fixed merge conflicts from public contributions

browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md

@@ -77,6 +77,6 @@ Regardless which tool you're using to edit your Group Policy settings, you'll ne
 -   **If you're using GPMC with Advanced Group Policy Management (AGPM).** See [Checklist: Create, Edit, and Deploy a GPO](https://go.microsoft.com/fwlink/p/?LinkId=214522) for step-by-step instructions about how to check out a GPO from the AGPM archive, edit it, and request deployment.
 
 ## Related topics
-- [Administrative templates (.admx) for Windows 10 download](https://go.microsoft.com/fwlink/p/?LinkId=746579)
+- [Administrative templates (.admx) for Windows 10 April 2018 Update](https://www.microsoft.com/download/details.aspx?id=56880)
+- [Administrative templates (.admx) for Windows 10 October 2018 Update](https://www.microsoft.com/download/details.aspx?id=57576)
 - [Administrative Templates (.admx) for Windows 8.1 and Windows Server 2012 R2](https://go.microsoft.com/fwlink/p/?LinkId=746580)
-

devices/surface-hub/surface-hub-site-readiness-guide.md

@@ -131,7 +131,7 @@ For details on Touchback and Inkback, see the user guide at http://www.microsoft
 
 ## See also
 
-[Watch the video (opens in a pop-up media player)][<http://compass.xbox.com/assets/27/aa/27aa7dd7-7cb7-40ea-9bd6-c7de0795f68c.mov?n=04.07.16_installation_video_01_site_readiness.mov>)  
+[Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/27/aa/27aa7dd7-7cb7-40ea-9bd6-c7de0795f68c.mov?n=04.07.16_installation_video_01_site_readiness.mov)  
 
 
 

devices/surface/assettag.md

@@ -28,7 +28,7 @@ for Surface devices. It works on Surface Pro 3 and all newer Surface devices.
 
 To run Surface Asset Tag:
 
-1.  On the Surface device, download **Surface Pro 3 AssetTag.zip** from the [Microsoft Download
+1.  On the Surface device, download **Surface Asset Tag.zip** from the [Microsoft Download
     Center](https://www.microsoft.com/en-us/download/details.aspx?id=46703),
     extract the zip file, and save AssetTag.exe in desired folder (in
     this example, C:\\assets).

devices/surface/surface-enterprise-management-mode.md

@@ -214,9 +214,7 @@ valid.
 machines that have it?**
 
 If you want SEMM reset or recovery to work, the certificate needs to be
-valid and not expired. You can use the current valid ownership
+valid and not expired. 
-certificate to sign a package that updates to a new certificate for
-ownership. You do not need to create a reset package. 
 
 **Can bulk reset packages be created for each surface that we order? Can
 one be built that resets all machines in our environment?**

mdop/appv-v5/about-the-connection-group-file.md

@@ -157,13 +157,55 @@ In the <Packages> section of the connection group XML file, you list the m
 
 The following example connection group XML file shows examples of the fields in the previous tables and highlights the items that are new for App-V 5.0 SP3.
 
-`<?xml version="1.0" encoding="UTF-16"?>``<appv:AppConnectionGroup``xmlns="http://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup"``xmlns:appv="http://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup"``  AppConnectionGroupId="61BE9B14-D2B4-41CE-A6E3-A1B658DE7000"``  VersionId="E6B6AA57-F2A7-49C9-ADF8-F2B5B3C8A42F"``  Priority="0"``  DisplayName="Sample Connection Group">``  <appv:Packages>``    <appv:Package``      PackageId="1DC709C8-309F-4AB4-BD47-F75926D04276"``      VersionId="*"``      IsOptional=”true”``    />``    <appv:Package``      PackageId="04220DCA-EE77-42BE-A9F5-96FD8E8593F2"``      VersionId="E15EFFE9-043D-4C01-BC52-AD2BD1E8BAFA"``      IsOptional=”false”``    />``  </appv:Packages>`
+```XML
+<?xml version="1.0" encoding="UTF-16"?>
+<appv:AppConnectionGroup 
+   xmlns="http://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup"
+   xmlns:appv="http://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup"
+   AppConnectionGroupId="61BE9B14-D2B4-41CE-A6E3-A1B658DE7000"
+   VersionId="E6B6AA57-F2A7-49C9-ADF8-F2B5B3C8A42F"  
+   Priority="0"  
+   DisplayName="Sample Connection Group">
+   <appv:Packages>
+      <appv:Package      
+         PackageId="1DC709C8-309F-4AB4-BD47-F75926D04276"
+         VersionId="*"
+         IsOptional=”true”
+      />    
+     <appv:Package
+        PackageId="04220DCA-EE77-42BE-A9F5-96FD8E8593F2"
+        VersionId="E15EFFE9-043D-4C01-BC52-AD2BD1E8BAFA"
+        IsOptional="false"
+     />  
+   </appv:Packages>
+</appv:AppConnectionGroup>
+```
 
