diff --git a/.acrolinx-config.edn b/.acrolinx-config.edn index 92f0d843c1..db312c63cd 100644 --- a/.acrolinx-config.edn +++ b/.acrolinx-config.edn @@ -1,2 +1,38 @@ {:allowed-branchname-matches ["master"] - :allowed-filename-matches ["windows/"]} + :allowed-filename-matches ["windows/"] + :acrolinx-check-settings + { + "languageId" "en" + "ruleSetName" "Standard Commercial" + "requestedFlagTypes" ["SPELLING" "GRAMMAR" "STYLE" + "TERMINOLOGY_DEPRECATED" + "TERMINOLOGY_VALID" + "VOICE_GUIDANCE" + ] + "termSetNames" ["M365"] + } + + :template-header + + " +## Acrolinx Scorecards + +**A minimum Acrolinx score of 20 is required.** + +Click the scorecard links for each article to review the Acrolinx feedback on grammar, spelling, punctuation, writing style, and terminology: + +| Article | Score | Issues | Scorecard | Processed | +| ------- | ----- | ------ | --------- | --------- | +" + + :template-change + "| ${s/file} | ${acrolinx/qualityscore} | ${acrolinx/flags/issues} | [link](${acrolinx/scorecard}) | ${s/status} | +" + + :template-footer + " +**More info about Acrolinx** + +You are helping M365 test Acrolinx while we merge to the Microsoft instance. We have set the minimum score to 20 to test that the minimum score script works. This is effectively *not* setting a minimum score. If you need to bypass this score, please contact krowley or go directly to the marveldocs-admins. Thanks for your patience while we continue with roll out! +" +} diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 399dbdb7bc..de9dbd8e9d 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -15425,6 +15425,76 @@ "source_path": "windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-resources", "redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework.md", +"redirect_url": "https://github.com/microsoft/SecCon-Framework/blob/master/windows-security-configuration-framework.md", +"redirect_document_id": false +}, +{ +"source_path": "windows/security/threat-protection/windows-security-configuration-framework/level-1-enterprise-basic-security.md", +"redirect_url": "https://github.com/microsoft/SecCon-Framework/blob/master/level-1-enterprise-basic-security.md", +"redirect_document_id": false +}, +{ +"source_path": "windows/security/threat-protection/windows-security-configuration-framework/level-2-enterprise-enhanced-security.md", +"redirect_url": "https://github.com/microsoft/SecCon-Framework/blob/master/level-2-enterprise-enhanced-security.md", +"redirect_document_id": false +}, +{ + "source_path": "windows/security/threat-protection/windows-security-configuration-framework/level-3-enterprise-high-security.md", +"redirect_url": "https://github.com/microsoft/SecCon-Framework/blob/master/level-3-enterprise-high-security.md", +"redirect_document_id": false +}, +{ +"source_path": "windows/security/threat-protection/windows-security-configuration-framework/level-4-enterprise-devops-security.md", +"redirect_url": "https://github.com/microsoft/SecCon-Framework/blob/master/level-4-enterprise-devops-security.md", +"redirect_document_id": false +}, +{ +"source_path": "windows/security/threat-protection/windows-security-configuration-framework/level-5-enterprise-administrator-security.md", +"redirect_url": "https://github.com/microsoft/SecCon-Framework/blob/master/level-5-enterprise-administrator-security.md", +"redirect_document_id": false +}, +{ +"source_path": "windows/security/threat-protection/windows-security-configuration-framework/windows-security-compliance.md", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines", +"redirect_document_id": true +}, +{ +"source_path": "windows/release-information/status-windows-10-1703.yml", +"redirect_url": "https://docs.microsoft.com/windows/release-information/windows-message-center", +"redirect_document_id": true +}, +{ +"source_path": "windows/release-information/resolved-issues-windows-10-1703.yml", +"redirect_url": "https://docs.microsoft.com/windows/release-information/windows-message-center", +"redirect_document_id": true +}, +{ +"source_path": "windows/deployment/planning/windows-10-1703-removed-features.md", +"redirect_url": "https://docs.microsoft.com/windows/deployment/planning/windows-10-removed-features", +"redirect_document_id": false +}, +{ +"source_path": "windows/deployment/planning/windows-10-1709-removed-features.md", +"redirect_url": "https://docs.microsoft.com/windows/deployment/planning/windows-10-removed-features", +"redirect_document_id": false +}, +{ +"source_path": "windows/deployment/planning/windows-10-1803-removed-features.md", +"redirect_url": "https://docs.microsoft.com/windows/deployment/planning/windows-10-removed-features", +"redirect_document_id": false +}, +{ +"source_path": "windows/deployment/planning/windows-10-1809-removed-features.md", +"redirect_url": "https://docs.microsoft.com/windows/deployment/planning/windows-10-removed-features", +"redirect_document_id": false +}, +{ +"source_path": "windows/deployment/planning/windows-10-1903-removed-features.md", +"redirect_url": "https://docs.microsoft.com/windows/deployment/planning/windows-10-removed-features", +"redirect_document_id": false } ] } diff --git a/browsers/edge/emie-to-improve-compatibility.md b/browsers/edge/emie-to-improve-compatibility.md index 880289a39d..40444da9f6 100644 --- a/browsers/edge/emie-to-improve-compatibility.md +++ b/browsers/edge/emie-to-improve-compatibility.md @@ -44,7 +44,7 @@ If you're having trouble deciding whether Microsoft Edge is right for your organ |Microsoft Edge |IE11 | |---------|---------| -|Microsoft Edge takes you beyond just browsing to actively engaging with the web through features like Web Note, Reading View, and Cortana. |IE11 offers enterprises additional security, manageability, performance, backward compatibility, and modern standards support. | +|Microsoft Edge takes you beyond just browsing to actively engaging with the web through features like Web Note, Reading View, and Cortana. |IE11 offers enterprises additional security, manageability, performance, backward compatibility, and modern standards support. | ## Configure the Enterprise Mode Site List diff --git a/browsers/edge/includes/configure-windows-defender-smartscreen-include.md b/browsers/edge/includes/configure-windows-defender-smartscreen-include.md index d86492ba81..c17f639024 100644 --- a/browsers/edge/includes/configure-windows-defender-smartscreen-include.md +++ b/browsers/edge/includes/configure-windows-defender-smartscreen-include.md @@ -1,50 +1,51 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10*
->*Default setting: Enabled (Turned on)* - -[!INCLUDE [configure-windows-defender-smartscreen-shortdesc](../shortdesc/configure-windows-defender-smartscreen-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|----------------|:-----:|:--------:|-----------------------------------------------------------------------------------------------|:------------------------------------------------:| -| Not configured | Blank | Blank | Users can choose to use Windows Defender SmartScreen. | | -| Disabled | 0 | 0 | Turned off. Do not protect users from potential threats and prevent users from turning it on. | | -| Enabled | 1 | 1 | Turned on. Protect users from potential threats and prevent users from turning it off. | ![Most restricted value](../images/check-gn.png) | - ---- - -To verify Windows Defender SmartScreen is turned off (disabled): -1. Click or tap **More** (…) and select **Settings** > **View Advanced settings**. -2. Verify the setting **Help protect me from malicious sites and download with SmartScreen Filter** is disabled.

![Verify that Windows Defender SmartScreen is turned off (disabled)](../images/allow-smart-screen-validation.PNG) - - -### ADMX info and settings -#### ADMX info -- **GP English name:** Configure Windows Defender SmartScreen -- **GP name:** AllowSmartScreen -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowSmartScreen](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -- **Value name:** EnabledV9 -- **Value type:** REG_DWORD - -

+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro +manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Enabled (Turned on)* + +[!INCLUDE [configure-windows-defender-smartscreen-shortdesc](../shortdesc/configure-windows-defender-smartscreen-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|----------------|:-----:|:--------:|-----------------------------------------------------------------------------------------------|:------------------------------------------------:| +| Not configured | Blank | Blank | Users can choose to use Windows Defender SmartScreen. | | +| Disabled | 0 | 0 | Turned off. Do not protect users from potential threats and prevent users from turning it on. | | +| Enabled | 1 | 1 | Turned on. Protect users from potential threats and prevent users from turning it off. | ![Most restricted value](../images/check-gn.png) | + +--- + +To verify Windows Defender SmartScreen is turned off (disabled): +1. Click or tap **More** (…) and select **Settings** > **View Advanced settings**. +2. Verify the setting **Help protect me from malicious sites and download with Windows Defender SmartScreen** is disabled.

