diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index 224abb8ddd..82a24ff791 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -524,6 +524,10 @@
"master": [
"Publish",
"Pdf"
+ ],
+ "atp-api-danm": [
+ "Publish",
+ "Pdf"
]
},
"need_generate_pdf_url_template": true,
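Review bot: `atp-api-danm` in the added block reads like a personal working branch rather than a long-lived publishing branch. If it is only needed to stage content, drop this entry before merging to master, or track its removal, so the publish config does not accumulate stale branch targets that still build "Publish" and "Pdf" output.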
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 97405d2d24..78189003c5 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -5421,6 +5421,11 @@
"redirect_document_id": true
},
{
+"source_path": "devices/surface/manage-surface-dock-firmware-updates.md",
+"redirect_url": "devices/surface/update",
+"redirect_document_id": true
+},
+{
"source_path": "devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md",
"redirect_url": "/surface-hub/finishing-your-surface-hub-meeting",
"redirect_document_id": true
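Review bot: the added `redirect_url` value `devices/surface/update` has no leading slash, while the neighbouring entry in this hunk uses a rooted path (`/surface-hub/finishing-your-surface-hub-meeting`). Confirm how the relative form resolves and use the rooted form that matches the other entries, otherwise the old Surface Dock firmware URL may redirect to a path that does not exist.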
@@ -13884,6 +13889,11 @@
"source_path": "education/windows/windows-automatic-redeployment.md",
"redirect_url": "/education/windows/autopilot-reset",
"redirect_document_id": true
+},
+{
+"source_path": "windows/privacy/manage-windows-endpoints.md",
+"redirect_url": "/windows/privacy/manage-windows-1809-endpoints",
+"redirect_document_id": true
}
]
}
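Review bot: the new entry points the unversioned `manage-windows-endpoints.md` at a version-pinned target, `/windows/privacy/manage-windows-1809-endpoints`, so the redirect will be out of date as soon as the next release's endpoint list is published. Consider redirecting to a version-neutral landing page, or note that this entry must be updated with each release.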
diff --git a/browsers/edge/docfx.json b/browsers/edge/docfx.json
index b3be0aa999..42532b3fb2 100644
--- a/browsers/edge/docfx.json
+++ b/browsers/edge/docfx.json
@@ -9,7 +9,7 @@
],
"resource": [
{
- "files": ["**/images/**", "**/*.json"],
+ "files": ["**/images/**"],
"exclude": ["**/obj/**"]
}
],
diff --git a/browsers/internet-explorer/docfx.json b/browsers/internet-explorer/docfx.json
index 34e8b2d487..323ba3e4bd 100644
--- a/browsers/internet-explorer/docfx.json
+++ b/browsers/internet-explorer/docfx.json
@@ -9,7 +9,7 @@
],
"resource": [
{
- "files": ["**/images/**", "**/*.json"],
+ "files": ["**/images/**"],
"exclude": ["**/obj/**"]
}
],
diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md
index 5e6c740970..b314f85b52 100644
--- a/devices/hololens/TOC.md
+++ b/devices/hololens/TOC.md
@@ -1,8 +1,9 @@
# [Microsoft HoloLens](index.md)
## [What's new in Microsoft HoloLens](hololens-whats-new.md)
-## [Insider preview for Microsoft HoloLens](hololens-insider.md)
## [HoloLens in the enterprise: requirements and FAQ](hololens-requirements.md)
+## [Insider preview for Microsoft HoloLens](hololens-insider.md)
## [Set up HoloLens](hololens-setup.md)
+## [Install localized version of HoloLens](hololens-install-localized.md)
## [Unlock Windows Holographic for Business features](hololens-upgrade-enterprise.md)
## [Enroll HoloLens in MDM](hololens-enroll-mdm.md)
## [Manage updates to HoloLens](hololens-updates.md)
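Review bot: the new TOC entry is titled "Install localized version of HoloLens", but the page added later in this patch uses "Install localized versions of HoloLens" for both its `title` and its H1. Make the TOC text match the page title.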
diff --git a/devices/hololens/change-history-hololens.md b/devices/hololens/change-history-hololens.md
index 8f2862fc81..1fc820a243 100644
--- a/devices/hololens/change-history-hololens.md
+++ b/devices/hololens/change-history-hololens.md
@@ -16,6 +16,10 @@ ms.date: 11/05/2018
This topic lists new and updated topics in the [Microsoft HoloLens documentation](index.md).
+## Windows 10 Holographic for Business, version 1809
+
+The topics in this library have been updated for Windows 10 Holographic for Business, version 1809.
+
## November 2018
New or changed topic | Description
@@ -37,7 +41,7 @@ New or changed topic | Description
New or changed topic | Description
--- | ---
-[Insider preview for Microsoft HoloLens](hololens-insider.md) | New
+Insider preview for Microsoft HoloLens | New (topic retired on release of Windows 10, version 1809)
## June 2018
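Review bot: the changed row drops the link and marks the Insider preview topic as "retired on release of Windows 10, version 1809", yet this same patch keeps `hololens-insider.md` in TOC.md and edits the file rather than deleting it. Either keep the link here and reword the note (for example, that the 1809 preview content was removed), or remove the topic from the TOC and add a redirect for it.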
diff --git a/devices/hololens/hololens-encryption.md b/devices/hololens/hololens-encryption.md
index 8210e1f2fb..bbb59099b1 100644
--- a/devices/hololens/hololens-encryption.md
+++ b/devices/hololens/hololens-encryption.md
@@ -21,40 +21,21 @@ You can enable [Bitlocker device encryption](https://docs.microsoft.com/windows/
You can use your mobile device management (MDM) provider to apply a policy that requires device encryption. The policy used is the [Security/RequireDeviceEncryption setting](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-security#security-requiredeviceencryption) in the Policy CSP.
-In the following steps, Microsoft Intune is used as the example. For other MDM tools, see your MDM provider's documentation for instructions.
+[See instructions for enabling device encryption using Microsoft Intune.](https://docs.microsoft.com/intune/compliance-policy-create-windows#windows-holographic-for-business)
-1. Sign in to the [Microsoft Azure portal](https://portal.azure.com/).
+For other MDM tools, see your MDM provider's documentation for instructions. If your MDM provider requires custom URI for device encryption, use the following configuration:
-2. Use **Search** or go to **More services** to open the Intune blade.
-
-3. Go to **Device configuration > Profiles**, and select **Create profile**.
-
- 
-
-4. Enter a name of your choice, select **Windows 10 and later** for the platform, select **Custom** for the profile type, and then select **Add**.
-
- 
-
-5. In **Add Row OMA-URI Settings**, enter or select the following information:
- - **Name**: a name of your choice
- - **Description**: optional
- - **OMA-URI**: `./Vendor/MSFT/Policy/Config/Security/RequireDeviceEncryption`
- - **Data type**: integer
- - **Value**: `1`
-
- 
-
-6. Select **OK**, select **OK**, and then select **Create**. The blade for the profile opens automatically.
-
-7. Select **Assignments** to assign the profile to a group. After you configure the assignment, select **Save**.
-
-
+- **Name**: a name of your choice
+- **Description**: optional
+- **OMA-URI**: `./Vendor/MSFT/Policy/Config/Security/RequireDeviceEncryption`
+- **Data type**: integer
+- **Value**: `1`
## Enable device encryption using a provisioning package
Provisioning packages are files created by the Windows Configuration Designer tool that apply a specified configuration to a device.
-### Create a provisioning package that upgrades the Windows Holographic edition
+### Create a provisioning package that upgrades the Windows Holographic edition and enables encryption
1. [Create a provisioning package for HoloLens.](hololens-provisioning.md)
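Review bot: the added sentence "If your MDM provider requires custom URI for device encryption" is missing an article ("requires a custom URI") and would be clearer if it said the values below are the OMA-URI setting to create. Since the Intune walkthrough is now only a link, it would also help to keep one line stating that the profile must still be assigned to a device group, which the removed step 7 covered.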
diff --git a/devices/hololens/hololens-insider.md b/devices/hololens/hololens-insider.md
index c11b07759d..3a90c8fe68 100644
--- a/devices/hololens/hololens-insider.md
+++ b/devices/hololens/hololens-insider.md
@@ -37,77 +37,11 @@ To opt out of Insider builds:
- On a HoloLens running a production build, go to **Settings > Update & Security > Windows Insider Program**, and select **Stop Insider builds**.
- Follow the instructions to opt out your device.
-## New features for HoloLens
-
-The latest Insider Preview (RS5) has arrived for all HoloLens customers! This latest flight is packed with improvements that have been introduced since the [last major release of HoloLens software in May 2018](https://docs.microsoft.com/windows/mixed-reality/release-notes-october-2018).
-### For everyone
-
-
-Feature | Details | Instructions
---- | --- | ---
-Stop video capture from the Start or quick actions menu | If you start video capture from the Start menu or quick actions menu, you’ll be able to stop recording from the same place. (Don’t forget, you can always do this with voice commands too.) | To start recording, select **Start > Video**. To stop recording, select **Start > Stop video**.
-Project to a Miracast-enabled device | Project your HoloLens content to a nearby Surface device or TV/Monitor if using Microsoft Display adapter | On **Start**, select **Connect**. Select the device you want to project to.
-New notifications | View and respond to notification toasts on HoloLens, just like you do on a PC. | You’ll now see notifications from apps that provide them. Gaze to respond to or dismiss them (or if you’re in an immersive experience, use the bloom gesture).
-HoloLens overlays (file picker, keyboard, dialogs, etc.) | You’ll now see overlays such as the keyboard, dialogs, file picker, etc. when using immersive apps. | When you’re using an immersive app, input text, select a file from the file picker, or interact with dialogs without leaving the app.
-Visual feedback overlay UI for volume change | When you use the volume up/down buttons on your HoloLens you’ll see a visual display of the volume level. | Adjust the device volume using the volume up/down buttons located on the right arm of the HoloLens. Use the visual display to track the volume level.
-New UI for device boot | A loading indicator was added during the boot process to provide visual feedback that the system is loading. | Reboot your device to see the new loading indicator—it’s between the "Hello" message and the Windows boot logo.
-Share UX: Nearby Sharing | Addition of the Windows Nearby Sharing experience, allowing you to share a capture with a nearby Windows device. | Capture a photo or video on HoloLens (or use the share button from an app such as Microsoft Edge). Select a nearby Windows device to share with.
-Share from Microsoft Edge | Share button is now available on Microsoft Edge windows on HoloLens. | In Microsoft Edge, select **Share**. Use the HoloLens share picker to share web content.
-
-### For developers
-
-- Support for Holographic [Camera Capture UI API](https://docs.microsoft.com/windows/uwp/audio-video-camera/capture-photos-and-video-with-cameracaptureui), which will let developers expose a way for users to seamlessly invoke camera or video capture from within their applications. For example, users can now capture and insert photo or video content directly within apps like Word.
-- Mixed Reality Capture has been improved to exclude hidden mesh from captures, which means videos captures by apps will no longer contain black corners around the content.
-
-### For commercial customers
-
-
-Feature | Details | Instructions
---- | --- | ---
-Enable post-setup provisioning | Can now apply a runtime provisioning package at any time using **Settings**. | On your PC:
1. Create a provisioning package as described at [Create a provisioning package for HoloLens using the HoloLens wizard](hololens-provisioning.md).
2. Connect the HoloLens device via USB to a PC. HoloLens will show up as a device in File Explorer on the PC.
3. Drag and drop the provisioning package to the Documents folder on the HoloLens.
On your HoloLens:
1. Go to **Settings > Accounts > Access work or school**.
2. In **Related Settings**, select **Add or remove a provisioning package**.
3. On the next page, select **Add a package** to launch the file picker and select your provisioning package.
**Note:** if the folder is empty, make sure you select **This Device** and select **Documents**.
After your package has been applied, it will show in the list of Installed packages. To view package details or to remove the package from the device, select the listed package.
-Assigned access with Azure AD groups | Flexibility to use Azure AD groups for configuration of Windows assigned access to set up single or multi-app kiosk configuration. | Prepare XML file to configure Assigned Access on PC:
1. In a text editor, open [the provided file AssignedAccessHoloLensConfiguration_AzureADGroup.xml](#xml).
2. Change the group ID to one available in your Azure AD tenant. You can find the group ID of an Azure Active Directory Group by either :
- following the steps at [Azure Active Directory version 2 cmdlets for group management](https://docs.microsoft.com/azure/active-directory/active-directory-accessmanagement-groups-settings-v2-cmdlets),
OR
- in the Azure portal, with the steps at [Manage the settings for a group in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-groups-settings-azure-portal).
**Note:** The sample configures the following apps: Skype, Learning, Feedback Hub, Flow, Camera, and Calibration.
Create provisioning package with WCD:
1. On a PC, follow the steps at [Create a provisioning package for HoloLens using the HoloLens wizard](hololens-provisioning.md) to create a provisioning package.
2. Ensure that you include the license file in **Set up device**.
3. Select **Switch to advanced editor** (bottom left), and **Yes** for warning prompt.
4. Expand the runtime settings selection in the **Available customizations** panel and select **AssignedAccess > MultiAppAssignedAccessSettings**.
5. In the middle panel, you should now see the setting displayed with documentation in the panel below. Browse to the XML you modified for Assigned Access.
6. On the **Export** menu, select **Provisioning package**.
**Warning:** If you encrypt the provisioning package, provisioning the HoloLens device will fail.
7. Select **Next** to specify the output location where you want the provisioning package to go once it's built.
8. Select **Next**, and then select **Build** to start building the package.
9. When the build completes, select **Finish**.
Apply the package to HoloLens:
1. Connect HoloLens via USB to a PC and start the device, but do not continue past the **Fit** page of OOBE (the first page with the blue box). HoloLens will show up as a device in File Explorer on the PC.
2. In File Explorer, drag and drop the provisioning package (.ppkg) onto the device storage.
3. Briefly press and release the **Volume Down** and **Power** buttons simultaneously again while on the fit page.
4. The device will ask you if you trust the package and would like to apply it. Confirm that you trust the package.
5. You will see whether the package was applied successfully or not. If it failed, you can fix your package and try again. If it succeeded, proceed with OOBE.
Enable assigned access on HoloLens:
1. After applying the provisioning package, during the **Account Setup** flows in OOBE, select **My work or school owns this** to set up your device with an Azure AD account.
**Note:** This account must not be in the group chosen for Assigned Access.
2. Once you reach the Shell, ensure the Skype app is installed either via your MDM environment or from the Store.
3. After the Skype app is installed, sign out.
4. On the sign-in screen, select the **Other User** option and enter an Azure AD account email address that belongs to the group chosen for Assigned Access. Then enter the password to sign in. You should now see this user with only the apps configured in the Assigned Access profile.
-PIN sign-in on profile switch from sign-in screen | PIN sign-in is now available for **Other User**. | When signing in as **Other User**, the PIN option is now available under **Sign-In options**.
-Sign in with Web Cred Provider using password | You can now select the Globe sign-in option to launch web sign-in with your password. Look for additional web sign-in methods coming in the future. | From the sign-in screen, select **Sign-In options** and select the Globe option to launch web sign-in. Enter your user name if needed, then your password.
**Note:** You can choose to bypass any PIN/Smartcard options when prompted during web sign-in.
-Read device hardware info through MDM so devices can be tracked by serial # | IT administrators can see and track HoloLens by device serial number in their MDM console. | Refer to your MDM documentation for feature availability, and for how to use your MDM console to view HoloLens device serial number.
-Set HoloLens device name through MDM (rename) | IT administrators can see and rename HoloLens devices in their MDM console. | Refer to your MDM documentation for feature availability, and for how to use your MDM console to view and set your HoloLens device name (rename).
-
-### For international customers
-
-
-Feature | Details | Instructions
---- | --- | ---
-Localized Chinese and Japanese builds | Use HoloLens with localized user interface for Simplified Chinese or Japanese, including localized Pinyin keyboard, dictation, and voice commands. | See below.
-
-#### Installing the Chinese or Japanese versions of the Insider builds
-
-In order to switch to the Chinese or Japanese version of HoloLens, you’ll need to download the build for the language on a PC and then install it on your HoloLens using the Windows Device Recovery Tool (WDRT).
-
->[!IMPORTANT]
->Installing the Chinese or Japanese builds of HoloLens using WDRT will delete existing data, like personal files and settings, from your HoloLens.
-
-1. On a retail HoloLens device, [opt in to Insider Preview builds](#get-insider) to prepare your device for the RS5 Preview.
-2. On your PC, download and install [the Windows Device Recovery Tool (WDRT)](https://support.microsoft.com/help/12379).
-3. Download the package for the language you want to your PC: [Simplified Chinese](https://aka.ms/hololenspreviewdownload-ch) or [Japanese](https://aka.ms/hololenspreviewdownload-jp).
-4. When the download is finished, select **File Explorer > Downloads**. Right-click the zipped folder you just downloaded, and select **Extract all... > Extract** to unzip it.
-5. Connect your HoloLens to your PC using the micro-USB cable it came with. (Even if you've been using other cables to connect your HoloLens, this one works best.)
-6. The tool will automatically detect your HoloLens. Select the Microsoft HoloLens tile.
-7. On the next screen, select **Manual package selection** and choose the installation file contained in the folder you unzipped in step 4. (Look for a file with the extension “.ffu”.)
-8. Select **Install software** and follow the instructions to finish installing.
-9. Once the build is installed, HoloLens setup will start automatically. Put on the device and follow the setup directions.
-10. After you complete setup, go to **Settings -> Update & Security -> Windows Insider Program** and select **Get started**. Link the account you used to register as a Windows Insider. Then, select **Active development of Windows**, choose whether you’d like to receive **Fast** or **Slow** builds, and review the program terms. Select **Confirm -> Restart Now** to finish up. After your device has rebooted, go to **Settings -> Update & Security -> Check for updates** to get the latest build.
-
-
-
-
-## Note for language support
-
-- You can’t change the system language between English, Japanese, and Chinese using the Settings app. Flashing a new build is the only supported way to change the device system language.
-- While you can enter Simplified Chinese / Japanese text using the on-screen Pinyin keyboard, typing in Simplified Chinese / Japanese using a Bluetooth hardware keyboard is not supported at this time. However, on Chinese/Japanese HoloLens, you can continue to use a BT keyboard to type in English (the Shift key on a hardware keyboard toggles the keyboard to type in English).
## Note for developers
-You are welcome and encouraged to try developing your applications using this build of HoloLens. Check out the [HoloLens Developer Documentation](https://developer.microsoft.com/windows/mixed-reality/development) to get started. Those same instructions work with this latest build of HoloLens. You can use the same builds of Unity and Visual Studio that you're already using for HoloLens development.
+You are welcome and encouraged to try developing your applications using Insider builds of HoloLens. Check out the [HoloLens Developer Documentation](https://developer.microsoft.com/windows/mixed-reality/development) to get started. Those same instructions work with Insider builds of HoloLens. You can use the same builds of Unity and Visual Studio that you're already using for HoloLens development.
## Provide feedback and report issues
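Review bot: the removed "Assigned access with Azure AD groups" row has no replacement in the hunks shown in this patch. The post-setup provisioning steps reappear in hololens-provisioning.md and the localized-build steps in hololens-install-localized.md, but the Azure AD group procedure is not re-added anywhere visible, including the warning that an encrypted provisioning package fails to apply and the requirement that the setup account must not be in the assigned-access group. hololens-kiosk.md looks like the natural home for it. If the content is intentionally dropped, say so in the change history.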
@@ -116,75 +50,3 @@ Please use [the Feedback Hub app](https://docs.microsoft.com/windows/mixed-reali
>[!NOTE]
>Be sure to accept the prompt that asks whether you’d like Feedback Hub to access your Documents folder (select **Yes** when prompted).
-
-## AssignedAccessHoloLensConfiguration_AzureADGroup.xml
-
-Copy this sample XML to use for the [**Assigned access with Azure AD groups** feature](#for-commercial-customers).
-
-```xml
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- ]]>
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-```
-
diff --git a/devices/hololens/hololens-install-localized.md b/devices/hololens/hololens-install-localized.md
new file mode 100644
index 0000000000..8e5a72150a
--- /dev/null
+++ b/devices/hololens/hololens-install-localized.md
@@ -0,0 +1,35 @@
+---
+title: Install localized versions of HoloLens (HoloLens)
+description: Learn how to install the Chinese or Japanese versions of HoloLens
+ms.prod: hololens
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerms
+ms.author: jdecker
+ms.topic: article
+ms.localizationpriority: medium
+ms.date: 11/13/2018
+---
+
+# Install localized versions of HoloLens
+
+In order to switch to the Chinese or Japanese version of HoloLens, you’ll need to download the build for the language on a PC and then install it on your HoloLens using the Windows Device Recovery Tool (WDRT).
+
+>[!IMPORTANT]
+>Installing the Chinese or Japanese builds of HoloLens using WDRT will delete existing data, like personal files and settings, from your HoloLens.
+
+
+2. On your PC, download and install [the Windows Device Recovery Tool (WDRT)](https://support.microsoft.com/help/12379).
+3. Download the package for the language you want to your PC: [Simplified Chinese](https://aka.ms/hololensdownload-ch) or [Japanese](https://aka.ms/hololensdownload-jp).
+4. When the download is finished, select **File Explorer > Downloads**. Right-click the zipped folder you just downloaded, and select **Extract all... > Extract** to unzip it.
+5. Connect your HoloLens to your PC using the micro-USB cable it came with. (Even if you've been using other cables to connect your HoloLens, this one works best.)
+6. The tool will automatically detect your HoloLens. Select the Microsoft HoloLens tile.
+7. On the next screen, select **Manual package selection** and choose the installation file contained in the folder you unzipped in step 4. (Look for a file with the extension “.ffu”.)
+8. Select **Install software** and follow the instructions to finish installing.
+9. Once the build is installed, HoloLens setup will start automatically. Put on the device and follow the setup directions.
+
+
+## Note for language support
+
+- You can’t change the system language between English, Japanese, and Chinese using the Settings app. Flashing a new build is the only supported way to change the device system language.
+- While you can enter Simplified Chinese / Japanese text using the on-screen Pinyin keyboard, typing in Simplified Chinese / Japanese using a Bluetooth hardware keyboard is not supported at this time. However, on Chinese/Japanese HoloLens, you can continue to use a BT keyboard to type in English (the ~ key on a hardware keyboard toggles the keyboard to type in English).
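Review bot: the numbered list in the new file starts at `2.` because the old first step (opting in to Insider Preview builds) was removed, leaving only blank lines in its place. Renumber from 1 and update the cross-reference in step 7 ("the folder you unzipped in step 4") to match. The last bullet also changes the toggle key from the Shift key, as the text removed from hololens-insider.md had it, to the `~` key; confirm that is an intended correction and not a typo.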
diff --git a/devices/hololens/hololens-kiosk.md b/devices/hololens/hololens-kiosk.md
index 8f05c5e15c..c888927596 100644
--- a/devices/hololens/hololens-kiosk.md
+++ b/devices/hololens/hololens-kiosk.md
@@ -7,7 +7,7 @@ author: jdeckerms
ms.author: jdecker
ms.topic: article
ms.localizationpriority: medium
-ms.date: 08/14/2018
+ms.date: 11/13/2018
---
# Set up HoloLens in kiosk mode
@@ -20,7 +20,17 @@ When HoloLens is configured as a multi-app kiosk, only the allowed apps are avai
Single-app kiosk mode starts the specified app when the user signs in, and restricts the user's ability to launch new apps or change the running app. When single-app kiosk mode is enabled for HoloLens, the bloom gesture and Cortana are disabled, and placed apps aren't shown in the user's surroundings.
-The [AssignedAccess Configuration Service Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) enables kiosk configuration.
+The following table lists the device capabilities in the different kiosk modes.
+
+Kiosk mode | Voice and Bloom commands | Quick actions menu | Camera and video | Miracast
+--- | --- | --- | --- | ---
+Single-app kiosk |  |  |  | 
+Multi-app kiosk |  |  with **Home** and **Volume** (default)
Photo and video buttons shown in Quick actions menu if the Camera app is enabled in the kiosk configuration.
Miracast is shown if the Camera app and device picker app are enabled in the kiosk configuration. |  if the Camera app is enabled in the kiosk configuration. |  if the Camera app and device picker app are enabled in the kiosk configuration.
+
+>[!NOTE]
+>Use the Application User Model ID (AUMID) to allow apps in your kiosk configuration. The Camera app AUMID is `HoloCamera_cw5n1h2txyewy!HoloCamera`. The device picker app AUMID is `HoloDevicesFlow_cw5n1h2txyewy!HoloDevicesFlow`.
+
+The [AssignedAccess Configuration Service Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) enables kiosk configuration.
>[!WARNING]
>The assigned access feature which enables kiosk mode is intended for corporate-owned fixed-purpose devices. When the multi-app assigned access configuration is applied on the device, certain policies are enforced system-wide, and will impact other users on the device. Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all [the enforced policies](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps#policies-set-by-multi-app-kiosk-configuration). A factory reset is needed to clear all the policies enforced via assigned access.
diff --git a/devices/hololens/hololens-provisioning.md b/devices/hololens/hololens-provisioning.md
index c1a90edadb..00a7436e23 100644
--- a/devices/hololens/hololens-provisioning.md
+++ b/devices/hololens/hololens-provisioning.md
@@ -7,7 +7,7 @@ author: jdeckerms
ms.author: jdecker
ms.topic: article
ms.localizationpriority: medium
-ms.date: 04/30/2018
+ms.date: 11/13/2018
---
# Configure HoloLens using a provisioning package
@@ -49,8 +49,7 @@ Provisioning packages can include management instructions and policies, customiz
> [!TIP]
> Use the desktop wizard to create a package with the common settings, then switch to the advanced editor to add other settings, apps, policies, etc.
->
->
+
### Create the provisioning package
@@ -77,8 +76,8 @@ Use the Windows Configuration Designer tool to create a provisioning package.
 Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network. |  |
 You can enroll the device in Azure Active Directory, or create a local account on the deviceBefore you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions. To create a local account, select that option and enter a user name and password. **Important:** (For Windows 10, version 1607 only) If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. |  |
 To provision the device with a certificate, click **Add a certificate**. Enter a name for the certificate, and then browse to and select the certificate to be used. |  |
-Toggle **Yes** or **No** to enable Developer Mode on the HoloLens. [Learn more about Developer Mode.](https://docs.microsoft.com/windows/uwp/get-started/enable-your-device-for-development#developer-mode) |  |
-Do not set a password to protect your provisioning package. If the provisioning package is protected by a password, provisioning the HoloLens device will fail. |  |
+ Toggle **Yes** or **No** to enable Developer Mode on the HoloLens. [Learn more about Developer Mode.](https://docs.microsoft.com/windows/uwp/get-started/enable-your-device-for-development#developer-mode) |  |
+ Do not set a password to protect your provisioning package. If the provisioning package is protected by a password, provisioning the HoloLens device will fail. |  |
After you're done, click **Create**. It only takes a few seconds. When the package is built, the location where the package is stored is displayed as a hyperlink at the bottom of the page.
@@ -137,7 +136,7 @@ After you're done, click **Create**. It only takes a few seconds. When the packa
10. When the build completes, click **Finish**.
-## Apply a provisioning package to HoloLens
+## Apply a provisioning package to HoloLens during setup
1. Connect the device via USB to a PC and start the device, but do not continue past the **Fit** page of OOBE (the first page with the blue box).
@@ -156,6 +155,23 @@ After you're done, click **Create**. It only takes a few seconds. When the packa
>[!NOTE]
>If the device was purchased before August 2016, you will need to sign into the device with a Microsoft account, get the latest OS update, and then reset the OS in order to apply the provisioning package.
+## Apply a provisioning package to HoloLens after setup
+
+>[!NOTE]
+>Windows 10, version 1809 only
+
+On your PC:
+1. Create a provisioning package as described at [Create a provisioning package for HoloLens using the HoloLens wizard](hololens-provisioning.md).
+2. Connect the HoloLens device via USB to a PC. HoloLens will show up as a device in File Explorer on the PC.
+3. Drag and drop the provisioning package to the Documents folder on the HoloLens.
+
+On your HoloLens:
+1. Go to **Settings > Accounts > Access work or school**.
+2. In **Related Settings**, select **Add or remove a provisioning package**.
+3. On the next page, select **Add a package** to launch the file picker and select your provisioning package. If the folder is empty, make sure you select **This Device** and select **Documents**.
+
+After your package has been applied, it will show in the list of **Installed packages**. To view package details or to remove the package from the device, select the listed package.
+
## What you can configure
Provisioning packages make use of configuration service providers (CSPs). If you're not familiar with CSPs, see [Introduction to configuration service providers (CSPs) for IT pros](https://technet.microsoft.com/itpro/windows/manage/how-it-pros-can-use-configuration-service-providers).
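Review bot: step 1 under "On your PC" links to `hololens-provisioning.md`, which is the file this section lives in, so the link just reloads the page; point it at the in-page "Create the provisioning package" section instead. The note "Windows 10, version 1809 only" is a fragment and should say what is limited to 1809. The section should also state whether the user is asked to confirm trust in the package before it is applied, as the during-setup flow removed from hololens-insider.md did ("The device will ask you if you trust the package"), since a package dropped into Documents can change device policy.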
diff --git a/devices/hololens/hololens-updates.md b/devices/hololens/hololens-updates.md
index e10552862b..9ea1e9de34 100644
--- a/devices/hololens/hololens-updates.md
+++ b/devices/hololens/hololens-updates.md
@@ -14,36 +14,30 @@ ms.date: 04/30/2018
>**Looking for how to get the latest update? See [Update HoloLens](https://support.microsoft.com/help/12643/hololens-update-hololens).**
-Windows 10, version 1803, is the first feature update to Windows Holographic for Business since its release in Windows 10, version 1607. As with desktop devices, administrators can manage updates to the HoloLens operating system using [Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb).
-
>[!NOTE]
>HoloLens devices must be [upgraded to Windows Holographic for Business](hololens-upgrade-enterprise.md) to manage updates.
+For a complete list of Update policies, see [Policies supported by Windows Holographic for Business](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#a-href-idhololenspoliciesapolicies-supported-by-windows-holographic-for-business).
-Mobile device management (MDM) providers use the [Policy Configuration Service Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) to enable update management.
+To configure how and when updates are applied, use the following policies:
+- [Update/AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate)
+- [Update/ScheduledInstallDay](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstallday)
+- [Update/ScheduledInstallTime](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstalltime)
-The Update policies supported for HoloLens are:
+To turn off the automatic check for updates, set the following policy to value **5** – Turn off Automatic Updates:
+- [Update/AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate)
-- [Update/AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate)
-- [Update/AllowUpdateService](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowupdateservice)
-- [Update/RequireDeferUpgrade](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-requiredeferupgrade)
-- [Update/RequireUpdateApproval](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-requireupdateapproval)
-- [Update/UpdateServiceUrl](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-updateserviceurl)
+In Microsoft Intune, you can use **Automatic Update Behavior** to change this policy. (See [Manage software updates in Microsoft Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure))
-
-
-Typically, devices access Windows Update directly for updates. You can use the following update policies to configure devices to get updates from Windows Server Update Service (WSUS) instead:
+For devices on Windows 10, version 1607 only: You can use the following update policies to configure devices to get updates from Windows Server Update Service (WSUS) instead of Windows Update:
- [Update/AllowUpdateService](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowupdateservice)
- [Update/RequireUpdateApproval](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-requireupdateapproval)
- [Update/UpdateServiceUrl](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-updateserviceurl)
-In Microsoft Intune, use [a custom profile](https://docs.microsoft.com/intune/custom-settings-windows-holographic) to configure devices to get updates from WSUS.
-
-
-
## Related topics
-- [Manage software updates in Microsoft Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure)
\ No newline at end of file
+- [Policies supported by Windows Holographic for Business](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#a-href-idhololenspoliciesapolicies-supported-by-windows-holographic-for-business)
+- [Manage software updates in Microsoft Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure)
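Review bot: The added paragraph telling administrators to set Update/AllowAutoUpdate to **5** (Turn off Automatic Updates) does not say how devices are expected to receive updates afterwards. The sentence "Typically, devices access Windows Update directly for updates" is removed and the WSUS policies are now scoped to "Windows 10, version 1607 only", so a reader on a later version is told how to disable the automatic check with no documented alternative. Suggest adding a sentence on when value 5 is appropriate and how updates are then delivered and verified. Two smaller points: the link anchor `#a-href-idhololenspoliciesapolicies-supported-by-windows-holographic-for-business` looks as if it was generated from raw HTML in the target heading and should be checked that it resolves, and the parenthetical "(See ...)" that ends the Intune sentence has no closing period.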
diff --git a/devices/hololens/hololens-whats-new.md b/devices/hololens/hololens-whats-new.md
index 75556a83db..0e17d81790 100644
--- a/devices/hololens/hololens-whats-new.md
+++ b/devices/hololens/hololens-whats-new.md
@@ -1,18 +1,60 @@
---
title: What's new in Microsoft HoloLens (HoloLens)
-description: Windows Holographic for Business gets new features in Windows 10, version 1803.
+description: Windows Holographic for Business gets new features in Windows 10, version 1809.
ms.prod: hololens
ms.sitesec: library
author: jdeckerms
ms.author: jdecker
ms.topic: article
ms.localizationpriority: medium
-ms.date: 04/30/2018
+ms.date: 11/13/2018
---
# What's new in Microsoft HoloLens
+## Windows 10, version 1809 for Microsoft HoloLens
+### For everyone
+
+Feature | Details
+--- | ---
+Quick actions menu | When you're in an app, the Bloom gesture will now open a Quick actions menu to give you quick access to commonly used system features without having to leave the app. See [Set up HoloLens in kiosk mode](hololens-kiosk.md) for information about the Quick actions menu in kiosk mode.

+Stop video capture from the Start or quick actions menu | If you start video capture from the Start menu or quick actions menu, you’ll be able to stop recording from the same place. (Don’t forget, you can always do this with voice commands too.)
+Project to a Miracast-enabled device | Project your HoloLens content to a nearby Surface device or TV/Monitor if using Microsoft Display adapter. On **Start**, select **Connect**, and then select the device you want to project to. **Note:** You can deploy HoloLens to use Miracast projection without enabling developer mode.
+New notifications | View and respond to notification toasts on HoloLens, just like you do on a PC. Gaze to respond to or dismiss them (or if you’re in an immersive experience, use the bloom gesture).
+HoloLens overlays (file picker, keyboard, dialogs, etc.) | You’ll now see overlays such as the keyboard, dialogs, file picker, etc. when using immersive apps.
+Visual feedback overlay UI for volume change | When you use the volume up/down buttons on your HoloLens you’ll see a visual display of the volume level.
+New UI for device boot | A loading indicator was added during the boot process to provide visual feedback that the system is loading. Reboot your device to see the new loading indicator—it’s between the "Hello" message and the Windows boot logo.
+Share UX: Nearby Sharing | Addition of the Windows Nearby Sharing experience, allowing you to share a capture with a nearby Windows device. When you capture a photo or video on HoloLens (or use the share button from an app such as Microsoft Edge), select a nearby Windows device to share with.
+Share from Microsoft Edge | Share button is now available on Microsoft Edge windows on HoloLens. In Microsoft Edge, select **Share**. Use the HoloLens share picker to share web content.
+
+
+
+### For administrators
+
+
+Feature | Details
+--- | ---
+[Enable post-setup provisioning](hololens-provisioning.md) | You can now apply a runtime provisioning package at any time using **Settings**.
+Assigned access with Azure AD groups | You can now use Azure AD groups for configuration of Windows assigned access to set up single or multi-app kiosk configuration.
+PIN sign-in on profile switch from sign-in screen | PIN sign-in is now available for **Other User**. | When signing in as **Other User**, the PIN option is now available under **Sign-In options**.
+Sign in with Web Credential Provider using password | You can now select the Globe sign-in option to launch web sign-in with your password. From the sign-in screen, select **Sign-In options** and select the Globe option to launch web sign-in. Enter your user name if needed, then your password.
**Note:** You can choose to bypass any PIN/Smartcard options when prompted during web sign-in.
+Read device hardware info through MDM so devices can be tracked by serial # | IT administrators can see and track HoloLens by device serial number in their MDM console. Refer to your MDM documentation for feature availability and instructions.
+Set HoloLens device name through MDM (rename) | IT administrators can see and rename HoloLens devices in their MDM console. Refer to your MDM documentation for feature availability and instructions.
+
+### For international customers
+
+
+Feature | Details
+--- | ---
+Localized Chinese and Japanese builds | Use HoloLens with localized user interface for Simplified Chinese or Japanese, including localized Pinyin keyboard, dictation, and voice commands.
+Speech Synthesis (TTS) | Speech synthesis feature now supports Chinese, Japanese, and English.
+
+[Learn how to install the Chinese and Japanese versions of HoloLens.](hololens-install-localized.md)
+
+
+
+## Windows 10, version 1803 for Microsoft HoloLens
Windows 10, version 1803, is the first feature update to Windows Holographic for Business since its release in Windows 10, version 1607. This update introduces the following changes:
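Review bot: In the "For administrators" table, the row "PIN sign-in on profile switch from sign-in screen" has three cells under a two-column header (`Feature | Details`), so the third cell ("When signing in as **Other User**, the PIN option is now available under **Sign-In options**.") will be dropped or rendered out of place. Merge the second and third cells into a single Details cell.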
@@ -49,6 +91,6 @@ Windows 10, version 1803, is the first feature update to Windows Holographic for
## Additional resources
- [Reset or recover your HoloLens](https://developer.microsoft.com/windows/mixed-reality/reset_or_recover_your_hololens)
-- [Restart, rest, or recover HoloLens](https://support.microsoft.com/help/13452/hololens-restart-reset-or-recover-hololens)
+- [Restart, reset, or recover HoloLens](https://support.microsoft.com/help/13452/hololens-restart-reset-or-recover-hololens)
- [Manage devices running Windows Holographic with Microsoft Intune](https://docs.microsoft.com/intune/windows-holographic-for-business)
diff --git a/devices/hololens/images/account-management-details.png b/devices/hololens/images/account-management-details.png
index 4094dabd85..20816830a4 100644
Binary files a/devices/hololens/images/account-management-details.png and b/devices/hololens/images/account-management-details.png differ
diff --git a/devices/hololens/images/account-management.PNG b/devices/hololens/images/account-management.PNG
index 34165dfcd6..da53cb74b8 100644
Binary files a/devices/hololens/images/account-management.PNG and b/devices/hololens/images/account-management.PNG differ
diff --git a/devices/hololens/images/add-certificates.PNG b/devices/hololens/images/add-certificates.PNG
index 24cb605d1c..7a16dffd26 100644
Binary files a/devices/hololens/images/add-certificates.PNG and b/devices/hololens/images/add-certificates.PNG differ
diff --git a/devices/hololens/images/developer-setup-details.png b/devices/hololens/images/developer-setup-details.png
index 0a32af7ba7..d445bf5759 100644
Binary files a/devices/hololens/images/developer-setup-details.png and b/devices/hololens/images/developer-setup-details.png differ
diff --git a/devices/hololens/images/developer-setup.png b/devices/hololens/images/developer-setup.png
index 826fda5f25..a7e49873b0 100644
Binary files a/devices/hololens/images/developer-setup.png and b/devices/hololens/images/developer-setup.png differ
diff --git a/devices/hololens/images/finish.PNG b/devices/hololens/images/finish.PNG
index 7c65da1799..975caba764 100644
Binary files a/devices/hololens/images/finish.PNG and b/devices/hololens/images/finish.PNG differ
diff --git a/devices/hololens/images/set-up-device-details.PNG b/devices/hololens/images/set-up-device-details.PNG
index 85b7dd382e..7325e06e86 100644
Binary files a/devices/hololens/images/set-up-device-details.PNG and b/devices/hololens/images/set-up-device-details.PNG differ
diff --git a/devices/hololens/images/set-up-device.PNG b/devices/hololens/images/set-up-device.PNG
index 0c9eb0e3ff..577117a26a 100644
Binary files a/devices/hololens/images/set-up-device.PNG and b/devices/hololens/images/set-up-device.PNG differ
diff --git a/devices/hololens/images/set-up-network.PNG b/devices/hololens/images/set-up-network.PNG
index a0e856c103..19fd3ff7bb 100644
Binary files a/devices/hololens/images/set-up-network.PNG and b/devices/hololens/images/set-up-network.PNG differ
diff --git a/devices/hololens/index.md b/devices/hololens/index.md
index 2f5741df7e..9b7ed69845 100644
--- a/devices/hololens/index.md
+++ b/devices/hololens/index.md
@@ -22,9 +22,9 @@ ms.date: 07/27/2018
| Topic | Description |
| --- | --- |
| [What's new in Microsoft HoloLens](hololens-whats-new.md) | Discover the new features in the latest update. |
-[Insider preview for Microsoft HoloLens](hololens-insider.md) | Learn about new HoloLens features available in the latest Insider Preview build.
| [HoloLens in the enterprise: requirements](hololens-requirements.md) | Lists requirements for general use, Wi-Fi, and device management |
| [Set up HoloLens](hololens-setup.md) | How to set up HoloLens for the first time |
+[Install localized version of HoloLens](hololens-install-localized.md) | Install the Chinese or Japanese version of HoloLens
| [Unlock Windows Holographic for Business features](hololens-upgrade-enterprise.md) | How to upgrade your Development Edition HoloLens to Windows Holographic for Business |
| [Enroll HoloLens in MDM](hololens-enroll-mdm.md) | Manage multiple HoloLens devices simultaneously using solutions like Microsoft Intune |
| [Manage updates to HoloLens](hololens-updates.md) | Use mobile device management (MDM) policies to configure settings for updates. |
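Review bot: The added "Install localized version of HoloLens" row omits the leading and trailing `|` that the neighbouring rows use (for example `| [Set up HoloLens](hololens-setup.md) | How to set up HoloLens for the first time |`); add them so the table source is consistent. The hunk also drops the "Insider preview for Microsoft HoloLens" row; if hololens-insider.md is being retired, check that the file is removed or redirected in the same change, since this hunk shows neither.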
diff --git a/devices/surface-hub/docfx.json b/devices/surface-hub/docfx.json
index dc151c3165..47f420a4d0 100644
--- a/devices/surface-hub/docfx.json
+++ b/devices/surface-hub/docfx.json
@@ -9,7 +9,7 @@
],
"resource": [
{
- "files": ["**/images/**", "**/*.json"],
+ "files": ["**/images/**"],
"exclude": ["**/obj/**"]
}
],
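Review bot: Removing `"**/*.json"` from the `resource` `files` list means JSON files in this docset are no longer published as resources, and the change gives no reason for it. Confirm that no topic links to or offers a .json file from this docset, and state the reason in the commit description. The same edit is made in devices/surface/docfx.json further down.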
diff --git a/devices/surface/TOC.md b/devices/surface/TOC.md
index e68eb9a565..3f99c917af 100644
--- a/devices/surface/TOC.md
+++ b/devices/surface/TOC.md
@@ -14,7 +14,6 @@
## [Surface firmware and driver updates](update.md)
### [Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)
### [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md)
-### [Manage Surface Dock firmware updates](manage-surface-dock-firmware-updates.md)
### [Surface Dock Updater](surface-dock-updater.md)
### [Wake On LAN for Surface devices](wake-on-lan-for-surface-devices.md)
## [Considerations for Surface and System Center Configuration Manager](considerations-for-surface-and-system-center-configuration-manager.md)
@@ -26,6 +25,9 @@
### [Enroll and configure Surface devices with SEMM](enroll-and-configure-surface-devices-with-semm.md)
### [Unenroll Surface devices from SEMM](unenroll-surface-devices-from-semm.md)
### [Use System Center Configuration Manager to manage devices with SEMM](use-system-center-configuration-manager-to-manage-devices-with-semm.md)
+## [Surface Diagnostic Toolkit for Business](surface-diagnostic-toolkit-business.md)
+### [Use Surface Diagnostic Toolkit for Business in desktop mode](surface-diagnostic-toolkit-desktop-mode.md)
+### [Run Surface Diagnostic Toolkit for Business using commands](surface-diagnostic-toolkit-command-line.md)
## [Surface Data Eraser](microsoft-surface-data-eraser.md)
## [Top support solutions for Surface devices](support-solutions-surface.md)
## [Change history for Surface documentation](change-history-for-surface.md)
diff --git a/devices/surface/change-history-for-surface.md b/devices/surface/change-history-for-surface.md
index 0e0ff5dcc7..5c34d22900 100644
--- a/devices/surface/change-history-for-surface.md
+++ b/devices/surface/change-history-for-surface.md
@@ -7,13 +7,22 @@ ms.sitesec: library
author: jdeckerms
ms.author: jdecker
ms.topic: article
-ms.date: 10/15/2018
+ms.date: 11/15/2018
---
# Change history for Surface documentation
This topic lists new and updated topics in the Surface documentation library.
+## November 2018
+
+New or changed topic | Description
+--- | ---
+|[Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md) | Added Surface Pro 6 |
+[Surface Diagnostic Toolkit for Business](surface-diagnostic-toolkit-business.md) | New
+[Use Surface Diagnostic Toolkit for Business in desktop mode](surface-diagnostic-toolkit-desktop-mode.md) | New
+[Run Surface Diagnostic Toolkit for Business using commands](surface-diagnostic-toolkit-command-line.md) | New
+
## October 2018
New or changed topic | Description
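Review bot: The November 2018 entry for the download topic says only "Added Surface Pro 6", but the same change also adds a "Surface Laptop 2" section to that topic; update the description to list both. That first row is also the only one wrapped in a leading and trailing `|`, unlike the three rows after it, so pick one style for the table.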
diff --git a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md
index 116df9446d..52a92a6ef7 100644
--- a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md
+++ b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md
@@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
ms.pagetype: surface, devices
ms.sitesec: library
author: brecords
-ms.date: 10/15/2018
+ms.date: 11/15/2018
ms.author: jdecker
ms.topic: article
---
@@ -38,6 +38,16 @@ Recent additions to the downloads for Surface devices provide you with options t
>[!NOTE]
>A battery charge of 40% or greater is required before you install firmware to a Surface device. See [Microsoft Support article KB2909710](https://go.microsoft.com/fwlink/p/?LinkId=618106) for more information.
+## Surface Laptop 2
+
+Download the following updates for [Surface Laptop 2 from the Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=57515).
+* SurfaceLaptop2_Win10_XXXXX_XXXXXXX_X.msi – Cumulative firmware and driver update package for Windows 10
+
+## Surface Pro 6
+
+Download the following updates for [Surface Pro 6 from the Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=57514).
+
+* SurfacePro6_Win10_XXXXX_XXXXXXX_X.msi – Cumulative firmware and driver update package for Windows 10
## Surface GO
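Review bot: Both added download links use the locale-specific path `https://www.microsoft.com/en-us/download/details.aspx`, while the existing sections of this topic link to the locale-neutral `https://www.microsoft.com/download/details.aspx`; drop `/en-us` so readers land on the page for their own locale. The Surface Laptop 2 section also lacks the blank line between the sentence and the bullet that the Surface Pro 6 section has.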
@@ -46,29 +56,32 @@ Download the following updates for [Surface GO from the Microsoft Download Cente
## Surface Book 2
-
Download the following updates for [Surface Book 2 from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=56261).
* SurfaceBook2_Win10_xxxxx_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10
## Surface Laptop
-
Download the following updates for [Surface Laptop from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=55489).
* SurfaceLaptop_Win10_xxxxx_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10
## Surface Pro
-
Download the following updates for [Surface Pro (Model 1796) from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=55484).
* SurfacePro_Win10_xxxxx_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10
## Surface Pro with LTE Advanced
-
Download the following updates for [Surface Pro with LTE Advanced from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=56278).
+
* SurfacePro_LTE_Win10_xxxxx_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10
+## Surface Pro 6
+
+Download the following updates for [Surface Pro 6 from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=57514).
+
+* SurfacePro6_Win10_17134_xxxxx_xxxxxx.msi
+
## Surface Studio
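Review bot: The "## Surface Pro 6" section added after "Surface Pro with LTE Advanced" duplicates the section of the same name added higher up in this topic, and the two disagree on the package name (`SurfacePro6_Win10_17134_xxxxx_xxxxxx.msi` here, `SurfacePro6_Win10_XXXXX_XXXXXXX_X.msi` above). The bullet here also has no description. Keep a single section with one file-name pattern and the "Cumulative firmware and driver update package for Windows 10" description used by the other devices.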
diff --git a/devices/surface/docfx.json b/devices/surface/docfx.json
index 86d594455f..8477cac86f 100644
--- a/devices/surface/docfx.json
+++ b/devices/surface/docfx.json
@@ -9,7 +9,7 @@
],
"resource": [
{
- "files": ["**/images/**", "**/*.json"],
+ "files": ["**/images/**"],
"exclude": ["**/obj/**"]
}
],
diff --git a/devices/surface/images/sdt-1.png b/devices/surface/images/sdt-1.png
new file mode 100644
index 0000000000..fb10753608
Binary files /dev/null and b/devices/surface/images/sdt-1.png differ
diff --git a/devices/surface/images/sdt-2.png b/devices/surface/images/sdt-2.png
new file mode 100644
index 0000000000..be951967f0
Binary files /dev/null and b/devices/surface/images/sdt-2.png differ
diff --git a/devices/surface/images/sdt-3.png b/devices/surface/images/sdt-3.png
new file mode 100644
index 0000000000..0d3077cc1b
Binary files /dev/null and b/devices/surface/images/sdt-3.png differ
diff --git a/devices/surface/images/sdt-4.png b/devices/surface/images/sdt-4.png
new file mode 100644
index 0000000000..babddbb240
Binary files /dev/null and b/devices/surface/images/sdt-4.png differ
diff --git a/devices/surface/images/sdt-5.png b/devices/surface/images/sdt-5.png
new file mode 100644
index 0000000000..5c5346d93a
Binary files /dev/null and b/devices/surface/images/sdt-5.png differ
diff --git a/devices/surface/images/sdt-6.png b/devices/surface/images/sdt-6.png
new file mode 100644
index 0000000000..acf8e684b3
Binary files /dev/null and b/devices/surface/images/sdt-6.png differ
diff --git a/devices/surface/images/sdt-7.png b/devices/surface/images/sdt-7.png
new file mode 100644
index 0000000000..5e16961c6b
Binary files /dev/null and b/devices/surface/images/sdt-7.png differ
diff --git a/devices/surface/images/sdt-desk-1.png b/devices/surface/images/sdt-desk-1.png
new file mode 100644
index 0000000000..f1ecc03b30
Binary files /dev/null and b/devices/surface/images/sdt-desk-1.png differ
diff --git a/devices/surface/images/sdt-desk-2.png b/devices/surface/images/sdt-desk-2.png
new file mode 100644
index 0000000000..3d066cb3e5
Binary files /dev/null and b/devices/surface/images/sdt-desk-2.png differ
diff --git a/devices/surface/images/sdt-desk-3.png b/devices/surface/images/sdt-desk-3.png
new file mode 100644
index 0000000000..bbd9709300
Binary files /dev/null and b/devices/surface/images/sdt-desk-3.png differ
diff --git a/devices/surface/images/sdt-desk-4.png b/devices/surface/images/sdt-desk-4.png
new file mode 100644
index 0000000000..f533646605
Binary files /dev/null and b/devices/surface/images/sdt-desk-4.png differ
diff --git a/devices/surface/images/sdt-desk-5.png b/devices/surface/images/sdt-desk-5.png
new file mode 100644
index 0000000000..664828762e
Binary files /dev/null and b/devices/surface/images/sdt-desk-5.png differ
diff --git a/devices/surface/images/sdt-desk-6.png b/devices/surface/images/sdt-desk-6.png
new file mode 100644
index 0000000000..1b9ce9f7e2
Binary files /dev/null and b/devices/surface/images/sdt-desk-6.png differ
diff --git a/devices/surface/manage-surface-dock-firmware-updates.md b/devices/surface/manage-surface-dock-firmware-updates.md
deleted file mode 100644
index 45bf61629f..0000000000
--- a/devices/surface/manage-surface-dock-firmware-updates.md
+++ /dev/null
@@ -1,124 +0,0 @@
----
-title: Manage Surface Dock firmware updates (Surface)
-description: Read about the different methods you can use to manage the process of Surface Dock firmware updates.
-ms.assetid: 86DFC0C0-C842-4CD1-A2D7-4425471FFE3F
-ms.localizationpriority: medium
-keywords: firmware, update, install, drivers
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.pagetype: surface, devices
-ms.sitesec: library
-author: jobotto
-ms.author: jdecker
-ms.topic: article
-ms.date: 07/27/2017
----
-
-# Manage Surface Dock firmware updates
-
-
-Read about the different methods you can use to manage the process of Surface Dock firmware updates.
-
-The Surface Dock provides external connectivity to Surface devices through a single cable connection that includes Power, Ethernet, Audio, USB 3.0, and DisplayPort. The numerous connections provided by the Surface Dock are enabled by a smart chipset within the Surface Dock device. Like a Surface device’s chipset, the chipset that is built into the Surface Dock is controlled by firmware. For more information about the Surface Dock, see the [Surface Dock demonstration](https://technet.microsoft.com/mt697552) video.
-
-Like the firmware for Surface devices, firmware for Surface Dock is also contained within a downloaded driver that is visible in Device Manager. This driver stages the firmware update files on the Surface device. When a Surface Dock is connected and the driver is loaded, the newer version of the firmware staged by the driver is detected and firmware files are copied to the Surface Dock. The Surface Dock then begins a two-phase process to apply the firmware internally. Each phase requires the Surface Dock to be disconnected from the Surface device before the firmware is applied. The driver copies the firmware into the dock, but only applies it when the user disconnects the Surface device from the Surface Dock. This ensures that there are no disruptions because the firmware is only applied when the user leaves their desk with the device.
-
-
->[!NOTE]
->You can learn more about the firmware update process for Surface devices and how firmware is updated through driver installation at the following links:
->- [How to manage and update Surface drivers and firmware](https://technet.microsoft.com/mt697551) from Microsoft Mechanics
->- [Windows Update Makes Surface Better](https://go.microsoft.com/fwlink/p/?LinkId=785354) on the Microsoft Devices Blog
-
-
-
-
-The Surface Dock firmware update process shown in Figure 1 follows these steps:
-
-1. Drivers for Surface Dock are installed on Surface devices that are connected, or have been previously connected, to a Surface Dock.
-
-2. The drivers for Surface Dock are loaded when a Surface Dock is connected to the Surface device.
-
-3. The firmware version installed in the Surface Dock is compared with the firmware version staged by the Surface Dock driver.
-
-4. If the firmware version on the Surface Dock is older than the firmware version contained in the Surface Dock driver, the main chipset firmware update files are copied from the driver to the Surface Dock.
-
-5. When the Surface Dock is disconnected, the Surface Dock installs the firmware update to the main chipset.
-
-6. When the Surface Dock is connected again, the main chipset firmware is verified against the firmware present in the Surface Dock driver.
-
-7. If the firmware update for the main chipset is installed successfully, the Surface Dock driver copies the firmware update for the DisplayPort.
-
-8. When the Surface Dock is disconnected for a second time, the Surface dock installs the firmware update to the DisplayPort chipset. This process takes up to 3 minutes to apply.
-
-
-
-*1- Driver installation can be performed by Windows Update, manual installation, or automatically downloaded with Microsoft Surface Dock Updater*
-
-*2 - The Surface Dock firmware installation process takes approximately 3 minutes*
-
-Figure 1. The Surface Dock firmware update process
-
-If the firmware installation process is interrupted (for example, if power is disconnected from the Surface Dock during firmware installation), the Surface Dock will automatically revert to the prior firmware without disruption to the user, and the update process will restart the next time the Surface Dock is disconnected. For most users this update process should be entirely transparent.
-
-## Methods for updating Surface Dock firmware
-
-
-There are three methods you can use to update the firmware of the Surface Dock:
-
-- [Automatic installation of drivers with Windows Update](#automatic-installation)
-
-- [Deployment of drivers downloaded from the Microsoft Download Center](#deployment-dlc)
-
-- [Manually update with Microsoft Surface Dock Updater](#manual-updater)
-
-## Automatic installation with Windows Update
-
-
-Windows Update is the method that most users will use. The drivers for the Surface Dock are downloaded automatically from Windows Update and the dock update process is initiated without additional user interaction. The two-phase dock update process described earlier occurs in the background as the user connects and disconnects the Surface Dock during normal use.
-
->[!NOTE]
->The driver version that is displayed in Device Manager may be different from the firmware version that the Surface Dock is using.
-
-
-
-## Deployment of drivers downloaded from the Microsoft Download Center
-
-
-This method is used mostly in environments where Surface device drivers and firmware are managed separately from Windows Update. See [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md) for more information about the different methods to manage Surface device driver and firmware updates. Updating the Surface Dock firmware through this method involves downloading and deploying an MSI package to the Surface device that contains the updated Surface Dock drivers and firmware. This is the same method recommended for updating all other Surface drivers and firmware. The two-phase firmware update process occurs in the background each time the Surface Dock is disconnected, just like it does with the Windows Update method.
-
-For more information about how to deploy MSI packages see [Create and deploy an application with System Center Configuration Manager](https://docs.microsoft.com/sccm/apps/get-started/create-and-deploy-an-application).
-
->[!NOTE]
->When drivers are installed through Windows Update or the MSI package, registry keys are added that indicate the version of firmware installed on the Surface Dock and contained within the Surface Dock driver. These registry keys can be found in:
-> **HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\WUDF\\Services\\SurfaceDockFwUpdate\\Parameters**
-
-Firmware status is displayed for both the main chipset (displayed as **Component10**) and the DisplayPort chipset (displayed as **Component20**). For each chipset there are four keys, where *xx* is **10** or **20** corresponding to each chipset:
-
-- **Component*xx*CurrentFwVersion** – This key displays the version of firmware that is installed on the currently connected or most recently connected Surface Dock.
-
-- **Component*xx*OfferFwVersion** – This key displays the version of firmware staged by the Surface Dock driver.
-
-- **Component*xx*FirmwareUpdateStatus** – This key displays the stage of the Surface Dock firmware update process.
-
-- **Component*xx*FirmwareUpdateStatusRejectReason** – This key changes as the firmware update is processed. It should result in 0 after the successful installation of Surface Dock firmware.
-
->[!NOTE]
->These registry keys are not present unless you have installed updated Surface Dock drivers through Windows Update or MSI deployment.
-
-
-
-## Manually update with Microsoft Surface Dock Updater
-
-
-The manual method using the Microsoft Surface Dock Updater tool to update the Surface Dock is used mostly in environments where IT prepares Surface Docks prior to delivery to the end user, or for troubleshooting of a Surface Dock. Microsoft Surface Dock Updater is a tool that you can run from any Surface device that is compatible with the Surface Dock, and will walk you through the process of performing the Surface Dock firmware update in the least possible amount of time. You can also use this tool to verify the firmware status of a connected Surface Dock.
-
-For more information about how to use the Microsoft Surface Dock Updater tool, please see [Microsoft Surface Dock Updater](surface-dock-updater.md). You can download the Microsoft Surface Dock Updater tool from the [Surface Tools for IT page](https://www.microsoft.com/download/details.aspx?id=46703) on the Microsoft Download Center.
-
-
-
-
-
-
-
-
-
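Review bot: Deleting this topic removes the registry-based way to check dock firmware state (the `Component*xx*CurrentFwVersion`, `Component*xx*OfferFwVersion`, `Component*xx*FirmwareUpdateStatus` and `Component*xx*FirmwareUpdateStatusRejectReason` values under `HKLM\Software\Microsoft\Windows NT\CurrentVersion\WUDF\Services\SurfaceDockFwUpdate\Parameters`), along with the description of the two-phase update and the automatic revert to the prior firmware when installation is interrupted. Nothing visible in this change moves that text elsewhere. Confirm it is covered in surface-dock-updater.md or the update topic before removing it, because those values are how an administrator verifies that a dock is running the offered firmware.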
diff --git a/devices/surface/surface-diagnostic-toolkit-business.md b/devices/surface/surface-diagnostic-toolkit-business.md
new file mode 100644
index 0000000000..46ae3be55e
--- /dev/null
+++ b/devices/surface/surface-diagnostic-toolkit-business.md
@@ -0,0 +1,165 @@
+---
+title: Surface Diagnostic Toolkit for Business
+description: This topic explains how to use the Surface Diagnostic Toolkit for Business.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerms
+ms.author: jdecker
+ms.topic: article
+ms.date: 11/15/2018
+---
+
+# Surface Diagnostic Toolkit for Business
+
+The Microsoft Surface Diagnostic Toolkit for Business (SDT) enables IT administrators to quickly investigate, troubleshoot, and resolve hardware, software, and firmware issues with Surface devices. You can run a range of diagnostic tests and software repairs in addition to obtaining device health insights and guidance for resolving issues.
+
+Specifically, SDT for Business enables you to:
+
+- [Customize the package.](#create-custom-sdt)
+- [Run the app using commands.](surface-diagnostic-toolkit-command-line.md)
+- [Run multiple hardware tests to troubleshoot issues.](surface-diagnostic-toolkit-desktop-mode.md#multiple)
+- [Generate logs for analyzing issues.](surface-diagnostic-toolkit-desktop-mode.md#logs)
+- [Obtain detailed report comparing device vs optimal configuration.](surface-diagnostic-toolkit-desktop-mode.md#detailed-report)
+
+
+## Primary scenarios and download resources
+
+To run SDT for Business, download the components listed in the following table.
+
+>[!NOTE]
+>In contrast to the way you typically install MSI packages, the SDT distributable MSI package can only be created by running Windows Installer (MSI.exe) at a command prompt and setting the custom flag `ADMINMODE = 1`. For details, see [Run Surface Diagnostic Toolkit using commands](surface-diagnostic-toolkit-command-line.md).
+
+Mode | Primary scenarios | Download | Learn more
+--- | --- | --- | ---
+Desktop mode | Assist users in running SDT on their Surface devices to troubleshoot issues.
Create a custom package to deploy on one or more Surface devices allowing users to select specific logs to collect and analyze. | SDT distributable MSI package:
Microsoft Surface Diagnostic Toolkit for Business Installer
[Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) | [Use Surface Diagnostic Toolkit in desktop mode](surface-diagnostic-toolkit-desktop-mode.md)
+Command line | Directly troubleshoot Surface devices remotely without user interaction, using standard tools such as Configuration Manager. It includes the following commands:
`-DataCollector` collects all log files
`-bpa` runs health diagnostics using Best Practice Analyzer.
`-windowsupdate` checks Windows update for missing firmware or driver updates.
**Note:** Support for the ability to confirm warranty information will be available via the command `-warranty` | SDT console app:
Microsoft Surface Diagnostics App Console
[Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) | [Run Surface Diagnostic Toolkit using commands](surface-diagnostic-toolkit-command-line.md)
+
+## Supported devices
+
+SDT for Business is supported on Surface 3 and later devices, including:
+
+- Surface Pro 6
+- Surface Laptop 2
+- Surface Go
+- Surface Go with LTE
+- Surface Book 2
+- Surface Pro with LTE Advanced (Model 1807)
+- Surface Pro (Model 1796)
+- Surface Laptop
+- Surface Studio
+- Surface Studio 2
+- Surface Book
+- Surface Pro 4
+- Surface 3 LTE
+- Surface 3
+- Surface Pro 3
+
+## Installing Surface Diagnostic Toolkit for Business
+
+To create an SDT package that you can distribute to users in your organization, you first need to install SDT at a command prompt and set a custom flag to install the tool in admin mode. SDT contains the following install option flags:
+
+- `SENDTELEMETRY` sends telemetry data to Microsoft. The flag accepts `0` for disabled or `1` for enabled. The default value is `1` to send telemetry.
+- `ADMINMODE` configures the tool to be installed in admin mode. The flag accepts `0` for Business client mode or `1` for Business Administrator mode. The default value is `0`.
+
+**To install SDT in ADMINMODE:**
+
+1. Sign in to your Surface device using the Administrator account.
+2. Download SDT Windows Installer Package (.msi) from the [Surface Tools for IT download page](https://www.microsoft.com/download/details.aspx?id=46703) and copy it to a preferred location on your Surface device, such as Desktop.
+3. Open a command prompt and enter:
+
+ ```
+ msiexec.exe /i ADMINMODE=1.
+ ```
+ **Example:**
+
+ ```
+ C:\Users\Administrator> msiexec.exe/I"C:\Users\Administrator\Desktop\Microsoft_Surface_Diagnostic_Toolkit_for_Business_Installer.msi" ADMINMODE=1
+ ```
+
+4. The SDT setup wizard appears, as shown in figure 1. Click **Next**.
+
+ >[!NOTE]
+ >If the setup wizard does not appear, ensure that you are signed into the Administrator account on your computer.
+
+ 
+
+ *Figure 1. Surface Diagnostic Toolkit setup wizard*
+
+5. When the SDT setup wizard appears, click **Next**, accept the End User License Agreement (EULA), and select a location to install the package.
+
+6. Click **Next** and then click **Install**.
+
+## Locating SDT on your Surface device
+
+Both SDT and the SDT app console are installed at `C:\Program Files\Microsoft\Surface\Microsoft Surface Diagnostic Toolkit for Business`.
+
+In addition to the .exe file, SDT installs a JSON file and an admin.dll file (modules\admin.dll), as shown in figure 2.
+
+
+
+*Figure 2. Files installed by SDT*
+
+
+## Preparing the SDT package for distribution
+
+Creating a custom package allows you to target the tool to specific known issues.
+
+1. Click **Start > Run**, enter **Surface** and then click **Surface Diagnostic Toolkit for Business**.
+2. When the tool opens, click **Create Custom Package**, as shown in figure 3.
+
+ 
+
+ *Figure 3. Create custom package*
+
+### Language and telemetry page
+
+
+When you start creating the custom package, you’re asked whether you agree to send data to Microsoft to help improve the application. For more information,see the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement). Sharing is on by default, so uncheck the box if you wish to decline.
+
+>[!NOTE]
+>This setting is limited to only sharing data generated while running packages.
+
+
+
+*Figure 4. Select language and telemetry settings*
+
+### Windows Update page
+
+Select the option appropriate for your organization. Most organizations with multiple users will typically select to receive updates via Windows Server Update Services (WSUS), as shown in figure 5. If using local Windows update packages or WSUS, enter the path as appropriate.
+
+
+
+*Figure 5. Windows Update option*
+
+### Software repair page
+
+This allows you to select or remove the option to run software repair updates.
+
+
+
+*Figure 6. Software repair option*
+
+### Collecting logs and saving package page
+
+You can select to run a wide range of logs across applications, drivers, hardware, and the operating system. Click the appropriate area and select from the menu of available logs. You can then save the package to a software distribution point or equivalent location that users can access.
+
+
+
+*Figure 7. Log option and save package*
+
+## Next steps
+
+- [Use Surface Diagnostic Toolkit for Business in desktop mode](surface-diagnostic-toolkit-desktop-mode.md)
+- [Use Surface Diagnostic Toolkit for Business using commands](surface-diagnostic-toolkit-command-line.md)
+
+
+
+
+
+
+
+
+
+
+
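Review bot: The step 3 command `msiexec.exe /i ADMINMODE=1.` has no package path after `/i` and ends in a period, so it cannot be run as written, and the example under it runs `msiexec.exe/I"C:\...` together with no spaces. Suggest adding a placeholder for the .msi path, dropping the period, and spacing the example as `msiexec.exe /i "C:\Users\Administrator\Desktop\Microsoft_Surface_Diagnostic_Toolkit_for_Business_Installer.msi" ADMINMODE=1`. The note near the top also names the installer as `MSI.exe` and writes the flag as `ADMINMODE = 1` with spaces, which disagrees with step 3. Steps 4 and 5 both tell the reader to click **Next** when the setup wizard appears, so one of them can go. Because `SENDTELEMETRY` defaults to `1`, an install line showing `SENDTELEMETRY=0` would help organizations that need telemetry off. Minor: `information,see` is missing a space in the Language and telemetry section.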
diff --git a/devices/surface/surface-diagnostic-toolkit-command-line.md b/devices/surface/surface-diagnostic-toolkit-command-line.md
new file mode 100644
index 0000000000..8d5cf4009c
--- /dev/null
+++ b/devices/surface/surface-diagnostic-toolkit-command-line.md
@@ -0,0 +1,148 @@
+---
+title: Run Surface Diagnostic Toolkit for Business using commands
+description: How to run Surface Diagnostic Toolkit in a command console
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerms
+ms.author: jdecker
+ms.topic: article
+ms.date: 11/15/2018
+---
+
+# Run Surface Diagnostic Toolkit for Business using commands
+
+Running the Surface Diagnostic Toolkit (SDT) at a command prompt requires downloading the STD app console. After it's installed, you can run SDT at a command prompt via the Windows command console (cmd.exe) or using Windows PowerShell, including PowerShell Integrated Scripting Environment (ISE), which provides support for autocompletion of commands, copy/paste, and other features.
+
+>[!NOTE]
+>To run SDT using commands, you must be signed in to the Administrator account or signed in to an account that is a member of the Administrator group on your Surface device.
+
+## Running SDT app console
+
+Download and install SDT app console from the [Surface Tools for IT download page](https://www.microsoft.com/download/details.aspx?id=46703). You can use the Windows command prompt (cmd.exe) or Windows PowerShell to:
+
+- Collect all log files.
+- Run health diagnostics using Best Practice Analyzer.
+- Check update for missing firmware or driver updates.
+
+>[!NOTE]
+>In this release, the SDT app console supports single commands only. Running multiple command line options requires running the console exe separately for each command.
+
+By default, output files are saved in the same location as the console app. Refer to the following table for a complete list of commands.
+
+Command | Notes
+--- | ---
+-DataCollector "output file" | Collects system details into a zip file. "output file" is the file path to create system details zip file.
**Example**:
`Microsoft.Surface.Diagnostics.App.Console.exe -DataCollector SDT_DataCollection.zip`
+-bpa "output file" | Checks several settings and health indicators in the device. “output file" is the file path to create the HTML report.
**Example**:
`Microsoft.Surface.Diagnostics.App.Console.exe -bpa BPA.html`
+-windowsupdate | Checks Windows Update online servers for missing firmware and/or driver updates.
**Example**:
Microsoft.Surface.Diagnostics.App.Console.exe -windowsupdate
+-warranty "output file" | Checks warranty information on the device (valid or invalid). The optional “output file” is the file path to create the xml file.
**Example**:
Microsoft.Surface.Diagnostics.App.Console.exe –warranty “warranty.xml”
+
+
+>[!NOTE]
+>To run the SDT app console remotely on target devices, you can use a configuration management tool such as System Center Configuration Manager. Alternatively, you can create a .zip file containing the console app and appropriate console commands and deploy per your organization’s software distribution processes.
+
+## Running Best Practice Analyzer
+
+You can run BPA tests across key components such as BitLocker, Secure Boot, and Trusted Platform Module (TPM) and then output the results to a shareable file. The tool generates a series of tables with color-coded headings and condition descriptors along with guidance about how to approach resolving the issue.
+
+- Green indicates the component is running in an optimal condition (optimal).
+- Orange indicates the component is not running in an optimal condition (not optimal).
+- Red indicates the component is in an abnormal state.
+
+### Sample BPA results output
+
+
+BitLocker |
+Description: | Checks if BitLocker is enabled on the system drive. |
+Value: | Protection On |
+Condition: | Optimal |
+Guidance: | It is highly recommended to enable BitLocker to protect your data. |
+
+
+
+Secure Boot |
+Description: | Checks if Secure Boot is enabled. |
+Value: | True |
+Condition: | Optimal |
+Guidance: | It is highly recommended to enable Secure Boot to protect your PC. |
+
+
+
+Trusted Platform Module |
+Description: | Ensures that the TPM is functional. |
+Value: | True |
+Condition: | Optimal |
+Guidance: | Without a functional TPM, security-based functions such as BitLocker may not work properly. |
+
+
+
+Connected Standby |
+Description: | Checks if Connected Standby is enabled. |
+Value: | True |
+Condition: | Optimal |
+Guidance: | Connected Standby allows a Surface device to receive updates and notifications while not being used. For best experience, Connected Standby should be enabled. |
+
+
+
+Bluetooth |
+Description: | Checks if Bluetooth is enabled. |
+Value: | Enabled |
+Condition: | Optimal |
+Guidance: | |
+
+
+
+Debug Mode |
+Description: | Checks if the operating system is in Debug mode. |
+Value: | Normal |
+Condition: | Optimal |
+Guidance: | The debug boot option enables or disables kernel debugging of the Windows operating system. Enabling this option can cause system instability and can prevent DRM (digital rights managemend) protected media from playing. |
+
+
+
+Test Signing |
+Description: | Checks if Test Signing is enabled. |
+Value: | Normal |
+Condition: | Optimal |
+Guidance: | Test Signing is a Windows startup setting that should only be used to test pre-release drivers. |
+
+
+
+Active Power Plan |
+Description: | Checks that the correct power plan is active. |
+Value: | Balanced |
+Condition: | Optimal |
+Guidance: | It is highly recommended to use the "Balanced" power plan to maximize productivity and battery life. |
+
+
+
+Windows Update |
+Description: | Checks if the device is up to date with Windows updates. |
+Value: | Microsoft Silverlight (KB4023307), Definition Update for Windows Defender Antivirus - KB2267602 (Definition 1.279.1433.0) |
+Condition: | Not Optimal |
+Guidance: | Updating to the latest windows makes sure you are on the latest firmware and drivers. It is recommended to always keep your device up to date |
+
+
+
+Free Hard Drive Space |
+Description: | Checks for low free hard drive space. |
+Value: | 66% |
+Condition: | Optimal |
+Guidance: | For best performance, your hard drive should have at least 10% of its capacity as free space. |
+
+
+
+Non-Functioning Devices |
+Description: | List of non-functioning devices in Device Manager. |
+Value: | |
+Condition: | Optimal |
+Guidance: | Non-functioning devices in Device Manager may cause unpredictable problems with Surface devices such as, but not limited to, no power savings for the respective hardware component. |
+
+
+
+External Monitor |
+Description: | Checks for an external monitor that may have compatibility issues. |
+Value: | |
+Condition: | Optimal |
+Guidance: | Check with the original equipment manufacturer for compatibility with your Surface device. |
+
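Review bot: The `-warranty` example in the command table is typed with an en dash and curly quotes (`–warranty “warranty.xml”`), which may not be recognized as the option when pasted into a console; use a plain hyphen and straight quotes, and put this example and the `-windowsupdate` one in backticks like the first two rows. The `-bpa` and `-warranty` rows also mix a curly opening quote with a straight closing quote around "output file". The table documents `-warranty` as a working command, while surface-diagnostic-toolkit-business.md in this same change says support for it "will be available", so one of the two needs updating. Typos: `STD app console` in the first paragraph should be SDT, and `managemend` in the Debug Mode guidance.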
diff --git a/devices/surface/surface-diagnostic-toolkit-desktop-mode.md b/devices/surface/surface-diagnostic-toolkit-desktop-mode.md
new file mode 100644
index 0000000000..ee76845656
--- /dev/null
+++ b/devices/surface/surface-diagnostic-toolkit-desktop-mode.md
@@ -0,0 +1,99 @@
+---
+title: Use Surface Diagnostic Toolkit for Business in desktop mode
+description: How to use SDT to help users in your organization run the tool to identify and diagnose issues with the Surface device.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerms
+ms.author: jdecker
+ms.topic: article
+ms.date: 11/15/2018
+---
+
+# Use Surface Diagnostic Toolkit for Business in desktop mode
+
+This topic explains how to use the Surface Diagnostic Toolkit (SDT) to help users in your organization run the tool to identify and diagnose issues with the Surface device. Successfully running SDT can quickly determine if a reported issue is caused by failed hardware or user error.
+
+1. Direct the user to install [the SDT package](surface-diagnostic-toolkit-business.md#create-custom-sdt) from a software distribution point or network share. After it is installed, you’re ready to guide the user through a series of tests.
+
+2. Begin at the home page, which allows users to enter a description of the issue, and click **Continue**, as shown in figure 1.
+
+ 
+
+ *Figure 1. SDT in desktop mode*
+
+3. When SDT indicates the device has the latest updates, click **Continue** to advance to the catalog of available tests, as shown in figure 2.
+
+ 
+
+ *Figure 2. Select from SDT options*
+
+4. You can choose to run all the diagnostic tests. Or, if you already suspect a particular issue such as a faulty display or a power supply problem, click **Select** to choose from the available tests and click **Run Selected**, as shown in figure 3. See the following table for details of each test.
+
+ 
+
+ *Figure 3. Select hardware tests*
+
+ Hardware test | Description
+ --- | ---
+ Power Supply and Battery | Checks Power supply is functioning optimally
+ Display and Sound | Checks brightness, stuck or dead pixels, speaker and microphone functioning
+ Ports and Accessories | Checks accessories, screen attach and USB functioning
+ Connectivity | Checks Bluetooth, wireless and LTE connectivity
+ Security | Checks security related issues
+ Touch | Checks touch related issues
+ Keyboard and touch | Checks integrated keyboard connection and type cover
+ Sensors | Checks functioning of different sensors in the device
+ Hardware | Checks issues with different hardware components such as graphics card and camera
+
+
+
+
+
+
+## Running multiple hardware tests to troubleshoot issues
+
+SDT is designed as an interactive tool that runs a series of tests. For each test, SDT provides instructions summarizing the nature of the test and what users should expect or look for in order for the test to be successful. For example, to diagnose if the display brightness is working properly, SDT starts at zero and increases the brightness to 100 percent, asking users to confirm – by answering **Yes** or **No** -- that brightness is functioning as expected, as shown in figure 4.
+
+For each test, if functionality does not work as expected and the user clicks **No**, SDT generates a report of the possible causes and ways to troubleshoot it.
+
+
+
+*Figure 4. Running hardware diagnostics*
+
+1. If the brightness successfully adjusts from 0-100 percent as expected, direct the user to click **Yes** and then click **Continue**.
+2. If the brightness fails to adjust from 0-100 percent as expected, direct the user to click **No** and then click **Continue**.
+3. Guide users through remaining tests as appropriate. When finished, SDT automatically provides a high-level summary of the report, including the possible causes of any hardware issues along with guidance for resolution.
+
+
+### Repairing applications
+
+SDT enables you to diagnose and repair applications that may be causing issues, as shown in figure 5.
+
+
+
+*Figure 5. Running repairs*
+
+
+
+
+
+### Generating logs for analyzing issues
+
+SDT provides extensive log-enabled diagnosis support across applications, drivers, hardware, and operating system issues, as shown in figure 6.
+
+
+
+*Figure 6. Generating logs*
+
+
+
+
+### Generating detailed report comparing device vs. optimal configuration
+
+Based on the logs, SDT generates a report for software- and firmware-based issues that you can save to a preferred location.
+
+## Related topics
+
+- [Run Surface Diagnostic Toolkit for Business using commands](surface-diagnostic-toolkit-command-line.md)
+
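Review bot: Step 1 links to `surface-diagnostic-toolkit-business.md#create-custom-sdt`, but no heading or anchor with that id is visible in that file as added here (the matching section is titled "Preparing the SDT package for distribution"). The same applies to the `#multiple`, `#logs` and `#detailed-report` targets that the business topic points at in this file. Either add explicit anchors or link to the ids generated from the headings. In the hardware test table, the row `Security | Checks security related issues` does not say what is checked, and the `Keyboard and touch` description covers only the keyboard and type cover, overlapping the separate `Touch` row.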
diff --git a/devices/surface/surface-dock-updater.md b/devices/surface/surface-dock-updater.md
index 925b058eb0..9c644b79eb 100644
--- a/devices/surface/surface-dock-updater.md
+++ b/devices/surface/surface-dock-updater.md
@@ -112,7 +112,7 @@ Microsoft Surface Dock Updater logs its progress into the Event Log, as shown in
## Changes and updates
-Microsoft periodically updates Surface Dock Updater. To learn more about the application of firmware by Surface Dock Updater, see [Manage Surface Dock firmware updates](https://technet.microsoft.com/itpro/surface/manage-surface-dock-firmware-updates).
+Microsoft periodically updates Surface Dock Updater.
>[!Note]
>Each update to Surface Dock firmware is included in a new version of Surface Dock Updater. To update a Surface Dock to the latest firmware, you must use the latest version of Surface Dock Updater.
@@ -191,7 +191,7 @@ This version of Surface Dock Updater adds support for the following:
* Update for Surface Dock DisplayPort firmware
-## Related topics
+
-[Manage Surface Dock firmware updates](manage-surface-dock-firmware-updates.md)
+
diff --git a/devices/surface/update.md b/devices/surface/update.md
index 29e0b9517b..df7a6e3c5d 100644
--- a/devices/surface/update.md
+++ b/devices/surface/update.md
@@ -8,7 +8,7 @@ ms.sitesec: library
author: heatherpoulsen
ms.author: jdecker
ms.topic: article
-ms.date: 12/01/2016
+ms.date: 11/13/2018
---
# Surface firmware and driver updates
@@ -22,7 +22,6 @@ Find out how to download and manage the latest firmware and driver updates for y
|[Wake On LAN for Surface devices](wake-on-lan-for-surface-devices.md) | See how you can use Wake On LAN to remotely wake up devices to perform management or maintenance tasks, or to enable management solutions automatically. |
| [Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)| Get a list of the available downloads for Surface devices and links to download the drivers and firmware for your device.|
| [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md)| Explore the available options to manage firmware and driver updates for Surface devices.|
-| [Manage Surface Dock firmware updates](manage-surface-dock-firmware-updates.md)| Read about the different methods you can use to manage the process of Surface Dock firmware updates.|
| [Surface Dock Updater](surface-dock-updater.md)| Get a detailed walkthrough of Microsoft Surface Dock Updater.|
diff --git a/education/docfx.json b/education/docfx.json
index c01be28758..227546b56a 100644
--- a/education/docfx.json
+++ b/education/docfx.json
@@ -9,7 +9,7 @@
],
"resource": [
{
- "files": ["**/images/**", "**/*.json"],
+ "files": ["**/images/**"],
"exclude": ["**/obj/**"]
}
],
diff --git a/education/windows/change-to-pro-education.md b/education/windows/change-to-pro-education.md
index b7173afa9b..d6bd7cb98c 100644
--- a/education/windows/change-to-pro-education.md
+++ b/education/windows/change-to-pro-education.md
@@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: edu
ms.localizationpriority: medium
author: MikeBlodge
-ms.author: MikeBlodge
+ms.author: jaimeo
ms.date: 04/30/2018
---
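Review bot: `ms.author` changes to `jaimeo` but the `author:` line just above it still reads `MikeBlodge`, whereas s-mode-switch-to-edu.md in this same change moves `author` to `jaimeo`. If ownership of the topic has moved, update both fields here as well.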
diff --git a/education/windows/s-mode-switch-to-edu.md b/education/windows/s-mode-switch-to-edu.md
index 285f3bea98..e9dabad759 100644
--- a/education/windows/s-mode-switch-to-edu.md
+++ b/education/windows/s-mode-switch-to-edu.md
@@ -8,8 +8,8 @@ ms.prod: w10
ms.technology: Windows
ms.sitesec: library
ms.pagetype: edu
-ms.date: 04/30/2018
-author: Mikeblodge
+ms.date: 12/03/2018
+author: jaimeo
---
# Switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode
@@ -54,7 +54,7 @@ Tenant-wide Windows 10 Pro in S mode > Pro Education in S mode
Tenant-wide Windows 10 Pro > Pro Education
> [!IMPORTANT]
-> While it’s free to switch to Windows 10 Pro, it’s not reversible. The only way to rollback this kind of switch is through a [bare metal recover (BMR)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/create-media-to-run-push-button-reset-features-s14) reset. This restores a Windows device to the factory state, even if the user needs to replace the hard drive or completely wipe the drive clean. If a device is switched out of S mode via the Microsoft Store, it will remain out of S mode even after the device is reset.
+> While it’s free to switch to Windows 10 Pro, it’s not reversible. The only way to roll back this kind of switch is through a [bare metal recovery (BMR)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/create-media-to-run-push-button-reset-features-s14) reset. This restores a Windows device to the factory state, even if the user needs to replace the hard drive or completely wipe the drive clean. If a device is switched out of S mode via the Microsoft Store, it will remain out of S mode even after the device is reset.
### Devices running Windows 10, version 1709
diff --git a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md
index ceacdbb6dc..2473c384ee 100644
--- a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md
+++ b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md
@@ -56,7 +56,7 @@ Use the following table to get information about supported versions of Office an
-[Planning for Using App-V with coexsiting versions of Office](planning-for-using-app-v-with-office.md#bkmk-plan-coexisting) |
+[Planning for Using App-V with coexisting versions of Office](planning-for-using-app-v-with-office.md#bkmk-plan-coexisting) |
Considerations for installing different versions of Office on the same computer |
diff --git a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v51.md b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v51.md
index d2b4fb5e5e..3cf91ddf99 100644
--- a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v51.md
+++ b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v51.md
@@ -56,7 +56,7 @@ Use the following table to get information about supported versions of Office an
-[Planning for Using App-V with coexsiting versions of Office](planning-for-using-app-v-with-office.md#bkmk-plan-coexisting) |
+[Planning for Using App-V with coexisting versions of Office](planning-for-using-app-v-with-office.md#bkmk-plan-coexisting) |
Considerations for installing different versions of Office on the same computer |
diff --git a/mdop/dart-v10/getting-started-with-dart-10.md b/mdop/dart-v10/getting-started-with-dart-10.md
index f301a986ed..daca6358aa 100644
--- a/mdop/dart-v10/getting-started-with-dart-10.md
+++ b/mdop/dart-v10/getting-started-with-dart-10.md
@@ -14,13 +14,12 @@ ms.date: 08/30/2016
# Getting Started with DaRT 10
-Microsoft Diagnostics and Recovery Toolset (DaRT) 10 requires thorough planning before you deploy it or use its features. If you are new to this product, we recommend that you read the documentation carefully. Before you deploy the product to a production environment, we also recommend that you validate your deployment plan in a test network environment. You might also consider taking a class about relevant technologies. For more information about Microsoft training opportunities, see the Microsoft Training Overview at [https://go.microsoft.com/fwlink/p/?LinkId=80347](https://go.microsoft.com/fwlink/?LinkId=80347).
-
-**Note**
-A downloadable version of this administrator’s guide is not available. However, you can learn about a special mode of the TechNet Library that allows you to select articles, group them in a collection, and print them or export them to a file at (https://go.microsoft.com/fwlink/?LinkId=272493).
-
-Additional downloadable information about this product can also be found at .
+Microsoft Diagnostics and Recovery Toolset (DaRT) 10 requires thorough planning before you deploy it or use its features. If you are new to this product, we recommend that you read the documentation carefully. Before you deploy the product to a production environment, we also recommend that you validate your deployment plan in a test network environment. You might also consider taking a class about relevant technologies.
+>[!NOTE]
+>A downloadable version of this administrator’s guide is not available. However, you can click **Download PDF** at the bottom of the Table of Contents pane to get a PDF version of this guide.
+>
+>Additional information about this product can also be found on the [Diagnostics and Recovery Toolset documentation download page.](https://www.microsoft.com/download/details.aspx?id=27754)
## Getting started with DaRT 10
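Review bot: The new note contradicts itself: its first sentence says a downloadable version of the guide "is not available", and the next tells the reader to click **Download PDF** to get a PDF version. Drop or reword the first sentence so the note gives one answer. The closing period also sits inside the link text in `[Diagnostics and Recovery Toolset documentation download page.]` and should move outside the bracket.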
diff --git a/mdop/docfx.json b/mdop/docfx.json
index a6ff6398ef..530722278f 100644
--- a/mdop/docfx.json
+++ b/mdop/docfx.json
@@ -9,7 +9,7 @@
],
"resource": [
{
- "files": ["**/images/**", "**/*.json"],
+ "files": ["**/images/**"],
"exclude": ["**/obj/**"]
}
],
diff --git a/mdop/index.md b/mdop/index.md
index 757a88fd9a..4764ce169b 100644
--- a/mdop/index.md
+++ b/mdop/index.md
@@ -167,7 +167,7 @@ MDOP is a suite of products that can help streamline desktop deployment, managem
MDOP subscribers can download the software at the [Microsoft Volume Licensing website (MVLS)](https://go.microsoft.com/fwlink/p/?LinkId=166331).
**Purchase MDOP**
-Visit the enterprise [Purchase Windows Enterprise Licensing](https://www.microsoft.com/windows/enterprise/how-to-buy.aspx) website to find out how to purchase MDOP for your business.
+Visit the enterprise [Purchase Windows Enterprise Licensing](https://www.microsoft.com/licensing/how-to-buy/how-to-buy) website to find out how to purchase MDOP for your business.
diff --git a/mdop/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md b/mdop/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md
index b183080d0a..bb717d6751 100644
--- a/mdop/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md
+++ b/mdop/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md
@@ -22,7 +22,7 @@ You can manage the feature settings of certain Microsoft Desktop Optimization Pa
1. Download the latest [MDOP Group Policy templates](https://www.microsoft.com/en-us/download/details.aspx?id=55531)
-2. Run the downloaded file to extract the template folders.
+2. Expand the downloaded .cab file by running `expand \MDOP_ADMX_Templates.cab -F:* `
**Warning**
Do not extract the templates directly to the Group Policy deployment directory. Multiple technologies and versions are bundled in this file.
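Review bot: The new step 2 command `expand \MDOP_ADMX_Templates.cab -F:* ` starts the source path with a bare backslash and ends with a trailing space where the destination folder should be, so it reads as if two placeholders were lost. `expand` with `-F:*` needs a destination, and the warning right below depends on the reader choosing one that is not the Group Policy deployment directory. Show both the download folder and the destination explicitly, in a form that survives Markdown rendering.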
diff --git a/mdop/uev-v2/security-considerations-for-ue-v-2x-both-uevv2.md b/mdop/uev-v2/security-considerations-for-ue-v-2x-both-uevv2.md
index 09f7739c77..d82e263f02 100644
--- a/mdop/uev-v2/security-considerations-for-ue-v-2x-both-uevv2.md
+++ b/mdop/uev-v2/security-considerations-for-ue-v-2x-both-uevv2.md
@@ -43,7 +43,7 @@ Because settings packages might contain personal information, you should take ca
| User account | Recommended permissions | Folder |
| - | - | - |
- | Creator/Owner | No permissions | No permissions |
+ | Creator/Owner | Full control | Subfolders and files only|
| Domain Admins | Full control | This folder, subfolders, and files |
| Security group of UE-V users | List folder/read data, create folders/append data | This folder only |
| Everyone | Remove all permissions | No permissions |
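Review bot: The Creator/Owner row goes from no permissions to Full control on subfolders and files, and Full control includes the right to change permissions and take ownership of those objects. Confirm that Full control is intended rather than a narrower right, and add a sentence near the table explaining the row, since the hunk header notes that settings packages might contain personal information.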
diff --git a/smb/cloud-mode-business-setup.md b/smb/cloud-mode-business-setup.md
index 393503a4e4..db464151f8 100644
--- a/smb/cloud-mode-business-setup.md
+++ b/smb/cloud-mode-business-setup.md
@@ -297,7 +297,7 @@ In this part of the walkthrough, we'll be working on the Microsoft Intune management portal, select **Admin**.
-2. In the **Administration** workspace, click **Mobile Device Management**. If this is the first tiem you're using the portal, click **manage mobile devices** in the **Mobile Device Management** window. The page will refresh and you'll have new options under **Mobile Device Management**.
+2. In the **Administration** workspace, click **Mobile Device Management**. If this is the first item you're using the portal, click **manage mobile devices** in the **Mobile Device Management** window. The page will refresh and you'll have new options under **Mobile Device Management**.
**Figure 24** - Mobile device management
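Review bot: The `+` line turns "first tiem" into "first item", but the sentence needs "time": "If this is the first time you're using the portal".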
@@ -433,7 +433,7 @@ In the Intune management
2. Log in to the Intune management portal.
3. Select **Groups** and then go to **Devices**.
4. In the **All Devices** page, look at the list of devices and select the entry that matches the name of your PC.
- - Check that the device name appears in the list. Select the device and it will also show the user that's currently logged in in the **General Information** section.
+ - Check that the device name appears in the list. Select the device and it will also show the current logged-in user in the **General Information** section.
- Check the **Management Channel** column and confirm that it says **Managed by Microsoft Intune**.
- Check the **AAD Registered** column and confirm that it says **Yes**.
diff --git a/store-for-business/images/msft-accept-partner.png b/store-for-business/images/msft-accept-partner.png
new file mode 100644
index 0000000000..6b04d822a4
Binary files /dev/null and b/store-for-business/images/msft-accept-partner.png differ
diff --git a/store-for-business/prerequisites-microsoft-store-for-business.md b/store-for-business/prerequisites-microsoft-store-for-business.md
index d0c8a17014..618205cdd5 100644
--- a/store-for-business/prerequisites-microsoft-store-for-business.md
+++ b/store-for-business/prerequisites-microsoft-store-for-business.md
@@ -56,6 +56,7 @@ If your organization restricts computers on your network from connecting to the
- windowsphone.com
- \*.wns.windows.com
- \*.microsoft.com
+- \*.s-microsoft.com
- www.msftncsi.com (prior to Windows 10, version 1607)
- www.msftconnecttest.com/connecttest.txt (replaces www.msftncsi.com
starting with Windows 10, version 1607)
diff --git a/store-for-business/release-history-microsoft-store-business-education.md b/store-for-business/release-history-microsoft-store-business-education.md
index 0b88f3f051..2bcdcd39b9 100644
--- a/store-for-business/release-history-microsoft-store-business-education.md
+++ b/store-for-business/release-history-microsoft-store-business-education.md
@@ -13,7 +13,7 @@ ms.date: 10/31/2018
# Microsoft Store for Business and Education release history
-Microsoft Store for Business and Education regularly releases new and improved feaures. Here's a summary of new or updated features in previous releases.
+Microsoft Store for Business and Education regularly releases new and improved features. Here's a summary of new or updated features in previous releases.
Looking for info on the latest release? Check out [What's new in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md)
@@ -24,7 +24,7 @@ Looking for info on the latest release? Check out [What's new in Microsoft Store
- **App requests** - People in your organization can make requests for apps that they need. hey can also request them on behalf of other people. Admins review requests and can decide on purchases. [Get more info](https://docs.microsoft.com/microsoft-store/acquire-apps-microsoft-store-for-business#allow-app-requests)
## July 2018
-- Bug fixes and permformance improvements.
+- Bug fixes and performance improvements.
## June 2018
- **Change order within private store collection** - Continuing our focus on improvements for private store, now you can customize the order of products in each private store collection.
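Review bot: the unchanged **App requests** bullet at the top of this hunk still reads "hey can also request them on behalf of other people", which is missing the leading "T". This commit is already a typo pass over the file, so fix that line in the same change.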
@@ -39,7 +39,7 @@ Looking for info on the latest release? Check out [What's new in Microsoft Store
- **Office 365 subscription management** - We know that sometimes customers need to cancel a subscription. While we don't want to lose a customer, we want the process for managing subscriptions to be easy. Now, you can delete your Office 365 subscription without calling Support. From Microsoft Store for Business and Education, you can request to delete an Office 365 subscription. We'll wait three days before permanently deleting the subscription. In case of a mistake, customers are welcome to reactivate subscriptions during the three-day period.
## March 2018
-- **Performance improvements in private store** - We've made it significantly faster for you to udpate the private store. Many changes to the private store are available immediately after you make them. [Get more info](https://docs.microsoft.com/microsoft-store/manage-private-store-settings#private-store-performance)
+- **Performance improvements in private store** - We've made it significantly faster for you to update the private store. Many changes to the private store are available immediately after you make them. [Get more info](https://docs.microsoft.com/microsoft-store/manage-private-store-settings#private-store-performance)
- **Private store collection updates** - We’ve made it easier to find apps when creating private store collections – now you can search and filter results.
[Get more info](https://docs.microsoft.com/microsoft-store/manage-private-store-settings#private-store-collections)
- **Manage Skype Communication credits** - Office 365 customers that own Skype Communication Credits can now see and manage them in Microsoft Store for Business. You can view your account, add funds to your account, and manage auto-recharge settings.
@@ -53,20 +53,20 @@ Looking for info on the latest release? Check out [What's new in Microsoft Store
- **Microsoft Product and Services Agreement customers can invite people to take roles** - MPSA admins can invite people to take Microsoft Store for Business roles even if the person is not in their tenant. You provide an email address when you assign the role, and we'll add the account to your tenant and assign the role.
## December 2017
-- Bug fixes and permformance improvements.
+- Bug fixes and performance improvements.
## November 2017
- **Export list of Minecraft: Education Edition users** - Admins and teachers can now export a list of users who have Minecraft: Education Edition licenses assigned to them. Click **Export users**, and Store for Education creates an Excel spreadsheet for you, and saves it as a .csv file.
## October 2017
-- Bug fixes and permformance improvements.
+- Bug fixes and performance improvements.
## September 2017
- **Manage Windows device deployment with Windows Autopilot Deployment** - In Microsoft Store for Business, you can manage devices for your organization and apply an Autopilot deployment profile to your devices. When people in your organization run the out-of-box experience on the device, the profile configures Windows, based on the Autopilot deployment profile you applied to the device. [Get more info](add-profile-to-devices.md)
-- **Request an app** - People in your organization can reqest additional licenses for apps in your private store, and then Admins or Purchasers can make the purchases. [Get more info](https://docs.microsoft.com/microsoft-store/acquire-apps-microsoft-store-for-business#request-apps)
+- **Request an app** - People in your organization can request additional licenses for apps in your private store, and then Admins or Purchasers can make the purchases. [Get more info](https://docs.microsoft.com/microsoft-store/acquire-apps-microsoft-store-for-business#request-apps)
- **My organization** - **My organization** shows you all Agreements that apply to your organization. You can also update profile info for you org, such as mailing address and email associated with your account.
-- **Manage prepaid Office 365 subscriptions** - Office 365 prepaid subscriptions can be redeemed using a prepaid token. Tokens are available through 3rd-party businesses, outside of Microsoft Store for Business or the Office 365 Admin portal. After redemming prepaid subscriptions, Admins can add more licenses or extend the subscription's expiration date.
+- **Manage prepaid Office 365 subscriptions** - Office 365 prepaid subscriptions can be redeemed using a prepaid token. Tokens are available through 3rd-party businesses, outside of Microsoft Store for Business or the Office 365 Admin portal. After redeeming prepaid subscriptions, Admins can add more licenses or extend the subscription's expiration date.
- **Manage Office 365 subscriptions acquired by partners** - Office 365 subscriptions purchased for your organization by a partner or reseller can be managed in Microsoft Store for Business. Admins can assign and manage licenses for these subscriptions.
- **Edge extensions in Microsoft Store** - Edge Extensions are now available from Microsoft Store! You can acquire and distribute them from Microsoft Store for Business just like any other app.
-- **Search results in Microsoft Store for Business** - Search results now have sub categories to help you refine search results.
\ No newline at end of file
+- **Search results in Microsoft Store for Business** - Search results now have sub categories to help you refine search results.
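Review bot: the unchanged **My organization** bullet in the September 2017 list still says "update profile info for you org", which should be "your org". It sits between two lines this hunk corrects, so it is easy to pick up here.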
diff --git a/store-for-business/whats-new-microsoft-store-business-education.md b/store-for-business/whats-new-microsoft-store-business-education.md
index 39896e6c80..45d4c68486 100644
--- a/store-for-business/whats-new-microsoft-store-business-education.md
+++ b/store-for-business/whats-new-microsoft-store-business-education.md
@@ -28,7 +28,7 @@ We’ve been working on bug fixes and performance improvements to provide you a
|-----------------------|---------------------------------|
|  |**Performance improvements in private store**
We've made it significantly faster for you to update the private store. Many changes to the private store are available immediately after you make them.
[Get more info](https://docs.microsoft.com/microsoft-store/manage-private-store-settings#private-store-performance)
**Applies to**:
Microsoft Store for Business
Microsoft Store for Education |
| | **Manage Windows device deployment with Windows Autopilot Deployment**
In Microsoft Store for Business, you can manage devices for your organization and apply an Autopilot deployment profile to your devices. When people in your organization run the out-of-box experience on the device, the profile configures Windows, based on the Autopilot deployment profile you applied to the device.
[Get more info](add-profile-to-devices.md)
**Applies to**:
Microsoft Store for Business
Microsoft Store for Education |
-|  |**Request an app**
People in your organization can reqest additional licenses for apps in your private store, and then Admins or Purchasers can make the purchases.
[Get more info](https://docs.microsoft.com/microsoft-store/acquire-apps-microsoft-store-for-business#request-apps)
**Applies to**:
Microsoft Store for Business
Microsoft Store for Education |
+|  |**Request an app**
People in your organization can request additional licenses for apps in your private store, and then Admins or Purchasers can make the purchases.
[Get more info](https://docs.microsoft.com/microsoft-store/acquire-apps-microsoft-store-for-business#request-apps)
**Applies to**:
Microsoft Store for Business
Microsoft Store for Education |
||  |**Private store collections**
You can groups of apps in your private store with **Collections**. This can help you organize apps and help people find apps for their job or classroom.
[Get more info](https://review.docs.microsoft.com/microsoft-store/manage-private-store-settings?branch=msfb-14856406#add-a-collection)
**Applies to**:
Microsoft Store for Business
Microsoft Store for Education |
-->
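Review bot: the **Private store collections** row kept as context under the corrected row has three problems of its own. It starts with a doubled `||`, it reads "You can groups of apps", and its link points at review.docs.microsoft.com with a `branch=` query instead of docs.microsoft.com like the rows above. The trailing `-->` suggests the block is commented out, but the review link and the wording should be fixed or the row dropped before it is ever re-enabled.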
@@ -69,7 +69,7 @@ We’ve been working on bug fixes and performance improvements to provide you a
- Microsoft Product and Services Agreement customers can invite people to take roles
[December 2017](release-history-microsoft-store-business-education.md#december-2017)
-- Bug fixes and permformance improvements
+- Bug fixes and performance improvements
[November 2017](release-history-microsoft-store-business-education.md#november-2017)
- Export list of Minecraft: Education Edition users
diff --git a/store-for-business/work-with-partner-microsoft-store-business.md b/store-for-business/work-with-partner-microsoft-store-business.md
index f364728d57..0f30df6697 100644
--- a/store-for-business/work-with-partner-microsoft-store-business.md
+++ b/store-for-business/work-with-partner-microsoft-store-business.md
@@ -20,7 +20,7 @@ The process goes like this:
- Admins find and contact a solution provider using **Find a solution provider** in Microsoft Store for Business.
- Solution providers send a request from Partner center to customers to become their solution provider.
- Customers accept the invitation in Microsoft Store for Business and start working with the solution provider.
-- Customers can manage setting for the relationship with Partner in Microsoft Store for Business.
+- Customers can manage settings for the relationship with Partner in Microsoft Store for Business.
## What can a solution provider do for my organization or school?
@@ -59,9 +59,11 @@ The solution provider will get in touch with you. You'll have a chance to learn
Once you've found a solution provider and decided to work with them, they'll send you an invitation to work together from Partner Center. In Microsoft Store for Business or Education, you'll need to accept the invitation. After that, you can manage their permissions.
**To accept a solution provider invitation**
-1. **Follow email link** - You'll receive an email with a link accept the solution provider invitation. The link will take you to Microsoft Store for Business or Education.
+1. **Follow email link** - You'll receive an email with a link to accept the solution provider invitation from your solution provider. The link will take you to Microsoft Store for Business or Education.
2. **Accept invitation** - On **Accept Partner Invitation**, select **Authorize** to accept the invitation, accept terms of the Microsoft Cloud Agreement, and start working with the solution provider.
-
+
+
+
## Delegate admin privileges
Depending on the request made by the solution provider, part of accepting the invitation will include agreeing to give delegated admin privileges to the solution provider. This will happen when the solution provider request includes acting as a delegated administrator. For more information, see [Delegated admin privileges in Azure AD](https://docs.microsoft.com/partner-center/customers_revoke_admin_privileges#delegated-admin-privileges-in-azure-ad).
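Review bot: the rewritten step 1 now says "a link to accept the solution provider invitation from your solution provider", which repeats itself. "A link from your solution provider to accept their invitation" says the same thing once. The next section states that accepting can grant delegated admin privileges, so step 2 could also tell the admin to check which permissions the request includes before selecting **Authorize**. Finally, the two added blank lines after the image are not needed; one is enough before the heading.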
@@ -76,4 +78,4 @@ If you delegate admin privileges to a solution provider, you can remove that lat
3. Choose the Partner you want to manage.
4. Select **Remove Delegated Permissions**.
-The solution provider will still be able to work with you, for example, as a Reseller.
\ No newline at end of file
+The solution provider will still be able to work with you, for example, as a Reseller.
diff --git a/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md b/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md
index 2da4a3b2f6..5a78399b06 100644
--- a/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md
+++ b/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md
@@ -16,7 +16,7 @@ To install the management server on a standalone computer and connect it to the
1. Copy the App-V server installation files to the computer on which you want to install it on. To start the App-V server installation, run **appv\_server\_setup.exe** as an administrator, then select **Install**.
2. On the **Getting Started** page, review and accept the license terms, then select **Next**.
-3. On the **Use Microsoft Update to help keep your computer secure and up-to-date** page, to enable Microsoft Udpate, select **Use Microsoft Update when I check for updates (recommended)**. To disable Microsoft Update, select **I don’t want to use Microsoft Update**, then select **Next**.
+3. On the **Use Microsoft Update to help keep your computer secure and up-to-date** page, to enable Microsoft Update, select **Use Microsoft Update when I check for updates (recommended)**. To disable Microsoft Update, select **I don’t want to use Microsoft Update**, then select **Next**.
4. On the **Feature Selection** page, select the **Management Server** checkbox, then select **Next**.
5. On the **Installation Location** page, accept the default location, then select **Next**.
6. On the **Configure Existing Management Database** page, select **Use a remote SQL Server**, then enter the computer running Microsoft SQL's machine name, such as ```SqlServerMachine```.
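Review bot: step 1, left unchanged above the corrected step 3, still reads "the computer on which you want to install it on", with a doubled "on". Step 6 wraps `SqlServerMachine` in triple backticks where single backticks are meant for inline code. Both are small enough to fix in this typo pass.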
diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md
index 5ee9f992a3..02aa19ebf0 100644
--- a/windows/application-management/apps-in-windows-10.md
+++ b/windows/application-management/apps-in-windows-10.md
@@ -18,124 +18,25 @@ The following types of apps run on Windows 10:
- "Win32" apps - traditional Windows applications.
Digging into the Windows apps, there are two categories:
-- System apps - Apps that are installed in the c:\Windows\* directory. These apps are integral to the OS.
-- Apps - All other apps, installed in c:\Program Files\WindowsApps. There are two classes of apps:
+- Apps - All other apps, installed in C:\Program Files\WindowsApps. There are two classes of apps:
- Provisioned: Installed in user account the first time you sign in with a new user account.
- Installed: Installed as part of the OS.
+- System apps - Apps that are installed in the C:\Windows\* directory. These apps are integral to the OS.
The following tables list the system apps, installed Windows apps, and provisioned Windows apps in a standard Windows 10 Enterprise installation. (If you have a custom image, your specific apps might differ.) The tables list the app, the full name, show the app's status in Windows 10 version 1607, 1703, and 1709, and indicate whether an app can be uninstalled through the UI.
Some of the apps show up in multiple tables - that's because their status changed between versions. Make sure to check the version column for the version you are currently running.
-> [!TIP]
-> Want to see a list of the apps installed on your specific image? You can run the following PowerShell cmdlet:
-> ```powershell
-> Get-AppxPackage | select Name,PackageFamilyName
-> Get-AppxProvisionedPackage -Online | select DisplayName,PackageName
-> ```
-
-## System apps
-
-System apps are integral to the operating system. Here are the typical system apps in Windows 10 versions 1703, 1709, and 1803.
-
-| Name | Full name |1703 | 1709 | 1803 |Uninstall through UI? |
-|------------------|-------------------------------------------|:------:|:------:|:------:|-------------------------------------------------------|
-| Cortana UI | CortanaListenUIApp | x | | |No |
-| | Desktop Learning | x | | |No |
-| | DesktopView | x | | |No |
-| | EnvironmentsApp | x | | |No |
-| Mixed Reality + | HoloCamera | x | | |No |
-| Mixed Reality + | HoloItemPlayerApp | x | | |No |
-| Mixed Reality + | HoloShell | x | | |No |
-| | InputApp | | x | x |No |
-| | Microsoft.AAD.Broker.Plugin | x | x | x |No |
-| | Microsoft.AccountsControl | x | x | x |No |
-| Hello setup UI | Microsoft.BioEnrollment | x | x | x |No |
-| | Microsoft.CredDialogHost | x | x | x |No |
-| | Microsoft.ECApp | | x | x |No |
-| | Microsoft.LockApp | x | x | x |No |
-| Microsoft Edge | Microsoft.Microsoft.Edge | x | x | x |No |
-| | Microsoft.PPIProjection | x | x | x |No |
-| | Microsoft.Windows. Apprep.ChxApp | x | x | x |No |
-| | Microsoft.Windows. AssignedAccessLockApp | x | x | x |No |
-| | Microsoft.Windows. CloudExperienceHost | x | x | x |No |
-| | Microsoft.Windows. ContentDeliveryManager | x | x | x |No |
-| Cortana | Microsoft.Windows.Cortana | x | x | x |No |
-| | Microsoft.Windows. Holographic.FirstRun | x | x | x |No |
-| | Microsoft.Windows. ModalSharePickerHost | x | | |No |
-| | Microsoft.Windows. OOBENetworkCaptivePort | x | x | x |No |
-| | Microsoft.Windows. OOBENetworkConnectionFlow | x | x | x |No |
-| | Microsoft.Windows. ParentalControls | x | x | x |No |
-| People Hub | Microsoft.Windows. PeopleExperienceHost | | x | x |No |
-| | Microsoft.Windows. PinningConfirmationDialog | | x | x |No |
-| | Microsoft.Windows. SecHealthUI | x | x | x |No |
-| | Microsoft.Windows. SecondaryTileExperience | x | x | |No |
-| | Microsoft.Windows. SecureAssessmentBrowser | x | x | x |No |
-| Start | Microsoft.Windows. ShellExperienceHost | x | x | x |No |
-| Windows Feedback | Microsoft.WindowsFeedback | * | * | |No |
-| | Microsoft.XboxGameCallableUI | x | x | x |No |
-| Contact Support* | Windows.ContactSupport | x | * | |Via Optional Features app |
-| Settings | Windows.ImmersiveControlPanel | x | x | |No |
-| Connect | Windows.MiracastView | x | | |No |
-| Print 3D | Windows.Print3D | | x | |Yes |
-| Print UI | Windows.PrintDialog | x | x | x |No |
-| Purchase UI | Windows.PurchaseDialog | | | x |No |
-| | Microsoft.AsyncTextService | | | x |No |
-| | Microsoft.MicrosoftEdgeDevToolsClient | | | x |No |
-| | Microsoft.Win32WebViewHost | | | x |No |
-| | Microsoft.Windows.CapturePicker | | | x |No |
-| | Windows.CBSPreview | | | x |No |
-|File Picker | 1527c705-839a-4832-9118-54d4Bd6a0c89 | | | x |No |
-|File Explorer | c5e2524a-ea46-4f67-841f-6a9465d9d515 | | | x |No |
-|App Resolver | E2A4F912-2574-4A75-9BB0-0D023378592B | | | x |No |
-|Add Suggested folder Dialog box| F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE|| | x |No |
-
-> [!NOTE]
-> - The Contact Support app changed to Get Help in version 1709. Get Help is a provisioned app (instead of system app like Contact Support).
-
-## Installed Windows apps
-
-Here are the typical installed Windows apps in Windows 10 versions 1703, 1709, and 1803.
-
-| Name | Full name | 1703 | 1709 | 1803 |Uninstall through UI? |
-|--------------------|------------------------------------------|:----:|:----:|:----:|:----------------------:|
-| Remote Desktop | Microsoft.RemoteDesktop | x | x | | Yes |
-| PowerBI | Microsoft.Microsoft PowerBIforWindows | x | | | Yes |
-| Code Writer | ActiproSoftwareLLC.562882FEEB491 | x | x | x | Yes |
-| Eclipse Manager | 46928bounde.EclipseManager | x | x | x | Yes |
-| Pandora | PandoraMediaInc.29680B314EFC2 | x | x | x | Yes |
-| Photoshop Express | AdobeSystemIncorporated. AdobePhotoshop | x | x | x | Yes |
-| Duolingo | D5EA27B7.Duolingo- LearnLanguagesforFree | x | x | x | Yes |
-| Network Speed Test | Microsoft.NetworkSpeedTest | x | x | x | Yes |
-| News | Microsoft.BingNews | x | x | x | Yes |
-| Flipboard | | | | | Yes |
-| | Microsoft.Advertising.Xaml | x | x | x | Yes |
-| | Microsoft.NET.Native.Framework.1.2 | x | x | x | Yes |
-| | Microsoft.NET.Native.Framework.1.3 | x | x | x | Yes |
-| | Microsoft.NET.Native.Framework.1.6 | | x | x | Yes |
-| | Microsoft.NET.Native.Framework.1.7 | | | x | Yes |
-| | Microsoft.NET.Native.Framework.2.0 | | x | x | Yes |
-| | Microsoft.NET.Native.Runtime.1.1 | | x | x | Yes |
-| | Microsoft.NET.Native.Runtime.1.3 | x | x | | Yes |
-| | Microsoft.NET.Native.Runtime.1.4 | x | x | x | Yes |
-| | Microsoft.NET.Native.Runtime.1.6 | | x | x | Yes |
-| | Microsoft.NET.Native.Runtime.1.7 | | | x | Yes |
-| | Microsoft.NET.Native.Runtime.2.0 | | x | x | Yes |
-| | Microsoft.Services.Store.Engagement | | x | x | Yes |
-| | Microsoft.VCLibs.120.00 | x | x | x | Yes |
-| | Microsoft.VCLibs.140.00 | x | x | x | Yes |
-| | Microsoft.VCLibs.120.00.Universal | | x | | Yes |
-| | Microsoft.VCLibs.140.00.UWPDesktop | | | x | Yes |
-| | Microsoft.WinJS.2.0 | x | | | Yes |
----
## Provisioned Windows apps
Here are the provisioned Windows apps in Windows 10 versions 1703, 1709, 1803 and 1809.
-```
-> Get-AppxProvisionedPackage -Online | Select-Object DisplayName, PackageName
-```
+> [!TIP]
+> You can list all provisioned Windows apps with this PowerShell command:
+> ```
+> Get-AppxProvisionedPackage -Online | Format-Table DisplayName, PackageName
+> ```
| Package name | App name | 1703 | 1709 | 1803 | 1809 | Uninstall through UI? |
|----------------------------------------|--------------------------------------------------------------------------------------------------------------------|:----:|:----:|:----:|:----:|:---------------------:|
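Review bot: moving the "System apps" bullet below "Apps - All other apps" leaves "All other" with nothing to refer back to, because the category it is contrasted with now comes after it. Either keep System apps first or reword the Apps bullet so it stands alone. The unchanged intro paragraph also still says the tables cover versions 1607, 1703, and 1709, while the provisioned table has columns through 1809. The new TIP fence also drops the `powershell` language tag that the removed tip had.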
@@ -152,7 +53,7 @@ Here are the provisioned Windows apps in Windows 10 versions 1703, 1709, 1803 an
| Microsoft.MicrosoftStickyNotes | [Microsoft Sticky Notes](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe) | x | x | x | x | No |
| Microsoft.MixedReality.Portal | [Mixed Reality Portal](ms-windows-store://pdp/?PFN=Microsoft.MixedReality.Portal_8wekyb3d8bbwe) | | | | x | No |
| Microsoft.MSPaint | [Paint 3D](ms-windows-store://pdp/?PFN=Microsoft.MSPaint_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.Office.OneNote | [OneNote](ms-windows-store://pdp/?PFN=Microsoft.Office.OneNote_8wekyb3d8bbwe) | x | x | x | x | Yes |
+| Microsoft.Office.OneNote | [OneNote](ms-windows-store://pdp/?PFN=Microsoft.Office.OneNote_8wekyb3d8bbwe) | x | x | x | x | Yes |
| Microsoft.OneConnect | [Paid Wi-Fi & Cellular](ms-windows-store://pdp/?PFN=Microsoft.OneConnect_8wekyb3d8bbwe) | x | x | x | x | No |
| Microsoft.People | [Microsoft People](ms-windows-store://pdp/?PFN=Microsoft.People_8wekyb3d8bbwe) | x | x | x | x | No |
| Microsoft.Print3D | [Print 3D](ms-windows-store://pdp/?PFN=Microsoft.Print3D_8wekyb3d8bbwe) | | x | x | x | No |
@@ -185,4 +86,106 @@ Here are the provisioned Windows apps in Windows 10 versions 1703, 1709, 1803 an
---
>[!NOTE]
>The Store app can't be removed. If you want to remove and reinstall the Store app, you can only bring Store back by either restoring your system from a backup or resetting your system. Instead of removing the Store app, you should use group policies to hide or disable it.
+---
+
+## System apps
+
+System apps are integral to the operating system. Here are the typical system apps in Windows 10 versions 1703, 1709, and 1803.
+
+> [!TIP]
+> You can list all system apps with this PowerShell command:
+> ```
+> Get-AppxPackage -PackageTypeFilter Main | ? { $_.SignatureKind -eq "System" } | Sort Name | Format-Table Name, InstallLocation
+> ```
+
+| Name | Package Name | 1703 | 1709 | 1803 | Uninstall through UI? |
+|----------------------------------|---------------------------------------------|:-----:|:----:|:----:|-----------------------|
+| File Picker | 1527c705-839a-4832-9118-54d4Bd6a0c89 | | | x | No |
+| File Explorer | c5e2524a-ea46-4f67-841f-6a9465d9d515 | | | x | No |
+| App Resolver UX | E2A4F912-2574-4A75-9BB0-0D023378592B | | | x | No |
+| Add Suggested Folders To Library | F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE | | | x | No |
+| | InputApp | | x | x | No |
+| Cortana UI | CortanaListenUIApp | x | | | No |
+| | Desktop Learning | x | | | No |
+| | DesktopView | x | | | No |
+| | EnvironmentsApp | x | | | No |
+| Mixed Reality + | HoloCamera | x | | | No |
+| Mixed Reality + | HoloItemPlayerApp | x | | | No |
+| Mixed Reality + | HoloShell | x | | | No |
+| | Microsoft.AAD.Broker.Plugin | x | x | x | No |
+| | Microsoft.AccountsControl | x | x | x | No |
+| | Microsoft.AsyncTextService | | | x | No |
+| Hello setup UI | Microsoft.BioEnrollment | x | x | x | No |
+| | Microsoft.CredDialogHost | x | x | x | No |
+| | Microsoft.ECApp | | x | x | No |
+| | Microsoft.LockApp | x | x | x | No |
+| Microsoft Edge | Microsoft.MicrosoftEdge | x | x | x | No |
+| | Microsoft.MicrosoftEdgeDevToolsClient | | | x | No |
+| | Microsoft.PPIProjection | x | x | | No |
+| | Microsoft.Win32WebViewHost | | | x | No |
+| | Microsoft.Windows.Apprep.ChxApp | x | x | x | No |
+| | Microsoft.Windows.AssignedAccessLockApp | x | x | x | No |
+| | Microsoft.Windows.CapturePicker | | | x | No |
+| | Microsoft.Windows.CloudExperienceHost | x | x | x | No |
+| | Microsoft.Windows.ContentDeliveryManager | x | x | x | No |
+| Cortana | Microsoft.Windows.Cortana | x | x | x | No |
+| | Microsoft.Windows.Holographic.FirstRun | x | x | | No |
+| | Microsoft.Windows.ModalSharePickerHost | x | | | No |
+| | Microsoft.Windows.OOBENetworkCaptivePort | x | x | x | No |
+| | Microsoft.Windows.OOBENetworkConnectionFlow | x | x | x | No |
+| | Microsoft.Windows.ParentalControls | x | x | x | No |
+| People Hub | Microsoft.Windows.PeopleExperienceHost | | x | x | No |
+| | Microsoft.Windows.PinningConfirmationDialog | | x | x | No |
+| | Microsoft.Windows.SecHealthUI | x | x | x | No |
+| | Microsoft.Windows.SecondaryTileExperience | x | x | | No |
+| | Microsoft.Windows.SecureAssessmentBrowser | x | x | x | No |
+| Start | Microsoft.Windows.ShellExperienceHost | x | x | x | No |
+| Windows Feedback | Microsoft.WindowsFeedback | * | * | | No |
+| | Microsoft.XboxGameCallableUI | x | x | x | No |
+| | Windows.CBSPreview | | | x | No |
+| Contact Support* | Windows.ContactSupport | x | * | | Via Settings App |
+| Settings | Windows.immersivecontrolpanel | x | x | x | No |
+| Connect | Windows.MiracastView | x | | | No |
+| Print 3D | Windows.Print3D | | x | | Yes |
+| Print UI | Windows.PrintDialog | x | x | x | No |
+| Purchase UI | Windows.PurchaseDialog | | | | No |
+
+
+> [!NOTE]
+> - The Contact Support app changed to Get Help in version 1709. Get Help is a provisioned app (instead of system app like Contact Support).
+
+## Installed Windows apps
+
+Here are the typical installed Windows apps in Windows 10 versions 1703, 1709, and 1803.
+
+| Name | Full name | 1703 | 1709 | 1803 |Uninstall through UI? |
+|--------------------|------------------------------------------|:----:|:----:|:----:|:---------------------:|
+| Remote Desktop | Microsoft.RemoteDesktop | x | x | | Yes |
+| PowerBI | Microsoft.Microsoft PowerBIforWindows | x | | | Yes |
+| Code Writer | ActiproSoftwareLLC.562882FEEB491 | x | x | x | Yes |
+| Eclipse Manager | 46928bounde.EclipseManager | x | x | x | Yes |
+| Pandora | PandoraMediaInc.29680B314EFC2 | x | x | x | Yes |
+| Photoshop Express | AdobeSystemIncorporated. AdobePhotoshop | x | x | x | Yes |
+| Duolingo | D5EA27B7.Duolingo- LearnLanguagesforFree | x | x | x | Yes |
+| Network Speed Test | Microsoft.NetworkSpeedTest | x | x | x | Yes |
+| News | Microsoft.BingNews | x | x | x | Yes |
+| Flipboard | | | | | Yes |
+| | Microsoft.Advertising.Xaml | x | x | x | Yes |
+| | Microsoft.NET.Native.Framework.1.2 | x | x | x | Yes |
+| | Microsoft.NET.Native.Framework.1.3 | x | x | x | Yes |
+| | Microsoft.NET.Native.Framework.1.6 | | x | x | Yes |
+| | Microsoft.NET.Native.Framework.1.7 | | | x | Yes |
+| | Microsoft.NET.Native.Framework.2.0 | | x | x | Yes |
+| | Microsoft.NET.Native.Runtime.1.1 | | x | x | Yes |
+| | Microsoft.NET.Native.Runtime.1.3 | x | x | | Yes |
+| | Microsoft.NET.Native.Runtime.1.4 | x | x | x | Yes |
+| | Microsoft.NET.Native.Runtime.1.6 | | x | x | Yes |
+| | Microsoft.NET.Native.Runtime.1.7 | | | x | Yes |
+| | Microsoft.NET.Native.Runtime.2.0 | | x | x | Yes |
+| | Microsoft.Services.Store.Engagement | | x | x | Yes |
+| | Microsoft.VCLibs.120.00 | x | x | x | Yes |
+| | Microsoft.VCLibs.140.00 | x | x | x | Yes |
+| | Microsoft.VCLibs.120.00.Universal | | x | | Yes |
+| | Microsoft.VCLibs.140.00.UWPDesktop | | | x | Yes |
+| | Microsoft.WinJS.2.0 | x | | | Yes |
---
\ No newline at end of file
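Review bot: the re-added System apps table is not a straight move, and the **Purchase UI** row (Windows.PurchaseDialog) now has no version marked at all, where the removed row had an x under 1803. Other cells changed as well: Microsoft.PPIProjection and Microsoft.Windows.Holographic.FirstRun lose their 1803 mark, Settings gains one, and Contact Support changes from "Via Optional Features app" to "Via Settings App". Please confirm each of these is intended and say so in the commit message, because the diff otherwise reads as a reorder. The new TIP command uses the aliases `?` and `Sort` in an untagged fence. Spelling out `Where-Object` and `Sort-Object` and tagging the fence as `powershell` would match the rest of the docs. The file also still ends without a trailing newline.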
diff --git a/windows/application-management/msix-app-packaging-tool.md b/windows/application-management/msix-app-packaging-tool.md
index 92024688fb..c92489e73a 100644
--- a/windows/application-management/msix-app-packaging-tool.md
+++ b/windows/application-management/msix-app-packaging-tool.md
@@ -8,228 +8,30 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: mikeblodge
ms.topic: article
-ms.date: 10/18/2018
+ms.date: 12/03/2018
---
# Repackage existing win32 applications to the MSIX format
-The MSIX Packaging Tool 1.2018.1005.0 is now available to install from the Microsoft Store. The MSIX Packaging Tool enables you to repackage your existing win32 applications to the MSIX format. You can run your desktop installers through this tool interactively and obtain an MSIX package that you can install on your machine and upload to the Microsoft Store.
+MSIX is a packaging format built to be safe, secure and reliable, based on a combination of .msi, .appx, App-V and ClickOnce installation technologies. You can [use the MSIX packaging tool](https://docs.microsoft.com/windows/msix/packaging-tool/create-app-package-msi-vm) to repackage your existing Win32 applications to the MSIX format.
-> Prerequisites:
+You can either run your installer interactivly (through the UI) or create a package from the command line. Either way, you can convert an application without having the source code. Then, you can make your app available through the Microsoft Store.
+
+- [Package your favorite application installer](https://docs.microsoft.com/windows/msix/packaging-tool/create-app-package-msi-vm) interactively (msi, exe, App-V 5.x and ClickOnce) in MSIX format.
+- Create a [modification package](https://docs.microsoft.com/windows/msix/packaging-tool/package-editor) to update an existing MSIX package.
+- [Bundle multiple MSIX packages](https://docs.microsoft.com/windows/msix/packaging-tool/bundle-msix-packages) for distribution.
+
+## Installing the MSIX Packaging Tool
+
+### Prerequisites
- Windows 10, version 1809 (or later)
- Participation in the Windows Insider Program (if you're using an Insider build)
- A valid Microsoft account (MSA) alias to access the app from the Microsoft Store
- Admin privileges on your PC account
-## Installing the MSIX Packaging Tool
+### Get the app from the Microsoft Store
1. Use the MSA login associated with your Windows Insider Program credentials in the [Microsoft Store](https://www.microsoft.com/store/r/9N5LW3JBCXKF).
2. Open the product description page.
-3. Click the install icon to begin installation.
-
-Here is what you can expect to be able to do with this tool:
-
-- Package your favorite application installer interactively (msi, exe, App-V 5.x and ClickOnce) to MSIX format by launching the tool and selecting **Application package** icon.
-- Create a modification package for a newly created Application MSIX Package by launching the tool and selecting the **Modification package** icon.
-- Open your MSIX package to view and edit its content/properties by navigating to the **Open package editor** tab. Browse to the MSIX package and select **Open package**.
-
-## Creating an application package using the Command line interface
-To create a new MSIX package for your application, run the MsixPackagingTool.exe create-package command in a Command prompt window.
-
-Here are the parameters that can be passed as command line arguments:
-
-
-|Parameter |Description |
-|---------|---------|
-|-?
--help | Show help information |
-|--template | [required] path to the conversion template XML file containing package information and settings for this conversion |
-|--virtualMachinePassword | [optional] The password for the Virtual Machine to be used for the conversion environment. Notes: The template file must contain a VirtualMachine element and the Settings::AllowPromptForPassword attribute must not be set to true. |
-
-Examples:
-
-- MsixPackagingTool.exe create-package --template c:\users\documents\ConversionTemplate.xml
-- MSIXPackagingTool.exe create-package --template c:\users\documents\ConversionTemplate.xml --virtualMachinePassword pswd112893
-
-## Creating an application package using virtual machines
-
-You can select to perform the packaging steps on a virtual machine. To do this:
-- Click on Application package and select “Create package on an existing virtual machine” in the select environment page.
-- The tool will then query for existing Virtual machines and allows you to select one form a drop down menu.
-- Once a VM is selected the tool will ask for user and password. The username field accepts domain\user entries as well.
-
-When using local virtual machines as conversion environment, the tool leverages an authenticated remote PowerShell connection to configure the virtual machine. A lightweight WCF server then provides bidirectional communication between the host and target environment.
-
-Requirements:
-- Virtual Machine need to have PSRemoting enabled. (Enable-PSRemoting command should be run on the VM)
-- Virtual Machine needs to be configured for Windows Insider Program similar to the host machine. Minimum Windows 10 build 17701
-
-
-## Conversion template file
-
-
-```xml
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-```
-
-## Conversion template parameter reference
-Here is the complete list of parameters that you can use in the Conversion template file. When a virtual machine is conversion environment, all file paths(installer, savelocation, etc) should be declared relative to the host, where the tool is running)
-
-
-|ConversionSettings entries |Description |
-|---------|---------|
-|Settings:: AllowTelemetry |[optional] Enables telemetry logging for this invocation of the tool. |
-|Settings:: ApplyAllPrepareComputerFixes |[optional] Applies all recommended prepare computer fixes. Cannot be set when other attributes are used. |
-|Settings:: GenerateCommandLineFile |[optional] Copies the template file input to the SaveLocation directory for future use. |
-|Settings:: AllowPromptForPassword |[optional] Instructs the tool to prompt the user to enter passwords for the Virtual Machine and for the signing certificate if it is required and not specified. |
-|Settings:: EnforceMicrosoftStoreVersioningRequirements|[optional] Instructs the tool to enforce the package versioning scheme required for deployment from Microsoft Store and Microsoft Store for Business.|
-|ExclusionItems |[optional] 0 or more FileExclusion or RegistryExclusion elements. All FileExclusion elements must appear before any RegistryExclusion elements. |
-|ExclusionItems::FileExclusion |[optional] A file to exclude for packaging. |
-|ExclusionItems::FileExclusion::ExcludePath |Path to file to exclude for packaging. |
-|ExclusionItems::RegistryExclusion |[optional] A registry key to exclude for packaging. |
-|ExclusionItems::RegistryExclusion:: ExcludePath |Path to registry to exclude for packaging. |
-|PrepareComputer::DisableDefragService |[optional] Disables Windows Defragmenter while the app is being converted. If set to false, overrides ApplyAllPrepareComputerFixes. |
-|PrepareComputer:: DisableWindowsSearchService |[optional] Disables Windows Search while the app is being converted. If set to false, overrides ApplyAllPrepareComputerFixes. |
-|PrepareComputer:: DisableSmsHostService |[optional] Disables SMS Host while the app is being converted. If set to false, overrides ApplyAllPrepareComputerFixes. |
-|PrepareComputer:: DisableWindowsUpdateService |[optional] Disables Windows Update while the app is being converted. If set to false, overrides ApplyAllPrepareComputerFixes. |
-|SaveLocation |[optional] An element to specify the save location of the tool. If not specified, the package will be saved under the Desktop folder. |
-|SaveLocation::PackagePath |[optional] The path to the file or folder where the resulting MSIX package is saved. |
-|SaveLocation::TemplatePath |[optional] The path to the file or folder where the resulting CLI template is saved. |
-|Installer::Path |The path to the application installer. |
-|Installer::Arguments |The arguments to pass to the installer. You must pass the arguments to force your installer to run unattended/silently. If the installer is an msi or appv, pass an empty argument ie Installer=””. |
-|Installer::InstallLocation |[optional] The full path to your application's root folder for the installed files if it were installed (e.g. "C:\Program Files (x86)\MyAppInstalllocation"). |
-|VirtualMachine |[optional] An element to specify that the conversion will be run on a local Virtual Machine. |
-|VrtualMachine::Name |The name of the Virtual Machine to be used for the conversion environment. |
-|VirtualMachine::Username |[optional] The user name for the Virtual Machine to be used for the conversion environment. |
-|PackageInformation::PackageName |The Package Name for your MSIX package. |
-|PackageInformation::PackageDisplayName |The Package Display Name for your MSIX package. |
-|PackageInformation::PublisherName |The Publisher for your MSIX package. |
-|PackageInformation::PublisherDisplayName |The Publisher Display Name for your MSIX package. |
-|PackageInformation::Version |The version number for your MSIX package. |
-|PackageInformation:: MainPackageNameForModificationPackage |[optional] The Package identity name of the main package name. This is used when creating a modification package that takes a dependency on a main (parent) application. |
-|Applications |[optional] 0 or more Application elements to configure the Application entries in your MSIX package. |
-|Application::Id |The App ID for your MSIX application. This ID will be used for the Application entry detected that matches the specified ExecutableName. You can have multiple Application ID for executables in the package |
-|Application::ExecutableName |The executable name for the MSIX application that will be added to the package manifest. The corresponding application entry will be ignored if no application with this name is detected. |
-|Application::Description |[optional] The App Description for your MSIX application. If not used, the Application DisplayName will be used. This description will be used for the application entry detected that matches the specified ExecutableName |
-|Application::DisplayName |The App Display Name for your MSIX package. This Display Name will be used for the application entry detected that matches the specified ExecutableName |
-|Capabilities |[optional] 0 or more Capability elements to add custom capabilities to your MSIX package. “runFullTrust” capability is added by default during conversion. |
-|Capability::Name |The capability to add to your MSIX package. |
-
-## Delete temporary conversion files using Command line interface
-To delete all the temporary package files, logs, and artifacts created by the tool, run the MsixPackagingTool.exe cleanup command in the Command line window.
-
-Example:
-- MsixPackagingTool.exe cleanup
-
-## How to file feedback
-
-Open Feedback Hub. Alternatively, launch the tool and select the **Settings** gear icon in the top right corner to open the Feedback tab. Here you can file feedback for suggestions, problems, and see other feedback items.
-
-## Best practices
-
-- When Packaging ClickOnce installers, it is necessary to send a shortcut to the desktop if the installer is not doing so already. In general, it's a good practice to always send a shortcut to your desktop for the main app executable.
-- When creating modification packages, you need to declare the **Package Name** (Identity Name) of the parent application in the tool UI so that the tool sets the correct package dependency in the manifest of the modification package.
-- Declaring an installation location field on the Package information page is optional but *recommended*. Make sure that this path matches the installation location of application Installer.
-- Performing the preparation steps on the **Prepare Computer** page is optional but *highly recommended*.
-
-## Known issues
-- MSIX Packaging Tool Driver will fail to install if Windows Insider flight ring settings do no match the OS build of the conversion environment. Navigate to Settings, Updates & Security, Windows Insider Program to make sure your Insider preview build settings do not need attention. If you see this message click on the Fix me button to log in again. You might have to go to Windows Update page and check for update before settings change takes effect. Then try to run the tool again to download the MSIX Packaging Tool driver. If you are still hitting issues, try changing your flight ring to Canary or Insider Fast, install the latest Windows updates and try again.
-- Restarting the machine during application installation is not supported. Please ignore the restart request if possible or pass an argument to the installer to not require a restart.
-- Setting **EnforceMicrosoftStoreVersioningRequirements=true**, when using the command line interface, will throw an error, even if the vesrion is set correctly. To work around this issue, use **EnforceMicrosoftStoreVersioningRequirements=false** in the conversion template file.
-- Adding files to MSIX packages in package editor does not add the file to the folder that the user right-clicks. To work around this issue, ensure that the file being added is in the correct classic app location. For example if you want to add a file in the VFS\ProgramFilesx86\MyApp folder, copy the file locally to your C:\Program Files (86)\MyApp location first, then in the package editor right-click **Package files**, and then click **Add file**. Browse to the newly copied file, then click **Save**.
+3. Click the install icon to begin installation.
\ No newline at end of file
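Review bot: The added introduction still says you can "create a package from the command line", but this hunk deletes the whole "Creating an application package using the Command line interface" section, the conversion template parameter reference, and the known issues list without pointing to where that content now lives. Add a link next to that sentence or keep a short pointer section. If the command-line content is being moved rather than dropped, replace the example that passes a literal password (`--virtualMachinePassword pswd112893`) with the prompt-based `AllowPromptForPassword` setting in its new home. In the same added paragraph, "interactivly" should be "interactively". The file now ends without a trailing newline after "3. Click the install icon to begin installation."; add one.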
diff --git a/windows/client-management/TOC.md b/windows/client-management/TOC.md
index 93b1e53290..7369a791fd 100644
--- a/windows/client-management/TOC.md
+++ b/windows/client-management/TOC.md
@@ -14,6 +14,14 @@
## [Troubleshoot Windows 10 clients](windows-10-support-solutions.md)
### [Data collection for troubleshooting 802.1x Authentication](data-collection-for-802-authentication.md)
### [Advanced troubleshooting 802.1x authentication](advanced-troubleshooting-802-authentication.md)
+### [Advanced troubleshooting for Windows boot problems](advanced-troubleshooting-boot-problems.md)
### [Advanced troubleshooting Wireless Network Connectivity](advanced-troubleshooting-wireless-network-connectivity.md)
+### [Advanced troubleshooting for Windows-based computer freeze issues](troubleshoot-windows-freeze.md)
+### [Advanced troubleshooting for Stop error or blue screen error issue](troubleshoot-stop-errors.md)
+### [Advanced troubleshooting for TCP/IP](troubleshoot-tcpip.md)
+#### [Collect data using Network Monitor](troubleshoot-tcpip-netmon.md)
+#### [Troubleshoot TCP/IP connectivity](troubleshoot-tcpip-connectivity.md)
+#### [Troubleshoot port exhaustion issues](troubleshoot-tcpip-port-exhaust.md)
+#### [Troubleshoot Remote Procedure Call (RPC) errors](troubleshoot-tcpip-rpc-errors.md)
## [Mobile device management for solution providers](mdm/index.md)
## [Change history for Client management](change-history-for-client-management.md)
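Review bot: The new TOC titles do not follow one pattern. "Advanced troubleshooting for Stop error or blue screen error issue" is singular where "Advanced troubleshooting for Windows-based computer freeze issues" is plural, and the new "Advanced troubleshooting for ..." entries sit beside the existing "Advanced troubleshooting Wireless Network Connectivity", which has no "for". Settle on one form, and check that each entry matches the `title:` in the target file's front matter, as the boot-problems entry does.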
diff --git a/windows/client-management/advanced-troubleshooting-boot-problems.md b/windows/client-management/advanced-troubleshooting-boot-problems.md
new file mode 100644
index 0000000000..207d12b5d3
--- /dev/null
+++ b/windows/client-management/advanced-troubleshooting-boot-problems.md
@@ -0,0 +1,389 @@
+---
+title: Advanced troubleshooting for Windows boot problems
+description: Learn how to troubleshoot when Windows is unable to boot
+ms.prod: w10
+ms.sitesec: library
+author: kaushika-msft
+ms.localizationpriority: medium
+ms.author: elizapo
+ms.date: 11/16/2018
+---
+
+# Advanced troubleshooting for Windows boot problems
+
+>[!NOTE]
+>This article is intended for use by support agents and IT professionals. If you're looking for more general information about recovery options, see [Recovery options in Windows 10](https://support.microsoft.com/help/12415).
+
+## Summary
+
+There are several reasons why a Windows-based computer may have problems during startup. To troubleshoot boot problems, first determine in which of the following phases the computer gets stuck:
+
+| **Phase** | **Boot Process** | **BIOS** | **UEFI** |
+|--------|----------------------|------------------------------| |
+| 1 | PreBoot | MBR/PBR (Bootstrap Code) | UEFI Firmware |
+| 2 | Windows Boot Manager | %SystemDrive%\bootmgr | \EFI\Microsoft\Boot\bootmgfw.efi |
+| 3 | Windows OS Loader | %SystemRoot%\system32\winload.exe | %SystemRoot%\system32\winload.efi |
+| 4 | Windows NT OS Kernel | %SystemRoot%\system32\ntoskrnl.exe | |
+
+
+**1. PreBoot**
+
+The PC’s firmware initiates a Power-On Self Test (POST) and loads firmware settings. This pre-boot process ends when a valid system disk is detected. Firmware reads the master boot record (MBR), and then starts Windows Boot
+Manager.
+
+**2. Windows Boot Manager**
+
+Windows Boot Manager finds and starts the Windows loader (Winload.exe) on the Windows boot partition.
+
+**3. Windows operating system loader**
+
+Essential drivers required to start the Windows kernel are loaded and the kernel starts to run.
+
+**4. Windows NT OS Kernel**
+
+The kernel loads into memory the system registry hive and additional drivers that are marked as BOOT_START.
+
+The kernel passes control to the session manager process (Smss.exe) which initializes the system session, and loads and starts the devices and drivers that are not marked BOOT_START.
+
+Here is a summary of the boot sequence, what will be seen on the display, and typical boot problems at that point in the sequence. Before starting troubleshooting, you have to understand the outline of the boot process and display status to ensure that the issue is properly identified at the beginning of the engagement.
+
+
+[Click to enlarge](img-boot-sequence.md)
+
+
+
+
+Each phase has a different approach to troubleshooting. This article provides troubleshooting techniques for problems that occur during the first three phases.
+
+>[!NOTE]
+>If the computer repeatedly boots to the recovery options, run the following command at a command prompt to break the cycle:
+>
+>`Bcdedit /set {default} recoveryenabled no`
+>
+>If the F8 options don't work, run the following command:
+>
+>`Bcdedit /set {default} bootmenupolicy legacy`
+
+
+## BIOS phase
+
+To determine whether the system has passed the BIOS phase, follow these steps:
+
+1. If there are any external peripherals connected to the computer, disconnect them.
+2. Check whether the hard disk drive light on the physical computer is working. If it is not working, this indicates that the startup process is stuck at the BIOS phase.
+3. Press the NumLock key to see whether the indicator light toggles on and off. If it does not, this indicates that the startup process is stuck at BIOS.
+
+If the system is stuck at the BIOS phase, there may be a hardware problem.
+
+## Boot loader phase
+
+If the screen is completely black except for a blinking cursor, or if you receive one of the following error codes, this indicates that the boot process is stuck in the Boot Loader phase:
+
+- Boot Configuration Data (BCD) missing or corrupted
+- Boot file or MBR corrupted
+- Operating system Missing
+- Boot sector missing or corrupted
+- Bootmgr missing or corrupted
+- Unable to boot due to system hive missing or corrupted
+
+To troubleshoot this problem, use Windows installation media to start the computer, press Shift+F10 for a command prompt, and then use any of the following methods.
+
+
+### Method 1: Startup Repair tool
+
+The Startup Repair tool automatically fixes many common problems. The tool also lets you quickly diagnose and repair more complex startup problems. When the computer detects a startup problem, the computer starts the Startup Repair tool. When the tool starts, it performs diagnostics. These diagnostics include analyzing startup log files to determine the cause of the problem. When the Startup Repair tool determines the cause, the tool tries to fix the problem automatically.
+
+To do this, follow these steps.
+
+>[!NOTE]
+>For additional methods to start WinRE, see [Entry points into WinRE](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference#span-identrypointsintowinrespanspan-identrypointsintowinrespanspan-identrypointsintowinrespanentry-points-into-winre).
+
+1. Start the system to the installation media for the installed version of Windows.
+ **Note** For more information, see [Create installation media for Windows](https://support.microsoft.com/help/15088).
+
+2. On the **Install Windows** screen, select **Next** > **Repair your computer**.
+
+3. On the **System Recovery Options** screen, select **Next** > **Command Prompt**.
+
+4. After Startup Repair, select **Shutdown**, then turn on your PC to see if Windows can boot properly.
+
+The Startup Repair tool generates a log file to help you understand the startup problems and the repairs that were made. You can find the log file in the following location:
+
+**%windir%\System32\LogFiles\Srt\Srttrail.txt**
+
+
+For more information see, [A Stop error occurs, or the computer stops responding when you try to start Windows Vista or Windows 7](https://support.microsoft.com/help/925810/a-stop-error-occurs-or-the-computer-stops-responding-when-you-try-to-s)
+
+
+### Method 2: Repair Boot Codes
+
+To repair boot codes, run the following command:
+
+```dos
+BOOTREC /FIXMBR
+```
+
+To repair the boot sector, run the following command:
+
+```dos
+BOOTREC /FIXBOOT
+```
+
+>[!NOTE]
+>Running **BOOTREC** together with **Fixmbr** overwrites only the master boot code. If the corruption in the MBR affects the partition table, running **Fixmbr** may not fix the problem.
+
+### Method 3: Fix BCD errors
+
+If you receive BCD-related errors, follow these steps:
+
+1. Scan for all the systems that are installed. To do this, run the following command:
+ ```dos
+ Bootrec /ScanOS
+ ```
+
+2. Restart the computer to check whether the problem is fixed.
+
+3. If the problem is not fixed, run the following command:
+ ```dos
+ Bootrec /rebuildbcd
+ ```
+
+4. You might receive one of the following outputs:
+
+ - Scanning all disks for Windows installations. Please wait, since this may take a while...Successfully scanned Windows installations. Total identified Windows installations: 0
+ The operation completed successfully.
+
+ - Scanning all disks for Windows installations. Please wait, since this may take a while... Successfully scanned Windows installations. Total identified Windows installations: 1
+ D:\Windows
+ Add installation to boot list? Yes/No/All:
+
+If the output shows **windows installation: 0**, run the following commands:
+
+```dos
+bcdedit /export c:\bcdbackup
+
+attrib c:\\boot\\bcd -h -r –s
+
+ren c:\\boot\\bcd bcd.old
+
+bootrec /rebuildbcd
+```
+
+After you run the command, you receive the following output:
+
+ Scanning all disks for Windows installations. Please wait, since this may take a while...Successfully scanned Windows installations. Total identified Windows installations: 1{D}:\Windows
+Add installation to boot list? Yes/No/All: Y
+
+5. Try again to start the system.
+
+### Method 4: Replace Bootmgr
+
+If methods 1 and 2 do not fix the problem, replace the Bootmgr file from drive C to the System Reserved partition. To do this, follow these steps:
+
+1. At a command prompt, change the directory to the System Reserved partition.
+
+2. Run the **attrib** command to unhide the file:
+ ```dos
+ attrib-s -h -r
+ ```
+
+3. Run the same **attrib** command on the Windows (system drive):
+ ```dos
+ attrib-s -h –r
+ ```
+
+4. Rename the Bootmgr file as Bootmgr.old:
+ ```dos
+ ren c:\\bootmgr bootmgr.old
+ ```
+
+5. Start a text editor, such as Notepad.
+
+6. Navigate to the system drive.
+
+7. Copy the Bootmgr file, and then paste it to the System Reserved partition.
+
+8. Restart the computer.
+
+### Method 5: Restore System Hive
+
+If Windows cannot load the system registry hive into memory, you must restore the system hive. To do this, use the Windows Recovery Environment or use Emergency Repair Disk (ERD) to copy the files from the C:\Windows\System32\config\RegBack to C:\Windows\System32\config.
+
+If the problem persists, you may want to restore the system state backup to an alternative location, and then retrieve the registry hives to be replaced.
+
+
+## Kernel Phase
+
+If the system gets stuck during the kernel phase, you experience multiple symptoms or receive multiple error messages. These include, but are not limited to, the following:
+
+- A Stop error appears after the splash screen (Windows Logo screen).
+
+- Specific error code is displayed.
+ For example, "0x00000C2" , "0x0000007B" , "inaccessible boot device" and so on.
+ (To troubleshoot the 0x0000007B error, see [Error code INACCESSIBLE_BOOT_DEVICE (STOP 0x7B)](https://internal.support.services.microsoft.com/help/4343769/troubleshooting-guide-for-windows-boot-problems#0x7bstoperror))
+
+- The screen is stuck at the "spinning wheel" (rolling dots) "system busy" icon.
+
+- A black screen appears after the splash screen.
+
+To troubleshoot these problems, try the following recovery boot options one at a time.
+
+**Scenario 1: Try to start the computer in Safe mode or Last Known Good Configuration**
+
+On the **Advanced Boot Options** screen, try to start the computer in **Safe Mode** or **Safe Mode with Networking**. If either of these options works, use Event Viewer to help identify and diagnose the cause of the boot problem. To view events that are recorded in the event logs, follow these steps:
+
+1. Use one of the following methods to open Event Viewer:
+
+ - Click **Start**, point to **Administrative Tools**, and then click
+ **Event Viewer**.
+
+ - Start the Event Viewer snap-in in Microsoft Management Console (MMC).
+
+2. In the console tree, expand Event Viewer, and then click the log that you
+ want to view. For example, click **System log** or **Application log**.
+
+3. In the details pane, double-click the event that you want to view.
+
+4. On the **Edit** menu, click **Copy**, open a new document in the program in
+ which you want to paste the event (for example, Microsoft Word), and then
+ click **Paste**.
+
+5. Use the Up Arrow or Down Arrow key to view the description of the previous
+ or next event.
+
+
+### Clean boot
+
+To troubleshoot problems that affect services, do a clean boot by using System Configuration (msconfig).
+Select **Selective startup** to test the services one at a time to determine which one is causing the problem. If you cannot find the cause, try including system services. However, in most cases, the problematic service is third-party.
+
+Disable any service that you find to be faulty, and try to start the computer again by selecting **Normal startup**.
+
+For detailed instructions, see [How to perform a clean boot in Windows](https://support.microsoft.com/help/929135/how-to-perform-a-clean-boot-in-windows).
+
+If the computer starts in Disable Driver Signature mode, start the computer in Disable Driver Signature Enforcement mode, and then follow the steps that are documented in the following article to determine which drivers or files require driver signature enforcement:
+[Troubleshooting boot problem caused by missing driver signature (x64)](https://blogs.technet.microsoft.com/askcore/2012/04/15/troubleshooting-boot-issues-due-to-missing-driver-signature-x64/)
+
+>[!NOTE]
+>If the computer is a domain controller, try Directory Services Restore mode (DSRM).
+>
+>This method is an important step if you encounter Stop error "0xC00002E1" or "0xC00002E2"
+
+
+**Examples**
+
+>[!WARNING]
+>Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these
+problems can be solved. Modify the registry at your own risk.
+
+*Error code INACCESSIBLE_BOOT_DEVICE (STOP 0x7B)*
+
+To troubleshoot this Stop error, follow these steps to filter the drivers:
+
+1. Go to Window Recovery Environment (WinRE) by putting an ISO disk of the system in the disk drive. The ISO should be of same version of Windows or a later version.
+
+2. Open the registry.
+
+3. Load the system hive, and name it as "test."
+
+4. Under the following registry subkey, check for lower filter and upper filter items for Non-Microsoft Drivers:
+
+ **HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Class**
+
+5. For each third-party driver that you locate, click the upper or lower filter, and then delete the value data.
+
+6. Search through the whole registry for similar items. Process as an appropriate, and then unload the registry hive.
+
+7. Restart the server in Normal mode.
+
+For additional troubleshooting steps, see the following articles:
+
+- [Troubleshooting a Stop 0x7B in Windows](https://blogs.technet.microsoft.com/askcore/2013/08/05/troubleshooting-a-stop-0x7b-in-windows/)
+
+- [Advanced troubleshooting for "Stop error code 0x0000007B (INACCESSIBLE_BOOT_DEVICE)" errors in Windows XP](https://internal.support.services.microsoft.com/help/324103).
+
+To fix problems that occur after you install Windows updates, check for pending updates by using these steps:
+
+1. Open a Command Prompt winodw in WinRE.
+
+2. Run the command:
+ ```dos
+ dism /image:C:\ /get-packages
+ ```
+
+3. If there are any pending updates, uninstall them by running the following commands:
+ ```dos
+ DISM /image:C:\ /remove-package /packagename: name of the package
+ ```
+ ```dos
+ Dism /Image:C:\ /Cleanup-Image /RevertPendingActions
+ ```
+
+Try to start the computer.
+
+If the computer does not start, follow these steps:
+
+1. Open A Command Prompt window in WinRE, and start a text editor, such as Notepad.
+
+2. Navigate to the system drive, and search for windows\winsxs\pending.xml.
+
+3. If the Pending.xml file is found, rename the file as Pending.xml.old.
+
+4. Open the registry, and then load the component hive in HKEY_LOCAL_MACHINE as a test.
+
+5. Highlight the loaded test hive, and then search for the **pendingxmlidentifier** value.
+
+6. If the **pendingxmlidentifier** value exists, delete the value.
+
+7. Unload the test hive.
+
+8. Load the system hive, name it as "test".
+
+9. Navigate to the following subkey:
+
+ **HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\TrustedInstaller**
+
+10. Change the **Start** value from **1** to **4**
+
+11. Unload the hive.
+
+12. Try to start the computer.
+
+If the Stop error occurs late in the startup process, or if the Stop error is still being generated, you can capture a memory dump. A good memory dump can help determine the root cause of the Stop error. For details, see the following Knowledge Base article:
+
+- [969028](https://support.microsoft.com/help/969028) How to generate a kernel or a complete memory dump file in Windows Server 2008 and Windows Server 2008 R2
+
+For more information about page file problems in Windows 10 or Windows Server 2016, see the following Knowledge Base article:
+
+- [4133658](https://support.microsoft.com/help/4133658) Introduction of page file in Long-Term Servicing Channel and Semi-Annual Channel of Windows
+
+For more information about Stop errors, see the following Knowledge Base article:
+
+- [3106831](https://support.microsoft.com/help/3106831) Troubleshooting Stop error problems for IT Pros
+
+
+If the dump file shows an error that is related to a driver (for example, windows\system32\drivers\stcvsm.sys is missing or corrupted), follow these guidelines:
+
+- Check the functionality that is provided by the driver. If the driver is a third-party boot driver, make sure that you understand what it does.
+
+- If the driver is not important and has no dependencies, load the system hive, and then disable the driver.
+
+- If the stop error indicates system file corruption, run the system file checker in offline mode.
+ - To do this, open WinRE, open a command prompt, and then run the following command:
+ ```dos
+ SFC /Scannow /OffBootDir=C:\ /OffWinDir=E:\Windows
+ ```
+ For more information, see [Using System File Checker (SFC) To Fix Issues](https://blogs.technet.microsoft.com/askcore/2007/12/18/using-system-file-checker-sfc-to-fix-issues/)
+
+ - If there is disk corruption, run the check disk command:
+ ```dos
+ chkdsk /f /r
+ ```
+
+ - If the Stop error indicates general registry corruption, or if you believe that new drivers or services were installed, follow these steps:
+
+ 1. Start WinRE, and open a Command Prompt window.
+ 2. Start a text editor, such as Notepad.
+ 3. Navigate to C\Windows\System32\Config\.
+ 4. Rename the all five hives by appending ".old" to the name.
+ 5. Copy all the hives from the Regback folder, paste them in the Config folder, and then try to start the computer in Normal mode.
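Review bot: Several commands in the fenced blocks of Methods 3 and 4 will not run as pasted. `attrib-s -h -r` (Method 4, steps 2 and 3) is missing the space after `attrib` and names no file, although the step says to unhide "the file". The `–s` in `attrib c:\\boot\\bcd -h -r –s` and the `–r` in `attrib-s -h –r` use an en dash instead of a hyphen. The paths inside the fences (`c:\\boot\\bcd`, `c:\\bootmgr`) carry doubled backslashes, which are Markdown escapes that render literally in a code block. Use plain hyphens, single backslashes, and an explicit file name. Two links point at internal.support.services.microsoft.com (the 0x7B link in the Kernel Phase list and the Windows XP article under "For additional troubleshooting steps"), which external readers cannot reach; use public URLs instead. Smaller items:
- The last cell of the Summary table's separator row has no dashes, so the table may not render.
- `[Click to enlarge](img-boot-sequence.md)` has no image before it.
- Method 1 step 3 selects **Command Prompt**, but step 4 assumes Startup Repair has run.
- Method 4 opens with "If methods 1 and 2 do not fix the problem" although it follows Method 3.
- "0x00000C2" has seven hex digits where "0x0000007B" has eight.
- `/packagename: name of the package` has a space after the colon and no placeholder markup.
- "winodw" should be "window", and "C\Windows\System32\Config\" is missing the colon after the drive letter.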
diff --git a/windows/client-management/change-history-for-client-management.md b/windows/client-management/change-history-for-client-management.md
index f5b708473d..91800241a0 100644
--- a/windows/client-management/change-history-for-client-management.md
+++ b/windows/client-management/change-history-for-client-management.md
@@ -9,13 +9,30 @@ ms.pagetype: security
ms.localizationpriority: medium
author: jdeckerMS
ms.author: jdecker
-ms.date: 09/12/2017
+ms.date: 12/06/2018
---
# Change history for Client management
This topic lists new and updated topics in the [Client management](index.md) documentation for Windows 10 and Windows 10 Mobile.
+## December 2018
+
+New or changed topic | Description
+--- | ---
+[Advanced troubleshooting for TCP/IP](troubleshoot-tcpip.md) | New
+[Collect data using Network Monitor](troubleshoot-tcpip-netmon.md) | New
+[Troubleshoot TCP/IP connectivity](troubleshoot-tcpip-connectivity.md) | New
+[Troubleshoot port exhaustion issues](troubleshoot-tcpip-port-exhaust.md) | New
+[Troubleshoot Remote Procedure Call (RPC) errors](troubleshoot-tcpip-rpc-errors.md) | New
+
+## November 2018
+
+New or changed topic | Description
+--- | ---
+ [Advanced troubleshooting for Windows-based computer freeze issues](troubleshoot-windows-freeze.md) | New
+ [Advanced troubleshooting for Stop error or blue screen error issue](troubleshoot-stop-errors.md) | New
+
## RELEASE: Windows 10, version 1709
The topics in this library have been updated for Windows 10, version 1709 (also known as the Fall Creators Update).
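Review bot: The November 2018 table lists the freeze and Stop error topics but not "Advanced troubleshooting for Windows boot problems", which this same change adds with `ms.date: 11/16/2018` and a TOC entry. Add a row for advanced-troubleshooting-boot-problems.md. The two November rows also begin with a leading space that the December rows do not have; drop it so the tables are formatted the same way.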
diff --git a/windows/client-management/data-collection-for-802-authentication.md b/windows/client-management/data-collection-for-802-authentication.md
index aea4ddbb30..60a255a2b6 100644
--- a/windows/client-management/data-collection-for-802-authentication.md
+++ b/windows/client-management/data-collection-for-802-authentication.md
@@ -14,538 +14,373 @@ ms.date: 10/29/2018
# Data Collection for Troubleshooting 802.1x Authentication
-## Steps to capture Wireless/Wired functionality logs
-
+## Capture wireless/wired functionality logs
+
+Use the following steps to collect wireless and wired logs on Windows and Windows Server:
+
1. Create C:\MSLOG on the client machine to store captured logs.
-2. Launch a command prompt as an administrator on the client machine, and run the following commands to start RAS trace log and Wireless/Wired scenario log:
+2. Launch a command prompt as an administrator on the client machine, and run the following commands to start RAS trace log and Wireless/Wired scenario log.
-**On Windows 8.1, Windows 10 Wireless Client**
+ **Wireless Windows 8.1 and Windows 10:**
-```dos
-netsh ras set tracing * enabled
-```
-```dos
-netsh trace start scenario=wlan,wlan\_wpp,wlan\_dbg,wireless\_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wireless\_cli.etl
-```
+ ```
+ netsh ras set tracing * enabled
+ netsh trace start scenario=wlan,wlan_wpp,wlan_dbg,wireless_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%_wireless_cli.etl
+ ```
-**On Windows 7, Winodws 8 Wireless Client**
-```dos
-netsh ras set tracing * enabled
-```
-```dos
-netsh trace start scenario=wlan,wlan\_wpp,wlan\_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wireless\_cli.etl
-```
+ **Wireless Windows 7 and Windows 8:**
+ ```
+ netsh ras set tracing * enabled
+ netsh trace start scenario=wlan,wlan_wpp,wlan_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%_wireless_cli.etl
+ ```
-**On Wired network client**
-
-```dos
-netsh ras set tracing * enabled
-```
-```dos
-netsh trace start scenario=lan globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wired\_cli.etl
-```
+ **Wired client, regardless of version**
+ ```
+ netsh ras set tracing * enabled
+ netsh trace start scenario=lan globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%_wired_cli.etl
+ ```
-3. Run the followind command to enable CAPI2 logging:
-
-```dos
-wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true
-```
+3. Run the following command to enable CAPI2 logging:
+
+ ```
+ wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true
+ ```
4. Create C:\MSLOG on the NPS to store captured logs.
5. Launch a command prompt as an administrator on the NPS and run the following commands to start RAS trace log and Wireless/Wired scenario log:
-**On Windows Server 2012 R2, Windows Server 2016 Wireless network**
+ **Windows Server 2012 R2, Windows Server 2016 wireless network:**
- ```dos
- netsh ras set tracing * enabled
```
- ```dos
- netsh trace start scenario=wlan,wlan\_wpp,wlan\_dbg,wireless\_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wireless\_nps.etl
+ netsh ras set tracing * enabled
+ netsh trace start scenario=wlan,wlan_wpp,wlan_dbg,wireless_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%_wireless_nps.etl
```
-**On Windows Server 2008 R2, Winodws Server 2012 Wireless network**
+ **Windows Server 2008 R2, Windows Server 2012 wireless network**
- ```dos
- netsh ras set tracing * enabled
```
- ```dos
- netsh trace start scenario=wlan,wlan\_wpp,wlan\_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wireless\_nps.etl
+ netsh ras set tracing * enabled
+ netsh trace start scenario=wlan,wlan_wpp,wlan_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%_wireless_nps.etl
```
-**On wired network**
+ **Wired network**
- ```dos
- netsh ras set tracing * enabled
```
- ```dos
- netsh trace start scenario=lan globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wired\_nps.etl
+ netsh ras set tracing * enabled
+ netsh trace start scenario=lan globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%_wired_nps.etl
```
-6. Run the followind command to enable CAPI2 logging:
+6. Run the following command to enable CAPI2 logging:
- ```dos
+ ```
wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true
```
-
7. Run the following command from the command prompt on the client machine and start PSR to capture screen images:
-
-> [!NOTE]
-> When the mouse button is clicked, the cursor will blink in red while capturing a screen image.
+ > [!NOTE]
+ > When the mouse button is clicked, the cursor will blink in red while capturing a screen image.
- ```dos
- psr /start /output c:\MSLOG\%computername%\_psr.zip /maxsc 100
```
-
+ psr /start /output c:\MSLOG\%computername%_psr.zip /maxsc 100
+ ```
8. Repro the issue.
-
-9. Run the following command on the client machine to stop the PSR capturing:
+9. Run the following command on the client PC to stop the PSR capturing:
- ```dos
- psr /stop
- ```
+ ```
+ psr /stop
+ ```
10. Run the following commands from the command prompt on the NPS.
-**Stopping RAS trace log and Wireless scenario log**
+ - To stop RAS trace log and wireless scenario log:
- ```dos
- netsh trace stop
- ```
- ```dos
- netsh ras set tracing * disabled
- ```
-
-**Disabling and copying CAPI2 log**
+ ```
+ netsh trace stop
+ netsh ras set tracing * disabled
+ ```
+ - To disable and copy CAPI2 log:
- ```dos
- wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:false
- ```
- ```dos
- wevtutil.exe epl Microsoft-Windows-CAPI2/Operational C:\MSLOG\CAPI2\_%COMPUTERNAME%.evtx
- ```
+ ```
+ wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:false
+ wevtutil.exe epl Microsoft-Windows-CAPI2/Operational C:\MSLOG\%COMPUTERNAME%_CAPI2.evtx
+ ```
-11. Run the following commands from the prompt on the client machine.
+11. Run the following commands on the client PC.
+ - To stop RAS trace log and wireless scenario log:
+ ```
+ netsh trace stop
+ netsh ras set tracing * disabled
+ ```
-**Stopping RAS trace log and Wireless scenario log**
+ - To disable and copy the CAPI2 log:
+ ```
+ wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:false
+ wevtutil.exe epl Microsoft-Windows-CAPI2/Operational C:\MSLOG\%COMPUTERNAME%_CAPI2.evtx
+ ```
+
+12. Save the following logs on the client and the NPS:
+
+ **Client**
+ - C:\MSLOG\%computername%_psr.zip
+ - C:\MSLOG\%COMPUTERNAME%_CAPI2.evtx
+ - C:\MSLOG\%COMPUTERNAME%_wireless_cli.etl
+ - C:\MSLOG\%COMPUTERNAME%_wireless_cli.cab
+ - All log files and folders in %Systemroot%\Tracing
+
+ **NPS**
+ - C:\MSLOG\%COMPUTERNAME%_CAPI2.evtx
+ - C:\MSLOG\%COMPUTERNAME%_wireless_nps.etl (%COMPUTERNAME%_wired_nps.etl for wired scenario)
+ - C:\MSLOG\%COMPUTERNAME%_wireless_nps.cab (%COMPUTERNAME%_wired_nps.cab for wired scenario)
+ - All log files and folders in %Systemroot%\Tracing
- ```dos
- netsh trace stop
- ```
- ```dos
- netsh ras set tracing * disabled
- ```
-
-**Disabling and copying CAPI2 log**
+## Save environmental and configuration information
+
+### On Windows client
- ```dos
- wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:false
- ```
- ```dos
- wevtutil.exe epl Microsoft-Windows-CAPI2/Operational C:\MSLOG\CAPI2\_%COMPUTERNAME%.evtx
- ```
-
-12. Save the following logs on the client and the NPS.
-
-**Client**
- - C:\MSLOG\%computername%_psr.zip
- - C:\MSLOG\CAPI2_%COMPUTERNAME%.evtx
- - C:\MSLOG\%COMPUTERNAME%_wireless_cli.etl
- - C:\MSLOG\%COMPUTERNAME%_wireless_cli.cab
- - All log files and folders in %Systemroot%\Tracing
-
-**NPS**
- - C:\MSLOG\%COMPUTERNAME%_CAPI2.evtx
- - C:\MSLOG\%COMPUTERNAME%_wireless_nps.etl (%COMPUTERNAME%_wired_nps.etl for wired scenario)
- - C:\MSLOG\%COMPUTERNAME%_wireless_nps.cab (%COMPUTERNAME%_wired_nps.cab for wired scenario)
- - All log files and folders in %Systemroot%\Tracing
-
-
-### Steps to save environmental / configuration information
-
-**Client**
1. Create C:\MSLOG to store captured logs.
2. Launch a command prompt as an administrator.
3. Run the following commands.
- - Environmental information and Group Policies application status
- ```dos
- gpresult /H C:\MSLOG\%COMPUTERNAME%\_gpresult.htm
-
- msinfo32 /report c:\MSLOG\%COMPUTERNAME%\_msinfo32.txt
-
- ipconfig /all > c:\MSLOG\%COMPUTERNAME%\_ipconfig.txt
-
- route print > c:\MSLOG\%COMPUTERNAME%\_route\_print.txt
- ```
-
-**Event logs**
+ - Environmental information and Group Policies application status
+
+ ```
+ gpresult /H C:\MSLOG\%COMPUTERNAME%_gpresult.htm
+ msinfo32 /report c:\MSLOG\%COMPUTERNAME%_msinfo32.txt
+ ipconfig /all > c:\MSLOG\%COMPUTERNAME%_ipconfig.txt
+ route print > c:\MSLOG\%COMPUTERNAME%_route_print.txt
+ ```
+ - Event logs
+
+ ```
+ wevtutil epl Application c:\MSLOG\%COMPUTERNAME%_Application.evtx
+ wevtutil epl System c:\MSLOG\%COMPUTERNAME%_System.evtx
+ wevtutil epl Security c:\MSLOG\%COMPUTERNAME%_Security.evtx
+ wevtutil epl Microsoft-Windows-GroupPolicy/Operational C:\MSLOG\%COMPUTERNAME%_GroupPolicy_Operational.evtx
+ wevtutil epl "Microsoft-Windows-WLAN-AutoConfig/Operational" c:\MSLOG\%COMPUTERNAME%_Microsoft-Windows-WLAN-AutoConfig-Operational.evtx
+ wevtutil epl "Microsoft-Windows-Wired-AutoConfig/Operational" c:\MSLOG\%COMPUTERNAME%_Microsoft-Windows-Wired-AutoConfig-Operational.evtx
+ wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServicesClient-CredentialRoaming_Operational.evtx
+ wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%_CertPoleEng_Operational.evtx
+ ```
+ - For Windows 8 and later, also run these commands for event logs:
+
+ ```
+ wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServicesClient-Lifecycle-System_Operational.evtx
+ wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServicesClient-Lifecycle-User_Operational.evtx
+ wevtutil epl Microsoft-Windows-CertificateServices-Deployment/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServices-Deployment_Operational.evtx
+ ```
+ - Certificates Store information:
+
+ ```
+ certutil -v -silent -store MY > c:\MSLOG\%COMPUTERNAME%_cert-Personal-Registry.txt
+ certutil -v -silent -store ROOT > c:\MSLOG\%COMPUTERNAME%_cert-TrustedRootCA-Registry.txt
+ certutil -v -silent -store -grouppolicy ROOT > c:\MSLOG\%COMPUTERNAME%_cert-TrustedRootCA-GroupPolicy.txt
+ certutil -v -silent -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%_TrustedRootCA-Enterprise.txt
+ certutil -v -silent -store TRUST > c:\MSLOG\%COMPUTERNAME%_cert-EnterpriseTrust-Reg.txt
+ certutil -v -silent -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%_cert-EnterpriseTrust-GroupPolicy.txt
+ certutil -v -silent -store -enterprise TRUST > c:\MSLOG\%COMPUTERNAME%_cert-EnterpriseTrust-Enterprise.txt
+ certutil -v -silent -store CA > c:\MSLOG\%COMPUTERNAME%_cert-IntermediateCA-Registry.txt
+ certutil -v -silent -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%_cert-IntermediateCA-GroupPolicy.txt
+ certutil -v -silent -store -enterprise CA > c:\MSLOG\%COMPUTERNAME%_cert-Intermediate-Enterprise.txt
+ certutil -v -silent -store AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-3rdPartyRootCA-Registry.txt
+ certutil -v -silent -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-3rdPartyRootCA-GroupPolicy.txt
+ certutil -v -silent -store -enterprise AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-3rdPartyRootCA-Enterprise.txt
+ certutil -v -silent -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-SmartCardRoot-Registry.txt
+ certutil -v -silent -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-SmartCardRoot-GroupPolicy.txt
+ certutil -v -silent -store -enterprise SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-SmartCardRoot-Enterprise.txt
+ certutil -v -silent -store -enterprise NTAUTH > c:\MSLOG\%COMPUTERNAME%_cert-NtAuth-Enterprise.txt
+ certutil -v -silent -user -store MY > c:\MSLOG\%COMPUTERNAME%_cert-User-Personal-Registry.txt
+ certutil -v -silent -user -store ROOT > c:\MSLOG\%COMPUTERNAME%_cert-User-TrustedRootCA-Registry.txt
+ certutil -v -silent -user -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%_cert-User-TrustedRootCA-Enterprise.txt
+ certutil -v -silent -user -store TRUST > c:\MSLOG\%COMPUTERNAME%_cert-User-EnterpriseTrust-Registry.txt
+ certutil -v -silent -user -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%_cert-User-EnterpriseTrust-GroupPolicy.txt
+ certutil -v -silent -user -store CA > c:\MSLOG\%COMPUTERNAME%_cert-User-IntermediateCA-Registry.txt
+ certutil -v -silent -user -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%_cert-User-IntermediateCA-GroupPolicy.txt
+ certutil -v -silent -user -store Disallowed > c:\MSLOG\%COMPUTERNAME%_cert-User-UntrustedCertificates-Registry.txt
+ certutil -v -silent -user -store -grouppolicy Disallowed > c:\MSLOG\%COMPUTERNAME%_cert-User-UntrustedCertificates-GroupPolicy.txt
+ certutil -v -silent -user -store AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-User-3rdPartyRootCA-Registry.txt
+ certutil -v -silent -user -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-User-3rdPartyRootCA-GroupPolicy.txt
+ certutil -v -silent -user -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-User-SmartCardRoot-Registry.txt
+ certutil -v -silent -user -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-User-SmartCardRoot-GroupPolicy.txt
+ certutil -v -silent -user -store UserDS > c:\MSLOG\%COMPUTERNAME%_cert-User-UserDS.txt
+ ```
+ - Wireless LAN client information:
+
+ ```
+ netsh wlan show all > c:\MSLOG\%COMPUTERNAME%_wlan_show_all.txt
+ netsh wlan export profile folder=c:\MSLOG\
+ ```
+ - Wired LAN Client information
+
+ ```
+ netsh lan show interfaces > c:\MSLOG\%computername%_lan_interfaces.txt
+ netsh lan show profiles > c:\MSLOG\%computername%_lan_profiles.txt
+ netsh lan show settings > c:\MSLOG\%computername%_lan_settings.txt
+ netsh lan export profile folder=c:\MSLOG\
+ ```
+4. Save the logs stored in C:\MSLOG.
-**Run the following command on Windows 8 and above **
-```dos
-wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-System\_Operational.evtx
-
-wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-User\_Operational.evtx
-
-wevtutil epl Microsoft-Windows-CertificateServices-Deployment/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServices-Deployment\_Operational.evtx
-```
-
-```dos
-wevtutil epl Application c:\MSLOG\%COMPUTERNAME%\_Application.evtx
-
-wevtutil epl System c:\MSLOG\%COMPUTERNAME%\_System.evtx
-
-wevtutil epl Security c:\MSLOG\%COMPUTERNAME%\_Security.evtx
-
-wevtutil epl Microsoft-Windows-GroupPolicy/Operational C:\MSLOG\%COMPUTERNAME%\_GroupPolicy\_Operational.evtx
-
-wevtutil epl "Microsoft-Windows-WLAN-AutoConfig/Operational" c:\MSLOG\%COMPUTERNAME%\_Microsoft-Windows-WLAN-AutoConfig-Operational.evtx
-
-wevtutil epl "Microsoft-Windows-Wired-AutoConfig/Operational" c:\MSLOG\%COMPUTERNAME%\_Microsoft-Windows-Wired-AutoConfig-Operational.evtx
-
-wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-CredentialRoaming\_Operational.evtx
-
-wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%\_CertPoleEng\_Operational.evtx
-```
+### On NPS
-**Certificates Store information**
-
-```dos
-certutil.exe -v -silent -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-Personal-Registry.txt
-
-certutil.exe -v -silent -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-Registry.txt
-
-certutil.exe -v -silent -store -grouppolicy ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-GroupPolicy.txt
-
-certutil.exe -v -silent -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_TrustedRootCA-Enterprise.txt
-
-certutil.exe -v -silent -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Reg.txt
-
-certutil.exe -v -silent -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-GroupPolicy.txt
-
-certutil.exe -v -silent -store -enterprise TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Enterprise.txt
-
-certutil.exe -v -silent -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-Registry.txt
-
-certutil.exe -v -silent -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-GroupPolicy.txt
-
-certutil.exe -v -silent -store -enterprise CA > c:\MSLOG\%COMPUTERNAME%\_cert-Intermediate-Enterprise.txt
-
-certutil.exe -v -silent -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Registry.txt
-
-certutil.exe -v -silent -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-GroupPolicy.txt
-
-certutil.exe -v -silent -store -enterprise AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Enterprise.txt
-
-certutil.exe -v -silent -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Registry.txt
-
-certutil.exe -v -silent -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-GroupPolicy.txt
-
-certutil.exe -v -silent -store -enterprise SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Enterprise.txt
-
-certutil.exe -v -silent -store -enterprise NTAUTH > c:\MSLOG\%COMPUTERNAME%\_cert-NtAuth-Enterprise.txt
-
-certutil.exe -v -silent -user -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-User-Personal-Registry.txt
-
-certutil.exe -v -silent -user -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Registry.txt
-
-certutil.exe -v -silent -user -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Enterprise.txt
-
-certutil.exe -v -silent -user -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-Registry.txt
-
-certutil.exe -v -silent -user -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-GroupPolicy.txt
-
-certutil.exe -v -silent -user -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-Registry.txt
-
-certutil.exe -v -silent -user -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-GroupPolicy.txt
-
-certutil.exe -v -silent -user -store Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-Registry.txt
-
-certutil.exe -v -silent -user -store -grouppolicy Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-GroupPolicy.txt
-
-certutil.exe -v -silent -user -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-Registry.txt
-
-certutil.exe -v -silent -user -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-GroupPolicy.txt
-
-certutil.exe -v -silent -user -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-Registry.txt
-
-certutil.exe -v -silent -user -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-GroupPolicy.txt
-
-certutil.exe -v -silent -user -store UserDS > c:\MSLOG\%COMPUTERNAME%\_cert-User-UserDS.txt
-```
-
-**Wireless LAN Client information**
-```dos
-netsh wlan show all > c:\MSLOG\%COMPUTERNAME%\_wlan\_show\_all.txt
-
-netsh wlan export profile folder=c:\MSLOG\
-```
-
-**Wired LAN Client information**
-```dos
-netsh lan show all > c:\MSLOG\%COMPUTERNAME%\_lan\_show\_all.txt
-
-netsh lan export profile folder=c:\MSLOG\
-```
+1. Create C:\MSLOG to store captured logs.
+2. Launch a command prompt as an administrator.
+3. Run the following commands.
+ - Environmental information and Group Policies application status:
+
+ ```
+ gpresult /H C:\MSLOG\%COMPUTERNAME%_gpresult.txt
+ msinfo32 /report c:\MSLOG\%COMPUTERNAME%_msinfo32.txt
+ ipconfig /all > c:\MSLOG\%COMPUTERNAME%_ipconfig.txt
+ route print > c:\MSLOG\%COMPUTERNAME%_route_print.txt
+ ```
+ - Event logs:
+
+ ```
+ wevtutil epl Application c:\MSLOG\%COMPUTERNAME%_Application.evtx
+ wevtutil epl System c:\MSLOG\%COMPUTERNAME%_System.evtx
+ wevtutil epl Security c:\MSLOG\%COMPUTERNAME%_Security.evtx
+ wevtutil epl Microsoft-Windows-GroupPolicy/Operational c:\MSLOG\%COMPUTERNAME%_GroupPolicy_Operational.evtx
+ wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServicesClient-CredentialRoaming_Operational.evtx
+ wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%_CertPoleEng_Operational.evtx
+ ```
+ - Run the following 3 commands on Windows Server 2012 and later:
+
+ ```
+ wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServicesClient-Lifecycle-System_Operational.evtx
+ wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServicesClient-Lifecycle-User_Operational.evtx
+ wevtutil epl Microsoft-Windows-CertificateServices-Deployment/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServices-Deployment_Operational.evtx
+ ```
+ - Certificates store information
+
+ ```
+ certutil -v -silent -store MY > c:\MSLOG\%COMPUTERNAME%_cert-Personal-Registry.txt
+ certutil -v -silent -store ROOT > c:\MSLOG\%COMPUTERNAME%_cert-TrustedRootCA-Registry.txt
+ certutil -v -silent -store -grouppolicy ROOT > c:\MSLOG\%COMPUTERNAME%_cert-TrustedRootCA-GroupPolicy.txt
+ certutil -v -silent -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%_TrustedRootCA-Enterprise.txt
+ certutil -v -silent -store TRUST > c:\MSLOG\%COMPUTERNAME%_cert-EnterpriseTrust-Reg.txt
+ certutil -v -silent -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%_cert-EnterpriseTrust-GroupPolicy.txt
+ certutil -v -silent -store -enterprise TRUST > c:\MSLOG\%COMPUTERNAME%_cert-EnterpriseTrust-Enterprise.txt
+ certutil -v -silent -store CA > c:\MSLOG\%COMPUTERNAME%_cert-IntermediateCA-Registry.txt
+ certutil -v -silent -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%_cert-IntermediateCA-GroupPolicy.txt
+ certutil -v -silent -store -enterprise CA > c:\MSLOG\%COMPUTERNAME%_cert-Intermediate-Enterprise.txt
+ certutil -v -silent -store AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-3rdPartyRootCA-Registry.txt
+ certutil -v -silent -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-3rdPartyRootCA-GroupPolicy.txt
+ certutil -v -silent -store -enterprise AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-3rdPartyRootCA-Enterprise.txt
+ certutil -v -silent -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-SmartCardRoot-Registry.txt
+ certutil -v -silent -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-SmartCardRoot-GroupPolicy.txt
+ certutil -v -silent -store -enterprise SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-SmartCardRoot-Enterprise.txt
+ certutil -v -silent -store -enterprise NTAUTH > c:\MSLOG\%COMPUTERNAME%_cert-NtAuth-Enterprise.txt
+ certutil -v -silent -user -store MY > c:\MSLOG\%COMPUTERNAME%_cert-User-Personal-Registry.txt
+ certutil -v -silent -user -store ROOT > c:\MSLOG\%COMPUTERNAME%_cert-User-TrustedRootCA-Registry.txt
+ certutil -v -silent -user -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%_cert-User-TrustedRootCA-Enterprise.txt
+ certutil -v -silent -user -store TRUST > c:\MSLOG\%COMPUTERNAME%_cert-User-EnterpriseTrust-Registry.txt
+ certutil -v -silent -user -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%_cert-User-EnterpriseTrust-GroupPolicy.txt
+ certutil -v -silent -user -store CA > c:\MSLOG\%COMPUTERNAME%_cert-User-IntermediateCA-Registry.txt
+ certutil -v -silent -user -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%_cert-User-IntermediateCA-GroupPolicy.txt
+ certutil -v -silent -user -store Disallowed > c:\MSLOG\%COMPUTERNAME%_cert-User-UntrustedCertificates-Registry.txt
+ certutil -v -silent -user -store -grouppolicy Disallowed > c:\MSLOG\%COMPUTERNAME%_cert-User-UntrustedCertificates-GroupPolicy.txt
+ certutil -v -silent -user -store AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-User-3rdPartyRootCA-Registry.txt
+ certutil -v -silent -user -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-User-3rdPartyRootCA-GroupPolicy.txt
+ certutil -v -silent -user -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-User-SmartCardRoot-Registry.txt
+ certutil -v -silent -user -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-User-SmartCardRoot-GroupPolicy.txt
+ certutil -v -silent -user -store UserDS > c:\MSLOG\%COMPUTERNAME%_cert-User-UserDS.txt
+ ```
+ - NPS configuration information:
+
+ ```
+ netsh nps show config > C:\MSLOG\%COMPUTERNAME%_nps_show_config.txt
+ netsh nps export filename=C:\MSLOG\%COMPUTERNAME%_nps_export.xml exportPSK=YES
+ ```
+3. Take the following steps to save an NPS accounting log.
+ 1. Open **Administrative tools > Network Policy Server**.
+ 2. On the Network Policy Server administration tool, select **Accounting** in the left pane.
+ 3. Click **Change Log File Properties**.
+ 4. On the **Log File** tab, note the log file naming convention shown as **Name** and the log file location shown in **Directory** box.
+ 5. Copy the log file to C:\MSLOG.
4. Save the logs stored in C:\MSLOG.
-
-
-**NPS**
- 1. Create C:\MSLOG to store captured logs.
- 2. Launch a command prompt as an administrator.
- 3. Run the following commands:
- **Environmental information and Group Policies application status**
+### Certificate Authority (CA) (OPTIONAL)
- ```dos
- gpresult /H C:\MSLOG\%COMPUTERNAME%\_gpresult.txt
-
- msinfo32 /report c:\MSLOG\%COMPUTERNAME%\_msinfo32.txt
-
- ipconfig /all > c:\MSLOG\%COMPUTERNAME%\_ipconfig.txt
-
- route print > c:\MSLOG\%COMPUTERNAME%\_route\_print.txt
+1. On a CA, launch a command prompt as an administrator. Create C:\MSLOG to store captured logs.
+2. Run the following commands.
+ - Environmental information and Group Policies application status
+
```
-
-**Event logs**
-**Run the following 3 commands on Windows Server 2012 and above:**
-```dos
-wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-System\_Operational.evtx
-
-wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-User\_Operational.evtx
-
-wevtutil epl Microsoft-Windows-CertificateServices-Deployment/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServices-Deployment\_Operational.evtx
-```
-
-```dos
-wevtutil epl Application c:\MSLOG\%COMPUTERNAME%\_Application.evtx
-
-wevtutil epl System c:\MSLOG\%COMPUTERNAME%\_System.evtx
-
-wevtutil epl Security c:\MSLOG\%COMPUTERNAME%\_Security.evtx
-
-wevtutil epl Microsoft-Windows-GroupPolicy/Operational c:\MSLOG\%COMPUTERNAME%\_GroupPolicy\_Operational.evtx
-
-wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-CredentialRoaming\_Operational.evtx
-
-wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%\_CertPoleEng\_Operational.evtx
-```
-
-**Certificates store information**
-```dos
-certutil.exe -v -silent -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-Personal-Registry.txt
-
-certutil.exe -v -silent -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-Registry.txt
-
-certutil.exe -v -silent -store -grouppolicy ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-GroupPolicy.txt
-
-certutil.exe -v -silent -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_TrustedRootCA-Enterprise.txt
-
-certutil.exe -v -silent -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Reg.txt
-
-certutil.exe -v -silent -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-GroupPolicy.txt
-
-certutil.exe -v -silent -store -enterprise TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Enterprise.txt
-
-certutil.exe -v -silent -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-Registry.txt
-
-certutil.exe -v -silent -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-GroupPolicy.txt
-
-certutil.exe -v -silent -store -enterprise CA > c:\MSLOG\%COMPUTERNAME%\_cert-Intermediate-Enterprise.txt
-
-certutil.exe -v -silent -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Registry.txt
-
-certutil.exe -v -silent -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-GroupPolicy.txt
-
-certutil.exe -v -silent -store -enterprise AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Enterprise.txt
-
-certutil.exe -v -silent -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Registry.txt
-
-certutil.exe -v -silent -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-GroupPolicy.txt
-
-certutil.exe -v -silent -store -enterprise SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Enterprise.txt
-
-certutil.exe -v -silent -store -enterprise NTAUTH > c:\MSLOG\%COMPUTERNAME%\_cert-NtAuth-Enterprise.txt
-
-certutil.exe -v -silent -user -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-User-Personal-Registry.txt
-
-certutil.exe -v -silent -user -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Registry.txt
-
-certutil.exe -v -silent -user -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Enterprise.txt
-
-certutil.exe -v -silent -user -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-Registry.txt
-
-certutil.exe -v -silent -user -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-GroupPolicy.txt
-
-certutil.exe -v -silent -user -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-Registry.txt
-
-certutil.exe -v -silent -user -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-GroupPolicy.txt
-
-certutil.exe -v -silent -user -store Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-Registry.txt
-
-certutil.exe -v -silent -user -store -grouppolicy Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-GroupPolicy.txt
-
-certutil.exe -v -silent -user -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-Registry.txt
-
-certutil.exe -v -silent -user -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-GroupPolicy.txt
-
-certutil.exe -v -silent -user -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-Registry.txt
-
-certutil.exe -v -silent -user -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-GroupPolicy.txt
-
-certutil.exe -v -silent -user -store UserDS > c:\MSLOG\%COMPUTERNAME%\_cert-User-UserDS.txt
-```
-
-**NPS configuration information**
-```dos
-netsh nps show config > C:\MSLOG\%COMPUTERNAME%\_nps\_show\_config.txt
-
-netsh nps export filename=C:\MSLOG\%COMPUTERNAME%\_nps\_export.xml exportPSK=YES
-```
-
-3. Take the following steps to save an NPS accounting log:
-4. Launch **Administrative tools** - **Network Policy Server**.
- - On the Network Policy Server administration tool, select **Accounting** in the left pane.
- - Click **Change Log File Properties** in the right pane.
- - Click the **Log File** tab, note the log file naming convention shown as *Name* and the log file location shown in the **Directory** box.
- - Copy the log file to C:\MSLOG.
- - Save the logs stored in C:\MSLOG.
-
-
-**Certificate Authority (CA)** *Optional*
-
-1. On a CA, launch a command prompt as an administrator.
-2. Create C:\MSLOG to store captured logs.
-3. Run the following commands:
-
-Environmental information and Group Policies application status
-
-```dos
-gpresult /H C:\MSLOG\%COMPUTERNAME%\_gpresult.txt
-
-msinfo32 /report c:\MSLOG\%COMPUTERNAME%\_msinfo32.txt
-
-ipconfig /all > c:\MSLOG\%COMPUTERNAME%\_ipconfig.txt
-
-route print > c:\MSLOG\%COMPUTERNAME%\_route\_print.txt
-```
-
-**Event logs**
-
-**Run the following 3 lines on Windows 2012 and up:**
-
-```dos
-wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-System\_Operational.evtx
-
-wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-User\_Operational.evtx
-
-wevtutil epl Microsoft-Windows-CertificateServices-Deployment/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServices-Deployment\_Operational.evtx
-```
-
-```dos
-wevtutil epl Application c:\MSLOG\%COMPUTERNAME%\_Application.evtx
-
-wevtutil epl System c:\MSLOG\%COMPUTERNAME%\_System.evtx
-
-wevtutil epl Security c:\MSLOG\%COMPUTERNAME%\_Security.evtx
-
-wevtutil epl Microsoft-Windows-GroupPolicy/Operational c:\MSLOG\%COMPUTERNAME%\_GroupPolicy\_Operational.evtx
-
-wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-CredentialRoaming\_Operational.evtx
-
-wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%\_CertPoleEng\_Operational.evtx
-```
-
-**Certificates store information**
-
-```dos
-certutil.exe -v -silent -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-Personal-Registry.txt
-
-certutil.exe -v -silent -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-Registry.txt
-
-certutil.exe -v -silent -store -grouppolicy ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-GroupPolicy.txt
-
-certutil.exe -v -silent -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_TrustedRootCA-Enterprise.txt
-
-certutil.exe -v -silent -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Reg.txt
-
-certutil.exe -v -silent -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-GroupPolicy.txt
-
-certutil.exe -v -silent -store -enterprise TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Enterprise.txt
-
-certutil.exe -v -silent -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-Registry.txt
-
-certutil.exe -v -silent -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-GroupPolicy.txt
-
-certutil.exe -v -silent -store -enterprise CA > c:\MSLOG\%COMPUTERNAME%\_cert-Intermediate-Enterprise.txt
-
-certutil.exe -v -silent -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Registry.txt
-
-certutil.exe -v -silent -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-GroupPolicy.txt
-
-certutil.exe -v -silent -store -enterprise AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Enterprise.txt
-
-certutil.exe -v -silent -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Registry.txt
-
-certutil.exe -v -silent -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-GroupPolicy.txt
-
-certutil.exe -v -silent -store -enterprise SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Enterprise.txt
-
-certutil.exe -v -silent -store -enterprise NTAUTH > c:\MSLOG\%COMPUTERNAME%\_cert-NtAuth-Enterprise.txt
-
-certutil.exe -v -silent -user -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-User-Personal-Registry.txt
-
-certutil.exe -v -silent -user -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Registry.txt
-
-certutil.exe -v -silent -user -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Enterprise.txt
-
-certutil.exe -v -silent -user -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-Registry.txt
-
-certutil.exe -v -silent -user -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-GroupPolicy.txt
-
-certutil.exe -v -silent -user -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-Registry.txt
-
-certutil.exe -v -silent -user -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-GroupPolicy.txt
-
-certutil.exe -v -silent -user -store Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-Registry.txt
-
-certutil.exe -v -silent -user -store -grouppolicy Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-GroupPolicy.txt
-
-certutil.exe -v -silent -user -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-Registry.txt
-
-certutil.exe -v -silent -user -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-GroupPolicy.txt
-
-certutil.exe -v -silent -user -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-Registry.txt
-
-certutil.exe -v -silent -user -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-GroupPolicy.txt
-
-certutil.exe -v -silent -user -store UserDS > c:\MSLOG\%COMPUTERNAME%\_cert-User-UserDS.txt
-```
-
-**CA configuration information**
-```dos
-reg save HKLM\System\CurrentControlSet\Services\CertSvc c:\MSLOG\%COMPUTERNAME%\_CertSvc.hiv
-
-reg export HKLM\System\CurrentControlSet\Services\CertSvc c:\MSLOG\%COMPUTERNAME%\_CertSvc.txt
-
-reg save HKLM\SOFTWARE\Microsoft\Cryptography c:\MSLOG\%COMPUTERNAME%\_Cryptography.hiv
-
-reg export HKLM\SOFTWARE\Microsoft\Cryptography c:\MSLOG\%COMPUTERNAME%\_Cryptography.tx
-```
-
-4. Copy the following files, if exist, to C:\MSLOG. %windir%\CAPolicy.inf
-5. Log on to a domain controller and create C:\MSLOG to store captured logs.
-6. Launch Windows PowerShell as an administrator.
-7. Run the following PowerShell commandlets
-
- \* Replace the domain name in ";.. ,DC=test,DC=local"; with appropriate domain name. The example shows commands for ";test.local"; domain.
-```powershell
-Import-Module ActiveDirectory
-
-Get-ADObject -SearchBase ";CN=Public Key Services,CN=Services,CN=Configuration,DC=test,DC=local"; -Filter \* -Properties \* | fl \* > C:\MSLOG\Get-ADObject\_$Env:COMPUTERNAME.txt
-```
-8. Save the following logs:
-- All files in C:\MSLOG on the CA
-- All files in C:\MSLOG on the domain controller
+ gpresult /H C:\MSLOG\%COMPUTERNAME%_gpresult.txt
+ msinfo32 /report c:\MSLOG\%COMPUTERNAME%_msinfo32.txt
+ ipconfig /all > c:\MSLOG\%COMPUTERNAME%_ipconfig.txt
+ route print > c:\MSLOG\%COMPUTERNAME%_route_print.txt
+ ```
+ - Event logs
+
+ ```
+ wevtutil epl Application c:\MSLOG\%COMPUTERNAME%_Application.evtx
+ wevtutil epl System c:\MSLOG\%COMPUTERNAME%_System.evtx
+ wevtutil epl Security c:\MSLOG\%COMPUTERNAME%_Security.evtx
+ wevtutil epl Microsoft-Windows-GroupPolicy/Operational c:\MSLOG\%COMPUTERNAME%_GroupPolicy_Operational.evtx
+ wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServicesClient-CredentialRoaming_Operational.evtx
+ wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%_CertPoleEng_Operational.evtx
+ ```
+ - Run the following 3 lines on Windows 2012 and up
+
+ ```
+ wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServicesClient-Lifecycle-System_Operational.evtx
+ wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServicesClient-Lifecycle-User_Operational.evtx
+ wevtutil epl Microsoft-Windows-CertificateServices-Deployment/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServices-Deployment_Operational.evtx
+ ```
+ - Certificates store information
+
+ ```
+ certutil -v -silent -store MY > c:\MSLOG\%COMPUTERNAME%_cert-Personal-Registry.txt
+ certutil -v -silent -store ROOT > c:\MSLOG\%COMPUTERNAME%_cert-TrustedRootCA-Registry.txt
+ certutil -v -silent -store -grouppolicy ROOT > c:\MSLOG\%COMPUTERNAME%_cert-TrustedRootCA-GroupPolicy.txt
+ certutil -v -silent -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%_TrustedRootCA-Enterprise.txt
+ certutil -v -silent -store TRUST > c:\MSLOG\%COMPUTERNAME%_cert-EnterpriseTrust-Reg.txt
+ certutil -v -silent -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%_cert-EnterpriseTrust-GroupPolicy.txt
+ certutil -v -silent -store -enterprise TRUST > c:\MSLOG\%COMPUTERNAME%_cert-EnterpriseTrust-Enterprise.txt
+ certutil -v -silent -store CA > c:\MSLOG\%COMPUTERNAME%_cert-IntermediateCA-Registry.txt
+ certutil -v -silent -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%_cert-IntermediateCA-GroupPolicy.txt
+ certutil -v -silent -store -enterprise CA > c:\MSLOG\%COMPUTERNAME%_cert-Intermediate-Enterprise.txt
+ certutil -v -silent -store AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-3rdPartyRootCA-Registry.txt
+ certutil -v -silent -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-3rdPartyRootCA-GroupPolicy.txt
+ certutil -v -silent -store -enterprise AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-3rdPartyRootCA-Enterprise.txt
+ certutil -v -silent -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-SmartCardRoot-Registry.txt
+ certutil -v -silent -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-SmartCardRoot-GroupPolicy.txt
+ certutil -v -silent -store -enterprise SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-SmartCardRoot-Enterprise.txt
+ certutil -v -silent -store -enterprise NTAUTH > c:\MSLOG\%COMPUTERNAME%_cert-NtAuth-Enterprise.txt
+ certutil -v -silent -user -store MY > c:\MSLOG\%COMPUTERNAME%_cert-User-Personal-Registry.txt
+ certutil -v -silent -user -store ROOT > c:\MSLOG\%COMPUTERNAME%_cert-User-TrustedRootCA-Registry.txt
+ certutil -v -silent -user -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%_cert-User-TrustedRootCA-Enterprise.txt
+ certutil -v -silent -user -store TRUST > c:\MSLOG\%COMPUTERNAME%_cert-User-EnterpriseTrust-Registry.txt
+ certutil -v -silent -user -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%_cert-User-EnterpriseTrust-GroupPolicy.txt
+ certutil -v -silent -user -store CA > c:\MSLOG\%COMPUTERNAME%_cert-User-IntermediateCA-Registry.txt
+ certutil -v -silent -user -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%_cert-User-IntermediateCA-GroupPolicy.txt
+ certutil -v -silent -user -store Disallowed > c:\MSLOG\%COMPUTERNAME%_cert-User-UntrustedCertificates-Registry.txt
+ certutil -v -silent -user -store -grouppolicy Disallowed > c:\MSLOG\%COMPUTERNAME%_cert-User-UntrustedCertificates-GroupPolicy.txt
+ certutil -v -silent -user -store AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-User-3rdPartyRootCA-Registry.txt
+ certutil -v -silent -user -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-User-3rdPartyRootCA-GroupPolicy.txt
+ certutil -v -silent -user -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-User-SmartCardRoot-Registry.txt
+ certutil -v -silent -user -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-User-SmartCardRoot-GroupPolicy.txt
+ certutil -v -silent -user -store UserDS > c:\MSLOG\%COMPUTERNAME%_cert-User-UserDS.txt
+ ```
+ - CA configuration information
+
+ ```
+ reg save HKLM\System\CurrentControlSet\Services\CertSvc c:\MSLOG\%COMPUTERNAME%_CertSvc.hiv
+ reg export HKLM\System\CurrentControlSet\Services\CertSvc c:\MSLOG\%COMPUTERNAME%_CertSvc.txt
+ reg save HKLM\SOFTWARE\Microsoft\Cryptography c:\MSLOG\%COMPUTERNAME%_Cryptography.hiv
+ reg export HKLM\SOFTWARE\Microsoft\Cryptography c:\MSLOG\%COMPUTERNAME%_Cryptography.tx
+ ```
+3. Copy the following files, if exist, to C:\MSLOG: %windir%\CAPolicy.inf
+4. Log on to a domain controller and create C:\MSLOG to store captured logs.
+5. Launch Windows PowerShell as an administrator.
+6. Run the following PowerShell cmdlets. Replace the domain name in ";.. ,DC=test,DC=local"; with appropriate domain name. The example shows commands for ";test.local"; domain.
+
+ ```powershell
+ Import-Module ActiveDirectory
+ Get-ADObject -SearchBase ";CN=Public Key Services,CN=Services,CN=Configuration,DC=test,DC=local"; -Filter \* -Properties \* | fl \* > C:\MSLOG\Get-ADObject_$Env:COMPUTERNAME.txt
+ ```
+7. Save the following logs.
+ - All files in C:\MSLOG on the CA
+ - All files in C:\MSLOG on the domain controller
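Review bot: The PowerShell step added near the end of this hunk will not run as written. Inside the fenced block, `-SearchBase ";CN=Public Key Services,...,DC=test,DC=local";` has stray semicolons around the quotes, and `-Filter \* -Properties \* | fl \*` keeps Markdown backslash escapes that are literal inside a code fence. Both were carried over from the removed lines, as was the same `";.. ,DC=test,DC=local";` text in step 6. Please use plain double quotes and unescaped `*`. Two smaller carry-overs in the same hunk: the last `reg export` line writes to `_Cryptography.tx`, which looks like a truncated `.txt`, and `gpresult /H` produces an HTML report but is saved as `_gpresult.txt`. Since C:\MSLOG ends up holding `_Security.evtx` and the `CertSvc` registry hive, step 7 could also say how that folder should be protected while it is stored and transferred.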
diff --git a/windows/client-management/images/boot-sequence-thumb.png b/windows/client-management/images/boot-sequence-thumb.png
new file mode 100644
index 0000000000..164f9f9848
Binary files /dev/null and b/windows/client-management/images/boot-sequence-thumb.png differ
diff --git a/windows/client-management/images/boot-sequence.png b/windows/client-management/images/boot-sequence.png
new file mode 100644
index 0000000000..31e6dc34c9
Binary files /dev/null and b/windows/client-management/images/boot-sequence.png differ
diff --git a/windows/client-management/images/rpc-error.png b/windows/client-management/images/rpc-error.png
new file mode 100644
index 0000000000..0e0828522b
Binary files /dev/null and b/windows/client-management/images/rpc-error.png differ
diff --git a/windows/client-management/images/rpc-flow.png b/windows/client-management/images/rpc-flow.png
new file mode 100644
index 0000000000..a3d9c13030
Binary files /dev/null and b/windows/client-management/images/rpc-flow.png differ
diff --git a/windows/client-management/images/tcp-ts-1.png b/windows/client-management/images/tcp-ts-1.png
new file mode 100644
index 0000000000..621235d5b3
Binary files /dev/null and b/windows/client-management/images/tcp-ts-1.png differ
diff --git a/windows/client-management/images/tcp-ts-10.png b/windows/client-management/images/tcp-ts-10.png
new file mode 100644
index 0000000000..7bf332b57a
Binary files /dev/null and b/windows/client-management/images/tcp-ts-10.png differ
diff --git a/windows/client-management/images/tcp-ts-11.png b/windows/client-management/images/tcp-ts-11.png
new file mode 100644
index 0000000000..75b0361f89
Binary files /dev/null and b/windows/client-management/images/tcp-ts-11.png differ
diff --git a/windows/client-management/images/tcp-ts-12.png b/windows/client-management/images/tcp-ts-12.png
new file mode 100644
index 0000000000..592ccf0e76
Binary files /dev/null and b/windows/client-management/images/tcp-ts-12.png differ
diff --git a/windows/client-management/images/tcp-ts-13.png b/windows/client-management/images/tcp-ts-13.png
new file mode 100644
index 0000000000..da6157c72a
Binary files /dev/null and b/windows/client-management/images/tcp-ts-13.png differ
diff --git a/windows/client-management/images/tcp-ts-14.png b/windows/client-management/images/tcp-ts-14.png
new file mode 100644
index 0000000000..f3a3cc4a35
Binary files /dev/null and b/windows/client-management/images/tcp-ts-14.png differ
diff --git a/windows/client-management/images/tcp-ts-15.png b/windows/client-management/images/tcp-ts-15.png
new file mode 100644
index 0000000000..e3e161317f
Binary files /dev/null and b/windows/client-management/images/tcp-ts-15.png differ
diff --git a/windows/client-management/images/tcp-ts-16.png b/windows/client-management/images/tcp-ts-16.png
new file mode 100644
index 0000000000..52a5e24e2b
Binary files /dev/null and b/windows/client-management/images/tcp-ts-16.png differ
diff --git a/windows/client-management/images/tcp-ts-17.png b/windows/client-management/images/tcp-ts-17.png
new file mode 100644
index 0000000000..e690bbdf1c
Binary files /dev/null and b/windows/client-management/images/tcp-ts-17.png differ
diff --git a/windows/client-management/images/tcp-ts-18.png b/windows/client-management/images/tcp-ts-18.png
new file mode 100644
index 0000000000..95cf36dbe7
Binary files /dev/null and b/windows/client-management/images/tcp-ts-18.png differ
diff --git a/windows/client-management/images/tcp-ts-19.png b/windows/client-management/images/tcp-ts-19.png
new file mode 100644
index 0000000000..4f2d239e57
Binary files /dev/null and b/windows/client-management/images/tcp-ts-19.png differ
diff --git a/windows/client-management/images/tcp-ts-2.png b/windows/client-management/images/tcp-ts-2.png
new file mode 100644
index 0000000000..cdaada6cb6
Binary files /dev/null and b/windows/client-management/images/tcp-ts-2.png differ
diff --git a/windows/client-management/images/tcp-ts-20.png b/windows/client-management/images/tcp-ts-20.png
new file mode 100644
index 0000000000..9b3c573f7e
Binary files /dev/null and b/windows/client-management/images/tcp-ts-20.png differ
diff --git a/windows/client-management/images/tcp-ts-21.png b/windows/client-management/images/tcp-ts-21.png
new file mode 100644
index 0000000000..1e29a2061e
Binary files /dev/null and b/windows/client-management/images/tcp-ts-21.png differ
diff --git a/windows/client-management/images/tcp-ts-22.png b/windows/client-management/images/tcp-ts-22.png
new file mode 100644
index 0000000000..c49dcd72ee
Binary files /dev/null and b/windows/client-management/images/tcp-ts-22.png differ
diff --git a/windows/client-management/images/tcp-ts-23.png b/windows/client-management/images/tcp-ts-23.png
new file mode 100644
index 0000000000..16ef4604c1
Binary files /dev/null and b/windows/client-management/images/tcp-ts-23.png differ
diff --git a/windows/client-management/images/tcp-ts-24.png b/windows/client-management/images/tcp-ts-24.png
new file mode 100644
index 0000000000..14ae950076
Binary files /dev/null and b/windows/client-management/images/tcp-ts-24.png differ
diff --git a/windows/client-management/images/tcp-ts-25.png b/windows/client-management/images/tcp-ts-25.png
new file mode 100644
index 0000000000..21e8b97a08
Binary files /dev/null and b/windows/client-management/images/tcp-ts-25.png differ
diff --git a/windows/client-management/images/tcp-ts-3.png b/windows/client-management/images/tcp-ts-3.png
new file mode 100644
index 0000000000..ce3072c95e
Binary files /dev/null and b/windows/client-management/images/tcp-ts-3.png differ
diff --git a/windows/client-management/images/tcp-ts-4.png b/windows/client-management/images/tcp-ts-4.png
new file mode 100644
index 0000000000..73bc5f90be
Binary files /dev/null and b/windows/client-management/images/tcp-ts-4.png differ
diff --git a/windows/client-management/images/tcp-ts-5.png b/windows/client-management/images/tcp-ts-5.png
new file mode 100644
index 0000000000..ee64c96da0
Binary files /dev/null and b/windows/client-management/images/tcp-ts-5.png differ
diff --git a/windows/client-management/images/tcp-ts-6.png b/windows/client-management/images/tcp-ts-6.png
new file mode 100644
index 0000000000..8db75fdb08
Binary files /dev/null and b/windows/client-management/images/tcp-ts-6.png differ
diff --git a/windows/client-management/images/tcp-ts-7.png b/windows/client-management/images/tcp-ts-7.png
new file mode 100644
index 0000000000..4b61bf7e36
Binary files /dev/null and b/windows/client-management/images/tcp-ts-7.png differ
diff --git a/windows/client-management/images/tcp-ts-8.png b/windows/client-management/images/tcp-ts-8.png
new file mode 100644
index 0000000000..f0ef8300ba
Binary files /dev/null and b/windows/client-management/images/tcp-ts-8.png differ
diff --git a/windows/client-management/images/tcp-ts-9.png b/windows/client-management/images/tcp-ts-9.png
new file mode 100644
index 0000000000..dba375fd65
Binary files /dev/null and b/windows/client-management/images/tcp-ts-9.png differ
diff --git a/windows/client-management/img-boot-sequence.md b/windows/client-management/img-boot-sequence.md
new file mode 100644
index 0000000000..ca385d841a
--- /dev/null
+++ b/windows/client-management/img-boot-sequence.md
@@ -0,0 +1,11 @@
+---
+description: A full-sized view of the boot sequence flowchart.
+title: Boot sequence flowchart
+ms.date: 11/16/2018
+---
+
+Return to: [Advanced troubleshooting for Windows boot problems](advanced-troubleshooting-boot-problems.md)
+
+
+
+
diff --git a/windows/client-management/manage-settings-app-with-group-policy.md b/windows/client-management/manage-settings-app-with-group-policy.md
index aa9b63bd2b..7b80381b7c 100644
--- a/windows/client-management/manage-settings-app-with-group-policy.md
+++ b/windows/client-management/manage-settings-app-with-group-policy.md
@@ -38,7 +38,7 @@ Policy paths:
The Group Policy can be configured in one of two ways: specify a list of pages that are shown or specify a list of pages to hide. To do this, add either **ShowOnly:** or **Hide:** followed by a semicolon delimited list of URIs in **Settings Page Visiblity**. For a full list of URIs, see the URI scheme reference section in [Launch the Windows Settings app](https://docs.microsoft.com/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference).
>[!NOTE]
-> When you specify the URI in the Settings Page Visbility textbox, don't include **ms-settings:** in the string.
+> When you specify the URI in the Settings Page Visibility textbox, don't include **ms-settings:** in the string.
Here are some examples:
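Review bot: The spelling fix is incomplete. The unchanged paragraph directly above the note still reads "**Settings Page Visiblity**", so the policy name is now spelled two different ways within three lines. Please correct that occurrence in the same change, since administrators search for the setting by this name.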
diff --git a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md
index b1d8ac001f..8cc949f6b9 100644
--- a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md
+++ b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md
@@ -400,7 +400,7 @@ Location:
Example:
HTTP/1.1 302
-Location: ms-appx-web://App1/ToUResponse?error=access_denied&error_description=Acess%20is%20denied%2E
+Location: ms-appx-web://App1/ToUResponse?error=access_denied&error_description=Access%20is%20denied%2E
```
The following table shows the error codes.
diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md
index 9231a68bbf..2e0b0840bd 100644
--- a/windows/client-management/mdm/bitlocker-csp.md
+++ b/windows/client-management/mdm/bitlocker-csp.md
@@ -6,9 +6,8 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
-ms.date: 08/31/2018
+ms.date: 12/06/2018
---
-
# BitLocker CSP
> [!WARNING]
@@ -795,13 +794,13 @@ The following diagram shows the BitLocker configuration service provider in tree
**AllowWarningForOtherDiskEncryption**
-Allows the Admin to disable the warning prompt for other disk encryption on the user machines.
+Allows the admin to disable the warning prompt for other disk encryption on the user machines that are targeted when the RequireDeviceEncryption policy is also set to 1.
> [!Important]
-> Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory joined devices. Windows will attempt to silently enable [BitLocker](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-overview) for value 0.
+> Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory joined devices. When RequireDeviceEncryption is set to 1 and AllowWarningForOtherDiskEncryption is set to 0, Windows will attempt to silently enable [BitLocker](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-overview).
> [!Warning]
-> When you enable BitLocker on a device with third party encryption, it may render the device unusable and will require reinstallation of Windows.
+> When you enable BitLocker on a device with third-party encryption, it may render the device unusable and require you to reinstall Windows.
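Review bot: The rewritten opening sentence under AllowWarningForOtherDiskEncryption is hard to parse. In "on the user machines that are targeted when the RequireDeviceEncryption policy is also set to 1" it is unclear whether "targeted" describes the machines or the condition under which the setting applies. Suggest splitting it in two: one sentence saying what the setting does, and a second stating that it only takes effect when RequireDeviceEncryption is set to 1. That would also line up with the wording of the Important note below, which already spells out the 1 and 0 combination that triggers silent encryption.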
@@ -844,6 +843,16 @@ The following diagram shows the BitLocker configuration service provider in tree
```
+>[!NOTE]
+>When you disable the warning prompt, the OS drive's recovery key will back up to the user's Azure Active Directory account. When you allow the warning prompt, the user who receives the prompt can select where to back up the OS drive's recovery key.
+>
+>The endpoint for a fixed data drive's backup is chosen in the following order:
+ >1. The user's Windows Server Active Directory Domain Services account.
+ >2. The user's Azure Active Directory account.
+ >3. The user's personal OneDrive (MDM/MAM only).
+>
+>Encryption will wait until one of these three locations backs up successfully.
+
**AllowStandardUserEncryption**
Allows Admin to enforce "RequireDeviceEncryption" policy for scenarios where policy is pushed while current logged on user is non-admin/standard user Azure AD account.
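Review bot: The added note does not say what happens when the recovery key backup fails. "Encryption will wait until one of these three locations backs up successfully" leaves open how long it waits and what the admin or user sees in the meantime, and the OS drive sentence gives no failure behaviour at all for the silent case. Please state the outcome or point to where the status is reported, because a device that never encrypts is the result that matters to whoever sets this policy. Also, the three numbered lines are indented before the `>` marker, unlike the rest of the note, so check that the list still renders inside the NOTE block.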
@@ -854,7 +863,7 @@ Allows Admin to enforce "RequireDeviceEncryption" policy for scenarios where pol
If "AllowWarningForOtherDiskEncryption" is not set, or is set to "1", "RequireDeviceEncryption" policy will not try to encrypt drive(s) if a standard user is the current logged on user in the system.
-The expected values for this policy are:
+The expected values for this policy are:
- 1 = "RequireDeviceEncryption" policy will try to enable encryption on all fixed drives even if a current logged in user is standard user.
- 0 = This is the default, when the policy is not set. If current logged on user is a standard user, "RequireDeviceEncryption" policy will not try to enable encryption on any drive.
diff --git a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md
index 4e860c0b4b..8aa018c18c 100644
--- a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md
+++ b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md
@@ -79,7 +79,7 @@ Using the ICD, create a provisioning package using the enrollment information re
12. Enter the values for your package and specify the package output location.

- 
+ 

13. Click **Build**.
diff --git a/windows/client-management/mdm/diagnosticlog-ddf.md b/windows/client-management/mdm/diagnosticlog-ddf.md
index 4fb7edff7c..97ae506323 100644
--- a/windows/client-management/mdm/diagnosticlog-ddf.md
+++ b/windows/client-management/mdm/diagnosticlog-ddf.md
@@ -25,7 +25,7 @@ The content below are the latest versions of the DDF files:
## DiagnosticLog CSP version 1.2
-``` syntax
+```xml
4
- This node is used for setting or getting the block size (in Kilobytes) for the download of assoicated log file. The value range is 1~16. Default value is 4.
+ This node is used for setting or getting the block size (in Kilobytes) for the download of associated log file. The value range is 1~16. Default value is 4.
@@ -634,7 +634,7 @@ The content below are the latest versions of the DDF files:
## DiagnosticLog CSP version 1.3
-``` syntax
+```xml
4
- This node is used for setting or getting the block size (in Kilobytes) for the download of assoicated log file. The value range is 1~16. Default value is 4.
+ This node is used for setting or getting the block size (in Kilobytes) for the download of associated log file. The value range is 1~16. Default value is 4.
diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md
index cf28233abe..a4f77849fe 100644
--- a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md
+++ b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md
@@ -80,10 +80,10 @@ Query parameters:
- Bundle - returns installed bundle packages.
- Framework - returns installed framework packages.
- Resource - returns installed resources packages. Resources are either language, scale, or DirectX resources. They are parts of a bundle.
- - XAP - returns XAP package types.
+ - XAP - returns XAP package types. This filter is not supported on devices other than Windows Mobile.
- All - returns all package types.
- If no value is specified, the combination of Main, Bundle, Framework, and XAP are returned.
+ If no value is specified, the combination of Main, Bundle, and Framework are returned.
- PackageFamilyName - specifies the name of a particular package. If you specify this parameter, it returns the Package Family name if the package contains this value.
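Review bot: The two added lines leave the Windows Mobile default ambiguous. The XAP bullet says the filter is unsupported only on devices other than Windows Mobile, but the default sentence now drops XAP for every device, so a reader cannot tell whether an unfiltered query on Windows Mobile still returns XAP packages. Please state the default per platform, or say explicitly that XAP must always be requested. Minor grammar point on the same line: "the combination of Main, Bundle, and Framework are returned" should be "is returned".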
diff --git a/windows/client-management/mdm/images/class-guids.png b/windows/client-management/mdm/images/class-guids.png
new file mode 100644
index 0000000000..6951e4ed5a
Binary files /dev/null and b/windows/client-management/mdm/images/class-guids.png differ
diff --git a/windows/client-management/mdm/images/hardware-ids.png b/windows/client-management/mdm/images/hardware-ids.png
new file mode 100644
index 0000000000..9017f289f6
Binary files /dev/null and b/windows/client-management/mdm/images/hardware-ids.png differ
diff --git a/windows/client-management/mdm/index.md b/windows/client-management/mdm/index.md
index 72b31a82e2..eb70f310ec 100644
--- a/windows/client-management/mdm/index.md
+++ b/windows/client-management/mdm/index.md
@@ -10,7 +10,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: jdeckerms
-ms.date: 09/12/2018
+ms.date: 10/09/2018
---
# Mobile device management
@@ -23,12 +23,15 @@ There are two parts to the Windows 10 management component:
- The enrollment client, which enrolls and configures the device to communicate with the enterprise management server.
- The management client, which periodically synchronizes with the management server to check for updates and apply the latest policies set by IT.
-Third-party MDM servers can manage Windows 10 by using the MDM protocol. The built-in management client is able to communicate with a third-party server proxy that supports the protocols outlined in this document to perform enterprise management tasks. The third-party server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 10 users. MDM servers do not need to create or download a client to manage Windows 10. For details about the MDM protocols, see [\[MS-MDM\]: Mobile Device Management Protocol](https://go.microsoft.com/fwlink/p/?LinkId=619346) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347).
+Third-party MDM servers can manage Windows 10 by using the MDM protocol. The built-in management client is able to communicate with a third-party server proxy that supports the protocols outlined in this document to perform enterprise management tasks. The third-party server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 10 users. MDM servers do not need to create or download a client to manage Windows 10. For details about the MDM protocols, see [\[MS-MDM\]: Mobile Device Management Protocol](https://go.microsoft.com/fwlink/p/?LinkId=619346) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://go.microsoft.com/fwlink/p/?LinkId=619347).
## MDM security baseline
With Windows 10, version 1809, Microsoft is also releasing a Microsoft MDM security baseline that functions like the Microsoft GP-based security baseline. You can easily integrate this baseline into any MDM to support IT pros’ operational needs, addressing security concerns for modern cloud-managed devices.
+>[!NOTE]
+>Intune support for the MDM security baseline is coming soon.
+
The MDM security baseline includes policies that cover the following areas:
- Microsoft inbox security technology (not deprecated) such as Bitlocker, Smartscreen, and DeviceGuard (virtual-based security), ExploitGuard, Defender, and Firewall
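Review bot: The added note "Intune support for the MDM security baseline is coming soon" has no date or version attached and will go stale without anyone noticing. Suggest tying it to a release or tracking link, or filing a follow-up to remove it once support ships.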
@@ -38,7 +41,7 @@ The MDM security baseline includes policies that cover the following areas:
- Legacy technology policies that offer alternative solutions with modern technology
- And much more
-For more details about the MDM policies defined in the MDM security baseline and what Microsoft’s recommended baseline policy values are, see [Security baseline (DRAFT) for Windows 10 v1809 and Windows Server 2019](https://blogs.technet.microsoft.com/secguide/2018/10/01/security-baseline-draft-for-windows-10-v1809-and-windows-server-2019/).
+For more details about the MDM policies defined in the MDM security baseline and what Microsoft’s recommended baseline policy values are, see [MDM Security baseline (Preview) for Windows 10, version 1809](http://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/1809-MDM-SecurityBaseLine-Document-[Preview].zip).
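Review bot: The replacement link points to `http://download.microsoft.com/...` over plain HTTP, and the target is a zip of the security baseline that readers will download and apply. An earlier hunk in this same file moves the MS-MDE2 link from http to https, so please use https here as well. The URL also contains a literal `[Preview]` inside a Markdown link destination. Verify that it renders as a working link, or percent-encode the brackets.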
diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
index 7a2feeca63..4d9e65932e 100644
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
@@ -10,7 +10,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
-ms.date: 09/20/2018
+ms.date: 12/06/2018
---
# What's new in MDM enrollment and management
@@ -1255,7 +1255,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
WindowsDefenderSecurityCenter/HideSecureBoot
WindowsDefenderSecurityCenter/HideTPMTroubleshooting
-Security/RequireDeviceEncrption - updated to show it is supported in desktop.
+Security/RequireDeviceEncryption - updated to show it is supported in desktop.
[BitLocker CSP](bitlocker-csp.md) |
@@ -1760,6 +1760,12 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
## Change history in MDM documentation
+### December 2018
+
+|New or updated topic | Description|
+|--- | ---|
+|[BitLocker CSP](bitlocker-csp.md)|Updated AllowWarningForOtherDiskEncryption policy description to describe silent and non-silent encryption scenarios, as well as where and how the recovery key is backed up for each scenario.|
+
### September 2018
|New or updated topic | Description|
@@ -2335,7 +2341,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
Settings/AllowOnlineTips
System/DisableEnterpriseAuthProxy
-Security/RequireDeviceEncrption - updated to show it is supported in desktop.
+Security/RequireDeviceEncryption - updated to show it is supported in desktop.
[BitLocker CSP](bitlocker-csp.md) |
diff --git a/windows/client-management/mdm/passportforwork-ddf.md b/windows/client-management/mdm/passportforwork-ddf.md
index 6f65055513..79bf2a8409 100644
--- a/windows/client-management/mdm/passportforwork-ddf.md
+++ b/windows/client-management/mdm/passportforwork-ddf.md
@@ -21,7 +21,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
The XML below is for Windows 10, version 1809.
-``` syntax
+```xml
False
- Enables/Disables Dyanamic Lock
+ Enables/Disables Dynamic Lock
@@ -1304,4 +1304,4 @@ Note that enhanced anti-spoofing for Windows Hello face authentication is not re
-```
\ No newline at end of file
+```
diff --git a/windows/client-management/mdm/policy-csp-bluetooth.md b/windows/client-management/mdm/policy-csp-bluetooth.md
index f73ed9e092..6021cb7a15 100644
--- a/windows/client-management/mdm/policy-csp-bluetooth.md
+++ b/windows/client-management/mdm/policy-csp-bluetooth.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
-ms.date: 08/30/2018
+ms.date: 11/15/2018
---
# Policy CSP - Bluetooth
@@ -352,15 +352,15 @@ Footnote:
## ServicesAllowedList usage guide
-When the Bluetooth/ServicesAllowedList policy is provisioned, it will only allow pairing and connections of Windows PCs and phones to explicitly define Bluetooth profiles and services. It is an allowed list, enabling admins to still allow custom Bluetooth profiles that are not defined by the Bluetooth Special Interests Group (SIG).
+When the Bluetooth/ServicesAllowedList policy is provisioned, it will only allow pairing and connections of Windows PCs and phones to explicitly defined Bluetooth profiles and services. It is an allowed list, enabling admins to still allow custom Bluetooth profiles that are not defined by the Bluetooth Special Interests Group (SIG).
-To define which profiles and services are allowed, enter the profile or service Universally Unique Identifiers (UUID) using semicolon delimiter. To get a profile UUID, refer to the [Service Discovery](https://www.bluetooth.com/specifications/assigned-numbers/service-discovery) page on the Bluetooth SIG website.
+To define which profiles and services are allowed, enter the semicolon delimited profile or service Universally Unique Identifiers (UUID). To get a profile UUID, refer to the [Service Discovery](https://www.bluetooth.com/specifications/assigned-numbers/service-discovery) page on the Bluetooth SIG website.
These UUIDs all use the same base UUID with the profile identifiers added to the beginning of the base UUID.
Here are some examples:
-**Bluetooth Headsets for Voice (HFP)**
+**Example of how to enable Hands Free Profile (HFP)**
BASE_UUID = 0x00000000-0000-1000-8000-00805F9B34FB
@@ -370,8 +370,22 @@ BASE_UUID = 0x00000000-0000-1000-8000-00805F9B34FB
Footnote: * Used as both Service Class Identifier and Profile Identifier.
-Hands Free Profile UUID = base UUID + 0x111E to the beginning = 0000111E-0000-1000-8000-00805F9B34FB
+Hands Free Profile UUID = base UUID + 0x111E to the beginning = 0000**111E**-0000-1000-8000-00805F9B34FB
+**Allow Audio Headsets (Voice)**
+
+|Profile|Reasoning|UUID|
+|-|-|-|
+|HFP (Hands Free Profile)|For voice-enabled headsets|0x111E|
+|Generic Audio Service|Generic audio service|0x1203|
+|Headset Service Class|For older voice-enabled headsets|0x1108|
+|PnP Information|Used to identify devices occasionally|0x1200|
+
+This means that if you only want Bluetooth headsets, the UUIDs to include are:
+
+{0000111E-0000-1000-8000-00805F9B34FB};{00001203-0000-1000-8000-00805F9B34FB};{00001108-0000-1000-8000-00805F9B34FB};{00001200-0000-1000-8000-00805F9B34FB}
+
+
**Allow Audio Headsets and Speakers (Voice & Music)**
|Profile |Reasoning |UUID |
|---------|---------|---------|
|HFP (Hands Free Profile) |For voice enabled headsets |0x111E |
-|A2DP Source (Advance Audio Distribution)|For streaming to Bluetooth speakers |0x110A |
-|GAP (Generic Access Profile) |Generic service used by Bluetooth |0x1800 |
-|Device ID (DID) |Generic service used by Bluetooth |0x180A |
-|Scan Parameters |Generic service used by Bluetooth |0x1813 |
+|A2DP Source (Advance Audio Distribution)|For streaming to Bluetooth speakers |0x110B|
+|Generic Audio Service|Generic service used by Bluetooth|0x1203|
+|Headset Service Class|For older voice-enabled headsets|0x1108|
+|AV Remote Control Target Service|For controlling audio remotely|0x110C|
+|AV Remote Control Service|For controlling audio remotely|0x110E|
+|AV Remote Control Controller Service|For controlling audio remotely|0x110F|
+|PnP Information|Used to identify devices occasionally|0x1200|
-{0000111E-0000-1000-8000-00805F9B34FB};{0000110A-0000-1000-8000-00805F9B34FB};{00001800-0000-1000-8000-00805F9B34FB};{0000180A-0000-1000-8000-00805F9B34FB};{00001813-0000-1000-8000-00805F9B34FB}
+{0000111E-0000-1000-8000-00805F9B34FB};{0000110B-0000-1000-8000-00805F9B34FB};{00001203-0000-1000-8000-00805F9B34FB};{00001108-0000-1000-8000-00805F9B34FB};{0000110C-0000-1000-8000-00805F9B34FB};{0000110E-0000-1000-8000-00805F9B34FB};{0000110F-0000-1000-8000-00805F9B34FB};{00001200-0000-1000-8000-00805F9B34FB};
**Classic Keyboards and Mice**
|Profile |Reasoning |UUID |
|---------|---------|---------|
|HID (Human Interface Device) |For classic BR/EDR keyboards and mice |0x1124 |
-|GAP (Generic Access Profile) |Generic service used by Bluetooth |0x1800 |
-|DID (Device ID) |Generic service used by Bluetooth |0x180A |
-|Scan Parameters |Generic service used by Bluetooth |0x1813 |
+|PnP Information|Used to identify devices occasionally|0x1200|
-{00001801-0000-1000-8000-00805F9B34FB};{00001812-0000-1000-8000-00805F9B34FB};{00001800-0000-1000-8000-00805F9B34FB};{0000180A-0000-1000-8000-00805F9B34FB};{00001813-0000-1000-8000-00805F9B34FB}
+{00001124-0000-1000-8000-00805F9B34FB};{00001200-0000-1000-8000-00805F9B34FB};
-> [!Note]
-> For both Classic and LE use a super set of the two formula’s UUIDs
**LE Keyboards and Mice**
|Profile |Reasoning |UUID |
|---------|---------|---------|
-|Generic Access Atribute |For the LE Protocol |0x1801 |
+|Generic Access Attribute |For the LE Protocol |0x1801 |
|HID Over GATT * |For LE keyboards and mice |0x1812 |
|GAP (Generic Access Profile) |Generic service used by Bluetooth |0x1800 |
|DID (Device ID) |Generic service used by Bluetooth |0x180A |
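Review bot: In the "Allow Audio Headsets and Speakers" table the UUID changes from 0x110A to 0x110B (and the list entry to `{0000110B-...}`), but the row label still reads "A2DP Source (Advance Audio Distribution)". In the Bluetooth SIG assigned numbers 0x110A is Audio Source and 0x110B is Audio Sink, so the label and the value now disagree; because this is an allow list, a wrong entry silently blocks the profile the admin meant to permit. Two smaller points in the same hunk: the new speaker and classic keyboard/mouse lists end with a trailing semicolon while the new voice headset list does not, so pick one form and say whether a trailing delimiter is accepted; and the note about using a superset of the UUIDs for both Classic and LE is deleted without a replacement, leaving no guidance for devices that need both lists.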
@@ -433,10 +447,6 @@ Footnote: * The Surface pen uses the HID over GATT profile
|---------|---------|---------|
|OBEX Object Push (OPP) |For file transfer |0x1105 |
|Object Exchange (OBEX) |Protocol for file transfer |0x0008 |
-|Generic Access Profile (GAP) |Generic service used by Bluetooth |0x1800 |
-|Device ID (DID) |Generic service used by Bluetooth |0x180A |
-|Scan Parameters |Generic service used by Bluetooth |0x1813 |
-
-{00001105-0000-1000-8000-00805F9B34FB};{00000008-0000-1000-8000-00805F9B34FB};{0000111E-0000-1000-8000-00805F9B34FB};{00001800-0000-1000-8000-00805F9B34FB};{0000180A-0000-1000-8000-00805F9B34FB};{00001813-0000-1000-8000-00805F9B34FB}
-
+|PnP Information|Used to identify devices occasionally|0x1200|
+{00001105-0000-1000-8000-00805F9B34FB};{00000008-0000-1000-8000-00805F9B34FB};{00001200-0000-1000-8000-00805F9B34FB}
\ No newline at end of file
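Review bot: The added `|PnP Information|...|0x1200|` row is followed directly by the `{00001105-...}` UUID line, and this hunk removes the blank lines that used to separate the table from the list, so Markdown will parse the UUID string as a further table row. Keep a blank line between them. The file also still ends without a trailing newline, which the passportforwork-ddf.md change in this same patch fixes for that file.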
diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md
index 996f6c944d..47f25fad53 100644
--- a/windows/client-management/mdm/policy-csp-defender.md
+++ b/windows/client-management/mdm/policy-csp-defender.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
-ms.date: 08/08/2018
+ms.date: 11/14/2018
---
# Policy CSP - Defender
@@ -1366,7 +1366,7 @@ ADMX Info:
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop. The previous name was GuardedFoldersAllowedApplications and changed to ControlledFolderAccessAllowedApplications.
-Added in Windows 10, version 1709. This policy setting allows user-specified applications to the guard my folders feature. Adding an allowed application means the guard my folders feature will allow the application to modify or delete content in certain folders such as My Documents. In most cases it will not be necessary to add entries. Windows Defender Antivirus will automatically detect and dynamically add applications that are friendly. Value type is string. Use the | as the substring separator.
+Added in Windows 10, version 1709. This policy setting allows user-specified applications to the controlled folder access feature. Adding an allowed application means the controlled folder access feature will allow the application to modify or delete content in certain folders such as My Documents. In most cases it will not be necessary to add entries. Windows Defender Antivirus will automatically detect and dynamically add applications that are friendly. Value type is string. Use the | as the substring separator.
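Review bot: The reworded first sentence still reads "allows user-specified applications to the controlled folder access feature", which is missing the verb for what happens to the applications; "allows adding user-specified applications to the controlled folder access allowed list" would say it. "applications that are friendly" is also undefined. An entry here lets an application modify or delete content in protected folders, so state the criterion or link to where it is described.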
@@ -1421,7 +1421,7 @@ ADMX Info:
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop. The previous name was GuardedFoldersList and changed to ControlledFolderAccessProtectedFolders.
-Added in Windows 10, version 1709. This policy settings allows adding user-specified folder locations to the guard my folders feature. These folders will complement the system defined folders such as My Documents and My Pictures. The list of system folders will be displayed in the user interface and can not be changed. Value type is string. Use the | as the substring separator.
+Added in Windows 10, version 1709. This policy settings allows adding user-specified folder locations to the controlled folder access feature. These folders will complement the system defined folders such as My Documents and My Pictures. The list of system folders will be displayed in the user interface and can not be changed. Value type is string. Use the | as the substring separator.
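Review bot: The edited line keeps "This policy settings allows" and "can not be changed". Since the sentence is being touched for the rename anyway, correct these to "This policy setting allows" and "cannot be changed".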
@@ -1679,7 +1679,7 @@ ADMX Info:
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop. The previous name was EnableGuardMyFolders and changed to EnableControlledFolderAccess.
-Added in Windows 10, version 1709. This policy enables setting the state (On/Off/Audit) for the guard my folders feature. The guard my folders feature removes modify and delete permissions from untrusted applications to certain folders such as My Documents. Value type is integer and the range is 0 - 2.
+Added in Windows 10, version 1709. This policy enables setting the state (On/Off/Audit) for the controlled folder access feature. The controlled folder access feature removes modify and delete permissions from untrusted applications to certain folders such as My Documents. Value type is integer and the range is 0 - 2.
diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md
index 5dabbc96ab..c11cd41c96 100644
--- a/windows/client-management/mdm/policy-csp-deviceinstallation.md
+++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md
@@ -6,14 +6,11 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
-ms.date: 07/23/2018
+ms.date: 12/01/2018
---
# Policy CSP - DeviceInstallation
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
@@ -80,19 +77,29 @@ ms.date: 07/23/2018
-This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is allowed to install. Use this policy setting only when the "Prevent installation of devices not described by other policy settings" policy setting is enabled. Other policy settings that prevent device installation take precedence over this one.
+This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is allowed to install.
+
+> [!TIP]
+> Use this policy setting only when the "Prevent installation of devices not described by other policy settings" policy setting is enabled. Other policy settings that prevent device installation take precedence over this one.
If you enable this policy setting, Windows is allowed to install or update any device whose Plug and Play hardware ID or compatible ID appears in the list you create, unless another policy setting specifically prevents that installation (for example, the "Prevent installation of devices that match any of these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, or the "Prevent installation of removable devices" policy setting). If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed.
+For more information about hardware IDs and compatible IDs, see [Device Identification Strings](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings).
+
+To get the hardware ID for a device, open Device Manager, right-click the name of the device and click **Properties**. On the **Details** tab, select **Hardware Ids** from the **Property** menu:
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
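Review bot: The text moved into the new `[!TIP]` ("Use this policy setting only when ... is enabled. Other policy settings that prevent device installation take precedence over this one.") is a precondition plus a precedence rule, not an optional tip. It tells the admin when the allow list is meaningful and which policies override it, so `[!NOTE]` or `[!IMPORTANT]` fits better. Also, the added "select **Hardware Ids** from the **Property** menu:" line ends in a colon with only blank lines after it in this hunk; if a screenshot is intended, confirm the image reference made it into the change.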
@@ -113,6 +120,37 @@ ADMX Info:
+To enable this policy, use the following SyncML. This example allows Windows to install compatible devices with a device ID of USB\Composite or USB\Class_FF. To configure multiple classes, use `` as a delimiter.
+
+
+``` syntax
+
+
+
+ $CmdID$
+ -
+
+ ./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/AllowInstallationOfMatchingDeviceIDs
+
+
+ string
+
+
+
+
+
+
+```
+
+To verify the policies are applied properly, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log:
+
+```txt
+>>> [Device Installation Restrictions Policy Check]
+>>> Section start 2018/11/15 12:26:41.659
+<<< Section end 2018/11/15 12:26:41.751
+<<< [Exit status: SUCCESS]
+```
+
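Review bot: In the added intro sentence the delimiter is shown as an empty pair of backticks, so a reader cannot tell what separates multiple entries; make sure the delimiter survives rendering (escape it if it is a character entity). The same sentence says "To configure multiple classes" although this policy takes device IDs (the example names USB\Composite and USB\Class_FF), so it should read "multiple device IDs". The fence is tagged `syntax` here while passportforwork-ddf.md in this same patch moves from `syntax` to `xml`; use `xml` for the SyncML block as well.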
@@ -151,19 +189,31 @@ ADMX Info:
-This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is allowed to install. Use this policy setting only when the "Prevent installation of devices not described by other policy settings" policy setting is enabled. Other policy settings that prevent device installation take precedence over this one.
+This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is allowed to install.
+
+> [!TIP]
+> Use this policy setting only when the "Prevent installation of devices not described by other policy settings" policy setting is enabled. Other policy settings that prevent device installation take precedence over this one.
If you enable this policy setting, Windows is allowed to install or update device drivers whose device setup class GUIDs appear in the list you create, unless another policy setting specifically prevents installation (for example, the "Prevent installation of devices that match these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, or the "Prevent installation of removable devices" policy setting). If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
+This setting allows device installation based on the serial number of a removable device if that number is in the hardware ID.
+
If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed.
+For a list of Class and ClassGUID entries for device setup classes, see [System-Defined Device Setup Classes Available to Vendors](https://docs.microsoft.com/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors).
+
+To get the ClassGUID for a device, open Device Manager, right-click the name of the device and click **Properties**. On the **Details** tab, select **Class GUID** from the **Property** menu:
+
+
+
> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
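Review bot: The added sentence "This setting allows device installation based on the serial number of a removable device if that number is in the hardware ID." sits in the description of the setup class policy, which matches on device setup class GUIDs, not hardware IDs. As written it suggests a class GUID list can allow a single device by serial number. If the statement is meant for AllowInstallationOfMatchingDeviceIDs, move it there; otherwise explain how a class GUID entry relates to a serial number.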
@@ -184,6 +234,44 @@ ADMX Info:
+To enable this policy, use the following SyncML. This example allows Windows to install:
+
+- Floppy Disks, ClassGUID = {4d36e980-e325-11ce-bfc1-08002be10318}
+- CD ROMs, ClassGUID = {4d36e965-e325-11ce-bfc1-08002be10318}
+- Modems, ClassGUID = {4d36e96d-e325-11ce-bfc1-08002be10318}
+
+Enclose the class GUID within curly brackets {}. To configure multiple classes, use `` as a delimiter.
+
+
+``` syntax
+
+
+
+ $CmdID$
+ -
+
+ ./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses
+
+
+ string
+
+
+
+
+
+
+```
+
+To verify the policies are applied properly, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log:
+
+
+```txt
+>>> [Device Installation Restrictions Policy Check]
+>>> Section start 2018/11/15 12:26:41.659
+<<< Section end 2018/11/15 12:26:41.751
+<<< [Exit status: SUCCESS]
+```
+
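Review bot: The verification excerpt added here is byte-for-byte the same as the one added for the device ID policy, including the 2018/11/15 12:26:41 timestamps, and it contains only the section header, start/end times and "Exit status: SUCCESS". Nothing in it shows which policy or which class GUID was evaluated, so it cannot tell an admin that this allow list is the one in effect. Either include the line inside the section that names the matched policy or device, or say explicitly what to look for between the section start and end.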
@@ -228,6 +316,8 @@ If you enable this policy setting, Windows does not retrieve device metadata for
If you disable or do not configure this policy setting, the setting in the Device Installation Settings dialog box controls whether Windows retrieves device metadata from the Internet.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -299,6 +389,7 @@ If you enable this policy setting, Windows is prevented from installing or updat
If you disable or do not configure this policy setting, Windows is allowed to install or update the device driver for any device that is not described by the "Prevent installation of devices that match any of these device IDs," "Prevent installation of devices for these device classes," or "Prevent installation of removable devices" policy setting.
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -370,6 +461,13 @@ If you enable this policy setting, Windows is prevented from installing a device
If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings.
+For more information about hardware IDs and compatible IDs, see [Device Identification Strings](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings).
+
+To get the hardware ID for a device, open Device Manager, right-click the name of the device and click **Properties**. On the **Details** tab, select **Hardware Ids** from the **Property** menu:
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -388,7 +486,38 @@ ADMX Info:
+
+To enable this policy, use the following SyncML. This example prevents Windows from installing compatible devices with a device ID of USB\Composite or USB\Class_FF. To configure multiple classes, use `` as a delimiter. To apply the policy to matching device classes that are already installed, set DeviceInstall_IDs_Deny_Retroactive to true.
+
+
+``` syntax
+
+
+
+ $CmdID$
+ -
+
+ ./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceIDs
+
+
+ string
+
+
+
+
+
+
+```
+
+To verify the policies are applied properly, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log:
+
+```txt
+>>> [Device Installation Restrictions Policy Check]
+>>> Section start 2018/11/15 12:26:41.659
+<<< Section end 2018/11/15 12:26:41.751
+<<< [Exit status: SUCCESS]
+```
**DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses**
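Review bot: The added intro says to set DeviceInstall_IDs_Deny_Retroactive to true to apply the policy to devices that are already installed, but it does not say where in the payload that value goes or what happens to an installed device that matches. Compatible IDs such as USB\Composite can match many devices, so describe the effect on devices already in use and call it out as a caution before readers enable it. The closing fence of the log sample is also followed directly by the bold policy heading with no blank line, unlike the other examples added in this patch.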
@@ -432,6 +561,13 @@ If you enable this policy setting, Windows is prevented from installing or updat
If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings.
+For a list of Class and ClassGUID entries for device setup classes, see [System-Defined Device Setup Classes Available to Vendors](https://docs.microsoft.com/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors).
+
+To get the ClassGUID for a device, open Device Manager, right-click the name of the device and click **Properties**. On the **Details** tab, select **Class GUID** from the **Property** menu:
+
+
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -451,13 +587,50 @@ ADMX Info:
+To enable this policy, use the following SyncML. This example prevents Windows from installing:
+
+- Floppy Disks, ClassGUID = {4d36e980-e325-11ce-bfc1-08002be10318}
+- CD ROMs, ClassGUID = {4d36e965-e325-11ce-bfc1-08002be10318}
+- Modems, ClassGUID = {4d36e96d-e325-11ce-bfc1-08002be10318}
+
+Enclose the class GUID within curly brackets {}. To configure multiple classes, use `` as a delimiter. To apply the policy to matching device classes that are already installed, set DeviceInstall_Classes_Deny_Retroactive to true.
+
+
+``` syntax
+
+
+
+ $CmdID$
+ -
+
+ ./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses
+
+
+ string
+
+
+
+
+
+
+```
+
+To verify the policies are applied properly, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log:
+
+```txt
+>>> [Device Installation Restrictions Policy Check]
+>>> Section start 2018/11/15 12:26:41.659
+<<< Section end 2018/11/15 12:26:41.751
+<<< [Exit status: SUCCESS]
+```
+
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
-- 5 - Added in the next major release of Windows 10.
+- 5 - Added in Windows 10, version 1809.
diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md
index 99ad8fd29e..51f9efc4a5 100644
--- a/windows/client-management/mdm/policy-csp-power.md
+++ b/windows/client-management/mdm/policy-csp-power.md
@@ -664,7 +664,7 @@ If you enable this policy setting, you must provide a value, in seconds, indicat
If you disable or do not configure this policy setting, users control this setting.
-If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
+If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
> [!TIP]
diff --git a/windows/client-management/troubleshoot-stop-errors.md b/windows/client-management/troubleshoot-stop-errors.md
new file mode 100644
index 0000000000..0ae0f55f3f
--- /dev/null
+++ b/windows/client-management/troubleshoot-stop-errors.md
@@ -0,0 +1,178 @@
+---
+title: Advanced troubleshooting for Stop error or blue screen error issue
+description: Learn how to troubleshoot Stop error or blue screen issues.
+ms.prod: w10
+ms.mktglfcycl:
+ms.sitesec: library
+ms.topic: troubleshooting
+author: kaushika-msft
+ms.localizationpriority: medium
+ms.author: kaushika
+ms.date: 11/30/2018
+---
+
+# Advanced troubleshooting for Stop error or blue screen error issue
+
+>[!NOTE]
+>If you're not a support agent or IT professional, you'll find more helpful information about Stop error ("blue screen") messages in [Troubleshoot blue screen errors](https://support.microsoft.com/help/14238).
+
+
+## What causes Stop errors?
+
+A Stop error is displayed as a blue screen that contains the name of the faulty driver, such as any of the following example drivers:
+
+- atikmpag.sys
+- igdkmd64.sys
+- nvlddmkm.sys
+
+There is no simple explanation for the cause of Stop errors (also known as blue screen errors or bug check errors). Many different factors can be involved. However, various studies indicate that Stop errors usually are not caused by Microsoft Windows components. Instead, these errors are generally related to malfunctioning hardware drivers or drivers that are installed by third-party software. This includes video cards, wireless network cards, security programs, and so on.
+
+Our analysis of the root causes of crashes indicates the following:
+
+- 70 percent are caused by third-party driver code
+- 10 percent are caused by hardware issues
+- 5 percent are caused by Microsoft code
+- 15 percent have unknown causes (because the memory is too corrupted to analyze)
+
+## General troubleshooting steps
+
+To troubleshoot Stop error messages, follow these general steps:
+
+1. Review the Stop error code that you find in the event logs. Search online for the specific Stop error codes to see whether there are any known issues, resolutions, or workarounds for the problem.
+2. As a best practice, we recommend that you do the following:
+
+ a. Make sure that you install the latest Windows updates, cumulative updates, and rollup updates. To verify the update status, refer to the appropriate update history for your system:
+
+ - [Windows 10, version 1803](https://support.microsoft.com/help/4099479)
+ - [Windows 10, version 1709](https://support.microsoft.com/help/4043454)
+ - [Windows 10, version 1703](https://support.microsoft.com/help/4018124)
+ - [Windows Server 2016 and Windows 10, version 1607](https://support.microsoft.com/help/4000825)
+ - [Windows 10, version 1511](https://support.microsoft.com/help/4000824)
+ - [Windows Server 2012 R2 and Windows 8.1](https://support.microsoft.com/help/4009470)
+ - [Windows Server 2008 R2 and Windows 7 SP1](https://support.microsoft.com/help/4009469)
+
+ b. Make sure that the BIOS and firmware are up-to-date.
+
+ c. Run any relevant hardware and memory tests.
+
+3. Run the [Machine Memory Dump Collector](https://home.diagnostics.support.microsoft.com/selfhelp?knowledgebasearticlefilter=2027760&wa=wsignin1.0) Windows diagnostic package. This diagnostic tool is used to collect machine memory dump files and check for known solutions.
+
+4. Run [Microsoft Safety Scanner](http://www.microsoft.com/security/scanner/en-us/default.aspx) or any other virus detection program that includes checks of the Master Boot Record for infections.
+
+5. Make sure that there is sufficient free space on the hard disk. The exact requirement varies, but we recommend 10 to 15 percent free disk space.
+
+6. Contact the respective hardware or software vendor to update the drivers and applications in the following scenarios:
+
+ - The error message indicates that a specific driver is causing the problem.
+ - You are seeing an indication of a service that is starting or stopping before the crash occurred. In this situation, determine whether the service behavior is consistent across all instances of the crash.
+ - You have made any software or hardware changes.
+
+ >[!NOTE]
+ >If there are no updates available from a specific manufacturer, it is recommended that you disable the related service.
+ >
+ >To do this, see [How to perform a clean boot in Windows](https://support.microsoft.com/help/929135)
+ >
+ >You can disable a driver by following the steps in [How to temporarily deactivate the kernel mode filter driver in Windows](https://support.microsoft.com/help/816071).
+ >
+ >You may also want to consider the option of rolling back changes or reverting to the last-known working state. For more information, see [Roll Back a Device Driver to a Previous Version](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732648(v=ws.11)).
+
+### Memory dump collection
+
+To configure the system for memory dump files, follow these steps:
+
+1. [Download DumpConfigurator tool](https://codeplexarchive.blob.core.windows.net/archive/projects/WinPlatTools/WinPlatTools.zip).
+2. Extract the .zip file and navigate to **Source Code** folder.
+3. Run the tool DumpConfigurator.hta, and then select **Elevate this HTA**.
+3. Select **Auto Config Kernel**.
+4. Restart the computer for the setting to take effect.
+5. Stop and disable Automatic System Restart Services (ASR) to prevent dump files from being written.
+6. If the server is virtualized, disable auto reboot after the memory dump file is created. This lets you take a snapshot of the server in-state and also if the problem recurs.
+
+The memory dump file is saved at the following locations.
+
+| Dump file type | Location |
+|----------------|----------|
+|(none) | %SystemRoot%\MEMORY.DMP (inactive, or greyed out) |
+|Small memory dump file (256kb) | %SystemRoot%\Minidump |
+|Kernel memory dump file | %SystemRoot%\MEMORY.DMP |
+| Complete memory dump file | %SystemRoot%\MEMORY.DMP |
+| Automatic memory dump file | %SystemRoot%\MEMORY.DMP |
+| Active memory dump file | %SystemRoot%\MEMORY.DMP |
+
+You can use the Microsoft DumpChk (Crash Dump File Checker) tool to verify that the memory dump files are not corrupted or invalid. For more information, see the following video:
+
+>[!video https://www.youtube.com/embed?v=xN7tOfgNKag]
+
+
+More information on how to use Dumpchk.exe to check your dump files:
+
+- [Using DumpChk]( https://docs.microsoft.com/windows-hardware/drivers/debugger/dumpchk)
+- [Download DumpCheck](https://developer.microsoft.com/windows/downloads/windows-10-sdk)
+
+### Pagefile Settings
+
+- [Introduction of page file in Long-Term Servicing Channel and Semi-Annual Channel of Windows](https://support.microsoft.com/help/4133658)
+- [How to determine the appropriate page file size for 64-bit versions of Windows](https://support.microsoft.com/help/2860880)
+- [How to generate a kernel or a complete memory dump file in Windows Server 2008 and Windows Server 2008 R2](https://support.microsoft.com/help/969028)
+
+### Memory dump analysis
+
+Finding the root cause of the crash may not be easy. Hardware problems are especially difficult to diagnose because they may cause erratic and unpredictable behavior that can manifest itself in a variety of symptoms.
+
+When a Stop error occurs, you should first isolate the problematic components, and then try to cause them to trigger the Stop error again. If you can replicate the problem, you can usually determine the cause.
+
+You can use the tools such as Windows Software Development KIT (SDK) and Symbols to diagnose dump logs.
+
+## Video resources
+
+The following videos illustrate various troubleshooting techniques on analyzing dump file.
+
+- [Analyze Dump File](https://www.youtube.com/watch?v=s5Vwnmi_TEY)
+
+- [Installing Debugging Tool for Windows (x64 and x86)](https://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-Building-your-USB-thumbdrive/player#time=22m29s:paused)
+
+- [Debugging kernel mode crash memory dumps](https://channel9.msdn.com/Shows/Defrag-Tools/DefragTools-137-Debugging-kernel-mode-dumps)
+
+- [Special Pool](https://www.youtube.com/watch?v=vHXYS9KdU1k)
+
+
+## Advanced troubleshooting using Driver Verifier
+
+We estimate that about 75 percent of all Stop errors are caused by faulty drivers. The Driver Verifier tool provides several methods to help you troubleshoot. These include running drivers in an isolated memory pool (without sharing memory with other components), generating extreme memory pressure, and validating parameters. If the tool encounters errors in the execution of driver code, it proactively creates an exception to let that part of the code be examined further.
+
+>[!WARNING]
+>Driver Verifier consumes lots of CPU and can slow down the computer significantly. You may also experience additional crashes. Verifier disables faulty drivers after a Stop error occurs, and continues to do this until you can successfully restart the system and access the desktop. You can also expect to see several dump files created.
+>
+>Don’t try to verify all the drivers at one time. This can degrade performance and make the system unusable. This also limits the effectiveness of the tool.
+
+Use the following guidelines when you use Driver Verifier:
+
+- Test any “suspicious” drivers (drivers that were recently updated or that are known to be problematic).
+- If you continue to experience non-analyzable crashes, try enabling verification on all third-party and unsigned drivers.
+- Enable concurrent verification on groups of 10 to 20 drivers.
+- Additionally, if the computer cannot boot into the desktop because of Driver Verifier, you can disable the tool by starting in Safe mode. This is because the tool cannot run in Safe mode.
+
+For more information, see [Driver Verifier](https://docs.microsoft.com/windows-hardware/drivers/devtest/driver-verifier).
+
+## Common Windows Stop errors
+
+This section doesn't contain a list of all error codes, but since many error codes have the same potential resolutions, your best bet is to follow the steps below to troubleshoot your error.
+
+The following table lists general troubleshooting procedures for common Stop error codes.
+
+Stop error message and code | Mitigation
+--- | ---
+VIDEO_ENGINE_TIMEOUT_DETECTED or VIDEO_TDR_TIMEOUT_DETECTED
Stop error code 0x00000141, or 0x00000117 | Contact the vendor of the listed display driver to get an appropriate update for that driver.
+DRIVER_IRQL_NOT_LESS_OR_EQUAL
Stop error code 0x0000000D1 | Apply the latest updates for the driver by applying the latest cumulative updates for the system through the Microsoft Update Catalog website.Update an outdated NIC driver. Virtualized VMware systems often run “Intel(R) PRO/1000 MT Network Connection” (e1g6032e.sys). This driver is available at [http://downloadcenter.intel.com](http://downloadcenter.intel.com). Contact the hardware vendor to update the NIC driver for a resolution. For VMware systems, use the VMware integrated NIC driver (types VMXNET or VMXNET2 , VMXNET3 can be used) instead of Intel e1g6032e.sys.
+PAGE_FAULT_IN_NONPAGED_AREA
Stop error code 0x000000050 | If a driver is identified in the Stop error message, contact the manufacturer for an update.If no updates are available, disable the driver, and monitor the system for stability. Run Chkdsk /f /r to detect and repair disk errors. You must restart the system before the disk scan begins on a system partition. Contact the manufacturer for any diagnostic tools that they may provide for the hard disk subsystem. Try to reinstall any application or service that was recently installed or updated. It's possible that the crash was triggered while the system was starting applications and reading the registry for preference settings. Reinstalling the application can fix corrupted registry keys.If the problem persists, and you have run a recent system state backup, try to restore the registry hives from the backup.
+SYSTEM_SERVICE_EXCEPTION
Stop error code c000021a {Fatal System Error} The Windows SubSystem system process terminated unexpectedly with a status of 0xc0000005. The system has been shut down. | Use the System File Checker tool to repair missing or corrupted system files. The System File Checker lets users scan for corruptions in Windows system files and restore corrupted files. For more information, see [Use the System File Checker tool](https://support.microsoft.com/en-us/help/929833/use-the-system-file-checker-tool-to-repair-missing-or-corrupted-system-files).
+NTFS_FILE_SYSTEM
Stop error code 0x000000024 | This Stop error is commonly caused by corruption in the NTFS file system or bad blocks (sectors) on the hard disk. Corrupted drivers for hard disks (SATA or IDE) can also adversely affect the system's ability to read and write to disk. Run any hardware diagnostics that are provided by the manufacturer of the storage subsystem. Use the scan disk tool to verify that there are no file system errors. To do this, right-click the drive that you want to scan, select Properties, select Tools, and then select the Check now button.We also suggest that you update the NTFS file system driver (Ntfs.sys), and apply the latest cumulative updates for the current operating system that is experiencing the problem.
+KMODE_EXCEPTION_NOT_HANDLED
Stop error code 0x0000001E | If a driver is identified in the Stop error message, disable or remove that driver. Disable or remove any drivers or services that were recently added.
If the error occurs during the startup sequence, and the system partition is formatted by using the NTFS file system, you might be able to use Safe mode to disable the driver in Device Manager. To do this, follow these steps:
Go to **Settings > Update & security > Recovery**. Under **Advanced startup**, select **Restart now**. After your PC restarts to the **Choose an option** screen, select **Troubleshoot > Advanced options > Startup Settings > Restart**. After the computer restarts, you'll see a list of options. Press **4** or **F4** to start the computer in Safe mode. Or, if you intend to use the Internet while in Safe mode, press **5** or **F5** for the Safe Mode with Networking option.
+DPC_WATCHDOG_VIOLATION
Stop error code 0x00000133 | This Stop error code is caused by a faulty driver that does not complete its work within the allotted time frame in certain conditions. To enable us to help mitigate this error, collect the memory dump file from the system, and then use the Windows Debugger to find the faulty driver. If a driver is identified in the Stop error message, disable the driver to isolate the problem. Check with the manufacturer for driver updates. Check the system log in Event Viewer for additional error messages that might help identify the device or driver that is causing Stop error 0x133. Verify that any new hardware that is installed is compatible with the installed version of Windows. For example, you can get information about required hardware at Windows 10 Specifications. If Windows Debugger is installed, and you have access to public symbols, you can load the c:\windows\memory.dmp file into the Debugger, and then refer to [Determining the source of Bug Check 0x133 (DPC_WATCHDOG_VIOLATION) errors on Windows Server 2012](https://blogs.msdn.microsoft.com/ntdebugging/2012/12/07/determining-the-source-of-bug-check-0x133-dpc_watchdog_violation-errors-on-windows-server-2012/) to find the problematic driver from the memory dump.
+USER_MODE_HEALTH_MONITOR
Stop error code 0x0000009E | This Stop error indicates that a user-mode health check failed in a way that prevents graceful shutdown. Therefore, Windows restores critical services by restarting or enabling application failover to other servers. The Clustering Service incorporates a detection mechanism that may detect unresponsiveness in user-mode components.
This Stop error usually occurs in a clustered environment, and the indicated faulty driver is RHS.exe.Check the event logs for any storage failures to identify the failing process.Try to update the component or process that is indicated in the event logs. You should see the following event recorded:
Event ID: 4870
Source: Microsoft-Windows-FailoverClustering
Description: User mode health monitoring has detected that the system is not being responsive. The Failover cluster virtual adapter has lost contact with the Cluster Server process with a process ID ‘%1’, for ‘%2’ seconds. Recovery action will be taken. Review the Cluster logs to identify the process and investigate which items might cause the process to hang.
For more information, see ["Why is my Failover Clustering node blue screening with a Stop 0x0000009E?"](https://blogs.technet.microsoft.com/askcore/2009/06/12/why-is-my-failover-clustering-node-blue-screening-with-a-stop-0x0000009e) Also, see the following Microsoft video [What to do if a 9E occurs](https://www.youtube.com/watch?v=vOJQEdmdSgw).
+
+
+
+## References
+
+- [Bug Check Code Reference](https://docs.microsoft.com/windows-hardware/drivers/debugger/bug-check-code-reference2)
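Review bot: In the "Memory dump collection" steps, step 5 ("Stop and disable Automatic System Restart Services (ASR) to prevent dump files from being written") reads as though the goal is to stop dump files from being written; if the intent is that ASR can interrupt the dump write, say so, and renumber the list, which has two items numbered 3. The same list has the reader run DumpConfigurator.hta elevated from a .zip on an archive blob with no hash or signature to check, and the Safety Scanner and Intel download links use http://; add an integrity check for the tool and use https links where the hosts support it. In the Stop error table, SYSTEM_SERVICE_EXCEPTION is paired with "c000021a", and three codes carry nine hex digits (0x0000000D1, 0x000000050, 0x000000024); check each row against the Bug Check Code Reference linked under References.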
diff --git a/windows/client-management/troubleshoot-tcpip-connectivity.md b/windows/client-management/troubleshoot-tcpip-connectivity.md
new file mode 100644
index 0000000000..a18d193527
--- /dev/null
+++ b/windows/client-management/troubleshoot-tcpip-connectivity.md
@@ -0,0 +1,109 @@
+---
+title: Troubleshoot TCP/IP connectivity
+description: Learn how to troubleshoot TCP/IP connectivity.
+ms.prod: w10
+ms.sitesec: library
+ms.topic: troubleshooting
+author: kaushika-msft
+ms.localizationpriority: medium
+ms.author: kaushika
+ms.date: 12/06/2018
+---
+
+# Troubleshoot TCP/IP connectivity
+
+You might come across connectivity errors on the application end or timeout errors. Most common scenarios would include application connectivity to a database server, SQL timeout errors, BizTalk application timeout errors, Remote Desktop Protocol (RDP) failures, file share access failures, or general connectivity.
+
+When you suspect that the issue is on the network, you collect a network trace. The network trace would then be filtered. During troubleshooting connectivity errors, you might come across TCP reset in a network capture which could indicate a network issue.
+
+* TCP is defined as connection-oriented and reliable protocol. One of the ways in which TCP ensures this is through the handshake process. Establishing a TCP session would begin with a 3-way handshake, followed by data transfer, and then a 4-way closure. The 4-way closure where both sender and receiver agree on closing the session is termed as *graceful closure*. After the 4-way closure, the server will allow 4 minutes of time (default), during which any pending packets on the network are to be processed, this is the TIME_WAIT state. Once the TIME_WAIT state is done, all the resources allocated for this connection are released.
+
+* TCP reset is an abrupt closure of the session which causes the resources allocated to the connection to be immediately released and all other information about the connection is erased.
+
+* TCP reset is identified by the RESET flag in the TCP header set to `1`.
+
+A network trace on the source and the destination which will help you determine the flow of the traffic and see at what point the failure is observed.
+
+The following sections describe some of the scenarios when you will see a RESET.
+
+## Packet drops
+
+When one TCP peer is sending out TCP packets for which there is no response received from the other end, the TCP peer would end up re-transmitting the data and when there is no response received, it would end the session by sending an ACK RESET( meaning, application acknowledges whatever data exchanged so far, but due to packet drop closing the connection).
+
+The simultaneous network traces on source and destination will help you verify this behavior where on the source side you would see the packets being retransmitted and on the destination none of these packets are seen. This would mean, the network device between the source and destination is dropping the packets.
+
+If the initial TCP handshake is failing because of packet drops then you would see that the TCP SYN packet is retransmitted only 3 times.
+
+Source side connecting on port 445:
+
+
+
+Destination side: applying the same filter, you do not see any packets.
+
+
+
+For the rest of the data, TCP will retransmit the packets 5 times.
+
+**Source 192.168.1.62 side trace:**
+
+
+
+**Destination 192.168.1.2 side trace:**
+
+You would not see any of the above packets. Engage your network team to investigate with the different hops and see if any of them are potentially causing drops in the network.
+
+If you are seeing that the SYN packets are reaching the destination, but the destination is still not responding, then verify if the port that you are trying to connect to is in the listening state. (Netstat output will help). If the port is listening and still there is no response, then there could be a wfp drop.
+
+## Incorrect parameter in the TCP header
+
+You see this behavior when the packets are modified in the network by middle devices and TCP on the receiving end is unable to accept the packet, such as the sequence number being modified, or packets being re-played by middle device by changing the sequence number. Again, the simultaneous network trace on the source and destination will be able to tell you if any of the TCP headers are modified. Start by comparing the source trace and destination trace, you will be able to notice if there is a change in the packets itself or if any new packets are reaching the destination on behalf of the source.
+
+In this case, you will again need help from the network team to identify any such device which is modifying packets or re-playing packets to the destination. The most common ones are RiverBed devices or WAN accelerators.
+
+
+## Application side reset
+
+When you have identified that the resets are not due to retransmits or incorrect parameter or packets being modified with the help of network trace, then you have narrowed it down to application level reset.
+
+The application resets are the ones where you see the Acknowledgement flag set to `1` along with the reset flag. This would mean that the server is acknowledging the receipt of the packet but for some reason it will not accept the connection. This is when the application that received the packet did not like something it received.
+
+In the below screenshots, you see that the packets seen on the source and the destination are the same without any modification or any drops, but you see an explicit reset sent by the destination to the source.
+
+**Source Side**
+
+
+
+**On the destination-side trace**
+
+
+
+You also see an ACK+RST flag packet in a case when the TCP establishment packet SYN is sent out. The TCP SYN packet is sent when the client wants to connect on a particular port, but if the destination/server for some reason does not want to accept the packet, it would send an ACK+RST packet.
+
+
+
+The application which is causing the reset (identified by port numbers) should be investigated to understand what is causing it to reset the connection.
+
+>[!Note]
+>The above information is about resets from a TCP standpoint and not UDP. UDP is a connectionless protocol and the packets are sent unreliably. You would not see retransmission or resets when using UDP as a transport protocol. However, UDP makes use of ICMP as a error reporting protocol. When you have the UDP packet sent out on a port and the destination does not have port listed, you will see the destination sending out **ICMP Destination host unreachable: Port unreachable** message immediately after the UDP packet
+
+
+```typescript
+10.10.10.1 10.10.10.2 UDP UDP:SrcPort=49875,DstPort=3343
+
+10.10.10.2 10.10.10.1 ICMP ICMP:Destination Unreachable Message, Port Unreachable,10.10.10.2:3343
+```
+
+
+During the course of troubleshooting connectivity issue, you might also see in the network trace that a machine receives packets but does not respond to. In such cases, there could be a drop at the server level. You should enable firewall auditing on the machine to understand if the local firewall is dropping the packet.
+
+```typescript
+auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:enable /failure:enable
+```
+
+You can then review the Security event logs to see for a packet drop on a particular port-IP and a filter ID associated with it.
+
+
+
+Now, run the command `netsh wfp show state`, this will generate a wfpstate.xml file. Once you open this file and filter for the ID you find in the above event (2944008), you will be able to see a firewall rule name associated with this ID which is blocking the connection.
+
+
\ No newline at end of file
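Review bot: The `auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:enable /failure:enable` step near the end turns on packet-drop auditing and the text never turns it off; add a closing step that disables the subcategory once the filter ID has been found, because this auditing can generate a high volume of Security log events. Both fenced blocks (the UDP/ICMP trace lines and the auditpol command) are tagged `typescript`; use `cmd` or no language tag. The filter ID "(2944008)" is cited as coming from "the above event", but no event ID or field name appears in the text, so name them. The file also ends without a trailing newline.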
diff --git a/windows/client-management/troubleshoot-tcpip-netmon.md b/windows/client-management/troubleshoot-tcpip-netmon.md
new file mode 100644
index 0000000000..a82076e8d9
--- /dev/null
+++ b/windows/client-management/troubleshoot-tcpip-netmon.md
@@ -0,0 +1,60 @@
+---
+title: Collect data using Network Monitor
+description: Learn how to run Network Monitor to collect data for troubleshooting TCP/IP connectivity.
+ms.prod: w10
+ms.sitesec: library
+ms.topic: troubleshooting
+author: kaushika-msft
+ms.localizationpriority: medium
+ms.author: kaushika
+ms.date: 12/06/2018
+---
+
+# Collect data using Network Monitor
+
+In this topic, you will learn how to use Microsoft Network Monitor 3.4, which is a tool for capturing network traffic.
+
+To get started, [download and run NM34_x64.exe](https://www.microsoft.com/download/details.aspx?id=4865). When you install Network Monitor, it installs its driver and hooks it to all the network adapters installed on the device. You can see the same on the adapter properties, as shown in the following image.
+
+
+
+When the driver gets hooked to the network interface card (NIC) during installation, the NIC is reinitialized, which might cause a brief network glitch.
+
+**To capture traffic**
+
+1. Click **Start** and enter **Netmon**.
+
+2. For **netmon run command**,select **Run as administrator**.
+
+ 
+
+3. Network Monitor opens with all network adapters displayed. Select **New Capture**, and then select **Start**.
+
+ 
+
+4. Reproduce the issue, and you will see that Network Monitor grabs the packets on the wire.
+
+ 
+
+5. Select **Stop**, and go to **File > Save as** to save the results. By default, the file will be saved as a ".cap" file.
+
+The saved file has captured all the traffic that is flowing to and from the network adapters of this machine. However, your interest is only to look into the traffic/packets that are related to the specific connectivity problem you are facing. So you will need to filter the network capture to see only the related traffic.
+
+**Commonly used filters**
+
+- Ipv4.address=="client ip" and ipv4.address=="server ip"
+- Tcp.port==
+- Udp.port==
+- Icmp
+- Arp
+- Property.tcpretranmits
+- Property.tcprequestfastretransmits
+- Tcp.flags.syn==1
+
+>[!TIP]
+>If you want to filter the capture for a specific field and do not know the syntax for that filter, just right-click that field and select **Add *the selected value* to Display Filter**.
+
+Network traces which are collected using the **netsh** commands built in to Windows are of the extension "ETL". However, these ETL files can be opened using Network Monitor for further analysis.
+
+
+
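Review bot: In the "Commonly used filters" list, `Tcp.port==` and `Udp.port==` end without a value, and `Property.tcpretranmits` is spelled differently from `Property.tcprequestfastretransmits` on the next line; give each filter a placeholder value, confirm the property name against Network Monitor, and put the filters in code formatting so the quotes and operators survive rendering. The paragraph before the list says the saved .cap file holds all traffic to and from the machine's adapters, so a sentence on storing and sharing capture files as sensitive data would fit there. Step 2 is also missing a space in "command**,select".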
diff --git a/windows/client-management/troubleshoot-tcpip-port-exhaust.md b/windows/client-management/troubleshoot-tcpip-port-exhaust.md
new file mode 100644
index 0000000000..a0db4e18ee
--- /dev/null
+++ b/windows/client-management/troubleshoot-tcpip-port-exhaust.md
@@ -0,0 +1,196 @@
+---
+title: Troubleshoot port exhaustion issues
+description: Learn how to troubleshoot port exhaustion issues.
+ms.prod: w10
+ms.sitesec: library
+ms.topic: troubleshooting
+author: kaushika-msft
+ms.localizationpriority: medium
+ms.author: kaushika
+ms.date: 12/06/2018
+---
+
+# Troubleshoot port exhaustion issues
+
+TCP and UDP protocols work based on port numbers used for establishing connection. Any application or a service that needs to establish a TCP/UDP connection will require a port on its side.
+
+There are two types of ports:
+
+- *Ephemeral ports*, which are usually dynamic ports, are the set of ports that every machine by default will have them to make an outbound connection.
+- *Well-known ports* are the defined port for a particular application or service. For example, file server service is on port 445, HTTPS is 443, HTTP is 80, and RPC is 135. Custom application will also have their defined port numbers.
+
+Clients when connecting to an application or service will make use of an ephemeral port from its machine to connect to a well-known port defined for that application or service. A browser on a client machine will use an ephemeral port to connect to https://www.microsoft.com on port 443.
+
+In a scenario where the same browser is creating a lot of connections to multiple website, for any new connection that the browser is attempting, an ephemeral port is used. After some time, you will notice that the connections will start to fail and one high possibility for this would be because the browser has used all the available ports to make connections outside and any new attempt to establish a connection will fail as there are no more ports available. When all the ports are on a machine are used, we term it as *port exhaustion*.
+
+## Default dynamic port range for TCP/IP
+
+To comply with [Internet Assigned Numbers Authority (IANA)](http://www.iana.org/assignments/port-numbers) recommendations, Microsoft has increased the dynamic client port range for outgoing connections. The new default start port is **49152**, and the new default end port is **65535**. This is a change from the configuration of earlier versions of Windows that used a default port range of **1025** through **5000**.
+
+You can view the dynamic port range on a computer by using the following netsh commands:
+
+- `netsh int ipv4 show dynamicport tcp`
+- `netsh int ipv4 show dynamicport udp`
+- `netsh int ipv6 show dynamicport tcp`
+- `netsh int ipv6 show dynamicport udp`
+
+
+The range is set separately for each transport (TCP or UDP). The port range is now a range that has a starting point and an ending point. Microsoft customers who deploy servers that are running Windows Server may have problems that affect RPC communication between servers if firewalls are used on the internal network. In these situations, we recommend that you reconfigure the firewalls to allow traffic between servers in the dynamic port range of **49152** through **65535**. This range is in addition to well-known ports that are used by services and applications. Or, the port range that is used by the servers can be modified on each server. You adjust this range by using the netsh command, as follows. The above command sets the dynamic port range for TCP.
+
+```cmd
+netsh int set dynamic start=number num=range
+```
+
+The start port is number, and the total number of ports is range. The following are sample commands:
+
+- `netsh int ipv4 set dynamicport tcp start=10000 num=1000`
+- `netsh int ipv4 set dynamicport udp start=10000 num=1000`
+- `netsh int ipv6 set dynamicport tcp start=10000 num=1000`
+- `netsh int ipv6 set dynamicport udp start=10000 num=1000`
+
+These sample commands set the dynamic port range to start at port 10000 and to end at port 10999 (1000 ports). The minimum range of ports that can be set is 255. The minimum start port that can be set is 1025. The maximum end port (based on the range being configured) cannot exceed 65535. To duplicate the default behavior of Windows Server 2003, use 1025 as the start port, and then use 3976 as the range for both TCP and UDP. This results in a start port of 1025 and an end port of 5000.
+
+Specifically, about outbound connections as incoming connections will not require an Ephemeral port for accepting connections.
+
+Since outbound connections start to fail, you will see a lot of the below behaviors:
+
+- Unable to login to the machine with domain credentials, however login with local account works. Domain login will require you to contact the DC for authentication which is again an outbound connection. If you have cache credentials set, then domain login might still work.
+
+ 
+
+- Group Policy update failures:
+
+ 
+
+- File shares are inaccessible:
+
+ 
+
+- RDP from the affected server fails:
+
+ 
+
+- Any other application running on the machine will start to give out errors
+
+Reboot of the server will resolve the issue temporarily, but you would see all the symptoms come back after a period of time.
+
+If you suspect that the machine is in a state of port exhaustion:
+
+1. Try making an outbound connection. From the server/machine, access a remote share or try an RDP to another server or telnet to a server on a port. If the outbound connection fails for all of these, go to the next step.
+
+2. Open event viewer and under the system logs, look for the events which clearly indicate the current state:
+
+ a. **Event ID 4227**
+
+ 
+
+ b. **Event ID 4231**
+
+ 
+
+3. Collect a `netstat -anob output` from the server. The netstat output will show you a huge number of entries for TIME_WAIT state for a single PID.
+
+ 
+
+After a graceful closure or an abrupt closure of a session, after a period of 4 minutes (default), the port used the process or application would be released back to the available pool. During this 4 minutes, the TCP connection state will be TIME_WAIT state. In a situation where you suspect port exhaustion, an application or process will not be able to release all the ports that it has consumed and will remain in the TIME_WAIT state.
+
+You may also see CLOSE_WAIT state connections in the same output, however CLOSE_WAIT state is a state when one side of the TCP peer has no more data to send (FIN sent) but is able to receive data from the other end. This state does not necessarily indicate port exhaustion.
+
+>[!Note]
+>Having huge connections in TIME_WAIT state does not always indicate that the server is currently out of ports unless the first two points are verified. Having lot of TIME_WAIT connections does indicate that the process is creating lot of TCP connections and may eventually lead to port exhaustion.
+>
+>Netstat has been updated in Windows 10 with the addition of the **-Q** switch to show ports that have transitioned out of time wait as in the BOUND state. An update for Windows 8.1 and Windows Server 2012R2 has been released that contains this functionality. The PowerShell cmdlet `Get-NetTCPConnection` in Windows 10 also shows these BOUND ports.
+
+4. Open a command prompt in admin mode and run the below command
+
+ ```cmd
+ Netsh trace start scenario=netconnection capture=yes tracefile=c:\Server.etl
+ ```
+
+5. Open the server.etl file with [Network Monitor](troubleshoot-tcpip-netmon.md) and in the filter section, apply the filter **Wscore_MicrosoftWindowsWinsockAFD.AFD_EVENT_BIND.Status.LENTStatus.Code == 0x209**. You should see entries which say **STATUS_TOO_MANY_ADDRESSES**. If you do not find any entries, then the server is still not out of ports. If you find them, then you can confirm that the server is under port exhaustion.
+
+## Troubleshoot Port exhaustion
+
+The key is to identify which process or application is using all the ports. Below are some of the tools that you can use to isolate to one single process
+
+### Method 1
+
+Start by looking at the netstat output. If you are using Windows 10 or Windows Server 2016, then you can run the command `netstat -anobq` and check for the process ID which has maximum entries as BOUND. Alternately, you can also run the below Powershell command to identify the process:
+
+```Powershell
+Get-NetTCPConnection | Group-Object -Property State, OwningProcess | Select -Property Count, Name, @{Name="ProcessName";Expression={(Get-Process -PID ($_.Name.Split(',')[-1].Trim(' '))).Name}}, Group | Sort Count -Descending
+```
+
+Most port leaks are caused by user-mode processes not correctly closing the ports when an error was encountered. At the user-mode level ports (actually sockets) are handles. Both **TaskManager** and **ProcessExplorer** are able to display handle counts which allows you to identify which process is consuming all of the ports.
+
+For Windows 7 and Windows Server 2008 R2, you can update your Powershell version to include the above cmdlet.
+
+### Method 2
+
+If method 1 does not help you identify the process (prior to Windows 10 and Windows Server 2012 R2), then have a look at Task Manager:
+
+1. Add a column called “handles” under details/processes.
+2. Sort the column handles to identify the process with the highest number of handles. Usually the process with handles greater than 3000 could be the culprit except for processes like System, lsass.exe, store.exe, sqlsvr.exe.
+
+ 
+
+3. If any other process than these has a higher number, stop that process and then try to login using domain credentials and see if it succeeds.
+
+### Method 3
+
+If Task Manager did not help you identify the process, then use Process Explorer to investigate the issue.
+
+Steps to use Process explorer:
+
+1. [Download Process Explorer](https://docs.microsoft.com/sysinternals/downloads/process-explorer) and run it **Elevated**.
+2. Alt + click the column header, select **Choose Columns**, and on the **Process Performance** tab, add **Handle Count**.
+3. Select **View \ Show Lower Pane**.
+4. Select **View \ Lower Pane View \ Handles**.
+5. Click the **Handles** column to sort by that value.
+6. Examine the processes with higher handle counts than the rest (will likely be over 10,000 if you can't make outbound connections).
+7. Click to highlight one of the processes with a high handle count.
+8. In the lower pane, the handles listed as below are sockets. (Sockets are technically file handles).
+
+ File \Device\AFD
+
+ 
+
+10. Some are normal, but large numbers of them are not (hundreds to thousands). Close the process in question. If that restores outbound connectivity, then you have further proven that the app is the cause. Contact the vendor of that app.
+
+Finally, if the above methods did not help you isolate the process, we suggest you collect a complete memory dump of the machine in the issue state. The dump will tell you which process has the maximum handles.
+
+As a workaround, rebooting the computer will get the it back in normal state and would help you resolve the issue for the time being. However, when a reboot is impractical, you can also consider increasing the number of ports on the machine using the below commands:
+
+```cmd
+netsh int ipv4 set dynamicport tcp start=10000 num=1000
+```
+
+This will set the dynamic port range to start at port 10000 and to end at port 10999 (1000 ports). The minimum range of ports that can be set is 255. The minimum start port that can be set is 1025. The maximum end port (based on the range being configured) cannot exceed 65535.
+
+>[!NOTE]
+>Note that increasing the dynamic port range is not a permanent solution but only temporary. You will need to track down which process/processors are consuming max number of ports and troubleshoot from that process standpoint as to why its consuming such high number of ports.
+
+For Windows 7 and Windows Server 2008 R2, you can use the below script to collect the netstat output at defined frequency. From the outputs, you can see the port usage trend.
+
+```
+@ECHO ON
+set v=%1
+:loop
+set /a v+=1
+ECHO %date% %time% >> netstat.txt
+netstat -ano >> netstat.txt
+
+PING 1.1.1.1 -n 1 -w 60000 >NUL
+
+goto loop
+```
+
+
+
+
+## Useful links
+
+- [Port Exhaustion and You!](https://blogs.technet.microsoft.com/askds/2008/10/29/port-exhaustion-and-you-or-why-the-netstat-tool-is-your-friend/) - this article gives a detail on netstat states and how you can use netstat output to determine the port status
+
+- [Detecting ephemeral port exhaustion](https://blogs.technet.microsoft.com/clinth/2013/08/09/detecting-ephemeral-port-exhaustion/): this article has a script which will run in a loop to report the port status. (Applicable for Windows 2012 R2, Windows 8, Windows 10)
+
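Review bot: In the netstat collection script at the end of this file, the 60-second interval depends on `PING 1.1.1.1 -n 1 -w 60000 >NUL` timing out. `-w` only bounds the wait for a reply, so if 1.1.1.1 answers, the loop runs with no delay and netstat.txt grows as fast as netstat can run. It also makes a diagnostic script on a server send traffic to an external address. Suggest `timeout /t 60 /nobreak >NUL`, or `ping 127.0.0.1 -n 61 >NUL` where timeout cannot be used. Smaller points: the counter set by `set v=%1` and `set /a v+=1` is never read, this fence has no language tag while the others in the file use `cmd`, the Method 3 steps jump from 8 to 10, and "will get the it back in normal state" has a stray word.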
diff --git a/windows/client-management/troubleshoot-tcpip-rpc-errors.md b/windows/client-management/troubleshoot-tcpip-rpc-errors.md
new file mode 100644
index 0000000000..b4e5ad5000
--- /dev/null
+++ b/windows/client-management/troubleshoot-tcpip-rpc-errors.md
@@ -0,0 +1,187 @@
+---
+title: Troubleshoot Remote Procedure Call (RPC) errors
+description: Learn how to troubleshoot Remote Procedure Call (RPC) errors
+ms.prod: w10
+ms.sitesec: library
+ms.topic: troubleshooting
+author: kaushika-msft
+ms.localizationpriority: medium
+ms.author: kaushika
+ms.date: 12/06/2018
+---
+
+# Troubleshoot Remote Procedure Call (RPC) errors
+
+You might encounter an **RPC server unavailable** error when connecting to Windows Management Instrumentation (WMI), SQL Server, during a remote connection, or for some Microsoft Management Console (MMC) snap-ins. The following image is an example of an RPC error.
+
+
+
+This is a commonly encountered error message in the networking world and one can lose hope very fast without trying to understand much, as to what is happening ‘under the hood’.
+
+Before getting in to troubleshooting the **RPC server unavailable*- error, let’s first understand basics about the error. There are a few important terms to understand:
+
+- Endpoint mapper – a service listening on the server, which guides client apps to server apps by port and UUID.
+- Tower – describes the RPC protocol, to allow the client and server to negotiate a connection.
+- Floor – the contents of a tower with specific data like ports, IP addresses, and identifiers.
+- UUID – a well-known GUID that identifies the RPC application. The UUID is what you use to see a specific kind of RPC application conversation, as there are likely to be many.
+- Opnum – the identifier of a function that the client wants the server to execute. It’s just a hexadecimal number, but a good network analyzer will translate the function for you. If neither knows, your application vendor must tell you.
+- Port – the communication endpoints for the client and server applications.
+- Stub data – the information given to functions and data exchanged between the client and server. This is the payload, the important part.
+
+>[!Note]
+> A lot of the above information is used in troubleshooting, the most important is the Dynamic RPC port number you get while talking to EPM.
+
+## How the connection works
+
+Client A wants to execute some functions or wants to make use of a service running on the remote server, will first establish the connection with the Remote Server by doing a three-way handshake.
+
+
+
+RPC ports can be given from a specific range as well.
+### Configure RPC dynamic port allocation
+
+Remote Procedure Call (RPC) dynamic port allocation is used by server applications and remote administration applications such as Dynamic Host Configuration Protocol (DHCP) Manager, Windows Internet Name Service (WINS) Manager, and so on. RPC dynamic port allocation will instruct the RPC program to use a particular random port in the range configured for TCP and UDP, based on the implementation of the operating system used.
+
+Customers using firewalls may want to control which ports RPC is using so that their firewall router can be configured to forward only these Transmission Control Protocol (UDP and TCP) ports. Many RPC servers in Windows let you specify the server port in custom configuration items such as registry entries. When you can specify a dedicated server port, you know what traffic flows between the hosts across the firewall, and you can define what traffic is allowed in a more directed manner.
+
+As a server port, please choose a port outside of the range you may want to specify below. You can find a comprehensive list of server ports that are used in Windows and major Microsoft products in the article [Service overview and network port requirements for Windows](https://support.microsoft.com/help/832017).
+The article also lists the RPC servers and which RPC servers can be configured to use custom server ports beyond the facilities the RPC runtime offers.
+
+Some firewalls also allow for UUID filtering where it learns from a RPC Endpoint Mapper request for a RPC interface UUID. The response has the server port number, and a subsequent RPC Bind on this port is then allowed to pass.
+
+With Registry Editor, you can modify the following parameters for RPC. The RPC Port key values discussed below are all located in the following key in the registry:
+
+**HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet\ Entry name Data Type**
+
+**Ports REG_MULTI_SZ**
+
+- Specifies a set of IP port ranges consisting of either all the ports available from the Internet or all the ports not available from the Internet. Each string represents a single port or an inclusive set of ports. For example, a single port may be represented by **5984**, and a set of ports may be represented by **5000-5100**. If any entries are outside the range of 0 to 65535, or if any string cannot be interpreted, the RPC runtime treats the entire configuration as invalid.
+
+**PortsInternetAvailable REG_SZ Y or N (not case-sensitive)**
+
+- If Y, the ports listed in the Ports key are all the Internet-available ports on that computer. If N, the ports listed in the Ports key are all those ports that are not Internet-available.
+
+**UseInternetPorts REG_SZ ) Y or N (not case-sensitive)**
+
+- Specifies the system default policy.
+- If Y, the processes using the default will be assigned ports from the set of Internet-available ports, as defined previously.
+- If N, the processes using the default will be assigned ports from the set of intranet-only ports.
+
+**Example:**
+
+In this example ports 5000 through 6000 inclusive have been arbitrarily selected to help illustrate how the new registry key can be configured. This is not a recommendation of a minimum number of ports needed for any particular system.
+
+1. Add the Internet key under: HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc
+
+2. Under the Internet key, add the values "Ports" (MULTI_SZ), "PortsInternetAvailable" (REG_SZ), and "UseInternetPorts" (REG_SZ).
+
+ For example, the new registry key appears as follows:
+ Ports: REG_MULTI_SZ: 5000-6000
+ PortsInternetAvailable: REG_SZ: Y
+ UseInternetPorts: REG_SZ: Y
+
+3. Restart the server. All applications that use RPC dynamic port allocation use ports 5000 through 6000, inclusive.
+
+You should open up a range of ports above port 5000. Port numbers below 5000 may already be in use by other applications and could cause conflicts with your DCOM application(s). Furthermore, previous experience shows that a minimum of 100 ports should be opened, because several system services rely on these RPC ports to communicate with each other.
+
+>[!Note]
+>The minimum number of ports required may differ from computer to computer. Computers with higher traffic may run into a port exhaustion situation if the RPC dynamic ports are restricted. Take this into consideration when restricting the port range.
+
+>[!WARNING]
+>If there is an error in the port configuration or there are insufficient ports in the pool, the Endpoint Mapper Service will not be able to register RPC servers with dynamic endpoints. When there is a configuration error, the error code will be 87 (0x57) ERROR_INVALID_PARAMETER. This can affect Windows RPC servers as well, such as Netlogon. It will log event 5820 in this case:
+>
+>Log Name: System
+>Source: NETLOGON
+>Event ID: 5820
+>Level: Error
+>Keywords: Classic
+>Description:
+>The Netlogon service could not add the AuthZ RPC interface. The service was terminated. The following error occurred: 'The parameter is incorrect.'
+
+If you would like to do a deep dive as to how it works, see [RPC over IT/Pro](https://blogs.technet.microsoft.com/askds/2012/01/24/rpc-over-itpro/).
+
+
+## Troubleshooting RPC error
+
+### PortQuery
+
+The best thing to always troubleshoot RPC issues before even getting in to traces is by making use of tools like **PortQry**. You can quickly determine if you are able to make a connection by running the command:
+
+```cmd
+Portqry.exe -n -e 135
+```
+
+This would give you a lot of output to look for, but you should be looking for **ip_tcp*- and the port number in the brackets, which tells whether you were successfully able to get a dynamic port from EPM and also make a connection to it. If the above fails, you can typically start collecting simultaneous network traces. Something like this from the output of “PortQry”:
+
+```cmd
+Portqry.exe -n 169.254.0.2 -e 135
+```
+Partial output below:
+
+>Querying target system called:
+>169.254.0.2
+>Attempting to resolve IP address to a name...
+>IP address resolved to RPCServer.contoso.com
+>querying...
+>TCP port 135 (epmap service): LISTENING
+>Using ephemeral source port
+>Querying Endpoint Mapper Database...
+>Server's response:
+>UUID: d95afe70-a6d5-4259-822e-2c84da1ddb0d
+>ncacn_ip_tcp:169.254.0.10**[49664]**
+
+
+The one in bold is the ephemeral port number that you made a connection to successfully.
+
+### Netsh
+
+You can run the commands below to leverage Windows inbuilt netsh captures, to collect a simultaneous trace. Remember to execute the below on an “Admin CMD”, it requires elevation.
+
+- On the client
+```cmd
+Netsh trace start scenario=netconnection capture=yes tracefile=c:\client_nettrace.etl maxsize=512 overwrite=yes report=yes
+```
+
+- On the Server
+```cmd
+Netsh trace start scenario=netconnection capture=yes tracefile=c:\server_nettrace.etl maxsize=512 overwrite=yes report=yes
+```
+
+Now try to reproduce your issue from the client machine and as soon as you feel the issue has been reproduced, go ahead and stop the traces using the command
+```cmd
+Netsh trace stop
+```
+
+Open the traces in [Microsoft Network Monitor 3.4](troubleshoot-tcpip-netmon.md) or Message Analyzer and filter the trace for
+
+- Ipv4.address== and ipv4.address== and tcp.port==135 or just tcp.port==135 should help.
+
+- Look for the “EPM” Protocol Under the “Protocol” column.
+
+- Now check if you are getting a response from the server or not, if you get a response note the Dynamic Port number that you have been allocated to use.
+
+ 
+
+- Check if we are connecting successfully to this Dynamic port successfully.
+
+- The filter should be something like this: tcp.port== and ipv4.address==
+
+ 
+
+This should help you verify the connectivity and isolate if any network issues are seen.
+
+
+### Port not reachable
+
+The most common reason why we would see the RPC server unavailable is when the dynamic port that the client tries to connect is not reachable. The client side trace would then show TCP SYN retransmits for the dynamic port.
+
+
+
+The port cannot be reachable due to one of the following reasons:
+
+- The dynamic port range is blocked on the firewall in the environment.
+- A middle device is dropping the packets.
+- The destination server is dropping the packets (WFP drop / NIC drop/ Filter driver etc)
+
+
+
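Review bot: Several commands and filters in this file have lost their placeholder arguments and cannot be run as written. Under PortQuery, `Portqry.exe -n -e 135` has no server name after `-n`, and under Netsh the filters `Ipv4.address== and ipv4.address== and tcp.port==135` and `tcp.port== and ipv4.address==` have empty right-hand sides. It looks like angle-bracket placeholders were swallowed as markup; put them in code spans or escape them. In the sample PortQry output the target is 169.254.0.2 but the endpoint line reads `ncacn_ip_tcp:169.254.0.10`, so pick one address. Also: the bold markers in `**RPC server unavailable*-` and `**ip_tcp*-` are malformed, "Transmission Control Protocol (UDP and TCP) ports" labels UDP as TCP, the registry header `...\Rpc\Internet\ Entry name Data Type` has the column titles run into the key path, `**UseInternetPorts REG_SZ ) Y or N` has a stray parenthesis, and "How the connection works" stops after the three-way handshake without describing the Endpoint Mapper exchange that the preceding note calls the most important part.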
diff --git a/windows/client-management/troubleshoot-tcpip.md b/windows/client-management/troubleshoot-tcpip.md
new file mode 100644
index 0000000000..f758b36a67
--- /dev/null
+++ b/windows/client-management/troubleshoot-tcpip.md
@@ -0,0 +1,20 @@
+---
+title: Advanced troubleshooting for TCP/IP issues
+description: Learn how to troubleshoot TCP/IP issues.
+ms.prod: w10
+ms.sitesec: library
+ms.topic: troubleshooting
+author: kaushika-msft
+ms.localizationpriority: medium
+ms.author: kaushika
+ms.date: 12/06/2018
+---
+
+# Advanced troubleshooting for TCP/IP issues
+
+In these topics, you will learn how to troubleshoot common problems in a TCP/IP network environment.
+
+- [Collect data using Network Monitor](troubleshoot-tcpip-netmon.md)
+- [Troubleshoot TCP/IP connectivity](troubleshoot-tcpip-connectivity.md)
+- [Troubleshoot port exhaustion issues](troubleshoot-tcpip-port-exhaust.md)
+- [Troubleshoot Remote Procedure Call (RPC) errors](troubleshoot-tcpip-rpc-errors.md)
\ No newline at end of file
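Review bot: The file ends without a trailing newline (`\ No newline at end of file` after the last list item). Add one so that appending another topic link to this index later does not show the RPC entry as a changed line.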
diff --git a/windows/client-management/troubleshoot-windows-freeze.md b/windows/client-management/troubleshoot-windows-freeze.md
new file mode 100644
index 0000000000..47104b0b78
--- /dev/null
+++ b/windows/client-management/troubleshoot-windows-freeze.md
@@ -0,0 +1,287 @@
+---
+title: Advanced troubleshooting for Windows-based computer freeze issues
+description: Learn how to troubleshoot computer freeze issues.
+ms.prod: w10
+ms.mktglfcycl:
+ms.sitesec: library
+ms.topic: troubleshooting
+author: kaushika-msft
+ms.localizationpriority: medium
+ms.author: kaushika
+ms.date: 11/26/2018
+---
+
+# Advanced troubleshooting for Windows-based computer freeze issues
+
+This article describes how to troubleshoot freeze issues on Windows-based computers and servers. It also provides methods for collecting data that will help administrators or software developers diagnose, identify, and fix these issues.
+
+> [!Note]
+> The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.
+
+## Identify the problem
+
+* Which computer is freezing? (Example: The impacted computer is a physical server, virtual server, and so on.)
+* What operation was being performed when the freezes occurred? (Example: This issue occurs when you shut down GUI, perform one or more operations, and so on.)
+* How often do the errors occur? (Example: This issue occurs every night at 7 PM, every day around 7 AM, and so on.)
+* On how many computers does this occur? (Example: All computers, only one computer, 10 computers, and so on.)
+
+## Troubleshoot the freeze issues
+
+To troubleshoot the freeze issues, check the current status of your computer, and follow one of the following methods.
+
+### For the computer that's still running in a frozen state
+
+If the physical computer or the virtual machine is still freezing, use one or more of the following methods for troubleshooting:
+
+* Try to access the computer through Remote Desktop, Citrix, and so on.
+* Use the domain account or local administrator account to log on the computer by using one of the Remote Physical Console Access features, such as Dell Remote Access Card (DRAC), HP Integrated Lights-Out (iLo), or IBM Remote supervisor adapter (RSA).
+* Test ping to the computer. Packet dropping and high network latency may be observed.
+* Access administrative shares (\\\\**ServerName**\\c$).
+* Press Ctrl + Alt + Delete command and check response.
+* Try to use Remote Admin tools such as Computer Management, remote Server Manager, and Wmimgmt.msc.
+
+### For the computer that is no longer frozen
+
+If the physical computer or virtual machine froze but is now running in a good state, use one or more of the following methods for troubleshooting.
+
+#### For a physical computer
+
+* Review the System and Application logs from the computer that is having the issue. Check the event logs for the relevant Event ID:
+
+ - Application event log : Application Error (suggesting Crash or relevant System Process)
+ - System Event logs, Service Control Manager Error event IDs for Critical System Services
+ - Error Event IDs 2019/2020 with source Srv/Server
+
+* Generate a System Diagnostics report by running the perfmon /report command.
+
+#### For a virtual machine
+
+* Review the System and Application logs from the computer that is having the issue.
+* Generate a System Diagnostics report by running the perfmon /report command.
+* Check history in virtual management monitoring tools.
+
+## More Information
+
+### Collect data for the freeze issues
+
+To collect data for a server freeze, check the following table, and use one or more of the suggested methods.
+
+|Computer type and state |Data collection method |
+|-------------------------|--------------------|
+|A physical computer that's running in a frozen state|[Use a memory dump file to collect data](#use-memory-dump-to-collect-data-for-the-physical-computer-thats-running-in-a-frozen-state). Or use method 2, 3, or 4. These methods are listed later in this section.|
+|A physical computer that is no longer frozen|Use method 1, 2, 3, or 4. These methods are listed later in this section. And [use Pool Monitor to collect data](#use-pool-monitor-to-collect-data-for-the-physical-computer-that-is-no-longer-frozen).|
+|A virtual machine that's running in a frozen state|Hyper-V or VMware: [Use a memory dump file to collect data for the virtual machine that's running in a frozen state](#use-memory-dump-to-collect-data-for-the-virtual-machine-thats-running-in-a-frozen-state).
XenServer: Use method 1, 2, 3, or 4. These methods are listed later in this section.|
+|A virtual machine that is no longer frozen|Use method 1, 2, 3, or 4. These methods are listed later in this section.|
+
+
+#### Method 1: Memory dump
+
+> [!Note]
+> Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, [back up the registry for restoration](https://support.microsoft.com/help/322756) in case problems occur.
+
+A complete memory dump file records all the contents of system memory when the computer stops unexpectedly. A complete memory dump file may contain data from processes that were running when the memory dump file was collected.
+
+If the computer is no longer frozen and now is running in a good state, use the following steps to enable memory dump so that you can collect memory dump when the freeze issue occurs again. If the virtual machine is still running in a frozen state, use the following steps to enable and collect memory dump.
+
+> [!Note]
+> If you have a restart feature that is enabled on the computer, such as the Automatic System Restart (ASR) feature in Compaq computers, disable it. This setting is usually found in the BIOS. With this feature enabled, if the BIOS doesn't detect a heartbeat from the operating system, it will restart the computer. The restart can interrupt the dump process.
+
+
+1. Make sure that the computer is set up to get a complete memory dump file. To do this, follow these steps:
+
+ 1. Go to **Run** and enter `Sysdm.cpl`, and then press enter.
+
+ 2. In **System Properties**, on the **Advanced** tab, select **Performance** \> **Settings** \> **Advanced**, and then check or change the virtual memory by clicking **Change**.
+
+ 2. Go back to **System Properties** \> **Advanced** \> **Settings** in **Startup and Recovery**.
+
+ 3. In the **Write Debugging Information** section, select **Complete Memory Dump**.
+
+ > [!Note]
+ > For Windows versions that are earlier than Windows 8 or Windows Server 2012, the Complete Memory Dump type isn't available in the GUI. You have to change it in Registry Editor. To do this, change the value of the following **CrashDumpEnabled** registry entry to **1** (REG_DWORD):
+ >**HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled**
+
+ 4. Select **Overwrite any existing file**.
+
+ 5. Make sure that there's a paging file (pagefile.sys) on the system drive and that it’s at least 100 megabytes (MB) over the installed RAM (Initial and Maximum Size).
+
+ Additionally, you can use the workaround for [space limitations on the system drive in Windows Server 2008](#space-limitations-on-the-system-drive-in-windows-server-2008).
+
+ 6. Make sure that there's more freed-up space on the hard disk drives than there is physical RAM.
+
+2. Enable the CrashOnCtrlScroll registry value to allow the system to generate a dump file by using the keyboard. To do this, follow these steps:
+
+ 1. Go to Registry Editor, and then locate the following registry keys:
+
+ * `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters`
+
+ * `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters`
+
+ 2. Create the following CrashOnCtrlScroll registry entry in the two registry keys:
+
+ - **Value Name**: `CrashOnCtrlScroll`
+ - **Data Type**: `REG_DWORD`
+ - **Value**: `1`
+
+ 3. Exit Registry Editor.
+
+ 4. Restart the computer.
+
+3. On some physical computers, you may generate a nonmakeable interruption (NMI) from the Web Interface feature (such as DRAC, iLo, and RSA). However, by default, this setting will stop the system without creating a memory dump.
+
+ To allow the operating system to generate a memory dump file at an NMI interruption, set the value of the [NMICrashDump](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc783271(v=ws.10)) registry entry to `1` (REG_DWORD). Then, restart the computer to apply this change.
+
+ > [!Note]
+ > This is applicable only for Windows 7, Windows Server 2008 R2, and earlier versions of Windows. For Windows 8 Windows Server 2012, and later versions of Windows, the NMICrashDump registry key is no longer required, and an NMI interruption will result in [a Stop error that follows a memory dump data collection](https://support.microsoft.com/help/2750146).
+
+4. When the computer exhibits the problem, hold down the right **Ctrl** key, and press the **Scroll Lock** key two times to generate a memory dump file.
+
+ > [!Note]
+ > By default, the dump file is located in the following path:
+ > %SystemRoot%\MEMORY.DMP
+
+
+#### Method 2: Data sanity check
+
+Use the Dump Check Utility (Dumpchk.exe) to read a memory dump file or verify that the file was created correctly. You can use the Microsoft DumpChk (Crash Dump File Checker) tool to verify that the memory dump files are not corrupted or invalid.
+
+- [Using DumpChk]( https://docs.microsoft.com/windows-hardware/drivers/debugger/dumpchk)
+- [Download DumpCheck](https://developer.microsoft.com/windows/downloads/windows-10-sdk)
+
+Learn how to use Dumpchk.exe to check your dump files:
+
+> [!video https://www.youtube-nocookie.com/embed/xN7tOfgNKag]
+
+
+#### Method 3: Performance Monitor
+
+You can use Windows Performance Monitor to examine how programs that you run affect your computer's performance, both in real time and by collecting log data for later analysis. To create performance counter and event trace log collections on local and remote systems, run the following commands in a command prompt as administrator:
+
+```cmd
+Logman create counter LOGNAME_Long -u DOMAIN\USERNAME * -f bincirc -v mmddhhmm -max 500 -c "\\COMPUTERNAME\LogicalDisk(*)\*" "\\COMPUTERNAME\Memory\*" "\\COMPUTERNAME\Network Interface(*)\*" "\\COMPUTERNAME\Paging File(*)\*" "\\COMPUTERNAME\PhysicalDisk(*)\*" "\\COMPUTERNAME\Process(*)\*" "\\COMPUTERNAME\Redirector\*" "\\COMPUTERNAME\Server\*" "\\COMPUTERNAME\System\*" "\\COMPUTERNAME\Terminal Services\*" "\\COMPUTERNAME\Processor(*)\*" "\\COMPUTERNAME\Cache\*" -si 00:05:00
+```
+
+```cmd
+Logman create counter LOGNAME_Short -u DOMAIN\USERNAME * -f bincirc -v mmddhhmm -max 500 -c "\\COMPUTERNAME\LogicalDisk(*)\*" "\\COMPUTERNAME\Memory\*" "\\COMPUTERNAME\Network Interface(*)\*" "\\COMPUTERNAME\Paging File(*)\*" "\\COMPUTERNAME\PhysicalDisk(*)\*" "\\COMPUTERNAME\Process(*)\*" "\\COMPUTERNAME\Redirector\*" "\\COMPUTERNAME\Server\*" "\\COMPUTERNAME\System\*" "\\COMPUTERNAME\Terminal Services\*" "\\COMPUTERNAME\Processor(*)\*" "\\COMPUTERNAME\Cache\*" -si 00:00:10
+```
+
+Then, you can start or stop the log by running the following commands:
+
+```cmd
+logman start LOGNAME_Long / LOGNAME_Short
+logman stop LOGNAME_Long / LOGNAME_Short
+```
+
+The Performance Monitor log is located in the path: C:\PERFLOGS
+
+#### Method 4: Microsoft Support Diagnostics
+
+1. In the search box of the [Microsoft Support Diagnostics Self-Help Portal](https://home.diagnostics.support.microsoft.com/selfhelp), type Windows Performance Diagnostic.
+
+2. In the search results, select **Windows Performance Diagnostic**, and then click **Create**.
+
+3. Follow the steps of the diagnostic.
+
+
+### Additional methods to collect data
+
+#### Use memory dump to collect data for the physical computer that's running in a frozen state
+
+> [!Warning]
+> Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, [back up the registry for restoration](https://support.microsoft.com/help/322756) in case problems occur.
+
+If the physical computer is still running in a frozen state, follow these steps to enable and collect memory dump:
+
+
+1. Make sure that the computer is set up to get a complete memory dump file and that you can access it through the network. To do this, follow these steps:
+ > [!Note]
+ > If it isn't possible to access the affected computer through the network, try to generate a memory dump file through NMI interruption. The result of the action may not collect a memory dump file if some of the following settings aren't qualified.
+
+ 1. Try to access the desktop of the computer by any means.
+
+ > [!Note]
+ > In case accessing the operating system isn't possible, try to access Registry Editor on the computer remotely in order to check the type of memory dump file and page file with which the computer is currently configured.
+
+ 2. From a remote computer that is preferably in the same network and subnet, go to **Registry Editor** \> **Connect Network Registry**. Then, connect to the concerned computer, and verify the following settings:
+
+ * ` `*HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled`
+
+ Make sure that the [CrashDumpEnabled](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-2000-server/cc976050(v=technet.10)) registry entry is `1`.
+
+ * `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\NMICrashDump`
+
+ On some physical servers, if the NMICrashDump registry entry exists and its value is `1`, you may take advantage of the NMI from the remote management capabilities (such as DRAC, iLo, and RSA).
+
+ * `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PagingFiles and ExistingPageFiles`
+
+ If the value of the **Pagefile** registry entry is system managed, the size won't be reflected in the registry (Example value: ?:\pagefile.sys).
+
+ If the page file is customized, the size will be reflected in the registry, such as ‘?:\pagefile.sys 1024 1124’ where 1024 is the initial size and 1124 is the max size.
+
+ > [!Note]
+ > If the size isn't reflected in the Registry, try to access an Administrative share where the page file is located (such as \\\\**ServerName**\C$).
+
+ 3. Make sure that there's a paging file (pagefile.sys) on the system drive of the computer, and it's at least 100 MB over the installed RAM.
+
+ 4. Make sure that there's more free space on the hard disk drives of the computer than there is physical RAM.
+
+2. Enable the **CrashOnCtrlScroll** registry value on the computer to allow the system to generate a dump file by using the keyboard. To do this, follow these steps:
+
+ 1. From a remote computer preferably in the same network and subnet, go to Registry Editor \> Connect Network Registry. Connect to the concerned computer and locate the following registry keys:
+
+ * `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters`
+
+ * `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters`
+
+ 2. Create the following CrashOnCtrlScroll registry entry in the two registry keys:
+
+ **Value Name**: `CrashOnCtrlScroll`
+ **Data Type**: `REG_DWORD`
+ **Value**: `1`
+
+ 3. Exit Registry Editor.
+
+ 4. Restart the computer.
+
+3. When the computer exhibits the problem, hold down the right **CTRL** key, and press the **Scroll Lock** key two times to generate a memory dump.
+ > [!Note]
+ > By default, the dump file is located in the path: %SystemRoot%\MEMORY.DMP
+
+#### Use Pool Monitor to collect data for the physical computer that is no longer frozen
+
+Pool Monitor shows you the number of allocations and outstanding bytes of allocation by type of pool and the tag that is passed into calls of ExAllocatePoolWithTag.
+
+Learn [how to use Pool Monitor](https://support.microsoft.com/help/177415) and how to [use the data to troubleshoot pool leaks](http://blogs.technet.com/b/markrussinovich/archive/2009/03/26/3211216.aspx).
+
+#### Use memory dump to collect data for the virtual machine that's running in a frozen state
+
+Use the one of the following methods for the application on which the virtual machine is running.
+
+##### Microsoft Hyper-V
+
+If the virtual machine is running Windows 8, Windows Server 2012, or a later version of Windows on Microsoft Hyper-V Server 2012, you can use the built-in NMI feature through a [Debug-VM](https://docs.microsoft.com/previous-versions/windows/powershell-scripting/dn464280(v=wps.630)) cmdlet to debug and get a memory dump.
+
+To debug the virtual machines on Hyper-V, run the following cmdlet in Windows PowerShell:
+
+```powershell
+Debug-VM -Name "VM Name" -InjectNonMaskableInterrupt -ComputerName Hostname
+```
+
+> [!Note]
+> This method is applicable only to Windows 8, Windows Server 2012, and later versions of Windows virtual machines. For the earlier versions of Windows, see methods 1 through 4 that are described earlier in this section.
+
+##### VMware
+
+You can use VMware Snapshots or suspend state and extract a memory dump file equivalent to a complete memory dump file. By using [Checkpoint To Core Tool (vmss2core)](https://labs.vmware.com/flings/vmss2core), you can convert both suspend (.vmss) and snapshot (.vmsn) state files to a dump file and then analyze the file by using the standard Windows debugging tools.
+
+##### Citrix XenServer
+
+The memory dump process occurs by pressing the RIGHT CTRL + SCROLL LOCK + SCROLL LOCK keyboard combination that's described in Method 1 and on [the Citrix site](http://support.citrix.com/article/ctx123177).
+
+## Space limitations on the system drive in Windows Server 2008
+
+On Windows Server 2008, you may not have enough free disk space to generate a complete memory dump file on the system volume. There's a [hotfix](https://support.microsoft.com/help/957517) that allows for the data collection even though there isn't sufficient space on the system drive to store the memory dump file.
+
+Additionally, on Windows Server 2008 Service Pack (SP2), there's a second option if the system drive doesn't have sufficient space. Namely, you can use the DedicatedDumpFile registry entry. To learn how to use the registry entry, see [New behavior in Windows Vista and Windows Server 2008](https://support.microsoft.com/help/969028).
+
+For more information, see [How to use the DedicatedDumpFile registry value to overcome space limitations on the system drive](http://blogs.msdn.com/b/ntdebugging/archive/2010/04/02/how-to-use-the-dedicateddumpfile-registry-value-to-overcome-space-limitations-on-the-system-drive-when-capturing-a-system-memory-dump.aspx).
\ No newline at end of file
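Review bot: The remote-registry procedure sets `CrashOnCtrlScroll` to `1` under both `i8042prt\Parameters` and `kbdhid\Parameters` and never tells the reader to remove it once the dump has been collected, so the right CTRL + Scroll Lock + Scroll Lock sequence stays armed on that machine indefinitely. Add a closing step that deletes the value (or sets it to `0`) after data collection. Smaller points in the same hunk: "Use the one of the following methods" under the virtual machine heading should read "Use one of the following methods"; the Pool Monitor, Citrix and DedicatedDumpFile blog links are plain `http://` while the rest of the file uses `https://`; and the file ends without a trailing newline.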
diff --git a/windows/client-management/windows-10-support-solutions.md b/windows/client-management/windows-10-support-solutions.md
index c212eae7d8..d540b098dd 100644
--- a/windows/client-management/windows-10-support-solutions.md
+++ b/windows/client-management/windows-10-support-solutions.md
@@ -7,45 +7,54 @@ ms.sitesec: library
ms.author: elizapo
author: kaushika-msft
ms.localizationpriority: medium
-ms.date: 11/08/2017
+ms.date: 11/08/2018
---
# Top support solutions for Windows 10
Microsoft regularly releases both updates and solutions for Windows 10. To ensure your computers can receive future updates, including security updates, it's important to keep them updated. Check out the following links for a complete list of released updates:
-- [Windows 10 Version 1703 update history](https://support.microsoft.com/help/4018124/)
-- [Windows 10 Version 1607 update history](https://support.microsoft.com/help/4000825/)
-- [Windows 10 Version 1511 update history](https://support.microsoft.com/help/4000824/)
+- [Windows 10 version 1803 update history](https://support.microsoft.com/help/4099479)
+- [Windows 10 version 1709 update history](https://support.microsoft.com/help/4043454)
+- [Windows 10 Version 1703 update history](https://support.microsoft.com/help/4018124)
+- [Windows 10 Version 1607 update history](https://support.microsoft.com/help/4000825)
+- [Windows 10 Version 1511 update history](https://support.microsoft.com/help/4000824)
These are the top Microsoft Support solutions for the most common issues experienced when using Windows 10 in an enterprise or IT pro environment. The links below include links to KB articles, updates, and library articles.
-## Solutions related to installing Windows updates or hotfixes
-- [Understanding the Windowsupdate.log file for advanced users](https://support.microsoft.com/help/4035760/understanding-the-windowsupdate-log-file-for-advanced-users)
-- [You can't install updates on a Windows-based computer](https://support.microsoft.com/help/2509997/you-can-t-install-updates-on-a-windows-based-computer)
-- [Get-WindowsUpdateLog](https://technet.microsoft.com/itpro/powershell/windows/windowsupdate/get-windowsupdatelog)
-- [How to read the Windowsupdate.log file](https://support.microsoft.com/help/902093/how-to-read-the-windowsupdate-log-file)
-- [Can't download updates from Windows Update from behind a firewall or proxy server](https://support.microsoft.com/help/3084568/can-t-download-updates-from-windows-update-from-behind-a-firewall-or-p)
-- [Computer staged from a SysPrepped image doesn't receive WSUS updates](https://support.microsoft.com/help/4010909/computer-staged-from-a-sysprepped-image-doesn-t-receive-wsus-updates)
-- [Servicing stack update for Windows 10 Version 1703: June 13, 2017](https://support.microsoft.com/help/4022405/servicingstackupdateforwindows10version1703june13-2017)
-- [Servicing stack update for Windows 10 Version 1607 and Windows Server 2016: March 14, 2017](https://support.microsoft.com/help/4013418/servicing-stack-update-for-windows-10-version-1607-and-windows-server)
+## Solutions related to installing Windows Updates
+- [How does Windows Update work](https://docs.microsoft.com/en-us/windows/deployment/update/how-windows-update-works)
+- [Windows Update log files](https://docs.microsoft.com/en-us/windows/deployment/update/windows-update-logs)
+- [Windows Update troubleshooting](https://docs.microsoft.com/en-us/windows/deployment/update/windows-update-troubleshooting)
+- [Windows Update common errors and mitigation](https://docs.microsoft.com/en-us/windows/deployment/update/windows-update-errors)
+- [Windows Update - additional resources](https://docs.microsoft.com/en-us/windows/deployment/update/windows-update-resources)
+
+## Solutions related to installing or upgrading Windows
+
+- [Quick Fixes](https://docs.microsoft.com/en-us/windows/deployment/upgrade/quick-fixes)
+- [Troubleshooting upgrade errors](https://docs.microsoft.com/en-us/windows/deployment/upgrade/troubleshoot-upgrade-errors)
+- [Resolution procedures](https://docs.microsoft.com/en-us/windows/deployment/upgrade/resolution-procedures)
+- ["0xc1800118" error when you push Windows 10 Version 1607 by using WSUS](https://support.microsoft.com/en-in/help/3194588/0xc1800118-error-when-you-push-windows-10-version-1607-by-using-wsus)
+- [0xC1900101 error when Windows 10 upgrade fails after the second system restart](https://support.microsoft.com/en-in/help/3208485/0xc1900101-error-when-windows-10-upgrade-fails-after-the-second-system)
+
+## Solutions related to BitLocker
+
+- [BitLocker recovery guide](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan)
+- [BitLocker: How to enable Network Unlock](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock)
+- [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker)
+- [BitLocker Group Policy settings](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings)
## Solutions related to Bugchecks or Stop Errors
- [Troubleshooting Stop error problems for IT Pros](https://support.microsoft.com/help/3106831/troubleshooting-stop-error-problems-for-it-pros)
- [How to use Windows Recovery Environment (WinRE) to troubleshoot common startup issues](https://support.microsoft.com/help/4026030/how-to-use-windows-recovery-environment-winre-to-troubleshoot-common-s)
- [How to troubleshoot Windows-based computer freeze issues](https://support.microsoft.com/help/3118553/how-to-troubleshoot-windows-based-computer-freeze-issues)
-- [Understanding Bugchecks](https://blogs.technet.microsoft.com/askperf/2007/12/18/understanding-bugchecks/)
-- [Understanding Crash Dump Files](https://blogs.technet.microsoft.com/askperf/2008/01/08/understanding-crash-dump-files/)
+- [Introduction of page file in Long-Term Servicing Channel and Semi-Annual Channel of Windows](https://support.microsoft.com/help/4133658)
+
+
+## Solutions related to Windows Boot issues
+- [Troubleshooting Windows boot problems for IT Pros](https://support.microsoft.com/help/4343769)
+- [How to use Windows Recovery Environment (WinRE) to troubleshoot common startup issues](https://support.microsoft.com/help/4026030/how-to-use-windows-recovery-environment-winre-to-troubleshoot-common-s)
-## Solutions related to installing or upgrading Windows
-- [Resolve Windows 10 upgrade errors : Technical information for IT Pros](/windows/deployment/upgrade/resolve-windows-10-upgrade-errors)
-- [Windows OOBE fails when you start a new Windows-based computer for the first time](https://support.microsoft.com/help/4020048/windows-oobe-fails-when-you-start-a-new-windows-based-computer-for-the)
-- ["0xc1800118" error when you push Windows 10 Version 1607 by using WSUS](https://support.microsoft.com/help/3194588/-0xc1800118-error-when-you-push-windows-10-version-1607-by-using-wsus)
-- [0xC1900101 error when Windows 10 upgrade fails after the second system restart](https://support.microsoft.com/help/3208485/0xc1900101-error-when-windows-10-upgrade-fails-after-the-second-system)
-- [Updates fix in-place upgrade to Windows 10 version 1607 problem](https://support.microsoft.com/help/4020149/updates-fix-in-place-upgrade-to-windows-10-version-1607-problem)
-- [OOBE update for Windows 10 Version 1703: May 9, 2017](https://support.microsoft.com/help/4020008)
-- [OOBE update for Windows 10 Version 1607: May 30, 2017](https://support.microsoft.com/help/4022632)
-- [OOBE update for Windows 10 Version 1511: May 30, 2017](https://support.microsoft.com/help/4022633)
## Solutions related to configuring or managing the Start menu
- [Manage Windows 10 Start and taskbar layout](/windows/configuration/windows-10-start-layout-options-and-policies)
@@ -57,7 +66,8 @@ These are the top Microsoft Support solutions for the most common issues experie
- [Modern apps are blocked by security software when you start the applications on Windows 10 Version 1607](https://support.microsoft.com/help/4016973/modern-apps-are-blocked-by-security-software-when-you-start-the-applic)
## Solutions related to wireless networking and 802.1X authentication
-
+- [Advanced Troubleshooting Wireless Network](Connectivity]https://docs.microsoft.com/en-us/windows/client-management/advanced-troubleshooting-wireless-network-connectivity)
+- [Advanced Troubleshooting 802.1x Authentication](https://docs.microsoft.com/en-us/windows/client-management/advanced-troubleshooting-802-authentication)
+- [Troubleshooting Windows 802.11 Wireless Connections](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-vista/cc766215(v=ws.10))
+- [Troubleshooting Windows Secure 802.3 Wired Connections](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-vista/cc749352(v%3dws.10))
- [Windows 10 devices can't connect to an 802.1X environment](https://support.microsoft.com/kb/3121002)
-- [Windows 10 wireless connection displays "Limited" status](https://support.microsoft.com/kb/3114149)
-- [Computer that has VPN software installed can't detect wireless network after upgrading to Windows 10](https://support.microsoft.com/kb/3084164)
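Review bot: The first added link is malformed and will not render: `[Advanced Troubleshooting Wireless Network](Connectivity]https://docs.microsoft.com/...)` has the word "Connectivity" and a stray `]` inside the URL part. It should be `[Advanced Troubleshooting Wireless Network Connectivity](https://docs.microsoft.com/...)`. The two previous-versions links are also encoded inconsistently, one with `(v=ws.10)` and the other with `(v%3dws.10)`; pick one form and confirm both resolve, because parentheses inside a Markdown link target are easy to break. As in the earlier hunk, the `/en-us/` locale segment can be dropped.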
diff --git a/windows/client-management/windows-version-search.md b/windows/client-management/windows-version-search.md
index a99249bc6b..54bb8122b7 100644
--- a/windows/client-management/windows-version-search.md
+++ b/windows/client-management/windows-version-search.md
@@ -15,7 +15,7 @@ ms.date: 04/30/2018
To determine if your device is enrolled in the [Long-Term Servicing Channel](https://docs.microsoft.com/windows/deployment/update/waas-overview#servicing-channels) (LTSC, formerly LTSB) or the [Semi-Annual Channel](https://docs.microsoft.com/windows/deployment/update/waas-overview#servicing-channels) (SAC) you'll need to know what version of Windows 10 you're running. There are a few ways to figure this out. Each method provides a different set of details, so it’s useful to learn about all of them.
## System Properties
-Click **Start** > **Settings** > **Settings** > click **About** from the bottom of the left-hand menu
+Click **Start** > **Settings** > **System** > click **About** from the bottom of the left-hand menu
You'll now see **Edition**, **Version**, and **OS Build** information. Something like this:
diff --git a/windows/configuration/TOC.md b/windows/configuration/TOC.md
index b0498ec09f..c2226fc484 100644
--- a/windows/configuration/TOC.md
+++ b/windows/configuration/TOC.md
@@ -42,6 +42,7 @@
### [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
### [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
### [Customize Windows 10 Start and taskbar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
+### [Troubleshoot Start menu errors](start-layout-troubleshoot.md)
### [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md)
## [Provisioning packages for Windows 10](provisioning-packages/provisioning-packages.md)
### [How provisioning works in Windows 10](provisioning-packages/provisioning-how-it-works.md)
diff --git a/windows/configuration/images/start-ts-1.png b/windows/configuration/images/start-ts-1.png
new file mode 100644
index 0000000000..ca04fc7f77
Binary files /dev/null and b/windows/configuration/images/start-ts-1.png differ
diff --git a/windows/configuration/images/start-ts-2.png b/windows/configuration/images/start-ts-2.png
new file mode 100644
index 0000000000..56e1ff05d1
Binary files /dev/null and b/windows/configuration/images/start-ts-2.png differ
diff --git a/windows/configuration/images/start-ts-3.png b/windows/configuration/images/start-ts-3.png
new file mode 100644
index 0000000000..e62bb90aa2
Binary files /dev/null and b/windows/configuration/images/start-ts-3.png differ
diff --git a/windows/configuration/images/start-ts-4.png b/windows/configuration/images/start-ts-4.png
new file mode 100644
index 0000000000..71316899fd
Binary files /dev/null and b/windows/configuration/images/start-ts-4.png differ
diff --git a/windows/configuration/images/start-ts-5.jpg b/windows/configuration/images/start-ts-5.jpg
new file mode 100644
index 0000000000..61292cac4b
Binary files /dev/null and b/windows/configuration/images/start-ts-5.jpg differ
diff --git a/windows/configuration/images/start-ts-6.png b/windows/configuration/images/start-ts-6.png
new file mode 100644
index 0000000000..d124d38fed
Binary files /dev/null and b/windows/configuration/images/start-ts-6.png differ
diff --git a/windows/configuration/images/start-ts-7.png b/windows/configuration/images/start-ts-7.png
new file mode 100644
index 0000000000..0c85959912
Binary files /dev/null and b/windows/configuration/images/start-ts-7.png differ
diff --git a/windows/configuration/kiosk-policies.md b/windows/configuration/kiosk-policies.md
index 3a810a03ce..8eef8af221 100644
--- a/windows/configuration/kiosk-policies.md
+++ b/windows/configuration/kiosk-policies.md
@@ -61,7 +61,7 @@ Remove All Programs list from the Start Menu | Enabled – Remove and disable s
Prevent access to drives from My Computer | Enabled - Restrict all drivers
>[!NOTE]
->When **Prevent access to drives from My Computer** is enabled, users can browse the directory structure in File Explorer, but they cannot open folders and access the contents. Also, they cannot use the **Run** dialog box or the **Map Network Drive** dialog box to view the directories on these drives. The icons representing the specified drives still appear in File Explorer, but if users double-click the icons, a message appears expalining that a setting prevents the action. This setting does not prevent users from using programs to access local and network drives. It does not prevent users from using the Disk Management snap-in to view and change drive characteristics.
+>When **Prevent access to drives from My Computer** is enabled, users can browse the directory structure in File Explorer, but they cannot open folders and access the contents. Also, they cannot use the **Run** dialog box or the **Map Network Drive** dialog box to view the directories on these drives. The icons representing the specified drives still appear in File Explorer, but if users double-click the icons, a message appears explaining that a setting prevents the action. This setting does not prevent users from using programs to access local and network drives. It does not prevent users from using the Disk Management snap-in to view and change drive characteristics.
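Review bot: The table row directly above the corrected note still reads "Enabled - Restrict all drivers", although the setting is **Prevent access to drives from My Computer** and the note talks about drives throughout, so "drivers" looks like a typo for "drives" that this spelling pass should pick up as well. The identical row and note also appear in lock-down-windows-10-to-specific-apps.md later in this diff, so fix both copies together.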
diff --git a/windows/configuration/kiosk-prepare.md b/windows/configuration/kiosk-prepare.md
index 7932dafc17..79b8628623 100644
--- a/windows/configuration/kiosk-prepare.md
+++ b/windows/configuration/kiosk-prepare.md
@@ -31,7 +31,7 @@ Recommendation | How to
Hide update notifications
(New in Windows 10, version 1809) | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\Windows Components\\Windows Update\\Display options for update notifications**
-or-
Use the MDM setting **Update/UpdateNotificationLevel** from the [**Policy/Update** configuration service provider](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel)
-or-
Add the following registry keys as DWORD (32-bit) type:`HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\UpdateNotificationLevel` with a value of `1`, and `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\SetUpdateNotificationLevel` with a value of `1` to hide all notifications except restart warnings, or value of `2` to hide all notifications, including restart warnings.
Replace "blue screen" with blank screen for OS errors | Add the following registry key as DWORD (32-bit) type with a value of `1`:`HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\DisplayDisabled`
Put device in **Tablet mode**. | If you want users to be able to use the touch (on screen) keyboard, go to **Settings** > **System** > **Tablet mode** and choose **On.** Do not turn on this setting if users will not interact with the kiosk, such as for a digital sign.
-Hide **Ease of access** feature on the sign-in screen. | Go to **Control Panel** > **Ease of Access** > **Ease of Access Center**, and turn off all accessibility tools.
+Hide **Ease of access** feature on the sign-in screen. | See [how to disable the Ease of Access button in the registry.](https://docs.microsoft.com/windows-hardware/customize/enterprise/complementary-features-to-custom-logon#welcome-screen)
Disable the hardware power button. | Go to **Power Options** > **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**.
Remove the power button from the sign-in screen. | Go to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** >**Security Options** > **Shutdown: Allow system to be shut down without having to log on** and select **Disabled.**
Disable the camera. | Go to **Settings** > **Privacy** > **Camera**, and turn off **Let apps use my camera**.
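Review bot: The rewritten "Hide **Ease of access** feature on the sign-in screen" row replaces an inline procedure with a bare link, which makes it the only row in this table that does not state the setting itself. Since this is a lockdown checklist for kiosks, name the registry value and data in the cell, as the "Replace blue screen" row does for `DisplayDisabled`, and keep the link as the reference. The link text also ends with a period inside the brackets (`registry.](https://...)`); move it outside the link.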
diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md
index 46423972f4..232a0d1e60 100644
--- a/windows/configuration/lock-down-windows-10-to-specific-apps.md
+++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md
@@ -315,7 +315,7 @@ The following example hides the taskbar:
```
>[!IMPORTANT]
->The kiosk profile is designed for public-facing kiosk devices. We recommend that you use a local, non-administrator account. If the device is connected to your company network, using a domain or Azure Active Direcotry account could potentially compromise confidential information.
+>The kiosk profile is designed for public-facing kiosk devices. We recommend that you use a local, non-administrator account. If the device is connected to your company network, using a domain or Azure Active Directory account could potentially compromise confidential information.
#### Configs
@@ -619,7 +619,7 @@ Remove All Programs list from the Start Menu | Enabled – Remove and disable s
Prevent access to drives from My Computer | Enabled - Restrict all drivers
>[!NOTE]
->When **Prevent access to drives from My Computer** is enabled, users can browse the directory structure in File Explorer, but they cannot open folders and access the contents. Also, they cannot use the **Run** dialog box or the **Map Network Drive** dialog box to view the directories on these drives. The icons representing the specified drives still appear in File Explorer, but if users double-click the icons, a message appears expalining that a setting prevents the action. This setting does not prevent users from using programs to access local and network drives. It does not prevent users from using the Disk Management snap-in to view and change drive characteristics.
+>When **Prevent access to drives from My Computer** is enabled, users can browse the directory structure in File Explorer, but they cannot open folders and access the contents. Also, they cannot use the **Run** dialog box or the **Map Network Drive** dialog box to view the directories on these drives. The icons representing the specified drives still appear in File Explorer, but if users double-click the icons, a message appears explaining that a setting prevents the action. This setting does not prevent users from using programs to access local and network drives. It does not prevent users from using the Disk Management snap-in to view and change drive characteristics.
diff --git a/windows/configuration/start-layout-troubleshoot.md b/windows/configuration/start-layout-troubleshoot.md
new file mode 100644
index 0000000000..635ee7e17a
--- /dev/null
+++ b/windows/configuration/start-layout-troubleshoot.md
@@ -0,0 +1,313 @@
+---
+title: Troubleshoot Start menu errors
+description: Troubleshoot common errors related to Start menu in Windows 10.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.author: kaushika
+author: kaushika-msft
+ms.localizationpriority: medium
+ms.date: 12/03/18
+---
+
+# Troubleshoot Start Menu errors
+
+Start failures can be organized into these categories:
+
+- **Deployment/Install issues** - Easiest to identify but difficult to recover. This failure is consistent and usually permanent. Reset, restore from backup, or rollback to recover.
+- **Performance issues** - More common with older hardware, low-powered machines. Symptoms include: High CPU utilization, disk contention, memory resources. This makes Start very slow to respond. Behavior is intermittent depending on available resources.
+- **Crashes** - Also easy to identify. Crashes in Shell Experience Host or related can be found in System or Application event logs. This can be a code defect or related to missing or altered permissions to files or registry keys by a program or incorrect security tightening configurations. Determining permissions issues can be time consuming but a [SysInternals tool called Procmon](https://docs.microsoft.com/sysinternals/downloads/procmon) will show **Access Denied**. The other option is to get a dump of the process when it crashes and depending on comfort level, review the dump in the debugger, or have support review the data.
+- **Hangs** in Shell Experience host or related. These are the hardest issues to identify as there are few events logged, but behavior is typically intermittent or recovers with a reboot. If a background application or service hangs, Start will not have resources to respond in time. Clean boot may help identify if the issue is related to additional software. Procmon is also useful in this scenario.
+- **Other issues** - Customization, domain policies, deployment issues.
+
+## Basic troubleshooting
+
+When troubleshooting basic Start issues (and for the most part, all other Windows apps), there are a few things to check if they are not working as expected. When experiencing issues where the Start Menu or sub-component are not working, there are some quick tests to narrow down where the issue may reside.
+
+### Check the OS and update version
+
+- Is the system running the latest Feature and Cumulative Monthly update?
+- Did the issue start immediately after an update? Ways to check:
+ - Powershell:[System.Environment]::OSVersion.Version
+ - WinVer from CMD.exe
+
+
+
+### Check if Start is installed
+
+- If Start fails immediately after a feature update, on thing to check is if the App package failed to install successfully.
+
+- If Start was working and just fails intermittently, it's likely that Start is installed correctly, but the issue occurs downstream. The way to check for this is to look for output from these two PS commands:
+
+ - `get-AppXPackage -Name Microsoft.Windows.ShellExperienceHost`
+ - `get-AppXPackage -Name Microsoft.Windows.Cortana`
+
+ 
+
+ Failure messages will appear if they are not installed
+
+- If Start is not installed the fastest resolution is to revert to a known good configuration. This can be rolling back the update, resetting the PC to defaults (where there is a choice to save to delete user data), or restoring from backup. There is no supported method to install Start Appx files. The results are often problematic and unreliable.
+
+### Check if Start is running
+
+If either component is failing to start on boot, reviewing the event logs for errors or crashes during boot may pin point the problem. Booting with MSCONFIG and using a selective or diagnostic startup option will eliminate and/or identify possible interference from additional applications.
+- `get-process -name shellexperiencehost`
+- `get-process -name searchui`
+
+If it is installed but not running, test booting into safe mode or use MSCONFIG to eliminate 3rd party or additional drivers and applications.
+
+### Check whether the system a clean install or upgrade
+
+- Is this system an upgrade or clean install?
+ - Run `test-path "$env:windir\panther\miglog.xml"`
+ - If that file does not exist, the system is a clean install.
+- Upgrade issues can be found by running `test-path "$env:windir\panther\miglog.xml"`
+
+
+### Check if Start is registered or activated
+
+- Export the following Event log to CSV and do a keyword search in a text editor or spreadsheet:
+ - Microsoft-Windows-TWinUI/Operational for Microsoft.Windows.ShellExperienceHost or Microsoft.Windows.Cortana
+ - "Package was not found"
+ - "Invalid value for registry"
+ - "Element not found"
+ - "Package could not be registered"
+
+If these events are found, Start is not activated correctly. Each event will have more detail in the description and should be investigated further. Event messages can vary.
+
+### Other things to consider
+
+When did this start?
+
+- Top issues for Start Menu failure are triggered
+ - After an update
+ - After installation of an application
+ - After joining a domain or applying a domain policy
+- Many of those issues are found to be
+ - Permission changes on Registry keys or folders
+ - Start or related component crashes or hangs
+ - Customization failure
+
+To narrow this down further, it's good to note:
+
+- What is the install background?
+ - Was this a deployment, install from media, other
+ - Using customizations?
+ - DISM
+ - Group Policy or MDM
+ - copyprofile
+ - Sysprep
+ - Other
+
+- Domain-joined
+ - Group policy settings that restrict access or permissions to folders or registry keys can cause issues with Start performance.
+ - Some Group Policies intended for Windows 7 or older have been known to cause issues with Start
+ - Untested Start Menu customizations can cause unexpected behavior by typically not complete Start failures.
+
+- Is this a virtualized environment?
+ - VMware
+ - Citrix
+ - Other
+
+## Check Event logs that record Start Issues:
+
+- System Event log
+- Application Event log
+- Microsoft/Windows/Shell-Core*
+- Microsoft/Windows/Apps/
+- Microsoft-Windows-TWinUI*
+- Microsoft/Windows/AppReadiness*
+- Microsoft/Windows/AppXDeployment*
+- Microsoft-Windows-PushNotification-Platform/Operational
+- Microsoft-Windows-CoreApplication/Operational
+- Microsoft-Windows-ShellCommon-StartLayoutPopulation*
+- Microsoft-Windows-CloudStore*
+
+
+- Check for crashes that may be related to Start (explorer.exe, taskbar, etc)
+ - Application log event 1000, 1001
+ - Check WER reports
+ - C:\ProgramData\Microsoft\Windows\WER\ReportArchive\
+ - C:\ProgramData\Micrt\Windowsosof\WER\ReportQueue\
+
+If there is a component of Start that is consistently crashing, capture a dump which can be reviewed by Microsoft Support.
+
+## Common errors and mitigation
+
+The following list provides information about common errors you might run into with Start Menu, as well as steps to help you mitigate them.
+
+### Symptom: Start Menu doesn't respond on Windows 2012 R2, Windows 10, or Windows 2016
+
+**Cause**: Background Tasks Infrastructure Service (BrokerInfrastructure) service is not started.
+
+**Resolution**: Ensure that Background Tasks Infrastructure Service is set to automatic startup in Services MMC.
+
+If Background Tasks Infrastructure Service fails to start, verify that the Power Dependency Coordinator Driver (PDC) driver and registry key are not disabled or deleted. If either are missing, restore from backup or the installation media.
+
+To verify the PDC Service, run `C:\>sc query pdc` in a command prompt. The results will be similar to the following:
+
+>SERVICE_NAME: pdc
+>TYPE : 1 KERNEL_DRIVER
+>STATE : 4 RUNNING
+> (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
+>WIN32_EXIT_CODE : 0 (0x0)
+>SERVICE_EXIT_CODE : 0 (0x0)
+>CHECKPOINT : 0x0
+>WAIT_HINT : 0x0
+
+The PDC service uses pdc.sys located in the %WinDir%\system32\drivers.
+
+The PDC registry key is:
+`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pdc`
+**Description**="@%SystemRoot%\\system32\\drivers\\pdc.sys,-101"
+**DisplayName**="@%SystemRoot%\\system32\\drivers\\pdc.sys,-100"
+**ErrorControl**=dword:00000003
+**Group**="Boot Bus Extender"
+**ImagePath**=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
+ 72,00,69,00,76,00,65,00,72,00,73,00,5c,00,70,00,64,00,63,00,2e,00,73,00,79,\
+ 00,73,00,00,00
+**Start**=dword:00000000
+**Type**=dword:00000001
+
+In addition to the listed dependencies for the service, Background Tasks Infrastructure Service requires the Power Dependency Coordinator Driver to be loaded. If the PDC does not load at boot, Background Tasks Infrastructure Service will fail and affect Start Menu.
+Events for both PDC and Background Tasks Infrastructure Service will be recorded in the event logs. PDC should not be disabled or deleted. BrokerInfrastructure is an automatic service. This Service is required for all these operating Systems as running to have a stable Start Menu.
+
+>[!NOTE]
+>You cannot stop this automatic service when machine is running (C:\windows\system32\svchost.exe -k DcomLaunch -p).
+
+
+### Symptom: After upgrading from 1511 to 1607 versions of Windows, the Group Policy "Remove All Programs list from the Start Menu" may not work
+
+**Cause**: There was a change in the All Apps list between Windows 10, versions 1511 and 1607. These changes mean the original Group Policy and corresponding registry key no longer apply.
+
+**Resolution**: This issue was resolved in the June 2017 updates. Please update Windows 10, version 1607 to the latest cumulative or feature updates.
+
+>[!Note]
+>When the Group Policy is enabled, the desired behavior also needs to be selected. By default, it is set to **None**.
+
+
+### Symptom: Application tiles like Alarm, Calculator, and Edge are missing from Start Menu and the Settings app fails to open on Windows 10, version 1709 when a local user profile is deleted
+
+
+
+**Cause**: This is a known issue where the first-time logon experience is not detected and does not trigger the install of some Apps.
+
+**Resolution**: This issue has been fixed for Windows 10, version 1709 in [KB 4089848](https://support.microsoft.com/help/4089848) March 22, 2018—KB4089848 (OS Build 16299.334)
+
+### Symptom: When attempting to customize Start Menu layout, the customizations do not apply or results are not expected
+
+**Cause**: There are two main reasons for this issue:
+
+- Incorrect format: Editing the xml file incorrectly by adding an extra space or spaces, entering a bad character, or saving in the wrong format.
+ - To tell if the format is incorrect, check for **Event ID: 22** in the "Applications and Services\Microsoft\Windows\ShellCommon-StartLayoutPopulation\Operational" log.
+ - Event ID 22 is logged when the xml is malformed, meaning the specified file simply isn’t valid xml.
+ - When editing the xml file, it should be saved in UTF-8 format.
+
+- Unexpected information: This occurs when possibly trying to add a tile via unexpected or undocumented method.
+ - **Event ID: 64** is logged when the xml is valid but has unexpected values.
+ - For example: The following error occurred while parsing a layout xml file: The attribute 'LayoutCustomizationRestrictiontype' on the element '{http://schemas.microsoft.com/Start/2014/LayoutModification}DefaultLayoutOverride' is not defined in the DTD/Schema.
+
+XML files can and should be tested locally on a Hyper-V or other virtual machine before deployment or application by Group Policy
+
+### Symptom: Start menu no longer works after a PC is refreshed using F12 during start up
+
+**Description**: If a user is having problems with a PC, is can be refreshed, reset, or restored. Refreshing the PC is a beneficial option because it maintains personal files and settings. When users have trouble starting the PC, "Change PC settings" in Settings is not accessible. So, to access the System Refresh, users may use the F12 key at start up. Refreshing the PC finishes, but Start Menu is not accessible.
+
+**Cause**: This is a known issue and has been resolved in a cumulative update released August 30th 2018.
+
+**Resolution**: Install corrective updates; a fix is included in the [September 11, 2018-KB4457142 release](https://support.microsoft.com/help/4457142).
+
+### Symptom: The All Apps list is missing from Start menu
+
+**Cause**: “Remove All Programs list from the Start menu" Group Policy is enabled.
+
+**Resolution**: Disable the “Remove All Programs list from the Start menu" Group Policy.
+
+### Symptom: Tiles are missing from the Start Menu when using Windows 10, version 1703 or older, Windows Server 2016, and Roaming User Profiles with a Start layout
+
+**Description**: There are two different Start Menu issues in Windows 10:
+- Administrator configured tiles in the start layout fail to roam.
+- User-initiated changes to the start layout are not roamed.
+
+Specifically, behaviors include
+ - Applications (apps or icons) pinned to the start menu are missing.
+ - Entire tile window disappears.
+ - The start button fails to respond.
+ - If a new roaming user is created, the first logon appears normal, but on subsequent logons, tiles are missing.
+
+
+
+
+*Working layout on first sign-in of a new roaming user profile*
+
+
+
+*Failing layout on subsequent sign-ins*
+
+
+**Cause**: A timing issue exists where the Start Menu is ready before the data is pulled locally from the Roaming User Profile. The issue does not occur on first logons of a new roaming user, as the code path is different and slower.
+
+**Resolution**: This issue has been resolved in Windows 10, versions 1703 and 1607, cumulative updates [as of March 2017](https://support.microsoft.com/help/4013429).
+
+
+### Symptom: Start Menu layout customizations are lost after upgrading to Windows 10, version 1703
+
+**Description**:
+
+Before the upgrade:
+
+ 
+
+After the upgrade the user pinned tiles are missing:
+
+ 
+
+Additionally, users may see blank tiles if logon was attempted without network connectivity.
+
+ 
+
+
+**Resolution**: This is fixed in [October 2017 update](https://support.microsoft.com/en-us/help/4041676).
+
+### Symptom: Tiles are missing after upgrade from Windows 10, version 1607 to version 1709 for users with Roaming User Profiles (RUP) enabled and managed Start Menu layout with partial lockdown
+
+**Resolution** The April 2018 LCU must be applied to Windows 10, version 1709 before a user logs on.
+
+### Symptom: Start Menu and/or Taskbar layout customizations are not applied if CopyProfile option is used in an answer file during Sysprep
+
+**Resolution**: CopyProfile is no longer supported when attempting to customize Start Menu or taskbar with a layoutmodification.xml.
+
+### Symptom: Start Menu issues with Tile Data Layer corruption
+
+**Cause**: Windows 10, version 1507 through the release of version 1607 uses a database for the Tile image information. This is called the Tile Data Layer database.
+
+**Resolution** There are steps you can take to fix the icons, first is to confirm that is the issue that needs to be addressed.
+
+1. The App or Apps work fine when you click on the tiles.
+2. The tiles are blank, have a generic placeholder icon, have the wrong or strange title information.
+3. The app is missing, but listed as installed via Powershell and works if you launch via URI.
+ - Example: `windows-feedback://`
+4. In some cases, Start can be blank, and Action Center and Cortana do not launch.
+
+>[!Note]
+>Corruption recovery removes any manual pins from Start. Apps should still be visible, but you’ll need to re-pin any secondary tiles and/or pin app tiles to the main Start view. Aps that you have installed that are completely missing from “all apps” is unexpected, however. That implies the re-registration didn’t work.
+
+- Open a command prompt, and run the following command:
+
+```
+C:\Windows\System32\tdlrecover.exe -reregister -resetlayout -resetcache
+```
+
+Although a reboot is not required, it may help clear up any residual issues after the command is run.
+
+
+
+
+
+
+
+
+
+
+
+
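Review bot: The PDC registry values under "The PDC registry key is:" are pasted as a raw .reg export with markdown bold on each value name, which leaves ImagePath as an unreadable hex(2) blob; put the values in a code block and give the decoded path (the bytes are the UTF-16 string system32\drivers\pdc.sys) so an administrator can compare it against a live system. In the same hunk: "is can be refreshed" should be "it can be refreshed", "Aps that you have installed" should be "Apps", two "**Resolution**" labels are missing the colon the others have, the KB 4089848 link is followed by a duplicate of its own title, and the file ends with twelve empty added lines that should be dropped.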
diff --git a/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md b/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md
index 8a119cf39e..f91ada9764 100644
--- a/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md
+++ b/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md
@@ -35,10 +35,10 @@ When replacing a user’s device, UE-V automatically restores settings if the us
You can also use the Windows PowerShell cmdlet, Restore-UevBackup, to restore settings from a different device. To clone the settings packages for the new device, use the following cmdlet in Windows PowerShell:
``` syntax
-Restore-UevBackup -Machine
+Restore-UevBackup -ComputerName
```
-where <MachineName> is the computer name of the device.
+where <ComputerName> is the computer name of the device.
Templates such as the Office 2013 template that include many applications can either all be included in the roamed (default) or backed up profile. Individual apps in a template suite follow the group. Office 2013 in-box templates include both roaming and backup-only settings. Backup-only settings cannot be included in a roaming profile.
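Review bot: The new syntax line "Restore-UevBackup -ComputerName" gives the parameter no value, but the sentence right after it explains a <ComputerName> placeholder that never appears in the command. Make the example "Restore-UevBackup -ComputerName <ComputerName>" so the two lines agree, and check that the angle brackets survive rendering inside the syntax block.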
diff --git a/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md b/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md
index 585fe8822f..eea5619b50 100644
--- a/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md
+++ b/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md
@@ -84,7 +84,7 @@ Review the following tables for details about Office support in UE-V:
Microsoft PowerPoint 2016
Microsoft Project 2016
Microsoft Publisher 2016
-Microsoft SharePoint Designer 2013 (not udpated for 2016)
+Microsoft SharePoint Designer 2013 (not updated for 2016)
Microsoft Visio 2016
Microsoft Word 2016
Microsoft Office Upload Manager
diff --git a/windows/configuration/wcd/wcd-devicemanagement.md b/windows/configuration/wcd/wcd-devicemanagement.md
index 70a65ed02e..b245647edf 100644
--- a/windows/configuration/wcd/wcd-devicemanagement.md
+++ b/windows/configuration/wcd/wcd-devicemanagement.md
@@ -50,7 +50,7 @@ Use to configure device management settings.
| ProtocolVersion | Select between **1.1** and **1.2** for the OMA DM protocol version that the server supports |
| **Role** | Select between **Enterprise** and **Mobile Operator** for the role mask that the DM session runs with when it communicates with the server |
| **ServerID** | Enter the OMA DM server's unique identifier for the current OMA DM account |
-| SSLClientCertSearchCriteria | Specify the client certificate search criteria, by subject attribute and certficate stores. For details, see [DMAcc configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/dmacc-csp). |
+| SSLClientCertSearchCriteria | Specify the client certificate search criteria, by subject attribute and certificate stores. For details, see [DMAcc configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/dmacc-csp). |
| UseHardwareDeviceID | Specify whether to use the hardware ID for the ./DevInfo/DevID parameter in the DM account to identify the device |
| UseNonceResync | Specify whether the OMA DM client should use the nonce resynchronization procedure if the server trigger notification fails authentication |
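Review bot: The SSLClientCertSearchCriteria row is being edited anyway, yet its DMAcc CSP link still points at msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/dmacc-csp while the Related topics entry in this same file uses docs.microsoft.com/windows/client-management/mdm/dmacc-csp. Point both at the same URL so readers configuring client certificate selection land on one reference.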
@@ -90,4 +90,4 @@ In **PROVURL**, enter the URL for a Trusted Provisioning Server (TPS).
## Related topics
- [DMAcc configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/dmacc-csp)
-- [PXLOGICAL CSP](https://docs.microsoft.com/windows/client-management/mdm/pxlogical-csp)
\ No newline at end of file
+- [PXLOGICAL CSP](https://docs.microsoft.com/windows/client-management/mdm/pxlogical-csp)
diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md
index ce9e1629c5..00acdc9318 100644
--- a/windows/deployment/TOC.md
+++ b/windows/deployment/TOC.md
@@ -215,6 +215,7 @@
### [Quick guide to Windows as a service](update/waas-quick-start.md)
#### [Servicing stack updates](update/servicing-stack-updates.md)
### [Overview of Windows as a service](update/waas-overview.md)
+### [Understand how servicing differs in Windows 10](update/waas-servicing-differences.md)
### [Prepare servicing strategy for Windows 10 updates](update/waas-servicing-strategy-windows-10-updates.md)
### [Build deployment rings for Windows 10 updates](update/waas-deployment-rings-windows-10-updates.md)
### [Assign devices to servicing channels for Windows 10 updates](update/waas-servicing-channels-windows-10-updates.md)
@@ -260,6 +261,7 @@
##### [Step 1: Identify apps](upgrade/upgrade-readiness-identify-apps.md)
##### [Step 2: Resolve issues](upgrade/upgrade-readiness-resolve-issues.md)
##### [Step 3: Deploy Windows](upgrade/upgrade-readiness-deploy-windows.md)
+##### [Step 4: Monitor deployment](upgrade/upgrade-readiness-monitor-deployment.md)
##### [Additional insights](upgrade/upgrade-readiness-additional-insights.md)
##### [Targeting a new operating system version](upgrade/upgrade-readiness-target-new-OS.md)
### [Monitor Windows Updates with Update Compliance](update/update-compliance-monitor.md)
diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md
index a70b584daf..c1d98d727b 100644
--- a/windows/deployment/deploy-enterprise-licenses.md
+++ b/windows/deployment/deploy-enterprise-licenses.md
@@ -73,7 +73,7 @@ For more information about integrating on-premises AD DS domains with Azure AD,
## Preparing for deployment: reviewing requirements
-Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices), later in this topic.
+Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices), later in this topic.
## Assigning licenses to users
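Review bot: "hybrid domain joined with Azure AD Connect" in the changed requirements sentence is not a named join state, and it sits next to "Azure Active Directory joined", which is one. Use "hybrid Azure AD joined" so the requirement matches what an administrator will see when checking device state, and apply the same wording to the identical sentence under "Review requirements on devices" in the next hunk.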
@@ -225,7 +225,7 @@ Use the following figures to help you troubleshoot when users experience these c
### Review requirements on devices
-Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. You can use the following procedures to review whether a particular device meets requirements.
+Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. You can use the following procedures to review whether a particular device meets requirements.
**To determine if a device is Azure Active Directory joined:**
diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md
index be1e1f9ea7..b00555481d 100644
--- a/windows/deployment/deploy-whats-new.md
+++ b/windows/deployment/deploy-whats-new.md
@@ -26,7 +26,7 @@ This topic provides an overview of new solutions and online content related to d
## The Modern Desktop Deployment Center
-The [Modern Destop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home) has launched with tons of content to help you with large-scale deployment of Windows 10 and Office 365 ProPlus.
+The [Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home) has launched with tons of content to help you with large-scale deployment of Windows 10 and Office 365 ProPlus.
## Windows 10 servicing and support
diff --git a/windows/deployment/images/UR-driver-issue-detail.png b/windows/deployment/images/UR-driver-issue-detail.png
new file mode 100644
index 0000000000..933b2e2346
Binary files /dev/null and b/windows/deployment/images/UR-driver-issue-detail.png differ
diff --git a/windows/deployment/images/UR-example-feedback.png b/windows/deployment/images/UR-example-feedback.png
new file mode 100644
index 0000000000..5a05bb54e1
Binary files /dev/null and b/windows/deployment/images/UR-example-feedback.png differ
diff --git a/windows/deployment/images/UR-monitor-main.png b/windows/deployment/images/UR-monitor-main.png
new file mode 100644
index 0000000000..83904d3be2
Binary files /dev/null and b/windows/deployment/images/UR-monitor-main.png differ
diff --git a/windows/deployment/images/UR-update-progress-failed-detail.png b/windows/deployment/images/UR-update-progress-failed-detail.png
new file mode 100644
index 0000000000..4e619ae27c
Binary files /dev/null and b/windows/deployment/images/UR-update-progress-failed-detail.png differ
diff --git a/windows/deployment/planning/windows-10-1809-removed-features.md b/windows/deployment/planning/windows-10-1809-removed-features.md
index fe64501dab..0c87d5a683 100644
--- a/windows/deployment/planning/windows-10-1809-removed-features.md
+++ b/windows/deployment/planning/windows-10-1809-removed-features.md
@@ -7,7 +7,7 @@ ms.localizationpriority: medium
ms.sitesec: library
author: lizap
ms.author: elizapo
-ms.date: 08/31/2018
+ms.date: 11/16/2018
---
# Features removed or planned for replacement starting with Windows 10, version 1809
@@ -32,7 +32,7 @@ We're removing the following features and functionalities from the installed pro
|Hologram app|We've replaced the Hologram app with the [Mixed Reality Viewer](https://support.microsoft.com/help/4041156/windows-10-mixed-reality-help). If you would like to create 3D word art, you can still do that in Paint 3D and view your art in VR or Hololens with the Mixed Reality Viewer.|
|limpet.exe|We're releasing the limpet.exe tool, used to access TPM for Azure connectivity, as open source.|
|Phone Companion|When you update to Windows 10, version 1809, the Phone Companion app will be removed from your PC. Use the **Phone** page in the Settings app to sync your mobile phone with your PC. It includes all the Phone Companion features.|
-|Future updates through [Windows Embedded Developer Update](https://docs.microsoft.com/previous-versions/windows/embedded/ff770079\(v=winembedded.60\)) for Windows Embedded Standard 8 and Windows Embedded 8 Standard|We’re no longer publishing new updates to the WEDU server. Instead, you may secure any new updates from the [Microsoft Update Catalog](http://www.catalog.update.microsoft.com/Home.aspx).|
+|Future updates through [Windows Embedded Developer Update](https://docs.microsoft.com/previous-versions/windows/embedded/ff770079\(v=winembedded.60\)) for Windows Embedded Standard 7-SP1 (WES7-SP1) and Windows Embedded Standard 8 (WES8)|We’re no longer publishing new updates to the WEDU server. Instead, you may secure any new updates from the [Microsoft Update Catalog](http://www.catalog.update.microsoft.com/Home.aspx). [Learn how](https://techcommunity.microsoft.com/t5/Windows-Embedded/Change-to-the-Windows-Embedded-Developer-Update/ba-p/285704) to get updates from the catalog.|
## Features we’re no longer developing
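Review bot: The rewritten WEDU row still sends readers to the Microsoft Update Catalog over plain http (http://www.catalog.update.microsoft.com/Home.aspx), while the "Learn how" link added beside it is https. This is the link people follow to download updates, so switch it to https in the same change.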
diff --git a/windows/deployment/planning/windows-10-enterprise-faq-itpro.md b/windows/deployment/planning/windows-10-enterprise-faq-itpro.md
index b79237a3e1..7dcb96facc 100644
--- a/windows/deployment/planning/windows-10-enterprise-faq-itpro.md
+++ b/windows/deployment/planning/windows-10-enterprise-faq-itpro.md
@@ -1,7 +1,7 @@
---
title: Windows 10 Enterprise FAQ for IT pros (Windows 10)
description: Get answers to common questions around compatibility, installation, and support for Windows 10 Enterprise.
-keywords: Windows 10 Enterprise, download, system requirements, drivers, appcompat, manage udpates, Windows as a service, servicing channels, deployment tools
+keywords: Windows 10 Enterprise, download, system requirements, drivers, appcompat, manage updates, Windows as a service, servicing channels, deployment tools
ms.prod: w10
ms.mktglfcycl: plan
ms.localizationpriority: medium
diff --git a/windows/deployment/s-mode.md b/windows/deployment/s-mode.md
index 839fe5301c..51f0ecee10 100644
--- a/windows/deployment/s-mode.md
+++ b/windows/deployment/s-mode.md
@@ -7,8 +7,8 @@ ms.localizationpriority: medium
ms.prod: w10
ms.sitesec: library
ms.pagetype: deploy
-ms.date: 10/02/2018
-author: Mikeblodge
+ms.date: 12/05/2018
+author: jaimeo
---
# Windows 10 in S mode - What is it?
@@ -19,7 +19,7 @@ S mode is an evolution of the S SKU introduced with Windows 10 April 2018 Update
## S mode key features
**Microsoft-verified security**
-With Windows 10 in S mode, you’ll find your favorite applications, such as Office, Evernote, and Spotify in the Microsoft Store where they’re Microsoft-verified for security. You can also feel secure when you’re online. Microsoft Edge, your default browser, gives you protection against phishing and socially-engineered malware.
+With Windows 10 in S mode, you’ll find your favorite applications, such as Office, Evernote, and Spotify in the Microsoft Store where they’re Microsoft-verified for security. You can also feel secure when you’re online. Microsoft Edge, your default browser, gives you protection against phishing and socially engineered malware.
**Performance that lasts**
@@ -27,15 +27,23 @@ Start-ups are quick, and S mode is built to keep them that way. With Microsoft E
**Choice and flexibility**
-Save your files to your favorite cloud, like OneDrive or Dropbox, and access them from any device you choose. Browse the Microsoft Store for thousands of apps, and if you don’t find exactly what you want, you can easily [switch out of S mode](https://docs.microsoft.com/windows/deployment/windows-10-pro-in-s-mode) to Home, Pro, or Enterprise at any time and search the web for more choices, as shown below.
+Save your files to your favorite cloud, like OneDrive or Dropbox, and access them from any device you choose. Browse the Microsoft Store for thousands of apps, and if you don’t find exactly what you want, you can easily [switch out of S mode](https://docs.microsoft.com/windows/deployment/windows-10-pro-in-s-mode) to Windows 10 Home, Pro, or Enterprise editions at any time and search the web for more choices, as shown below.

## Deployment
-Windows 10 S mode is built for [Modern Management](https://docs.microsoft.com/windows/client-management/manage-windows-10-in-your-organization-modern-management) which means using [Windows Auto Pilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-10-autopilot). The best way to start using an S mode device is to embrace Modern Management fully when designing the deployment plan. Windows Auto Pilot allows you to deploy the deivce directly to the employee without having to touch the physical device. Instead of manually deploying a custom image to a machine, Windows Auto Pilot will start with a generic PC that can only be used to join the company domain; Polices are then deployed automatically through Modern Device Management.
-
+Windows 10 in S mode is built for [modern management](https://docs.microsoft.com/windows/client-management/manage-windows-10-in-your-organization-modern-management) which means using [Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-10-autopilot). Windows Autopilot lets you deploy the device directly to a user without IT having to touch the physical device. Instead of manually deploying a custom image, Windows Autopilot will start with a generic PC that can only be used to join the company domain; policies are then deployed automatically through mobile device management to customize the device to the user and the desired environment. Devices are shipped in S mode; you can either keep them in S mode or use Windows Autopilot to switch the device out of S mode during the first run process or later using mobile device management, if desired.
+
+## Keep line of business apps functioning with Desktop Bridge
+
+Worried about your line of business apps not working in S mode? [Desktop Bridge](https://docs.microsoft.com/windows/uwp/porting/desktop-to-uwp-root) enables you to convert your line of buisness apps to a packaged app with UWP manifest. After testing and validating you can distribute the app through the Microsoft Store, making it ideal for Windows 10 in S mode.
+
+## Repackage Win32 apps into the MSIX format
+
+The [MSIX Packaging Tool](https://docs.microsoft.com/windows/application-management/msix-app-packaging-tool), available from the Microsoft Store, enables you to repackage existing Win32 applications to the MSIX format. You can run your desktop installers through this tool interactively and obtain an MSIX package that you can install on your device and upload to the Microsoft Store. This is another way to get your apps ready to run on Windows 10 in S mode.
+
## Related links
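Review bot: "line of buisness apps" in the new Desktop Bridge paragraph is a typo for "business", and "line of business" is unhyphenated in both the heading and the body. The rewritten Deployment paragraph also says devices can be switched out of S mode during first run or later through mobile device management without linking the switch article that the "Choice and flexibility" paragraph links; add the link there, since switching out removes the Store-only restriction the page describes as a security feature.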
diff --git a/windows/deployment/update/images/champs-2.png b/windows/deployment/update/images/champs-2.png
new file mode 100644
index 0000000000..bb87469a35
Binary files /dev/null and b/windows/deployment/update/images/champs-2.png differ
diff --git a/windows/deployment/update/images/champs.png b/windows/deployment/update/images/champs.png
new file mode 100644
index 0000000000..ea719bc251
Binary files /dev/null and b/windows/deployment/update/images/champs.png differ
diff --git a/windows/deployment/update/images/deploy-land.png b/windows/deployment/update/images/deploy-land.png
new file mode 100644
index 0000000000..bf104b6843
Binary files /dev/null and b/windows/deployment/update/images/deploy-land.png differ
diff --git a/windows/deployment/update/images/discover-land.png b/windows/deployment/update/images/discover-land.png
new file mode 100644
index 0000000000..8f9e30ce10
Binary files /dev/null and b/windows/deployment/update/images/discover-land.png differ
diff --git a/windows/deployment/update/images/ignite-land.jpg b/windows/deployment/update/images/ignite-land.jpg
new file mode 100644
index 0000000000..7d0837af47
Binary files /dev/null and b/windows/deployment/update/images/ignite-land.jpg differ
diff --git a/windows/deployment/update/images/plan-land.png b/windows/deployment/update/images/plan-land.png
new file mode 100644
index 0000000000..7569da7ac1
Binary files /dev/null and b/windows/deployment/update/images/plan-land.png differ
diff --git a/windows/deployment/update/images/servicing-cadence.png b/windows/deployment/update/images/servicing-cadence.png
new file mode 100644
index 0000000000..cb79ff70be
Binary files /dev/null and b/windows/deployment/update/images/servicing-cadence.png differ
diff --git a/windows/deployment/update/images/servicing-previews.png b/windows/deployment/update/images/servicing-previews.png
new file mode 100644
index 0000000000..0914b555ba
Binary files /dev/null and b/windows/deployment/update/images/servicing-previews.png differ
diff --git a/windows/deployment/update/images/video-snip.PNG b/windows/deployment/update/images/video-snip.PNG
new file mode 100644
index 0000000000..35317ee027
Binary files /dev/null and b/windows/deployment/update/images/video-snip.PNG differ
diff --git a/windows/deployment/update/servicing-stack-updates.md b/windows/deployment/update/servicing-stack-updates.md
index 420b02b8a3..7a74f8e858 100644
--- a/windows/deployment/update/servicing-stack-updates.md
+++ b/windows/deployment/update/servicing-stack-updates.md
@@ -7,7 +7,7 @@ ms.sitesec: library
author: Jaimeo
ms.localizationpriority: medium
ms.author: jaimeo
-ms.date: 09/24/2018
+ms.date: 11/29/2018
---
# Servicing stack updates
@@ -15,35 +15,38 @@ ms.date: 09/24/2018
**Applies to**
-- Windows 10
+- Windows 10, Windows 8.1, Windows 8, Windows 7
## What is a servicing stack update?
-The "servicing stack" is the code that installs other operating system updates. Additionally, it contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month.
+Servicing stack updates provide fixes to the servicing stack, the component that installs Windows updates. Additionally, it contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month.
## Why should servicing stack updates be installed and kept up to date?
-Having the latest servicing stack update is a prerequisite to reliably installing the latest quality updates and feature updates. Servicing stack updates improve the reliability and performance of the update process.
+Servicing stack updates improve the reliability of the update process to mitigate potential issues while installing the latest quality updates and feature updates. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes.
## When are they released?
-Currently, the servicing stack update releases are aligned with the monthly quality update release date, though sometimes they are released on a separate date if required.
+Servicing stack update are scheduled to release simultaneously with the monthly quality updates. In rare occasions a servicing stack update may need to be released on demand to address an issue impacting systems installing the monthly security update. Starting in November 2018 new servicing stack updates will be classified as "Security" with a severity rating of "Critical."
+
+>[!NOTE]
+>You can find a list of servicing stack updates at [Latest servicing stack updates](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001).
## What's the difference between a servicing stack update and a cumulative update?
-Both Windows 10 and Windows Server use the cumulative update mechanism, in which many fixes are packaged into a single update. Each cumulative update includes the changes and fixes from all previous updates.
+Both Windows 10 and Windows Server use the cumulative update mechanism, in which many fixes to improve the quality and security of Windows are packaged into a single update. Each cumulative update includes the changes and fixes from all previous updates.
-However, there are some operating system fixes that aren’t included in a cumulative update but are still pre-requisites for the cumulative update. That is, the component that performs the actual updates sometimes itself requires an update. Those fixes are available in a servicing stack update. For example, the cumulative update [KB4284880](https://support.microsoft.com/help/4284880/windows-10-update-kb4284880) requires the [May 17, 2018 servicing stack update](https://support.microsoft.com/help/4132216), which includes updates to Windows Update.
+Servicing stack updates must ship separately from the cumulative updates because they modify the component that installs Windows updates. The servicing stack is released separately because the servicing stack itself requires an update. For example, the cumulative update [KB4284880](https://support.microsoft.com/help/4284880/windows-10-update-kb4284880) requires the [May 17, 2018 servicing stack update](https://support.microsoft.com/help/4132216), which includes updates to Windows Update.
-If a given cumulative update required a servicing stack update, you'll see that information in the release notes for the update. **If you try to install the cumulative update without installing the servicing stack update, you'll get an error.**
## Is there any special guidance?
-Typically, the improvements are reliability, security, and performance improvements that do not require any specific special guidance. If there is any significant impact, it will be present in the release notes.
+Microsoft recommends you install the latest servicing stack updates for your operating system before installing the latest cumulative update.
+
+Typically, the improvements are reliability and performance improvements that do not require any specific special guidance. If there is any significant impact, it will be present in the release notes.
## Installation notes
* Servicing stack updates contain the full servicing stack; as a result, typically administrators only need to install the latest servicing stack update for the operating system.
* Installing servicing stack update does not require restarting the device, so installation should not be disruptive.
* Servicing stack update releases are specific to the operating system version (build number), much like quality updates.
-* Search to install latest available [Servicing stack update for Windows 10](https://support.microsoft.com/search?query=servicing%20stack%20update%20Windows%2010).
-
+* Search to install latest available [Servicing stack update for Windows 10](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001).
\ No newline at end of file
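Review bot: This hunk deletes the bolded statement that installing a cumulative update without the required servicing stack update produces an error, along with the pointer to the release notes, and replaces it only with "Microsoft recommends you install the latest servicing stack updates". If the hard dependency still exists, keep the explicit statement, because a recommendation reads as optional. Other points in the same hunk: "Servicing stack update are scheduled" should be "updates are", "In rare occasions" should be "On rare occasions", "Additionally, it contains" no longer has a singular antecedent after the first sentence was rewritten, the two sentences on why SSUs ship separately say the same thing twice, the guidance paragraph drops "security" from the list of improvements although the new text classifies SSUs as "Security" with severity "Critical", and the last bullet still says "for Windows 10" although "Applies to" now lists Windows 8.1, 8 and 7. The file also still ends without a newline.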
diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md
index 0b00273fa8..b44f133b50 100644
--- a/windows/deployment/update/waas-configure-wufb.md
+++ b/windows/deployment/update/waas-configure-wufb.md
@@ -7,7 +7,7 @@ ms.sitesec: library
author: jaimeo
ms.localizationpriority: medium
ms.author: jaimeo
-ms.date: 06/01/2018
+ms.date: 11/16/2018
---
# Configure Windows Update for Business
@@ -20,10 +20,6 @@ ms.date: 06/01/2018
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
->[!IMPORTANT]
->Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB, and LTSB might still appear in some of our products.
->
->In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel.
You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this topic provide the Group Policy and MDM policies for Windows 10, version 1511 and above. The MDM policies use the OMA-URI setting from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
@@ -40,83 +36,77 @@ By grouping devices with similar deferral periods, administrators are able to cl
>In addition to setting up multiple rings for your update deployments, also incorporate devices enrolled in the Windows Insider Program as part of your deployment strategy. This will provide you the chance to not only evaluate new features before they are broadly available to the public, but it also increases the lead time to provide feedback and influence Microsoft’s design on functional aspects of the product. For more information on Windows Insider program, see [https://insider.windows.com/](https://insider.windows.com/).
-## Configure devices for Current Branch (CB) or Current Branch for Business (CBB)
-With Windows Update for Business, you can set a device to be on either the Current Branch (CB) (now called Semi-Annual Channel (Targeted)) or the Current Branch for Business (CBB) (now called Semi-Annual Channel) servicing branch. For more information on this servicing model, see [Windows 10 servicing options](waas-overview.md#servicing-channels).
+
+## Configure devices for the appropriate service channel
+
+With Windows Update for Business, you can set a device to be on either Windows Insider Preview or the Semi-Annual Channel servicing branch. For more information on this servicing model, see [Windows 10 servicing options](waas-overview.md#servicing-channels).
**Release branch policies**
| Policy | Sets registry key under **HKLM\Software** |
| --- | --- |
-| GPO for version 1607 and above: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\BranchReadinessLevel |
-| GPO for version 1511: Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpgrade |
-| MDM for version 1607 and above: ../Vendor/MSFT/Policy/Config/Update/**BranchReadinessLevel** | \Microsoft\PolicyManager\default\Update\BranchReadinessLevel |
-| MDM for version 1511: ../Vendor/MSFT/Policy/Config/Update/**RequireDeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpgrade |
+| GPO for Windows 10, version 1607 or later: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\BranchReadinessLevel |
+| GPO for Windows 10, version 1511: Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpgrade |
+| MDM for Windows 10, version 1607 or later: ../Vendor/MSFT/Policy/Config/Update/**BranchReadinessLevel** | \Microsoft\PolicyManager\default\Update\BranchReadinessLevel |
+| MDM for Windows 10, version 1511: ../Vendor/MSFT/Policy/Config/Update/**RequireDeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpgrade |
-Starting with version 1703, users are able to configure their device's branch readiness level, by going to **Settings > Update & security > Windows Update > Advanced options**.
+Starting with Windows 10, version 1703, users can configure the branch readiness level for their device by using **Settings > Update & security > Windows Update > Advanced options**.

>[!NOTE]
>Users will not be able to change this setting if it was configured by policy.
->[!IMPORTANT]
->Devices on the Semi-Annual Channel (formerly called Current Branch for Business) must have their diagnostic data set to **1 (Basic)** or higher, in order to ensure that the service is performing at the expected quality. If diagnostic data is set to **0**, the device will be treated as if it were in the Semi-Annual Channel (Targeted)(formerly called Current Branch or CB) branch. For instructions to set the diagnostic data level, see [Configure the operating system diagnostic data level](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-levels).
-## Configure when devices receive Feature Updates
+## Configure when devices receive feature updates
-After you configure the servicing branch (CB or CBB), you can then define if, and for how long, you would like to defer receiving Feature Updates following their availability from Microsoft on Windows Update. You can defer receiving these Feature Updates for a period of up to 365 days from their release by setting the `DeferFeatureUpdatesPeriodinDays` value.
+After you configure the servicing branch (Windows Insider Preview or Semi-Annual Channel), you can then define if, and for how long, you would like to defer receiving Feature Updates following their availability from Microsoft on Windows Update. You can defer receiving these Feature Updates for a period of up to 365 days from their release by setting the `DeferFeatureUpdatesPeriodinDays` value.
>[!IMPORTANT]
->This policy does not apply to Windows 10 Mobile Enterprise.
>
->You can only defer up to 180 days prior to version 1703.
+>You can only defer up to 180 days on devices running Windows 10, version 1703.
-**Examples**
+For example, a device on the Semi-Annual Channel with `DeferFeatureUpdatesPeriodinDays=30` will not install a feature update that is first publicly available on Windows Update in September until 30 days later, in October.
-| Settings | Scenario and behavior |
-| --- | --- |
-| Device is on CBDeferFeatureUpdatesPeriodinDays=30 | Feature Update X is first publically available on Windows Update as a CB in January. Device will not receive update until February, 30 days later. |
-| Device is on CBBDeferFeatureUpdatesPeriodinDays=30 | Feature Update X is first publically available on Windows Update as a CB in January. Four months later, in April, Feature Update X is released to CBB. Device will receive the Feature Update 30 days following this CBB release and will update in May. |
-**Defer Feature Updates policies**
+**Policy settings for deferring feature updates**
| Policy | Sets registry key under **HKLM\Software** |
| --- | --- |
-| GPO for version 1607 and above: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdates\Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdatesPeriodInDays |
-| GPO for version 1511: Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpgradePeriod |
-| MDM for version 1607 and above: ../Vendor/MSFT/Policy/Config/Update/**DeferFeatureUpdatesPeriodInDays** | \Microsoft\PolicyManager\default\Update\DeferFeatureUpdatesPeriodInDays |
-| MDM for version 1511: ../Vendor/MSFT/Policy/Config/Update/**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpgrade |
+| GPO for Windows 10, version 1607 later: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdates\Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdatesPeriodInDays |
+| GPO for Windows 10, version 1511: Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpgradePeriod |
+| MDM for Windows 10, version 1607 and later: ../Vendor/MSFT/Policy/Config/Update/**DeferFeatureUpdatesPeriodInDays** | \Microsoft\PolicyManager\default\Update\DeferFeatureUpdatesPeriodInDays |
+| MDM for Windows 10, version 1511: ../Vendor/MSFT/Policy/Config/Update/**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpgrade |
>[!NOTE]
->If not configured by policy, users can defer feature updates, by going to **Settings > Update & security > Windows Update > Advanced options**.
+>If not configured by policy, individual users can defer feature updates by using **Settings > Update & security > Windows Update > Advanced options**.
-## Pause Feature Updates
+## Pause feature updates
-You can also pause a device from receiving Feature Updates by a period of up to 35 days from when the value is set. After 35 days has passed, pause functionality will automatically expire and the device will scan Windows Update for applicable Feature Updates. Following this scan, Feature Updates for the device can then be paused again.
+You can also pause a device from receiving Feature Updates by a period of up to 35 days from when the value is set. After 35 days has passed, the pause setting will automatically expire and the device will scan Windows Update for applicable Feature Updates. Following this scan, you can then pause Feature Updates for the device again.
-Starting with version 1703, when configuring pause through policy, a start date has to be set from which the pause begins. The pause period will be calculated by adding 35 days to the start date.
+Starting with Windows 10, version 1703, when you configure a pause by using policy, you must set a start date for the pause to begin. The pause period is calculated by adding 35 days to this start date.
-In cases where the pause policy is first applied after the configured start date has passed, administrators will be able to extend the pause period up to a total of 35 days by configuring a later start date.
+In cases where the pause policy is first applied after the configured start date has passed, you can extend the pause period up to a total of 35 days by configuring a later start date.
>[!IMPORTANT]
->This policy does not apply to Windows 10 Mobile Enterprise.
>
->Prior to Windows 10, version 1703, feature updates could be paused by up to 60 days. This number has been changed to 35, similar to the number of days for quality updates.
+>In Windows 10, version 1703 and later versions, you can pause feature updates to 35 days, similar to the number of days for quality updates.
-**Pause Feature Updates policies**
+**Policy settings for pausing feature updates**
| Policy | Sets registry key under **HKLM\Software** |
| --- | --- |
-| GPO for version 1607 and above: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | **1607:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdates**1703:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdatesStartDate |
-| GPO for version 1511: Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\Pause |
-| MDM for version 1607 and above: ../Vendor/MSFT/Policy/Config/Update/**PauseFeatureUpdates** | **1607:** \Microsoft\PolicyManager\default\Update\PauseFeatureUpdates **1703:** \Microsoft\PolicyManager\default\Update\PauseFeatureUpdatesStartDate |
-| MDM for version 1511: ../Vendor/MSFT/Policy/Config/Update/**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\Pause |
+| GPO for Windows 10, version 1607 and later: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | **1607:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdates**1703 and later:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdatesStartDate |
+| GPO for Windows 10, version 1511: Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\Pause |
+| MDM for Windows 10, version 1607 and later: ../Vendor/MSFT/Policy/Config/Update/**PauseFeatureUpdates** | **1607:** \Microsoft\PolicyManager\default\Update\PauseFeatureUpdates **1703 and later:** \Microsoft\PolicyManager\default\Update\PauseFeatureUpdatesStartDate |
+| MDM for Windows 10, version 1511: ../Vendor/MSFT/Policy/Config/Update/**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\Pause |
-You can check the date Feature Updates were paused at by checking the registry key **PausedFeatureDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
+You can check the date that Feature Updates were paused by checking the registry key **PausedFeatureDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
-The local group policy editor (GPEdit.msc) will not reflect if your Feature Update Pause period has expired. Although the device will resume Feature Updates after 35 days automatically, the pause checkbox will remain checked in the policy editor. To see if a device has auto-resumed taking Feature Updates, you can check the status registry key **PausedFeatureStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
+The local group policy editor (GPEdit.msc) will not reflect whether the Feature Update pause period has expired. Although the device will resume Feature Updates after 35 days automatically, the pause checkbox will remain selected in the policy editor. To check whether a device has automatically resumed taking Feature Updates, check the status registry key **PausedFeatureStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings** for the following values:
| Value | Status|
| --- | --- |
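Review bot: The reworded deferral limit in the first `[!IMPORTANT]` block changes the meaning: the old line said the 180-day cap applied "prior to version 1703", while the new line says it applies "on devices running Windows 10, version 1703", which is a different claim and leaves the 365-day maximum stated for `DeferFeatureUpdatesPeriodinDays` without a version. Keep the "earlier than version 1703" sense. Removing the Mobile Enterprise sentence also leaves both `[!IMPORTANT]` blocks opening with an empty `>` line, and the pause note ("you can pause feature updates to 35 days") no longer records the earlier 60-day limit and should read "for up to 35 days". Smaller points: "version 1607 later" in the deferral table is missing "and", the release branch table uses "or later" where the other tables use "and later", and "PauseFeatureUpdates**1703 and later:**" has no separator between the two keys.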
@@ -125,58 +115,58 @@ The local group policy editor (GPEdit.msc) will not reflect if your Feature Upda
| 2 | Feature Updates have auto-resumed after being paused |
>[!NOTE]
->If not configured by policy, users can pause feature updates, by going to **Settings > Update & security > Windows Update > Advanced options**.
+>If not configured by policy, individual users can pause feature updates by using **Settings > Update & security > Windows Update > Advanced options**.
-With version 1703, pausing through the settings app will provide a more consistent experience:
-- Any active restart notification are cleared or closed
-- Any pending restarts are canceled
-- Any pending update installations are canceled
-- Any update installation running when pause is activated will attempt to rollback
+Starting with Windows 10, version 1703, using Settings to control the pause behavior provides a more consistent experience, specifically:
+- Any active restart notification are cleared or closed.
+- Any pending restarts are canceled.
+- Any pending update installations are canceled.
+- Any update installation running when pause is activated will attempt to roll back.
## Configure when devices receive Quality Updates
-Quality Updates are typically published the first Tuesday of every month, though can be released at any time by Microsoft. You can define if, and for how long, you would like to defer receiving Quality Updates following their availability. You can defer receiving these Quality Updates for a period of up to 35 days from their release by setting the **DeferQualityUpdatesPeriodinDays** value.
+Quality Updates are typically published on the first Tuesday of every month, although they can be released at any time. You can define if, and for how long, you would like to defer receiving Quality Updates following their availability. You can defer receiving these Quality Updates for a period of up to 35 days from their release by setting the **DeferQualityUpdatesPeriodinDays** value.
-You can set your system to receive updates for other Microsoft products—known as Microsoft Updates (such as Microsoft Office, Visual Studio)—along with Windows Updates by setting the **AllowMUUpdateService** policy. When this is done, these Microsoft Updates will follow the same deferral and pause rules as all other Quality Updates.
+You can set your system to receive updates for other Microsoft products—known as Microsoft Updates (such as Microsoft Office, Visual Studio)—along with Windows Updates by setting the **AllowMUUpdateService** policy. When you do this, these Microsoft Updates will follow the same deferral and pause rules as all other Quality Updates.
>[!IMPORTANT]
>This policy defers both Feature and Quality Updates on Windows 10 Mobile Enterprise.
-**Defer Quality Updates policies**
+**Policy settings for deferring quality updates**
| Policy | Sets registry key under **HKLM\Software** |
| --- | --- |
-| GPO for version 1607 and above: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Quality Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdates\Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdatesPeriodInDays |
-| GPO for version 1511: Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpdatePeriod |
-| MDM for version 1607 and above: ../Vendor/MSFT/Policy/Config/Update/**DeferQualityUpdatesPeriodInDays** | \Microsoft\PolicyManager\default\Update\DeferQualityUpdatesPeriodInDays |
-| MDM for version 1511: ../Vendor/MSFT/Policy/Config/Update/**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpdate |
+| GPO for Windows 10, version 1607 and later: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Quality Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdates\Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdatesPeriodInDays |
+| GPO for Windows 10, version 1511: Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpdatePeriod |
+| MDM for Windows 10, version 1607 and later: ../Vendor/MSFT/Policy/Config/Update/**DeferQualityUpdatesPeriodInDays** | \Microsoft\PolicyManager\default\Update\DeferQualityUpdatesPeriodInDays |
+| MDM for Windows 10, version 1511: ../Vendor/MSFT/Policy/Config/Update/**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpdate |
>[!NOTE]
->If not configured by policy, users can defer quality updates, by going to **Settings > Update & security > Windows Update > Advanced options**.
+>If not configured by policy, individual users can defer quality updates by using **Settings > Update & security > Windows Update > Advanced options**.
-## Pause Quality Updates
+## Pause quality updates
-You can also pause a system from receiving Quality Updates for a period of up to 35 days from when the value is set. After 35 days has passed, pause functionality will automatically expire and the system will scan Windows Updates for applicable Quality Updates. Following this scan, Quality Updates for the device can then be paused again.
+You can also pause a system from receiving Quality Updates for a period of up to 35 days from when the value is set. After 35 days has passed, the pause setting will automatically expire and the device will scan Windows Update for applicable quality Updates. Following this scan, you can then pause quality Updates for the device again.
-Starting with version 1703, when configuring pause through policy, a start date has to be set from which the pause begins. The pause period will be calculated by adding 35 days to the start date.
+Starting with Windows 10, version 1703, when you configure a pause by using policy, you must set a start date for the pause to begin. The pause period is calculated by adding 35 days to this start date.
-In cases where the pause policy is first applied after the configured start date has passed, administrators will be able to extend the pause period up to a total of 35 days by configuring a later start date.
+In cases where the pause policy is first applied after the configured start date has passed, you can extend the pause period up to a total of 35 days by configuring a later start date.
->[!IMPORTANT]
->This policy pauses both Feature and Quality Updates on Windows 10 Mobile Enterprise.
+>[!NOTE]
+>Starting with Windows 10, version 1809, IT administrators can prevent individual users from pausing updates.
-**Pause Quality Updates policies**
+**Policy settings for pausing quality updates**
| Policy | Sets registry key under **HKLM\Software** |
| --- | --- |
-| GPO for version 1607 and above: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Quality Updates are received** |**1607:** \Policies\Microsoft\Windows\WindowsUpdate\PauseQualityUpdates**1703:** \Policies\Microsoft\Windows\WindowsUpdate\PauseQualityUpdatesStartTime |
-| GPO for version 1511: Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\Pause |
-| MDM for version 1607 and above: ../Vendor/MSFT/Policy/Config/Update/**PauseQualityUpdates** | **1607:** \Microsoft\PolicyManager\default\Update\PauseQualityUpdates**1703:** \Microsoft\PolicyManager\default\Update\PauseQualityUpdatesStartTime |
-| MDM for version 1511: ../Vendor/MSFT/Policy/Config/Update/**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\Pause |
+| GPO for Windows 10, version 1607 and later: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Quality Updates are received** |**1607:** \Policies\Microsoft\Windows\WindowsUpdate\PauseQualityUpdates**1703:** \Policies\Microsoft\Windows\WindowsUpdate\PauseQualityUpdatesStartTime |
+| GPO for Windows 10, version 1511: Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\Pause |
+| MDM for Windows 10, version 1607 and later: ../Vendor/MSFT/Policy/Config/Update/**PauseQualityUpdates** | **1607:** \Microsoft\PolicyManager\default\Update\PauseQualityUpdates**1703:** \Microsoft\PolicyManager\default\Update\PauseQualityUpdatesStartTime |
+| MDM for Windows 10, version 1511: ../Vendor/MSFT/Policy/Config/Update/**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\Pause |
-You can check the date that Quality Updates were paused at by checking the registry key **PausedQualityDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
+You can check the date that quality Updates were paused by checking the registry key **PausedQualityDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
-The local group policy editor (GPEdit.msc) will not reflect if your Quality Update Pause period has expired. Although the device will resume Quality Updates after 35 days automatically, the pause checkbox will remain checked in the policy editor. To see if a device has auto-resumed taking Quality Updates, you can check the status registry key **PausedQualityStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
+The local group policy editor (GPEdit.msc) will not reflect whether the quality Update pause period has expired. Although the device will resume quality Updates after 35 days automatically, the pause checkbox will remain selected in the policy editor. To check whether a device has automatically resumed taking quality Updates, check the status registry key **PausedQualityStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings** for the following values:
| Value | Status|
| --- | --- |
@@ -185,21 +175,22 @@ The local group policy editor (GPEdit.msc) will not reflect if your Quality Upda
| 2 | Quality Updates have auto-resumed after being paused |
>[!NOTE]
->If not configured by policy, users can pause quality updates, by going to **Settings > Update & security > Windows Update > Advanced options**.
+>If not configured by policy, individual users can pause quality updates by using **Settings > Update & security > Windows Update > Advanced options**.
-With version 1703, pausing through the settings app will provide a more consistent experience:
+Starting with Windows 10, version 1703, using Settings to control the pause behavior provides a more consistent experience, specifically:
- Any active restart notification are cleared or closed
- Any pending restarts are canceled
- Any pending update installations are canceled
- Any update installation running when pause is activated will attempt to rollback
-## Configure when devices receive Windows Insider preview builds
+## Configure when devices receive Windows Insider Preview builds
Starting with Windows 10, version 1709, you can set policies to manage preview builds and their delivery:
The **Manage preview builds** setting gives administrators control over enabling or disabling preview build installation on a device. You can also decide to stop preview builds once the release is public.
* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/Windows Update for Business** - *Manage preview builds*
* MDM: **Update/ManagePreviewBuilds**
+* System Center Configuration Manager: **Enable dual scan, manage through Windows Update for Business policy**
>[!IMPORTANT]
>This policy replaces the "Toggle user control over Insider builds" policy under that is only supported up to Windows 10, version 1703. You can find the older policy here:
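Review bot: The four bullets under the quality updates pause sentence are left as unchanged context, so they still lack end punctuation and say "rollback", while the same list in the feature updates section was changed to full stops and "roll back"; apply the same edit here. The added System Center Configuration Manager bullet gives a setting label but, unlike the Group Policy and MDM bullets beside it, no path to where that setting is found.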
@@ -212,18 +203,18 @@ The policy settings to **Select when Feature Updates are received** allows you t
## Exclude drivers from Quality Updates
-In Windows 10, starting with version 1607, you can selectively option out of receiving driver update packages as part of your normal quality update cycle. This policy will not pertain to updates to inbox drivers (which will be packaged within a security or critical update) or to Feature Updates, where drivers may be dynamically installed to ensure the Feature Update process can complete.
+Starting with Windows 10, version 1607, you can selectively opt out of receiving driver update packages as part of your normal quality update cycle. This policy will not apply to updates to drivers provided with the operating system (which will be packaged within a security or critical update) or to Feature Updates, where drivers might be dynamically installed to ensure the Feature Update process can complete.
-**Exclude driver policies**
+**Policy settings to exclude drivers**
| Policy | Sets registry key under **HKLM\Software** |
| --- | --- |
-| GPO for version 1607 and above: Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Do not include drivers with Windows Updates** | \Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversInQualityUpdate |
-| MDM for version 1607 and above: ../Vendor/MSFT/Policy/Config/Update/**ExcludeWUDriversInQualityUpdate** | \Microsoft\PolicyManager\default\Update\ExcludeWUDriversInQualityUpdate |
+| GPO for Windows 10, version 1607 and later: Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Do not include drivers with Windows Updates** | \Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversInQualityUpdate |
+| MDM for Windows 10, version 1607 and later: ../Vendor/MSFT/Policy/Config/Update/**ExcludeWUDriversInQualityUpdate** | \Microsoft\PolicyManager\default\Update\ExcludeWUDriversInQualityUpdate |
-## Summary: MDM and Group Policy for version 1703
+## Summary: MDM and Group Policy settings for Windows 10, version 1703 and later
-Below are quick-reference tables of the supported Windows Update for Business policy values for Windows 10, version 1607 and above.
+The following are quick-reference tables of the supported policy values for Windows Update for Business in Windows 10, version 1607 and later.
**GPO: HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate**
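Review bot: The new summary heading says "version 1703 and later" but the sentence directly under it says the tables cover "version 1607 and later"; pick one baseline so readers know which versions the quick-reference values apply to.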
@@ -252,25 +243,14 @@ Below are quick-reference tables of the supported Windows Update for Business po
## Update devices to newer versions
-Due to the changes in the Windows Update for Business feature set, Windows 10, version 1607, uses different GPO and MDM keys than those available in version 1511. Windows 10, version 1703, also uses a few GPO and MDM keys that are different to what's available in version 1607. However, Windows Update for Business clients running version older versions will still see their policies honored after they update to a newer version; the old policy keys will continue to exist with their values ported forward during the update. Following the update to a newer version, it should be noted that only the old keys will be populated and not the new version keys, until the newer keys are explicitly defined on the device by the administrator.
+Due to the changes in Windows Update for Business, Windows 10, version 1607 uses different GPO and MDM keys than those available in version 1511. Windows 10, version 1703 also uses a few GPO and MDM keys that are different from those available in version 1607. However, Windows Update for Business devices running older versions will still see their policies honored after they update to a newer version; the old policy keys will continue to exist with their values ported forward during the update. Following the update to a newer version, only the old keys will be populated and not the new version keys, until the newer keys are explicitly defined on the device by the administrator.
### How older version policies are respected on newer versions
-When a client running a newer version sees an update available on Windows Update, the client will first evaluate and execute against the Windows Updates for Business policy keys for it's version. If these are not present, it will then check to see if any of the older version keys are set and defer accordingly. Update keys for newer versions will always supersede the older equivalent.
+When a device running a newer version sees an update available on Windows Update, the device first evaluates and executes the Windows Updates for Business policy keys for its current (newer) version. If these are not present, it then checks whether any of the older version keys are set and defer accordingly. Update keys for newer versions will always supersede the older equivalent.
-### Comparing the version 1511 keys to the version 1607 keys
-In the Windows Update for Business policies in version 1511, all the deferral rules were grouped under a single policy where pausing affected both upgrades and updates. In Windows 10, version 1607, this functionality has been broken out into separate polices: deferral of Feature and Quality Updates can be enabled and paused independently of one other.
-
-Group Policy keysVersion 1511 GPO keys | Version 1607 GPO keys |
-**DeferUpgrade**: *enable/disable*Enabling allows user to set deferral periods for upgrades and updates. It also puts the device on CBB (no ability to defer updates while on the CB branch).**DeferUpgradePeriod**: *0 - 8 months***DeferUpdatePeriod**: *1 – 4 weeks***Pause**: *enable/disable*Enabling will pause both upgrades and updates for a max of 35 days | **DeferFeatureUpdates**: *enable/disable***BranchReadinessLevel**Set device on CB or CBB**DeferFeatureUpdatesPeriodinDays**: *1 - 180 days***PauseFeatureUpdates**: *enable/disable*Enabling will pause Feature updates for a max of 60 days**DeferQualityUpdates**: *Enable/disable***DeferQualityUpdatesPeriodinDays**: *0 - 35 days***PauseQualityUpdates**: *enable/disable*Enabling will pause Quality updates for a max of 35 days**ExcludeWUDrivers**: *enable/disable* |
-
-
-MDM keysVersion 1511 MDM keys | Version 1607 MDM keys |
-**RequireDeferUpgade**: *bool*Puts the device on CBB (no ability to defer updates while on the CB branch).**DeferUpgradePeriod**: *0 - 8 months***DeferUpdatePeriod**: *1 – 4 weeks***PauseDeferrals**: *bool*Enabling will pause both upgrades and updates for a max of 35 days | **BranchReadinessLevel**Set system on CB or CBB**DeferFeatureUpdatesPeriodinDays**: *1 - 180 days***PauseFeatureUpdates**: *enable/disable*Enabling will pause Feature updates for a max of 60 days**DeferQualityUpdatesPeriodinDays**: *0 - 35 days***PauseQualityUpdates**: *enable/disable*Enabling will pause Quality updates for a max of 35 days**ExcludeWUDriversInQualityUpdate**: *enable/disable* |
-
-
-### Comparing the version 1607 keys to the version 1703 keys
+### Comparing keys in Windows 10, version 1607 to Windows 10, version 1703
| Version 1607 key | Version 1703 key |
| --- | --- |
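Review bot: In the rewritten paragraph, "it then checks whether any of the older version keys are set and defer accordingly" has a subject-verb mismatch; make it "defers accordingly". The same line still says "Windows Updates for Business policy keys" where the rest of the docs use "Windows Update for Business", so fix the product name while the line is being touched. Renaming the heading to "Comparing keys in Windows 10, version 1607 to Windows 10, version 1703" also changes its generated anchor, so any inbound link that still targets `#comparing-the-version-1607-keys-to-the-version-1703-keys` needs updating in the same change.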
diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md
index bab0085402..4df6cd83e0 100644
--- a/windows/deployment/update/waas-manage-updates-wufb.md
+++ b/windows/deployment/update/waas-manage-updates-wufb.md
@@ -7,7 +7,7 @@ ms.sitesec: library
author: jaimeo
ms.localizationpriority: medium
ms.author: jaimeo
-ms.date: 06/01/2018
+ms.date: 11/16/2018
---
# Deploy updates using Windows Update for Business
@@ -20,12 +20,9 @@ ms.date: 06/01/2018
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
->[!IMPORTANT]
->Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB, and LTSB might still apear in some of our products.
->
->In the following settings, CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel.
-Windows Update for Business enables information technology administrators to keep the Windows 10 devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service. You can use Group Policy or MDM solutions such as Intune to configure the Windows Update for Business settings that control how and when Windows 10 devices are updated. In addition, by using Intune, organizations can manage devices that are not joined to a domain at all or are joined to Microsoft Azure Active Directory (Azure AD) alongside your on-premises domain-joined machines. Windows Update for Business leverages diagnostic data to provide reporting and insights into an organization's Windows 10 devices.
+
+Windows Update for Business enables information technology administrators to keep the Windows 10 devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service. You can use Group Policy or MDM solutions such as Intune to configure the Windows Update for Business settings that control how and when Windows 10 devices are updated. In addition, by using Intune, organizations can manage devices that are not joined to a domain at all or are joined to Microsoft Azure Active Directory (Azure AD) alongside your on-premises domain-joined devices. Windows Update for Business leverages diagnostic data to provide reporting and insights into an organization's Windows 10 devices.
Specifically, Windows Update for Business allows for:
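Review bot: The replacement paragraph still reads "directly connecting these systems to Windows Update service"; it needs the article ("the Windows Update service"), and since this edit already changes "machines" to "devices", "these systems" should become "these devices" for consistency. Removing the CB/CBB naming note is only safe if no branch terminology remains in the article, yet the Settings bullet added later in this commit still says "readiness level for a branch", so either keep a short naming note or switch that bullet to channel wording.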
@@ -35,7 +32,7 @@ Specifically, Windows Update for Business allows for:
- Peer-to-peer delivery for Microsoft updates, which optimizes bandwidth efficiency and reduces the need for an on-site server caching solution.
- Control over diagnostic data level to provide reporting and insights in Windows Analytics.
-Windows Update for Business is a free service that is available for Windows Pro, Enterprise, Pro Education, and Education.
+Windows Update for Business is a free service that is available for Windows Pro, Enterprise, Pro Education, and Education editions.
>[!NOTE]
>See [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) to learn more about deployment rings in Windows 10.
@@ -48,79 +45,70 @@ Windows Update for Business provides three types of updates to Windows 10 device
- **Quality Updates**: these are traditional operating system updates, typically released the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates. Windows Update for Business also treats non-Windows updates (such as those for Microsoft Office or Visual Studio) as Quality Updates. These non-Windows Updates are known as *Microsoft Updates* and devices can be optionally configured to receive such updates along with their Windows Updates.
- **Non-deferrable updates**: Currently, antimalware and antispyware Definition Updates from Windows Update cannot be deferred.
-Both Feature and Quality Updates can be deferred from deploying to client devices by a Windows Update for Business administrator within a bounded range of time from when those updates are first made available on the Windows Update Service. This deferral capability allows administrators to validate deployments as they are pushed to all client devices configured for Windows Update for Business.
+Both Feature and Quality Updates can be deferred from deploying to client devices by a Windows Update for Business administrator within a bounded range of time from when those updates are first made available on the Windows Update Service. This deferral capability allows administrators to validate deployments as they are pushed to all client devices configured for Windows Update for Business. Deferrals work by allowing you to specify the number of days after an update is released before it is offered to a device (if you set a deferral period of 365 days, the update will not be offered until 365 days after that update was released).
-| Category | Maximum deferral | Deferral increments | Example | Classification GUID |
+| Category | Maximum deferral | Deferral increments | Example | WSUS classification GUID |
| --- | --- | --- | --- | --- |
-| Feature Updates | 365 days | Days | From Windows 10, version 1511 to version 1607 maximum was 180 daysIn Windows 10, version 1703 maximum is 365 | 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5 |
-| Quality Updates | 30 days | Days | Security updatesDrivers (optional)Non-security updatesMicrosoft updates (Office,Visual Studio, etc.) | 0FA1201D-4330-4FA8-8AE9-B877473B6441EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83varies |
+| Feature Updates | 365 days | Days | From Windows 10, version 1511 to version 1607 maximum was 180 days.From Windows 10, version 1703 to version 1809, the maximum is 365 days. | 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5 |
+| Quality Updates | 30 days | Days | Security updatesDrivers (optional)Non-security updatesMicrosoft updates (Office,Visual Studio, etc.) | 0FA1201D-4330-4FA8-8AE9-B877473B6441EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83varies |
| Non-deferrable | No deferral | No deferral | Definition updates | E0789628-CE08-4437-BE74-2495B842F43B |
>[!NOTE]
>For information about classification GUIDs, see [WSUS Classification GUIDs](https://msdn.microsoft.com/library/ff357803.aspx).
-## Changes to Windows Update for Business in Windows 10, version 1709
+## Windows Update for Business in various Windows 10 versions
-The group policy path for Windows Update for Business was changed to correctly reflect its association to Windows Update for Business.
+Windows Update for Business was first available in Windows 10, version 1511. This diagram lists new or changed capabilities and updated behavior in subsequent versions.
-| Prior to Windows 10, version 1709 | Windows 10, version 1709 |
-| --- | --- |
-| Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Update | Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business |
-We have added the ability to manage Windows Insider preview builds and their delivery:
+| Windows 10, version 1511 | 1607 | 1703 | 1709 | 1803 | 1809 |
+| --- | --- | --- | --- | --- | --- |
+| Defer quality updatesDefer feature updatesPause updates | All 1511 features, plus: **WSUS integration** | All 1607 features, plus **Settings controls** | All 1703 features, plus **Ability to set slow vs. fast Insider Preview branch** | All 1709 features, plus **Uninstall updates remotely** | All 1803 features, plus **Option to use default automatic updates****Ability to set separate deadlines for feature vs. quality updates****Admins can prevent users from pausing updates**
+## Managing Windows Update for Business with Group Policy
-The **Manage preview builds** setting gives administrators control over enabling or disabling preview build installation on a device. You can also decide to stop preview builds once the release is public.
-* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/Windows Update for Business** - *Manage preview builds*
-* MDM: **Update/ManagePreviewBuilds**
+The group policy path for Windows Update for Business has changed to correctly reflect its association to Windows Update for Business and provide the ability to easily manage pre-release Windows Insider Preview builds in Windows 10, version 1709.
->[!IMPORTANT]
->This policy replaces the "Toggle user control over Insider builds" policy under that is only supported up to Windows 10, version 1703. You can find the older policy here:
->* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Data Collection and Preview Builds/Toggle user control over Insider builds**
->* MDM: **System/AllowBuildPreview**
+| Action | Windows 10 versions prior to 1709 | Windows 10 versions after 1709 |
+| --- | --- | --- |
+| Set Windows Update for Business Policies | Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Update | Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business |
+| Manage Windows Insider Preview builds | Computer Configuration/Administrative Templates/Windows Components/Data Collection and Preview Builds/Toggle user control over Insider builds | Computer Configuration/Administrative Templates/Windows Components/Windows Update/Windows Update for Business - *Manage preview builds* |
+| Manage when updates are received | Select when Feature Updates are received | Select when Preview Builds and Feature Updates are received (Computer Configuration/Administrative Templates/Windows Components/Windows Update/ Windows Update for Business - **Select when Preview Builds and Feature Updates are received**) |
-The policy settings to **Select when Feature Updates are received** is now called **Select when Preview Builds and Feature Updates are received**. In addition to previous functionality, it now allows you to choose between preview flight rings, and allows you to defer or pause their delivery.
-* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/ Windows Update for Business** - *Select when Preview Builds and Feature Updates are received*
-* MDM: **Update/BranchReadinessLevel**
+## Managing Windows Update for Business with MDM
-## Changes to Windows Update for Business in Windows 10, version 1703
+Starting with Windows 10, version 1709, Windows Update for Business was changed to correctly reflect its association to Windows Update for Business and provide the ability to easily manage Windows Insider Preview builds in 1709.
-### Options added to Settings
+| Action | Windows 10 versions prior to 1709 | Windows 10 versions after 1709 |
+| --- | --- | --- |
+| Manage Windows Insider Preview builds | System/AllowBuildPreview | Update/ManagePreviewBuilds |
+| Manage when updates are received | Select when Feature Updates are received | Select when Preview Builds and Feature Updates are received (Update/BranchReadinessLevel) |
-We have added a few controls into settings to allow users to control Windows Update for Business through an interface.
-- [Configuring the device's branch readiness level](waas-configure-wufb.md#configure-devices-for-current-branch-or-current-branch-for-business), through **Settings > Update & security > Windows Update > Advanced options**
-- [Pausing feature updates](waas-configure-wufb.md#pause-feature-updates), through **Settings > Update & security > Window Update > Advanced options**
+## Managing Windows Update for Business with Software Center Configuration Manager
-### Adjusted time periods
+Starting with Windows 10, version 1709, you can assign a collection of devices to have dual scan enabled and manage that collection with Windows Update for Business policies. Starting with Windows 10, version 1809, you can set a collection of devices to receive the Windows Insider Preview Feature Updates from Windows Update from within Software Center Configuration Manager.
-We have adjusted the maximum pause period for both quality and feature updates to be 35 days, as opposed to 30 and 60 days previously, respectively.
+| Action | Windows 10 versions between 1709 and 1809 | Windows 10 versions after 1809 |
+| --- | --- | --- |
+| Manage Windows Update for Business in Configuration Manager | Manage Feature or Quality Updates with Windows Update for Business via Dual Scan | Manage Insider pre-release builds with Windows Update for Business within Software Center Configuration Manager |
-We have also adjusted the maximum feature update deferral period to be 365 days, as opposed to 180 days previously.
+## Managing Windows Update for Business with Windows Settings options
+Windows Settings includes options to control certain Windows Update for Business features:
-### Additional changes
+- [Configure the readiness level](waas-configure-wufb.md#configure-devices-for-the-appropriate-service-channel) for a branch by using **Settings > Update & security > Windows Update > Advanced options**
+- [Pause feature updates](waas-configure-wufb.md#pause-feature-updates) by using Settings > Update & security > Window Update > Advanced options
-The pause period is now calculated starting from the set start date. For additional details, see [Pause Feature Updates](waas-configure-wufb.md#pause-feature-updates) and [Pause Quality Updates](waas-configure-wufb.md#pause-quality-updates). Due to that, some policy keys are now named differently. For more information, see [Comparing the version 1607 keys to the version 1703 keys](waas-configure-wufb.md#comparing-the-version-1607-keys-to-the-version-1703-keys).
+## Other changes in Windows Update for Business in Windows 10, version 1703 and later releases
-## Comparing Windows Update for Business in Windows 10, version 1511 and version 1607
-Windows Update for Business was first made available in Windows 10, version 1511. In Windows 10, version 1607 (also known as the Anniversary Update), there are several new or changed capabilities provided as well as updated behavior.
+### Pause and deferral periods
->[!NOTE]
->For more information on Current Branch (Semi-Annual Channel (Targeted)) and Current Branch for Business (Semi-Annual Channel), see [Windows 10 servicing options](waas-overview.md#servicing-channels).
+The maximum pause time period is 35 days for both quality and feature updates. The maximum deferral period for feature updates is 365 days.
-
-
- Capability | Windows 10, version 1511 | Windows 10, version 1607 |
-
-
-
- Select servicing options: CB or CBB | Not available. To defer updates, all systems must be on the Current Branch for Business (CBB) | Ability to set systems on the Current Branch (CB) or Current Branch for Business (CBB). |
-Quality Updates | Able to defer receiving Quality Updates: - Up to 4 weeks
- In weekly increments
| Able to defer receiving Quality Updates: - Up to 30 days
- In daily increments
|
-Feature Updates | Able to defer receiving Feature Updates: - Up to 8 months
- In monthly increments
| Able to defer receiving Feature Updates: - Up to 180 days
- In daily increments
|
-Pause updates | - Feature Updates and Quality Updates paused together
- Maximum of 35 days
| Features and Quality Updates can be paused separately. - Feature Updates: maximum 60 days
- Quality Updates: maximum 35 days
|
-Drivers | No driver-specific controls | Drivers can be selectively excluded from Windows Update for Business. |
-
+Also, the pause period is calculated from the set start date. For more details, see [Pause Feature Updates](waas-configure-wufb.md#pause-feature-updates) and [Pause Quality Updates](waas-configure-wufb.md#pause-quality-updates). As a result, certain policy keys have different names; see the "Comparing keys in Windows 10, version 1607 to Windows 10, version 1703" section in [Configure Windows Update for Business](waas-configure-wufb.md) for details.
-## Monitor Windows Updates using Update Compliance
+
+
+## Monitor Windows Updates by using Update Compliance
Update Compliance, now **available in public preview**, provides a holistic view of OS update compliance, update deployment progress, and failure troubleshooting for Windows 10 devices. This new service uses diagnostic data including installation progress, Windows Update configuration, and other information to provide such insights, at no extra cost and without additional infrastructure requirements. Whether used with Windows Update for Business or other management tools, you can be assured that your devices are properly updated.
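Review bot: The new comparison tables put the boundary release in neither column: the Group Policy and MDM tables use "prior to 1709" and "after 1709" although the text says the change arrived in version 1709, and the Configuration Manager table uses "between 1709 and 1809" and "after 1809" although the text says "Starting with Windows 10, version 1809". Label the columns so the boundary version is covered, for example "1709 and later" and "1809 and later". In the MDM table, the pre-1709 cell for "Manage when updates are received" holds the Group Policy display name rather than an MDM setting, and the MDM intro sentence ("was changed to correctly reflect its association to Windows Update for Business") is copied from the Group Policy section and says nothing about MDM. Smaller points: "Software Center Configuration Manager" should be "System Center Configuration Manager" as used elsewhere in this commit, "This diagram lists" introduces a table, the 1511 to 1809 row is missing its closing pipe, and the second Settings bullet keeps the "Window Update" typo and drops the bold used on the first bullet.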
diff --git a/windows/deployment/update/waas-optimize-windows-10-updates.md b/windows/deployment/update/waas-optimize-windows-10-updates.md
index 8446553143..70cba0bcec 100644
--- a/windows/deployment/update/waas-optimize-windows-10-updates.md
+++ b/windows/deployment/update/waas-optimize-windows-10-updates.md
@@ -54,7 +54,7 @@ Windows 10 quality update downloads can be large because every package contains
>Express update delivery applies to quality update downloads. Starting with Windows 10, version 1709, Express update delivery also applies to feature update downloads for clients connected to Windows Update and Windows Update for Business.
### How Microsoft supports Express
-- **Express on System Center Configuration Manager** starting with version 1702 of Configuration Manager and Windows 10, version 1703 or 1607 with the April 2017 cumulative update.
+- **Express on System Center Configuration Manager** starting with version 1702 of Configuration Manager and Windows 10, version 1703 or later, or Windows 10, version 1607 with the April 2017 cumulative update.
- **Express on WSUS Standalone**
Express update delivery is available on [all support versions of WSUS](https://technet.microsoft.com/library/cc708456(v=ws.10).aspx).
diff --git a/windows/deployment/update/waas-servicing-differences.md b/windows/deployment/update/waas-servicing-differences.md
new file mode 100644
index 0000000000..cb55ad0bc9
--- /dev/null
+++ b/windows/deployment/update/waas-servicing-differences.md
@@ -0,0 +1,106 @@
+---
+title: Servicing differences between Windows 10 and older operating systems
+description: Learn the differences between servicing Windows 10 and servicing older operating systems.
+keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: KarenSimWindows
+ms.localizationpriority: medium
+ms.author: karensim
+ms.date: 11/09/2018
+---
+# Understanding the differences between servicing Windows 10-era and legacy Windows operating systems
+
+>Applies to: Windows 10
+
+Today, many enterprise customers have a mix of modern and legacy client and server operating systems. Managing the servicing and updating differences between those legacy operating systems and Windows 10 versions adds a level of complexity that is not well understood. This can be confusing. With the end of support for legacy [Windows 7 SP1](https://support.microsoft.com/help/4057281/windows-7-support-will-end-on-january-14-2020) and Windows Server 2008 R2 variants on January 14, 2020, System Administrators have a critical need critical to understand how best to leverage a modern workplace to support system updates.
+
+The following provides an initial overview of how updating client and server differs between the Windows 10-era operating systems (such as Windows 10 version 1709, Windows Server 2016) and legacy operating systems (such as Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2).
+
+>[!NOTE]
+> A note on naming convention in this article: For brevity, "Windows 10" refers to all operating systems across client, server and IoT released since July 2015, while "legacy" refers to all operating systems prior to that period for client and server, including Windows 7, Window 8.1, Windows Server 2008 R2, Windows Server 2012 R2, etc.
+
+## Infinite fragmentation
+Prior to Windows 10, all updates to operating system (OS) components were published individually. On "Update Tuesday," customers would pick and choose individual updates they wanted to apply. Most chose to update security fixes, while far fewer selected non-security fixes, updated drivers, or installed .NET Framework updates.
+
+As a result, each environment with the global Windows ecosystem that had only a subset of security and non-security fixes installed had a different set of binaries and behaviors than those that consistently installed every available update as tested by Microsoft.
+
+This resulted in a fragmented ecosystem that created diverse challenges in predictively testing interoperability, resulting in high update failure rates - which were subsequently mitigated by customers removing individual updates that were causing issues. Each customer that selectively removed individual updates amplified this fragmentation by creating more diverse environment permutations across the ecosystem. As an IT Administrator once quipped, "If you’ve seen one Windows 7 PC, you have seen one Windows 7 PC," suggesting no consistency or predictability across more than 250M commercial devices at the time.
+
+## Windows 10 – Next generation
+Windows 10 provided an opportunity to end the era of infinite fragmentation. With Windows 10 and the Windows as a service model, updates came rolled together in the "latest cumulative update" (LCU) packages for both client and server. Every new update published includes all changes from previous updates, as well as new fixes. Since Windows client and server share the same code base, these LCUs This helps simplify servicing. Devices with the original Release to Market (RTM) version of a feature release installed could get up to date by installing the most recent LCU.
+
+Windows publishes the new LCU packages for each Windows 10 version (1607, 1709, etc.) on the second Tuesday of each month. This package is classified as a required security update and contains contents from the previous LCU as well as new security, non-security and Internet Explorer 11 (IE11) fixes. The security classification, by definition, requires a reboot of the device to complete installation of the update.
+
+
+
+Another benefit of the LCU model is fewer steps. Devices that have the original Release to Market (RTM) version of a release can install the most recent LCU to get up to date in one step, rather than having to install multiple updates with reboots after each.
+
+This cumulative update model for Windows 10 has helped provide the Windows ecosystem with consistent update experiences that can be predicted by baseline testing before release. Even with highly complex updates with hundreds of fixes, the number of incidents with monthly security updates for Windows 10 have fallen month over month since the initial release of Windows 10.
+
+### Points to consider
+
+- Windows 10 does not have the concept of a Security-Only or Monthly Rollup for updates. All updates are an LCU package, which includes the last release plus anything new.
+- Windows 10 no longer has the concept of a "hotfix" since all individual updates must be rolled into the cumulative packages. (Note: Any private fix is offered for customer validation only, and then rolled into an LCU.)
+- [Updates for the .NET Framework](https://blogs.msdn.microsoft.com/dotnet/2016/10/11/net-framework-monthly-rollups-explained/) are NOT included in the Windows 10 LCU. They are separate packages with different behaviors depending on the version of .NET Framework being updated, and on which OS. As of October 2018, .NET Framework updates for Windows 10 will be separate and have their own cumulative update model.
+- For Windows 10, available update types vary by publishing channel:
+ - For customers using Windows Server Update Services (WSUS) and for the Update Catalog, several different updates types for Windows 10 are rolled together for the core OS in a single LCU package, with exception of Servicing Stack Updates.
+ - Servicing Stack Updates (SSU) are available for download from the Update Catalog and can be imported through WSUS, but will not be automatically synced. (See this [example](https://support.microsoft.com/help/4132650/servicing-stack-update-for-windows-10-version-1709-may-21-2018) for Windows 10, version 1709). For more information on Servicing Stack Updates, please see this [blog](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-7-servicing-stack-updates-managing-change-and/ba-p/260434).
+ - For customers connecting to Windows Update, the new cloud update architecture uses a database of updates which break out all the different update types, including Servicing Stack Updates (SSU) and Dynamic Updates (DU). The update scanning in the Windows 10 servicing stack on the client automatically takes only the updates that are needed by the device to be completely up to date.
+- Windows 7 and other legacy operating systems have cumulative updates that operate differently than in Windows 10 (see next section).
+
+## Windows 7 and legacy OS versions
+While Windows 10 updates could have been controlled as cumulative from "Day 1," the legacy OS ecosystem for both client and server was highly fragmented. Recognizing the challenges of update quality in a fragmented environment, we moved Windows 7 to a cumulative update model in October 2016.
+
+Customers saw the LCU model used for Windows 10 as having packages that were too large and represented too much of a change for legacy operating systems, so a different model was implemented. Windows instead offered two cumulative package types for all legacy operating systems: Monthly Rollups and Security-only updates.
+
+The Monthly Rollup includes new non-security, security updates, Internet Explorer (IE) updates, and all updates from the previous month, similar to the Windows 10 model. The Security-only package includes new security updates and all security updates from the previous month. Additionally, a cumulative package is offered for IE, which can be tested and installed separately, reducing the total update package size. The IE cumulative update includes both security and non-security fixes following the same model as Windows 10.
+
+Moving to the cumulative model for legacy OS versions continues to improve predictability of update quality. The Windows legacy environments have fully updated machines, which means that the baseline against which all legacy OS version updates are tested include all of the updates (security and non-security) prior to and after October 2016. Many customer environments do not have all updates prior to this change installed, which leaves some continued fragmentation in the ecosystem. This remaining fragmentation results in issues like those seen when the September 2016 Servicing Stack Update (SSU) was needed for smooth installation of the August 2018 security update. These environments did not have the SSU applied previously.
+
+### Points to consider
+- Windows 7 and Windows 8 legacy operating system updates [moved from individual to cumulative in October 2016](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/More-on-Windows-7-and-Windows-8-1-servicing-changes/ba-p/166783). Devices with updates missing prior to that point are still missing those updates, as they were not included in the subsequent cumulative packages.
+- "Hotfixes" are no longer published for legacy OS versions. All updates are rolled into the appropriate package depending on their classification as either non-security, security, or Internet Explorer updates. (Note: any private fix is offered for customer validation only. Once validated they are then rolled into a Monthly Rollup or IE cumulative update, as appropriate.)
+- Both Monthly Rollups and Security-only updates released on Update Tuesday for legacy OS versions are identified as "security, critical" updates, because both have the full set of security updates in them. The Monthly Rollup has additional non-security updates that are not included in the Security Only update. The "security" classification requires the device be rebooted so the update can be fully installed.
+- Despite the cumulative nature of both Monthly Rollups and Security-only updates, switching between these update types is not advised. Small differences in the baselines of these packages may result in installation errors and conflicts. Choosing one and staying on that update type – Monthly Rollup or Security-only – is recommended.
+- In [February 2017](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/Simplified-servicing-for-Windows-7-and-Windows-8-1-the-latest/ba-p/166798), Windows pulled IE updates out of the legacy OS versions Security-only updates, while leaving them in the Monthly Rollup updates. This was done specifically to reduce package size based on customer feedback.
+- The IE cumulative update includes both security and non-security updates and is also needed for to help secure the entire environment. This update can be installed separately or as part of the Monthly Rollup.
+- [Updates for the .NET Framework](https://blogs.msdn.microsoft.com/dotnet/2016/10/11/net-framework-monthly-rollups-explained/) are NOT included in legacy Monthly Rollup or Security Only packages. They are separate packages with different behaviors depending on the version of the .NET Framework, and which legacy OS, being updated.
+- For [Windows Server 2008 SP2](https://cloudblogs.microsoft.com/windowsserver/2018/06/12/windows-server-2008-sp2-servicing-changes/), cumulative updates began in October 2018, and follow the same model as Windows 7. Updates for IE9 are included in those packages, as the last supported version of Internet Explorer for that Legacy OS version.
+
+## Public preview releases
+Lastly, the cumulative update model directly impacts the public Preview releases offered in the 3rd and/or 4th weeks of the month. Update Tuesday, also referred to as the "B" week release occurs on the second Tuesday of the month. It is always a required security update across all operating systems. In addition to this monthly release, Windows also releases non-security update "previews" targeting the 3rd (C) and the 4th (D) weeks of the month. These preview releases include that month’s B-release plus a set of non-security updates for testing and validation as a cumulative package. We recommend IT Administrators uses the C/D previews to test the update in their environments. Any issues identified with the updates in the C/D releases are identified and then fixed or removed, prior to being rolled up in to the next month’s B release package together with new security updates.
+
+### Examples
+Windows 10 version 1709:
+
+- (9B) September 11, 2018 Update Tuesday / B release - includes security, non-security and IE update. This update is categorized as "Required, Security" it requires a system reboot.
+- (9C) September 26, 2018 Preview C release - includes everything from 9B PLUS some non-security updates for testing/validation. This update is qualified as not required, non-security. No system reboot is required.
+- (10B) October 9, 2018 Update Tuesday / B release includes all fixes included in 9B, all fixes in 9C and introduces new security fixes and IE updates. This update is qualified as "Required, Security" and requires a system reboot.
+
+All of these updates are cumulative and build on each other for Windows 10. This is in contrast to legacy OS versions, where the 9C release becomes part of the "Monthly Rollup," but not the "Security Only" update. In other words, a Window 7 SP1 9C update is part of the cumulative "Monthly Rollup" but not included in the "Security Only" update because the fixes are qualified as "non-security". This is an important variation to note on the two models.
+
+
+
+### Previews vs. on-demand releases
+In 2018, we experienced incidents that required urgent remediation that didn’t map to the monthly update release cadence. These incidents were situations that required an immediate fix to an Update Tuesday release. While Windows engineering worked aggressively to respond within a week of the B-release, these "on-demand" releases created confusion with the C Preview releases.
+
+#### Points to consider:
+- When Windows identifies an issue with a Update Tuesday release, engineering teams work to remediate or fix the issue as quickly as possible. The outcome is often a new update which may be released at any time, including during the 3rd or 4th week of the month. Such updates are independent of the regularly scheduled "C" and "D" update previews. These updates are created on-demand to remediate a customer impacting issue. In most cases they are qualified as a "non-security" update, and do not require a system reboot.
+- With the new Windows Update (WU) architecture, updates can be targeted to affected devices. This targeting is not available through the Update Catalog or WSUS channels, however.
+- On-demand releases address a specific issue with an Update Tuesday release and are often qualified as "non-security" for one of two reasons. First, the fix may not be an additional security fix, but a non-security change to the update. Second, the "non-security" designation allows individuals or companies to choose when and how to reboot the devices, rather than forcing a system reboot on all Windows devices receiving the update globally. This trade-off is rarely a difficult choice as it has the potential to impact customer experience across client and server, across consumer and commercial customers for more than one billion devices.
+- Because the cumulative model is used across Window 10 and legacy Windows OS versions, despite variations between these OS versions, an out of band release will include all of the changes from the Update Tuesday release plus the fix that addresses the issue. And since Windows no longer releases hotfixes, everything is cumulative in some way.
+
+In closing, I hope this overview of the update model across current and legacy Windows OS versions highlights the benefits of the Windows 10 cumulative update model to help defragment the Windows ecosystem environments, simplify servicing and help make systems more secure.
+
+
+## Resources
+- [Simplifying updates for Windows 7 and 8.1](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/Simplifying-updates-for-Windows-7-and-8-1/ba-p/166530)
+- [Further simplifying servicing models for Windows 7 and Windows 8.1](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/Further-simplifying-servicing-models-for-Windows-7-and-Windows-8/ba-p/166772)
+- [More on Windows 7 and Windows 8.1 servicing changes](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/More-on-Windows-7-and-Windows-8-1-servicing-changes/ba-p/166783)
+- [.NET Framework Monthly Rollups Explained](https://blogs.msdn.microsoft.com/dotnet/2016/10/11/net-framework-monthly-rollups-explained/)
+- [Simplified servicing for Windows 7 and Windows 8.1: the latest improvements](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/Simplified-servicing-for-Windows-7-and-Windows-8-1-the-latest/ba-p/166798)
+- [Windows Server 2008 SP2 servicing changes](https://cloudblogs.microsoft.com/windowsserver/2018/06/12/windows-server-2008-sp2-servicing-changes/)
+- [Windows 10 update servicing cadence](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-update-servicing-cadence/ba-p/222376)
+- [Windows 7 servicing stack updates: managing change and appreciating cumulative updates](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-7-servicing-stack-updates-managing-change-and/ba-p/260434)
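Review bot: several wording slips in the added article should be fixed before merge: "is also needed for to help secure" in the IE cumulative update bullet, "We recommend IT Administrators uses" in the Public preview releases paragraph, "a Update Tuesday release" in the first Points to consider bullet, and "Window 7 SP1" / "Window 10" (missing "s") in the Examples and Points to consider text. The three example bullets also label the classification three ways ("categorized as", "qualified as", with and without quotation marks); pick one form so readers do not infer different update classes.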
diff --git a/windows/deployment/update/waas-wufb-group-policy.md b/windows/deployment/update/waas-wufb-group-policy.md
index 643e549073..49a13d74fc 100644
--- a/windows/deployment/update/waas-wufb-group-policy.md
+++ b/windows/deployment/update/waas-wufb-group-policy.md
@@ -28,9 +28,16 @@ Using Group Policy to manage Windows Update for Business is simple and familiar:
In Windows 10 version 1511, only Current Branch for Business (CBB) upgrades could be delayed, restricting the Current Branch (CB) builds to a single deployment ring. Windows 10 version 1607, however, has a new Group Policy setting that allows you to delay feature updates for both CB and CBB, broadening the use of the CB servicing branch.
->[!NOTE]
+>[!NOTES]
>The terms *feature updates* and *quality updates* in Windows 10, version 1607, correspond to the terms *upgrades* and *updates* in version 1511.
+>To follow the instructions in this article, you will need to download and install the relevant ADMX templates for your Windows 10 version.
+>See the following articles for instructions on the ADMX templates in your environment.
+
+> - [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759)
+> - [Step-By-Step: Managing Windows 10 with Administrative templates](https://blogs.technet.microsoft.com/canitpro/2015/10/20/step-by-step-managing-windows-10-with-administrative-templates/)
+
+
To use Group Policy to manage quality and feature updates in your environment, you must first create Active Directory security groups that align with your constructed deployment rings. Most customers have many deployment rings already in place in their environment, and these rings likely align with existing phased rollouts of current patches and operating system upgrades.
## Configure Windows Update for Business in Windows 10 version 1511
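Review bot: `>[!NOTES]` is not a recognized alert type (the other callouts in this change use `[!IMPORTANT]` and `[!VIDEO]`, and the removed line used `[!NOTE]`), so the rename will likely stop the callout from rendering; keep `>[!NOTE]`. The blank `+` line before the two `> -` link bullets also ends the blockquote, so the ADMX links render as a separate quote rather than inside the note; drop the blank line or prefix it with `>`.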
diff --git a/windows/deployment/update/windows-analytics-get-started.md b/windows/deployment/update/windows-analytics-get-started.md
index 1ceeae0987..1ea7a5532f 100644
--- a/windows/deployment/update/windows-analytics-get-started.md
+++ b/windows/deployment/update/windows-analytics-get-started.md
@@ -87,6 +87,8 @@ The compatibility update scans your devices and enables application usage tracki
| Windows 8.1 | [KB 2976978](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2976978)
Performs diagnostics on the Windows 8.1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues might be encountered when the latest Windows operating system is installed.
For more information about this update, see |
| Windows 7 SP1 | [KB2952664](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2952664)
Performs diagnostics on the Windows 7 SP1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues might be encountered when the latest Windows operating system is installed.
For more information about this update, see |
+We also recommend installing the latest [Windows Monthly Rollup](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=security%20monthly%20quality%20rollup) on Windows 7 and Windows 8.1 devices.
+
>[!IMPORTANT]
>Restart devices after you install the compatibility updates for the first time.
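Review bot: the added recommendation links to a catalog search for "security monthly quality rollup" rather than to a specific update, so the reader lands on a result list and has to guess which package applies; say which rollup to choose for Windows 7 and for Windows 8.1. Also confirm a blank line separates the last table row from the new sentence, otherwise it can be pulled into the table.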
diff --git a/windows/deployment/update/windows-as-a-service.md b/windows/deployment/update/windows-as-a-service.md
new file mode 100644
index 0000000000..de4cc5691d
--- /dev/null
+++ b/windows/deployment/update/windows-as-a-service.md
@@ -0,0 +1,136 @@
+---
+title: Windows as a service
+ms.prod: windows-10
+layout: LandingPage
+ms.topic: landing-page
+ms.manager: elizapo
+author: lizap
+ms.author: elizapo
+ms.date: 12/05/2018
+ms.localizationpriority: high
+---
+# Windows as a service
+
+Find the tools and resources you need to help deploy and support Windows as a service in your organization.
+
+## Latest news, videos, & podcasts
+
+Find the latest and greatest news on Windows 10 deployment and servicing.
+
+**Windows 10 monthly updates**
+> [!VIDEO https://www.youtube-nocookie.com/embed/BwB10v55WSk]
+
+Windows 10 is the most secure version of Windows yet. Learn what updates we release and when we release them, so you understand the efforts we take to keep your digital life safe and secure.
+
+The latest news:
+
+
+- LTSC: What is it, and when should it be used? - November 29, 2018
+- Local Experience Packs: What are they and when should you use them? - November 14, 2018
+- Resuming the Rollout of the Windows 10 October 2018 Update - November 13, 2018
+- Windows 10 Quality Approach for a Complex Ecosystem - November 13, 2018
+- Delivery Optimization: Scenarios and Configuration Options - October 30, 2018
+- Language Pack Acquisition and Retention for Enterprise Devices - October 18, 2018
+- Updated Version of Windows 10 October 2018 Update Released to Windows Insiders - October 9, 2018
+- How to get the Windows 10 October 2018 Update - October 2, 2018
+- Reducing Windows 10 Package Size Downloads for x64 Systems - September 26, 2018
+- Windows 7 Servicing Stack Updates: Managing Change and Appreciating Cumulative Updates - September 21, 2018
+- Helping customers shift to a modern desktop - September 6, 2018
+- Windows Update for Business & Windows Analytics: a real-world experience - September 5, 2018
+- What's next for Windows 10 and Windows Server quality updates - August 16, 2018
+
- Windows 10 update servicing cadence - August 1, 2018
+
- Windows 10 quality updates explained and the end of delta updates - July 11, 2018
+
- AI Powers Windows 10 April 2018 Update Rollout - June 14, 2018
+
- Windows Server 2008 SP2 Servicing Changes - June 12, 2018
+
- Windows Update for Business - Enhancements, diagnostics, configuration - June 7, 2018
+
- Windows 10 and the disappearing SAC-T - May 31, 2018
+
- Manage update download size using Windows as a service - March 30, 2018
+
+[See more news](https://techcommunity.microsoft.com/t5/Windows-10-Blog/bg-p/Windows10Blog)
+
+## IT pro champs corner
+Written by IT pros for IT pros, sharing real world examples and scenarios for Windows 10 deployment and servicing.
+
+
+
+
+**NEW** Understanding the differences between servicing Windows 10-era and legacy Windows operating systems
+
+NEW Express updates for Windows Server 2016 re-enabled for November 2018 update
+
+
+2019 SHA-2 Code Signing Support requirement for Windows and WSUS
+
+Deploying Windows 10 Feature Updates to 24/7 Mission Critical Devices
+
+## Discover
+
+Learn more about Windows as a service and its value to your organization.
+
+
+
+Overview of Windows as a service
+
+Quick guide to Windows as a service
+
+Windows Analytics overview
+
+What's new in Windows 10 deployment
+
+How Microsoft IT deploys Windows 10
+
+## Plan
+
+Prepare to implement Windows as a service effectively using the right tools, products, and strategies.
+
+
+
+Simplified updates
+
+Windows 10 end user readiness
+
+Ready for Windows
+
+Manage Windows upgrades with Upgrade Readiness
+
+Preparing your organization for a seamless Windows 10 deployment
+
+## Deploy
+
+Secure your organization's deployment investment.
+
+
+
+Update Windows 10 in the enterprise
+
+Deploying as an in-place upgrade
+
+Configure Windows Update for Business
+
+Express update delivery
+
+Windows 10 deployment considerations
+
+
+## Microsoft Ignite 2018
+
+
+Looking to learn more? These informative session replays from Microsoft Ignite 2018 (complete with downloadable slide decks) can provide some great insights on Windows as a service.
+
+[BRK2417: What’s new in Windows Analytics: An Intro to Desktop Analytics](https://myignite.techcommunity.microsoft.com/sessions/64324#ignite-html-anchor)
+
+[BRK3018: Deploying Windows 10 in the enterprise using traditional and modern techniques](https://myignite.techcommunity.microsoft.com/sessions/64509#ignite-html-anchor)
+
+[BRK3019: Delivery Optimization deep dive: How to reduce internet bandwidth impact on your network](https://myignite.techcommunity.microsoft.com/sessions/64510#ignite-html-anchor)
+
+[BRK3020: Using AI to automate Windows and Office update staging with Windows Update for Business](https://myignite.techcommunity.microsoft.com/sessions/64513#ignite-html-anchor)
+
+[BRK3027: Deploying Windows 10: Making the update experience smooth and seamless](https://myignite.techcommunity.microsoft.com/sessions/64612#ignite-html-anchor)
+
+[BRK3039: Windows 10 and Microsoft Office 365 ProPlus lifecycle and servicing update](https://myignite.techcommunity.microsoft.com/sessions/66763#ignite-html-anchor)
+
+[BRK3211: Ask the Experts: Successfully deploying, servicing, managing Windows 10](https://myignite.techcommunity.microsoft.com/sessions/65963#ignite-html-anchor)
+
+[THR2234: Windows servicing and delivery fundamentals](https://myignite.techcommunity.microsoft.com/sessions/66741#ignite-html-anchor)
+
+[THR3006: The pros and cons of LTSC in the enterprise](https://myignite.techcommunity.microsoft.com/sessions/64512#ignite-html-anchor)
\ No newline at end of file
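Review bot: the entries under "The latest news", "IT pro champs corner", "Discover", "Plan" and "Deploy" are bare titles with no link targets, so the landing page gives readers nowhere to go; add the links, as was done for the Ignite sessions. Minor: "**NEW**" is bold on the first champs entry and plain on the second, the front matter uses `ms.prod: windows-10` where the other files in this change use `w10`, and the file has no trailing newline.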
diff --git a/windows/deployment/update/windows-update-troubleshooting.md b/windows/deployment/update/windows-update-troubleshooting.md
index 4c558115d6..0f5c91d457 100644
--- a/windows/deployment/update/windows-update-troubleshooting.md
+++ b/windows/deployment/update/windows-update-troubleshooting.md
@@ -164,12 +164,12 @@ Users may see that Windows 10 is consuming all the bandwidth in the different of
The following group policies can help mitigate this:
-[Policy Turn off access to all Windows Update features](http://gpsearch.azurewebsites.net/#4728)
-[Policy Specify search order for device driver source locations](http://gpsearch.azurewebsites.net/#183)
-[Policy Turn off Automatic Download and Install of updates](http://gpsearch.azurewebsites.net/#10876)
+- Blocking access to Windows Update servers: [Policy Turn off access to all Windows Update features](http://gpsearch.azurewebsites.net/#4728) (Set to enabled)
+- Driver search: [Policy Specify search order for device driver source locations](http://gpsearch.azurewebsites.net/#183) (Set to "Do not search Windows Update")
+- Windows Store automatic update: [Policy Turn off Automatic Download and Install of updates](http://gpsearch.azurewebsites.net/#10876) (Set to enabled)
Other components that reach out to the internet:
-- Windows Spotlight. [Policy Configure Windows spotlight on lock screen](http://gpsearch.azurewebsites.net/#13362) (Set to disabled)
-- [Policy Turn off Microsoft consumer experiences](http://gpsearch.azurewebsites.net/#13329) (Set to enabled)
-- Modern App- Windows Update installation fails. [Policy Let Windows apps run in the background](http://gpsearch.azurewebsites.net/#13571)
\ No newline at end of file
+- Windows Spotlight: [Policy Configure Windows spotlight on lock screen](http://gpsearch.azurewebsites.net/#13362) (Set to disabled)
+- Consumer experiences: [Policy Turn off Microsoft consumer experiences](http://gpsearch.azurewebsites.net/#13329) (Set to enabled)
+- Background traffic from Windows apps: [Policy Let Windows apps run in the background](http://gpsearch.azurewebsites.net/#13571)
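Review bot: "Turn off access to all Windows Update features (Set to enabled)" is listed as a bandwidth mitigation under the label "Blocking access to Windows Update servers" without saying what that costs; state that it is only appropriate when devices get updates from another source, otherwise they stop receiving security updates. The last bullet, "Let Windows apps run in the background", is the only one without a recommended setting, and all six links still use `http://`.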
diff --git a/windows/deployment/upgrade/upgrade-readiness-data-sharing.md b/windows/deployment/upgrade/upgrade-readiness-data-sharing.md
index 15b27923b6..529808e5c4 100644
--- a/windows/deployment/upgrade/upgrade-readiness-data-sharing.md
+++ b/windows/deployment/upgrade/upgrade-readiness-data-sharing.md
@@ -42,7 +42,7 @@ In order to set the WinHTTP proxy system-wide on your computers, you need to
The WinHTTP scenario is most appropriate for customers who use a single proxy or f. If you have more advanced proxy requirements, refer to Scenario 3.
-If you want to learn more about Proxy considerations on Windows, please take a look at this post in the ieinternals blog
+If you want to learn more about proxy considerations on Windows, see [Understanding Web Proxy Configuration](https://blogs.msdn.microsoft.com/ieinternals/2013/10/11/understanding-web-proxy-configuration/).
### Logged-in user’s Internet connection
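Review bot: the sentence just above the changed line still ends in "a single proxy or f.", which reads as truncated; complete it in the same change, since the new link sentence depends on it for context.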
diff --git a/windows/deployment/upgrade/upgrade-readiness-deploy-windows.md b/windows/deployment/upgrade/upgrade-readiness-deploy-windows.md
index b5f0b2b68b..3aabb7b13b 100644
--- a/windows/deployment/upgrade/upgrade-readiness-deploy-windows.md
+++ b/windows/deployment/upgrade/upgrade-readiness-deploy-windows.md
@@ -1,8 +1,8 @@
---
-title: Upgrade Readiness - Get a list of computers that are upgrade-ready (Windows 10)
+title: Upgrade Readiness - Get a list of computers that are upgrade ready (Windows 10)
description: Describes how to get a list of computers that are ready to be upgraded in Upgrade Readiness.
ms.prod: w10
-author: greg-lindsay
+author: jaimeo
ms.date: 04/19/2017
---
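Review bot: `ms.date` stays at 04/19/2017 although the title and author both change; update it, as was done for windows-10-pro-in-s-mode.md in this same change.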
diff --git a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md
index 76e0198780..e295b3fa32 100644
--- a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md
+++ b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md
@@ -93,7 +93,7 @@ The deployment script displays the following exit codes to let you know if it wa
N/A |
- 1 - Unexpected error occurred while executiEng the script. |
+ 1 - Unexpected error occurred while executing the script. |
The files in the deployment script are likely corrupted. Download the [latest script](https://go.microsoft.com/fwlink/?LinkID=822966) from the download center and try again. |
diff --git a/windows/deployment/upgrade/upgrade-readiness-monitor-deployment.md b/windows/deployment/upgrade/upgrade-readiness-monitor-deployment.md
new file mode 100644
index 0000000000..be3d2aee32
--- /dev/null
+++ b/windows/deployment/upgrade/upgrade-readiness-monitor-deployment.md
@@ -0,0 +1,48 @@
+---
+title: Monitor deployment with Upgrade Readiness
+description: Describes how to use Upgrade Readiness to monitor the deployment after Windows upgrades.
+keywords: windows analytics, oms, operations management suite, prerequisites, requirements, upgrades, log analytics,
+ms.localizationpriority: medium
+ms.prod: w10
+author: jaimeo
+ms.author: jaimeo
+ms.date: 11/07/2018
+---
+
+# Upgrade Readiness - Step 4: Monitor
+
+Now that you have started deploying an update with Upgrade Readiness, you can use it to monitor important elements.
+
+
+
+
+## Update progress
+
+The **Update progress** blade allows you to monitor the progress and status of your deployment. Any device that has attepted to upgrade in the last 30 days displays the **DeploymentStatus** attribute. You'll be able to see the number of computers that have successfully upgraded, failed to upgrade, are stalled, etc.
+
+
+Selecting this blade allows you to view device-level details about the deployment. For example, select **Failed** to view the original operating system version, the target operating system version, and the reason the update failed for each of the devices that failed to upgrade. In the case of the device illustrated in the following image, an attempt was made to upgrade from Windows 10, version 1703 to 1709, but the operation timed out.
+
+
+
+
+## Driver issues
+
+The **Driver issues** blade allows you to see Device Manager errors for your upgraded devices. We include data for all compatibility-related device errors, such as "driver not found" and "driver not started." The blade summarizes errors by error type, but you can select a particular error type to see device-level details about which device(s) are failing and where to obtain a driver.
+
+
+For example, by selecting error code **28 - driver not installed**, you would see that the device in the following image is missing the driver for a network controller. Upgrade Readiness also notifies that a suitable driver is available online through Windows Update. If this device is configured to automatically receive updates from Windows Update, this issue would likely resolve itself following the device's next Windows Update scan. If this device does not automatically receive updates from Windows Update, you would need to deliver the driver manually.
+
+
+
+## User feedback
+
+The **User Feedback** blade focuses on gathering subjective feedback from your end users. If a user submits feedback through the Feedback Hub app on a device in your workspace, we will make that feedback visible to you in this blade. The Feedback Hub app is built into Windows 10 and can be accessed by typing "Feedback Hub" in the Cortana search bar.
+
+
+We recommend that you encourage your end users to submit any feedback they have through Feedback Hub. Not only will this feedback be sent directly to Microsoft for review, but you'll also be able to see it by using Upgrade Readiness. You should be aware that **feedback submitted through Feedback Hub will be publicly visible**, so it's best to avoid submitting feedback about internal line-of-business applications.
+
+When viewing user feedback in Upgrade Readiness, you'll be able to see the raw "Title" and "Feedback" text from the user's submission in Feedback Hub, as well as the number of upvotes the submission has received. (Since feedback is publicly visible, the number of upvotes is a global value and not specific to your company.) If a Microsoft engineer has responded to the submission in Feedback Hub, we'll pull in the Microsoft response for you to see as well.
+
+
+
\ No newline at end of file
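Review bot: "attepted" in the Update progress paragraph should be "attempted". The Update progress and Driver issues sections both refer to "the following image", but no image reference is visible after either paragraph; add the image links or reword. "Upgrade Readiness also notifies that a suitable driver is available" needs an object ("notifies you"), the `keywords` line ends with a trailing comma, and the file has no trailing newline.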
diff --git a/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
index 596c5c9540..d6cdab7ce2 100644
--- a/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
+++ b/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
@@ -66,7 +66,7 @@ Figure 2. The imported Windows 10 operating system after you rename it.
- Task sequence ID: W10-X64-UPG
- Task sequence name: Windows 10 Enterprise x64 RTM Upgrade
- Template: Standard Client Upgrade Task Sequence
- - Select OS: Windows 10 Enterprise x64 RTM RTM Default Image
+ - Select OS: Windows 10 Enterprise x64 RTM Default Image
- Specify Product Key: Do not specify a product key at this time
- Full Name: Contoso
- Organization: Contoso
@@ -103,4 +103,4 @@ After the task sequence completes, the computer will be fully upgraded to Window
[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
[Microsoft Deployment Toolkit downloads and resources](https://go.microsoft.com/fwlink/p/?LinkId=618117)
-
\ No newline at end of file
+
diff --git a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
index c62c65555b..ebb0b5998f 100644
--- a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
+++ b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
@@ -52,7 +52,7 @@ To enable KMS functionality, a KMS key is installed on a KMS host; then, the hos
For more information, see the information for Windows 7 in [Deploy KMS Activation](https://go.microsoft.com/fwlink/p/?LinkId=717032).
## Key Management Service in Windows Server 2012 R2
-Installing a KMS host key on a computer running Windows Server allows you to activate computers running Windows Server 2012 R2, Windows Sever 2008 R2, Windows Server 2008, Windows 10, Windows 8.1, Windows 7, and Windows Vista.
+Installing a KMS host key on a computer running Windows Server allows you to activate computers running Windows Server 2012 R2, Windows Server 2008 R2, Windows Server 2008, Windows 10, Windows 8.1, Windows 7, and Windows Vista.
**Note**
You cannot install a client KMS key into the KMS in Windows Server.
diff --git a/windows/deployment/windows-10-pro-in-s-mode.md b/windows/deployment/windows-10-pro-in-s-mode.md
index a127409535..7ae037d1cd 100644
--- a/windows/deployment/windows-10-pro-in-s-mode.md
+++ b/windows/deployment/windows-10-pro-in-s-mode.md
@@ -7,8 +7,8 @@ ms.localizationpriority: medium
ms.prod: w10
ms.sitesec: library
ms.pagetype: deploy
-ms.date: 08/30/2018
-author: Mikeblodge
+ms.date: 12/03/2018
+author: jaimeo
---
# Switch to Windows 10 Pro/Enterprise from S mode
@@ -16,25 +16,42 @@ author: Mikeblodge
We recommend staying in S mode. However, in some limited scenarios, you might need to switch to Windows 10 Pro. You can switch devices running Windows 10, version 1709 or later. Use the following information to switch to Windows 10 Pro through the Microsoft Store.
> [!IMPORTANT]
-> While it’s free to switch to Windows 10 Pro, it’s not reversible. The only way to rollback this kind of switch is through a [bare metal recover (BMR)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/create-media-to-run-push-button-reset-features-s14) reset. This restores a Windows device to the factory state, even if the user needs to replace the hard drive or completely wipe the drive clean. If a device is switched out of S mode via the Microsoft Store, it will remain out of S mode even after the device is reset.
+> While it’s free to switch to Windows 10 Pro, it’s not reversible. The only way to rollback this kind of switch is through a [bare metal recovery (BMR)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/create-media-to-run-push-button-reset-features-s14) reset. This restores a Windows device to the factory state, even if the user needs to replace the hard drive or completely wipe the drive clean. If a device is switched out of S mode via the Microsoft Store, it will remain out of S mode even after the device is reset.
+
+## Switch one device through the Microsoft Store
+Use the following information to switch to Windows 10 Pro through the Microsoft Store.
+
+Note these differences affecting switching modes in various releases of Windows 10:
+
+- In Windows 10, version 1709, you can switch devices one at a time from Windows 10 Pro in S mode to Windows 10 Pro by using the Microsoft Store. No other switches are possible.
+- In Windows 10, version 1803, you can switch devices running any S mode edition to the equivalent non-S mode edition one at a time by using the Microsoft Store.
+- Windows 10, version 1809, you can switch devices running any S mode edition to the equivalent non-S mode edition one at a time by using the Microsoft Store or you can switch multiple devices in bulk by using Intune. You can also block users from switching devices themselves.
-## How to switch
-If you’re running Windows 10, version 1709 or version 1803, you can switch to Windows 10 Pro through the Microsoft Store. Devices running version 1803 will only be able to switch through the Store one device at a time.
1. Sign into the Microsoft Store using your Microsoft account.
-2. Search for "S mode"
-3. In the offer, click **Buy**, **Get**, OR **Learn more.**
+2. Search for "S mode".
+3. In the offer, select **Buy**, **Get**, or **Learn more.**
+
You'll be prompted to save your files before the switch starts. Follow the prompts to switch to Windows 10 Pro.
-## Keep Line of Business apps functioning with Desktop Bridge
-Worried about your LOB apps not working in S mode? Using Desktop Bridge will enable you to convert your Line of Business apps to a packaged app with UWP manifest. After testing and validating you can distribute the app through the Windows Store or existing channels.
+## Switch one or more devices by using Microsoft Intune
-[Explore Desktop Bridge](https://docs.microsoft.com/windows/uwp/porting/desktop-to-uwp-root)
+Starting with Windows 10, version 1809, if you need to switch multiple devices in your environment from Windows 10 Pro in S mode to Windows 10 Pro, you can use Microsoft Intune or any other supported mobile device management software. You can configure devices to switch out of S mode during OOBE or post-OOBE - this gives you flexibility to manage Windows 10 in S mode devices at any point during the device lifecycle.
-## Repackage win32 apps into the MSIX format
-The MSIX Packaging Tool (Preview) is now available to install from the Microsoft Store. The MSIX Packaging Tool enables you to repackage your existing win32 applications to the MSIX format. You can run your desktop installers through this tool interactively and obtain an MSIX package that you can install on your machine and upload to the Microsoft Store.
+1. Start Microsoft Intune.
+2. Navigate to **Device configuration > Profiles > Windows 10 and later > Edition upgrade and mode switch**.
+3. Follow the instructions to complete the switch.
+
+
+## Block users from switching
+
+You can control which devices or users can use the Microsoft Store to switch out of S mode in Windows 10.
+To set this, go to **Device configuration > Profiles > Windows 10 and later > Edition upgrade and mode switch in Microsoft Intune**, and then choose **Keep in S mode**.
+
+## S mode management with CSPs
+
+In addition to using Microsoft Intune or another modern device management tool to manage S mode, you can also use the [WindowsLicensing](https://docs.microsoft.com/windows/client-management/mdm/windowslicensing-csp) configuration service provider (CSP). In Windows 10, version 1809, we added S mode functionality that lets you switch devices, block devices from switching, and check the status (whether a device is in S mode).
-[Explore MSIX app Packaging Tool](https://docs.microsoft.com/windows/application-management/msix-app-packaging-tool)
## Related topics
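Review bot: the third release bullet starts "Windows 10, version 1809, you can switch" and is missing the leading "In" that the 1709 and 1803 bullets have. The added "Use the following information to switch to Windows 10 Pro through the Microsoft Store." repeats the last sentence of the intro paragraph verbatim; remove one of them. In "Block users from switching", the bold navigation path runs on into "in Microsoft Intune"; end the bold after "Edition upgrade and mode switch". The hunk also deletes the Desktop Bridge and MSIX sections without replacement; say in the change description whether that guidance moved or was retired.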
diff --git a/windows/deployment/windows-autopilot/TOC.md b/windows/deployment/windows-autopilot/TOC.md
index 315115e706..e16013f4db 100644
--- a/windows/deployment/windows-autopilot/TOC.md
+++ b/windows/deployment/windows-autopilot/TOC.md
@@ -3,9 +3,12 @@
### [Configuration requirements](windows-autopilot-requirements-configuration.md)
### [Network requirements](windows-autopilot-requirements-network.md)
### [Licensing requirements](windows-autopilot-requirements-licensing.md)
+### [Intune Connector (preview)](intune-connector.md)
## [Scenarios and Capabilities](windows-autopilot-scenarios.md)
### [Support for existing devices](existing-devices.md)
### [User-driven mode](user-driven.md)
+#### [Azure Active Directory joined](user-driven-aad.md)
+#### [Hybrid Azure Active Directory joined](user-driven-hybrid.md)
### [Self-deploying mode](self-deploying.md)
### [Enrollment status page](enrollment-status.md)
### [Windows Autopilot Reset](windows-autopilot-reset.md)
diff --git a/windows/deployment/windows-autopilot/autopilot-faq.md b/windows/deployment/windows-autopilot/autopilot-faq.md
index 46286ceb3f..0eefe9fc9f 100644
--- a/windows/deployment/windows-autopilot/autopilot-faq.md
+++ b/windows/deployment/windows-autopilot/autopilot-faq.md
@@ -69,7 +69,7 @@ A [glossary](#glossary) of abbreviations used in this topic is provided at the e
| Question | Answer |
| --- | --- |
-| How does Autopilot handle motherboard replacement scenarios?” | Motherboard replacement is out for scope for Autopilot. Any device that is repaired or serviced in a way that alters the ability to identify the device for Windows Autopilot must go through the normal OOBE process, and manually select the right settings or apply a custom image - as is the case today.
To reuse the same device for Windows Autopilot after a motherboard replacement, the device would need to be de-registered from Autopilot, the motherboard replaced, a new 4K HH harvested, and then re-registered using the new 4K HH (or device ID).
**Note**: An OEM will not be able to use the OEM Direct API to re-register the device, since the the OEM Direct API only accepts a tuple or PKID. In this case, the OEM would either have to send the new 4K HH info via a CSV file to customer, and let customer reregister the device via MSfB or Intune.|
+| How does Autopilot handle motherboard replacement scenarios?” | Motherboard replacement is out for scope for Autopilot. Any device that is repaired or serviced in a way that alters the ability to identify the device for Windows Autopilot must go through the normal OOBE process, and manually select the right settings or apply a custom image - as is the case today.
To reuse the same device for Windows Autopilot after a motherboard replacement, the device would need to be de-registered from Autopilot, the motherboard replaced, a new 4K HH harvested, and then re-registered using the new 4K HH (or device ID).
**Note**: An OEM will not be able to use the OEM Direct API to re-register the device, since the OEM Direct API only accepts a tuple or PKID. In this case, the OEM would either have to send the new 4K HH info via a CSV file to customer, and let customer reregister the device via MSfB or Intune.|
## SMBIOS
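Review bot: the replacement row fixes "the the" in the Note but carries over three other errors in the same cell: "out for scope" should read "out of scope", the question ends with a stray closing quote (`scenarios?”`), and "would either have to send ... and let customer reregister" has an "either" with no alternative. Since the whole row is being rewritten anyway, fix these in the same change and settle on one spelling of "re-register"/"reregister".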
diff --git a/windows/deployment/windows-autopilot/images/connector-fail.png b/windows/deployment/windows-autopilot/images/connector-fail.png
new file mode 100644
index 0000000000..2d8abb5785
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/connector-fail.png differ
diff --git a/windows/deployment/windows-autopilot/intune-connector.md b/windows/deployment/windows-autopilot/intune-connector.md
new file mode 100644
index 0000000000..50ee521951
--- /dev/null
+++ b/windows/deployment/windows-autopilot/intune-connector.md
@@ -0,0 +1,52 @@
+---
+title: Intune Connector (preview) requirements
+description: Intune Connector (preview) issue workaround
+keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: low
+ms.sitesec: library
+ms.pagetype: deploy
+author: greg-lindsay
+ms.author: greg-lindsay
+ms.date: 11/26/2018
+---
+
+
+# Intune Connector (preview) language requirements
+
+**Applies to: Windows 10**
+
+Microsoft has released a [preview for Intune connector for Active Directory](https://docs.microsoft.com/intune/windows-autopilot-hybrid) that enables user-driven [Hybrid Azure Active Directory join](user-driven-hybrid.md) for Windows Autopilot.
+
+In this preview version of the Intune Connector, you might receive an error message indicating a setup failure with the following error code and message:
+
+**0x80070658 - Error applying transforms. Verify that the specified transform paths are valid.**
+
+An [example](#example) of the error message is displayed at the bottom of this topic.
+
+This error can be resolved by ensuring that the member server where Intune Connector is running has one of the following language packs installed and configured to be the default keyboard layout:
+
+| | | | | | | | | | | |
+| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
+| en-US | cs-CZ | da-DK | de-DE | el-GR | es-ES | fi-FI | fr-FR | hu-HU | it-IT | ja-JP |
+| ko-KR | nb-NO | nl-NL | pl-PL | pt-BR | ro-RO | ru-RU | sv-SE | tr-TR | zh-CN | zh-TW |
+
+>[!NOTE]
+>After installing the Intune Connector, you can restore the keyboard layout to its previous settings.
+>This solution is a workaround and will be fully resolved in a future release of the Intune Connector.
+
+To change the default keyboard layout:
+
+1. Click **Settings > Time & language > Region and language**
+2. Select one of the languages listed above and choose **Set as default**.
+
+If the language you need isn't listed, you can add additional languages by selecting **Add a language**.
+
+## Example
+
+The following is an example of the error message that can be displayed if one of the listed languages is not used during setup:
+
+
+
+
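Review bot: the workaround sentence treats two different settings as one: "has one of the following language packs installed and configured to be the default keyboard layout". The procedure then has the reader choose a language under **Region and language** and select **Set as default**, and the note talks about restoring "the keyboard layout". State which setting actually has to match the list (display language, input language, or keyboard layout) and use that term throughout. The front matter also disagrees with the heading: the title says "requirements", the description says "issue workaround", and the H1 says "language requirements". The locale table has an empty header row and step 1 lacks its closing period.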
diff --git a/windows/deployment/windows-autopilot/user-driven-aad.md b/windows/deployment/windows-autopilot/user-driven-aad.md
index 6da9e99b33..b63517060d 100644
--- a/windows/deployment/windows-autopilot/user-driven-aad.md
+++ b/windows/deployment/windows-autopilot/user-driven-aad.md
@@ -1,19 +1,35 @@
----
-title: User-driven mode for AAD
-description: Listing of Autopilot scenarios
-keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: low
-ms.sitesec: library
-ms.pagetype: deploy
-author: greg-lindsay
-ms.author: greg-lindsay
-ms.date: 10/02/2018
----
-
-# Windows Autopilot user-driven mode for Azure Active Directory
-
-**Applies to: Windows 10**
-
-PLACEHOLDER. This topic is a placeholder for the AAD-specific instuctions currently in user-driven.md.
+---
+title: User-driven mode for AAD
+description: Listing of Autopilot scenarios
+keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: low
+ms.sitesec: library
+ms.pagetype: deploy
+author: greg-lindsay
+ms.author: greg-lindsay
+ms.date: 11/07/2018
+---
+
+# Windows Autopilot user-driven mode for Azure Active Directory join
+
+**Applies to: Windows 10**
+
+## Procedures
+
+In order to perform a user-driven deployment using Windows Autopilot, the following preparation steps need to be completed:
+
+- Ensure that the users who will be performing user-driven mode deployments are able to join devices to Azure Active Directory. See [Configure device settings](https://docs.microsoft.com/azure/active-directory/device-management-azure-portal#configure-device-settings) in the Azure Active Directory documentation for more information.
+- Create an Autopilot profile for user-driven mode with the desired settings. In Microsoft Intune, this mode is explicitly chosen when creating the profile. With Microsoft Store for Business and Partner Center, user-driven mode is the default and does not need to be selected.
+- If using Intune, create a device group in Azure Active Directory and assign the Autopilot profile to that group.
+
+For each device that will be deployed using user-driven deployment, these additional steps are needed:
+
+- Ensure that the device has been added to Windows Autopilot. This can be done automatically by an OEM or partner at the time the device is purchased, or it can be done through a manual harvesting process later. See [Adding devices to Windows Autopilot](add-devices.md) for more information.
+- Ensure an Autopilot profile has been assigned to the device:
+ - If using Intune and Azure Active Directory dynamic device groups, this can be done automatically.
+ - If using Intune and Azure Active Directory static device groups, manually add the device to the device group.
+ - If using other methods (e.g. Microsoft Store for Business or Partner Center), manually assign an Autopilot profile to the device.
+
+Also see the **Validation** section in the [Windows Autopilot user-driven mode](user-driven.md) topic.
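Review bot: the front matter from the opening `---` through `ms.author` is removed and re-added with identical text, so the only real changes are `ms.date`, the H1 and the body. A whole-file rewrite like this usually means a line-ending or encoding change came along with the edit; confirm that is intended, since it hides the real change from reviewers and from blame history. The `description: Listing of Autopilot scenarios` value is also kept as is, although the topic now documents the Azure AD join procedure rather than a list of scenarios.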
diff --git a/windows/deployment/windows-autopilot/user-driven-hybrid.md b/windows/deployment/windows-autopilot/user-driven-hybrid.md
index 6f4a760dcc..a5fa678ff4 100644
--- a/windows/deployment/windows-autopilot/user-driven-hybrid.md
+++ b/windows/deployment/windows-autopilot/user-driven-hybrid.md
@@ -9,12 +9,32 @@ ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
ms.author: greg-lindsay
-ms.date: 10/02/2018
+ms.date: 11/12/2018
---
-# Windows Autopilot user-driven mode for Hybrid Azure Active Directory Join
+# Windows Autopilot user-driven mode for hybrid Azure Active Directory join
**Applies to: Windows 10**
-PLACEHOLDER. This topic is a placeholder for the AD-specific (hybrid) instuctions.
+Windows Autopilot requires that devices be Azure Active Directory joined. If you have an on-premises Active Directory environment and want to also join devices to your on-premises domain, you can accomplish this by configuring Autopilot devices to be [hybrid Azure Active Directory (AAD) joined](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan).
+
+## Requirements
+
+To perform a user-driven hybrid AAD joined deployment using Windows Autopilot:
+
+- A Windows Autopilot profile for user-driven mode must be created and
+ - **Hybrid Azure AD joined** must be specified as the selected option under **Join to Azure AD as** in the Autopilot profile.
+- If using Intune, a device group in Azure Active Directory must exist with the Windows Autopilot profile assigned to that group.
+- The device must be running Windows 10, version 1809 or later.
+- The device must be connected to the Internet and have access to an Active Directory domain controller.
+- The Intune Connector for Active Directory must be installed.
+ - Note: The Intune Connector will perform an on-prem AD join, therefore users do not need on-prem AD-join permission, assuming the Connector is [configured to perform this action](https://docs.microsoft.com/intune/windows-autopilot-hybrid#increase-the-computer-account-limit-in-the-organizational-unit) on the user's behalf.
+
+**AAD device join**: The hybrid AAD join process uses the system context to perform device AAD join, therefore it is not affected by user based AAD join permission settings. In addition, all users are enabled to join devices to AAD by default.
+
+## Step by step instructions
+
+See [Deploy hybrid Azure AD joined devices using Intune and Windows Autopilot](https://docs.microsoft.com/intune/windows-autopilot-hybrid).
+
+Also see the **Validation** section in the [Windows Autopilot user-driven mode](user-driven.md) topic.
\ No newline at end of file
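Review bot: the first requirement bullet ends on a dangling "and" ("must be created and") with the rest of the condition pushed into a sub-bullet; fold both into one sentence, for example "A Windows Autopilot profile for user-driven mode must be created with **Hybrid Azure AD joined** selected under **Join to Azure AD as**." The Connector sub-bullet says users need no on-prem AD-join permission "assuming the Connector is configured to perform this action", so it would help to say in the text which account holds that delegated right rather than leaving it to the linked article. The file also ends without a trailing newline.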
diff --git a/windows/deployment/windows-autopilot/user-driven.md b/windows/deployment/windows-autopilot/user-driven.md
index 1aa1ad5321..4fd86ef3b5 100644
--- a/windows/deployment/windows-autopilot/user-driven.md
+++ b/windows/deployment/windows-autopilot/user-driven.md
@@ -8,11 +8,13 @@ ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
-ms.date: 10/02/2018
+ms.date: 11/07/2018
ms.author: greg-lindsay
-ms.date: 10/02/2018
+ms.date: 11/07/2018
---
+# Windows Autopilot user-driven mode
+
Windows Autopilot user-driven mode is designed to enable new Windows 10 devices to be transformed from their initial state, directly from the factory, into a ready-to-use state without requiring that IT personnel ever touch the device. The process is designed to be simple so that anyone can complete it, enabling devices to be shipped or distributed to the end user directly with simple instructions:
- Unbox the device, plug it in, and turn it on.
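Review bot: the front matter carries `ms.date` twice, once after `author` and again after `ms.author`, and this hunk updates both copies instead of removing one. Duplicate keys in YAML front matter are resolved differently by different parsers, so drop the second `ms.date` line and keep a single value.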
@@ -24,21 +26,12 @@ After completing those simple steps, the remainder of the process is completely
Today, Windows Autopilot user-driven mode supports joining devices to Azure Active Directory. Support for Hybrid Azure Active Directory Join (with devices joined to an on-premises Active Directory domain) will be available in a future Windows 10 release. See [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction) for more information about the differences between these two join options.
-## Step by step
+## Available user-driven modes
-In order to perform a user-driven deployment using Windows Autopilot, the following preparation steps need to be completed:
+The following options are available for user-driven deployment:
-- Ensure that the users who will be performing user-driven mode deployments are able to join devices to Azure Active Directory. See [Configure device settings](https://docs.microsoft.com/azure/active-directory/device-management-azure-portal#configure-device-settings) in the Azure Active Directory documentation for more information.
-- Create an Autopilot profile for user-driven mode with the desired settings. In Microsoft Intune, this mode is explicitly chosen when creating the profile. With Microsoft Store for Business and Partner Center, user-driven mode is the default and does not need to be selected.
-- If using Intune, create a device group in Azure Active Directory and assign the Autopilot profile to that group.
-
-For each machine that will be deployed using user-driven deployment, these additional steps are needed:
-
-- Ensure that the device has been added to Windows Autopilot. This can be done automatically by an OEM or partner at the time the device is purchased, or it can be done through a manual harvesting process later. See [Adding devices to Windows Autopilot](add-devices.md) for more information.
-- Ensure an Autopilot profile has been assigned to the device:
- - If using Intune and Azure Active Directory dynamic device groups, this can be done automatically.
- - If using Intune and Azure Active Directory static device groups, manually add the device to the device group.
- - If using other methods (e.g. Microsoft Store for Business or Partner Center), manually assign an Autopilot profile to the device.
+- [Azure Active Directory join](user-driven-aad.md) is available if devices do not need to be joined to an on-prem Active Directory domain.
+- [Hybrid Azure Active Directory join](user-driven-hybrid.md) is available for devices that must be joined to both Azure Active Directory and your on-prem Active Directory domain.
## Validation
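Review bot: the unchanged paragraph just above the new section still says "Support for Hybrid Azure Active Directory Join ... will be available in a future Windows 10 release", which contradicts the added bullet that presents hybrid join as an available option and the hybrid topic's requirement of Windows 10, version 1809 or later. Update or remove that sentence in the same change. The new bullets also use "on-prem" where the rest of the topic writes "on-premises".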
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements-licensing.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements-licensing.md
index 2b9a7d76f8..e7df24a12c 100644
--- a/windows/deployment/windows-autopilot/windows-autopilot-requirements-licensing.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements-licensing.md
@@ -26,12 +26,13 @@ Windows Autopilot depends on specific capabilities available in Windows 10 and A
- Enterprise
- Education
- One of the following, to provide needed Azure Active Directory (automatic MDM enrollment and company branding features) and MDM functionality:
- - Microsoft 365 Business subscriptions
- - Microsoft 365 F1 subscriptions
- - Microsoft 365 Enterprise E3 or E5 subscriptions, which include all Windows 10, Office 365, and EM+S features (Azure AD and Intune)
- - Enterprise Mobility + Security E3 or E5 subscriptions, which include all needed Azure AD and Intune features
- - Azure Active Directory Premium P1 or P2 and Intune subscriptions (or an alternative MDM service)
+ - [Microsoft 365 Business subscriptions](https://www.microsoft.com/en-us/microsoft-365/business)
+ - [Microsoft 365 F1 subscriptions](https://www.microsoft.com/en-us/microsoft-365/enterprise/firstline)
+ - [Microsoft 365 Academic A1, A3, or A5 subscriptions](https://www.microsoft.com/en-us/education/buy-license/microsoft365/default.aspx)
+ - [Microsoft 365 Enterprise E3 or E5 subscriptions](https://www.microsoft.com/en-us/microsoft-365/enterprise), which include all Windows 10, Office 365, and EM+S features (Azure AD and Intune)
+ - [Enterprise Mobility + Security E3 or E5 subscriptions](https://www.microsoft.com/en-us/cloud-platform/enterprise-mobility-security), which include all needed Azure AD and Intune features
+ - [Azure Active Directory Premium P1 or P2](https://azure.microsoft.com/en-us/services/active-directory/) and [Microsoft Intune subscriptions](https://www.microsoft.com/en-us/cloud-platform/microsoft-intune) (or an alternative MDM service)
Additionally, the following are also recommended but not required:
-- Office 365 ProPlus, which can be deployed easily via Intune (or other MDM services)
+- [Office 365 ProPlus](https://www.microsoft.com/en-us/p/office-365-proplus/CFQ7TTC0K8R0), which can be deployed easily via Intune (or other MDM services)
- [Windows Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation), to automatically step up devices from Windows 10 Pro to Windows 10 Enterprise
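Review bot: every link added here hard-codes the `en-us` locale in the path (for example `https://www.microsoft.com/en-us/microsoft-365/business`), while the existing Windows Subscription Activation link in the same list is locale-neutral. Drop the locale segment where the site supports it so that localized readers are not pinned to the English pages. The hunk also adds a new licensing option (Microsoft 365 Academic A1, A3, or A5) alongside what is otherwise a link-only change; call that out in the commit message so it is not missed.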
diff --git a/windows/docfx.json b/windows/docfx.json
index f1253f1567..9ac35033eb 100644
--- a/windows/docfx.json
+++ b/windows/docfx.json
@@ -9,7 +9,7 @@
],
"resource": [
{
- "files": ["**/images/**", "**/*.json"],
+ "files": ["**/images/**"],
"exclude": ["**/obj/**"]
}
],
diff --git a/windows/hub/index.md b/windows/hub/index.md
index 16c86b4a0f..dac41359d2 100644
--- a/windows/hub/index.md
+++ b/windows/hub/index.md
@@ -71,7 +71,7 @@ The Windows 10 operating system introduces a new way to build, deploy, and servi
These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time.
- [Read more about Windows as a Service](/windows/deployment/update/waas-overview)
-- [Read how much space does Windows 10 take](https://www.microsoft.com/en-us/windows/windows-10-specifications)
+
## Related topics
[Windows 10 TechCenter](https://go.microsoft.com/fwlink/?LinkId=620009)
diff --git a/windows/privacy/TOC.md b/windows/privacy/TOC.md
index a229e2df1a..5a0db3b73e 100644
--- a/windows/privacy/TOC.md
+++ b/windows/privacy/TOC.md
@@ -1,6 +1,6 @@
# [Privacy](index.yml)
## [Beginning your General Data Protection Regulation (GDPR) journey for Windows 10](gdpr-win10-whitepaper.md)
-## [Windows 10 and the GDPR for IT Decision Makers](gdpr-it-guidance.md)
+## [Windows and the GDPR: Information for IT Administrators and Decision Makers](gdpr-it-guidance.md)
## [Windows 10 personal data services configuration](windows-personal-data-services-configuration.md)
## [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md)
## [Diagnostic Data Viewer Overview](diagnostic-data-viewer-overview.md)
@@ -14,7 +14,10 @@
## Full level categories
### [Windows 10, version 1709 and newer diagnostic data for the Full level](windows-diagnostic-data.md)
### [Windows 10, version 1703 diagnostic data for the Full level](windows-diagnostic-data-1703.md)
-## [Manage Windows 10 connection endpoints](manage-windows-endpoints.md)
+## Manage Windows 10 connection endpoints
+### [Connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md)
+### [Connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md)
+### [Connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md)
### [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md)
### [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md)
## [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
index dce0c91085..22aa33e4b3 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
@@ -9,7 +9,7 @@ ms.pagetype: security
localizationpriority: high
author: brianlic-msft
ms.author: brianlic
-ms.date: 09/10/2018
+ms.date: 11/07/2018
---
@@ -28,6 +28,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th
You can learn more about Windows functional and diagnostic data through these articles:
+
- [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md)
- [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md)
- [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md)
@@ -60,15 +61,15 @@ The following fields are available:
- **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting the next release of Windows on this device.
- **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting the next release of Windows on this device.
- **DecisionSystemBios_RS3** The total DecisionSystemBios objects targeting the next release of Windows on this device.
-- **InventoryLanguagePack** The count of DecisionApplicationFile objects present on this machine targeting the next release of Windows
-- **InventorySystemBios** The count of DecisionDevicePnp objects present on this machine targeting the next release of Windows
-- **PCFP** The count of DecisionDriverPackage objects present on this machine targeting the next release of Windows
-- **SystemProcessorCompareExchange** The count of DecisionMatchingInfoBlock objects present on this machine targeting the next release of Windows
-- **SystemProcessorNx** The count of DataSourceMatchingInfoPostUpgrade objects present on this machine targeting the next release of Windows
-- **SystemProcessorSse2** The count of DecisionMatchingInfoPostUpgrade objects present on this machine targeting the next release of Windows
-- **SystemWim** The count of DecisionMediaCenter objects present on this machine targeting the next release of Windows
-- **SystemWindowsActivationStatus** The count of DecisionSystemBios objects present on this machine targeting the next release of Windows
-- **SystemWlan** The count of InventoryApplicationFile objects present on this machine.
+- **InventoryLanguagePack** The total InventoryLanguagePack objects that are present on this device.
+- **InventorySystemBios** The total InventorySystemBios objects that are present on this device.
+- **PCFP** An ID for the system that is calculated by hashing hardware identifiers.
+- **SystemProcessorCompareExchange** The total SystemProcessorCompareExchange objects that are present on this device.
+- **SystemProcessorNx** The total SystemProcessorNx objects that are present on this device.
+- **SystemProcessorSse2** The total SystemProcessorSse2 objects that are present on this device.
+- **SystemWim** The total SystemWim objects that are present on this device
+- **SystemWindowsActivationStatus** The total SystemWindowsActivationStatus objects that are present on this device.
+- **SystemWlan** The total SystemWlan objects that are present on this device.
- **Wmdrm_RS3** The total Wmdrm objects targeting the next release of Windows on this device.
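Review bot: the new `SystemWim` description is the only one in the corrected block without a closing period ("that are present on this device"). The corrected lines also say "on this device", while the context lines above still read "targeting the next release of Windows on this device"; if these counts are also scoped to the next release, say so, otherwise the difference should be deliberate.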
@@ -1472,6 +1473,12 @@ The following fields are available:
- **SocketCount** Number of physical CPU sockets of the machine.
+### Census.Security
+
+Provides information on several important data points about security settings.
+
+
+
### Census.Speech
This event is used to gather basic speech settings on the device.
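Review bot: `Census.Security` is added with a one-line description and no field list, unlike the neighbouring Census events, which follow the description with "The following fields are available:". For a topic whose purpose is to disclose what is collected, an event described as covering "several important data points about security settings" needs those data points listed, or a statement that the event carries no fields at this level.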
@@ -2058,6 +2065,23 @@ The following fields are available:
- **devinv.dll** The file version of the Device inventory component.
+### Microsoft.Windows.Inventory.Core.FileSigningInfoAdd
+
+This event enumerates the signatures of files, either driver packages or application executables. For driver packages, this data is collected on demand via Telecommand to limit it only to unrecognized driver packages, saving time for the client and space on the server. For applications, this data is collected for up to 10 random executables on a system.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **CatalogSigners** Signers from catalog. Each signer starts with Chain.
+- **DriverPackageStrongName** Optional. Available only if FileSigningInfo is collected on a driver package.
+- **EmbeddedSigners** Embedded signers. Each signer starts with Chain.
+- **FileName** The file name of the file whose signatures are listed.
+- **FileType** Either exe or sys, depending on if a driver package or application executable.
+- **InventoryVersion** The version of the inventory file generating the events.
+- **Thumbprint** Comma separated hash of the leaf node of each signer. Semicolon is used to separate CatalogSigners from EmbeddedSigners. There will always be a trailing comma.
+
+
### Microsoft.Windows.Inventory.Core.InventoryApplicationAdd
This event sends basic metadata about an application on the system to help keep Windows up to date.
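Review bot: the `Thumbprint` description leaves the format underspecified: it does not name the hash algorithm, and "Comma separated hash of the leaf node of each signer" followed by "There will always be a trailing comma" does not say whether the trailing comma follows each group or only the end of the value. Give the algorithm and the delimiter rules precisely, since anyone parsing or auditing this field depends on them. "Comma separated" should be hyphenated, and the `FileType` text "depending on if a driver package or application executable" reads better as "depending on whether the file is a driver package or an application executable".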
@@ -2251,7 +2275,7 @@ The following fields are available:
- **Enumerator** The bus that enumerated the device
- **HWID** A JSON array that provides the value and order of the HWID tree for the device. See [HWID](#hwid).
- **Inf** The INF file name.
-- **InstallState** The device installation state. One of these values: https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx
+- **InstallState** The device installation state. One of these values: https://msdn.microsoft.com/en-us/library/windows/hardware/ff543130.aspx
- **InventoryVersion** The version of the inventory file generating the events.
- **LowerClassFilters** Lower filter class drivers IDs installed for the device.
- **LowerFilters** Lower filter drivers IDs installed for the device
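Review bot: the only change to `InstallState` is inserting `en-us` into the MSDN URL, which turns a locale-neutral link into a locale-pinned one. Unless the neutral form was broken, keep the original URL; if it was broken, say so in the commit message. The bare URL would also read better as a named link.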
@@ -2379,6 +2403,90 @@ The following fields are available:
- **InventoryVersion** The version of the inventory file generating the events.
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd
+
+Invalid variant - Provides data on the installed Office Add-ins
+
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInRemove
+
+Indicates that this particular data object represented by the objectInstanceId is no longer present.
+
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInStartSync
+
+This event indicates that a new sync is being generated for this object type.
+
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersAdd
+
+Provides data on the Office identifiers.
+
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersStartSync
+
+Diagnostic event to indicate a new sync is being generated for this object type.
+
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsAdd
+
+Provides data on Office-related Internet Explorer features.
+
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsStartSync
+
+Diagnostic event to indicate a new sync is being generated for this object type.
+
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsAdd
+
+This event provides insight data on the installed Office products
+
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsAdd
+
+Describes Office Products installed.
+
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsStartSync
+
+Diagnostic event to indicate a new sync is being generated for this object type.
+
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsAdd
+
+This event describes various Office settings
+
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsStartSync
+
+Indicates a new sync is being generated for this object type.
+
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd
+
+Provides data on Unified Update Platform (UUP) products and what version they are at.
+
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoStartSync
+
+Diagnostic event to indicate a new sync is being generated for this object type.
+
+
+
### Microsoft.Windows.Inventory.Indicators.Checksum
This event summarizes the counts for the InventoryMiscellaneousUexIndicatorAdd events.
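Review bot: the description for `InventoryMiscellaneousOfficeAddInAdd` begins with "Invalid variant - ", which looks like residue from the tool that generated these entries rather than text meant for publication; remove it or explain it. None of the fourteen events added here lists its fields, while the surrounding events follow the description with "The following fields are available:", so readers cannot tell what is collected. Several descriptions also lack a closing period ("Office Add-ins", "Office products", "Office settings").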
@@ -2546,14 +2654,14 @@ The following fields are available:
- **AppVersion** The version of the app.
- **BuildArch** Is the architecture x86 or x64?
- **Environment** Is the device on the production or int service?
-- **IsMSFTInternal** Is this an internal Microsoft device?
-- **MachineGuid** The CEIP machine ID.
+- **IsMSFTInternal** TRUE if the device is an internal Microsoft device.
+- **MachineGuid** The GUID (Globally Unique ID) that identifies the machine for the CEIP (Customer Experience Improvement Program).
- **Market** Which market is this in?
- **OfficeVersion** The version of Office that is installed.
- **OneDriveDeviceId** The OneDrive device ID.
- **OSDeviceName** Only if the device is internal to Microsoft, the device name.
- **OSUserName** Only if the device is internal to Microsoft, the user name.
-- **UserGuid** A unique global user identifier.
+- **UserGuid** The GUID (Globally Unique ID) of the user currently logged in.
### Microsoft.OneDrive.Sync.Updater.ComponentInstallState
@@ -2605,12 +2713,12 @@ The following fields are available:
### Microsoft.OneDrive.Sync.Updater.UpdateOverallResult
-This event determines the outcome of the operation.
+This event sends information describing the result of the update.
The following fields are available:
- **hr** The HResult of the operation.
-- **IsLoggingEnabled** Is logging enabled?
+- **IsLoggingEnabled** Indicates whether logging is enabled for the updater.
- **UpdaterVersion** The version of the updater.
@@ -2642,11 +2750,48 @@ The following fields are available:
- **winInetError** The HResult of the operation.
+## Other events
+
+### Microsoft.Xbox.XamTelemetry.AppActivationError
+
+This event indicates whether the system detected an activation error in the app.
+
+The following fields are available:
+
+- **ActivationUri** Activation URI (Uniform Resource Identifier) used in the attempt to activate the app.
+- **AppId** The Xbox LIVE Title ID.
+- **AppUserModelId** The AUMID (Application User Model ID) of the app to activate.
+- **Result** The HResult error.
+- **UserId** The Xbox LIVE User ID (XUID).
+
+
+### Microsoft.Xbox.XamTelemetry.AppActivity
+
+This event is triggered whenever the current app state is changed by: launch, switch, terminate, snap, etc.
+
+The following fields are available:
+
+- **AppActionId** The ID of the application action.
+- **AppCurrentVisibilityState** The ID of the current application visibility state.
+- **AppId** The Xbox LIVE Title ID of the app.
+- **AppPackageFullName** The full name of the application package.
+- **AppPreviousVisibilityState** The ID of the previous application visibility state.
+- **AppSessionId** The application session ID.
+- **AppType** The type ID of the application (AppType_NotKnown, AppType_Era, AppType_Sra, AppType_Uwa).
+- **BCACode** The BCA (Burst Cutting Area) mark code of the optical disc used to launch the application.
+- **DurationMs** The amount of time (in milliseconds) since the last application state transition.
+- **IsTrialLicense** This boolean value is TRUE if the application is on a trial license.
+- **LicenseType** The type of licensed used to authorize the app (0 - Unknown, 1 - User, 2 - Subscription, 3 - Offline, 4 - Disc).
+- **LicenseXuid** If the license type is 1 (User), this field contains the XUID (Xbox User ID) of the registered owner of the license.
+- **ProductGuid** The Xbox product GUID (Globally-Unique ID) of the application.
+- **UserId** The XUID (Xbox User ID) of the current user.
+
+
## Remediation events
### Microsoft.Windows.Remediation.Applicable
-This event indicates a remedial plug-in is applicable if/when such a plug-in is detected. This is used to ensure Windows is up to date.
+This event sends simple device connectivity and configuration data about an application installed on the system that helps keep the Windows Update stack healthy.
The following fields are available:
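Review bot: in `AppActivity`, the `LicenseType` description has a typo, "The type of licensed used to authorize the app"; it should read "The type of license". The new "## Other events" section is inserted between the OneDrive events and "## Remediation events", which breaks the alphabetical order of the area headings if that is the convention here. The replaced description for `Remediation.Applicable` at the end of the hunk also drops the statement of when the event fires (a remedial plug-in being detected as applicable) in favour of a generic sentence; keep the trigger in the description.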
@@ -2669,7 +2814,7 @@ The following fields are available:
- **HResult** The HRESULT for detection or perform action phases of the plugin.
- **IsAppraiserLatestResult** The HRESULT from the appraiser task.
- **IsConfigurationCorrected** Indicates whether the configuration of SIH task was successfully corrected.
-- **LastHresult** The HRESULT for detection or perform action phases of the plugin.
+- **LastHresult** The HResult of the operation.
- **LastRun** The date of the most recent SIH run.
- **NextRun** Date of the next scheduled SIH run.
- **PackageVersion** The version of the current remediation package.
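Review bot: the new LastHresult text, "The HResult of the operation", removes the duplicate of the HResult line above it but does not say which operation is meant. If it is the result of the most recent run (the neighbouring fields are LastRun and NextRun), say so explicitly. The spelling now also differs from the two fields directly above, which write HRESULT.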
@@ -2730,7 +2875,7 @@ The following fields are available:
### Microsoft.Windows.Remediation.Completed
-This event enables completion tracking of a process that remediates issues preventing security and quality updates.
+This event sends simple device connectivity and configuration data about an application installed on the system that helps keep the Windows Update stack healthy.
The following fields are available:
@@ -2807,7 +2952,7 @@ The following fields are available:
- **usoScanIsNoAutoUpdateKeyPresent** TRUE if no Auto Update registry key is set/present.
- **usoScanIsUserLoggedOn** TRUE if the user is logged on.
- **usoScanPastThreshold** TRUE if the most recent USO (Update Session Orchestrator) scan is past the threshold (late).
-- **usoScanType** The type of USO (Update Session Orchestrator) scan (Interactive or Background).
+- **usoScanType** The type of USO (Update Session Orchestrator) scan: "Interactive" or "Background".
- **WindowsHyberFilSysSizeInMegabytes** The size of the Windows Hibernation file, measured in Megabytes.
- **WindowsInstallerFolderSizeInMegabytes** The size of the Windows Installer folder, measured in Megabytes.
- **WindowsOldFolderSizeInMegabytes** The size of the Windows.OLD folder, measured in Megabytes.
@@ -2819,156 +2964,17 @@ The following fields are available:
- **WindowsSxsTempFolderSizeInMegabytes** The size of the WinSxS (Windows Side-by-Side) Temp folder, measured in Megabytes.
-### Microsoft.Windows.Remediation.DiskCleanUnExpectedErrorEvent
-
-This event indicates that an unexpected error occurred during an update and provides information to help address the issue.
-
-The following fields are available:
-
-- **CV** The Correlation vector.
-- **ErrorMessage** A description of any errors encountered while the plug-in was running.
-- **GlobalEventCounter** The client-side counter that indicates ordering of events.
-- **Hresult** The result of the event execution.
-- **PackageVersion** The version number of the current remediation package.
-- **SessionGuid** GUID associated with a given execution of sediment pack.
-
-
-### Microsoft.Windows.Remediation.Error
-
-This event indicates a Sediment Pack error (update stack failure) has been detected and provides information to help address the issue.
-
-The following fields are available:
-
-- **HResult** The result of the event execution.
-- **Message** A message containing information about the error that occurred.
-- **PackageVersion** The version number of the current remediation package.
-
-
-### Microsoft.Windows.Remediation.FallbackError
-
-This event indicates an error when Self Update results in a Fallback and provides information to help address the issue.
-
-The following fields are available:
-
-- **s0** Indicates the Fallback error level. See [Microsoft.Windows.Remediation.wilResult](#microsoftwindowsremediationwilresult).
-- **wilResult** The result of the Windows Installer Logging. See [wilResult](#wilresult).
-
-
-### Microsoft.Windows.Remediation.RemediationNotifyUserFixIssuesInvokeUIEvent
-
-This event occurs when the Notify User task executes and provides information about the cause of the notification.
-
-The following fields are available:
-
-- **CV** The Correlation vector.
-- **GlobalEventCounter** The client-side counter that indicates ordering of events.
-- **PackageVersion** The version number of the current remediation package.
-- **RemediationNotifyUserFixIssuesCallResult** The result of calling the USO (Update Session Orchestrator) sequence steps.
-- **RemediationNotifyUserFixIssuesUsoDownloadCalledHr** The error code from the USO (Update Session Orchestrator) download call.
-- **RemediationNotifyUserFixIssuesUsoInitializedHr** The error code from the USO (Update Session Orchestrator) initialize call.
-- **RemediationNotifyUserFixIssuesUsoProxyBlanketHr** The error code from the USO (Update Session Orchestrator) proxy blanket call.
-- **RemediationNotifyUserFixIssuesUsoSetSessionHr** The error code from the USO (Update Session Orchestrator) session call.
-
-
-### Microsoft.Windows.Remediation.RemediationShellFailedAutomaticAppUpdateModifyEventId
-
-This event provides the modification of the date on which an Automatic App Update scheduled task failed and provides information about the failure.
-
-The following fields are available:
-
-- **CV** The Correlation Vector.
-- **GlobalEventCounter** The client-side counter that indicates ordering of events.
-- **hResult** The result of the event execution.
-- **PackageVersion** The version number of the current remediation package.
-
-
-### Microsoft.Windows.Remediation.RemediationShellUnexpectedExceptionId
-
-This event identifies the remediation plug-in that returned an unexpected exception and provides information about the exception.
-
-The following fields are available:
-
-- **CV** The Correlation Vector.
-- **GlobalEventCounter** The client-side counter that indicates ordering of events.
-- **PackageVersion** The version number of the current remediation package.
-- **RemediationShellUnexpectedExceptionId** The ID of the remediation plug-in that caused the exception.
-
-
-### Microsoft.Windows.Remediation.RemediationUHEnableServiceFailed
-
-This event tracks the health of key update (Remediation) services and whether they are enabled.
-
-The following fields are available:
-
-- **CV** The Correlation Vector.
-- **GlobalEventCounter** The client-side counter that indicates ordering of events.
-- **hResult** The result of the event execution.
-- **PackageVersion** The version number of the current remediation package.
-- **serviceName** The name associated with the operation.
-
-
-### Microsoft.Windows.Remediation.RemediationUpgradeSucceededDataEventId
-
-This event returns information about the upgrade upon success to help ensure Windows is up to date.
-
-The following fields are available:
-
-- **AppraiserPlugin** TRUE / FALSE depending on whether the Appraiser plug-in task fix was successful.
-- **ClearAUOptionsPlugin** TRUE / FALSE depending on whether the AU (Auto Updater) Options registry keys were successfully deleted.
-- **CV** The Correlation Vector.
-- **DatetimeSyncPlugin** TRUE / FALSE depending on whether the DateTimeSync plug-in ran successfully.
-- **DiskCleanupPlugin** TRUE / FALSE depending on whether the DiskCleanup plug-in ran successfully.
-- **GlobalEventCounter** The client-side counter that indicates ordering of events.
-- **NoisyHammerPlugin** TRUE / FALSE depending on whether the NoisyHammer plug-in ran successfully.
-- **PackageVersion** The version number of the current remediation package.
-- **RebootRequiredPlugin** TRUE / FALSE depending on whether the Reboot plug-in ran successfully.
-- **RemediationNotifyUserFixIssuesPlugin** TRUE / FALSE depending on whether the User Fix Issues plug-in ran successfully
-- **RemediationPostUpgradeDiskSpace** The amount of disk space available after the upgrade.
-- **RemediationPostUpgradeHibernationSize** The size of the Hibernation file after the upgrade.
-- **ServiceHealthPlugin** A list of services updated by the plug-in.
-- **SIHHealthPlugin** TRUE / FALSE depending on whether the SIH Health plug-in ran successfully.
-- **StackDataResetPlugin** TRUE / FALSE depending on whether the update stack completed successfully.
-- **TaskHealthPlugin** A list of tasks updated by the plug-in.
-- **UpdateApplicabilityFixerPlugin** TRUE / FALSE depending on whether the update applicability fixer plug-in completed successfully.
-- **WindowsUpdateEndpointPlugin** TRUE / FALSE depending on whether the Windows Update Endpoint was successful.
-
-
### Microsoft.Windows.Remediation.Started
-This event reports whether a plug-in started, to help ensure Windows is up to date.
+This event sends simple device connectivity and configuration data about an application installed on the system that helps keep the Windows Update stack healthy.
The following fields are available:
-- **CV** The Correlation Vector.
-- **GlobalEventCounter** The client-side counter that indicates ordering of events.
-- **PackageVersion** The version number of the current remediation package.
-- **PluginName** The name of the plug-in specified for each generic plug-in event.
-- **Result** The HRESULT for Detection or Perform Action phases of the plug-in.
-
-
-### Microsoft.Windows.Remediation.wilResult
-
-This event provides Self Update information to help keep Windows up to date.
-
-The following fields are available:
-
-- **callContext** A list of diagnostic activities containing this error.
-- **currentContextId** An identifier for the newest diagnostic activity containing this error.
-- **currentContextMessage** A message associated with the most recent diagnostic activity containing this error (if any).
-- **currentContextName** Name of the most recent diagnostic activity containing this error.
-- **failureCount** Number of failures seen within the binary where the error occurred.
-- **failureId** The identifier assigned to this failure.
-- **failureType** Indicates the type of failure observed (exception, returned, error, logged error, or fail fast).
-- **fileName** The source code file name where the error occurred.
-- **function** The name of the function where the error occurred.
-- **hresult** The failure error code.
-- **lineNumber** The Line Number within the source code file where the error occurred.
-- **message** A message associated with the failure (if any).
-- **module** The name of the binary module in which the error occurred.
-- **originatingContextId** The identifier for the oldest diagnostic activity containing this error.
-- **originatingContextMessage** A message associated with the oldest diagnostic activity containing this error (if any).
-- **originatingContextName** The name of the oldest diagnostic activity containing this error.
-- **threadId** The identifier of the thread the error occurred on.
+- **CV** Correlation vector.
+- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
+- **PackageVersion** Current package version of Remediation.
+- **PluginName** Name of the plugin specified for each generic plugin event.
+- **Result** This is the HRESULT for detection or perform action phases of the plugin.
## Sediment events
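Review bot: in the rewritten Remediation.Started field list, GlobalEventCounter gains "sent by this user", while the SedimentLauncher and SedimentService hunks below remove exactly that phrase from the same field; pick one wording for the whole file. The other four replaced lines change no meaning and only swap style ("The Correlation Vector." to "Correlation vector.", "plug-in" to "plugin"), so unless that restyling is intended they are better left as they were.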
@@ -3320,15 +3326,17 @@ The following fields are available:
- **Time** The system time at which the event occurred.
+## Sediment Launcher events
+
### Microsoft.Windows.SedimentLauncher.Applicable
-Indicates whether a given plugin is applicable.
+This event sends simple device connectivity and configuration data about an application installed on the system that helps keep the Windows Update stack healthy.
The following fields are available:
- **CV** Correlation vector.
- **DetectedCondition** Boolean true if detect condition is true and perform action will be run.
-- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
+- **GlobalEventCounter** Client side counter which indicates ordering of events.
- **IsSelfUpdateEnabledInOneSettings** True if self update enabled in Settings.
- **IsSelfUpdateNeeded** True if self update needed by device.
- **PackageVersion** Current package version of Remediation.
@@ -3338,97 +3346,43 @@ The following fields are available:
### Microsoft.Windows.SedimentLauncher.Completed
-Indicates whether a given plugin has completed its work.
+This event sends simple device connectivity and configuration data about an application installed on the system that helps keep the Windows Update stack healthy.
The following fields are available:
- **CV** Correlation vector.
- **FailedReasons** Concatenated list of failure reasons.
-- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
+- **GlobalEventCounter** Client side counter which indicates ordering of events.
- **PackageVersion** Current package version of Remediation.
- **PluginName** Name of the plugin specified for each generic plugin event.
- **Result** This is the HRESULT for detection or perform action phases of the plugin.
- **SedLauncherExecutionResult** HRESULT for one execution of the Sediment Launcher.
-### Microsoft.Windows.SedimentLauncher.Error
-
-This event indicates an error occurred during the execution of the plug-in. The information provided helps ensure future upgrade/update attempts are more successful.
-
-The following fields are available:
-
-- **HResult** The result for the Detection or Perform Action phases of the plug-in.
-- **Message** A message containing information about the error that occurred (if any).
-- **PackageVersion** The version number of the current remediation package.
-
-
-### Microsoft.Windows.SedimentLauncher.FallbackError
-
-This event indicates that an error occurred during execution of the plug-in fallback.
-
-The following fields are available:
-
-- **s0** Error occurred during execution of the plugin fallback. See [Microsoft.Windows.SedimentLauncher.wilResult](#microsoftwindowssedimentlauncherwilresult).
-
-
-### Microsoft.Windows.SedimentLauncher.Information
-
-This event provides general information returned from the plug-in.
-
-The following fields are available:
-
-- **HResult** This is the HRESULT for detection or perform action phases of the plugin.
-- **Message** Information message returned from a plugin containing only information internal to the plugins execution.
-- **PackageVersion** Current package version of Remediation.
-
-
### Microsoft.Windows.SedimentLauncher.Started
-This event indicates that a given plug-in has started.
+This event sends simple device connectivity and configuration data about an application installed on the system that helps keep the Windows Update stack healthy.
The following fields are available:
- **CV** Correlation vector.
-- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
+- **GlobalEventCounter** Client side counter which indicates ordering of events.
- **PackageVersion** Current package version of Remediation.
- **PluginName** Name of the plugin specified for each generic plugin event.
- **Result** This is the HRESULT for detection or perform action phases of the plugin.
-### Microsoft.Windows.SedimentLauncher.wilResult
-
-This event provides the result from the Windows internal library.
-
-The following fields are available:
-
-- **callContext** List of telemetry activities containing this error.
-- **currentContextId** Identifier for the newest telemetry activity containing this error.
-- **currentContextMessage** Custom message associated with the newest telemetry activity containing this error (if any).
-- **currentContextName** Name of the newest telemetry activity containing this error.
-- **failureCount** Number of failures seen within the binary where the error occurred.
-- **failureId** Identifier assigned to this failure.
-- **failureType** Indicates what type of failure was observed (exception, returned error, logged error or fail fast).
-- **fileName** Source code file name where the error occurred.
-- **function** Name of the function where the error occurred.
-- **hresult** Failure error code.
-- **lineNumber** Line number within the source code file where the error occurred.
-- **message** Custom message associated with the failure (if any).
-- **module** Name of the binary where the error occurred.
-- **originatingContextId** Identifier for the oldest telemetry activity containing this error.
-- **originatingContextMessage** Custom message associated with the oldest telemetry activity containing this error (if any).
-- **originatingContextName** Name of the oldest telemetry activity containing this error.
-- **threadId** Identifier of the thread the error occurred on.
-
+## Sediment Service events
### Microsoft.Windows.SedimentService.Applicable
-This event indicates whether a given plug-in is applicable.
+This event sends simple device connectivity and configuration data about a service on the system that helps keep Windows up to date.
The following fields are available:
- **CV** Correlation vector.
- **DetectedCondition** Determine whether action needs to run based on device properties.
-- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
+- **GlobalEventCounter** Client side counter which indicates ordering of events.
- **IsSelfUpdateEnabledInOneSettings** Indicates if self update is enabled in One Settings.
- **IsSelfUpdateNeeded** Indicates if self update is needed.
- **PackageVersion** Current package version of Remediation.
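Review bot: this hunk deletes the SedimentLauncher.Error, FallbackError, Information and wilResult sections outright, and nothing in the visible change says whether those events are no longer sent or are only no longer documented. For a reference whose purpose is to list the diagnostic data a device emits, that distinction matters, particularly for Error and Information, whose Message field is free text. Please state the reason in the commit message or PR description; the same question applies to the Remediation.* sections removed above and the SedimentService.* sections removed below.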
@@ -3438,13 +3392,13 @@ The following fields are available:
### Microsoft.Windows.SedimentService.Completed
-This event indicates whether a given plug-in has completed its work.
+This event sends simple device connectivity and configuration data about a service on the system that helps keep Windows up to date.
The following fields are available:
- **CV** Correlation vector.
- **FailedReasons** List of reasons when the plugin action failed.
-- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
+- **GlobalEventCounter** Client side counter which indicates ordering of events.
- **PackageVersion** Current package version of Remediation.
- **PluginName** Name of the plugin specified for each generic plugin event.
- **Result** This is the HRESULT for detection or perform action phases of the plugin.
@@ -3458,40 +3412,9 @@ The following fields are available:
- **SedimentServiceTotalIterations** Number of 5 second iterations service will wait before running again.
-### Microsoft.Windows.SedimentService.Error
-
-This event indicates whether an error condition occurred in the plug-in.
-
-The following fields are available:
-
-- **HResult** This is the HRESULT for detection or perform action phases of the plugin.
-- **Message** Custom message associated with the failure (if any).
-- **PackageVersion** Current package version of Remediation.
-
-
-### Microsoft.Windows.SedimentService.FallbackError
-
-This event indicates whether an error occurred for a fallback in the plug-in.
-
-The following fields are available:
-
-- **s0** Event returned when an error occurs for a fallback in the plugin. See [Microsoft.Windows.SedimentService.wilResult](#microsoftwindowssedimentservicewilresult).
-
-
-### Microsoft.Windows.SedimentService.Information
-
-This event provides general information returned from the plug-in.
-
-The following fields are available:
-
-- **HResult** This is the HRESULT for detection or perform action phases of the plugin.
-- **Message** Custom message associated with the failure (if any).
-- **PackageVersion** Current package version of Remediation.
-
-
### Microsoft.Windows.SedimentService.Started
-This event indicates a specified plug-in has started. This information helps ensure Windows is up to date.
+This event sends simple device connectivity and configuration data about a service on the system that helps keep Windows up to date.
The following fields are available:
@@ -3502,31 +3425,6 @@ The following fields are available:
- **Result** This is the HRESULT for Detection or Perform Action phases of the plugin.
-### Microsoft.Windows.SedimentService.wilResult
-
-This event provides the result from the Windows internal library.
-
-The following fields are available:
-
-- **callContext** List of telemetry activities containing this error.
-- **currentContextId** Identifier for the newest telemetry activity containing this error.
-- **currentContextMessage** Custom message associated with the newest telemetry activity containing this error (if any).
-- **currentContextName** Name of the newest telemetry activity containing this error.
-- **failureCount** Number of failures seen within the binary where the error occurred.
-- **failureId** Identifier assigned to this failure.
-- **failureType** Indicates what type of failure was observed (exception, returned error, logged error or fail fast).
-- **fileName** Source code file name where the error occurred.
-- **function** Name of the function where the error occurred.
-- **hresult** Failure error code.
-- **lineNumber** Line number within the source code file where the error occurred.
-- **message** Custom message associated with the failure (if any).
-- **module** Name of the binary where the error occurred.
-- **originatingContextId** Identifier for the oldest telemetry activity containing this error.
-- **originatingContextMessage** Custom message associated with the oldest telemetry activity containing this error (if any).
-- **originatingContextName** Name of the oldest telemetry activity containing this error.
-- **threadId** Identifier of the thread the error occurred on.
-
-
## Setup events
### SetupPlatformTel.SetupPlatformTelActivityEvent
@@ -3821,7 +3719,7 @@ The following fields are available:
- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one
- **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download.
- **RevisionNumber** Identifies the revision number of this specific piece of content.
-- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.).
+- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.).
- **Setup360Phase** If the download is for an operating system upgrade, this datapoint indicates which phase of the upgrade is underway.
- **ShippingMobileOperator** The mobile operator that a device shipped on.
- **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult).
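Review bot: the only change in this hunk rewrites "Microsoft Store" to "Windows Store" in the ServiceGuid description, which goes back to the store's earlier name. If that is deliberate for the Windows version this page covers, fine; otherwise keep the removed line.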
@@ -4118,6 +4016,22 @@ The following fields are available:
- **UpdateId** Unique ID for each update.
+### Update360Telemetry.UpdateAgent_FellBackToCanonical
+
+This event collects information when Express could not be used, and the update had to fall back to “canonical” during the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop.
+
+The following fields are available:
+
+- **FlightId** Unique ID for the flight (test instance version).
+- **ObjectId** The unique value for each Update Agent mode.
+- **PackageCount** The number of packages that fell back to “canonical”.
+- **PackageList** PackageIDs which fell back to “canonical”.
+- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan.
+- **ScenarioId** The ID of the update scenario.
+- **SessionId** The ID of the update attempt.
+- **UpdateId** The ID of the update.
+
+
### Update360Telemetry.UpdateAgent_Initialize
This event sends data during the initialize phase of updating Windows.
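Review bot: RelatedCV in the new UpdateAgent_FellBackToCanonical list expands USO as "Update Service Orchestrator", while the Remediation.Completed fields earlier in this file expand it as "Update Session Orchestrator"; use one expansion throughout. The description would also read better as two sentences than with "update scenario; which is leveraged by both Mobile and Desktop", and it uses "Express" and "canonical" without saying they are package types, which the PackageCountTotalExpress and PackageCountTotalCanonical fields added later in this patch suggest they are.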
@@ -4152,6 +4066,22 @@ The following fields are available:
- **UpdateId** Unique ID for each update.
+### Update360Telemetry.UpdateAgent_Merge
+
+This event sends data on the merge phase when updating Windows.
+
+The following fields are available:
+
+- **ErrorCode** The error code returned for the current reboot.
+- **FlightId** Unique ID for the flight (test instance version).
+- **ObjectId** The unique value for each Update Agent mode.
+- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan.
+- **Result** The HResult of the event.
+- **ScenarioId** The ID of the update scenario.
+- **SessionId** The ID of the update attempt.
+- **UpdateId** The ID of the update.
+
+
### Update360Telemetry.UpdateAgent_ModeStart
This event sends data for the start of each mode during the process of updating Windows.
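Review bot: in UpdateAgent_Merge, ErrorCode is described as "The error code returned for the current reboot", which does not fit an event about the merge phase and reads as carried over from a reboot event; it should name the merge phase. It would also help to say how ErrorCode differs from Result ("The HResult of the event"), since both read as the outcome of the same step. RelatedCV repeats the "Update Service Orchestrator" expansion of USO.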
@@ -4184,6 +4114,130 @@ The following fields are available:
- **UpdateId** Unique ID for each update.
+### Update360Telemetry.UpdateAgentDownloadRequest
+
+This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to PC and Mobile.
+
+The following fields are available:
+
+- **DeletedCorruptFiles** Boolean indicating whether corrupt payload was deleted.
+- **DownloadRequests** Number of times a download was retried.
+- **ErrorCode** The error code returned for the current download request phase.
+- **ExtensionName** Indicates whether the payload is related to Operating System content or a plugin.
+- **FlightId** Unique ID for each flight.
+- **InternalFailureResult** Indicates a non-fatal error from a plugin.
+- **ObjectId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360).
+- **PackageCountOptional** # of optional packages requested.
+- **PackageCountRequired** # of required packages requested.
+- **PackageCountTotal** Total # of packages needed.
+- **PackageCountTotalCanonical** Total number of canonical packages.
+- **PackageCountTotalDiff** Total number of diff packages.
+- **PackageCountTotalExpress** Total number of express packages.
+- **PackageExpressType** Type of express package.
+- **PackageSizeCanonical** Size of canonical packages in bytes.
+- **PackageSizeDiff** Size of diff packages in bytes.
+- **PackageSizeExpress** Size of express packages in bytes.
+- **RangeRequestState** Indicates the range request type used.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **Result** Outcome of the download request phase of update.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each attempt (same value for initialize, download, install commit phases).
+- **UpdateId** Unique ID for each Update.
+
+
+### Update360Telemetry.UpdateAgentInitialize
+
+This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario, which is applicable to both PCs and Mobile.
+
+The following fields are available:
+
+- **ErrorCode** The error code returned for the current install phase.
+- **FlightId** Unique ID for each flight.
+- **FlightMetadata** Contains the FlightId and the build being flighted.
+- **ObjectId** Unique value for each Update Agent mode.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **Result** Outcome of the install phase of the update.
+- **ScenarioId** Indicates the update scenario.
+- **SessionData** String containing instructions to update agent for processing FODs and DUICs (Null for other scenarios).
+- **SessionId** Unique value for each update attempt.
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgentMitigationResult
+
+This event sends data indicating the result of each update agent mitigation.
+
+The following fields are available:
+
+- **Applicable** Indicates whether the mitigation is applicable for the current update.
+- **CommandCount** The number of command operations in the mitigation entry.
+- **CustomCount** The number of custom operations in the mitigation entry.
+- **FileCount** The number of file operations in the mitigation entry.
+- **FlightId** Unique identifier for each flight.
+- **Index** The mitigation index of this particular mitigation.
+- **MitigationScenario** The update scenario in which the mitigation was executed.
+- **Name** The friendly name of the mitigation.
+- **ObjectId** Unique value for each Update Agent mode.
+- **OperationIndex** The mitigation operation index (in the event of a failure).
+- **OperationName** The friendly name of the mitigation operation (in the event of failure).
+- **RegistryCount** The number of registry operations in the mitigation entry.
+- **RelatedCV** The correlation vector value generated from the latest USO scan.
+- **Result** The HResult of this operation.
+- **ScenarioId** The update agent scenario ID.
+- **SessionId** Unique value for each update attempt.
+- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments).
+- **UpdateId** Unique ID for each Update.
+
+
+### Update360Telemetry.UpdateAgentMitigationSummary
+
+This event sends a summary of all the update agent mitigations available for an this update.
+
+
+
+### Update360Telemetry.UpdateAgentModeStart
+
+This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to both PCs and Mobile.
+
+The following fields are available:
+
+- **FlightId** Unique ID for each flight.
+- **Mode** Indicates the mode that has started.
+- **ObjectId** Unique value for each Update Agent mode.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each update attempt.
+- **UpdateId** Unique ID for each update.
+- **Version** Version of update
+
+
+### Update360Telemetry.UpdateAgentOneSettings
+
+This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop.
+
+
+
+### Update360Telemetry.UpdateAgentSetupBoxLaunch
+
+The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs.
+
+The following fields are available:
+
+- **ContainsExpressPackage** Indicates whether the download package is express.
+- **FlightId** Unique ID for each flight.
+- **FreeSpace** Free space on OS partition.
+- **InstallCount** Number of install attempts using the same sandbox.
+- **ObjectId** Unique value for each Update Agent mode.
+- **Quiet** Indicates whether setup is running in quiet mode.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **SandboxSize** Size of the sandbox.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each update attempt.
+- **SetupMode** Mode of setup to be launched.
+- **UpdateId** Unique ID for each Update.
+- **UserSession** Indicates whether install was invoked by user actions.
+
+
## Upgrade events
### Setup360Telemetry.Downlevel
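Review bot: UpdateAgentMitigationSummary and UpdateAgentOneSettings are added with a description but no "The following fields are available:" list, so the page names two events without saying what data they carry; add the field lists, or say explicitly that the event has no fields. Copy errors to fix in the same pass: UpdateAgentInitialize describes ErrorCode and Result in terms of "the install phase"; UpdateAgentMitigationSummary has "for an this update"; UpdateAgentOneSettings shares its sentence verbatim with Setup360OneSettings added further down; and the UpdateAgentSetupBoxLaunch description calls the event "UpdateAgent_SetupBoxLaunch" although the heading has no underscore. FreeSpace and SandboxSize give no unit, unlike the PackageSize fields ("in bytes"), and the PackageCount lines mix "# of" with "number of".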
@@ -4242,9 +4296,9 @@ The following fields are available:
- **Setup360Extended** Detailed information about the phase or action when the potential failure occurred.
- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
-- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
-- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
- **TestId** ID that uniquely identifies a group of events.
- **WuId** Windows Update client ID.
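Review bot: the two edits in this hunk cancel each other out: Setup360Scenario gains its closing period while State loses the one it had ("succeeded, failed, blocked, cancelled"). Keep the period on State so both example lists end the same way.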
@@ -4375,6 +4429,24 @@ This event helps determine whether the device received supplemental content duri
+### Setup360Telemetry.Setup360MitigationResult
+
+This event sends data indicating the result of each setup mitigation.
+
+
+
+### Setup360Telemetry.Setup360MitigationSummary
+
+This event sends a summary of all the setup mitigations available for this update.
+
+
+
+### Setup360Telemetry.Setup360OneSettings
+
+This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop.
+
+
+
### Setup360Telemetry.UnexpectedEvent
This event sends data indicating that the device has invoked the unexpected event phase of the upgrade, to help keep Windows up to date.
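Review bot: The three added events (Setup360MitigationResult, Setup360MitigationSummary, Setup360OneSettings) each get a one-line description and no "The following fields are available:" list, so a reader of this privacy reference cannot tell what data they carry. Add the field lists, or say explicitly that the fields are not documented here. In the Setup360OneSettings description, "update scenario; which is leveraged by" should use a comma rather than a semicolon.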
@@ -4819,11 +4891,11 @@ The following fields are available:
- **errorCode** The error code that was returned.
- **experimentId** When running a test, this is used to correlate events that are part of the same test.
- **fileID** The ID of the file being downloaded.
-- **isVpn** Is the device connected to a Virtual Private Network?
+- **isVpn** Indicates whether the device is connected to a VPN (Virtual Private Network).
- **scenarioID** The ID of the scenario.
- **sessionID** The ID of the file download session.
- **updateID** The ID of the update being downloaded.
-- **usedMemoryStream** Did the download use memory streaming?
+- **usedMemoryStream** TRUE if the download is using memory streaming for App downloads.
### Microsoft.OSG.DU.DeliveryOptClient.DownloadCompleted
@@ -4862,7 +4934,7 @@ The following fields are available:
- **updateID** The ID of the update being downloaded.
- **uplinkBps** The maximum measured available upload bandwidth (in bytes per second).
- **uplinkUsageBps** The upload speed (in bytes per second).
-- **usedMemoryStream** Did the download use memory streaming?
+- **usedMemoryStream** TRUE if the download is using memory streaming for App downloads.
### Microsoft.OSG.DU.DeliveryOptClient.DownloadPaused
@@ -5146,6 +5218,17 @@ The following fields are available:
- **wuDeviceid** The Windows Update device GUID.
+### Microsoft.Windows.Update.Orchestrator.DeferRestart
+
+This event indicates that a restart required for installing updates was postponed.
+
+The following fields are available:
+
+- **filteredDeferReason** Applicable filtered reasons why reboot was postponed (such as user active, or low battery).
+- **raisedDeferReason** Indicates all potential reasons for postponing restart (such as user active, or low battery).
+- **wuDeviceid** Unique device ID used by Windows Update.
+
+
### Microsoft.Windows.Update.Orchestrator.Detection
This event indicates that a scan for a Windows Update occurred.
@@ -5192,7 +5275,7 @@ The following fields are available:
- **EventPublishedTime** Time when this event was generated.
- **flightID** The specific ID of the Windows Insider build.
- **revisionNumber** Update revision number.
-- **updateId** Unique Windows Update ID.
+- **updateId** Unique Update ID.
- **updateScenarioType** Update session type.
- **UpdateStatus** Last status of update.
- **wuDeviceid** Unique Device ID.
@@ -5240,6 +5323,30 @@ The following fields are available:
- **wuDeviceid** Unique device ID used by Windows Update.
+### Microsoft.Windows.Update.Orchestrator.LowUptimes
+
+This event is sent if a device is identified as not having sufficient uptime to reliably process updates in order to keep secure.
+
+The following fields are available:
+
+- **lowUptimeMinHours** Current setting for the minimum number of hours needed to not be considered low uptime.
+- **lowUptimeQueryDays** Current setting for the number of recent days to check for uptime.
+- **uptimeMinutes** Number of minutes of uptime measured.
+- **wuDeviceid** Unique device ID for Windows Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.OneshotUpdateDetection
+
+This event returns data about scans initiated through settings UI, or background scans that are urgent; to help keep Windows up to date.
+
+The following fields are available:
+
+- **externalOneshotupdate** The last time a task-triggered scan was completed.
+- **interactiveOneshotupdate** The last time an interactive scan was completed.
+- **oldlastscanOneshotupdate** The last time a scan completed successfully.
+- **wuDeviceid** The Windows Update Device GUID (Globally-Unique ID).
+
+
### Microsoft.Windows.Update.Orchestrator.PostInstall
This event is sent after a Windows update install completes.
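Review bot: In the LowUptimes description, "to reliably process updates in order to keep secure" has no object; something like "in order to stay secure" reads correctly. The OneshotUpdateDetection description has the same semicolon problem as elsewhere in this patch ("that are urgent; to help keep Windows up to date" wants a comma). The three *Oneshotupdate fields are each described as "The last time ..." without saying whether the value is a timestamp or an elapsed interval, which is worth stating since **uptimeMinutes** just above does name its unit.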
@@ -5256,6 +5363,15 @@ The following fields are available:
- **wuDeviceid** Unique device ID used by Windows Update.
+### Microsoft.Windows.Update.Orchestrator.PreShutdownStart
+
+This event is generated before the shutdown and commit operations.
+
+The following fields are available:
+
+- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
+
+
### Microsoft.Windows.Update.Orchestrator.RebootFailed
This event sends information about whether an update required a reboot and reasons for failure, to help keep Windows up to date.
@@ -5276,6 +5392,18 @@ The following fields are available:
- **wuDeviceid** Unique device ID used by Windows Update.
+### Microsoft.Windows.Update.Orchestrator.RefreshSettings
+
+This event sends basic data about the version of upgrade settings applied to the system to help keep Windows up to date.
+
+The following fields are available:
+
+- **errorCode** Hex code for the error message, to allow lookup of the specific error.
+- **settingsDownloadTime** Timestamp of the last attempt to acquire settings.
+- **settingsETag** Version identifier for the settings.
+- **wuDeviceid** Unique device ID used by Windows Update.
+
+
### Microsoft.Windows.Update.Orchestrator.RestoreRebootTask
This event sends data indicating that a reboot task is missing unexpectedly on a device and the task is restored because a reboot is still required, to help keep Windows up to date.
@@ -5332,6 +5460,32 @@ The following fields are available:
- **wuDeviceid** Unique device ID used by Windows Update.
+### Microsoft.Windows.Update.Orchestrator.updateSettingsFlushFailed
+
+This event sends information about an update that encountered problems and was not able to complete.
+
+The following fields are available:
+
+- **errorCode** The error code encountered.
+- **wuDeviceid** The ID of the device in which the error occurred.
+
+
+### Microsoft.Windows.Update.Orchestrator.UsoSession
+
+This event represents the state of the USO service at start and completion.
+
+The following fields are available:
+
+- **activeSessionid** A unique session GUID.
+- **eventScenario** The state of the update action.
+- **interactive** Is the USO session interactive?
+- **lastErrorcode** The last error that was encountered.
+- **lastErrorstate** The state of the update when the last error was encountered.
+- **sessionType** A GUID that refers to the update session type.
+- **updateScenarioType** A descriptive update session type.
+- **wuDeviceid** The Windows Update device GUID.
+
+
### Microsoft.Windows.Update.UpdateStackServicing.CheckForUpdates
This event sends data about the UpdateStackServicing check for updates, to help keep Windows up to date.
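Review bot: The updateSettingsFlushFailed description ("an update that encountered problems and was not able to complete") never mentions the settings flush the event name refers to, so it does not tell the reader what failed. Describe the failing operation itself. In UsoSession, **interactive** is phrased as a question ("Is the USO session interactive?") while this same patch rewrites **isVpn** from a question to "Indicates whether ..."; use the declarative form here too. The **wuDeviceid** wording also differs between the two new events ("The ID of the device in which the error occurred." versus "The Windows Update device GUID."); pick one.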
@@ -5352,6 +5506,28 @@ The following fields are available:
- **WUDeviceID** The Windows Update device ID.
+### Microsoft.Windows.Update.Ux.MusNotification.EnhancedEngagedRebootUxState
+
+This event sends information about the configuration of Enhanced Direct-to-Engaged (eDTE), which includes values for the timing of how eDTE will progress through each phase of the reboot.
+
+The following fields are available:
+
+- **AcceptAutoModeLimit** The maximum number of days for a device to automatically enter Auto Reboot mode.
+- **AutoToAutoFailedLimit** The maximum number of days for Auto Reboot mode to fail before a Reboot Failed dialog will be shown.
+- **DeviceLocalTime** The date and time (based on the device date/time settings) the reboot mode changed.
+- **EngagedModeLimit** The number of days to switch between DTE (Direct-to-Engaged) dialogs.
+- **EnterAutoModeLimit** The maximum number of days a device can enter Auto Reboot mode.
+- **ETag** The Entity Tag that represents the OneSettings version.
+- **IsForcedEnabled** Identifies whether Forced Reboot mode is enabled for the device.
+- **IsUltimateForcedEnabled** Identifies whether Ultimate Forced Reboot mode is enabled for the device.
+- **OldestUpdateLocalTime** The date and time (based on the device date/time settings) this update’s reboot began pending.
+- **RebootUxState** Identifies the reboot state: Engaged, Auto, Forced, UltimateForced.
+- **RebootVersion** The version of the DTE (Direct-to-Engaged).
+- **SkipToAutoModeLimit** The maximum number of days to switch to start while in Auto Reboot mode.
+- **UpdateId** The ID of the update that is waiting for reboot to finish installation.
+- **UpdateRevision** The revision of the update that is waiting for reboot to finish installation.
+
+
### Microsoft.Windows.Update.Ux.MusNotification.RebootNoLongerNeeded
This event is sent when a security update has successfully completed.
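Review bot: The **SkipToAutoModeLimit** description, "The maximum number of days to switch to start while in Auto Reboot mode.", does not parse and needs rewriting against the actual setting. **AcceptAutoModeLimit** ("for a device to automatically enter Auto Reboot mode") and **EnterAutoModeLimit** ("a device can enter Auto Reboot mode") read as the same limit; spell out how they differ. **RebootVersion** says "The version of the DTE (Direct-to-Engaged)." and is missing the noun the version applies to. **OldestUpdateLocalTime** uses a typographic apostrophe in "update’s", while the rest of the file uses a plain one ("It's").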
@@ -5390,7 +5566,7 @@ The following fields are available:
### Microsoft.Windows.Update.Ux.MusUpdateSettings.RebootScheduled
-This event sends basic information for scheduling a device restart to install security updates. It's used to help keep Windows up-to-date.
+This event sends basic information for scheduling a device restart to install security updates. It's used to help keep Windows up to date.
The following fields are available:
@@ -5406,6 +5582,14 @@ The following fields are available:
- **wuDeviceid** The Windows Update device GUID.
+## Windows Update mitigation events
+
+### Mitigation360Telemetry.MitigationCustom.FixupEditionId
+
+This event sends data specific to the FixupEditionId mitigation used for OS Updates.
+
+
+
## Winlogon events
### Microsoft.Windows.Security.Winlogon.SetupCompleteLogon
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
index f1ca2eae5e..8e49f96e10 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
@@ -9,7 +9,7 @@ ms.pagetype: security
localizationpriority: high
author: brianlic-msft
ms.author: brianlic
-ms.date: 10/10/2018
+ms.date: 11/07/2018
---
@@ -65,20 +65,20 @@ The following fields are available:
- **DecisionSystemBios_RS4** The total DecisionSystemBios objects targeting Windows 10 version, 1803 present on this device.
- **DecisionTest_RS1** An ID for the system, calculated by hashing hardware identifiers.
- **InventoryApplicationFile** The count of the number of this particular object type present on this device.
-- **InventoryLanguagePack** The count of InventoryLanguagePack objects present on this machine.
+- **InventoryLanguagePack** The count of the number of this particular object type present on this device.
- **InventoryMediaCenter** The count of the number of this particular object type present on this device.
- **InventorySystemBios** The count of the number of this particular object type present on this device.
- **InventoryTest** The count of the number of this particular object type present on this device.
- **InventoryUplevelDriverPackage** The count of the number of this particular object type present on this device.
-- **PCFP** An ID for the system, calculated by hashing hardware identifiers.
+- **PCFP** The count of the number of this particular object type present on this device.
- **SystemMemory** The count of the number of this particular object type present on this device.
- **SystemProcessorCompareExchange** The count of the number of this particular object type present on this device.
- **SystemProcessorLahfSahf** The count of the number of this particular object type present on this device.
- **SystemProcessorNx** The count of the number of this particular object type present on this device.
-- **SystemProcessorPrefetchW** The count of SystemProcessorPrefetchW objects present on this machine.
-- **SystemProcessorSse2** The count of SystemProcessorSse2 objects present on this machine.
+- **SystemProcessorPrefetchW** The count of the number of this particular object type present on this device.
+- **SystemProcessorSse2** The count of the number of this particular object type present on this device.
- **SystemTouch** The count of the number of this particular object type present on this device.
-- **SystemWim** The count of SystemWim objects present on this machine.
+- **SystemWim** The count of the number of this particular object type present on this device.
- **SystemWindowsActivationStatus** The count of the number of this particular object type present on this device.
- **SystemWlan** The count of the number of this particular object type present on this device.
- **Wmdrm_RS1** An ID for the system, calculated by hashing hardware identifiers.
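Review bot: The **PCFP** change replaces "An ID for the system, calculated by hashing hardware identifiers." with the generic object-count sentence, which reclassifies a device identifier as a count in a privacy disclosure. The other rewrites in this hunk (InventoryLanguagePack, SystemProcessorPrefetchW, SystemProcessorSse2, SystemWim) only normalise wording for fields that were already counts, so this one looks like a bulk replace that went one line too far; confirm what PCFP actually holds before merging. The unchanged **DecisionTest_RS1** and **Wmdrm_RS1** lines still carry the hashed-ID description while their siblings are counts, so they deserve a check in the same pass.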
@@ -1209,6 +1209,23 @@ The following fields are available:
- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+### Microsoft.Windows.Appraiser.General.SystemWlanAdd
+
+This event sends data indicating whether the system has WLAN, and if so, whether it uses an emulated driver that could block an upgrade, to help keep Windows up-to-date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **Blocking** Is the upgrade blocked because of an emulated WLAN driver?
+- **HasWlanBlock** Does the emulated WLAN driver have an upgrade block?
+- **WlanEmulatedDriver** Does the device have an emulated WLAN driver?
+- **WlanExists** Does the device support WLAN at all?
+- **WlanModulePresent** Are any WLAN modules present?
+- **WlanNativeDriver** Does the device have a non-emulated WLAN driver?
+
+
### Microsoft.Windows.Appraiser.General.SystemWlanRemove
This event indicates that the SystemWlan object is no longer present.
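Review bot: **Blocking** ("Is the upgrade blocked because of an emulated WLAN driver?") and **HasWlanBlock** ("Does the emulated WLAN driver have an upgrade block?") read as the same condition; state what distinguishes them, for example whether one is the appraiser decision and the other a property of the driver. All six boolean fields are phrased as questions, whereas this patch converts **isVpn** from a question to "Indicates whether ..."; use the declarative form for new text. The description also uses "up-to-date", which the RebootScheduled hunk in this same patch changes to "up to date".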
@@ -1525,16 +1542,16 @@ The following fields are available:
- **KvaShadow** Microcode info of the processor.
- **MMSettingOverride** Microcode setting of the processor.
- **MMSettingOverrideMask** Microcode setting override of the processor.
-- **ProcessorArchitecture** Retrieves the processor architecture of the installed operating system.
-- **ProcessorClockSpeed** Clock speed of the processor in MHz.
-- **ProcessorCores** Number of logical cores in the processor.
-- **ProcessorIdentifier** Processor Identifier of a manufacturer.
-- **ProcessorManufacturer** Name of the processor manufacturer.
-- **ProcessorModel** Name of the processor model.
+- **ProcessorArchitecture** Retrieves the processor architecture of the installed operating system. The complete list of values can be found in DimProcessorArchitecture.
+- **ProcessorClockSpeed** Retrieves the clock speed of the processor in MHz.
+- **ProcessorCores** Retrieves the number of cores in the processor.
+- **ProcessorIdentifier** The processor identifier of a manufacturer.
+- **ProcessorManufacturer** Retrieves the name of the processor's manufacturer.
+- **ProcessorModel** Retrieves the name of the processor model.
- **ProcessorPhysicalCores** Number of physical cores in the processor.
-- **ProcessorUpdateRevision** Microcode revision
+- **ProcessorUpdateRevision** Retrieves the processor architecture of the installed operating system.
- **ProcessorUpdateStatus** Enum value that represents the processor microcode load status
-- **SocketCount** Count of CPU sockets.
+- **SocketCount** Number of physical CPU sockets of the machine.
- **SpeculationControl** If the system has enabled protections needed to validate the speculation control vulnerability.
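Review bot: The new **ProcessorUpdateRevision** text, "Retrieves the processor architecture of the installed operating system.", is a copy of the **ProcessorArchitecture** description and replaces the correct "Microcode revision"; restore a microcode-revision description, since the neighbouring **ProcessorUpdateStatus** line is about microcode load status. **ProcessorCores** changes from "Number of logical cores" to "the number of cores", which is now ambiguous next to **ProcessorPhysicalCores**; keep "logical" if that is what is reported. The **ProcessorArchitecture** line points to "DimProcessorArchitecture" without a link or explanation, so readers cannot find the value list.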
@@ -1545,14 +1562,14 @@ This event provides information on about security settings used to help keep Win
The following fields are available:
- **AvailableSecurityProperties** This field helps to enumerate and report state on the relevant security properties for Device Guard.
-- **CGRunning** Is Credential Guard running?
+- **CGRunning** Credential Guard isolates and hardens key system and user secrets against compromise, helping to minimize the impact and breadth of a Pass the Hash style attack in the event that malicious code is already running via a local or network based vector. This field tells if Credential Guard is running.
- **DGState** This field summarizes the Device Guard state.
-- **HVCIRunning** Is HVCI running?
+- **HVCIRunning** Hypervisor Code Integrity (HVCI) enables Device Guard to help protect kernel mode processes and drivers from vulnerability exploits and zero days. HVCI uses the processor’s functionality to force all software running in kernel mode to safely allocate memory. This field tells if HVCI is running.
- **IsSawGuest** Indicates whether the device is running as a Secure Admin Workstation Guest.
- **IsSawHost** Indicates whether the device is running as a Secure Admin Workstation Host.
- **RequiredSecurityProperties** Describes the required security properties to enable virtualization-based security.
-- **SecureBootCapable** Is this device capable of running Secure Boot?
-- **VBSState** Is virtualization-based security enabled, disabled, or running?
+- **SecureBootCapable** Systems that support Secure Boot can have the feature turned off via BIOS. This field tells if the system is capable of running Secure Boot, regardless of the BIOS setting.
+- **VBSState** Virtualization-based security (VBS) uses the hypervisor to help protect the kernel and other parts of the operating system. Credential Guard and Hypervisor Code Integrity (HVCI) both depend on VBS to isolate/protect secrets, and kernel-mode code integrity validation. VBS has a tri-state that can be Disabled, Enabled, or Running.
### Census.Speech
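Review bot: The rewritten **CGRunning**, **HVCIRunning**, **SecureBootCapable** and **VBSState** entries open with one or two sentences of feature description and only reach what the field reports in the last sentence, so the collected value is harder to find than in the one-line questions they replace. Lead with the field's meaning and its value type (for example "Indicates whether Credential Guard is running."), then add the feature background after it. "VBS has a tri-state that can be Disabled, Enabled, or Running" should say the field has three possible states. **HVCIRunning** also introduces a typographic apostrophe in "processor’s".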
@@ -1889,6 +1906,82 @@ The following fields are available:
- **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event.
+## DxgKernelTelemetry events
+
+### DxgKrnlTelemetry.GPUAdapterInventoryV2
+
+This event sends basic GPU and display driver information to keep Windows and display drivers up-to-date.
+
+The following fields are available:
+
+- **AdapterTypeValue** The numeric value indicating the type of Graphics adapter.
+- **aiSeqId** The event sequence ID.
+- **bootId** The system boot ID.
+- **ComputePreemptionLevel** The maximum preemption level supported by GPU for compute payload.
+- **DedicatedSystemMemoryB** The amount of system memory dedicated for GPU use (in bytes).
+- **DedicatedVideoMemoryB** The amount of dedicated VRAM of the GPU (in bytes).
+- **DisplayAdapterLuid** The display adapter LUID.
+- **DriverDate** The date of the display driver.
+- **DriverRank** The rank of the display driver.
+- **DriverVersion** The display driver version.
+- **GPUDeviceID** The GPU device ID.
+- **GPUPreemptionLevel** The maximum preemption level supported by GPU for graphics payload.
+- **GPURevisionID** The GPU revision ID.
+- **GPUVendorID** The GPU vendor ID.
+- **InterfaceId** The GPU interface ID.
+- **IsDisplayDevice** Does the GPU have displaying capabilities?
+- **IsHybridDiscrete** Does the GPU have discrete GPU capabilities in a hybrid device?
+- **IsHybridIntegrated** Does the GPU have integrated GPU capabilities in a hybrid device?
+- **IsLDA** Is the GPU comprised of Linked Display Adapters?
+- **IsMiracastSupported** Does the GPU support Miracast?
+- **IsMismatchLDA** Is at least one device in the Linked Display Adapters chain from a different vendor?
+- **IsMPOSupported** Does the GPU support Multi-Plane Overlays?
+- **IsMsMiracastSupported** Are the GPU Miracast capabilities driven by a Microsoft solution?
+- **IsPostAdapter** Is this GPU the POST GPU in the device?
+- **IsRemovable** TRUE if the adapter supports being disabled or removed.
+- **IsRenderDevice** Does the GPU have rendering capabilities?
+- **IsSoftwareDevice** Is this a software implementation of the GPU?
+- **MeasureEnabled** Is the device listening to MICROSOFT_KEYWORD_MEASURES?
+- **NumVidPnSources** The number of supported display output sources.
+- **NumVidPnTargets** The number of supported display output targets.
+- **SharedSystemMemoryB** The amount of system memory shared by GPU and CPU (in bytes).
+- **SubSystemID** The subsystem ID.
+- **SubVendorID** The GPU sub vendor ID.
+- **TelemetryEnabled** Is the device listening to MICROSOFT_KEYWORD_TELEMETRY?
+- **TelInvEvntTrigger** What triggered this event to be logged? Example: 0 (GPU enumeration) or 1 (DxgKrnlTelemetry provider toggling)
+- **version** The event version.
+- **WDDMVersion** The Windows Display Driver Model version.
+
+
+## Fault Reporting events
+
+### Microsoft.Windows.FaultReporting.AppCrashEvent
+
+This event sends data about crashes for both native and managed applications, to help keep Windows up to date. The data includes information about the crashing process and a summary of its exception record. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the crash to the Watson service, and the WER event will contain the same ReportID (see field 14 of crash event, field 19 of WER event) as the crash event for the crash being reported. AppCrash is emitted once for each crash handled by WER (e.g. from an unhandled exception or FailFast or ReportException). Note that Generic Watson event types (e.g. from PLM) that may be considered crashes\" by a user DO NOT emit this event.
+
+The following fields are available:
+
+- **AppName** The name of the app that has crashed.
+- **AppSessionGuid** GUID made up of process ID and is used as a correlation vector for process instances in the telemetry backend.
+- **AppTimeStamp** The date/time stamp of the app.
+- **AppVersion** The version of the app that has crashed.
+- **ExceptionCode** The exception code returned by the process that has crashed.
+- **ExceptionOffset** The address where the exception had occurred.
+- **Flags** Flags indicating how reporting is done. For example, queue the report, do not offer JIT debugging, or do not terminate the process after reporting.
+- **ModName** Exception module name (e.g. bar.dll).
+- **ModTimeStamp** The date/time stamp of the module.
+- **ModVersion** The version of the module that has crashed.
+- **PackageFullName** Store application identity.
+- **PackageRelativeAppId** Store application identity.
+- **ProcessArchitecture** Architecture of the crashing process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64.
+- **ProcessCreateTime** The time of creation of the process that has crashed.
+- **ProcessId** The ID of the process that has crashed.
+- **ReportId** A GUID used to identify the report. This can used to track the report across Watson.
+- **TargetAppId** The kernel reported AppId of the application being reported.
+- **TargetAppVer** The specific version of the application being reported
+- **TargetAsId** The sequence number for the hanging process.
+
+
## Feature update events
### Microsoft.Windows.Upgrade.Uninstall.UninstallFailed
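Review bot: The AppCrashEvent description refers to ReportID as "field 14 of crash event, field 19 of WER event", but the field list below is unnumbered and alphabetical, with **ReportId** as the sixteenth entry, so the positional reference cannot be resolved; refer to the field by name. The same paragraph contains a stray escaped quote in "considered crashes\" by a user" with no opening quote. **TargetAsId** is described as "The sequence number for the hanging process." in a crash event, which looks copied from the hang event. **ReportId** reads "This can used to track" (missing "be"), and **TargetAppVer** lacks a terminal period. The GPUAdapterInventoryV2 description uses "up-to-date" where this patch elsewhere standardises on "up to date".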
@@ -1916,6 +2009,33 @@ This event sends basic metadata about the starting point of uninstalling a featu
+## Hang Reporting events
+
+### Microsoft.Windows.HangReporting.AppHangEvent
+
+This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events.
+
+The following fields are available:
+
+- **AppName** The name of the app that has hung.
+- **AppSessionGuid** GUID made up of process id used as a correlation vector for process instances in the telemetry backend.
+- **AppVersion** The version of the app that has hung.
+- **PackageFullName** Store application identity.
+- **PackageRelativeAppId** Store application identity.
+- **ProcessArchitecture** Architecture of the hung process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64.
+- **ProcessCreateTime** The time of creation of the process that has hung.
+- **ProcessId** The ID of the process that has hung.
+- **ReportId** A GUID used to identify the report. This can used to track the report across Watson.
+- **TargetAppId** The kernel reported AppId of the application being reported.
+- **TargetAppVer** The specific version of the application being reported.
+- **TargetAsId** The sequence number for the hanging process.
+- **TypeCode** Bitmap describing the hang type.
+- **WaitingOnAppName** If this is a cross process hang waiting for an application, this has the name of the application.
+- **WaitingOnAppVersion** If this is a cross process hang, this has the version of the application for which it is waiting.
+- **WaitingOnPackageFullName** If this is a cross process hang waiting for a package, this has the full name of the package for which it is waiting.
+- **WaitingOnPackageRelativeAppId** If this is a cross process hang waiting for a package, this has the relative application id of the package.
+
+
## Inventory events
### Microsoft.Windows.Inventory.Core.AmiTelCacheChecksum
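Review bot: **PackageFullName** and **PackageRelativeAppId** are both described only as "Store application identity.", which does not tell the reader how the two values differ; describe each one separately. **TypeCode** is called a "Bitmap describing the hang type" with no bit definitions, unlike the **DeviceState** bitmask elsewhere in this file; list the bits or link to them. The description cites ReportID as "field 13 of hang event", but **ReportId** is the ninth entry in the unnumbered list, so reference it by name. **ReportId** also repeats the "This can used to track" typo, and "process id" should match the "process ID" casing used in AppCrashEvent.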
@@ -1992,13 +2112,13 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic
The following fields are available:
-- **InventoryVersion** The version of the inventory component
+- **InventoryVersion** The version of the inventory component.
- **ProgramIds** The unique program identifier the driver is associated with.
### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverStartSync
-The InventoryApplicationDriverStartSync event indicates that a new set of InventoryApplicationDriverStartAdd events will be sent.
+This event indicates that a new set of InventoryApplicationDriverStartAdd events will be sent.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2185,12 +2305,12 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic
The following fields are available:
- **BusReportedDescription** System-supplied GUID that uniquely groups the functional devices associated with a single-function or multifunction device installed in the computer.
-- **Class** System-supplied GUID that uniquely groups the functional devices associated with a single-function or multifunction device installed in the computer.
-- **ClassGuid** A unique identifier for the driver installed.
-- **COMPID** Name of the .sys image file (or wudfrd.sys if using user mode driver framework).
-- **ContainerId** INF file name (the name could be renamed by OS, such as oemXX.inf)
-- **Description** The version of the inventory binary generating the events.
-- **DeviceState** The current error code for the device.
+- **Class** The device setup class of the driver loaded for the device.
+- **ClassGuid** The device setup class guid of the driver loaded for the device.
+- **COMPID** The list of compat ids for the device.
+- **ContainerId** System-supplied GUID that uniquely groups the functional devices associated with a single-function or multifunction device installed in the computer.
+- **Description** The device description.
+- **DeviceState** DeviceState is a bitmask of the following: DEVICE_IS_CONNECTED 0x0001 (currently only for container). DEVICE_IS_NETWORK_DEVICE 0x0002 (currently only for container). DEVICE_IS_PAIRED 0x0004 (currently only for container). DEVICE_IS_ACTIVE 0x0008 (currently never set). DEVICE_IS_MACHINE 0x0010 (currently only for container). DEVICE_IS_PRESENT 0x0020 (currently always set). DEVICE_IS_HIDDEN 0x0040. DEVICE_IS_PRINTER 0x0080 (currently only for container). DEVICE_IS_WIRELESS 0x0100. DEVICE_IS_WIRELESS_FAT 0x0200. The most common values are therefore: 32 (0x20)= device is present. 96 (0x60)= device is present but hidden. 288 (0x120)= device is a wireless device that is present
- **DriverId** A unique identifier for the driver installed.
- **DriverName** Name of the .sys image file (or wudfrd.sys if using user mode driver framework).
- **DriverPackageStrongName** The immediate parent directory name in the Directory field of InventoryDriverPackage.
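Review bot: This hunk corrects the shifted descriptions for **Class** through **DeviceState**, but the unchanged **BusReportedDescription** line still carries the "System-supplied GUID that uniquely groups the functional devices ..." text, which is now word for word the **ContainerId** description; fix it in the same change. The **DeviceState** entry packs ten flag definitions and three worked values into one run-on line with no terminal period; a nested list or table of flag name and hex value would be far easier to read and to check. "compat ids" and "class guid" should be written as "compatible IDs" and "class GUID" to match the rest of the list.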
@@ -2703,11 +2823,188 @@ The following fields are available:
- **UserInputTime** The amount of time the loader application spent waiting for user input.
+## OneDrive events
+
+### Microsoft.OneDrive.Sync.Setup.APIOperation
+
+This event includes basic data about install and uninstall OneDrive API operations.
+
+The following fields are available:
+
+- **APIName** The name of the API.
+- **Duration** How long the operation took.
+- **IsSuccess** Was the operation successful?
+- **ResultCode** The result code.
+- **ScenarioName** The name of the scenario.
+
+
+### Microsoft.OneDrive.Sync.Setup.EndExperience
+
+This event includes a success or failure summary of the installation.
+
+The following fields are available:
+
+- **APIName** The name of the API.
+- **HResult** The result code of the last action performed before this operation
+- **IsSuccess** Was the operation successful?
+- **ScenarioName** The name of the scenario.
+
+
+### Microsoft.OneDrive.Sync.Setup.OSUpgradeInstallationOperation
+
+This event is related to the OS version when the OS is upgraded with OneDrive installed.
+
+The following fields are available:
+
+- **CurrentOneDriveVersion** The current version of OneDrive.
+- **CurrentOSBuildBranch** The current branch of the operating system.
+- **CurrentOSBuildNumber** The current build number of the operating system.
+- **CurrentOSVersion** The current version of the operating system.
+- **HResult** The HResult of the operation.
+- **SourceOSBuildBranch** The source branch of the operating system.
+- **SourceOSBuildNumber** The source build number of the operating system.
+- **SourceOSVersion** The source version of the operating system.
+
+
+### Microsoft.OneDrive.Sync.Setup.RegisterStandaloneUpdaterAPIOperation
+
+This event is related to registering or unregistering the OneDrive update task.
+
+The following fields are available:
+
+- **APIName** The name of the API.
+- **IsSuccess** Was the operation successful?
+- **RegisterNewTaskResult** The HResult of the RegisterNewTask operation.
+- **ScenarioName** The name of the scenario.
+- **UnregisterOldTaskResult** The HResult of the UnregisterOldTask operation.
+
+
+### Microsoft.OneDrive.Sync.Updater.ComponentInstallState
+
+This event includes basic data about the installation state of dependent OneDrive components.
+
+The following fields are available:
+
+- **ComponentName** The name of the dependent component.
+- **isInstalled** Is the dependent component installed?
+
+
+### Microsoft.OneDrive.Sync.Updater.OverlayIconStatus
+
+This event indicates if the OneDrive overlay icon is working correctly. 0 = healthy; 1 = can be fixed; 2 = broken
+
+The following fields are available:
+
+- **32bit** The status of the OneDrive overlay icon on a 32-bit operating system.
+- **64bit** The status of the OneDrive overlay icon on a 64-bit operating system.
+
+
+### Microsoft.OneDrive.Sync.Updater.UpdateOverallResult
+
+This event sends information describing the result of the update.
+
+The following fields are available:
+
+- **hr** The HResult of the operation.
+- **IsLoggingEnabled** Indicates whether logging is enabled for the updater.
+- **UpdaterVersion** The version of the updater.
+
+
+### Microsoft.OneDrive.Sync.Updater.UpdateXmlDownloadHResult
+
+This event determines the status when downloading the OneDrive update configuration file.
+
+The following fields are available:
+
+- **hr** The HResult of the operation.
+
+
+### Microsoft.OneDrive.Sync.Updater.WebConnectionStatus
+
+This event determines the error code that was returned when verifying Internet connectivity.
+
+The following fields are available:
+
+- **winInetError** The HResult of the operation.
+
+
+## Other events
+
+### CbsServicingProvider.CbsCapabilityEnumeration
+
+This event reports on the results of scanning for optional Windows content on Windows Update.
+
+The following fields are available:
+
+- **architecture** Indicates the scan was limited to the specified architecture.
+- **capabilityCount** The number of optional content packages found during the scan.
+- **clientId** The name of the application requesting the optional content.
+- **duration** The amount of time it took to complete the scan.
+- **hrStatus** The HReturn code of the scan.
+- **language** Indicates the scan was limited to the specified language.
+- **majorVersion** Indicates the scan was limited to the specified major version.
+- **minorVersion** Indicates the scan was limited to the specified minor version.
+- **namespace** Indicates the scan was limited to packages in the specified namespace.
+- **sourceFilter** A bitmask indicating the scan checked for locally available optional content.
+- **stackBuild** The build number of the servicing stack.
+- **stackMajorVersion** The major version number of the servicing stack.
+- **stackMinorVersion** The minor version number of the servicing stack.
+- **stackRevision** The revision number of the servicing stack.
+
+
+### CbsServicingProvider.CbsCapabilitySessionFinalize
+
+This event provides information about the results of installing or uninstalling optional Windows content from Windows Update.
+
+The following fields are available:
+
+- **capabilities** The names of the optional content packages that were installed.
+- **clientId** The name of the application requesting the optional content.
+- **highestState** The highest final install state of the optional content.
+- **hrStatus** The HReturn code of the install operation.
+- **rebootCount** The number of reboots required to complete the install.
+- **stackBuild** The build number of the servicing stack.
+- **stackMajorVersion** The major version number of the servicing stack.
+- **stackMinorVersion** The minor version number of the servicing stack.
+- **stackRevision** The revision number of the servicing stack.
+
+
+### CbsServicingProvider.CbsCapabilitySessionPended
+
+This event provides information about the results of installing optional Windows content that requires a reboot to keep Windows up to date.
+
+The following fields are available:
+
+- **clientId** The name of the application requesting the optional content.
+- **pendingDecision** Indicates the cause of reboot, if applicable.
+
+
+### Microsoft.Windows.WaaSAssessment.Error
+
+This event returns the name of the missing setting needed to determine the Operating System build age.
+
+The following fields are available:
+
+- **m** The WaaS (“Workspace as a Service”—cloud-based “workspace”) Assessment Error String.
+
+
+### Microsoft.Xbox.XamTelemetry.AppActivationError
+
+This event indicates whether the system detected an activation error in the app.
+
+
+
+### Microsoft.Xbox.XamTelemetry.AppActivity
+
+This event is triggered whenever the current app state is changed by: launch, switch, terminate, snap, etc.
+
+
+
## Remediation events
### Microsoft.Windows.Remediation.Applicable
-This event indicates a remedial plug-in is applicable if/when such a plug-in is detected. This is used to ensure Windows is up to date.
+This event sends simple device connectivity and configuration data about an application installed on the system that helps keep the Windows Update stack healthy.
The following fields are available:
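Review bot: In the added Microsoft.Windows.WaaSAssessment.Error entry, the **m** field expands WaaS as “Workspace as a Service”, but in Windows servicing WaaS stands for Windows as a Service, which is also what fits the event's stated purpose (determining the operating system build age). Suggest correcting the expansion. Separately, **hrStatus** in the two CbsServicingProvider entries says "HReturn code" where the rest of this hunk says HResult, and the two Microsoft.Xbox.XamTelemetry entries have a description but no field list; either list the fields or state that none are sent.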
@@ -2716,7 +3013,6 @@ The following fields are available:
- **AppraiserDetectCondition** Indicates whether the plug-in passed the appraiser's check.
- **AppraiserRegistryValidResult** Indicates whether the registry entry checks out as valid.
- **AppraiserTaskDisabled** Indicates the appraiser task is disabled.
-- **AppraiserTaskValidFailed** Indicates the Appraiser task did not function and requires intervention.
- **CV** Correlation vector
- **DateTimeDifference** The difference between local and reference clock times.
- **DateTimeSyncEnabled** Indicates whether the datetime sync plug-in is enabled.
@@ -2726,7 +3022,7 @@ The following fields are available:
- **EvalAndReportAppraiserBinariesFailed** Indicates the EvalAndReportAppraiserBinaries event failed.
- **EvalAndReportAppraiserRegEntries** Indicates the EvalAndReportAppraiserRegEntriesFailed event failed.
- **EvalAndReportAppraiserRegEntriesFailed** Indicates the EvalAndReportAppraiserRegEntriesFailed event failed.
-- **GlobalEventCounter** Client side counter that indicates ordering of events sent by the remediation system.
+- **GlobalEventCounter** Client side counter that indicates ordering of events.
- **HResult** The HRESULT for detection or perform action phases of the plugin.
- **IsAppraiserLatestResult** The HRESULT from the appraiser task.
- **IsConfigurationCorrected** Indicates whether the configuration of SIH task was successfully corrected.
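Review bot: The context line for **EvalAndReportAppraiserRegEntries** carries the same text as **EvalAndReportAppraiserRegEntriesFailed** ("Indicates the EvalAndReportAppraiserRegEntriesFailed event failed."), which reads as a copy-paste error. Since this hunk already edits the field list, fix it here so the two fields can be told apart. The reworded **GlobalEventCounter** also uses "Client side" while the same field under Remediation.Completed uses "Client-side"; pick one spelling.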
@@ -2789,29 +3085,9 @@ The following fields are available:
- **TimeServiceSyncType** Type of sync behavior for Date & Time service on device.
-### Microsoft.Windows.Remediation.ChangePowerProfileDetection
-
-Indicates whether the remediation system can put in a request to defer a system-initiated sleep to enable installation of security or quality updates.
-
-The following fields are available:
-
-- **ActionName** A descriptive name for the plugin action
-- **CurrentPowerPlanGUID** The ID of the current power plan configured on the device
-- **CV** Correlation vector
-- **GlobalEventCounter** Counter that indicates the ordering of events on the device
-- **PackageVersion** Current package version of remediation service
-- **RemediationBatteryPowerBatteryLevel** Integer between 0 and 100 indicating % battery power remaining (if not on battery, expect 0)
-- **RemediationFUInProcess** Result that shows whether the device is currently installing a feature update
-- **RemediationFURebootRequred** Indicates that a feature update reboot required was detected so the plugin will exit.
-- **RemediationScanInProcess** Result that shows whether the device is currently scanning for updates
-- **RemediationTargetMachine** Result that shows whether this device is a candidate for remediation(s) that will fix update issues
-- **SetupMutexAvailable** Result that shows whether setup mutex is available or not
-- **SysPowerStatusAC** Result that shows whether system is on AC power or not
-
-
### Microsoft.Windows.Remediation.Completed
-This event enables completion tracking of a process that remediates issues preventing security and quality updates.
+This event sends simple device connectivity and configuration data about an application installed on the system that helps keep the Windows Update stack healthy.
The following fields are available:
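Review bot: The replacement description for Microsoft.Windows.Remediation.Completed is word for word the one this patch gives Remediation.Applicable, so the text no longer says that the event marks completion of a remediation run. For a telemetry reference, each event should say what it signals; suggest keeping a clause that names the phase alongside the new wording. The same hunk deletes the whole ChangePowerProfileDetection section, including fields such as **CurrentPowerPlanGUID** and **RemediationBatteryPowerBatteryLevel**; please confirm in the change description that the event is no longer emitted rather than only no longer documented.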
@@ -2833,7 +3109,7 @@ The following fields are available:
- **DiskMbFreeAfterCleanup** The amount of free hard disk space after cleanup, measured in Megabytes.
- **DiskMbFreeBeforeCleanup** The amount of free hard disk space before cleanup, measured in Megabytes.
- **ForcedAppraiserTaskTriggered** TRUE if Appraiser task ran from the plug-in.
-- **GlobalEventCounter** Client-side counter that indicates ordering of events sent by the active user.
+- **GlobalEventCounter** Client-side counter that indicates ordering of events.
- **HandlerCleanupFreeDiskInMegabytes** The amount of hard disk space cleaned by the storage sense handlers, measured in Megabytes.
- **hasRolledBack** Indicates whether the client machine has rolled back.
- **hasUninstalled** Indicates whether the client machine has uninstalled a later version of the OS.
@@ -2911,7 +3187,7 @@ The following fields are available:
- **usoScanIsNoAutoUpdateKeyPresent** TRUE if no Auto Update registry key is set/present.
- **usoScanIsUserLoggedOn** TRUE if the user is logged on.
- **usoScanPastThreshold** TRUE if the most recent USO (Update Session Orchestrator) scan is past the threshold (late).
-- **usoScanType** The type of USO (Update Session Orchestrator) scan (Interactive or Background).
+- **usoScanType** The type of USO (Update Session Orchestrator) scan: "Interactive" or "Background".
- **windows10UpgraderBlockWuUpdates** Event to report the value of Windows 10 Upgrader BlockWuUpdates Key.
- **windowsEditionId** Event to report the value of Windows Edition ID.
- **WindowsHyberFilSysSizeInMegabytes** The size of the Windows Hibernation file, measured in Megabytes.
@@ -2926,30 +3202,14 @@ The following fields are available:
- **windowsUpgradeRecoveredFromRs4** Event to report the value of the Windows Upgrade Recovered key.
-### Microsoft.Windows.Remediation.RemediationShellMainExeEventId
-
-Enables tracking of completion of process that remediates issues preventing security and quality updates.
-
-The following fields are available:
-
-- **CV** Client side counter which indicates ordering of events sent by the remediation system.
-- **GlobalEventCounter** Client side counter which indicates ordering of events sent by the remediation system.
-- **PackageVersion** Current package version of Remediation.
-- **RemediationShellCanAcquireSedimentMutex** True if the remediation was able to acquire the sediment mutex. False if it is already running.
-- **RemediationShellExecuteShellResult** Indicates if the remediation system completed without errors.
-- **RemediationShellFoundDriverDll** Result whether the remediation system found its component files to run properly.
-- **RemediationShellLoadedShellDriver** Result whether the remediation system loaded its component files to run properly.
-- **RemediationShellLoadedShellFunction** Result whether the remediation system loaded the functions from its component files to run properly.
-
-
### Microsoft.Windows.Remediation.Started
-This event reports whether a plug-in started, to help ensure Windows is up to date.
+This event sends simple device connectivity and configuration data about an application installed on the system that helps keep the Windows Update stack healthy.
The following fields are available:
- **CV** Correlation vector.
-- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
+- **GlobalEventCounter** Client side counter which indicates ordering of events.
- **PackageVersion** Current package version of Remediation.
- **PluginName** Name of the plugin specified for each generic plugin event.
- **Result** This is the HRESULT for detection or perform action phases of the plugin.
@@ -2970,6 +3230,41 @@ The following fields are available:
- **Time** The time the event was fired.
+### Microsoft.Windows.Sediment.Info.Error
+
+This event indicates an error in the updater payload. This information assists in keeping Windows up to date.
+
+
+
+### Microsoft.Windows.Sediment.OSRSS.CheckingOneSettings
+
+This event indicates the parameters that the Operating System Remediation System Service (OSRSS) uses for a secure ping to Microsoft to help ensure Windows is up to date.
+
+The following fields are available:
+
+- **CustomVer** The registry value for targeting.
+- **IsMetered** TRUE if the machine is on a metered network.
+- **LastVer** The version of the last successful run.
+- **ServiceVersionMajor** The Major version information of the component.
+- **ServiceVersionMinor** The Minor version information of the component.
+- **Time** The system time at which the event occurred.
+
+
+### Microsoft.Windows.Sediment.OSRSS.Error
+
+This event indicates an error occurred in the Operating System Remediation System Service (OSRSS). The information provided helps ensure future upgrade/update attempts are more successful.
+
+The following fields are available:
+
+- **FailureType** The type of error encountered.
+- **FileName** The code file in which the error occurred.
+- **HResult** The failure error code.
+- **LineNumber** The line number in the code file at which the error occurred.
+- **ServiceVersionMajor** The Major version information of the component.
+- **ServiceVersionMinor** The Minor version information of the component.
+- **Time** The system time at which the event occurred.
+
+
### Microsoft.Windows.Sediment.OSRSS.UrlState
This event indicates the state the Operating System Remediation System Service (OSRSS) is in while attempting a download from the URL.
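Review bot: The added Microsoft.Windows.Sediment.Info.Error entry has a description but no "The following fields are available:" list, while its sibling Microsoft.Windows.Sediment.OSRSS.Error documents **FailureType**, **FileName**, **HResult** and **LineNumber**. If Info.Error carries a payload, list it; if it carries none, say so, so readers auditing what leaves the device are not left guessing.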
@@ -2984,15 +3279,17 @@ The following fields are available:
- **Time** System timestamp the event was fired
+## Sediment Launcher events
+
### Microsoft.Windows.SedimentLauncher.Applicable
-Indicates whether a given plugin is applicable.
+This event sends simple device connectivity and configuration data about an application installed on the system that helps keep the Windows Update stack healthy.
The following fields are available:
- **CV** Correlation vector.
- **DetectedCondition** Boolean true if detect condition is true and perform action will be run.
-- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
+- **GlobalEventCounter** Client side counter which indicates ordering of events.
- **IsSelfUpdateEnabledInOneSettings** True if self update enabled in Settings.
- **IsSelfUpdateNeeded** True if self update needed by device.
- **PackageVersion** Current package version of Remediation.
@@ -3002,98 +3299,43 @@ The following fields are available:
### Microsoft.Windows.SedimentLauncher.Completed
-Indicates whether a given plugin has completed its work.
+This event sends simple device connectivity and configuration data about an application installed on the system that helps keep the Windows Update stack healthy.
The following fields are available:
- **CV** Correlation vector.
- **FailedReasons** Concatenated list of failure reasons.
-- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
+- **GlobalEventCounter** Client side counter which indicates ordering of events.
- **PackageVersion** Current package version of Remediation.
- **PluginName** Name of the plugin specified for each generic plugin event.
- **Result** This is the HRESULT for detection or perform action phases of the plugin.
- **SedLauncherExecutionResult** HRESULT for one execution of the Sediment Launcher.
-### Microsoft.Windows.SedimentLauncher.Error
-
-Error occurred during execution of the plugin.
-
-The following fields are available:
-
-- **HResult** The result for the Detection or Perform Action phases of the plug-in.
-- **Message** A message containing information about the error that occurred (if any).
-- **PackageVersion** The version number of the current remediation package.
-
-
-### Microsoft.Windows.SedimentLauncher.FallbackError
-
-This event indicates that an error occurred during execution of the plug-in fallback.
-
-The following fields are available:
-
-- **s0** Error occurred during execution of the plugin fallback. See [Microsoft.Windows.SedimentLauncher.wilResult](#microsoftwindowssedimentlauncherwilresult).
-- **wilResult** Result from executing wil based function. See [wilResult](#wilresult).
-
-
-### Microsoft.Windows.SedimentLauncher.Information
-
-This event provides general information returned from the plug-in.
-
-The following fields are available:
-
-- **HResult** This is the HRESULT for detection or perform action phases of the plugin.
-- **Message** Information message returned from a plugin containing only information internal to the plugins execution.
-- **PackageVersion** Current package version of Remediation.
-
-
### Microsoft.Windows.SedimentLauncher.Started
-This event indicates that a given plug-in has started.
+This event sends simple device connectivity and configuration data about an application installed on the system that helps keep Windows up to date.
The following fields are available:
- **CV** Correlation vector.
-- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
+- **GlobalEventCounter** Client side counter which indicates ordering of events.
- **PackageVersion** Current package version of Remediation.
- **PluginName** Name of the plugin specified for each generic plugin event.
- **Result** This is the HRESULT for detection or perform action phases of the plugin.
-### Microsoft.Windows.SedimentLauncher.wilResult
-
-This event provides the result from the Windows internal library.
-
-The following fields are available:
-
-- **callContext** List of telemetry activities containing this error.
-- **currentContextId** Identifier for the newest telemetry activity containing this error.
-- **currentContextMessage** Custom message associated with the newest telemetry activity containing this error (if any).
-- **currentContextName** Name of the newest telemetry activity containing this error.
-- **failureCount** Number of failures seen within the binary where the error occurred.
-- **failureId** Identifier assigned to this failure.
-- **failureType** Indicates what type of failure was observed (exception, returned error, logged error or fail fast).
-- **fileName** Source code file name where the error occurred.
-- **function** Name of the function where the error occurred.
-- **hresult** Failure error code.
-- **lineNumber** Line number within the source code file where the error occurred.
-- **message** Custom message associated with the failure (if any).
-- **module** Name of the binary where the error occurred.
-- **originatingContextId** Identifier for the oldest telemetry activity containing this error.
-- **originatingContextMessage** Custom message associated with the oldest telemetry activity containing this error (if any).
-- **originatingContextName** Name of the oldest telemetry activity containing this error.
-- **threadId** Identifier of the thread the error occurred on.
-
+## Sediment Service events
### Microsoft.Windows.SedimentService.Applicable
-This event indicates whether a given plug-in is applicable.
+This event sends simple device connectivity and configuration data about a service on the system that helps keep Windows up to date.
The following fields are available:
- **CV** Correlation vector.
- **DetectedCondition** Determine whether action needs to run based on device properties.
-- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
+- **GlobalEventCounter** Client side counter which indicates ordering of events.
- **IsSelfUpdateEnabledInOneSettings** Indicates if self update is enabled in One Settings.
- **IsSelfUpdateNeeded** Indicates if self update is needed.
- **PackageVersion** Current package version of Remediation.
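Review bot: The new SedimentLauncher.Started description ends "helps keep Windows up to date" while SedimentLauncher.Applicable and SedimentLauncher.Completed end "helps keep the Windows Update stack healthy"; otherwise the three sentences are identical, so the difference looks accidental and none of them says which phase the event reports. Suggest one consistent sentence plus a phase-specific clause per event. This hunk also removes the Error, FallbackError, Information and wilResult sections for SedimentLauncher; confirm those events are retired and not just dropped from the reference.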
@@ -3103,13 +3345,13 @@ The following fields are available:
### Microsoft.Windows.SedimentService.Completed
-This event indicates whether a given plug-in has completed its work.
+This event sends simple device connectivity and configuration data about a service on the system that helps keep Windows up to date.
The following fields are available:
- **CV** Correlation vector.
- **FailedReasons** List of reasons when the plugin action failed.
-- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
+- **GlobalEventCounter** Client side counter which indicates ordering of events.
- **PackageVersion** Current package version of Remediation.
- **PluginName** Name of the plugin specified for each generic plugin event.
- **Result** This is the HRESULT for detection or perform action phases of the plugin.
@@ -3123,41 +3365,9 @@ The following fields are available:
- **SedimentServiceTotalIterations** Number of 5 second iterations service will wait before running again.
-### Microsoft.Windows.SedimentService.Error
-
-This event indicates whether an error condition occurred in the plug-in.
-
-The following fields are available:
-
-- **HResult** This is the HRESULT for detection or perform action phases of the plugin.
-- **Message** Custom message associated with the failure (if any).
-- **PackageVersion** Current package version of Remediation.
-
-
-### Microsoft.Windows.SedimentService.FallbackError
-
-This event indicates whether an error occurred for a fallback in the plug-in.
-
-The following fields are available:
-
-- **s0** Event returned when an error occurs for a fallback in the plugin. See [Microsoft.Windows.SedimentService.wilResult](#microsoftwindowssedimentservicewilresult).
-- **wilResult** Result for wil based function. See [wilResult](#wilresult).
-
-
-### Microsoft.Windows.SedimentService.Information
-
-This event provides general information returned from the plug-in.
-
-The following fields are available:
-
-- **HResult** This is the HRESULT for detection or perform action phases of the plugin.
-- **Message** Custom message associated with the failure (if any).
-- **PackageVersion** Current package version of Remediation.
-
-
### Microsoft.Windows.SedimentService.Started
-This event indicates a specified plug-in has started. This information helps ensure Windows is up to date.
+This event sends simple device connectivity and configuration data about a service on the system that helps keep Windows up to date.
The following fields are available:
@@ -3168,32 +3378,33 @@ The following fields are available:
- **Result** This is the HRESULT for Detection or Perform Action phases of the plugin.
-### Microsoft.Windows.SedimentService.wilResult
+## Setup events
-This event provides the result from the Windows internal library.
+### SetupPlatformTel.SetupPlatformTelActivityEvent
+
+This event sends basic metadata about the SetupPlatform update installation process, to help keep Windows up to date.
The following fields are available:
-- **callContext** List of telemetry activities containing this error.
-- **currentContextId** Identifier for the newest telemetry activity containing this error.
-- **currentContextMessage** Custom message associated with the newest telemetry activity containing this error (if any).
-- **currentContextName** Name of the newest telemetry activity containing this error.
-- **failureCount** Number of failures seen within the binary where the error occurred.
-- **failureId** Identifier assigned to this failure.
-- **failureType** Indicates what type of failure was observed (exception, returned error, logged error or fail fast).
-- **fileName** Source code file name where the error occurred.
-- **function** Name of the function where the error occurred.
-- **hresult** Failure error code.
-- **lineNumber** Line number within the source code file where the error occurred.
-- **message** Custom message associated with the failure (if any).
-- **module** Name of the binary where the error occurred.
-- **originatingContextId** Identifier for the oldest telemetry activity containing this error.
-- **originatingContextMessage** Custom message associated with the oldest telemetry activity containing this error (if any).
-- **originatingContextName** Name of the oldest telemetry activity containing this error.
-- **threadId** Identifier of the thread the error occurred on.
+- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc.
+- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc.
+- **Value** Value associated with the corresponding event name. For example, time-related events will include the system time
+
+
+### SetupPlatformTel.SetupPlatformTelActivityStarted
+
+This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date.
+
+The following fields are available:
+
+- **Name** The name of the dynamic update type. Example: GDR driver
+
+
+### SetupPlatformTel.SetupPlatformTelActivityStopped
+
+This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date.
-## Setup events
### SetupPlatformTel.SetupPlatformTelEvent
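Review bot: SetupPlatformTel.SetupPlatformTelActivityStopped is added with the same description as SetupPlatformTelActivityStarted and no field list, so the entry does not say what a stop event reports or how it differs from the start event. Suggest stating that it marks the end of the activity and listing its fields, or noting that it has none. Minor: the **Value** line in SetupPlatformTelActivityEvent is missing its closing period, and "groupname" in **GroupName** should be "group name".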
@@ -3780,6 +3991,131 @@ The following fields are available:
## Update events
+### Update360Telemetry.UpdateAgent_DownloadRequest
+
+This event sends data during the download request phase of updating Windows.
+
+The following fields are available:
+
+- **DeletedCorruptFiles** Boolean indicating whether corrupt payload was deleted.
+- **ErrorCode** The error code returned for the current download request phase.
+- **FlightId** Unique ID for each flight.
+- **ObjectId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360).
+- **PackageCountOptional** # of optional packages requested.
+- **PackageCountRequired** # of required packages requested.
+- **PackageCountTotal** Total # of packages needed.
+- **PackageCountTotalCanonical** Total number of canonical packages.
+- **PackageCountTotalDiff** Total number of diff packages.
+- **PackageCountTotalExpress** Total number of express packages.
+- **PackageSizeCanonical** Size of canonical packages in bytes.
+- **PackageSizeDiff** Size of diff packages in bytes.
+- **PackageSizeExpress** Size of express packages in bytes.
+- **RangeRequestState** Indicates the range request type used.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **Result** Outcome of the download request phase of update.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each attempt (same value for initialize, download, install commit phases)
+- **UpdateId** Unique ID for each Update.
+
+
+### Update360Telemetry.UpdateAgent_FellBackToCanonical
+
+This event collects information when Express could not be used, and the update had to fall back to “canonical” during the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop.
+
+The following fields are available:
+
+- **FlightId** Unique ID for the flight (test instance version).
+- **ObjectId** The unique value for each Update Agent mode.
+- **PackageCount** The number of packages that fell back to “canonical”.
+- **PackageList** PackageIDs which fell back to “canonical”.
+- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan.
+- **ScenarioId** The ID of the update scenario.
+- **SessionId** The ID of the update attempt.
+- **UpdateId** The ID of the update.
+
+
+### Update360Telemetry.UpdateAgent_Initialize
+
+This event sends data during the initialize phase of updating Windows.
+
+The following fields are available:
+
+- **ErrorCode** The error code returned for the current initialize phase.
+- **FlightId** Unique ID for each flight.
+- **FlightMetadata** Contains the FlightId and the build being flighted.
+- **ObjectId** Unique value for each Update Agent mode.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **Result** Result of the initialize phase of update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled
+- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
+- **SessionData** Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios).
+- **SessionId** Unique value for each Update Agent mode attempt .
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgent_Install
+
+This event sends data during the install phase of updating Windows.
+
+The following fields are available:
+
+- **ErrorCode** The error code returned for the current install phase.
+- **FlightId** Unique ID for each flight.
+- **ObjectId** Unique value for each Update Agent mode.
+- **RelatedCV** Correlation vector value generated from the latest scan.
+- **Result** Result of the install phase of update. 0 = Succeeded 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled
+- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
+- **SessionId** Unique value for each Update Agent mode attempt.
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgent_Merge
+
+This event sends data on the merge phase when updating Windows.
+
+The following fields are available:
+
+- **ErrorCode** The error code returned for the current reboot.
+- **FlightId** Unique ID for the flight (test instance version).
+- **ObjectId** The unique value for each Update Agent mode.
+- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan.
+- **Result** The HResult of the event.
+- **ScenarioId** The ID of the update scenario.
+- **SessionId** The ID of the update attempt.
+- **UpdateId** The ID of the update.
+
+
+### Update360Telemetry.UpdateAgent_ModeStart
+
+This event sends data for the start of each mode during the process of updating Windows.
+
+The following fields are available:
+
+- **FlightId** Unique ID for each flight.
+- **Mode** Indicates that the Update Agent mode that has started. 1 = Initialize, 2 = DownloadRequest, 3 = Install, 4 = Commit
+- **ObjectId** Unique value for each Update Agent mode.
+- **RelatedCV** The correlation vector value generated from the latest scan.
+- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
+- **SessionId** Unique value for each Update Agent mode attempt.
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgent_SetupBoxLaunch
+
+This event sends data during the launching of the setup box when updating Windows.
+
+The following fields are available:
+
+- **FlightId** Unique ID for each flight.
+- **ObjectId** Unique value for each Update Agent mode.
+- **Quiet** Indicates whether setup is running in quiet mode. 0 = false 1 = true
+- **RelatedCV** Correlation vector value generated from the latest scan.
+- **SandboxSize** The size of the sandbox folder on the device.
+- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
+- **SessionId** Unique value for each Update Agent mode attempt.
+- **SetupMode** Setup mode 1 = predownload, 2 = install, 3 = finalize
+- **UpdateId** Unique ID for each update.
+
+
### Update360Telemetry.UpdateAgentCommit
This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop.
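Review bot: In Update360Telemetry.UpdateAgent_Merge, **ErrorCode** is described as "The error code returned for the current reboot.", which looks copied from a reboot-phase event; the other phase events in this hunk say "for the current download request phase", "initialize phase" and "install phase", so this should read "for the current merge phase". The hunk also expands USO as "Update Service Orchestrator" in FellBackToCanonical and Merge, while the **usoScanType** line earlier in this file uses "Update Session Orchestrator"; use one expansion. Small fixes: "attempt ." in UpdateAgent_Initialize **SessionId**, the missing comma after "0 = Succeeded" in UpdateAgent_Install **Result**, and "Indicates that the Update Agent mode that has started" in UpdateAgent_ModeStart **Mode**.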
@@ -3975,6 +4311,24 @@ The following fields are available:
- **Version** Version of update
+### Update360Telemetry.UpdateAgentOneSettings
+
+This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop.
+
+The following fields are available:
+
+- **Count** The count of applicable OneSettings for the device.
+- **FlightId** Unique ID for the flight (test instance version).
+- **ObjectId** The unique value for each Update Agent mode.
+- **Parameters** The set of name value pair parameters sent to OneSettings to determine if there are any applicable OneSettings.
+- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan.
+- **Result** The HResult of the event.
+- **ScenarioId** The ID of the update scenario.
+- **SessionId** The ID of the update attempt.
+- **UpdateId** The ID of the update.
+- **Values** The values sent back to the device, if applicable.
+
+
### Update360Telemetry.UpdateAgentPostRebootResult
This event collects information for both Mobile and Desktop regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario.
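Review bot: The description added for Update360Telemetry.UpdateAgentOneSettings says the event "collects information regarding the post reboot phase", which is the purpose of the UpdateAgentPostRebootResult event directly below it, while the fields listed here (**Count**, **Parameters**, **Values**) are about querying OneSettings. Suggest a description that says the event reports the OneSettings lookup, and spell out what **Parameters** and **Values** can contain, since they are free-form name/value data.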
@@ -4028,7 +4382,7 @@ The following fields are available:
- **CV** Correlation vector.
- **DetectorVersion** Most recently run detector version for the current campaign.
- **GlobalEventCounter** Client side counter that indicates the ordering of events sent by this user.
-- **key1** UI interaction data
+- **key1** Interaction data for the UI
- **key10** UI interaction data
- **key11** UI interaction data
- **key12** UI interaction data
@@ -4039,9 +4393,9 @@ The following fields are available:
- **key17** UI interaction data
- **key18** UI interaction data
- **key19** UI interaction data
-- **key2** UI interaction data
+- **key2** Interaction data for the UI
- **key20** UI interaction data
-- **key21** Interaction data for the UI
+- **key21** UI interaction data
- **key22** UI interaction data
- **key23** UI interaction data
- **key24** UI interaction data
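Review bot: key2 and key21 swap between the same two phrasings in opposite directions ("UI interaction data" to "Interaction data for the UI" and back), so this hunk changes no meaning and leaves the list less uniform. Pick one wording and apply it to every key, or drop both edits; "UI interaction data" is what the untouched keys use.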
@@ -4050,12 +4404,12 @@ The following fields are available:
- **key27** UI interaction data
- **key28** UI interaction data
- **key29** UI interaction data
-- **key3** UI interaction data
+- **key3** Interaction data for the UI
- **key30** UI interaction data
-- **key4** UI interaction data
-- **key5** UI interaction data
-- **key6** UI interaction data
-- **key7** UI interaction data
+- **key4** Interaction data for the UI
+- **key5** UI interaction type
+- **key6** Current package version of UNP
+- **key7** UI interaction type
- **key8** UI interaction data
- **key9** UI interaction data
- **PackageVersion** Current package version of the update notification.
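Review bot: key6 becomes "Current package version of UNP", which overlaps the PackageVersion field at the end of this list and uses "UNP" without expanding it. key5 and key7 both become "UI interaction type", with nothing to tell a reader how the two differ. Expand the abbreviation, say how key6 relates to PackageVersion, and give key5 and key7 distinct descriptions.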
@@ -4353,6 +4707,12 @@ This event sends a summary of all the setup mitigations available for this updat
+### Setup360Telemetry.Setup360OneSettings
+
+This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop.
+
+
+
### Setup360Telemetry.UnexpectedEvent
This event sends data indicating that the device has invoked the unexpected event phase of the upgrade, to help keep Windows up to date.
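Review bot: the Setup360Telemetry.Setup360OneSettings description is the same sentence this patch adds for Update360Telemetry.UpdateAgentOneSettings ("post reboot phase of the new UUP (Unified Update Platform) update scenario"), so it does not say what this Setup360 event reports. The entry also has no "The following fields are available:" list; either list the fields or state that the event has none.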
@@ -4402,17 +4762,37 @@ This event provides the results from the WaaSMedic engine
The following fields are available:
- **detectionSummary** Result of each applicable detection that was run.
-- **featureAssessmentImpact** Windows as a Service (WaaS) Assessment impact on feature updates
+- **featureAssessmentImpact** WaaS Assessment impact for feature updates.
- **hrEngineResult** Indicates the WaaSMedic engine operation error codes
-- **insufficientSessions** True, if the device has enough activity to be eligible for update diagnostics. False, if otherwise
-- **isManaged** Indicates the device is managed for updates
-- **isWUConnected** Indicates the device is connected to Windows Update
-- **noMoreActions** All available WaaSMedic diagnostics have run. There are no pending diagnostics and corresponding actions
-- **qualityAssessmentImpact** Windows as a Service (WaaS) Assessment impact for quality updates
+- **insufficientSessions** Device not eligible for diagnostics.
+- **isManaged** Device is managed for updates.
+- **isWUConnected** Device is connected to Windows Update.
+- **noMoreActions** No more applicable diagnostics.
+- **qualityAssessmentImpact** WaaS Assessment impact for quality updates.
- **remediationSummary** Result of each operation performed on a device to fix an invalid state or configuration that's preventing the device from getting updates. For example, if Windows Update service is turned off, the fix is to turn the it back on.
-- **usingBackupFeatureAssessment** The WaaSMedic engine contacts Windows as a Service (WaaS) Assessment to determine whether the device is up-to-date. If WaaS Assessment isn't available, the engine falls back to backup feature assessments, which are determined programmatically on the client
-- **usingBackupQualityAssessment** The WaaSMedic engine contacts Windows as a Service (WaaS) Assessment to determine whether the device is up-to-date. If WaaS Assessment isn't available, the engine falls back to backup quality assessments, which are determined programmatically on the client
-- **versionString** Installed version of the WaaSMedic engine
+- **usingBackupFeatureAssessment** Relying on backup feature assessment.
+- **usingBackupQualityAssessment** Relying on backup quality assessment.
+- **versionString** Version of the WaaSMedic engine.
+
+
+## Windows Error Reporting events
+
+### Microsoft.Windows.WERVertical.OSCrash
+
+This event sends binary data from the collected dump file wheneveer a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event.
+
+The following fields are available:
+
+- **BootId** Uint32 identifying the boot number for this device.
+- **BugCheckCode** Uint64 "bugcheck code" that identifies a proximate cause of the bug check.
+- **BugCheckParameter1** Uint64 parameter providing additional information.
+- **BugCheckParameter2** Uint64 parameter providing additional information.
+- **BugCheckParameter3** Uint64 parameter providing additional information.
+- **BugCheckParameter4** Uint64 parameter providing additional information.
+- **DumpFileAttributes** Codes that identify the type of data contained in the dump file
+- **DumpFileSize** Size of the dump file
+- **IsValidDumpFile** True if the dump file is valid for the debugger, false otherwise
+- **ReportId** WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson).
## Windows Store events
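Review bot: the new insufficientSessions text ("Device not eligible for diagnostics.") states the opposite sense of the line it replaces ("True, if the device has enough activity to be eligible for update diagnostics"); confirm which is correct and keep the True/False semantics in the description. The usingBackupFeatureAssessment and usingBackupQualityAssessment rewrites drop the explanation of when the fallback happens, which was the useful part for a reader. In the new OSCrash entry, "wheneveer" and "The is the OneCore version" are typos, and the summary says binary data from the dump file is sent while the listed fields only cover codes, size, validity and a report ID; state which field, if any, carries dump content.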
@@ -4798,144 +5178,6 @@ The following fields are available:
## Windows Update Delivery Optimization events
-### Microsoft.OSG.DU.DeliveryOptClient.DownloadCanceled
-
-This event describes when a download was canceled with Delivery Optimization. It's used to understand and address problems regarding downloads.
-
-The following fields are available:
-
-- **background** Is the download being done in the background?
-- **bytesFromCacheServer** Bytes received from a cache host.
-- **bytesFromCDN** The number of bytes received from a CDN source.
-- **bytesFromGroupPeers** The number of bytes received from a peer in the same group.
-- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same group.
-- **bytesFromLocalCache** Bytes copied over from local (on disk) cache.
-- **bytesFromPeers** The number of bytes received from a peer in the same LAN.
-- **callerName** Name of the API caller.
-- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event.
-- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered.
-- **clientTelId** A random number used for device sampling.
-- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session.
-- **doErrorCode** The Delivery Optimization error code that was returned.
-- **errorCode** The error code that was returned.
-- **experimentId** When running a test, this is used to correlate events that are part of the same test.
-- **fileID** The ID of the file being downloaded.
-- **gCurMemoryStreamBytes** Current usage for memory streaming.
-- **gMaxMemoryStreamBytes** Maximum usage for memory streaming.
-- **isVpn** Is the device connected to a Virtual Private Network?
-- **jobID** Identifier for the Windows Update job.
-- **reasonCode** Reason the action or event occurred.
-- **scenarioID** The ID of the scenario.
-- **sessionID** The ID of the file download session.
-- **updateID** The ID of the update being downloaded.
-- **usedMemoryStream** Did the download use memory streaming?
-
-
-### Microsoft.OSG.DU.DeliveryOptClient.DownloadCompleted
-
-This event describes when a download has completed with Delivery Optimization. It's used to understand and address problems regarding downloads.
-
-The following fields are available:
-
-- **background** Is the download a background download?
-- **bytesFromCacheServer** Bytes received from a cache host.
-- **bytesFromCDN** The number of bytes received from a CDN source.
-- **bytesFromGroupPeers** The number of bytes received from a peer in the same domain group.
-- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same domain group.
-- **bytesFromLocalCache** Bytes copied over from local (on disk) cache.
-- **bytesFromPeers** The number of bytes received from a peer in the same LAN.
-- **bytesRequested** The total number of bytes requested for download.
-- **cacheServerConnectionCount** Number of connections made to cache hosts.
-- **callerName** Name of the API caller.
-- **cdnConnectionCount** The total number of connections made to the CDN.
-- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event.
-- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered.
-- **cdnIp** The IP address of the source CDN.
-- **clientTelId** A random number used for device sampling.
-- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session.
-- **doErrorCode** The Delivery Optimization error code that was returned.
-- **downlinkBps** The maximum measured available download bandwidth (in bytes per second).
-- **downlinkUsageBps** The download speed (in bytes per second).
-- **downloadMode** The download mode used for this file download session.
-- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9).
-- **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
-- **fileID** The ID of the file being downloaded.
-- **fileSize** The size of the file being downloaded.
-- **gCurMemoryStreamBytes** Current usage for memory streaming.
-- **gMaxMemoryStreamBytes** Maximum usage for memory streaming.
-- **groupConnectionCount** The total number of connections made to peers in the same group.
-- **internetConnectionCount** The total number of connections made to peers not in the same LAN or the same group.
-- **isVpn** Is the device connected to a Virtual Private Network?
-- **jobID** Identifier for the Windows Update job.
-- **lanConnectionCount** The total number of connections made to peers in the same LAN.
-- **numPeers** The total number of peers used for this download.
-- **restrictedUpload** Is the upload restricted?
-- **scenarioID** The ID of the scenario.
-- **sessionID** The ID of the download session.
-- **totalTimeMs** Duration of the download (in seconds).
-- **updateID** The ID of the update being downloaded.
-- **uplinkBps** The maximum measured available upload bandwidth (in bytes per second).
-- **uplinkUsageBps** The upload speed (in bytes per second).
-- **usedMemoryStream** Did the download use memory streaming?
-
-
-### Microsoft.OSG.DU.DeliveryOptClient.DownloadPaused
-
-This event represents a temporary suspension of a download with Delivery Optimization. It's used to understand and address problems regarding downloads.
-
-The following fields are available:
-
-- **background** Is the download a background download?
-- **callerName** The name of the API caller.
-- **clientTelId** A random number used for device sampling.
-- **errorCode** The error code that was returned.
-- **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
-- **fileID** The ID of the file being paused.
-- **isVpn** Is the device connected to a Virtual Private Network?
-- **jobID** Identifier for the Windows Update job.
-- **reasonCode** The reason for pausing the download.
-- **scenarioID** The ID of the scenario.
-- **sessionID** The ID of the download session.
-- **updateID** The ID of the update being paused.
-
-
-### Microsoft.OSG.DU.DeliveryOptClient.DownloadStarted
-
-This event sends data describing the start of a new download to enable Delivery Optimization. It's used to understand and address problems regarding downloads.
-
-The following fields are available:
-
-- **background** Indicates whether the download is happening in the background.
-- **bytesRequested** Number of bytes requested for the download.
-- **callerName** Name of the API caller.
-- **cdnUrl** The URL of the source CDN.
-- **clientTelId** Random number used for device selection
-- **costFlags** A set of flags representing network cost.
-- **deviceProfile** Identifies the usage or form factor (such as Desktop, Xbox, or VM).
-- **diceRoll** Random number used for determining if a client will use peering.
-- **doClientVersion** The version of the Delivery Optimization client.
-- **doErrorCode** The Delivery Optimization error code that was returned.
-- **downloadMode** The download mode used for this file download session (CdnOnly = 0, Lan = 1, Group = 2, Internet = 3, Simple = 99, Bypass = 100).
-- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9).
-- **errorCode** The error code that was returned.
-- **experimentId** ID used to correlate client/services calls that are part of the same test during A/B testing.
-- **fileID** The ID of the file being downloaded.
-- **filePath** The path to where the downloaded file will be written.
-- **fileSize** Total file size of the file that was downloaded.
-- **fileSizeCaller** Value for total file size provided by our caller.
-- **groupID** ID for the group.
-- **isVpn** Indicates whether the device is connected to a Virtual Private Network.
-- **jobID** The ID of the Windows Update job.
-- **minDiskSizeGB** The minimum disk size (in GB) policy set for the device to allow peering with delivery optimization.
-- **minDiskSizePolicyEnforced** Indicates whether there is an enforced minimum disk size requirement for peering.
-- **minFileSizePolicy** The minimum content file size policy to allow the download using peering with delivery optimization.
-- **peerID** The ID for this delivery optimization client.
-- **scenarioID** The ID of the scenario.
-- **sessionID** The ID for the file download session.
-- **updateID** The ID of the update being downloaded.
-- **usedMemoryStream** Indicates whether the download used memory streaming.
-
-
### Microsoft.OSG.DU.DeliveryOptClient.FailureCdnCommunication
This event represents a failure to download from a CDN with Delivery Optimization. It's used to understand and address problems regarding downloads.
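Review bot: the four Microsoft.OSG.DU.DeliveryOptClient entries removed here (DownloadCanceled, DownloadCompleted, DownloadPaused, DownloadStarted) need a stated reason in the change description. If this Windows version still emits them, the page no longer discloses fields such as cdnIp, cdnUrl and filePath. If the events were renamed or moved to another provider, add the replacement entries in the same change, since FailureCdnCommunication is kept under this heading.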
@@ -4959,20 +5201,6 @@ The following fields are available:
- **sessionID** The ID of the download session.
-### Microsoft.OSG.DU.DeliveryOptClient.JobError
-
-This event represents a Windows Update job error. It allows for investigation of top errors.
-
-The following fields are available:
-
-- **clientTelId** A random number used for device sampling.
-- **doErrorCode** Error code returned for delivery optimization.
-- **errorCode** The error code returned.
-- **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
-- **fileID** The ID of the file being downloaded.
-- **jobID** The Windows Update job ID.
-
-
## Windows Update events
### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentCommit
@@ -5067,6 +5295,24 @@ The following fields are available:
- **updateId** Unique ID for each Update.
+### Microsoft.Windows.Update.NotificationUx.DialogNotificationToBeDisplayed
+
+This event indicates that a notification dialog box is about to be displayed to user.
+
+
+
+### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootFailedDialog
+
+This event indicates that the Enhanced Engaged restart "restart failed" dialog box was displayed.
+
+
+
+### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootImminentDialog
+
+This event indicates that the Enhanced Engaged restart "restart imminent" dialog box was displayed.
+
+
+
### Microsoft.Windows.Update.NotificationUx.RebootScheduled
Indicates when a reboot is scheduled by the system or a user for a security, quality, or feature update.
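Review bot: the three added NotificationUx entries have a summary but no "The following fields are available:" list, unlike the RebootScheduled entry right below them. If these events carry no fields, say so explicitly; otherwise list them. In the first summary, "displayed to user" is missing "the".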
@@ -5085,6 +5331,18 @@ The following fields are available:
- **wuDeviceid** Unique device ID used by Windows Update.
+### Microsoft.Windows.Update.Orchestrator.ActivityRestrictedByActiveHoursPolicy
+
+This event indicates a policy is present that may restrict update activity to outside of active hours.
+
+
+
+### Microsoft.Windows.Update.Orchestrator.BlockedByActiveHours
+
+This event indicates that update activity was blocked because it is within the active hours window.
+
+
+
### Microsoft.Windows.Update.Orchestrator.CommitFailed
This event indicates that a device was unable to restart after an update.
@@ -5114,16 +5372,16 @@ This event indicates that a scan for a Windows Update occurred.
The following fields are available:
- **deferReason** Reason why the device could not check for updates.
-- **detectionBlockreason** Reason for detection not completing.
+- **detectionBlockreason** Reason for blocking detection
- **detectionRetryMode** Indicates whether we will try to scan again.
-- **errorCode** The returned error code.
-- **eventScenario** End-to-end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed.
+- **errorCode** Error value
+- **eventScenario** End to end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed.
- **flightID** The specific ID of the Windows Insider build the device is getting.
- **interactive** Indicates whether the session was user initiated.
- **revisionNumber** Update revision number.
- **updateId** Update ID.
-- **updateScenarioType** Update Session type
-- **wuDeviceid** Device ID
+- **updateScenarioType** The update session type.
+- **wuDeviceid** Unique device ID used by Windows Update.
### Microsoft.Windows.Update.Orchestrator.DisplayNeeded
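Review bot: the new errorCode text, "Error value", says less than the line it replaces ("The returned error code.") and drops the final period, as does the new detectionBlockreason line. The eventScenario edit removes the hyphens from "End-to-end", while the Orchestrator.Download entry added later in this patch writes "End-to-end update session ID." Keep the previous errorCode wording and use one spelling of "end-to-end" throughout.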
@@ -5142,6 +5400,23 @@ The following fields are available:
- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue
+### Microsoft.Windows.Update.Orchestrator.Download
+
+This event sends launch data for a Windows Update download to help keep Windows up to date.
+
+The following fields are available:
+
+- **deferReason** Reason for download not completing.
+- **errorCode** An error code represented as a hexadecimal value.
+- **eventScenario** End-to-end update session ID.
+- **flightID** The specific ID of the Windows Insider build the device is getting.
+- **interactive** Indicates whether the session is user initiated.
+- **revisionNumber** Update revision number.
+- **updateId** Update ID.
+- **updateScenarioType** The update session type.
+- **wuDeviceid** Unique device ID used by Windows Update.
+
+
### Microsoft.Windows.Update.Orchestrator.FlightInapplicable
This event indicates that the update is no longer applicable to this device.
@@ -5169,6 +5444,48 @@ The following fields are available:
- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
+### Microsoft.Windows.Update.Orchestrator.InitiatingReboot
+
+This event sends data about an Orchestrator requesting a reboot from power management to help keep Windows up to date.
+
+The following fields are available:
+
+- **EventPublishedTime** Time of the event.
+- **flightID** Unique update ID
+- **interactive** Indicates whether the reboot initiation stage of the update process was entered as a result of user action.
+- **rebootOutsideOfActiveHours** Indicates whether the reboot was to occur outside of active hours.
+- **revisionNumber** Revision number of the update.
+- **updateId** Update ID.
+- **updateScenarioType** The update session type.
+- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated.
+- **wuDeviceid** Unique device ID used by Windows Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.Install
+
+This event sends launch data for a Windows Update install to help keep Windows up to date.
+
+The following fields are available:
+
+- **batteryLevel** Current battery capacity in mWh or percentage left.
+- **deferReason** Reason for install not completing.
+- **errorCode** The error code reppresented by a hexadecimal value.
+- **eventScenario** End-to-end update session ID.
+- **flightID** The specific ID of the Windows Insider build the device is getting.
+- **flightUpdate** Indicates whether the update is a Windows Insider build.
+- **ForcedRebootReminderSet** A boolean value that indicates if a forced reboot will happen for updates.
+- **installCommitfailedtime** The time it took for a reboot to happen but the upgrade failed to progress.
+- **installRebootinitiatetime** The time it took for a reboot to be attempted.
+- **interactive** Identifies if session is user initiated.
+- **minutesToCommit** The time it took to install updates.
+- **rebootOutsideOfActiveHours** Indicates whether a reboot is scheduled outside of active hours.
+- **revisionNumber** Update revision number.
+- **updateId** Update ID.
+- **updateScenarioType** The update session type.
+- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
+- **wuDeviceid** Unique device ID used by Windows Update.
+
+
### Microsoft.Windows.Update.Orchestrator.LowUptimes
This event is sent if a device is identified as not having sufficient uptime to reliably process updates in order to keep secure.
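Review bot: typo in the Install entry's errorCode line, "reppresented" should be "represented". flightID is described as "Unique update ID" under InitiatingReboot but as "The specific ID of the Windows Insider build the device is getting." under Install; use one definition for the same field. batteryLevel "in mWh or percentage left" leaves the unit undetermined for anyone reading the value; state how to tell which unit applies.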
@@ -5182,6 +5499,18 @@ The following fields are available:
- **wuDeviceid** Unique device ID for Windows Update.
+### Microsoft.Windows.Update.Orchestrator.OneshotUpdateDetection
+
+This event returns data about scans initiated through settings UI, or background scans that are urgent; to help keep Windows up to date.
+
+The following fields are available:
+
+- **externalOneshotupdate** The last time a task-triggered scan was completed.
+- **interactiveOneshotupdate** The last time an interactive scan was completed.
+- **oldlastscanOneshotupdate** The last time a scan completed successfully.
+- **wuDeviceid** The Windows Update Device GUID (Globally-Unique ID).
+
+
### Microsoft.Windows.Update.Orchestrator.PreShutdownStart
This event is generated before the shutdown and commit operations.
@@ -5191,6 +5520,166 @@ The following fields are available:
- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
+### Microsoft.Windows.Update.Orchestrator.RebootFailed
+
+This event sends information about whether an update required a reboot and reasons for failure, to help keep Windows up to date.
+
+The following fields are available:
+
+- **batteryLevel** Current battery capacity in mWh or percentage left.
+- **deferReason** Reason for install not completing.
+- **EventPublishedTime** The time that the reboot failure occurred.
+- **flightID** Unique update ID.
+- **rebootOutsideOfActiveHours** Indicates whether a reboot was scheduled outside of active hours.
+- **RebootResults** Hex code indicating failure reason. Typically, we expect this to be a specific USO generated hex code.
+- **revisionNumber** Update revision number.
+- **updateId** Update ID.
+- **updateScenarioType** The update session type.
+- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
+- **wuDeviceid** Unique device ID used by Windows Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.RefreshSettings
+
+This event sends basic data about the version of upgrade settings applied to the system to help keep Windows up to date.
+
+The following fields are available:
+
+- **errorCode** Hex code for the error message, to allow lookup of the specific error.
+- **settingsDownloadTime** Timestamp of the last attempt to acquire settings.
+- **settingsETag** Version identifier for the settings.
+- **wuDeviceid** Unique device ID used by Windows Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.RestoreRebootTask
+
+This event sends data indicating that a reboot task is missing unexpectedly on a device and the task is restored because a reboot is still required, to help keep Windows up to date.
+
+The following fields are available:
+
+- **RebootTaskRestoredTime** Time at which this reboot task was restored.
+- **wuDeviceid** Device ID for the device on which the reboot is restored.
+
+
+### Microsoft.Windows.Update.Orchestrator.SystemNeeded
+
+This event sends data about why a device is unable to reboot, to help keep Windows up to date.
+
+The following fields are available:
+
+- **eventScenario** End-to-end update session ID.
+- **rebootOutsideOfActiveHours** Indicates whether a reboot is scheduled outside of active hours.
+- **revisionNumber** Update revision number.
+- **systemNeededReason** List of apps or tasks that are preventing the system from restarting.
+- **updateId** Update ID.
+- **updateScenarioType** The update session type.
+- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
+- **wuDeviceid** Unique device ID used by Windows Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.UpdatePolicyCacheRefresh
+
+This event sends data on whether Update Management Policies were enabled on a device, to help keep Windows up to date.
+
+The following fields are available:
+
+- **configuredPoliciescount** Number of policies on the device.
+- **policiesNamevaluesource** Policy name and source of policy (group policy, MDM or flight).
+- **policyCacherefreshtime** Time when policy cache was refreshed.
+- **updateInstalluxsetting** Indicates whether a user has set policies via a user experience option.
+- **wuDeviceid** Unique device ID used by Windows Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.updateSettingsFlushFailed
+
+This event sends information about an update that encountered problems and was not able to complete.
+
+The following fields are available:
+
+- **errorCode** The error code encountered.
+- **wuDeviceid** The ID of the device in which the error occurred.
+
+
+### Microsoft.Windows.Update.Orchestrator.USODiagnostics
+
+This event sends data on whether the state of the update attempt, to help keep Windows up to date.
+
+The following fields are available:
+
+- **errorCode** result showing success or failure of current update
+- **LastApplicableUpdateFoundTime** The time when the last applicable update was found.
+- **LastDownloadDeferredReason** The last reason download was deferred.
+- **LastDownloadDeferredTime** The time of the download deferral.
+- **LastDownloadFailureError** The last download failure.
+- **LastDownloadFailureTime** The time of the last download failure.
+- **LastInstallCompletedTime** The time when the last successful install completed.
+- **LastInstallDeferredReason** The reason the last install was deferred.
+- **LastInstallDeferredTime** The time when the last install was deferred.
+- **LastInstallFailureError** The error code associated with the last install failure.
+- **LastInstallFailureTime** The time when the last install failed to complete.
+- **LastRebootDeferredReason** The reason the last reboot was deferred.
+- **LastRebootDeferredTime** The time when the last reboot was deferred.
+- **LastRebootPendingTime** The time when the last reboot state was set to “Pending”.
+- **LastScanDeferredReason** The reason the last scan was deferred.
+- **LastScanDeferredTime** The time when the last scan was deferred.
+- **LastScanFailureError** The error code for the last scan failure.
+- **LastScanFailureTime** The time when the last scan failed.
+- **LastUpdateCheckTime** The time of the last update check.
+- **LastUpdateDownloadTime** The time when the last update was downloaded.
+- **LastUpgradeInstallFailureError** The error code for the last upgrade install failure.
+- **LastUpgradeInstallFailureTime** The time of the last upgrade install failure.
+- **LowUpTimeDetectTime** The last time “low up-time” was detected.
+- **NoLowUpTimeDetectTime** The last time no “low up-time” was detected.
+- **RebootRequired** Indicates reboot is required.
+- **revisionNumber** Unique revision number of the Update
+- **updateId** Unique ID for Update
+- **updateState** Progress within an update state
+- **UpgradeInProgressTime** The amount of time a feature update has been in progress.
+- **WaaSFeatureAssessmentDays** The number of days Feature Update Assessment has been out of date.
+- **WaaSFeatureAssessmentImpact** The impact of the Feature Update Assessment.
+- **WaaSUpToDateAssessmentDays** The number of days Quality Update Assessment has been out of date.
+- **WaaSUpToDateAssessmentImpact** The impact of Quality Update Assessment.
+- **wuDeviceid** Unique ID for Device
+
+
+### Microsoft.Windows.Update.Orchestrator.UsoSession
+
+This event represents the state of the USO service at start and completion.
+
+The following fields are available:
+
+- **activeSessionid** A unique session GUID.
+- **eventScenario** The state of the update action.
+- **interactive** Is the USO session interactive?
+- **lastErrorcode** The last error that was encountered.
+- **lastErrorstate** The state of the update when the last error was encountered.
+- **sessionType** A GUID that refers to the update session type.
+- **updateScenarioType** A descriptive update session type.
+- **wuDeviceid** The Windows Update device GUID.
+
+
+### Microsoft.Windows.Update.Ux.MusNotification.EnhancedEngagedRebootUxState
+
+This event sends information about the configuration of Enhanced Direct-to-Engaged (eDTE), which includes values for the timing of how eDTE will progress through each phase of the reboot.
+
+The following fields are available:
+
+- **AcceptAutoModeLimit** The maximum number of days for a device to automatically enter Auto Reboot mode.
+- **AutoToAutoFailedLimit** The maximum number of days for Auto Reboot mode to fail before a Reboot Failed dialog will be shown.
+- **DeviceLocalTime** The date and time (based on the device date/time settings) the reboot mode changed.
+- **EngagedModeLimit** The number of days to switch between DTE (Direct-to-Engaged) dialogs.
+- **EnterAutoModeLimit** The maximum number of days a device can enter Auto Reboot mode.
+- **ETag** The Entity Tag that represents the OneSettings version.
+- **IsForcedEnabled** Identifies whether Forced Reboot mode is enabled for the device.
+- **IsUltimateForcedEnabled** Identifies whether Ultimate Forced Reboot mode is enabled for the device.
+- **OldestUpdateLocalTime** The date and time (based on the device date/time settings) this update’s reboot began pending.
+- **RebootUxState** Identifies the reboot state: Engaged, Auto, Forced, UltimateForced.
+- **RebootVersion** The version of the DTE (Direct-to-Engaged).
+- **SkipToAutoModeLimit** The maximum number of days to switch to start while in Auto Reboot mode.
+- **UpdateId** The ID of the update that is waiting for reboot to finish installation.
+- **UpdateRevision** The revision of the update that is waiting for reboot to finish installation.
+
+
### Microsoft.Windows.Update.Ux.MusNotification.RebootNoLongerNeeded
This event is sent when a security update has successfully completed.
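Review bot: the USODiagnostics summary, "This event sends data on whether the state of the update attempt, to help keep Windows up to date.", is not a complete sentence; drop "whether" or finish the clause. In the same entry errorCode starts lowercase and several lines lack a final period, and the LastRebootPendingTime and LowUpTimeDetectTime lines use curly quotes where the rest of the file uses straight ones. In EnhancedEngagedRebootUxState, SkipToAutoModeLimit ("The maximum number of days to switch to start while in Auto Reboot mode.") does not parse; reword it so the limit it describes is clear.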
@@ -5209,6 +5698,25 @@ The following fields are available:
- **Reason** The reason sent which will cause the reboot to defer.
+### Microsoft.Windows.Update.Ux.MusNotification.RebootScheduled
+
+This event sends basic information about scheduling an update-related reboot, to get security updates and to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **activeHoursApplicable** Indicates whether Active Hours applies on this device.
+- **forcedReboot** True, if a reboot is forced on the device. Otherwise, this is False
+- **rebootArgument** Argument for the reboot task. It also represents specific reboot related action.
+- **rebootOutsideOfActiveHours** True, if a reboot is scheduled outside of active hours. False, otherwise.
+- **rebootScheduledByUser** True, if a reboot is scheduled by user. False, if a reboot is scheduled automatically.
+- **rebootState** Current state of the reboot.
+- **revisionNumber** Revision number of the update that is getting installed with this reboot.
+- **scheduledRebootTime** Time scheduled for the reboot.
+- **scheduledRebootTimeInUTC** Time scheduled for the reboot, in UTC.
+- **updateId** Identifies which update is being scheduled.
+- **wuDeviceid** Unique device ID used by Windows Update.
+
+
### Microsoft.Windows.Update.Ux.MusNotification.UxBrokerFirstReadyToReboot
This event is fired the first time when the reboot is required.
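Review bot: The added MusNotification.RebootScheduled description ends "to help keep Windows up-to-date", while a later hunk in this same patch rewrites the MusUpdateSettings.RebootScheduled text to "up to date"; use the unhyphenated form here too. In the field list, forcedReboot ends "Otherwise, this is False" without a period, and forcedReboot, rebootOutsideOfActiveHours and rebootScheduledByUser each phrase the True/False case differently; pick one pattern. rebootState ("Current state of the reboot.") would be more useful with its possible values listed, as RebootUxState does in the preceding event.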
@@ -5227,7 +5735,7 @@ The following fields are available:
### Microsoft.Windows.Update.Ux.MusUpdateSettings.RebootScheduled
-This event sends basic information for scheduling a device restart to install security updates. It's used to help keep Windows up-to-date
+This event sends basic information for scheduling a device restart to install security updates. It's used to help keep Windows up to date.
The following fields are available:
@@ -5244,6 +5752,32 @@ The following fields are available:
- **wuDeviceid** The Windows Update device GUID.
+## Windows Update mitigation events
+
+### Mitigation360Telemetry.MitigationCustom.CleanupSafeOsImages
+
+This event sends data specific to the CleanupSafeOsImages mitigation used for OS Updates.
+
+The following fields are available:
+
+- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **FlightId** Unique identifier for each flight.
+- **InstanceId** Unique GUID that identifies each instances of setuphost.exe.
+- **MitigationScenario** The update scenario in which the mitigation was executed.
+- **MountedImageCount** Number of mounted images.
+- **MountedImageMatches** Number of mounted images that were under %systemdrive%\$Windows.~BT.
+- **MountedImagesFailed** Number of mounted images under %systemdrive%\$Windows.~BT that could not be removed.
+- **MountedImagesRemoved** Number of mounted images under %systemdrive%\$Windows.~BT that were successfully removed.
+- **MountedImagesSkipped** Number of mounted images that were not under %systemdrive%\$Windows.~BT.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **Result** HResult of this operation.
+- **ScenarioId** ID indicating the mitigation scenario.
+- **ScenarioSupported** Indicates whether the scenario was supported.
+- **SessionId** Unique value for each update attempt.
+- **UpdateId** Unique ID for each Update.
+- **WuId** Unique ID for the Windows Update client.
+
+
## Winlogon events
### Microsoft.Windows.Security.Winlogon.SetupCompleteLogon
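Review bot: InstanceId in the CleanupSafeOsImages field list reads "each instances of setuphost.exe"; it should be "each instance". The four MountedImages* descriptions embed %systemdrive%\$Windows.~BT as bare text; wrapping the path in code formatting would keep the backslash, dollar sign and tilde from being interpreted by the Markdown renderer. UpdateId ("Unique ID for each Update") capitalizes "Update" mid-sentence, unlike the other fields.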
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
index 9af3127db4..8fed168ec8 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
@@ -9,7 +9,7 @@ ms.pagetype: security
localizationpriority: high
author: brianlic-msft
ms.author: brianlic
-ms.date: 09/10/2018
+ms.date: 11/07/2018
---
@@ -28,6 +28,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th
You can learn more about Windows functional and diagnostic data through these articles:
+
- [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md)
- [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md)
- [Windows 10, version 1703 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md)
@@ -35,6 +36,8 @@ You can learn more about Windows functional and diagnostic data through these ar
- [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md)
+
+
## Appraiser events
### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount
@@ -75,7 +78,7 @@ The following fields are available:
- **DecisionSystemBios_RS3** The total DecisionSystemBios objects targeting the next release of Windows on this device.
- **DecisionTest_RS1** An ID for the system, calculated by hashing hardware identifiers.
- **InventoryApplicationFile** The count of the number of this particular object type present on this device.
-- **InventoryLanguagePack** The count of the number of this particular object type present on this device.
+- **InventoryLanguagePack** The count of InventoryLanguagePack objects present on this machine.
- **InventoryMediaCenter** The count of the number of this particular object type present on this device.
- **InventorySystemBios** The count of the number of this particular object type present on this device.
- **InventoryTest** The count of the number of this particular object type present on this device.
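Review bot: The new InventoryLanguagePack text says "present on this machine" while every sibling Inventory* field in the surrounding context still says "present on this device", so the list now mixes two terms for the same thing. Either keep "device" in the new wording or update the neighbouring Inventory* entries in the same change so they all name their object type.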
@@ -575,6 +578,17 @@ The following fields are available:
- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeStartSync
+
+This event indicates that a new set of DecisionMatchingInfoPostUpgradeAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
### Microsoft.Windows.Appraiser.General.DecisionMediaCenterAdd
This event sends decision data about the presence of Windows Media Center, to help keep Windows up to date.
@@ -822,6 +836,31 @@ The following fields are available:
- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageAdd
+
+This event is only runs during setup. It provides a listing of the uplevel driver packages that were downloaded before the upgrade. Is critical to understanding if failures in setup can be traced to not having sufficient uplevel drivers before the upgrade.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **BootCritical** Is the driver package marked as boot critical?
+- **Build** The build value from the driver package.
+- **CatalogFile** The name of the catalog file within the driver package.
+- **Class** The device class from the driver package.
+- **ClassGuid** The device class unique ID from the driver package.
+- **Date** The date from the driver package.
+- **Inbox** Is the driver package of a driver that is included with Windows?
+- **OriginalName** The original name of the INF file before it was renamed. Generally a path under $WINDOWS.~BT\Drivers\DU.
+- **Provider** The provider of the driver package.
+- **PublishedName** The name of the INF file after it was renamed.
+- **Revision** The revision of the driver package.
+- **SignatureStatus** Indicates if the driver package is signed. Unknown = 0, Unsigned = 1, Signed = 2.
+- **VersionMajor** The major version of the driver package.
+- **VersionMinor** The minor version of the driver package.
+
+
### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageRemove
This event indicates that the InventoryUplevelDriverPackage object is no longer present.
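Review bot: The added InventoryUplevelDriverPackageAdd description opens with "This event is only runs during setup", which is ungrammatical, and its last sentence ("Is critical to understanding if failures in setup ...") has no subject. Suggest "This event runs only during setup." and "It is critical to understanding whether failures in setup can be traced to ...". Date ("The date from the driver package.") would also benefit from saying which date is meant.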
@@ -1179,6 +1218,23 @@ The following fields are available:
- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+### Microsoft.Windows.Appraiser.General.SystemWlanAdd
+
+This event sends data indicating whether the system has WLAN, and if so, whether it uses an emulated driver that could block an upgrade, to help keep Windows up-to-date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **Blocking** Is the upgrade blocked because of an emulated WLAN driver?
+- **HasWlanBlock** Does the emulated WLAN driver have an upgrade block?
+- **WlanEmulatedDriver** Does the device have an emulated WLAN driver?
+- **WlanExists** Does the device support WLAN at all?
+- **WlanModulePresent** Are any WLAN modules present?
+- **WlanNativeDriver** Does the device have a non-emulated WLAN driver?
+
+
### Microsoft.Windows.Appraiser.General.SystemWlanRemove
This event indicates that the SystemWlan object is no longer present.
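Review bot: Blocking ("Is the upgrade blocked because of an emulated WLAN driver?") and HasWlanBlock ("Does the emulated WLAN driver have an upgrade block?") in the SystemWlanAdd field list read as the same question; the descriptions should say how the two differ, or one of them is redundant. The event description also uses "up-to-date" where another hunk in this patch standardizes on "up to date".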
@@ -1292,7 +1348,7 @@ The following fields are available:
- **AppraiserTaskExitCode** The Appraiser task exist code.
- **AppraiserTaskLastRun** The last runtime for the Appraiser task.
- **CensusVersion** The version of Census that generated the current data for this device.
-- **IEVersion** Retrieves which version of Internet Explorer is running on this device.
+- **IEVersion** IE version running on the device.
### Census.Battery
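Review bot: The replacement IEVersion text ("IE version running on the device.") drops the product name that the removed line spelled out; a field reference should not rely on the reader expanding "IE". Suggest "The version of Internet Explorer that is running on the device." so the entry stays self-explanatory and matches the sentence style of the neighbouring fields.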
@@ -2594,6 +2650,91 @@ The following fields are available:
- **CV** Correlation vector.
+## DxgKernelTelemetry events
+
+### DxgKrnlTelemetry.GPUAdapterInventoryV2
+
+This event sends basic GPU and display driver information to keep Windows and display drivers up-to-date.
+
+The following fields are available:
+
+- **AdapterTypeValue** The numeric value indicating the type of Graphics adapter.
+- **aiSeqId** The event sequence ID.
+- **bootId** The system boot ID.
+- **BrightnessVersionViaDDI** The version of the Display Brightness Interface.
+- **ComputePreemptionLevel** The maximum preemption level supported by GPU for compute payload.
+- **DedicatedSystemMemoryB** The amount of system memory dedicated for GPU use (in bytes).
+- **DedicatedVideoMemoryB** The amount of dedicated VRAM of the GPU (in bytes).
+- **DisplayAdapterLuid** The display adapter LUID.
+- **DriverDate** The date of the display driver.
+- **DriverRank** The rank of the display driver.
+- **DriverVersion** The display driver version.
+- **DX10UMDFilePath** The file path to the location of the DirectX 10 Display User Mode Driver in the Driver Store.
+- **DX11UMDFilePath** The file path to the location of the DirectX 11 Display User Mode Driver in the Driver Store.
+- **DX12UMDFilePath** The file path to the location of the DirectX 12 Display User Mode Driver in the Driver Store.
+- **DX9UMDFilePath** The file path to the location of the DirectX 9 Display User Mode Driver in the Driver Store.
+- **GPUDeviceID** The GPU device ID.
+- **GPUPreemptionLevel** The maximum preemption level supported by GPU for graphics payload.
+- **GPURevisionID** The GPU revision ID.
+- **GPUVendorID** The GPU vendor ID.
+- **InterfaceId** The GPU interface ID.
+- **IsDisplayDevice** Does the GPU have displaying capabilities?
+- **IsHybridDiscrete** Does the GPU have discrete GPU capabilities in a hybrid device?
+- **IsHybridIntegrated** Does the GPU have integrated GPU capabilities in a hybrid device?
+- **IsLDA** Is the GPU comprised of Linked Display Adapters?
+- **IsMiracastSupported** Does the GPU support Miracast?
+- **IsMismatchLDA** Is at least one device in the Linked Display Adapters chain from a different vendor?
+- **IsMPOSupported** Does the GPU support Multi-Plane Overlays?
+- **IsMsMiracastSupported** Are the GPU Miracast capabilities driven by a Microsoft solution?
+- **IsPostAdapter** Is this GPU the POST GPU in the device?
+- **IsRemovable** TRUE if the adapter supports being disabled or removed.
+- **IsRenderDevice** Does the GPU have rendering capabilities?
+- **IsSoftwareDevice** Is this a software implementation of the GPU?
+- **KMDFilePath** The file path to the location of the Display Kernel Mode Driver in the Driver Store.
+- **MeasureEnabled** Is the device listening to MICROSOFT_KEYWORD_MEASURES?
+- **NumVidPnSources** The number of supported display output sources.
+- **NumVidPnTargets** The number of supported display output targets.
+- **SharedSystemMemoryB** The amount of system memory shared by GPU and CPU (in bytes).
+- **SubSystemID** The subsystem ID.
+- **SubVendorID** The GPU sub vendor ID.
+- **TelemetryEnabled** Is the device listening to MICROSOFT_KEYWORD_TELEMETRY?
+- **TelInvEvntTrigger** What triggered this event to be logged? Example: 0 (GPU enumeration) or 1 (DxgKrnlTelemetry provider toggling)
+- **version** The event version.
+- **WDDMVersion** The Windows Display Driver Model version.
+
+
+## Fault Reporting events
+
+### Microsoft.Windows.FaultReporting.AppCrashEvent
+
+This event sends data about crashes for both native and managed applications, to help keep Windows up to date. The data includes information about the crashing process and a summary of its exception record. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the crash to the Watson service, and the WER event will contain the same ReportID (see field 14 of crash event, field 19 of WER event) as the crash event for the crash being reported. AppCrash is emitted once for each crash handled by WER (e.g. from an unhandled exception or FailFast or ReportException). Note that Generic Watson event types (e.g. from PLM) that may be considered crashes\" by a user DO NOT emit this event.
+
+The following fields are available:
+
+- **AppName** The name of the app that has crashed.
+- **AppSessionGuid** GUID made up of process ID and is used as a correlation vector for process instances in the telemetry backend.
+- **AppTimeStamp** The date/time stamp of the app.
+- **AppVersion** The version of the app that has crashed.
+- **ExceptionCode** The exception code returned by the process that has crashed.
+- **ExceptionOffset** The address where the exception had occurred.
+- **Flags** Flags indicating how reporting is done. For example, queue the report, do not offer JIT debugging, or do not terminate the process after reporting.
+- **FriendlyAppName** The description of the app that has crashed, if different from the AppName. Otherwise, the process name.
+- **IsCrashFatal** (Deprecated) True/False to indicate whether the crash resulted in process termination.
+- **IsFatal** True/False to indicate whether the crash resulted in process termination.
+- **ModName** Exception module name (e.g. bar.dll).
+- **ModTimeStamp** The date/time stamp of the module.
+- **ModVersion** The version of the module that has crashed.
+- **PackageFullName** Store application identity.
+- **PackageRelativeAppId** Store application identity.
+- **ProcessArchitecture** Architecture of the crashing process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64.
+- **ProcessCreateTime** The time of creation of the process that has crashed.
+- **ProcessId** The ID of the process that has crashed.
+- **ReportId** A GUID used to identify the report. This can used to track the report across Watson.
+- **TargetAppId** The kernel reported AppId of the application being reported.
+- **TargetAppVer** The specific version of the application being reported
+- **TargetAsId** The sequence number for the hanging process.
+
+
## Feature update events
### Microsoft.Windows.Upgrade.Uninstall.UninstallFailed
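Review bot: The AppCrashEvent description contains a stray escaped quote, "considered crashes\" by a user", with no opening quote; it should read "crashes" with balanced quotes and no backslash. The same paragraph points to "field 14 of crash event, field 19 of WER event", but the field list below is unnumbered and alphabetical, so those positions cannot be resolved from this page; refer to ReportId by name instead. In the field list, TargetAsId is described as "The sequence number for the hanging process" inside a crash event, which looks copied from the hang event; ReportId says "This can used" (missing "be"); TargetAppVer lacks a final period; and PackageFullName and PackageRelativeAppId share the identical description "Store application identity." The heading "DxgKernelTelemetry events" also does not match the provider name DxgKrnlTelemetry used by the event under it.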
@@ -2618,6 +2759,34 @@ This event sends basic metadata about the starting point of uninstalling a featu
+## Hang Reporting events
+
+### Microsoft.Windows.HangReporting.AppHangEvent
+
+This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events.
+
+The following fields are available:
+
+- **AppName** The name of the app that has hung.
+- **AppSessionGuid** GUID made up of process id used as a correlation vector for process instances in the telemetry backend.
+- **AppVersion** The version of the app that has hung.
+- **IsFatal** True/False based on whether the hung application caused the creation of a Fatal Hang Report.
+- **PackageFullName** Store application identity.
+- **PackageRelativeAppId** Store application identity.
+- **ProcessArchitecture** Architecture of the hung process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64.
+- **ProcessCreateTime** The time of creation of the process that has hung.
+- **ProcessId** The ID of the process that has hung.
+- **ReportId** A GUID used to identify the report. This can used to track the report across Watson.
+- **TargetAppId** The kernel reported AppId of the application being reported.
+- **TargetAppVer** The specific version of the application being reported.
+- **TargetAsId** The sequence number for the hanging process.
+- **TypeCode** Bitmap describing the hang type.
+- **WaitingOnAppName** If this is a cross process hang waiting for an application, this has the name of the application.
+- **WaitingOnAppVersion** If this is a cross process hang, this has the version of the application for which it is waiting.
+- **WaitingOnPackageFullName** If this is a cross process hang waiting for a package, this has the full name of the package for which it is waiting.
+- **WaitingOnPackageRelativeAppId** If this is a cross process hang waiting for a package, this has the relative application id of the package.
+
+
## Inventory events
### Microsoft.Windows.Inventory.Core.AmiTelCacheChecksum
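Review bot: ReportId in the AppHangEvent field list says "This can used to track the report across Watson"; it is missing "be". As with the crash event, the description cites "field 13 of hang event, field 19 of WER event" although the list is unnumbered, so name the ReportId field instead. AppSessionGuid and WaitingOnPackageRelativeAppId write "process id" and "application id" in lower case while ProcessId's own description uses "ID"; make the casing consistent. TypeCode ("Bitmap describing the hang type.") gives no bit meanings, which leaves the field undocumented in practice.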
@@ -2693,6 +2862,18 @@ The following fields are available:
- **Version** The version number of the program.
+### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverAdd
+
+This event represents what drivers an application installs.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory component.
+- **ProgramIds** The unique program identifier the driver is associated with.
+
+
### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkAdd
This event provides the basic metadata about the frameworks an application may depend on.
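Review bot: ProgramIds in the InventoryApplicationDriverAdd field list is plural but is described as "The unique program identifier the driver is associated with"; say whether the field carries one identifier or a list. The event description ("This event represents what drivers an application installs.") would read more clearly as "This event lists the drivers that an application installs."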
@@ -2839,6 +3020,17 @@ The following fields are available:
- **InventoryVersion** The version of the inventory file generating the events.
+### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassRemove
+
+This event indicates that the InventoryDeviceMediaClassRemove object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassStartSync
This event indicates that a new set of InventoryDeviceMediaClassSAdd events will be sent.
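Review bot: The added InventoryDeviceMediaClassRemove description says "the InventoryDeviceMediaClassRemove object is no longer present", which names the event rather than the object. The other Remove events in this file name the underlying object ("the InventoryUplevelDriverPackage object", "the SystemWlan object"), so this should read "the InventoryDeviceMediaClass object is no longer present".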
@@ -2873,7 +3065,7 @@ The following fields are available:
- **Enumerator** The date of the driver loaded for the device.
- **HWID** The version of the driver loaded for the device.
- **Inf** The bus that enumerated the device.
-- **InstallState** The device installation state. One of these values: https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx
+- **InstallState** The device installation state. One of these values: https://msdn.microsoft.com/en-us/library/windows/hardware/ff543130.aspx
- **InventoryVersion** List of hardware ids for the device.
- **LowerClassFilters** Lower filter class drivers IDs installed for the device
- **LowerFilters** Lower filter drivers IDs installed for the device
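Review bot: The InstallState link now hardcodes the en-us locale (".../en-us/library/windows/hardware/ff543130.aspx"), which pins readers of localized versions of this page to the English reference. Keep the locale-neutral URL from the removed line unless there is a reason to force English, and consider making it a named Markdown link rather than a bare URL.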
@@ -3438,6 +3630,557 @@ The following fields are available:
- **UptimeDeltaMS** Total time (in milliseconds) added to Uptime since the last event
+## OneDrive events
+
+### Microsoft.OneDrive.Sync.Setup.APIOperation
+
+This event includes basic data about install and uninstall OneDrive API operations.
+
+The following fields are available:
+
+- **APIName** The name of the API.
+- **Duration** How long the operation took.
+- **IsSuccess** Was the operation successful?
+- **ResultCode** The result code.
+- **ScenarioName** The name of the scenario.
+
+
+### Microsoft.OneDrive.Sync.Setup.EndExperience
+
+This event includes a success or failure summary of the installation.
+
+The following fields are available:
+
+- **APIName** The name of the API.
+- **HResult** HResult of the operation
+- **IsSuccess** Whether the operation is successful or not
+- **ScenarioName** The name of the scenario.
+
+
+### Microsoft.OneDrive.Sync.Setup.OSUpgradeInstallationOperation
+
+This event is related to the OS version when the OS is upgraded with OneDrive installed.
+
+The following fields are available:
+
+- **CurrentOneDriveVersion** The current version of OneDrive.
+- **CurrentOSBuildBranch** The current branch of the operating system.
+- **CurrentOSBuildNumber** The current build number of the operating system.
+- **CurrentOSVersion** The current version of the operating system.
+- **HResult** The HResult of the operation.
+- **SourceOSBuildBranch** The source branch of the operating system.
+- **SourceOSBuildNumber** The source build number of the operating system.
+- **SourceOSVersion** The source version of the operating system.
+
+
+### Microsoft.OneDrive.Sync.Setup.RegisterStandaloneUpdaterAPIOperation
+
+This event is related to registering or unregistering the OneDrive update task.
+
+The following fields are available:
+
+- **APIName** The name of the API.
+- **IsSuccess** Was the operation successful?
+- **RegisterNewTaskResult** The HResult of the RegisterNewTask operation.
+- **ScenarioName** The name of the scenario.
+- **UnregisterOldTaskResult** The HResult of the UnregisterOldTask operation.
+
+
+### Microsoft.OneDrive.Sync.Updater.ComponentInstallState
+
+This event includes basic data about the installation state of dependent OneDrive components.
+
+The following fields are available:
+
+- **ComponentName** The name of the dependent component.
+- **isInstalled** Is the dependent component installed?
+
+
+### Microsoft.OneDrive.Sync.Updater.OverlayIconStatus
+
+This event indicates if the OneDrive overlay icon is working correctly. 0 = healthy; 1 = can be fixed; 2 = broken
+
+The following fields are available:
+
+- **32bit** The status of the OneDrive overlay icon on a 32-bit operating system.
+- **64bit** The status of the OneDrive overlay icon on a 64-bit operating system.
+
+
+### Microsoft.OneDrive.Sync.Updater.UpdateOverallResult
+
+This event sends information describing the result of the update.
+
+The following fields are available:
+
+- **hr** The HResult of the operation.
+- **IsLoggingEnabled** Indicates whether logging is enabled for the updater.
+- **UpdaterVersion** The version of the updater.
+
+
+### Microsoft.OneDrive.Sync.Updater.UpdateXmlDownloadHResult
+
+This event determines the status when downloading the OneDrive update configuration file.
+
+The following fields are available:
+
+- **hr** The HResult of the operation.
+
+
+### Microsoft.OneDrive.Sync.Updater.WebConnectionStatus
+
+This event determines the error code that was returned when verifying Internet connectivity.
+
+The following fields are available:
+
+- **winInetError** The HResult of the operation.
+
+
+## Other events
+
+### CbsServicingProvider.CbsCapabilityEnumeration
+
+This event reports on the results of scanning for optional Windows content on Windows Update.
+
+The following fields are available:
+
+- **architecture** Indicates the scan was limited to the specified architecture.
+- **capabilityCount** The number of optional content packages found during the scan.
+- **clientId** The name of the application requesting the optional content.
+- **duration** The amount of time it took to complete the scan.
+- **hrStatus** The HReturn code of the scan.
+- **language** Indicates the scan was limited to the specified language.
+- **majorVersion** Indicates the scan was limited to the specified major version.
+- **minorVersion** Indicates the scan was limited to the specified minor version.
+- **namespace** Indicates the scan was limited to packages in the specified namespace.
+- **sourceFilter** A bitmask indicating the scan checked for locally available optional content.
+- **stackBuild** The build number of the servicing stack.
+- **stackMajorVersion** The major version number of the servicing stack.
+- **stackMinorVersion** The minor version number of the servicing stack.
+- **stackRevision** The revision number of the servicing stack.
+
+
+### CbsServicingProvider.CbsCapabilitySessionFinalize
+
+This event provides information about the results of installing or uninstalling optional Windows content from Windows Update.
+
+The following fields are available:
+
+- **capabilities** The names of the optional content packages that were installed.
+- **clientId** The name of the application requesting the optional content.
+- **currentID** The ID of the current install session.
+- **highestState** The highest final install state of the optional content.
+- **hrStatus** The HReturn code of the install operation.
+- **rebootCount** The number of reboots required to complete the install.
+- **retryID** The session ID that will be used to retry a failed operation.
+- **retryStatus** Indicates whether the install will be retried in the event of failure.
+- **stackBuild** The build number of the servicing stack.
+- **stackMajorVersion** The major version number of the servicing stack.
+- **stackMinorVersion** The minor version number of the servicing stack.
+- **stackRevision** The revision number of the servicing stack.
+
+
+### CbsServicingProvider.CbsCapabilitySessionPended
+
+This event provides information about the results of installing optional Windows content that requires a reboot to keep Windows up to date.
+
+The following fields are available:
+
+- **clientId** The name of the application requesting the optional content.
+- **pendingDecision** Indicates the cause of reboot, if applicable.
+
+
+### CbsServicingProvider.CbsPackageRemoval
+
+This event provides information about the results of uninstalling a Windows Cumulative Security Update to help keep Windows up to date.
+
+The following fields are available:
+
+- **buildVersion** The build number of the security update being uninstalled.
+- **clientId** The name of the application requesting the uninstall.
+- **currentStateEnd** The final state of the update after the operation.
+- **failureDetails** Information about the cause of a failure, if applicable.
+- **failureSourceEnd** The stage during the uninstall where the failure occurred.
+- **hrStatusEnd** The overall exit code of the operation.
+- **initiatedOffline** Indicates if the uninstall was initiated for a mounted Windows image.
+- **majorVersion** The major version number of the security update being uninstalled.
+- **minorVersion** The minor version number of the security update being uninstalled.
+- **originalState** The starting state of the update before the operation.
+- **pendingDecision** Indicates the cause of reboot, if applicable.
+- **primitiveExecutionContext** The state during system startup when the uninstall was completed.
+- **revisionVersion** The revision number of the security update being uninstalled.
+- **transactionCanceled** Indicates whether the uninstall was cancelled.
+
+
+### Microsoft.Windows.Remediation.Applicable
+
+This event indicates a remedial plug-in is applicable if/when such a plug-in is detected. This is used to ensure Windows is up to date.
+
+The following fields are available:
+
+- **ActionName** The name of the action to be taken by the plug-in.
+- **AppraiserBinariesValidResult** Indicates whether plug-in was appraised as valid.
+- **AppraiserDetectCondition** Indicates whether the plug-in passed the appraiser's check.
+- **AppraiserRegistryValidResult** Indicates whether the registry entry checks out as valid.
+- **AppraiserTaskDisabled** Indicates the appraiser task is disabled.
+- **AppraiserTaskValidFailed** Indicates the Appraiser task did not function and requires intervention.
+- **CV** Correlation vector
+- **DateTimeDifference** The difference between local and reference clock times.
+- **DateTimeSyncEnabled** Indicates whether the datetime sync plug-in is enabled.
+- **DaysSinceLastSIH** The number of days since the most recent SIH executed.
+- **DaysToNextSIH** The number of days until the next scheduled SIH execution.
+- **DetectedCondition** Indicates whether detect condition is true and the perform action will be run.
+- **EvalAndReportAppraiserBinariesFailed** Indicates the EvalAndReportAppraiserBinaries event failed.
+- **EvalAndReportAppraiserRegEntries** Indicates the EvalAndReportAppraiserRegEntriesFailed event failed.
+- **EvalAndReportAppraiserRegEntriesFailed** Indicates the EvalAndReportAppraiserRegEntriesFailed event failed.
+- **GlobalEventCounter** Client side counter that indicates ordering of events sent by the remediation system.
+- **HResult** The HRESULT for detection or perform action phases of the plugin.
+- **IsAppraiserLatestResult** The HRESULT from the appraiser task.
+- **IsConfigurationCorrected** Indicates whether the configuration of SIH task was successfully corrected.
+- **LastHresult** The HRESULT for detection or perform action phases of the plugin.
+- **LastRun** The date of the most recent SIH run.
+- **NextRun** Date of the next scheduled SIH run.
+- **PackageVersion** The version of the current remediation package.
+- **PluginName** Name of the plugin specified for each generic plugin event.
+- **Reload** True if SIH reload is required.
+- **RemediationNoisyHammerAcLineStatus** Event that indicates the AC Line Status of the machine.
+- **RemediationNoisyHammerAutoStartCount** The number of times hammer auto-started.
+- **RemediationNoisyHammerCalendarTaskEnabled** Event that indicates Update Assistant Calendar Task is enabled.
+- **RemediationNoisyHammerCalendarTaskExists** Event that indicates an Update Assistant Calendar Task exists.
+- **RemediationNoisyHammerCalendarTaskTriggerEnabledCount** Event that indicates calendar triggers are enabled in the task.
+- **RemediationNoisyHammerDaysSinceLastTaskRunTime** The number of days since the most recent hammer task ran.
+- **RemediationNoisyHammerGetCurrentSize** Size in MB of the $GetCurrent folder.
+- **RemediationNoisyHammerIsInstalled** TRUE if the noisy hammer is installed.
+- **RemediationNoisyHammerLastTaskRunResult** The result of the last hammer task run.
+- **RemediationNoisyHammerMeteredNetwork** TRUE if the machine is on a metered network.
+- **RemediationNoisyHammerTaskEnabled** Indicates whether the Update Assistant Task (Noisy Hammer) is enabled.
+- **RemediationNoisyHammerTaskExists** Indicates whether the Update Assistant Task (Noisy Hammer) exists.
+- **RemediationNoisyHammerTaskTriggerEnabledCount** Indicates whether counting is enabled for the Update Assistant (Noisy Hammer) task trigger.
+- **RemediationNoisyHammerUAExitCode** The exit code of the Update Assistant (Noisy Hammer) task.
+- **RemediationNoisyHammerUAExitState** The code for the exit state of the Update Assistant (Noisy Hammer) task.
+- **RemediationNoisyHammerUserLoggedIn** TRUE if there is a user logged in.
+- **RemediationNoisyHammerUserLoggedInAdmin** TRUE if there is the user currently logged in is an Admin.
+- **RemediationShellDeviceManaged** TRUE if the device is WSUS managed or Windows Updated disabled.
+- **RemediationShellDeviceNewOS** TRUE if the device has a recently installed OS.
+- **RemediationShellDeviceSccm** TRUE if the device is managed by SCCM (Microsoft System Center Configuration Manager).
+- **RemediationShellDeviceZeroExhaust** TRUE if the device has opted out of Windows Updates completely.
+- **RemediationTargetMachine** Indicates whether the device is a target of the specified fix.
+- **RemediationTaskHealthAutochkProxy** True/False based on the health of the AutochkProxy task.
+- **RemediationTaskHealthChkdskProactiveScan** True/False based on the health of the Check Disk task.
+- **RemediationTaskHealthDiskCleanup_SilentCleanup** True/False based on the health of the Disk Cleanup task.
+- **RemediationTaskHealthMaintenance_WinSAT** True/False based on the health of the Health Maintenance task.
+- **RemediationTaskHealthServicing_ComponentCleanupTask** True/False based on the health of the Health Servicing Component task.
+- **RemediationTaskHealthUSO_ScheduleScanTask** True/False based on the health of the USO (Update Session Orchestrator) Schedule task.
+- **RemediationTaskHealthWindowsUpdate_ScheduledStartTask** True/False based on the health of the Windows Update Scheduled Start task.
+- **RemediationTaskHealthWindowsUpdate_SihbootTask** True/False based on the health of the Sihboot task.
+- **RemediationUHServiceBitsServiceEnabled** Indicates whether BITS service is enabled.
+- **RemediationUHServiceDeviceInstallEnabled** Indicates whether Device Install service is enabled.
+- **RemediationUHServiceDoSvcServiceEnabled** Indicates whether DO service is enabled.
+- **RemediationUHServiceDsmsvcEnabled** Indicates whether DSMSVC service is enabled.
+- **RemediationUHServiceLicensemanagerEnabled** Indicates whether License Manager service is enabled.
+- **RemediationUHServiceMpssvcEnabled** Indicates whether MPSSVC service is enabled.
+- **RemediationUHServiceTokenBrokerEnabled** Indicates whether Token Broker service is enabled.
+- **RemediationUHServiceTrustedInstallerServiceEnabled** Indicates whether Trusted Installer service is enabled.
+- **RemediationUHServiceUsoServiceEnabled** Indicates whether USO (Update Session Orchestrator) service is enabled.
+- **RemediationUHServicew32timeServiceEnabled** Indicates whether W32 Time service is enabled.
+- **RemediationUHServiceWecsvcEnabled** Indicates whether WECSVC service is enabled.
+- **RemediationUHServiceWinmgmtEnabled** Indicates whether WMI service is enabled.
+- **RemediationUHServiceWpnServiceEnabled** Indicates whether WPN service is enabled.
+- **RemediationUHServiceWuauservServiceEnabled** Indicates whether WUAUSERV service is enabled.
+- **Result** This is the HRESULT for Detection or Perform Action phases of the plugin.
+- **RunAppraiserFailed** Indicates RunAppraiser failed to run correctly.
+- **RunTask** TRUE if SIH task should be run by the plug-in.
+- **TimeServiceNTPServer** The URL for the NTP time server used by device.
+- **TimeServiceStartType** The startup type for the NTP time service.
+- **TimeServiceSyncDomainJoined** True if device domain joined and hence uses DC for clock.
+- **TimeServiceSyncType** Type of sync behavior for Date & Time service on device.
+
+
+### Microsoft.Windows.Remediation.ChangePowerProfileDetection
+
+Indicates whether the remediation system can put in a request to defer a system-initiated sleep to enable installation of security or quality updates.
+
+The following fields are available:
+
+- **ActionName** A descriptive name for the plugin action
+- **CurrentPowerPlanGUID** The ID of the current power plan configured on the device
+- **CV** Correlation vector
+- **GlobalEventCounter** Counter that indicates the ordering of events on the device
+- **PackageVersion** Current package version of remediation service
+- **RemediationBatteryPowerBatteryLevel** Integer between 0 and 100 indicating % battery power remaining (if not on battery, expect 0)
+- **RemediationFUInProcess** Result that shows whether the device is currently installing a feature update
+- **RemediationFURebootRequred** Indicates that a feature update reboot required was detected so the plugin will exit.
+- **RemediationScanInProcess** Result that shows whether the device is currently scanning for updates
+- **RemediationTargetMachine** Result that shows whether this device is a candidate for remediation(s) that will fix update issues
+- **SetupMutexAvailable** Result that shows whether setup mutex is available or not
+- **SysPowerStatusAC** Result that shows whether system is on AC power or not
+
+
+### Microsoft.Windows.Remediation.Completed
+
+This event enables completion tracking of a process that remediates issues preventing security and quality updates.
+
+The following fields are available:
+
+- **ActionName** Name of the action to be completed by the plug-in.
+- **AppraiserTaskCreationFailed** TRUE if the appraiser task creation failed to complete successfully.
+- **AppraiserTaskDeleteFailed** TRUE if deletion of appraiser task failed to complete successfully.
+- **AppraiserTaskExistFailed** TRUE if detection of the appraiser task failed to complete successfully.
+- **AppraiserTaskLoadXmlFailed** TRUE if the Appraiser XML Loader failed to complete successfully.
+- **AppraiserTaskMissing** TRUE if the Appraiser task is missing.
+- **AppraiserTaskTimeTriggerUpdateFailedId** TRUE if the Appraiser Task Time Trigger failed to update successfully.
+- **AppraiserTaskValidateTaskXmlFailed** TRUE if the Appraiser Task XML failed to complete successfully.
+- **branchReadinessLevel** Branch readiness level policy.
+- **cloudControlState** Value indicating whether the shell is enabled on the cloud control settings.
+- **CrossedDiskSpaceThreshold** Indicates if cleanup resulted in hard drive usage threshold required for feature update to be exceeded.
+- **CV** The Correlation Vector.
+- **DateTimeDifference** The difference between the local and reference clocks.
+- **DaysSinceOsInstallation** The number of days since the installation of the Operating System.
+- **DiskMbCleaned** The amount of space cleaned on the hard disk, measured in Megabytes.
+- **DiskMbFreeAfterCleanup** The amount of free hard disk space after cleanup, measured in Megabytes.
+- **DiskMbFreeBeforeCleanup** The amount of free hard disk space before cleanup, measured in Megabytes.
+- **ForcedAppraiserTaskTriggered** TRUE if Appraiser task ran from the plug-in.
+- **GlobalEventCounter** Client-side counter that indicates ordering of events sent by the active user.
+- **HandlerCleanupFreeDiskInMegabytes** The amount of hard disk space cleaned by the storage sense handlers, measured in Megabytes.
+- **hasRolledBack** Indicates whether the client machine has rolled back.
+- **hasUninstalled** Indicates whether the client machine has uninstalled a later version of the OS.
+- **hResult** The result of the event execution.
+- **HResult** The result of the event execution.
+- **installDate** The value of installDate registry key. Indicates the install date.
+- **isNetworkMetered** Indicates whether the client machine has uninstalled a later version of the OS.
+- **LatestState** The final state of the plug-in component.
+- **MicrosoftCompatibilityAppraiser** The name of the component targeted by the Appraiser plug-in.
+- **PackageVersion** The package version for the current Remediation.
+- **PageFileCount** The number of Windows Page files.
+- **PageFileCurrentSize** The size of the Windows Page file, measured in Megabytes.
+- **PageFileLocation** The storage location (directory path) of the Windows Page file.
+- **PageFilePeakSize** The maximum amount of hard disk space used by the Windows Page file, measured in Megabytes.
+- **PluginName** The name of the plug-in specified for each generic plug-in event.
+- **RanCleanup** TRUE if the plug-in ran disk cleanup.
+- **RemediationBatteryPowerBatteryLevel** Indicates the battery level at which it is acceptable to continue operation.
+- **RemediationBatteryPowerExitDueToLowBattery** True when we exit due to low battery power.
+- **RemediationBatteryPowerOnBattery** True if we allow execution on battery.
+- **RemediationConfigurationTroubleshooterExecuted** True/False based on whether the Remediation Configuration Troubleshooter executed successfully.
+- **RemediationConfigurationTroubleshooterIpconfigFix** TRUE if IPConfig Fix completed successfully.
+- **RemediationConfigurationTroubleshooterNetShFix** TRUE if network card cache reset ran successfully.
+- **RemediationDiskCleanSizeBtWindowsFolderInMegabytes** The size of the Windows BT folder (used to store Windows upgrade files), measured in Megabytes.
+- **RemediationDiskCleanupBTFolderEsdSizeInMB** The size of the Windows BT folder (used to store Windows upgrade files) ESD (Electronic Software Delivery), measured in Megabytes.
+- **RemediationDiskCleanupGetCurrentEsdSizeInMB** The size of any existing ESD (Electronic Software Delivery) folder, measured in Megabytes.
+- **RemediationDiskCleanupSearchFileSizeInMegabytes** The size of the Cleanup Search index file, measured in Megabytes.
+- **RemediationDiskCleanupUpdateAssistantSizeInMB** The size of the Update Assistant folder, measured in Megabytes.
+- **RemediationDoorstopChangeSucceeded** TRUE if Doorstop registry key was successfully modified.
+- **RemediationDoorstopExists** TRUE if there is a One Settings Doorstop value.
+- **RemediationDoorstopRegkeyError** TRUE if an error occurred accessing the Doorstop registry key.
+- **RemediationDRFKeyDeleteSucceeded** TRUE if the RecoveredFrom (Doorstop) registry key was successfully deleted.
+- **RemediationDUABuildNumber** The build number of the DUA.
+- **RemediationDUAKeyDeleteSucceeded** TRUE if the UninstallActive registry key was successfully deleted.
+- **RemediationDuplicateTokenSucceeded** TRUE if the user token was successfully duplicated.
+- **remediationExecution** Remediation shell is in "applying remediation" state.
+- **RemediationHibernationMigrated** TRUE if hibernation was migrated.
+- **RemediationHibernationMigrationSucceeded** TRUE if hibernation migration succeeded.
+- **RemediationImpersonateUserSucceeded** TRUE if the user was successfully impersonated.
+- **RemediationNoisyHammerTaskKickOffIsSuccess** TRUE if the NoisyHammer task started successfully.
+- **RemediationQueryTokenSucceeded** TRUE if the user token was successfully queried.
+- **RemediationRanHibernation** TRUE if the system entered Hibernation.
+- **RemediationRevertToSystemSucceeded** TRUE if reversion to the system context succeeded.
+- **RemediationShellHasUpgraded** TRUE if the device upgraded.
+- **RemediationShellMinimumTimeBetweenShellRuns** Indicates the time between shell runs exceeded the minimum required to execute plugins.
+- **RemediationShellRunFromService** TRUE if the shell driver was run from the service.
+- **RemediationShellSessionIdentifier** Unique identifier tracking a shell session.
+- **RemediationShellSessionTimeInSeconds** Indicates the time the shell session took in seconds.
+- **RemediationShellTaskDeleted** Indicates that the shell task has been deleted so no additional sediment pack runs occur for this installation.
+- **RemediationUpdateServiceHealthRemediationResult** The result of the Update Service Health plug-in.
+- **RemediationUpdateTaskHealthRemediationResult** The result of the Update Task Health plug-in.
+- **RemediationUpdateTaskHealthTaskList** A list of tasks fixed by the Update Task Health plug-in.
+- **RemediationWindowsLogSpaceFound** The size of the Windows log files found, measured in Megabytes.
+- **RemediationWindowsLogSpaceFreed** The amount of disk space freed by deleting the Windows log files, measured in Megabytes.
+- **RemediationWindowsSecondaryDriveFreeSpace** The amount of free space on the secondary drive, measured in Megabytes.
+- **RemediationWindowsSecondaryDriveLetter** The letter designation of the first secondary drive with a total capacity of 10GB or more.
+- **RemediationWindowsSecondaryDriveTotalSpace** The total storage capacity of the secondary drive, measured in Megabytes.
+- **RemediationWindowsTotalSystemDiskSize** The total storage capacity of the System Disk Drive, measured in Megabytes.
+- **Result** The HRESULT for Detection or Perform Action phases of the plug-in.
+- **RunResult** The HRESULT for Detection or Perform Action phases of the plug-in.
+- **ServiceHealthPlugin** The nae of the Service Health plug-in.
+- **StartComponentCleanupTask** TRUE if the Component Cleanup task started successfully.
+- **systemDriveFreeDiskSpace** Indicates the free disk space on system drive in MBs.
+- **systemUptimeInHours** Indicates the amount of time the system in hours has been on since the last boot.
+- **TotalSizeofOrphanedInstallerFilesInMegabytes** The size of any orphaned Windows Installer files, measured in Megabytes.
+- **TotalSizeofStoreCacheAfterCleanupInMegabytes** The size of the Windows Store cache after cleanup, measured in Megabytes.
+- **TotalSizeofStoreCacheBeforeCleanupInMegabytes** The size of the Windows Store cache (prior to cleanup), measured in Megabytes.
+- **uninstallActive** TRUE if previous uninstall has occurred for current OS
+- **usoScanDaysSinceLastScan** The number of days since the last USO (Update Session Orchestrator) scan.
+- **usoScanInProgress** TRUE if a USO (Update Session Orchestrator) scan is in progress, to prevent multiple simultaneous scans.
+- **usoScanIsAllowAutoUpdateKeyPresent** TRUE if the AllowAutoUpdate registry key is set.
+- **usoScanIsAllowAutoUpdateProviderSetKeyPresent** TRUE if AllowAutoUpdateProviderSet registry key is set.
+- **usoScanIsAuOptionsPresent** TRUE if Auto Update Options registry key is set.
+- **usoScanIsFeatureUpdateInProgress** TRUE if a USO (Update Session Orchestrator) scan is in progress, to prevent multiple simultaneous scans.
+- **usoScanIsNetworkMetered** TRUE if the device is currently connected to a metered network.
+- **usoScanIsNoAutoUpdateKeyPresent** TRUE if no Auto Update registry key is set/present.
+- **usoScanIsUserLoggedOn** TRUE if the user is logged on.
+- **usoScanPastThreshold** TRUE if the most recent USO (Update Session Orchestrator) scan is past the threshold (late).
+- **usoScanType** The type of USO (Update Session Orchestrator) scan: "Interactive" or "Background".
+- **windows10UpgraderBlockWuUpdates** Event to report the value of Windows 10 Upgrader BlockWuUpdates Key.
+- **windowsEditionId** Event to report the value of Windows Edition ID.
+- **WindowsHyberFilSysSizeInMegabytes** The size of the Windows Hibernation file, measured in Megabytes.
+- **WindowsInstallerFolderSizeInMegabytes** The size of the Windows Installer folder, measured in Megabytes.
+- **WindowsOldFolderSizeInMegabytes** The size of the Windows.OLD folder, measured in Megabytes.
+- **WindowsOldSpaceCleanedInMB** The amount of disk space freed by removing the Windows.OLD folder, measured in Megabytes.
+- **WindowsPageFileSysSizeInMegabytes** The size of the Windows Page file, measured in Megabytes.
+- **WindowsSoftwareDistributionFolderSizeInMegabytes** The size of the SoftwareDistribution folder, measured in Megabytes.
+- **WindowsSwapFileSysSizeInMegabytes** The size of the Windows Swap file, measured in Megabytes.
+- **WindowsSxsFolderSizeInMegabytes** The size of the WinSxS (Windows Side-by-Side) folder, measured in Megabytes.
+- **WindowsSxsTempFolderSizeInMegabytes** The size of the WinSxS (Windows Side-by-Side) Temp folder, measured in Megabytes.
+- **windowsUpgradeRecoveredFromRs4** Event to report the value of the Windows Upgrade Recovered key.
+
+
+### Microsoft.Windows.Remediation.RemediationShellMainExeEventId
+
+Enables tracking of completion of process that remediates issues preventing security and quality updates.
+
+The following fields are available:
+
+- **CV** Client side counter which indicates ordering of events sent by the remediation system.
+- **GlobalEventCounter** Client side counter which indicates ordering of events sent by the remediation system.
+- **PackageVersion** Current package version of Remediation.
+- **RemediationShellCanAcquireSedimentMutex** True if the remediation was able to acquire the sediment mutex. False if it is already running.
+- **RemediationShellExecuteShellResult** Indicates if the remediation system completed without errors.
+- **RemediationShellFoundDriverDll** Result whether the remediation system found its component files to run properly.
+- **RemediationShellLoadedShellDriver** Result whether the remediation system loaded its component files to run properly.
+- **RemediationShellLoadedShellFunction** Result whether the remediation system loaded the functions from its component files to run properly.
+
+
+### Microsoft.Windows.Remediation.Started
+
+This event reports whether a plug-in started, to help ensure Windows is up to date.
+
+The following fields are available:
+
+- **CV** Correlation vector.
+- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
+- **PackageVersion** Current package version of Remediation.
+- **PluginName** Name of the plugin specified for each generic plugin event.
+- **Result** This is the HRESULT for detection or perform action phases of the plugin.
+
+
+### Microsoft.Windows.SedimentLauncher.Applicable
+
+Indicates whether a given plugin is applicable.
+
+The following fields are available:
+
+- **CV** Correlation vector.
+- **DetectedCondition** Boolean true if detect condition is true and perform action will be run.
+- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
+- **IsSelfUpdateEnabledInOneSettings** True if self update enabled in Settings.
+- **IsSelfUpdateNeeded** True if self update needed by device.
+- **PackageVersion** Current package version of Remediation.
+- **PluginName** Name of the plugin specified for each generic plugin event.
+- **Result** This is the HRESULT for detection or perform action phases of the plugin.
+
+
+### Microsoft.Windows.SedimentLauncher.Completed
+
+Indicates whether a given plugin has completed its work.
+
+The following fields are available:
+
+- **CV** Correlation vector.
+- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
+- **PackageVersion** Current package version of Remediation.
+- **PluginName** Name of the plugin specified for each generic plugin event.
+- **Result** This is the HRESULT for detection or perform action phases of the plugin.
+- **SedLauncherExecutionResult** HRESULT for one execution of the Sediment Launcher.
+
+
+### Microsoft.Windows.SedimentLauncher.Started
+
+This event indicates that a given plug-in has started.
+
+The following fields are available:
+
+- **CV** Correlation vector.
+- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
+- **PackageVersion** Current package version of Remediation.
+- **PluginName** Name of the plugin specified for each generic plugin event.
+- **Result** This is the HRESULT for detection or perform action phases of the plugin.
+
+
+### Microsoft.Windows.SedimentService.Applicable
+
+This event indicates whether a given plug-in is applicable.
+
+The following fields are available:
+
+- **CV** Correlation vector.
+- **DetectedCondition** Determine whether action needs to run based on device properties.
+- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
+- **PackageVersion** Current package version of Remediation.
+- **PluginName** Name of the plugin.
+- **Result** This is the HRESULT for detection or perform action phases of the plugin.
+
+
+### Microsoft.Windows.SedimentService.Completed
+
+This event indicates whether a given plug-in has completed its work.
+
+The following fields are available:
+
+- **CV** Correlation vector.
+- **FailedReasons** List of reasons when the plugin action failed.
+- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
+- **PackageVersion** Current package version of Remediation.
+- **PluginName** Name of the plugin specified for each generic plugin event.
+- **Result** This is the HRESULT for detection or perform action phases of the plugin.
+- **SedimentServiceCheckTaskFunctional** True/False if scheduled task check succeeded.
+- **SedimentServiceCurrentBytes** Number of current private bytes of memory consumed by sedsvc.exe.
+- **SedimentServiceKillService** True/False if service is marked for kill (Shell.KillService).
+- **SedimentServiceMaximumBytes** Maximum bytes allowed for the service.
+- **SedimentServiceRetrievedKillService** True/False if result of One Settings check for kill succeeded - we only send back one of these indicators (not for each call).
+- **SedimentServiceStopping** True/False indicating whether the service is stopping.
+- **SedimentServiceTaskFunctional** True/False if scheduled task is functional. If task is not functional this indicates plugins will be run.
+- **SedimentServiceTotalIterations** Number of 5 second iterations service will wait before running again.
+
+
+### Microsoft.Windows.SedimentService.Started
+
+This event indicates a specified plug-in has started. This information helps ensure Windows is up to date.
+
+The following fields are available:
+
+- **CV** The Correlation Vector.
+- **GlobalEventCounter** The client-side counter that indicates ordering of events.
+- **PackageVersion** The version number of the current remediation package.
+- **PluginName** Name of the plugin specified for each generic plugin event.
+- **Result** This is the HRESULT for Detection or Perform Action phases of the plugin.
+
+
+### Microsoft.Xbox.XamTelemetry.AppActivationError
+
+This event indicates whether the system detected an activation error in the app.
+
+
+
+### Microsoft.Xbox.XamTelemetry.AppActivity
+
+This event is triggered whenever the current app state is changed by: launch, switch, terminate, snap, etc.
+
+The following fields are available:
+
+- **AppActionId** The ID of the application action.
+- **AppCurrentVisibilityState** The ID of the current application visibility state.
+- **AppId** The Xbox LIVE Title ID of the app.
+- **AppPackageFullName** The full name of the application package.
+- **AppPreviousVisibilityState** The ID of the previous application visibility state.
+- **AppSessionId** The application session ID.
+- **AppType** The type ID of the application (AppType_NotKnown, AppType_Era, AppType_Sra, AppType_Uwa).
+- **BCACode** The BCA (Burst Cutting Area) mark code of the optical disc used to launch the application.
+- **DurationMs** The amount of time (in milliseconds) since the last application state transition.
+- **IsTrialLicense** This boolean value is TRUE if the application is on a trial license.
+- **LicenseType** The type of licensed used to authorize the app (0 - Unknown, 1 - User, 2 - Subscription, 3 - Offline, 4 - Disc).
+- **LicenseXuid** If the license type is 1 (User), this field contains the XUID (Xbox User ID) of the registered owner of the license.
+- **ProductGuid** The Xbox product GUID (Globally-Unique ID) of the application.
+- **UserId** The XUID (Xbox User ID) of the current user.
+
+
## Privacy consent logging events
### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted
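Review bot: Several added field descriptions in this hunk appear to be copied from a neighbouring field and now describe the wrong data, which undermines a reference that readers use to judge what diagnostic data a device sends. `EvalAndReportAppraiserRegEntries` has the same text as `EvalAndReportAppraiserRegEntriesFailed` ("Indicates the EvalAndReportAppraiserRegEntriesFailed event failed."). Under Microsoft.Windows.Remediation.Completed, `isNetworkMetered` repeats the `hasUninstalled` description, and `usoScanIsFeatureUpdateInProgress` repeats the `usoScanInProgress` description. Under Microsoft.Windows.Remediation.RemediationShellMainExeEventId, `CV` is described as a client side ordering counter, the same text as `GlobalEventCounter`, while every other event in the hunk calls it the correlation vector. Please give each of these fields its own description. Also, `hResult` and `HResult` are both listed under Remediation.Completed with identical text, so confirm that both casings are really emitted. Microsoft.Xbox.XamTelemetry.AppActivationError is the only event added without a "The following fields are available" list, so either add the fields or state that it carries none. Smaller wording fixes: "The nae of the Service Health plug-in", "WSUS managed or Windows Updated disabled", and "TRUE if there is the user currently logged in is an Admin".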
@@ -3465,8 +4208,272 @@ The following fields are available:
- **userRegionCode** The current user's region setting
+## Remediation events
+
+### Microsoft.Windows.Remediation.Applicable
+
+This event sends simple device connectivity and configuration data about an application installed on the system that helps keep the Windows Update stack healthy.
+
+The following fields are available:
+
+- **ActionName** The name of the action to be taken by the plug-in.
+- **AppraiserBinariesValidResult** Indicates whether plug-in was appraised as valid.
+- **AppraiserDetectCondition** Indicates whether the plug-in passed the appraiser's check.
+- **AppraiserRegistryValidResult** Indicates whether the registry entry checks out as valid.
+- **AppraiserTaskDisabled** Indicates the appraiser task is disabled.
+- **AppraiserTaskValidFailed** Indicates the Appraiser task did not function and requires intervention.
+- **CV** Correlation vector
+- **DateTimeDifference** The difference between local and reference clock times.
+- **DateTimeSyncEnabled** Indicates whether the datetime sync plug-in is enabled.
+- **DaysSinceLastSIH** The number of days since the most recent SIH executed.
+- **DaysToNextSIH** The number of days until the next scheduled SIH execution.
+- **DetectedCondition** Indicates whether detect condition is true and the perform action will be run.
+- **EvalAndReportAppraiserBinariesFailed** Indicates the EvalAndReportAppraiserBinaries event failed.
+- **EvalAndReportAppraiserRegEntries** Indicates the EvalAndReportAppraiserRegEntriesFailed event failed.
+- **EvalAndReportAppraiserRegEntriesFailed** Indicates the EvalAndReportAppraiserRegEntriesFailed event failed.
+- **GlobalEventCounter** Client side counter that indicates ordering of events.
+- **HResult** The HRESULT for detection or perform action phases of the plugin.
+- **IsAppraiserLatestResult** The HRESULT from the appraiser task.
+- **IsConfigurationCorrected** Indicates whether the configuration of SIH task was successfully corrected.
+- **LastHresult** The HRESULT for detection or perform action phases of the plugin.
+- **LastRun** The date of the most recent SIH run.
+- **NextRun** Date of the next scheduled SIH run.
+- **PackageVersion** The version of the current remediation package.
+- **PluginName** Name of the plugin specified for each generic plugin event.
+- **Reload** True if SIH reload is required.
+- **RemediationNoisyHammerAcLineStatus** Event that indicates the AC Line Status of the machine.
+- **RemediationNoisyHammerAutoStartCount** The number of times hammer auto-started.
+- **RemediationNoisyHammerCalendarTaskEnabled** Event that indicates Update Assistant Calendar Task is enabled.
+- **RemediationNoisyHammerCalendarTaskExists** Event that indicates an Update Assistant Calendar Task exists.
+- **RemediationNoisyHammerCalendarTaskTriggerEnabledCount** Event that indicates calendar triggers are enabled in the task.
+- **RemediationNoisyHammerDaysSinceLastTaskRunTime** The number of days since the most recent hammer task ran.
+- **RemediationNoisyHammerGetCurrentSize** Size in MB of the $GetCurrent folder.
+- **RemediationNoisyHammerIsInstalled** TRUE if the noisy hammer is installed.
+- **RemediationNoisyHammerLastTaskRunResult** The result of the last hammer task run.
+- **RemediationNoisyHammerMeteredNetwork** TRUE if the machine is on a metered network.
+- **RemediationNoisyHammerTaskEnabled** Indicates whether the Update Assistant Task (Noisy Hammer) is enabled.
+- **RemediationNoisyHammerTaskExists** Indicates whether the Update Assistant Task (Noisy Hammer) exists.
+- **RemediationNoisyHammerTaskTriggerEnabledCount** Indicates whether counting is enabled for the Update Assistant (Noisy Hammer) task trigger.
+- **RemediationNoisyHammerUAExitCode** The exit code of the Update Assistant (Noisy Hammer) task.
+- **RemediationNoisyHammerUAExitState** The code for the exit state of the Update Assistant (Noisy Hammer) task.
+- **RemediationNoisyHammerUserLoggedIn** TRUE if there is a user logged in.
+- **RemediationNoisyHammerUserLoggedInAdmin** TRUE if there is the user currently logged in is an Admin.
+- **RemediationShellDeviceManaged** TRUE if the device is WSUS managed or Windows Updated disabled.
+- **RemediationShellDeviceNewOS** TRUE if the device has a recently installed OS.
+- **RemediationShellDeviceSccm** TRUE if the device is managed by SCCM (Microsoft System Center Configuration Manager).
+- **RemediationShellDeviceZeroExhaust** TRUE if the device has opted out of Windows Updates completely.
+- **RemediationTargetMachine** Indicates whether the device is a target of the specified fix.
+- **RemediationTaskHealthAutochkProxy** True/False based on the health of the AutochkProxy task.
+- **RemediationTaskHealthChkdskProactiveScan** True/False based on the health of the Check Disk task.
+- **RemediationTaskHealthDiskCleanup_SilentCleanup** True/False based on the health of the Disk Cleanup task.
+- **RemediationTaskHealthMaintenance_WinSAT** True/False based on the health of the Health Maintenance task.
+- **RemediationTaskHealthServicing_ComponentCleanupTask** True/False based on the health of the Health Servicing Component task.
+- **RemediationTaskHealthUSO_ScheduleScanTask** True/False based on the health of the USO (Update Session Orchestrator) Schedule task.
+- **RemediationTaskHealthWindowsUpdate_ScheduledStartTask** True/False based on the health of the Windows Update Scheduled Start task.
+- **RemediationTaskHealthWindowsUpdate_SihbootTask** True/False based on the health of the Sihboot task.
+- **RemediationUHServiceBitsServiceEnabled** Indicates whether BITS service is enabled.
+- **RemediationUHServiceDeviceInstallEnabled** Indicates whether Device Install service is enabled.
+- **RemediationUHServiceDoSvcServiceEnabled** Indicates whether DO service is enabled.
+- **RemediationUHServiceDsmsvcEnabled** Indicates whether DSMSVC service is enabled.
+- **RemediationUHServiceLicensemanagerEnabled** Indicates whether License Manager service is enabled.
+- **RemediationUHServiceMpssvcEnabled** Indicates whether MPSSVC service is enabled.
+- **RemediationUHServiceTokenBrokerEnabled** Indicates whether Token Broker service is enabled.
+- **RemediationUHServiceTrustedInstallerServiceEnabled** Indicates whether Trusted Installer service is enabled.
+- **RemediationUHServiceUsoServiceEnabled** Indicates whether USO (Update Session Orchestrator) service is enabled.
+- **RemediationUHServicew32timeServiceEnabled** Indicates whether W32 Time service is enabled.
+- **RemediationUHServiceWecsvcEnabled** Indicates whether WECSVC service is enabled.
+- **RemediationUHServiceWinmgmtEnabled** Indicates whether WMI service is enabled.
+- **RemediationUHServiceWpnServiceEnabled** Indicates whether WPN service is enabled.
+- **RemediationUHServiceWuauservServiceEnabled** Indicates whether WUAUSERV service is enabled.
+- **Result** This is the HRESULT for Detection or Perform Action phases of the plugin.
+- **RunAppraiserFailed** Indicates RunAppraiser failed to run correctly.
+- **RunTask** TRUE if SIH task should be run by the plug-in.
+- **TimeServiceNTPServer** The URL for the NTP time server used by device.
+- **TimeServiceStartType** The startup type for the NTP time service.
+- **TimeServiceSyncDomainJoined** True if device domain joined and hence uses DC for clock.
+- **TimeServiceSyncType** Type of sync behavior for Date & Time service on device.
+
+
+### Microsoft.Windows.Remediation.Completed
+
+This event sends simple device connectivity and configuration data about an application installed on the system that helps keep the Windows Update stack healthy.
+
+The following fields are available:
+
+- **ActionName** Name of the action to be completed by the plug-in.
+- **AppraiserTaskCreationFailed** TRUE if the appraiser task creation failed to complete successfully.
+- **AppraiserTaskDeleteFailed** TRUE if deletion of appraiser task failed to complete successfully.
+- **AppraiserTaskExistFailed** TRUE if detection of the appraiser task failed to complete successfully.
+- **AppraiserTaskLoadXmlFailed** TRUE if the Appraiser XML Loader failed to complete successfully.
+- **AppraiserTaskMissing** TRUE if the Appraiser task is missing.
+- **AppraiserTaskTimeTriggerUpdateFailedId** TRUE if the Appraiser Task Time Trigger failed to update successfully.
+- **AppraiserTaskValidateTaskXmlFailed** TRUE if the Appraiser Task XML failed to complete successfully.
+- **branchReadinessLevel** Branch readiness level policy.
+- **cloudControlState** Value indicating whether the shell is enabled on the cloud control settings.
+- **CrossedDiskSpaceThreshold** Indicates if cleanup resulted in hard drive usage threshold required for feature update to be exceeded.
+- **CV** The Correlation Vector.
+- **DateTimeDifference** The difference between the local and reference clocks.
+- **DaysSinceOsInstallation** The number of days since the installation of the Operating System.
+- **DiskMbCleaned** The amount of space cleaned on the hard disk, measured in Megabytes.
+- **DiskMbFreeAfterCleanup** The amount of free hard disk space after cleanup, measured in Megabytes.
+- **DiskMbFreeBeforeCleanup** The amount of free hard disk space before cleanup, measured in Megabytes.
+- **ForcedAppraiserTaskTriggered** TRUE if Appraiser task ran from the plug-in.
+- **GlobalEventCounter** Client-side counter that indicates ordering of events.
+- **HandlerCleanupFreeDiskInMegabytes** The amount of hard disk space cleaned by the storage sense handlers, measured in Megabytes.
+- **hasRolledBack** Indicates whether the client machine has rolled back.
+- **hasUninstalled** Indicates whether the client machine has uninstalled a later version of the OS.
+- **hResult** The result of the event execution.
+- **HResult** The result of the event execution.
+- **installDate** The value of installDate registry key. Indicates the install date.
+- **isNetworkMetered** Indicates whether the client machine has uninstalled a later version of the OS.
+- **LatestState** The final state of the plug-in component.
+- **MicrosoftCompatibilityAppraiser** The name of the component targeted by the Appraiser plug-in.
+- **PackageVersion** The package version for the current Remediation.
+- **PageFileCount** The number of Windows Page files.
+- **PageFileCurrentSize** The size of the Windows Page file, measured in Megabytes.
+- **PageFileLocation** The storage location (directory path) of the Windows Page file.
+- **PageFilePeakSize** The maximum amount of hard disk space used by the Windows Page file, measured in Megabytes.
+- **PluginName** The name of the plug-in specified for each generic plug-in event.
+- **RanCleanup** TRUE if the plug-in ran disk cleanup.
+- **RemediationBatteryPowerBatteryLevel** Indicates the battery level at which it is acceptable to continue operation.
+- **RemediationBatteryPowerExitDueToLowBattery** True when we exit due to low battery power.
+- **RemediationBatteryPowerOnBattery** True if we allow execution on battery.
+- **RemediationConfigurationTroubleshooterExecuted** True/False based on whether the Remediation Configuration Troubleshooter executed successfully.
+- **RemediationConfigurationTroubleshooterIpconfigFix** TRUE if IPConfig Fix completed successfully.
+- **RemediationConfigurationTroubleshooterNetShFix** TRUE if network card cache reset ran successfully.
+- **RemediationDiskCleanSizeBtWindowsFolderInMegabytes** The size of the Windows BT folder (used to store Windows upgrade files), measured in Megabytes.
+- **RemediationDiskCleanupBTFolderEsdSizeInMB** The size of the Windows BT folder (used to store Windows upgrade files) ESD (Electronic Software Delivery), measured in Megabytes.
+- **RemediationDiskCleanupGetCurrentEsdSizeInMB** The size of any existing ESD (Electronic Software Delivery) folder, measured in Megabytes.
+- **RemediationDiskCleanupSearchFileSizeInMegabytes** The size of the Cleanup Search index file, measured in Megabytes.
+- **RemediationDiskCleanupUpdateAssistantSizeInMB** The size of the Update Assistant folder, measured in Megabytes.
+- **RemediationDoorstopChangeSucceeded** TRUE if Doorstop registry key was successfully modified.
+- **RemediationDoorstopExists** TRUE if there is a One Settings Doorstop value.
+- **RemediationDoorstopRegkeyError** TRUE if an error occurred accessing the Doorstop registry key.
+- **RemediationDRFKeyDeleteSucceeded** TRUE if the RecoveredFrom (Doorstop) registry key was successfully deleted.
+- **RemediationDUABuildNumber** The build number of the DUA.
+- **RemediationDUAKeyDeleteSucceeded** TRUE if the UninstallActive registry key was successfully deleted.
+- **RemediationDuplicateTokenSucceeded** TRUE if the user token was successfully duplicated.
+- **remediationExecution** Remediation shell is in "applying remediation" state.
+- **RemediationHibernationMigrated** TRUE if hibernation was migrated.
+- **RemediationHibernationMigrationSucceeded** TRUE if hibernation migration succeeded.
+- **RemediationImpersonateUserSucceeded** TRUE if the user was successfully impersonated.
+- **RemediationNoisyHammerTaskKickOffIsSuccess** TRUE if the NoisyHammer task started successfully.
+- **RemediationQueryTokenSucceeded** TRUE if the user token was successfully queried.
+- **RemediationRanHibernation** TRUE if the system entered Hibernation.
+- **RemediationRevertToSystemSucceeded** TRUE if reversion to the system context succeeded.
+- **RemediationShellHasUpgraded** TRUE if the device upgraded.
+- **RemediationShellMinimumTimeBetweenShellRuns** Indicates the time between shell runs exceeded the minimum required to execute plugins.
+- **RemediationShellRunFromService** TRUE if the shell driver was run from the service.
+- **RemediationShellSessionIdentifier** Unique identifier tracking a shell session.
+- **RemediationShellSessionTimeInSeconds** Indicates the time the shell session took in seconds.
+- **RemediationShellTaskDeleted** Indicates that the shell task has been deleted so no additional sediment pack runs occur for this installation.
+- **RemediationUpdateServiceHealthRemediationResult** The result of the Update Service Health plug-in.
+- **RemediationUpdateTaskHealthRemediationResult** The result of the Update Task Health plug-in.
+- **RemediationUpdateTaskHealthTaskList** A list of tasks fixed by the Update Task Health plug-in.
+- **RemediationWindowsLogSpaceFound** The size of the Windows log files found, measured in Megabytes.
+- **RemediationWindowsLogSpaceFreed** The amount of disk space freed by deleting the Windows log files, measured in Megabytes.
+- **RemediationWindowsSecondaryDriveFreeSpace** The amount of free space on the secondary drive, measured in Megabytes.
+- **RemediationWindowsSecondaryDriveLetter** The letter designation of the first secondary drive with a total capacity of 10GB or more.
+- **RemediationWindowsSecondaryDriveTotalSpace** The total storage capacity of the secondary drive, measured in Megabytes.
+- **RemediationWindowsTotalSystemDiskSize** The total storage capacity of the System Disk Drive, measured in Megabytes.
+- **Result** The HRESULT for Detection or Perform Action phases of the plug-in.
+- **RunResult** The HRESULT for Detection or Perform Action phases of the plug-in.
+- **ServiceHealthPlugin** The nae of the Service Health plug-in.
+- **StartComponentCleanupTask** TRUE if the Component Cleanup task started successfully.
+- **systemDriveFreeDiskSpace** Indicates the free disk space on system drive in MBs.
+- **systemUptimeInHours** Indicates the amount of time the system in hours has been on since the last boot.
+- **TotalSizeofOrphanedInstallerFilesInMegabytes** The size of any orphaned Windows Installer files, measured in Megabytes.
+- **TotalSizeofStoreCacheAfterCleanupInMegabytes** The size of the Windows Store cache after cleanup, measured in Megabytes.
+- **TotalSizeofStoreCacheBeforeCleanupInMegabytes** The size of the Windows Store cache (prior to cleanup), measured in Megabytes.
+- **uninstallActive** TRUE if previous uninstall has occurred for current OS
+- **usoScanDaysSinceLastScan** The number of days since the last USO (Update Session Orchestrator) scan.
+- **usoScanInProgress** TRUE if a USO (Update Session Orchestrator) scan is in progress, to prevent multiple simultaneous scans.
+- **usoScanIsAllowAutoUpdateKeyPresent** TRUE if the AllowAutoUpdate registry key is set.
+- **usoScanIsAllowAutoUpdateProviderSetKeyPresent** TRUE if AllowAutoUpdateProviderSet registry key is set.
+- **usoScanIsAuOptionsPresent** TRUE if Auto Update Options registry key is set.
+- **usoScanIsFeatureUpdateInProgress** TRUE if a USO (Update Session Orchestrator) scan is in progress, to prevent multiple simultaneous scans.
+- **usoScanIsNetworkMetered** TRUE if the device is currently connected to a metered network.
+- **usoScanIsNoAutoUpdateKeyPresent** TRUE if no Auto Update registry key is set/present.
+- **usoScanIsUserLoggedOn** TRUE if the user is logged on.
+- **usoScanPastThreshold** TRUE if the most recent USO (Update Session Orchestrator) scan is past the threshold (late).
+- **usoScanType** The type of USO (Update Session Orchestrator) scan (Interactive or Background).
+- **windows10UpgraderBlockWuUpdates** Event to report the value of Windows 10 Upgrader BlockWuUpdates Key.
+- **windowsEditionId** Event to report the value of Windows Edition ID.
+- **WindowsHyberFilSysSizeInMegabytes** The size of the Windows Hibernation file, measured in Megabytes.
+- **WindowsInstallerFolderSizeInMegabytes** The size of the Windows Installer folder, measured in Megabytes.
+- **WindowsOldFolderSizeInMegabytes** The size of the Windows.OLD folder, measured in Megabytes.
+- **WindowsOldSpaceCleanedInMB** The amount of disk space freed by removing the Windows.OLD folder, measured in Megabytes.
+- **WindowsPageFileSysSizeInMegabytes** The size of the Windows Page file, measured in Megabytes.
+- **WindowsSoftwareDistributionFolderSizeInMegabytes** The size of the SoftwareDistribution folder, measured in Megabytes.
+- **WindowsSwapFileSysSizeInMegabytes** The size of the Windows Swap file, measured in Megabytes.
+- **WindowsSxsFolderSizeInMegabytes** The size of the WinSxS (Windows Side-by-Side) folder, measured in Megabytes.
+- **WindowsSxsTempFolderSizeInMegabytes** The size of the WinSxS (Windows Side-by-Side) Temp folder, measured in Megabytes.
+- **windowsUpgradeRecoveredFromRs4** Event to report the value of the Windows Upgrade Recovered key.
+
+
+### Microsoft.Windows.Remediation.Started
+
+This event sends simple device connectivity and configuration data about an application installed on the system that helps keep Windows up to date.
+
+The following fields are available:
+
+- **CV** Correlation vector.
+- **GlobalEventCounter** Client side counter which indicates ordering of events within Remediation application.
+- **PackageVersion** Current package version of Remediation application.
+- **PluginName** Name of the plugin specified for each generic plugin event.
+- **Result** This is the HRESULT for detection or perform action phases of the plugin.
+
+
## Sediment events
+### Microsoft.Windows.Sediment.Info.DetailedState
+
+This event is sent when detailed state information is needed from an update trial run.
+
+The following fields are available:
+
+- **Data** Data relevant to the state, such as what percent of disk space the directory takes up.
+- **Id** Identifies the trial being run, such as a disk related trial.
+- **ReleaseVer** The version of the component.
+- **State** The state of the reporting data from the trial, such as the top-level directory analysis.
+- **Time** The time the event was fired.
+
+
+### Microsoft.Windows.Sediment.Info.Error
+
+This event indicates an error in the updater payload. This information assists in keeping Windows up to date.
+
+
+
+### Microsoft.Windows.Sediment.OSRSS.CheckingOneSettings
+
+This event indicates the parameters that the Operating System Remediation System Service (OSRSS) uses for a secure ping to Microsoft to help ensure Windows is up to date.
+
+The following fields are available:
+
+- **CustomVer** The registry value for targeting.
+- **IsMetered** TRUE if the machine is on a metered network.
+- **LastVer** The version of the last successful run.
+- **ServiceVersionMajor** The Major version information of the component.
+- **ServiceVersionMinor** The Minor version information of the component.
+- **Time** The system time at which the event occurred.
+
+
+### Microsoft.Windows.Sediment.OSRSS.Error
+
+This event indicates an error occurred in the Operating System Remediation System Service (OSRSS). The information provided helps ensure future upgrade/update attempts are more successful.
+
+The following fields are available:
+
+- **FailureType** The type of error encountered.
+- **FileName** The code file in which the error occurred.
+- **HResult** The failure error code.
+- **LineNumber** The line number in the code file at which the error occurred.
+- **ServiceVersionMajor** The Major version information of the component.
+- **ServiceVersionMinor** The Minor version information of the component.
+- **Time** The system time at which the event occurred.
+
+
### Microsoft.Windows.Sediment.OSRSS.UrlState
This event indicates the state the Operating System Remediation System Service (OSRSS) is in while attempting a download from the URL.
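Review bot: In the Microsoft.Windows.Remediation.Completed field list, **isNetworkMetered** carries the description of **hasUninstalled** ("Indicates whether the client machine has uninstalled a later version of the OS"), and **usoScanIsFeatureUpdateInProgress** repeats the text of **usoScanInProgress**. Both look like copy-paste errors and should describe their own field. In the same list, **hResult** and **HResult** are documented with identical text and no indication of how they differ, and "nae" in **ServiceHealthPlugin** should be "name". Microsoft.Windows.Sediment.Info.Error is added with a description but no field list.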
@@ -3481,8 +4488,116 @@ The following fields are available:
- **Time** System timestamp when the event was started.
+## Sediment Service events
+
+### Microsoft.Windows.SedimentService.Applicable
+
+This event sends simple device connectivity and configuration data about a service installed on the system that helps keep Windows up to date.
+
+The following fields are available:
+
+- **CV** Correlation vector.
+- **GlobalEventCounter** Client side counter which indicates ordering of events within Remediation application.
+- **PackageVersion** Current package version of Remediation application.
+- **PluginName** Name of the plugin specified for each generic plugin event.
+- **Result** This is the HRESULT for detection or perform action phases of the plugin.
+
+
+### Microsoft.Windows.SedimentService.Completed
+
+This event sends simple device connectivity and configuration data about a service installed on the system that helps keep Windows up to date.
+
+The following fields are available:
+
+- **CV** Correlation vector.
+- **GlobalEventCounter** Client side counter which indicates ordering of events within Remediation application.
+- **PackageVersion** Current package version of Remediation application.
+- **PluginName** Name of the plugin specified for each generic plugin event.
+- **Result** This is the HRESULT for detection or perform action phases of the plugin.
+
+
+### Microsoft.Windows.SedimentService.Started
+
+This event sends simple device connectivity and configuration data about a service installed on the system that helps keep Windows up to date.
+
+The following fields are available:
+
+- **CV** Correlation vector.
+- **GlobalEventCounter** Client side counter which indicates ordering of events within Remediation application.
+- **PackageVersion** Current package version of Remediation application.
+- **PluginName** Name of the plugin specified for each generic plugin event.
+- **Result** This is the HRESULT for detection or perform action phases of the plugin.
+
+
+## Sediment Launcher events
+
+### Microsoft.Windows.SedimentLauncher.Applicable
+
+This event sends simple device connectivity and configuration data about an application installed on the system that helps keep Windows up to date.
+
+The following fields are available:
+
+- **CV** Correlation vector.
+- **GlobalEventCounter** Client side counter which indicates ordering of events within Remediation application.
+- **PackageVersion** Current package version of Remediation application.
+- **PluginName** Name of the plugin specified for each generic plugin event.
+- **Result** This is the HRESULT for detection or perform action phases of the plugin.
+
+
+### Microsoft.Windows.SedimentLauncher.Completed
+
+This event sends simple device connectivity and configuration data about an application installed on the system that helps keep Windows up to date.
+
+The following fields are available:
+
+- **CV** Correlation vector.
+- **GlobalEventCounter** Client side counter which indicates ordering of events within Remediation application.
+- **PackageVersion** Current package version of Remediation application.
+- **PluginName** Name of the plugin specified for each generic plugin event.
+- **Result** This is the HRESULT for detection or perform action phases of the plugin.
+
+
+### Microsoft.Windows.SedimentLauncher.Started
+
+This event sends simple device connectivity and configuration data about an application installed on the system that helps keep Windows up to date.
+
+The following fields are available:
+
+- **CV** Correlation vector.
+- **GlobalEventCounter** Client side counter which indicates ordering of events within Remediation application.
+- **PackageVersion** Current package version of Remediation application.
+- **PluginName** Name of the plugin specified for each generic plugin event.
+- **Result** This is the HRESULT for detection or perform action phases of the plugin.
+
+
## Setup events
+### SetupPlatformTel.SetupPlatformTelActivityEvent
+
+This event sends basic metadata about the SetupPlatform update installation process, to help keep Windows up to date.
+
+The following fields are available:
+
+- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc.
+- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc.
+- **Value** Value associated with the corresponding event name. For example, time-related events will include the system time
+
+
+### SetupPlatformTel.SetupPlatformTelActivityStarted
+
+This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date.
+
+The following fields are available:
+
+- **Name** The name of the dynamic update type. Example: GDR driver
+
+
+### SetupPlatformTel.SetupPlatformTelActivityStopped
+
+This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date.
+
+
+
### SetupPlatformTel.SetupPlatformTelEvent
This service retrieves events generated by SetupPlatform, the engine that drives the various deployment scenarios.
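Review bot: The six added Microsoft.Windows.SedimentService.* and Microsoft.Windows.SedimentLauncher.* events share one description per group and an identical field list whose **GlobalEventCounter** and **PackageVersion** text refers to the "Remediation application", which reads as copied from Microsoft.Windows.Remediation.Started. Say what distinguishes Applicable, Started and Completed, and name the Sediment component in the field text. SetupPlatformTel.SetupPlatformTelActivityStopped is added with a description but no field list, and the **Value** line in SetupPlatformTelActivityEvent is missing its closing period.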
@@ -3961,14 +5076,31 @@ The following fields are available:
- **SignatureAlgorithm** Hash algorithm for the metadata signature
- **SLSPrograms** A test program a machine may be opted in. Examples include "Canary" and "Insider Fast".
- **StatusCode** Result code of the event (success, cancellation, failure code HResult)
-- **TimestampTokenCertThumbprint** The thumbprint of the encoded timestamp token.
+- **TimestampTokenCertThumbprint** Thumbprint of the encoded timestamp token.
- **TimestampTokenId** Created time encoded in the timestamp blob. This will be zeroed if the token is itself malformed and decoding failed.
- **UpdateId** Identifier associated with the specific piece of content
-- **ValidityWindowInDays** The validity window that's in effect when verifying the timestamp.
+- **ValidityWindowInDays** Validity window in effect when verifying the timestamp
## Update events
+### Update360Telemetry.Revert
+
+This event sends data relating to the Revert phase of updating Windows.
+
+The following fields are available:
+
+- **ErrorCode** The error code returned for the Revert phase.
+- **FlightId** Unique ID for the flight (test instance version).
+- **ObjectId** The unique value for each Update Agent mode.
+- **RebootRequired** Indicates reboot is required.
+- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan.
+- **Result** The HResult of the event.
+- **ScenarioId** The ID of the update scenario.
+- **SessionId** The ID of the update attempt.
+- **UpdateId** The ID of the update.
+
+
### Update360Telemetry.UpdateAgentCommit
This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop.
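Review bot: **RelatedCV** in Update360Telemetry.Revert expands USO as "Update Service Orchestrator", while the Remediation fields added earlier in this patch (for example **usoScanDaysSinceLastScan**) expand it as "Update Session Orchestrator"; pick one expansion and use it throughout. The rewording at the top of the hunk also leaves **TimestampTokenCertThumbprint** ending with a period and **ValidityWindowInDays** without one, so the two edited lines should be made to end the same way.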
@@ -4104,6 +5236,52 @@ The following fields are available:
- **UpdateId** Unique ID for each update.
+### Update360Telemetry.UpdateAgentMitigationResult
+
+This event sends data indicating the result of each update agent mitigation.
+
+The following fields are available:
+
+- **Applicable** Indicates whether the mitigation is applicable for the current update.
+- **CommandCount** The number of command operations in the mitigation entry.
+- **CustomCount** The number of custom operations in the mitigation entry.
+- **FileCount** The number of file operations in the mitigation entry.
+- **FlightId** Unique identifier for each flight.
+- **Index** The mitigation index of this particular mitigation.
+- **MitigationScenario** The update scenario in which the mitigation was executed.
+- **Name** The friendly name of the mitigation.
+- **ObjectId** Unique value for each Update Agent mode.
+- **OperationIndex** The mitigation operation index (in the event of a failure).
+- **OperationName** The friendly name of the mitigation operation (in the event of failure).
+- **RegistryCount** The number of registry operations in the mitigation entry.
+- **RelatedCV** The correlation vector value generated from the latest USO scan.
+- **Result** The HResult of this operation.
+- **ScenarioId** The update agent scenario ID.
+- **SessionId** Unique value for each update attempt.
+- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments).
+- **UpdateId** Unique ID for each Update.
+
+
+### Update360Telemetry.UpdateAgentMitigationSummary
+
+This event sends a summary of all the update agent mitigations available for an this update.
+
+The following fields are available:
+
+- **Applicable** The count of mitigations that were applicable to the system and scenario.
+- **Failed** The count of mitigations that failed.
+- **FlightId** Unique identifier for each flight.
+- **MitigationScenario** The update scenario in which the mitigations were attempted.
+- **ObjectId** The unique value for each Update Agent mode.
+- **RelatedCV** The correlation vector value generated from the latest USO scan.
+- **Result** The HResult of this operation.
+- **ScenarioId** The update agent scenario ID.
+- **SessionId** Unique value for each update attempt.
+- **TimeDiff** The amount of time spent performing all mitigations (in 100-nanosecond increments).
+- **Total** Total number of mitigations that were available.
+- **UpdateId** Unique ID for each update.
+
+
### Update360Telemetry.UpdateAgentModeStart
This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to both PCs and Mobile.
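Review bot: The description of Update360Telemetry.UpdateAgentMitigationSummary reads "available for an this update"; drop the stray "an". Across the two added events, **UpdateId** is "Unique ID for each Update." in the first list and "Unique ID for each update." in the second, so settle on one capitalization.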
@@ -4120,6 +5298,24 @@ The following fields are available:
- **Version** Version of update
+### Update360Telemetry.UpdateAgentOneSettings
+
+This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop.
+
+The following fields are available:
+
+- **Count** The count of applicable OneSettings for the device.
+- **FlightId** Unique ID for the flight (test instance version).
+- **ObjectId** The unique value for each Update Agent mode.
+- **Parameters** The set of name value pair parameters sent to OneSettings to determine if there are any applicable OneSettings.
+- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan.
+- **Result** The HResult of the event.
+- **ScenarioId** The ID of the update scenario.
+- **SessionId** The ID of the update attempt.
+- **UpdateId** The ID of the update.
+- **Values** The values sent back to the device, if applicable.
+
+
### Update360Telemetry.UpdateAgentPostRebootResult
This event collects information for both Mobile and Desktop regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario.
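Review bot: The description added for Update360Telemetry.UpdateAgentOneSettings talks about "the post reboot phase of the new UUP (Unified Update Platform) update scenario", which fits the UpdateAgentPostRebootResult event that follows rather than the OneSettings fields listed here (**Count**, **Parameters**, **Values**). Describe the OneSettings query instead, and replace the semicolon before "which is leveraged" with a comma.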
@@ -4136,6 +5332,12 @@ The following fields are available:
- **UpdateId** Unique ID for each update.
+### Update360Telemetry.UpdateAgentReboot
+
+This event sends information indicating that a request has been sent to suspend an update.
+
+
+
### Update360Telemetry.UpdateAgentSetupBoxLaunch
The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs.
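Review bot: Update360Telemetry.UpdateAgentReboot is described as "a request has been sent to suspend an update", which does not match the event name, and the section has no "The following fields are available" list. Confirm the description belongs to this event, and either add the fields or state that there are none.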
@@ -4185,7 +5387,7 @@ The following fields are available:
- **key19** UI interaction data
- **key2** Interaction data for the UI
- **key20** UI interaction data
-- **key21** Interaction data for the UI
+- **key21** UI interaction data
- **key22** UI interaction data
- **key23** UI interaction data
- **key24** UI interaction data
@@ -4197,10 +5399,10 @@ The following fields are available:
- **key3** Interaction data for the UI
- **key30** UI interaction data
- **key4** Interaction data for the UI
-- **key5** UI interaction data
-- **key6** UI interaction data
-- **key7** Interaction data for the UI
-- **key8** Interaction data for the UI
+- **key5** UI interaction type
+- **key6** Current package version of UNP
+- **key7** UI interaction type
+- **key8** UI interaction data
- **key9** UI interaction data
- **PackageVersion** Current package version of the update notification.
- **schema** UI interaction type.
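Review bot: **key6** is now documented as "Current package version of UNP", which overlaps the existing **PackageVersion** field ("Current package version of the update notification.") and uses UNP without expanding it. **key5** and **key7** likewise take on the wording of **schema** ("UI interaction type"). Explain how these keys differ from the named fields, or keep the generic description if they do not.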
@@ -4314,6 +5516,7 @@ The following fields are available:
- **DownloadRequestAttributes** The attributes we send to DCAT.
- **ResultCode** The result returned from the initialization of Facilitator with the URL/attributes.
- **Scenario** Dynamic Update scenario (Image DU, or Setup DU).
+- **Url** The Delivery Catalog (DCAT) URL we send the request to.
- **Version** Version of Facilitator.
@@ -4376,9 +5579,9 @@ The following fields are available:
- **Setup360Extended** Detailed information about the phase or action when the potential failure occurred.
- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
-- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
-- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
- **TestId** ID that uniquely identifies a group of events.
- **WuId** Windows Update client ID.
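Review bot: This hunk adds a trailing period to **Setup360Scenario** and removes one from **State** ("Example: succeeded, failed, blocked, cancelled"), so the list is no more consistent than before. End both lines the same way, matching the neighbouring entries that close with a period.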
@@ -4524,6 +5727,67 @@ The following fields are available:
- **TargetBuild** Build of the target OS.
+### Setup360Telemetry.Setup360MitigationResult
+
+This event sends data indicating the result of each setup mitigation.
+
+The following fields are available:
+
+- **Applicable** TRUE if the mitigation is applicable for the current update.
+- **ClientId** In the Windows Update scenario, this is the client ID passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **CommandCount** The number of command operations in the mitigation entry.
+- **CustomCount** The number of custom operations in the mitigation entry.
+- **FileCount** The number of file operations in the mitigation entry.
+- **FlightData** The unique identifier for each flight (test release).
+- **Index** The mitigation index of this particular mitigation.
+- **InstanceId** The GUID (Globally Unique ID) that identifies each instance of SetupHost.EXE.
+- **MitigationScenario** The update scenario in which the mitigation was executed.
+- **Name** The friendly (descriptive) name of the mitigation.
+- **OperationIndex** The mitigation operation index (in the event of a failure).
+- **OperationName** The friendly (descriptive) name of the mitigation operation (in the event of failure).
+- **RegistryCount** The number of registry operations in the mitigation entry.
+- **ReportId** In the Windows Update scenario, the Update ID that is passed to Setup. In media setup, this is the GUID for the INSTALL.WIM.
+- **Result** HResult of this operation.
+- **ScenarioId** Setup360 flow type.
+- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments).
+
+
+### Setup360Telemetry.Setup360MitigationSummary
+
+This event sends a summary of all the setup mitigations available for this update.
+
+The following fields are available:
+
+- **Applicable** The count of mitigations that were applicable to the system and scenario.
+- **ClientId** The Windows Update client ID passed to Setup.
+- **Failed** The count of mitigations that failed.
+- **FlightData** The unique identifier for each flight (test release).
+- **InstanceId** The GUID (Globally Unique ID) that identifies each instance of SetupHost.EXE.
+- **MitigationScenario** The update scenario in which the mitigations were attempted.
+- **ReportId** In the Windows Update scenario, the Update ID that is passed to Setup. In media setup, this is the GUID for the INSTALL.WIM.
+- **Result** HResult of this operation.
+- **ScenarioId** Setup360 flow type.
+- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments).
+- **Total** The total number of mitigations that were available.
+
+
+### Setup360Telemetry.Setup360OneSettings
+
+This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop.
+
+The following fields are available:
+
+- **ClientId** The Windows Update client ID passed to Setup.
+- **Count** The count of applicable OneSettings for the device.
+- **FlightData** The ID for the flight (test instance version).
+- **InstanceId** The GUID (Globally-Unique ID) that identifies each instance of setuphost.exe.
+- **Parameters** The set of name value pair parameters sent to OneSettings to determine if there are any applicable OneSettings.
+- **ReportId** The Update ID passed to Setup.
+- **Result** The HResult of the event error.
+- **ScenarioId** The update scenario ID.
+- **Values** Values sent back to the device, if applicable.
+
+
### Setup360Telemetry.UnexpectedEvent
This event sends data indicating that the device has invoked the unexpected event phase of the upgrade, to help keep Windows up to date.
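Review bot: The description of Setup360Telemetry.Setup360OneSettings reuses the sentence about "the post reboot phase of the new UUP (Unified Update Platform) update scenario" and says nothing about OneSettings, although the fields (**Count**, **Parameters**, **Values**) are all about the OneSettings query; rewrite it for this event. In Setup360MitigationSummary, **TimeDiff** says "performing the mitigation" where the Update360 summary event in this patch says "all mitigations", and **InstanceId** is spelled "SetupHost.EXE" in the two mitigation events but "setuphost.exe" in Setup360OneSettings.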
@@ -4570,6 +5834,26 @@ The following fields are available:
- **versionString** Version of the WaaSMedic engine.
+## Windows Error Reporting events
+
+### Microsoft.Windows.WERVertical.OSCrash
+
+This event sends binary data from the collected dump file wheneveer a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event.
+
+The following fields are available:
+
+- **BootId** Uint32 identifying the boot number for this device.
+- **BugCheckCode** Uint64 "bugcheck code" that identifies a proximate cause of the bug check.
+- **BugCheckParameter1** Uint64 parameter providing additional information.
+- **BugCheckParameter2** Uint64 parameter providing additional information.
+- **BugCheckParameter3** Uint64 parameter providing additional information.
+- **BugCheckParameter4** Uint64 parameter providing additional information.
+- **DumpFileAttributes** Codes that identify the type of data contained in the dump file
+- **DumpFileSize** Size of the dump file
+- **IsValidDumpFile** True if the dump file is valid for the debugger, false otherwise
+- **ReportId** WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson).
+
+
## Windows Error Reporting MTT events
### Microsoft.Windows.WER.MTT.Denominator
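Review bot: the OSCrash summary has two typos, "wheneveer" and "The is the OneCore version of this event" (should be "whenever" and "This is"). The **DumpFileAttributes**, **DumpFileSize** and **IsValidDumpFile** rows lack the terminal period the other rows carry, and **DumpFileSize** gives no unit. Because this event sends binary data from the dump file, **DumpFileAttributes** would be more useful if it listed the codes or linked to where they are defined.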
@@ -4982,7 +6266,7 @@ The following fields are available:
- **current** Result of currency check.
- **dismOperationSucceeded** Dism uninstall operation status.
-- **hResult** Failure error code.
+- **hResult** Failure Error code.
- **oSVersion** Build number of the device.
- **paused** Indicates whether the device is paused.
- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status.
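Review bot: the only change to **hResult** is capitalising "Error" mid-sentence ("Failure Error code."), which is inconsistent with the sentence-case descriptions around it. Keep the removed wording, "Failure error code."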
@@ -5023,7 +6307,7 @@ The following fields are available:
- **current** Result of currency check.
- **dismOperationSucceeded** Dism uninstall operation status.
-- **hResult** Failure error code.
+- **hResult** Failure Error code.
- **oSVersion** Build number of the device.
- **paused** Indicates whether the device is paused.
- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status.
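Review bot: **hResult** picks up a stray capital here as well ("Failure Error code."); the neighbouring rows use sentence case, so the original "Failure error code." should stay.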
@@ -5058,45 +6342,128 @@ This event sends basic telemetry on the success of the rollback of the Quality/L
## Windows Update Delivery Optimization events
-### Microsoft.OSG.DU.DeliveryOptClient.DownloadStarted
+### Microsoft.OSG.DU.DeliveryOptClient.DownloadCanceled
-This event sends data describing the start of a new download to enable Delivery Optimization. It's used to understand and address problems regarding downloads.
+This event describes when a download was canceled with Delivery Optimization. It's used to understand and address problems regarding downloads.
The following fields are available:
-- **background** Indicates whether the download is happening in the background.
-- **bytesRequested** Number of bytes requested for the download.
+- **background** Is the download being done in the background?
+- **bytesFromCacheServer** Bytes received from a cache host.
+- **bytesFromCDN** The number of bytes received from a CDN source.
+- **bytesFromGroupPeers** The number of bytes received from a peer in the same group.
+- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same group.
+- **bytesFromLocalCache** Bytes copied over from local (on disk) cache.
+- **bytesFromPeers** The number of bytes received from a peer in the same LAN.
- **callerName** Name of the API caller.
-- **cdnUrl** The URL of the source CDN
-- **costFlags** A set of flags representing network cost.
-- **deviceProfile** Identifies the usage or form factor (such as Desktop, Xbox, or VM).
-- **diceRoll** Random number used for determining if a client will use peering.
-- **doClientVersion** The version of the Delivery Optimization client.
-- **doErrorCode** The Delivery Optimization error code that was returned.
-- **downloadMode** The download mode used for this file download session (CdnOnly = 0, Lan = 1, Group = 2, Internet = 3, Simple = 99, Bypass = 100).
-- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9).
+- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event.
+- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered.
+- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session.
- **errorCode** The error code that was returned.
-- **experimentId** ID used to correlate client/services calls that are part of the same test during A/B testing.
+- **experimentId** When running a test, this is used to correlate events that are part of the same test.
- **fileID** The ID of the file being downloaded.
-- **filePath** The path to where the downloaded file will be written.
-- **fileSize** Total file size of the file that was downloaded.
-- **fileSizeCaller** Value for total file size provided by our caller.
-- **groupID** ID for the group.
-- **isEncrypted** Indicates whether the download is encrypted.
-- **isVpn** Indicates whether the device is connected to a Virtual Private Network.
-- **jobID** The ID of the Windows Update job.
-- **minDiskSizeGB** The minimum disk size (in GB) policy set for the device to allow peering with delivery optimization.
-- **minDiskSizePolicyEnforced** Indicates whether there is an enforced minimum disk size requirement for peering.
-- **minFileSizePolicy** The minimum content file size policy to allow the download using peering with delivery optimization.
-- **peerID** The ID for this delivery optimization client.
-- **predefinedCallerName** Name of the API caller.
+- **gCurMemoryStreamBytes** Current usage for memory streaming.
+- **gMaxMemoryStreamBytes** Maximum usage for memory streaming.
+- **isVpn** Indicates whether the device is connected to a VPN (Virtual Private Network).
+- **jobID** Identifier for the Windows Update job.
+- **predefinedCallerName** The name of the API Caller.
+- **reasonCode** Reason the action or event occurred.
- **scenarioID** The ID of the scenario.
-- **sessionID** The ID for the file download session.
-- **setConfigs** A JSON representation of the configurations that have been set, and their sources.
+- **sessionID** The ID of the file download session.
- **updateID** The ID of the update being downloaded.
-- **usedMemoryStream** Indicates whether the download used memory streaming.
+- **usedMemoryStream** TRUE if the download is using memory streaming for App downloads.
+### Microsoft.OSG.DU.DeliveryOptClient.DownloadCompleted
+
+This event describes when a download has completed with Delivery Optimization. It's used to understand and address problems regarding downloads.
+
+The following fields are available:
+
+- **background** Is the download a background download?
+- **bytesFromCacheServer** Bytes received from a cache host.
+- **bytesFromCDN** The number of bytes received from a CDN source.
+- **bytesFromGroupPeers** The number of bytes received from a peer in the same domain group.
+- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same domain group.
+- **bytesFromLocalCache** Bytes copied over from local (on disk) cache.
+- **bytesFromPeers** The number of bytes received from a peer in the same LAN.
+- **bytesRequested** The total number of bytes requested for download.
+- **cacheServerConnectionCount** Number of connections made to cache hosts.
+- **callerName** Name of the API caller.
+- **cdnConnectionCount** The total number of connections made to the CDN.
+- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event.
+- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered.
+- **cdnIp** The IP address of the source CDN.
+- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session.
+- **doErrorCode** The Delivery Optimization error code that was returned.
+- **downlinkBps** The maximum measured available download bandwidth (in bytes per second).
+- **downlinkUsageBps** The download speed (in bytes per second).
+- **downloadMode** The download mode used for this file download session.
+- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9).
+- **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
+- **fileID** The ID of the file being downloaded.
+- **fileSize** The size of the file being downloaded.
+- **gCurMemoryStreamBytes** Current usage for memory streaming.
+- **gMaxMemoryStreamBytes** Maximum usage for memory streaming.
+- **groupConnectionCount** The total number of connections made to peers in the same group.
+- **internetConnectionCount** The total number of connections made to peers not in the same LAN or the same group.
+- **isEncrypted** TRUE if the file is encrypted and will be decrypted after download.
+- **isVpn** Is the device connected to a Virtual Private Network?
+- **jobID** Identifier for the Windows Update job.
+- **lanConnectionCount** The total number of connections made to peers in the same LAN.
+- **numPeers** The total number of peers used for this download.
+- **predefinedCallerName** The name of the API Caller.
+- **restrictedUpload** Is the upload restricted?
+- **scenarioID** The ID of the scenario.
+- **sessionID** The ID of the download session.
+- **totalTimeMs** Duration of the download (in seconds).
+- **updateID** The ID of the update being downloaded.
+- **uplinkBps** The maximum measured available upload bandwidth (in bytes per second).
+- **uplinkUsageBps** The upload speed (in bytes per second).
+- **usedMemoryStream** TRUE if the download is using memory streaming for App downloads.
+
+
+### Microsoft.OSG.DU.DeliveryOptClient.DownloadPaused
+
+This event represents a temporary suspension of a download with Delivery Optimization. It's used to understand and address problems regarding downloads.
+
+The following fields are available:
+
+- **background** Is the download a background download?
+- **callerName** The name of the API caller.
+- **errorCode** The error code that was returned.
+- **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
+- **fileID** The ID of the file being paused.
+- **isVpn** Is the device connected to a Virtual Private Network?
+- **jobID** Identifier for the Windows Update job.
+- **predefinedCallerName** The name of the API Caller object.
+- **reasonCode** The reason for pausing the download.
+- **scenarioID** The ID of the scenario.
+- **sessionID** The ID of the download session.
+- **updateID** The ID of the update being paused.
+
+### Microsoft.OSG.DU.DeliveryOptClient.FailureCdnCommunication
+
+This event represents a failure to download from a CDN with Delivery Optimization. It's used to understand and address problems regarding downloads.
+
+The following fields are available:
+
+- **cdnHeaders** The HTTP headers returned by the CDN.
+- **cdnIp** The IP address of the CDN.
+- **cdnUrl** The URL of the CDN.
+- **clientTelId** A random number used for device sampling.
+- **errorCode** The error code that was returned.
+- **errorCount** The total number of times this error code was seen since the last FailureCdnCommunication event was encountered.
+- **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
+- **fileID** The ID of the file being downloaded.
+- **httpStatusCode** The HTTP status code returned by the CDN.
+- **isHeadRequest** The type of HTTP request that was sent to the CDN. Example: HEAD or GET
+- **peerType** The type of peer (LAN, Group, Internet, CDN, Cache Host, etc.).
+- **requestOffset** The byte offset within the file in the sent request.
+- **requestSize** The size of the range requested from the CDN.
+- **responseSize** The size of the range response received from the CDN.
+- **sessionID** The ID of the download session.
+
## Windows Update events
### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentAnalysisSummary
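Review bot: **totalTimeMs** under DownloadCompleted is described as "Duration of the download (in seconds)", which contradicts the Ms suffix in the field name; confirm the unit and make the description match. In FailureCdnCommunication, **isHeadRequest** reads as a boolean but is documented as a request type ("Example: HEAD or GET"), and the **cdnErrorCodes** rows refer to a "FailureCDNCommunication" event while the heading is spelled FailureCdnCommunication. **bytesFromGroupPeers** says "same group" under DownloadCanceled and "same domain group" under DownloadCompleted; pick one. The DownloadStarted heading and its field list are replaced rather than kept, so confirm that event is intentionally dropped or documented elsewhere.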
@@ -5443,7 +6810,7 @@ The following fields are available:
- **displayNeededReason** List of reasons for needing display.
- **eventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.).
-- **filteredDeferReason** Applicable filtered reasons why reboot was postponed (such as user active, or low battery).
+- **filteredDeferReason** Applicable filtered reasons why reboot was postponed (such as user active, or low battery)..
- **gameModeReason** Name of the executable that caused the game mode state check to start.
- **ignoredReason** List of reasons that were intentionally ignored.
- **raisedDeferReason** Indicates all potential reasons for postponing restart (such as user active, or low battery).
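Review bot: the new **filteredDeferReason** line ends with a doubled period ("low battery).."). Drop the extra one; the removed line was already correct.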
@@ -5462,9 +6829,9 @@ The following fields are available:
- **deferReason** Reason why the device could not check for updates.
- **detectionBlockingPolicy** State of update action.
-- **detectionBlockreason** Reason for blocking detection
+- **detectionBlockreason** If we retry to scan
- **detectionRetryMode** Indicates whether we will try to scan again.
-- **errorCode** Error info
+- **errorCode** State of update action
- **eventScenario** End-to-end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed.
- **flightID** The specific ID of the Windows Insider build the device is getting.
- **interactive** Indicates whether the session was user initiated.
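Review bot: the two changed descriptions look shifted by one row. **detectionBlockreason** now reads "If we retry to scan", which describes **detectionRetryMode** on the next line, and **errorCode** now reads "State of update action", which duplicates **detectionBlockingPolicy** above it. The removed text ("Reason for blocking detection", "Error info") matched the field names; restore it or supply descriptions that do.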
@@ -5472,7 +6839,7 @@ The following fields are available:
- **revisionNumber** Update revision number.
- **scanTriggerSource** Source of the triggered scan.
- **updateId** Update ID.
-- **updateScenarioType** Source of the triggered scan
+- **updateScenarioType** Update Session type
- **wuDeviceid** Device ID
@@ -5557,7 +6924,7 @@ This event is sent during update scan, download, or install, and indicates that
The following fields are available:
-- **configVersion** Escalation config version on device .
+- **configVersion** Escalation config version on device.
- **downloadElapsedTime** Indicates how long since the download is required on device.
- **downloadRiskLevel** At-risk level of download phase.
- **installElapsedTime** Indicates how long since the install is required on device.
@@ -5585,7 +6952,7 @@ This event indicates that the update is no longer applicable to this device.
The following fields are available:
-- **EventPublishedTime** Time when this event was generated
+- **EventPublishedTime** Time when this event was generated.
- **flightID** The specific ID of the Windows Insider build.
- **revisionNumber** Update revision number.
- **updateId** Unique Windows Update ID.
@@ -5633,7 +7000,7 @@ The following fields are available:
- **deferReason** Reason for install not completing.
- **errorCode** The error code reppresented by a hexadecimal value.
- **eventScenario** End-to-end update session ID.
-- **flightID** The specific ID of the Windows Insider build the device is getting.
+- **flightID** Unique update ID
- **flightUpdate** Indicates whether the update is a Windows Insider build.
- **ForcedRebootReminderSet** A boolean value that indicates if a forced reboot will happen for updates.
- **installCommitfailedtime** The time it took for a reboot to happen but the upgrade failed to progress.
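Review bot: **flightID** changes from "The specific ID of the Windows Insider build the device is getting." to "Unique update ID", which no longer describes a flight and sits oddly next to **flightUpdate** ("Indicates whether the update is a Windows Insider build"). Keep the removed description. While this block is open, the unchanged **errorCode** row above has the typo "reppresented".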
@@ -5648,6 +7015,31 @@ The following fields are available:
- **wuDeviceid** Unique device ID used by Windows Update.
+### Microsoft.Windows.Update.Orchestrator.LowUptimes
+
+This event is sent if a device is identified as not having sufficient uptime to reliably process updates in order to keep secure.
+
+The following fields are available:
+
+- **isLowUptimeMachine** Is the machine considered low uptime or not.
+- **lowUptimeMinHours** Current setting for the minimum number of hours needed to not be considered low uptime.
+- **lowUptimeQueryDays** Current setting for the number of recent days to check for uptime.
+- **uptimeMinutes** Number of minutes of uptime measured.
+- **wuDeviceid** Unique device ID for Windows Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.OneshotUpdateDetection
+
+This event returns data about scans initiated through settings UI, or background scans that are urgent; to help keep Windows up to date.
+
+The following fields are available:
+
+- **externalOneshotupdate** The last time a task-triggered scan was completed.
+- **interactiveOneshotupdate** The last time an interactive scan was completed.
+- **oldlastscanOneshotupdate** The last time a scan completed successfully.
+- **wuDeviceid** The Windows Update Device GUID (Globally-Unique ID).
+
+
### Microsoft.Windows.Update.Orchestrator.PostInstall
This event is sent after a Windows update install completes.
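Review bot: the LowUptimes summary ends "to reliably process updates in order to keep secure", which is missing its object; "in order to remain secure" or "to keep the device secure" reads correctly. The OneshotUpdateDetection summary uses a semicolon before "to help keep Windows up to date" where a comma belongs. **oldlastscanOneshotupdate** is described as "The last time a scan completed successfully", which does not explain the "old" in the name; clarify whether this is the previous value before the one-shot scan.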
@@ -5723,6 +7115,18 @@ The following fields are available:
- **wuDeviceid** Unique device ID used by Windows Update.
+### Microsoft.Windows.Update.Orchestrator.RefreshSettings
+
+This event sends basic data about the version of upgrade settings applied to the system to help keep Windows up to date.
+
+The following fields are available:
+
+- **errorCode** Hex code for the error message, to allow lookup of the specific error.
+- **settingsDownloadTime** Timestamp of the last attempt to acquire settings.
+- **settingsETag** Version identifier for the settings.
+- **wuDeviceid** Unique device ID used by Windows Update.
+
+
### Microsoft.Windows.Update.Orchestrator.RestoreRebootTask
This event sends data indicating that a reboot task is missing unexpectedly on a device and the task is restored because a reboot is still required, to help keep Windows up to date.
@@ -5819,6 +7223,76 @@ The following fields are available:
- **wuDeviceid** Unique device ID used by Windows Update.
+### Microsoft.Windows.Update.Orchestrator.updateSettingsFlushFailed
+
+This event sends information about an update that encountered problems and was not able to complete.
+
+The following fields are available:
+
+- **errorCode** The error code encountered.
+- **wuDeviceid** The ID of the device in which the error occurred.
+
+
+### Microsoft.Windows.Update.Orchestrator.USODiagnostics
+
+This event sends data on whether the state of the update attempt, to help keep Windows up to date.
+
+The following fields are available:
+
+- **LastApplicableUpdateFoundTime** The time when the last applicable update was found.
+- **LastDownloadDeferredReason** The last reason download was deferred.
+- **LastDownloadDeferredTime** The time of the download deferral.
+- **LastDownloadFailureError** The last download failure.
+- **LastDownloadFailureTime** The time of the last download failure.
+- **LastInstallCompletedTime** The time when the last successful install completed.
+- **LastInstallDeferredReason** The reason the last install was deferred.
+- **LastInstallDeferredTime** The time when the last install was deferred.
+- **LastInstallFailureError** The error code associated with the last install failure.
+- **LastInstallFailureTime** The time when the last install failed to complete.
+- **LastRebootDeferredReason** The reason the last reboot was deferred.
+- **LastRebootDeferredTime** The time when the last reboot was deferred.
+- **LastRebootPendingTime** The time when the last reboot state was set to “Pending”.
+- **LastScanDeferredReason** The reason the last scan was deferred.
+- **LastScanDeferredTime** The time when the last scan was deferred.
+- **LastScanFailureError** The error code for the last scan failure.
+- **LastScanFailureTime** The time when the last scan failed.
+- **LastUpdateCheckTime** The time of the last update check.
+- **LastUpdateDownloadTime** The time when the last update was downloaded.
+- **LastUpgradeInstallFailureError** The error code for the last upgrade install failure.
+- **LastUpgradeInstallFailureTime** The time of the last upgrade install failure.
+- **LowUpTimeDetectTime** The last time “low up-time” was detected.
+- **NoLowUpTimeDetectTime** The last time no “low up-time” was detected.
+- **RebootRequired** Indicates reboot is required.
+- **UpgradeInProgressTime** The amount of time a feature update has been in progress.
+- **WaaSFeatureAssessmentDays** The number of days Feature Update Assessment has been out of date.
+- **WaaSFeatureAssessmentImpact** The impact of the Feature Update Assessment.
+- **WaaSUpToDateAssessmentDays** The number of days Quality Update Assessment has been out of date.
+- **WaaSUpToDateAssessmentImpact** The impact of Quality Update Assessment.
+- **wuDeviceid** Unique ID for Device
+
+
+### Microsoft.Windows.Update.Ux.MusNotification.EnhancedEngagedRebootUxState
+
+This event sends information about the configuration of Enhanced Direct-to-Engaged (eDTE), which includes values for the timing of how eDTE will progress through each phase of the reboot.
+
+The following fields are available:
+
+- **AcceptAutoModeLimit** The maximum number of days for a device to automatically enter Auto Reboot mode.
+- **AutoToAutoFailedLimit** The maximum number of days for Auto Reboot mode to fail before a Reboot Failed dialog will be shown.
+- **DeviceLocalTime** The date and time (based on the device date/time settings) the reboot mode changed.
+- **EngagedModeLimit** The number of days to switch between DTE (Direct-to-Engaged) dialogs.
+- **EnterAutoModeLimit** The maximum number of days a device can enter Auto Reboot mode.
+- **ETag** The Entity Tag that represents the OneSettings version.
+- **IsForcedEnabled** Identifies whether Forced Reboot mode is enabled for the device.
+- **IsUltimateForcedEnabled** Identifies whether Ultimate Forced Reboot mode is enabled for the device.
+- **OldestUpdateLocalTime** The date and time (based on the device date/time settings) this update’s reboot began pending.
+- **RebootUxState** Identifies the reboot state: Engaged, Auto, Forced, UltimateForced.
+- **RebootVersion** The version of the DTE (Direct-to-Engaged).
+- **SkipToAutoModeLimit** The maximum number of days to switch to start while in Auto Reboot mode.
+- **UpdateId** The ID of the update that is waiting for reboot to finish installation.
+- **UpdateRevision** The revision of the update that is waiting for reboot to finish installation.
+
+
### Microsoft.Windows.Update.Ux.MusNotification.RebootNoLongerNeeded
This event is sent when a security update has successfully completed.
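Review bot: the USODiagnostics summary is ungrammatical ("This event sends data on whether the state of the update attempt"); drop "whether" or finish the clause. The updateSettingsFlushFailed summary talks about "an update that encountered problems" and never mentions the settings flush the event is named for. **UpgradeInProgressTime** gives "The amount of time" with no unit, **SkipToAutoModeLimit** ("maximum number of days to switch to start while in Auto Reboot mode") is hard to parse, and the curly quotes around “Pending” and “low up-time” should be straight quotes to match the rest of the file.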
@@ -5872,6 +7346,25 @@ The following fields are available:
- **TaskName** Name of the task
+### Microsoft.Windows.Update.Ux.MusUpdateSettings.RebootScheduled
+
+This event sends basic information for scheduling a device restart to install security updates. It's used to help keep Windows up to date.
+
+The following fields are available:
+
+- **activeHoursApplicable** Is the restart respecting Active Hours?
+- **IsEnhancedEngagedReboot** TRUE if the reboot path is Enhanced Engaged. Otherwise, FALSE.
+- **rebootArgument** The arguments that are passed to the OS for the restarted.
+- **rebootOutsideOfActiveHours** Was the restart scheduled outside of Active Hours?
+- **rebootScheduledByUser** Was the restart scheduled by the user? If the value is false, the restart was scheduled by the device.
+- **rebootState** The state of the restart.
+- **revisionNumber** The revision number of the OS being updated.
+- **scheduledRebootTime** Time of the scheduled reboot
+- **scheduledRebootTimeInUTC** Time of the scheduled restart, in Coordinated Universal Time.
+- **updateId** The Windows Update device GUID.
+- **wuDeviceid** The Windows Update device GUID.
+
+
## Windows Update mitigation events
### Mitigation360Telemetry.MitigationCustom.CleanupSafeOsImages
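Review bot: **updateId** and **wuDeviceid** carry the identical description, "The Windows Update device GUID."; **updateId** looks like a copy-paste and should describe the update, not the device. **rebootArgument** ends "for the restarted" (should be "for the restart"), and **scheduledRebootTime** lacks a terminal period and does not say which time zone it uses, unlike **scheduledRebootTimeInUTC** below it.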
@@ -5880,21 +7373,21 @@ This event sends data specific to the CleanupSafeOsImages mitigation used for OS
The following fields are available:
-- **ClientId** Unique identifier for each flight.
-- **FlightId** Unique GUID that identifies each instances of setuphost.exe.
-- **InstanceId** The update scenario in which the mitigation was executed.
-- **MitigationScenario** Number of mounted images.
-- **MountedImageCount** Number of mounted images that were under %systemdrive%\$Windows.~BT.
-- **MountedImageMatches** Number of mounted images under %systemdrive%\$Windows.~BT that could not be removed.
-- **MountedImagesFailed** Number of mounted images under %systemdrive%\$Windows.~BT that were successfully removed.
-- **MountedImagesRemoved** Number of mounted images that were not under %systemdrive%\$Windows.~BT.
-- **MountedImagesSkipped** Correlation vector value generated from the latest USO scan.
-- **RelatedCV** HResult of this operation.
-- **Result** ID indicating the mitigation scenario.
-- **ScenarioId** Indicates whether the scenario was supported.
-- **ScenarioSupported** Unique value for each update attempt.
-- **SessionId** Unique ID for each Update.
-- **UpdateId** Unique ID for the Windows Update client.
+- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **FlightId** Unique identifier for each flight.
+- **InstanceId** Unique GUID that identifies each instances of setuphost.exe.
+- **MitigationScenario** The update scenario in which the mitigation was executed.
+- **MountedImageCount** Number of mounted images.
+- **MountedImageMatches** Number of mounted images that were under %systemdrive%\$Windows.~BT.
+- **MountedImagesFailed** Number of mounted images under %systemdrive%\$Windows.~BT that could not be removed.
+- **MountedImagesRemoved** Number of mounted images under %systemdrive%\$Windows.~BT that were successfully removed.
+- **MountedImagesSkipped** Number of mounted images that were not under %systemdrive%\$Windows.~BT.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **Result** HResult of this operation.
+- **ScenarioId** ID indicating the mitigation scenario.
+- **ScenarioSupported** Indicates whether the scenario was supported.
+- **SessionId** Unique value for each update attempt.
+- **UpdateId** Unique ID for each Update.
- **WuId** Unique ID for the Windows Update client.
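Review bot: the realigned descriptions now match their field names, but **InstanceId** still reads "identifies each instances of setuphost.exe"; make it "each instance". After the shift, **WuId** is the only row describing the Windows Update client while **ClientId** also refers to "the WU client ID that is passed to Setup", so it is worth stating how the two differ.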
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
index 0755ce1e09..f86fc65600 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
@@ -9,7 +9,7 @@ ms.pagetype: security
localizationpriority: high
author: brianlic-msft
ms.author: brianlic
-ms.date: 10/03/2018
+ms.date: 11/07/2018
---
@@ -20,7 +20,7 @@ ms.date: 10/03/2018
- Windows 10, version 1809
-The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. When the level is set to Basic, it also includes the Security level information.
+The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Windows Store. When the level is set to Basic, it also includes the Security level information.
The Basic level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems.
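Review bot: the intro paragraph changes "Microsoft Store" to "Windows Store". This file covers Windows 10, version 1809, and the removed line used the current product name, so this looks like an accidental revert, possibly from regenerating the page off an older template. Keep "Microsoft Store" unless the rename is intentional.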
@@ -281,7 +281,7 @@ The following fields are available:
- **DatasourceApplicationFile_TH1** The count of the number of this particular object type present on this device.
- **DatasourceApplicationFile_TH2** The count of the number of this particular object type present on this device.
- **DatasourceDevicePnp_RS1** The total DataSourceDevicePnp objects targeting Windows 10 version 1607 on this device.
-- **DatasourceDevicePnp_RS2** The count of DatasourceApplicationFile objects present on this machine targeting the next release of Windows
+- **DatasourceDevicePnp_RS2** The total DatasourceDevicePnp objects targeting Windows 10 version 1703 present on this device.
- **DatasourceDevicePnp_RS3** The total DatasourceDevicePnp objects targeting the next release of Windows on this device.
- **DatasourceDevicePnp_RS4** The count of the number of this particular object type present on this device.
- **DatasourceDevicePnp_RS4Setup** The count of the number of this particular object type present on this device.
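Review bot: the corrected **DatasourceDevicePnp_RS2** row now names Windows 10 version 1703, but the unchanged **DatasourceDevicePnp_RS3** row below still says "targeting the next release of Windows", which is stale in a version 1809 document. Consider naming the release there too. The new row also says "present on this device" where the RS1 and RS3 rows say "on this device"; use one form.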
@@ -295,7 +295,7 @@ The following fields are available:
- **DatasourceDriverPackage_TH1** The count of the number of this particular object type present on this device.
- **DatasourceDriverPackage_TH2** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoBlock_RS1** The total DataSourceMatchingInfoBlock objects targeting Windows 10 version 1607 on this device.
-- **DataSourceMatchingInfoBlock_RS2** The count of DatasourceDevicePnp objects present on this machine targeting the next release of Windows
+- **DataSourceMatchingInfoBlock_RS2** The total DataSourceMatchingInfoBlock objects targeting Windows 10 version 1703 present on this device.
- **DataSourceMatchingInfoBlock_RS3** The total DataSourceMatchingInfoBlock objects targeting the next release of Windows on this device.
- **DataSourceMatchingInfoBlock_RS4** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoBlock_RS4Setup** The count of the number of this particular object type present on this device.
@@ -309,7 +309,7 @@ The following fields are available:
- **DataSourceMatchingInfoPassive_TH1** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoPassive_TH2** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoPostUpgrade_RS1** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device.
-- **DataSourceMatchingInfoPostUpgrade_RS2** The count of DatasourceDriverPackage objects present on this machine targeting the next release of Windows
+- **DataSourceMatchingInfoPostUpgrade_RS2** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 present on this device.
- **DataSourceMatchingInfoPostUpgrade_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting the next release of Windows on this device.
- **DataSourceMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoPostUpgrade_RS4Setup** The count of the number of this particular object type present on this device.
@@ -330,7 +330,7 @@ The following fields are available:
- **DecisionApplicationFile_TH1** The count of the number of this particular object type present on this device.
- **DecisionApplicationFile_TH2** The count of the number of this particular object type present on this device.
- **DecisionDevicePnp_RS1** The total DecisionDevicePnp objects targeting Windows 10 version 1607 on this device.
-- **DecisionDevicePnp_RS2** The count of DataSourceMatchingInfoBlock objects present on this machine targeting the next release of Windows
+- **DecisionDevicePnp_RS2** The total DecisionDevicePnp objects targeting Windows 10 version 1703 present on this device.
- **DecisionDevicePnp_RS3** The total DecisionDevicePnp objects targeting the next release of Windows on this device.
- **DecisionDevicePnp_RS4** The count of the number of this particular object type present on this device.
- **DecisionDevicePnp_RS4Setup** The count of the number of this particular object type present on this device.
@@ -344,7 +344,7 @@ The following fields are available:
- **DecisionDriverPackage_TH1** The count of the number of this particular object type present on this device.
- **DecisionDriverPackage_TH2** The count of the number of this particular object type present on this device.
- **DecisionMatchingInfoBlock_RS1** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1607 present on this device.
-- **DecisionMatchingInfoBlock_RS2** The count of DataSourceMatchingInfoPassive objects present on this machine targeting the next release of Windows
+- **DecisionMatchingInfoBlock_RS2** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1703 present on this device.
- **DecisionMatchingInfoBlock_RS3** The total DecisionMatchingInfoBlock objects targeting the next release of Windows on this device.
- **DecisionMatchingInfoBlock_RS4** The count of the number of this particular object type present on this device.
- **DecisionMatchingInfoBlock_RS4Setup** The count of the number of this particular object type present on this device.
@@ -358,14 +358,14 @@ The following fields are available:
- **DecisionMatchingInfoPassive_TH1** The count of the number of this particular object type present on this device.
- **DecisionMatchingInfoPassive_TH2** The count of the number of this particular object type present on this device.
- **DecisionMatchingInfoPostUpgrade_RS1** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device.
-- **DecisionMatchingInfoPostUpgrade_RS2** The count of DataSourceMatchingInfoPostUpgrade objects present on this machine targeting the next release of Windows
+- **DecisionMatchingInfoPostUpgrade_RS2** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 present on this device.
- **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting the next release of Windows on this device.
- **DecisionMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device.
- **DecisionMatchingInfoPostUpgrade_RS4Setup** The count of the number of this particular object type present on this device.
- **DecisionMatchingInfoPostUpgrade_TH1** The count of the number of this particular object type present on this device.
- **DecisionMatchingInfoPostUpgrade_TH2** The count of the number of this particular object type present on this device.
- **DecisionMediaCenter_RS1** The total DecisionMediaCenter objects targeting Windows 10 version 1607 present on this device.
-- **DecisionMediaCenter_RS2** The count of DatasourceSystemBios objects present on this machine targeting the next release of Windows
+- **DecisionMediaCenter_RS2** The total DecisionMediaCenter objects targeting Windows 10 version 1703 present on this device.
- **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting the next release of Windows on this device.
- **DecisionMediaCenter_RS4** The count of the number of this particular object type present on this device.
- **DecisionMediaCenter_RS4Setup** The count of the number of this particular object type present on this device.
@@ -395,7 +395,7 @@ The following fields are available:
- **SystemWindowsActivationStatus** The count of the number of this particular object type present on this device.
- **SystemWlan** The count of the number of this particular object type present on this device.
- **Wmdrm_RS1** An ID for the system, calculated by hashing hardware identifiers.
-- **Wmdrm_RS2** The count of InventoryLanguagePack objects present on this machine.
+- **Wmdrm_RS2** The total Wmdrm objects targeting Windows 10 version 1703 present on this device.
- **Wmdrm_RS3** The total Wmdrm objects targeting the next release of Windows on this device.
- **Wmdrm_RS4** The total Wmdrm objects targeting Windows 10, version 1803 present on this device.
- **Wmdrm_RS4Setup** The count of the number of this particular object type present on this device.
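Review bot: The Wmdrm_RS2 fix leaves the neighbouring Wmdrm_RS1 line describing a count field as "An ID for the system, calculated by hashing hardware identifiers", which looks like the same kind of copy-paste error this hunk corrects for RS2. Suggest fixing RS1 here as well, following the pattern "The total Wmdrm objects targeting Windows 10 version 1607 present on this device." Also, the new line writes "Windows 10 version 1703" while Wmdrm_RS4 two lines down writes "Windows 10, version 1803"; use one comma style.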
@@ -1818,14 +1818,18 @@ The following fields are available:
- **AdvertisingId** Current state of the advertising ID setting.
- **AppDiagnostics** Current state of the app diagnostics setting.
- **Appointments** Current state of the calendar setting.
+- **AppointmentsSystem** Current state of the calendar setting.
- **Bluetooth** Current state of the Bluetooth capability setting.
- **BluetoothSync** Current state of the Bluetooth sync capability setting.
- **BroadFileSystemAccess** Current state of the broad file system access setting.
- **CellularData** Current state of the cellular data capability setting.
- **Chat** Current state of the chat setting.
+- **ChatSystem** Current state of the chat setting.
- **Contacts** Current state of the contacts setting.
+- **ContactsSystem** Current state of the Contacts setting.
- **DocumentsLibrary** Current state of the documents library setting.
- **Email** Current state of the email setting.
+- **EmailSystem** Current state of the email setting.
- **FindMyDevice** Current state of the "find my device" setting.
- **GazeInput** Current state of the gaze input setting.
- **HumanInterfaceDevice** Current state of the human interface device setting.
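Review bot: Each added *System field (AppointmentsSystem, ChatSystem, ContactsSystem, EmailSystem, and PhoneCallHistorySystem and UserDataTasksSystem in the next two hunks) repeats the description of its non-System counterpart word for word, so a reader auditing what is collected cannot tell which setting each field reports or how the two differ. Suggest stating the distinction in the description. Minor: ContactsSystem here says "Contacts setting" with a capital C, while the same field in the later copy of this list says "contacts setting".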
@@ -1837,6 +1841,7 @@ The following fields are available:
- **Microphone** Current state of the microphone setting.
- **PhoneCall** Current state of the phone call setting.
- **PhoneCallHistory** Current state of the call history setting.
+- **PhoneCallHistorySystem** Current state of the call history setting.
- **PicturesLibrary** Current state of the pictures library setting.
- **Radios** Current state of the radios setting.
- **SensorsCustom** Current state of the custom sensor setting.
@@ -1846,6 +1851,7 @@ The following fields are available:
- **USB** Current state of the USB setting.
- **UserAccountInformation** Current state of the account information setting.
- **UserDataTasks** Current state of the tasks setting.
+- **UserDataTasksSystem** Current state of the tasks setting.
- **UserNotificationListener** Current state of the notifications setting.
- **VideosLibrary** Current state of the videos library setting.
- **Webcam** Current state of the camera setting.
@@ -1979,14 +1985,18 @@ The following fields are available:
- **AdvertisingId** Current state of the advertising ID setting.
- **AppDiagnostics** Current state of the app diagnostics setting.
- **Appointments** Current state of the calendar setting.
+- **AppointmentsSystem** Current state of the calendar setting.
- **Bluetooth** Current state of the Bluetooth capability setting.
- **BluetoothSync** Current state of the Bluetooth sync capability setting.
- **BroadFileSystemAccess** Current state of the broad file system access setting.
- **CellularData** Current state of the cellular data capability setting.
- **Chat** Current state of the chat setting.
+- **ChatSystem** Current state of the chat setting.
- **Contacts** Current state of the contacts setting.
+- **ContactsSystem** Current state of the contacts setting.
- **DocumentsLibrary** Current state of the documents library setting.
- **Email** Current state of the email setting.
+- **EmailSystem** Current state of the email setting.
- **GazeInput** Current state of the gaze input setting.
- **HumanInterfaceDevice** Current state of the human interface device setting.
- **InkTypeImprovement** Current state of the improve inking and typing setting.
@@ -1998,6 +2008,7 @@ The following fields are available:
- **Microphone** Current state of the microphone setting.
- **PhoneCall** Current state of the phone call setting.
- **PhoneCallHistory** Current state of the call history setting.
+- **PhoneCallHistorySystem** Current state of the call history setting.
- **PicturesLibrary** Current state of the pictures library setting.
- **Radios** Current state of the radios setting.
- **SensorsCustom** Current state of the custom sensor setting.
@@ -2007,6 +2018,7 @@ The following fields are available:
- **USB** Current state of the USB setting.
- **UserAccountInformation** Current state of the account information setting.
- **UserDataTasks** Current state of the tasks setting.
+- **UserDataTasksSystem** Current state of the tasks setting.
- **UserNotificationListener** Current state of the notifications setting.
- **VideosLibrary** Current state of the videos library setting.
- **Webcam** Current state of the camera setting.
@@ -2256,6 +2268,59 @@ The following fields are available:
## Component-based servicing events
+### CbsServicingProvider.CbsCapabilityEnumeration
+
+This event reports on the results of scanning for optional Windows content on Windows Update.
+
+The following fields are available:
+
+- **architecture** Indicates the scan was limited to the specified architecture.
+- **capabilityCount** The number of optional content packages found during the scan.
+- **clientId** The name of the application requesting the optional content.
+- **duration** The amount of time it took to complete the scan.
+- **hrStatus** The HReturn code of the scan.
+- **language** Indicates the scan was limited to the specified language.
+- **majorVersion** Indicates the scan was limited to the specified major version.
+- **minorVersion** Indicates the scan was limited to the specified minor version.
+- **namespace** Indicates the scan was limited to packages in the specified namespace.
+- **sourceFilter** A bitmask indicating the scan checked for locally available optional content.
+- **stackBuild** The build number of the servicing stack.
+- **stackMajorVersion** The major version number of the servicing stack.
+- **stackMinorVersion** The minor version number of the servicing stack.
+- **stackRevision** The revision number of the servicing stack.
+
+
+### CbsServicingProvider.CbsCapabilitySessionFinalize
+
+This event provides information about the results of installing or uninstalling optional Windows content from Windows Update.
+
+The following fields are available:
+
+- **capabilities** The names of the optional content packages that were installed.
+- **clientId** The name of the application requesting the optional content.
+- **currentID** The ID of the current install session.
+- **highestState** The highest final install state of the optional content.
+- **hrLCUReservicingStatus** Indicates whether the optional content was updated to the latest available version.
+- **hrStatus** The HReturn code of the install operation.
+- **rebootCount** The number of reboots required to complete the install.
+- **retryID** The session ID that will be used to retry a failed operation.
+- **retryStatus** Indicates whether the install will be retried in the event of failure.
+- **stackBuild** The build number of the servicing stack.
+- **stackMajorVersion** The major version number of the servicing stack.
+- **stackMinorVersion** The minor version number of the servicing stack.
+- **stackRevision** The revision number of the servicing stack.
+
+
+### CbsServicingProvider.CbsCapabilitySessionPended
+
+This event provides information about the results of installing optional Windows content that requires a reboot to keep Windows up to date.
+
+The following fields are available:
+
+- **clientId** The name of the application requesting the optional content.
+- **pendingDecision** Indicates the cause of reboot, if applicable.
+
+
### CbsServicingProvider.CbsLateAcquisition
This event sends data to indicate if some Operating System packages could not be updated as part of an upgrade, to help keep Windows up to date.
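Review bot: hrStatus is described as "The HReturn code" in both CbsCapabilityEnumeration and CbsCapabilitySessionFinalize; the rest of this document uses "HResult" for the same concept, so suggest using that term here too. In CbsCapabilitySessionFinalize the event text covers "installing or uninstalling" but the capabilities field says "packages that were installed"; it should say installed or uninstalled. sourceFilter is called a bitmask but the description names only one meaning ("locally available optional content"); either list the bits or describe it as a flag. CbsCapabilitySessionPended and the two events above it also end with two blank lines where the surrounding file uses one.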
@@ -2266,6 +2331,28 @@ The following fields are available:
- **RetryID** The ID identifying the retry attempt to update the listed packages.
+### CbsServicingProvider.CbsPackageRemoval
+
+This event provides information about the results of uninstalling a Windows Cumulative Security Update to help keep Windows up to date.
+
+The following fields are available:
+
+- **buildVersion** The build number of the security update being uninstalled.
+- **clientId** The name of the application requesting the uninstall.
+- **currentStateEnd** The final state of the update after the operation.
+- **failureDetails** Information about the cause of a failure, if applicable.
+- **failureSourceEnd** The stage during the uninstall where the failure occurred.
+- **hrStatusEnd** The overall exit code of the operation.
+- **initiatedOffline** Indicates if the uninstall was initiated for a mounted Windows image.
+- **majorVersion** The major version number of the security update being uninstalled.
+- **minorVersion** The minor version number of the security update being uninstalled.
+- **originalState** The starting state of the update before the operation.
+- **pendingDecision** Indicates the cause of reboot, if applicable.
+- **primitiveExecutionContext** The state during system startup when the uninstall was completed.
+- **revisionVersion** The revision number of the security update being uninstalled.
+- **transactionCanceled** Indicates whether the uninstall was cancelled.
+
+
## Deployment extensions
### DeploymentTelemetry.Deployment_End
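Review bot: failureDetails in CbsPackageRemoval is documented only as "Information about the cause of a failure, if applicable", which does not say whether this is an error code, a fixed string, or free-form text. Since this event records removal of a cumulative security update, suggest stating the form of the field, and listing the possible values for originalState, currentStateEnd and failureSourceEnd so the event can be interpreted without other sources. Minor: transactionCanceled is described with "cancelled"; use the spelling that matches the field name.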
@@ -3009,6 +3096,87 @@ The following fields are available:
- **CV** Correlation vector.
+## DxgKernelTelemetry events
+
+### DxgKrnlTelemetry.GPUAdapterInventoryV2
+
+This event sends basic GPU and display driver information to keep Windows and display drivers up-to-date.
+
+The following fields are available:
+
+- **AdapterTypeValue** The numeric value indicating the type of Graphics adapter.
+- **aiSeqId** The event sequence ID.
+- **bootId** The system boot ID.
+- **BrightnessVersionViaDDI** The version of the Display Brightness Interface.
+- **ComputePreemptionLevel** The maximum preemption level supported by GPU for compute payload.
+- **DedicatedSystemMemoryB** The amount of system memory dedicated for GPU use (in bytes).
+- **DedicatedVideoMemoryB** The amount of dedicated VRAM of the GPU (in bytes).
+- **DisplayAdapterLuid** The display adapter LUID.
+- **DriverDate** The date of the display driver.
+- **DriverRank** The rank of the display driver.
+- **DriverVersion** The display driver version.
+- **DX10UMDFilePath** The file path to the location of the DirectX 10 Display User Mode Driver in the Driver Store.
+- **DX11UMDFilePath** The file path to the location of the DirectX 11 Display User Mode Driver in the Driver Store.
+- **DX12UMDFilePath** The file path to the location of the DirectX 12 Display User Mode Driver in the Driver Store.
+- **DX9UMDFilePath** The file path to the location of the DirectX 9 Display User Mode Driver in the Driver Store.
+- **GPUDeviceID** The GPU device ID.
+- **GPUPreemptionLevel** The maximum preemption level supported by GPU for graphics payload.
+- **GPURevisionID** The GPU revision ID.
+- **GPUVendorID** The GPU vendor ID.
+- **InterfaceId** The GPU interface ID.
+- **IsDisplayDevice** Does the GPU have displaying capabilities?
+- **IsHybridDiscrete** Does the GPU have discrete GPU capabilities in a hybrid device?
+- **IsHybridIntegrated** Does the GPU have integrated GPU capabilities in a hybrid device?
+- **IsLDA** Is the GPU comprised of Linked Display Adapters?
+- **IsMiracastSupported** Does the GPU support Miracast?
+- **IsMismatchLDA** Is at least one device in the Linked Display Adapters chain from a different vendor?
+- **IsMPOSupported** Does the GPU support Multi-Plane Overlays?
+- **IsMsMiracastSupported** Are the GPU Miracast capabilities driven by a Microsoft solution?
+- **IsPostAdapter** Is this GPU the POST GPU in the device?
+- **IsRemovable** TRUE if the adapter supports being disabled or removed.
+- **IsRenderDevice** Does the GPU have rendering capabilities?
+- **IsSoftwareDevice** Is this a software implementation of the GPU?
+- **KMDFilePath** The file path to the location of the Display Kernel Mode Driver in the Driver Store.
+- **MeasureEnabled** Is the device listening to MICROSOFT_KEYWORD_MEASURES?
+- **NumVidPnSources** The number of supported display output sources.
+- **NumVidPnTargets** The number of supported display output targets.
+- **SharedSystemMemoryB** The amount of system memory shared by GPU and CPU (in bytes).
+- **SubSystemID** The subsystem ID.
+- **SubVendorID** The GPU sub vendor ID.
+- **TelemetryEnabled** Is the device listening to MICROSOFT_KEYWORD_TELEMETRY?
+- **TelInvEvntTrigger** What triggered this event to be logged? Example: 0 (GPU enumeration) or 1 (DxgKrnlTelemetry provider toggling)
+- **version** The event version.
+- **WDDMVersion** The Windows Display Driver Model version.
+
+
+## Hang Reporting events
+
+### Microsoft.Windows.HangReporting.AppHangEvent
+
+This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events.
+
+The following fields are available:
+
+- **AppName** The name of the app that has hung.
+- **AppSessionGuid** GUID made up of process id used as a correlation vector for process instances in the telemetry backend.
+- **AppVersion** The version of the app that has hung.
+- **IsFatal** True/False based on whether the hung application caused the creation of a Fatal Hang Report.
+- **PackageFullName** Store application identity.
+- **PackageRelativeAppId** Store application identity.
+- **ProcessArchitecture** Architecture of the hung process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64.
+- **ProcessCreateTime** The time of creation of the process that has hung.
+- **ProcessId** The ID of the process that has hung.
+- **ReportId** A GUID used to identify the report. This can used to track the report across Watson.
+- **TargetAppId** The kernel reported AppId of the application being reported.
+- **TargetAppVer** The specific version of the application being reported.
+- **TargetAsId** The sequence number for the hanging process.
+- **TypeCode** Bitmap describing the hang type.
+- **WaitingOnAppName** If this is a cross process hang waiting for an application, this has the name of the application.
+- **WaitingOnAppVersion** If this is a cross process hang, this has the version of the application for which it is waiting.
+- **WaitingOnPackageFullName** If this is a cross process hang waiting for a package, this has the full name of the package for which it is waiting.
+- **WaitingOnPackageRelativeAppId** If this is a cross process hang waiting for a package, this has the relative application id of the package.
+
+
## Inventory events
### Microsoft.Windows.Inventory.Core.AmiTelCacheChecksum
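Review bot: The AppHangEvent description points to "field 13 of hang event, field 19 of WER event" for the shared ReportID, but the field list below is alphabetical and unnumbered, so the reference cannot be resolved from this page. Suggest naming the field (ReportId) instead of giving positions. In the same event, ReportId reads "This can used to track the report" and is missing "be". AppSessionGuid is described as a GUID "made up of process id"; a clearer statement of what it is derived from would help. The section heading is "DxgKernelTelemetry events" while the event itself is DxgKrnlTelemetry.GPUAdapterInventoryV2; confirm which spelling the heading should carry.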
@@ -3104,8 +3272,8 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic
The following fields are available:
-- **InventoryVersion** The version of the inventory component
-- **ProgramIds** The unique program identifier the driver is associated with
+- **InventoryVersion** The version of the inventory component.
+- **ProgramIds** The unique program identifier the driver is associated with.
### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverStartSync
@@ -3308,9 +3476,10 @@ The following fields are available:
- **DriverVerDate** Name of the .sys image file (or wudfrd.sys if using user mode driver framework).
- **DriverVerVersion** The immediate parent directory name in the Directory field of InventoryDriverPackage.
- **Enumerator** The date of the driver loaded for the device.
+- **ExtendedInfs** The extended INF file names.
- **HWID** The version of the driver loaded for the device.
- **Inf** The bus that enumerated the device.
-- **InstallState** The device installation state. One of these values: https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx
+- **InstallState** The device installation state. One of these values: https://msdn.microsoft.com/en-us/library/windows/hardware/ff543130.aspx
- **InventoryVersion** List of hardware ids for the device.
- **LowerClassFilters** Lower filter class drivers IDs installed for the device
- **LowerFilters** Lower filter drivers IDs installed for the device
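Review bot: The InstallState link is changed to include the "en-us" locale segment, which pins every reader to the English page; the locale-neutral URL on the removed line is preferable unless there is a reason for the change. While this list is being touched, the unchanged descriptions around the new ExtendedInfs line look shifted against their field names: DriverVerDate is "Name of the .sys image file", Enumerator is "The date of the driver loaded for the device", HWID is "The version of the driver", Inf is "The bus that enumerated the device", and InventoryVersion is "List of hardware ids for the device". Suggest realigning them in this change.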
@@ -3463,6 +3632,18 @@ The following fields are available:
- **InventoryVersion** The version of the inventory file generating the events.
+### Microsoft.Windows.Inventory.Core.StartUtcJsonTrace
+
+This event collects traces of all other Core events, not used in typical customer scenarios. This event signals the beginning of the event download, and that tracing should begin.
+
+
+
+### Microsoft.Windows.Inventory.Core.StopUtcJsonTrace
+
+This event collects traces of all other Core events, not used in typical customer scenarios. This event signals the end of the event download, and that tracing should end.
+
+
+
### Microsoft.Windows.Inventory.General.AppHealthStaticAdd
This event sends details collected for a specific application on the source device.
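Review bot: StartUtcJsonTrace and StopUtcJsonTrace are both described as collecting "traces of all other Core events, not used in typical customer scenarios", with no field list and no statement of what turns the trace on. Because the description says all other Core inventory events are captured, suggest saying who or what enables the trace and under which conditions, and rewording the comma splice, for example "This event is not used in typical customer scenarios." Each of the two sections also ends with three blank lines.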
@@ -3510,27 +3691,27 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic
The following fields are available:
-- **AddinCLSID** The CLSID for the Office add-in.
-- **AddInId** Office add-in ID.
-- **AddinType** Office add-in Type.
-- **BinFileTimestamp** Timestamp of the Office add-in.
-- **BinFileVersion** Version of the Office add-in.
-- **Description** Office add-in description.
-- **FileId** FileId of the Office add-in.
-- **FileSize** File size of the Office add-in.
-- **FriendlyName** Friendly name for office add-in.
-- **FullPath** Unexpanded path to the office add-in.
+- **AddinCLSID** The CLSID for the Office addin
+- **AddInId** Office addin ID
+- **AddinType** The type of the Office addin.
+- **BinFileTimestamp** Timestamp of the Office addin
+- **BinFileVersion** Version of the Office addin
+- **Description** Office addin description
+- **FileId** FileId of the Office addin
+- **FileSize** File size of the Office addin
+- **FriendlyName** Friendly name for office addin
+- **FullPath** Unexpanded path to the office addin
- **InventoryVersion** The version of the inventory binary generating the events.
-- **LoadBehavior** Uint32 that describes the load behavior.
-- **OfficeApplication** The office application for this add-in.
-- **OfficeArchitecture** Architecture of the add-in.
-- **OfficeVersion** The office version for this add-in.
-- **OutlookCrashingAddin** Boolean that indicates if crashes have been found for this add-in.
-- **ProductCompany** The name of the company associated with the Office add-in.
-- **ProductName** The product name associated with the Office add-in.
-- **ProductVersion** The version associated with the Office add-in.
-- **ProgramId** The unique program identifier of the Office add-in.
-- **Provider** Name of the provider for this add-in.
+- **LoadBehavior** Uint32 that describes the load behavior
+- **OfficeApplication** The office application for this addin
+- **OfficeArchitecture** Architecture of the addin
+- **OfficeVersion** The office version for this addin
+- **OutlookCrashingAddin** Boolean that indicates if crashes have been found for this addin
+- **ProductCompany** The name of the company associated with the Office addin
+- **ProductName** The product name associated with the Office addin
+- **ProductVersion** The version associated with the Office addin
+- **ProgramId** The unique program identifier of the Office addin
+- **Provider** Name of the provider for this addin
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInRemove
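Review bot: Every line in this hunk replaces "add-in" with "addin" and drops the terminal period, which reverses the style the removed lines already had and contradicts the earlier hunk in this same file that adds periods to InventoryVersion and ProgramIds. The only substantive change is AddinType ("The type of the Office addin."), which is also the only new line that keeps its period. Unless the regression is intentional, suggest dropping this hunk or keeping the hyphenated, punctuated wording. "office" is also lower-case in several lines (FriendlyName, FullPath, OfficeApplication, OfficeVersion) and could be capitalized while here.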
@@ -3908,6 +4089,153 @@ The following fields are available:
- **UserInputTime** The amount of time the loader application spent waiting for user input.
+## OneDrive events
+
+### Microsoft.OneDrive.Sync.Updater.ComponentInstallState
+
+This event includes basic data about the installation state of dependent OneDrive components.
+
+The following fields are available:
+
+- **ComponentName** The name of the dependent component.
+- **isInstalled** Is the dependent component installed?
+
+
+### Microsoft.OneDrive.Sync.Updater.OverlayIconStatus
+
+This event indicates if the OneDrive overlay icon is working correctly. 0 = healthy; 1 = can be fixed; 2 = broken
+
+The following fields are available:
+
+- **32bit** The status of the OneDrive overlay icon on a 32-bit operating system.
+- **64bit** The status of the OneDrive overlay icon on a 64-bit operating system.
+
+
+### Microsoft.OneDrive.Sync.Updater.UpdateOverallResult
+
+This event sends information describing the result of the update.
+
+The following fields are available:
+
+- **hr** The HResult of the operation.
+- **IsLoggingEnabled** Indicates whether logging is enabled for the updater.
+- **UpdaterVersion** The version of the updater.
+
+
+### Microsoft.OneDrive.Sync.Updater.UpdateXmlDownloadHResult
+
+This event determines the status when downloading the OneDrive update configuration file.
+
+The following fields are available:
+
+- **hr** The HResult of the operation.
+
+
+### Microsoft.OneDrive.Sync.Updater.WebConnectionStatus
+
+This event determines the error code that was returned when verifying Internet connectivity.
+
+The following fields are available:
+
+- **winInetError** The HResult of the operation.
+
+
+## Other events
+
+### Microsoft.Windows.Kits.WSK.WskImageCreate
+
+This event sends simple Product and Service usage data when a user is using the Windows System Kit to create new OS “images”. The data includes the version of the Windows System Kit and the state of the event and is used to help investigate “image” creation failures.
+
+The following fields are available:
+
+- **Phase** The image creation phase. Values are “Start” or “End”.
+- **WskVersion** The version of the Windows System Kit being used.
+
+
+### Microsoft.Windows.Kits.WSK.WskImageCustomization
+
+This event sends simple Product and Service usage data when a user is using the Windows System Kit to create/modify configuration files allowing the customization of a new OS image with Apps or Drivers. The data includes the version of the Windows System Kit, the state of the event, the customization type (drivers or apps) and the mode (new or updating) and is used to help investigate configuration file creation failures.
+
+The following fields are available:
+
+- **Mode** The mode of update to image configuration files. Values are “New” or “Update”.
+- **Phase** The image creation phase. Values are “Start” or “End”.
+- **Type** The type of update to image configuration files. Values are “Apps” or “Drivers”.
+- **WskVersion** The version of the Windows System Kit being used.
+
+
+### Microsoft.Windows.Kits.WSK.WskWorkspaceCreate
+
+This event sends simple Product and Service usage data when a user is using the Windows System Kit to create new workspace for generating OS “images”. The data includes the version of the Windows System Kit and the state of the event and is used to help investigate workspace creation failures.
+
+The following fields are available:
+
+- **Architecture** The OS architecture that the workspace will target. Values are one of: “AMD64”, “ARM64”, “x86”, or “ARM”.
+- **OsEdition** The Operating System Edition that the workspace will target.
+- **Phase** The image creation phase. Values are “Start” or “End”.
+- **WskVersion** The version of the Windows System Kit being used.
+
+
+### Microsoft.Windows.Mitigation.AccountTraceLoggingProvider.General
+
+This event provides information about application properties to indicate the successful execution.
+
+The following fields are available:
+
+- **AppMode** Indicates the mode the app is being currently run around privileges.
+- **ExitCode** Indicates the exit code of the app.
+- **Help** Indicates if the app needs to be launched in the help mode.
+- **ParseError** Indicates if there was a parse error during the execution.
+- **RightsAcquired** Indicates if the right privileges were acquired for successful execution.
+- **RightsWereEnabled** Indicates if the right privileges were enabled for successful execution.
+- **TestMode** Indicates whether the app is being run in test mode.
+
+
+### Microsoft.Windows.Mitigation.AccountTraceLoggingProvider.GetCount
+
+This event provides information about the properties of user accounts in the Administrator group.
+
+The following fields are available:
+
+- **Internal** Indicates the internal property associated with the count group.
+- **LastError** The error code (if applicable) for the cause of the failure to get the count of the user account.
+
+
+### Microsoft.Xbox.XamTelemetry.AppActivationError
+
+This event indicates whether the system detected an activation error in the app.
+
+The following fields are available:
+
+- **ActivationUri** Activation URI (Uniform Resource Identifier) used in the attempt to activate the app.
+- **AppId** The Xbox LIVE Title ID.
+- **AppUserModelId** The AUMID (Application User Model ID) of the app to activate.
+- **Result** The HResult error.
+- **UserId** The Xbox LIVE User ID (XUID).
+
+
+### Microsoft.Xbox.XamTelemetry.AppActivity
+
+This event is triggered whenever the current app state is changed by: launch, switch, terminate, snap, etc.
+
+The following fields are available:
+
+- **AppActionId** The ID of the application action.
+- **AppCurrentVisibilityState** The ID of the current application visibility state.
+- **AppId** The Xbox LIVE Title ID of the app.
+- **AppPackageFullName** The full name of the application package.
+- **AppPreviousVisibilityState** The ID of the previous application visibility state.
+- **AppSessionId** The application session ID.
+- **AppType** The type ID of the application (AppType_NotKnown, AppType_Era, AppType_Sra, AppType_Uwa).
+- **BCACode** The BCA (Burst Cutting Area) mark code of the optical disc used to launch the application.
+- **DurationMs** The amount of time (in milliseconds) since the last application state transition.
+- **IsTrialLicense** This boolean value is TRUE if the application is on a trial license.
+- **LicenseType** The type of licensed used to authorize the app (0 - Unknown, 1 - User, 2 - Subscription, 3 - Offline, 4 - Disc).
+- **LicenseXuid** If the license type is 1 (User), this field contains the XUID (Xbox User ID) of the registered owner of the license.
+- **ProductGuid** The Xbox product GUID (Globally-Unique ID) of the application.
+- **UserId** The XUID (Xbox User ID) of the current user.
+
+
## Privacy consent logging events
### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted
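Review bot: In WebConnectionStatus the field winInetError is described as "The HResult of the operation", which looks copied from the hr fields above it and does not match the event text ("the error code that was returned when verifying Internet connectivity"). Suggest describing it as the error code it is named for. In OverlayIconStatus the fields 32bit and 64bit are described as the icon status "on a 32-bit operating system" and "on a 64-bit operating system"; if both fields are sent by one device, clarify what each refers to. Wording fixes: AppActivity LicenseType says "type of licensed", AccountTraceLoggingProvider.General AppMode says "the mode the app is being currently run around privileges", and GetCount Internal ("the internal property associated with the count group") does not tell the reader what is collected about Administrator group accounts. The WSK events use curly quotes where the rest of the file uses straight ones.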
@@ -3936,6 +4264,43 @@ The following fields are available:
- **userRegionCode** The current user's region setting
+## Setup events
+
+### SetupPlatformTel.SetupPlatformTelActivityEvent
+
+This event sends basic metadata about the SetupPlatform update installation process, to help keep Windows up to date.
+
+The following fields are available:
+
+- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc.
+- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc.
+- **Value** Value associated with the corresponding event name. For example, time-related events will include the system time
+
+
+### SetupPlatformTel.SetupPlatformTelActivityStarted
+
+This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date.
+
+The following fields are available:
+
+- **Name** The name of the dynamic update type. Example: GDR driver
+
+
+### SetupPlatformTel.SetupPlatformTelActivityStopped
+
+This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date.
+
+
+
+### SetupPlatformTel.SetupPlatfOrmTelEvent
+
+This service retrieves events generated by SetupPlatform, the engine that drives the various deployment scenarios.
+
+The following fields are available:
+
+- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc.
+
+
## Software update events
### SoftwareUpdateClientTelemetry.CheckForUpdates
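Review bot: The last heading is spelled "SetupPlatfOrmTelEvent" with a capital O in the middle, unlike the three SetupPlatformTel events above it; please confirm this is the real event name and not a typo, since the heading is also the anchor. Its description says "This service retrieves events", but the entry documents an event, not a service. SetupPlatformTelActivityStopped has no field list and its text is identical to SetupPlatformTelActivityStarted; say what distinguishes the two. Minor: "InstallEndtime" in the FieldName examples is cased differently from "InstallStartTime", and the Value description has no terminal period.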
@@ -4010,7 +4375,7 @@ The following fields are available:
- **ScanDurationInSeconds** The number of seconds a scan took
- **ScanEnqueueTime** The number of seconds it took to initialize a scan
- **ScanProps** This is a 32-bit integer containing Boolean properties for a given Windows Update scan. The following bits are used; all remaining bits are reserved and set to zero. Bit 0 (0x1): IsInteractive - is set to 1 if the scan is requested by a user, or 0 if the scan is requested by Automatic Updates. Bit 1 (0x2): IsSeeker - is set to 1 if the Windows Update client's Seeker functionality is enabled. Seeker functionality is enabled on certain interactive scans, and results in the scans returning certain updates that are in the initial stages of release (not yet released for full adoption via Automatic Updates).
-- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.).
+- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Windows Store, etc.).
- **ServiceUrl** The environment URL a device is configured to scan with
- **ShippingMobileOperator** The mobile operator that a device shipped on.
- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult).
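Review bot: The **ServiceGuid** line replaces "Microsoft Store" with "Windows Store", which goes back to the older name of the store. If that is not intended for the Windows version this topic covers, keep "Microsoft Store"; if it is intended, say so in the change description, because otherwise it reads as text merged from a stale branch.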
@@ -4092,7 +4457,7 @@ The following fields are available:
- **RepeatFailCount** Indicates whether this specific piece of content has previously failed.
- **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download.
- **RevisionNumber** Identifies the revision number of this specific piece of content.
-- **ServiceGuid** An ID that represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.).
+- **ServiceGuid** An ID that represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.).
- **Setup360Phase** If the download is for an operating system upgrade, this datapoint indicates which phase of the upgrade is underway.
- **ShippingMobileOperator** The mobile operator that a device shipped on.
- **SizeCalcTime** Time taken (in seconds) to calculate the total download size of the payload.
@@ -4169,7 +4534,7 @@ The following fields are available:
- **RepeatFailCount** Indicates whether this specific piece of content has previously failed.
- **RepeatFailFlag** Indicates whether this specific piece of content previously failed to install.
- **RevisionNumber** The revision number of this specific piece of content.
-- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.).
+- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.).
- **Setup360Phase** If the install is for an operating system upgrade, indicates which phase of the upgrade is underway.
- **ShippingMobileOperator** The mobile operator that a device shipped on.
- **StatusCode** Indicates the result of an installation event (success, cancellation, failure code HResult).
@@ -4219,7 +4584,7 @@ The following fields are available:
- **RelatedCV** The previous correlation vector that was used by the client before swapping with a new one.
- **RepeatFailCount** Indicates whether this specific piece of content has previously failed.
- **RevisionNumber** Identifies the revision number of this specific piece of content.
-- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc.).
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver.
- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device.
@@ -4240,7 +4605,7 @@ The following fields are available:
- **CmdLineArgs** Command line arguments passed in by the caller.
- **EventInstanceID** A globally unique identifier for the event instance.
- **EventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.).
-- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc.).
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
- **WUDeviceID** Unique device ID controlled by the software distribution client.
@@ -4279,7 +4644,7 @@ The following fields are available:
- **RelatedCV** The previous correlation vector that was used by the client before swapping with a new one.
- **RepeatFailCount** Indicates whether this specific piece of content previously failed.
- **RevisionNumber** Identifies the revision number of this specific piece of content.
-- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc.).
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver.
- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device.
@@ -4300,7 +4665,7 @@ The following fields are available:
- **IntentPFNs** Intended application-set metadata for atomic update scenarios.
- **NumberOfApplicableUpdates** The number of updates ultimately deemed applicable to the system after the detection process is complete.
- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one.
-- **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Microsoft Store, etc.).
+- **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Windows Store, etc.).
- **WUDeviceID** The unique device ID controlled by the software distribution client.
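Review bot: This **ServiceGuid** line says "An ID that represents which service the software distribution client is connecting to", while the same field one hunk earlier reads "Identifier for the service to which the software distribution client is connecting". Since the line is being edited anyway, use one wording for ServiceGuid across the events so readers do not assume the fields differ.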
@@ -4334,6 +4699,296 @@ The following fields are available:
- **LinkSpeed** The adapter link speed.
+## Update events
+
+### Update360Telemetry.Revert
+
+This event sends data relating to the Revert phase of updating Windows.
+
+The following fields are available:
+
+- **ErrorCode** The error code returned for the Revert phase.
+- **FlightId** Unique ID for the flight (test instance version).
+- **ObjectId** The unique value for each Update Agent mode.
+- **RebootRequired** Indicates reboot is required.
+- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan.
+- **Result** The HResult of the event.
+- **RevertResult** The result code returned for the Revert operation.
+- **ScenarioId** The ID of the update scenario.
+- **SessionId** The ID of the update attempt.
+- **UpdateId** The ID of the update.
+
+
+### Update360Telemetry.UpdateAgentCommit
+
+This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop.
+
+The following fields are available:
+
+- **ErrorCode** The error code returned for the current install phase.
+- **FlightId** Unique ID for each flight.
+- **ObjectId** Unique value for each Update Agent mode.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **Result** Outcome of the install phase of the update.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each update attempt.
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgentDownloadRequest
+
+This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to PC and Mobile.
+
+The following fields are available:
+
+- **DeletedCorruptFiles** Boolean indicating whether corrupt payload was deleted.
+- **DownloadRequests** Number of times a download was retried.
+- **ErrorCode** The error code returned for the current download request phase.
+- **ExtensionName** Indicates whether the payload is related to Operating System content or a plugin.
+- **FlightId** Unique ID for each flight.
+- **InternalFailureResult** Indicates a non-fatal error from a plugin.
+- **ObjectId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360).
+- **PackageCategoriesSkipped** Indicates package categories that were skipped, if applicable.
+- **PackageCountOptional** Number of optional packages requested.
+- **PackageCountRequired** Number of required packages requested.
+- **PackageCountTotal** Total number of packages needed.
+- **PackageCountTotalCanonical** Total number of canonical packages.
+- **PackageCountTotalDiff** Total number of diff packages.
+- **PackageCountTotalExpress** Total number of express packages.
+- **PackageExpressType** Type of express package.
+- **PackageSizeCanonical** Size of canonical packages in bytes.
+- **PackageSizeDiff** Size of diff packages in bytes.
+- **PackageSizeExpress** Size of express packages in bytes.
+- **RangeRequestState** Indicates the range request type used.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **Result** Outcome of the download request phase of update.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each attempt (same value for initialize, download, install commit phases).
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgentExpand
+
+This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop.
+
+The following fields are available:
+
+- **ElapsedTickCount** Time taken for expand phase.
+- **EndFreeSpace** Free space after expand phase.
+- **EndSandboxSize** Sandbox size after expand phase.
+- **ErrorCode** The error code returned for the current install phase.
+- **FlightId** Unique ID for each flight.
+- **ObjectId** Unique value for each Update Agent mode.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each update attempt.
+- **StartFreeSpace** Free space before expand phase.
+- **StartSandboxSize** Sandbox size after expand phase.
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgentFellBackToCanonical
+
+This event collects information when express could not be used and we fall back to canonical during the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop.
+
+The following fields are available:
+
+- **FlightId** Unique ID for each flight.
+- **ObjectId** Unique value for each Update Agent mode.
+- **PackageCount** Number of packages that feel back to canonical.
+- **PackageList** PackageIds which fell back to canonical.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each update attempt.
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgentInitialize
+
+This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario, which is applicable to both PCs and Mobile.
+
+The following fields are available:
+
+- **ErrorCode** The error code returned for the current install phase.
+- **FlightId** Unique ID for each flight.
+- **FlightMetadata** Contains the FlightId and the build being flighted.
+- **ObjectId** Unique value for each Update Agent mode.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **Result** Outcome of the install phase of the update.
+- **ScenarioId** Indicates the update scenario.
+- **SessionData** String containing instructions to update agent for processing FODs and DUICs (Null for other scenarios).
+- **SessionId** Unique value for each update attempt.
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgentInstall
+
+This event sends data for the install phase of updating Windows.
+
+The following fields are available:
+
+- **ErrorCode** The error code returned for the current install phase.
+- **ExtensionName** Indicates whether the payload is related to Operating System content or a plugin.
+- **FlightId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360).
+- **InternalFailureResult** Indicates a non-fatal error from a plugin.
+- **ObjectId** Correlation vector value generated from the latest USO scan.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **Result** The result for the current install phase.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each update attempt.
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgentMerge
+
+The UpdateAgentMerge event sends data on the merge phase when updating Windows.
+
+The following fields are available:
+
+- **ErrorCode** The error code returned for the current merge phase.
+- **FlightId** Unique ID for each flight.
+- **MergeId** The unique ID to join two update sessions being merged.
+- **ObjectId** Unique value for each Update Agent mode.
+- **RelatedCV** Related correlation vector value.
+- **Result** Outcome of the merge phase of the update.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each attempt.
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgentMitigationResult
+
+This event sends data indicating the result of each update agent mitigation.
+
+The following fields are available:
+
+- **Applicable** Indicates whether the mitigation is applicable for the current update.
+- **CommandCount** The number of command operations in the mitigation entry.
+- **CustomCount** The number of custom operations in the mitigation entry.
+- **FileCount** The number of file operations in the mitigation entry.
+- **FlightId** Unique identifier for each flight.
+- **Index** The mitigation index of this particular mitigation.
+- **MitigationScenario** The update scenario in which the mitigation was executed.
+- **Name** The friendly name of the mitigation.
+- **ObjectId** Unique value for each Update Agent mode.
+- **OperationIndex** The mitigation operation index (in the event of a failure).
+- **OperationName** The friendly name of the mitigation operation (in the event of failure).
+- **RegistryCount** The number of registry operations in the mitigation entry.
+- **RelatedCV** The correlation vector value generated from the latest USO scan.
+- **Result** The HResult of this operation.
+- **ScenarioId** The update agent scenario ID.
+- **SessionId** Unique value for each update attempt.
+- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments).
+- **UpdateId** Unique ID for each Update.
+
+
+### Update360Telemetry.UpdateAgentMitigationSummary
+
+This event sends a summary of all the update agent mitigations available for an this update.
+
+The following fields are available:
+
+- **Applicable** The count of mitigations that were applicable to the system and scenario.
+- **Failed** The count of mitigations that failed.
+- **FlightId** Unique identifier for each flight.
+- **MitigationScenario** The update scenario in which the mitigations were attempted.
+- **ObjectId** The unique value for each Update Agent mode.
+- **RelatedCV** The correlation vector value generated from the latest USO scan.
+- **Result** The HResult of this operation.
+- **ScenarioId** The update agent scenario ID.
+- **SessionId** Unique value for each update attempt.
+- **TimeDiff** The amount of time spent performing all mitigations (in 100-nanosecond increments).
+- **Total** Total number of mitigations that were available.
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgentModeStart
+
+This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to both PCs and Mobile.
+
+The following fields are available:
+
+- **FlightId** Unique ID for each flight.
+- **Mode** Indicates the mode that has started.
+- **ObjectId** Unique value for each Update Agent mode.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each update attempt.
+- **UpdateId** Unique ID for each update.
+- **Version** Version of update
+
+
+### Update360Telemetry.UpdateAgentOneSettings
+
+This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop.
+
+The following fields are available:
+
+- **Count** The count of applicable OneSettings for the device.
+- **FlightId** Unique ID for the flight (test instance version).
+- **ObjectId** The unique value for each Update Agent mode.
+- **Parameters** The set of name value pair parameters sent to OneSettings to determine if there are any applicable OneSettings.
+- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan.
+- **Result** The HResult of the event.
+- **ScenarioId** The ID of the update scenario.
+- **SessionId** The ID of the update attempt.
+- **UpdateId** The ID of the update.
+- **Values** The values sent back to the device, if applicable.
+
+
+### Update360Telemetry.UpdateAgentPostRebootResult
+
+This event collects information for both Mobile and Desktop regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario.
+
+The following fields are available:
+
+- **ErrorCode** The error code returned for the current post reboot phase.
+- **FlightId** The specific ID of the Windows Insider build the device is getting.
+- **ObjectId** Unique value for each Update Agent mode.
+- **PostRebootResult** Indicates the Hresult.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate.
+- **SessionId** Unique value for each update attempt.
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgentReboot
+
+This event sends information indicating that a request has been sent to suspend an update.
+
+The following fields are available:
+
+- **ErrorCode** The error code returned for the current reboot.
+- **FlightId** Unique ID for the flight (test instance version).
+- **ObjectId** The unique value for each Update Agent mode.
+- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan.
+- **Result** The HResult of the event.
+- **ScenarioId** The ID of the update scenario.
+- **SessionId** The ID of the update attempt.
+- **UpdateId** The ID of the update.
+
+
+### Update360Telemetry.UpdateAgentSetupBoxLaunch
+
+The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs.
+
+The following fields are available:
+
+- **ContainsExpressPackage** Indicates whether the download package is express.
+- **FlightId** Unique ID for each flight.
+- **FreeSpace** Free space on OS partition.
+- **InstallCount** Number of install attempts using the same sandbox.
+- **ObjectId** Unique value for each Update Agent mode.
+- **Quiet** Indicates whether setup is running in quiet mode.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **SandboxSize** Size of the sandbox.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each update attempt.
+- **SetupMode** Mode of setup to be launched.
+- **UpdateId** Unique ID for each Update.
+- **UserSession** Indicates whether install was invoked by user actions.
+
+
## Upgrade events
### FacilitatorTelemetry.DCATDownload
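Review bot: In Update360Telemetry.UpdateAgentInstall the descriptions look shifted by one field: **FlightId** carries the text used elsewhere for ObjectId ("Unique value for each Update Agent mode (same concept as InstanceId for Setup360)") and **ObjectId** carries the RelatedCV text ("Correlation vector value generated from the latest USO scan"), which then appears again on **RelatedCV**. Use "Unique ID for each flight." for FlightId and "Unique value for each Update Agent mode." for ObjectId, as the neighbouring events do. In UpdateAgentExpand, **StartSandboxSize** says "Sandbox size after expand phase", the same as EndSandboxSize; it should say "before", matching StartFreeSpace. The UpdateAgentReboot summary ("a request has been sent to suspend an update") does not describe a reboot, and the UpdateAgentOneSettings summary is the post reboot text also used for UpdateAgentPostRebootResult; both look like copy-paste leftovers. Typos: "feel back to canonical" (PackageCount), "for an this update" (UpdateAgentMitigationSummary), and `UpdateAgent_SetupBoxLaunch` in the body versus `UpdateAgentSetupBoxLaunch` in the heading.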
@@ -4364,6 +5019,197 @@ The following fields are available:
- **Version** Version of Facilitator.
+### Setup360Telemetry.Downlevel
+
+This event sends data indicating that the device has started the downlevel phase of the upgrade, to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **ClientId** If using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but it can be overwritten by the caller to a unique value.
+- **FlightData** Unique value that identifies the flight.
+- **HostOSBuildNumber** The build number of the downlevel OS.
+- **HostOsSkuName** The operating system edition which is running Setup360 instance (downlevel OS).
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe.
+- **ReportId** In the Windows Update scenario, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
+- **Setup360Extended** More detailed information about phase/action when the potential failure occurred.
+- **Setup360Mode** The phase of Setup360 (for example, Predownload, Install, Finalize, Rollback).
+- **Setup360Result** The result of Setup360 (HRESULT used to diagnose errors).
+- **Setup360Scenario** The Setup360 flow type (for example, Boot, Media, Update, MCT).
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS).
+- **State** Exit state of given Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **TestId** An ID that uniquely identifies a group of events.
+- **WuId** This is the Windows Update Client ID. In the Windows Update scenario, this is the same as the clientId.
+
+
+### Setup360Telemetry.Finalize
+
+This event sends data indicating that the device has started the phase of finalizing the upgrade, to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **FlightData** Unique value that identifies the flight.
+- **HostOSBuildNumber** The build number of the previous OS.
+- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS).
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe
+- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
+- **Setup360Extended** More detailed information about the phase/action when the potential failure occurred.
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **TestId** ID that uniquely identifies a group of events.
+- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
+
+
+### Setup360Telemetry.OsUninstall
+
+This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, it indicates the outcome of an OS uninstall.
+
+The following fields are available:
+
+- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **FlightData** Unique value that identifies the flight.
+- **HostOSBuildNumber** The build number of the previous OS.
+- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS).
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe.
+- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim.
+- **Setup360Extended** Detailed information about the phase or action when the potential failure occurred.
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
+- **TestId** ID that uniquely identifies a group of events.
+- **WuId** Windows Update client ID.
+
+
+### Setup360Telemetry.PostRebootInstall
+
+This event sends data indicating that the device has invoked the post reboot install phase of the upgrade, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **ClientId** With Windows Update, this is the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but can be overwritten by the caller to a unique value.
+- **FlightData** Unique value that identifies the flight.
+- **HostOSBuildNumber** The build number of the previous OS.
+- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS).
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe.
+- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
+- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that's used to diagnose errors.
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
+- **TestId** A string to uniquely identify a group of events.
+- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as ClientId.
+
+
+### Setup360Telemetry.PreDownloadQuiet
+
+This event sends data indicating that the device has invoked the predownload quiet phase of the upgrade, to help keep Windows up to date.
+
+The following fields are available:
+
+- **ClientId** Using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **FlightData** Unique value that identifies the flight.
+- **HostOSBuildNumber** The build number of the previous OS.
+- **HostOsSkuName** The OS edition which is running Setup360 instance (previous operating system).
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe.
+- **ReportId** Using Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
+- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred.
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled.
+- **TestId** ID that uniquely identifies a group of events.
+- **WuId** This is the Windows Update Client ID. Using Windows Update, this is the same as the clientId.
+
+
+### Setup360Telemetry.PreDownloadUX
+
+This event sends data regarding OS Updates and Upgrades from Windows 7.X, Windows 8.X, Windows 10 and RS, to help keep Windows up-to-date and secure. Specifically, it indicates the outcome of the PredownloadUX portion of the update process.
+
+The following fields are available:
+
+- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **FlightData** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **HostOSBuildNumber** The build number of the previous operating system.
+- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous operating system).
+- **InstanceId** Unique GUID that identifies each instance of setuphost.exe.
+- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim.
+- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred.
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS).
+- **State** The exit state of the Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **TestId** ID that uniquely identifies a group of events.
+- **WuId** Windows Update client ID.
+
+
+### Setup360Telemetry.PreInstallQuiet
+
+This event sends data indicating that the device has invoked the preinstall quiet phase of the upgrade, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **FlightData** Unique value that identifies the flight.
+- **HostOSBuildNumber** The build number of the previous OS.
+- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS).
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe
+- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
+- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred.
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
+- **Setup360Scenario** Setup360 flow type (Boot, Media, Update, MCT).
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **TestId** A string to uniquely identify a group of events.
+- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
+
+
+### Setup360Telemetry.PreInstallUX
+
+This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10, to help keep Windows up-to-date. Specifically, it indicates the outcome of the PreinstallUX portion of the update process.
+
+The following fields are available:
+
+- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **FlightData** Unique value that identifies the flight.
+- **HostOSBuildNumber** The build number of the previous OS.
+- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS).
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe.
+- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim.
+- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred.
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
+- **Setup360Scenario** The Setup360 flow type, Example: Boot, Media, Update, MCT.
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **TestId** A string to uniquely identify a group of events.
+- **WuId** Windows Update client ID.
+
+
+### Setup360Telemetry.Setup360
+
+This event sends data about OS deployment scenarios, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **ClientId** Retrieves the upgrade ID. In the Windows Update scenario, this will be the Windows Update client ID. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **FieldName** Retrieves the data point.
+- **FlightData** Specifies a unique identifier for each group of Windows Insider builds.
+- **InstanceId** Retrieves a unique identifier for each instance of a setup session.
+- **ReportId** Retrieves the report ID.
+- **ScenarioId** Retrieves the deployment scenario.
+- **Value** Retrieves the value associated with the corresponding FieldName.
+
+
### Setup360Telemetry.Setup360DynamicUpdate
This event helps determine whether the device received supplemental content during an operating system upgrade, to help keep Windows up-to-date.
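Review bot: In Setup360Telemetry.PreInstallUX the ReportId bullet repeats the ClientId text ("this will be the Windows Update client ID that is passed to Setup"), while the preinstall quiet phase event at the top of this hunk describes the same field as "the updateID that is passed to Setup". One of the two is wrong; the PreInstallUX wording looks like a copy-paste of the ClientId line and should be aligned with the updateID wording. The first InstanceId bullet in the hunk is also missing its closing period after setuphost.exe.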
@@ -4381,6 +5227,89 @@ The following fields are available:
- **TargetBuild** Build of the target OS.
+### Setup360Telemetry.Setup360MitigationResult
+
+This event sends data indicating the result of each setup mitigation.
+
+The following fields are available:
+
+- **Applicable** TRUE if the mitigation is applicable for the current update.
+- **ClientId** In the Windows Update scenario, this is the client ID passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **CommandCount** The number of command operations in the mitigation entry.
+- **CustomCount** The number of custom operations in the mitigation entry.
+- **FileCount** The number of file operations in the mitigation entry.
+- **FlightData** The unique identifier for each flight (test release).
+- **Index** The mitigation index of this particular mitigation.
+- **InstanceId** The GUID (Globally Unique ID) that identifies each instance of SetupHost.EXE.
+- **MitigationScenario** The update scenario in which the mitigation was executed.
+- **Name** The friendly (descriptive) name of the mitigation.
+- **OperationIndex** The mitigation operation index (in the event of a failure).
+- **OperationName** The friendly (descriptive) name of the mitigation operation (in the event of failure).
+- **RegistryCount** The number of registry operations in the mitigation entry.
+- **ReportId** In the Windows Update scenario, the Update ID that is passed to Setup. In media setup, this is the GUID for the INSTALL.WIM.
+- **Result** HResult of this operation.
+- **ScenarioId** Setup360 flow type.
+- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments).
+
+
+### Setup360Telemetry.Setup360MitigationSummary
+
+This event sends a summary of all the setup mitigations available for this update.
+
+The following fields are available:
+
+- **Applicable** The count of mitigations that were applicable to the system and scenario.
+- **ClientId** The Windows Update client ID passed to Setup.
+- **Failed** The count of mitigations that failed.
+- **FlightData** The unique identifier for each flight (test release).
+- **InstanceId** The GUID (Globally Unique ID) that identifies each instance of SetupHost.EXE.
+- **MitigationScenario** The update scenario in which the mitigations were attempted.
+- **ReportId** In the Windows Update scenario, the Update ID that is passed to Setup. In media setup, this is the GUID for the INSTALL.WIM.
+- **Result** HResult of this operation.
+- **ScenarioId** Setup360 flow type.
+- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments).
+- **Total** The total number of mitigations that were available.
+
+
+### Setup360Telemetry.Setup360OneSettings
+
+This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop.
+
+The following fields are available:
+
+- **ClientId** The Windows Update client ID passed to Setup.
+- **Count** The count of applicable OneSettings for the device.
+- **FlightData** The ID for the flight (test instance version).
+- **InstanceId** The GUID (Globally-Unique ID) that identifies each instance of setuphost.exe.
+- **Parameters** The set of name value pair parameters sent to OneSettings to determine if there are any applicable OneSettings.
+- **ReportId** The Update ID passed to Setup.
+- **Result** The HResult of the event error.
+- **ScenarioId** The update scenario ID.
+- **Values** Values sent back to the device, if applicable.
+
+
+### Setup360Telemetry.UnexpectedEvent
+
+This event sends data indicating that the device has invoked the unexpected event phase of the upgrade, to help keep Windows up to date.
+
+The following fields are available:
+
+- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **FlightData** Unique value that identifies the flight.
+- **HostOSBuildNumber** The build number of the previous OS.
+- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS).
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe
+- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
+- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred.
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **TestId** A string to uniquely identify a group of events.
+- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
+
+
## Windows as a Service diagnostic events
### Microsoft.Windows.WaaSMedic.SummaryEvent
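Review bot: The summary for Setup360Telemetry.Setup360OneSettings describes "the post reboot phase of the new UUP (Unified Update Platform) update scenario", but every field specific to the event (Count, Parameters, Values) is about a OneSettings lookup, so the summary reads as if it was carried over from a different event. Suggest a summary that says what is requested from OneSettings and why, and have Parameters and Values state which name/value pairs can appear, since as written both fields are open-ended. The semicolon before "which is leveraged" should be a comma.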
@@ -4407,6 +5336,50 @@ The following fields are available:
- **waasMedicRunMode** Indicates whether this was a background regular run of the medic or whether it was triggered by a user launching Windows Update Troubleshooter.
+## Windows Error Reporting events
+
+### Microsoft.Windows.WERVertical.OSCrash
+
+This event sends binary data from the collected dump file wheneveer a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event.
+
+The following fields are available:
+
+- **BootId** Uint32 identifying the boot number for this device.
+- **BugCheckCode** Uint64 "bugcheck code" that identifies a proximate cause of the bug check.
+- **BugCheckParameter1** Uint64 parameter providing additional information.
+- **BugCheckParameter2** Uint64 parameter providing additional information.
+- **BugCheckParameter3** Uint64 parameter providing additional information.
+- **BugCheckParameter4** Uint64 parameter providing additional information.
+- **DumpFileAttributes** Codes that identify the type of data contained in the dump file
+- **DumpFileSize** Size of the dump file
+- **IsValidDumpFile** True if the dump file is valid for the debugger, false otherwise
+- **ReportId** WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson).
+
+
+## Windows Update Delivery Optimization events
+
+### Microsoft.OSG.DU.DeliveryOptClient.FailureCdnCommunication
+
+This event represents a failure to download from a CDN with Delivery Optimization. It's used to understand and address problems regarding downloads.
+
+The following fields are available:
+
+- **cdnHeaders** The HTTP headers returned by the CDN.
+- **cdnIp** The IP address of the CDN.
+- **cdnUrl** The URL of the CDN.
+- **errorCode** The error code that was returned.
+- **errorCount** The total number of times this error code was seen since the last FailureCdnCommunication event was encountered.
+- **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
+- **fileID** The ID of the file being downloaded.
+- **httpStatusCode** The HTTP status code returned by the CDN.
+- **isHeadRequest** The type of HTTP request that was sent to the CDN. Example: HEAD or GET
+- **peerType** The type of peer (LAN, Group, Internet, CDN, Cache Host, etc.).
+- **requestOffset** The byte offset within the file in the sent request.
+- **requestSize** The size of the range requested from the CDN.
+- **responseSize** The size of the range response received from the CDN.
+- **sessionID** The ID of the download session.
+
+
## Windows Update events
### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentAnalysisSummary
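Review bot: The Microsoft.Windows.WERVertical.OSCrash summary says the event "sends binary data from the collected dump file", but none of the listed fields carries dump content; only metadata appears (DumpFileAttributes, DumpFileSize, IsValidDumpFile, ReportId). Since a dump can hold memory contents, the text should say explicitly whether dump bytes are included in this event or only the metadata and bug check codes are. The same summary has two typos: "wheneveer" and "The is the OneCore version". In FailureCdnCommunication, isHeadRequest is named like a boolean but described as "The type of HTTP request ... Example: HEAD or GET"; state which it is.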
@@ -4525,6 +5498,32 @@ The following fields are available:
- **updateId** Unique identifier for each update.
+### Microsoft.Windows.Update.NotificationUx.DialogNotificationToBeDisplayed
+
+This event indicates that a notification dialog box is about to be displayed to user.
+
+The following fields are available:
+
+- **AcceptAutoModeLimit** The maximum number of days for a device to automatically enter Auto Reboot mode.
+- **AutoToAutoFailedLimit** The maximum number of days for Auto Reboot mode to fail before the RebootFailed dialog box is shown.
+- **DaysSinceRebootRequired** Number of days since restart was required.
+- **DeviceLocalTime** The local time on the device sending the event.
+- **EngagedModeLimit** The number of days to switch between DTE dialog boxes.
+- **EnterAutoModeLimit** The maximum number of days for a device to enter Auto Reboot mode.
+- **ETag** OneSettings versioning value.
+- **IsForcedEnabled** Indicates whether Forced Reboot mode is enabled for this device.
+- **IsUltimateForcedEnabled** Indicates whether Ultimate Forced Reboot mode is enabled for this device.
+- **NotificationUxState** Indicates which dialog box is shown.
+- **NotificationUxStateString** Indicates which dialog box is shown.
+- **RebootUxState** Indicates the state of the restart (Engaged, Auto, Forced, or UltimateForced).
+- **RebootUxStateString** Indicates the state of the restart (Engaged, Auto, Forced, or UltimateForced).
+- **RebootVersion** Version of DTE.
+- **SkipToAutoModeLimit** The minimum length of time to pass in restart pending before a device can be put into auto mode.
+- **UpdateId** The ID of the update that is pending restart to finish installation.
+- **UpdateRevision** The revision of the update that is pending restart to finish installation.
+- **UtcTime** The time the dialog box notification will be displayed, in Coordinated Universal Time.
+
+
### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootFirstReminderDialog
This event indicates that the Enhanced Engaged restart "first reminder" dialog box was displayed..
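Review bot: In DialogNotificationToBeDisplayed the paired fields have identical descriptions: NotificationUxState and NotificationUxStateString both read "Indicates which dialog box is shown", and RebootUxState and RebootUxStateString both read "Indicates the state of the restart (Engaged, Auto, Forced, or UltimateForced)". Say which is the numeric value and which is its string form so a reader can tell them apart. "DTE" is used in EngagedModeLimit and RebootVersion without being expanded anywhere in this event, and the summary should read "displayed to the user".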
@@ -4541,6 +5540,65 @@ The following fields are available:
- **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time.
+### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootFailedDialog
+
+This event indicates that the Enhanced Engaged restart "restart failed" dialog box was displayed.
+
+The following fields are available:
+
+- **DeviceLocalTime** The local time of the device sending the event.
+- **ETag** OneSettings versioning value.
+- **ExitCode** Indicates how users exited the dialog box.
+- **RebootVersion** Version of DTE.
+- **UpdateId** The ID of the update that is pending restart to finish installation.
+- **UpdateRevision** The revision of the update that is pending restart to finish installation.
+- **UserResponseString** The option that the user chose in this dialog box.
+- **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time.
+
+
+### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootImminentDialog
+
+This event indicates that the Enhanced Engaged restart "restart imminent" dialog box was displayed.
+
+The following fields are available:
+
+- **DeviceLocalTime** Time the dialog box was shown on the local device.
+- **ETag** OneSettings versioning value.
+- **ExitCode** Indicates how users exited the dialog box.
+- **RebootVersion** Version of DTE.
+- **UpdateId** The ID of the update that is pending restart to finish installation.
+- **UpdateRevision** The revision of the update that is pending restart to finish installation.
+- **UserResponseString** The option that user chose in this dialog box.
+- **UtcTime** The time that dialog box was displayed, in Coordinated Universal Time.
+
+
+### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootReminderDialog
+
+This event returns information relating to the Enhanced Engaged reboot reminder dialog that was displayed.
+
+The following fields are available:
+
+- **DeviceLocalTime** The time at which the reboot reminder dialog was shown (based on the local device time settings).
+- **ETag** The OneSettings versioning value.
+- **ExitCode** Indicates how users exited the reboot reminder dialog box.
+- **RebootVersion** The version of the DTE (Direct-to-Engaged).
+- **UpdateId** The ID of the update that is waiting for reboot to finish installation.
+- **UpdateRevision** The revision of the update that is waiting for reboot to finish installation.
+- **UserResponseString** The option chosen by the user on the reboot dialog box.
+- **UtcTime** The time at which the reboot reminder dialog was shown (in UTC).
+
+
+### Microsoft.Windows.Update.Orchestrator.ActivityRestrictedByActiveHoursPolicy
+
+This event indicates a policy is present that may restrict update activity to outside of active hours.
+
+The following fields are available:
+
+- **activeHoursEnd** The end of the active hours window.
+- **activeHoursStart** The start of the active hours window.
+- **wuDeviceid** Unique device ID used by Windows Update.
+
+
### Microsoft.Windows.Update.Orchestrator.BlockedByBatteryLevel
This event indicates that Windows Update activity was blocked due to low battery level.
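Review bot: The three Enhanced Engaged dialog events added here document the same eight fields with different wording. RebootFailedDialog and RebootImminentDialog say "Version of DTE" and use "restart", while ReminderDialog says "The version of the DTE (Direct-to-Engaged)" and uses "reboot". Suggest one wording for all three, with DTE expanded on first use in each event. ExitCode ("Indicates how users exited the dialog box") would be more useful if it listed the possible values.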
@@ -4553,6 +5611,22 @@ The following fields are available:
- **wuDeviceid** Device ID.
+### Microsoft.Windows.Update.Orchestrator.DisplayNeeded
+
+This event indicates the reboot was postponed due to needing a display.
+
+The following fields are available:
+
+- **displayNeededReason** Reason the display is needed.
+- **eventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed.
+- **rebootOutsideOfActiveHours** Indicates whether the reboot was to occur outside of active hours.
+- **revisionNumber** Revision number of the update.
+- **updateId** Update ID.
+- **updateScenarioType** The update session type.
+- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated.
+- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue
+
+
### Microsoft.Windows.Update.Orchestrator.DTUCompletedWhenWuFlightPendingCommit
This event indicates that DTU completed installation of the electronic software delivery (ESD), when Windows Update was already in Pending Commit phase of the feature update.
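Review bot: In Microsoft.Windows.Update.Orchestrator.DisplayNeeded the eventScenario description ("whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed") describes a content scan, not a reboot that was postponed because a display is needed; it looks copied from a software distribution event. Suggest describing what the value means for this event, and listing the possible values of displayNeededReason. The wuDeviceid bullet is missing its closing period.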
@@ -4592,6 +5666,162 @@ The following fields are available:
- **wuDeviceid** The Windows Update device ID.
+### Microsoft.Windows.Update.Orchestrator.FlightInapplicable
+
+This event indicates that the update is no longer applicable to this device.
+
+The following fields are available:
+
+- **EventPublishedTime** Time when this event was generated.
+- **flightID** The specific ID of the Windows Insider build.
+- **revisionNumber** Update revision number.
+- **updateId** Unique Windows Update ID.
+- **updateScenarioType** Update session type.
+- **UpdateStatus** Last status of update.
+- **UUPFallBackConfigured** Indicates whether UUP fallback is configured.
+- **wuDeviceid** Unique Device ID.
+
+
+### Microsoft.Windows.Update.Orchestrator.InitiatingReboot
+
+This event sends data about an Orchestrator requesting a reboot from power management to help keep Windows up to date.
+
+The following fields are available:
+
+- **EventPublishedTime** Time of the event.
+- **flightID** Unique update ID
+- **interactive** Indicates whether the reboot initiation stage of the update process was entered as a result of user action.
+- **rebootOutsideOfActiveHours** Indicates whether the reboot was to occur outside of active hours.
+- **revisionNumber** Revision number of the update.
+- **updateId** Update ID.
+- **updateScenarioType** The update session type.
+- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated.
+- **wuDeviceid** Unique device ID used by Windows Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.Install
+
+This event sends launch data for a Windows Update install to help keep Windows up to date.
+
+The following fields are available:
+
+- **batteryLevel** Current battery capacity in mWh or percentage left.
+- **deferReason** Reason for install not completing.
+- **errorCode** The error code reppresented by a hexadecimal value.
+- **eventScenario** End-to-end update session ID.
+- **flightID** Unique update ID
+- **flightUpdate** Indicates whether the update is a Windows Insider build.
+- **ForcedRebootReminderSet** A boolean value that indicates if a forced reboot will happen for updates.
+- **IgnoreReasonsForRestart** The reason(s) a Postpone Restart command was ignored.
+- **installCommitfailedtime** The time it took for a reboot to happen but the upgrade failed to progress.
+- **installRebootinitiatetime** The time it took for a reboot to be attempted.
+- **interactive** Identifies if session is user initiated.
+- **minutesToCommit** The time it took to install updates.
+- **rebootOutsideOfActiveHours** Indicates whether a reboot is scheduled outside of active hours.
+- **revisionNumber** Update revision number.
+- **updateId** Update ID.
+- **updateScenarioType** The update session type.
+- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
+- **wuDeviceid** Unique device ID used by Windows Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.LowUptimes
+
+This event is sent if a device is identified as not having sufficient uptime to reliably process updates in order to keep secure.
+
+The following fields are available:
+
+- **availableHistoryMinutes** The number of minutes available from the local machine activity history.
+- **isLowUptimeMachine** Is the machine considered low uptime or not.
+- **lowUptimeMinHours** Current setting for the minimum number of hours needed to not be considered low uptime.
+- **lowUptimeQueryDays** Current setting for the number of recent days to check for uptime.
+- **uptimeMinutes** Number of minutes of uptime measured.
+- **wuDeviceid** Unique device ID for Windows Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.OneshotUpdateDetection
+
+This event returns data about scans initiated through settings UI, or background scans that are urgent; to help keep Windows up to date.
+
+The following fields are available:
+
+- **externalOneshotupdate** The last time a task-triggered scan was completed.
+- **interactiveOneshotupdate** The last time an interactive scan was completed.
+- **oldlastscanOneshotupdate** The last time a scan completed successfully.
+- **wuDeviceid** The Windows Update Device GUID (Globally-Unique ID).
+
+
+### Microsoft.Windows.Update.Orchestrator.PreShutdownStart
+
+This event is generated before the shutdown and commit operations.
+
+The following fields are available:
+
+- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
+
+
+### Microsoft.Windows.Update.Orchestrator.RebootFailed
+
+This event sends information about whether an update required a reboot and reasons for failure, to help keep Windows up to date.
+
+The following fields are available:
+
+- **batteryLevel** Current battery capacity in mWh or percentage left.
+- **deferReason** Reason for install not completing.
+- **EventPublishedTime** The time that the reboot failure occurred.
+- **flightID** Unique update ID.
+- **rebootOutsideOfActiveHours** Indicates whether a reboot was scheduled outside of active hours.
+- **RebootResults** Hex code indicating failure reason. Typically, we expect this to be a specific USO generated hex code.
+- **revisionNumber** Update revision number.
+- **updateId** Update ID.
+- **updateScenarioType** The update session type.
+- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
+- **wuDeviceid** Unique device ID used by Windows Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.RefreshSettings
+
+This event sends basic data about the version of upgrade settings applied to the system to help keep Windows up to date.
+
+The following fields are available:
+
+- **errorCode** Hex code for the error message, to allow lookup of the specific error.
+- **settingsDownloadTime** Timestamp of the last attempt to acquire settings.
+- **settingsETag** Version identifier for the settings.
+- **wuDeviceid** Unique device ID used by Windows Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.RestoreRebootTask
+
+This event sends data indicating that a reboot task is missing unexpectedly on a device and the task is restored because a reboot is still required, to help keep Windows up to date.
+
+The following fields are available:
+
+- **RebootTaskMissedTimeUTC** The time when the reboot task was scheduled to run, but did not.
+- **RebootTaskNextTimeUTC** The time when the reboot task was rescheduled for.
+- **RebootTaskRestoredTime** Time at which this reboot task was restored.
+- **wuDeviceid** Device ID for the device on which the reboot is restored.
+
+
+### Microsoft.Windows.Update.Orchestrator.ScanTriggered
+
+This event indicates that Update Orchestrator has started a scan operation.
+
+The following fields are available:
+
+- **errorCode** The error code returned for the current scan operation.
+- **eventScenario** Indicates the purpose of sending this event.
+- **interactive** Indicates whether the scan is interactive.
+- **isDTUEnabled** Indicates whether DTU (internal abbreviation for Direct Feature Update) channel is enabled on the client system.
+- **isScanPastSla** Indicates whether the SLA has elapsed for scanning.
+- **isScanPastTriggerSla** Indicates whether the SLA has elapsed for triggering a scan.
+- **minutesOverScanSla** Indicates how many minutes the scan exceeded the scan SLA.
+- **minutesOverScanTriggerSla** Indicates how many minutes the scan exceeded the scan trigger SLA.
+- **scanTriggerSource** Indicates what caused the scan.
+- **updateScenarioType** The update session type.
+- **wuDeviceid** Unique device ID used by Windows Update.
+
+
### Microsoft.Windows.Update.Orchestrator.StickUpdate
This event is sent when the update service orchestrator (USO) indicates the update cannot be superseded by a newer update.
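Review bot: The same field names are defined inconsistently within this hunk. flightID is "The specific ID of the Windows Insider build" in FlightInapplicable but "Unique update ID" in InitiatingReboot, Install and RebootFailed, which collides with updateId listed right beside it. eventScenario is "End-to-end update session ID" in Install but "Indicates the purpose of sending this event" in ScanTriggered. Pick one definition per field and apply it to every event. Also: "reppresented" in the Install errorCode bullet is a typo, batteryLevel ("in mWh or percentage left") should say how a reader tells the two units apart, and "in order to keep secure" in the LowUptimes summary is missing its object.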
@@ -4602,6 +5832,22 @@ The following fields are available:
- **wuDeviceid** Unique device ID controlled by the software distribution client.
+### Microsoft.Windows.Update.Orchestrator.SystemNeeded
+
+This event sends data about why a device is unable to reboot, to help keep Windows up to date.
+
+The following fields are available:
+
+- **eventScenario** End-to-end update session ID.
+- **rebootOutsideOfActiveHours** Indicates whether a reboot is scheduled outside of active hours.
+- **revisionNumber** Update revision number.
+- **systemNeededReason** List of apps or tasks that are preventing the system from restarting.
+- **updateId** Update ID.
+- **updateScenarioType** The update session type.
+- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
+- **wuDeviceid** Unique device ID used by Windows Update.
+
+
### Microsoft.Windows.Update.Orchestrator.TerminatedByActiveHours
This event indicates that update activity was stopped due to active hours starting.
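Review bot: systemNeededReason in Microsoft.Windows.Update.Orchestrator.SystemNeeded is described only as "List of apps or tasks that are preventing the system from restarting". Because this field reports what is running on the device, the description should say in what form the entries are sent (display names, executable names, full paths, or identifiers). eventScenario is again given as "End-to-end update session ID", which does not match a field named for a scenario; please confirm the definition.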
@@ -4636,6 +5882,111 @@ The following fields are available:
- **wuDeviceid** Unique device ID controlled by the software distribution client.
+### Microsoft.Windows.Update.Orchestrator.UpdatePolicyCacheRefresh
+
+This event sends data on whether Update Management Policies were enabled on a device, to help keep Windows up to date.
+
+The following fields are available:
+
+- **configuredPoliciescount** Number of policies on the device.
+- **policiesNamevaluesource** Policy name and source of policy (group policy, MDM or flight).
+- **policyCacherefreshtime** Time when policy cache was refreshed.
+- **updateInstalluxsetting** Indicates whether a user has set policies via a user experience option.
+- **wuDeviceid** Unique device ID used by Windows Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.UpdateRebootRequired
+
+This event sends data about whether an update required a reboot to help keep Windows up to date.
+
+The following fields are available:
+
+- **flightID** The specific ID of the Windows Insider build the device is getting.
+- **interactive** Indicates whether the reboot initiation stage of the update process was entered as a result of user action.
+- **revisionNumber** Update revision number.
+- **updateId** Update ID.
+- **updateScenarioType** The update session type.
+- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
+- **wuDeviceid** Unique device ID used by Windows Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.updateSettingsFlushFailed
+
+This event sends information about an update that encountered problems and was not able to complete.
+
+The following fields are available:
+
+- **errorCode** The error code encountered.
+- **wuDeviceid** The ID of the device in which the error occurred.
+
+
+### Microsoft.Windows.Update.Orchestrator.UsoSession
+
+This event represents the state of the USO service at start and completion.
+
+The following fields are available:
+
+- **activeSessionid** A unique session GUID.
+- **eventScenario** The state of the update action.
+- **interactive** Is the USO session interactive?
+- **lastErrorcode** The last error that was encountered.
+- **lastErrorstate** The state of the update when the last error was encountered.
+- **sessionType** A GUID that refers to the update session type.
+- **updateScenarioType** A descriptive update session type.
+- **wuDeviceid** The Windows Update device GUID.
+
+
+### Microsoft.Windows.Update.Ux.MusNotification.EnhancedEngagedRebootUxState
+
+This event sends information about the configuration of Enhanced Direct-to-Engaged (eDTE), which includes values for the timing of how eDTE will progress through each phase of the reboot.
+
+The following fields are available:
+
+- **AcceptAutoModeLimit** The maximum number of days for a device to automatically enter Auto Reboot mode.
+- **AutoToAutoFailedLimit** The maximum number of days for Auto Reboot mode to fail before a Reboot Failed dialog will be shown.
+- **DeviceLocalTime** The date and time (based on the device date/time settings) the reboot mode changed.
+- **EngagedModeLimit** The number of days to switch between DTE (Direct-to-Engaged) dialogs.
+- **EnterAutoModeLimit** The maximum number of days a device can enter Auto Reboot mode.
+- **ETag** The Entity Tag that represents the OneSettings version.
+- **IsForcedEnabled** Identifies whether Forced Reboot mode is enabled for the device.
+- **IsUltimateForcedEnabled** Identifies whether Ultimate Forced Reboot mode is enabled for the device.
+- **OldestUpdateLocalTime** The date and time (based on the device date/time settings) this update’s reboot began pending.
+- **RebootUxState** Identifies the reboot state: Engaged, Auto, Forced, UltimateForced.
+- **RebootVersion** The version of the DTE (Direct-to-Engaged).
+- **SkipToAutoModeLimit** The maximum number of days to switch to start while in Auto Reboot mode.
+- **UpdateId** The ID of the update that is waiting for reboot to finish installation.
+- **UpdateRevision** The revision of the update that is waiting for reboot to finish installation.
+
+
+### Microsoft.Windows.Update.Ux.MusNotification.RebootNoLongerNeeded
+
+This event is sent when a security update has successfully completed.
+
+The following fields are available:
+
+- **UtcTime** The Coordinated Universal Time that the restart was no longer needed.
+
+
+### Microsoft.Windows.Update.Ux.MusNotification.RebootScheduled
+
+This event sends basic information about scheduling an update-related reboot, to get security updates and to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **activeHoursApplicable** Indicates whether Active Hours applies on this device.
+- **IsEnhancedEngagedReboot** Indicates whether Enhanced reboot was enabled.
+- **rebootArgument** Argument for the reboot task. It also represents specific reboot related action.
+- **rebootOutsideOfActiveHours** True, if a reboot is scheduled outside of active hours. False, otherwise.
+- **rebootScheduledByUser** True, if a reboot is scheduled by user. False, if a reboot is scheduled automatically.
+- **rebootState** Current state of the reboot.
+- **rebootUsingSmartScheduler** Indicates that the reboot is scheduled by SmartScheduler.
+- **revisionNumber** Revision number of the OS.
+- **scheduledRebootTime** Time scheduled for the reboot.
+- **scheduledRebootTimeInUTC** Time scheduled for the reboot, in UTC.
+- **updateId** Identifies which update is being scheduled.
+- **wuDeviceid** Unique DeviceID
+
+
### Microsoft.Windows.Update.Ux.MusNotification.UxBrokerScheduledTask
This event is sent when MUSE broker schedules a task.
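Review bot: SkipToAutoModeLimit in EnhancedEngagedRebootUxState reads "The maximum number of days to switch to start while in Auto Reboot mode", which does not parse and contradicts the definition given for the same field in DialogNotificationToBeDisplayed ("The minimum length of time to pass in restart pending before a device can be put into auto mode"). Suggest reusing that earlier wording. Two summaries in this hunk also do not match their events: updateSettingsFlushFailed is described as "an update that encountered problems and was not able to complete" although the name refers to flushing update settings, and RebootNoLongerNeeded is described as "a security update has successfully completed" although its only field is the time "the restart was no longer needed". In MusNotification.RebootScheduled, revisionNumber is "Revision number of the OS" where the other events in this file use it for the update revision.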
@@ -4646,4 +5997,73 @@ The following fields are available:
- **TaskName** Name of the task.
+### Microsoft.Windows.Update.Ux.MusUpdateSettings.RebootScheduled
+
+This event sends basic information for scheduling a device restart to install security updates. It's used to help keep Windows up to date.
+
+The following fields are available:
+
+- **activeHoursApplicable** Is the restart respecting Active Hours?
+- **IsEnhancedEngagedReboot** TRUE if the reboot path is Enhanced Engaged. Otherwise, FALSE.
+- **rebootArgument** The arguments that are passed to the OS for the restarted.
+- **rebootOutsideOfActiveHours** Was the restart scheduled outside of Active Hours?
+- **rebootScheduledByUser** Was the restart scheduled by the user? If the value is false, the restart was scheduled by the device.
+- **rebootState** The state of the restart.
+- **rebootUsingSmartScheduler** TRUE if the reboot should be performed by the Smart Scheduler. Otherwise, FALSE.
+- **revisionNumber** The revision number of the OS being updated.
+- **scheduledRebootTime** Time of the scheduled reboot
+- **scheduledRebootTimeInUTC** Time of the scheduled restart, in Coordinated Universal Time.
+- **updateId** The Windows Update device GUID.
+- **wuDeviceid** The Windows Update device GUID.
+
+
+## Windows Update mitigation events
+
+### Mitigation360Telemetry.MitigationCustom.CleanupSafeOsImages
+
+This event sends data specific to the CleanupSafeOsImages mitigation used for OS Updates.
+
+The following fields are available:
+
+- **ClientId** Unique identifier for each flight.
+- **FlightId** Unique GUID that identifies each instances of setuphost.exe.
+- **InstanceId** The update scenario in which the mitigation was executed.
+- **MitigationScenario** Number of mounted images.
+- **MountedImageCount** Number of mounted images that were under %systemdrive%\$Windows.~BT.
+- **MountedImageMatches** Number of mounted images under %systemdrive%\$Windows.~BT that could not be removed.
+- **MountedImagesFailed** Number of mounted images under %systemdrive%\$Windows.~BT that were successfully removed.
+- **MountedImagesRemoved** Number of mounted images that were not under %systemdrive%\$Windows.~BT.
+- **MountedImagesSkipped** Correlation vector value generated from the latest USO scan.
+- **RelatedCV** HResult of this operation.
+- **Result** ID indicating the mitigation scenario.
+- **ScenarioId** Indicates whether the scenario was supported.
+- **ScenarioSupported** Unique value for each update attempt.
+- **SessionId** Unique ID for each Update.
+- **UpdateId** Unique ID for the Windows Update client.
+- **WuId** Unique ID for the Windows Update client.
+
+
+### Mitigation360Telemetry.MitigationCustom.FixupEditionId
+
+This event sends data specific to the FixupEditionId mitigation used for OS updates.
+
+The following fields are available:
+
+- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **EditionIdUpdated** Determine whether EditionId was changed.
+- **FlightId** Unique identifier for each flight.
+- **InstanceId** Unique GUID that identifies each instances of setuphost.exe.
+- **MitigationScenario** The update scenario in which the mitigation was executed.
+- **ProductEditionId** Expected EditionId value based on GetProductInfo.
+- **ProductType** Value returned by GetProductInfo.
+- **RegistryEditionId** EditionId value in the registry.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **Result** HResult of this operation.
+- **ScenarioId** ID indicating the mitigation scenario.
+- **ScenarioSupported** Indicates whether the scenario was supported.
+- **SessionId** Unique value for each update attempt.
+- **UpdateId** Unique ID for each update.
+- **WuId** Unique ID for the Windows Update client.
+
+
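Review bot: In the `CleanupSafeOsImages` field list the descriptions are shifted down by one entry from `ClientId` onward, so most fields carry their neighbour's text: `MitigationScenario` reads "Number of mounted images", `MountedImagesFailed` reads "successfully removed", `RelatedCV` reads "HResult of this operation", and `Result` reads "ID indicating the mitigation scenario". Compare with the `FixupEditionId` list directly below, where the same fields (`FlightId`, `InstanceId`, `MitigationScenario`, `RelatedCV`, `Result`, `ScenarioId`, `ScenarioSupported`, `SessionId`, `UpdateId`, `WuId`) line up correctly. Realign the list and supply the missing `ClientId` description. Separately, in `MusUpdateSettings.RebootScheduled`, `updateId` and `wuDeviceid` both say "The Windows Update device GUID"; `updateId` should describe the update, as it does in `MusNotification.RebootScheduled` ("Identifies which update is being scheduled"). The new `###` heading is also added directly under the `TaskName` context line with no blank line before it.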
diff --git a/windows/privacy/gdpr-it-guidance.md b/windows/privacy/gdpr-it-guidance.md
index dd46e67249..273464ae5a 100644
--- a/windows/privacy/gdpr-it-guidance.md
+++ b/windows/privacy/gdpr-it-guidance.md
@@ -1,5 +1,5 @@
---
-title: Windows 10 and the GDPR for IT Decision Makers
+title: Windows and the GDPR-Information for IT Administrators and Decision Makers
description: Use this topic to understand the relationship between users in your organization and Microsoft in the context of the GDPR (General Data Protection Regulation).
keywords: privacy, GDPR, windows, IT
ms.prod: w10
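Review bot: The new front-matter `title` uses "GDPR-Information" with a hyphen, while the H1 changed in the next hunk uses "GDPR: Information" with a colon, so the page title and the heading will differ. If the hyphen is there only to avoid a bare colon in YAML, quote the value instead and keep the two strings identical.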
@@ -11,12 +11,17 @@ author: danihalfin
ms.author: daniha
ms.date: 05/11/2018
---
-# Windows 10 and the GDPR for IT Decision Makers
+# Windows and the GDPR: Information for IT Administrators and Decision Makers
Applies to:
+- Windows 10, version 1809
- Windows 10, version 1803
- Windows 10, version 1709
- Windows 10, version 1703
+- Windows 10 Team Edition, version 1703 for Surface Hub
+- Windows Server 2019
+- Windows Server 2016
+- Windows Analytics
This topic provides IT Decision Makers with a basic understanding of the relationship between users in an organization and Microsoft in the context of the GDPR (General Data Protection Regulation). You will also learn what role an IT organization plays for that relationship.
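Review bot: `ms.date` stays at 05/11/2018 in the context lines even though this patch extends the topic to version 1809, Windows Server 2019, Windows Server 2016 and Surface Hub; update it so readers can tell the guidance is current. The unchanged intro paragraph still addresses only "IT Decision Makers", which no longer matches the new H1 ("IT Administrators and Decision Makers"). The "Applies to" list now mixes OS versions with "Windows Analytics", which is a service; consider listing it separately.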
@@ -35,7 +40,7 @@ Here are some GDPR fundamentals:
* The European law establishes strict global data privacy requirements governing how organizations manage and protect personal data while respecting individual choice – no matter where data is sent, processed, or stored.
* A request by an individual to an organization to take an action on their personal data is referred to here as a *data subject request*, or *DSR*.
-Microsoft believes data privacy is a fundamental right, and that the GDPR is an important step forward for clarifying and enabling individual privacy rights. We also recognize that the GDPR requires significant changes by organizations all over the world with regard to the discovery, management, protection, and reporting of personal data that is collected, processed, and stored within an organization.
+Microsoft believes data privacy is a fundamental right, and that the GDPR is an important step forward for clarifying and enabling individual privacy rights. We also recognize that the GDPR required significant changes by organizations all over the world with regard to the discovery, management, protection, and reporting of personal data that is collected, processed, and stored within an organization.
### What is personal data under the GDPR?
@@ -87,7 +92,7 @@ It is important to differentiate between two distinct types of data Windows serv
A user action, such as performing a Skype call, usually triggers the collection and transmission of Windows *functional data*. Some Windows components and applications connecting to Microsoft services also exchange Windows functional data to provide user functionality.
Some other examples of Windows functional data:
-* The Weather app which uses the device’s location to retrieve local weather or community news.
+* The Weather app which can use the device’s location to retrieve local weather or community news.
* Wallpaper and desktop settings that are synchronized across multiple devices.
For more info on how IT Professionals can manage Windows functional data sent from an organization to Microsoft, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
@@ -100,10 +105,10 @@ Some examples of diagnostic data include:
* The type of hardware being used, information about installed apps and usage details, and reliability data on drivers running on the device.
* For users who have turned on “Tailored experiences”, it can be used to offer personalized tips, ads, and recommendations to enhance Microsoft products and services for the needs of the user.
-To find more about what information is collected, how it is handled, and the available Windows diagnostic data levels, see [Understanding Windows diagnostic data](configure-windows-diagnostic-data-in-your-organization.md#understanding-windows-diagnostic-data) and [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md).
+Diagnostic data is categorized into the levels "Security", "Basic", "Enhanced", and "Full". For a detailed discussion about these diagnostic data levels please see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). To find more about what information is collected and how it is handled, see [Understanding Windows diagnostic data](configure-windows-diagnostic-data-in-your-organization.md#understanding-windows-diagnostic-data).
>[!IMPORTANT]
->Other Microsoft services as well as 3rd party applications and drivers running on Windows devices may implement their own functionality, independently from Windows, to transport their diagnostic data to the respective publisher. Please contact them for further guidance on how to control the diagnostic data collection level and transmission of these publishers.
+>Other Microsoft services as well as 3rd party applications and drivers running on Windows devices may implement their own functionality, independently from Windows, to transport their diagnostic data. Please contact the publisher for further guidance on how to control the diagnostic data collection level and transmission of these applications and services.
### Windows services where Microsoft is the processor under the GDPR
@@ -123,7 +128,7 @@ As a result, in terms of the GDPR, the organization that has subscribed to Windo
>The IT organization must explicitly enable Windows Analytics for a device after the organization subscribes.
>[!IMPORTANT]
->Windows Analytics does not collect Windows Diagnostic data by itself. Instead, Windows Analytics only uses a subset of Windows Diagnostic data that is collected by Windows for a particular device. The Windows Diagnostic data collection is controlled by the IT department of an organization or the user of a device.
+>Windows Analytics does not collect Windows Diagnostic data by itself. Instead, Windows Analytics only uses a subset of Windows Diagnostic data that is collected by Windows for an enrolled device. The Windows Diagnostic data collection is controlled by the IT department of an organization or the user of a device.
#### Windows Defender ATP
@@ -140,27 +145,43 @@ The following table lists in what GDPR mode – controller or processor – Wind
| Service | Microsoft GDPR mode of operation |
| --- | --- |
-| Windows Functional data | Controller |
+| Windows Functional data | Controller or Processor* |
| Windows Diagnostic data | Controller |
| Windows Analytics | Processor |
| Windows Defender Advanced Threat Detection (ATP) | Processor |
*Table 1: Windows 10 GDPR modes of operations for different Windows 10 services*
-## Recommended diagnostic data level settings
+*/*Depending on which application/feature this is referring to.*
-Windows diagnostic data collection level can be set by a user in Windows (*Start > Settings > Privacy > Diagnostics & feedback*) or by the IT department of an organization, using Group Policy or Mobile Device Management (MDM) techniques.
+## Windows diagnostic data and Windows 10
-* For Windows 10, version 1803, Microsoft recommends setting the Windows diagnostic level to “Enhanced”. This enables organizations to get the full functionality of [Windows Analytics](#windows-analytics). Those organizations who wish to share the smallest set of events for Windows Analytics can use the “Limit Enhanced diagnostic data to the minimum required by Windows Analytics” filtering mechanism that Microsoft introduced in Windows 10, version 1709. When enabled, this feature limits the operating system diagnostic data events included in the Enhanced level to the smallest set of data required by Windows Analytics.
+
+### Recommended Windows 10 settings
+
+Windows diagnostic data collection level for Windows 10 can be set by a user in Windows (*Start > Settings > Privacy > Diagnostics & feedback*) or by the IT department of an organization, using Group Policy or Mobile Device Management (MDM) techniques.
+
+* For Windows 10, version 1803 and version 1809, Microsoft recommends setting the Windows diagnostic level to “Enhanced”. This enables organizations to get the full functionality of [Windows Analytics](#windows-analytics).
>[!NOTE]
>For more information on the Enhanced level, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md).
* For Windows 10, version 1709, and Windows 10, version 1703, the recommended Windows diagnostic level configuration for EEA and Switzerland commercial users is “Basic”.
-* For Windows 7, Microsoft recommends configuring enterprise devices for Windows Analytics to facilitate upgrade planning to Windows 10.
+>[!NOTE]
+>For Windows 7, Microsoft recommends [configuring enterprise devices for Windows Analytics](/windows/deployment/update/windows-analytics-get-started) to facilitate upgrade planning to Windows 10.
-## Controlling the data collection and notification about it
+### Additional information for Windows Analytics
+
+Some Windows Analytics solutions and functionality, such as Update Compliance, works with “Basic” as minimum Windows diagnostic level. Other solutions and functionality of Windows Analytics, such as Device Health, require “Enhanced”.
+
+Those organizations who wish to share the smallest set of events for Windows Analytics and have set the Windows diagnostic level to “Enhanced” can use the “Limit Enhanced diagnostic data to the minimum required by Windows Analytics” setting. This filtering mechanism was that Microsoft introduced in Windows 10, version 1709. When enabled, this feature limits the operating system diagnostic data events included in the Enhanced level to the smallest set of data required by Windows Analytics.
+
+>[!NOTE]
+>Additional information can be found at [Windows Analytics and privacy](/windows/deployment/update/windows-analytics-privacy
+).
+
+## Controlling Windows 10 data collection and notification about it
Windows 10 sends diagnostic data to Microsoft services, and some of that data can contain personal data. Both the user and the IT organization have the ability to control the transmission of that data to Microsoft.
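Review bot: The link in the last added note is split across two lines, with the closing `)` on its own line after `/windows/deployment/update/windows-analytics-privacy`, which will break the link when rendered; put the whole `[text](url)` on one line. The table footnote `*/*Depending on which application/feature this is referring to.*` has unbalanced emphasis markers and will not render as a footnote for the `Processor*` cell; use a plain marker and name the applications or features that make Microsoft a processor, since "Controller or Processor" on its own does not tell an administrator which mode applies. Wording in the new Windows Analytics section also needs a pass: "functionality ... works" should be "work", and "This filtering mechanism was that Microsoft introduced" is garbled. The new `## Windows diagnostic data and Windows 10` heading has no body text before the `###` heading that follows it.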
@@ -200,10 +221,43 @@ IT Professionals that are interested in this configuration, see [Windows 10 pers
To find out more about the network connections that Windows components make to Microsoft as well as the privacy settings that affect data shared with either Microsoft or apps, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) and [Manage Windows 10 connection endpoints](manage-windows-endpoints.md). These articles describe how these settings can be managed by an IT Professional.
-## At-a-glance: the relationship between an IT organization and the GDPR
+### At-a-glance: the relationship between an IT organization and the GDPR
Because Microsoft is a controller for data collected by Windows 10, the user can work with Microsoft to satisfy GDPR requirements. While this relationship between Microsoft and a user is evident in a consumer scenario, an IT organization can influence that relationship in an enterprise scenario. For example, the IT organization has the ability to centrally configure the Windows diagnostic data level by using Group Policy or MDM settings.
+## Windows Server
+
+Windows Server follows the same mechanisms as Windows 10 for handling of personal data – for example, when collecting Windows diagnostic data.
+
+More detailed information about Windows Server and the GDPR is available at Beginning your General Data Protection Regulation (GDPR) journey for Windows Server.
+
+### Windows diagnostic data and Windows Server
+
+The lowest diagnostic data setting level supported on Windows Server 2016 and Windows Server 2019 through management policies is “Security”. The lowest diagnostic data setting supported through the Settings UI is “Basic”. The default diagnostic data level for all Windows Server 2016 and Windows Server 2019 editions is “Enhanced”.
+
+IT administrators can configure the Windows Server diagnostic data settings using familiar management tools, such as Group Policy, MDM, or Windows Provisioning. IT administrators can also manually change settings using Registry Editor. Setting the Windows Server diagnostic data levels through a management policy overrides any device-level settings.
+
+There are two options for deleting Windows diagnostic data from a Windows Server machine:
+
+- If the “Desktop Experience” option was chosen during the installation of Windows Server 2019, then there are the same options available for an IT administrator that end users have with Windows 10, version 1803 and version 1809, to submit a request for deleting that device’s diagnostic data. This is done by clicking the **Delete** button in the **Delete diagnostic data** section of **Start > Settings > Privacy > Diagnostics & feedback**.
+- Microsoft has provided a [PowerShell cmdlet](https://docs.microsoft.com/powershell/module/windowsdiagnosticdata) that IT administrators can use to delete Windows diagnostic data via the command line on a machine running Windows Server 2016 or Windows Server 2019. This cmdlet provides the same functionality for deleting Windows diagnostic data as with Desktop Experience on Windows Server 2019. For more information, see [the PowerShell Gallery](https://www.powershellgallery.com/packages/WindowsDiagnosticData).
+
+### Backups and Windows Server
+
+Backups, including live backups and backups that are stored locally within an organization or in the cloud, can contain personal data.
+
+- Backups an organizations creates, for example by using Windows Server Backup (WSB), are under its control. For example, for exporting personal data contained in a backup, the organization needs to restore the appropriate backup sets to facilitate the respective data subject request (DSR).
+- The GDPR also applies when storing backups in the cloud. For example, an organization can use Microsoft Azure Backup to backup files and folders from physical or virtual Windows Server machines (located on-premises or in Azure) to the cloud. The organization that is subscribed to this backup service also has the obligation to restore the data in order to exercise the respective DSR.
+
+## Windows 10 Team Edition, Version 1703 for Surface Hub
+
+Surface Hub is a shared device used within an organization. The device identifier collected as part of diagnostic data is not connected to a user. For removing Windows diagnostic data sent to Microsoft for a Surface Hub, Microsoft created the Surface Hub Delete Diagnostic Data tool available in the Microsoft Store.
+
+>[!NOTE]
+>Additional apps running on the device, that are not delivered as part of the in-box experience of Surface Hub, may implement their own diagnostic data collection and transmission functionality independently to collect and process personal data. Please contact the app publisher for further guidance on how to control this.
+
+An IT administrator can configure privacy- related settings, such as setting the Windows diagnostic data level to Basic. Surface Hub does not support group policy for centralized management; however, IT administrators can use MDM to apply these settings to Surface Hub. For more information about Surface Hub and MDM, please see [Manage settings with an MDM provider](https://docs.microsoft.com/surface-hub/manage-settings-with-mdm-for-surface-hub).
+
## Further reading
### Optional settings / features that further improve the protection of personal data
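Review bot: The added Windows Server paragraph says more information "is available at Beginning your General Data Protection Regulation (GDPR) journey for Windows Server" but gives no link, unlike every other reference in this hunk; add the target. The section states that the default diagnostic data level for Windows Server 2016 and 2019 is "Enhanced" and that "Security" is available only through management policies, but it gives no recommended level the way the Windows 10 section does; say what administrators should set, or state that no recommendation is made. Typos to fix before merge: "Backups an organizations creates", "to backup files" (verb should be "back up"), and "privacy- related". The unchanged context paragraph at the top of the hunk still links to `manage-windows-endpoints.md`; confirm that target is still the intended one for a topic that now covers version 1809.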
@@ -215,11 +269,11 @@ Personal data protection is one of the goals of the GDPR. One way of improving p
### Windows Security Baselines
-Microsoft has created Windows Security Baselines to efficiently configure Windows 10. For more information, please visit [Windows Security Baselines](/windows/security/threat-protection/windows-security-baselines).
+Microsoft has created Windows Security Baselines to efficiently configure Windows 10 and Windows Server. For more information, please visit [Windows Security Baselines](/windows/security/threat-protection/windows-security-baselines).
### Windows Restricted Traffic Limited Functionality Baseline
-To make it easier to deploy settings that restrict connections from Windows 10 to Microsoft, IT Professionals can apply the Windows Restricted Traffic Limited Functionality Baseline, available [here](https://go.microsoft.com/fwlink/?linkid=828887).
+To make it easier to deploy settings that restrict connections from Windows 10 and Windows Server to Microsoft, IT Professionals can apply the Windows Restricted Traffic Limited Functionality Baseline, available [here](https://go.microsoft.com/fwlink/?linkid=828887).
>[!IMPORTANT]
>Some of the settings of the Windows Restricted Traffic Limited Functionality Baseline will reduce the functionality and security configuration of a device in the organization and are therefore not recommended.
diff --git a/windows/privacy/gdpr-win10-whitepaper.md b/windows/privacy/gdpr-win10-whitepaper.md
index 5a54e998e6..a8a0214f4a 100644
--- a/windows/privacy/gdpr-win10-whitepaper.md
+++ b/windows/privacy/gdpr-win10-whitepaper.md
@@ -293,7 +293,7 @@ For example, employees can’t send protected work files from a personal email a
#### Capabilities to classify, assign permissions and share data
Windows Information Protection is designed to coexist with advanced data loss prevention (DLP) capabilities found in Office 365 ProPlus, Azure Information Protection, and Azure Rights Management. Advanced DLP prevents printing, for example, or protects work data that is emailed outside your company.
-To continously protect your data, regardless of where it is stored, with whom it is shared, or if the device is running iOS, Android or Windows, the classification and protection needs to be built into the file itself, so this protection can travel with the data wherever it goes. Microsoft Azure Information Protection (AIP) is designed to provide this persistent data protection both on-premises and in the cloud.
+To continuously protect your data, regardless of where it is stored, with whom it is shared, or if the device is running iOS, Android or Windows, the classification and protection needs to be built into the file itself, so this protection can travel with the data wherever it goes. Microsoft Azure Information Protection (AIP) is designed to provide this persistent data protection both on-premises and in the cloud.
Data classification is an important part of any data governance plan. Adopting a classification scheme that applies throughout your business can be particularly helpful in responding to what the GDPR calls data subject (for example, your EU employee or customer) requests, because it enables enterprises to identify more readily and process personal data requests.
@@ -332,4 +332,4 @@ This article does not provide you with any legal rights to any intellectual prop
Published September 2017
Version 1.0
-© 2017 Microsoft. All rights reserved.
\ No newline at end of file
+© 2017 Microsoft. All rights reserved.
diff --git a/windows/privacy/license-terms-windows-diagnostic-data-for-powershell.md b/windows/privacy/license-terms-windows-diagnostic-data-for-powershell.md
new file mode 100644
index 0000000000..ee8ecf4a8b
--- /dev/null
+++ b/windows/privacy/license-terms-windows-diagnostic-data-for-powershell.md
@@ -0,0 +1,92 @@
+---
+title: MICROSOFT WINDOWS DIAGNOSTIC DATA FOR POWERSHELL
+description: MICROSOFT SOFTWARE LICENSE TERMS
+keywords: privacy, license, terms
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: high
+author: danihalfin
+ms.author: daniha
+ms.date: 11/16/2018
+robots: noindex,nofollow
+---
+
+MICROSOFT SOFTWARE LICENSE TERMS
+
+MICROSOFT WINDOWS DIAGNOSTIC DATA FOR POWERSHELL
+
+
+
+These license terms are an agreement between you and Microsoft Corporation (or one of its affiliates). They apply to the software named above and any Microsoft services or software updates (except to the extent such services or updates are accompanied by new or additional terms, in which case those different terms apply prospectively and do not alter your or Microsoft’s rights relating to pre-updated software or services). IF YOU COMPLY WITH THESE LICENSE TERMS, YOU HAVE THE RIGHTS BELOW. BY USING THE SOFTWARE, YOU ACCEPT THESE TERMS.
+
+1. INSTALLATION AND USE RIGHTS.
+
+a) General. You may install and use any number of copies of the software.
+
+b) Third Party Software. The software may include third party applications that Microsoft, not the third party, licenses to you under this agreement. Any included notices for third party applications are for your information only.
+
+2. DATA COLLECTION. The software may collect information about you and your use of the software and send that to Microsoft. Microsoft may use this information to provide services and improve Microsoft’s products and services. Your opt-out rights, if any, are described in the product documentation. Some features in the software may enable collection of data from users of your applications that access or use the software. If you use these features to enable data collection in your applications, you must comply with applicable law, including getting any required user consent, and maintain a prominent privacy policy that accurately informs users about how you use, collect, and share their data. You can learn more about Microsoft’s data collection and use in the product documentation and the Microsoft Privacy Statement at https://go.microsoft.com/fwlink/?LinkId=512132. You agree to comply with all applicable provisions of the Microsoft Privacy Statement.
+
+3. SCOPE OF LICENSE. The software is licensed, not sold. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation, you will not (and have no right to):
+
+a) work around any technical limitations in the software that only allow you to use it in certain ways;
+
+b) reverse engineer, decompile or disassemble the software;
+
+c) remove, minimize, block, or modify any notices of Microsoft or its suppliers in the software;
+
+d) use the software in any way that is against the law or to create or propagate malware; or
+
+e) share, publish, distribute, or lend the software, provide the software as a stand-alone hosted solution for others to use, or transfer the software or this agreement to any third party.
+
+4. EXPORT RESTRICTIONS. You must comply with all domestic and international export laws and regulations that apply to the software, which include restrictions on destinations, end users, and end use. For further information on export restrictions, visit http://aka.ms/exporting.
+
+5. SUPPORT SERVICES. Microsoft is not obligated under this agreement to provide any support services for the software. Any support provided is “as is”, “with all faults”, and without warranty of any kind.
+
+6. ENTIRE AGREEMENT. This agreement, and any other terms Microsoft may provide for supplements, updates, or third-party applications, is the entire agreement for the software.
+
+7. APPLICABLE LAW AND PLACE TO RESOLVE DISPUTES. If you acquired the software in the United States or Canada, the laws of the state or province where you live (or, if a business, where your principal place of business is located) govern the interpretation of this agreement, claims for its breach, and all other claims (including consumer protection, unfair competition, and tort claims), regardless of conflict of laws principles. If you acquired the software in any other country, its laws apply. If U.S. federal jurisdiction exists, you and Microsoft consent to exclusive jurisdiction and venue in the federal court in King County, Washington for all disputes heard in court. If not, you and Microsoft consent to exclusive jurisdiction and venue in the Superior Court of King County, Washington for all disputes heard in court.
+
+8. CONSUMER RIGHTS; REGIONAL VARIATIONS. This agreement describes certain legal rights. You may have other rights, including consumer rights, under the laws of your state, province, or country. Separate and apart from your relationship with Microsoft, you may also have rights with respect to the party from which you acquired the software. This agreement does not change those other rights if the laws of your state, province, or country do not permit it to do so. For example, if you acquired the software in one of the below regions, or mandatory country law applies, then the following provisions apply to you:
+
+a) Australia. You have statutory guarantees under the Australian Consumer Law and nothing in this agreement is intended to affect those rights.
+
+b) Canada. If you acquired this software in Canada, you may stop receiving updates by turning off the automatic update feature, disconnecting your device from the Internet (if and when you re-connect to the Internet, however, the software will resume checking for and installing updates), or uninstalling the software. The product documentation, if any, may also specify how to turn off updates for your specific device or software.
+
+c) Germany and Austria.
+
+i. Warranty. The properly licensed software will perform substantially as described in any Microsoft materials that accompany the software. However, Microsoft gives no contractual guarantee in relation to the licensed software.
+
+ii. Limitation of Liability. In case of intentional conduct, gross negligence, claims based on the Product Liability Act, as well as, in case of death or personal or physical injury, Microsoft is liable according to the statutory law.
+
+Subject to the foregoing clause ii., Microsoft will only be liable for slight negligence if Microsoft is in breach of such material contractual obligations, the fulfillment of which facilitate the due performance of this agreement, the breach of which would endanger the purpose of this agreement and the compliance with which a party may constantly trust in (so-called "cardinal obligations"). In other cases of slight negligence, Microsoft will not be liable for slight negligence.
+
+9. DISCLAIMER OF WARRANTY. THE SOFTWARE IS LICENSED “AS IS.” YOU BEAR THE RISK OF USING IT. MICROSOFT GIVES NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS. TO THE EXTENT PERMITTED UNDER APPLICABLE LAWS, MICROSOFT EXCLUDES ALL IMPLIED WARRANTIES, INCLUDING MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.
+
+10. LIMITATION ON AND EXCLUSION OF DAMAGES. IF YOU HAVE ANY BASIS FOR RECOVERING DAMAGES DESPITE THE PRECEDING DISCLAIMER OF WARRANTY, YOU CAN RECOVER FROM MICROSOFT AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO U.S. $5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.
+
+This limitation applies to (a) anything related to the software, services, content (including code) on third party Internet sites, or third party applications; and (b) claims for breach of contract, warranty, guarantee, or condition; strict liability, negligence, or other tort; or any other claim; in each case to the extent permitted by applicable law.
+
+It also applies even if Microsoft knew or should have known about the possibility of the damages. The above limitation or exclusion may not apply to you because your state, province, or country may not allow the exclusion or limitation of incidental, consequential, or other damages.
+
+
+
+Please note: As this software is distributed in Canada, some of the clauses in this agreement are provided below in French.
+
+Remarque: Ce logiciel étant distribué au Canada, certaines des clauses dans ce contrat sont fournies ci-dessous en français.
+
+EXONÉRATION DE GARANTIE. Le logiciel visé par une licence est offert « tel quel ». Toute utilisation de ce logiciel est à votre seule risque et péril. Microsoft n’accorde aucune autre garantie expresse. Vous pouvez bénéficier de droits additionnels en vertu du droit local sur la protection des consommateurs, que ce contrat ne peut modifier. La ou elles sont permises par le droit locale, les garanties implicites de qualité marchande, d’adéquation à un usage particulier et d’absence de contrefaçon sont exclues.
+
+LIMITATION DES DOMMAGES-INTÉRÊTS ET EXCLUSION DE RESPONSABILITÉ POUR LES DOMMAGES. Vous pouvez obtenir de Microsoft et de ses fournisseurs une indemnisation en cas de dommages directs uniquement à hauteur de 5,00 $ US. Vous ne pouvez prétendre à aucune indemnisation pour les autres dommages, y compris les dommages spéciaux, indirects ou accessoires et pertes de bénéfices.
+
+Cette limitation concerne:
+
+• tout ce qui est relié au logiciel, aux services ou au contenu (y compris le code) figurant sur des sites Internet tiers ou dans des programmes tiers; et
+
+• les réclamations au titre de violation de contrat ou de garantie, ou au titre de responsabilité stricte, de négligence ou d’une autre faute dans la limite autorisée par la loi en vigueur.
+
+Elle s’applique également, même si Microsoft connaissait ou devrait connaître l’éventualité d’un tel dommage. Si votre pays n’autorise pas l’exclusion ou la limitation de responsabilité pour les dommages indirects, accessoires ou de quelque nature que ce soit, il se peut que la limitation ou l’exclusion ci-dessus ne s’appliquera pas à votre égard.
+
+EFFET JURIDIQUE. Le présent contrat décrit certains droits juridiques. Vous pourriez avoir d’autres droits prévus par les lois de votre pays. Le présent contrat ne modifie pas les droits que vous confèrent les lois de votre pays si celles-ci ne le permettent pas.
\ No newline at end of file
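Review bot: the added license file ends without a trailing newline (the `\ No newline at end of file` marker right after the EFFET JURIDIQUE paragraph). Add one so later appends and concatenation tools produce clean diffs. The French clauses should also be checked against the canonical license text before merging, since phrases such as "à votre seule risque et péril" and "La ou elles sont permises par le droit locale" read like transcription errors.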
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index 865d98939f..757bf80259 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -16,8 +16,9 @@ ms.date: 06/05/2018
**Applies to**
-- Windows 10 Enterprise, version 1607 and newer
-- Windows Server 2016
+- Windows 10 Enterprise, version 1607 and newer
+- Windows Server 2016
+- Windows Server 2019
If you're looking for content on what each diagnostic data level means and how to configure it in your organization, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md).
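Review bot: the Applies to list gains Windows Server 2019, but the hunk header shows the metadata still at `ms.date: 06/05/2018` and nothing in this patch touches it. Update the date along with the scope change. The two Windows 10 / Windows Server 2016 lines are removed and re-added with identical visible text, so they look like whitespace-only churn; dropping them from the change would leave a one-line hunk that is easier to review.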
@@ -43,6 +44,12 @@ Note that **Get Help** and **Give us Feedback** links no longer work after the W
We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com.
+## What's new in Windows 10, version 1809 Enterprise edition
+
+Here's a list of changes that were made to this article for Windows 10, version 1809:
+
+- Added a policy to disable Windows Defender SmartScreen
+
## What's new in Windows 10, version 1803 Enterprise edition
Here's a list of changes that were made to this article for Windows 10, version 1803:
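Review bot: the only 1809 bullet, "Added a policy to disable Windows Defender SmartScreen", neither names the policy nor links to the section that documents it. The table rows added later in this patch point at `#bkmk-defender-smartscreen`; link the bullet to that anchor so readers can find the actual setting. Because this entry is about turning off a protection feature, it is also worth stating the policy name explicitly so the change can be audited.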
@@ -74,17 +81,17 @@ Here's a list of changes that were made to this article for Windows 10, version
- Added the following Group Policies:
- - Prevent managing SmartScreen Filter
- - Turn off Compatibility View
- - Turn off Automatic Download and Install of updates
- - Do not connect to any Windows Update locations
- - Turn off access to all Windows Update features
- - Specify Intranet Microsoft update service location
- - Enable Windows NTP client
- - Turn off Automatic download of the ActiveX VersionList
- - Allow Automatic Update of Speech Data
- - Accounts: Block Microsoft Accounts
- - Do not use diagnostic data for tailored experiences
+ - Prevent managing SmartScreen Filter
+ - Turn off Compatibility View
+ - Turn off Automatic Download and Install of updates
+ - Do not connect to any Windows Update locations
+ - Turn off access to all Windows Update features
+ - Specify Intranet Microsoft update service location
+ - Enable Windows NTP client
+ - Turn off Automatic download of the ActiveX VersionList
+ - Allow Automatic Update of Speech Data
+ - Accounts: Block Microsoft Accounts
+ - Do not use diagnostic data for tailored experiences
## Management options for each setting
@@ -99,19 +106,19 @@ The following table lists management options for each setting, beginning with Wi
| Setting | UI | Group Policy | MDM policy | Registry | Command line |
| - | :-: | :-: | :-: | :-: | :-: |
-| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | |  | | | |
+| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | |  | |  | |
| [2. Cortana and Search](#bkmk-cortana) |  |  |  |  | |
| [3. Date & Time](#bkmk-datetime) |  |  | |  | |
-| [4. Device metadata retrieval](#bkmk-devinst) | |  | |  | |
-| [5. Find My Device](#find-my-device) | |  | | | |
-| [6. Font streaming](#font-streaming) | |  | |  | |
+| [4. Device metadata retrieval](#bkmk-devinst) | |  |  |  | |
+| [5. Find My Device](#find-my-device) |  |  | |  | |
+| [6. Font streaming](#font-streaming) | |  |  |  | |
| [7. Insider Preview builds](#bkmk-previewbuilds) |  |  |  |  | |
| [8. Internet Explorer](#bkmk-ie) |  |  | |  | |
| [9. Live Tiles](#live-tiles) | |  | |  | |
| [10. Mail synchronization](#bkmk-mailsync) |  | |  |  | |
| [11. Microsoft Account](#bkmk-microsoft-account) | |  |  |  | |
| [12. Microsoft Edge](#bkmk-edge) |  |  |  |  | |
-| [13. Network Connection Status Indicator](#bkmk-ncsi) | |  | |  | |
+| [13. Network Connection Status Indicator](#bkmk-ncsi) | |  |  |  | |
| [14. Offline maps](#bkmk-offlinemaps) |  |  | |  | |
| [15. OneDrive](#bkmk-onedrive) | |  | |  | |
| [16. Preinstalled apps](#bkmk-preinstalledapps) |  | | | |  |
@@ -142,6 +149,7 @@ The following table lists management options for each setting, beginning with Wi
| [21. Teredo](#bkmk-teredo) | |  | |  |  |
| [22. Wi-Fi Sense](#bkmk-wifisense) |  |  | |  | |
| [23. Windows Defender](#bkmk-defender) | |  |  |  | |
+| [23.1 Windows Defender Smartscreen](#bkmk-defender-smartscreen) | |  |  |  | |
| [24. Windows Media Player](#bkmk-wmp) |  | | | |  |
| [25. Windows Spotlight](#bkmk-spotlight) |  |  |  |  | |
| [26. Microsoft Store](#bkmk-windowsstore) | |  | |  | |
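Review bot: the new row spells the feature "Windows Defender Smartscreen", while the rest of this patch uses "SmartScreen" (the 1809 what's-new bullet and the Microsoft Edge policy table). Use the same casing here. Also confirm that a heading carrying the `bkmk-defender-smartscreen` anchor exists in the article; none of the hunks visible here adds it, and without it the link is dead.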
@@ -202,6 +210,63 @@ See the following table for a summary of the management settings for Windows Ser
| [21. Teredo](#bkmk-teredo) | |  |
| [28. Windows Update](#bkmk-wu) |  | |
+### Settings for Windows Server 2019
+
+See the following table for a summary of the management settings for Windows Server 2019.
+
+| Setting | UI | Group Policy | MDM policy | Registry | Command line |
+| - | :-: | :-: | :-: | :-: | :-: |
+| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | |  | |  | |
+| [2. Cortana and Search](#bkmk-cortana) |  |  |  |  | |
+| [3. Date & Time](#bkmk-datetime) |  |  | |  | |
+| [4. Device metadata retrieval](#bkmk-devinst) | |  |  |  | |
+| [5. Find My Device](#find-my-device) |  |  | |  | |
+| [6. Font streaming](#font-streaming) | |  |  |  | |
+| [7. Insider Preview builds](#bkmk-previewbuilds) |  |  |  |  | |
+| [8. Internet Explorer](#bkmk-ie) |  |  | |  | |
+| [9. Live Tiles](#live-tiles) | |  | |  | |
+| [10. Mail synchronization](#bkmk-mailsync) |  | |  |  | |
+| [11. Microsoft Account](#bkmk-microsoft-account) | |  |  |  | |
+| [12. Microsoft Edge](#bkmk-edge) |  |  |  |  | |
+| [13. Network Connection Status Indicator](#bkmk-ncsi) | |  |  |  | |
+| [14. Offline maps](#bkmk-offlinemaps) |  |  | |  | |
+| [15. OneDrive](#bkmk-onedrive) | |  | |  | |
+| [16. Preinstalled apps](#bkmk-preinstalledapps) |  | | | |  |
+| [17. Settings > Privacy](#bkmk-settingssection) | | | | | |
+| [17.1 General](#bkmk-general) |  |  |  |  | |
+| [17.2 Location](#bkmk-priv-location) |  |  |  |  | |
+| [17.3 Camera](#bkmk-priv-camera) |  |  |  |  | |
+| [17.4 Microphone](#bkmk-priv-microphone) |  |  |  |  | |
+| [17.5 Notifications](#bkmk-priv-notifications) |  |  | |  | |
+| [17.6 Speech, inking, & typing](#bkmk-priv-speech) |  |  |  |  | |
+| [17.7 Account info](#bkmk-priv-accounts) |  |  |  |  | |
+| [17.8 Contacts](#bkmk-priv-contacts) |  |  |  |  | |
+| [17.9 Calendar](#bkmk-priv-calendar) |  |  |  |  | |
+| [17.10 Call history](#bkmk-priv-callhistory) |  |  |  |  | |
+| [17.11 Email](#bkmk-priv-email) |  |  |  |  | |
+| [17.12 Messaging](#bkmk-priv-messaging) |  |  |  |  | |
+| [17.13 Phone calls](#bkmk-priv-phone-calls) |  |  |  |  | |
+| [17.14 Radios](#bkmk-priv-radios) |  |  |  |  | |
+| [17.15 Other devices](#bkmk-priv-other-devices) |  |  |  |  | |
+| [17.16 Feedback & diagnostics](#bkmk-priv-feedback) |  |  |  |  | |
+| [17.17 Background apps](#bkmk-priv-background) |  |  |  | | |
+| [17.18 Motion](#bkmk-priv-motion) |  |  |  |  | |
+| [17.19 Tasks](#bkmk-priv-tasks) |  |  |  |  | |
+| [17.20 App Diagnostics](#bkmk-priv-diag) |  |  |  |  | |
+| [18. Software Protection Platform](#bkmk-spp) | |  |  |  | |
+| [19. Storage Health](#bkmk-storage-health) | |  | | | |
+| [20. Sync your settings](#bkmk-syncsettings) |  |  |  |  | |
+| [21. Teredo](#bkmk-teredo) | |  | |  |  |
+| [22. Wi-Fi Sense](#bkmk-wifisense) |  |  | |  | |
+| [23. Windows Defender](#bkmk-defender) | |  |  |  | |
+| [23.1 Windows Defender Smartscreen](#bkmk-defender-smartscreen) | |  |  |  | |
+| [24. Windows Media Player](#bkmk-wmp) |  | | | |  |
+| [25. Windows Spotlight](#bkmk-spotlight) |  |  |  |  | |
+| [26. Microsoft Store](#bkmk-windowsstore) | |  | |  | |
+| [26.1 Apps for websites](#bkmk-apps-for-websites) | |  | | |
+| [27. Windows Update Delivery Optimization](#bkmk-updates) |  |  |  |  | |
+| [28. Windows Update](#bkmk-wu) |  |  |  | | |
+
## How to configure each setting
Use the following sections for more information about how to configure each setting.
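Review bot: in the new Windows Server 2019 table, the `26.1 Apps for websites` row has five cells while the header and every other row have six, so the row is short by one column and may render misaligned. Add the missing trailing ` |`. The `23.1 Windows Defender Smartscreen` row repeats the "Smartscreen" casing that differs from "SmartScreen" used elsewhere in the patch. Since this table is a near copy of the Windows 10 one, please confirm each row (for example Mail synchronization and Live Tiles) really applies to Windows Server 2019 rather than being carried over.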
@@ -219,18 +284,18 @@ For Windows 10, Windows Server 2016 with Desktop Experience, and Windows Server
- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Automatic Root Certificates Update**
- -and-
+ -and-
1. Navigate to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Public Key Policies**.
2. Double-click **Certificate Path Validation Settings**.
3. On the **Network Retrieval** tab, select the **Define these policy settings** check box.
4. Clear the **Automatically update certificates in the Microsoft Root Certificate Program (recommended)** check box, and then click **OK**.
- -or-
+ -or-
- Create the registry path **HKEY\_LOCAL\_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot** and then add a REG\_DWORD registry setting, named **DisableRootAutoUpdate**, with a value of 1.
- -and-
+ -and-
1. Navigate to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Public Key Policies**.
2. Double-click **Certificate Path Validation Settings**.
@@ -294,11 +359,11 @@ In Windows 10, version 1507 and Windows 10, version 1511, when you enable the **
9. Configure the **Protocols and Ports** page with the following info, and then click **OK**.
- - For **Protocol type**, choose **TCP**.
+ - For **Protocol type**, choose **TCP**.
- - For **Local port**, choose **All Ports**.
+ - For **Local port**, choose **All Ports**.
- - For **Remote port**, choose **All ports**.
+ - For **Remote port**, choose **All ports**.
If your organization tests network traffic, do not use a network proxy as Windows Firewall does not block proxy traffic. Instead, use a network traffic analyzer. Based on your needs, there are many network traffic analyzers available at no cost.
@@ -316,39 +381,47 @@ For Windows 10 only, the following Cortana MDM policies are available in the [Po
You can prevent Windows from setting the time automatically.
-- To turn off the feature in the UI: **Settings** > **Time & language** > **Date & time** > **Set time automatically**
+- To turn off the feature in the UI: **Settings** > **Time & language** > **Date & time** > **Set time automatically**
- -or-
+ -or-
-- Create a REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters\\Type** with a value of **NoSync**.
+- Create a REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters\\Type** with a value of **NoSync**.
After that, configure the following:
-- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Enable Windows NTP Server** > **Windows Time Service** > **Configure Windows NTP Client**
+- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Enable Windows NTP Server** > **Windows Time Service** > **Configure Windows NTP Client**
> [!NOTE]
> This is only available on Windows 10, version 1703 and later. If you're using Windows 10, version 1607, the Group Policy setting is **Computer Configuration** > **Administrative Templates** > **System** > **Windows Time Service** > **Time Providers** > **Enable Windows NTP Client**
- -or -
+ -or -
- Create a new REG\_DWORD registry setting named **Enabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\W32time\\TimeProviders\\NtpClient** and set it to 0 (zero).
### 4. Device metadata retrieval
-To prevent Windows from retrieving device metadata from the Internet, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Device Installation** > **Prevent device metadata retrieval from the Internet**.
+To prevent Windows from retrieving device metadata from the Internet:
-You can also create a new REG\_DWORD registry setting named **PreventDeviceMetadataFromNetwork** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Device Metadata** and set it to 1 (one).
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Device Installation** > **Prevent device metadata retrieval from the Internet**.
+
+ -or -
+
+- Create a new REG\_DWORD registry setting named **PreventDeviceMetadataFromNetwork** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Device Metadata** and set it to 1 (one).
+
+ -or -
+
+- Apply the DeviceInstallation/PreventDeviceMetadataFromNetwork MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventdevicemetadatafromnetwork).
### 5. Find My Device
To turn off Find My Device:
-- Turn off the feature in the UI
+- Turn off the feature in the UI
- -or-
+ -or-
-- Disable the Group Policy: **Computer Configuration** > **Administrative Template** > **Windows Components** > **Find My Device** > **Turn On/Off Find My Device**
+- Disable the Group Policy: **Computer Configuration** > **Administrative Template** > **Windows Components** > **Find My Device** > **Turn On/Off Find My Device**
You can also create a new REG\_DWORD registry setting **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FindMyDevice\\AllowFindMyDevice** to 0 (zero).
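Review bot: the new MDM bullet in section 4, "Apply the DeviceInstallation/PreventDeviceMetadataFromNetwork MDM policy", does not say which value to set, whereas the registry bullet just above it says "set it to 1 (one)" and the NCSI MDM bullet later in this patch says "with a value of 1". State the value here too. The separators added in this section are written `-or -`, while the rest of the hunk normalizes to `-or-`; pick one form.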
@@ -364,9 +437,9 @@ If you're running Windows 10, version 1607, Windows Server 2016, or later:
- In Windows 10, version 1703, you can apply the System/AllowFontProviders MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where:
- - **false**. Font streaming is disabled.
+ - **false**. Font streaming is disabled.
- - **true**. Font streaming is enabled.
+ - **true**. Font streaming is enabled.
If you're running Windows 10, version 1507 or Windows 10, version 1511, create a REG\_DWORD registry setting named **DisableFontProviders** in **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\FontCache\\Parameters** with a value of 1.
@@ -393,35 +466,35 @@ To turn off Insider Preview builds for Windows 10:
> [!NOTE]
> If you're running a preview version of Windows 10, you must roll back to a released version before you can turn off Insider Preview builds.
-- Turn off the feature in the UI: **Settings** > **Update & security** > **Windows Insider Program** > **Stop Insider Preview builds**.
+- Turn off the feature in the UI: **Settings** > **Update & security** > **Windows Insider Program** > **Stop Insider Preview builds**.
- -or-
+ -or-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Toggle user control over Insider builds**.
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Toggle user control over Insider builds**.
- -or -
+ -or -
- Create a new REG\_DWORD registry setting named **AllowBuildPreview** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\PreviewBuilds** with a vlue of 0 (zero)
- -or-
+ -or-
-- Apply the System/AllowBuildPreview MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where:
+- Apply the System/AllowBuildPreview MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where:
- - **0**. Users cannot make their devices available for downloading and installing preview software.
+ - **0**. Users cannot make their devices available for downloading and installing preview software.
- - **1**. Users can make their devices available for downloading and installing preview software.
+ - **1**. Users can make their devices available for downloading and installing preview software.
- - **2**. (default) Not configured. Users can make their devices available for download and installing preview software.
+ - **2**. (default) Not configured. Users can make their devices available for download and installing preview software.
- -or-
+ -or-
-- Create a provisioning package: **Runtime settings** > **Policies** > **System** > **AllowBuildPreview**, where:
+- Create a provisioning package: **Runtime settings** > **Policies** > **System** > **AllowBuildPreview**, where:
- - **0**. Users cannot make their devices available for downloading and installing preview software.
+ - **0**. Users cannot make their devices available for downloading and installing preview software.
- - **1**. Users can make their devices available for downloading and installing preview software.
+ - **1**. Users can make their devices available for downloading and installing preview software.
- - **2**. (default) Not configured. Users can make their devices available for download and installing preview software.
+ - **2**. (default) Not configured. Users can make their devices available for download and installing preview software.
### 8. Internet Explorer
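Review bot: the AllowBuildPreview registry bullet is left as an unchanged context line and still reads "with a vlue of 0 (zero)", with no closing period, while every bullet around it is re-indented by this hunk. Fix the typo and indentation in the same pass so the list is consistent. The separator above that bullet is now `-or -` while the others in the list are `-or-`.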
@@ -475,7 +548,7 @@ You can turn this off by:
- Apply the Group Policy: **User Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Security Features** > **Add-on Management** > **Turn off Automatic download of the ActiveX VersionList**
- -or -
+ -or -
- Changing the REG\_DWORD registry setting **HKEY\_CURRENT\_USER\\Software\\Microsoft\\Internet Explorer\\VersionManager\\DownloadVersionList** to 0 (zero).
@@ -485,11 +558,11 @@ For more info, see [Out-of-date ActiveX control blocking](https://technet.micros
To turn off Live Tiles:
-- Apply the Group Policy: **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Notifications** > **Turn Off notifications network usage**
+- Apply the Group Policy: **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Notifications** > **Turn Off notifications network usage**
- -or-
+ -or-
-- Create a REG\_DWORD registry setting named **NoCloudApplicationNotification** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\PushNotifications** with a value of 1 (one).
+- Create a REG\_DWORD registry setting named **NoCloudApplicationNotification** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\PushNotifications** with a value of 1 (one).
In Windows 10 Mobile, you must also unpin all tiles that are pinned to Start.
@@ -497,31 +570,31 @@ In Windows 10 Mobile, you must also unpin all tiles that are pinned to Start.
To turn off mail synchronization for Microsoft Accounts that are configured on a device:
-- In **Settings** > **Accounts** > **Your email and accounts**, remove any connected Microsoft Accounts.
+- In **Settings** > **Accounts** > **Your email and accounts**, remove any connected Microsoft Accounts.
- -or-
+ -or-
-- Remove any Microsoft Accounts from the Mail app.
+- Remove any Microsoft Accounts from the Mail app.
- -or-
+ -or-
-- Apply the Accounts/AllowMicrosoftAccountConnection MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is not allowed and 1 is allowed. This does not apply to Microsoft Accounts that have already been configured on the device.
+- Apply the Accounts/AllowMicrosoftAccountConnection MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is not allowed and 1 is allowed. This does not apply to Microsoft Accounts that have already been configured on the device.
To turn off the Windows Mail app:
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Mail** > **Turn off Windows Mail application**
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Mail** > **Turn off Windows Mail application**
- -or-
+ -or-
-- Create a REG\_DWORD registry setting named **ManualLaunchAllowed** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Mail** with a value of 0 (zero).
+- Create a REG\_DWORD registry setting named **ManualLaunchAllowed** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Mail** with a value of 0 (zero).
### 11. Microsoft Account
To prevent communication to the Microsoft Account cloud authentication service. Many apps and system components that depend on Microsoft Account authentication may lose functionality. Some of them could be in unexpected ways.
-- Apply the Group Policy: **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options** > **Accounts: Block Microsoft Accounts** and set it to **Users can't add Microsoft accounts**.
+- Apply the Group Policy: **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options** > **Accounts: Block Microsoft Accounts** and set it to **Users can't add Microsoft accounts**.
- -or-
+ -or-
- Create a REG\_DWORD registry setting named **NoConnectedUser** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System** with a value of 3.
To disable the Microsoft Account Sign-In Assistant:
@@ -547,7 +620,7 @@ Find the Microsoft Edge Group Policy objects under **Computer Configuration** &g
| Configure Do Not Track | Choose whether employees can send Do Not Track headers.
Default: Disabled |
| Configure Password Manager | Choose whether employees can save passwords locally on their devices.
Default: Enabled |
| Configure search suggestions in Address Bar | Choose whether the Address Bar shows search suggestions.
Default: Enabled |
-| Configure Windows Defender SmartScreen Filter (Windows 10, version 1703)
Configure SmartScreen Filter (Windows Server 2016) | Choose whether Windows Defender SmartScreen is turned on or off.
Default: Enabled |
+| Configure Windows Defender SmartScreen (Windows 10, version 1703) | Choose whether Windows Defender SmartScreen is turned on or off.
Default: Enabled |
| Allow web content on New Tab page | Choose whether a new tab page appears.
Default: Enabled |
| Configure Start pages | Choose the Start page for domain-joined devices.
Set this to **\** |
| Prevent the First Run webpage from opening on Microsoft Edge | Choose whether employees see the First Run webpage.
Default: Disabled |
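Review bot: the replacement row removes "Configure SmartScreen Filter (Windows Server 2016)" from the policy-name column, yet Windows Server 2016 remains in the Applies to list at the top of this article. Server 2016 administrators will no longer find the policy name that applies to them. Either keep the Server 2016 name in the row or say which name applies there and on Windows Server 2019.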
@@ -606,48 +679,48 @@ In versions of Windows 10 prior to Windows 10, version 1607 and Windows Server 2
You can turn off NCSI by doing one of the following:
-- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Windows Network Connectivity Status Indicator active tests**
+- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Windows Network Connectivity Status Indicator active tests**
-- In Windows 10, version 1703 and later, apply the Connectivity/DisallowNetworkConnectivityActiveTests MDM policy.
+- In Windows 10, version 1703 and later, apply the Connectivity/DisallowNetworkConnectivityActiveTests MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-connectivity#connectivity-disallownetworkconnectivityactivetests) with a value of 1.
> [!NOTE]
> After you apply this policy, you must restart the device for the policy setting to take effect.
-or-
-- Create a REG\_DWORD registry setting named **NoActiveProbe** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\NetworkConnectivityStatusIndicator** with a value of 1 (one).
+- Create a REG\_DWORD registry setting named **NoActiveProbe** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\NetworkConnectivityStatusIndicator** with a value of 1 (one).
### 14. Offline maps
You can turn off the ability to download and update offline maps.
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off Automatic Download and Update of Map Data**
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off Automatic Download and Update of Map Data**
- -or-
+ -or-
-- Create a REG\_DWORD registry setting named **AutoDownloadAndUpdateMapData** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Maps** with a value of 0 (zero).
+- Create a REG\_DWORD registry setting named **AutoDownloadAndUpdateMapData** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Maps** with a value of 0 (zero).
- -and-
+ -and-
- In Windows 10, version 1607 and later, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off unsolicited network traffic on the Offline Maps settings page**
- -or-
+ -or-
-- Create a REG\_DWORD registry setting named **AllowUntriggeredNetworkTrafficOnSettingsPage** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Maps** with a value of 0 (zero).
+- Create a REG\_DWORD registry setting named **AllowUntriggeredNetworkTrafficOnSettingsPage** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Maps** with a value of 0 (zero).
### 15. OneDrive
To turn off OneDrive in your organization:
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **OneDrive** > **Prevent the usage of OneDrive for file storage**
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **OneDrive** > **Prevent the usage of OneDrive for file storage**
- -or-
+ -or-
-- Create a REG\_DWORD registry setting named **DisableFileSyncNGSC** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\OneDrive** with a value of 1 (one).
+- Create a REG\_DWORD registry setting named **DisableFileSyncNGSC** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\OneDrive** with a value of 1 (one).
- -and-
+ -and-
-- Create a REG\_DWORD registry setting named **PreventNetworkTrafficPreUserSignIn** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\OneDrive** with a value of 1 (one).
+- Create a REG\_DWORD registry setting named **PreventNetworkTrafficPreUserSignIn** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\OneDrive** with a value of 1 (one).
### 16. Preinstalled apps
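Review bot: in the NCSI list, the Group Policy bullet and the rewritten MDM bullet are not separated by `-or-`, although the lead-in says "by doing one of the following" and the registry bullet below is separated that way. Add the separator so it is clear the MDM policy is an alternative and not an additional required step. The `-or-` after the restart note is the only unindented separator left in this hunk; indent it like the others.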
@@ -655,117 +728,117 @@ Some preinstalled apps get content before they are opened to ensure a great expe
To remove the News app:
-- Right-click the app in Start, and then click **Uninstall**.
+- Right-click the app in Start, and then click **Uninstall**.
- -or-
+ -or-
-- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingNews"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingNews"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
- -and-
+ -and-
Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingNews | Remove-AppxPackage**
To remove the Weather app:
-- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingWeather"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingWeather"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
- -and-
+ -and-
Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingWeather | Remove-AppxPackage**
To remove the Money app:
-- Right-click the app in Start, and then click **Uninstall**.
+- Right-click the app in Start, and then click **Uninstall**.
- -or-
+ -or-
-- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingFinance"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingFinance"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
- -and-
+ -and-
Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingFinance | Remove-AppxPackage**
To remove the Sports app:
-- Right-click the app in Start, and then click **Uninstall**.
+- Right-click the app in Start, and then click **Uninstall**.
- -or-
+ -or-
-- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingSports"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingSports"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
- -and-
+ -and-
Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingSports | Remove-AppxPackage**
To remove the Twitter app:
-- Right-click the app in Start, and then click **Uninstall**.
+- Right-click the app in Start, and then click **Uninstall**.
- -or-
+ -or-
-- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "\*.Twitter"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "\*.Twitter"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
- -and-
+ -and-
Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage \*.Twitter | Remove-AppxPackage**
To remove the XBOX app:
-- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.XboxApp"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.XboxApp"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
- -and-
+ -and-
Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.XboxApp | Remove-AppxPackage**
To remove the Sway app:
-- Right-click the app in Start, and then click **Uninstall**.
+- Right-click the app in Start, and then click **Uninstall**.
- -or-
+ -or-
-- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.Office.Sway"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.Office.Sway"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
- -and-
+ -and-
Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.Office.Sway | Remove-AppxPackage**
To remove the OneNote app:
-- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.Office.OneNote"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.Office.OneNote"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
- -and-
+ -and-
Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.Office.OneNote | Remove-AppxPackage**
To remove the Get Office app:
-- Right-click the app in Start, and then click **Uninstall**.
+- Right-click the app in Start, and then click **Uninstall**.
- -or-
+ -or-
-- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.MicrosoftOfficeHub"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.MicrosoftOfficeHub"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
- -and-
+ -and-
Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.MicrosoftOfficeHub | Remove-AppxPackage**
To remove the Get Skype app:
-- Right-click the Sports app in Start, and then click **Uninstall**.
+- Right-click the Sports app in Start, and then click **Uninstall**.
- -or-
+ -or-
-- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.SkypeApp"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.SkypeApp"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
- -and-
+ -and-
Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.SkypeApp | Remove-AppxPackage**
To remove the Sticky notes app:
-- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.MicrosoftStickyNotes"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.MicrosoftStickyNotes"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
- -and-
+ -and-
Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.MicrosoftStickyNotes | Remove-AppxPackage**
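Review bot: under "To remove the Get Skype app", the re-indented bullet still reads "Right-click the Sports app in Start", a copy-paste slip from the Sports section; it should read "Right-click the app in Start" like the other entries. Separately, the provisioned-package filters in this hunk use `-Like` with no wildcard (for example `-Like "Microsoft.SkypeApp"`). A provisioned PackageName carries version and publisher suffixes, so these filters act as exact matches and will likely match nothing. Consider a trailing wildcard such as `"Microsoft.SkypeApp*"`, and check the output of Get-AppxProvisionedPackage -Online before piping to removal.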
@@ -773,43 +846,43 @@ To remove the Sticky notes app:
Use Settings > Privacy to configure some settings that may be important to your organization. Except for the Feedback & Diagnostics page, these settings must be configured for every user account that signs into the PC.
-- [17.1 General](#bkmk-general)
+- [17.1 General](#bkmk-general)
-- [17.2 Location](#bkmk-priv-location)
+- [17.2 Location](#bkmk-priv-location)
-- [17.3 Camera](#bkmk-priv-camera)
+- [17.3 Camera](#bkmk-priv-camera)
-- [17.4 Microphone](#bkmk-priv-microphone)
+- [17.4 Microphone](#bkmk-priv-microphone)
-- [17.5 Notifications](#bkmk-priv-notifications)
+- [17.5 Notifications](#bkmk-priv-notifications)
-- [17.6 Speech, inking, & typing](#bkmk-priv-speech)
+- [17.6 Speech, inking, & typing](#bkmk-priv-speech)
-- [17.7 Account info](#bkmk-priv-accounts)
+- [17.7 Account info](#bkmk-priv-accounts)
-- [17.8 Contacts](#bkmk-priv-contacts)
+- [17.8 Contacts](#bkmk-priv-contacts)
-- [17.9 Calendar](#bkmk-priv-calendar)
+- [17.9 Calendar](#bkmk-priv-calendar)
-- [17.10 Call history](#bkmk-priv-callhistory)
+- [17.10 Call history](#bkmk-priv-callhistory)
-- [17.11 Email](#bkmk-priv-email)
+- [17.11 Email](#bkmk-priv-email)
-- [17.12 Messaging](#bkmk-priv-messaging)
+- [17.12 Messaging](#bkmk-priv-messaging)
-- [17.13 Radios](#bkmk-priv-radios)
+- [17.13 Radios](#bkmk-priv-radios)
-- [17.14 Other devices](#bkmk-priv-other-devices)
+- [17.14 Other devices](#bkmk-priv-other-devices)
-- [17.15 Feedback & diagnostics](#bkmk-priv-feedback)
+- [17.15 Feedback & diagnostics](#bkmk-priv-feedback)
-- [17.16 Background apps](#bkmk-priv-background)
+- [17.16 Background apps](#bkmk-priv-background)
-- [17.17 Motion](#bkmk-priv-motion)
+- [17.17 Motion](#bkmk-priv-motion)
-- [17.18 Tasks](#bkmk-priv-tasks)
+- [17.18 Tasks](#bkmk-priv-tasks)
-- [17.19 App Diagnostics](#bkmk-priv-diag)
+- [17.19 App Diagnostics](#bkmk-priv-diag)
### 17.1 General
@@ -822,33 +895,33 @@ To turn off **Let apps use advertising ID to make ads more interesting to you ba
> [!NOTE]
> When you turn this feature off in the UI, it turns off the advertising ID, not just resets it.
-- Turn off the feature in the UI.
+- Turn off the feature in the UI.
- -or-
+ -or-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles** > **Turn off the advertising ID**.
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles** > **Turn off the advertising ID**.
- -or-
+ -or-
-- Create a REG\_DWORD registry setting named **Enabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AdvertisingInfo** with a value of 0 (zero).
+- Create a REG\_DWORD registry setting named **Enabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AdvertisingInfo** with a value of 0 (zero).
- -or-
+ -or-
-- Create a REG\_DWORD registry setting named **DisabledByGroupPolicy** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\AdvertisingInfo** with a value of 1 (one).
+- Create a REG\_DWORD registry setting named **DisabledByGroupPolicy** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\AdvertisingInfo** with a value of 1 (one).
To turn off **Let websites provide locally relevant content by accessing my language list**:
-- Turn off the feature in the UI.
+- Turn off the feature in the UI.
- -or-
+ -or-
-- Create a new REG\_DWORD registry setting named **HttpAcceptLanguageOptOut** in **HKEY\_CURRENT\_USER\\Control Panel\\International\\User Profile** with a value of 1.
+- Create a new REG\_DWORD registry setting named **HttpAcceptLanguageOptOut** in **HKEY\_CURRENT\_USER\\Control Panel\\International\\User Profile** with a value of 1.
To turn off **Let Windows track app launches to improve Start and search results**:
-- Turn off the feature in the UI.
+- Turn off the feature in the UI.
- -or-
+ -or-
- Create a REG_DWORD registry setting named **Start_TrackProgs** in **HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced** with value of 0 (zero).
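Review bot: the last bullet in this hunk (Start_TrackProgs) writes REG_DWORD and the HKEY_CURRENT_USER path with unescaped underscores and single backslashes, while every re-indented bullet above it keeps the escaped REG\_DWORD and \\ form. Pick one convention for the section, and change "with value of 0" to "with a value of 0" while the line is open.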
@@ -859,51 +932,33 @@ To turn off **Let apps use my advertising ID for experiences across apps (turnin
> [!NOTE]
> When you turn this feature off in the UI, it turns off the advertising ID, not just resets it.
-- Turn off the feature in the UI.
+- Turn off the feature in the UI.
- -or-
+ -or-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles** > **Turn off the advertising ID**.
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles** > **Turn off the advertising ID**.
- -or-
+ -or-
-- Create a REG\_DWORD registry setting named **Enabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AdvertisingInfo** with a value of 0 (zero).
+- Create a REG\_DWORD registry setting named **Enabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AdvertisingInfo** with a value of 0 (zero).
- -or-
+ -or-
-- Create a REG\_DWORD registry setting named **DisabledByGroupPolicy** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\AdvertisingInfo** with a value of 1 (one).
+- Create a REG\_DWORD registry setting named **DisabledByGroupPolicy** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\AdvertisingInfo** with a value of 1 (one).
To turn off **Turn on SmartScreen Filter to check web content (URLs) that Microsoft Store apps use**:
-- Turn off the feature in the UI.
+- Turn off the feature in the UI.
- -or-
+ -or-
-- In Windows Server 2016, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge** > **Configure SmartScreen Filter**.
- In Windows 10, version 1703, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge** > **Configure Windows Defender SmartScreen Filter**.
+- Create a provisioning package, using:
+ - For Internet Explorer: **Runtime settings > Policies > Browser > AllowSmartScreen**
+ - For Microsoft Edge: **Runtime settings > Policies > MicrosoftEdge > AllowSmartScreen**
- In Windows Server 2016, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **File Explorer** > **Configure Windows SmartScreen**.
- In Windows 10, version 1703 , apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **File Explorer** > **Configure Windows Defender SmartScreen**.
+ -or-
- -or-
-
-- Apply the Browser/AllowSmartScreen MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is turned off and 1 is turned on.
-
- -or-
-
-- Create a provisioning package, using:
-
- - For Internet Explorer: **Runtime settings** > **Policies** > **Browser** > **AllowSmartScreen**
-
- - For Microsoft Edge: **Runtime settings** > **Policies** > **MicrosoftEdge** > **AllowSmartScreen**
-
- -or-
-
-- Create a REG\_DWORD registry setting named **EnableWebContentEvaluation** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppHost** with a value of 0 (zero).
-
- -or-
-
-- Create a REG\_DWORD registry setting named **EnableSmartScreen** in **HKEY\_LOCAL\_MACHINE\\Sofware\\Policies\\Microsoft\\Windows\\System** with a value of 0 (zero).
+- Create a REG_DWORD registry setting named **EnableWebContentEvaluation** in **HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost** with a value of 0 (zero).
To turn off **Send Microsoft info about how I write to help us improve typing and writing in the future**:
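Review bot: the SmartScreen list loses its structure here. The new "Create a provisioning package" bullet lands between the Microsoft Edge and File Explorer Group Policy bullets with no -or- separators, and the added -or- sits directly above a removed one. The hunk also drops the Browser/AllowSmartScreen MDM option, the Windows Server 2016 Microsoft Edge Group Policy line and the HKLM EnableSmartScreen registry option without replacement. If those removals are intended, state it in the commit message; if the registry bullet was dropped because of its "Sofware" path typo, correct the path instead. The new EnableWebContentEvaluation line also switches to unescaped underscores, unlike its neighbours.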
@@ -912,35 +967,35 @@ To turn off **Send Microsoft info about how I write to help us improve typing an
-- Turn off the feature in the UI.
+- Turn off the feature in the UI.
- -or-
+ -or-
-- Apply the TextInput/AllowLinguisticDataCollection MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where:
+- Apply the TextInput/AllowLinguisticDataCollection MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where:
- - **0**. Not allowed
+ - **0**. Not allowed
- - **1**. Allowed (default)
+ - **1**. Allowed (default)
To turn off **Let websites provide locally relevant content by accessing my language list**:
-- Turn off the feature in the UI.
+- Turn off the feature in the UI.
- -or-
+ -or-
-- Create a new REG\_DWORD registry setting named **HttpAcceptLanguageOptOut** in **HKEY\_CURRENT\_USER\\Control Panel\\International\\User Profile** with a value of 1.
+- Create a new REG\_DWORD registry setting named **HttpAcceptLanguageOptOut** in **HKEY\_CURRENT\_USER\\Control Panel\\International\\User Profile** with a value of 1.
To turn off **Let apps on my other devices open apps and continue experiences on this devices**:
- Turn off the feature in the UI.
- -or-
+ -or-
-- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Group Policy** > **Continue experiences on this device**.
+- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Group Policy** > **Continue experiences on this device**.
- -or-
+ -or-
-- Create a REG\_DWORD registry setting named **EnableCdp** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System** with a value of 0 (zero).
+- Create a REG\_DWORD registry setting named **EnableCdp** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System** with a value of 0 (zero).
To turn off **Let apps on my other devices use Bluetooth to open apps and continue experiences on this device**:
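Review bot: the context heading "Let apps on my other devices open apps and continue experiences on this devices" has a plural slip ("this devices"); since the list under it is being touched, change it to "this device" to match the Group Policy name quoted two bullets later. The first bullet under that heading ("Turn off the feature in the UI.") is also the only one in the hunk left without the re-indent, so check that it renders at the same list level as the rest.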
@@ -952,58 +1007,58 @@ In the **Location** area, you choose whether devices have access to location-spe
To turn off **Location for this device**:
-- Click the **Change** button in the UI.
+- Click the **Change** button in the UI.
- -or-
+ -or-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Location and Sensors** > **Turn off location**.
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Location and Sensors** > **Turn off location**.
- -or-
+ -or-
-- Create a REG\_DWORD registry setting named **LetAppsAccessLocation** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
+- Create a REG\_DWORD registry setting named **LetAppsAccessLocation** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
- -or-
+ -or-
-- Apply the System/AllowLocation MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
+- Apply the System/AllowLocation MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
- - **0**. Turned off and the employee can't turn it back on.
+ - **0**. Turned off and the employee can't turn it back on.
- - **1**. Turned on, but lets the employee choose whether to use it. (default)
+ - **1**. Turned on, but lets the employee choose whether to use it. (default)
- - **2**. Turned on and the employee can't turn it off.
+ - **2**. Turned on and the employee can't turn it off.
> [!NOTE]
> You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](https://msdn.microsoft.com/library/dn905224.aspx).
- -or-
+ -or-
-- Create a provisioning package, using **Runtime settings** > **Policies** > **System** > **AllowLocation**, where
+- Create a provisioning package, using **Runtime settings** > **Policies** > **System** > **AllowLocation**, where
- - **No**. Turns off location service.
+ - **No**. Turns off location service.
- - **Yes**. Turns on location service. (default)
+ - **Yes**. Turns on location service. (default)
To turn off **Location**:
-- Turn off the feature in the UI.
+- Turn off the feature in the UI.
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access location**
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access location**
- - Set the **Select a setting** box to **Force Deny**.
+ - Set the **Select a setting** box to **Force Deny**.
- -or-
+ -or-
-- Create a REG\_DWORD registry setting named **DisableLocation** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\LocationAndSensors** with a value of 1 (one).
+- Create a REG\_DWORD registry setting named **DisableLocation** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\LocationAndSensors** with a value of 1 (one).
- -or-
+ -or-
To turn off **Location history**:
-- Erase the history using the **Clear** button in the UI.
+- Erase the history using the **Clear** button in the UI.
To turn off **Choose apps that can use your location**:
-- Turn off each app using the UI.
+- Turn off each app using the UI.
### 17.3 Camera
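Review bot: in the two Location lists the registry bullets look swapped relative to the Group Policy bullets beside them. "Location and Sensors > Turn off location" is paired with AppPrivacy\LetAppsAccessLocation = 2, while "App Privacy > Let Windows apps access location" is paired with LocationAndSensors\DisableLocation = 1; each registry value belongs with the policy of the matching name. The "To turn off Location" list also has no -or- between its first two bullets and ends on a dangling -or- with nothing after it.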
@@ -1011,40 +1066,40 @@ In the **Camera** area, you can choose which apps can access a device's camera.
To turn off **Let apps use my camera**:
-- Turn off the feature in the UI.
+- Turn off the feature in the UI.
- -or-
+ -or-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the camera**
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the camera**
- - Set the **Select a setting** box to **Force Deny**.
+ - Set the **Select a setting** box to **Force Deny**.
- -or-
+ -or-
-- Create a REG\_DWORD registry setting named **LetAppsAccessCamera** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
+- Create a REG\_DWORD registry setting named **LetAppsAccessCamera** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
- -or-
+ -or-
-- Apply the Camera/AllowCamera MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
+- Apply the Camera/AllowCamera MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
- - **0**. Apps can't use the camera.
+ - **0**. Apps can't use the camera.
- - **1**. Apps can use the camera.
+ - **1**. Apps can use the camera.
> [!NOTE]
> You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](https://msdn.microsoft.com/library/dn905224.aspx).
- -or-
+ -or-
-- Create a provisioning package with use Windows ICD, using **Runtime settings** > **Policies** > **Camera** > **AllowCamera**, where:
+- Create a provisioning package with use Windows ICD, using **Runtime settings** > **Policies** > **Camera** > **AllowCamera**, where:
- - **0**. Apps can't use the camera.
+ - **0**. Apps can't use the camera.
- - **1**. Apps can use the camera.
+ - **1**. Apps can use the camera.
To turn off **Choose apps that can use your camera**:
-- Turn off the feature in the UI for each app.
+- Turn off the feature in the UI for each app.
### 17.4 Microphone
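Review bot: the provisioning-package bullet reads "Create a provisioning package with use Windows ICD, using ..."; "with use" is garbled. Suggest "Create a provisioning package by using Windows ICD: Runtime settings > Policies > Camera > AllowCamera, where:". The line is already being rewritten for indentation, so this is the place to fix it.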
@@ -1052,29 +1107,29 @@ In the **Microphone** area, you can choose which apps can access a device's micr
To turn off **Let apps use my microphone**:
-- Turn off the feature in the UI.
+- Turn off the feature in the UI.
- -or-
+ -or-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the microphone**
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the microphone**
- - Set the **Select a setting** box to **Force Deny**.
+ - Set the **Select a setting** box to **Force Deny**.
- -or-
+ -or-
-- Apply the Privacy/LetAppsAccessMicrophone MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessmicrophone), where:
+- Apply the Privacy/LetAppsAccessMicrophone MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessmicrophone), where:
- - **0**. User in control
- - **1**. Force allow
- - **2**. Force deny
+ - **0**. User in control
+ - **1**. Force allow
+ - **2**. Force deny
- -or-
+ -or-
-- Create a REG\_DWORD registry setting named **LetAppsAccessMicrophone** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two)
+- Create a REG\_DWORD registry setting named **LetAppsAccessMicrophone** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two)
To turn off **Choose apps that can use your microphone**:
-- Turn off the feature in the UI for each app.
+- Turn off the feature in the UI for each app.
### 17.5 Notifications
@@ -1083,45 +1138,45 @@ To turn off **Choose apps that can use your microphone**:
To turn off notifications network usage:
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Notifications** > **Turn off Notifications network usage**
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Notifications** > **Turn off Notifications network usage**
- - Set to **Enabled**.
+ - Set to **Enabled**.
- -or-
+ -or-
-- Create a REG\_DWORD registry setting named **NoCloudApplicationNotification** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\PushNotifications** with a value of 1 (one)
+- Create a REG\_DWORD registry setting named **NoCloudApplicationNotification** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\PushNotifications** with a value of 1 (one)
- -or-
+ -or-
-- Apply the Notifications/DisallowCloudNotification MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-notifications#notifications-disallowcloudnotification), where:
+- Apply the Notifications/DisallowCloudNotification MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-notifications#notifications-disallowcloudnotification), where:
- - **0**. WNS notifications allowed
- - **1**. No WNS notifications allowed
+ - **0**. WNS notifications allowed
+ - **1**. No WNS notifications allowed
In the **Notifications** area, you can also choose which apps have access to notifications.
To turn off **Let apps access my notifications**:
-- Turn off the feature in the UI.
+- Turn off the feature in the UI.
- -or-
+ -or-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access notifications**
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access notifications**
- - Set the **Select a setting** box to **Force Deny**.
+ - Set the **Select a setting** box to **Force Deny**.
- -or-
+ -or-
-- Apply the Privacy/LetAppsAccessNotifications MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessnotifications), where:
+- Apply the Privacy/LetAppsAccessNotifications MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessnotifications), where:
- - **0**. User in control
- - **1**. Force allow
- - **2**. Force deny
+ - **0**. User in control
+ - **1**. Force allow
+ - **2**. Force deny
- -or-
+ -or-
-- Create a REG\_DWORD registry setting named **LetAppsAccessNotifications** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two)
+- Create a REG\_DWORD registry setting named **LetAppsAccessNotifications** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two)
### 17.6 Speech, inking, & typing
@@ -1132,19 +1187,19 @@ In the **Speech, Inking, & Typing** area, you can let Windows and Cortana better
To turn off the functionality:
-- Click the **Stop getting to know me** button, and then click **Turn off**.
+- Click the **Stop getting to know me** button, and then click **Turn off**.
- -or-
+ -or-
-- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Regional and Language Options** > **Handwriting personalization** > **Turn off automatic learning**
+- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Regional and Language Options** > **Handwriting personalization** > **Turn off automatic learning**
- -or-
+ -or-
-- Create a REG\_DWORD registry setting named **RestrictImplicitInkCollection** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\InputPersonalization** with a value of 1 (one).
+- Create a REG\_DWORD registry setting named **RestrictImplicitInkCollection** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\InputPersonalization** with a value of 1 (one).
- -or-
+ -or-
-- Create a REG\_DWORD registry setting named **AcceptedPrivacyPolicy** in **HKEY\_CURRENT\_USER\\Software\\Microsoft\\Personalization\\Settings** with a value of 0 (zero).
+- Create a REG\_DWORD registry setting named **AcceptedPrivacyPolicy** in **HKEY\_CURRENT\_USER\\Software\\Microsoft\\Personalization\\Settings** with a value of 0 (zero).
-and-
@@ -1158,10 +1213,10 @@ If you're running at least Windows 10, version 1607, you can turn off updates to
Apply the Speech/AllowSpeechModelUpdate MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962(v=vs.85).aspx#Speech_AllowSpeechModelUpdate), where:
-- **0** (default). Not allowed.
-- **1**. Allowed.
+- **0** (default). Not allowed.
+- **1**. Allowed.
- -or-
+ -or-
- Create a REG\_DWORD registry setting named **ModelDownloadAllowed** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Preferences** with a value of 0 (zero).
@@ -1171,29 +1226,29 @@ In the **Account Info** area, you can choose which apps can access your name, pi
To turn off **Let apps access my name, picture, and other account info**:
-- Turn off the feature in the UI.
+- Turn off the feature in the UI.
- -or-
+ -or-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access account information**
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access account information**
- - Set the **Select a setting** box to **Force Deny**.
+ - Set the **Select a setting** box to **Force Deny**.
- -or-
+ -or-
-- Apply the Privacy/LetAppsAccessAccountInfo MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessaccountinfo), where:
+- Apply the Privacy/LetAppsAccessAccountInfo MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessaccountinfo), where:
- - **0**. User in control
- - **1**. Force allow
- - **2**. Force deny
+ - **0**. User in control
+ - **1**. Force allow
+ - **2**. Force deny
- -or-
+ -or-
- Create a REG\_DWORD registry setting named **LetAppsAccessAccountInfo** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
To turn off **Choose the apps that can access your account info**:
-- Turn off the feature in the UI for each app.
+- Turn off the feature in the UI for each app.
### 17.8 Contacts
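Review bot: the registry bullet that closes the Account info list points at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\AppPrivacy, whereas the LetAppsAccess* values in the Camera, Microphone and Notifications hunks all use ...\Software\Policies\Microsoft\Windows\AppPrivacy. Confirm which key is correct and align them, since a value written outside the Policies key may not be honoured as policy. The same path form appears in the Contacts and Calendar hunks that follow.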
@@ -1201,23 +1256,23 @@ In the **Contacts** area, you can choose which apps can access an employee's con
To turn off **Choose apps that can access contacts**:
-- Turn off the feature in the UI for each app.
+- Turn off the feature in the UI for each app.
- -or-
+ -or-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access contacts**
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access contacts**
- - Set the **Select a setting** box to **Force Deny**.
+ - Set the **Select a setting** box to **Force Deny**.
- -or-
+ -or-
-- Apply the Privacy/LetAppsAccessContacts MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccesscontacts), where:
+- Apply the Privacy/LetAppsAccessContacts MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccesscontacts), where:
- - **0**. User in control
- - **1**. Force allow
- - **2**. Force deny
+ - **0**. User in control
+ - **1**. Force allow
+ - **2**. Force deny
- -or-
+ -or-
- Create a REG\_DWORD registry setting named **LetAppsAccessContacts** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
@@ -1227,29 +1282,29 @@ In the **Calendar** area, you can choose which apps have access to an employee's
To turn off **Let apps access my calendar**:
-- Turn off the feature in the UI.
+- Turn off the feature in the UI.
- -or-
+ -or-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the calendar**
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the calendar**
- - Set the **Select a setting** box to **Force Deny**.
+ - Set the **Select a setting** box to **Force Deny**.
- -or-
+ -or-
-- Apply the Privacy/LetAppsAccessCalendar MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccesscalendar), where:
+- Apply the Privacy/LetAppsAccessCalendar MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccesscalendar), where:
- - **0**. User in control
- - **1**. Force allow
- - **2**. Force deny
+ - **0**. User in control
+ - **1**. Force allow
+ - **2**. Force deny
- -or-
+ -or-
- Create a REG\_DWORD registry setting named **LetAppsAccessCalendar** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
To turn off **Choose apps that can access calendar**:
-- Turn off the feature in the UI for each app.
+- Turn off the feature in the UI for each app.
### 17.10 Call history
@@ -1257,25 +1312,25 @@ In the **Call history** area, you can choose which apps have access to an employ
To turn off **Let apps access my call history**:
-- Turn off the feature in the UI.
+- Turn off the feature in the UI.
- -or-
+ -or-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access call history**
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access call history**
- - Set the **Select a setting** box to **Force Deny**.
+ - Set the **Select a setting** box to **Force Deny**.
- -or-
+ -or-
- - Apply the Privacy/LetAppsAccessCallHistory MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccesscallhistory), where:
+ - Apply the Privacy/LetAppsAccessCallHistory MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccesscallhistory), where:
- - **0**. User in control
- - **1**. Force allow
- - **2**. Force deny
+ - **0**. User in control
+ - **1**. Force allow
+ - **2**. Force deny
- -or-
+ -or-
-- Create a REG\_DWORD registry setting named **LetAppsAccessCallHistory** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
+- Create a REG\_DWORD registry setting named **LetAppsAccessCallHistory** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
### 17.11 Email
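Review bot: The Privacy/LetAppsAccessCallHistory MDM bullet is still indented on the + side (`+ - Apply the Privacy/LetAppsAccessCallHistory MDM policy ...`), whereas the Group Policy and registry bullets in the same list are flush left (`+- Apply the Group Policy`, `+- Create a REG\_DWORD`). As written it is likely to render nested under the preceding item instead of as a separate alternative. Bring it flush left, as in the Contacts and Calendar sections. The LetAppsAccessEmail bullet in the next hunk has the same indentation.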
@@ -1283,25 +1338,25 @@ In the **Email** area, you can choose which apps have can access and send email.
To turn off **Let apps access and send email**:
-- Turn off the feature in the UI.
+- Turn off the feature in the UI.
- -or-
+ -or-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access email**
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access email**
- - Set the **Select a setting** box to **Force Deny**.
+ - Set the **Select a setting** box to **Force Deny**.
- -or-
+ -or-
- - Apply the Privacy/LetAppsAccessEmail MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessemail), where:
+ - Apply the Privacy/LetAppsAccessEmail MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessemail), where:
- - **0**. User in control
- - **1**. Force allow
- - **2**. Force deny
+ - **0**. User in control
+ - **1**. Force allow
+ - **2**. Force deny
- -or-
+ -or-
-- Create a REG\_DWORD registry setting named **LetAppsAccessEmail** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
+- Create a REG\_DWORD registry setting named **LetAppsAccessEmail** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
### 17.12 Messaging
@@ -1309,29 +1364,29 @@ In the **Messaging** area, you can choose which apps can read or send messages.
To turn off **Let apps read or send messages (text or MMS)**:
-- Turn off the feature in the UI.
+- Turn off the feature in the UI.
- -or-
+ -or-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access messaging**
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access messaging**
- - Set the **Select a setting** box to **Force Deny**.
+ - Set the **Select a setting** box to **Force Deny**.
- -or-
+ -or-
-- Apply the Privacy/LetAppsAccessMessaging MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessmessaging), where:
+- Apply the Privacy/LetAppsAccessMessaging MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessmessaging), where:
- - **0**. User in control
- - **1**. Force allow
- - **2**. Force deny
+ - **0**. User in control
+ - **1**. Force allow
+ - **2**. Force deny
- -or-
+ -or-
-- Create a REG\_DWORD registry setting named **LetAppsAccessMessaging** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
+- Create a REG\_DWORD registry setting named **LetAppsAccessMessaging** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
To turn off **Choose apps that can read or send messages**:
-- Turn off the feature in the UI for each app.
+- Turn off the feature in the UI for each app.
### 17.13 Phone calls
@@ -1339,30 +1394,30 @@ In the **Phone calls** area, you can choose which apps can make phone calls.
To turn off **Let apps make phone calls**:
-- Turn off the feature in the UI.
+- Turn off the feature in the UI.
- -or-
+ -or-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps make phone calls**
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps make phone calls**
- - Set the **Select a setting** box to **Force Deny**.
+ - Set the **Select a setting** box to **Force Deny**.
- -or-
+ -or-
-- Apply the Privacy/LetAppsAccessPhone MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessphone), where:
+- Apply the Privacy/LetAppsAccessPhone MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessphone), where:
- - **0**. User in control
- - **1**. Force allow
- - **2**. Force deny
+ - **0**. User in control
+ - **1**. Force allow
+ - **2**. Force deny
- -or-
+ -or-
-- Create a REG\_DWORD registry setting named **LetAppsAccessPhone** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
+- Create a REG\_DWORD registry setting named **LetAppsAccessPhone** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
To turn off **Choose apps that can make phone calls**:
-- Turn off the feature in the UI for each app.
+- Turn off the feature in the UI for each app.
### 17.14 Radios
@@ -1370,30 +1425,30 @@ In the **Radios** area, you can choose which apps can turn a device's radio on o
To turn off **Let apps control radios**:
-- Turn off the feature in the UI.
+- Turn off the feature in the UI.
- -or-
+ -or-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps control radios**
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps control radios**
- - Set the **Select a setting** box to **Force Deny**.
+ - Set the **Select a setting** box to **Force Deny**.
- -or-
+ -or-
-- Apply the Privacy/LetAppsAccessRadios MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessradios), where:
+- Apply the Privacy/LetAppsAccessRadios MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessradios), where:
- - **0**. User in control
- - **1**. Force allow
- - **2**. Force deny
+ - **0**. User in control
+ - **1**. Force allow
+ - **2**. Force deny
- -or-
+ -or-
-- Create a REG\_DWORD registry setting named **LetAppsAccessRadios** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
+- Create a REG\_DWORD registry setting named **LetAppsAccessRadios** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
To turn off **Choose apps that can control radios**:
-- Turn off the feature in the UI for each app.
+- Turn off the feature in the UI for each app.
### 17.15 Other devices
@@ -1401,44 +1456,42 @@ In the **Other Devices** area, you can choose whether devices that aren't paired
To turn off **Let apps automatically share and sync info with wireless devices that don't explicitly pair with your PC, tablet, or phone**:
-- Turn off the feature in the UI.
+- Turn off the feature in the UI.
- -or-
+ -or-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps sync with devices**
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps sync with devices**
- -or-
+ -or-
-- Apply the Privacy/LetAppsSyncWithDevices MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappssyncwithdevices), where:
+- Apply the Privacy/LetAppsSyncWithDevices MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappssyncwithdevices), where:
- - **0**. User in control
- - **1**. Force allow
- - **2**. Force deny
+ - **0**. User in control
+ - **1**. Force allow
+ - **2**. Force deny
+ -or-
- -or-
-
-- Create a REG\_DWORD registry setting named **LetAppsSyncWithDevices** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
+- Create a REG\_DWORD registry setting named **LetAppsSyncWithDevices** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
To turn off **Let your apps use your trusted devices (hardware you've already connected, or comes with your PC, tablet, or phone)**:
-- Turn off the feature in the UI.
+- Turn off the feature in the UI.
- -or-
+ -or-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access trusted devices**
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access trusted devices**
- - Set the **Select a setting** box to **Force Deny**.
+- Set the **Select a setting** box to **Force Deny**.
- -or-
+ -or-
-- Apply the **Privacy/LetAppsAccessTrustedDevices** MDM policy from the [Policy CSP](/windows/client-management/mdm/policy-csp-privacy.md#privacy-letappsaccesstrusteddevices
+- Apply the **Privacy/LetAppsAccessTrustedDevices** MDM policy from the [Policy CSP](/windows/client-management/mdm/policy-csp-privacy.md#privacy-letappsaccesstrusteddevices
), where:
- - **0**. User in control
- - **1**. Force allow
- - **2**. Force deny
-
+ - **0**. User in control
+ - **1**. Force allow
+ - **2**. Force deny
### 17.16 Feedback & diagnostics
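Review bot: In the trusted devices list, the sub-step is de-indented to a top-level bullet (`+- Set the **Select a setting** box to **Force Deny**.`), so it now reads as a separate alternative rather than as part of the Let Windows apps access trusted devices Group Policy step. Keep it indented under that bullet, as the other sections do. In the same list the Policy CSP link for Privacy/LetAppsAccessTrustedDevices is still split across two lines, with `), where:` on its own line, which breaks the Markdown link. The Let Windows apps sync with devices bullet higher up also has no Force Deny sub-step, unlike its sibling policies.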
@@ -1451,23 +1504,23 @@ To change how frequently **Windows should ask for my feedback**:
-- To change from **Automatically (Recommended)**, use the drop-down list in the UI.
+- To change from **Automatically (Recommended)**, use the drop-down list in the UI.
- -or-
+ -or-
-- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Do not show feedback notifications**
+- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Do not show feedback notifications**
- -or-
+ -or-
-- Create a REG\_DWORD registry setting named **DoNotShowFeedbackNotifications** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection** with a value of 1 (one).
+- Create a REG\_DWORD registry setting named **DoNotShowFeedbackNotifications** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection** with a value of 1 (one).
- -or-
+ -or-
-- Create the registry keys (REG\_DWORD type):
+- Create the registry keys (REG\_DWORD type):
- - HKEY\_CURRENT\_USER\\Software\\Microsoft\\Siuf\\Rules\\PeriodInNanoSeconds
+ - HKEY\_CURRENT\_USER\\Software\\Microsoft\\Siuf\\Rules\\PeriodInNanoSeconds
- - HKEY\_CURRENT\_USER\\Software\\Microsoft\\Siuf\\Rules\\NumberOfSIUFInPeriod
+ - HKEY\_CURRENT\_USER\\Software\\Microsoft\\Siuf\\Rules\\NumberOfSIUFInPeriod
Based on these settings:
@@ -1482,48 +1535,48 @@ To change how frequently **Windows should ask for my feedback**:
To change the level of diagnostic and usage data sent when you **Send your device data to Microsoft**:
-- Click either the **Basic** or **Full** options.
+- Click either the **Basic** or **Full** options.
- -or-
+ -or-
-- Apply the Group Policy: **Computer Configuration\\Administrative Templates\\Windows Components\\Data Collection And Preview Builds\\Allow Telemetry** and select the appropriate option for your deployment.
+- Apply the Group Policy: **Computer Configuration\\Administrative Templates\\Windows Components\\Data Collection And Preview Builds\\Allow Telemetry** and select the appropriate option for your deployment.
- -or-
+ -or-
-- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry** with a value of 0-3, as appropriate for your deployment (see below for the values for each level).
+- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry** with a value of 0-3, as appropriate for your deployment (see below for the values for each level).
> [!NOTE]
> If the **Security** option is configured by using Group Policy or the Registry, the value will not be reflected in the UI. The **Security** option is only available in Windows 10 Enterprise edition.
- -or-
+ -or-
-- Apply the System/AllowTelemetry MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
+- Apply the System/AllowTelemetry MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
- - **0**. Maps to the **Security** level.
+ - **0**. Maps to the **Security** level.
- - **1**. Maps to the **Basic** level.
+ - **1**. Maps to the **Basic** level.
- - **2**. Maps to the **Enhanced** level.
+ - **2**. Maps to the **Enhanced** level.
- - **3**. Maps to the **Full** level.
+ - **3**. Maps to the **Full** level.
- -or-
+ -or-
-- Create a provisioning package, using **Runtime settings** > **Policies** > **System** > **AllowTelemetry**, where:
+- Create a provisioning package, using **Runtime settings** > **Policies** > **System** > **AllowTelemetry**, where:
- - **0**. Maps to the **Security** level.
+ - **0**. Maps to the **Security** level.
- - **1**. Maps to the **Basic** level.
+ - **1**. Maps to the **Basic** level.
- - **2**. Maps to the **Enhanced** level.
+ - **2**. Maps to the **Enhanced** level.
- - **3**. Maps to the **Full** level.
+ - **3**. Maps to the **Full** level.
To turn off tailored experiences with relevant tips and recommendations by using your diagnostics data:
- Turn off the feature in the UI.
- -or-
+ -or-
- Apply the Group Policy: **User Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not use diagnostic data for tailored experiences**
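Review bot: The registry alternative for the telemetry level gives the value name as the last path component (...\DataCollection\AllowTelemetry) instead of naming the value and its key separately, as the other registry bullets in this file do. Reword it as a REG_DWORD named AllowTelemetry in HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DataCollection. The "see below" pointer could also name the 0-3 levels directly, since the mapping only appears under the MDM and provisioning bullets.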
@@ -1533,25 +1586,25 @@ In the **Background Apps** area, you can choose which apps can run in the backgr
To turn off **Let apps run in the background**:
-- In **Background apps**, set **Let apps run in the background** to **Off**.
+- In **Background apps**, set **Let apps run in the background** to **Off**.
- -or-
+ -or-
-- In **Background apps**, turn off the feature for each app.
+- In **Background apps**, turn off the feature for each app.
- -or-
+ -or-
-- Apply the Group Policy (only applicable for Windows 10, version 1703): **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps run in the background**
+- Apply the Group Policy (only applicable for Windows 10, version 1703): **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps run in the background**
- - Set the **Select a setting** box to **Force Deny**.
+ - Set the **Select a setting** box to **Force Deny**.
- -or-
+ -or-
-- Apply the Privacy/LetAppsRunInBackground MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessruninbackground), where:
+- Apply the Privacy/LetAppsRunInBackground MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessruninbackground), where:
- - **0**. User in control
- - **1**. Force allow
- - **2**. Force deny
+ - **0**. User in control
+ - **1**. Force allow
+ - **2**. Force deny
> [!NOTE]
> Some apps, including Cortana and Search, might not function as expected if you set **Let apps run in the background** to **Force Deny**.
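Review bot: The Policy CSP link on the Privacy/LetAppsRunInBackground bullet ends in the anchor #privacy-letappsaccessruninbackground, which does not match the policy name. The other bullets use an anchor equal to the lowercased policy name (for example #privacy-letappsaccessmotion), so this one should presumably be #privacy-letappsruninbackground. Verify that the link resolves before merging.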
@@ -1562,23 +1615,23 @@ In the **Motion** area, you can choose which apps have access to your motion dat
To turn off **Let Windows and your apps use your motion data and collect motion history**:
-- Turn off the feature in the UI.
+- Turn off the feature in the UI.
- -or-
+ -or-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access motion**
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access motion**
- -or-
+ -or-
-- Apply the Privacy/LetAppsAccessMotion MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessmotion), where:
+- Apply the Privacy/LetAppsAccessMotion MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessmotion), where:
- - **0**. User in control
- - **1**. Force allow
- - **2**. Force deny
+ - **0**. User in control
+ - **1**. Force allow
+ - **2**. Force deny
- -or-
+ -or-
-- Create a REG\_DWORD registry setting named **LetAppsAccessMotion** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
+- Create a REG\_DWORD registry setting named **LetAppsAccessMotion** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
### 17.19 Tasks
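Review bot: The Group Policy bullet for Let Windows apps access motion does not say which option to choose. The sibling sections follow the policy path with "Set the **Select a setting** box to **Force Deny**."; add that sub-step here so the Group Policy route is as explicit as the MDM and registry routes, which both state the value 2.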
@@ -1586,21 +1639,21 @@ In the **Tasks** area, you can choose which apps have access to your tasks.
To turn this off:
-- Turn off the feature in the UI.
+- Turn off the feature in the UI.
- -or-
+ -or-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access Tasks**
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access Tasks**
- - Set the **Select a setting** box to **Force Deny**.
+ - Set the **Select a setting** box to **Force Deny**.
- -or-
+ -or-
-- Apply the Privacy/LetAppsAccessTasks MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccesstasks), where:
+- Apply the Privacy/LetAppsAccessTasks MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccesstasks), where:
- - **0**. User in control
- - **1**. Force allow
- - **2**. Force deny
+ - **0**. User in control
+ - **1**. Force allow
+ - **2**. Force deny
### 17.20 App Diagnostics
@@ -1608,19 +1661,19 @@ In the **App diagnostics** area, you can choose which apps have access to your d
To turn this off:
-- Turn off the feature in the UI.
+- Turn off the feature in the UI.
- -or-
+ -or-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access dignostic information about other apps**
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access dignostic information about other apps**
- -or-
+ -or-
-- Apply the Privacy/LetAppsGetDiagnosticInfo MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsgetdiagnosticinfo), where:
+- Apply the Privacy/LetAppsGetDiagnosticInfo MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsgetdiagnosticinfo), where:
- - **0**. User in control
- - **1**. Force allow
- - **2**. Force deny
+ - **0**. User in control
+ - **1**. Force allow
+ - **2**. Force deny
### 18. Software Protection Platform
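Review bot: The re-added Group Policy line keeps the typo "dignostic" in the policy name (`Let Windows apps access dignostic information about other apps`). Correct it to "diagnostic" while the line is being touched, so that the text matches what an administrator will search for in the Group Policy editor.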
@@ -1631,11 +1684,11 @@ For Windows 10:
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Validation**
- -or-
+ -or-
-- Apply the Licensing/DisallowKMSClientOnlineAVSValidation MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is disabled (default) and 1 is enabled.
+- Apply the Licensing/DisallowKMSClientOnlineAVSValidation MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is disabled (default) and 1 is enabled.
- -or-
+ -or-
- Create a REG\_DWORD registry setting named **NoGenTicket** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform** with a value of 1 (one).
@@ -1643,7 +1696,7 @@ For Windows Server 2016 with Desktop Experience or Windows Server 2016 Server Co
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Validation**
- -or-
+ -or-
- Create a REG\_DWORD registry setting named **NoGenTicket** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform** with a value of 1 (one).
@@ -1661,31 +1714,31 @@ For Windows 10:
You can control if your settings are synchronized:
-- In the UI: **Settings** > **Accounts** > **Sync your settings**
+- In the UI: **Settings** > **Accounts** > **Sync your settings**
- -or-
+ -or-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Sync your settings** > **Do not sync**
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Sync your settings** > **Do not sync**
- -or-
+ -or-
-- Create a REG\_DWORD registry setting named **DisableSettingSync** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\SettingSync** with a value of 2 (two) and another named **DisableSettingSyncUserOverride** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\SettingSync** with a value of 1 (one).
+- Create a REG\_DWORD registry setting named **DisableSettingSync** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\SettingSync** with a value of 2 (two) and another named **DisableSettingSyncUserOverride** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\SettingSync** with a value of 1 (one).
- -or-
+ -or-
-- Apply the Experience/AllowSyncMySettings MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is not allowed and 1 is allowed.
+- Apply the Experience/AllowSyncMySettings MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is not allowed and 1 is allowed.
- -or-
+ -or-
-- Create a provisioning package, using **Runtime settings** > **Policies** > **Experience** > **AllowSyncMySettings**, where
+- Create a provisioning package, using **Runtime settings** > **Policies** > **Experience** > **AllowSyncMySettings**, where
- - **No**. Settings are not synchronized.
+ - **No**. Settings are not synchronized.
- - **Yes**. Settings are synchronized. (default)
+ - **Yes**. Settings are synchronized. (default)
To turn off Messaging cloud sync:
-- Create a REG\_DWORD registry setting named **CloudServiceSyncEnabled** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Messaging** with a value of 0 (zero).
+- Create a REG\_DWORD registry setting named **CloudServiceSyncEnabled** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Messaging** with a value of 0 (zero).
### 21. Teredo
@@ -1694,15 +1747,15 @@ You can disable Teredo by using Group Policy or by using the netsh.exe command.
>[!NOTE]
>If you disable Teredo, some XBOX gaming features and Windows Update Delivery Optimization will not work.
-- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **TCPIP Settings** > **IPv6 Transition Technologies** > **Set Teredo State** and set it to **Disabled State**.
+- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **TCPIP Settings** > **IPv6 Transition Technologies** > **Set Teredo State** and set it to **Disabled State**.
- -or-
+ -or-
-- Create a new REG\_SZ registry setting named **Teredo_State** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\TCPIP\\v6Transition** with a value of **Disabled**.
+- Create a new REG\_SZ registry setting named **Teredo_State** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\TCPIP\\v6Transition** with a value of **Disabled**.
- -or-
+ -or-
-- From an elevated command prompt, run **netsh interface teredo set state disabled**
+- From an elevated command prompt, run **netsh interface teredo set state disabled**
### 22. Wi-Fi Sense
@@ -1713,23 +1766,23 @@ Wi-Fi Sense automatically connects devices to known hotspots and to the wireless
To turn off **Connect to suggested open hotspots** and **Connect to networks shared by my contacts**:
-- Turn off the feature in the UI.
+- Turn off the feature in the UI.
- -or-
+ -or-
-- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **WLAN Service** > **WLAN Settings** > **Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services**.
+- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **WLAN Service** > **WLAN Settings** > **Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services**.
- -or-
+ -or-
-- Create a new REG\_DWORD registry setting named **AutoConnectAllowedOEM** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\WcmSvc\\wifinetworkmanager\\config** with a value of 0 (zero).
+- Create a new REG\_DWORD registry setting named **AutoConnectAllowedOEM** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\WcmSvc\\wifinetworkmanager\\config** with a value of 0 (zero).
- -or-
+ -or-
-- Change the Windows Provisioning setting, WiFISenseAllowed, to 0 (zero). For more info, see the Windows Provisioning Settings reference doc, [WiFiSenseAllowed](https://go.microsoft.com/fwlink/p/?LinkId=620909).
+- Change the Windows Provisioning setting, WiFISenseAllowed, to 0 (zero). For more info, see the Windows Provisioning Settings reference doc, [WiFiSenseAllowed](https://go.microsoft.com/fwlink/p/?LinkId=620909).
- -or-
+ -or-
-- Use the Unattended settings to set the value of WiFiSenseAllowed to 0 (zero). For more info, see the Unattended Windows Setup reference doc, [WiFiSenseAllowed](https://go.microsoft.com/fwlink/p/?LinkId=620910).
+- Use the Unattended settings to set the value of WiFiSenseAllowed to 0 (zero). For more info, see the Unattended Windows Setup reference doc, [WiFiSenseAllowed](https://go.microsoft.com/fwlink/p/?LinkId=620910).
When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but they’re non-functional and they can’t be controlled by the employee.
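Review bot: The provisioning bullet spells the setting WiFISenseAllowed (capital I after WiF), while its own link text and the Unattended bullet use WiFiSenseAllowed. Use one spelling in both places, since readers will copy or search for the setting name.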
@@ -1737,55 +1790,55 @@ When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings scr
You can disconnect from the Microsoft Antimalware Protection Service.
-- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **MAPS** > **Join Microsoft MAPS**
+- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **MAPS** > **Join Microsoft MAPS**
- -or-
+ -or-
-- Delete the registry setting **named** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\Updates**.
+- Delete the registry setting **named** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\Updates**.
- -or-
+ -or-
-- For Windows 10 only, apply the Defender/AllowClouldProtection MDM policy from the [Defender CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
+- For Windows 10 only, apply the Defender/AllowClouldProtection MDM policy from the [Defender CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
- -or-
+ -or-
-- Use the registry to set the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SpyNetReporting** to 0 (zero).
+- Use the registry to set the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SpyNetReporting** to 0 (zero).
- -and-
+ -and-
From an elevated Windows PowerShell prompt, run **set-mppreference -Mapsreporting 0**
You can stop sending file samples back to Microsoft.
-- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **MAPS** > **Send file samples when further analysis is required** to **Always Prompt** or **Never Send**.
+- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **MAPS** > **Send file samples when further analysis is required** to **Always Prompt** or **Never Send**.
- -or-
+ -or-
-- For Windows 10 only, apply the Defender/SubmitSamplesConsent MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender), where:
+- For Windows 10 only, apply the Defender/SubmitSamplesConsent MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender), where:
- - **0**. Always prompt.
+ - **0**. Always prompt.
- - **1**. (default) Send safe samples automatically.
+ - **1**. (default) Send safe samples automatically.
- - **2**. Never send.
+ - **2**. Never send.
- - **3**. Send all samples automatically.
+ - **3**. Send all samples automatically.
- -or-
+ -or-
-- Use the registry to set the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SubmitSamplesConsent** to 0 (zero) to always prompt or 2 to never send.
+- Use the registry to set the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SubmitSamplesConsent** to 0 (zero) to always prompt or 2 to never send.
You can stop downloading definition updates:
-- Enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **Signature Updates** > **Define the order of sources for downloading definition updates** and set it to **FileShares**.
+- Enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **Signature Updates** > **Define the order of sources for downloading definition updates** and set it to **FileShares**.
- -and-
+ -and-
-- Disable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **Signature Updates** > **Define file shares for downloading definition updates** and set it to nothing.
+- Disable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **Signature Updates** > **Define file shares for downloading definition updates** and set it to nothing.
- -or-
+ -or-
-- Create a new REG\_SZ registry setting named **FallbackOrder** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\Updates** with a value of **FileShares**.
+- Create a new REG\_SZ registry setting named **FallbackOrder** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\Updates** with a value of **FileShares**.
For Windows 10 only, you can stop Enhanced Notifications:
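Review bot: The MAPS bullet "Delete the registry setting **named** in ...\Windows Defender\Updates" never says which value to delete. The bold text is the word "named" where a value name should be, so the step cannot be followed as written. State the value name. If it is meant to be FallbackOrder, which the definition-update bullet later in this hunk creates under the same key, say so and explain why deleting it belongs under disconnecting from MAPS. Also in this hunk: Defender/AllowClouldProtection looks like a misspelling of "Cloud" and should be checked against the CSP reference it links to. The bullet for "Define file shares for downloading definition updates" says both to disable the policy and to "set it to nothing"; pick one instruction.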
@@ -1793,19 +1846,49 @@ For Windows 10 only, you can stop Enhanced Notifications:
You can also use the registry to turn off Malicious Software Reporting Tool diagnostic data by setting the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\MRT\\DontReportInfectionInformation** to 1.
+### 23.1 Windows Defender SmartScreen
+
+To disable Windows Defender Smartscreen:
+
+- In Group Policy, configure - **Computer Configuration > Administrative Templates > Windows Components > Windows Defender SmartScreen > Explorer > Configure Windows Defender SmartScreen** : **Disable**
+
+ -and-
+
+- **Computer Configuration > Administrative Templates > Windows Components > File Explorer > Configure Windows Defender SmartScreen** : **Disable**
+
+ -and-
+
+- **Computer Configuration > Administrative Templates > Windows Components > Windows Defender SmartScreen > Explorer > Configure app install control** : **Enable**
+
+ -or-
+
+- Create a REG_DWORD registry setting named **EnableSmartScreen** in **HKEY_LOCAL_MACHINE\Sofware\Policies\Microsoft\Windows\System** with a value of 0 (zero).
+
+ -and-
+
+- Create a REG_DWORD registry setting named **ConfigureAppInstallControlEnabled** in **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen** with a value of 1.
+
+ -and-
+
+- Create a SZ registry setting named **ConfigureAppInstallControl** in **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen** with a value of **Anywhere**.
+
+ -or-
+
+- Apply the Browser/AllowSmartScreen MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is turned off and 1 is turned on.
+
### 24. Windows Media Player
To remove Windows Media Player on Windows 10:
-- From the **Programs and Features** control panel, click **Turn Windows features on or off**, under **Media Features**, clear the **Windows Media Player** check box, and then click **OK**.
+- From the **Programs and Features** control panel, click **Turn Windows features on or off**, under **Media Features**, clear the **Windows Media Player** check box, and then click **OK**.
- -or-
+ -or-
-- Run the following DISM command from an elevated command prompt: **dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer**
+- Run the following DISM command from an elevated command prompt: **dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer**
To remove Windows Media Player on Windows Server 2016:
-- Run the following DISM command from an elevated command prompt: **dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer**
+- Run the following DISM command from an elevated command prompt: **dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer**
### 25. Windows Spotlight
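Review bot: In the new 23.1 section, the EnableSmartScreen bullet gives the key as HKEY_LOCAL_MACHINE\Sofware\Policies\Microsoft\Windows\System. "Sofware" is missing a "t", so a value created at that path lands in a key nothing reads and the setting has no effect; correct it to SOFTWARE as in the two bullets that follow. Other points on the same section: "Create a SZ registry setting" should read REG_SZ like the rest of the file; the heading says SmartScreen but the intro sentence says Smartscreen; the first bullet has a stray "configure -"; and the new lines leave underscores unescaped where the surrounding file writes REG\_DWORD and HKEY\_LOCAL\_MACHINE. The -and-/-or- chain also does not show which bullets belong together. As written it reads as three alternatives (three Group Policy settings, three registry values, one MDM policy), and a lead-in sentence saying so would remove the guesswork. The MDM bullet labels msdn.microsoft.com/library/windows/hardware/dn904962.aspx as the Policy CSP, while the MAPS section earlier in this file labels the same URL as the Defender CSP; one of the two labels is wrong.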
@@ -1818,51 +1901,51 @@ If you're running Windows 10, version 1607 or later, you only need to enable the
> [!NOTE]
> This must be done within 15 minutes after Windows 10 is installed. Alternatively, you can create an image with this setting.
- -or-
+ -or-
-- For Windows 10 only, apply the Experience/AllowWindowsSpotlight MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience), with a value of 0 (zero).
+- For Windows 10 only, apply the Experience/AllowWindowsSpotlight MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience), with a value of 0 (zero).
- -or-
+ -or-
-- Create a new REG\_DWORD registry setting named **DisableWindowsSpotlightFeatures** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent** with a value of 1 (one).
+- Create a new REG\_DWORD registry setting named **DisableWindowsSpotlightFeatures** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent** with a value of 1 (one).
If you're not running Windows 10, version 1607 or later, you can use the other options in this section.
-- Configure the following in **Settings**:
+- Configure the following in **Settings**:
- - **Personalization** > **Lock screen** > **Background** > **Windows spotlight**, select a different background, and turn off **Get fun facts, tips, tricks and more on your lock screen**.
+ - **Personalization** > **Lock screen** > **Background** > **Windows spotlight**, select a different background, and turn off **Get fun facts, tips, tricks and more on your lock screen**.
> [!NOTE]
> In Windows 10, version 1507 and Windows 10, version 1511, this setting was named **Show me tips, tricks, and more on the lock screen**.
- - **Personalization** > **Start** > **Occasionally show suggestions in Start**.
+ - **Personalization** > **Start** > **Occasionally show suggestions in Start**.
- - **System** > **Notifications & actions** > **Show me tips about Windows**.
+ - **System** > **Notifications & actions** > **Show me tips about Windows**.
- -or-
+ -or-
-- Apply the Group Policies:
+- Apply the Group Policies:
- - **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image**.
- - Add a location in the **Path to local lock screen image** box.
+ - **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image**.
+ - Add a location in the **Path to local lock screen image** box.
- - Set the **Turn off fun facts, tips, tricks, and more on lock screen** check box.
+ - Set the **Turn off fun facts, tips, tricks, and more on lock screen** check box.
- > [!NOTE]
- > This will only take effect if the policy is applied before the first logon. If you cannot apply the **Force a specific default lock screen image** policy before the first logon to the device, you can apply this policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Do not display the lock screen**. Alternatively, you can create a new REG\_SZ registry setting nameed **LockScreenImage** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization** with a value of **C:\\windows\\web\\screen\\lockscreen.jpg** and create a new REG\_DWORD registry setting named **LockScreenOverlaysDisabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization** with a value of 1 (one).
+ > [!NOTE]
+ > This will only take effect if the policy is applied before the first logon. If you cannot apply the **Force a specific default lock screen image** policy before the first logon to the device, you can apply this policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Do not display the lock screen**. Alternatively, you can create a new REG\_SZ registry setting nameed **LockScreenImage** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization** with a value of **C:\\windows\\web\\screen\\lockscreen.jpg** and create a new REG\_DWORD registry setting named **LockScreenOverlaysDisabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization** with a value of 1 (one).
- - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not show Windows tips**.
+ - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not show Windows tips**.
- -or-
+ -or-
- - Create a new REG\_DWORD registry setting named **DisableSoftLanding** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent** with a value of 1 (one).
+ - Create a new REG\_DWORD registry setting named **DisableSoftLanding** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent** with a value of 1 (one).
- - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off Microsoft consumer experiences**.
+ - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off Microsoft consumer experiences**.
- -or-
+ -or-
- - Create a new REG\_DWORD registry setting named **DisableWindowsConsumerFeatures** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent** with a value of 1 (one).
+ - Create a new REG\_DWORD registry setting named **DisableWindowsConsumerFeatures** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent** with a value of 1 (one).
For more info, see [Windows Spotlight on the lock screen](/windows/configuration/windows-spotlight).
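Review bot: The re-indented NOTE under "Force a specific default lock screen image" still reads "registry setting nameed **LockScreenImage**". Fix it to "named" in this change rather than carrying the typo forward. The same NOTE packs a fallback policy and two registry values (LockScreenImage, LockScreenOverlaysDisabled) into a single sentence. Breaking those into their own bullets would match how the rest of this section presents registry alternatives and make it clear that both values are required together.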
@@ -1873,17 +1956,17 @@ This will also turn off automatic app updates, and the Microsoft Store will be d
In addition, new email accounts cannot be created by clicking **Settings** > **Accounts** > **Email & app accounts** > **Add an account**.
On Windows Server 2016, this will block Microsoft Store calls from Universal Windows Apps.
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Disable all apps from Microsoft Store**.
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Disable all apps from Microsoft Store**.
- -or-
+ -or-
- - Create a new REG\_DWORD registry setting named **DisableStoreApps** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsStore** with a value of 1 (one).
+ - Create a new REG\_DWORD registry setting named **DisableStoreApps** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsStore** with a value of 1 (one).
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Turn off Automatic Download and Install of updates**.
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Turn off Automatic Download and Install of updates**.
- -or-
+ -or-
- - Create a new REG\_DWORD registry setting named **AutoDownload** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsStore** with a value of 2 (two).
+ - Create a new REG\_DWORD registry setting named **AutoDownload** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsStore** with a value of 2 (two).
### 26.1 Apps for websites
@@ -1905,7 +1988,7 @@ In Windows 10, version 1607, you can stop network traffic related to Windows Upd
You can set up Delivery Optimization from the **Settings** UI.
-- Go to **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Choose how updates are delivered**.
+- Go to **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Choose how updates are delivered**.
### 27.2 Delivery Optimization Group Policies
@@ -1954,47 +2037,47 @@ For more info about Delivery Optimization in general, see [Windows Update Delive
You can turn off Windows Update by setting the following registry entries:
-- Add a REG\_DWORD value named **DoNotConnectToWindowsUpdateInternetLocations** to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and set the value to 1.
+- Add a REG\_DWORD value named **DoNotConnectToWindowsUpdateInternetLocations** to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and set the value to 1.
- -and-
+ -and-
-- Add a REG\_DWORD value named **DisableWindowsUpdateAccess** to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and set the value to 1.
+- Add a REG\_DWORD value named **DisableWindowsUpdateAccess** to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and set the value to 1.
- -and-
+ -and-
-- Add a REG\_DWORD value named **UseWUServer** to **HKEY\_LOCAL\_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU** and set the value to 1.
+- Add a REG\_DWORD value named **UseWUServer** to **HKEY\_LOCAL\_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU** and set the value to 1.
- -or-
+ -or-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Do not connect to any Windows Update Internet locations**.
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Do not connect to any Windows Update Internet locations**.
- -and-
+ -and-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off access to all Windows Update features**.
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off access to all Windows Update features**.
- -and-
+ -and-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Specify intranet Microsoft update service location** and set the **Set the alternate download server** to " ".
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Specify intranet Microsoft update service location** and set the **Set the alternate download server** to " ".
You can turn off automatic updates by doing one of the following. This is not recommended.
-- Add a REG\_DWORD value named **AutoDownload** to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\WindowsStore\\WindowsUpdate** and set the value to 5.
+- Add a REG\_DWORD value named **AutoDownload** to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\WindowsStore\\WindowsUpdate** and set the value to 5.
- -or-
+ -or-
-- For Windows 10 only, apply the Update/AllowAutoUpdate MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update), where:
+- For Windows 10 only, apply the Update/AllowAutoUpdate MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update), where:
- - **0**. Notify the user before downloading the update.
+ - **0**. Notify the user before downloading the update.
- - **1**. Auto install the update and then notify the user to schedule a device restart.
+ - **1**. Auto install the update and then notify the user to schedule a device restart.
- - **2** (default). Auto install and restart.
+ - **2** (default). Auto install and restart.
- - **3**. Auto install and restart at a specified time.
+ - **3**. Auto install and restart at a specified time.
- - **4**. Auto install and restart without end-user control.
+ - **4**. Auto install and restart without end-user control.
- - **5**. Turn off automatic updates.
+ - **5**. Turn off automatic updates.
To learn more, see [Device update management](https://msdn.microsoft.com/library/windows/hardware/dn957432.aspx) and [Configure Automatic Updates by using Group Policy](https://technet.microsoft.com/library/cc720539.aspx).
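Review bot: The registry route for turning off Windows Update sets UseWUServer to 1 but names no server value. The Group Policy route in the same list pairs "Specify intranet Microsoft update service location" with an alternate download server of " ". As written the two routes are not equivalent, and the registry one leaves the reader to guess what the device will use as its update server. State the accompanying value, or say explicitly that none is needed. The UseWUServer bullet also writes its key with single backslashes (\Software\Policies\...\AU) while the two bullets above it use the escaped form; make them consistent. "This is not recommended" on the automatic-updates paragraph would be more useful with the reason, since that paragraph tells readers how to stop receiving security updates.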
diff --git a/windows/privacy/manage-windows-1709-endpoints.md b/windows/privacy/manage-windows-1709-endpoints.md
new file mode 100644
index 0000000000..92c2dfc96e
--- /dev/null
+++ b/windows/privacy/manage-windows-1709-endpoints.md
@@ -0,0 +1,488 @@
+---
+title: Connection endpoints for Windows 10, version 1709
+description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact.
+keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.localizationpriority: high
+author: danihalfin
+ms.author: daniha
+ms.date: 6/26/2018
+---
+# Manage connection endpoints for Windows 10, version 1709
+
+**Applies to**
+
+- Windows 10, version 1709
+
+Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include:
+
+- Connecting to Microsoft Office and Windows sites to download the latest app and security updates.
+- Connecting to email servers to send and receive email.
+- Connecting to the web for every day web browsing.
+- Connecting to the cloud to store and access backups.
+- Using your location to show a weather forecast.
+
+This article lists different endpoints that are available on a clean installation of Windows 10, version 1709 and later.
+Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
+Where applicable, each endpoint covered in this topic includes a link to specific details about how to control traffic to it.
+
+We used the following methodology to derive these network endpoints:
+
+1. Set up the latest version of Windows 10 on a test virtual machine using the default settings.
+2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device).
+3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
+4. Compile reports on traffic going to public IP addresses.
+5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory.
+
+> [!NOTE]
+> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time.
+
+## Windows 10 Enterprise connection endpoints
+
+## Apps
+
+The following endpoint is used to download updates to the Weather app Live Tile.
+If you [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), no Live Tiles will be updated.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| explorer | HTTP | tile-service.weather.microsoft.com |
+
+The following endpoint is used for OneNote Live Tile.
+To turn off traffic for this endpoint, either uninstall OneNote or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
+If you disable the Microsoft store, other Store apps cannot be installed or updated.
+Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | cdn.onenote.net/livetile/?Language=en-US |
+
+The following endpoints are used for Twitter updates.
+To turn off traffic for these endpoints, either uninstall Twitter or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
+If you disable the Microsoft store, other Store apps cannot be installed or updated.
+Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | wildcard.twimg.com |
+| svchost.exe | | oem.twimg.com/windows/tile.xml |
+
+The following endpoint is used for Facebook updates.
+To turn off traffic for this endpoint, either uninstall Facebook or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
+If you disable the Microsoft store, other Store apps cannot be installed or updated.
+Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | star-mini.c10r.facebook.com |
+
+The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online.
+To turn off traffic for this endpoint, either uninstall the Photos app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
+If you disable the Microsoft store, other Store apps cannot be installed or updated.
+Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| WindowsApps\Microsoft.Windows.Photos | HTTPS | evoke-windowsservices-tas.msedge.net |
+
+The following endpoint is used for Candy Crush Saga updates.
+To turn off traffic for this endpoint, either uninstall Candy Crush Saga or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
+If you disable the Microsoft store, other Store apps cannot be installed or updated.
+Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | TLS v1.2 | candycrushsoda.king.com |
+
+The following endpoint is used for by the Microsoft Wallet app.
+To turn off traffic for this endpoint, either uninstall the Wallet app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
+If you disable the Microsoft store, other Store apps cannot be installed or updated.
+Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| system32\AppHostRegistrationVerifier.exe | HTTPS | wallet.microsoft.com |
+
+The following endpoint is used by the Groove Music app for update HTTP handler status.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-apps-for-websites), apps for websites won't work and customers who visit websites (such as mediaredirect.microsoft.com) that are registered with their associated app (such as Groove Music) will stay at the website and won't be able to directly launch the app.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| system32\AppHostRegistrationVerifier.exe | HTTPS | mediaredirect.microsoft.com |
+
+## Cortana and Search
+
+The following endpoint is used to get images that are used for Microsoft Store suggestions.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block images that are used for Microsoft Store suggestions.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| searchui | HTTPS |store-images.s-microsoft.com |
+
+The following endpoint is used to update Cortana greetings, tips, and Live Tiles.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block updates to Cortana greetings, tips, and Live Tiles.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| backgroundtaskhost | HTTPS | www.bing.com/client |
+
+The following endpoint is used to configure parameters, such as how often the Live Tile is updated. It's also used to activate experiments.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), parameters would not be updated and the device would no longer participate in experiments.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| backgroundtaskhost | HTTPS | www.bing.com/proactive |
+
+The following endpoint is used by Cortana to report diagnostic and diagnostic data information.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), Microsoft won't be aware of issues with Cortana and won't be able to fix them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| searchui
backgroundtaskhost | HTTPS | www.bing.com/threshold/xls.aspx |
+
+## Certificates
+
+The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update), but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses.
+
+Additionally, it is used to download certificates that are publicly known to be fraudulent.
+These settings are critical for both Windows security and the overall security of the Internet.
+We do not recommend blocking this endpoint.
+If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTP | ctldl.windowsupdate.com |
+
+## Device authentication
+
+The following endpoint is used to authenticate a device.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), the device will not be authenticated.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | login.live.com/ppsecure |
+
+## Device metadata
+
+The following endpoint is used to retrieve device metadata.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-devinst), metadata will not be updated for the device.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | dmd.metaservices.microsoft.com.akadns.net |
+
+## Diagnostic Data
+
+The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | cy2.vortex.data.microsoft.com.akadns.net |
+
+The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | v10.vortex-win.data.microsoft.com/collect/v1 |
+
+The following endpoints are used by Windows Error Reporting.
+To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| wermgr | | watson.telemetry.microsoft.com |
+| | TLS v1.2 | modern.watson.data.microsoft.com.akadns.net |
+
+## Font streaming
+
+The following endpoints are used to download fonts on demand.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#font-streaming), you will not be able to download fonts on demand.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | fs.microsoft.com |
+| | | fs.microsoft.com/fs/windows/config.json |
+
+## Licensing
+
+The following endpoint is used for online activation and some app licensing.
+To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| licensemanager | HTTPS | licensing.mp.microsoft.com/v7.0/licenses/content |
+
+## Location
+
+The following endpoint is used for location data.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location), apps cannot use location data.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | location-inference-westus.cloudapp.net |
+
+## Maps
+
+The following endpoint is used to check for updates to maps that have been downloaded for offline use.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps), offline maps will not be updated.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | *g.akamaiedge.net |
+
+## Microsoft account
+
+The following endpoints are used for Microsoft accounts to sign in.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account), users cannot sign in with Microsoft accounts.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | login.msa.akadns6.net |
+| system32\Auth.Host.exe | HTTPS | auth.gfx.ms |
+
+## Microsoft Store
+
+The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | *.wns.windows.com |
+
+The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.
+To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | storecatalogrevocation.storequality.microsoft.com |
+
+The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps).
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | img-prod-cms-rt-microsoft-com.akamaized.net |
+
+The following endpoints are used to communicate with Microsoft Store.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | storeedgefd.dsx.mp.microsoft.com |
+| | HTTP | pti.store.microsoft.com |
+||TLS v1.2|cy2.\*.md.mp.microsoft.com.\*.|
+
+## Network Connection Status Indicator (NCSI)
+
+Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi), NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | www.msftconnecttest.com/connecttest.txt |
+
+## Office
+
+The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office Online. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity).
+You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps.
+If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | *.a-msedge.net |
+| hxstr | | *.c-msedge.net |
+| | | *.e-msedge.net |
+| | | *.s-msedge.net |
+
+The following endpoint is used to connect to the Office 365 portal's shared infrastructure, including Office Online. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity).
+You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps.
+If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| system32\Auth.Host.exe | HTTPS | outlook.office365.com |
+
+The following endpoint is OfficeHub traffic used to get the metadata of Office apps. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+|Windows Apps\Microsoft.Windows.Photos|HTTPS|client-office365-tas.msedge.net|
+
+## OneDrive
+
+The following endpoint is a redirection service that’s used to automatically update URLs.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive), anything that relies on g.live.com to get updated URL information will no longer work.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| onedrive | HTTP \ HTTPS | g.live.com/1rewlive5skydrive/ODSUProduction |
+
+The following endpoint is used by OneDrive for Business to download and verify app updates. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US).
+To turn off traffic for this endpoint, uninstall OneDrive for Business. In this case, your device will not able to get OneDrive for Business app updates.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| onedrive | HTTPS | oneclient.sfx.ms |
+
+## Settings
+
+The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| dmclient | | cy2.settings.data.microsoft.com.akadns.net |
+
+The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| dmclient | HTTPS | settings.data.microsoft.com |
+
+The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as Windows Connected User Experiences and Telemetry component and Windows Insider Program use it.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | settings-win.data.microsoft.com |
+
+## Skype
+
+The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+|microsoft.windowscommunicationsapps.exe | HTTPS | config.edge.skype.com |
+
+
+
+## Windows Defender
+
+The following endpoint is used for Windows Defender when Cloud-based Protection is enabled.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), the device will not use Cloud-based Protection.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | wdcp.microsoft.com |
+
+The following endpoints are used for Windows Defender definition updates.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), definitions will not be updated.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | definitionupdates.microsoft.com |
+|MpCmdRun.exe|HTTPS|go.microsoft.com |
+
+## Windows Spotlight
+
+The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight), Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see [Windows Spotlight](/windows/configuration/windows-spotlight).
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| backgroundtaskhost | HTTPS | arc.msn.com |
+| backgroundtaskhost | | g.msn.com.nsatc.net |
+| |TLS v1.2| *.search.msn.com |
+| | HTTPS | ris.api.iris.microsoft.com |
+| | HTTPS | query.prod.cms.rt.microsoft.com |
+
+## Windows Update
+
+The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates), Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | *.prod.do.dsp.mp.microsoft.com |
+
+The following endpoints are used to download operating system patches and updates.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to download updates for the operating system.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTP | *.windowsupdate.com |
+| | HTTP | fg.download.windowsupdate.com.c.footprint.net |
+
+The following endpoint is used by the Highwinds Content Delivery Network to perform Windows updates.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not perform updates.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | cds.d2s7q6s2.hwcdn.net |
+
+The following endpoints are used by the Verizon Content Delivery Network to perform Windows updates.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not perform updates.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | *wac.phicdn.net |
+| | | *wac.edgecastcdn.net |
+
+The following endpoint is used to download apps and Windows Insider Preview builds from the Microsoft Store. Time Limited URL (TLU) is a mechanism for protecting the content. For example, it prevents someone from copying the URL and then getting access to the app that the person has not acquired).
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the updating functionality on this device is essentially in a disabled state, resulting in user unable to get apps from the Store, get latest version of Windows, and so on.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | *.tlu.dl.delivery.mp.microsoft.com.c.footprint.net |
+
+The following endpoint is used to download apps from the Microsoft Store. It's used as part of calculating the right ranges for apps.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), users of the device will not able to get apps from the Microsoft Store.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | emdl.ws.microsoft.com |
+
+The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | fe2.update.microsoft.com |
+| svchost | | fe3.delivery.mp.microsoft.com |
+| | | fe3.delivery.dsp.mp.microsoft.com.nsatc.net |
+| svchost | HTTPS | sls.update.microsoft.com |
+
+The following endpoint is used for content regulation.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | tsfe.trafficshaping.dsp.mp.microsoft.com |
+
+The following endpoints are used to download content.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), you will block any content from being downloaded.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | a122.dscd.akamai.net |
+| | | a1621.g.akamai.net |
+
+## Microsoft forward link redirection service (FWLink)
+
+The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer.
+
+If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+|Various|HTTPS|go.microsoft.com|
+
+## Other Windows 10 versions and editions
+
+To view endpoints for other versions of Windows 10 enterprise, see:
+- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md)
+- [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md)
+
+To view endpoints for non-Enterprise Windows 10 editions, see:
+- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md)
+- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md)
+
+## Related links
+
+- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US)
+- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/intune/get-started/network-infrastructure-requirements-for-microsoft-intune)
\ No newline at end of file
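Review bot: Wildcard destinations in the new tables use three different notations, which matters to anyone copying them into proxy or firewall rules: `*g.akamaiedge.net`, `*wac.phicdn.net` and `*wac.edgecastcdn.net` have no dot after the asterisk, `*.wns.windows.com` and `*.prod.do.dsp.mp.microsoft.com` do, and the Microsoft Store row `cy2.\*.md.mp.microsoft.com.\*.` escapes the asterisks and ends in `.\*.`. Please confirm the intended patterns and settle on one notation. Several rows also leave Source process and Protocol both empty (for example `dmd.metaservices.microsoft.com.akadns.net` and `wdcp.microsoft.com`); if the values are unknown, say so in the cell. Text fixes in the same hunk: the Time Limited URL paragraph has an unmatched closing parenthesis after "has not acquired", "will not able to" is missing "be" in the OneDrive for Business and `emdl.ws.microsoft.com` paragraphs, the `outlook.office365.com` paragraph opens with "The following endpoint" but then says "these endpoints", and the file ends without a trailing newline.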
diff --git a/windows/privacy/manage-windows-endpoints.md b/windows/privacy/manage-windows-1803-endpoints.md
similarity index 67%
rename from windows/privacy/manage-windows-endpoints.md
rename to windows/privacy/manage-windows-1803-endpoints.md
index 721814aabe..5cbbfcd3d1 100644
--- a/windows/privacy/manage-windows-endpoints.md
+++ b/windows/privacy/manage-windows-1803-endpoints.md
@@ -1,5 +1,5 @@
---
-title: Windows 10 connection endpoints
+title: Connection endpoints for Windows 10, version 1803
description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact.
keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
ms.prod: w10
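Review bot: The `description` front-matter line is left as unchanged context while the title becomes version-specific, so the description still reads as the generic "Windows 10 endpoints" page. Suggest naming version 1803 in the description so this page is distinguishable from the other per-version endpoint pages.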
@@ -10,11 +10,11 @@ author: danihalfin
ms.author: daniha
ms.date: 6/26/2018
---
-# Manage Windows 10 connection endpoints
+# Manage connection endpoints for Windows 10, version 1803
**Applies to**
-- Windows 10, version 1709 and later
+- Windows 10, version 1803
Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include:
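Review bot: `ms.date` stays at 6/26/2018 in the context lines even though the heading and the Applies to list change here; update it if the date is meant to track this edit. The unchanged sentence below the list also reads "Some Windows components, app, and related services", where "app" should be "apps"; worth fixing while the file is being touched.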
@@ -46,252 +46,248 @@ We used the following methodology to derive these network endpoints:
The following endpoint is used to download updates to the Weather app Live Tile.
If you [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), no Live Tiles will be updated.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| explorer | HTTP | tile-service.weather.microsoft.com | 1709 |
-| | HTTP | blob.weather.microsoft.com | 1803 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| explorer | HTTP | tile-service.weather.microsoft.com |
+| | HTTP | blob.weather.microsoft.com |
The following endpoint is used for OneNote Live Tile.
To turn off traffic for this endpoint, either uninstall OneNote or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
If you disable the Microsoft store, other Store apps cannot be installed or updated.
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | HTTPS | cdn.onenote.net/livetile/?Language=en-US | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | cdn.onenote.net/livetile/?Language=en-US |
The following endpoints are used for Twitter updates.
To turn off traffic for these endpoints, either uninstall Twitter or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
If you disable the Microsoft store, other Store apps cannot be installed or updated.
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | HTTPS | wildcard.twimg.com | 1709 |
-| svchost.exe | | oem.twimg.com/windows/tile.xml | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | wildcard.twimg.com |
+| svchost.exe | | oem.twimg.com/windows/tile.xml |
The following endpoint is used for Facebook updates.
To turn off traffic for this endpoint, either uninstall Facebook or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
If you disable the Microsoft store, other Store apps cannot be installed or updated.
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | | star-mini.c10r.facebook.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | star-mini.c10r.facebook.com |
The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online.
To turn off traffic for this endpoint, either uninstall the Photos app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
If you disable the Microsoft store, other Store apps cannot be installed or updated.
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| WindowsApps\Microsoft.Windows.Photos | HTTPS | evoke-windowsservices-tas.msedge.net | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| WindowsApps\Microsoft.Windows.Photos | HTTPS | evoke-windowsservices-tas.msedge.net |
The following endpoint is used for Candy Crush Saga updates.
To turn off traffic for this endpoint, either uninstall Candy Crush Saga or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
If you disable the Microsoft store, other Store apps cannot be installed or updated.
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | TLS v1.2 | candycrushsoda.king.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | TLS v1.2 | candycrushsoda.king.com |
The following endpoint is used for by the Microsoft Wallet app.
To turn off traffic for this endpoint, either uninstall the Wallet app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
If you disable the Microsoft store, other Store apps cannot be installed or updated.
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| system32\AppHostRegistrationVerifier.exe | HTTPS | wallet.microsoft.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| system32\AppHostRegistrationVerifier.exe | HTTPS | wallet.microsoft.com |
The following endpoint is used by the Groove Music app for update HTTP handler status.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-apps-for-websites), apps for websites won't work and customers who visit websites (such as mediaredirect.microsoft.com) that are registered with their associated app (such as Groove Music) will stay at the website and won't be able to directly launch the app.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| system32\AppHostRegistrationVerifier.exe | HTTPS | mediaredirect.microsoft.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| system32\AppHostRegistrationVerifier.exe | HTTPS | mediaredirect.microsoft.com |
## Cortana and Search
The following endpoint is used to get images that are used for Microsoft Store suggestions.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block images that are used for Microsoft Store suggestions.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| searchui | HTTPS |store-images.s-microsoft.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| searchui | HTTPS |store-images.s-microsoft.com |
The following endpoint is used to update Cortana greetings, tips, and Live Tiles.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block updates to Cortana greetings, tips, and Live Tiles.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| backgroundtaskhost | HTTPS | www.bing.com/client | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| backgroundtaskhost | HTTPS | www.bing.com/client |
The following endpoint is used to configure parameters, such as how often the Live Tile is updated. It's also used to activate experiments.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), parameters would not be updated and the device would no longer participate in experiments.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| backgroundtaskhost | HTTPS | www.bing.com/proactive | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| backgroundtaskhost | HTTPS | www.bing.com/proactive |
The following endpoint is used by Cortana to report diagnostic and diagnostic data information.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), Microsoft won't be aware of issues with Cortana and won't be able to fix them.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| searchui
backgroundtaskhost | HTTPS | www.bing.com/threshold/xls.aspx | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| searchui
backgroundtaskhost | HTTPS | www.bing.com/threshold/xls.aspx |
## Certificates
-The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update), but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses.
+The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update), but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| svchost | HTTP | ctldl.windowsupdate.com | 1709 |
-
-The following endpoints are used to download certificates that are publicly known to be fraudulent.
+Additionally, it is used to download certificates that are publicly known to be fraudulent.
These settings are critical for both Windows security and the overall security of the Internet.
We do not recommend blocking this endpoint.
If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| svchost | HTTP | ctldl.windowsupdate.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTP | ctldl.windowsupdate.com |
## Device authentication
The following endpoint is used to authenticate a device.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), the device will not be authenticated.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | HTTPS | login.live.com/ppsecure | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | login.live.com/ppsecure |
## Device metadata
The following endpoint is used to retrieve device metadata.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-devinst), metadata will not be updated for the device.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | | dmd.metaservices.microsoft.com.akadns.net | 1709 |
-| | HTTP | dmd.metaservices.microsoft.com | 1803 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | dmd.metaservices.microsoft.com.akadns.net |
+| | HTTP | dmd.metaservices.microsoft.com |
## Diagnostic Data
The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| svchost | | cy2.vortex.data.microsoft.com.akadns.net | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | cy2.vortex.data.microsoft.com.akadns.net |
The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| svchost | | v10.vortex-win.data.microsoft.com/collect/v1 | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | v10.vortex-win.data.microsoft.com/collect/v1 |
The following endpoints are used by Windows Error Reporting.
To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| wermgr | | watson.telemetry.microsoft.com | 1709 |
-| | TLS v1.2 | modern.watson.data.microsoft.com.akadns.net | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| wermgr | | watson.telemetry.microsoft.com |
+| | TLS v1.2 | modern.watson.data.microsoft.com.akadns.net |
## Font streaming
The following endpoints are used to download fonts on demand.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#font-streaming), you will not be able to download fonts on demand.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| svchost | | fs.microsoft.com | 1709 |
-| | | fs.microsoft.com/fs/windows/config.json | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | fs.microsoft.com |
+| | | fs.microsoft.com/fs/windows/config.json |
## Licensing
The following endpoint is used for online activation and some app licensing.
To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| licensemanager | HTTPS | licensing.mp.microsoft.com/v7.0/licenses/content | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| licensemanager | HTTPS | licensing.mp.microsoft.com/v7.0/licenses/content |
## Location
The following endpoint is used for location data.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location), apps cannot use location data.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | HTTP | location-inference-westus.cloudapp.net | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | location-inference-westus.cloudapp.net |
## Maps
The following endpoint is used to check for updates to maps that have been downloaded for offline use.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps), offline maps will not be updated.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| svchost | HTTPS | *g.akamaiedge.net | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | *g.akamaiedge.net |
## Microsoft account
The following endpoints are used for Microsoft accounts to sign in.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account), users cannot sign in with Microsoft accounts.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | | login.msa.akadns6.net | 1709 |
-| system32\Auth.Host.exe | HTTPS | auth.gfx.ms | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | login.msa.akadns6.net |
+| system32\Auth.Host.exe | HTTPS | auth.gfx.ms |
## Microsoft Store
The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | | *.wns.windows.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | *.wns.windows.com |
The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.
To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | HTTP | storecatalogrevocation.storequality.microsoft.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | storecatalogrevocation.storequality.microsoft.com |
The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps).
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | HTTPS | img-prod-cms-rt-microsoft-com.akamaized.net | 1709 |
-| backgroundtransferhost | HTTPS | store-images.microsoft.com | 1803 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | img-prod-cms-rt-microsoft-com.akamaized.net |
+| backgroundtransferhost | HTTPS | store-images.microsoft.com |
The following endpoints are used to communicate with Microsoft Store.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | HTTP | storeedgefd.dsx.mp.microsoft.com | 1709 |
-| | HTTP | pti.store.microsoft.com | 1709 |
-||TLS v1.2|cy2.\*.md.mp.microsoft.com.\*.| 1709 |
-| svchost | HTTPS | displaycatalog.mp.microsoft.com | 1803 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | storeedgefd.dsx.mp.microsoft.com |
+| | HTTP | pti.store.microsoft.com |
+||TLS v1.2|cy2.\*.md.mp.microsoft.com.\*.|
+| svchost | HTTPS | displaycatalog.mp.microsoft.com |
## Network Connection Status Indicator (NCSI)
Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi), NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | HTTP | www.msftconnecttest.com/connecttest.txt | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | www.msftconnecttest.com/connecttest.txt |
## Office
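Review bot: In the Certificates section, merging the two tables leaves ctldl.windowsupdate.com with two separate "not recommended" statements that give different reasons: the first paragraph says applications and websites may stop working, and the text after the added "Additionally, it is used to download certificates that are publicly known to be fraudulent." says blocking stops the download of known-fraudulent certificates. Suggest one paragraph that states both purposes of the endpoint followed by a single recommendation, and changing the unchanged "These settings are critical" to refer to the endpoint. The removed and added copies of the first Certificates paragraph look identical here, so please confirm the difference is whitespace only. Several added rows in this hunk (for example the dmd.metaservices.microsoft.com.akadns.net and cy2.vortex.data.microsoft.com.akadns.net rows) have an empty Protocol cell, and with the version column gone they carry only a hostname; if the protocol was not captured, say so in the table rather than leaving the cell blank.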
@@ -299,74 +295,74 @@ The following endpoints are used to connect to the Office 365 portal's shared in
You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps.
If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | | *.a-msedge.net | 1709 |
-| hxstr | | *.c-msedge.net | 1709 |
-| | | *.e-msedge.net | 1709 |
-| | | *.s-msedge.net | 1709 |
-| | HTTPS | ocos-office365-s2s.msedge.net | 1803 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | *.a-msedge.net |
+| hxstr | | *.c-msedge.net |
+| | | *.e-msedge.net |
+| | | *.s-msedge.net |
+| | HTTPS | ocos-office365-s2s.msedge.net |
The following endpoint is used to connect to the Office 365 portal's shared infrastructure, including Office Online. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity).
You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps.
If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| system32\Auth.Host.exe | HTTPS | outlook.office365.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| system32\Auth.Host.exe | HTTPS | outlook.office365.com |
The following endpoint is OfficeHub traffic used to get the metadata of Office apps. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-|Windows Apps\Microsoft.Windows.Photos|HTTPS|client-office365-tas.msedge.net| 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+|Windows Apps\Microsoft.Windows.Photos|HTTPS|client-office365-tas.msedge.net|
## OneDrive
The following endpoint is a redirection service that’s used to automatically update URLs.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive), anything that relies on g.live.com to get updated URL information will no longer work.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| onedrive | HTTP \ HTTPS | g.live.com/1rewlive5skydrive/ODSUProduction | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| onedrive | HTTP \ HTTPS | g.live.com/1rewlive5skydrive/ODSUProduction |
The following endpoint is used by OneDrive for Business to download and verify app updates. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US).
To turn off traffic for this endpoint, uninstall OneDrive for Business. In this case, your device will not able to get OneDrive for Business app updates.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| onedrive | HTTPS | oneclient.sfx.ms | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| onedrive | HTTPS | oneclient.sfx.ms |
## Settings
The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| dmclient | | cy2.settings.data.microsoft.com.akadns.net | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| dmclient | | cy2.settings.data.microsoft.com.akadns.net |
The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| dmclient | HTTPS | settings.data.microsoft.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| dmclient | HTTPS | settings.data.microsoft.com |
The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as Windows Connected User Experiences and Telemetry component and Windows Insider Program use it.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| svchost | HTTPS | settings-win.data.microsoft.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | settings-win.data.microsoft.com |
## Skype
The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-|microsoft.windowscommunicationsapps.exe | HTTPS | config.edge.skype.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+|microsoft.windowscommunicationsapps.exe | HTTPS | config.edge.skype.com |
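Review bot: The first two Settings paragraphs are word-for-word identical and each is followed by a one-row table (cy2.settings.data.microsoft.com.akadns.net and settings.data.microsoft.com, both dmclient). Since this change already rewrites both tables, fold them into one table under a single paragraph, the same way the Certificates section was consolidated. In the OneDrive row, the protocol value "HTTP \ HTTPS" uses a backslash as a separator, which is easy to misread as a Markdown escape; "HTTP / HTTPS" or two rows would be clearer. The unchanged sentence "your device will not able to get OneDrive for Business app updates" is missing "be" and could be fixed while these lines are open.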
@@ -375,102 +371,102 @@ The following endpoint is used to retrieve Skype configuration values. To turn o
The following endpoint is used for Windows Defender when Cloud-based Protection is enabled.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), the device will not use Cloud-based Protection.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | | wdcp.microsoft.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | wdcp.microsoft.com |
The following endpoints are used for Windows Defender definition updates.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), definitions will not be updated.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | | definitionupdates.microsoft.com | 1709 |
-|MpCmdRun.exe|HTTPS|go.microsoft.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | definitionupdates.microsoft.com |
+|MpCmdRun.exe|HTTPS|go.microsoft.com |
## Windows Spotlight
The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight), Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see [Windows Spotlight](/windows/configuration/windows-spotlight).
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| backgroundtaskhost | HTTPS | arc.msn.com | 1709 |
-| backgroundtaskhost | | g.msn.com.nsatc.net | 1709 |
-| |TLS v1.2| *.search.msn.com | 1709 |
-| | HTTPS | ris.api.iris.microsoft.com | 1709 |
-| | HTTPS | query.prod.cms.rt.microsoft.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| backgroundtaskhost | HTTPS | arc.msn.com |
+| backgroundtaskhost | | g.msn.com.nsatc.net |
+| |TLS v1.2| *.search.msn.com |
+| | HTTPS | ris.api.iris.microsoft.com |
+| | HTTPS | query.prod.cms.rt.microsoft.com |
## Windows Update
The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates), Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| svchost | HTTPS | *.prod.do.dsp.mp.microsoft.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | *.prod.do.dsp.mp.microsoft.com |
The following endpoints are used to download operating system patches and updates.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to download updates for the operating system.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| svchost | HTTP | *.windowsupdate.com | 1709 |
-| | HTTP | fg.download.windowsupdate.com.c.footprint.net | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTP | *.windowsupdate.com |
+| | HTTP | fg.download.windowsupdate.com.c.footprint.net |
The following endpoint is used by the Highwinds Content Delivery Network to perform Windows updates.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not perform updates.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | | cds.d2s7q6s2.hwcdn.net | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | cds.d2s7q6s2.hwcdn.net |
The following endpoints are used by the Verizon Content Delivery Network to perform Windows updates.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not perform updates.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | HTTP | *wac.phicdn.net | 1709 |
-| | | *wac.edgecastcdn.net | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | *wac.phicdn.net |
+| | | *wac.edgecastcdn.net |
The following endpoint is used to download apps and Windows Insider Preview builds from the Microsoft Store. Time Limited URL (TLU) is a mechanism for protecting the content. For example, it prevents someone from copying the URL and then getting access to the app that the person has not acquired).
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the updating functionality on this device is essentially in a disabled state, resulting in user unable to get apps from the Store, get latest version of Windows, and so on.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| svchost | | *.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | *.tlu.dl.delivery.mp.microsoft.com.c.footprint.net |
The following endpoint is used to download apps from the Microsoft Store. It's used as part of calculating the right ranges for apps.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), users of the device will not able to get apps from the Microsoft Store.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| svchost | | emdl.ws.microsoft.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | emdl.ws.microsoft.com |
The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| svchost | HTTPS | fe2.update.microsoft.com | 1709 |
-| svchost | | fe3.delivery.mp.microsoft.com | 1709 |
-| | | fe3.delivery.dsp.mp.microsoft.com.nsatc.net | 1709 |
-| svchost | HTTPS | sls.update.microsoft.com | 1709 |
-| | HTTP | *.dl.delivery.mp.microsoft.com | 1803 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | fe2.update.microsoft.com |
+| svchost | | fe3.delivery.mp.microsoft.com |
+| | | fe3.delivery.dsp.mp.microsoft.com.nsatc.net |
+| svchost | HTTPS | sls.update.microsoft.com |
+| | HTTP | *.dl.delivery.mp.microsoft.com |
The following endpoint is used for content regulation.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| svchost | HTTPS | tsfe.trafficshaping.dsp.mp.microsoft.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | tsfe.trafficshaping.dsp.mp.microsoft.com |
The following endpoints are used to download content.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), you will block any content from being downloaded.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | | a122.dscd.akamai.net | 1709 |
-| | | a1621.g.akamai.net | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | a122.dscd.akamai.net |
+| | | a1621.g.akamai.net |
## Microsoft forward link redirection service (FWLink)
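Review bot: The Windows Defender rows for wdcp.microsoft.com and definitionupdates.microsoft.com are added with both Source process and Protocol empty, which gives an administrator writing egress rules nothing to scope the rule by for two endpoints whose loss disables Cloud-based Protection and definition updates. Fill in the process and protocol, or state in the table that they were not identified; the same applies to cds.d2s7q6s2.hwcdn.net, a122.dscd.akamai.net and a1621.g.akamai.net in the Windows Update tables. The wildcard entries "*wac.phicdn.net" and "*wac.edgecastcdn.net" have no dot after the asterisk, unlike "*.windowsupdate.com" in the same section; confirm that is the intended pattern, since it changes which hostnames match. Two unchanged lines in this hunk need small fixes: the Time Limited URL paragraph ends with an unmatched ")", and "will not able to get apps" is missing "be".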
@@ -478,12 +474,16 @@ The following endpoint is used by the Microsoft forward link redirection service
If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-|Various|HTTPS|go.microsoft.com| 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+|Various|HTTPS|go.microsoft.com|
## Other Windows 10 editions
+To view endpoints for other versions of Windows 10 enterprise, see:
+- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md)
+- [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md)
+
To view endpoints for non-Enterprise Windows 10 editions, see:
- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md)
- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md)
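Review bot: The added lead-in "To view endpoints for other versions of Windows 10 enterprise, see:" sits under the heading "## Other Windows 10 editions", but the two links it introduces are other versions (1709 and 1809), not other editions. Either rename the heading to cover both versions and editions or give the new list its own heading. "enterprise" should be capitalized to match "non-Enterprise" in the line below it.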
diff --git a/windows/privacy/manage-windows-1809-endpoints.md b/windows/privacy/manage-windows-1809-endpoints.md
new file mode 100644
index 0000000000..dd3a50a2fe
--- /dev/null
+++ b/windows/privacy/manage-windows-1809-endpoints.md
@@ -0,0 +1,524 @@
+---
+title: Connection endpoints for Windows 10, version 1803
+description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact.
+keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.localizationpriority: high
+author: danihalfin
+ms.author: daniha
+ms.date: 6/26/2018
+---
+# Manage connection endpoints for Windows 10, version 1809
+
+**Applies to**
+
+- Windows 10, version 1809
+
+Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include:
+
+- Connecting to Microsoft Office and Windows sites to download the latest app and security updates.
+- Connecting to email servers to send and receive email.
+- Connecting to the web for every day web browsing.
+- Connecting to the cloud to store and access backups.
+- Using your location to show a weather forecast.
+
+This article lists different endpoints that are available on a clean installation of Windows 10, version 1709 and later.
+Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
+Where applicable, each endpoint covered in this topic includes a link to specific details about how to control traffic to it.
+
+We used the following methodology to derive these network endpoints:
+
+1. Set up the latest version of Windows 10 on a test virtual machine using the default settings.
+2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device).
+3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
+4. Compile reports on traffic going to public IP addresses.
+5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory.
+
+> [!NOTE]
+> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time.
+
+## Windows 10 Enterprise connection endpoints
+
+## Apps
+
+The following endpoint is used to download updates to the Weather app Live Tile.
+If you [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), no Live Tiles will be updated.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| explorer | HTTP | tile-service.weather.microsoft.com |
+| | HTTP | blob.weather.microsoft.com |
+
+The following endpoint is used for OneNote Live Tile.
+To turn off traffic for this endpoint, either uninstall OneNote or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
+If you disable the Microsoft store, other Store apps cannot be installed or updated.
+Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | cdn.onenote.net/livetile/?Language=en-US |
+
+The following endpoints are used for Twitter updates.
+To turn off traffic for these endpoints, either uninstall Twitter or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
+If you disable the Microsoft store, other Store apps cannot be installed or updated.
+Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | wildcard.twimg.com |
+| svchost.exe | | oem.twimg.com/windows/tile.xml |
+
+The following endpoint is used for Facebook updates.
+To turn off traffic for this endpoint, either uninstall Facebook or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
+If you disable the Microsoft store, other Store apps cannot be installed or updated.
+Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | star-mini.c10r.facebook.com |
+
+The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online.
+To turn off traffic for this endpoint, either uninstall the Photos app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
+If you disable the Microsoft store, other Store apps cannot be installed or updated.
+Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| WindowsApps\Microsoft.Windows.Photos | HTTPS | evoke-windowsservices-tas.msedge.net |
+
+The following endpoint is used for Candy Crush Saga updates.
+To turn off traffic for this endpoint, either uninstall Candy Crush Saga or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
+If you disable the Microsoft store, other Store apps cannot be installed or updated.
+Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | TLS v1.2 | candycrushsoda.king.com |
+
+The following endpoint is used for by the Microsoft Wallet app.
+To turn off traffic for this endpoint, either uninstall the Wallet app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
+If you disable the Microsoft store, other Store apps cannot be installed or updated.
+Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| system32\AppHostRegistrationVerifier.exe | HTTPS | wallet.microsoft.com |
+
+The following endpoint is used by the Groove Music app for update HTTP handler status.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-apps-for-websites), apps for websites won't work and customers who visit websites (such as mediaredirect.microsoft.com) that are registered with their associated app (such as Groove Music) will stay at the website and won't be able to directly launch the app.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| system32\AppHostRegistrationVerifier.exe | HTTPS | mediaredirect.microsoft.com |
+
+The following endpoints are used when using the Whiteboard app.
+To turn off traffic for this endpoint [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | wbd.ms |
+| | HTTPS | int.whiteboard.microsoft.com |
+| | HTTPS | whiteboard.microsoft.com |
+| | HTTP / HTTPS | whiteboard.ms |
+
+## Cortana and Search
+
+The following endpoint is used to get images that are used for Microsoft Store suggestions.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block images that are used for Microsoft Store suggestions.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| searchui | HTTPS |store-images.s-microsoft.com |
+
+The following endpoint is used to update Cortana greetings, tips, and Live Tiles.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block updates to Cortana greetings, tips, and Live Tiles.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| backgroundtaskhost | HTTPS | www.bing.com/client |
+
+The following endpoint is used to configure parameters, such as how often the Live Tile is updated. It's also used to activate experiments.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), parameters would not be updated and the device would no longer participate in experiments.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| backgroundtaskhost | HTTPS | www.bing.com/proactive |
+
+The following endpoint is used by Cortana to report diagnostic and diagnostic data information.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), Microsoft won't be aware of issues with Cortana and won't be able to fix them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| searchui
backgroundtaskhost | HTTPS | www.bing.com/threshold/xls.aspx |
+
+## Certificates
+
+The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update), but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses.
+
+Additionally, it is used to download certificates that are publicly known to be fraudulent.
+These settings are critical for both Windows security and the overall security of the Internet.
+We do not recommend blocking this endpoint.
+If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTP | ctldl.windowsupdate.com |
+
+## Device authentication
+
+The following endpoint is used to authenticate a device.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), the device will not be authenticated.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | login.live.com/ppsecure |
+
+## Device metadata
+
+The following endpoint is used to retrieve device metadata.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-devinst), metadata will not be updated for the device.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | dmd.metaservices.microsoft.com.akadns.net |
+| | HTTP | dmd.metaservices.microsoft.com |
+
+## Diagnostic Data
+
+The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | cy2.vortex.data.microsoft.com.akadns.net |
+
+The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | v10.vortex-win.data.microsoft.com/collect/v1 |
+
+The following endpoints are used by Windows Error Reporting.
+To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| wermgr | | watson.telemetry.microsoft.com |
+| | TLS v1.2 | modern.watson.data.microsoft.com.akadns.net |
+
+## Font streaming
+
+The following endpoints are used to download fonts on demand.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#font-streaming), you will not be able to download fonts on demand.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | fs.microsoft.com |
+| | | fs.microsoft.com/fs/windows/config.json |
+
+## Licensing
+
+The following endpoint is used for online activation and some app licensing.
+To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| licensemanager | HTTPS | licensing.mp.microsoft.com/v7.0/licenses/content |
+
+## Location
+
+The following endpoint is used for location data.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location), apps cannot use location data.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | location-inference-westus.cloudapp.net |
+| | HTTPS | inference.location.live.net |
+
+## Maps
+
+The following endpoint is used to check for updates to maps that have been downloaded for offline use.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps), offline maps will not be updated.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | *g.akamaiedge.net |
+
+## Microsoft account
+
+The following endpoints are used for Microsoft accounts to sign in.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account), users cannot sign in with Microsoft accounts.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | login.msa.akadns6.net |
+| system32\Auth.Host.exe | HTTPS | auth.gfx.ms |
+| | | us.configsvc1.live.com.akadns.net |
+
+## Microsoft Store
+
+The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | *.wns.windows.com |
+
+The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.
+To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | storecatalogrevocation.storequality.microsoft.com |
+
+The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps).
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | img-prod-cms-rt-microsoft-com.akamaized.net |
+| backgroundtransferhost | HTTPS | store-images.microsoft.com |
+
+The following endpoints are used to communicate with Microsoft Store.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | storeedgefd.dsx.mp.microsoft.com |
+| | HTTP \ HTTPS | pti.store.microsoft.com |
+||TLS v1.2|cy2.\*.md.mp.microsoft.com.\*.|
+| svchost | HTTPS | displaycatalog.mp.microsoft.com |
+
+## Network Connection Status Indicator (NCSI)
+
+Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi), NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | www.msftconnecttest.com/connecttest.txt |
+
+## Office
+
+The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office Online. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity).
+You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps.
+If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | *.a-msedge.net |
+| hxstr | | *.c-msedge.net |
+| | | *.e-msedge.net |
+| | | *.s-msedge.net |
+| | HTTPS | ocos-office365-s2s.msedge.net |
+| | HTTPS | nexusrules.officeapps.live.com |
+| | HTTPS | officeclient.microsoft.com |
+
+The following endpoint is used to connect to the Office 365 portal's shared infrastructure, including Office Online. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity).
+You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps.
+If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| system32\Auth.Host.exe | HTTPS | outlook.office365.com |
+
+The following endpoint is OfficeHub traffic used to get the metadata of Office apps. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+|Windows Apps\Microsoft.Windows.Photos|HTTPS|client-office365-tas.msedge.net|
+
+The following endpoint is used to connect the Office To-Do app to it's cloud service.
+To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| |HTTPS|to-do.microsoft.com|
+
+## OneDrive
+
+The following endpoint is a redirection service that’s used to automatically update URLs.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive), anything that relies on g.live.com to get updated URL information will no longer work.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| onedrive | HTTP \ HTTPS | g.live.com/1rewlive5skydrive/ODSUProduction |
+
+The following endpoint is used by OneDrive for Business to download and verify app updates. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US).
+To turn off traffic for this endpoint, uninstall OneDrive for Business. In this case, your device will not able to get OneDrive for Business app updates.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| onedrive | HTTPS | oneclient.sfx.ms |
+
+## Settings
+
+The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| dmclient | | cy2.settings.data.microsoft.com.akadns.net |
+
+The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| dmclient | HTTPS | settings.data.microsoft.com |
+
+The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as Windows Connected User Experiences and Telemetry component and Windows Insider Program use it.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | settings-win.data.microsoft.com |
+
+## Skype
+
+The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+|microsoft.windowscommunicationsapps.exe | HTTPS | config.edge.skype.com |
+| | HTTPS | browser.pipe.aria.microsoft.com |
+| | | skypeecs-prod-usw-0-b.cloudapp.net |
+
+## Windows Defender
+
+The following endpoint is used for Windows Defender when Cloud-based Protection is enabled.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), the device will not use Cloud-based Protection.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | wdcp.microsoft.com |
+
+The following endpoints are used for Windows Defender definition updates.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), definitions will not be updated.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | definitionupdates.microsoft.com |
+|MpCmdRun.exe|HTTPS|go.microsoft.com |
+
+The following endpoints are used for Windows Defender Smartscreen reporting and notifications.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender-smartscreen), Smartscreen notifications will no appear.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | ars.smartscreen.microsoft.com |
+| | HTTPS | unitedstates.smartscreen-prod.microsoft.com |
+| | | smartscreen-sn3p.smartscreen.microsoft.com |
+
+## Windows Spotlight
+
+The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight), Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see [Windows Spotlight](/windows/configuration/windows-spotlight).
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| backgroundtaskhost | HTTPS | arc.msn.com |
+| backgroundtaskhost | | g.msn.com.nsatc.net |
+| |TLS v1.2| *.search.msn.com |
+| | HTTPS | ris.api.iris.microsoft.com |
+| | HTTPS | query.prod.cms.rt.microsoft.com |
+
+## Windows Update
+
+The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates), Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | *.prod.do.dsp.mp.microsoft.com |
+
+The following endpoints are used to download operating system patches and updates.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to download updates for the operating system.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTP | *.windowsupdate.com |
+| | HTTP | fg.download.windowsupdate.com.c.footprint.net |
+
+The following endpoint is used by the Highwinds Content Delivery Network to perform Windows updates.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not perform updates.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | cds.d2s7q6s2.hwcdn.net |
+
+The following endpoints are used by the Verizon Content Delivery Network to perform Windows updates.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not perform updates.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | *wac.phicdn.net |
+| | | *wac.edgecastcdn.net |
+
+The following endpoint is used to download apps and Windows Insider Preview builds from the Microsoft Store. Time Limited URL (TLU) is a mechanism for protecting the content. For example, it prevents someone from copying the URL and then getting access to the app that the person has not acquired).
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the updating functionality on this device is essentially in a disabled state, resulting in user unable to get apps from the Store, get latest version of Windows, and so on.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | *.tlu.dl.delivery.mp.microsoft.com.c.footprint.net |
+
+The following endpoint is used to download apps from the Microsoft Store. It's used as part of calculating the right ranges for apps.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), users of the device will not able to get apps from the Microsoft Store.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | emdl.ws.microsoft.com |
+
+The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | fe2.update.microsoft.com |
+| svchost | | fe3.delivery.mp.microsoft.com |
+| | | fe3.delivery.dsp.mp.microsoft.com.nsatc.net |
+| svchost | HTTPS | sls.update.microsoft.com |
+| | HTTP | *.dl.delivery.mp.microsoft.com |
+
+The following endpoint is used for content regulation.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | tsfe.trafficshaping.dsp.mp.microsoft.com |
+
+The following endpoints are used to download content.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), you will block any content from being downloaded.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | a122.dscd.akamai.net |
+| | | a1621.g.akamai.net |
+
+## Microsoft forward link redirection service (FWLink)
+
+The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer.
+
+If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+|Various|HTTPS|go.microsoft.com|
+
+## Other Windows 10 editions
+
+To view endpoints for other versions of Windows 10 enterprise, see:
+- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md)
+- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md)
+
+To view endpoints for non-Enterprise Windows 10 editions, see:
+- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md)
+- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md)
+
+## Related links
+
+- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US)
+- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/intune/get-started/network-infrastructure-requirements-for-microsoft-intune)
\ No newline at end of file
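Review bot: Several endpoint tables in this section leave the Protocol cell empty (for example `*.tlu.dl.delivery.mp.microsoft.com.c.footprint.net`, `emdl.ws.microsoft.com`, `fe3.delivery.mp.microsoft.com` and both Akamai rows), and some also leave Source process empty. An administrator writing firewall or proxy rules from these tables cannot tell whether to allow HTTP, HTTPS or both, so fill the cells in or state what an empty cell means. Smaller points in the same lines: the TLU paragraph ends with an unmatched ")" after "has not acquired", "resulting in user unable to get apps" and "will not able to get apps" need rewording, "other versions of Windows 10 enterprise" should capitalize "Enterprise", and the file ends without a trailing newline.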
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
index 7ae1ab1d14..a3d175023d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
@@ -19,7 +19,7 @@ Windows Hello for Business authentication is passwordless, two-factor authentica
Azure Active Directory joined devices authenticate to Azure during sign-in and can optional authenticate to Active Directory. Hybrid Azure Active Directory joined devices authenticate to Active Directory during sign-in, and authenticate to Azure Active Directory in the background.
[Azure AD join authentication to Azure Active Directory](#Azure-AD-join-authentication-to-Azure-Active-Directory)
-[Azure AD join authentication to Active Direcotry using a Key](#Azure-AD-join-authentication-to-Active-Direcotry-using-a-Key)
+[Azure AD join authentication to Active Directory using a Key](#Azure-AD-join-authentication-to-Active-Directory-using-a-Key)
[Azure AD join authentication to Active Directory using a Certificate](#Azure-AD-join-authentication-to-Active-Directory-using-a-Certificate)
[Hybrid Azure AD join authentication using a Key](#Hybrid-Azure-AD-join-authentication-using-a-Key)
[Hybrid Azure AD join authentication using a Certificate](#Hybrid-Azure-AD-join-authentication-using-a-Certificate)
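Review bot: The anchor fix now matches the heading "Azure AD join authentication to Active Directory using a Key", but the context line directly above the link list still reads "can optional authenticate to Active Directory". Since this change is a typo pass on this paragraph, correct that to "can optionally authenticate" in the same commit.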
@@ -38,7 +38,7 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c
[Return to top](#Windows-Hello-for-Business-and-Authentication)
## Azure AD join authentication to Active Directory using a Key
-
+
| Phase | Description |
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
index d47f46ccc8..d855efc036 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
@@ -100,7 +100,7 @@ Sign-in to a domain controller or management workstation with access equivalent
4. Type **NDES Servers** in **Enter the object names to select**. Click **OK**. Click **OK** on the **Active Directory Domain Services** success dialog.
> [!NOTE]
-> For high-availabilty, you should have more than one NDES server to service Windows Hello for Business certificate requests. You should add additional Windows Hello for Business NDES servers to this group to ensure they receive the proper configuration.
+> For high-availability, you should have more than one NDES server to service Windows Hello for Business certificate requests. You should add additional Windows Hello for Business NDES servers to this group to ensure they receive the proper configuration.
### Create the NDES Service Account
The Network Device Enrollment Services (NDES) role runs under a service account. Typically, it is preferential to run services using a Group Managed Service Account (GMSA). While the NDES role can be configured to run using a GMSA, the Intune Certificate Connector was not designed nor tested using a GMSA and is considered an unsupported configuration. The deployment uses a normal services account.
@@ -686,4 +686,4 @@ You have successfully completed the configuration. Add users that need to enrol
> * Install and Configure the NDES Role
> * Configure Network Device Enrollment Services to work with Microsoft Intune
> * Download, Install, and Configure the Intune Certificate Connector
-> * Create and Assign a Simple Certificate Enrollment Protocol (SCEP Certificate Profile)
\ No newline at end of file
+> * Create and Assign a Simple Certificate Enrollment Protocol (SCEP Certificate Profile)
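Review bot: The re-added last bullet still has the parenthesis in the wrong place: "Simple Certificate Enrollment Protocol (SCEP Certificate Profile)" should read "Simple Certificate Enrollment Protocol (SCEP) Certificate Profile", because only "SCEP" is the abbreviation. As the line is being rewritten anyway to add the trailing newline, fix it here.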
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
index ed91c63c54..20620f9410 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
@@ -75,7 +75,7 @@ If you do not have an existing public key infrastructure, please review [Certifi
> [!IMPORTANT]
> For Azure AD joined device to authenticate to and use on-premises resources, ensure you:
-> * Install the root certificate authority certificate for your organization in the user's trusted root certifcate store.
+> * Install the root certificate authority certificate for your organization in the user's trusted root certificate store.
> * Publish your certificate revocation list to a location that is available to Azure AD joined devices, such as a web-based url.
### Section Review ###
@@ -84,7 +84,7 @@ If you do not have an existing public key infrastructure, please review [Certifi
> * Minimum Windows Server 2012 Certificate Authority.
> * Enterprise Certificate Authority.
> * Functioning public key infrastructure.
-> * Root certifcate authority certificate (Azure AD Joined devices).
+> * Root certificate authority certificate (Azure AD Joined devices).
> * Highly available certificate revocation list (Azure AD Joined devices).
## Azure Active Directory ##
@@ -131,7 +131,7 @@ Alternatively, you can configure Windows Server 2016 Active Directory Federation
> * Review the overview and uses of Azure Multifactor Authentication.
> * Review your Azure Active Directory subscription for Azure Multifactor Authentication.
> * Create an Azure Multifactor Authentication Provider, if necessary.
-> * Configure Azure Multufactor Authentiation features and settings.
+> * Configure Azure Multifactor Authentiation features and settings.
> * Understand the different User States and their effect on Azure Multifactor Authentication.
> * Consider using Azure Multifactor Authentication or a third-party multifactor authentication provider with Windows Server Active Directory Federation Services, if necessary.
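Review bot: The corrected line still contains a typo: "Multufactor" is fixed but "Authentiation" is not, so the bullet now reads "Configure Azure Multifactor Authentiation features and settings." Change it to "Authentication" to match the surrounding bullets.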
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md
index 621818ce66..70dd6093e7 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md
@@ -19,7 +19,7 @@ ms.date: 08/19/2018
- Key trust
-## Directory Syncrhonization
+## Directory Synchronization
In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory.
diff --git a/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md b/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md
new file mode 100644
index 0000000000..fb9afb773b
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md
@@ -0,0 +1,31 @@
+---
+title: Microsoft-compatible security key
+description: Windows10 enables users to sign in to their device using a security key. How is a Microsoft-compatible security key different (and better) than any other FIDO2 security key
+keywords: FIDO2, security key, CTAP, Hello, WHFB
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security, mobile
+author: aabhathipsay
+ms.author: aathipsa
+ms.localizationpriority: medium
+ms.date: 11/14/2018
+---
+# What is a Microsoft-compatible security key?
+> [!Warning]
+> Some information relates to pre-released product that may change before it is commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+Microsoft has been aligned with the [FIDO Alliance](https://fidoalliance.org/) with a mission to replace passwords with an easy to use, strong 2FA credential. We have been working with our partners to extensively test and deliver a seamless and secure authentication experience to end users.
+
+The [FIDO2 CTAP specification](https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id-20180227.html) contains a few optional features and extensions which are crucial to provide that seamless and secure experience.
+
+A security key **MUST** implement the following features and extensions from the FIDO2 CTAP protocol to be Microsoft-compatible:
+
+| # | Feature / Extension trust | Why is this required? |
+| --- | --- | --- |
+| 1 | Resident key | This feature enables the security key to be portable, where your credential is stored on the security key |
+| 2 | Client pin | This feature enables you to protect your credentials with a second factor and applies to security keys that do not have an user interface|
+| 3 | hmac-secret | This extension ensures you can sign-in to your device when it's off-line or in airplane mode |
+| 4 | Multiple accounts per RP | This feature ensures you can use the same security key across multiple services like Microsoft Account (MSA) and Azure Active Directory (AAD) |
+
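Review bot: The table header "Feature / Extension trust" carries a stray word; "trust" does not describe any of the four rows and looks copied from another page, so the header should be "Feature / Extension". In the front matter, the description has "Windows10" without a space and poses a question without a question mark. In row 2, "an user interface" should be "a user interface", and "Client pin" should be written "Client PIN" since PIN is an acronym. The table also states that each item is required but not how a key's support for it can be checked, which a reader evaluating hardware would want; a pointer to the relevant section of the linked CTAP specification would help.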
diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
index 0836a4dfc0..89535ec25d 100644
--- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
+++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
@@ -22,7 +22,7 @@ Over the past few years, Microsoft has continued their commitment to enabling a
### 1. Develop a password replacement offering
Before you move away from passwords, you need something to replace them. With Windows 10, Microsoft introduced Windows Hello for Business, a strong, hardware protected two-factor credential that enables single-sign on to Azure Active Directory and Active Directory.
-Deploying Windows Hello for Business is the first step towards password-less. With Windows Hello for Business deployed, it coexists with password nicely. Users are likely to useWindows Hello for Business because of its convenience, especially when combined with biometrics. However, some workflows and applications may still need passwords. This early stage is about implementing an alternative and getting users used to it.
+Deploying Windows Hello for Business is the first step towards password-less. With Windows Hello for Business deployed, it coexists with password nicely. Users are likely to use Windows Hello for Business because of its convenience, especially when combined with biometrics. However, some workflows and applications may still need passwords. This early stage is about implementing an alternative and getting users used to it.
### 2. Reduce user-visible password surface area
With Windows Hello for Business and passwords coexisting in your environment, the next step towards password-less is to reduce the password surface. The environment and workflows need to stop asking for passwords. The goal of this step is to achieve a state where the user knows they have a password, but they never user it. This state helps decondition users from providing a password any time a password prompt shows on their computer. This is a how passwords are phished. Users who rarely, it at all, use their password are unlikely to provide it. Password prompts are no longer the norm.
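Review bot: The "useWindows" spacing fix is fine, but the paragraph under "2. Reduce user-visible password surface area" in the trailing context still has three typos that belong in the same cleanup: "they never user it" (use), "This is a how passwords are phished" (drop "a"), and "Users who rarely, it at all, use their password" (if at all). The changed line also reads awkwardly at "it coexists with password nicely"; "passwords" would match the rest of the section.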
diff --git a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
index 15f9ab184e..851edc7279 100644
--- a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
+++ b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: operate
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
-ms.date: 09/19/2018
+ms.date: 11/16/2018
---
# How User Account Control works
@@ -182,7 +182,7 @@ To better understand each component, review the table below:
Not recommended. Choose this only if it takes a long time to dim the desktop on your computer.
-Never notify (Disable UAC) will:
+Never notify (Disable UAC prompts) will:
- Not notify you when programs try to install software or make changes to your computer.
- Not notify you when you make changes to Windows settings.
diff --git a/windows/security/information-protection/secure-the-windows-10-boot-process.md b/windows/security/information-protection/secure-the-windows-10-boot-process.md
index 585264179f..cb56f52198 100644
--- a/windows/security/information-protection/secure-the-windows-10-boot-process.md
+++ b/windows/security/information-protection/secure-the-windows-10-boot-process.md
@@ -8,7 +8,7 @@ ms.pagetype: security
ms.sitesec: library
ms.localizationpriority: medium
author: brianlic-msft
-ms.date: 10/13/2017
+ms.date: 11/16/2018
---
# Secure the Windows 10 boot process
@@ -122,9 +122,5 @@ Measured Boot uses the power of UEFI, TPM, and Windows 10 to give you a way to
## Summary
Secure Boot, Trusted Boot, and Measured Boot create an architecture that is fundamentally resistant to bootkits and rootkits. In Windows 10, these features have the potential to eliminate kernel-level malware from your network. This is the most ground-breaking anti-malware solution that Windows has ever had; it’s leaps and bounds ahead of everything else. With Windows 10, you can truly trust the integrity of your operating system.
-For more information:
-
-- Watch a [video demonstration of Secure Boot](https://technet.microsoft.com/windows/jj737995.aspx)
-
## Additional resources
- [Windows 10 Enterprise Evaluation](https://technet.microsoft.com/evalcenter/hh699156.aspx?ocid=wc-tn-wctc)
diff --git a/windows/security/information-protection/tpm/manage-tpm-lockout.md b/windows/security/information-protection/tpm/manage-tpm-lockout.md
index db918c0ba6..6f31a72d96 100644
--- a/windows/security/information-protection/tpm/manage-tpm-lockout.md
+++ b/windows/security/information-protection/tpm/manage-tpm-lockout.md
@@ -31,7 +31,7 @@ The industry standards from the Trusted Computing Group (TCG) specify that TPM m
**TPM 2.0**
-TPM 2.0 devices have standardized lockout behavior which is configured by Windows. TPM 2.0 devices have a maximum count threshold and a healing time. Windows configures the maximum count to be 32 and the healing time to be 2 hours. This means that every continuous two hours of powered on operation without an event which increases the counter will cause the counter to decrease by 1.
+TPM 2.0 devices have standardized lockout behavior which is configured by Windows. TPM 2.0 devices have a maximum count threshold and a healing time. Windows 10 configures the maximum count to be 32 and the healing time to be 10 minutes. This means that every continuous ten minutes of powered on operation without an event which increases the counter will cause the counter to decrease by 1.
If your TPM has entered lockout mode or is responding slowly to commands, you can reset the lockout value by using the following procedures. Resetting the TPM lockout requires the TPM owner’s authorization. This value is no longer retained by default starting with Windows 10 version 1607.
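Review bot: The healing time changes from 2 hours to 10 minutes and "Windows" becomes "Windows 10", but the new sentence does not say which release the 10-minute value applies from, and the page previously documented 2 hours. Readers estimating how quickly the lockout counter drains after failed authorization attempts need to know whether older builds or other Windows versions still use the 2-hour value, so name the version here the way the next paragraph does for "Windows 10 version 1607". Also keep the numerals consistent: the line uses "10 minutes" and then "ten minutes".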
diff --git a/windows/security/information-protection/tpm/tpm-recommendations.md b/windows/security/information-protection/tpm/tpm-recommendations.md
index 7fa22e10ce..46b264ae30 100644
--- a/windows/security/information-protection/tpm/tpm-recommendations.md
+++ b/windows/security/information-protection/tpm/tpm-recommendations.md
@@ -9,7 +9,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
-ms.date: 05/16/2018
+ms.date: 11/29/2018
---
# TPM recommendations
@@ -64,6 +64,9 @@ TPM 2.0 products and systems have important security advantages over TPM 1.2, in
- While TPM 1.2 parts are discrete silicon components which are typically soldered on the motherboard, TPM 2.0 is available as a **discrete (dTPM)** silicon component in a single semiconductor package, an **integrated** component incorporated in one or more semiconductor packages - alongside other logic units in the same package(s) - and as a **firmware (fTPM)** based component running in a trusted execution environment (TEE) on a general purpose SoC.
+> [!NOTE]
+> TPM 2.0 requires UEFI firmware. A computer with legacy BIOS and TPM 2.0 won't work as expected.
+
## Discrete, Integrated or Firmware TPM?
There are three implementation options for TPMs:
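Review bot: The added note says a computer with legacy BIOS and TPM 2.0 "won't work as expected", which does not tell the reader what fails or how to recognize it. State the observable effect (for example, which features listed on this page are unavailable in that configuration) or link to the section that explains it, so the note is actionable for someone auditing firmware mode before deployment.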
@@ -113,6 +116,10 @@ The following table defines which Windows features require TPM support.
| TPM Platform Crypto Provider Key Storage Provider| Yes | Yes| Yes | |
| Virtual Smart Card | Yes | Yes | Yes | |
| Certificate storage | No | Yes | Yes | TPM is only required when the certificate is stored in the TPM. |
+| Autopilot | Yes | No | Yes | TPM 2.0 and UEFI firmware is required. |
+| SecureBIO | Yes | No | Yes | TPM 2.0 and UEFI firmware is required. |
+| DRTM | Yes | No | Yes | TPM 2.0 and UEFI firmware is required. |
+
## OEM Status on TPM 2.0 system availability and certified parts
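Review bot: The three new rows (Autopilot, SecureBIO, DRTM) all use the comment "TPM 2.0 and UEFI firmware is required."; with a compound subject this should be "are required". The rows also introduce "SecureBIO" and "DRTM" without expansion or a link, while other rows in the table use descriptive feature names, so spell them out or link them on first use. The hunk additionally leaves two blank lines before the "## OEM Status" heading where one is enough.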
diff --git a/windows/security/information-protection/tpm/trusted-platform-module-overview.md b/windows/security/information-protection/tpm/trusted-platform-module-overview.md
index 1b4e9f6f6f..9b287bed8c 100644
--- a/windows/security/information-protection/tpm/trusted-platform-module-overview.md
+++ b/windows/security/information-protection/tpm/trusted-platform-module-overview.md
@@ -9,7 +9,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms-author: v-anbic
-ms.date: 08/21/2018
+ms.date: 11/29/2018
---
# Trusted Platform Module Technology Overview
@@ -69,7 +69,7 @@ Some things that you can check on the device are:
- Is SecureBoot supported and enabled?
> [!NOTE]
-> Windows 10 and Windows Server 2016 support Device Health Attestation with TPM 2.0. Support for TPM 1.2 was added beginning with Windows version 1607 (RS1).
+> Windows 10 and Windows Server 2016 support Device Health Attestation with TPM 2.0. Support for TPM 1.2 was added beginning with Windows version 1607 (RS1). TPM 2.0 requires UEFI firmware. A computer with legacy BIOS and TPM 2.0 won't work as expected.
## Supported versions for device health attestation
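Review bot: The two sentences appended to this note ("TPM 2.0 requires UEFI firmware. A computer with legacy BIOS and TPM 2.0 won't work as expected.") are about firmware requirements, while the note itself is about which Windows versions support Device Health Attestation. Put the UEFI requirement in its own note so neither point is buried, and say what "won't work as expected" means for attestation specifically.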
diff --git a/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md b/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md
index 67d918b484..b1005f382d 100644
--- a/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md
+++ b/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md
@@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
author: justinha
ms.localizationpriority: medium
-ms.date: 10/12/2018
+ms.date: 11/28/2018
---
# How Windows Information Protection protects files with a sensitivity label
@@ -27,13 +27,15 @@ Microsoft information protection technologies work together as an integrated sol
Microsoft information protection technologies include:
-- [Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) is built in to Windows 10 and protects data at rest on endpoint devices, and manages apps to protect data in use.
+- [Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) is built in to Windows 10 and protects local data at rest on endpoint devices, and manages apps to protect local data in use. Data that leaves the endpoint device, such as email attachment, is not protected by WIP.
- [Office 365 Information Protection](https://docs.microsoft.com/office365/securitycompliance/office-365-info-protection-for-gdpr-overview) is a solution to classify, protect, and monitor personal data in Office 365 and other first-party or third-party Software-as-a-Service (SaaS) apps.
-- [Azure Information Protection](https://docs.microsoft.com/azure/information-protection/what-is-information-protection) is a cloud-based solution that can be purchased either standalone or as part of Microsoft 365 Enterprise. It helps an organization classify and protect its documents and emails by applying labels. End users can choose and apply sensitivity labels from a bar that appears below the ribbon in Office apps:
+- [Azure Information Protection](https://docs.microsoft.com/azure/information-protection/what-is-information-protection) is a cloud-based solution that can be purchased either standalone or as part of Microsoft 365 Enterprise. It helps an organization classify and protect its documents and emails by applying labels. Azure Information Protection is applied directly to content, and roams with the content as it's moved between locations and cloud services.
- 
+End users can choose and apply sensitivity labels from a bar that appears below the ribbon in Office apps:
+
+
## Default WIP behaviors for a sensitivity label
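Review bot: The new WIP bullet states an important scope limit, but "such as email attachment" is missing an article; use "such as an email attachment" or "such as email attachments". Because the sentence tells readers that WIP does not protect data once it leaves the endpoint, it would help to point to what does, as the Azure Information Protection bullet two lines later already says that its protection "roams with the content". The hunk also adds two consecutive blank lines before "## Default WIP behaviors for a sensitivity label".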
diff --git a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
index 8ce020a25f..33ec5598fe 100644
--- a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
+++ b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.author: justinha
-ms.date: 06/18/2018
+ms.date: 11/08/2018
ms.localizationpriority: medium
---
@@ -24,6 +24,10 @@ With the increase of employee-owned devices in the enterprise, there’s also an
Windows Information Protection (WIP), previously known as enterprise data protection (EDP), helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps. Finally, another data protection technology, Azure Rights Management also works alongside WIP to extend data protection for data that leaves the device, such as when email attachments are sent from an enterprise aware version of a rights management mail client.
+## Video: Protect enterprise data from being accidentally copied to the wrong place
+
+> [!Video https://www.microsoft.com/en-us/videoplayer/embed/RE2IGhh]
+
## Prerequisites
You’ll need this software to run WIP in your enterprise:
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index 3145f56988..d1c214ecbe 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -6,6 +6,7 @@
#### [Attack surface reduction](windows-defender-atp/overview-attack-surface-reduction.md)
##### [Hardware-based isolation](windows-defender-atp/overview-hardware-based-isolation.md)
###### [Application isolation](windows-defender-application-guard/wd-app-guard-overview.md)
+####### [System requirements](windows-defender-application-guard/reqs-wd-app-guard.md)
###### [System isolation](windows-defender-atp/how-hardware-based-containers-help-protect-windows.md)
##### [Application control](windows-defender-application-control/windows-defender-application-control.md)
##### [Exploit protection](windows-defender-exploit-guard/exploit-protection-exploit-guard.md)
@@ -23,6 +24,7 @@
###### [Investigate incidents](windows-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md)
+
##### Alerts queue
###### [View and organize the Alerts queue](windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md)
###### [Manage alerts](windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md)
@@ -80,82 +82,17 @@
##### [Custom detections](windows-defender-atp/overview-custom-detections.md)
###### [Create custom detections rules](windows-defender-atp/custom-detection-rules.md)
+
#### [Management and APIs](windows-defender-atp/management-apis.md)
##### [Understand threat intelligence concepts](windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
-##### [Supported Windows Defender ATP APIs](windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md)
-######Actor
-####### [Get actor information](windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md)
-####### [Get actor related alerts](windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md)
-######Alerts
-####### [Get alerts](windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md)
-####### [Get alert information by ID](windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md)
-####### [Get alert related actor information](windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md)
-####### [Get alert related domain information](windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md)
-####### [Get alert related file information](windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md)
-####### [Get alert related IP information](windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md)
-####### [Get alert related machine information](windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md)
-######Domain
-####### [Get domain related alerts](windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md)
-####### [Get domain related machines](windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md)
-####### [Get domain statistics](windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md)
-####### [Is domain seen in organization](windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md)
-
-######File
-####### [Block file API](windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md)
-####### [Get file information](windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md)
-####### [Get file related alerts](windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md)
-####### [Get file related machines](windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md)
-####### [Get file statistics](windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md)
-####### [Get FileActions collection API](windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md)
-####### [Unblock file API](windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md)
-
-######IP
-####### [Get IP related alerts](windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md)
-####### [Get IP related machines](windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md)
-####### [Get IP statistics](windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md)
-####### [Is IP seen in organization](windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md)
-######Machines
-####### [Collect investigation package API](windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md)
-####### [Find machine information by IP](windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md)
-####### [Get machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md)
-####### [Get FileMachineAction object API](windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md)
-####### [Get FileMachineActions collection API](windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md)
-####### [Get machine by ID](windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md)
-####### [Get machine log on users](windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md)
-####### [Get machine related alerts](windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md)
-####### [Get MachineAction object API](windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md)
-####### [Get MachineActions collection API](windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md)
-####### [Get machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md)
-####### [Get package SAS URI API](windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md)
-####### [Isolate machine API](windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md)
-####### [Release machine from isolation API](windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md)
-####### [Remove app restriction API](windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md)
-####### [Request sample API](windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md)
-####### [Restrict app execution API](windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md)
-####### [Run antivirus scan API](windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md)
-####### [Stop and quarantine file API](windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md)
-######Machines Security States
-####### [Get MachineSecurityStates collection](windows-defender-atp/get-machinesecuritystates-collection-windows-defender-advanced-threat-protection.md)
-######Machine Groups
-####### [Get MachineGroups collection](windows-defender-atp/get-machinegroups-collection-windows-defender-advanced-threat-protection.md)
-
-######User
-####### [Get alert related user information](windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md)
-####### [Get user information](windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md)
-####### [Get user related alerts](windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md)
-####### [Get user related machines](windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md)
-
-######Windows updates (KB) info
-####### [Get KbInfo collection](windows-defender-atp/get-kbinfo-collection-windows-defender-advanced-threat-protection.md)
-######Common Vulnerabilities and Exposures (CVE) to KB map
-####### [Get CVE-KB map](windows-defender-atp/get-cvekbmap-collection-windows-defender-advanced-threat-protection.md)
-
+##### [Windows Defender ATP APIs](windows-defender-atp/apis-intro.md)
##### [Managed security service provider support](windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md)
#### [Microsoft threat protection](windows-defender-atp/threat-protection-integration.md)
##### [Protect users, data, and devices with conditional access](windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md)
##### [Microsoft Cloud App Security integration overview](windows-defender-atp/microsoft-cloud-app-security-integration.md)
+##### [Information protection in Windows overview](windows-defender-atp/information-protection-in-windows-overview.md)
@@ -186,12 +123,14 @@
### [Configure and manage capabilities](windows-defender-atp/onboard.md)
#### [Configure attack surface reduction](windows-defender-atp/configure-attack-surface-reduction.md)
##### [Hardware-based isolation](windows-defender-application-guard/install-wd-app-guard.md)
-###### [Confguration settings](windows-defender-application-guard/configure-wd-app-guard.md)
+###### [Configuration settings](windows-defender-application-guard/configure-wd-app-guard.md)
##### [Application control](windows-defender-application-control/windows-defender-application-control.md)
-##### [Device control](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
-###### [Memory integrity](windows-defender-exploit-guard/memory-integrity.md)
-####### [Hardware qualifications](windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
-####### [Enable HVCI](windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md)
+##### Device control
+###### [Control USB devices](device-control/control-usb-devices-using-intune.md)
+###### [Device Guard](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
+####### [Memory integrity](windows-defender-exploit-guard/memory-integrity.md)
+######## [Hardware qualifications](windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
+######## [Enable HVCI](windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md)
##### [Exploit protection](windows-defender-exploit-guard/enable-exploit-protection.md)
###### [Customize exploit protection](windows-defender-exploit-guard/customize-exploit-protection.md)
###### [Import/export configurations](windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md)
@@ -290,6 +229,153 @@
###### [Troubleshoot onboarding issues](windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
####### [Troubleshoot subscription and portal access issues](windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md)
+##### [Use the Windows Defender ATP exposed APIs](windows-defender-atp/use-apis.md)
+###### Create your app
+####### [Get access on behalf of a user](windows-defender-atp/exposed-apis-create-app-nativeapp.md)
+####### [Get access without a user](windows-defender-atp/exposed-apis-create-app-webapp.md)
+###### [Supported Windows Defender ATP APIs](windows-defender-atp/exposed-apis-list.md)
+####### [Advanced Hunting](windows-defender-atp/run-advanced-query-api.md)
+
+####### [Alert](windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md)
+######## [List alerts](windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md)
+######## [Create alert](windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md)
+######## [Update Alert](windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md)
+######## [Get alert information by ID](windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md)
+######## [Get alert related domains information](windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md)
+######## [Get alert related file information](windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md)
+######## [Get alert related IPs information](windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md)
+######## [Get alert related machine information](windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md)
+######## [Get alert related user information](windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md)
+
+####### Domain
+######## [Get domain related alerts](windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md)
+######## [Get domain related machines](windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md)
+######## [Get domain statistics](windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md)
+######## [Is domain seen in organization](windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md)
+
+####### [File](windows-defender-atp/files-windows-defender-advanced-threat-protection-new.md)
+######## [Get file information](windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md)
+######## [Get file related alerts](windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md)
+######## [Get file related machines](windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md)
+######## [Get file statistics](windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md)
+
+####### IP
+######## [Get IP related alerts](windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md)
+######## [Get IP related machines](windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md)
+######## [Get IP statistics](windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md)
+######## [Is IP seen in organization](windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md)
+
+####### [Machine](windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md)
+######## [List machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md)
+######## [Get machine by ID](windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md)
+######## [Get machine log on users](windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md)
+######## [Get machine related alerts](windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md)
+######## [Add or Remove machine tags](windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md)
+######## [Find machines by IP](windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md)
+
+
+####### [Machine Action](windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md)
+######## [List Machine Actions](windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md)
+######## [Get Machine Action](windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md)
+######## [Collect investigation package](windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md)
+######## [Get investigation package SAS URI](windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md)
+######## [Isolate machine](windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md)
+######## [Release machine from isolation](windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md)
+######## [Restrict app execution](windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md)
+######## [Remove app restriction](windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md)
+######## [Run antivirus scan](windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md)
+######## [Offboard machine](windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md)
+######## [Stop and quarantine file](windows-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md)
+
+####### [User](windows-defender-atp/user-windows-defender-advanced-threat-protection-new.md)
+######## [Get user related alerts](windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md)
+######## [Get user related machines](windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md)
+
+
+###### How to use APIs - Samples
+####### Advanced Hunting API
+######## [Schedule advanced Hunting using Microsoft Flow](windows-defender-atp/run-advanced-query-sample-ms-flow.md)
+######## [Advanced Hunting using PowerShell](windows-defender-atp/run-advanced-query-sample-powershell.md)
+######## [Advanced Hunting using Python](windows-defender-atp/run-advanced-query-sample-python.md)
+######## [Create custom Power BI reports](windows-defender-atp/run-advanced-query-sample-power-bi-app-token.md)
+####### Multiple APIs
+######## [PowerShell](windows-defender-atp/exposed-apis-full-sample-powershell.md)
+####### [Using OData Queries](windows-defender-atp/exposed-apis-odata-samples.md)
+
+##### [Use the Windows Defender ATP exposed APIs (deprecated)](windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md)
+###### [Supported Windows Defender ATP APIs (deprecated)](windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md)
+#######Actor (deprecated)
+######## [Get actor information (deprecated)](windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md)
+######## [Get actor related alerts (deprecated)](windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md)
+#######Alerts (deprecated)
+######## [Get alerts (deprecated)](windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md)
+######## [Get alert information by ID (deprecated)](windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md)
+######## [Get alert related actor information (deprecated)](windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md)
+######## [Get alert related domain information (deprecated)](windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md)
+######## [Get alert related file information (deprecated)](windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md)
+######## [Get alert related IP information (deprecated)](windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md)
+######## [Get alert related machine information (deprecated)](windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md)
+#######Domain (deprecated)
+######## [Get domain related alerts (deprecated)](windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md)
+######## [Get domain related machines (deprecated)](windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md)
+######## [Get domain statistics (deprecated)](windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md)
+######## [Is domain seen in organization (deprecated)](windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md)
+
+#######File(deprecated)
+######## [Block file (deprecated)](windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md)
+######## [Get file information (deprecated)](windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md)
+######## [Get file related alerts (deprecated)](windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md)
+######## [Get file related machines (deprecated)](windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md)
+######## [Get file statistics (deprecated)](windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md)
+######## [Get FileActions collection (deprecated)](windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md)
+######## [Unblock file (deprecated)](windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md)
+
+#######IP (deprecated)
+######## [Get IP related alerts (deprecated)](windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md)
+######## [Get IP related machines (deprecated)](windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md)
+######## [Get IP statistics (deprecated)](windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md)
+######## [Is IP seen in organization (deprecated)](windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md)
+#######Machines (deprecated)
+######## [Collect investigation package (deprecated)](windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md)
+######## [Find machine information by IP (deprecated)](windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md)
+######## [Get machines (deprecated)](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md)
+######## [Get FileMachineAction object (deprecated)](windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md)
+######## [Get FileMachineActions collection (deprecated)](windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md)
+######## [Get machine by ID (deprecated)](windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md)
+######## [Get machine log on users (deprecated)](windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md)
+######## [Get machine related alerts (deprecated)](windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md)
+######## [Get MachineAction object (deprecated)](windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md)
+######## [Get MachineActions collection (deprecated)](windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md)
+######## [Get machines (deprecated)](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md)
+######## [Get package SAS URI (deprecated)](windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md)
+######## [Isolate machine (deprecated)](windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md)
+######## [Release machine from isolation (deprecated)](windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md)
+######## [Remove app restriction (deprecated)](windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md)
+######## [Request sample (deprecated)](windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md)
+######## [Restrict app execution (deprecated)](windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md)
+######## [Run antivirus scan (deprecated)](windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md)
+######## [Stop and quarantine file (deprecated)](windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md)
+
+#######User (deprecated)
+######## [Get alert related user information (deprecated)](windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md)
+######## [Get user information (deprecated)](windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md)
+######## [Get user related alerts (deprecated)](windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md)
+######## [Get user related machines (deprecated)](windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md)
+
+
+#####Windows updates (KB) info
+###### [Get KbInfo collection](windows-defender-atp/get-kbinfo-collection-windows-defender-advanced-threat-protection.md)
+#####Common Vulnerabilities and Exposures (CVE) to KB map
+###### [Get CVE-KB map](windows-defender-atp/get-cvekbmap-collection-windows-defender-advanced-threat-protection.md)
+
+
+
+
+
+
+
+
+
##### API for custom alerts
###### [Enable the custom threat intelligence application](windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md)
###### [Use the Windows Defender ATP exposed APIs](windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md)
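Review bot: Several added headings in the deprecated block have no space after the hashes (`#######Actor (deprecated)`, `#######Alerts (deprecated)`, `#######File(deprecated)`, `#######IP (deprecated)`, `#######Machines (deprecated)`, `#######User (deprecated)`, `#####Windows updates (KB) info`, `#####Common Vulnerabilities and Exposures (CVE) to KB map`), while the new groups above use `####### Domain` and `####### IP`. Add the space so every node is written the same way, and change `File(deprecated)` to `File (deprecated)`. In the deprecated Machines group, `Get machines (deprecated)` appears twice with the same target, so one entry can go. The KB info and CVE-KB map entries now sit at the `#####` level as siblings of the two API nodes and carry no `(deprecated)` label, although their targets are the pages without the `-new` suffix; please confirm that placement is intended. The trailing context entry `Use the Windows Defender ATP exposed APIs` under `API for custom alerts` now has the same title as the new `use-apis.md` entry but still points at the page this hunk labels deprecated, so it should be renamed or retargeted. The run of added blank lines before `##### API for custom alerts` can be dropped.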
@@ -326,6 +412,7 @@
#### Configure Microsoft threat protection integration
##### [Configure conditional access](windows-defender-atp/configure-conditional-access-windows-defender-advanced-threat-protection.md)
##### [Configure Microsoft Cloud App Security integration](windows-defender-atp/microsoft-cloud-app-security-config.md)
+##### [Configure information protection in Windows](windows-defender-atp/information-protection-in-windows-config.md)
diff --git a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md
new file mode 100644
index 0000000000..6629438e93
--- /dev/null
+++ b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md
@@ -0,0 +1,86 @@
+---
+title: How to control USB devices and other removable media using Intune (Windows 10)
+description: You can configure Intune settings to reduce threats from removable storage such as USB devices.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+ms.author: justinha
+author: justinha
+ms.date: 11/15/2018
+---
+
+# How to control USB devices and other removable media using Intune
+
+**Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+
+
+You can configure Intune settings to reduce threats from removable storage such as USB devices, including:
+
+- [Block unwanted removeable storage](#block-unwanted-removable-storage)
+- [Protect allowed removable storage](#protect-allowed-removable-storage)
+
+Protecting allowed removeable storage requires [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus).
+We recommend enabling real-time protection for improved scanning performance, especially for large storage devices.
+If real-time protection is enabled, files are scanned before they are accessed and executed. The scanning scope includes all files, including those on mounted removable devices such as USB drives.
+You can optionally [run a PowerShell script to perform a custom scan](https://aka.ms/scanusb) of a USB drive after it is mounted.
+
+> [!NOTE]
+> These threat reduction measures help prevent malware from coming into your environment. To protect enterprise data from leaving your environment, you can also configure data loss prevention measures. For data loss prevention on Windows 10 devices, you can configure [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) and [Windows Information Protection](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure), which will encrypt company data even if it is stored on a personal device.
+
+## Block unwanted removeable storage
+
+1. Sign in to the [Microsoft Azure portal](https://portal.azure.com/).
+2. Click **Intune** > **Device configuration** > **Profiles** > **Create profile**.
+
+ 
+
+3. Use the following settings:
+
+ - Name: Windows 10 Device Configuration
+ - Description: Block removeable storage and USB connections
+ - Platform: Windows 10 and later
+ - Profile type: Device restrictions
+
+ 
+
+4. Click **Configure** > **General**.
+
+5. For **Removable storage** and **USB connection (mobile only)**, choose **Block**.
+
+ 
+
+6. Click **OK** to close **General** settings and **Device restrictions**.
+
+7. Click **Create** to save the profile.
+
+Alternatively, you can create a custom profile in Intune and configure [DeviceInstallation](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation) policies.
+
+## Protect allowed removable storage
+
+These settings require [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus).
+
+1. Sign in to the [Microsoft Azure portal](https://portal.azure.com/).
+2. Click **Intune** > **Device configuration** > **Profiles** > **Create profile**.
+
+ 
+
+3. Use the following settings:
+
+ - Name: Type a name for the profile
+ - Description: Type a description
+ - Platform: Windows 10 or later
+ - Profile type: Endpoint protection
+
+ 
+
+4. Click **Configure** > **Windows Defender Exploit Guard** > **Attack Surface Reduction**.
+
+5. For **Unsigned and untrusted processes that run from USB**, choose **Block**.
+
+ 
+
+6. Click **OK** to close **Attack Surface Reduction**, **Windows Defender Exploit Guard**, and **Endpoint protection**.
+
+7. Click **Create** to save the profile.
\ No newline at end of file
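Review bot: The in-page link `[Block unwanted removeable storage](#block-unwanted-removable-storage)` is unlikely to resolve, because the heading it targets is spelled `## Block unwanted removeable storage` and the anchor is derived from the heading text. Standardize on "removable" in the link text, the heading, the sentence beginning "Protecting allowed removeable storage" and the profile description "Block removeable storage and USB connections". The introduction first says protecting allowed removable storage requires real-time protection and then says "We recommend enabling real-time protection"; state it once as a prerequisite, and since the second procedure depends on it, add a step that confirms real-time protection is enabled before the **Unsigned and untrusted processes that run from USB** rule is relied on. The two procedures also give the platform as "Windows 10 and later" and "Windows 10 or later"; use one wording. The file ends without a trailing newline.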
diff --git a/windows/security/threat-protection/device-control/images/block-untrusted-processes.png b/windows/security/threat-protection/device-control/images/block-untrusted-processes.png
new file mode 100644
index 0000000000..3080e0d1f0
Binary files /dev/null and b/windows/security/threat-protection/device-control/images/block-untrusted-processes.png differ
diff --git a/windows/security/threat-protection/device-control/images/configure-device-configuration-profile.png b/windows/security/threat-protection/device-control/images/configure-device-configuration-profile.png
new file mode 100644
index 0000000000..9d295dfa6b
Binary files /dev/null and b/windows/security/threat-protection/device-control/images/configure-device-configuration-profile.png differ
diff --git a/windows/security/threat-protection/device-control/images/create-device-configuration-profile.png b/windows/security/threat-protection/device-control/images/create-device-configuration-profile.png
new file mode 100644
index 0000000000..1e0f0587a3
Binary files /dev/null and b/windows/security/threat-protection/device-control/images/create-device-configuration-profile.png differ
diff --git a/windows/security/threat-protection/device-control/images/create-endpoint-protection-profile.png b/windows/security/threat-protection/device-control/images/create-endpoint-protection-profile.png
new file mode 100644
index 0000000000..eaba30b27f
Binary files /dev/null and b/windows/security/threat-protection/device-control/images/create-endpoint-protection-profile.png differ
diff --git a/windows/security/threat-protection/device-control/images/create-profile.png b/windows/security/threat-protection/device-control/images/create-profile.png
new file mode 100644
index 0000000000..ada168228e
Binary files /dev/null and b/windows/security/threat-protection/device-control/images/create-profile.png differ
diff --git a/windows/security/threat-protection/device-control/images/general-settings.png b/windows/security/threat-protection/device-control/images/general-settings.png
new file mode 100644
index 0000000000..152822dc29
Binary files /dev/null and b/windows/security/threat-protection/device-control/images/general-settings.png differ
diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md
index a83dc7afac..028116204e 100644
--- a/windows/security/threat-protection/index.md
+++ b/windows/security/threat-protection/index.md
@@ -63,8 +63,8 @@ To further reinforce the security perimeter of your network, Windows Defender AT
-**[Endpoint protection and response](windows-defender-atp/overview-endpoint-detection-response.md)**
-Endpoint protection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars.
+**[Endpoint detection and response](windows-defender-atp/overview-endpoint-detection-response.md)**
+Endpoint detection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars.
- [Alerts](windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md)
- [Historical endpoint data](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#machine-timeline)
diff --git a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md
index 43bef2e93e..34297ac109 100644
--- a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md
+++ b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md
@@ -1,14 +1,14 @@
---
title: Top scoring in industry antivirus tests
description: Windows Defender Antivirus consistently achieves high scores in independent tests. View the latest scores and analysis.
-keywords: security, malware, av-comparatives, av-test, av, antivirus
+keywords: security, malware, av-comparatives, av-test, av, antivirus, windows, defender, scores
ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
-ms.date: 09/05/2018
+ms.date: 11/07/2018
---
# Top scoring in industry antivirus tests
@@ -18,18 +18,16 @@ ms.date: 09/05/2018
We want to be transparent and have gathered top industry reports that demonstrate our enterprise antivirus capabilities. Note that these tests only provide results for antivirus and do not test for additional security protections.
In the real world, millions of devices are protected from cyberattacks every day, sometimes [milliseconds after a campaign starts](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign?ocid=cx-docs-avreports). Windows Defender Antivirus is part of the [next generation](https://www.youtube.com/watch?v=Xy3MOxkX_o4) Windows Defender Advanced Threat Protection ([Windows Defender ATP](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=cx-docs-avreports)) security stack which addresses the latest and most sophisticated threats today. In many cases, customers might not even know they were protected. That's because Windows Defender Antivirus detects and stops malware at first sight by using [machine learning](https://cloudblogs.microsoft.com/microsoftsecure/2018/06/07/machine-learning-vs-social-engineering?ocid=cx-docs-avreports), [artificial intelligence](https://cloudblogs.microsoft.com/microsoftsecure/2018/02/14/how-artificial-intelligence-stopped-an-emotet-outbreak?ocid=cx-docs-avreports), behavioral analysis, and other advanced technologies.
-
-> [!TIP]
-> Learn why [Windows Defender Antivirus is the most deployed in the enterprise](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/22/why-windows-defender-antivirus-is-the-most-deployed-in-the-enterprise?ocid=cx-docs-avreports).
-

## AV-TEST: Perfect protection score of 6.0/6.0 in the latest test
The AV-TEST Product Review and Certification Report tests on three categories: protection, performance, and usability. The scores listed below are for the Protection category which has two scores: Real-World Testing and the AV-TEST reference set (known as "Prevalent Malware").
+> [!NOTE]
+> [Download our latest analysis: Examining the AV-TEST July-August results](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2IL3Y)
-### July-August 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/august-2018/microsoft-windows-defender-antivirus-4.12--4.18-183212/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2IL3Y) **Latest**
+### July-August 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/august-2018/microsoft-windows-defender-antivirus-4.12--4.18-183212/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2IL3Y)
Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, detecting 100% of 20,022 malware samples. With the latest results, Windows Defender Antivirus has achieved 100% on 14 of the 16 most recent antivirus tests (combined "Real-World" and "Prevalent malware").
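Review bot: The added NOTE above the July-August 2018 heading links to the same RE2IL3Y analysis that the heading already links as "Analysis", so the page now carries that link twice. The NOTE text also says "latest analysis" and "July-August results" with no year, which will go stale on the next test cycle now that the **Latest** marker has been dropped from the heading. Suggest keeping one link and putting the year in the NOTE text.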
diff --git a/windows/security/threat-protection/intelligence/worms-malware.md b/windows/security/threat-protection/intelligence/worms-malware.md
index b76c90029c..c9e7ce8541 100644
--- a/windows/security/threat-protection/intelligence/worms-malware.md
+++ b/windows/security/threat-protection/intelligence/worms-malware.md
@@ -25,7 +25,7 @@ Jenxcus (also known as Dunihi), Gamarue (also known as Androm), and Bondat have
* **Gamarue** typically arrives through spam campaigns, exploits, downloaders, social networking sites, and removable drives. When Gamarue infects a device, it becomes a distribution channel for other malware. We’ve seen it distribute other malware such as infostealers, spammers, clickers, downloaders, and rogues.
-* **Bondat** typically arrives through fictitious Nullsoft Sciptable Install System (NSIS) Java installers and removable drives. When Bondat infects a system, it gathers information about the machine such as device name, Globally Unique Identifier (GUID), and OS build. It then sends that information to a remote server.
+* **Bondat** typically arrives through fictitious Nullsoft Scriptable Install System (NSIS), Java installers, and removable drives. When Bondat infects a system, it gathers information about the machine such as device name, Globally Unique Identifier (GUID), and OS build. It then sends that information to a remote server.
Both Bondat and Gamarue have clever ways of obscuring themselves to evade detection. By hiding what they are doing, they try to avoid detection by security software.
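Review bot: In the Bondat bullet, the two added commas change the meaning, not just the spelling. The old text named one vector plus removable drives ("fictitious ... (NSIS) Java installers and removable drives"); the new text lists three items, and "fictitious Nullsoft Scriptable Install System (NSIS)" on its own no longer names something that arrives on a device. If the intent was only to fix "Sciptable", keep the original punctuation; if NSIS installers and Java installers really are separate vectors, reword so each item is an installer type.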
@@ -45,4 +45,4 @@ Download [Microsoft Security Essentials](https://www.microsoft.com/download/deta
In case threat removal is unsuccessful, read about [troubleshooting malware detection and removal problems](https://www.microsoft.com/wdsi/help/troubleshooting-infection).
-For more general tips, see [prevent malware infection](prevent-malware-infection.md).
\ No newline at end of file
+For more general tips, see [prevent malware infection](prevent-malware-infection.md).
diff --git a/windows/security/threat-protection/security-compliance-toolkit-10.md b/windows/security/threat-protection/security-compliance-toolkit-10.md
index 5388ad4fd7..5afa6d82b1 100644
--- a/windows/security/threat-protection/security-compliance-toolkit-10.md
+++ b/windows/security/threat-protection/security-compliance-toolkit-10.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.author: sagaudre
author: brianlic-msft
-ms.date: 06/25/2018
+ms.date: 11/26/2018
---
# Microsoft Security Compliance Toolkit 1.0
@@ -22,6 +22,7 @@ The SCT enables administrators to effectively manage their enterprise’s Group
The Security Compliance Toolkit consists of:
- Windows 10 security baselines
+ - Windows 10 Version 1809 (October 2018 Update)
- Windows 10 Version 1803 (April 2018 Update)
- Windows 10 Version 1709 (Fall Creators Update)
- Windows 10 Version 1703 (Creators Update)
@@ -30,6 +31,7 @@ The Security Compliance Toolkit consists of:
- Windows 10 Version 1507
- Windows Server security baselines
+ - Windows Server 2019
- Windows Server 2016
- Windows Server 2012 R2
diff --git a/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md b/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md
index 5b63d093b8..d5b8c58676 100644
--- a/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md
+++ b/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md
@@ -60,7 +60,7 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy | Not defined
-| Default Domain Controler Policy | Not defined
+| Default Domain Controller Policy | Not defined
| Stand-Alone Server Default Settings | Disabled
| DC Effective Default Settings | Disabled
| Member Server Effective Default Settings | Disabled
diff --git a/windows/security/threat-protection/security-policy-settings/minimum-password-age.md b/windows/security/threat-protection/security-policy-settings/minimum-password-age.md
index 6028668431..0c05506d7b 100644
--- a/windows/security/threat-protection/security-policy-settings/minimum-password-age.md
+++ b/windows/security/threat-protection/security-policy-settings/minimum-password-age.md
@@ -7,8 +7,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: brianlic-msft
-ms.date: 04/19/2017
+author: justinha
+ms.date: 11/13/2018
---
# Minimum password age
@@ -20,7 +20,7 @@ Describes the best practices, location, values, policy management, and security
## Reference
-The **Minimum password age** policy setting determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 998 days, or you can allow changes immediately by setting the number of days to 0. The minimum password age must be less than the Maximum password age, unless the maximum password age is set to 0, indicating that passwords will never expire. If the maximum password age is set to 0, the minimum password age can be set to any value between 0 and 998.
+The **Minimum password age** policy setting determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 998 days, or you can allow password changes immediately by setting the number of days to 0. The minimum password age must be less than the Maximum password age, unless the maximum password age is set to 0, indicating that passwords will never expire. If the maximum password age is set to 0, the minimum password age can be set to any value between 0 and 998.
### Possible values
@@ -29,9 +29,16 @@ The **Minimum password age** policy setting determines the period of time (in da
### Best practices
-Set **Minimum password age** to a value of 2 days. Setting the number of days to 0 allows immediate password changes, which is not recommended.
+[Windows security baselines](https://docs.microsoft.com/windows/security/threat-protection/windows-security-baselines) recommend setting **Minimum password age** to 1 day.
-If you set a password for a user and you want that user to change the administrator-defined password, you must select the **User must change password at next logon** check box. Otherwise, the user will not be able to change the password until the number of days specified by **Minimum password age**.
+Setting the number of days to 0 allows immediate password changes, which is not recommended.
+Combining immediate password changes with password history allows someone to change a password repeatedly until the password history requirement is met and re-establish the original password again.
+For example, suppose a password is "Ra1ny day!" and the history requirement is 24.
+If the minimum password age is 0, the password can be changed 24 times in a row until finally changed back to "Ra1ny day!".
+The minimum password age of 1 day prevents that.
+
+If you set a password for a user and you want that user to change the administrator-defined password, you must select the **User must change password at next logon** check box.
+Otherwise, the user will not be able to change the password until the number of days specified by **Minimum password age**.
### Location
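Review bot: "The minimum password age of 1 day prevents that" overstates what the setting does in the example directly above it. With a history requirement of 24 and a minimum age of 1 day, cycling back to "Ra1ny day!" is still possible; it takes 24 days instead of a few minutes. Suggest wording along the lines of "A minimum password age of 1 day means that cycle takes at least 24 days", so readers see that the protection comes from combining the two settings.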
@@ -70,11 +77,11 @@ To address password reuse, you must use a combination of security settings. Usin
### Countermeasure
-Configure the **Minimum password age** policy setting to a value of at least 2 days. Users should know about this limitation and contact the Help Desk if they need to change their password during that two-day period. If you configure the number of days to 0, immediate password changes would be allowed, which we do not recommend.
+Configure the **Minimum password age** policy setting to a value of 1 day. Users should know about this limitation and contact the Help Desk to change a password sooner. If you configure the number of days to 0, immediate password changes would be allowed, which we do not recommend.
### Potential impact
-If you set a password for a user but wants that user to change the password when the user first logs on, the administrator must select the **User must change password at next logon** check box, or the user cannot change the password until the next day.
+If you set a password for a user but want that user to change the password when the user first logs on, the administrator must select the **User must change password at next logon** check box, or the user cannot change the password until the next day.
## Related topics
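Review bot: In the Countermeasure paragraph, "a value of 1 day" drops the "at least" that the old text had, so it now reads as if a longer minimum age were not acceptable; if 1 day is a floor, say "at least 1 day". In Potential impact, the "wants" to "want" fix leaves the sentence switching subject from "you" to "the administrator" halfway through; use one of them throughout.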
diff --git a/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md b/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md
index bba7a2624e..ae91d8d14b 100644
--- a/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md
+++ b/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md
@@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: brianlic-msft
-ms.date: 08/29/2017
+ms.date: 11/16/2018
---
# System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
@@ -50,7 +50,7 @@ Additionally, if a data drive is password-protected, it can be accessed by a FIP
### Best practices
-- For use with TLS, set this policy to **Enabled**. Client devices with this policy setting enabled will be unable to communicate through digitally encrypted or signed protocols with servers that do not support these algorithms. Client devices that are connected to the network and do not support these algorithms cannot use servers that require the algorithms for network communications. If you enable this policy setting, you must also configure Internet Explorer to use TLS.
+There are no best practices for this setting. Our previous guidance had recommended a setting of **Enabled**, primarily to align with US Federal government recommendations. [Windows security baselines](https://docs.microsoft.com/windows/security/threat-protection/windows-security-baselines) recommend this setting be **Not Defined**, meaning that we leave the decision to customers. For a deeper explanation, see [Why We’re Not Recommending “FIPS Mode” Anymore](https://blogs.technet.microsoft.com/secguide/2014/04/07/why-were-not-recommending-fips-mode-anymore/).
### Location
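Review bot: The new Best practices paragraph opens with "There are no best practices for this setting" and then says the baselines recommend **Not Defined**, which reads as a contradiction; lead with the baseline recommendation instead. The removed bullet also carried the only compatibility warning visible in this hunk (clients with the policy enabled cannot communicate with servers that do not support these algorithms, and Internet Explorer must be configured to use TLS). That still matters to customers who choose **Enabled**, so confirm it is covered elsewhere on the page or keep it here.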
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md
index 801b935d4e..e063f1fda5 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
-ms.date: 09/03/2018
+ms.date: 11/13/2018
---
# Enable and configure antivirus always-on protection and monitoring
@@ -42,7 +42,7 @@ Location | Setting | Description | Default setting (if not configured)
---|---|---|---
Real-time protection | Monitor file and program activity on your computer | The Windows Defender Antivirus engine makes note of any file changes (file writes, such as moves, copies, or modifications) and general program activity (programs that are opened or running and that cause other programs to run) | Enabled
Real-time protection | Scan all downloaded files and attachments | Downloaded files and attachments are automatically scanned. This operates in addition to the SmartScreen filter, which scans files before and during downloading | Enabled
-Real-time protection | Turn on process scanning whenever real-time protection is enabled | You can independently enable the Windows Defender Antivirus engine to scan running processes for suspicious modifications or behaviors. This is useful if you have disabled real-time protection | Enabled
+Real-time protection | Turn on process scanning whenever real-time protection is enabled | You can independently enable the Windows Defender Antivirus engine to scan running processes for suspicious modifications or behaviors. This is useful if you have temporarily disabled real-time protection and want to automatically scan processes that started while it was disabled | Enabled
Real-time protection | Turn on behavior monitoring | The AV engine will monitor file processes, file and registry changes, and other events on your endpoints for suspicious and known malicious activity | Enabled
Real-time protection | Turn on raw volume write notifications | Information about raw volume writes will be analyzed by behavior monitoring | Enabled
Real-time protection | Define the maximum size of downloaded files and attachments to be scanned | You can define the size in kilobytes | Enabled
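Review bot: In the changed "Turn on process scanning whenever real-time protection is enabled" row, the description still says the setting is useful when real-time protection has been disabled, while the setting name ties the scan to real-time protection being enabled. The added clause implies the scan runs once protection is turned back on; say that directly instead of leaving it to inference. While this table is being edited, the "Define the maximum size of downloaded files and attachments to be scanned" row at the end of the hunk lists its default as "Enabled" for what the description says is a size in kilobytes, which is worth checking.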
diff --git a/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
index 781b5ba5d5..97f4d15615 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
@@ -301,11 +301,10 @@ This setting will help ensure protection for a VM that has been offline for some
### Exclusions
On Windows Server 2016, Windows Defender Antivirus will automatically deliver the right exclusions for servers running a VDI environment. However, if you are running an older Windows server version, you can refer to the exclusions that are applied on this page:
-- [Automatic exclusions for Windows Server Antimalware](https://technet.microsoft.com/windows-server-docs/security/windows-defender/automatic-exclusions-for-windows-defender)
+- [Configure Windows Defender Antivirus exclusions on Windows Server](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus)
## Additional resources
- [Video: Microsoft Senior Program Manager Bryan Keller on how System Center Configuration Manger 2012 manages VDI and integrates with App-V]( http://channel9.msdn.com/Shows/Edge/Edge-Show-5-Manage-VDI-using-SCCM-2012#time=03m02s)
-- [Project VRC: Windows Defender Antivirus impact and best practices on VDI](https://blogs.technet.microsoft.com/privatecloud/2013/12/06/orchestrated-offline-vm-patching-using-service-management-automation/)
- [TechNet forums on Remote Desktop Services and VDI](https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverTS)
- [SignatureDownloadCustomTask PowerShell script](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4/DisplayScript)
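Review bot: The replacement exclusions link is an absolute URL with a hard-coded "/en-us/" locale, although its target sits in the same windows-defender-antivirus folder as this file. A relative link to configure-server-exclusions-windows-defender-antivirus.md would avoid pinning readers to one locale. In the unchanged video link just below it, there is a stray space after "](" and "Manger" should be "Manager"; both are cheap to fix in the same pass.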
diff --git a/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md
index 569d88a51c..10d6f5bedc 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
-ms.date: 09/03/2018
+ms.date: 11/16/2018
---
# Restore quarantined files in Windows Defender AV
@@ -25,7 +25,7 @@ If Windows Defender Antivirus is configured to detect and remediate threats on y
1. Open **Windows Security**.
2. Click **Virus & threat protection** and then click **Threat History**.
3. Under **Quarantined threats**, click **See full history**.
-4. Click **Restore** for any items you want to keep. (If you prefer to remove them, you can click **Remove**.)
+4. Click an item you want to keep, then click **Restore**. (If you prefer to remove the item, you can click **Remove**.)
## Related topics
diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.md b/windows/security/threat-protection/windows-defender-application-control/TOC.md
index 123f439d6f..8b71416a15 100644
--- a/windows/security/threat-protection/windows-defender-application-control/TOC.md
+++ b/windows/security/threat-protection/windows-defender-application-control/TOC.md
@@ -22,6 +22,7 @@
### [Deploy WDAC policies using Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md)
### [Deploy WDAC policies using Intune](deploy-windows-defender-application-control-policies-using-intune.md)
### [Use WDAC with .NET hardening](use-windows-defender-application-control-with-dynamic-code-security.md)
+### [Query WDAC events with Advanced hunting](querying-application-control-events-centrally-using-advanced-hunting.md)
### [Use code signing to simplify application control for classic Windows applications](use-code-signing-to-simplify-application-control-for-classic-windows-applications.md)
#### [Optional: Use the Device Guard Signing Portal in the Microsoft Store for Business](use-device-guard-signing-portal-in-microsoft-store-for-business.md)
#### [Optional: Create a code signing cert for WDAC](create-code-signing-cert-for-windows-defender-application-control.md)
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md
index ce654afdd8..b5d1cd4483 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md
@@ -65,7 +65,7 @@ To create a WDAC policy, copy each of the following commands into an elevated Wi
ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin
```
-After you complete these steps, the WDAC binary file (DeviceGuardPolicy.bin) and original .xml file (IntialScan.xml) will be available on your desktop. You can use the binary file as a WDAC policy or sign it for additional security.
+After you complete these steps, the WDAC binary file (DeviceGuardPolicy.bin) and original .xml file (InitialScan.xml) will be available on your desktop. You can use the binary file as a WDAC policy or sign it for additional security.
> [!Note]
> We recommend that you keep the original .xml file of the policy for use when you need to merge the WDAC policy with another policy or update its rule options. Alternatively, you would have to create a new policy from a new scan for servicing. For more information about how to merge WDAC policies, see [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md).
diff --git a/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md b/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md
new file mode 100644
index 0000000000..b1018f5e79
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md
@@ -0,0 +1,39 @@
+---
+title: Querying Application Control events centrally using Advanced hunting (Windows 10)
+description: Learn about Windows Defender Application Guard and how it helps to combat malicious content and malware out on the Internet.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: mdsakibMSFT
+ms.author: justinha
+ms.date: 12/06/2018
+---
+
+# Querying Application Control events centrally using Advanced hunting
+
+A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode.
+While Event Viewer helps to see the impact on a single system, IT Pros want to gauge the impact across many systems.
+
+In November 2018, we added functionality in Windows Defender Advanced Threat Protection (Windows Defender ATP) that makes it easy to view WDAC events centrally from all systems that are connected to Windows Defender ATP.
+
+Advanced hunting in Windows Defender ATP allows customers to query data using a rich set of capabilities. WDAC events can be queried with using an ActionType that starts with “AppControl”.
+This capability is supported beginning with Windows version 1607.
+
+Here is a simple example query that shows all the WDAC events generated in the last seven days from machines being monitored by Windows Defender ATP:
+
+```
+MiscEvents
+| where EventTime > ago(7d) and
+ActionType startswith "AppControl"
+| summarize Machines=dcount(ComputerName) by ActionType
+| order by Machines desc
+```
+
+The query results can be used for several important functions related to managing WDAC including:
+
+- Assessing the impact of deploying policies in audit mode
+ Since applications still run in audit mode, it is an ideal way to see the impact and correctness of the rules included in the policy. Integrating the generated events with Advanced hunting makes it much easier to have broad deployments of audit mode policies and see how the included rules would impact those systems in real world usage. This audit mode data will help streamline the transition to using policies in enforced mode.
+- Monitoring blocks from policies in enforced mode
+ Policies deployed in enforced mode may block executables or scripts that fail to meet any of the included allow rules. Legitimate new applications and updates or potentially unwanted or malicious software could be blocked. In either case, the Advanced hunting queries report the blocks for further investigation.
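Review bot: The front-matter description ("Learn about Windows Defender Application Guard and how it helps to combat malicious content and malware out on the Internet") describes a different feature; this topic is about querying Application Control events with Advanced hunting, and the description should say so. Smaller points in the body: "can be queried with using an ActionType" has a stray "with"; "Windows version 1607" does not say which Windows product is meant; the query fence has no language tag; and the explanatory text under each of the two bullets needs indentation or a blank line so that it renders as part of the bullet rather than running into the bullet title.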
diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
index 2c07c12e12..27e5ec8d90 100644
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
@@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: jsuther1974
-ms.date: 05/03/2018
+ms.date: 11/28/2018
---
# Windows Defender Application Control
@@ -17,6 +17,7 @@ ms.date: 05/03/2018
- Windows 10
- Windows Server 2016
+- Windows Server 2019
With thousands of new malicious files created every day, using traditional methods like antivirus solutions—signature-based detection to fight against malware—provides an inadequate defense against new attacks.
In most organizations, information is the most valuable asset, and ensuring that only approved users have access to that information is imperative.
@@ -36,9 +37,9 @@ WDAC policies also block unsigned scripts and MSIs, and Windows PowerShell runs
## WDAC System Requirements
-WDAC policies can only be created on computers running Windows 10 Enterprise or Windows Server 2016.
+WDAC policies can only be created on computers beginning with Windows 10 Enterprise or Professional editions or Windows Server 2016.
They can be applied to computers running any edition of Windows 10 or Windows Server 2016 and managed via Mobile Device Management (MDM), such as Microsoft Intune.
-Group Policy can also be used to distribute Group Policy Objects that contain WDAC policies on computers running Windows 10 Enterprise or Windows Server 2016.
+Group Policy or Intune can be used to distribute WDAC policies.
## New and changed functionality
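Review bot: "can only be created on computers beginning with Windows 10 Enterprise or Professional editions" is hard to parse, because "beginning with" normally introduces a version, not an edition. If it is meant to cover later releases, say so explicitly; otherwise use "running". The unchanged next sentence still limits applying policies to "Windows 10 or Windows Server 2016", while the previous hunk adds Windows Server 2019 to the Applies-to list, so the requirements text should mention it as well. The new last sentence also repeats Intune, which the sentence before it already names as the MDM example.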
diff --git a/windows/security/threat-protection/windows-defender-application-guard/TOC.md b/windows/security/threat-protection/windows-defender-application-guard/TOC.md
new file mode 100644
index 0000000000..9e42b2b691
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-guard/TOC.md
@@ -0,0 +1,7 @@
+# [Windows Defender Application Guard](wd-app-guard-overview.md)
+
+## [System requirements](reqs-wd-app-guard.md)
+## [Install WDAG](install-wd-app-guard.md)
+## [Configure WDAG policies](configure-wd-app-guard.md)
+## [Test scenarios](test-scenarios-wd-app-guard.md)
+## [FAQ](faq-wd-app-guard.md)
\ No newline at end of file
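Review bot: This new TOC.md ends without a trailing newline (the "\ No newline at end of file" marker after the FAQ entry), which is the same defect this commit fixes in worms-malware.md. Add the newline after the FAQ line.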
diff --git a/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md b/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md
index b4f08ff71c..16fa6c33df 100644
--- a/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md
+++ b/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md
@@ -8,14 +8,14 @@ ms.pagetype: security
ms.localizationpriority: medium
author: justinha
ms.author: justinha
-ms.date: 09/07/2018
+ms.date: 11/27/2018
---
# Windows Defender Application Guard overview
**Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-Windows Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by rendering current attack methods obsolete.
+Windows Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by making current attack methods obsolete.
## What is Application Guard and how does it work?
Designed for Windows 10 and Microsoft Edge, Application Guard helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet. As an enterprise administrator, you define what is among trusted web sites, cloud resources, and internal networks. Everything not on your list is considered untrusted.
diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md
index f05f3f551f..5e93dae32c 100644
--- a/windows/security/threat-protection/windows-defender-atp/TOC.md
+++ b/windows/security/threat-protection/windows-defender-atp/TOC.md
@@ -4,6 +4,7 @@
### [Attack surface reduction](overview-attack-surface-reduction.md)
#### [Hardware-based isolation](overview-hardware-based-isolation.md)
##### [Application isolation](../windows-defender-application-guard/wd-app-guard-overview.md)
+###### [System requirements](../windows-defender-application-guard/reqs-wd-app-guard.md)
##### [System isolation](how-hardware-based-containers-help-protect-windows.md)
#### [Application control](../windows-defender-application-control/windows-defender-application-control.md)
#### [Exploit protection](../windows-defender-exploit-guard/exploit-protection-exploit-guard.md)
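Review bot: Only "System requirements" is added under "Application isolation" here, while the new windows-defender-application-guard/TOC.md in this same commit lists five child topics (System requirements, Install WDAG, Configure WDAG policies, Test scenarios, FAQ). If the other four are meant to be reachable from this TOC, add them; if not, the commit message should say why only one is surfaced.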
@@ -16,7 +17,6 @@
#### [Security operations dashboard](security-operations-dashboard-windows-defender-advanced-threat-protection.md)
-
#### [Incidents queue](incidents-queue.md)
##### [View and organize the Incidents queue](view-incidents-queue.md)
##### [Manage incidents](manage-incidents-windows-defender-advanced-threat-protection.md)
@@ -84,80 +84,14 @@
### [Management and APIs](management-apis.md)
#### [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
-#### [Supported Windows Defender ATP APIs](supported-apis-windows-defender-advanced-threat-protection.md)
-#####Actor
-###### [Get actor information](get-actor-information-windows-defender-advanced-threat-protection.md)
-###### [Get actor related alerts](get-actor-related-alerts-windows-defender-advanced-threat-protection.md)
-#####Alerts
-###### [Get alerts](get-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get alert information by ID](get-alert-info-by-id-windows-defender-advanced-threat-protection.md)
-###### [Get alert related actor information](get-alert-related-actor-info-windows-defender-advanced-threat-protection.md)
-###### [Get alert related domain information](get-alert-related-domain-info-windows-defender-advanced-threat-protection.md)
-###### [Get alert related file information](get-alert-related-files-info-windows-defender-advanced-threat-protection.md)
-###### [Get alert related IP information](get-alert-related-ip-info-windows-defender-advanced-threat-protection.md)
-###### [Get alert related machine information](get-alert-related-machine-info-windows-defender-advanced-threat-protection.md)
-
-#####Domain
-###### [Get domain related alerts](get-domain-related-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get domain related machines](get-domain-related-machines-windows-defender-advanced-threat-protection.md)
-###### [Get domain statistics](get-domain-statistics-windows-defender-advanced-threat-protection.md)
-###### [Is domain seen in organization](is-domain-seen-in-org-windows-defender-advanced-threat-protection.md)
-
-#####File
-###### [Block file API](block-file-windows-defender-advanced-threat-protection.md)
-###### [Get file information](get-file-information-windows-defender-advanced-threat-protection.md)
-###### [Get file related alerts](get-file-related-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get file related machines](get-file-related-machines-windows-defender-advanced-threat-protection.md)
-###### [Get file statistics](get-file-statistics-windows-defender-advanced-threat-protection.md)
-###### [Get FileActions collection API](get-fileactions-collection-windows-defender-advanced-threat-protection.md)
-###### [Unblock file API](unblock-file-windows-defender-advanced-threat-protection.md)
-
-#####IP
-###### [Get IP related alerts](get-ip-related-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get IP related machines](get-ip-related-machines-windows-defender-advanced-threat-protection.md)
-###### [Get IP statistics](get-ip-statistics-windows-defender-advanced-threat-protection.md)
-###### [Is IP seen in organization](is-ip-seen-org-windows-defender-advanced-threat-protection.md)
-#####Machines
-###### [Collect investigation package API](collect-investigation-package-windows-defender-advanced-threat-protection.md)
-###### [Find machine information by IP](find-machine-info-by-ip-windows-defender-advanced-threat-protection.md)
-###### [Get machines](get-machines-windows-defender-advanced-threat-protection.md)
-###### [Get FileMachineAction object API](get-filemachineaction-object-windows-defender-advanced-threat-protection.md)
-###### [Get FileMachineActions collection API](get-filemachineactions-collection-windows-defender-advanced-threat-protection.md)
-###### [Get machine by ID](get-machine-by-id-windows-defender-advanced-threat-protection.md)
-###### [Get machine log on users](get-machine-log-on-users-windows-defender-advanced-threat-protection.md)
-###### [Get machine related alerts](get-machine-related-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get MachineAction object API](get-machineaction-object-windows-defender-advanced-threat-protection.md)
-###### [Get MachineActions collection API](get-machineactions-collection-windows-defender-advanced-threat-protection.md)
-###### [Get machines](get-machines-windows-defender-advanced-threat-protection.md)
-###### [Get package SAS URI API](get-package-sas-uri-windows-defender-advanced-threat-protection.md)
-###### [Isolate machine API](isolate-machine-windows-defender-advanced-threat-protection.md)
-###### [Release machine from isolation API](unisolate-machine-windows-defender-advanced-threat-protection.md)
-###### [Remove app restriction API](unrestrict-code-execution-windows-defender-advanced-threat-protection.md)
-###### [Request sample API](request-sample-windows-defender-advanced-threat-protection.md)
-###### [Restrict app execution API](restrict-code-execution-windows-defender-advanced-threat-protection.md)
-###### [Run antivirus scan API](run-av-scan-windows-defender-advanced-threat-protection.md)
-###### [Stop and quarantine file API](stop-quarantine-file-windows-defender-advanced-threat-protection.md)
-#####Machines Security States
-###### [Get MachineSecurityStates collection](get-machinesecuritystates-collection-windows-defender-advanced-threat-protection.md)
-#####Machine Groups
-###### [Get MachineGroups collection](get-machinegroups-collection-windows-defender-advanced-threat-protection.md)
-#####User
-###### [Get alert related user information](get-alert-related-user-info-windows-defender-advanced-threat-protection.md)
-###### [Get user information](get-user-information-windows-defender-advanced-threat-protection.md)
-###### [Get user related alerts](get-user-related-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get user related machines](get-user-related-machines-windows-defender-advanced-threat-protection.md)
-#####Windows updates (KB) info
-###### [Get KbInfo collection](get-kbinfo-collection-windows-defender-advanced-threat-protection.md)
-#####Common Vulnerabilities and Exposures (CVE) to KB map
-###### [Get CVE-KB map](get-cvekbmap-collection-windows-defender-advanced-threat-protection.md)
-
-
+#### [Windows Defender ATP APIs](apis-intro.md)
#### [Managed security service provider support](mssp-support-windows-defender-advanced-threat-protection.md)
### [Microsoft Threat Protection](threat-protection-integration.md)
#### [Protect users, data, and devices with conditional access](conditional-access-windows-defender-advanced-threat-protection.md)
-#### [Microsoft Cloud App Security integration overview](microsoft-cloud-app-security-integration.md)
+#### [Microsoft Cloud App Security in Windows overview](microsoft-cloud-app-security-integration.md)
+#### [Information protection in Windows overview](information-protection-in-windows-overview.md)
### [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md)
@@ -181,17 +115,19 @@
##### [Network firewall](../windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md)
#### [Evaluate next generation protection](../windows-defender-antivirus/evaluate-windows-defender-antivirus.md)
-### [Access the Windows Security app](community-windows-defender-advanced-threat-protection.md)
+### [Access the Windows Defender Security Center Community Center](community-windows-defender-advanced-threat-protection.md)
## [Configure and manage capabilities](onboard.md)
### [Configure attack surface reduction](configure-attack-surface-reduction.md)
#### [Hardware-based isolation](../windows-defender-application-guard/install-wd-app-guard.md)
##### [Configuration settings](../windows-defender-application-guard/configure-wd-app-guard.md)
#### [Application control](../windows-defender-application-control/windows-defender-application-control.md)
-#### [Device control](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
-##### [Memory integrity](../windows-defender-exploit-guard/memory-integrity.md)
-###### [Hardware qualifications](../windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
-###### [Enable HVCI](../windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md)
+#### Device control
+##### [Control USB devices](../device-control/control-usb-devices-using-intune.md)
+##### [Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
+###### [Memory integrity](../windows-defender-exploit-guard/memory-integrity.md)
+####### [Hardware qualifications](../windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
+####### [Enable HVCI](../windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md)
#### [Exploit protection](../windows-defender-exploit-guard/enable-exploit-protection.md)
##### [Customize exploit protection](../windows-defender-exploit-guard/customize-exploit-protection.md)
##### [Import/export configurations](../windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md)
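Review bot: The two entries moved under Memory integrity ("Hardware qualifications" and "Enable HVCI") now sit at seven `#` characters, one level deeper than Markdown headings go, so confirm that the TOC build nests them instead of rendering them as literal text. The new "#### Device control" parent also has no link target, unlike the entry it replaces. If that is intentional, check that an unlinked node renders as a collapsible group in the published TOC.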
@@ -289,6 +225,160 @@
##### [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
###### [Troubleshoot subscription and portal access issues](troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md)
+
+#### [Use the Windows Defender ATP exposed APIs](use-apis.md)
+##### Create your app
+###### [Get access on behalf of a user](exposed-apis-create-app-nativeapp.md)
+###### [Get access without a user](exposed-apis-create-app-webapp.md)
+##### [Supported Windows Defender ATP APIs](exposed-apis-list.md)
+###### [Advanced Hunting](run-advanced-query-api.md)
+
+###### [Alert](alerts-windows-defender-advanced-threat-protection-new.md)
+####### [List alerts](get-alerts-windows-defender-advanced-threat-protection-new.md)
+####### [Create alert](create-alert-by-reference-windows-defender-advanced-threat-protection-new.md)
+####### [Update Alert](update-alert-windows-defender-advanced-threat-protection-new.md)
+####### [Get alert information by ID](get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md)
+####### [Get alert related domains information](get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md)
+####### [Get alert related file information](get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md)
+####### [Get alert related IPs information](get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md)
+####### [Get alert related machine information](get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md)
+####### [Get alert related user information](get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md)
+
+###### Domain
+####### [Get domain related alerts](get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md)
+####### [Get domain related machines](get-domain-related-machines-windows-defender-advanced-threat-protection-new.md)
+####### [Get domain statistics](get-domain-statistics-windows-defender-advanced-threat-protection-new.md)
+####### [Is domain seen in organization](is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md)
+
+###### [File](files-windows-defender-advanced-threat-protection-new.md)
+####### [Get file information](get-file-information-windows-defender-advanced-threat-protection-new.md)
+####### [Get file related alerts](get-file-related-alerts-windows-defender-advanced-threat-protection-new.md)
+####### [Get file related machines](get-file-related-machines-windows-defender-advanced-threat-protection-new.md)
+####### [Get file statistics](get-file-statistics-windows-defender-advanced-threat-protection-new.md)
+
+###### IP
+####### [Get IP related alerts](get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md)
+####### [Get IP related machines](get-ip-related-machines-windows-defender-advanced-threat-protection-new.md)
+####### [Get IP statistics](get-ip-statistics-windows-defender-advanced-threat-protection-new.md)
+####### [Is IP seen in organization](is-ip-seen-org-windows-defender-advanced-threat-protection-new.md)
+
+###### [Machine](machine-windows-defender-advanced-threat-protection-new.md)
+####### [List machines](get-machines-windows-defender-advanced-threat-protection-new.md)
+####### [Get machine by ID](get-machine-by-id-windows-defender-advanced-threat-protection-new.md)
+####### [Get machine log on users](get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md)
+####### [Get machine related alerts](get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md)
+####### [Add or Remove machine tags](add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md)
+####### [Find machines by IP](find-machines-by-ip-windows-defender-advanced-threat-protection-new.md)
+
+###### [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md)
+####### [List Machine Actions](get-machineactions-collection-windows-defender-advanced-threat-protection-new.md)
+####### [Get Machine Action](get-machineaction-object-windows-defender-advanced-threat-protection-new.md)
+####### [Collect investigation package](collect-investigation-package-windows-defender-advanced-threat-protection-new.md)
+####### [Get investigation package SAS URI](get-package-sas-uri-windows-defender-advanced-threat-protection-new.md)
+####### [Isolate machine](isolate-machine-windows-defender-advanced-threat-protection-new.md)
+####### [Release machine from isolation](unisolate-machine-windows-defender-advanced-threat-protection-new.md)
+####### [Restrict app execution](restrict-code-execution-windows-defender-advanced-threat-protection-new.md)
+####### [Remove app restriction](unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md)
+####### [Run antivirus scan](run-av-scan-windows-defender-advanced-threat-protection-new.md)
+####### [Offboard machine](offboard-machine-api-windows-defender-advanced-threat-protection-new.md)
+####### [Stop and quarantine file](stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md)
+
+###### [User](user-windows-defender-advanced-threat-protection-new.md)
+####### [Get user related alerts](get-user-related-alerts-windows-defender-advanced-threat-protection-new.md)
+####### [Get user related machines](get-user-related-machines-windows-defender-advanced-threat-protection-new.md)
+
+##### How to use APIs - Samples
+###### Advanced Hunting API
+####### [Schedule advanced Hunting using Microsoft Flow](run-advanced-query-sample-ms-flow.md)
+####### [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)
+####### [Advanced Hunting using Python](run-advanced-query-sample-python.md)
+####### [Create custom Power BI reports](run-advanced-query-sample-power-bi-app-token.md)
+###### Multiple APIs
+####### [PowerShell](exposed-apis-full-sample-powershell.md)
+###### [Using OData Queries](exposed-apis-odata-samples.md)
+
+#### [Use the Windows Defender ATP exposed APIs (deprecated)](exposed-apis-windows-defender-advanced-threat-protection.md)
+##### [Supported Windows Defender ATP APIs (deprecated)](supported-apis-windows-defender-advanced-threat-protection.md)
+######Actor (deprecated)
+####### [Get actor information (deprecated)](get-actor-information-windows-defender-advanced-threat-protection.md)
+####### [Get actor related alerts (deprecated)](get-actor-related-alerts-windows-defender-advanced-threat-protection.md)
+######Alerts (deprecated)
+####### [Get alerts (deprecated)](get-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get alert information by ID (deprecated)](get-alert-info-by-id-windows-defender-advanced-threat-protection.md)
+####### [Get alert related actor information (deprecated)](get-alert-related-actor-info-windows-defender-advanced-threat-protection.md)
+####### [Get alert related domain information (deprecated)](get-alert-related-domain-info-windows-defender-advanced-threat-protection.md)
+####### [Get alert related file information (deprecated)](get-alert-related-files-info-windows-defender-advanced-threat-protection.md)
+####### [Get alert related IP information (deprecated)](get-alert-related-ip-info-windows-defender-advanced-threat-protection.md)
+####### [Get alert related machine information (deprecated)](get-alert-related-machine-info-windows-defender-advanced-threat-protection.md)
+######Domain (deprecated)
+####### [Get domain related alerts (deprecated)](get-domain-related-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get domain related machines (deprecated)](get-domain-related-machines-windows-defender-advanced-threat-protection.md)
+####### [Get domain statistics (deprecated)](get-domain-statistics-windows-defender-advanced-threat-protection.md)
+####### [Is domain seen in organization (deprecated)](is-domain-seen-in-org-windows-defender-advanced-threat-protection.md)
+
+######File(deprecated)
+####### [Block file (deprecated)](block-file-windows-defender-advanced-threat-protection.md)
+####### [Get file information (deprecated)](get-file-information-windows-defender-advanced-threat-protection.md)
+####### [Get file related alerts (deprecated)](get-file-related-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get file related machines (deprecated)](get-file-related-machines-windows-defender-advanced-threat-protection.md)
+####### [Get file statistics (deprecated)](get-file-statistics-windows-defender-advanced-threat-protection.md)
+####### [Get FileActions collection (deprecated)](get-fileactions-collection-windows-defender-advanced-threat-protection.md)
+####### [Unblock file (deprecated)](unblock-file-windows-defender-advanced-threat-protection.md)
+
+######IP (deprecated)
+####### [Get IP related alerts (deprecated)](get-ip-related-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get IP related machines (deprecated)](get-ip-related-machines-windows-defender-advanced-threat-protection.md)
+####### [Get IP statistics (deprecated)](get-ip-statistics-windows-defender-advanced-threat-protection.md)
+####### [Is IP seen in organization (deprecated)](is-ip-seen-org-windows-defender-advanced-threat-protection.md)
+######Machines (deprecated)
+####### [Collect investigation package (deprecated)](collect-investigation-package-windows-defender-advanced-threat-protection.md)
+####### [Find machine information by IP (deprecated)](find-machine-info-by-ip-windows-defender-advanced-threat-protection.md)
+####### [Get machines (deprecated)](get-machines-windows-defender-advanced-threat-protection.md)
+####### [Get FileMachineAction object (deprecated)](get-filemachineaction-object-windows-defender-advanced-threat-protection.md)
+####### [Get FileMachineActions collection (deprecated)](get-filemachineactions-collection-windows-defender-advanced-threat-protection.md)
+####### [Get machine by ID (deprecated)](get-machine-by-id-windows-defender-advanced-threat-protection.md)
+####### [Get machine log on users (deprecated)](get-machine-log-on-users-windows-defender-advanced-threat-protection.md)
+####### [Get machine related alerts (deprecated)](get-machine-related-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get MachineAction object (deprecated)](get-machineaction-object-windows-defender-advanced-threat-protection.md)
+####### [Get MachineActions collection (deprecated)](get-machineactions-collection-windows-defender-advanced-threat-protection.md)
+####### [Get machines (deprecated)](get-machines-windows-defender-advanced-threat-protection.md)
+####### [Get package SAS URI (deprecated)](get-package-sas-uri-windows-defender-advanced-threat-protection.md)
+####### [Isolate machine (deprecated)](isolate-machine-windows-defender-advanced-threat-protection.md)
+####### [Release machine from isolation (deprecated)](unisolate-machine-windows-defender-advanced-threat-protection.md)
+####### [Remove app restriction (deprecated)](unrestrict-code-execution-windows-defender-advanced-threat-protection.md)
+####### [Request sample (deprecated)](request-sample-windows-defender-advanced-threat-protection.md)
+####### [Restrict app execution (deprecated)](restrict-code-execution-windows-defender-advanced-threat-protection.md)
+####### [Run antivirus scan (deprecated)](run-av-scan-windows-defender-advanced-threat-protection.md)
+####### [Stop and quarantine file (deprecated)](stop-quarantine-file-windows-defender-advanced-threat-protection.md)
+
+######User (deprecated)
+####### [Get alert related user information (deprecated)](get-alert-related-user-info-windows-defender-advanced-threat-protection.md)
+####### [Get user information (deprecated)](get-user-information-windows-defender-advanced-threat-protection.md)
+####### [Get user related alerts (deprecated)](get-user-related-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get user related machines (deprecated)](get-user-related-machines-windows-defender-advanced-threat-protection.md)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
#### API for custom alerts
##### [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md)
##### [Use the Windows Defender ATP exposed APIs](exposed-apis-windows-defender-advanced-threat-protection.md)
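Review bot: The deprecated block has several formatting defects that should be cleaned up before merge. The group headings "######Actor (deprecated)", "######Alerts (deprecated)", "######Domain (deprecated)", "######File(deprecated)", "######IP (deprecated)", "######Machines (deprecated)" and "######User (deprecated)" lack the space after the hashes, and "File(deprecated)" also lacks the space before the parenthesis. "Get machines (deprecated)" is listed twice under Machines. The run of roughly twenty added blank lines before "#### API for custom alerts" should be removed. Also note that `exposed-apis-windows-defender-advanced-threat-protection.md` is now linked twice with different titles, once as "(deprecated)" and once in the unchanged "API for custom alerts" entry without that label. Pick one.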
@@ -322,7 +412,8 @@
### Configure Microsoft Threat Protection integration
#### [Configure conditional access](configure-conditional-access-windows-defender-advanced-threat-protection.md)
-#### [Configure Microsoft Cloud App Security integration](microsoft-cloud-app-security-config.md)
+#### [Configure Microsoft Cloud App Security in Windows](microsoft-cloud-app-security-config.md)
+####[Configure information protection in Windows](information-protection-in-windows-config.md)
### [Configure Windows Security app settings](preferences-setup-windows-defender-advanced-threat-protection.md)
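Review bot: The added line "####[Configure information protection in Windows](information-protection-in-windows-config.md)" is missing the space after "####", so it will not be parsed as a heading-level TOC entry like its siblings. Insert the space to match the line above it.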
diff --git a/windows/security/threat-protection/windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..b9f697e5af
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,111 @@
+---
+title: Add or Remove Machine Tags API
+description: Use this API to Add or Remove machine tags.
+keywords: apis, graph api, supported apis, tags, machine tags
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Add or Remove Machine Tags API
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+- Adds or remove tag to a specific machine.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.ReadWrite.All | 'Read and write all machine information'
+Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'Manage security setting' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- User needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+POST https://api.securitycenter.windows.com/api/machines/{id}/tags
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+Content-Type | string | application/json. **Required**.
+
+## Request body
+In the request body, supply a JSON object with the following parameters:
+
+Parameter | Type | Description
+:---|:---|:---
+Value | String | The tag name. **Required**.
+Action | Enum | Add or Remove. Allowed values are: 'Add' or 'Remove'. **Required**.
+
+
+## Response
+If successful, this method returns 200 - Ok response code and the updated Machine in the response body.
+
+
+## Example
+
+**Request**
+
+Here is an example of a request that adds machine tag.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/tags
+Content-type: application/json
+{
+ "Value" : "test Tag 2",
+ "Action": "Add"
+}
+
+```
+**Response**
+
+Here is an example of the response.
+
+```
+HTTP/1.1 200 Ok
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machine/$entity",
+ "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "computerDnsName": "mymachine1.contoso.com",
+ "firstSeen": "2018-08-02T14:55:03.7791856Z",
+ "lastSeen": "2018-08-02T14:55:03.7791856Z",
+ "osPlatform": "Windows10",
+ "osVersion": "10.0.0.0",
+ "lastIpAddress": "172.17.230.209",
+ "lastExternalIpAddress": "167.220.196.71",
+ "agentVersion": "10.5830.18209.1001",
+ "osBuild": 18209,
+ "healthStatus": "Active",
+ "rbacGroupId": 140,
+ "rbacGroupName": "The-A-Team",
+ "riskScore": "Low",
+ "isAadJoined": true,
+ "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
+ "machineTags": [ "test tag 1", "test tag 2" ]
+}
+
+```
+
+- To remove machine tag, set the Action to 'Remove' instead of 'Add' in the request body.
\ No newline at end of file
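Review bot: In the Example section the sample request shows only `Content-type` and omits the `Authorization: Bearer {token}` header that the Request headers table marks as Required, and it sends "test Tag 2" while the sample response returns "test tag 2" in `machineTags`. Add the header to the sample, and either make the casing match or state that tag values are normalized, so readers do not assume the call works unauthenticated or that tags are case-preserving. Smaller points: the description bullet "Adds or remove tag to a specific machine." should read as a plain sentence ("Adds or removes a tag on a specific machine"), the Type column mixes "String" and "string", `ms.date: 12/08/2017` looks stale for a newly added file, and the file has no trailing newline.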
diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md
index b887fd19b7..a6cd39db1b 100644
--- a/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
-ms.date: 09/28/2018
+ms.date: 11/16/2018
---
# Configure advanced features in Windows Defender ATP
@@ -89,7 +89,7 @@ Enabling this setting forwards Windows Defender ATP signals to Microsoft Cloud A
>[!NOTE]
>This feature is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on machines running Windows 10 version 1809 or later.
-## Azure information protection
+## Azure Information Protection
Turning this setting on forwards signals to Azure Information Protection, giving data owners and administrators visibility into protected data on onboarded machines and machine risk ratings.
diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md
index dcda5f43d8..4e5cd8cfb4 100644
--- a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md
@@ -37,12 +37,12 @@ To effectively build queries that span multiple tables, you need to understand t
| ActionType | string | Type of activity that triggered the event |
| AdditionalFields | string | Additional information about the event in JSON array format |
| AlertId | string | Unique identifier for the alert |
+| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
| ConnectedNetworks | string | Networks that the adapter is connected to. Each JSON array contains the network name, category (public, private or domain), a description, and a flag indicating if it’s connected publicly to the internet. |
| DefaultGateways | string | Default gateway addresses in JSON array format |
-| DnsServers | string | DNS server addresses in JSON array format |
+| DnsAddresses | string | DNS server addresses in JSON array format |
| EventTime | datetime | Date and time when the event was recorded |
-| EventType | string | Table where the record is stored |
| FileName | string | Name of the file that the recorded action was applied to |
| FileOriginIp | string | IP address where the file was downloaded from |
| FileOriginReferrerUrl | string | URL of the web page that links to the downloaded file |
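Review bot: Renaming `DnsServers` to `DnsAddresses` and dropping `EventType` in the column reference will silently break saved hunting queries and custom detections that project or filter on the old names. The table gives no indication that these are renames, so add a short note listing old and new column names (a later hunk adds `Table` with a similar description to the removed `EventType`), or keep the old names listed as deprecated for a release.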
@@ -61,7 +61,7 @@ To effectively build queries that span multiple tables, you need to understand t
| InitiatingProcessMd5 | string | MD5 hash of the process (image file) that initiated the event |
| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
-| InitiatingProcessParentName | string | Name of the parent process that spawned the process responsible for the event |
+| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
| InitiatingProcessSha1 | string | SHA-1 of the process (image file) that initiated the event |
| InitiatingProcessSha256 | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available. |
| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
@@ -71,6 +71,7 @@ To effectively build queries that span multiple tables, you need to understand t
| IsAzureADJoined | boolean | Boolean indicator of whether machine is joined to the Azure Active Directory |
| LocalIP | string | IP address assigned to the local machine used during communication |
| LocalPort | int | TCP port on the local machine used during communication |
+| LocalIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
| LogonId | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts. |
| LoggedOnUsers | string | List of all users that are logged on the machine at the time of the event in JSON array format |
| LogonType | string | Type of logon session, specifically:
- **Interactive** - User physically interacts with the machine using the local keyboard and screen
- **Remote interactive (RDP) logons** - User interacts with the machine remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients
- **Network** - Session initiated when the machine is accessed using PsExec or when shared resources on the machine, such as printers and shared folders, are accessed
- **Batch** - Session initiated by scheduled tasks
- **Service** - Session initiated by services as they start
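Review bot: The new `LocalIPType` row is inserted after `LocalPort`, which breaks the alphabetical ordering the rest of the table follows. It should sit between `LocalIP` and `LocalPort`. The description would also be clearer if it said which address it classifies, for example "Type of the IP address in LocalIP", since the identical wording is used for `RemoteIPType`.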
@@ -81,7 +82,6 @@ To effectively build queries that span multiple tables, you need to understand t
| NetworkAdapterName | string | Name of the network adapter |
| NetworkAdapterStatus | string | Operational status of the network adapter. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.operationalstatus?view=netframework-4.7.2). |
| NetworkAdapterType | string | Network adapter type. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.networkinterfacetype?view=netframework-4.7.2). |
-| NetworkCardIPs | string | List of all network adapters on the machine, including their MAC addresses and assigned IP addresses, in JSON array format |
| OSArchitecture | string | Architecture of the operating system running on the machine |
| OSBuild | string | Build version of the operating system running on the machine |
| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. |
@@ -94,7 +94,7 @@ To effectively build queries that span multiple tables, you need to understand t
| ProcessId | int | Process ID (PID) of the newly created process |
| ProcessIntegrityLevel | string | Integrity level of the newly created process. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet downloaded. These integrity levels influence permissions to resources. |
| ProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process |
-| ProviderId | string | Unique identifier for the Event Tracing for Windows (ETW) provider that collected the event log |
+| Protocol | string | IP protocol used, whether TCP or UDP |
| PublicIP | string | Public IP address used by the onboarded machine to connect to the Windows Defender ATP service. This could be the IP address of the machine itself, a NAT device, or a proxy. |
| RegistryKey | string | Registry key that the recorded action was applied to |
| RegistryValueData | string | Data of the registry value that the recorded action was applied to |
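Review bot: The new `Protocol` row says the value is "TCP or UDP", but the `LocalPort` and `RemotePort` rows elsewhere in this table still describe those columns as a "TCP port". Update the port descriptions in the same change so the reference is consistent for UDP events. Removing `ProviderId` on the same line is a separate schema change and deserves its own mention in the change description.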
@@ -102,15 +102,17 @@ To effectively build queries that span multiple tables, you need to understand t
| RegistryValueType | string | Data type, such as binary or string, of the registry value that the recorded action was applied to |
| RemoteComputerName | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information. |
| RemoteIP | string | IP address that was being connected to |
+| RemoteIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
| RemotePort | int | TCP port on the remote device that was being connected to |
| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to |
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns. |
| SHA1 | string | SHA-1 of the file that the recorded action was applied to |
| SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available. |
-| TunnelingProtocol | string | Tunneling protocol, if the interface is used for this purpose, for example:
- Various IPv6 to IPv4 tunneling protocols (6to4, Teredo, ISATAP)
- VPN (PPTP, SSTP)
- SSH
**NOTE:** This field doesn’t provide full IP tunneling specifications. |
+| Table | string | Table that contains the details of the event |
+| TunnelingType | string | Tunneling protocol, if the interface is used for this purpose, for example 6to4, Teredo, ISATAP, PPTP, SSTP, and SSH |
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-belowfoldlink)
## Related topic
- [Query data using Advanced hunting](advanced-hunting-windows-defender-advanced-threat-protection.md)
-- [Advanced hunting query language best practices](/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md)
\ No newline at end of file
+- [Advanced hunting query language best practices](advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md)
\ No newline at end of file
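Review bot: Renaming `TunnelingProtocol` to `TunnelingType` also drops the old NOTE that the field "doesn't provide full IP tunneling specifications". That caveat matters to anyone filtering on this column, so keep it in the new single-line description. The rename itself will break existing hunting queries that reference the old column name, so a short mention of the rename would help. Minor: the "## Related topic" heading in the context lines is followed by two links and should be plural.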
diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md
index 316fdb9dd1..11646a76e2 100644
--- a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md
@@ -59,21 +59,22 @@ To see a live example of these operators, run them as part of the **Get started*
## Access query language documentation
-For more information on the query language and supported operators, see [Query Language](https://docs.loganalytics.io/docs/Language-Reference/).
+For more information on the query language and supported operators, see [Query Language](https://docs.microsoft.com/azure/log-analytics/query-language/query-language).
## Use exposed tables in Advanced hunting
The following tables are exposed as part of Advanced hunting:
-- **AlertEvents** - Stores alerts related information
-- **MachineInfo** - Stores machines properties
-- **ProcessCreationEvents** - Stores process creation events
-- **NetworkCommunicationEvents** - Stores network communication events
-- **FileCreationEvents** - Stores file creation, modification, and rename events
-- **RegistryEvents** - Stores registry key creation, modification, rename and deletion events
-- **LogonEvents** - Stores login events
-- **ImageLoadEvents** - Stores load dll events
-- **MiscEvents** - Stores several types of events, process injection events, access to LSASS processes, and others.
+- **AlertEvents** - Alerts on Windows Defender Security Center
+- **MachineInfo** - Machine information, including OS information
+- **MachineNetworkInfo** - Network properties of machines, including adapters, IP and MAC addresses, as well as connected networks and domains
+- **ProcessCreationEvents** - Process creation and related events
+- **NetworkCommunicationEvents** - Network connection and related events
+- **FileCreationEvents** - File creation, modification, and other file system events
+- **RegistryEvents** - Creation and modification of registry entries
+- **LogonEvents** - Login and other authentication events
+- **ImageLoadEvents** - DLL loading events
+- **MiscEvents** - Multiple event types, such as process injection, creation of scheduled tasks, and LSASS access attempts
These tables include data from the last 30 days.
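Review bot: The rewritten table descriptions lose detail that hunters rely on when picking a table. The old `RegistryEvents` line listed "creation, modification, rename and deletion", while the new one says only "Creation and modification of registry entries"; if deletion and rename events are still recorded, keep them in the description. The same applies to `FileCreationEvents`, where "rename events" became "other file system events". The new `MachineNetworkInfo` entry is fine as written.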
@@ -137,8 +138,8 @@ The filter selections will resolve as an additional query term and the results w
-## Public Advanced Hunting query GitHub repository
-Check out the [Advanced Hunting repository](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). Contribute and use example queries shared by our customers.
+## Public Advanced hunting query GitHub repository
+Check out the [Advanced hunting repository](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). Contribute and use example queries shared by our customers.
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhunting-belowfoldlink)
diff --git a/windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..da80f7bb7e
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,84 @@
+---
+title: Get alerts API
+description: Retrieves top recent alerts.
+keywords: apis, graph api, supported apis, get, alerts, recent
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Alert resource type
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Represents an alert entity in WDATP.
+
+# Methods
+Method|Return Type |Description
+:---|:---|:---
+[Get alert](get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md) | [Alert](alerts-windows-defender-advanced-threat-protection-new.md) | Get a single [alert](alerts-windows-defender-advanced-threat-protection-new.md) object.
+[List alerts](get-alerts-windows-defender-advanced-threat-protection-new.md) | [Alert](alerts-windows-defender-advanced-threat-protection-new.md) collection | List [alert](alerts-windows-defender-advanced-threat-protection-new.md) collection.
+[Create alert](create-alert-by-reference-windows-defender-advanced-threat-protection-new.md)|[Alert](alerts-windows-defender-advanced-threat-protection-new.md)|Create an alert based on event data obtained from [Advanced Hunting](run-advanced-query-api.md).
+[List related domains](get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md)|Domain collection| List URLs associated with the alert.
+[List related files](get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md) | [File](files-windows-defender-advanced-threat-protection-new.md) collection | List the [file](files-windows-defender-advanced-threat-protection-new.md) entities that are associated with the [alert](alerts-windows-defender-advanced-threat-protection-new.md).
+[List related IPs](get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md) | IP collection | List IPs that are associated with the alert.
+[Get related machines](get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md) | [Machine](machine-windows-defender-advanced-threat-protection-new.md) | The [machine](machine-windows-defender-advanced-threat-protection-new.md) that is associated with the [alert](alerts-windows-defender-advanced-threat-protection-new.md).
+[Get related users](get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md) | [User](user-windows-defender-advanced-threat-protection-new.md) | The [user](user-windows-defender-advanced-threat-protection-new.md) that is associated with the [alert](alerts-windows-defender-advanced-threat-protection-new.md).
+
+
+# Properties
+Property | Type | Description
+:---|:---|:---
+id | String | Alert ID.
+incidentId | String | The [Incident](incidents-queue.md) ID of the Alert.
+assignedTo | String | Owner of the alert.
+severity | Enum | Severity of the alert. Possible values are: 'UnSpecified', 'Informational', 'Low', 'Medium' and 'High'.
+status | Enum | Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'.
+investigationState | Nullable Enum | The current state of the investigation. Possible values are: 'Unknown', 'Terminated', 'SuccessfullyRemediated', 'Benign Failed PartiallyRemediated', 'Running', 'PendingApproval', 'PendingResource', 'PartiallyInvestigated', 'TerminatedByUser', 'TerminatedBySystem', 'Queued', 'InnerFailure', 'PreexistingAlert', 'UnsupportedOs', 'UnsupportedAlertType', 'SuppressedAlert' .
+classification | Nullable Enum | Specification of the alert. Possible values are: 'Unknown', 'FalsePositive', 'TruePositive'.
+determination | Nullable Enum | Specifies the determination of the alert. Possible values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'.
+category| String | Category of the alert. The property values are: 'None', 'SuspiciousActivity', 'Malware', 'CredentialTheft', 'Exploit', 'WebExploit', 'DocumentExploit', 'PrivilegeEscalation', 'Persistence', 'RemoteAccessTool', 'CommandAndControl', 'SuspiciousNetworkTraffic', 'Ransomware', 'MalwareDownload', 'Reconnaissance', 'WebFingerprinting', 'Weaponization', 'Delivery', 'SocialEngineering', 'CredentialStealing', 'Installation', 'Backdoor', 'Trojan', 'TrojanDownloader', 'LateralMovement', 'ExplorationEnumeration', 'NetworkPropagation', 'Exfiltration', 'NotApplicable', 'EnterprisePolicy' and 'General' .
+detectionSource | string | Detection source.
+threatFamilyName | string | Threat family.
+title | string | Alert title.
+description | String | Description of the threat, identified by the alert.
+recommendedAction | String | Action recommended for handling the suspected threat.
+alertCreationTime | DateTimeOffset | The date and time (in UTC) the alert was created.
+lastEventTime | DateTimeOffset | The last occurance of the event that triggered the alert on the same machine.
+firstEventTime | DateTimeOffset | The first occurance of the event that triggered the alert on that machine.
+resolvedTime | DateTimeOffset | The date and time in which the status of the alert was changed to 'Resolved'.
+machineId | String | ID of a [machine](machine-windows-defender-advanced-threat-protection-new.md) entity that is associated with the alert.
+
+# JSON representation
+```
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
+ "id": "121688558380765161_2136280442",
+ "incidentId": 7696,
+ "assignedTo": "secop@contoso.com",
+ "severity": "High",
+ "status": "New",
+ "classification": "TruePositive",
+ "determination": "Malware",
+ "investigationState": "Running",
+ "category": "MalwareDownload",
+ "detectionSource": "WindowsDefenderAv",
+ "threatFamilyName": "Mikatz",
+ "title": "Windows Defender AV detected 'Mikatz', high-severity malware",
+ "description": "Some description"
+ "recommendedAction": "Some recommended action"
+ "alertCreationTime": "2018-11-26T16:19:21.8409809Z",
+ "firstEventTime": "2018-11-26T16:17:50.0948658Z",
+ "lastEventTime": "2018-11-26T16:18:01.809871Z",
+ "resolvedTime": null,
+ "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
+}
+```
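Review bot: The JSON representation block is not valid JSON: the `"description"` and `"recommendedAction"` lines are missing their trailing commas. The sample also shows `"incidentId": 7696` as a number while the Properties table types `incidentId` as String, so one of the two needs to change. In the `investigationState` row, 'Benign Failed PartiallyRemediated' reads like three enum values that lost their quotes and commas. The front matter (`title: Get alerts API`, `description: Retrieves top recent alerts.`) does not match the page heading "Alert resource type", the "List related domains" row describes its result as "List URLs associated with the alert", and "occurance" should be "occurrence" in the `lastEventTime` and `firstEventTime` rows.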
diff --git a/windows/security/threat-protection/windows-defender-atp/apis-intro.md b/windows/security/threat-protection/windows-defender-atp/apis-intro.md
new file mode 100644
index 0000000000..304eed3564
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/apis-intro.md
@@ -0,0 +1,57 @@
+---
+title: Windows Defender Advanced Threat Protection API overview
+description: Learn how you can use APIs to automate workflows and innovate based on Windows Defender ATP capabilities
+keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file, advanced hunting, query
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 09/03/2018
+---
+
+# Windows Defender ATP API overview
+
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+[!include[Prerelease information](prerelease.md)]
+
+Windows Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Windows Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
+
+In general, you’ll need to take the following steps to use the APIs:
+- Create an app
+- Get an access token
+- Use the token to access Windows Defender ATP API
+
+
+As a developer, you decide which permissions for Windows Defender ATP your app requests. When a user signs in to your app they (or, in some cases, an administrator) are given a chance to give consent to these permissions. If the user provides consent, your app is given access to the resources and APIs that it has requested. For apps that don't take a signed-in user, permissions can be pre-approved to by an administrator when the app is installed or during sign-up.
+
+## Delegated permissions, application permissions, and effective permissions
+
+Windows Defender ATP has two types of permissions: delegated permissions and application permissions.
+
+- **Delegated permissions**
+ Used by apps that have a signed-in user present. For these apps either the user or an administrator provides consent to the permissions that the app requests and the app is delegated permission to act as the signed-in user when making calls to Windows Defender ATP. Some delegated permissions can be consented to by non-administrative users, but some higher-privileged permissions require administrator consent.
+- **Application permissions**
+ Used by apps that run without a signed-in user present; for example, apps that run as background services or daemons. Application permissions can only be consented by an administrator.
+
+Effective permissions are permissions that your app will have when making requests to Windows Defender ATP. It is important to understand the difference between the delegated and application permissions that your app is granted and its effective permissions when making calls to Windows Defender ATP.
+
+- For delegated permissions, the effective permissions of your app will be the least privileged intersection of the delegated permissions the app has been granted (via consent) and the privileges of the currently signed-in user. Your app can never have more privileges than the signed-in user. Within organizations, the privileges of the signed-in user may be determined by policy or by membership in one or more administrator roles. For more information about administrator roles, see [Assigning administrator roles in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-assign-admin-roles).
+
+ For example, assume your app has been granted the `Machine.CollectForensics` delegated permission. This permission nominally grants your app permission to collect investigation package from a machine. If the signed-in user has 'Alerts Investigation' permission, your app will be able to collect investigation package from a machine, if the machine belongs to a group the user is exposed to. However, if the signed-in user doesn't have 'Alerts Investigation' permission, your app won't be able to collect investigation package from any machine.
+
+- For application permissions, the effective permissions of your app will be the full level of privileges implied by the permission. For example, an app that has the `Machine.CollectForensics` application permission can collect investigation package from any machine in the organization.
+
+
+## Related topics
+- [Supported Windows Defender ATP APIs](exposed-apis-list.md)
+- [Access Windows Defender ATP without a user](exposed-apis-create-app-webapp.md)
+- [Access Windows Defender ATP on behalf of a user](exposed-apis-create-app-nativeapp.md)
\ No newline at end of file
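Review bot: The opening paragraph links only the OAuth 2.0 Authorization Code Flow, yet the page goes on to describe apps that run without a signed-in user; point readers at the two pages under "Related topics" for each case, or link the matching flow for each. The application permissions bullet states that an app with `Machine.CollectForensics` "can collect investigation package from any machine in the organization", which is the place to add a sentence advising that apps request only the permissions they need. Wording fixes: "pre-approved to by an administrator" should be "pre-approved by an administrator", and "can only be consented by an administrator" should be "can only be consented to by an administrator".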
diff --git a/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md
index 700bbaef2b..3128addc7a 100644
--- a/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
-ms.date: 09/03/2018
+ms.date: 11/28/2018
---
# Assign user access to Windows Defender Security Center
@@ -31,7 +31,7 @@ Windows Defender ATP supports two ways to manage permissions:
> [!NOTE]
>If you have already assigned basic permissions, you may switch to RBAC anytime. Consider the following before making the switch:
->- Users with full access (Security Administrators) are automatically assigned the default **Global administrator** role, which also has full access. Only global administrators can manage permissions using RBAC.
+>- Users with full access (users that are assigned the Global Administrator or Security Administrator directory role in Azure AD), are automatically assigned the default Windows Defender ATP administrator role, which also has full access. Additional Azure AD user groups can be assigned to the Windows Defender ATP administrator role after switching to RBAC. Only users assigned to the Windows Defender ATP administrator role can manage permissions using RBAC.
>- Users that have read-only access (Security Readers) will lose access to the portal until they are assigned a role. Note that only Azure AD user groups can be assigned a role under RBAC.
>- After switching to RBAC, you will not be able to switch back to using basic permissions management.
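Review bot: The rewritten first bullet has a stray comma after the parenthetical ("... directory role in Azure AD), are automatically assigned ...") and packs three separate statements into one bullet: who is auto-assigned, that more Azure AD groups can be added later, and who can manage permissions. Splitting it into separate bullets would make the last statement, which is the one that decides who keeps control after the switch, easier to find. The old text set the role name in bold; "Windows Defender ATP administrator" should be formatted consistently across its three uses.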
diff --git a/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md
index f54267ebfe..123a0bdfd0 100644
--- a/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.author: lomayor
author: lomayor
ms.localizationpriority: medium
-ms.date: 28/02/2018
+ms.date: 11/20/2018
---
# Experience Windows Defender ATP through simulated attacks
@@ -25,6 +25,10 @@ ms.date: 28/02/2018
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-attacksimulations-abovefoldlink)
+>[!TIP]
+> Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
+
+
You might want to experience Windows Defender ATP before you onboard more than a few machines to the service. To do this, you can run controlled attack simulations on a few test machines. After running the simulated attacks, you can review how Windows Defender ATP surfaces malicious activity and explore how it enables an efficient response.
## Before you begin
diff --git a/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md
index e5750beb78..3caa3bf11d 100644
--- a/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
-ms.date: 09/03/2018
+ms.date: 12/04/2018
---
# Overview of Automated investigations
@@ -31,6 +31,7 @@ Entities are the starting point for Automated investigations. When an alert cont
>[!NOTE]
>Currently, Automated investigation only supports Windows 10, version 1803 or later.
+>Some investigation playbooks, like memory investigations, require Windows 10, version 1809 or later.
The alerts start by analyzing the supported entities from the alert and also runs a generic machine playbook to see if there is anything else suspicious on that machine. The outcome and details from the investigation is seen in the Automated investigation view.
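Review bot: The added NOTE line says "Some investigation playbooks, like memory investigations, require Windows 10, version 1809 or later" without saying which playbooks are affected. List them or link to a page that does, so readers on version 1803 know what coverage they are missing. As shown, the new `>` line directly follows the previous `>` line, so the two sentences will render as one run-on paragraph; separate them with a `>` line or make them list items.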
diff --git a/windows/security/threat-protection/windows-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md
index 11611c7741..f5f0d320e5 100644
--- a/windows/security/threat-protection/windows-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
-ms.date: 09/13/2018
+ms.date: 11/09/2018
---
# Use basic permissions to access the portal
@@ -79,9 +79,10 @@ For more information see, [Manage Azure AD group and role membership](https://te
6. Select **Manage** > **Directory role**.
-7. Under **Directory role**, select **Limited administrator**, then **Security Reader** or **Security Administrator**.
+7. Select **Add role** and choose the role you'd like to assign, then click **Select**.
- 
+
+ 
## Related topic
- [Manage portal access using RBAC](rbac-windows-defender-advanced-threat-protection.md)
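Review bot: The new step 7 ("Select **Add role** and choose the role you'd like to assign") no longer names the roles that grant portal access. The removed step named **Security Reader** and **Security Administrator**; keep those names in the step so readers do not assign a broader directory role than intended. The image was swapped to `add-role-ss.png` but the alt text is still "Image of Microsoft Azure portal" and should describe the new screenshot.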
diff --git a/windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md
index 16ae492cd3..64f4c8d321 100644
--- a/windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md
@@ -14,12 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Block file API
+# Block file API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecatedinformation](deprecate.md)]
Prevent a file from being executed in the organization using Windows Defender Antivirus.
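Review bot: The page is now marked deprecated in the heading and through the `deprecate.md` include, but the `ms.date: 12/08/2017` context line at the top of the hunk is left unchanged. Other pages touched in this patch bump `ms.date` with their content change; do the same here so the deprecation is dated.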
diff --git a/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..bcd6861b37
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,98 @@
+---
+title: Collect investigation package API
+description: Use this API to create calls related to the collecting an investigation package from a machine.
+keywords: apis, graph api, supported apis, collect investigation package
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Collect investigation package API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Collect investigation package from a machine.
+
+[!include[Machine actions note](machineactionsnote.md)]
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.CollectForensics | 'Collect forensics'
+Delegated (work or school account) | Machine.CollectForensics | 'Collect forensics'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'Alerts Investigation' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+POST https://api.securitycenter.windows.com/api/machines/{id}/collectInvestigationPackage
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+Content-Type | string | application/json. **Required**.
+
+## Request body
+In the request body, supply a JSON object with the following parameters:
+
+Parameter | Type | Description
+:---|:---|:---
+Comment | String | Comment to associate with the action. **Required**.
+
+## Response
+If successful, this method returns 201 - Created response code and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) in the response body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+POST https://api.securitycenter.windows.com/api/machines/fb9ab6be3965095a09c057be7c90f0a2/collectInvestigationPackage
+Content-type: application/json
+{
+ "Comment": "Collect forensics due to alert 1234"
+}
+```
+
+**Response**
+
+Here is an example of the response.
+
+```
+HTTP/1.1 201 Created
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
+ "id": "c9042f9b-8483-4526-87b5-35e4c2532223",
+ "type": "CollectInvestigationPackage",
+ "requestor": "Analyst@contoso.com",
+ "requestorComment": " Collect forensics due to alert 1234",
+ "status": "InProgress",
+ "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
+ "creationDateTimeUtc": "2018-12-04T12:09:24.1785079Z",
+ "lastUpdateTimeUtc": "2018-12-04T12:09:24.1785079Z",
+ "relatedFileInfo": null
+}
+
+```
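Review bot: The example request omits the `Authorization` header even though the Request headers table marks it **Required**; add `Authorization: Bearer {token}` to the sample so it matches the table. The request targets machine `fb9ab6be3965095a09c057be7c90f0a2`, but the response returns `"machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f"`, so the two samples do not describe the same call. `"requestorComment"` has a leading space that is not in the submitted `Comment`, and both samples need a blank line between the headers and the JSON body. The front matter description ("create calls related to the collecting an investigation package") needs rewording.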
diff --git a/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md
index f6394dc5a6..74df3d6aa3 100644
--- a/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Collect investigation package API
+# Collect investigation package API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-
+[!include[Deprecatedinformation](deprecate.md)]
Collect investigation package from a machine.
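Review bot: The deprecated heading gives readers no pointer to the replacement. This patch adds `collect-investigation-package-windows-defender-advanced-threat-protection-new.md` for the same operation, so link to it here, unless `deprecate.md` already does so for every deprecated page.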
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
index e0c41580fa..a567b25209 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
-ms.date: 09/19/2018
+ms.date: 12/06/2018
---
# Onboard Windows 10 machines using Mobile Device Management tools
@@ -34,27 +34,10 @@ For more information on enabling MDM with Microsoft Intune, see [Setup Windows D
## Onboard machines using Microsoft Intune
+Follow the instructions from [Intune](https://docs.microsoft.com/intune/advanced-threat-protection).
+
For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx).
-### Use the Azure Intune Portal to deploy Windows Defender Advanced Threat Protection policies on Windows 10 1607 and higher
-
-1. Login to the [Microsoft Azure portal](https://portal.azure.com).
-
-2. Select **Device Configuration > Profiles > Create profile**.
-
-3. Enter a **Name** and **Description**.
-
-4. For **Platform**, select **Windows 10 and later**.
-
-5. For **Profile type**, select **Windows Defender ATP (Windows 10 Desktop)**.
-
-6. Configure the settings:
- - **Onboard Configuration Package**: Browse and select the **WindowsDefenderATP.onboarding** file you downloaded. This file enables a setting so devices can report to the Windows Defender ATP service.
- - **Sample sharing for all files**: Allows samples to be collected, and shared with Windows Defender ATP. For example, if you see a suspicious file, you can submit it to Windows Defender ATP for deep analysis.
- - **Expedite telemetry reporting frequency**: For devices that are at high risk, enable this setting so it reports telemetry to the Windows Defender ATP service more frequently.
- - **Offboard Configuration Package**: If you want to remove Windows Defender ATP monitoring, you can download an offboarding package from Windows Defender Security Center, and add it. Otherwise, skip this property.
-
-7. Select **OK**, and **Create** to save your changes, which creates the profile.
> [!NOTE]
> - The **Health Status for onboarded machines** policy uses read-only properties and can't be remediated.
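Review bot: Replacing the seven Intune steps with "Follow the instructions from [Intune](...)" leaves a link whose text does not say what it leads to; name the target article in the link text. The removed steps also covered the **Offboard Configuration Package**, sample sharing and telemetry frequency settings, so confirm the linked article covers them before dropping them here. The NOTE that remains refers to the "Health Status for onboarded machines" policy, which no longer has any surrounding steps to give it context.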
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md
index c7d9e056c4..2609656756 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
-ms.date: 09/12/2018
+ms.date: 11/14/2018
---
@@ -98,8 +98,28 @@ United Kingdom | ```uk.vortex-win.data.microsoft.com```
```uk-v20.events.dat
United States | ```us.vortex-win.data.microsoft.com```
```us-v20.events.data.microsoft.com```
```winatp-gw-cus.microsoft.com```
```winatp-gw-eus.microsoft.com```
+
If a proxy or firewall is blocking anonymous traffic, as Windows Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the above listed URLs.
+## Windows Defender ATP service backend IP range
+If you network devices don't support the URLs white-listed in the prior section, you can use the following information.
+
+Windows Defender ATP is built on Azure cloud, deployed in the following regions:
+
+- \+\
+- \+\
+- \+\
+- \+\
+- \+\
+- \+\
+- \+\
+
+
+You can find the Azure IP range on [Microsoft Azure Datacenter IP Ranges](https://www.microsoft.com/en-us/download/details.aspx?id=41653).
+
+>[!NOTE]
+> As a cloud-based solution, the IP range can change. It's recommended you move to DNS resolving setting.
+
## Verify client connectivity to Windows Defender ATP service URLs
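Review bot: The region list added under "Windows Defender ATP is built on Azure cloud, deployed in the following regions" has seven bullets that contain only `\+\` and no region name, so a reader has nothing to look up in the Azure IP range download. Fill in the region names or drop the list. In the same section, "If you network devices" should read "If your network devices". The closing note warns that the IP range can change, so it could also say that the URL list in the previous section is the setting to move to.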
diff --git a/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..88f5545da4
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,93 @@
+---
+title: Create alert from event API
+description: Creates an alert using event details
+keywords: apis, graph api, supported apis, get, alert, information, id
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Create alert from event API
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+
+Enables using event data, as obtained from the [Advanced Hunting](run-advanced-query-api.md) for creating a new alert entity.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Alerts.ReadWrite.All | 'Read and write all alerts'
+Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'Alerts investigation' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+POST https://api.securitycenter.windows.com/api/alerts/CreateAlertByReference
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+Content-Type | String | application/json. **Required**.
+
+## Request body
+In the request body, supply the following values (all are required):
+
+Property | Type | Description
+:---|:---|:---
+machineId | String | Id of the machine on which the event was identified. **Required**.
+severity | String | Severity of the alert. The property values are: 'Low', 'Medium' and 'High'. **Required**.
+title | String | Title for the alert. **Required**.
+description | String | Description of the alert. **Required**.
+recommendedAction| String | Action that is recommended to be taken by security officer when analyzing the alert.
+eventTime | DateTime(UTC) | The time of the event, as obtained from the advanced query. **Required**.
+reportId | String | The reportId, as obtained from the advanced query. **Required**.
+category| String | Category of the alert. The property values are: 'None', 'SuspiciousActivity', 'Malware', 'CredentialTheft', 'Exploit', 'WebExploit', 'DocumentExploit', 'PrivilegeEscalation', 'Persistence', 'RemoteAccessTool', 'CommandAndControl', 'SuspiciousNetworkTraffic', 'Ransomware', 'MalwareDownload', 'Reconnaissance', 'WebFingerprinting', 'Weaponization', 'Delivery', 'SocialEngineering', 'CredentialStealing', 'Installation', 'Backdoor', 'Trojan', 'TrojanDownloader', 'LateralMovement', 'ExplorationEnumeration', 'NetworkPropagation', 'Exfiltration', 'NotApplicable', 'EnterprisePolicy' and 'General'.
+
+
+## Response
+If successful, this method returns 200 OK, and a new [alert](alerts-windows-defender-advanced-threat-protection-new.md) object in the response body. If event with the specified properties (_reportId_, _eventTime_ and _machineId_) was not found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+POST https://api.securitycenter.windows.com/api/alerts/CreateAlertByReference
+Content-Length: application/json
+
+{
+ "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "severity": "Low",
+ "title": "test alert",
+ "description": "redalert",
+ "recommendedAction": "white alert",
+ "eventTime": "2018-08-03T16:45:21.7115183Z",
+ "reportId": "20776",
+ "category": "None"
+}
+```
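Review bot: The example request sends `Content-Length: application/json`, but the Request headers table lists `Content-Type: application/json` and `Authorization: Bearer {token}` as required, and neither appears in the example. Replace the `Content-Length` line with `Content-Type` and add the `Authorization` header so the sample matches the table. The Request body section says "all are required", yet `recommendedAction` and `category` are the only rows without **Required**, so either mark them or change the sentence. Also check the permission names: the application permission is `Alerts.ReadWrite.All` while the delegated one is `Alert.ReadWrite` (singular). The Response section describes a 200 OK with an alert object, but the example stops at the request, so a sample response would complete it.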
diff --git a/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md
index 8bc7172555..67591e6f98 100644
--- a/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md
@@ -187,7 +187,6 @@ The API currently supports the following IOC types:
- Sha1
- Sha256
- Md5
-- FileName
- IpAddress
- DomainName
diff --git a/windows/security/threat-protection/windows-defender-atp/delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..b0d3efb765
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,77 @@
+---
+title: Delete Ti Indicator.
+description: Deletes Ti Indicator entity by ID.
+keywords: apis, public api, supported apis, delete, ti indicator, entity, id
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Delete TI Indicator API
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+>[!Note]
+> Currently this API is supported only for AppOnly context requests. (See [Get access without a user](exposed-apis-create-app-webapp.md) for more information)
+
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+Retrieves a TI Indicator entity by ID.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Ti.ReadWrite | 'Read and write TI Indicators'
+
+
+## HTTP request
+```
+Delete https://api.securitycenter.windows.com/api/tiindicators/{id}
+```
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If TI Indicator exist and deleted successfully - 204 OK without content.
+If TI Indicator with the specified id was not found - 404 Not Found.
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+DELETE https://api.securitycenter.windows.com/api/tiindicators/220e7d15b0b3d7fac48f2bd61114db1022197f7f
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 204 NO CONTENT
+
+```
diff --git a/windows/security/threat-protection/windows-defender-atp/deprecate.md b/windows/security/threat-protection/windows-defender-atp/deprecate.md
new file mode 100644
index 0000000000..fe73a4d416
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/deprecate.md
@@ -0,0 +1,7 @@
+---
+ms.date: 10/17/2018
+---
+>[!WARNING]
+
+
+> This page documents a feature that will soon be deprecated. For the updated and supported version, see [Use the Windows Defender ATP APIs](use-apis.md).
\ No newline at end of file
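Review bot: The two blank lines between `>[!WARNING]` and the `> This page documents a feature...` line end the blockquote, so the warning marker and its text land in separate blocks and the alert will not render with its body. Put the text on the line directly after `>[!WARNING]`. The file also lacks a trailing newline.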
diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-nativeapp.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-nativeapp.md
new file mode 100644
index 0000000000..679dc47866
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-nativeapp.md
@@ -0,0 +1,175 @@
+---
+title: Use Windows Defender Advanced Threat Protection APIs
+description: Use the exposed data and actions using a set of progammatic APIs that are part of the Microsoft Intelligence Security Graph.
+keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file, advanced hunting, query
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 09/03/2018
+---
+
+# Use Windows Defender ATP APIs
+
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+
+[!include[Prerelease information](prerelease.md)]
+
+
+This page describe how to create an application to get programmatical access to Windows Defender ATP on behalf of a user.
+
+If you need programmatical access Windows Defender ATP without a user, refer to [Access Windows Defender ATP without a user](exposed-apis-create-app-webapp.md).
+
+If you are not sure which access you need, read the [Introduction page](apis-intro.md).
+
+Windows Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Windows Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
+
+In general, you’ll need to take the following steps to use the APIs:
+- Create an app
+- Get an access token
+- Use the token to access Windows Defender ATP API
+
+This page explains how to create an app, get an access token to Windows Defender ATP and validate the token includes the required permission.
+
+>[!NOTE]
+> When accessing Windows Defender ATP API on behalf of a user, you will need the correct app permission and user permission.
+> If you are not familiar with user permissions on Windows Defender ATP, see [Manage portal access using role-based access control](rbac-windows-defender-advanced-threat-protection.md).
+
+>[!TIP]
+> If you have the permission to perform an action in the portal, you have the permission to perform the action in the API.
+
+## Create an app
+
+1. Log on to [Azure](https://portal.azure.com).
+
+2. Navigate to **Azure Active Directory** > **App registrations** > **New application registration**.
+
+ 
+
+3. In the Create window, enter the following information then click **Create**.
+
+ 
+
+ - **Name:** -Your app name-
+ - **Application type:** Native
+ - **Redirect URI:** `https://127.0.0.1`
+
+
+4. Click **Settings** > **Required permissions** > **Add**.
+
+ 
+
+5. Click **Select an API** > **WindowsDefenderATP**, then click **Select**.
+
+ **Note**: WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear.
+
+ 
+
+6. Click **Select permissions** > check **Read alerts** and **Collect forensics** > **Select**.
+
+ >[!IMPORTANT]
+ >You need to select the relevant permissions. 'Read alerts' and 'Collect forensics' are only an example.
+
+ 
+
+ For instance,
+
+ - To [run advanced queries](run-advanced-query-api.md), select 'Run advanced queries' permission
+ - To [isolate a machine](isolate-machine-windows-defender-advanced-threat-protection-new.md), select 'Isolate machine' permission
+
+ To determine which permission you need, look at the **Permissions** section in the API you are interested to call.
+
+
+7. Click **Done**
+
+ 
+
+8. Click **Grant permissions**
+
+ In order to add the new selected permissions to the app, the Admin's tenant must press on the **Grant permissions** button.
+
+ If in the future you will want to add more permission to the app, you will need to press on the **Grant permissions** button again so the changes will take effect.
+
+ 
+
+9. Write down your application ID.
+
+ 
+
+
+## Get an access token
+
+For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds)
+
+### Using C#
+
+The code was below tested with nuget Microsoft.IdentityModel.Clients.ActiveDirectory 3.19.8
+
+- Create a new Console Application
+- Install Nuget [Microsoft.IdentityModel.Clients.ActiveDirectory](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory/)
+- Add the below using
+
+ ```
+ using Microsoft.IdentityModel.Clients.ActiveDirectory;
+ ```
+
+- Copy/Paste the below code in your application (pay attention to the comments in the code)
+
+ ```
+ const string authority = "https://login.windows.net";
+ const string wdatpResourceId = "https://api.securitycenter.windows.com";
+
+ string tenantId = "00000000-0000-0000-0000-000000000000"; // Paste your own tenant ID here
+ string appId = "11111111-1111-1111-1111-111111111111"; // Paste your own app ID here
+
+ string username = "SecurityAdmin123@microsoft.com"; // Paste your username here
+ string password = GetPasswordFromSafePlace(); // Paste your own password here for a test, and then store it in a safe place!
+
+ UserPasswordCredential userCreds = new UserPasswordCredential(username, password);
+
+ AuthenticationContext auth = new AuthenticationContext($"{authority}/{tenantId}");
+ AuthenticationResult authenticationResult = auth.AcquireTokenAsync(wdatpResourceId, appId, userCreds).GetAwaiter().GetResult();
+ string token = authenticationResult.AccessToken;
+ ```
+
+## Validate the token
+
+Sanity check to make sure you got a correct token:
+- Copy/paste into [JWT](https://jwt.ms) the token you get in the previous step in order to decode it
+- Validate you get a 'scp' claim with the desired app permissions
+- In the screenshot below you can see a decoded token acquired from the app in the tutorial:
+
+
+
+## Use the token to access Windows Defender ATP API
+
+- Choose the API you want to use - [Supported Windows Defender ATP APIs](exposed-apis-list.md)
+- Set the Authorization header in the HTTP request you send to "Bearer {token}" (Bearer is the Authorization scheme)
+- The Expiration time of the token is 1 hour (you can send more then one request with the same token)
+
+- Example of sending a request to get a list of alerts **using C#**
+ ```
+ var httpClient = new HttpClient();
+
+ var request = new HttpRequestMessage(HttpMethod.Get, "https://api.securitycenter.windows.com/api/alerts");
+
+ request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
+
+ var response = await httpClient.SendAsync(request).ConfigureAwait(false);
+
+ // Do something useful with the response
+ ```
+
+## Related topics
+- [Windows Defender ATP APIs](apis-intro.md)
+- [Supported Windows Defender ATP APIs](exposed-apis-list.md)
+- [Access Windows Defender ATP without a user](exposed-apis-create-app-webapp.md)
\ No newline at end of file
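Review bot: In the "Using C#" sample, the comment on the `password` line tells the reader to "Paste your own password here for a test", and `GetPasswordFromSafePlace()` is never defined or explained, so the sample as written steers readers toward a hard-coded account password in source. Drop the paste instruction and state where the helper is expected to read the secret from. The "Get an access token" link points at the `...oauth-client-creds` article, which is the flow without a user, while this page is about access on behalf of a user. The front-matter title "Use Windows Defender Advanced Threat Protection APIs" does not describe this page the way the sibling page's title does ("Create an app to access Windows Defender ATP without a user"). Smaller fixes: "This page describe" should be "describes", "The code was below tested" should be "The code below was tested", "more then one request" should be "more than one request", and the sample username uses a `microsoft.com` address where a placeholder domain would be safer.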
diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-webapp.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-webapp.md
new file mode 100644
index 0000000000..ca0153916b
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-webapp.md
@@ -0,0 +1,220 @@
+---
+title: Create an app to access Windows Defender ATP without a user
+description: Use the exposed data and actions using a set of progammatic APIs that are part of the Microsoft Intelligence Security Graph.
+keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file, advanced hunting, query
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 09/03/2018
+---
+
+# Create an app to access Windows Defender ATP without a user
+
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+[!include[Prerelease information](prerelease.md)]
+
+This page describes how to create an application to get programmatical access to Windows Defender ATP without a user.
+
+If you need programmatical access Windows Defender ATP on behalf of a user, see [Access Windows Defender ATP on behalf of a user](exposed-apis-create-app-nativeapp.md)
+
+If you are not sure which access you need, see [Use Windows Defender ATP APIs](apis-intro.md).
+
+Windows Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will help you automate workflows and innovate based on Windows Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
+
+In general, you’ll need to take the following steps to use the APIs:
+- Create an app
+- Get an access token
+- Use the token to access Windows Defender ATP API
+
+This page explains how to create an app, get an access token to Windows Defender ATP and validate the token includes the required permission.
+
+## Create an app
+
+1. Log on to [Azure](https://portal.azure.com).
+
+2. Navigate to **Azure Active Directory** > **App registrations** > **New application registration**.
+
+ 
+
+3. In the Create window, enter the following information then click **Create**.
+
+ 
+
+ - **Name:** WdatpEcosystemPartner
+ - **Application type:** Web app / API
+ - **Redirect URI:** `https://WdatpEcosystemPartner.com` (The URL where user can sign in and use your app. You can change this URL later.)
+
+
+4. Click **Settings** > **Required permissions** > **Add**.
+
+ 
+
+5. Click **Select an API** > **WindowsDefenderATP**, then click **Select**.
+
+ **Note**: WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear.
+
+ 
+
+6. Click **Select permissions** > **Run advanced queries** > **Select**.
+
+ **Important note**: You need to select the relevant permission. 'Run advanced queries' is only an example!
+
+ 
+
+ For instance,
+
+ - To [run advanced queries](run-advanced-query-api.md), select 'Run advanced queries' permission
+ - To [isolate a machine](isolate-machine-windows-defender-advanced-threat-protection-new.md), select 'Isolate machine' permission
+
+ To determine which permission you need, please look at the **Permissions** section in the API you are interested to call.
+
+7. Click **Done**
+
+ 
+
+8. Click **Grant permissions**
+
+ In order to add the new selected permissions to the app, the Admin's tenant must press on the **Grant permissions** button.
+
+ If in the future you will want to add more permission to the app, you will need to press on the **Grant permissions** button again so the changes will take effect.
+
+ 
+
+9. Click **Keys** and type a key name and click **Save**.
+
+ **Important**: After you save, **copy the key value**. You won't be able to retrieve after you leave!
+
+ 
+
+10. Write down your application ID.
+
+ 
+
+11. Set your application to be multi-tenanted
+
+ This is **required** for 3rd party apps (for example, if you create an application that is intended to run in multiple customers tenant).
+
+ This is **not required** if you create a service that you want to run in your tenant only (for example, if you create an application for your own usage that will only interact with your own data)
+
+ Click **Properties** > **Yes** > **Save**.
+
+ 
+
+
+## Application consent
+You need your application to be approved in each tenant where you intend to use it. This is because your application interacts with WDATP application on behalf of your customer.
+
+You (or your customer if you are writing a 3rd party application) need to click the consent link and approve your application. The consent should be done with a user who has admin privileges in the active directory.
+
+Consent link is of the form:
+
+```
+https://login.microsoftonline.com/common/oauth2/authorize?prompt=consent&client_id=00000000-0000-0000-0000-000000000000&response_type=code&sso_reload=true
+```
+
+where 00000000-0000-0000-0000-000000000000 should be replaced with your Azure application ID
+
+
+## Get an access token
+
+For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds)
+
+### Using C#
+
+>The below code was tested with nuget Microsoft.IdentityModel.Clients.ActiveDirectory 3.19.8
+
+- Create a new Console Application
+- Install Nuget [Microsoft.IdentityModel.Clients.ActiveDirectory](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory/)
+- Add the below using
+
+ ```
+ using Microsoft.IdentityModel.Clients.ActiveDirectory;
+ ```
+
+- Copy/Paste the below code in your application (do not forget to update the 3 variables: ```tenantId, appId, appSecret```)
+
+ ```
+ string tenantId = "00000000-0000-0000-0000-000000000000"; // Paste your own tenant ID here
+ string appId = "11111111-1111-1111-1111-111111111111"; // Paste your own app ID here
+ string appSecret = "22222222-2222-2222-2222-222222222222"; // Paste your own app secret here for a test, and then store it in a safe place!
+
+ const string authority = "https://login.windows.net";
+ const string wdatpResourceId = "https://api.securitycenter.windows.com";
+
+ AuthenticationContext auth = new AuthenticationContext($"{authority}/{tenantId}/");
+ ClientCredential clientCredential = new ClientCredential(appId, appSecret);
+ AuthenticationResult authenticationResult = auth.AcquireTokenAsync(wdatpResourceId, clientCredential).GetAwaiter().GetResult();
+ string token = authenticationResult.AccessToken;
+ ```
+
+### Using PowerShell
+
+Refer to [Get token using PowerShell](run-advanced-query-sample-powershell.md#get-token)
+
+### Using Python
+
+Refer to [Get token using Python](run-advanced-query-sample-python.md#get-token)
+
+### Using Curl
+
+> [!NOTE]
+> The below procedure supposed Curl for Windows is already installed on your computer
+
+- Open a command window
+- Set CLIENT_ID to your Azure application ID
+- Set CLIENT_SECRET to your Azure application secret
+- Set TENANT_ID to the Azure tenant ID of the customer that wants to use your application to access WDATP application
+- Run the below command:
+
+```
+curl -i -X POST -H "Content-Type:application/x-www-form-urlencoded" -d "grant_type=client_credentials" -d "client_id=%CLIENT_ID%" -d "scope=https://securitycenter.onmicrosoft.com/windowsatpservice/.default" -d "client_secret=%CLIENT_SECRET%" "https://login.microsoftonline.com/%TENANT_ID%/oauth2/v2.0/token" -k
+```
+
+You will get an answer of the form:
+
+```
+{"token_type":"Bearer","expires_in":3599,"ext_expires_in":0,"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIn aWReH7P0s0tjTBX8wGWqJUdDA"}
+```
+
+## Validate the token
+
+Sanity check to make sure you got a correct token:
+- Copy/paste into [JWT](https://jwt.ms) the token you get in the previous step in order to decode it
+- Validate you get a 'roles' claim with the desired permissions
+- In the screenshot below you can see a decoded token acquired from an app with permissions to all of Wdatp's roles:
+
+
+
+## Use the token to access Windows Defender ATP API
+
+- Choose the API you want to use, for more information, see [Supported Windows Defender ATP APIs](exposed-apis-list.md)
+- Set the Authorization header in the Http request you send to "Bearer {token}" (Bearer is the Authorization scheme)
+- The Expiration time of the token is 1 hour (you can send more then one request with the same token)
+
+- Example of sending a request to get a list of alerts **using C#**
+ ```
+ var httpClient = new HttpClient();
+
+ var request = new HttpRequestMessage(HttpMethod.Get, "https://api.securitycenter.windows.com/api/alerts");
+
+ request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
+
+ var response = await httpClient.SendAsync(request).ConfigureAwait(false);
+
+ // Do something useful with the response
+ ```
+
+## Related topics
+- [Windows Defender ATP APIs](apis-intro.md)
+- [Supported Windows Defender ATP APIs](exposed-apis-list.md)
+- [Access Windows Defender ATP on behalf of a user](exposed-apis-create-app-nativeapp.md)
\ No newline at end of file
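Review bot: The curl command under "Using Curl" ends with `-k`, which turns off TLS certificate verification on the request that carries `client_secret` to the token endpoint. Remove `-k` from the documented command so readers do not copy it into scripts. The two token samples also disagree without explanation: the C# code uses `https://login.windows.net` with resource `https://api.securitycenter.windows.com`, while curl uses the `oauth2/v2.0/token` endpoint with scope `https://securitycenter.onmicrosoft.com/windowsatpservice/.default`. Say which is preferred or why both work. The sample response's `access_token` value contains a space in the middle, so mark it as truncated. The `appSecret` comment "Paste your own app secret here for a test" has the same hard-coding concern as the sibling page. In the prose, "The below procedure supposed Curl" should be "assumes Curl", "You won't be able to retrieve after you leave" is missing "it", and "more then one request" should be "more than one request".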
diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-full-sample-powershell.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-full-sample-powershell.md
new file mode 100644
index 0000000000..5c554d4040
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-full-sample-powershell.md
@@ -0,0 +1,118 @@
+---
+title: Advanced Hunting API
+description: Use this API to run advanced queries
+keywords: apis, supported apis, advanced hunting, query
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 09/24/2018
+---
+
+# Windows Defender ATP APIs using PowerShell
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+
+Full scenario using multiple APIs from Windows Defender ATP.
+
+In this section we share PowerShell samples to
+ - Retrieve a token
+ - Use token to retrieve the latest alerts in Windows Defender ATP
+ - For each alert, if the alert has medium or high priority and is still in progress, check how many times the machine has connected to suspicious URL.
+
+>**Prerequisite**: You first need to [create an app](apis-intro.md).
+
+## Preparation Instructions
+
+- Open a PowerShell window.
+- If your policy does not allow you to run the PowerShell commands, you can run the below command:
+```
+Set-ExecutionPolicy -ExecutionPolicy Bypass
+```
+
+>For more details, refer to [PowerShell documentation](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy)
+
+## Get token
+
+- Run the below
+
+> - $tenantId: ID of the tenant on behalf of which you want to run the query (i.e., the query will be run on the data of this tenant)
+> - $appId: ID of your AAD app (the app must have 'Run advanced queries' permission to WDATP)
+> - $appSecret: Secret of your AAD app
+> - $suspiciousUrl: The URL
+
+
+```
+$tenantId = '00000000-0000-0000-0000-000000000000' # Paste your own tenant ID here
+$appId = '11111111-1111-1111-1111-111111111111' # Paste your own app ID here
+$appSecret = '22222222-2222-2222-2222-222222222222' # Paste your own app secret here
+$suspiciousUrl = 'www.suspiciousUrl.com' # Paste your own URL here
+
+$resourceAppIdUri = 'https://securitycenter.onmicrosoft.com/windowsatpservice'
+$oAuthUri = "https://login.windows.net/$TenantId/oauth2/token"
+$authBody = [Ordered] @{
+ resource = "$resourceAppIdUri"
+ client_id = "$appId"
+ client_secret = "$appSecret"
+ grant_type = 'client_credentials'
+}
+$authResponse = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $authBody -ErrorAction Stop
+$aadToken = $authResponse.access_token
+
+
+#Get latest alert
+$alertUrl = "https://api.securitycenter.windows.com/api/alerts?`$top=10"
+$headers = @{
+ 'Content-Type' = 'application/json'
+ Accept = 'application/json'
+ Authorization = "Bearer $aadToken"
+}
+$alertResponse = Invoke-WebRequest -Method Get -Uri $alertUrl -Headers $headers -ErrorAction Stop
+$alerts = ($alertResponse | ConvertFrom-Json).value
+
+$machinesToInvestigate = New-Object System.Collections.ArrayList
+
+Foreach($alert in $alerts)
+{
+ #echo $alert.id $alert.machineId $alert.severity $alert.status
+
+ $isSevereAlert = $alert.severity -in 'Medium', 'High'
+ $isOpenAlert = $alert.status -in 'InProgress', 'New'
+ if($isOpenAlert -and $isSevereAlert)
+ {
+ if (-not $machinesToInvestigate.Contains($alert.machineId))
+ {
+ $machinesToInvestigate.Add($alert.machineId) > $null
+ }
+ }
+}
+
+$commaSeparatedMachines = '"{0}"' -f ($machinesToInvestigate -join '","')
+
+$query = "NetworkCommunicationEvents
+| where MachineId in ($commaSeparatedMachines)
+| where RemoteUrl == `"$suspiciousUrl`"
+| summarize ConnectionsCount = count() by MachineId"
+
+$queryUrl = "https://api.securitycenter.windows.com/api/advancedqueries/run"
+
+$queryBody = ConvertTo-Json -InputObject @{ 'Query' = $query }
+$queryResponse = Invoke-WebRequest -Method Post -Uri $queryUrl -Headers $headers -Body $queryBody -ErrorAction Stop
+$response = ($queryResponse | ConvertFrom-Json).Results
+$response
+
+```
+
+
+## Related topic
+- [Windows Defender ATP APIs](apis-intro.md)
+- [Advanced Hunting API](run-advanced-query-api.md)
+- [Advanced Hunting using Python](run-advanced-query-sample-python.md)
+- [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md)
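Review bot: The preparation step tells readers to run `Set-ExecutionPolicy -ExecutionPolicy Bypass` with no `-Scope`, which changes the policy beyond the current session. For a documentation sample, use `-Scope Process` so the change ends when the window closes. In the script, `$suspiciousUrl` is interpolated straight into the query string, and when no alert matches the severity and status filter `$commaSeparatedMachines` becomes `""`, so the query still runs with an empty machine list. Add a check that `$machinesToInvestigate` is non-empty before building the query. The front matter title "Advanced Hunting API" and its description look copied from another page and do not match the H1 "Windows Defender ATP APIs using PowerShell". The "Get token" heading covers the whole scenario, not only the token step. The `$suspiciousUrl` parameter description just says "The URL". `$oAuthUri` references `$TenantId` while the variable is declared as `$tenantId`, which works but is inconsistent.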
diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-list.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-list.md
new file mode 100644
index 0000000000..101b345a77
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-list.md
@@ -0,0 +1,58 @@
+---
+title: Supported Windows Defender Advanced Threat Protection query APIs
+description: Learn about the specific supported Windows Defender Advanced Threat Protection entities where you can create API calls to.
+keywords: apis, supported apis, actor, alerts, machine, user, domain, ip, file, advanced queries, advanced hunting
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 30/07/2018
+---
+
+# Supported Windows Defender ATP query APIs
+
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-supportedapis-abovefoldlink)
+
+## End Point URI and Versioning
+
+### End Point URI:
+
+> The service base URI is: https://api.securitycenter.windows.com
+
+> The queries based OData have the '/api' prefix. For example, to get Alerts you can send GET request to https://api.securitycenter.windows.com/api/alerts
+
+### Versioning:
+
+> The API supports versioning.
+
+> The current version is **V1.0**.
+
+> To use a specific version, use this format: https://api.securitycenter.windows.com/api/{Version}. For example: https://api.securitycenter.windows.com/api/v1.0/alerts
+
+> If you don't specify any version (e.g., https://api.securitycenter.windows.com/api/alerts ) you will get to the latest version.
+
+
+Learn more about the individual supported entities where you can run API calls to and details such as HTTP request values, request headers and expected responses.
+
+## In this section
+Topic | Description
+:---|:---
+Advanced Hunting | Run queries from API.
+Alerts | Run API calls such as get alerts, alert information by ID, alert related actor information, alert related IP information, and alert related machine information.
+Domain |Run API calls such as get domain related machines, domain related machines, statistics, and check if a domain is seen in your organization.
+File | Run API calls such as get file information, file related alerts, file related machines, and file statistics.
+IP | Run API calls such as get IP related alerts, IP related machines, IP statistics, and check if and IP is seen in your organization.
+Machines | Run API calls such as find machine information by IP, get machines, get machines by ID, information about logged on users, and alerts related to a given machine ID.
+User | Run API calls such as get alert related user information, user information, user related alerts, and user related machines.
+
+## Related topic
+- [Windows Defender ATP APIs](apis-intro.md)
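Review bot: `ms.date: 30/07/2018` in the front matter is in DD/MM/YYYY order, while the other new files in this change use MM/DD/YYYY (for example `ms.date: 11/15/2018`); it should be `07/30/2018`. In the "In this section" table, the Domain row lists "domain related machines" twice and the IP row has the typo "check if and IP is seen". The description "where you can create API calls to" needs rewording, and the topics in the table carry no links to the pages they describe.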
diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md
new file mode 100644
index 0000000000..37c5a9f1d7
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md
@@ -0,0 +1,279 @@
+---
+title: OData queries with Windows Defender ATP
+description: OData queries with Windows Defender ATP
+keywords: apis, supported apis, odata, query
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 11/15/2018
+---
+
+# OData queries with Windows Defender ATP
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+- If you are not familiar with OData queries, see: [OData V4 queries](https://www.odata.org/documentation/)
+
+- Not all properties are filterable.
+
+### Properties that supports $filter:
+
+- [Alert](alerts-windows-defender-advanced-threat-protection-new.md): Id, IncidentId, AlertCreationTime, Status, Severity and Category.
+- [Machine](machine-windows-defender-advanced-threat-protection-new.md): Id, ComputerDnsName, LastSeen, LastIpAddress, HealthStatus, OsPlatform, RiskScore, MachineTags and RbacGroupId.
+- [MachineAction](machineaction-windows-defender-advanced-threat-protection-new.md): Id, Status, MachineId, Type, Requestor and CreationDateTimeUtc.
+
+### Example 1
+
+- Get all the machines with the tag 'ExampleTag'
+
+```
+HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=machineTags/any(tag: tag eq 'ExampleTag')
+```
+
+**Response:**
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
+ "value": [
+ {
+ "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "computerDnsName": "mymachine1.contoso.com",
+ "firstSeen": "2018-08-02T14:55:03.7791856Z",
+ "lastSeen": "2018-08-02T14:55:03.7791856Z",
+ "osPlatform": "Windows10",
+ "osVersion": "10.0.0.0",
+ "lastIpAddress": "172.17.230.209",
+ "lastExternalIpAddress": "167.220.196.71",
+ "agentVersion": "10.5830.18209.1001",
+ "osBuild": 18209,
+ "healthStatus": "Active",
+ "rbacGroupId": 140,
+ "rbacGroupName": "The-A-Team",
+ "riskScore": "High",
+ "isAadJoined": true,
+ "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
+ "machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ]
+ },
+ .
+ .
+ .
+ ]
+}
+```
+
+### Example 2
+
+- Get all the alerts that created after 2018-10-20 00:00:00
+
+```
+HTTP GET https://api.securitycenter.windows.com/api/alerts?$filter=alertCreationTime gt 2018-11-22T00:00:00Z
+```
+
+**Response:**
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
+ "value": [
+ {
+ "id": "121688558380765161_2136280442",
+ "incidentId": 7696,
+ "assignedTo": "secop@contoso.com",
+ "severity": "High",
+ "status": "New",
+ "classification": "TruePositive",
+ "determination": "Malware",
+ "investigationState": "Running",
+ "category": "MalwareDownload",
+ "detectionSource": "WindowsDefenderAv",
+ "threatFamilyName": "Mikatz",
+ "title": "Windows Defender AV detected 'Mikatz', high-severity malware",
+ "description": "Some description"
+ "recommendedAction": "Some recommended action"
+ "alertCreationTime": "2018-11-26T16:19:21.8409809Z",
+ "firstEventTime": "2018-11-26T16:17:50.0948658Z",
+ "lastEventTime": "2018-11-26T16:18:01.809871Z",
+ "resolvedTime": null,
+ "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
+ },
+ .
+ .
+ .
+ ]
+}
+```
+
+### Example 3
+
+- Get all the machines with 'High' 'RiskScore'
+
+```
+HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=riskScore eq 'High'
+```
+
+**Response:**
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
+ "value": [
+ {
+ "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "computerDnsName": "mymachine1.contoso.com",
+ "firstSeen": "2018-08-02T14:55:03.7791856Z",
+ "lastSeen": "2018-08-02T14:55:03.7791856Z",
+ "osPlatform": "Windows10",
+ "osVersion": "10.0.0.0",
+ "lastIpAddress": "172.17.230.209",
+ "lastExternalIpAddress": "167.220.196.71",
+ "agentVersion": "10.5830.18209.1001",
+ "osBuild": 18209,
+ "healthStatus": "Active",
+ "rbacGroupId": 140,
+ "rbacGroupName": "The-A-Team",
+ "riskScore": "High",
+ "isAadJoined": true,
+ "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
+ "machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ]
+ },
+ .
+ .
+ .
+ ]
+}
+```
+
+### Example 4
+
+- Get top 100 machines with 'HealthStatus' not equals to 'Active'
+
+```
+HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=healthStatus ne 'Active'&$top=100
+```
+
+**Response:**
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
+ "value": [
+ {
+ "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "computerDnsName": "mymachine1.contoso.com",
+ "firstSeen": "2018-08-02T14:55:03.7791856Z",
+ "lastSeen": "2018-08-02T14:55:03.7791856Z",
+ "osPlatform": "Windows10",
+ "osVersion": "10.0.0.0",
+ "lastIpAddress": "172.17.230.209",
+ "lastExternalIpAddress": "167.220.196.71",
+ "agentVersion": "10.5830.18209.1001",
+ "osBuild": 18209,
+ "healthStatus": "Active",
+ "rbacGroupId": 140,
+ "rbacGroupName": "The-A-Team",
+ "riskScore": "High",
+ "isAadJoined": true,
+ "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
+ "machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ]
+ },
+ .
+ .
+ .
+ ]
+}
+```
+
+### Example 5
+
+- Get all the machines that last seen after 2018-10-20
+
+```
+HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=lastSeen gt 2018-08-01Z
+```
+
+**Response:**
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
+ "value": [
+ {
+ "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "computerDnsName": "mymachine1.contoso.com",
+ "firstSeen": "2018-08-02T14:55:03.7791856Z",
+ "lastSeen": "2018-08-02T14:55:03.7791856Z",
+ "osPlatform": "Windows10",
+ "osVersion": "10.0.0.0",
+ "lastIpAddress": "172.17.230.209",
+ "lastExternalIpAddress": "167.220.196.71",
+ "agentVersion": "10.5830.18209.1001",
+ "osBuild": 18209,
+ "healthStatus": "Active",
+ "rbacGroupId": 140,
+ "rbacGroupName": "The-A-Team",
+ "riskScore": "High",
+ "isAadJoined": true,
+ "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
+ "machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ]
+ },
+ .
+ .
+ .
+ ]
+}
+```
+
+### Example 6
+
+- Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using Windows Defender ATP
+
+```
+HTTP GET https://api.securitycenter.windows.com/api/machineactions?$filter=requestor eq 'Analyst@WcdTestPrd.onmicrosoft.com' and type eq 'RunAntiVirusScan'
+```
+
+**Response:**
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions",
+ "value": [
+ {
+ "id": "5c3e3322-d993-1234-1111-dfb136ebc8c5",
+ "type": "RunAntiVirusScan",
+ "requestor": "Analyst@examples.onmicrosoft.com",
+ "requestorComment": "1533",
+ "status": "Succeeded",
+ "machineId": "123321c10e44a82877af76b1d0161a17843f688a",
+ "creationDateTimeUtc": "2018-11-12T13:33:24.5755657Z",
+ "lastUpdateDateTimeUtc": "2018-11-12T13:34:32.0319826Z",
+ "relatedFileInfo": null
+ },
+ .
+ .
+ .
+ ]
+}
+```
+
+## Related topic
+- [Windows Defender ATP APIs](apis-intro.md)
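Review bot: Several examples do not match their own description. Example 2 says "after 2018-10-20 00:00:00" but filters on `2018-11-22T00:00:00Z`. Example 5 says "after 2018-10-20" but filters on `lastSeen gt 2018-08-01Z`, which is also not a full date-time literal like the one in Example 2. Example 4 filters on `healthStatus ne 'Active'`, yet the sample response shows `"healthStatus": "Active"`. Example 6 describes `Analyst@examples.onmicrosoft.com` but the request uses `Analyst@WcdTestPrd.onmicrosoft.com`, which appears to be an internal tenant name and should be replaced with the placeholder used in the response. The Example 2 response is missing commas after the `"description"` and `"recommendedAction"` lines, so it is not valid JSON. The filterable properties are listed in PascalCase (`Id`, `IncidentId`) while every example uses camelCase (`riskScore`, `alertCreationTime`); pick one so readers know which form the service accepts. The heading "Properties that supports $filter" should read "support".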
diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md
index 82d6912c6d..67ec69e0e1 100644
--- a/windows/security/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md
@@ -14,7 +14,7 @@ ms.localizationpriority: medium
ms.date: 10/23/2017
---
-# Use the Windows Defender ATP exposed APIs
+# Use the Windows Defender ATP exposed APIs (deprecated)
**Applies to:**
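Review bot: The deprecation include is missing here: the title gains "(deprecated)" but, unlike the other deprecated pages in this change, no `[!include[Deprecated information](deprecate.md)]` line is added under "Applies to". Add it so this page shows the same notice as the rest.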
diff --git a/windows/security/threat-protection/windows-defender-atp/files-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/files-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..1b6c340e45
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/files-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,49 @@
+---
+title: File resource type
+description: Retrieves top recent alerts.
+keywords: apis, graph api, supported apis, get, alerts, recent
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# File resource type
+
+[!include[Prerelease information](prerelease.md)]
+
+Represent a file entity in WDATP.
+
+# Methods
+Method|Return Type |Description
+:---|:---|:---
+[Get file](get-file-information-windows-defender-advanced-threat-protection-new.md) | [file](files-windows-defender-advanced-threat-protection-new.md) | Get a single file
+[List file related alerts](get-file-related-alerts-windows-defender-advanced-threat-protection-new.md) | [alert](alerts-windows-defender-advanced-threat-protection-new.md) collection | Get the [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities that are associated with the file.
+[List file related machines](get-file-related-machines-windows-defender-advanced-threat-protection-new.md) | [machine](machine-windows-defender-advanced-threat-protection-new.md) collection | Get the [machine](machine-windows-defender-advanced-threat-protection-new.md) entities associated with the alert.
+[file statistics](get-file-statistics-windows-defender-advanced-threat-protection-new.md) | Statistics summary | Retrieves the prevalence for the given file.
+
+
+# Properties
+Property | Type | Description
+:---|:---|:---
+sha1 | String | Sha1 hash of the file content
+sha256 | String | Sha256 hash of the file content
+md5 | String | md5 hash of the file content
+globalPrevalence | Integer | File prevalence across organization
+globalFirstObserved | DateTimeOffset | First time the file was observed.
+globalLastObserved | DateTimeOffset | Last time the file was observed.
+size | Integer | Size of the file.
+fileType | String | Type of the file.
+isPeFile | Boolean | true if the file is portable executable (e.g. "DLL", "EXE", etc.)
+filePublisher | String | File publisher.
+fileProductName | String | Product name.
+signer | String | File signer.
+issuer | String | File issuer.
+signerHash | String | Hash of the signing certificate.
+isValidCertificate | Boolean | Was signing certificate successfully verified by WDATP agent.
+
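Review bot: The front matter is copied from an alerts page: `description: Retrieves top recent alerts.` and the keywords `get, alerts, recent` do not describe the File resource type and should be rewritten for it. In the Methods table, "List file related machines" says the machines are "associated with the alert" where it should say "file". `globalPrevalence` is described as "File prevalence across organization", which conflicts with "global" in the property name; confirm which scope is meant. `# Methods` and `# Properties` are H1 headings and should be H2 under the page title.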
diff --git a/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..5f1df97182
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,88 @@
+---
+title: Find machine information by internal IP API
+description: Use this API to create calls related to finding a machine entry around a specific timestamp by internal IP.
+keywords: ip, apis, graph api, supported apis, find machine, machine information
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 07/25/2018
+---
+
+# Find machine information by internal IP API
+
+[!include[Prerelease information](prerelease.md)]
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+Find a machine by internal IP.
+
+>[!NOTE]
+>The timestamp must be within the last 30 days.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.Read.All | 'Read all machine profiles'
+Application | Machine.ReadWrite.All | 'Read and write all machine information'
+
+## HTTP request
+```
+GET /api/machines/find(timestamp={time},key={IP})
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and machine exists - 200 OK.
+If no machine found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/machines/find(timestamp=2018-06-19T10:00:00Z,key='10.166.93.61')
+Content-type: application/json
+```
+
+**Response**
+
+Here is an example of the response.
+
+The response will return a list of all machines that reported this IP address within sixteen minutes prior and after the timestamp.
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines",
+ "value": [
+ {
+ "id": "04c99d46599f078f1c3da3783cf5b95f01ac61bb",
+ "computerDnsName": "",
+ "firstSeen": "2017-07-06T01:25:04.9480498Z",
+ "osPlatform": "Windows10",
+…
+}
+```
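Review bot: The example does not match the documented request. The HTTP request section gives `GET /api/machines/find(timestamp={time},key={IP})`, but the example request and the `@odata.context` in the response use `https://graph.microsoft.com/testwdatppreview/...`, which reads as a preview endpoint; switch both to `https://api.securitycenter.windows.com/api/...` as in the other new pages. The response body is cut off with "…" and leaves the `value` array and its first object unclosed. The text says "within sixteen minutes prior and after the timestamp", while find-machines-by-ip-windows-defender-advanced-threat-protection-new.md in this change says 15 minutes; confirm the window. The summary says "Find a machine" while the response text says "a list of all machines"; make the two agree.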
diff --git a/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md
index 0f74a2e1cf..f1e846309d 100644
--- a/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md
@@ -14,12 +14,13 @@ ms.localizationpriority: medium
ms.date: 07/25/2018
---
-# Find machine information by internal IP API
+# Find machine information by internal IP API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecated information](deprecate.md)]
Find a machine entity around a specific timestamp by internal IP.
diff --git a/windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..83d5cedfe0
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,107 @@
+---
+title: Find machines by internal IP API
+description: Find machines seen with the requested internal IP in the time range of 15 minutes prior and after a given timestamp
+keywords: apis, graph api, supported apis, get, machine, IP, find, find machine, by ip, ip
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Find machines by internal IP API
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+- Find machines seen with the requested internal IP in the time range of 15 minutes prior and after a given timestamp
+- The given timestamp must be in the past 30 days.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.Read.All | 'Read all machine profiles'
+Application | Machine.ReadWrite.All | 'Read and write all machine information'
+Delegated (work or school account) | Machine.Read | 'Read machine information'
+Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- Response will include only machines,that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/machines/findbyip(ip='{IP}',timestamp={TimeStamp})
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and machines were found - 200 OK with list of the machines in the response body.
+If no machine found - 404 Not Found.
+If the timestamp is not in the past 30 days - 400 Bad Request.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/machines/findbyip(ip='10.248.240.38',timestamp=2018-09-22T08:44:05Z)
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
+ "value": [
+ {
+ "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "computerDnsName": "mymachine1.contoso.com",
+ "firstSeen": "2018-08-02T14:55:03.7791856Z",
+ "lastSeen": "2018-09-22T08:55:03.7791856Z",
+ "osPlatform": "Windows10",
+ "osVersion": "10.0.0.0",
+ "lastIpAddress": "10.248.240.38",
+ "lastExternalIpAddress": "167.220.196.71",
+ "agentVersion": "10.5830.18209.1001",
+ "osBuild": 18209,
+ "healthStatus": "Active",
+ "rbacGroupId": 140,
+ "rbacGroupName": "The-A-Team",
+ "riskScore": "Low",
+ "isAadJoined": true,
+ "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
+ "machineTags": [ "test tag 1", "test tag 2" ]
+ }
+ ]
+}
+```
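Review bot: The Response section does not say what a delegated caller receives when machines match the IP but none are in the caller's machine groups. The note under Permissions says the response "will include only machines,that the user have access to", so state whether that case returns 200 with an empty `value` list or 404. That note also needs a grammar fix ("machines that the user has access to"), and the include label `Prereleaseinformation` is missing the space used in `[!include[Prerelease information](prerelease.md)]` elsewhere in this change.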
diff --git a/windows/security/threat-protection/windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md
index 12e531ccb6..ac3608c9c2 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md
@@ -15,12 +15,13 @@ ms.date: 12/08/2017
---
-# Get actor information API
+# Get actor information API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecatedinformation](deprecate.md)]
Retrieves an actor information report.
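Review bot: The include label is written `Deprecatedinformation` here, and again in the get-alert-related-actor-info and get-alert-related-domain-info pages, while the find-machine-info-by-ip and get-actor-related-alerts pages use `Deprecated information`. Use the spaced form throughout.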
diff --git a/windows/security/threat-protection/windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md
index 216bf3fd90..c0ff5a988c 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md
@@ -14,12 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get actor related alerts API
+# Get actor related alerts API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecated information](deprecate.md)]
Retrieves all alerts related to a given actor.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..88cda0c956
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,99 @@
+---
+title: Get alert information by ID API
+description: Retrieves an alert by its ID.
+keywords: apis, graph api, supported apis, get, alert, information, id
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get alert information by ID API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Retrieves an alert by its ID.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Alert.Read.All | 'Read all alerts'
+Application | Alert.ReadWrite.All | 'Read and write all alerts'
+Delegated (work or school account) | Alert.Read | 'Read alerts'
+Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/alerts/{id}
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK, and the [alert](alerts-windows-defender-advanced-threat-protection-new.md) entity in the response body. If alert with the specified id was not found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/alerts/441688558380765161_2136280442
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
+ "id": "441688558380765161_2136280442",
+ "incidentId": 8633,
+ "assignedTo": "secop@contoso.com",
+ "severity": "Low",
+ "status": "InProgress",
+ "classification": "TruePositive",
+ "determination": "Malware",
+ "investigationState": "Running",
+ "category": "MalwareDownload",
+ "detectionSource": "WindowsDefenderAv",
+ "threatFamilyName": "Mikatz",
+ "title": "Windows Defender AV detected 'Mikatz', high-severity malware",
+ "description": "Some description"
+ "recommendedAction": "Some recommended action"
+ "alertCreationTime": "2018-11-25T16:19:21.8409809Z",
+ "firstEventTime": "2018-11-25T16:17:50.0948658Z",
+ "lastEventTime": "2018-11-25T16:18:01.809871Z",
+ "resolvedTime": null,
+ "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
+}
+
+```
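Review bot: The sample response is not valid JSON: the `"description": "Some description"` and `"recommendedAction": "Some recommended action"` lines are missing their trailing commas. The sample also pairs `"severity": "Low"` with a title that says "high-severity malware", and it omits the `HTTP/1.1 200 OK` and `Content-type` lines that the other new pages show before the body.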
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md
index d74debcef4..70160a3b2c 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md
@@ -14,12 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get alert information by ID API
+# Get alert information by ID API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecated information](deprecate.md)]
Retrieves an alert by its ID.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md
index 6eb366dc10..99fcbab5bf 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md
@@ -14,12 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get alert related actor information API
+# Get alert related actor information API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecatedinformation](deprecate.md)]
Retrieves the actor information related to the specific alert.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..a51d83949c
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,86 @@
+---
+title: Get alert related domains information
+description: Retrieves all domains related to a specific alert.
+keywords: apis, graph api, supported apis, get alert information, alert information, related domain
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get alert related domain information API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Retrieves all domains related to a specific alert.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | URL.Read.All | 'Read URLs'
+Delegated (work or school account) | URL.Read.All | 'Read URLs'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/alerts/{id}/domains
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and alert and domain exist - 200 OK. If alert not found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+
+```
+GET https://api.securitycenter.windows.com/alerts/636688558380765161_2136280442/domains
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/$metadata#Domains",
+ "value": [
+ {
+ "host": "www.example.com"
+ }
+ ]
+}
+
+```
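Review bot: The example request URL drops the `/api` prefix: the HTTP request section gives `GET /api/alerts/{id}/domains`, but the example calls `https://api.securitycenter.windows.com/alerts/636688558380765161_2136280442/domains`, and the `@odata.context` in the response omits it as well. A reader copying the example would call a different path from the documented one. The Response section should also say what is returned when the alert exists but has no related domains, and the front-matter title ("domains") and the H1 ("domain") should agree.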
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md
index 4558e6c341..d0cfda9671 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,16 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get alert related domain information API
+# Get alert related domain information API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecatedinformation](deprecate.md)]
+
+
Retrieves all domains related to a specific alert.
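Review bot: The include label is written `Deprecatedinformation` here, while the other deprecated pages in this change use `[!include[Deprecated information](deprecate.md)]`; suggest the spaced form for consistency. This hunk also adds two blank lines after the include where the sibling deprecation hunks add none or one.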
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..aecd1dc46f
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,99 @@
+---
+title: Get alert related files information
+description: Retrieves all files related to a specific alert.
+keywords: apis, graph api, supported apis, get alert information, alert information, related files
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get alert related files information API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Retrieves all files related to a specific alert.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | File.Read.All | 'Read file profiles'
+Delegated (work or school account) | File.Read.All | 'Read file profiles'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/alerts/{id}/files
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and alert and files exist - 200 OK. If alert not found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442/files
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Files",
+ "value": [
+ {
+ "sha1": "654f19c41d9662cf86be21bf0af5a88c38c56a9d",
+ "sha256": "2f905feec2798cee6f63da2c26758d86bfeaab954c01e20ac7085bf55fedde87",
+ "md5": "82849dc81d94056224445ea73dc6153a",
+ "globalPrevalence": 33,
+ "globalFirstObserved": "2018-07-17T18:17:27.5909748Z",
+ "globalLastObserved": "2018-08-06T16:07:12.9414137Z",
+ "windowsDefenderAVThreatName": null,
+ "size": 801112,
+ "fileType": "PortableExecutable",
+ "isPeFile": true,
+ "filePublisher": null,
+ "fileProductName": null,
+ "signer": "Microsoft Windows",
+ "issuer": "Microsoft Development PCA 2014",
+ "signerHash": "9e284231a4d1c53fc8d4492b09f65116bf97447f",
+ "isValidCertificate": true
+ }
+ ]
+}
+```
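Review bot: The Response section (`If successful and alert and files exist - 200 OK`) does not say what the body contains or what is returned when the alert exists but has no related files. Suggest stating that 200 returns a collection of file entities, as the example shows, and documenting the empty case explicitly so integrators do not have to guess between an empty `value` array and a 404. Separately, `ms.date: 12/08/2017` is carried over on a file that is new in this change and whose sample data is dated 2018.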
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md
index 46fc01cffb..cc2ec68bf7 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md
@@ -14,12 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get alert related files information API
+# Get alert related files information API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecated information](deprecate.md)]
Retrieves all files related to a specific alert.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..3da5ca41df
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,89 @@
+---
+title: Get alert related IPs information
+description: Retrieves all IPs related to a specific alert.
+keywords: apis, graph api, supported apis, get alert information, alert information, related ip
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get alert related IP information API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+
+Retrieves all IPs related to a specific alert.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Ip.Read.All | 'Read IP address profiles'
+Delegated (work or school account) | Ip.Read.All | 'Read IP address profiles'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/alerts/{id}/ips
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and alert and an IP exist - 200 OK. If alert not found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/alerts/636688558380765161_2136280442/ips
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/$metadata#Ips",
+ "value": [
+ {
+ "id": "104.80.104.128"
+ },
+ {
+ "id": "23.203.232.228
+ }
+ ]
+}
+
+```
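Review bot: The response example is not valid JSON: the second entry, `"id": "23.203.232.228`, is missing its closing quote. The example request also omits the `/api` segment (`https://api.securitycenter.windows.com/alerts/.../ips`) even though the HTTP request section gives `GET /api/alerts/{id}/ips`, and the `@odata.context` has the same gap. Minor: the front-matter title says "IPs information" while the heading says "IP information".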
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md
index 1952732087..fba77be35c 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md
@@ -14,12 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get alert related IP information API
+# Get alert related IP information API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecated information](deprecate.md)]
Retrieves all IPs related to a specific alert.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..05bf63bda9
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,99 @@
+---
+title: Get alert related machine information
+description: Retrieves all machines related to a specific alert.
+keywords: apis, graph api, supported apis, get alert information, alert information, related machine
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get alert related machine information API
+
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+- Retrieves machine that is related to a specific alert.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.Read.All | 'Read all machine information'
+Application | Machine.ReadWrite.All | 'Read and write all machine information'
+Delegated (work or school account) | Machine.Read | 'Read machine information'
+Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/alerts/{id}/machine
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and alert and machine exist - 200 OK. If alert not found or machine not found - 404 Not Found.
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+
+```
+GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442/machine
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines/$entity",
+ "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "computerDnsName": "mymachine1.contoso.com",
+ "firstSeen": "2018-08-02T14:55:03.7791856Z",
+ "lastSeen": "2018-08-02T14:55:03.7791856Z",
+ "osPlatform": "Windows10",
+ "osVersion": "10.0.0.0",
+ "lastIpAddress": "172.17.230.209",
+ "lastExternalIpAddress": "167.220.196.71",
+ "agentVersion": "10.5830.18209.1001",
+ "osBuild": 18209,
+ "healthStatus": "Active",
+ "rbacGroupId": 140,
+ "rbacGroupName": "The-A-Team",
+ "riskScore": "Low",
+ "isAadJoined": true,
+ "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
+ "machineTags": [ "test tag 1", "test tag 2" ]
+}
+```
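Review bot: The front-matter description says "Retrieves all machines related to a specific alert", but the route is `GET /api/alerts/{id}/machine` and the example returns a single entity (`$metadata#Machines/$entity`), so the description should be singular to match. The summary line under the prerelease include is also written as a one-item bullet (`- Retrieves machine that is related to a specific alert.`); the sibling pages use a plain sentence, and "Retrieves the machine related to a specific alert." would read better.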
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md
index 52169b949b..a9abbd55bb 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md
@@ -14,12 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get alert related machine information API
+# Get alert related machine information API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecated information](deprecate.md)]
Retrieves all machines related to a specific alert.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..5d1de50542
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,90 @@
+---
+title: Get alert related user information
+description: Retrieves the user associated to a specific alert.
+keywords: apis, graph api, supported apis, get, alert, information, related, user
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get alert related user information API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+
+Retrieves the user associated to a specific alert.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | User.Read.All | 'Read user profiles'
+Delegated (work or school account) | User.Read.All | 'Read user profiles'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/alerts/{id}/user
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and alert and a user exists - 200 OK with user in the body. If alert or user not found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+
+```
+GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442/user
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Users/$entity",
+ "id": "contoso\\user1",
+ "firstSeen": "2018-08-02T00:00:00Z",
+ "lastSeen": "2018-08-04T00:00:00Z",
+ "mostPrevalentMachineId": null,
+ "leastPrevalentMachineId": null,
+ "logonTypes": "Network",
+ "logOnMachinesCount": 3,
+ "isDomainAdmin": false,
+ "isOnlyNetworkUser": null
+}
+```
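Review bot: Wording in the description and summary, "Retrieves the user associated to a specific alert", should be "associated with". The Response line has the same kind of slip in "If successful and alert and a user exists"; suggest "If successful and the alert and user exist - 200 OK with the user in the body."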
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md
index c60acf0220..cd9221b4db 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get alert related user information API
+# Get alert related user information API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-
+[!include[Deprecated information](deprecate.md)]
Retrieves the user associated to a specific alert.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..7cf854cf6f
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,137 @@
+---
+title: List alerts API
+description: Retrieves top recent alerts.
+keywords: apis, graph api, supported apis, get, alerts, recent
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# List alerts API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+
+- Retrieves a collection of Alerts.
+- Supports [OData V4 queries](https://www.odata.org/documentation/).
+- The OData's Filter query is supported on: "Id", "IncidentId", "AlertCreationTime", "Status", "Severity" and "Category".
+- See examples at [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md)
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Alert.Read.All | 'Read all alerts'
+Application | Alert.ReadWrite.All | 'Read and write all alerts'
+Delegated (work or school account) | Alert.Read | 'Read alerts'
+Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The response will include only alerts that are associated with machines that the user can access, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/alerts
+```
+
+## Optional query parameters
+Method supports $skip and $top query parameters.
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK, and a list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) objects in the response body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/alerts
+```
+
+**Response**
+
+Here is an example of the response.
+
+>[!NOTE]
+>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
+
+
+```json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
+ "value": [
+ {
+ "id": "121688558380765161_2136280442",
+ "incidentId": 7696,
+ "assignedTo": "secop@contoso.com",
+ "severity": "High",
+ "status": "New",
+ "classification": "TruePositive",
+ "determination": "Malware",
+ "investigationState": "Running",
+ "category": "MalwareDownload",
+ "detectionSource": "WindowsDefenderAv",
+ "threatFamilyName": "Mikatz",
+ "title": "Windows Defender AV detected 'Mikatz', high-severity malware",
+ "description": "Some description"
+ "recommendedAction": "Some recommended action"
+ "alertCreationTime": "2018-11-26T16:19:21.8409809Z",
+ "firstEventTime": "2018-11-26T16:17:50.0948658Z",
+ "lastEventTime": "2018-11-26T16:18:01.809871Z",
+ "resolvedTime": null,
+ "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
+ },
+ {
+ "id": "441688558380765161_2136280442",
+ "incidentId": 8633,
+ "assignedTo": "secop@contoso.com",
+ "severity": "Low",
+ "status": "InProgress",
+ "classification": "TruePositive",
+ "determination": "Malware",
+ "investigationState": "Running",
+ "category": "MalwareDownload",
+ "detectionSource": "WindowsDefenderAv",
+ "threatFamilyName": "Mikatz",
+ "title": "Windows Defender AV detected 'Mikatz', high-severity malware",
+ "description": "Some description"
+ "recommendedAction": "Some recommended action"
+ "alertCreationTime": "2018-11-25T16:19:21.8409809Z",
+ "firstEventTime": "2018-11-25T16:17:50.0948658Z",
+ "lastEventTime": "2018-11-25T16:18:01.809871Z",
+ "resolvedTime": null,
+ "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
+ }
+ ]
+}
+```
+
+## Related topics
+- [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md)
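Review bot: The response example is fenced as `json` but does not parse: in both alert objects the `"description": "Some description"` and `"recommendedAction": "Some recommended action"` lines have no trailing comma. Two smaller points in the same hunk: the "Optional query parameters" section lists only `$skip` and `$top` although the summary bullets say `$filter` is supported on six properties, and the second sample alert has `"severity": "Low"` with a title that says "high-severity malware". The front-matter description ("Retrieves top recent alerts.") also disagrees with the summary ("Retrieves a collection of Alerts.").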
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md
index 29b9ca446e..30daf66f8c 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md
@@ -14,12 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get alerts API
+# Get alerts API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecated information](deprecate.md)]
Retrieves top recent alerts.
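Review bot: The replacement page added in this change is titled "List alerts API", not "Get alerts API", so a reader landing on this deprecated page cannot find the successor by name. If `deprecate.md` does not already link to the new page, suggest adding a direct link here.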
diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..39c7ea3379
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,131 @@
+---
+title: Get domain related alerts API
+description: Retrieves a collection of alerts related to a given domain address.
+keywords: apis, graph api, supported apis, get, domain, related, alerts
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get domain related alerts API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+
+
+
+
+Retrieves a collection of alerts related to a given domain address.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Alert.Read.All | 'Read all alerts'
+Application | Alert.ReadWrite.All | 'Read and write all alerts'
+Delegated (work or school account) | Alert.Read | 'Read alerts'
+Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- Response will include only alerts, associated with machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/domains/{domain}/alerts
+```
+
+## Request headers
+
+Header | Value
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and domain exists - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities. If domain does not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/domains/client.wns.windows.com/alerts
+```
+
+**Response**
+
+Here is an example of the response.
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
+ "value": [
+ {
+ "id": "441688558380765161_2136280442",
+ "incidentId": 8633,
+ "assignedTo": "secop@contoso.com",
+ "severity": "Low",
+ "status": "InProgress",
+ "classification": "TruePositive",
+ "determination": "Malware",
+ "investigationState": "Running",
+ "category": "MalwareDownload",
+ "detectionSource": "WindowsDefenderAv",
+ "threatFamilyName": "Mikatz",
+ "title": "Windows Defender AV detected 'Mikatz', high-severity malware",
+ "description": "Some description"
+ "recommendedAction": "Some recommended action"
+ "alertCreationTime": "2018-11-25T16:19:21.8409809Z",
+ "firstEventTime": "2018-11-25T16:17:50.0948658Z",
+ "lastEventTime": "2018-11-25T16:18:01.809871Z",
+ "resolvedTime": null,
+ "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
+ },
+ {
+ "id": "121688558380765161_2136280442",
+ "incidentId": 4123,
+ "assignedTo": "secop@contoso.com",
+ "severity": "Low",
+ "status": "InProgress",
+ "classification": "TruePositive",
+ "determination": "Malware",
+ "investigationState": "Running",
+ "category": "MalwareDownload",
+ "detectionSource": "WindowsDefenderAv",
+ "threatFamilyName": "Mikatz",
+ "title": "Windows Defender AV detected 'Mikatz', high-severity malware",
+ "description": "Some description"
+ "recommendedAction": "Some recommended action"
+ "alertCreationTime": "2018-11-24T16:19:21.8409809Z",
+ "firstEventTime": "2018-11-24T16:17:50.0948658Z",
+ "lastEventTime": "2018-11-24T16:18:01.809871Z",
+ "resolvedTime": null,
+ "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
+ }
+ ]
+}
+```
+
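Review bot: The Request headers table is malformed: its header row is `Header | Value` (two columns) while the separator and the Authorization row have three; the sibling pages use `Name | Type | Description`. In the response example, `@odata.context` ends in `#Machines` although the payload is a list of alerts, and the `"description"` and `"recommendedAction"` lines in both objects are missing trailing commas, so the JSON does not parse. The hunk also adds five consecutive blank lines after the prerelease include.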
diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md
index 5f0b8ccfc5..4d2cd0fc45 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,15 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get domain related alerts API
+# Get domain related alerts API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecated information](deprecate.md)]
+
Retrieves a collection of alerts related to a given domain address.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..60229ac888
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,122 @@
+---
+title: Get domain related machines API
+description: Retrieves a collection of machines related to a given domain address.
+keywords: apis, graph api, supported apis, get, domain, related, machines
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get domain related machines API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Retrieves a collection of machines that have communicated to or from a given domain address.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.Read.All | 'Read all machine profiles'
+Application | Machine.ReadWrite.All | 'Read and write all machine information'
+Delegated (work or school account) | Machine.Read | 'Read machine information'
+Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- Response will include only machines that the user can access, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/domains/{domain}/machines
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and domain exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities. If domain do not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+
+```
+GET https://api.securitycenter.windows.com/api/domains/api.securitycenter.windows.com/machines
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
+ "value": [
+ {
+ "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "computerDnsName": "mymachine1.contoso.com",
+ "firstSeen": "2018-08-02T14:55:03.7791856Z",
+ "lastSeen": "2018-08-02T14:55:03.7791856Z",
+ "osPlatform": "Windows10",
+ "osVersion": "10.0.0.0",
+ "lastIpAddress": "172.17.230.209",
+ "lastExternalIpAddress": "167.220.196.71",
+ "agentVersion": "10.5830.18209.1001",
+ "osBuild": 18209,
+ "healthStatus": "Active",
+ "rbacGroupId": 140,
+ "rbacGroupName": "The-A-Team",
+ "riskScore": "Low",
+ "isAadJoined": true,
+ "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
+ "machineTags": [ "test tag 1", "test tag 2" ]
+ },
+ {
+ "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
+ "computerDnsName": "mymachine2.contoso.com",
+ "firstSeen": "2018-07-09T13:22:45.1250071Z",
+ "lastSeen": "2018-07-09T13:22:45.1250071Z",
+ "osPlatform": "Windows10",
+ "osVersion": "10.0.0.0",
+ "lastIpAddress": "192.168.12.225",
+ "lastExternalIpAddress": "79.183.65.82",
+ "agentVersion": "10.5820.17724.1000",
+ "osBuild": 17724,
+ "healthStatus": "Inactive",
+ "rbacGroupId": 140,
+ "rbacGroupName": "The-A-Team",
+ "riskScore": "Low",
+ "isAadJoined": false,
+ "aadDeviceId": null,
+ "machineTags": [ "test tag 1" ]
+ }
+ ]
+}
+```
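Review bot: The example request in this new page queries the API host itself as the domain (`/api/domains/api.securitycenter.windows.com/machines`), which reads like a malformed URL rather than a lookup; use a neutral sample such as `example.com`, as the domain statistics page in this same change does. In the Response section, "If domain do not exist" should read "If domain does not exist". The response sample also runs the `Content-type` header straight into the JSON body; a blank line between them would keep headers and body distinct.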
diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md
index c09460e204..9995b7a57f 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md
@@ -14,12 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get domain related machines API
+# Get domain related machines API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecated information](deprecate.md)]
Retrieves a collection of machines related to a given domain address.
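Review bot: The heading now says "(deprecated)", but nothing in the visible lines points readers to the replacement page added in this same change (get-domain-related-machines-windows-defender-advanced-threat-protection-new.md). If deprecate.md does not already link to the new API set, add a one-line link here so callers of the old endpoint know where to migrate.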
diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..c940edba9f
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,83 @@
+---
+title: Get domain statistics API
+description: Retrieves the prevalence for the given domain.
+keywords: apis, graph api, supported apis, get, domain, domain related machines
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get domain statistics API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Retrieves the prevalence for the given domain.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | URL.Read.All | 'Read URLs'
+Delegated (work or school account) | URL.Read.All | 'Read URLs'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/domains/{domain}/stats
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and domain exists - 200 OK, with statistics object in the response body. If domain does not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/domains/example.com/stats
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgDomainStats",
+ "host": "example.com",
+ "orgPrevalence": "4070",
+ "orgFirstSeen": "2017-07-30T13:23:48Z",
+ "orgLastSeen": "2017-08-29T13:09:05Z"
+}
+```
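Review bot: `orgPrevalence` in the response sample is a quoted string ("4070"), while the file information page in this change shows `globalPrevalence` as a bare number (7329); confirm which type the API returns and make the sample match, since clients will write their parsers from these samples. The Request headers table here uses `Header | Value` while the sibling pages use `Name | Type | Description`, and the `keywords` front matter lists "domain related machines", which does not describe this page.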
diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md
index 2e3cde9b70..7cab84b5fb 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md
@@ -14,12 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get domain statistics API
+# Get domain statistics API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecatedinformation](deprecate.md)]
Retrieves the prevalence for the given domain.
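Review bot: The include label on the added line is spelled `Deprecatedinformation` with no space, while the domain related machines and file information pages in this change use `Deprecated information`; pick one spelling and apply it to every deprecated page so the include lines stay consistent and easy to search for.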
diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..82ba0c9a36
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,97 @@
+---
+title: Get file information API
+description: Retrieves a file by identifier Sha1, Sha256, or MD5.
+keywords: apis, graph api, supported apis, get, file, information, sha1, sha256, md5
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get file information API
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+
+Retrieves a file by identifier Sha1, Sha256, or MD5.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | File.Read.All | 'Read all file profiles'
+Delegated (work or school account) | File.Read.All | 'Read all file profiles'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+
+
+## HTTP request
+```
+GET /api/files/{id}
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and file exists - 200 OK with the [file](files-windows-defender-advanced-threat-protection-new.md) entity in the body. If file does not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/files/6532ec91d513acc05f43ee0aa3002599729fd3e1
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Files/$entity",
+ "sha1": "6532ec91d513acc05f43ee0aa3002599729fd3e1",
+ "sha256": "d4447dffdbb2889b4b4e746b0bc882df1b854101614b0aa83953ef3cb66904cf",
+ "md5": "7f05a371d2beffb3784fd2199f81d730",
+ "globalPrevalence": 7329,
+ "globalFirstObserved": "2018-04-08T05:50:29.4459725Z",
+ "globalLastObserved": "2018-08-07T23:35:11.1361328Z",
+ "windowsDefenderAVThreatName": null,
+ "size": 391680,
+ "fileType": "PortableExecutable",
+ "isPeFile": true,
+ "filePublisher": null,
+ "fileProductName": null,
+ "signer": null,
+ "issuer": null,
+ "signerHash": null,
+ "isValidCertificate": null
+}
+```
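Review bot: The description says a file can be retrieved by Sha1, Sha256, or MD5, but the HTTP request section only shows `GET /api/files/{id}` and the example only uses a SHA-1 value; state next to `{id}` which hash types are accepted so callers do not have to guess. The permission display name here is 'Read all file profiles', while the file statistics page in this change gives 'Read file profiles' for the same `File.Read.All` permission; one of the two is wrong.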
diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md
index 2d6f45993f..9683f68898 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get file information API
+# Get file information API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-
+[!include[Deprecated information](deprecate.md)]
Retrieves a file by identifier Sha1, Sha256, or MD5.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..b8db356dde
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,107 @@
+---
+title: Get file related alerts API
+description: Retrieves a collection of alerts related to a given file hash.
+keywords: apis, graph api, supported apis, get, file, hash
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get file related alerts API
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+
+Retrieves a collection of alerts related to a given file hash.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Alert.Read.All | 'Read all alerts'
+Application | Alert.ReadWrite.All | 'Read and write all alerts'
+Delegated (work or school account) | Alert.Read | 'Read alerts'
+Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- Response will include only alerts, associated with machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/files/{id}/alerts
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and file exists - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities in the body. If file do not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/files/6532ec91d513acc05f43ee0aa3002599729fd3e1/alerts
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
+ "value": [
+ {
+ "id": "121688558380765161_2136280442",
+ "incidentId": 7696,
+ "assignedTo": "secop@contoso.com",
+ "severity": "High",
+ "status": "New",
+ "classification": "TruePositive",
+ "determination": "Malware",
+ "investigationState": "Running",
+ "category": "MalwareDownload",
+ "detectionSource": "WindowsDefenderAv",
+ "threatFamilyName": "Mikatz",
+ "title": "Windows Defender AV detected 'Mikatz', high-severity malware",
+ "description": "Some description"
+ "recommendedAction": "Some recommended action"
+ "alertCreationTime": "2018-11-26T16:19:21.8409809Z",
+ "firstEventTime": "2018-11-26T16:17:50.0948658Z",
+ "lastEventTime": "2018-11-26T16:18:01.809871Z",
+ "resolvedTime": null,
+ "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
+ }
+ ]
+}
+```
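Review bot: The response sample is not valid JSON: the `"description": "Some description"` and `"recommendedAction": "Some recommended action"` lines are missing their trailing commas, so anyone pasting the sample into a parser or test fixture will get a syntax error. Add the commas. In the prose, "If file do not exist" should be "If file does not exist", and "that the user have access to" in the note should be "that the user has access to".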
diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md
index 89272a50e2..3967df849d 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get file related alerts API
+# Get file related alerts API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-
+[!include[Deprecated information](deprecate.md)]
Retrieves a collection of alerts related to a given file hash.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..75017123a4
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,121 @@
+---
+title: Get file related machines API
+description: Retrieves a collection of machines related to a given file hash.
+keywords: apis, graph api, supported apis, get, machines, hash
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get file related machines API
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+- Retrieves a collection of machines related to a given file hash.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.Read.All | 'Read all machine profiles'
+Application | Machine.ReadWrite.All | 'Read and write all machine information'
+Delegated (work or school account) | Machine.Read | 'Read machine information'
+Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- Response will include only machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/files/{id}/machines
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and file exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities in the body. If file do not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/files/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/machines
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
+ "value": [
+ {
+ "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "computerDnsName": "mymachine1.contoso.com",
+ "firstSeen": "2018-08-02T14:55:03.7791856Z",
+ "lastSeen": "2018-08-02T14:55:03.7791856Z",
+ "osPlatform": "Windows10",
+ "osVersion": "10.0.0.0",
+ "lastIpAddress": "172.17.230.209",
+ "lastExternalIpAddress": "167.220.196.71",
+ "agentVersion": "10.5830.18209.1001",
+ "osBuild": 18209,
+ "healthStatus": "Active",
+ "rbacGroupId": 140,
+ "riskScore": "Low",
+ "isAadJoined": true,
+ "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
+ "machineTags": [ "test tag 1", "test tag 2" ]
+ },
+ {
+ "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
+ "computerDnsName": "mymachine2.contoso.com",
+ "firstSeen": "2018-07-09T13:22:45.1250071Z",
+ "lastSeen": "2018-07-09T13:22:45.1250071Z",
+ "osPlatform": "Windows10",
+ "osVersion": "10.0.0.0",
+ "lastIpAddress": "192.168.12.225",
+ "lastExternalIpAddress": "79.183.65.82",
+ "agentVersion": "10.5820.17724.1000",
+ "osBuild": 17724,
+ "healthStatus": "Inactive",
+ "rbacGroupId": 140,
+ "riskScore": "Low",
+ "isAadJoined": false,
+ "aadDeviceId": null,
+ "machineTags": [ "test tag 1" ]
+ }
+ ]
+}
+```
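Review bot: The example request uses `1e5bc9d7e413ddd7902c2932e418702b84d0cc07` as the file hash, and the same value appears as the `id` of the first machine in the response, which blurs the difference between a file SHA-1 and a machine identifier; use a distinct hash in the request, for example the one used on the file information page. The summary line is added as a list item (`- Retrieves a collection of machines ...`) where the sibling pages use a plain paragraph. The machine objects here omit `rbacGroupName`, which the domain related machines sample includes, so the two samples should be reconciled. "If file do not exist" should be "If file does not exist".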
diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md
index 62a8f25bcf..dc8a07b552 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get file related machines API
+# Get file related machines API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-
+[!include[Deprecated information](deprecate.md)]
Retrieves a collection of machines related to a given file hash.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..3f661dc422
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,92 @@
+---
+title: Get file statistics API
+description: Retrieves the prevalence for the given file.
+keywords: apis, graph api, supported apis, get, file, statistics
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get file statistics API
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+
+
+
+
+Retrieves the prevalence for the given file.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | File.Read.All | 'Read file profiles'
+Delegated (work or school account) | File.Read.All | 'Read file profiles'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/files/{id}/stats
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and file exists - 200 OK with statistical data in the body. If file do not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/files/6532ec91d513acc05f43ee0aa3002599729fd3e1/stats
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgFileStats",
+ "sha1": "6532ec91d513acc05f43ee0aa3002599729fd3e1",
+ "orgPrevalence": "3",
+ "orgFirstSeen": "2018-07-15T06:13:59Z",
+ "orgLastSeen": "2018-08-03T16:45:21Z",
+ "topFileNames": [
+ "chrome_1.exe",
+ "chrome_2.exe"
+ ]
+}
+
+```
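Review bot: The Permissions table gives the display name for `File.Read.All` as 'Read file profiles', but the file information page in this change gives 'Read all file profiles' for the same permission; align them with what the consent screen shows. `orgPrevalence` is a quoted string ("3") in the sample, so confirm that is the returned type rather than a number. There are also four consecutive blank lines before the summary sentence and a stray blank line before the closing fence of the response sample, and "If file do not exist" should be "If file does not exist".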
diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md
index 07424aafd3..e7b702fac8 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get file statistics API
+# Get file statistics API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-
+[!include[Deprecatedinformation](deprecate.md)]
Retrieves the prevalence for the given file.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md
index fb469ffac8..b83bae0e6d 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get FileActions collection API
+# Get FileActions collection API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-
+[!include[Deprecatedinformation](deprecate.md)]
Gets collection of actions done on files. Get FileActions collection API supports OData V4 queries.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md
index 0d846e906b..5fc6065ee7 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get FileMachineAction object API
+# Get FileMachineAction object API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-
+[!include[Deprecatedinformation](deprecate.md)]
Gets file and machine actions.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md
index 27eb723cd9..b00ad9d909 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get FileMachineActions collection API
+# Get FileMachineActions collection API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-
+[!include[Deprecatedinformation](deprecate.md)]
Get collection of file and machine actions. Get FileMachineActions collection API supports OData V4 queries.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..601886b8ec
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,106 @@
+---
+title: Get IP related alerts API
+description: Retrieves a collection of alerts related to a given IP address.
+keywords: apis, graph api, supported apis, get, ip, related, alerts
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get IP related alerts API
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Retrieves a collection of alerts related to a given IP address.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Alert.Read.All | 'Read all alerts'
+Application | Alert.ReadWrite.All | 'Read and write all alerts'
+Delegated (work or school account) | Alert.Read | 'Read alerts'
+Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- Response will include only alerts, associated with machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/ips/{ip}/alerts
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and IP exists - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities in the body. If IP do not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+
+```
+GET https://api.securitycenter.windows.com/api/ips/10.209.67.177/alerts
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
+ "value": [
+ {
+ "id": "441688558380765161_2136280442",
+ "incidentId": 8633,
+ "assignedTo": "secop@contoso.com",
+ "severity": "Low",
+ "status": "InProgress",
+ "classification": "TruePositive",
+ "determination": "Malware",
+ "investigationState": "Running",
+ "category": "MalwareDownload",
+ "detectionSource": "WindowsDefenderAv",
+ "threatFamilyName": "Mikatz",
+ "title": "Windows Defender AV detected 'Mikatz', high-severity malware",
+ "description": "Some description"
+ "recommendedAction": "Some recommended action"
+ "alertCreationTime": "2018-11-25T16:19:21.8409809Z",
+ "firstEventTime": "2018-11-25T16:17:50.0948658Z",
+ "lastEventTime": "2018-11-25T16:18:01.809871Z",
+ "resolvedTime": null,
+ "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
+ }
+ ]
+}
+```
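Review bot: The sample alert has `"severity": "Low"` but its title says "high-severity malware", so the example contradicts itself; make the severity field and the title agree. As in the file related alerts sample, the `"description"` and `"recommendedAction"` lines are missing trailing commas, which makes the JSON invalid. "If IP do not exist" should be "If IP does not exist".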
diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md
index 32e5f6f95e..3502e90557 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get IP related alerts API
+# Get IP related alerts API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-
+[!include[Deprecated information](deprecate.md)]
Retrieves a collection of alerts related to a given IP address.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..628d8def35
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,122 @@
+---
+title: Get IP related machines API
+description: Retrieves a collection of machines related to a given IP address.
+keywords: apis, graph api, supported apis, get, ip, related, machines
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get IP related machines API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+
+Retrieves a collection of machines that communicated with or from a particular IP.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.Read.All | 'Read all machine profiles'
+Application | Machine.ReadWrite.All | 'Read and write all machine information'
+Delegated (work or school account) | Machine.Read | 'Read machine information'
+Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- Response will include only machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/ips/{ip}/machines
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and IP exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities in the body. If IP do not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/ips/10.209.67.177/machines
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
+ "value": [
+ {
+ "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "computerDnsName": "mymachine1.contoso.com",
+ "firstSeen": "2018-08-02T14:55:03.7791856Z",
+ "lastSeen": "2018-08-02T14:55:03.7791856Z",
+ "osPlatform": "Windows10",
+ "osVersion": "10.0.0.0",
+ "lastIpAddress": "172.17.230.209",
+ "lastExternalIpAddress": "167.220.196.71",
+ "agentVersion": "10.5830.18209.1001",
+ "osBuild": 18209,
+ "healthStatus": "Active",
+ "rbacGroupId": 140,
+ "riskScore": "Low",
+ "rbacGroupName": "The-A-Team",
+ "isAadJoined": true,
+ "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
+ "machineTags": [ "test tag 1", "test tag 2" ]
+ },
+ {
+ "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
+ "computerDnsName": "mymachine2.contoso.com",
+ "firstSeen": "2018-07-09T13:22:45.1250071Z",
+ "lastSeen": "2018-07-09T13:22:45.1250071Z",
+ "osPlatform": "Windows10",
+ "osVersion": "10.0.0.0",
+ "lastIpAddress": "192.168.12.225",
+ "lastExternalIpAddress": "79.183.65.82",
+ "agentVersion": "10.5820.17724.1000",
+ "osBuild": 17724,
+ "healthStatus": "Inactive",
+ "rbacGroupId": 140,
+ "rbacGroupName": "The-A-Team",
+ "riskScore": "Low",
+ "isAadJoined": false,
+ "aadDeviceId": null,
+ "machineTags": [ "test tag 1" ]
+ }
+ ]
+}
+```
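Review bot: the Permissions table lists `Machine.ReadWrite.All` and `Machine.ReadWrite` next to the read scopes for a GET with an empty request body, with no hint about which one to choose. State that `Machine.Read.All` (application) or `Machine.Read` (delegated) is the least-privileged option, so integrators do not request write access to machine data just to run a lookup. While here, fix the agreement errors in "machines, that the user have access to" and "If IP do not exist", and keep `riskScore` and `rbacGroupName` in the same order in both sample entities.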
diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md
index acbfa51a4a..72071848e6 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md
@@ -37,8 +37,7 @@ Content type | application/json
Empty
## Response
-If successful and IP and machines exists - 200 OK.
-If IP or machines do not exist - 404 Not Found.
+If successful and IP and machines exists - 200 OK. If IP or machines do not exist - 404 Not Found.
## Example
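Review bot: the merged line keeps the agreement error in "If successful and IP and machines exists"; since the line is being rewritten anyway, change it to "exist". It also still documents 404 when "IP or machines do not exist", while the new page for the same lookup documents 404 only for a missing IP. Say explicitly whether a known IP with no related machines returns 404 or 200 with an empty list, because clients branch on that.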
diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..763444713a
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,85 @@
+---
+title: Get IP statistics API
+description: Retrieves the prevalence for the given IP.
+keywords: apis, graph api, supported apis, get, ip, statistics, prevalence
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get IP statistics API
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+
+
+Retrieves the prevalence for the given IP.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Ip.Read.All | 'Read IP address profiles'
+Delegated (work or school account) | Ip.Read.All | 'Read IP address profiles'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/ips/{ip}/stats
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and ip exists - 200 OK with statistical data in the body. IP do not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/ips/10.209.67.177/stats
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgIPStats",
+ "ipAddress": "10.209.67.177",
+ "orgPrevalence": "63515",
+ "orgFirstSeen": "2017-07-30T13:36:06Z",
+ "orgLastSeen": "2017-08-29T13:32:59Z"
+}
+```
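Review bot: in the Response section, "IP do not exist - 404 Not Found." has lost its leading "If" and mixes "ip" and "IP" within one line; suggest "If successful and IP exists - 200 OK with statistical data in the body. If IP does not exist - 404 Not Found." In the sample, `"orgPrevalence": "63515"` is a quoted string although it reads as a count; confirm the API really returns a string, otherwise drop the quotes so typed clients deserialize it correctly.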
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..9c3d3c0eeb
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,103 @@
+---
+title: Get machine by ID API
+description: Retrieves a machine entity by ID.
+keywords: apis, graph api, supported apis, get, machines, entity, id
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get machine by ID API
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+- Retrieves a machine entity by ID.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.Read.All | 'Read all machine profiles'
+Application | Machine.ReadWrite.All | 'Read and write all machine information'
+Delegated (work or school account) | Machine.Read | 'Read machine information'
+Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- User needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+
+## HTTP request
+```
+GET /api/machines/{id}
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and machine exists - 200 OK with the [machine](machine-windows-defender-advanced-threat-protection-new.md) entity in the body.
+If machine with the specified id was not found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machine",
+ "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "computerDnsName": "mymachine1.contoso.com",
+ "firstSeen": "2018-08-02T14:55:03.7791856Z",
+ "lastSeen": "2018-08-02T14:55:03.7791856Z",
+ "osPlatform": "Windows10",
+ "osVersion": "10.0.0.0",
+ "lastIpAddress": "172.17.230.209",
+ "lastExternalIpAddress": "167.220.196.71",
+ "agentVersion": "10.5830.18209.1001",
+ "osBuild": 18209,
+ "healthStatus": "Active",
+ "rbacGroupId": 140,
+ "rbacGroupName": "The-A-Team",
+ "riskScore": "Low",
+ "isAadJoined": true,
+ "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
+ "machineTags": [ "test tag 1", "test tag 2" ]
+}
+
+```
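Review bot: the Note says the user "needs to have access to the machine, based on machine group settings", but the Response section only covers 200 and 404 and does not say what a caller gets when the machine exists and is outside their machine groups. Document that status code, since it decides whether a client treats the result as "no such machine" or "not authorized". Minor: "- Retrieves a machine entity by ID." is written as a one-item bullet where the sibling pages use a plain sentence, and there is a stray blank line before the closing fence of the response sample.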
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md
index 078641587d..66f525a094 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get machine by ID API
+# Get machine by ID API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-
+[!include[Deprecated information](deprecate.md)]
Retrieves a machine entity by ID.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..93e70b3e10
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,104 @@
+---
+title: Get machine log on users API
+description: Retrieves a collection of logged on users.
+keywords: apis, graph api, supported apis, get, machine, log on, users
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get machine log on users API
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+Retrieves a collection of logged on users.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | User.Read.All | 'Read user profiles'
+Delegated (work or school account) | User.Read.All | 'Read user profiles'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- Response will include users only if the machine is visible to the user, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/machines/{id}/logonusers
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and machine exist - 200 OK with list of [user](user-windows-defender-advanced-threat-protection-new.md) entities in the body. If machine was not found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/logonusers
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Users",
+ "value": [
+ {
+ "id": "contoso\\user1",
+ "firstSeen": "2018-08-02T00:00:00Z",
+ "lastSeen": "2018-08-04T00:00:00Z",
+ "mostPrevalentMachineId": null,
+ "leastPrevalentMachineId": null,
+ "logonTypes": "Network",
+ "logOnMachinesCount": 3,
+ "isDomainAdmin": false,
+ "isOnlyNetworkUser": null
+ },
+ {
+ "id": "contoso\\user2",
+ "firstSeen": "2018-08-02T00:00:00Z",
+ "lastSeen": "2018-08-05T00:00:00Z",
+ "mostPrevalentMachineId": null,
+ "leastPrevalentMachineId": null,
+ "logonTypes": "Network",
+ "logOnMachinesCount": 3,
+ "isDomainAdmin": false,
+ "isOnlyNetworkUser": null
+ }
+ ]
+}
+```
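Review bot: the example request URL does not match the documented route. The HTTP request section gives `GET /api/machines/{id}/logonusers`, but the example is `GET https://api.securitycenter.windows.com/api/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/logonusers`, with the `/machines/` segment missing. Insert it so a copied request resolves. Also add a blank line between the **Applies to** list item and "Retrieves a collection of logged on users.", and fix "If successful and machine exist".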
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md
index 0bf2c47c64..13530b98e5 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get machine log on users API
+# Get machine log on users API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-
+[!include[Deprecated information](deprecate.md)]
Retrieves a collection of logged on users.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..191f30cfc2
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,106 @@
+---
+title: Get machine related alerts API
+description: Retrieves a collection of alerts related to a given machine ID.
+keywords: apis, graph api, supported apis, get, machines, related, alerts
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get machine related alerts API
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+Retrieves a collection of alerts related to a given machine ID.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Alert.Read.All | 'Read all alerts'
+Application | Alert.ReadWrite.All | 'Read and write all alerts'
+Delegated (work or school account) | Alert.Read | 'Read alerts'
+Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- User needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/machines/{id}/alerts
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and machine exists - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities in the body. If machine was not found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+
+```
+GET https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/alerts
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
+ "value": [
+ {
+ "id": "441688558380765161_2136280442",
+ "incidentId": 8633,
+ "assignedTo": "secop@contoso.com",
+ "severity": "Low",
+ "status": "InProgress",
+ "classification": "TruePositive",
+ "determination": "Malware",
+ "investigationState": "Running",
+ "category": "MalwareDownload",
+ "detectionSource": "WindowsDefenderAv",
+ "threatFamilyName": "Mikatz",
+ "title": "Windows Defender AV detected 'Mikatz', high-severity malware",
+ "description": "Some description"
+ "recommendedAction": "Some recommended action"
+ "alertCreationTime": "2018-11-25T16:19:21.8409809Z",
+ "firstEventTime": "2018-11-25T16:17:50.0948658Z",
+ "lastEventTime": "2018-11-25T16:18:01.809871Z",
+ "resolvedTime": null,
+ "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
+ }
+ ]
+}
+```
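Review bot: the example asks for alerts on machine `1e5bc9d7e413ddd7902c2932e418702b84d0cc07`, but the alert in the sample response carries `"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"`, which suggests the endpoint returns alerts for other machines. Use the requested ID in the response. The `"description"` and `"recommendedAction"` lines are also missing trailing commas, so the body is not valid JSON, and the description sentence needs a blank line after the **Applies to** list item.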
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md
index 4d976968c0..4803e86973 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get machine related alerts API
+# Get machine related alerts API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-
+[!include[Deprecated information](deprecate.md)]
Retrieves a collection of alerts related to a given machine ID.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..bfda8dcbcd
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,92 @@
+---
+title: Get MachineAction object API
+description: Use this API to create calls related to get machineaction object
+keywords: apis, graph api, supported apis, machineaction object
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get machineAction API
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+- Get action performed on a machine.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.Read.All | 'Read all machine profiles'
+Application | Machine.ReadWrite.All | 'Read and write all machine information'
+Delegated (work or school account) | Machine.Read | 'Read machine information'
+Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET https://api.securitycenter.windows.com/api/machineactions/{id}
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200, Ok response code with a [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) entity. If machine action entity with the specified id was not found - 404 Not Found.
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/machineactions/2e9da30d-27f6-4208-81f2-9cd3d67893ba
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 Ok
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
+ "id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba",
+ "type": "RunAntiVirusScan",
+ "requestor": "Analyst@contoso.com",
+ "requestorComment": "Check machine for viruses due to alert 3212",
+ "status": "Succeeded",
+ "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
+ "creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z",
+ "lastUpdateTimeUtc": "2018-12-04T12:18:57.5511934Z",
+ "relatedFileInfo": null
+}
+
+
+```
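Review bot: the status line in the sample is written `HTTP/1.1 200 Ok` and the Response section says "200, Ok response code", while the other new pages in this change use `200 OK`; use the standard reason phrase throughout. The HTTP request section also gives an absolute URL (`GET https://api.securitycenter.windows.com/api/machineactions/{id}`) where the sibling pages give the relative route, and the front-matter description "Use this API to create calls related to get machineaction object" does not say what the call returns. Remove the two blank lines before the closing fence.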
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md
index 2c94ca5628..b3ed113094 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get MachineAction object API
+# Get MachineAction object API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-
+[!include[Deprecatedinformation](deprecate.md)]
Get actions done on a machine.
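Review bot: the include label here is `[!include[Deprecatedinformation](deprecate.md)]`, without the space used in the other deprecated pages of this change (`[!include[Deprecated information](deprecate.md)]`). Use one spelling across the set so a later search-and-replace on the label catches every page.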
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..1e956940fa
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,174 @@
+---
+title: List machineActions API
+description: Use this API to create calls related to get machineactions collection
+keywords: apis, graph api, supported apis, machineaction collection
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# List MachineActions API
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+- Gets collection of actions done on machines.
+- Get MachineAction collection API supports [OData V4 queries](https://www.odata.org/documentation/).
+- The OData's Filter query is supported on: "Id", "Status", "MachineId", "Type", "Requestor" and "CreationDateTimeUtc".
+- See examples at [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md)
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.Read.All | 'Read all machine profiles'
+Application | Machine.ReadWrite.All | 'Read and write all machine information'
+Delegated (work or school account) | Machine.Read | 'Read machine information'
+Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET https://api.securitycenter.windows.com/api/machineactions
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200, Ok response code with a collection of [machineAction](machineaction-windows-defender-advanced-threat-protection-new.md) entities.
+
+
+## Example 1
+
+**Request**
+
+Here is an example of the request on an organization that has three MachineActions.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/machineactions
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 Ok
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions",
+ "value": [
+ {
+ "id": "69dc3630-1ccc-4342-acf3-35286eec741d",
+ "type": "CollectInvestigationPackage",
+ "requestor": "Analyst@contoso.com",
+ "requestorComment": "test",
+ "status": "Succeeded",
+ "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
+ "creationDateTimeUtc": "2018-12-04T12:43:57.2011911Z",
+ "lastUpdateTimeUtc": "2018-12-04T12:45:25.4049122Z",
+ "relatedFileInfo": null
+ },
+ {
+ "id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba",
+ "type": "RunAntiVirusScan",
+ "requestor": "Analyst@contoso.com",
+ "requestorComment": "Check machine for viruses due to alert 3212",
+ "status": "Succeeded",
+ "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
+ "creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z",
+ "lastUpdateTimeUtc": "2018-12-04T12:18:57.5511934Z",
+ "relatedFileInfo": null
+ },
+ {
+ "id": "44cffc15-0e3d-4cbf-96aa-bf76f9b27f5e",
+ "type": "StopAndQuarantineFile",
+ "requestor": "Analyst@contoso.com",
+ "requestorComment": "test",
+ "status": "Succeeded",
+ "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
+ "creationDateTimeUtc": "2018-12-04T12:15:40.6052029Z",
+ "lastUpdateTimeUtc": "2018-12-04T12:16:14.2899973Z",
+ "relatedFileInfo": {
+ "fileIdentifier": "a0c659857ccbe457fdaf5fe21d54efdcbf6f6508",
+ "fileIdentifierType": "Sha1"
+ }
+ }
+ ]
+}
+```
+
+## Example 2
+
+**Request**
+
+Here is an example of a request that filters the MachineActions by machine ID and shows the latest two MachineActions.
+
+```
+GET https://api.securitycenter.windows.com/api/machineactions?$filter=machineId eq 'f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f'&$top=2
+```
+
+**Response**
+
+Here is an example of the response.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+HTTP/1.1 200 Ok
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions",
+ "value": [
+ {
+ "id": "69dc3630-1ccc-4342-acf3-35286eec741d",
+ "type": "CollectInvestigationPackage",
+ "requestor": "Analyst@contoso.com",
+ "requestorComment": "test",
+ "status": "Succeeded",
+ "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
+ "creationDateTimeUtc": "2018-12-04T12:43:57.2011911Z",
+ "lastUpdateTimeUtc": "2018-12-04T12:45:25.4049122Z",
+ "relatedFileInfo": null
+ },
+ {
+ "id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba",
+ "type": "RunAntiVirusScan",
+ "requestor": "Analyst@contoso.com",
+ "requestorComment": "Check machine for viruses due to alert 3212",
+ "status": "Succeeded",
+ "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
+ "creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z",
+ "lastUpdateTimeUtc": "2018-12-04T12:18:57.5511934Z",
+ "relatedFileInfo": null
+ }
+ ]
+}
+```
+
+## Related topics
+- [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md)
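Review bot: Example 2 is described as showing "the latest two MachineActions", but the request only has `$filter=machineId eq '...'&$top=2` and no `$orderby`, so nothing in the query makes the two returned items the latest ones. Either add an ordering on the creation time, if the endpoint supports it, or reword to "returns two MachineActions". The filter field list is capitalized ("MachineId", "CreationDateTimeUtc") while the example and the response use `machineId`; state whether names are case-sensitive. The "Improve request performance" include in Example 2 sits under **Response** instead of **Request**, and the spaces in the query string should be shown URL-encoded or called out.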
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md
index c86ead0780..0983daee3c 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get MachineActions collection API
+# Get MachineActions collection API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-
+[!include[Deprecatedinformation](deprecate.md)]
Gets collection of actions done on machines. Get MachineAction collection API supports OData V4 queries.
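Review bot: The include label here is `Deprecatedinformation`, while the other deprecated pages in this change use `Deprecated information`; use the spaced form throughout. The include also replaces the blank line that preceded the description, so check that the banner renders as its own block and does not run into the Applies-to list or the description paragraph.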
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..15817d675c
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,128 @@
+---
+title: List machines API
+description: Retrieves a collection of recently seen machines.
+keywords: apis, graph api, supported apis, get, machines
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# List machines API
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+- Retrieves a collection of machines that have communicated with WDATP cloud on the last 30 days.
+- Get Machines collection API supports [OData V4 queries](https://www.odata.org/documentation/).
+- The OData's Filter query is supported on: "Id", "ComputerDnsName", "LastSeen", "LastIpAddress", "HealthStatus", "OsPlatform", "RiskScore", "MachineTags" and "RbacGroupId".
+- See examples at [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md)
+
+## Permissions
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.Read.All | 'Read all machine profiles'
+Application | Machine.ReadWrite.All | 'Read and write all machine information'
+Delegated (work or school account) | Machine.Read | 'Read machine information'
+Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- Response will include only machines,that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET https://api.securitycenter.windows.com/api/machines
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and machines exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities in the body. If no recent machines - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/machines
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
+ "value": [
+ {
+ "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "computerDnsName": "mymachine1.contoso.com",
+ "firstSeen": "2018-08-02T14:55:03.7791856Z",
+ "lastSeen": "2018-08-02T14:55:03.7791856Z",
+ "osPlatform": "Windows10",
+ "osVersion": "10.0.0.0",
+ "lastIpAddress": "172.17.230.209",
+ "lastExternalIpAddress": "167.220.196.71",
+ "agentVersion": "10.5830.18209.1001",
+ "osBuild": 18209,
+ "healthStatus": "Active",
+ "rbacGroupId": 140,
+ "rbacGroupName": "The-A-Team",
+ "riskScore": "Low",
+ "isAadJoined": true,
+ "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
+ "machineTags": [ "test tag 1", "test tag 2" ]
+ },
+ {
+ "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
+ "computerDnsName": "mymachine2.contoso.com",
+ "firstSeen": "2018-07-09T13:22:45.1250071Z",
+ "lastSeen": "2018-07-09T13:22:45.1250071Z",
+ "osPlatform": "Windows10",
+ "osVersion": "10.0.0.0",
+ "lastIpAddress": "192.168.12.225",
+ "lastExternalIpAddress": "79.183.65.82",
+ "agentVersion": "10.5820.17724.1000",
+ "osBuild": 17724,
+ "healthStatus": "Inactive",
+ "rbacGroupId": 140,
+ "rbacGroupName": "The-A-Team",
+ "riskScore": "Low",
+ "isAadJoined": false,
+ "aadDeviceId": null,
+ "machineTags": [ "test tag 1" ]
+ }
+ ]
+}
+```
+
+## Related topics
+- [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md)
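Review bot: The filterable properties are listed in PascalCase ("Id", "ComputerDnsName", "LastSeen", ...) while the response example returns them in camelCase ("id", "computerDnsName", "lastSeen"); state which casing `$filter` accepts, or list the names as they appear in the entity, so callers do not have to guess. Smaller points: "on the last 30 days" should be "in the last 30 days", the note has "machines,that the user have access to", and the Permissions section lacks the "One of the following permissions is required to call this API" sentence that the sibling pages carry.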
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md
index d442db809b..2aae8e0d5d 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md
@@ -14,12 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get machines API
+# Get machines API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecated information](deprecate.md)]
Retrieves a collection of recently seen machines.
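Review bot: The "(deprecated)" title and the banner include are the only signals on this page; unless deprecate.md already links there, add a pointer to the replacement page added in this same change (get-machines-windows-defender-advanced-threat-protection-new.md) so readers landing here know where to go.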
diff --git a/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..6b90d0ff62
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,84 @@
+---
+title: Get package SAS URI API
+description: Use this API to get a URI that allows downloading an investigation package.
+keywords: apis, graph api, supported apis, get package, sas, uri
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get package SAS URI API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+Get a URI that allows downloading of an [investigation package](collect-investigation-package-windows-defender-advanced-threat-protection-new.md).
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.CollectForensics | 'Collect forensics'
+Delegated (work or school account) | Machine.CollectForensics | 'Collect forensics'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'Alerts Investigation' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET https://api.securitycenter.windows.com/api/machineactions/{machine action id}/getPackageUri
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200, Ok response code with object that holds the link to the package in the “value” parameter. This link is valid for a very short time and should be used immediately for downloading the package to a local storage.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/machineactions/7327b54fd718525cbca07dacde913b5ac3c85673/GetPackageUri
+
+```
+
+**Response**
+
+Here is an example of the response.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+
+```
+HTTP/1.1 200 Ok
+Content-type: application/json
+
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Edm.String",
+ "value": "\"https://userrequests-us.securitycenter.windows.com:443/safedownload/WDATP_Investigation_Package.zip?token=gbDyj7y%2fbWGAZjn2sFiZXlliBTXOCVG7yiJ6mXNaQ9pLByC2Wxeno9mENsPFP3xMk5l%2bZiJXjLvqAyNEzUNROxoM2I1er9dxzfVeBsxSmclJjPsAx%2btiNyxSz1Ax%2b5jaT5cL5bZg%2b8wgbwY9urXbTpGjAKh6FB1e%2b0ypcWkPm8UkfOwsmtC%2biZJ2%2bPqnkkeQk7SKMNoAvmh9%2fcqDIPKXGIBjMa0D9auzypOqd8bQXp7p2BnLSH136BxST8n9IHR4PILvRjAYW9kvtHkBpBitfydAsUW4g2oDZSPN3kCLBOoo1C4w4Lkc9Bc3GNU2IW6dfB7SHcp7G9p4BDkeJl3VuDs6esCaeBorpn9FKJ%2fXo7o9pdcI0hUPZ6Ds9hiPpwPUtz5J29CBE3QAopCK%2fsWlf6OW2WyXsrNRSnF1tVE5H3wXpREzuhD7S4AIA3OIEZKzC4jIPLeMu%2bazZU9xGwuc3gICOaokbwMJiZTqcUuK%2fV9YdBdjdg8wJ16NDU96Pl6%2fgew2KYuk6Wo7ZuHotgHI1abcsvdlpe4AvixDbqcRJthsg2PpLRaFLm5av44UGkeK6TJpFvxUn%2f9fg6Zk5yM1KUTHb8XGmutoCM8U9er6AzXZlY0gGc3D3bQOg41EJZkEZLyUEbk1hXJB36ku2%2bW01cG71t7MxMBYz7%2bdXobxpdo%3d%3bRWS%2bCeoDfTyDcfH5pkCg6hYDmCOPr%2fHYQuaUWUBNVnXURYkdyOzVHqp%2fe%2f1BNyPdVoVkpQHpz1pPS3b5g9h7IMmNKCk5gFq5m2nPx6kk9EYtzx8Ndoa2m9Yj%2bSaf8zIFke86YnfQL4AYewsnQNJJh4wc%2bXxGlBq7axDcoiOdX91rKzVicH3GSBkFoLFAKoegWWsF%2fEDZcVpF%2fXUA1K8HvB6dwyfy4y0sAqnNPxYTQ97mG7yHhxPt4Pe9YF2UPPAJVuEf8LNlQ%2bWHC9%2f7msF6UUI4%2fca%2ftpjFs%2fSNeRE8%2fyQj21TI8YTF1SowvaJuDc1ivEoeopNNGG%2bGI%2fX0SckaVxU9Hdkh0zbydSlT5SZwbSwescs0IpzECitBbaLUz4aT8KTs8T0lvx8D7Te3wVsKAJ1r3iFMQZrlk%2bS1WW8rvac7oHRx2HKURn1v7fDIQWgJr9aNsNlFz4fLJ50T2qSHuuepkLVbe93Va072aMGhvr09WVKoTpAf1j2bcFZZU6Za5PxI32mr0k90FgiYFJ1F%2f1vRDrGwvWVWUkR3Z33m4g0gHa52W1FMxQY0TJIwbovD6FaSNDx7xhKZSd5IJ7r6P91Gez49PaZRcAZPjd%2bfbul3JNm1VqQPTLohT7wa0ymRiXpSST74xtFzuEBzNSNATdbngj3%2fwV4JesTjZjIj5Dc%3d%3blumqauVlFuuO8MQffZgs0tLJ4Fq6fpeozPTdDf8Ll6XLegi079%2b4mSPFjTK0y6eohstxdoOdom2wAHiZwk0u4KLKmRkfYOdT1wHY79qKoBQ3ZDHFTys9V%2fcwKGl%2bl8IenWDutHygn5IcA1y7GTZj4g%3d%3d\""
+}
+
+
+```
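Review bot: The response example embeds a complete download URL with a very long `token=` query value. Since the Response section says this link is what grants the package download, replace the value with a short, obviously fake placeholder such as `token=<sas-token>` so the docs do not carry a credential-shaped string and the line stays readable. The route is also spelled `getPackageUri` in the HTTP request section and `GetPackageUri` in the example; pick one casing. "Valid for a very short time" would be more useful with the actual lifetime, if that can be documented.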
diff --git a/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md
index 60f0e29f88..688491a75d 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get package SAS URI API
+# Get package SAS URI API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-
+[!include[Deprecated information](deprecate.md)]
Get a URI that allows downloading of an investigation package.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-started.md b/windows/security/threat-protection/windows-defender-atp/get-started.md
index 08d0bcb99e..1104afadfd 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-started.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-started.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
-ms.date: 09/03/2018
+ms.date: 11/20/2018
---
# Get started with Windows Defender Advanced Threat Protection
@@ -19,6 +19,9 @@ ms.date: 09/03/2018
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+>[!TIP]
+> Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
+
Learn about the minimum requirements and initial steps you need to take to get started with Windows Defender ATP.
The following capabilities are available across multiple products that make up the Windows Defender ATP platform.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..ccd438a908
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,92 @@
+---
+title: Get Ti Indicator by ID API
+description: Retrieves Ti Indicator entity by ID.
+keywords: apis, public api, supported apis, get, ti indicator, entity, id
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get TI Indicator by ID API
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+>[!Note]
+> Currently this API is supported only for AppOnly context requests. (See [Get access without a user](exposed-apis-create-app-webapp.md) for more information)
+
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+Retrieves a TI Indicator entity by ID.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Ti.ReadWrite | 'Read and write TI Indicators'
+
+
+## HTTP request
+```
+GET https://api.securitycenter.windows.com/api/tiindicators/{id}
+```
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and TI Indicator exists - 200 OK with the [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity in the body.
+If TI Indicator with the specified id was not found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/tiindicators/220e7d15b0b3d7fac48f2bd61114db1022197f7f
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#TiIndicators/$entity",
+ "indicator": "220e7d15b0b3d7fac48f2bd61114db1022197f7f",
+ "indicatorType": "FileSha1",
+ "title": "test",
+ "creationTimeDateTimeUtc": "2018-10-24T10:54:23.2009016Z",
+ "createdBy": "45097602-0cfe-4cc6-925f-9f453233e62c",
+ "expirationTime": "2020-12-12T00:00:00Z",
+ "action": "AlertAndBlock",
+ "severity": "Informational",
+ "description": "test",
+ "recommendedActions": "TEST"
+}
+
+```
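Review bot: "Retrieves a TI Indicator entity by ID." follows the Applies-to bullet with no blank line between them, so Markdown will fold it into the list item; add a blank line before it. The front-matter title says "Get Ti Indicator by ID API" while the H1 says "Get TI Indicator by ID API". The only permission listed for this read-only GET is Ti.ReadWrite; if that is intended, one sentence saying no read-only scope exists would save readers from looking for one.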
diff --git a/windows/security/threat-protection/windows-defender-atp/get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..d2c398ee0f
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,109 @@
+---
+title: List TiIndicators API
+description: Use this API to create calls related to get TiIndicators collection
+keywords: apis, public api, supported apis, TiIndicators collection
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# List TiIndicators API
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+>[!Note]
+> Currently this API is supported only for AppOnly context requests. (See [Get access without a user](exposed-apis-create-app-webapp.md) for more information)
+
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+ Gets collection of TI Indicators.
+ Get TI Indicators collection API supports [OData V4 queries](https://www.odata.org/documentation/).
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Ti.ReadWrite | 'Read and write TI Indicators'
+
+
+## HTTP request
+```
+GET https://api.securitycenter.windows.com/api/tiindicators
+```
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200, Ok response code with a collection of [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entities.
+
+>[!Note]
+> The response will only include TI Indicators that submitted by the calling Application.
+
+
+## Example
+
+**Request**
+
+Here is an example of a request that gets all TI Indicators
+
+```
+GET https://api.securitycenter.windows.com/api/tiindicators
+```
+
+**Response**
+
+Here is an example of the response.
+
+```
+HTTP/1.1 200 Ok
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#TiIndicators",
+ "value": [
+ {
+ "indicator": "12.13.14.15",
+ "indicatorType": "IpAddress",
+ "title": "test",
+ "creationTimeDateTimeUtc": "2018-10-24T11:15:35.3688259Z",
+ "createdBy": "45097602-1234-5678-1234-9f453233e62c",
+ "expirationTime": "2020-12-12T00:00:00Z",
+ "action": "AlertAndBlock",
+ "severity": "Informational",
+ "description": "test",
+ "recommendedActions": "test"
+ },
+ {
+ "indicator": "220e7d15b0b3d7fac48f2bd61114db1022197f7f",
+ "indicatorType": "FileSha1",
+ "title": "test",
+ "creationTimeDateTimeUtc": "2018-10-24T10:54:23.2009016Z",
+ "createdBy": "45097602-1234-5678-1234-9f453233e62c",
+ "expirationTime": "2020-12-12T00:00:00Z",
+ "action": "AlertAndBlock",
+ "severity": "Informational",
+ "description": "test",
+ "recommendedActions": "TEST"
+ }
+ ]
+}
+```
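Review bot: The example is introduced as "a request that gets all TI Indicators", but the note just above it says the response only includes indicators submitted by the calling application; reword the lead-in to match. The note itself should read "that were submitted by". The `createdBy` value for indicator 220e7d15... is 45097602-1234-5678-1234-9f453233e62c here and 45097602-0cfe-4cc6-925f-9f453233e62c on the by-ID page; use the same placeholder value in both examples.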
diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..ef4ed492c9
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,85 @@
+---
+title: Get user information API
+description: Retrieve a User entity by key such as user name or domain.
+keywords: apis, graph api, supported apis, get, user, user information
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get user information API
+
+[!include[Prerelease information](prerelease.md)]
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+Retrieve a User entity by key (user name).
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | User.Read.All | 'Read all user profiles'
+
+## HTTP request
+```
+GET /api/users/{id}/
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and user exists - 200 OK with [user](user-windows-defender-advanced-threat-protection-new.md) entity in the body. If user does not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/users/user1
+Content-type: application/json
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Users/$entity",
+ "id": "user1",
+ "firstSeen": "2018-08-02T00:00:00Z",
+ "lastSeen": "2018-08-04T00:00:00Z",
+ "mostPrevalentMachineId": null,
+ "leastPrevalentMachineId": null,
+ "logonTypes": "Network",
+ "logOnMachinesCount": 3,
+ "isDomainAdmin": false,
+ "isOnlyNetworkUser": null
+}
+```
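Review bot: The request example sends `Content-type: application/json` on a GET whose body is documented as empty; drop that line from the request block. The HTTP request section uses a relative path with a trailing slash (`GET /api/users/{id}/`) where the machine and TI indicator pages give the full https://api.securitycenter.windows.com/... URL. The front-matter description says "by key such as user name or domain" while the body says the key is the user name only; align the two.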
diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md
index c4dfae50e6..86880c519e 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get user information API
+# Get user information API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-
+[!include[Deprecated information](deprecate.md)]
Retrieve a User entity by key (user name or domain\user).
diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..139d24daf4
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,127 @@
+---
+title: Get user related alerts API
+description: Retrieves a collection of alerts related to a given user ID.
+keywords: apis, graph api, supported apis, get, user, related, alerts
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get user related alerts API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Retrieves a collection of alerts related to a given user ID.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Alert.Read.All | 'Read all alerts'
+Application | Alert.ReadWrite.All | 'Read and write all alerts'
+Delegated (work or school account) | Alert.Read | 'Read alerts'
+Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- Response will include only alerts, associated with machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/users/{id}/alerts
+```
+
+**Note that the id is not the full UPN, but only the user name. (e.g., to retrieve alerts for user1@contoso.com use /api/users/user1/alerts) **
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and user exist - 200 OK. If the user do not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/users/user1/alerts
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
+ "value": [
+ {
+ "id": "441688558380765161_2136280442",
+ "incidentId": 8633,
+ "assignedTo": "secop@contoso.com",
+ "severity": "Low",
+ "status": "InProgress",
+ "classification": "TruePositive",
+ "determination": "Malware",
+ "investigationState": "Running",
+ "category": "MalwareDownload",
+ "detectionSource": "WindowsDefenderAv",
+ "threatFamilyName": "Mikatz",
+ "title": "Windows Defender AV detected 'Mikatz', high-severity malware",
+ "description": "Some description"
+ "recommendedAction": "Some recommended action"
+ "alertCreationTime": "2018-11-25T16:19:21.8409809Z",
+ "firstEventTime": "2018-11-25T16:17:50.0948658Z",
+ "lastEventTime": "2018-11-25T16:18:01.809871Z",
+ "resolvedTime": null,
+ "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
+ },
+ {
+ "id": "121688558380765161_2136280442",
+ "incidentId": 4123,
+ "assignedTo": "secop@contoso.com",
+ "severity": "Low",
+ "status": "InProgress",
+ "classification": "TruePositive",
+ "determination": "Malware",
+ "investigationState": "Running",
+ "category": "MalwareDownload",
+ "detectionSource": "WindowsDefenderAv",
+ "threatFamilyName": "Mikatz",
+ "title": "Windows Defender AV detected 'Mikatz', high-severity malware",
+ "description": "Some description"
+ "recommendedAction": "Some recommended action"
+ "alertCreationTime": "2018-11-24T16:19:21.8409809Z",
+ "firstEventTime": "2018-11-24T16:17:50.0948658Z",
+ "lastEventTime": "2018-11-24T16:18:01.809871Z",
+ "resolvedTime": null,
+ "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
+ }
+ ]
+}
+```
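Review bot: The response example is not valid JSON: in both alert objects the "description" and "recommendedAction" lines are missing their trailing commas. In the bold note under the HTTP request, the space before the closing `**` ("/alerts) **") stops the bold from closing in most Markdown renderers. The Response section should also say what the 200 body contains, and "user exist" / "the user do not exist" need subject-verb agreement.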
diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md
index aadcc3dd2b..ec40578526 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md
@@ -11,16 +11,16 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
-ms.date: 12/08/2017
+ms.date: 11/15/2018
---
-# Get user related alerts API
+# Get user related alerts API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-
+[!include[Deprecated information](deprecate.md)]
Retrieves a collection of alerts related to a given user ID.
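Review bot: ms.date is bumped to 11/15/2018 on this page, but the other pages marked deprecated in this change keep 12/08/2017 even though their content changed in the same way. Update the date on all of them or none, so the metadata does not suggest only this page was touched.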
diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..da315671ca
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,125 @@
+---
+title: Get user related machines API
+description: Retrieves a collection of machines related to a given user ID.
+keywords: apis, graph api, supported apis, get, user, user related alerts
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get user related machines API
+
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Retrieves a collection of machines related to a given user ID.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.Read.All | 'Read all machine profiles'
+Application | Machine.ReadWrite.All | 'Read and write all machine information'
+Delegated (work or school account) | Machine.Read | 'Read machine information'
+Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- Response will include only machines that the user can access, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/users/{id}/machines
+```
+
+**Note that the id is not the full UPN, but only the user name. (e.g., to retrieve machines for user1@contoso.com use /api/users/user1/machines) **
+
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and user exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities in the body. If user does not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/users/user1/machines
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
+ "value": [
+ {
+ "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "computerDnsName": "mymachine1.contoso.com",
+ "firstSeen": "2018-08-02T14:55:03.7791856Z",
+ "lastSeen": "2018-08-02T14:55:03.7791856Z",
+ "osPlatform": "Windows10",
+ "osVersion": "10.0.0.0",
+ "lastIpAddress": "172.17.230.209",
+ "lastExternalIpAddress": "167.220.196.71",
+ "agentVersion": "10.5830.18209.1001",
+ "osBuild": 18209,
+ "healthStatus": "Active",
+ "rbacGroupId": 140,
+ "rbacGroupName": "The-A-Team",
+ "riskScore": "Low",
+ "isAadJoined": true,
+ "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
+ "machineTags": [ "test tag 1", "test tag 2" ]
+ },
+ {
+ "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
+ "computerDnsName": "mymachine2.contoso.com",
+ "firstSeen": "2018-07-09T13:22:45.1250071Z",
+ "lastSeen": "2018-07-09T13:22:45.1250071Z",
+ "osPlatform": "Windows10",
+ "osVersion": "10.0.0.0",
+ "lastIpAddress": "192.168.12.225",
+ "lastExternalIpAddress": "79.183.65.82",
+ "agentVersion": "10.5820.17724.1000",
+ "osBuild": 17724,
+ "healthStatus": "Inactive",
+ "rbacGroupId": 140,
+ "rbacGroupName": "The-A-Team",
+ "riskScore": "Low",
+ "isAadJoined": false,
+ "aadDeviceId": null,
+ "machineTags": [ "test tag 1" ]
+ }
+ ]
+}
+```
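Review bot: In the note under "HTTP request", the closing bold marker is preceded by a space ("/api/users/user1/machines) **"), so Markdown will not close the emphasis and the asterisks will render literally; remove the space before the closing `**`. The sample response also uses what look like real routable addresses for lastExternalIpAddress (167.220.196.71 and 79.183.65.82); addresses from a documentation range such as 203.0.113.0/24 would be safer in published examples.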
diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md
index 1b66f1961a..11f719ebd8 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get user related machines API
+# Get user related machines API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-
+[!include[Deprecated information](deprecate.md)]
Retrieves a collection of machines related to a given user ID.
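Review bot: The deprecation include replaces the blank line that separated the "Applies to" list from the description, so it now sits directly under the list item and directly above "Retrieves a collection of machines related to a given user ID." with no blank line on either side. Keep a blank line before and after the include so it is not parsed as a continuation of the list item or merged into the following paragraph.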
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-azure-assign-role.png b/windows/security/threat-protection/windows-defender-atp/images/atp-azure-assign-role.png
new file mode 100644
index 0000000000..93e294ec2b
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-azure-assign-role.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-azure-new-app.png b/windows/security/threat-protection/windows-defender-atp/images/atp-azure-new-app.png
index a4a07d3b92..4449661657 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-azure-new-app.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-azure-new-app.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-settings-aip.png b/windows/security/threat-protection/windows-defender-atp/images/atp-settings-aip.png
new file mode 100644
index 0000000000..f66b75a274
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-settings-aip.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/azure-data-discovery.png b/windows/security/threat-protection/windows-defender-atp/images/azure-data-discovery.png
new file mode 100644
index 0000000000..0148a800b2
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/azure-data-discovery.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/ms-flow-choose-action.png b/windows/security/threat-protection/windows-defender-atp/images/ms-flow-choose-action.png
new file mode 100644
index 0000000000..867fb4d976
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/ms-flow-choose-action.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/ms-flow-define-action.png b/windows/security/threat-protection/windows-defender-atp/images/ms-flow-define-action.png
new file mode 100644
index 0000000000..51588e0bdc
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/ms-flow-define-action.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/ms-flow-e2e.png b/windows/security/threat-protection/windows-defender-atp/images/ms-flow-e2e.png
new file mode 100644
index 0000000000..f33aa04682
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/ms-flow-e2e.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/ms-flow-insert-db.png b/windows/security/threat-protection/windows-defender-atp/images/ms-flow-insert-db.png
new file mode 100644
index 0000000000..1f15b39220
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/ms-flow-insert-db.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/ms-flow-parse-json.png b/windows/security/threat-protection/windows-defender-atp/images/ms-flow-parse-json.png
new file mode 100644
index 0000000000..b42c9ec193
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/ms-flow-parse-json.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/ms-flow-read-db.png b/windows/security/threat-protection/windows-defender-atp/images/ms-flow-read-db.png
new file mode 100644
index 0000000000..89e20f3a67
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/ms-flow-read-db.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/nativeapp-add-permission.png b/windows/security/threat-protection/windows-defender-atp/images/nativeapp-add-permission.png
new file mode 100644
index 0000000000..1f7f423e49
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/nativeapp-add-permission.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/nativeapp-add-permissions-end.png b/windows/security/threat-protection/windows-defender-atp/images/nativeapp-add-permissions-end.png
new file mode 100644
index 0000000000..eb866e3cce
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/nativeapp-add-permissions-end.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/nativeapp-create.png b/windows/security/threat-protection/windows-defender-atp/images/nativeapp-create.png
new file mode 100644
index 0000000000..05d76ec807
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/nativeapp-create.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/nativeapp-decoded-token.png b/windows/security/threat-protection/windows-defender-atp/images/nativeapp-decoded-token.png
new file mode 100644
index 0000000000..92f46bf116
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/nativeapp-decoded-token.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/nativeapp-get-appid.png b/windows/security/threat-protection/windows-defender-atp/images/nativeapp-get-appid.png
new file mode 100644
index 0000000000..859e4fa8a3
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/nativeapp-get-appid.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/nativeapp-select-permissions.png b/windows/security/threat-protection/windows-defender-atp/images/nativeapp-select-permissions.png
new file mode 100644
index 0000000000..2114b14c4d
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/nativeapp-select-permissions.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/office-scc-label.png b/windows/security/threat-protection/windows-defender-atp/images/office-scc-label.png
new file mode 100644
index 0000000000..750bd6e459
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/office-scc-label.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/power-bi-create-advanced-query.png b/windows/security/threat-protection/windows-defender-atp/images/power-bi-create-advanced-query.png
new file mode 100644
index 0000000000..d5fdf37ac2
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/power-bi-create-advanced-query.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/power-bi-create-blank-query.png b/windows/security/threat-protection/windows-defender-atp/images/power-bi-create-blank-query.png
new file mode 100644
index 0000000000..d060becd5b
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/power-bi-create-blank-query.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/power-bi-edit-credentials.png b/windows/security/threat-protection/windows-defender-atp/images/power-bi-edit-credentials.png
new file mode 100644
index 0000000000..62c96acf75
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/power-bi-edit-credentials.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/power-bi-edit-data-privacy.png b/windows/security/threat-protection/windows-defender-atp/images/power-bi-edit-data-privacy.png
new file mode 100644
index 0000000000..7098c8a543
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/power-bi-edit-data-privacy.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/power-bi-open-advanced-editor.png b/windows/security/threat-protection/windows-defender-atp/images/power-bi-open-advanced-editor.png
new file mode 100644
index 0000000000..5c340e3138
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/power-bi-open-advanced-editor.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/power-bi-query-results.png b/windows/security/threat-protection/windows-defender-atp/images/power-bi-query-results.png
new file mode 100644
index 0000000000..b94ee3a009
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/power-bi-query-results.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-credentials-anonymous.png b/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-credentials-anonymous.png
new file mode 100644
index 0000000000..dce1698521
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-credentials-anonymous.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-credentials-organizational-cont.png b/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-credentials-organizational-cont.png
new file mode 100644
index 0000000000..049d3ed6ee
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-credentials-organizational-cont.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-credentials-organizational.png b/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-credentials-organizational.png
new file mode 100644
index 0000000000..054470d70e
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-credentials-organizational.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-data-privacy.png b/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-data-privacy.png
new file mode 100644
index 0000000000..00a8756c43
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-data-privacy.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-add-permission-2.png b/windows/security/threat-protection/windows-defender-atp/images/webapp-add-permission-2.png
new file mode 100644
index 0000000000..8123965c84
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/webapp-add-permission-2.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-add-permission-end.png b/windows/security/threat-protection/windows-defender-atp/images/webapp-add-permission-end.png
new file mode 100644
index 0000000000..40f15eb65a
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/webapp-add-permission-end.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-add-permission.png b/windows/security/threat-protection/windows-defender-atp/images/webapp-add-permission.png
new file mode 100644
index 0000000000..38e98ce07d
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/webapp-add-permission.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-create-key.png b/windows/security/threat-protection/windows-defender-atp/images/webapp-create-key.png
new file mode 100644
index 0000000000..4ddb1fae83
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/webapp-create-key.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-create.png b/windows/security/threat-protection/windows-defender-atp/images/webapp-create.png
new file mode 100644
index 0000000000..a091db0189
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/webapp-create.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-decoded-token.png b/windows/security/threat-protection/windows-defender-atp/images/webapp-decoded-token.png
new file mode 100644
index 0000000000..be98e49216
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/webapp-decoded-token.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-edit-multitenant.png b/windows/security/threat-protection/windows-defender-atp/images/webapp-edit-multitenant.png
new file mode 100644
index 0000000000..47203a8151
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/webapp-edit-multitenant.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-edit-settings.png b/windows/security/threat-protection/windows-defender-atp/images/webapp-edit-settings.png
new file mode 100644
index 0000000000..1b8396b50e
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/webapp-edit-settings.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-get-appid.png b/windows/security/threat-protection/windows-defender-atp/images/webapp-get-appid.png
new file mode 100644
index 0000000000..103081f82c
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/webapp-get-appid.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-grant-permissions.png b/windows/security/threat-protection/windows-defender-atp/images/webapp-grant-permissions.png
new file mode 100644
index 0000000000..b7c7e0926f
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/webapp-grant-permissions.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-select-permission.png b/windows/security/threat-protection/windows-defender-atp/images/webapp-select-permission.png
new file mode 100644
index 0000000000..8edc069eaf
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/webapp-select-permission.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-validate-token.png b/windows/security/threat-protection/windows-defender-atp/images/webapp-validate-token.png
new file mode 100644
index 0000000000..c813929e31
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/webapp-validate-token.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/improverequestperformance-new.md b/windows/security/threat-protection/windows-defender-atp/improverequestperformance-new.md
new file mode 100644
index 0000000000..afb2f9bbdd
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/improverequestperformance-new.md
@@ -0,0 +1,23 @@
+---
+title:
+description:
+keywords:
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 04/24/2018
+---
+
+# Improve request performance
+
+
+>[!NOTE]
+>For better performance, you can use server closer to your geo location:
+> - api-us.securitycenter.windows.com
+> - api-eu.securitycenter.windows.com
+> - api-uk.securitycenter.windows.com
\ No newline at end of file
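Review bot: The front matter is committed with empty `title:`, `description:` and `keywords:` values. Even for a fragment meant to be pulled in by `[!include]`, either fill these in or drop the keys, so that an untitled page is not published if the file is ever built on its own. In the note text, "you can use server closer to your geo location" should read "you can use the server closest to your geographic location", and the file is missing its trailing newline.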
diff --git a/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-config.md b/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-config.md
new file mode 100644
index 0000000000..b0644db04c
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-config.md
@@ -0,0 +1,49 @@
+---
+title: Configure information protection in Windows
+description: Learn how to expand the coverage of WIP to protect files based on their label, regardless of their origin.
+keywords: information, protection, data, loss, prevention, wip, policy, scc, compliance, labels, dlp
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/05/2018
+---
+
+# Configure information protection in Windows
+**Applies to:**
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+
+[!include[Prerelease information](prerelease.md)]
+
+Learn how you can use Windows Defender ATP to expand the coverage of Windows Information Protection (WIP) to protect files based on their label, regardless of their origin.
+
+## Prerequisites
+- Endpoints need to be on Windows 10, version 1809 or later
+- You'll need the appropriate license to leverage the Windows Defender ATP and Azure Information Protection integration
+- Your tenant needs to be onboarded to Azure Information Protection analytics, for more information see, [Configure a Log Analytics workspace for the reports](https://docs.microsoft.comazure/information-protection/reports-aip#configure-a-log-analytics-workspace-for-the-reports)
+
+
+## Configuration steps
+1. Define a WIP policy and assign it to the relevant devices. For more information, see [Protect your enterprise data using Windows Information Protection (WIP)](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip). If WIP is already configured on the relevant devices, skip this step.
+2. Define which labels need to get WIP protection in Office 365 Security and Compliance.
+
+ 1. Go to: **Classifications > Labels**.
+ 2. Create a new label or edit an existing one.
+ 3. In the configuration wizard, go to 'Data loss prevention' tab and enable WIP.
+
+ 
+
+ 4. Repeat for every label that you want to get WIP applied to in Windows.
+
+After completing these steps Windows Defender ATP will automatically identify labeled documents stored on the device and enable WIP on them.
+
+>[!NOTE]
+>- The Windows Defender ATP configuration is pulled every 15 minutes. Allow up to 30 minutes for the new policy to take effect and ensure that the endpoint is online. Otherwise, it will not receive the policy.
+>- Data forwarded to Azure Information Protection is stored in the same location as your other Azure Information Protection data.
+
+## Related topic
+- [Information protection in Windows overview](information-protection-in-windows-overview.md)
\ No newline at end of file
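Review bot: The link in the third prerequisite is broken: the URL reads `https://docs.microsoft.comazure/information-protection/reports-aip#configure-a-log-analytics-workspace-for-the-reports`, with no slash between the host and the path. It should start `https://docs.microsoft.com/azure/information-protection/reports-aip`, which is the form the overview topic in this same patch uses. The same sentence would read better as "For more information, see [...]" after a full stop, and the "Related topic" heading is "Related topics" in the overview file.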
diff --git a/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-overview.md b/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-overview.md
new file mode 100644
index 0000000000..9c4fe5f044
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-overview.md
@@ -0,0 +1,95 @@
+---
+title: Information protection in Windows overview
+description: Learn about how information protection works in Windows to identify and protect sensitive information
+keywords: information, protection, dlp, wip, data, loss, prevention, protect
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/05/2018
+---
+
+# Information protection in Windows overview
+**Applies to:**
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+
+[!include[Prerelease information](prerelease.md)]
+
+Information protection is an integral part of Microsoft 365 Enterprise suite, providing intelligent protection to keep sensitive data secure while enabling productivity in the workplace.
+
+
+Windows Defender ATP is seamlessly integrated in Microsoft Threat Protection to provide a complete and comprehensive data loss prevention (DLP) solution for Windows devices. This solution is delivered and managed as part of the unified Microsoft 365 information protection suite.
+
+
+Windows Defender ATP applies two methods to discover and protect data:
+- **Data discovery** - Identify sensitive data on Windows devices at risk
+- **Data protection** - Windows Information Protection (WIP) as outcome of Azure Information Protection label
+
+
+## Data discovery
+Windows Defender ATP automatically discovers files with Office 365 sensitivity labels on Windows devices when the feature is enabled. You can enable the Azure Information Protection integration feature from Windows Defender Security Center. For more information, see [Configure advanced features](advanced-features-windows-defender-advanced-threat-protection.md#azure-information-protection).
+
+
+
+
+After enabling the Azure Information Protection integration, data discovery signals are immediately forwarded to Azure Information Protection from the device. When a file that has a sensitivity label applied is created or modified on a Windows device, Windows Defender ATP automatically reports the signal to Azure Information Protection.
+
+The reported signals can be viewed on the Azure Information Protection - Data discovery dashboard.
+
+### Azure Information Protection - Data discovery dashboard
+This dashboard presents a summarized discovery information of data discovered by both Windows Defender ATP and Azure Information Protection. Data from Windows Defender ATP is marked with Location Type - Endpoint.
+
+
+
+
+Notice the Device Risk column on the right, this device risk is derived directly from Windows Defender ATP, indicating the risk level of the security device where the file was discovered, based on the active security threats detected by Windows Defender ATP.
+
+Clicking the device risk level will redirect you to the device page in Windows Defender ATP, where you can get a comprehensive view of the device security status and its active alerts.
+
+
+>[!NOTE]
+>Windows Defender ATP does not currently report the Information Types.
+
+### Log Analytics
+Data discovery based on Windows Defender ATP is also available in [Azure Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-overview), where you can perform complex queries over the raw data.
+
+For more information on Azure Information Protection analytics, see [Central reporting for Azure Information Protection](https://docs.microsoft.com/azure/information-protection/reports-aip).
+
+Open Azure Log Analytics in Azure Portal and open a query builder (standard or classic).
+
+To view Windows Defender ATP data, perform a query that contains:
+
+
+```
+InformationProtectionLogs_CL
+| where Workload_s == "Windows Defender"
+```
+
+**Prerequisites:**
+- Customers must have a subscription for Azure Information Protection, and be using a unified labeling client.
+- Enable Azure Information Protection integration in Windows Defender Security Center:
+ - Go to **Settings** in Windows Defender Security Center, click on **Advanced Settings** under **General**.
+
+
+## Data protection
+For data to be protected, they must first be identified through labels. Sensitivity labels are created in Office Security and Compliance (SCC). Windows Defender ATP then uses the labels to identify endpoints that need Windows Information Protection (WIP) applied on them.
+
+
+When you create sensitivity labels, you can set the information protection functionalities that will be applied on the file. The setting that applies to Windows Defender ATP is the Data loss prevention. You'll need to turn on the Data loss prevention and select Enable Windows end point protection (DLP for devices).
+
+
+
+
+Once, the policy is set and published, Windows Defender ATP automatically enables WIP for labeled files. When a labeled file is created or modified on a Windows device, Windows Defender ATP automatically detects it and enables WIP on that file if its label corresponds with Office Security and Compliance (SCC) policy.
+
+This functionality expands the coverage of WIP to protect files based on their label, regardless of their origin.
+
+For more information, see [Configure information protection in Windows](information-protection-in-windows-config.md).
+
+
+## Related topics
+- [How Windows Information Protection protects files with a sensitivity label](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels)
\ No newline at end of file
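Review bot: The "Prerequisites" list under "Log Analytics" comes after the query it gates and stops short: its last bullet sends the reader to **Settings** > **Advanced Settings** under **General** but never names the setting to turn on. Move the prerequisites above the query steps and name the toggle; the "Data discovery" section calls it the Azure Information Protection integration feature and links to "Configure advanced features", so the "Advanced Settings" label should be reconciled with that. Minor wording: "Once, the policy is set" has a stray comma, and "the risk level of the security device" probably means "the device".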
diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md
index 87f2d65c02..55f697cb46 100644
--- a/windows/security/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md
@@ -54,14 +54,11 @@ Some actor profiles include a link to download a more comprehensive threat intel
The detailed alert profile helps you understand who the attackers are, who they target, what techniques, tools, and procedures (TTPs) they use, which geolocations they are active in, and finally, what recommended actions you may take. In many cases, you can download a more detailed Threat Intelligence report about this attacker or campaign for offline reading.
## Alert process tree
-The **Alert process tree** takes alert triage and investigation to the next level, displaying the alert and related evidence, together with other events that occurred within the same execution context and time. This rich triage context of the alert and surrounding events is available on the alert page.
+The **Alert process tree** takes alert triage and investigation to the next level, displaying the aggregated alert and surrounding evidence that occurred within the same execution context and time period. This rich triage and investigation context is available on the alert page.

-The **Alert process tree** expands to display the execution path of the alert, its evidence, and related events that occurred in the minutes - before and after - the alert.
-
-The alert and related events or evidence have circles with thunderbolt icons inside them.
-
+The **Alert process tree** expands to display the execution path of the alert and related evidence that occurred around the same period. Items marked with a thunderbolt icon should be given priority during investigation.
>[!NOTE]
>The alert process tree might not be available in some alerts.
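Review bot: The rewritten second paragraph drops two facts the removed lines stated: that the tree covers events "in the minutes - before and after - the alert", and that the thunderbolt icon marks the alert and its related events or evidence. The new sentence tells the reader to prioritise thunderbolt items without saying what the icon denotes, so keep a clause that defines it. The blank line before `>[!NOTE]` was also removed; restore it so the note stays separate from the paragraph in the source.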
diff --git a/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..066dac83dd
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,80 @@
+---
+title: Is domain seen in org API
+description: Use this API to create calls related to checking whether a domain was seen in the organization.
+keywords: apis, graph api, supported apis, domain, domain seen
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 04/24/2018
+---
+
+# Was domain seen in org
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Answers whether a domain was seen in the organization.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Url.Read.All | 'Read URLs'
+Delegated (work or school account) | URL.Read.All | 'Read URLs'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/domains/{domain}
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and domain exists - 200 OK. If domain does not exist - 404 Not Found.
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/domains/example.com
+Content-type: application/json
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Domains/$entity",
+ "host": "example.com"
+}
+```
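Review bot: The permissions table spells the same scope two ways, `Url.Read.All` in the Application row and `URL.Read.All` in the Delegated row. Readers copy these names when configuring an app, so confirm the correct casing and use it in both rows. The example request also sends `Content-type: application/json` on a GET whose body is documented as empty, while omitting the `Authorization` header that the headers table marks Required. The front-matter title ("Is domain seen in org API") and the H1 ("Was domain seen in org") disagree as well.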
diff --git a/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md
index 892fc60bd3..6dee679614 100644
--- a/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md
@@ -14,9 +14,14 @@ ms.localizationpriority: medium
ms.date: 04/24/2018
---
-# Is domain seen in org
+# Is domain seen in org (deprecated)
Answers whether a domain was seen in the organization.
+[!include[Deprecatedinformation](deprecate.md)]
+
+
+
+
## Permissions
User needs read permissions.
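Review bot: The deprecation include is added after the description sentence and is followed by four empty lines, whereas the deprecated IP and isolate pages in this patch put the include before the description. Place it directly under the heading here as well and drop the extra blank lines, so the deprecation notice is the first thing a reader sees.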
diff --git a/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..fc6b531fc1
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,81 @@
+---
+title: Is IP seen in org API
+description: Answers whether an IP was seen in the organization.
+keywords: apis, graph api, supported apis, is, ip, seen, org, organization
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Was IP seen in org
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Answers whether an IP was seen in the organization.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Ip.Read.All | 'Read IP address profiles'
+Delegated (work or school account) | Ip.Read.All | 'Read IP address profiles'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/ips/{ip}
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and IP exists - 200 OK. If IP do not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/ips/10.209.67.177
+```
+
+**Response**
+
+Here is an example of the response.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Ips/$entity",
+ "id": "10.209.67.177"
+}
+```
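Review bot: In the Response section, `If IP do not exist` should read `If IP does not exist`. The `Improve request performance` include sits under **Response** on this page but under **Request** on the domain and isolate pages; move it above the request sample. The front-matter title `Is IP seen in org API` and the H1 `Was IP seen in org` also disagree.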
diff --git a/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md
index d006cede0b..42887d7fa8 100644
--- a/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Is IP seen in org
+# Is IP seen in org (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-
+[!include[Deprecatedinformation](deprecate.md)]
Answers whether an IP was seen in the organization.
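Review bot: The include takes the place of the blank line that followed the **Applies to** list item, so check that a blank line still separates `[!include[Deprecatedinformation](deprecate.md)]` from the list above and from the description below. Without one, the notice can be absorbed into the list item instead of rendering as its own block.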
diff --git a/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..696d961f94
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,108 @@
+---
+title: Isolate machine API
+description: Use this API to create calls related isolating a machine.
+keywords: apis, graph api, supported apis, isolate machine
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Isolate machine API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+Isolates a machine from accessing external network.
+
+[!include[Machine actions note](machineactionsnote.md)]
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.Isolate | 'Isolate machine'
+Delegated (work or school account) | Machine.Isolate | 'Isolate machine'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+
+## HTTP request
+```
+POST https://api.securitycenter.windows.com/api/machines/{id}/isolate
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+Content-Type | string | application/json. **Required**.
+
+## Request body
+In the request body, supply a JSON object with the following parameters:
+
+Parameter | Type | Description
+:---|:---|:---
+Comment | String | Comment to associate with the action. **Required**.
+IsolationType | String | Type of the isolation. Allowed values are: 'Full' or 'Selective'.
+
+**IsolationType** controls the type of isolation to perform and can be one of the following:
+- Full – Full isolation
+- Selective – Restrict only limited set of applications from accessing the network (see [Isolate machines from the network](respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network) for more details)
+
+
+## Response
+If successful, this method returns 201 - Created response code and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) in the response body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/isolate
+Content-type: application/json
+{
+ "Comment": "Isolate machine due to alert 1234",
+ “IsolationType”: “Full”
+}
+
+```
+**Response**
+
+Here is an example of the response.
+
+```
+HTTP/1.1 201 Created
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
+ "id": "b89eb834-4578-496c-8be0-03f004061435",
+ "type": "Isolate",
+ "requestor": "Analyst@contoso.com ",
+ "requestorComment": "Isolate machine due to alert 1234",
+ "status": "InProgress",
+ "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "creationDateTimeUtc": "2017-12-04T12:12:18.9725659Z",
+ "lastUpdateTimeUtc": "2017-12-04T12:12:18.9725659Z",
+ "relatedFileInfo": null
+}
+
+```
+
+To unisolate a machine, see [Release machine from isolation](unisolate-machine-windows-defender-advanced-threat-protection-new.md).
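Review bot: In the request sample, the line `“IsolationType”: “Full”` uses typographic quotes, so the body is not valid JSON and fails when pasted into a client; replace them with straight `"`. The parameter table marks Comment as **Required** but says nothing for IsolationType; state whether it is required or what the default is, since the choice between Full and Selective decides what the machine can still reach. In the response sample, `"requestor": "Analyst@contoso.com "` carries a trailing space, and the description `create calls related isolating a machine` is missing a word.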
diff --git a/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md
index 61cfbb1c6f..c7b6c877d3 100644
--- a/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Isolate machine API
+# Isolate machine API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-
+[!include[Deprecated information](deprecate.md)]
Isolates a machine from accessing external network.
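Review bot: The include label here is `Deprecated information`, while the deprecated domain and IP pages in this patch use `Deprecatedinformation`; use one spelling across the deprecated pages. The include also replaces the blank line after the **Applies to** list, so confirm it is still set off by blank lines on both sides.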
diff --git a/windows/security/threat-protection/windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..4d6a156ac0
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,48 @@
+---
+title: Machine resource type
+description: Retrieves top machines
+keywords: apis, supported apis, get, machines
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 11/11/2018
+---
+
+# Machine resource type
+
+
+# Methods
+Method|Return Type |Description
+:---|:---|:---
+[List machines](get-machines-windows-defender-advanced-threat-protection-new.md) | [machine](machine-windows-defender-advanced-threat-protection-new.md) collection | List set of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities in the org.
+[Get machine](get-machine-by-id-windows-defender-advanced-threat-protection-new.md) | [machine](machine-windows-defender-advanced-threat-protection-new.md) | Get a [machine](machine-windows-defender-advanced-threat-protection-new.md) by its identity.
+[Get logged on users](get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md) | [user](user-windows-defender-advanced-threat-protection-new.md) collection | Get the set of [User](user-windows-defender-advanced-threat-protection-new.md) that logged on to the [machine](machine-windows-defender-advanced-threat-protection-new.md).
+[Get related alerts](get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md) | [alert](alerts-windows-defender-advanced-threat-protection-new.md) collection | Get the set of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities that were raised on the [machine](machine-windows-defender-advanced-threat-protection-new.md).
+[Add or Remove machine tags](add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md) | [machine](machine-windows-defender-advanced-threat-protection-new.md) | Add or Remove tag to a specific machine.
+[Find machines by IP](find-machines-by-ip-windows-defender-advanced-threat-protection-new.md) | [machine](machine-windows-defender-advanced-threat-protection-new.md) collection | Find machines seen with IP.
+
+# Properties
+Property | Type | Description
+:---|:---|:---
+id | String | [machine](machine-windows-defender-advanced-threat-protection-new.md) identity.
+computerDnsName | String | [machine](machine-windows-defender-advanced-threat-protection-new.md) fully qualified name.
+firstSeen | DateTimeOffset | First date and time where the [machine](machine-windows-defender-advanced-threat-protection-new.md) was observed by WDATP.
+lastSeen | DateTimeOffset | Last date and time where the [machine](machine-windows-defender-advanced-threat-protection-new.md) was observed by WDATP.
+osPlatform | String | OS platform.
+osVersion | String | OS Version.
+lastIpAddress | String | Last IP on local NIC on the [machine](machine-windows-defender-advanced-threat-protection-new.md).
+lastExternalIpAddress | String | Last IP through which the [machine](machine-windows-defender-advanced-threat-protection-new.md) accessed the internet.
+agentVersion | String | Version of WDATP agent.
+osBuild | Nullable long | OS build number.
+healthStatus | Enum | [machine](machine-windows-defender-advanced-threat-protection-new.md) health status. Possible values are: "Active", "Inactive", "ImpairedCommunication", "NoSensorData" and "NoSensorDataImpairedCommunication"
+rbacGroupId | Int | RBAC Group ID.
+rbacGroupName | String | RBAC Group Name.
+riskScore | Nullable Enum | Risk score as evaluated by WDATP. Possible values are: 'None', 'Low', 'Medium' and 'High'.
+isAadJoined | Nullable Boolean | Is [machine](machine-windows-defender-advanced-threat-protection-new.md) AAD joined.
+aadDeviceId | Nullable Guid | AAD Device ID (when [machine](machine-windows-defender-advanced-threat-protection-new.md) is Aad Joined).
+machineTags | String collection | Set of [machine](machine-windows-defender-advanced-threat-protection-new.md) tags.
\ No newline at end of file
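Review bot: `# Methods` and `# Properties` are H1 headings under the page's own H1 `# Machine resource type`; the other new pages in this patch use `##` for sections. The front-matter description `Retrieves top machines` does not describe a resource-type reference, `Aad Joined` in the aadDeviceId row should match the `AAD` casing used in the same row, and the file ends without a trailing newline.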
diff --git a/windows/security/threat-protection/windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..6c225819b2
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,48 @@
+---
+title: machineAction resource type
+description: Retrieves top recent machineActions.
+keywords: apis, supported apis, get, machineaction, recent
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# MachineAction resource type
+
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Method|Return Type |Description
+:---|:---|:---
+[List MachineActions](get-machineactions-collection-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | List [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) entities.
+[Get MachineAction](get-machineaction-object-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Get a single [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) entity.
+[Collect investigation package](collect-investigation-package-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Collect investigation package from a [machine](machine-windows-defender-advanced-threat-protection-new.md).
+[Get investigation package SAS URI](get-package-sas-uri-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Get URI for downloading the investigation package.
+[Isolate machine](isolate-machine-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Isolate [machine](machine-windows-defender-advanced-threat-protection-new.md) from network.
+[Release machine from isolation](unisolate-machine-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Release [machine](machine-windows-defender-advanced-threat-protection-new.md) from Isolation.
+[Restrict app execution](restrict-code-execution-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Restrict application execution.
+[Remove app restriction](unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Remove application execution restriction.
+[Run antivirus scan](run-av-scan-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Run an AV scan using Windows Defender (when applicable).
+[Offboard machine](offboard-machine-api-windows-defender-advanced-threat-protection-new.md)|[Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Offboard [machine](machine-windows-defender-advanced-threat-protection-new.md) from WDATP.
+
+# Properties
+Property | Type | Description
+:---|:---|:---
+id | Guid | Identity of the [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) entity.
+type | Enum | Type of the action. Possible values are: "RunAntiVirusScan", "Offboard", "CollectInvestigationPackage", "Isolate", "Unisolate", "StopAndQuarantineFile", "RestrictCodeExecution" and "UnrestrictCodeExecution"
+requestor | String | Identity of the person that executed the action.
+requestorComment | String | Comment that was written when issuing the action.
+status | Enum | Current status of the command. Possible values are: "InProgress", "Succeeded", "Failed", "TimeOut" and "Cancelled".
+machineId | String | Id of the machine on which the action was executed.
+creationDateTimeUtc | DateTimeOffset | The date and time when the action was created.
+lastUpdateTimeUtc | DateTimeOffset | The last date and time when the action status was updated.
+relatedFileInfo | Class | Contains two Properties. 1) string 'fileIdentifier' 2) Enum 'fileIdentifierType' with the possible values: "Sha1" ,"Sha256" and "Md5".
+
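Review bot: The Return Type for List MachineActions is given as a single Machine Action, while the Machine page in this patch marks list results as a `collection`; mark this one the same way so callers know to expect an array. The methods table has no heading above it, and `# Properties` is an H1 where the other pages use `##`. The `relatedFileInfo` row would be easier to read with its two properties on separate lines or in the same quoting style as the other enum rows.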
diff --git a/windows/security/threat-protection/windows-defender-atp/machineactionsnote.md b/windows/security/threat-protection/windows-defender-atp/machineactionsnote.md
new file mode 100644
index 0000000000..fcbd68ecec
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/machineactionsnote.md
@@ -0,0 +1,6 @@
+---
+ms.date: 08/28/2017
+author: zavidor
+---
+>[!Note]
+> This page focuses on performing a machine action via API. See [take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md) for more information about response actions functionality via WDATP.
diff --git a/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-config.md b/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-config.md
index bcadd41d25..ba9be2d111 100644
--- a/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-config.md
+++ b/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-config.md
@@ -11,11 +11,11 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
-ms.date: 09/19/2018
+ms.date: 10/19/2018
---
-# Configure Microsoft Cloud App Security integration
+# Configure Microsoft Cloud App Security in Windows
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
diff --git a/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration.md b/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration.md
index c18f430649..12da630b32 100644
--- a/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration.md
+++ b/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration.md
@@ -1,7 +1,7 @@
---
title: Microsoft Cloud App Security integration overview
-description:
-keywords:
+description: Windows Defender ATP integrates with Cloud App Security by collecting and forwarding all cloud app networking activities, providing unparalleled visibility to cloud app usage
+keywords: cloud, app, networking, visibility, usage
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@@ -11,10 +11,10 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
-ms.date: 09/18/2018
+ms.date: 10/18/2018
---
-# Microsoft Cloud App Security integration overview
+# Microsoft Cloud App Security in Windows overview
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
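Review bot: The H1 becomes `Microsoft Cloud App Security in Windows overview`, but the front-matter `title:` kept as context in the first hunk of this file still reads `Microsoft Cloud App Security integration overview`. Update both together so the page title and heading match.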
diff --git a/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
index 4d2d4dc628..498cf8a90c 100644
--- a/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
-ms.date: 07/01/2018
+ms.date: 11/20/2018
---
# Minimum requirements for Windows Defender ATP
@@ -23,6 +23,10 @@ There are some minimum requirements for onboarding machines to the service.
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-minreqs-abovefoldlink)
+
+>[!TIP]
+> Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
+
## Licensing requirements
Windows Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:
@@ -30,7 +34,10 @@ Windows Defender Advanced Threat Protection requires one of the following Micros
- Windows 10 Education E5
- Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5
-For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us/Licensing/product-licensing/windows10.aspx#tab=2).
+For more information on the array of features in Windows 10 editions, see [Compare Windows 10 editions](https://www.microsoft.com/en-us/windowsforbusiness/compare).
+
+For a detailed comparison table of Windows 10 commercial edition comparison, see the [comparison PDF](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf).
+
## Related topic
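Review bot: The added sentence `For a detailed comparison table of Windows 10 commercial edition comparison` repeats itself. Something like `For a detailed comparison of Windows 10 commercial editions, see the comparison PDF` says the same thing cleanly.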
diff --git a/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..0200975d55
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,98 @@
+---
+title: Offboard machine API
+description: Use this API to offboard a machine from WDATP.
+keywords: apis, graph api, supported apis, collect investigation package
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Offboard machine API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Offboard machine from WDATP.
+
+[!include[Machine actions note](machineactionsnote.md)]
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.Offboard | 'Offboard machine'
+Delegated (work or school account) | Machine.Offboard | 'Offboard machine'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to 'Global Admin' AD role
+>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+POST https://api.securitycenter.windows.com/api/machines/{id}/offboard
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+Content-Type | string | application/json. **Required**.
+
+## Request body
+In the request body, supply a JSON object with the following parameters:
+
+Parameter | Type | Description
+:---|:---|:---
+Comment | String | Comment to associate with the action. **Required**.
+
+## Response
+If successful, this method returns 201 - Created response code and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) in the response body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/offboard
+Content-type: application/json
+{
+ "Comment": "Offboard machine by automation"
+}
+```
+
+**Response**
+
+Here is an example of the response.
+
+```
+HTTP/1.1 201 Created
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
+ "id": "c9042f9b-8483-4526-87b5-35e4c2532223",
+ "type": "OffboardMachine",
+ "requestor": "Analyst@contoso.com",
+ "requestorComment": "offboard machine by automation",
+ "status": "InProgress",
+ "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "creationDateTimeUtc": "2018-12-04T12:09:24.1785079Z",
+ "lastUpdateTimeUtc": "2018-12-04T12:09:24.1785079Z",
+ "relatedFileInfo": null
+}
+
+```
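Review bot: In the permissions note, `The user needs to 'Global Admin' AD role` is missing a verb; it should say the user needs to have that role. The response sample shows `"type": "OffboardMachine"`, but the MachineAction page in this patch lists `"Offboard"` as the value for this action, so one of the two needs correcting before clients match on the field. The sample's `requestorComment` also differs in case from the request's `Comment`, and the `keywords` line still says `collect investigation package`.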
diff --git a/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md
index d53fe2abfd..3dd7d4940d 100644
--- a/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
-ms.date: 07/01/2018
+ms.date: 11/19/2018
---
# Onboard machines to the Windows Defender ATP service
@@ -42,7 +42,7 @@ For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us
- Windows 7 SP1 Pro
- Windows 8.1 Enterprise
- Windows 8.1 Pro
-- Windows 10
+- Windows 10, version 1607 or later
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
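Review bot: `- Windows 10, version 1607 or later` is a sibling of the `Windows 10 Enterprise`, `Windows 10 Education` and `Windows 10 Pro` items that follow, so it is unclear whether the version floor applies to those editions. State the minimum version once for all Windows 10 editions, or nest the editions under it.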
@@ -128,7 +128,7 @@ If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the
#### Internet connectivity
Internet connectivity on machines is required either directly or through proxy.
-The Windows Defender ATP sensor can utilize a daily average bandwidth of 5MB to communicate with the Windows Defender ATP cloud service and report cyber data.
+The Windows Defender ATP sensor can utilize a daily average bandwidth of 5MB to communicate with the Windows Defender ATP cloud service and report cyber data. One-off activities such as file uploads and investigation package collection are not included in this daily average bandwidth.
For more information on additional proxy configuration settings see, [Configure machine proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) .
diff --git a/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md
index 59c6a4e7a2..0a0076523d 100644
--- a/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
-ms.date: 10/10/2018
+ms.date: 11/19/2018
---
# Onboard previous versions of Windows
@@ -46,12 +46,13 @@ Windows Defender ATP integrates with System Center Endpoint Protection to provid
The following steps are required to enable this integration:
- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie)
- Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting
+- Configure your network to allow connections to the Windows Defender Antivirus cloud. For more information, see [Allow connections to the Windows Defender Antivirus cloud](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus#allow-connections-to-the-windows-defender-antivirus-cloud)
## Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Windows Defender ATP
### Before you begin
Review the following details to verify minimum system requirements:
-- Install the [February monthly update rollup](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598) or a later monthly update rollup.
+- Install the [February monthly update rollup](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598)
>[!NOTE]
>Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro.
@@ -67,9 +68,9 @@ Review the following details to verify minimum system requirements:
>Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro.
>Don't install .NET framework 4.0.x, since it will negate the above installation.
+- Meet the Azure Log Analytics agent minimum system requirements. For more information, see [Collect data from computers in you environment with Log Analytics](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-concept-hybrid#prerequisites)
-- Meet the Azure Log Analytics agent minimum system requirements. For more information, see [Collect data from computers in your environment with Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-concept-hybrid#prerequisites)
1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603) or [Windows 32-bit agent](https://go.microsoft.com/fwlink/?LinkId=828604).
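Review bot: The re-added bullet changes `your environment` to `you environment` and switches the link from `docs.microsoft.com/azure/...` to a hard-coded `docs.microsoft.com/en-us/azure/...`. Both look like regressions; keep the removed line's text and locale-neutral URL and only move the bullet.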
@@ -89,7 +90,7 @@ Once completed, you should see onboarded endpoints in the portal within an hour.
### Configure proxy and Internet connectivity settings
-- Each Windows endpoint must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the [OMS Gateway](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-gateway).
+- Each Windows endpoint must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the [OMS Gateway](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-oms-gateway).
- If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service:
Agent Resource | Ports
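Review bot: The OMS Gateway link in the added bullet gains an `/en-us/` segment that the removed line did not have, which pins readers to the English page instead of letting docs.microsoft.com choose the language. Keep the locale-neutral URL from the removed line; nothing else in the bullet changes.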
diff --git a/windows/security/threat-protection/windows-defender-atp/overview.md b/windows/security/threat-protection/windows-defender-atp/overview.md
index 9741504d5c..d650cb05c1 100644
--- a/windows/security/threat-protection/windows-defender-atp/overview.md
+++ b/windows/security/threat-protection/windows-defender-atp/overview.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
-ms.date: 09/03/2018
+ms.date: 11/20/2018
---
# Overview of Windows Defender ATP capabilities
@@ -21,6 +21,9 @@ ms.date: 09/03/2018
Understand the concepts behind the capabilities in Windows Defender ATP so you take full advantage of the complete threat protection platform.
+>[!TIP]
+> Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
+
## In this section
Topic | Description
diff --git a/windows/security/threat-protection/windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..1a2575ea36
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,115 @@
+---
+title: Submit or Update Ti Indicator API
+description: Use this API to submit or Update Ti Indicator.
+keywords: apis, graph api, supported apis, submit, ti, ti indicator, update
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Submit or Update TI Indicator API
+
+[!include[Prerelease information](prerelease.md)]
+
+>[!Note]
+> Currently this API is supported only for AppOnly context requests. (See [Get access without a user](exposed-apis-create-app-webapp.md) for more information)
+
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+- Submits or Updates new [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity.
+
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Ti.ReadWrite | 'Read and write TI Indicators'
+
+
+## HTTP request
+```
+POST https://api.securitycenter.windows.com/api/tiindicators
+```
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+Content-Type | string | application/json. **Required**.
+
+## Request body
+In the request body, supply a JSON object with the following parameters:
+
+Parameter | Type | Description
+:---|:---|:---
+indicator | String | Identity of the [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity. **Required**
+indicatorType | Enum | Type of the indicator. Possible values are: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url". **Required**
+action | Enum | The action that will be taken if the indicator will be discovered in the organization. Possible values are: "Alert", "AlertAndBlock", and "Allowed". **Required**
+title | String | TI indicator alert title. **Optional**
+expirationTime | DateTimeOffset | The expiration time of the indicator. **Optional**
+severity | Enum | The severity of the indicator. possible values are: "Informational", "Low", "Medium" and "High". **Optional**
+description | String | Description of the indicator. **Optional**
+recommendedActions | String | TI indicator alert recommended actions. **Optional**
+
+
+## Response
+- If successful, this method returns 200 - OK response code and the created / updated [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity in the response body.
+- If not successful: this method return 400 - Bad Request / 409 - Conflict with the failure reason. Bad request usually indicates incorrect body and Conflict can happen if you try to submit a TI Indicator with existing indicator value but with different Indicator type or Action.
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+POST https://api.securitycenter.windows.com/api/tiindicators
+Content-type: application/json
+{
+ "indicator": "220e7d15b0b3d7fac48f2bd61114db1022197f7f",
+ "indicatorType": "FileSha1",
+ "title": "test",
+ "expirationTime": "2020-12-12T00:00:00Z",
+ "action": "AlertAndBlock",
+ "severity": "Informational",
+ "description": "test",
+ "recommendedActions": "TEST"
+}
+
+```
+**Response**
+
+Here is an example of the response.
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
+ "indicator": "220e7d15b0b3d7fac48f2bd61114db1022197f7f",
+ "indicatorType": "FileSha1",
+ "title": "test",
+ "creationTimeDateTimeUtc": "2018-10-24T10:54:23.2009016Z",
+ "createdBy": "45097602-1234-5678-1234-9f453233e62c",
+ "expirationTime": "2020-12-12T00:00:00Z",
+ "action": "AlertAndBlock",
+ "severity": "Informational",
+ "description": "test",
+ "recommendedActions": "TEST"
+}
+
+```
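Review bot: The response example's `@odata.context` is `$metadata#MachineActions/$entity`, although the body is a TI Indicator entity; it looks copied from a machine action page and should show the context this endpoint actually returns. The request example also omits the `Authorization: Bearer {token}` header that the Request headers table marks Required, so a reader copying it gets an unauthenticated call. Smaller points: "Submits or Updates new TI Indicator entity" sits as a second bullet under **Applies to** rather than as the page description, the front-matter title says "Ti" while the H1 says "TI", and "this method return 400" needs "returns".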
diff --git a/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md
index 48c6104eb8..7454693217 100644
--- a/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.sitesec: library
ms.pagetype: security
author: mjcaparas
ms.localizationpriority: medium
-ms.date: 10/19/2018
+ms.date: 11/26/2018
---
@@ -20,6 +20,10 @@ ms.date: 10/19/2018
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Prerelease information](prerelease.md)]
+
+>[!TIP]
+>Go to **Advanced features** in the **Settings** page to turn on the preview features.
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-powerbireports-abovefoldlink)
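Review bot: The new `>[!TIP]` block is followed directly by the existing `>Want to experience Windows Defender ATP?` line with no blank line between them, so the free-trial link will render inside the tip as part of the same blockquote. Add an empty line after ">Go to **Advanced features** ..." to keep the two callouts separate.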
@@ -200,5 +204,10 @@ There are a couple of tabs on the report that's generated:
In general, if you know of a specific threat name, CVE, or KB, you can identify machines with unpatched vulnerabilities that might be leveraged by threats. This report also helps you determine whether machine-level mitigations are configured correctly on the machines and prioritize those that might need attention.
+## Related topic
+- [**Beta** Create custom Power BI reports](run-advanced-query-sample-power-bi-app-token.md)
+
+
+
diff --git a/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
index f77b086c9e..f0d5d23e2f 100644
--- a/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
-ms.date: 11/05/2018
+ms.date: 12/03/2018
---
# Windows Defender ATP preview features
@@ -39,6 +39,10 @@ Turn on the preview experience setting to be among the first to try upcoming fea
## Preview features
The following features are included in the preview release:
+- [Information protection](information-protection-in-windows-overview.md)
+Windows Defender ATP is seamlessly integrated in Microsoft Threat Protection to provide a complete and comprehensive data loss prevention (DLP) solution for Windows devices. This solution is delivered and managed as part of the unified Microsoft 365 information protection suite.
+
+
- [Incidents](incidents-queue.md)
Windows Defender ATP applies correlation analytics and aggregates all related alerts and investigations into an incident. Doing so helps narrate a broader story of an attack, thus providing you with the right visuals (upgraded incident graph) and data representations to understand and deal with complex cross-entity threats to your organization's network.
@@ -58,5 +62,9 @@ Onboard supported versions of Windows machines so that they can send sensor data
- Windows 8.1 Pro
+- [Create and build Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)
+Windows Defender ATP makes it easy to create a Power BI dashboard by providing an option straight from the portal.
+
+
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-preview-belowfoldlink)
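Review bot: The Power BI bullet is added directly beneath `- Windows 8.1 Pro` with no blank line or heading in between, so it will render as one more item in that list of Windows versions rather than as a preview feature. Move it up under "The following features are included in the preview release:", next to the Information protection and Incidents entries, and follow the same pattern of link line plus description.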
diff --git a/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md
index 4ede6cb172..1c6449106b 100644
--- a/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
-ms.date: 10/26/2018
+ms.date: 11/19/2018
---
# Pull Windows Defender ATP alerts using REST API
@@ -106,6 +106,7 @@ DateTime?sinceTimeUtc | string | Defines the lower time bound alerts are retriev
DateTime?untilTimeUtc | string | Defines the upper time bound alerts are retrieved.
The time range will be: from `sinceTimeUtc` time to `untilTimeUtc` time.
**NOTE**: When not specified, the default value will be the current time.
string ago | string | Pulls alerts in the following time range: from `(current_time - ago)` time to `current_time` time.
Value should be set according to **ISO 8601** duration format
E.g. `ago=PT10M` will pull alerts received in the last 10 minutes.
int?limit | int | Defines the number of alerts to be retrieved. Most recent alerts will be retrieved based on the number defined.
**NOTE**: When not specified, all alerts available in the time range will be retrieved.
+machinegroups | String | Specifies machine groups to pull alerts from .
**NOTE**: When not specified, alerts from all machine groups will be retrieved.
Example:
```https://wdatp-alertexporter-eu.securitycenter.windows.com/api/Alerts/?machinegroups=UKMachines&machinegroups=FranceMachines```
### Request example
The following example demonstrates how to retrieve all the alerts in your organization.
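Review bot: The new `machinegroups` row has a stray space before the period ("pull alerts from .") and types the parameter as "String" while every other row in this table uses lowercase "string". The example passes the parameter twice to select two groups; say so in the description, since nothing in the row tells the reader that repeating the parameter is how multiple groups are requested.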
diff --git a/windows/security/threat-protection/windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md
index 8c0f6851d1..94706ede5a 100644
--- a/windows/security/threat-protection/windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Request sample API
+# Request sample API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-
+[!include[Deprecatedinformation](deprecate.md)]
Request sample of a file from a specific machine. File will be collected from the machine and uploaded to a secure storage.
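Review bot: The `[!include[Deprecatedinformation](deprecate.md)]` line replaces the blank line that separated the **Applies to** list from the description, leaving the include and "Request sample of a file ..." on adjacent lines. Put a blank line before and after the include so it renders as its own block, and write the label as "Deprecated information" to match the "Prerelease information" includes used elsewhere in this patch.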
diff --git a/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md
index cdc3c156e4..b684069aa8 100644
--- a/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
-ms.date: 11/05/2018
+ms.date: 11/28/2018
---
# Take response actions on a machine
@@ -122,6 +122,7 @@ In addition to the ability of containing an attack by stopping malicious process
>[!IMPORTANT]
> - This action is available for machines on Windows 10, version 1709 or later.
+> - This feature is available if your organization uses Windows Defender Antivirus.
> - This action needs to meet the Windows Defender Application Control code integrity policy formats and signing requirements. For more information, see [Code integrity policy formats and signing](https://docs.microsoft.com/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard#code-integrity-policy-formats-and-signing).
@@ -182,7 +183,7 @@ Depending on the severity of the attack and the sensitivity of the machine, you
This machine isolation feature disconnects the compromised machine from the network while retaining connectivity to the Windows Defender ATP service, which continues to monitor the machine.
-On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can also choose to enable Outlook and Skype for Business connectivity.
+On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can also choose to enable Outlook and Skype for Business connectivity (a.k.a 'Selective Isolation').
>[!NOTE]
>You’ll be able to reconnect the machine back to the network at any time.
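Review bot: The parenthetical added here is written "(a.k.a 'Selective Isolation')" while the same addition in step 3 of this file is "(a.k.a. 'Selective Isolation')", with the trailing period. Pick one form for both, or introduce the term once as "also known as Selective Isolation" and use the bare term in the step.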
@@ -198,7 +199,7 @@ On Windows 10, version 1709 or later, you'll have additional control over the ne

-3. Select the check-box if you'd like to enable Outlook and Skype communication while the machine is isolated.
+3. Select the check-box if you'd like to enable Outlook and Skype communication while the machine is isolated (a.k.a. 'Selective Isolation').

diff --git a/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..d57876fdc0
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,101 @@
+---
+title: Restrict app execution API
+description: Use this API to create calls related to restricting an application from executing.
+keywords: apis, graph api, supported apis, collect investigation package
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Restrict app execution API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Restrict execution of all applications on the machine except a predefined set (see [Response machine alerts](respond-machine-alerts-windows-defender-advanced-threat-protection.md) for more information)
+
+[!include[Machine actions note](machineactionsnote.md)]
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.RestrictExecution | 'Restrict code execution'
+Delegated (work or school account) | Machine.RestrictExecution | 'Restrict code execution'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+POST https://api.securitycenter.windows.com/api/machines/{id}/restrictCodeExecution
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+Content-Type | string | application/json. **Required**.
+
+## Request body
+In the request body, supply a JSON object with the following parameters:
+
+Parameter | Type | Description
+:---|:---|:---
+Comment | String | Comment to associate with the action. **Required**.
+
+## Response
+If successful, this method returns 201 - Created response code and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) in the response body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/restrictCodeExecution
+Content-type: application/json
+{
+ "Comment": "Restrict code execution due to alert 1234"
+}
+
+```
+**Response**
+
+Here is an example of the response.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+HTTP/1.1 201 Created
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
+ "id": "78d408d1-384c-4c19-8b57-ba39e378011a",
+ "type": "RestrictCodeExecution",
+ "requestor": "Analyst@contoso.com ",
+ "requestorComment": "Restrict code execution due to alert 1234",
+ "status": "InProgress",
+ "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "creationDateTimeUtc": "2018-12-04T12:15:04.3825985Z",
+ "lastUpdateTimeUtc": "2018-12-04T12:15:04.3825985Z",
+ "relatedFileInfo": null
+}
+
+```
+
+To remove code execution restriction from a machine, see [Remove app restriction](unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md).
+
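Review bot: The `[!include[Improve request performance](improverequestperformance-new.md)]` line sits between "Here is an example of the response." and the response code block, where it interrupts the example; the TI indicator page in this patch places the same include under **HTTP request**, which is where it belongs here too. The front-matter keywords still say "collect investigation package", the link text "Response machine alerts" should read "Respond to machine alerts" or similar, the request example omits the Required `Authorization` header, and the `requestor` value "Analyst@contoso.com " carries a trailing space.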
diff --git a/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md
index 3eb57786f8..1722b1f921 100644
--- a/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md
@@ -14,12 +14,12 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Restrict app execution API
+# Restrict app execution API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-
+[!include[Deprecatedinformation](deprecate.md)]
Restrict execution of set of predefined applications.
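Review bot: The heading now says "(deprecated)" but the page gives no pointer to its replacement, which this same patch adds as restrict-code-execution-windows-defender-advanced-threat-protection-new.md; link to it next to the deprecation include. While the page is being touched, note that the unchanged description "Restrict execution of set of predefined applications." says the opposite of the new page's "Restrict execution of all applications on the machine except a predefined set", and the include label "Deprecatedinformation" is missing its space.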
diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-api.md b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-api.md
new file mode 100644
index 0000000000..8decfce57c
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-api.md
@@ -0,0 +1,151 @@
+---
+title: Advanced Hunting API
+description: Use this API to run advanced queries
+keywords: apis, supported apis, advanced hunting, query
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 09/03/2018
+---
+
+# Advanced hunting API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+[!include[Prerelease information](prerelease.md)]
+
+
+
+This API allows you to run programmatic queries that you are used to running from [Windows Defender ATP Portal](https://securitycenter.windows.com/hunting).
+
+
+## Limitations
+This API is a beta version only and is currently restricted to the following actions:
+1. You can only run a query on data from the last 30 days
+2. The results will include a maximum of 10,000 rows
+3. The number of executions is limited (up to 15 calls per minute, 15 minutes of running time every hour and 4 hours of running time a day)
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | AdvancedQuery.Read.All | 'Run advanced queries'
+Delegated (work or school account) | AdvancedQuery.Read | 'Run advanced queries'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have 'Global Admin' AD role (note: will be updated soon to 'View Data')
+>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+POST https://api.securitycenter.windows.com/api/advancedqueries/run
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content-Type | application/json
+
+## Request body
+In the request body, supply a JSON object with the following parameters:
+
+Parameter | Type | Description
+:---|:---|:---
+Query | Text | The query to run. **Required**.
+
+## Response
+If successful, this method returns 200 OK, and _QueryResponse_ object in the response body.
+
+
+## Example
+
+Request
+
+Here is an example of the request.
+
+>[!NOTE]
+>For better performance, you can use server closer to your geo location:
+> - api-us.securitycenter.windows.com
+> - api-eu.securitycenter.windows.com
+> - api-uk.securitycenter.windows.com
+
+```
+POST https://api.securitycenter.windows.com/api/advancedqueries/run
+Content-type: application/json
+{
+ "Query":"ProcessCreationEvents
+| where InitiatingProcessFileName =~ \"powershell.exe\"
+| where ProcessCommandLine contains \"appdata\"
+| project EventTime, FileName, InitiatingProcessFileName
+| limit 2"
+}
+```
+
+Response
+
+Here is an example of the response.
+
+>[!NOTE]
+>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
+
+```
+HTTP/1.1 200 OK
+Content-Type: application/json
+{
+ "Schema": [{
+ "Name": "EventTime",
+ "Type": "DateTime"
+ },
+ {
+ "Name": "FileName",
+ "Type": "String"
+ },
+ {
+ "Name": "InitiatingProcessFileName",
+ "Type": "String"
+ }],
+ "Results": [{
+ "EventTime": "2018-07-09T07:16:26.8017265",
+ "FileName": "csc.exe",
+ "InitiatingProcessFileName": "powershell.exe"
+ },
+ {
+ "EventTime": "2018-07-08T19:00:02.7798905",
+ "FileName": "gpresult.exe",
+ "InitiatingProcessFileName": "powershell.exe"
+ }]
+}
+
+
+```
+
+## Troubleshoot issues
+
+- Error: (403) Forbidden
+
+
+ If you get this error when calling Windows Defender ATP API, your token might not include the necessary permission.
+
+ Check [app permissions](exposed-apis-create-app-webapp.md#validate-the-token) or [delegated permissions](exposed-apis-create-app-nativeapp.md#validate-the-token) included in your token.
+
+ If the 'roles' section in the token does not include the necessary permission:
+
+ - The necessary permission to your app might not have been granted. For more information, see [Access Windows Defender ATP without a user](exposed-apis-create-app-webapp.md#create-an-app) or [Access Windows Defender ATP on behalf of a user](exposed-apis-create-app-nativeapp.md#create-an-app) or,
+ - The app was not authorized in the tenant, see [Application consent](exposed-apis-create-app-webapp.md#application-consent).
+
+
+## Related topic
+- [Windows Defender ATP APIs](apis-intro.md)
+- [Advanced Hunting from Portal](advanced-hunting-windows-defender-advanced-threat-protection.md)
+- [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)
+- [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md)
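Review bot: The request example is not valid JSON: the `"Query"` string value spans five physical lines, and JSON strings cannot contain raw line breaks, so a reader who pastes this body will get a parse error. Put the query on one line or encode the breaks as `\n`. The example also omits the `Authorization` header that the headers table marks Required, and that table does not mark `Content-Type` as Required although the other API pages in this patch do. Under **Limitations**, "restricted to the following actions" introduces a list of limits, not actions. The permissions note requiring the 'Global Admin' role for user tokens deserves a sentence on why, since it is far broader than the 'Run advanced queries' permission it accompanies.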
diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-ms-flow.md b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-ms-flow.md
new file mode 100644
index 0000000000..d5e16fbf5a
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-ms-flow.md
@@ -0,0 +1,88 @@
+---
+title: Advanced Hunting API
+description: Use this API to run advanced queries
+keywords: apis, supported apis, advanced hunting, query
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 09/24/2018
+---
+
+# Schedule Advanced Hunting using Microsoft Flow
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+Schedule advanced query.
+
+## Before you begin
+You first need to [create an app](apis-intro.md).
+
+## Use case
+
+A common scenario is scheduling an advanced query and using the results for follow up actions and processing.
+In this section we share sample for this purpose using [Microsoft Flow](https://flow.microsoft.com/) (or [Logic Apps](https://azure.microsoft.com/en-us/services/logic-apps/)).
+
+## Define a flow to run query and parse results
+
+Use the following basic flow as an example.
+
+1. Define the trigger – Recurrence by time.
+
+2. Add an action: Select HTTP.
+
+ 
+
+ - Set method to be POST
+ - Uri is https://api.securitycenter.windows.com/api/advancedqueries/run or one of the region specific locations
+ - US: https://api-us.securitycenter.windows.com/api/advancedqueries/run
+ - Europe: https://api-eu.securitycenter.windows.com/api/advancedqueries/run
+ - United Kingdom: https://api-uk.securitycenter.windows.com/api/advancedqueries/run
+ - Add the Header: Content-Type application/json
+ - In the body write your query surrounded by single quotation mark (')
+ - In the Advanced options select Authentication to be Active Directory OAuth
+ - Set the Tenant with proper AAD Tenant Id
+ - Audience is https://api.securitycenter.windows.com
+ - Client ID is your application ID
+ - Credential Type should be Secret
+ - Secret is the application secret generated in the Azure Active directory.
+
+ 
+
+3. You can use the "Parse JSON" action to get the schema of data – just "use sample payload to generate schema" and copy an output from of the expected result.
+
+ 
+
+## Expand the flow to use the query results
+
+The following section shows how to use the parsed results to insert them in SQL database.
+
+This is an example only, you can use other actions supported by Microsoft Flow.
+
+- Add an 'Apply to each' action
+- Select the Results json (which was an output of the last parse action)
+- Add an 'Insert row' action – you will need to supply the connection details
+- Select the table you want to update and define the mapping between the WD-ATP output to the SQL. Note it is possible to manipulate the data inside the flow. In the example I changed the type of the EventTime.
+
+
+
+The output in the SQL DB is getting updates and can be used for correlation with other data sources. You can now read from your table:
+
+
+
+## Full flow definition
+
+You can find below the full definition
+
+
+
+## Related topic
+- [Windows Defender ATP APIs](apis-intro.md)
+- [Advanced Hunting API](run-advanced-query-api.md)
+- [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)
\ No newline at end of file
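Review bot: The front matter reuses `title: Advanced Hunting API` and `description: Use this API to run advanced queries` from run-advanced-query-api.md, so two different pages will share one title and description in search and navigation; give this page its own, matching the H1 "Schedule Advanced Hunting using Microsoft Flow". The HTTP action step tells the reader to enter the application secret directly in the action; add a sentence on who can view or export the flow, because the secret travels with it. Wording to fix: "copy an output from of the expected result", the first-person "In the example I changed the type of the EventTime", and "Schedule advanced query." as the whole page summary. The file also ends without a trailing newline.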
diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-app-token.md b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-app-token.md
new file mode 100644
index 0000000000..ce6ccb012c
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-app-token.md
@@ -0,0 +1,134 @@
+---
+title: Advanced Hunting API
+description: Use this API to run advanced queries
+keywords: apis, supported apis, advanced hunting, query
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 30/07/2018
+---
+
+# Create custom reports using Power BI (app authentication)
+
+Run advanced queries and show results in Microsoft Power BI. Please read about [Advanced Hunting API](run-advanced-query-api.md) before.
+
+In this section we share Power BI query sample to run a query using **application token**.
+
+If you want to use **user token** instead please refer to [this](run-advanced-query-sample-power-bi-user-token.md) tutorial.
+
+>**Prerequisite**: You first need to [create an app](exposed-apis-create-app-webapp.md).
+
+## Run a query
+
+- Open Microsoft Power BI
+
+- Click **Get Data** > **Blank Query**
+
+ 
+
+- Click **Advanced Editor**
+
+ 
+
+- Copy the below and paste it in the editor, after you update the values of TenantId, AppId, AppSecret, Query
+
+ ```
+ let
+
+ TenantId = "00000000-0000-0000-0000-000000000000", // Paste your own tenant ID here
+ AppId = "11111111-1111-1111-1111-111111111111", // Paste your own app ID here
+ AppSecret = "22222222-2222-2222-2222-222222222222", // Paste your own app secret here
+ Query = "MachineInfo | where EventTime > ago(7d) | summarize EventCount=count(), LastSeen=max(EventTime) by MachineId", // Paste your own query here
+
+ ResourceAppIdUrl = "https://api.securitycenter.windows.com",
+ OAuthUrl = Text.Combine({"https://login.windows.net/", TenantId, "/oauth2/token"}, ""),
+
+ Resource = Text.Combine({"resource", Uri.EscapeDataString(ResourceAppIdUrl)}, "="),
+ ClientId = Text.Combine({"client_id", AppId}, "="),
+ ClientSecret = Text.Combine({"client_secret", Uri.EscapeDataString(AppSecret)}, "="),
+ GrantType = Text.Combine({"grant_type", "client_credentials"}, "="),
+
+ Body = Text.Combine({Resource, ClientId, ClientSecret, GrantType}, "&"),
+
+ AuthResponse= Json.Document(Web.Contents(OAuthUrl, [Content=Text.ToBinary(Body)])),
+ AccessToken= AuthResponse[access_token],
+ Bearer = Text.Combine({"Bearer", AccessToken}, " "),
+
+ AdvancedHuntingUrl = "https://api.securitycenter.windows.com/api/advancedqueries/run",
+
+ Response = Json.Document(Web.Contents(
+ AdvancedHuntingUrl,
+ [
+ Headers = [#"Content-Type"="application/json", #"Accept"="application/json", #"Authorization"=Bearer],
+ Content=Json.FromValue([#"Query"=Query])
+ ]
+ )),
+
+ TypeMap = #table(
+ { "Type", "PowerBiType" },
+ {
+ { "Double", Double.Type },
+ { "Int64", Int64.Type },
+ { "Int32", Int32.Type },
+ { "Int16", Int16.Type },
+ { "UInt64", Number.Type },
+ { "UInt32", Number.Type },
+ { "UInt16", Number.Type },
+ { "Byte", Byte.Type },
+ { "Single", Single.Type },
+ { "Decimal", Decimal.Type },
+ { "TimeSpan", Duration.Type },
+ { "DateTime", DateTimeZone.Type },
+ { "String", Text.Type },
+ { "Boolean", Logical.Type },
+ { "SByte", Logical.Type },
+ { "Guid", Text.Type }
+ }),
+
+ Schema = Table.FromRecords(Response[Schema]),
+ TypedSchema = Table.Join(Table.SelectColumns(Schema, {"Name", "Type"}), {"Type"}, TypeMap , {"Type"}),
+ Results = Response[Results],
+ Rows = Table.FromRecords(Results, Schema[Name]),
+ Table = Table.TransformColumnTypes(Rows, Table.ToList(TypedSchema, (c) => {c{0}, c{2}}))
+
+ in Table
+
+ ```
+
+- Click **Done**
+
+ 
+
+- Click **Edit Credentials**
+
+ 
+
+- Select **Anonymous** and click **Connect**
+
+ 
+
+- Repeat the previous step for the second URL
+
+- Click **Continue**
+
+ 
+
+- Select the privacy level you want and click **Save**
+
+ 
+
+- View the results of your query
+
+ 
+
+## Related topic
+- [Create custom Power BI reports with user authentication](run-advanced-query-sample-power-bi-user-token.md)
+- [Windows Defender ATP APIs](apis-intro.md)
+- [Advanced Hunting API](run-advanced-query-api.md)
+- [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)
+- [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md)
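Review bot: The M sample keeps `AppSecret` as a literal in the query text and the following steps tell the reader to select **Anonymous** credentials for both URLs, so the client secret is saved in clear inside any report file that contains this query and goes wherever that file is shared. Add a sentence after the code block telling readers to supply the secret through a parameter or to strip it before sharing the report. In `TypeMap`, the row `{ "SByte", Logical.Type }` looks like a copy of the `Boolean` row; a numeric type such as `Int8.Type` would match the other integer rows. The front matter has `ms.date: 30/07/2018` (day first), while the PowerShell page in this patch uses month first (`09/24/2018`).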
diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-user-token.md b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-user-token.md
new file mode 100644
index 0000000000..b065578d98
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-user-token.md
@@ -0,0 +1,115 @@
+---
+title: Advanced Hunting API
+description: Use this API to run advanced queries
+keywords: apis, supported apis, advanced hunting, query
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 30/07/2018
+---
+
+# Create custom reports using Power BI (user authentication)
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+
+Run advanced queries and show results in Microsoft Power BI. Please read about [Advanced Hunting API](run-advanced-query-api.md) before.
+
+In this section we share Power BI query sample to run a query using **user token**.
+
+If you want to use **application token** instead please refer to [this](run-advanced-query-sample-power-bi-app-token.md) tutorial.
+
+## Before you begin
+You first need to [create an app](exposed-apis-create-app-nativeapp.md).
+
+## Run a query
+
+- Open Microsoft Power BI
+
+- Click **Get Data** > **Blank Query**
+
+ 
+
+- Click **Advanced Editor**
+
+ 
+
+- Copy the below and paste it in the editor, after you update the values of Query
+
+ ```
+ let
+
+ Query = "MachineInfo | where EventTime > ago(7d) | summarize EventCount=count(), LastSeen=max(EventTime) by MachineId",
+
+ FormattedQuery= Uri.EscapeDataString(Query),
+
+ AdvancedHuntingUrl = "https://api.securitycenter.windows.com/api/advancedqueries?key=" & FormattedQuery,
+
+ Response = Json.Document(Web.Contents(AdvancedHuntingUrl)),
+
+ TypeMap = #table(
+ { "Type", "PowerBiType" },
+ {
+ { "Double", Double.Type },
+ { "Int64", Int64.Type },
+ { "Int32", Int32.Type },
+ { "Int16", Int16.Type },
+ { "UInt64", Number.Type },
+ { "UInt32", Number.Type },
+ { "UInt16", Number.Type },
+ { "Byte", Byte.Type },
+ { "Single", Single.Type },
+ { "Decimal", Decimal.Type },
+ { "TimeSpan", Duration.Type },
+ { "DateTime", DateTimeZone.Type },
+ { "String", Text.Type },
+ { "Boolean", Logical.Type },
+ { "SByte", Logical.Type },
+ { "Guid", Text.Type }
+ }),
+
+ Schema = Table.FromRecords(Response[Schema]),
+ TypedSchema = Table.Join(Table.SelectColumns(Schema, {"Name", "Type"}), {"Type"}, TypeMap , {"Type"}),
+ Results = Response[Results],
+ Rows = Table.FromRecords(Results, Schema[Name]),
+ Table = Table.TransformColumnTypes(Rows, Table.ToList(TypedSchema, (c) => {c{0}, c{2}}))
+
+ in Table
+
+ ```
+
+- Click **Done**
+
+ 
+
+- Click **Edit Credentials**
+
+ 
+
+- Select **Organizational account** > **Sign in**
+
+ 
+
+- Enter your credentials and wait to be signed in
+
+- Click **Connect**
+
+ 
+
+- View the results of your query
+
+ 
+
+## Related topic
+- [Create custom Power BI reports with app authentication](run-advanced-query-sample-power-bi-app-token.md)
+- [Windows Defender ATP APIs](apis-intro.md)
+- [Advanced Hunting API](run-advanced-query-api.md)
+- [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)
+- [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md)
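Review bot: `AdvancedHuntingUrl` is built as `https://api.securitycenter.windows.com/api/advancedqueries?key=` plus the escaped query and fetched with a plain `Web.Contents` GET, while the app-token, PowerShell and Python samples in this patch all POST a JSON body to `/api/advancedqueries/run`. Please confirm the `?key=` route is intended and say so in the text, or move this sample to the `/run` route; carrying the whole query in the URL also puts it into proxy and gateway logs and subjects it to URL length limits. Minor: the step reads "update the values of Query" although there is a single value, and `TypeMap` maps `SByte` to `Logical.Type`, which looks like a copy of the `Boolean` row.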
diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-powershell.md b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-powershell.md
new file mode 100644
index 0000000000..76fa741ab6
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-powershell.md
@@ -0,0 +1,119 @@
+---
+title: Advanced Hunting API
+description: Use this API to run advanced queries
+keywords: apis, supported apis, advanced hunting, query
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 09/24/2018
+---
+
+# Advanced Hunting using PowerShell
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+
+Run advanced queries using PowerShell, see [Advanced Hunting API](run-advanced-query-api.md).
+
+In this section we share PowerShell samples to retrieve a token and use it to run a query.
+
+## Before you begin
+You first need to [create an app](apis-intro.md).
+
+## Preparation instructions
+
+- Open a PowerShell window.
+- If your policy does not allow you to run the PowerShell commands, you can run the below command:
+```
+Set-ExecutionPolicy -ExecutionPolicy Bypass
+```
+
+>For more details, see [PowerShell documentation](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy)
+
+## Get token
+
+- Run the following:
+
+```
+$tenantId = '00000000-0000-0000-0000-000000000000' # Paste your own tenant ID here
+$appId = '11111111-1111-1111-1111-111111111111' # Paste your own app ID here
+$appSecret = '22222222-2222-2222-2222-222222222222' # Paste your own app secret here
+
+$resourceAppIdUri = 'https://api.securitycenter.windows.com'
+$oAuthUri = "https://login.windows.net/$TenantId/oauth2/token"
+$body = [Ordered] @{
+ resource = "$resourceAppIdUri"
+ client_id = "$appId"
+ client_secret = "$appSecret"
+ grant_type = 'client_credentials'
+}
+$response = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $body -ErrorAction Stop
+$aadToken = $response.access_token
+
+```
+
+where
+- $tenantId: ID of the tenant on behalf of which you want to run the query (i.e., the query will be run on the data of this tenant)
+- $appId: ID of your AAD app (the app must have 'Run advanced queries' permission to WDATP)
+- $appSecret: Secret of your AAD app
+
+## Run query
+
+Run the following query:
+
+```
+$query = 'RegistryEvents | limit 10' # Paste your own query here
+
+$url = "https://api.securitycenter.windows.com/api/advancedqueries/run"
+$headers = @{
+ 'Content-Type' = 'application/json'
+ Accept = 'application/json'
+ Authorization = "Bearer $aadToken"
+}
+$body = ConvertTo-Json -InputObject @{ 'Query' = $query }
+$webResponse = Invoke-WebRequest -Method Post -Uri $url -Headers $headers -Body $body -ErrorAction Stop
+$response = $webResponse | ConvertFrom-Json
+$results = $response.Results
+$schema = $response.Schema
+```
+
+- $results contains the results of your query
+- $schema contains the schema of the results of your query
+
+### Complex queries
+
+If you want to run complex queries (or multilines queries), save your query in a file and, instead of the first line in the above sample, run the below command:
+
+```
+$query = [IO.File]::ReadAllText("C:\myQuery.txt"); # Replace with the path to your file
+```
+
+## Work with query results
+
+You can now use the query results.
+
+To output the results of the query in CSV format in file file1.csv do the below:
+
+```
+$results | ConvertTo-Csv -NoTypeInformation | Set-Content file1.csv
+```
+
+To output the results of the query in JSON format in file file1.json do the below:
+
+```
+$results | ConvertTo-Json | Set-Content file1.json
+```
+
+
+## Related topic
+- [Windows Defender ATP APIs](apis-intro.md)
+- [Advanced Hunting API](run-advanced-query-api.md)
+- [Advanced Hunting using Python](run-advanced-query-sample-python.md)
+- [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md)
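Review bot: In "Preparation instructions", `Set-ExecutionPolicy -ExecutionPolicy Bypass` is given without `-Scope`, so it changes the policy at the default LocalMachine scope (which needs elevation) and leaves the machine in Bypass after the sample has been run. Suggest `Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process` so the change ends with the PowerShell session. In "Get token", `$appSecret` is a literal in the script; add a sentence recommending that the secret be read from a secure store instead of being saved in the file. The "create an app" link under "Before you begin" points to apis-intro.md, whereas the Power BI app-token page in this patch links to exposed-apis-create-app-webapp.md for the same prerequisite.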
diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-python.md b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-python.md
new file mode 100644
index 0000000000..71784d6ccd
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-python.md
@@ -0,0 +1,146 @@
+---
+title: Advanced Hunting API
+description: Use this API to run advanced queries
+keywords: apis, supported apis, advanced hunting, query
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 30/07/2018
+---
+
+# Advanced Hunting using Python
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+Run advanced queries using Python, see [Advanced Hunting API](run-advanced-query-api.md).
+
+In this section we share Python samples to retrieve a token and use it to run a query.
+
+>**Prerequisite**: You first need to [create an app](apis-intro.md).
+
+## Get token
+
+- Run the following:
+
+```
+
+import json
+import urllib.request
+import urllib.parse
+
+tenantId = '00000000-0000-0000-0000-000000000000' # Paste your own tenant ID here
+appId = '11111111-1111-1111-1111-111111111111' # Paste your own app ID here
+appSecret = '22222222-2222-2222-2222-222222222222' # Paste your own app secret here
+
+url = "https://login.windows.net/%s/oauth2/token" % (tenantId)
+
+resourceAppIdUri = 'https://api.securitycenter.windows.com'
+
+body = {
+ 'resource' : resourceAppIdUri,
+ 'client_id' : appId,
+ 'client_secret' : appSecret,
+ 'grant_type' : 'client_credentials'
+}
+
+data = urllib.parse.urlencode(body).encode("utf-8")
+
+req = urllib.request.Request(url, data)
+response = urllib.request.urlopen(req)
+jsonResponse = json.loads(response.read())
+aadToken = jsonResponse["access_token"]
+
+```
+
+where
+- tenantId: ID of the tenant on behalf of which you want to run the query (i.e., the query will be run on the data of this tenant)
+- appId: ID of your AAD app (the app must have 'Run advanced queries' permission to WDATP)
+- appSecret: Secret of your AAD app
+
+## Run query
+
+ Run the following query:
+
+```
+query = 'RegistryEvents | limit 10' # Paste your own query here
+
+url = "https://api.securitycenter.windows.com/api/advancedqueries/run"
+headers = {
+ 'Content-Type' : 'application/json',
+ 'Accept' : 'application/json',
+ 'Authorization' : "Bearer " + aadToken
+}
+
+data = json.dumps({ 'Query' : query }).encode("utf-8")
+
+req = urllib.request.Request(url, data, headers)
+response = urllib.request.urlopen(req)
+jsonResponse = json.loads(response.read())
+schema = jsonResponse["Schema"]
+results = jsonResponse["Results"]
+
+```
+
+- schema contains the schema of the results of your query
+- results contains the results of your query
+
+### Complex queries
+
+If you want to run complex queries (or multilines queries), save your query in a file and, instead of the first line in the above sample, run the below command:
+
+```
+queryFile = open("D:\\Temp\\myQuery.txt", 'r') # Replace with the path to your file
+query = queryFile.read()
+queryFile.close()
+```
+
+## Work with query results
+
+You can now use the query results.
+
+To iterate over the results do the below:
+
+```
+for result in results:
+ print(result) # Prints the whole result
+ print(result["EventTime"]) # Prints only the property 'EventTime' from the result
+
+
+```
+
+
+To output the results of the query in CSV format in file file1.csv do the below:
+
+```
+import csv
+
+outputFile = open("D:\\Temp\\file1.csv", 'w')
+output = csv.writer(outputFile)
+output.writerow(results[0].keys())
+for result in results:
+ output.writerow(result.values())
+
+outputFile.close()
+```
+
+To output the results of the query in JSON format in file file1.json do the below:
+
+```
+outputFile = open("D:\\Temp\\file1.json", 'w')
+json.dump(results, outputFile)
+outputFile.close()
+```
+
+
+## Related topic
+- [Windows Defender ATP APIs](apis-intro.md)
+- [Advanced Hunting API](run-advanced-query-api.md)
+- [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)
+- [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md)
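Review bot: The CSV sample under "Work with query results" calls `results[0].keys()` unconditionally, so a query that returns no rows raises IndexError, and it opens the file with `open("D:\\Temp\\file1.csv", 'w')` without `newline=''`, which makes the csv module emit a blank line after every row on Windows. Suggest taking the header from `schema` (already fetched in "Run query"), passing `newline=''`, and using `with open(...)` in all three file samples so the handle is closed when an exception occurs. The iteration sample prints `result["EventTime"]`, which raises KeyError for any pasted query that does not return that column; a comment saying so would help. `appSecret` is a literal in the "Get token" script; recommend reading it from an environment variable or a secret store.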
diff --git a/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..c9ae44eb2b
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,107 @@
+---
+title: Run antivirus scan API
+description: Use this API to create calls related to running an antivirus scan on a machine.
+keywords: apis, graph api, supported apis, remove machine from isolation
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Run antivirus scan API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+Initiate Windows Defender Antivirus scan on a machine.
+
+[!include[Machine actions note](machineactionsnote.md)]
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.Scan | 'Scan machine'
+Delegated (work or school account) | Machine.Scan | 'Scan machine'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+POST https://api.securitycenter.windows.com/api/machines/{id}/runAntiVirusScan
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+Content-Type | string | application/json
+
+## Request body
+In the request body, supply a JSON object with the following parameters:
+
+Parameter | Type | Description
+:---|:---|:---
+Comment | String | Comment to associate with the action. **Required**.
+ScanType| String | Defines the type of the Scan. **Required**.
+
+**ScanType** controls the type of scan to perform and can be one of the following:
+
+- **Quick** – Perform quick scan on the machine
+- **Full** – Perform full scan on the machine
+
+
+
+## Response
+If successful, this method returns 201, Created response code and _MachineAction_ object in the response body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/runAntiVirusScan
+Content-type: application/json
+{
+ "Comment": "Check machine for viruses due to alert 3212",
+ “ScanType”: “Full”
+}
+```
+
+**Response**
+
+Here is an example of the response.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+HTTP/1.1 201 Created
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
+ "id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba",
+ "type": "RunAntiVirusScan",
+ "requestor": "Analyst@contoso.com",
+ "requestorComment": "Check machine for viruses due to alert 3212",
+ "status": "InProgress",
+ "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z",
+ "lastUpdateTimeUtc": "2018-12-04T12:18:27.1293487Z",
+ "relatedFileInfo": null
+}
+
+```
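Review bot: The second property in the request example is written with typographic quotes (`“ScanType”: “Full”`), so the body is not valid JSON and fails when copied; replace them with straight quotes. In the "Request headers" table, Content-Type carries no **Required** marker although the call sends a JSON body, and the request example omits the Authorization header that the table marks as required. The front matter keywords still read "remove machine from isolation", which looks carried over from another page.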
diff --git a/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md
index 73333ff005..40d0e7da3f 100644
--- a/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md
@@ -14,12 +14,12 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Run antivirus scan API
+# Run antivirus scan API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-
+[!include[Deprecated information](deprecate.md)]
Initiate Windows Defender Antivirus scan on the machine.
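Review bot: The title now says "(deprecated)" but nothing visible in this hunk tells the reader which page replaces it; add a link to run-av-scan-windows-defender-advanced-threat-protection-new.md (added in this patch) next to the `deprecate.md` include, unless the include already carries that link. `ms.date` stays at 12/08/2017 although the page content changes.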
diff --git a/windows/security/threat-protection/windows-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..9b50c9bf1d
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,105 @@
+---
+title: Stop and quarantine file API
+description: Use this API to stop and quarantine file.
+keywords: apis, graph api, supported apis, stop and quarantine file
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Stop and quarantine file API
+
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+- Stop execution of a file on a machine and delete it.
+
+[!include[Machine actions note](machineactionsnote.md)]
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.StopAndQuarantine | 'Stop And Quarantine'
+Delegated (work or school account) | Machine.StopAndQuarantine | 'Stop And Quarantine'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+POST https://api.securitycenter.windows.com/api/machines/{id}/StopAndQuarantineFile
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+Content-Type | string | application/json. **Required**.
+
+## Request body
+In the request body, supply a JSON object with the following parameters:
+
+Parameter | Type | Description
+:---|:---|:---
+Comment | String | Comment to associate with the action. **Required**.
+Sha1 | String | Sha1 of the file to stop and quarantine on the machine. **Required**.
+
+## Response
+If successful, this method returns 201 - Created response code and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) in the response body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/StopAndQuarantineFile
+Content-type: application/json
+{
+ "Comment": "Stop and quarantine file on machine due to alert 441688558380765161_2136280442",
+ "Sha1": "87662bc3d60e4200ceaf7aae249d1c343f4b83c9"
+}
+
+```
+**Response**
+
+Here is an example of the response.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+HTTP/1.1 201 Created
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
+ "id": "141408d1-384c-4c19-8b57-ba39e378011a",
+ "type": "StopAndQuarantineFile",
+ "requestor": "Analyst@contoso.com ",
+ "requestorComment": "Stop and quarantine file on machine due to alert 441688558380765161_2136280442",
+ "status": "InProgress",
+ "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "creationDateTimeUtc": "2018-12-04T12:15:04.3825985Z",
+ "lastUpdateTimeUtc": "2018-12-04T12:15:04.3825985Z",
+ "relatedFileInfo": {
+ "fileIdentifier": "87662bc3d60e4200ceaf7aae249d1c343f4b83c9",
+ "fileIdentifierType": "Sha1"
+ }
+}
+
+```
+
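Review bot: The summary line is a one-item bullet (`- Stop execution of a file on a machine and delete it.`) and says the file is deleted, while the API name and the front matter description say quarantine and the deprecated page describes the action as "ensure it's not executed again on that machine". Make it a plain sentence and state exactly what happens to the file, since a responder needs to know whether it can be restored afterwards. In the response example, `"requestor": "Analyst@contoso.com "` has a trailing space inside the string.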
diff --git a/windows/security/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md
index 06af6fc6af..078ced8e48 100644
--- a/windows/security/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md
@@ -14,12 +14,12 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Stop and quarantine file API
+# Stop and quarantine file API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-
+[!include[Deprecated information](deprecate.md)]
Stop execution of a file on a machine and ensure it’s not executed again on that machine.
diff --git a/windows/security/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md
index e5bb46bc1d..aff0ccd147 100644
--- a/windows/security/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md
@@ -14,15 +14,14 @@ ms.localizationpriority: medium
ms.date: 09/03/2018
---
-# Supported Windows Defender ATP query APIs
+# Supported Windows Defender ATP query APIs (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecatedinformation](deprecate.md)]
->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-supportedapis-abovefoldlink)
-
Learn more about the individual supported entities where you can run API calls to and details such as HTTP request values, request headers and expected responses.
## In this section
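Review bot: The include label is written `Deprecatedinformation` here but `Deprecated information` in the two other deprecated pages touched by this patch; use the spaced form so the three pages match. The hunk also drops the free-trial link line, which is unrelated to the deprecation and deserves a mention in the commit message.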
@@ -38,5 +37,4 @@ User | Run API calls such as get alert related user information, user informatio
KbInfo | Run API call that gets list of Windows KB's information
CveKbMap | Run API call that gets mapping of CVE's to corresponding KB's
MachineSecurityStates | Run API call that gets list of machines with their security properties and versions
-MachineGroups | Run API call that gets list of machine group definitions
-
+MachineGroups | Run API call that gets list of machine group definitions
\ No newline at end of file
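Review bot: The `MachineGroups` row is rewritten only to drop the trailing blank line, and the file now ends without a final newline (`\ No newline at end of file`). Keep the newline at end of file so that later appended rows produce a clean one-line diff.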
diff --git a/windows/security/threat-protection/windows-defender-atp/threat-protection-integration.md b/windows/security/threat-protection/windows-defender-atp/threat-protection-integration.md
index e0301cebc1..d837895ff9 100644
--- a/windows/security/threat-protection/windows-defender-atp/threat-protection-integration.md
+++ b/windows/security/threat-protection/windows-defender-atp/threat-protection-integration.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
-ms.date: 10/12/2018
+ms.date: 12/03/2018
---
# Microsoft Threat Protection
@@ -28,24 +28,30 @@ Microsoft's multiple layers of threat protection across data, applications, devi
Each layer in the threat protection stack plays a critical role in protecting customers. The deep integration between these layers results in better protected customers.
-## Conditional access
-Windows Defender ATP's dynamic machine risk score is integrated into the conditional access evaluation, ensuring that only secure devices have access to resources.
-
-## Office 365 Advanced Threat Protection (Office 365 ATP)
-[Office 365 ATP](https://docs.microsoft.com/office365/securitycompliance/office-365-atp) helps protect your organization from malware in email messages or files through ATP Safe Links, ATP Safe Attachments, advanced Anti-Phishing, and spoof intelligence capabilities. The integration between Office 365 ATP and Windows Defender ATP enables security analysts to go upstream to investigate the entry point of an attack. Through threat intelligence sharing, attacks can be contained and blocked.
-
## Azure Advanced Threat Protection (Azure ATP)
Suspicious activities are processes running under a user context. The integration between Windows Defender ATP and Azure ATP provides the flexibility of conducting cyber security investigation across activities and identities.
-## Skype for Business
-The Skype for Business integration provides s a way for analysts to communicate with a potentially compromised user or device owner through ao simple button from the portal.
-
## Azure Security Center
Windows Defender ATP provides a comprehensive server protection solution, including endpoint detection and response (EDR) capabilities on Windows Servers.
+## Azure Information Protection
+Keep sensitive data secure while enabling productivity in the workplace through data data discovery and data protection.
+
+## Conditional access
+Windows Defender ATP's dynamic machine risk score is integrated into the conditional access evaluation, ensuring that only secure devices have access to resources.
+
+
## Microsoft Cloud App Security
Microsoft Cloud App Security leverages Windows Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Windows Defender ATP monitored machines.
+## Office 365 Advanced Threat Protection (Office 365 ATP)
+[Office 365 ATP](https://docs.microsoft.com/office365/securitycompliance/office-365-atp) helps protect your organization from malware in email messages or files through ATP Safe Links, ATP Safe Attachments, advanced Anti-Phishing, and spoof intelligence capabilities. The integration between Office 365 ATP and Windows Defender ATP enables security analysts to go upstream to investigate the entry point of an attack. Through threat intelligence sharing, attacks can be contained and blocked.
+
+## Skype for Business
+The Skype for Business integration provides s a way for analysts to communicate with a potentially compromised user or device owner through ao simple button from the portal.
+
+
+
## Related topic
- [Protect users, data, and devices with conditional access](conditional-access-windows-defender-advanced-threat-protection.md)
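Review bot: The added Azure Information Protection paragraph has a doubled word ("through data data discovery"), and the Skype for Business paragraph is re-added with its existing typos ("provides s a way", "through ao simple button"); fix all three while these lines are being touched. If the reordering is meant to be alphabetical, Azure Information Protection belongs before Azure Security Center. The runs of added blank lines after "Conditional access" and after "Skype for Business" can each be reduced to one.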
diff --git a/windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..d8693cd298
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,45 @@
+---
+title: TiIndicator resource type
+description: TiIndicator entity description.
+keywords: apis, supported apis, get, TiIndicator, recent
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# TI(threat intelligence) Indicator resource type
+
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Method|Return Type |Description
+:---|:---|:---
+[List TI Indicators](get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md) | [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) Collection | List [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entities.
+[Get TI Indicator by ID](get-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md) | [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) | Gets the requested [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity.
+[Submit TI Indicator](post-ti-indicator-windows-defender-advanced-threat-protection-new.md) | [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) | Submits [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity.
+[Delete TI Indicator](delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md) | No Content | Deletes [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity.
+
+
+# Properties
+Property | Type | Description
+:---|:---|:---
+indicator | String | Identity of the [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity.
+indicatorType | Enum | Type of the indicator. Possible values are: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url"
+title | String | Ti indicator alert title.
+creationTimeDateTimeUtc | DateTimeOffset | The date and time when the indicator was created.
+createdBy | String | Identity of the user/application that submitted the indicator.
+expirationTime | DateTimeOffset | The expiration time of the indicator
+action | Enum | The action that will be taken if the indicator will be discovered in the organization. Possible values are: "Alert", "AlertAndBlock", and "Allowed"
+severity | Enum | The severity of the indicator. possible values are: "Informational", "Low", "Medium" and "High"
+description | String | Description of the indicator.
+recommendedActions | String | TI indicator alert recommended actions.
+
+
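Review bot: `# Properties` is a second H1 on the page; it should be `## Properties` so it nests under the title the way the sections on the other new API pages do. In the same file, `# TI(threat intelligence) Indicator resource type` is missing a space before the parenthesis, the `title` row says "Ti indicator" while `recommendedActions` says "TI indicator", the `severity` row starts a sentence with lowercase "possible values", and the `action` row reads "if the indicator will be discovered" where "if the indicator is discovered" is meant. Please also confirm that "Allowed" is the exact enum string the API accepts, since it sits beside the imperative forms "Alert" and "AlertAndBlock".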
diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md
index ec2722306c..8c7c0f5e5f 100644
--- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
-ms.date: 02/13/2018
+ms.date: 11/08/2018
---
# Troubleshoot SIEM tool integration issues
@@ -67,6 +67,12 @@ If you encounter an error when trying to get a refresh token when using the thre
6. Click **Save**.
+## Error while enabling the SIEM connector application
+If you encounter an error when trying to enable the SIEM connector application, check the pop-up blocker settings of your browser. It might be blocking the new window being opened when you enable the capability.
+
+
+
+
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshootsiem-belowfoldlink)
## Related topics
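Review bot: The new section ends with four empty added lines before the trial banner; one blank line is enough. The guidance would be more useful if it named the error or symptom the user sees and which site to allow, since "check the pop-up blocker settings of your browser" leaves the reader guessing what to permit.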
diff --git a/windows/security/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md
index fffb9ad229..ad824d3ab2 100644
--- a/windows/security/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Unblock file API
+# Unblock file API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-
+[!include[Deprecatedinformation](deprecate.md)]
Allow a file to be executed in the organization, using Windows Defender Antivirus.
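Review bot: The blank line after the **Applies to:** list is replaced by the include, so `[!include[Deprecatedinformation](deprecate.md)]` now sits directly under the list item and directly above the description sentence with no separating blank lines. Depending on the renderer it can be absorbed into the list item or run into the paragraph; add a blank line before and after the include. The same pattern appears in the other "(deprecated)" pages changed in this patch.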
diff --git a/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..0b654aa63c
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,105 @@
+---
+title: Release machine from isolation API
+description: Use this API to create calls related to release a machine from isolation.
+keywords: apis, graph api, supported apis, remove machine from isolation
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Release machine from isolation API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Undo isolation of a machine.
+
+[!include[Machine actions note](machineactionsnote.md)]
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.Isolate | 'Isolate machine'
+Delegated (work or school account) | Machine.Isolate | 'Isolate machine'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+POST https://api.securitycenter.windows.com/api/machines/{id}/unisolate
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+Content-Type | string | application/json. **Required**.
+
+
+## Request body
+In the request body, supply a JSON object with the following parameters:
+
+Parameter | Type | Description
+:---|:---|:---
+Comment | String | Comment to associate with the action. **Required**.
+
+## Response
+If successful, this method returns 201 - Created response code and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) in the response body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/unisolate
+Content-type: application/json
+{
+ "Comment": "Unisolate machine since it was clean and validated"
+}
+
+```
+**Response**
+
+Here is an example of the response.
+
+>[!NOTE]
+>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
+
+```
+HTTP/1.1 201 Created
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
+ "id": "09a0f91e-a2eb-409d-af33-5577fe9bd558",
+ "type": "Unisolate",
+ "requestor": "Analyst@contoso.com ",
+ "requestorComment": "Unisolate machine since it was clean and validated ",
+ "status": "InProgress",
+ "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "creationDateTimeUtc": "2018-12-04T12:13:15.0104931Z",
+ "lastUpdateTimeUtc": "2018-12-04T12:13:15.0104931Z",
+ "relatedFileInfo": null
+}
+
+```
+
+To isolate a machine, see [Isolate machine](isolate-machine-windows-defender-advanced-threat-protection-new.md).
+
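Review bot: The example request omits the `Authorization` header that the Request headers table marks **Required**, and there is no blank line between `Content-type: application/json` and the JSON body, so neither sample is a well-formed HTTP message. Add `Authorization: Bearer {token}` to the request and the blank separator line to both request and response. Smaller points: the response sample has trailing spaces inside `"Analyst@contoso.com "` and the `requestorComment` value, the headers table mixes `String` and `string`, and the description "create calls related to release a machine from isolation" should read "releasing". Because this call reverses a containment action, it is also worth stating explicitly that `Machine.Isolate` gates both isolate and unisolate, as the permissions table implies.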
diff --git a/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md
index 560416bc51..8898ab6189 100644
--- a/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Release machine from isolation API
+# Release machine from isolation API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-
+[!include[Deprecatedinformation](deprecate.md)]
Undo isolation of a machine.
diff --git a/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..8ca7430854
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,100 @@
+---
+title: Remove app restriction API
+description: Use this API to create calls related to removing a restriction from applications from executing.
+keywords: apis, graph api, supported apis, remove machine from isolation
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Remove app restriction API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Enable execution of any application on the machine.
+
+[!include[Machine actions note](machineactionsnote.md)]
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.RestrictExecution | 'Restrict code execution'
+Delegated (work or school account) | Machine.RestrictExecution | 'Restrict code execution'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+POST https://api.securitycenter.windows.com/api/machines/{id}/unrestrictCodeExecution
+```
+
+## Request headers
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+Content-Type | string | application/json. **Required**.
+
+## Request body
+In the request body, supply a JSON object with the following parameters:
+
+Parameter | Type | Description
+:---|:---|:---
+Comment | String | Comment to associate with the action. **Required**.
+
+## Response
+If successful, this method returns 201 - Created response code and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) in the response body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/unrestrictCodeExecution
+Content-type: application/json
+{
+ "Comment": "Unrestrict code execution since machine was cleaned and validated"
+}
+
+```
+
+**Response**
+
+Here is an example of the response.
+
+```
+HTTP/1.1 201 Created
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
+ "id": "44cffc15-0e3d-4cbf-96aa-bf76f9b27f5e",
+ "type": "UnrestrictCodeExecution",
+ "requestor": "Analyst@contoso.com",
+ "requestorComment": "Unrestrict code execution since machine was cleaned and validated ",
+ "status": "InProgress",
+ "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "creationDateTimeUtc": "2018-12-04T12:15:40.6052029Z",
+ "lastUpdateTimeUtc": "2018-12-04T12:15:40.6052029Z",
+ "relatedFileInfo": null
+}
+
+```
+
+To restrict code execution on a machine, see [Restrict app execution](restrict-code-execution-windows-defender-advanced-threat-protection-new.md).
\ No newline at end of file
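Review bot: The front matter `keywords` line still reads "remove machine from isolation", carried over from the unisolate page; it should describe removing the app restriction. The description "removing a restriction from applications from executing" is also garbled. In the example, the request lacks the required `Authorization` header and the blank line between headers and body, the `requestorComment` value in the response ends with a stray space, and the file has no trailing newline.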
diff --git a/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md
index 10def5a55d..e011fa5800 100644
--- a/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Remove app restriction API
+# Remove app restriction API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-
+[!include[Deprecatedinformation](deprecate.md)]
Unrestrict execution of set of predefined applications.
diff --git a/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..4e69de458e
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,109 @@
+---
+title: Get alert information by ID API
+description: Retrieves an alert by its ID.
+keywords: apis, graph api, supported apis, get, alert, information, id
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Update alert
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+[!include[Prereleaseinformation](prerelease.md)]
+Update the properties of an alert entity.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Alerts.ReadWrite.All | 'Read and write all alerts'
+Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'Alerts investigation' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+PATCH /api/alerts/{id}
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+Content-Type | String | application/json. **Required**.
+
+
+## Request body
+In the request body, supply the values for the relevant fields that should be updated.Existing properties that are not included in the request body will maintain their previous values or be recalculated based on changes to other property values. For best performance you shouldn't include existing values that haven't change.
+
+Property | Type | Description
+:---|:---|:---
+status | String | Specifies the current status of the alert. The property values are: 'New', 'InProgress' and 'Resolved'.
+assignedTo | String | Owner of the alert
+classification | String | Specifies the specification of the alert. The property values are: 'Unknown', 'FalsePositive', 'TruePositive'.
+determination | String | Specifies the determination of the alert. The property values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'
+
+
+## Response
+If successful, this method returns 200 OK, and the [alert](alerts-windows-defender-advanced-threat-protection-new.md) entity in the response body with the updated properties. If alert with the specified id was not found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+PATCH https://api.securitycenter.windows.com/api/alerts/121688558380765161_2136280442
+Content-Type: application/json
+{
+ "assignedTo": "secop2@contoso.com"
+}
+```
+
+**Response**
+
+Here is an example of the response.
+
+```
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts/$entity",
+ "id": "121688558380765161_2136280442",
+ "incidentId": 7696,
+ "assignedTo": "secop2@contoso.com",
+ "severity": "High",
+ "status": "New",
+ "classification": "TruePositive",
+ "determination": "Malware",
+ "investigationState": "Running",
+ "category": "MalwareDownload",
+ "detectionSource": "WindowsDefenderAv",
+ "threatFamilyName": "Mikatz",
+ "title": "Windows Defender AV detected 'Mikatz', high-severity malware",
+ "description": "Some description"
+ "recommendedAction": "Some recommended action"
+ "alertCreationTime": "2018-11-26T16:19:21.8409809Z",
+ "firstEventTime": "2018-11-26T16:17:50.0948658Z",
+ "lastEventTime": "2018-11-26T16:18:01.809871Z",
+ "resolvedTime": null,
+ "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
+}
+```
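Review bot: The response sample is not valid JSON: the `"description": "Some description"` and `"recommendedAction": "Some recommended action"` lines are missing their trailing commas. The front matter is copied from another page (`title: Get alert information by ID API`, `description: Retrieves an alert by its ID.`) while the heading is "Update alert". The permissions table pairs `Alerts.ReadWrite.All` with `Alert.ReadWrite`; check the singular/plural spelling against the real scope names, because a wrong name sends readers to request the wrong consent. Also: add a blank line between the prerelease include and "Update the properties of an alert entity.", insert the missing space in "updated.Existing", change "haven't change" to "haven't changed", reword "Specifies the specification of the alert" for `classification`, and give the full `https://api.securitycenter.windows.com/api/alerts/{id}` URL in the HTTP request section as the sibling pages do.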
diff --git a/windows/security/threat-protection/windows-defender-atp/use-apis.md b/windows/security/threat-protection/windows-defender-atp/use-apis.md
new file mode 100644
index 0000000000..991dcfebfe
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/use-apis.md
@@ -0,0 +1,26 @@
+---
+title: Use the Windows Defender Advanced Threat Protection APIs
+description: Use the exposed data and actions using a set of progammatic APIs that are part of the Microsoft Intelligence Security Graph.
+keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 11/28/2018
+---
+
+# Use the Windows Defender ATP exposed APIs
+
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+## In this section
+Topic | Description
+:---|:---
+Create your app | Learn how to create an application to get programmatical access to Windows Defender ATP [on behalf of a user](exposed-apis-create-app-nativeapp.md) or [without a user](exposed-apis-create-app-webapp.md).
+Supported Windows Defender ATP APIs | Learn more about the individual supported entities where you can run API calls to and details such as HTTP request values, request headers and expected responses. Examples include APIs for [alert resource type](alerts-windows-defender-advanced-threat-protection-new.md), [domain related alerts](get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md), or even actions such as [isolate machine](isolate-machine-windows-defender-advanced-threat-protection-new.md).
+How to use APIs - Samples | Learn how to use Advanced hunting APIs and multiple APIs such as PowerShell. Other examples include [schedule advanced hunting using Microsoft Flow](run-advanced-query-sample-ms-flow.md) or [OData queries](exposed-apis-odata-samples.md).
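Review bot: The description has a typo, "progammatic", and the first table row uses "programmatical access"; both should be "programmatic". In the last row, "multiple APIs such as PowerShell" reads as if PowerShell were an API; say which languages or tools the samples use instead. The second row's "entities where you can run API calls to" also needs rewording, for example "entities you can call".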
diff --git a/windows/security/threat-protection/windows-defender-atp/user-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/user-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..509ded9db9
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/user-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,23 @@
+---
+title: File resource type
+description: Retrieves top recent alerts.
+keywords: apis, graph api, supported apis, get, alerts, recent
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# User resource type
+
+Method|Return Type |Description
+:---|:---|:---
+[List User related alerts](get-user-related-alerts-windows-defender-advanced-threat-protection-new.md) | [alert](alerts-windows-defender-advanced-threat-protection-new.md) collection | List all the alerts that are associated with a [user](user-windows-defender-advanced-threat-protection-new.md).
+[List User related machines](get-user-related-machines-windows-defender-advanced-threat-protection-new.md) | [machine](machine-windows-defender-advanced-threat-protection-new.md) collection | List all the machines that were logged on by a [user](user-windows-defender-advanced-threat-protection-new.md).
+
+
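Review bot: The front matter does not match the page: `title: File resource type` and `description: Retrieves top recent alerts.` sit above a "# User resource type" heading, so search results and the browser title will mislabel it. The page also lacks the **Applies to:** block and the prerelease include that the TiIndicator resource page added in this patch carries.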
diff --git a/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
index abe99e8194..de7712091a 100644
--- a/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
-ms.date: 10/26/2018
+ms.date: 11/07/2018
---
# Windows Defender Advanced Threat Protection
@@ -22,7 +22,7 @@ ms.date: 10/26/2018
Windows Defender Advanced Threat Protection is a platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.
-indows Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service:
+Windows Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service:
- **Endpoint behavioral sensors**: Embedded in Windows 10, these sensors
collect and process behavioral signals from the operating system and sends this sensor data to your private, isolated, cloud instance of Windows Defender ATP.
@@ -66,6 +66,10 @@ indows Defender ATP uses the following combination of technology built into Wind
+
+>[!TIP]
+> Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
+
**[Attack surface reduction](overview-attack-surface-reduction.md)**
The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations.
@@ -76,8 +80,8 @@ To further reinforce the security perimeter of your network, Windows Defender AT
-**[Endpoint protection and response](overview-endpoint-detection-response.md)**
-Endpoint protection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars.
+**[Endpoint detection and response](overview-endpoint-detection-response.md)**
+Endpoint detection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars.
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
index 360b2a59c8..125ff2e581 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
-ms.date: 10/15/2018
+ms.date: 11/29/2018
---
# Reduce attack surfaces with attack surface reduction rules
@@ -31,6 +31,8 @@ Attack surface reduction rules help prevent actions and apps that are typically
When an attack surface reduction rule is triggered, a notification displays from the Action Center on the user's computer. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information.
+Attack surface reduction is supported on Windows 10, version 1709 and later and Windows Server 2019.
+
## Requirements
Attack surface reduction rules are a feature of Windows Defender ATP and require Windows 10 Enterprise E5 and [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md).
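Review bot: The added support statement sits above "## Requirements" instead of inside it, and it names Windows Server 2019 while the Requirements paragraph still says the rules "require Windows 10 Enterprise E5". Move the sentence into Requirements and reconcile the two so a reader can tell what is needed on a server. The sentence also needs a comma: "Windows 10, version 1709 and later, and Windows Server 2019".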
@@ -53,18 +55,9 @@ Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d3
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c
Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
-Block Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869
+Block Office communication application from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869
Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
-The rules apply to the following Office apps:
-
-- Microsoft Word
-- Microsoft Excel
-- Microsoft PowerPoint
-- Microsoft OneNote
-
-The rules do not apply to any other Office apps.
-
### Rule: Block executable content from email client and webmail
This rule blocks the following file types from being run or launched from an email seen in either Microsoft Outlook or webmail (such as Gmail.com or Outlook.com):
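Review bot: Deleting the shared list ("The rules apply to the following Office apps" through "The rules do not apply to any other Office apps.") removes the only page-wide statement of scope, so each Office rule section now has to name its own apps. The lists added elsewhere in this patch differ from one another (the child-process rule includes Access, the code-injection rule does not), so confirm that every remaining Office rule section states its scope before this list goes away.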
@@ -73,13 +66,13 @@ This rule blocks the following file types from being run or launched from an ema
- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
- Script archive files
->[!IMPORTANT]
->[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders).
-
### Rule: Block all Office applications from creating child processes
Office apps will not be allowed to create child processes. This includes Word, Excel, PowerPoint, OneNote, and Access.
+>[!NOTE]
+>This does not include Outlook. For Outlook, please see [Block Office communication applications from creating child processes](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#rule-block-office-communication-applications-from-creating-child-processes).
+
This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables.
### Rule: Block Office applications from creating executable content
@@ -90,22 +83,16 @@ Extensions will be blocked from being used by Office apps. Typically these exten
### Rule: Block Office applications from injecting code into other processes
-Office apps, such as Word, Excel, or PowerPoint, will not be able to inject code into other processes.
+Office apps, including Word, Excel, PowerPoint, and OneNote, will not be able to inject code into other processes.
This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines.
->[!IMPORTANT]
->[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders).
-
### Rule: Block JavaScript or VBScript From launching downloaded executable content
JavaScript and VBScript scripts can be used by malware to launch other malicious apps.
This rule prevents these scripts from being allowed to launch apps, thus preventing malicious use of the scripts to spread malware and infect machines.
->[!IMPORTANT]
->[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders).
-
### Rule: Block execution of potentially obfuscated scripts
Malware and other threats can attempt to obfuscate or hide their malicious code in some script files.
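Review bot: This hunk drops the "Exclusions do not apply to this rule" callout from both the code-injection rule and the JavaScript/VBScript rule with no replacement text. If exclusions are now honored for these rules, say so explicitly, because an admin who relied on the old statement will not realize that an existing exclusion now weakens the rule; if the behavior is unchanged, keep the callouts.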
@@ -116,7 +103,7 @@ This rule prevents scripts that appear to be obfuscated from running.
Malware can use macro code in Office files to import and load Win32 DLLs, which can then be used to make API calls to allow further infection throughout the system.
-This rule attempts to block Office files that contain macro code that is capable of importing Win32 DLLs.
+This rule attempts to block Office files that contain macro code that is capable of importing Win32 DLLs. This includes Word, Excel, PowerPoint, and OneNote.
### Rule: Block executable files from running unless they meet a prevalence, age, or trusted list criteria
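Review bot: In the added sentence "This includes Word, Excel, PowerPoint, and OneNote." the pronoun has no clear antecedent, since the text before it is about macro code and Win32 DLLs. "This rule applies to Word, Excel, PowerPoint, and OneNote." states the scope unambiguously.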
@@ -138,9 +125,6 @@ This rule provides an extra layer of protection against ransomware. Executable f
Local Security Authority Subsystem Service (LSASS) authenticates users who log in to a Windows computer. Windows Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. This rule helps mitigate that risk by locking down LSASS.
->[!IMPORTANT]
->[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders).
-
>[!NOTE]
>Some apps are coded to enumerate all running processes and to attempt opening them with exhaustive permissions. This results in the app accessing LSASS even when it's not necessary. ASR will deny the app's process open action and log the details to the security event log. Entry in the event log for access denial by itself is not an indication of the presence of a malicious threat.
@@ -158,12 +142,15 @@ With this rule, admins can prevent unsigned or untrusted executable files from r
- Executable files (such as .exe, .dll, or .scr)
- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
-### Rule: Block Office communication applications from creating child processes
+### Rule: Block Office communication application from creating child processes
-Office communication apps will not be allowed to create child processes. This includes Outlook.
+Outlook will not be allowed to create child processes.
This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables.
+>[!NOTE]
+>This rule applies to Outlook only.
+
### Rule: Block Adobe Reader from creating child processes
This rule blocks Adobe Reader from creating child processes.
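Review bot: The added NOTE "This rule applies to Outlook only." repeats the new opening sentence "Outlook will not be allowed to create child processes."; keep one of them. The unchanged sentence between them still says "use Office apps to launch or download malicious executables", which is worth narrowing to Outlook now that the rule is scoped to it.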
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md
index 0131be7167..a17ef04dd9 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md
@@ -21,7 +21,7 @@ ms.date: 09/18/2018
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-You can enable attack surface reduction rules, eploit protection, network protection, and controlled folder access in audit mode. This lets you see a record of what *would* have happened if you had enabled the feature.
+You can enable attack surface reduction rules, exploit protection, network protection, and controlled folder access in audit mode. This lets you see a record of what *would* have happened if you had enabled the feature.
You might want to do this when testing how the features will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious file modification attempts generally occur over a certain period.
@@ -69,4 +69,4 @@ You can also use the a custom PowerShell script that enables the features in aud
- [Protect devices from exploits](exploit-protection-exploit-guard.md)
- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md)
- [Protect your network](network-protection-exploit-guard.md)
-- [Protect important folders](controlled-folders-exploit-guard.md)
\ No newline at end of file
+- [Protect important folders](controlled-folders-exploit-guard.md)
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md
index 21c0acfc51..68bff70bd4 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
-ms.date: 10/02/2018
+ms.date: 11/29/2018
---
# Protect important folders with controlled folder access
@@ -33,6 +33,7 @@ The protected folders include common system folders, and you can [add additional
You can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how controlled folder access would impact your organization if it were enabled. You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
+Controlled folder access is supported on Windows 10, version 1709 and later and Windows Server 2019.
## Requirements
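Review bot: the added support statement sits directly above the "## Requirements" heading, so it reads as the tail of the audit mode paragraph rather than as a requirement. Move it under Requirements, and reword "version 1709 and later and Windows Server 2019" to something like "Windows 10, version 1709 and later, and on Windows Server 2019" so the scope of "and later" is unambiguous.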
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
index a948e7db7e..557b83c494 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
-ms.date: 10/17/2018
+ms.date: 11/27/2018
---
# Customize attack surface reduction rules
@@ -28,7 +28,7 @@ You can use Group Policy, PowerShell, and MDM CSPs to configure these settings.
## Exclude files and folders
-You can exclude files and folders from being evaluated by most attack surface reduction rules. This means that even if the file or folder contains malicious behavior as determined by an attack surface reduction rule, the file will not be blocked from running.
+You can exclude files and folders from being evaluated by all attack surface reduction rules. This means that even if the file or folder contains malicious behavior as determined by an attack surface reduction rule, the file will not be blocked from running.
This could potentially allow unsafe files to run and infect your devices.
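Review bot: changing "most" to "all" widens what a single exclusion switches off, but the warning on the following line is unchanged and still says only that this "could potentially allow unsafe files to run". Spell out that an excluded file or folder is now skipped by every rule in the table below, so an admin adding a broad path understands the full effect. The phrase "the file or folder contains malicious behavior" in the changed line is also worth tightening, since a folder does not contain behavior.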
@@ -41,28 +41,24 @@ You can specify individual files or folders (using folder paths or fully qualifi
Attack surface reduction supports environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
-Exclusions will only be applied to certain rules. Some rules will not honor the exclusion list. This means that even if you have added a file to the exclusion list, some rules will still evaluate and potentially block that file if the rule determines the file to be unsafe.
+Exclusions apply to all attack surface reduction rules.
->[!IMPORTANT]
->Rules that do not honor the exclusion list will not exclude folders or files added in the exclusion list. All files will be evaluated and potentially blocked by rules that do not honor the exclusion list (indicated with a red X in the following table).
-
-
-Rule description | Rule honors exclusions | GUID
+Rule description | GUID
-|:-:|-
-Block all Office applications from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
-Block execution of potentially obfuscated scripts | [!include[Check mark yes](images/svg/check-yes.svg)] | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
-Block Win32 API calls from Office macro | [!include[Check mark yes](images/svg/check-yes.svg)] | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
-Block Office applications from creating executable content | [!include[Check mark yes](images/svg/check-yes.svg)] | 3B576869-A4EC-4529-8536-B80A7769E899
-Block Office applications from injecting code into other processes | [!include[Check mark no](images/svg/check-no.svg)] | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
-Block JavaScript or VBScript from launching downloaded executable content | [!include[Check mark no](images/svg/check-no.svg)] | D3E037E1-3EB8-44C8-A917-57927947596D
-Block executable content from email client and webmail | [!include[Check mark no](images/svg/check-no.svg)] | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
-Block executable files from running unless they meet a prevalence, age, or trusted list criteria | [!include[Check mark yes](images/svg/check-yes.svg)] | 01443614-cd74-433a-b99e-2ecdc07bfc25
-Use advanced protection against ransomware | [!include[Check mark yes](images/svg/check-yes.svg)] | c1db55ab-c21a-4637-bb3f-a12568109d35
-Block credential stealing from the Windows local security authority subsystem (lsass.exe) | [!include[Check mark no](images/svg/check-no.svg)] | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
-Block process creations originating from PSExec and WMI commands | [!include[Check mark yes](images/svg/check-yes.svg)] | d1e49aac-8f56-4280-b9ba-993a6d77406c
-Block untrusted and unsigned processes that run from USB | [!include[Check mark yes](images/svg/check-yes.svg)] | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
-Block Office communication applications from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | 26190899-1602-49e8-8b27-eb1d0a1ce869
-Block Adobe Reader from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
+Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
+Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
+Block Win32 API calls from Office macro 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
+Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899
+Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
+Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D
+Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
+Block executable files from running unless they meet a prevalence, age, or trusted list criteria | 01443614-cd74-433a-b99e-2ecdc07bfc25
+Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35
+Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
+Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c
+Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
+Block Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869
+Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
See the [attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule.
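Review bot: the new two-column table has no delimiter row. The patch removes "-|:-:|-" but adds nothing under "Rule description | GUID", so these rows will not render as a table; add "-|-" as the table in enable-attack-surface-reduction.md does. The added row "Block Win32 API calls from Office macro 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B" is also missing the "|" between the description and the GUID.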
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
index 7591a39db0..2ad55e0a66 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
-ms.date: 10/02/2018
+ms.date: 11/16/2018
---
# Customize exploit protection
@@ -53,19 +53,19 @@ Validate exception chains (SEHOP) | Ensures the integrity of an exception chain
Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)]
Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
-Block remote images | Prevents loading of images from remote devices. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
+Block remote images | Prevents loading of images from remote devices. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
Code integrity guard | Restricts loading of images signed by Microsoft, WHQL, or higher. Can optionally allow Microsoft Store signed images. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
Do not allow child processes | Prevents an app from creating child processes. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
-Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
-Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
-Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
-Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
+Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
+Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
+Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
+Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
Validate handle usage | Causes an exception to be raised on any invalid handle references. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
-Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
-Validate stack integrity (StackPivot) | Ensures that the stack has not been redirected for sensitive APIs. Not compatible with ACG | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
+Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
+Validate stack integrity (StackPivot) | Ensures that the stack has not been redirected for sensitive APIs. Not compatible with ACG | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
>[!IMPORTANT]
>If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work:
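Review bot: seven rows flip the last column from check-yes to check-no (Block remote images, EAF, IAF, SimExec, CallerCheck, Validate image dependency integrity, StackPivot) and nothing in the patch says why. Admins use this column when deciding how to stage these mitigations, so cite the source of the correction in the commit description and confirm the untouched rows are still accurate. While these rows are being edited, "Not compatible with ACG" is missing its closing period in the SimExec, CallerCheck and StackPivot descriptions.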
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
index 675f449f0b..8e84a3872c 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
@@ -34,13 +34,13 @@ You can manually add the rules by using the GUIDs in the following table:
Rule description | GUID
-|-
-Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
-Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
-Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899
-Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
-Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D
-Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
-Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
+Block executable content from email client and webmail | be9ba2d9-53ea-4cdc-84e5-9B1eeee46550
+Block all Office applications from creating child processes | d4f940ab-401b-4efc-aadc-ad5f3c50688a
+Block Office applications from creating executable content | 3b576869-a4eC-4529-8536-b80a7769e899
+Block Office applications from injecting code into other processes | 75668c1f-73b5-4Cf0-bb93-3ecf5cb7cc84
+Block JavaScript or VBScript from launching downloaded executable content | d3e037e1-3eb8-44c8-a917-57927947596d
+Block execution of potentially obfuscated scripts | 5beb7efe-fd9A-4556-801d-275e5ffc04cc
+Block Win32 API calls from Office macro | 92e97fa1-2edf-4476-bdd6-9dd0B4dddc7b
Block executable files from running unless they meet a prevalence, age, or trusted list criteria | 01443614-cd74-433a-b99e-2ecdc07bfc25
Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
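Review bot: the rewritten GUIDs are not consistently lower case. Five of the seven new values keep a stray capital: "9B1eeee46550", "a4eC", "4Cf0", "fd9A" and "9dd0B4dddc7b". Mixed case makes the values harder to compare by eye or with a plain text search against the table in customize-attack-surface-reduction.md, which keeps these same seven GUIDs in upper case. Normalize to one case here and use the same case in both files.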
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md
index 98835fdcfd..325b6119b3 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.author: justinha
author: brianlic-msft
-ms.date: 08/08/2018
+ms.date: 11/15/2018
---
# Enable virtualization-based protection of code integrity
@@ -42,7 +42,7 @@ Enabling in Intune requires using the Code Integrity node in the [AppLocker CSP]
1. Use Group Policy Editor (gpedit.msc) to either edit an existing GPO or create a new one.
2. Navigate to **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard**.
3. Double-click **Turn on Virtualization Based Security**.
-4. Click **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled with UEFI lock** to ensure HVCI cannot be enabled remotely or select **Enabled without UEFI lock**.
+4. Click **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled with UEFI lock** to ensure HVCI cannot be disabled remotely or select **Enabled without UEFI lock**.

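Review bot: step 4 still does not say what choosing "Enabled without UEFI lock" means. After the correction the sentence explains only the locked option ("to ensure HVCI cannot be disabled remotely"), leaving the reader to infer that the unlocked option allows remote disabling. Add that clause explicitly so the trade-off between the two choices is stated in the step itself.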
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md
index a143ed81a3..290fbdaae4 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
-ms.date: 10/02/2018
+ms.date: 11/16/2018
---
# Evaluate attack surface reduction rules
@@ -22,164 +22,14 @@ ms.date: 10/02/2018
Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients.
-This topic helps you evaluate attack surface reduction rules. It explains how to demo ASR rules using a specialized tool, and how to enable audit mode so you can test the feature directly in your organization.
-
->[!NOTE]
->This topic uses a customized testing tool and PowerShell cmdlets to make it easy to enable the feature and test it.
->For instructions on how to use Group Policy, Mobile Device Management (MDM), and System Center Configuration Manager to deploy these settings across your network, see the main [Attack surface reduction topic](attack-surface-reduction-exploit-guard.md).
+This topic helps you evaluate attack surface reduction rules. It explains how to enable audit mode so you can test the feature directly in your organization.
>[!TIP]
>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
-## Use the demo tool to see how attack surface reduction rules work
-
-Use the **ExploitGuard ASR test tool** app to see how attack surface reduction rules are applied in certain key protection and high-risk scenarios. These scenarios are typical infection vectors for malware that use exploits to spread and infect machines.
-
-The tool is part of the Windows Defender Exploit Guard evaluation package:
-- [Download the Exploit Guard Evaluation Package](https://aka.ms/mp7z2w)
-
-This tool has a simple user interface that lets you choose a rule, configure it in blocking, audit, or disabled mode, and run a pre-created series of actions that would be evaluated by the rule.
-
-When you run a scenario, you will see what the scenario entails, what the rule is set to, and what actions were taken.
-
-
-
-Each scenario creates a fake or sample file or behavior that the rule would target and, if the rule was enabled, block from running.
-
->[!IMPORTANT]
->The settings you change while using this tool will be cleared when you close the tool. If you want to test the feature in a production environment, you should consider using [audit mode to measure impact](#use-audit-mode-to-measure-impact), or see the main [Attack surface reduction topic](attack-surface-reduction-exploit-guard.md).
-
-**Run a rule using the demo tool:**
-
-1. Open the Exploit Guard Evaluation Package and copy the file *ExploitGuard ASR test tool* to a location on your PC that is easy to access (such as your desktop).
-
-2. Run the tool by double-clicking the version that matches your operating system - either 64-bit (x64) or 32-bit (x86). If a Windows Defender SmartScreen notification appears, click **More details** and then **Run anyway**.
-
-
- >[!IMPORTANT]
- >Make sure you use the version of the tool that is appropriate for the machine you are using. Use the x86 version for 32-bit versions of Windows 10, or use the x64 version for 64-bit versions of Windows 10.
-
-3. Select the rule from the drop-down menu.
-
-4. Select the mode, **Disabled**, **Block**, or **Audit**.
- 1. Optionally, click **Show Advanced Options** and choose a specific scenario (or all scenarios sequentially by selecting **All Scenarios**), enter a delay, or click **Leave Dirty**.
-
-5. Click **RunScenario**.
-
-The scenario will run, and an output will appear describing the steps taken.
-
-You can right-click on the output window and click **Open Event Viewer** to see the relevant event in Windows Event Viewer.
-
->[!TIP]
->You can click **Save Filter to Custom View...** in the Event Viewer to create a custom view so you can easily come back to this view as you continue to evaluate rules.
-
-
-Choosing the **Mode** will change how the rule functions:
-
-Mode option | Description
--|-
-Disabled | The rule will not fire and no event will be recorded. This is the same as if you had not enabled attack surface reduction rules at all.
-Block | The rule will fire and the suspicious behavior will be blocked from running. An event will be recorded in the event log. This is the same as if you had enabled attack surface reduction rules.
-Audit | The rule wil fire, but the suspicious behavior will **not** be blocked from running. An event will be recorded in the event log as if the rule did block the behavior. This allows you to see how attack surface reduction rules will work but without impacting how you use the computer.
-
-Block mode will cause a notification to appear on the user's desktop:
-
-
-
-You can [modify the notification to display your company name and links](customize-attack-surface-reduction.md#customize-the-notification) for users to obtain more information or contact your IT help desk.
-
-For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md).
-
-The following sections describe what each rule does and what the scenarios entail for each rule.
-
-### Rule: Block executable content from email client and webmail
-
-This rule blocks certain files from being run or launched from an email. You can specify an individual scenario, based on the category of the file type or whether the email is in Microsoft Outlook or web mail.
-
-The following table describes the category of the file type that will be blocked and the source of the email for each scenario in this rule:
-
-Scenario name | File type | Program
-- | - | -
-Random | A scenario will be randomly chosen from this list | Microsoft Outlook or web mail
-Mail Client PE | Executable files (such as .exe, .dll, or .scr) | Microsoft Outlook
-Mail Client Script | Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) | Microsoft Outlook
-Mail Client Script Archive | Script archive files | Microsoft Outlook
-WebMail PE | Executable files (such as .exe, .dll, or .scr) | Web mail, such as gmail, outlook, hotmail
-WebMail Script | Script files (such as a PowerShell .ps, VBScript .vbs, or JavaScript .js file) | Web mail
-WebMail Script Archive | Script archive files | Web mail
-
-
-### Rule: Block Office applications from creating child processes
-
->[!NOTE]
->There is only one scenario to test for this rule.
-
-Office apps, such as Word or Excel, will not be allowed to create child processes. This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables.
-
-### Rule: Block Office applications from creating executable content
-
-This rule targets typical behaviors used by suspicious and malicious add-ons and scripts that create or launch executable files. This is a typical malware technique.
-
-The following scenarios can be individually chosen:
-
-- Random
- - A scenario will be randomly chosen from this list
-- Extension Block
- - Extensions will be blocked from being used by Office apps. Typically these extensions use the Windows Scripting Host (.wsh files) to run scripts that automate certain tasks or provide user-created add-on features.
-
-### Rule: Block Office applications from injecting into other processes
-
->[!NOTE]
->There is only one scenario to test for this rule.
-
-Office apps, such as Word, Excel, or PowerPoint, will not be able to inject code into other processes. This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines.
-
-### Rule: Impede JavaScript and VBScript to launch executables
-
-JavaScript and VBScript scripts can be used by malware to launch other malicious apps. This rule prevents these scripts from being allowed to launch apps, thus preventing malicious use of the scripts to spread malware and infect machines.
-
-- Random
- - A scenario will be randomly chosen from this list
-- JScript
- - JavaScript will not be allowed to launch executable files
-- VBScript
- - VBScript will not be allowed to launch executable files
-
-### Rule: Block execution of potentially obfuscated scripts
-
-Malware and other threats can attempt to obfuscate or hide their malicious code in some script files. This rule prevents scripts that appear to be obfuscated from running.
-
-- Random
- - A scenario will be randomly chosen from this list
-- AntiMalwareScanInterface
- - This scenario uses the [AntiMalwareScanInterface (AMSI)](https://msdn.microsoft.com/library/windows/desktop/dn889587(v=vs.85).aspx) to determine if a script is potentially obfuscated, and then blocks such a script
-- OnAccess
- - Potentially obfuscated scripts will be blocked when an attempt is made to access them
-
-
-## Review Attack surface reduction events in Windows Event Viewer
-
-You can also review the Windows event log to see the events there were created when using the tool. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-attack-surface-reduction-events).
-
-1. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
-
-2. On the left panel, under **Actions**, click **Import custom view...**
-
-3. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
-
-4. Click **OK**.
-
-5. This will create a custom view that filters to only show the following events related to Attack surface reduction:
-
-Event ID | Description
--|-
-5007 | Event when settings are changed
-1122 | Event when rule fires in Audit-mode
-1121 | Event when rule fires in Block-mode
-
## Use audit mode to measure impact
-You can also enable the Attack surface reduction feature in audit mode. This lets you see a record of what apps would have been blocked if you had enabled the feature.
+You can enable attack surface reduction rules in audit mode. This lets you see a record of what apps would have been blocked if you had enabled attack surface reduction rules.
You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how often the rules will fire during normal use.
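Review bot: the removed "Review Attack surface reduction events in Windows Event Viewer" section was the only place on this page listing event IDs 5007, 1122 and 1121, yet the surviving audit mode text still promises "a record of what apps would have been blocked". Keep the event ID table, or add a link to event-views-exploit-guard.md#list-of-attack-surface-reduction-events under "Use audit mode to measure impact", so readers know where that record is and which event marks an audit-mode hit.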
@@ -189,17 +39,17 @@ To enable audit mode, use the following PowerShell cmdlet:
Set-MpPreference -AttackSurfaceReductionRules_Actions AuditMode
```
-This enables all Attack surface reduction rules in audit mode.
+This enables all attack surface reduction rules in audit mode.
>[!TIP]
->If you want to fully audit how Attack surface reduction will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s).
-You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Attack surface reduction topic](attack-surface-reduction-exploit-guard.md).
+>If you want to fully audit how attack surface reduction rules will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s).
+You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Attack surface reduction rules topic](attack-surface-reduction-exploit-guard.md).
## Customize attack surface reduction rules
During your evaluation, you may wish to configure each rule individualy or exclude certain files and processes from being evaluated by the feature.
-See the [Customize Exploit protection](customize-exploit-protection.md) topic for information on configuring the feature with management tools, including Group Policy and MDM CSP policies.
+See the [Customize attack surface reduction rules](customize-attack-surface-reduction.md) topic for information on configuring the feature with management tools, including Group Policy and MDM CSP policies.
## Related topics
- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md)
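Review bot: in the TIP, the line starting "You can also use Group Policy, Intune, or MDM CSPs" has no leading ">" and so falls outside the callout it continues; prefix it or make it a separate paragraph. The neighbouring context line still has the typo "individualy", which is worth fixing in the same pass. The command shown passes only -AttackSurfaceReductionRules_Actions and names no rule IDs, so please verify on a test machine that "This enables all attack surface reduction rules in audit mode" is accurate before keeping that sentence.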
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md
index f30804cbd0..3357f3a4fc 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
-ms.date: 10/02/2018
+ms.date: 11/16/2018
---
# Evaluate controlled folder access
@@ -24,70 +24,11 @@ ms.date: 10/02/2018
It is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage.
-This topic helps you evaluate controlled folder access. It explains how to demo the feature using a specialized tool, and how to enable audit mode so you can test the feature directly in your organization.
-
->[!NOTE]
->This topic uses PowerShell cmdlets to make it easy to enable the feature and test it.
->For instructions on how to use Group Policy, Mobile Device Management (MDM), and System Center Configuration Manager to deploy these settings across your network, see the main [Controlled folder access topic](controlled-folders-exploit-guard.md).
+This topic helps you evaluate controlled folder access. It explains how to enable audit mode so you can test the feature directly in your organization.
>[!TIP]
>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
-## Use the demo tool to see how controlled folder access works
-
-Use the **ExploitGuard CFA File Creator** tool to see how controlled folder access can prevent a suspicious app from creating files in protected folders.
-
-The tool is part of the Windows Defender Exploit Guard evaluation package:
-- [Download the Exploit Guard Evaluation Package](https://aka.ms/mp7z2w)
-
-This tool can be run locally on an individual machine to see the typical behavior of controlled folder access. The tool is considered by Windows Defender ATP to be suspicious and will be blocked from creating new files or making changes to existing files in any of your protected folders.
-
-You can enable controlled folder access, run the tool, and see what the experience is like when a suspicious app is prevented from accessing or modifying files in protected folders.
-
-1. Type **powershell** in the Start menu.
-
-2. Right-click **Windows PowerShell**, click **Run as administrator** and click **Yes** or enter admin credentials at the prompt.
-
-3. Enter the following in the PowerShell window to enable Controlled folder access:
- ```PowerShell
- Set-MpPreference -EnableControlledFolderAccess Enabled
- ```
-
-4. Open the Exploit Guard Evaluation Package and copy the file *ExploitGuard CFA File Creator.exe* to a location on your PC that is easy to access (such as your desktop).
-
-5. Run the tool by double-clicking it. If a Windows Defender SmartScreen notification appears, click **More details** and then **Run anyway**.
-
-6. You'll be asked to specify a name and location for the file. You can choose anything you wish to test.
-
- 
-
-7. A notification will appear, indicating that the tool was prevented from creating the file, as in the following example:
-
- 
-
-## Review controlled folder access events in Windows Event Viewer
-
-You can also review the Windows event log to see the events there were created when using the tool. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-attack-surface-reduction-events).
-
-1. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
-
-2. On the left panel, under **Actions**, click **Import custom view...**
-
-3. Navigate to the Exploit Guard Evaluation Package, and select the file *cfa-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
-
-4. Click **OK**.
-
-5. This will create a custom view that filters to only show the following events related to Controlled folder access:
-
-Event ID | Description
--|-
-5007 | Event when settings are changed
-1124 | Audited controlled folder access event
-1123 | Blocked controlled folder access event
-1127 | Blocked controlled folder access sector write block event
-1128 | Audited controlled folder access sector write block event
-
-
## Use audit mode to measure impact
You can enable the controlled folder access feature in audit mode. This lets you see a record of what *would* have happened if you had enabled the setting.
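Review bot: Removing the "Review controlled folder access events in Windows Event Viewer" section drops the only place on this page that told the reader which events audit mode produces (1124 and 1128 in the deleted table), yet the surviving "Use audit mode to measure impact" section depends on reading those events. Keep at least a one-line link to event-views-exploit-guard.md in the audit mode section. The deleted NOTE was also the pointer to the Group Policy, MDM, and System Center Configuration Manager instructions in controlled-folders-exploit-guard.md; if the audit section does not already link there, that cross-reference should be retained as well.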
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md
index 1d7efe7b59..ec8690b50d 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
-ms.date: 05/30/2018
+ms.date: 11/16/2018
---
# Evaluate exploit protection
@@ -26,75 +26,9 @@ Many of the features that are part of the [Enhanced Mitigation Experience Toolki
This topic helps you evaluate exploit protection. For more information about what exploit protection does and how to configure it for real-world deployment, see [Exploit protection](exploit-protection-exploit-guard.md).
->[!NOTE]
->This topic uses PowerShell cmdlets to make it easy to enable the feature and test it.
->For instructions about how to use Group Policy and Mobile Device Management (MDM to deploy these settings across your network, see [Exploit protection](exploit-protection-exploit-guard.md).
-
>[!TIP]
>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
-## Enable and validate an exploit protection mitigation
-
-For this demo you will enable the mitigation that prevents child processes from being created. You'll use Internet Explorer as the parent app.
-
-First, enable the mitigation using PowerShell, and then confirm that it has been applied in the Windows Security app:
-
-1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
-
-2. Enter the following cmdlet:
-
- ```PowerShell
- Set-ProcessMitigation -Name iexplore.exe -Enable DisallowChildProcessCreation
- ```
-
-3. Open Windows Security by clicking the shield icon in the task bar or searching the Start menu for **Defender**.
-
-4. Click the **App & browser control** tile (or the app icon on the left menu bar) and then **Exploit protection settings** at the bottom of the screen.
-
-5. Go to the **Program settings** section, scroll down, click **iexplore.exe**, and then **Edit**.
-
-6. Find the **Do not allow child processes** setting and make sure that **Override System settings** is enabled and the switch is set to **On**.
-
-Now that you know the mitigation has been enabled, you can test to see if it works and what the experience would be for an end user:
-
-1. Type **run** in the Start menu and press **Enter** to open the run dialog box.
-
-2. Type **iexplore.exe** and press **Enter** or click **OK** to attempt to open Internet Explorer.
-
-3. Internet Explorer should briefly open and then immediately shut down again, indicating that the mitigation was applied and prevented Internet Explorer from opening a child process (its own process).
-
-Lastly, we can disable the mitigation so that Internet Explorer works properly again:
-
-1. Open Windows Security by clicking the shield icon in the task bar or searching the Start menu for **Defender**.
-
-2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then **Exploit protection settings** at the bottom of the screen.
-
-3. Go to the **Program settings** section, scroll down, click **iexplore.exe**, and then **Edit**.
-
-4. Find the **Do not allow child processes** setting and set the switch to **Off**. Click **Apply**
-
-5. Validate that Internet Explorer runs by running it from the run dialog box again. It should open as expected.
-
-## Review exploit protection events in Windows Event Viewer
-
-You can now review the events that exploit protection sent to the Windows Event Viewer to confirm what happened. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-attack-surface-reduction-events).
-
-1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *ep-events.xml* to an easily accessible location on the machine.
-
-2. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
-
-3. On the left panel, under **Actions**, click **Import custom view...**
-
-4. Navigate to where you extracted *ep-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
-
-4. Click **OK**.
-
-5. This will create a custom view that filters to only show the events related to exploit protection.
-
-6. The specific event to look for in this demo is event ID 4, which should have the following or similar information:
-
- Process '\Device\HarddiskVolume1\Program Files\Internet Explorer\iexplore.exe' (PID 4692) was blocked from creating a child process 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' with command line '"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4692 CREDAT:75009 /prefetch:2'.
-
## Use audit mode to measure impact
You can enable exploit protection in audit mode. You can enable audit mode for individual mitigations.
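Review bot: With the "Enable and validate" and "Review exploit protection events in Windows Event Viewer" sections deleted, the page no longer links to event-views-exploit-guard.md or shows what an exploit protection event looks like, so a reader who turns on audit mode for a mitigation has no pointer to where the results appear. Add a short link to the event list in the audit mode section. Also worth confirming that the Exploit Guard Evaluation Package link (https://aka.ms/mp7z2w) is not still referenced from other topics if the package is being retired.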
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md
index 995cbaeb50..9c5516c1de 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
-ms.date: 08/09/2018
+ms.date: 11/16/2018
---
# Evaluate network protection
@@ -39,7 +39,7 @@ This topic helps you evaluate Network protection by enabling the feature and gui
Set-MpPreference -EnableNetworkProtection Enabled
```
-You can also carry out the processes described in this topic in audit or disabled mode to see how the feature will work. Use the same PowerShell cmdlet as above, but replace `Enabled` with either `AuditMode` or `Disabled`.
+You can also carry out the processes described in this topic in audit or disabled mode to see how the feature will work. Use the same PowerShell cmdlet as above, but replace "Enabled" with either "AuditMode" or "Disabled".
### Visit a (fake) malicious domain
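Review bot: Changing `Enabled`, `AuditMode` and `Disabled` from code formatting to quoted text is a regression in the replacement line: these are literal values for `Set-MpPreference -EnableNetworkProtection`, and with straight quotes a reader may paste the quotation marks or lose the exact casing cue. Keep the backticks as in the removed line unless the publishing pipeline requires otherwise, in which case say so in the commit message.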
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md
index 5f32c57193..f04964a7cd 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md
@@ -144,30 +144,30 @@ You can access these events in Windows Event viewer:
Feature | Provider/source | Event ID | Description
:-|:-|:-:|:-
-Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 1 | ACG audit
-Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 2 | ACG enforce
-Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 3 | Do not allow child processes audit
-Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 4 | Do not allow child processes block
-Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 5 | Block low integrity images audit
-Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 6 | Block low integrity images block
-Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 7 | Block remote images audit
-Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 8 | Block remote images block
-Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 9 | Disable win32k system calls audit
-Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 10 | Disable win32k system calls block
-Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 11 | Code integrity guard audit
-Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 12 | Code integrity guard block
-Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 13 | EAF audit
-Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 14 | EAF enforce
-Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 15 | EAF+ audit
-Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 16 | EAF+ enforce
-Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 17 | IAF audit
-Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 18 | IAF enforce
-Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 19 | ROP StackPivot audit
-Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 20 | ROP StackPivot enforce
-Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 21 | ROP CallerCheck audit
-Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 22 | ROP CallerCheck enforce
-Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 23 | ROP SimExec audit
-Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 24 | ROP SimExec enforce
+Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 1 | ACG audit
+Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 2 | ACG enforce
+Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 3 | Do not allow child processes audit
+Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 4 | Do not allow child processes block
+Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 5 | Block low integrity images audit
+Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 6 | Block low integrity images block
+Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 7 | Block remote images audit
+Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 8 | Block remote images block
+Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 9 | Disable win32k system calls audit
+Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 10 | Disable win32k system calls block
+Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 11 | Code integrity guard audit
+Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 12 | Code integrity guard block
+Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 13 | EAF audit
+Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 14 | EAF enforce
+Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 15 | EAF+ audit
+Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 16 | EAF+ enforce
+Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 17 | IAF audit
+Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 18 | IAF enforce
+Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 19 | ROP StackPivot audit
+Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 20 | ROP StackPivot enforce
+Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 21 | ROP CallerCheck audit
+Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 22 | ROP CallerCheck enforce
+Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 23 | ROP SimExec audit
+Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 24 | ROP SimExec enforce
Exploit protection | WER-Diagnostics | 5 | CFG Block
Exploit protection | Win32K (Operational) | 260 | Untrusted Font
Network protection | Windows Defender (Operational) | 5007 | Event when settings are changed
@@ -180,4 +180,4 @@ Controlled folder access | Windows Defender (Operational) | 1127 | Blocked Contr
Controlled folder access | Windows Defender (Operational) | 1128 | Audited Controlled folder access sector write block event
Attack surface reduction | Windows Defender (Operational) | 5007 | Event when settings are changed
Attack surface reduction | Windows Defender (Operational) | 1122 | Event when rule fires in Audit-mode
-Attack surface reduction | Windows Defender (Operational) | 1121 | Event when rule fires in Block-mode
\ No newline at end of file
+Attack surface reduction | Windows Defender (Operational) | 1121 | Event when rule fires in Block-mode
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md
index 7fb3984ab2..e84b78a8a0 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
-ms.date: 08/09/2018
+ms.date: 11/29/2018
---
# Protect devices from exploits
@@ -22,10 +22,10 @@ ms.date: 08/09/2018
Exploit protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps.
-It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
+It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). Exploit protection is supported on Windows 10, version 1709 and later and Windows Server 2016, version 1803 or later.
>[!TIP]
->You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
+>You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
Exploit protection works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into exploit protection events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
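Review bot: The added support statement names "Windows Server 2016, version 1803", which mixes two product designations: version 1803 is a Semi-Annual Channel release named "Windows Server, version 1803", not a version of Windows Server 2016. Confirm which release is the actual minimum and word it accordingly. The sentence also switches between "and later" and "or later"; pick one.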
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md
index b1e742ac1b..b6ef34d2fc 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
-ms.date: 08/09/2018
+ms.date: 11/29/2018
---
# Protect your network
@@ -24,8 +24,10 @@ Network protection helps reduce the attack surface of your devices from Internet
It expands the scope of [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md) to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname).
+Network protection is supported on Windows 10, version 1709 and later and Windows Server 2016, version 1803 or later.
+
>[!TIP]
->You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
+>You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
Network protection works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
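Review bot: The new support sentence carries the same "Windows Server 2016, version 1803" wording as the exploit protection topic, so it needs the same confirmation of which server release is meant, and the "and later" / "or later" wording should be made consistent. Since the sentence is pasted into more than one topic, consider keeping the two copies word-for-word identical once corrected so they do not drift.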
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
index 1eb3ac9b72..640fe4cc29 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
@@ -33,9 +33,9 @@ The following tables provide more information about the hardware, firmware, and
|--------------------------------|----------------------------------------------------|-------------------|
| Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. | |
| Hardware: **CPU virtualization extensions**,
plus **extended page tables** | These hardware features are required for VBS:
One of the following virtualization extensions:
• VT-x (Intel) or
• AMD-V
And:
• Extended page tables, also called Second Level Address Translation (SLAT). | VBS provides isolation of the secure kernel from the normal operating system. Vulnerabilities and zero-days in the normal operating system cannot be exploited because of this isolation. |
-| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](https://docs.microsoft.com/windows-hardware/design/compatibility/systems#systemfundamentalsfirmwareuefisecureboot) | UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
-| Firmware: **Secure firmware update process** | UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](https://docs.microsoft.com/windows-hardware/design/compatibility/systems#systemfundamentalsfirmwareuefisecureboot) | UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
-| Software: **HVCI compatible drivers** | See the Windows Hardware Compatibility Program requirements under [Filter.Driver.DeviceGuard.DriverCompatibility](https://docs.microsoft.com/windows-hardware/design/compatibility/filter#filterdriverdeviceguarddrivercompatibility).| [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. |
+| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | See the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/en-us/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
+| Firmware: **Secure firmware update process** | UEFI firmware must support secure firmware update found under the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/en-us/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
+| Software: **HVCI compatible drivers** | See the Filter.Driver.DeviceGuard.DriverCompatibility requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Filter driver download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/en-us/windows-hardware/design/compatibility/whcp-specifications-policies). | [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. |
| Software: Qualified **Windows operating system** | Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise
Important:
Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only virtualization-based protection of code integrity is supported in this configuration.
| Support for VBS and for management features that simplify configuration of Windows Defender Device Guard. |
> **Important** The following tables list additional qualifications for improved security. You can use Windows Defender Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting these additional qualifications to significantly strengthen the level of security that Windows Defender Device Guard can provide.
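Review bot: In the "HVCI compatible drivers" row the link text says "Filter driver download" but the URL is the same `https://go.microsoft.com/fwlink/?linkid=2027110` used for the "Systems download" in the two firmware rows, which looks like a copy-paste error; please verify the linkid for the Filter driver specification. Two smaller points on the same rows: the new docs.microsoft.com links are pinned to `/en-us/`, unlike the locale-neutral URLs they replace, and the link text "here" should be replaced with descriptive text such as the page title.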
@@ -58,7 +58,7 @@ The following tables describe additional hardware and firmware qualifications, a
| Protections for Improved Security | Description | Security benefits |
|---------------------------------------------|----------------------------------------------------|-----|
-| Firmware: **Hardware Rooted Trust Platform Secure Boot** | • Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://docs.microsoft.com/windows-hardware/design/compatibility/systems#systemfundamentalsfirmwarecsuefisecurebootconnectedstandby)
• The Hardware Security Test Interface (HSTI) 1.1.a must be implemented. See [Hardware Security Testability Specification](https://docs.microsoft.com/windows-hardware/test/hlk/testref/hardware-security-testability-specification). | • Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
• HSTI 1.1.a provides additional security assurance for correctly secured silicon and platform. |
+| Firmware: **Hardware Rooted Trust Platform Secure Boot** | • Boot Integrity (Platform Secure Boot) must be supported. See the System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/en-us/windows-hardware/design/compatibility/whcp-specifications-policies).
• The Hardware Security Test Interface (HSTI) 1.1.a must be implemented. See [Hardware Security Testability Specification](https://docs.microsoft.com/windows-hardware/test/hlk/testref/hardware-security-testability-specification). | • Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
• HSTI 1.1.a provides additional security assurance for correctly secured silicon and platform. |
| Firmware: **Firmware Update through Windows Update** | Firmware must support field updates through Windows Update and UEFI encapsulation update. | Helps ensure that firmware updates are fast, secure, and reliable. |
| Firmware: **Securing Boot Configuration and Management** | • Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
• Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.| • Enterprises can choose to allow proprietary EFI drivers/applications to run.
• Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. |
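Review bot: The replacement row again hardcodes `/en-us/` in the whcp-specifications-policies URL and uses "here" as link text; drop the locale segment so the link follows the reader's language and give the link a descriptive label. The requirement is now referenced only by name (System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby) inside a downloadable document, so it would help to state that the reader must search the downloaded specification for that identifier.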
diff --git a/windows/whats-new/whats-new-windows-10-version-1803.md b/windows/whats-new/whats-new-windows-10-version-1803.md
index effaa35bd4..622cbcdd98 100644
--- a/windows/whats-new/whats-new-windows-10-version-1803.md
+++ b/windows/whats-new/whats-new-windows-10-version-1803.md
@@ -234,4 +234,4 @@ Support in [Windows Defender Application Guard](#windows-defender-application-gu
[What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
[What's new in Windows 10, version 1709](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-windows): See what’s new in Windows 10 hardware.
[Windows 10 Fall Creators Update Next Generation Security](https://www.youtube.com/watch?v=JDGMNFwyUg8): YouTube video about Windows Defender ATP in Windows 10, version 1709.
-[How to take a screenshot on pc without any app](https://rahulit.com/how-to-take-a-screenshot-on-a-dell-laptop/)
+
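Review bot: The unrelated screenshot link is replaced by an added empty line rather than simply deleted, which leaves a trailing blank line at the end of the file; remove the line outright. Since the removed URL points to a third-party site with no connection to the topic, it is worth identifying the commit that introduced it and checking the other files touched by that commit for similar insertions.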