 ### <a href="" id="bkmk-50thru50sp2-exp-cg-xm"></a>App-V 5.0 through App-V 5.0 SP2 example connection group XML file
 
 The following example connection group XML file applies to App-V 5.0 through App-V 5.0 SP2. It shows examples of the fields in the previous table, but it excludes the changes described above for App-V 5.0 SP3.
 
-`<?xml version="1.0" encoding="UTF-16"?>``<appv:AppConnectionGroup``xmlns="http://schemas.microsoft.com/appv/2010/virtualapplicationconnectiongroup"``xmlns:appv="http://schemas.microsoft.com/appv/2010/virtualapplicationconnectiongroup"``  AppConnectionGroupId="61BE9B14-D2B4-41CE-A6E3-A1B658DE7000"``  VersionId="E6B6AA57-F2A7-49C9-ADF8-F2B5B3C8A42F"``  Priority="0"``  DisplayName="Sample Connection Group">``  <appv:Packages>``    <appv:Package``      PackageId="1DC709C8-309F-4AB4-BD47-F75926D04276"``      VersionId="C7DF4F63-5288-439C-ACEF-EF06BF401EC5"``    />``    <appv:Package``      PackageId="04220DCA-EE77-42BE-A9F5-96FD8E8593F2"``      VersionId="E15EFFE9-043D-4C01-BC52-AD2BD1E8BAFA"``    />``  </appv:Packages>`
+```XML
+<?xml version="1.0" encoding="UTF-16"?>
+<appv:AppConnectionGroup
+   xmlns="http://schemas.microsoft.com/appv/2010/virtualapplicationconnectiongroup"
+   xmlns:appv="http://schemas.microsoft.com/appv/2010/virtualapplicationconnectiongroup"
+   AppConnectionGroupId="61BE9B14-D2B4-41CE-A6E3-A1B658DE7000"
+   VersionId="E6B6AA57-F2A7-49C9-ADF8-F2B5B3C8A42F"
+   Priority="0"
+   DisplayName="Sample Connection Group">
+   <appv:Packages>
+      <appv:Package``      
+         PackageId="1DC709C8-309F-4AB4-BD47-F75926D04276"
+         VersionId="C7DF4F63-5288-439C-ACEF-EF06BF401EC5"
+      />
+      <appv:Package
+         PackageId="04220DCA-EE77-42BE-A9F5-96FD8E8593F2"
+         VersionId="E15EFFE9-043D-4C01-BC52-AD2BD1E8BAFA"
+      />
+   </appv:Packages>
+</appv:AppConnectionGroup
+ ```
 
 ## <a href="" id="bkmk-config-pkg-priority-incg"></a>Configuring the priority of packages in a connection group
 

mdop/appv-v5/about-the-connection-group-file51.md

@@ -157,13 +157,55 @@ In the <Packages> section of the connection group XML file, you list the m
 
 The following example connection group XML file shows examples of the fields in the previous tables and highlights the items that are new starting in App-V 5.0 SP3.
 
-`<?xml version="1.0" encoding="UTF-16"?>``<appv:AppConnectionGroup``xmlns="http://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup"``xmlns:appv="http://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup"``  AppConnectionGroupId="61BE9B14-D2B4-41CE-A6E3-A1B658DE7000"``  VersionId="E6B6AA57-F2A7-49C9-ADF8-F2B5B3C8A42F"``  Priority="0"``  DisplayName="Sample Connection Group">``  <appv:Packages>``    <appv:Package``      PackageId="1DC709C8-309F-4AB4-BD47-F75926D04276"``      VersionId="*"``      IsOptional=”true”``    />``    <appv:Package``      PackageId="04220DCA-EE77-42BE-A9F5-96FD8E8593F2"``      VersionId="E15EFFE9-043D-4C01-BC52-AD2BD1E8BAFA"``      IsOptional=”false”``    />``  </appv:Packages>`