![Verify that Windows Defender SmartScreen is turned off (disabled)](../images/allow-smart-screen-validation.PNG) + + +### ADMX info and settings +#### ADMX info +- **GP English name:** Configure Windows Defender SmartScreen +- **GP name:** AllowSmartScreen +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AllowSmartScreen](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter +- **Value name:** EnabledV9 +- **Value type:** REG_DWORD + +

diff --git a/browsers/edge/microsoft-edge.yml b/browsers/edge/microsoft-edge.yml index 341292cab7..5c105dcdc2 100644 --- a/browsers/edge/microsoft-edge.yml +++ b/browsers/edge/microsoft-edge.yml @@ -40,7 +40,7 @@ sections: - items: - type: markdown text: " - Microsoft Edge uses Windows Hello and SmartScreen to defend against phishing and malware. Take a look at some of the additional features behind the strong defense that Microsoft Edge provides against web-based attacks.
+ Microsoft Edge uses Windows Hello and Windows Defender SmartScreen to defend against phishing and malware. Take a look at some of the additional features behind the strong defense that Microsoft Edge provides against web-based attacks.

**NSS Labs web browser security reports**
See the results of two global tests measuring how effective browsers are at protecting against socially engineered malware and phishing attacks.
Download the reports
**Microsoft Edge sandbox**
See how Microsoft Edge has significantly reduced the attack surface of the sandbox by configuring the app container to further reduce its privilege.
Find out more
**Windows Defender SmartScreen**
Manage your organization's computer settings with Group Policy and MDM settings to display a warning page to employees or block a site entirely.
Read the docs
" diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md index ff09fe4405..81e964a54b 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md +++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md @@ -157,13 +157,13 @@ This table includes the attributes used by the Enterprise Mode schema. -<version> +version Specifies the version of the Enterprise Mode Site List. This attribute is supported for the <rules> element. Internet Explorer 11 and Microsoft Edge -<exclude> -Specifies the domain or path excluded from applying the behavior and is supported on the <domain> and <path> elements. +exclude +Specifies the domain or path is excluded from applying Enterprise Mode. This attribute is only supported on the <domain> and <path> elements in the <emie> section.

Example 

 <emie>
@@ -175,7 +175,7 @@ Where http
 Internet Explorer 11 and Microsoft Edge
 
 
-<docMode>
+docMode
 Specifies the document mode to apply. This attribute is only supported on <domain> or <path> elements in the <docMode> section.
 
Example
 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md
index 4bcf595aeb..a321e5a744 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md
@@ -46,19 +46,19 @@ The following is an example of the v.2 version of the Enterprise Mode schema.
  
 ```xml
 
-	
+	
 	
 		EnterpriseSitelistManager
 		10240
 		20150728.135021
 	
-  	 
+  	 
 	
 		IE8Enterprise
 		MSEdge
 	
 	
-		default
+		Default
 		IE11
 	
 	
@@ -66,14 +66,15 @@ The following is an example of the v.2 version of the Enterprise Mode schema.
 		IE11
 	
 	
-		default
+		Default
 		IE11
 	
 	  
-		default
-		none
+		Default
+		None
 	  
 		IE8Enterprise"
+		None
 	
 	
 		IE7
@@ -232,26 +233,26 @@ These v.1 version schema attributes have been deprecated in the v.2 version of t
 
-
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -259,25 +260,28 @@ These v.1 version schema attributes have been deprecated in the v.2 version of t
 

 
 
Deprecated attributeNew attributeDeprecated element/attributeNew element
 Replacement example
 

 
 
 
<forceCompatView>forceCompatView
 <compat-mode>Replace <forceCompatView="true"> with <compat-mode>IE7Enterprise</compat-mode>Replace forceCompatView="true" with <compat-mode>IE7Enterprise</compat-mode>
 

 
<docMode>docMode
 <compat-mode>Replace <docMode="IE5"> with <compat-mode>IE5</compat-mode>Replace docMode="IE5" with <compat-mode>IE5</compat-mode>
 

 
<doNotTransition>doNotTransition
 <open-in>Replace <doNotTransition="true"> with <open-in>none</open-in>Replace doNotTransition="true" with <open-in>none</open-in>
 

 

 <domain> and <path>Replace:
 
 <emie>
-  <domain exclude="false">contoso.com</domain>
+  <domain>contoso.com</domain>
 </emie>

 With:
 
 <site url="contoso.com"/>
   <compat-mode>IE8Enterprise</compat-mode>
+  <open-in>IE11</open-in>
 </site>

 -AND-

 Replace:
 
 <emie>
-  <domain exclude="true">contoso.com
-     <path exclude="false" forceCompatView="true">/about</path>
+  <domain exclude="true" doNotTransition="true">
+    contoso.com
+    <path forceCompatView="true">/about</path>
   </domain>
 </emie>

 With:
 
 <site url="contoso.com/about">
   <compat-mode>IE7Enterprise</compat-mode>
+  <open-in>IE11</open-in>
 </site>

 

 

diff --git a/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md
index 269b2bec06..da309b68cd 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md
@@ -71,19 +71,19 @@ This is a view of the [raw EMIE v2 schema.xml file](https://gist.github.com/kypf
 
 ```xml
 
-	
+	
 	
 		EnterpriseSiteListManager
 		10586
 		20150728.135021
 	
-  	 
+  	 
 	
 		IE8Enterprise
 		IE11
 	
 	
-		default
+		Default
 		IE11
 	
 	
@@ -92,8 +92,8 @@ This is a view of the [raw EMIE v2 schema.xml file](https://gist.github.com/kypf
 	
 	  
 	
 	  
 		IE8Enterprise"
diff --git a/browsers/internet-explorer/ie11-ieak/iexpress-command-line-options.md b/browsers/internet-explorer/ie11-ieak/iexpress-command-line-options.md
index 88e151583a..cd7c730569 100644
--- a/browsers/internet-explorer/ie11-ieak/iexpress-command-line-options.md
+++ b/browsers/internet-explorer/ie11-ieak/iexpress-command-line-options.md
@@ -14,11 +14,11 @@ ms.sitesec: library
 ms.date: 07/27/2017
 ---
 
+# IExpress Wizard command-line options
 
 **Applies to:**
 - Windows Server 2008 R2 with SP1
 
-# IExpress Wizard command-line options
 Use command-line options with the IExpress Wizard (IExpress.exe) to control your Internet Explorer custom browser package extraction process. 
 
 These command-line options work with IExpress:

diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md
index 159effd554..ce3a2dd2a0 100644
--- a/devices/hololens/TOC.md
+++ b/devices/hololens/TOC.md
@@ -1,5 +1,4 @@
 # [HoloLens overview](index.md)
-# [Hololens status](hololens-status.md)
 
 # Get Started with HoloLens 2
 ## [HoloLens 2 hardware](hololens2-hardware.md)
@@ -17,7 +16,7 @@
 ## [Install localized version of HoloLens (1st gen)](hololens1-install-localized.md)
 ## [Getting around HoloLens (1st gen)](hololens1-basic-usage.md)
 
-# Get started with HoloLens in commercial environments
+# HoloLens in commercial environments
 ## [Commercial feature overview](hololens-commercial-features.md)
 ## [Deployment planning](hololens-requirements.md)
 ## [Unlock Windows Holographic for Business features](hololens1-upgrade-enterprise.md)
@@ -53,12 +52,16 @@
 ## [Environment considerations for HoloLens](hololens-environment-considerations.md)
 ## [Spatial mapping on HoloLens](hololens-spaces.md)
 
-# Update and recovery
-## [Join the Windows Insider program](hololens-insider.md)
-## [Managing HoloLens updates](hololens-updates.md)
+# Update, troubleshoot, or recover HoloLens
+## [Update, troubleshoot, or recover HoloLens](hololens-management-overview.md)
+## [Update HoloLens](hololens-update-hololens.md)
 ## [Restart, reset, or recover](hololens-recovery.md)
+## [Troubleshoot HoloLens](hololens-troubleshooting.md)
 ## [Known issues](hololens-known-issues.md)
 ## [Frequently asked questions](hololens-faq.md)
 
+# [Release Notes](hololens-release-notes.md)
+# [Hololens status](hololens-status.md)
 # [Give us feedback](hololens-feedback.md)
+# [Join the Windows Insider program](hololens-insider.md)
 # [Change history for Microsoft HoloLens documentation](change-history-hololens.md)
diff --git a/devices/hololens/hololens-cortana.md b/devices/hololens/hololens-cortana.md
index f95a0321eb..0729485e7d 100644
--- a/devices/hololens/hololens-cortana.md
+++ b/devices/hololens/hololens-cortana.md
@@ -2,11 +2,12 @@
 title: Use your voice with HoloLens
 description: Cortana can help you do all kinds of things on your HoloLens
 ms.assetid: fd96fb0e-6759-4dbe-be1f-58bedad66fed
-ms.date: 9/13/2019
+ms.date: 11/8/2019
 keywords: hololens
 ms.prod: hololens
 ms.sitesec: library
 author: v-miegge
+audience: ITPro
 ms.author: v-miegge
 ms.topic: article
 manager: jarrettr
@@ -18,12 +19,12 @@ appliesto:
 
 # Use your voice with HoloLens
 
-You can use your voice to do almost anything on HoloLens, such as taking a quick photo or opening an app.  Many voice commands are built into HoloLens, while others are available through Cortana.
+You can use your voice to do almost anything on HoloLens, such as taking a quick photo or opening an app. Many voice commands are built into HoloLens, while others are available through Cortana.
 