+```XML
+<?xml version="1.0" encoding="UTF-16">
+<appv:AppConnectionGroup 
+  xmlns="http://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup"
+  xmlns:appv="http://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup"  
+  AppConnectionGroupId="61BE9B14-D2B4-41CE-A6E3-A1B658DE7000"
+  VersionId="E6B6AA57-F2A7-49C9-ADF8-F2B5B3C8A42F"
+  Priority="0"  
+  DisplayName="Sample Connection Group">
+  <appv:Packages>    
+    <appv:Package
+      PackageId="1DC709C8-309F-4AB4-BD47-F75926D04276"
+      VersionId="*"
+      IsOptional="true"    
+    />
+    <appv:Package
+      PackageId="04220DCA-EE77-42BE-A9F5-96FD8E8593F2"
+      VersionId="E15EFFE9-043D-4C01-BC52-AD2BD1E8BAFA"
+      IsOptional="false"    
+    />  
+  </appv:Packages>
+</appv:AppConnectionGroup>
+```
 
 ### <a href="" id="bkmk-50thru50sp2-exp-cg-xm"></a>App-V 5.0 through App-V 5.0 SP2 example connection group XML file
 
 The following example connection group XML file applies to App-V 5.0 through App-V 5.0 SP2. It shows examples of the fields in the previous table, but it excludes the changes described above for App-V 5.0 SP3.
 
-`<?xml version="1.0" encoding="UTF-16"?>``<appv:AppConnectionGroup``xmlns="http://schemas.microsoft.com/appv/2010/virtualapplicationconnectiongroup"``xmlns:appv="http://schemas.microsoft.com/appv/2010/virtualapplicationconnectiongroup"``  AppConnectionGroupId="61BE9B14-D2B4-41CE-A6E3-A1B658DE7000"``  VersionId="E6B6AA57-F2A7-49C9-ADF8-F2B5B3C8A42F"``  Priority="0"``  DisplayName="Sample Connection Group">``  <appv:Packages>``    <appv:Package``      PackageId="1DC709C8-309F-4AB4-BD47-F75926D04276"``      VersionId="C7DF4F63-5288-439C-ACEF-EF06BF401EC5"``    />``    <appv:Package``      PackageId="04220DCA-EE77-42BE-A9F5-96FD8E8593F2"``      VersionId="E15EFFE9-043D-4C01-BC52-AD2BD1E8BAFA"``    />``  </appv:Packages>`
+```XML
+<?xml version="1.0" encoding="UTF-16">
+<appv:AppConnectionGroup
+  xmlns="http://schemas.microsoft.com/appv/2010/virtualapplicationconnectiongroup"
+  xmlns:appv="http://schemas.microsoft.com/appv/2010/virtualapplicationconnectiongroup"
+  AppConnectionGroupId="61BE9B14-D2B4-41CE-A6E3-A1B658DE7000"
+  VersionId="E6B6AA57-F2A7-49C9-ADF8-F2B5B3C8A42F"
+  Priority="0"
+  DisplayName="Sample Connection Group">
+  <appv:Packages>
+    <appv:Package
+      PackageId="1DC709C8-309F-4AB4-BD47-F75926D04276"
+      VersionId="C7DF4F63-5288-439C-ACEF-EF06BF401EC5"
+    />
+    <appv:Package
+     PackageId="04220DCA-EE77-42BE-A9F5-96FD8E8593F2"
+     VersionId="E15EFFE9-043D-4C01-BC52-AD2BD1E8BAFA"
+   />
+ </appv:Packages>
+<appv:AppConnectionGroup>
+```
 
 ## <a href="" id="bkmk-config-pkg-priority-incg"></a>Configuring the priority of packages in a connection group
 

windows/application-management/app-v/appv-connection-group-virtual-environment.md

@@ -30,7 +30,20 @@ The connection group that is used is based on the order in which a package appea
 Consider the following example section:
 
 ```XML
-<appv:Packages><appv:PackagePackageId="A8731008-4523-4713-83A4-CD1363907160"VersionId="E889951B-7F30-418B-A69C-B37283BC0DB9"/><appv:PackagePackageId="1DC709C8-309F-4AB4-BD47-F75926D04276"VersionId="01F1943B-C778-40AD-BFAD-AC34A695DF3C"/><appv:PackagePackageId="04220DCA-EE77-42BE-A9F5-96FD8E8593F2"VersionId="E15EFFE9-043D-4C01-BC52-AD2BD1E8BAFA"/></appv:Packages>
+<appv:Packages>
+  <appv:Package
+    PackageId="A8731008-4523-4713-83A4-CD1363907160"
+    VersionId="E889951B-7F30-418B-A69C-B37283BC0DB9"
+  />
+  <appv:Package
+    PackageId="1DC709C8-309F-4AB4-BD47-F75926D04276"
+    VersionId="01F1943B-C778-40AD-BFAD-AC34A695DF3C"
+  />
+  <appv:Package
+    PackageId="04220DCA-EE77-42BE-A9F5-96FD8E8593F2"
+    VersionId="E15EFFE9-043D-4C01-BC52-AD2BD1E8BAFA"
+  />
+</appv:Packages>
 ```
 
 Assume that same DWORD value ABC (HKEY\_LOCAL\_MACHINE\\software\\contoso\\finapp\\region) is defined in the first and third package.

windows/application-management/manage-windows-mixed-reality.md

@@ -74,22 +74,22 @@ In the following example, the **Id** can be any generated GUID and the **Name**
                     <Type xmlns="syncml:metinf">text/plain</Type>
                 </Meta>
                 <Data>
-                  &lt;RuleCollection Type="Appx" EnforcementMode="Enabled"&gt;
+                  <RuleCollection Type="Appx" EnforcementMode="Enabled">
-                   &lt;FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="(Default Rule) All signed packaged apps" Description="Allows members of the Everyone group to run packaged apps that are signed." UserOrGroupSid="S-1-1-0" Action="Allow"&gt;
+                   <FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="(Default Rule) All signed packaged apps" Description="Allows members of the Everyone group to run packaged apps that are signed." UserOrGroupSid="S-1-1-0" Action="Allow">
-                    &lt;Conditions&gt;
+                    <Conditions>
-                      &lt;FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*"&gt;
+                      <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
-                        &lt;BinaryVersionRange LowSection="0.0.0.0" HighSection="*" /&gt;
+                        <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
-                      &lt;/FilePublisherCondition&gt;
+                      </FilePublisherCondition>
-                    &lt;/Conditions&gt;
+                    </Conditions>
-                  &lt;/FilePublisherRule&gt;
+                  </FilePublisherRule>
-                  &lt;FilePublisherRule Id="d26da4e7-0b01-484d-a8d3-d5b5341b2d55" Name="Block Mixed Reality Portal" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"&gt;
+                  <FilePublisherRule Id="d26da4e7-0b01-484d-a8d3-d5b5341b2d55" Name="Block Mixed Reality Portal" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
-                   &lt;Conditions&gt;
+                   <Conditions>
-                     &lt;FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.HolographicFirstRun" BinaryName="*"&gt;
+                     <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.HolographicFirstRun" BinaryName="*">
-                      &lt;BinaryVersionRange LowSection="*" HighSection="*" /&gt;
+                      <BinaryVersionRange LowSection="*" HighSection="*" />
-                      &lt;/FilePublisherCondition&gt;
+                      </FilePublisherCondition>
-                    &lt;/Conditions&gt;
+                    </Conditions>
-                  &lt;/FilePublisherRule&gt;
+                  </FilePublisherRule>
-                 &lt;/RuleCollection&gt;&gt;
+                 </RuleCollection>>
                 </Data>
             </Item>
         </Add>

windows/deployment/update/waas-delivery-optimization-reference.md

@@ -83,8 +83,8 @@ Additional options available that control the impact Delivery Optimization has o
 - [Max Upload Bandwidth](#max-upload-bandwidth) controls the Delivery Optimization upload bandwidth usage.
 - [Monthly Upload Data Cap](#monthly-upload-data-cap) controls the amount of data a client can upload to peers each month.
 - [Minimum Background QoS](#minimum-background-qos) lets administrators guarantee a minimum download speed for Windows updates. This is achieved by adjusting the amount of data downloaded directly from Windows Update or WSUS servers, rather than other peers in the network.
-- [Maximum Foreground Download Bandwidth](#maximum-foreground-download-bandwidth) specifies the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth.
+- [Maximum Foreground Download Bandwidth](#maximum-foreground-download-bandwidth) specifies the **maximum foreground download bandwidth** that Delivery Optimization uses, across all concurrent download activities, as a percentage of available download bandwidth.
-- [Maximum Background Download Bandwidth](#maximum-background-download-bandwidth) specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth.