-This article teachs you how to control HoloLens and your holographic world with your voice and with Cortana.
+This article teaches you how to control HoloLens and your holographic world with your voice and with Cortana.
 
 > [!NOTE]
-> Speech is only supported in [some languages](https://support.microsoft.com/help/4039262#Languages).  The speech language is based on the Windows display language, not the keyboard language.  
+> Speech is only supported in [some languages](hololens2-language-support.md). The speech language is based on the Windows display language, not the keyboard language.  
 >  
 > You can verify the Windows display language by selecting **Settings** > **Time and Language** > **Language**.
 
@@ -104,16 +105,15 @@ Here are some things you can try saying (remember to say "Hey Cortana" first).
 - Take a picture.
 - Start recording. (Starts recording a video.)
 - Stop recording. (Stops recording a video.)
-- Call <*contact*>. (Requires Skype.)
 - What time is it?
 - Show me the latest NBA scores.
 - How much battery do I have left?
 - Tell me a joke.
 
-Some Cortana features that you're used to from Windows on your PC or phone (for example, reminders and notifications) aren't supported in Microsoft HoloLens Development Edition. Cortana on HoloLens is English-only, and the Cortana experience may vary from one region to another.
+Some Cortana features that you're used to from Windows on your PC or phone (for example, reminders and notifications) aren't supported in Microsoft HoloLens, and the Cortana experience may vary from one region to another.
 
 ### Turn Cortana off
 
-Cortana is on the first time you use HoloLens when you enable speech. You can turn her off in Cortana's settings. In the **All apps** list, select **Cortana > Settings**. Then turn off Cortana can give you suggestions, ideas, reminders, alerts, and more.
+Cortana is on the first time you use HoloLens when you enable speech. You can turn her off in Cortana's settings. In the **All apps** list, select **Cortana** > **Settings**. Then turn off Cortana can give you suggestions, ideas, reminders, alerts, and more.
 
 If Cortana isn't responding to "Hey Cortana," check that speech is enabled on Start and go to Cortana's settings and check to make sure she's on.
diff --git a/devices/hololens/hololens-environment-considerations.md b/devices/hololens/hololens-environment-considerations.md
index ec56133a01..bdd500b298 100644
--- a/devices/hololens/hololens-environment-considerations.md
+++ b/devices/hololens/hololens-environment-considerations.md
@@ -117,5 +117,5 @@ If someone else is going to be using your HoloLens, they should run the Calibrat
 
 ## See also
 
-- [Spatial mapping design](https://docs.microsoft.com/windows/mixed-reality/spatial-mapping-design)
+- [Spatial mapping design](https://docs.microsoft.com/windows/mixed-reality/spatial-mapping)
 - [Holograms](https://docs.microsoft.com/windows/mixed-reality/hologram)
diff --git a/devices/hololens/hololens-kiosk.md b/devices/hololens/hololens-kiosk.md
index 286fbfe2de..1ca366ecf5 100644
--- a/devices/hololens/hololens-kiosk.md
+++ b/devices/hololens/hololens-kiosk.md
@@ -55,7 +55,7 @@ If you use [MDM, Microsoft Intune](#set-up-kiosk-mode-using-microsoft-intune-or-
 
 ### Start layout file for MDM (Intune and others)
 
-Save the following sample as an XML file. You will select this file when you configure the kiosk in Microsoft Intune (or in another MDM service that provides a kiosk profile).
+Save the following sample as an XML file. You can use this file when you configure the multi-app kiosk in Microsoft Intune (or in another MDM service that provides a kiosk profile).
 
 >[!NOTE]
 >If you need to use a custom setting and full XML configuration to set up a kiosk in your MDM service, use the [Start layout instructions for a provisioning package](#start-layout-for-a-provisioning-package). 
diff --git a/devices/hololens/hololens-known-issues.md b/devices/hololens/hololens-known-issues.md
index 2fa916f8d0..3cb3f43717 100644
--- a/devices/hololens/hololens-known-issues.md
+++ b/devices/hololens/hololens-known-issues.md
@@ -123,15 +123,6 @@ If your device is still unable to load apps, you can sideload a version of the .
 
 We appreciate your patience as we have gone through the process to get this issue resolved, and we look forward to continued working with our community to create successful Mixed Reality experiences.
 
-## Connecting to WiFi
-
-During HoloLens Setup, there is a credential timeout of 2 minutes. The username/password needs to be entered within 2 minutes otherwise the username field will be automatically cleared.
-
-We recommend using a Bluetooth keyboard for entering long passwords.
-
-> [!NOTE]
-> If the wrong network is selected during HoloLens Setup, the device will need to be fully reset. Instructions can be found [here.](hololens-restart-recover.md)  
-
 ## Device Update
 
 - 30 seconds after a new update, the shell may disappear one time. Please perform the **bloom** gesture to resume your session.
diff --git a/devices/hololens/hololens-management-overview.md b/devices/hololens/hololens-management-overview.md
new file mode 100644
index 0000000000..307b2f7f00
--- /dev/null
+++ b/devices/hololens/hololens-management-overview.md
@@ -0,0 +1,32 @@
+---
+title: Update, troubleshoot, or recover HoloLens
+description: 
+author: Teresa-Motiv
+ms.author: v-tea
+ms.date: 11/27/2019
+ms.prod: hololens
+ms.topic: article
+ms.custom: CSSTroubleshooting
+audience: ITPro
+keywords: issues, bug, troubleshoot, fix, help, support, HoloLens
+manager: jarrettr
+ms.localizationpriority: medium
+appliesto:
+- HoloLens (1st gen)
+- HoloLens 2
+---
+
+# Update, troubleshoot, or recover HoloLens
+
+The articles in this section help you keep your HoloLens up-to-date and help you resolve any issues that you encounter.
+
+**In this section**
+
+| Article | Description |
+| --- | --- |
+| [Update HoloLens](hololens-update-hololens.md) | Describes how to identify the build number of your device, and how to update your device manually. |
+| [Manage updates on many HoloLens](hololens-updates.md) | Describes how to use policies to manage device updates. |
+| [Restart, reset, or recover](hololens-recovery.md) | Describes how to restart, reset, or recover a HoloLens device |
+| [Troubleshoot HoloLens](hololens-troubleshooting.md) | Describes solutions to common HoloLens problems. |
+| [Known issues](hololens-known-issues.md) | Describes known HoloLens issues. |
+| [Frequently asked questions](hololens-faq.md) | Provides answers to common questions about HoloLens.|
diff --git a/devices/hololens/hololens-release-notes.md b/devices/hololens/hololens-release-notes.md
new file mode 100644
index 0000000000..f977fa45ff
--- /dev/null
+++ b/devices/hololens/hololens-release-notes.md
@@ -0,0 +1,97 @@
+---
+title: What's new in Microsoft HoloLens
+description: Learn about updates in each new HoloLens release.
+author: scooley
+ms.author: scooley
+manager: dansimp
+ms.prod: hololens
+ms.sitesec: library
+ms.topic: article
+ms.localizationpriority: medium
+ms.date: 12/02/2019
+audience: ITPro
+appliesto:
+- HoloLens 1
+- HoloLens 2
+
+---
+
+# HoloLens Release Notes
+
+## HoloLens 2
+> [!Note]
+> HoloLens Emulator Release Notes can be found [here](https://docs.microsoft.com/windows/mixed-reality/hololens-emulator-archive).
+
+### November Update - build 18362.1039
+
+- Fixes for **"Select"** voice commands during initial set-up for en-CA and en-AU.
+- Improvements in visual quality of objects placed far away in latest Unity and MRTK versions.
+- Fixes addressing issues with holographic applications being stuck in a paused state on launch until the pins panel is brought up and dismissed again.
+- OpenXR runtime conformance fixes and improvements for HoloLens 2 and the emulator.
+
+## HoloLens (1st gen)
+
+### Windows 10 Holographic, version 1809
+
+> **Applies to:** Hololens (1st gen)
+
+| Feature | Details |
+|---|---|
+| **Quick actions menu** | When you're in an app, the Bloom gesture will now open a Quick actions menu to give you quick access to commonly used system features without having to leave the app. 
 See [Set up HoloLens in kiosk mode](hololens-kiosk.md) for information about the Quick actions menu in kiosk mode.

![sample of the Quick actions menu](images/minimenu.png) |
+| **Stop video capture from the Start or quick actions menu** | If you start video capture from the Start menu or quick actions menu, you’ll be able to stop recording from the same place. (Don’t forget, you can always do this with voice commands too.) |
+| **Project to a Miracast-enabled device** | Project your HoloLens content to a nearby Surface device or TV/Monitor if using Microsoft Display adapter.  On **Start**, select **Connect**, and then select the device you want to project to. **Note:** You can deploy HoloLens to use Miracast projection without enabling developer mode. |
+| **New notifications** | View and respond to notification toasts on HoloLens, just like you do on a PC. Gaze to respond to or dismiss them (or if you’re in an immersive experience, use the bloom gesture). |
+| **HoloLens overlays**
(file picker, keyboard, dialogs, etc.) | You’ll now see overlays such as the keyboard, dialogs, file picker, etc. when using immersive apps. |
+| **Visual feedback overlay UI for volume change** | When you use the volume up/down buttons on your HoloLens you’ll see a visual display of the volume level. |
+| **New UI for device boot** | A loading indicator was added during the boot process to provide visual feedback that the system is loading. Reboot your device to see the new loading indicator—it’s between the "Hello" message and the Windows boot logo. |
+| **Nearby sharing** | Addition of the Windows Nearby Sharing experience, allowing you to share a capture with a nearby Windows device. When you capture a photo or video on HoloLens (or use the share button from an app such as Microsoft Edge), select a nearby Windows device to share with. |
+| **Share from Microsoft Edge** | Share button is now available on Microsoft Edge windows on HoloLens. In Microsoft Edge, select **Share**. Use the HoloLens share picker to share web content. |
+
+#### For international customers
+
+| Feature | Details |
+| --- | --- |
+| Localized Chinese and Japanese builds | Use HoloLens with localized user interface for Simplified Chinese or Japanese, including localized Pinyin keyboard, dictation, and voice commands.
[Learn how to install the Chinese and Japanese versions of HoloLens.](hololens1-install-localized.md) |
+| Speech Synthesis (TTS) | Speech synthesis feature now supports Chinese, Japanese, and English. |
+
+#### For administrators
+
+| Feature |  Details  |
+|---|----|
+| [Enable post-setup provisioning](hololens-provisioning.md) | You can now apply a runtime provisioning package at any time using **Settings**. |
+| Assigned access with Azure AD groups | You can now use Azure AD groups for configuration of Windows assigned access to set up single or multi-app kiosk configuration. |
+| PIN sign-in on profile switch from sign-in screen | PIN sign-in is now available for **Other User**. |
+| Sign in with Web Credential Provider using password | You can now select the Globe sign-in option to launch web sign-in with your password. From the sign-in screen, select **Sign-In options** and select the Globe option to launch web sign-in. Enter your user name if needed, then your password. 
**Note:** You can choose to bypass any PIN/Smartcard options when prompted during web sign-in. |
+| Read device hardware info through MDM so devices can be tracked by serial number | IT administrators can see and track HoloLens by device serial number in their MDM console. Refer to your MDM documentation for feature availability and instructions. |
+| Set HoloLens device name through MDM (rename) | IT administrators can see and rename HoloLens devices in their MDM console. Refer to your MDM documentation for feature availability and instructions. |
+
+### Windows 10, version 1803 for Microsoft HoloLens
+
+> **Applies to:** Hololens (1st gen)
+
+Windows 10, version 1803, is the first feature update to Windows Holographic for Business since its release in Windows 10, version 1607. This update introduces the following changes:
+
+- Previously, you could only verify that upgrade license for Commercial Suite had been applied to your HoloLens device by checking to see if VPN was an available option on the device. Now, **Settings** > **System** will display **Windows Holographic for Business** after the upgrade license is applied. [Learn how to unlock Windows Holographic for Business features](hololens1-upgrade-enterprise.md).
+
+- You can view the operating system build number in device properties in the File Explorer app and in the [Windows Device Recovery Tool (WDRT)](https://support.microsoft.com/help/12379/windows-10-mobile-device-recovery-tool-faq).
+- Provisioning a HoloLens device is now easier with the new **Provision HoloLens devices** wizard in the Windows Configuration Designer tool. In the wizard, you can configure the setup experience and network connections, set developer mode, and obtain bulk Azure AD tokens. [Learn how to use the simple provisioning wizard for HoloLens](hololens-provisioning.md#wizard).
+
+    ![Provisioning HoloLens devices](images/provision-hololens-devices.png)
+
+- When you create a local account in a provisioning package, the password no longer expires every 42 days.
+
+- You can [configure HoloLens as a single-app or multi-app kiosk](hololens-kiosk.md). Multi-app kiosk mode lets you set up a HoloLens to only run the apps that you specify, and prevents users from making changes.
+
+- Media Transfer Protocol (MTP) is enabled so that you can connect the HoloLens device to a PC by USB and transfer files between HoloLens and the PC. You can also use the File Explorer app to move and delete files from within HoloLens.
+
+- Previously, after you signed in to the device with an Azure Active Directory (Azure AD) account, you then had to **Add work access** in **Settings** to get access to corporate resources. Now, you sign in with an Azure AD account and enrollment happens automatically.
+
+- Before you sign in, you can choose the network icon below the password field to choose a different Wi-Fi network to connect to. You can also connect to a guest network, such as at a hotel, conference center, or business. 
+
+- You can now easily [share HoloLens with multiple people](hololens-multiple-users.md) using Azure AD accounts.
+
+- When setup or  sign-in fails, choose the new **Collect info** option to get diagnostic logs for troubleshooting.
+
+- Individual users can sync their corporate email without enrolling their device in mobile device management (MDM). You can use the device with a Microsoft Account, download and install the Mail app, and add an email account directly.
+
+- You can check the MDM sync status for a device in **Settings** > **Accounts** > **Access Work or School** > **Info**. In the **Device sync status** section, you can start a sync, see areas managed by MDM, and create and export an advanced diagnostics report.
diff --git a/devices/hololens/hololens-troubleshooting.md b/devices/hololens/hololens-troubleshooting.md
new file mode 100644
index 0000000000..75b91e51f9
--- /dev/null
+++ b/devices/hololens/hololens-troubleshooting.md
@@ -0,0 +1,92 @@
+---
+title: HoloLens troubleshooting
+description: Solutions for common HoloLens issues.
+author: mattzmsft
+ms.author: mazeller
+ms.date: 12/02/2019
+ms.prod: hololens
+ms.topic: article
+ms.custom: CSSTroubleshooting
+audience: ITPro
+ms.localizationpriority: medium
+keywords: issues, bug, troubleshoot, fix, help, support, HoloLens
+manager: jarrettr
+appliesto:
+- HoloLens (1st gen)
+- HoloLens 2
+---
+
+# Troubleshooting HoloLens issues
+
+This article describes how to resolve several common HoloLens issues.
+
+## My HoloLens is unresponsive or won’t start
+
+If your HoloLens won't start:
+
+- If the LEDs next to the power button don't light up, or only one LED briefly blinks, you may need to charge your HoloLens.
+- If the LEDs light up when you press the power button but you can't see anything on the displays, hold the power button until all five of the LEDs turn off.
+
+If your HoloLens becomes frozen or unresponsive:
+
+- Turn off your HoloLens by pressing the power button until all five of the LEDs turn themselves off, or for 10 seconds if the LEDs are unresponsive. To start your HoloLens, press the power button again.
+
+If these steps don't work, you can try [recovering your device](hololens-recovery.md).
+
+## Holograms don't look good or are moving around
+
+If your holograms are unstable, jumpy, or don’t look right, try one of these fixes:
+
+- Clean your device visor and make sure that nothing is obstructing the sensors.
+- Make sure that there’s enough light in your room.
+- Try walking around and looking at your surroundings so that HoloLens can scan them more completely.
+- Try running the Calibration app. It calibrates your HoloLens to work best for your eyes. Go to **Settings** > **System** > **Utilities**. Under **Calibration**, select **Open Calibration**.
+
+## HoloLens doesn’t respond to my gestures
+
+To make sure that HoloLens can see your gestures, keep your hand in the gesture frame. The gesture frame extends a couple of feet on either side of you. When HoloLens can see your hand, the cursor changes from a dot to a ring. Learn more about [using gestures](hololens1-basic-usage.md#use-hololens-with-your-hands).
+
+If your environment is too dark, HoloLens might not see your hand, so make sure that there’s enough light.
+
+If your visor has fingerprints or smudges, use the microfiber cleaning cloth that came with the HoloLens to clean your visor gently.
+
+## HoloLens doesn’t respond to my voice commands.
+
+If Cortana isn’t responding to your voice commands, make sure Cortana is turned on. On the All apps list, select **Cortana** > **Menu** > **Notebook** > **Settings** to make changes. To learn more about what you can say, see [Use your voice with HoloLens](hololens-cortana.md).
+
+## I can’t place holograms or see holograms that I previously placed
+
+If HoloLens can’t map or load your space, it enters Limited mode and you won’t be able to place holograms or see holograms that you’ve placed. Here are some things to try:
+
+- Make sure that there’s enough light in your environment so HoloLens can see and map the space.
+- Make sure that you’re connected to a Wi-Fi network. If you’re not connected to Wi-Fi, HoloLens can’t identify and load a known space.
+- If you need to create a new space, connect to Wi-Fi, then restart your HoloLens.
+- To see if the correct space is active, or to manually load a space, go to **Settings** > **System** > **Spaces**.
+- If the correct space is loaded and you’re still having problems, the space may be corrupt. To fix this issue, select the space, then select **Remove**. After you remove the space, HoloLens starts to map your surroundings and create a new space.
+
+## My HoloLens frequently enters Limited mode or shows a “Tracking lost” message
+
+If your device often shows a "Limited mode" or "Tracking lost" message, try the suggestions listed in [My Holograms don't look good or are moving around](#holograms-dont-look-good-or-are-moving-around).
+
+## My HoloLens can’t tell what space I’m in
+
+If your HoloLens can’t identify and load the space you’re in automatically, check the following factors:
+
+- Make sure that you’re connected to Wi-Fi
+- Make sure that there’s plenty of light in the room
+- Make sure that there haven’t been any major changes to the surroundings.
+
+You can also load a space manually or manage your spaces by going to **Settings** > **System** > **Spaces**.
+
+## I’m getting a “low disk space” error
+
+You’ll need to free up some storage space by doing one or more of the following:
+
+- Delete some unused spaces. Go to **Settings** > **System** > **Spaces**, select a space that you no longer need, and then select **Remove**.
+- Remove some of the holograms that you’ve placed.
+- Delete some pictures and videos from the Photos app.
+- Uninstall some apps from your HoloLens. In the **All apps** list, tap and hold the app you want to uninstall, and then select **Uninstall**.
+
+## My HoloLens can’t create a new space
+
+The most likely problem is that you’re running low on storage space. Try one of the [previous tips](#im-getting-a-low-disk-space-error) to free up some disk space.
diff --git a/devices/hololens/hololens-update-hololens.md b/devices/hololens/hololens-update-hololens.md
new file mode 100644
index 0000000000..14d8993c95
--- /dev/null
+++ b/devices/hololens/hololens-update-hololens.md
@@ -0,0 +1,92 @@
+---
+title: Update HoloLens
+description: Check your HoloLens' build number, update, and roll back updates.
+keywords: how-to, update, roll back, HoloLens, check build, build number
+ms.prod: hololens
+ms.sitesec: library
+author: scooley
+ms.author: scooley
+ms.topic: article
+ms.localizationpriority: medium
+ms.date: 11/27/2019
+audience: ITPro
+ms.reviewer: 
+manager: jarrettr
+appliesto:
+- HoloLens (1st gen)
+- HoloLens 2
+---
+
+# Update HoloLens
+
+HoloLens uses Windows Update, just like other Windows 10 devices. Your HoloLens will automatically download and install system updates whenever it is plugged-in to power and connected to the Internet, even when it is in standby.
+
+This article will walk through HoloLens tools for:
+
+- viewing your current operating system version (build number)
+- checking for updates
+- manually updating HoloLens
+- rolling back to an older update
+
+## Check your operating system version (build number)
+
+You can verify the system version number, (build number) by opening the Settings app and selecting **System** > **About**.
+
+## Check for updates and manually update
+
+You can check for updates any time in settings.  To see available updates and check for new updates:
+
+1. Open the **Settings** app.
+1. Navigate to **Update & Security** > **Windows Update**.
+1. Select **Check for updates**.
+
+If an update is available, it will start downloading the new version. After the download is complete, select the **Restart Now** button to trigger the installation. If your device is below 40% and not plugged in, restarting will not start installing the update.
+
+While your HoloLens is installing the update, it will display spinning gears and a progress indicator. Do not turn off your HoloLens during this time. It will restart automatically once it has completed the installation.
+
+HoloLens applies one update at a time.  If your HoloLens is more than one version behind the latest you may need to run through the update process multiple times to get it fully up to date.
+
+## Go back to a previous version - HoloLens 2
+
+In some cases, you might want to go back to a previous version of the HoloLens software. You can do this by using the Advanced Recovery Companion to reset your HoloLens to the earlier version.
+
+> [!NOTE]
+> Going back to an earlier version deletes your personal files and settings.
+
+To go back to a previous version of HoloLens 2, follow these steps:
+
+1. Make sure that you don't have any phones or Windows devices plugged in to your PC.
+1. On your PC, download the [Advanced Recovery Companion](https://www.microsoft.com/p/advanced-recovery-companion/9p74z35sfrs8?activetab=pivot:overviewtab) from the Microsoft Store.
+1. Download the [most recent HoloLens 2 release](https://aka.ms/hololens2download).
+1. When you have finished these downloads, open **File explorer** > **Downloads**. Right-click the zipped folder that you just downloaded, and select **Extract all** > **Extract** to unzip it.
+1. Connect your HoloLens to your PC using a USB-A to USB-C cable. (Even if you've been using other cables to connect your HoloLens, this one works best.)
+1. The Advanced Recovery Companion automatically detects your HoloLens. Select the **Microsoft HoloLens** tile.
+1. On the next screen, select **Manual package selection** and then select the installation file contained in the folder that you unzipped in step 4. (Look for a file with the .ffu extension.)
+1. Select **Install software**, and follow the instructions.
+
+## Go back to a previous version - HoloLens (1st Gen)
+
+In some cases, you might want to go back to a previous version of the HoloLens software. You can do this by using the Windows Device Recovery Tool to reset your HoloLens to the earlier version.
+
+> [!NOTE]
+> Going back to an earlier version deletes your personal files and settings.
+
+To go back to a previous version of HoloLens 1, follow these steps:
+
+1. Make sure that you don't have any phones or Windows devices plugged in to your PC.
+1. On your PC, download the [Windows Device Recovery Tool (WDRT)](https://support.microsoft.com/help/12379).
+1. Download the [HoloLens Anniversary Update recovery package](https://aka.ms/hololensrecovery).
+1. When the downloads finish, open **File explorer** > **Downloads**. Right-click the zipped folder you just downloaded, and select **Extract all** > **Extract** to unzip it.
+1. Connect your HoloLens to your PC using the micro-USB cable that it came with. (Even if you've been using other cables to connect your HoloLens, this one works best.)
+1. The WDRT will automatically detect your HoloLens. Select the **Microsoft HoloLens** tile.
+1. On the next screen, select **Manual package selection** and choose the installation file contained in the folder you unzipped in step 4. (Look for a file with the .ffu extension.)
+1. Select **Install software**, and follow the instructions.
+
+> [!NOTE]
+> If the WDRT doesn't detect your HoloLens, try restarting your PC. If that doesn't work, select **My device was not detected**, select **Microsoft HoloLens**, and then follow the instructions.
+
+## Windows Insider Program on HoloLens
+
+Want to see the latest features in HoloLens?  If so, join the Windows Insider Program; you'll get access to preview builds of HoloLens software updates before they're available to the general public.
+
+[Get Windows Insider preview for Microsoft HoloLens](hololens-insider.md).
diff --git a/devices/hololens/hololens2-basic-usage.md b/devices/hololens/hololens2-basic-usage.md
index d8cc60064a..1a9ec375af 100644
--- a/devices/hololens/hololens2-basic-usage.md
+++ b/devices/hololens/hololens2-basic-usage.md
@@ -102,12 +102,15 @@ To **close** the Start menu, do the Start gesture when the Start menu is open.
 