+- [Maximum Background Download Bandwidth](#maximum-background-download-bandwidth) specifies the **maximum background download bandwidth** that Delivery Optimization uses, across all concurrent download activities, as a percentage of available download bandwidth.
 - [Set Business Hours to Limit Background Download Bandwidth](#set-business-hours-to-limit-background-download-bandwidth) specifies the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth.
 - [Set Business Hours to Limit Foreground Download Bandwidth](#set-business-hours-to-limit-foreground-download-bandwidth) specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth.
 - [Select a method to restrict Peer Selection](#select-a-method-to-restrict-peer-selection) restricts peer selection by the options you select.
@@ -194,8 +194,6 @@ Starting in Windows 10, version 1803, specifies the maximum foreground download
 Starting in Windows 10, version 1803, set this policy to restrict peer selection via selected option.  
 Currently the only available option is **1 = Subnet mask** This option (Subnet mask) applies to both Download Modes LAN (1) and Group (2).  
 
-
-
 ### Delay background download from http (in secs)
 Starting in Windows 10, version 1803, this allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer.
 

windows/deployment/update/windows-analytics-FAQ-troubleshooting.md

@@ -87,9 +87,9 @@ If you have devices that appear in other solutions, but not Device Health (the D
 2. Confirm that the devices are running Windows 10.
 3. Verify that the Commercial ID is present in the device's registry. For details see [https://gpsearch.azurewebsites.net/#13551](https://gpsearch.azurewebsites.net/#13551).
 4. Confirm that devices are opted in to send diagnostic data by checking in the registry that **AllowTelemetry** is set to either 2 (Enhanced) or 3 (Full). 
-    - **AllowTelemetry** under **HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection** is the location set by Group Policy or MDM
+    - **AllowTelemetry** under **HKLM\Software\Policies\Microsoft\Windows\DataCollection** is the IT policy path.
-    - **AllowTelemetry** under **HKLM\Software\Policies\Microsoft\Windows\DataCollection** is the location set by local tools such as the Settings app.
+    - **AllowTelemetry** under **HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection** is the user preference (Settings app) path. 
-    - By convention the Group Policy location would take precedence if both are set. Starting with Windows 10, version 1803, the default precedence is modified to enable a device user to lower the diagnostic data level from that set by IT. For organizations which have no requirement to allow the user to override IT, the conventional (IT wins) behavior can be re-enabled using **DisableTelemetryOptInSettingsUx**. This policy can be set via Group Policy as  **Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds\Configure telemetry opt-in setting user interface**.
+    - IMPORTANT: By convention (and in earlier versions of Windows 10) the IT policy would take precedence over any user preference. Starting with Windows 10, version 1803, the user can lower the device's effective value even when an IT policy is set. This change assists organizations in complying with regional or organizational expectations about user control over privacy settings. For organizations where user control of privacy settings is not required, the previous behavior (IT policy path always wins) can be enabled using the new policy **Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds\Configure telemetry opt-in setting user interface**.
 5. Verify that devices can reach the endpoints specified in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). Also check settings for SSL inspection and proxy authentication; see [Configuring endpoint access with SSL inspection](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started#configuring-endpoint-access-with-ssl-inspection) for more information.
 6. Wait 48 hours for activity to appear in the reports.
 7. If you need additional troubleshooting, contact Microsoft Support.

windows/deployment/update/windows-analytics-azure-portal.md

@@ -17,13 +17,13 @@ ms.topic: article
 
 # Windows Analytics in the Azure Portal
 
-Windows Analytics uses Azure Log Analytics (formerly known as Operations Management Suite or OMS), a collection of cloud-based servicing for monitoring and automating your on-premises and cloud environments.
+Windows Analytics uses Azure Log Analytics workspaces (formerly known as Operations Management Suite or OMS), a collection of cloud-based services for monitoring and automating your on-premises and cloud environments.
 
 **The OMS portal has been deprecated; you should start using the [Azure portal](https://portal.azure.com) instead as soon as possible.** Many experiences are the same in the two portals, but there are some key differences, which this topic will explain. For much more information about the transition from OMS to Azure, see [OMS portal moving to Azure](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-portal-transition).
 
 ## Navigation and permissions in the Azure portal
 
-Go to the [Azure portal](https://portal.azure.com), select **All services**, and search for *Log Analytics*. Once it appears, you can select the star to add it to your favorites for easy access in the future.
+Go to the [Azure portal](https://portal.azure.com), select **All services**, and search for *Log Analytics workspaces*. Once it appears, you can select the star to add it to your favorites for easy access in the future.
 
 [![Azure portal all services page with Log Analytics found and selected as favorite](images/azure-portal-LAfav1.png)](images/azure-portal-LAfav1.png)
 
@@ -39,7 +39,7 @@ An **Azure subscription** is a container for billing, but also acts as a securit
 >[!IMPORTANT]
 >Unlike the OMS portal (which only requires permission to access the Azure Log Analytics workspace), the Azure portal also requires access to be configured to either the linked *Azure subscription* or Azure resource group.
 
-To check the Log Analytics workspaces you can access, select **Log Analytics**. You should see a grid control listing all workspaces, along with the Azure subscription each is linked to:
+To check the Log Analytics workspaces you can access, select **Log Analytics workspaces**. You should see a grid control listing all workspaces, along with the Azure subscription each is linked to:
 
 [![Log Analytics workspace page showing accessible workspaces and linked Azure subscriptions](images/azure-portal-LAmain-wkspc-subname-sterile.png)](images/azure-portal-LAmain-wkspc-subname-sterile.png)
 

windows/security/identity-protection/access-control/local-accounts.md

@@ -121,15 +121,15 @@ In addition, the guest user in the Guest account should not be able to view the
 ### DefaultAccount
 
 The DefaultAccount, also known as the Default System Managed Account (DSMA), is a built-in account introduced in Windows 10 version 1607 and Windows Server 2016. 
-The DMSA is a well-known user account type. 
+The DSMA is a well-known user account type. 
 It is a user neutral account that can be used to run processes that are either multi-user aware or user-agnostic. 
-The DMSA is disabled by default on the desktop SKUs (full windows SKUs) and WS 2016 with the Desktop. 
+The DSMA is disabled by default on the desktop SKUs (full windows SKUs) and WS 2016 with the Desktop. 
 
-The DMSA has a well-known RID of 503. The security identifier (SID) of the DMSA will thus have a well-known SID in the following format: S-1-5-21-<ComputerIdentifier>-503 
+The DSMA has a well-known RID of 503. The security identifier (SID) of the DSMA will thus have a well-known SID in the following format: S-1-5-21-<ComputerIdentifier>-503 
 
-The DMSA is a member of the well-known group **System Managed Accounts Group**, which has a well-known SID of S-1-5-32-581. 
+The DSMA is a member of the well-known group **System Managed Accounts Group**, which has a well-known SID of S-1-5-32-581. 
 
-The DMSA alias can be granted access to resources during offline staging even before the account itself has been created. The account and the group are created during first boot of the machine within the Security Accounts Manager (SAM).
+The DSMA alias can be granted access to resources during offline staging even before the account itself has been created. The account and the group are created during first boot of the machine within the Security Accounts Manager (SAM).
 
 #### How Windows uses the DefaultAccount
 From a permission perspective, the DefaultAccount is a standard user account. 

windows/security/identity-protection/credential-guard/additional-mitigations.md

@@ -611,9 +611,3 @@ write-host $tmp -Foreground Red
 
 > [!NOTE]  
 > If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.
-
-## See also
-
-**Deep Dive into Windows Defender Credential Guard: Related videos**
-
-[Protecting privileged users with Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=JNbjYMJyC_8104300474)

windows/security/identity-protection/credential-guard/credential-guard-considerations.md

@@ -22,9 +22,6 @@ ms.reviewer:
 -   Windows 10
 -   Windows Server 2016
 
-Prefer video? See [Credentials Protected by Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=mD3geLJyC_8304300474)
-in the **Deep Dive into Windows Defender Credential Guard** video series.
-
 Passwords are still weak. We recommend that in addition to deploying Windows Defender Credential Guard, organizations move away from passwords to other authentication methods, such as physical smart cards, virtual smart cards, or Windows Hello for Business.
 
 Windows Defender Credential Guard uses hardware security, so some features such as Windows To Go, are not supported.
@@ -99,6 +96,6 @@ When data protected with user DPAPI is unusable, then the user loses access to a
 
 ## See also
 
-**Deep Dive into Windows Defender Credential Guard: Related videos**
+**Related videos**
 