 ### One-handed Start gesture
 
+> [!IMPORTANT]
+> For the one-handed Start gesture to work:
+>
+> 1. You must update to the November 2019 update (build 18363) or later.
+> 1. Your eyes must be calibrated on the device so that eye tracking functions correctly. If you do not see orbiting dots around the Start icon when you look at it, your eyes are not calibrated on the device.
+
 You can also perform the Start gesture with only one hand. To do this, hold out your hand with your palm facing you and look at the **Start icon** on your inner wrist. **While keeping your eye on the icon**, pinch your thumb and index finger together.
 
-> [!IMPORTANT]
-> For the one-handed Start gesture to work, your eyes must be calibrated on the device so that eye tracking functions correctly. If you do not see orbiting dots around the Start icon when you look at it, your eyes are not calibrated on the device.
-
-![Image that shows the Start icon and the one-handed start gesture](./images/hololens-2-start-alternative.jpg)
+![Image that shows the Start icon and the one-handed start gesture](./images/hololens-2-start-alternative.png)
 
 ## Start menu, mixed reality home, and apps
 
diff --git a/devices/hololens/hololens2-language-support.md b/devices/hololens/hololens2-language-support.md
index d139119708..29553845a4 100644
--- a/devices/hololens/hololens2-language-support.md
+++ b/devices/hololens/hololens2-language-support.md
@@ -37,13 +37,13 @@ HoloLens 2 is also available in the following languages. However, this support d
 - Dutch (Netherlands)
 - Korean (Korea)
 
-> [!NOTE]
-> Your speech and dictation language depends on the Windows display language.
->  
 # Changing language or keyboard
 
 The setup process configures your HoloLens for a region and language. You can change this configuration by using the **Time & language** section of **Settings**.
 
+> [!NOTE]
+> Your speech and dictation language depends on the Windows display language.
+
 ## To change the Windows display language
 
 1. Go to the **Start** menu, and then select **Settings** > **Time and language** > **Language**.
diff --git a/devices/hololens/hololens2-start.md b/devices/hololens/hololens2-start.md
index 783a6af601..78d3697f03 100644
--- a/devices/hololens/hololens2-start.md
+++ b/devices/hololens/hololens2-start.md
@@ -26,9 +26,9 @@ Before you get started, make sure you have the following available:
 
 **A network connection**. You'll need to connect your HoloLens to a network to set it up. With HoloLens 2, you can connect with Wi-Fi or by using ethernet (you'll need a USB-C-to-Ethernet adapter). The first time you connect, you'll need an open or password-protected network that doesn't require navigating to a website or using certificates to connect. [Learn more about the websites that HoloLens uses](hololens-offline.md).
 
-**A Microsoft account**. You'll also need to sign in to HoloLens with a Microsoft account (or with your work account, if your organization owns the device). If you don't have a Microsoft account, go to [account.microsoft.com](http://account.microsoft.com) and set one up for free.
+**A Microsoft account**. You'll also need to sign in to HoloLens with a Microsoft account (or with your work account, if your organization owns the device). If you don't have a Microsoft account, go to [account.microsoft.com](https://account.microsoft.com) and set one up for free.
 
-**A safe, well-lit space with no tripping hazards**. [Health and safety info](http://go.microsoft.com/fwlink/p/?LinkId=746661).
+**A safe, well-lit space with no tripping hazards**. [Health and safety info](https://go.microsoft.com/fwlink/p/?LinkId=746661).
 
 **The optional comfort accessories** that came with your HoloLens, to help you get the most comfortable fit. [More on fit and comfort](hololens2-setup.md#adjust-fit).
 
@@ -58,6 +58,10 @@ HoloLens 2 will walk you through the following steps:
      HoloLens sets your time zone automatically based on information obtained from the Wi-Fi network. After setup finishes, you can change the time zone by using the Settings app.
 
     ![Connect to Wi-Fi](images/11-network.png)
+> [!NOTE] 
+> If you progress past the Wi-Fi step and later need to switch to a different network while still in setup, you can press the **Volume Down** and **Power** buttons simultaneously to return to this step if you are running an OS version from October 2019 or later. For earlier versions, you may need to [reset the device](hololens-recovery.md) or restart it in a location where the Wi-Fi network is not available to prevent it from automatically connecting.
+> 
+> Also note that during HoloLens Setup, there is a credential timeout of two minutes. The username/password needs to be entered within two minutes otherwise the username field will be automatically cleared.
 
 1. Sign in to your user account. You'll choose between **My work or school owns it** and **I own it**.
     - When you choose **My work or school owns it**, you sign in with an Azure AD account. If your organization uses Azure AD Premium and has configured automatic MDM enrollment, HoloLens automatically enrolls in MDM. If your organization does not use Azure AD Premium, automatic MDM enrollment isn't available. In that case, you need to [manually enroll HoloLens in device management](hololens-enroll-mdm.md#enroll-through-settings-app).
diff --git a/devices/hololens/images/hololens-2-start-alternative.jpg b/devices/hololens/images/hololens-2-start-alternative.jpg
deleted file mode 100644
index e5cc5e275e..0000000000
Binary files a/devices/hololens/images/hololens-2-start-alternative.jpg and /dev/null differ
diff --git a/devices/hololens/images/hololens-2-start-alternative.png b/devices/hololens/images/hololens-2-start-alternative.png
new file mode 100644
index 0000000000..763cd8600e
Binary files /dev/null and b/devices/hololens/images/hololens-2-start-alternative.png differ
diff --git a/devices/surface-hub/TOC.md b/devices/surface-hub/TOC.md
index aa2c651d1a..c0de52de12 100644
--- a/devices/surface-hub/TOC.md
+++ b/devices/surface-hub/TOC.md
@@ -56,6 +56,8 @@
 ## Overview
 ### [What's new in Windows 10, version 1703 for Surface Hub?](surfacehub-whats-new-1703.md)
 ### [Operating system essentials (Surface Hub)](differences-between-surface-hub-and-windows-10-enterprise.md)
+### [Technical information for 55” Microsoft Surface Hub](surface-hub-technical-55.md)
+### [Technical information for 84” Microsoft Surface Hub](surface-hub-technical-84.md)
 
 ## Plan
 ### [Prepare your environment for Microsoft Surface Hub](prepare-your-environment-for-surface-hub.md)
@@ -111,7 +113,6 @@
 ## Troubleshoot
 ### [Using the Surface Hub Recovery Tool](surface-hub-recovery-tool.md)
 ### [Surface Hub SSD replacement](surface-hub-ssd-replacement.md)
-
 ### [Top support solutions for Surface Hub](support-solutions-surface-hub.md)
 ### [Troubleshoot Microsoft Surface Hub](troubleshoot-surface-hub.md)
 ### [Surface Hub Update History](surface-hub-update-history.md)
@@ -124,6 +125,4 @@
 ### [Surface Hub may install updates and restart outside maintenance hours](surface-hub-installs-updates-and-restarts-outside-maintenance-hours.md)
 ### [General Data Privacy Regulation and Surface Hub](general-data-privacy-regulation-and-surface-hub.md)
 ### [Useful downloads for Surface Hub administrators](surface-hub-downloads.md)
-### [Technical information for 55” Microsoft Surface Hub](surface-hub-technical-55.md)
-### [Technical information for 84” Microsoft Surface Hub](surface-hub-technical-84.md)
 ### [Change history for Surface Hub](change-history-surface-hub.md)
diff --git a/devices/surface-hub/docfx.json b/devices/surface-hub/docfx.json
index 2ab787b803..d74914168f 100644
--- a/devices/surface-hub/docfx.json
+++ b/devices/surface-hub/docfx.json
@@ -41,7 +41,17 @@
           "depot_name": "Win.surface-hub",
           "folder_relative_path_in_docset": "./"
         }
-      }
+      },
+      "contributors_to_exclude": [ 
+        "rjagiewich", 
+        "traya1", 
+        "rmca14", 
+        "claydetels19", 
+        "Kellylorenebaker",
+        "jborsecnik",
+        "tiburd",
+        "garycentric"
+      ]
     },
     "externalReference": [],
     "template": "op.html",
diff --git a/devices/surface-hub/downloads/TrainingGuide-SurfaceHub2S-EndUser.pdf b/devices/surface-hub/downloads/TrainingGuide-SurfaceHub2S-EndUser.pdf
index b8b6d804a9..9fa82b77c5 100644
Binary files a/devices/surface-hub/downloads/TrainingGuide-SurfaceHub2S-EndUser.pdf and b/devices/surface-hub/downloads/TrainingGuide-SurfaceHub2S-EndUser.pdf differ
diff --git a/devices/surface-hub/downloads/TrainingGuide-SurfaceHub2S-HelpDesk.pdf b/devices/surface-hub/downloads/TrainingGuide-SurfaceHub2S-HelpDesk.pdf
index 9e3ac0aa01..36d552a91a 100644
Binary files a/devices/surface-hub/downloads/TrainingGuide-SurfaceHub2S-HelpDesk.pdf and b/devices/surface-hub/downloads/TrainingGuide-SurfaceHub2S-HelpDesk.pdf differ
diff --git a/devices/surface-hub/downloads/TrainingGuide-SurfaceHub2S-PowerUser.pdf b/devices/surface-hub/downloads/TrainingGuide-SurfaceHub2S-PowerUser.pdf
index a40bdf33d6..216737e393 100644
Binary files a/devices/surface-hub/downloads/TrainingGuide-SurfaceHub2S-PowerUser.pdf and b/devices/surface-hub/downloads/TrainingGuide-SurfaceHub2S-PowerUser.pdf differ
diff --git a/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md b/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md
index 1b001aa627..ea543e69f2 100644
--- a/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md
+++ b/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md
@@ -15,130 +15,131 @@ ms.localizationpriority: medium
 ---
 
 # Hybrid deployment (Surface Hub)
-A hybrid deployment requires special processing to set up a device account for your Microsoft Surface Hub. If you’re using a hybrid deployment, in which your organization has a mix of services, with some hosted on-premises and some hosted online, then your configuration will depend on where each service is hosted. This topic covers hybrid deployments for [Exchange hosted on-premises](#exchange-on-prem), [Exchange hosted online](#exchange-online), Skype for Business on-premises, Skype for Business online, and Skype for Business hybrid. Because there are so many different variations in this type of deployment, it's not possible to provide detailed instructions for all of them. The following process will work for many configurations. If the process isn't right for your setup, we recommend that you use PowerShell (see [Appendix: PowerShell](appendix-a-powershell-scripts-for-surface-hub.md)) to achieve the same end result as documented here, and for other deployment options. You should then use the provided Powershell script to verify your Surface Hub setup. (See [Account Verification Script](appendix-a-powershell-scripts-for-surface-hub.md#acct-verification-ps-scripts).)
 