-[Virtualization-based security](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=1CoELLJyC_6704300474)
+[What is virtualization-based security?](https://www.linkedin.com/learning/microsoft-cybersecurity-stack-advanced-identity-and-endpoint-protection/what-is-virtualization-based-security)

windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md

@@ -35,14 +35,8 @@ Here's a high-level overview on how the LSA is isolated by using virtualization-
 
 ![Windows Defender Credential Guard overview](images/credguard.png)  
 
-<br>
-
 ## See also
 
-**Deep Dive into Windows Defender Credential Guard: Related videos**
+**Related videos**
 
-[Credential Theft and Lateral Traversal](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=cfGBPlIyC_9404300474)
+[What is virtualization-based security?](https://www.linkedin.com/learning/microsoft-cybersecurity-stack-advanced-identity-and-endpoint-protection/what-is-virtualization-based-security)
-
-[Virtualization-based security](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=1CoELLJyC_6704300474)
-
-[Credentials protected by Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474)

windows/security/identity-protection/credential-guard/credential-guard-manage.md

@@ -114,6 +114,9 @@ You can also enable Windows Defender Credential Guard by using the [Windows Defe
 ```
 DG_Readiness_Tool_v3.5.ps1 -Enable -AutoReboot
 ```
+> [!IMPORTANT]
+> When running the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSAch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work. 
+> This is a known issue.
 
 ### Review Windows Defender Credential Guard performance
 
@@ -134,6 +137,9 @@ You can also check that Windows Defender Credential Guard is running by using th
 ```
 DG_Readiness_Tool_v3.5.ps1 -Ready
 ```
+> [!IMPORTANT]
+> When running the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSAch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work. 
+> This is a known issue.
 
 > [!NOTE]
 > For client machines that are running Windows 10 1703, LsaIso.exe is running whenever virtualization-based security is enabled for other features.
@@ -201,6 +207,9 @@ You can also disable Windows Defender Credential Guard by using the [Windows Def
 ```
 DG_Readiness_Tool_v3.6.ps1 -Disable -AutoReboot
 ```
+> [!IMPORTANT]
+> When running the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSAch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work. 
+> This is a known issue.
 
 #### Disable Windows Defender Credential Guard for a virtual machine
 

windows/security/identity-protection/credential-guard/credential-guard.md

@@ -23,8 +23,6 @@ ms.date: 08/17/2017
 -   Windows 10
 -   Windows Server 2016
 
-Prefer video? See [Credential Theft and Lateral Traversal](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=cfGBPlIyC_9404300474) in the Deep Dive into Windows Defender Credential Guard video series.
-
 Introduced in Windows 10 Enterprise and Windows Server 2016, Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Windows Defender Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials.
 
 By enabling Windows Defender Credential Guard, the following features and solutions are provided:
@@ -45,10 +43,3 @@ By enabling Windows Defender Credential Guard, the following features and soluti
 - [What's New in Kerberos Authentication for Windows Server 2012](https://technet.microsoft.com/library/hh831747.aspx)
 - [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](https://technet.microsoft.com/library/dd378897.aspx)
 - [Trusted Platform Module](/windows/device-security/tpm/trusted-platform-module-overview)
- 
-
-## See also
-
-**Deep Dive into Windows Defender Credential Guard: Related videos**
-
-[Credentials protected by Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474)

windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md

@@ -23,12 +23,13 @@ ms.reviewer:
 -   Hybrid deployment
 -   Key trust
 
-
 ## Directory Synchronization
 
 In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure.  Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory.  
 
 ### Group Memberships for the Azure AD Connect Service Account
+>[!IMPORTANT]
+> If you already have a Windows Server 2016 domain controller in your domain, you can skip **Configure Permissions for Key Synchronization**. For more detail see [Configure Hybrid Windows Hello for Business: Directory Synchronization](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync).
 
 The KeyAdmins global group provides the Azure AD Connect service with the permissions needed to read and write the public key to Active Directory.  
 
@@ -45,12 +46,10 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva
 
 > [!div class="checklist"]
 > * Configure group membership for Azure AD Connect
-> 
-> [!div class="step-by-step"]
-> [< Configure Active Directory](hello-hybrid-key-whfb-settings-ad.md)
-> [Configure PKI >](hello-hybrid-key-whfb-settings-pki.md)
 
-<br><br>
+>[!div class="step-by-step"]
+[< Configure Active Directory](hello-hybrid-key-whfb-settings-ad.md)