->[!NOTE]
->In an Exchange hybrid environment, follow the steps for [Exchange on-premises](#exchange-on-prem). To move Exchange objects to Office 365, use the [New-MoveRequest](https://docs.microsoft.com/powershell/module/exchange/move-and-migration/new-moverequest?view=exchange-ps) cmdlet.
+A hybrid deployment requires special processing to set up a device account for your Microsoft Surface Hub. If you’re using a hybrid deployment, in which your organization has a mix of services, with some hosted on-premises and some hosted online, then your configuration will depend on where each service is hosted. This topic covers hybrid deployments for [Exchange hosted on-premises](#exchange-on-premises), [Exchange hosted online](#exchange-online), Skype for Business on-premises, Skype for Business online, and Skype for Business hybrid. Because there are so many different variations in this type of deployment, it's not possible to provide detailed instructions for all of them. The following process will work for many configurations. If the process isn't right for your setup, we recommend that you use PowerShell (see [Appendix: PowerShell](appendix-a-powershell-scripts-for-surface-hub.md)) to achieve the same end result as documented here, and for other deployment options. You should then use the provided Powershell script to verify your Surface Hub setup. (See [Account Verification Script](appendix-a-powershell-scripts-for-surface-hub.md#acct-verification-ps-scripts).)
+
+> [!NOTE]
+> In an Exchange hybrid environment, follow the steps for [Exchange on-premises](#exchange-on-premises). To move Exchange objects to Office 365, use the [New-MoveRequest](https://docs.microsoft.com/powershell/module/exchange/move-and-migration/new-moverequest?view=exchange-ps) cmdlet.
 
-
 ## Exchange on-premises
+
 Use this procedure if you use Exchange on-premises.
 
-1.  For this procedure, you'll be using AD admin tools to add an email address for your on-premises domain account. This account will be synced to Office 365.
+1. For this procedure, you'll be using AD admin tools to add an email address for your on-premises domain account. This account will be synced to Office 365.
 
-    - In **Active Directory Users and Computers** AD tool, right-click on the folder or Organizational Unit that your Surface Hub accounts will be created in, click **New**, and **User**.
-    - Type the display name from the previous cmdlet into the **Full name** box, and the alias into the **User logon name** box. Click **Next**.

-    
-        ![New object box for creating a new user in active directory.](images/hybriddeployment-01a.png)
+- In **Active Directory Users and Computers** AD tool, right-click on the folder or Organizational Unit that your Surface Hub accounts will be created in, click **New**, and **User**.
+- Type the display name from the previous cmdlet into the **Full name** box, and the alias into the **User logon name** box. Click **Next**.

 
-    - Type the password for this account. You'll need to retype it for verification. Make sure the **Password never expires** checkbox is the only option selected.
+![New object box for creating a new user in active directory.](images/hybriddeployment-01a.png)
 
-        >**Important** Selecting **Password never expires** is a requirement for Skype for Business on the Surface Hub. Your domain rules may prohibit passwords that don't expire. If so, you'll need to create an exception for each Surface Hub device account.
+- Type the password for this account. You'll need to retype it for verification. Make sure the **Password never expires** checkbox is the only option selected.
 
-        ![Image showing password dialog box.](images/hybriddeployment-02a.png)
-        
-    -   Click **Finish** to create the account.
+> **Important** Selecting **Password never expires** is a requirement for Skype for Business on the Surface Hub. Your domain rules may prohibit passwords that don't expire. If so, you'll need to create an exception for each Surface Hub device account.
 
-        ![Image with account name, logon name, and password options for new user.](images/hybriddeployment-03a.png)
+![Image showing password dialog box.](images/hybriddeployment-02a.png)
 
+-   Click **Finish** to create the account.
 
+![Image with account name, logon name, and password options for new user.](images/hybriddeployment-03a.png)
 
-2.  Enable the remote mailbox.
+2. Enable the remote mailbox.
 
-    Open your on-premises Exchange Management Shell with administrator permissions, and run this cmdlet.
+Open your on-premises Exchange Management Shell with administrator permissions, and run this cmdlet.
 
-    ```PowerShell
-    Enable-RemoteMailbox 'HUB01@contoso.com' -RemoteRoutingAddress 'HUB01@contoso.com' -Room
-    ```
-    >[!NOTE]
-    >If you don't have an on-premises Exchange environment to run this cmdlet, you can make the same changes directly to the Active Directory object for the account.
-    >
-    >msExchRemoteRecipientType = 33
-    >
-    >msExchRecipientDisplayType = -2147481850
-    >
-    >msExchRecipientTypeDetails = 8589934592
-    
-3.  After you've created the account, run a directory synchronization. When it's complete, go to the users page in your Microsoft 365 admin center and verify that the account created in the previous steps has merged to online.
-    
-4.  Connect to Microsoft Exchange Online and set some properties for the account in Office 365.
+```PowerShell
+Enable-RemoteMailbox 'HUB01@contoso.com' -RemoteRoutingAddress 'HUB01@contoso.com' -Room
+```
 
-    Start a remote PowerShell session on a PC and connect to Microsoft Exchange. Be sure you have the right permissions set to run the associated cmdlets.
+> [!NOTE]
+> If you don't have an on-premises Exchange environment to run this cmdlet, you can make the same changes directly to the Active Directory object for the account.
+>
+> msExchRemoteRecipientType = 33
+>
+> msExchRecipientDisplayType = -2147481850
+>
+> msExchRecipientTypeDetails = 8589934592
 
-    The next steps will be run on your Office 365 tenant.
+3. After you've created the account, run a directory synchronization. When it's complete, go to the users page in your Microsoft 365 admin center and verify that the account created in the previous steps has merged to online.
 
-    ```PowerShell
-    Set-ExecutionPolicy RemoteSigned
-    $cred=Get-Credential -Message "Please use your Office 365 admin credentials"
-    $sess= New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri 'https://ps.outlook.com/powershell' -Credential $cred -Authentication Basic -AllowRedirection
-    Import-PSSession $sess
-    ```
+4. Connect to Microsoft Exchange Online and set some properties for the account in Office 365.
 
-5.  Create a new Exchange ActiveSync policy, or use a compatible existing policy.
+Start a remote PowerShell session on a PC and connect to Microsoft Exchange. Be sure you have the right permissions set to run the associated cmdlets.
 
-    After setting up the mailbox, you will need to either create a new Exchange ActiveSync policy or use a compatible existing policy.
-    
-    Surface Hubs are only compatible with device accounts that have an ActiveSync policy where the **PasswordEnabled** property is set to False. If this isn’t set properly, then Exchange services on the Surface Hub (mail, calendar, and joining meetings), will not be enabled.
+The next steps will be run on your Office 365 tenant.
 
-    If you haven’t created a compatible policy yet, use the following cmdlet—-this one creates a policy called "Surface Hubs". Once it’s created, you can apply the same policy to other device accounts.
+```PowerShell
+Set-ExecutionPolicy RemoteSigned
+$cred=Get-Credential -Message "Please use your Office 365 admin credentials"
+$sess= New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri 'https://ps.outlook.com/powershell' -Credential $cred -Authentication Basic -AllowRedirection
+Import-PSSession $sess
+```
 
-    ```PowerShell
-    $easPolicy = New-MobileDeviceMailboxPolicy -Name “SurfaceHubs” -PasswordEnabled $false
-    ```
+5. Create a new Exchange ActiveSync policy, or use a compatible existing policy.
 
-    Once you have a compatible policy, then you will need to apply the policy to the device account. 
+After setting up the mailbox, you will need to either create a new Exchange ActiveSync policy or use a compatible existing policy.
 
-    ```PowerShell
-    Set-CASMailbox 'HUB01@contoso.com' -ActiveSyncMailboxPolicy $easPolicy.id
-    ```
+Surface Hubs are only compatible with device accounts that have an ActiveSync policy where the **PasswordEnabled** property is set to False. If this isn’t set properly, then Exchange services on the Surface Hub (mail, calendar, and joining meetings), will not be enabled.
 
-6.  Set Exchange properties.
+If you haven’t created a compatible policy yet, use the following cmdlet—this one creates a policy called "Surface Hubs". Once it’s created, you can apply the same policy to other device accounts.
 
-    Setting Exchange properties on the device account to improve the meeting experience. You can see which properties need to be set in the [Exchange properties](exchange-properties-for-surface-hub-device-accounts.md) section.
+```PowerShell
+$easPolicy = New-MobileDeviceMailboxPolicy -Name “SurfaceHubs” -PasswordEnabled $false
+```
 
-    ```PowerShell
-    Set-CalendarProcessing -Identity 'HUB01@contoso.com' -AutomateProcessing AutoAccept -AddOrganizerToSubject $false –AllowConflicts $false –DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false
-    Set-CalendarProcessing -Identity 'HUB01@contoso.com' -AddAdditionalResponse $true -AdditionalResponse 'This is a Surface Hub room!'
-    ```
+Once you have a compatible policy, you will need to apply the policy to the device account. 
 