+[Configure PKI >](hello-hybrid-key-whfb-settings-pki.md)  
 
 <hr>
 

windows/security/identity-protection/hello-for-business/hello-identity-verification.md

@@ -73,3 +73,6 @@ The table shows the minimum requirements for each deployment.
 | Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/help/4088889) | Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/help/4088889) |
 | AD FS with Azure MFA Server, or</br>AD FS with 3rd Party MFA Adapter | AD FS with Azure MFA Server, or</br>AD FS with 3rd Party MFA Adapter |
 | Azure Account, optional for Azure MFA billing | Azure Account, optional for Azure MFA billing |
+
+>[!IMPORTANT]
+> For Windows Hello for Business deployment, if you have several domains, at least one Windows Server Domain Controller 2016 is required for each domain. For more information, see the [planning guide](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers).

windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md

@@ -54,7 +54,7 @@ ms.date: 04/24/2018
 
 5. Right-click **Scheduled tasks**, point to **New**, and then click **Immediate task**.
 
-6. In the  **Task** window that opens, go to the **General** tab. Choose the local SYSTEM user account under **Security options**.
+6. In the **Task** window that opens, go to the **General** tab. Choose the local SYSTEM user account (BUILTIN\SYSTEM) under **Security options**.
 
 7. Select **Run whether user is logged on or not** and check the **Run with highest privileges** check box.
 
@@ -116,7 +116,7 @@ For security reasons, the package used to Offboard machines will expire 30 days
 
 5.	Right-click **Scheduled tasks**, point to **New**, and then click **Immediate task**.
 
-6.	In the **Task** window that opens, go to the **General** tab. Choose the local SYSTEM user account under **Security options**.
+6.	In the **Task** window that opens, go to the **General** tab. Choose the local SYSTEM user account (BUILTIN\SYSTEM) under **Security options**.
 
 7.	Select **Run whether user is logged on or not** and check the **Run with highest privileges** check-box.
 

windows/security/threat-protection/microsoft-defender-atp/use-apis.md

@@ -20,7 +20,7 @@ ms.topic: conceptual
 
 # Microsoft Defender ATP APIs
 
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
 > Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
 

windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md

@@ -47,6 +47,13 @@ Microsoft Defender ATP provides detailed reporting into events and blocks as par
 
 You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how controlled folder access settings would affect your environment if they were enabled.
 
+Here is an example query 
+
+```
+MiscEvents
+| where ActionType in ('ControlledFolderAccessViolationAudited','ControlledFolderAccessViolationBlocked')
+```
+
 ## Review controlled folder access events in Windows Event Viewer
 
 You can review the Windows event log to see events that are created when controlled folder access blocks (or audits) an app:

windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md

@@ -49,7 +49,7 @@ You can also use Group Policy, Intune, MDM, or System Center Configuration Manag
 
 ## Review controlled folder access events in Windows Event Viewer
 
-The following controlled folder access events appear in Windows Event Viewer.
+The following controlled folder access events appear in Windows Event Viewer under Microsoft/Windows/Windows Defender/Operational folder.
 
 | Event ID | Description |
 | --- | --- |

windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md

@@ -67,7 +67,11 @@ Set-MpPreference -EnableNetworkProtection Enabled
 
 ## Report a false positive or false negative
 
-If you've tested the feature with the demo site and with audit mode, and network protection is working on pre-configured scenarios, but is not working as expected for a specific connection, use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/en-us/wdsi/filesubmission) to report a false negative or false positive for network protection. With an E5 subscription, you can also [provide a link to any associated alert](../microsoft-defender-atp/alerts-queue.md).
+If you've tested the feature with the demo site and with audit mode, and network protection is working on pre-configured scenarios, but is not working as expected for a specific connection, use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/wdsi/filesubmission) to report a false negative or false positive for network protection. With an E5 subscription, you can also [provide a link to any associated alert](../microsoft-defender-atp/alerts-queue.md).
+
+## Exclude website from network protection scope
+
+To whitelist the website that is being blocked (false positive), add its URL to the [list of trusted sites](https://blogs.msdn.microsoft.com/asiatech/2014/08/19/how-to-add-web-sites-to-trusted-sites-via-gpo-from-dc-installed-ie10-or-higher-ie-version/). Web resources from this list bypass the network protection check.
 
 ## Collect diagnostic data for file submissions