-7.  Connect to Azure AD.
+```PowerShell
+Set-CASMailbox 'HUB01@contoso.com' -ActiveSyncMailboxPolicy $easPolicy.id
+```
 
-	You first need to install Azure AD module for PowerShell version 2. In an elevated powershell prompt run the following command :
-    ```PowerShell
-    Install-Module -Name AzureAD
-    ```
-	
-    You need to connect to Azure AD to apply some account settings. You can run this cmdlet to connect.
+6. Set Exchange properties.
 
-    ```PowerShell
-    Import-Module AzureAD
-    Connect-AzureAD -Credential $cred
-    ```
-8.  Assign an Office 365 license.
+Setting Exchange properties on the device account to improve the meeting experience. You can see which properties need to be set in the [Exchange properties](exchange-properties-for-surface-hub-device-accounts.md) section.
 
-    The device account needs to have a valid Office 365 (O365) license, or Exchange and Skype for Business will not work. If you have the license, you need to assign a usage location to your device account—this determines what license SKUs are available for your account.
- 
-    You can use `Get-AzureADSubscribedSku` to retrieve a list of available SKUs for your O365 tenant.
+```PowerShell
+Set-CalendarProcessing -Identity 'HUB01@contoso.com' -AutomateProcessing AutoAccept -AddOrganizerToSubject $false –AllowConflicts $false –DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false
+Set-CalendarProcessing -Identity 'HUB01@contoso.com' -AddAdditionalResponse $true -AdditionalResponse 'This is a Surface Hub room!'
+```
 
-    Once you list out the SKUs, you'll need to assign the SkuId you want to the `$License.SkuId` variable.
+7. Connect to Azure AD.
 
-    ```PowerShell
-    Set-AzureADUser -ObjectId "HUB01@contoso.com" -UsageLocation "US"
-	
-	Get-AzureADSubscribedSku | Select Sku*,*Units
-	$License = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
-    $License.SkuId = SkuId You selected 
-	
-	$AssignedLicenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
-    $AssignedLicenses.AddLicenses = $License
-    $AssignedLicenses.RemoveLicenses = @()
-	
-    Set-AzureADUserLicense -ObjectId "HUB01@contoso.com"  -AssignedLicenses $AssignedLicenses
-    ```
+You first need to install Azure AD module for PowerShell version 2. In an elevated PowerShell prompt, run the following command:
+
+```PowerShell
+Install-Module -Name AzureAD
+```
+
+You need to connect to Azure AD to apply some account settings. You can run this cmdlet to connect.
+
+```PowerShell
+Import-Module AzureAD
+Connect-AzureAD -Credential $cred
+```
+
+8. Assign an Office 365 license.
+
+The device account needs to have a valid Office 365 (O365) license, or Exchange and Skype for Business will not work. If you have the license, you need to assign a usage location to your device account—this determines what license SKUs are available for your account.
+
+You can use `Get-AzureADSubscribedSku` to retrieve a list of available SKUs for your O365 tenant.
+
+Once you list out the SKUs, you'll need to assign the SkuId you want to the `$License.SkuId` variable.
+
+```PowerShell
+Set-AzureADUser -ObjectId "HUB01@contoso.com" -UsageLocation "US"
+
+Get-AzureADSubscribedSku | Select Sku*,*Units
+$License = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
+$License.SkuId = SkuId You selected 
+
+$AssignedLicenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
+$AssignedLicenses.AddLicenses = $License
+$AssignedLicenses.RemoveLicenses = @()
+
+Set-AzureADUserLicense -ObjectId "HUB01@contoso.com"  -AssignedLicenses $AssignedLicenses
+```
 
 Next, you enable the device account with [Skype for Business Online](#skype-for-business-online), [Skype for Business on-premises](#skype-for-business-on-premises), or [Skype for Business hybrid](#skype-for-business-hybrid).
 
-
 ### Skype for Business Online
 
 To enable Skype for Business online, your tenant users must have Exchange mailboxes (at least one Exchange mailbox in the tenant is required). The following table explains which plans or additional services you need.
@@ -149,7 +150,7 @@ To enable Skype for Business online, your tenant users must have Exchange mailbo
 | Initiate an ad-hoc meeting | Skype for Business Standalone Plan 2 | E 1, 3, 4, or 5 | Skype for Business Server Standard CAL or Enterprise CAL |
 | Initiate an ad-hoc meeting and dial out from a meeting to phone numbers | Skype for Business Standalone Plan 2 with Audio Conferencing

**Note** PSTN consumption billing is optional | E1 or E3 with Audio Conferencing, or E5| Skype for Business Server Standard CAL or Enterprise CAL |
 | Give the room a phone number and make or receive calls from the room or join a dial-in conference using a phone number | Skype for Business Standalone Plan 2 with Phone System and a PSTN Voice Calling plan | E1 or E3 with Phone System and a PSTN Voice Calling plan, or E5 | Skype for Business Server Standard CAL or Plus CAL |
-    
+
 The following table lists the Office 365 plans and Skype for Business options.
 
 | O365 Plan | Skype for Business | Phone System | Audio Conferencing | Calling Plans |
@@ -162,42 +163,42 @@ The following table lists the Office 365 plans and Skype for Business options.
 
 1. Start by creating a remote PowerShell session from a PC to the Skype for Business online environment.
 
-        ```PowerShell
-        Import-Module SkypeOnlineConnector  
-        $cssess=New-CsOnlineSession -Credential $cred  
-        Import-PSSession $cssess -AllowClobber
-        ```
-        
+```PowerShell
+Import-Module SkypeOnlineConnector  
+$cssess=New-CsOnlineSession -Credential $cred  
+Import-PSSession $cssess -AllowClobber
+```
+
 2. To enable your Surface Hub account for Skype for Business Server, run this cmdlet:
 
-        ```PowerShell
-        Enable-CsMeetingRoom -Identity 'HUB01@contoso.com' -RegistrarPool 'sippoolbl20a04.infra.lync.com' -SipAddressType UserPrincipalName
-        ```
-        
-    If you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet:
+```PowerShell
+Enable-CsMeetingRoom -Identity 'HUB01@contoso.com' -RegistrarPool 'sippoolbl20a04.infra.lync.com' -SipAddressType UserPrincipalName
+```
 
-        ```PowerShell
-        Get-CsOnlineUser -Identity ‘HUB01@contoso.com’| fl *registrarpool*
-        ```
+If you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet:
+
+```PowerShell
+Get-CsOnlineUser -Identity ‘HUB01@contoso.com’| fl *registrarpool*
+```
 
 3. Assign Skype for Business license to your Surface Hub account.
 
-    Once you've completed the preceding steps to enable your Surface Hub account in Skype for Business Online, you need to assign a license to the Surface Hub. Using the O365 administrative portal, assign either a Skype for Business Online (Plan 2) or a Skype for Business Online (Plan 3) to the device.
-    
-   - Login as a tenant administrator, open the O365 Administrative Portal, and click on the Admin app.
-    
-   - Click on **Users and Groups** and then **Add users, reset passwords, and more**.
-    
-   - Click the Surface Hub account, and then click the pen icon to edit the account information.
-    
-   - Click **Licenses**.
-    
-   - In **Assign licenses**, select Skype for Business (Plan 1) or Skype for Business (Plan 2), depending on your licensing and Enterprise Voice requirements. You'll have to use a Plan 2 license if you want to use Enterprise Voice on your Surface Hub.
-    
-   - Click **Save**.
+ Once you've completed the preceding steps to enable your Surface Hub account in Skype for Business Online, you need to assign a license to the Surface Hub. Using the O365 administrative portal, assign either a Skype for Business Online (Plan 2) or a Skype for Business Online (Plan 3) license to the device.
 
-     >[!NOTE]
-     >You can also use the Windows Azure Active Directory Module for Windows Powershell to run the cmdlets needed to assign one of these licenses, but that's not covered here.
+- Login as a tenant administrator, open the O365 Administrative Portal, and click on the Admin app.
+
+- Click on **Users and Groups** and then **Add users, reset passwords, and more**.
+
+- Click the Surface Hub account, and then click the pen icon to edit the account information.
+
+- Click **Licenses**.
+
+- In **Assign licenses**, select Skype for Business (Plan 1) or Skype for Business (Plan 2), depending on your licensing and Enterprise Voice requirements. You'll have to use a Plan 2 license if you want to use Enterprise Voice on your Surface Hub.
+
+- Click **Save**.
+
+> [!NOTE]
+> You can also use the Windows Azure Active Directory Module for Windows Powershell to run the cmdlets needed to assign one of these licenses, but that's not covered here.
 
 For validation, you should be able to use any Skype for Business client (PC, Android, etc.) to sign in to this account.
 
@@ -205,7 +206,7 @@ For validation, you should be able to use any Skype for Business client (PC, And
 
 To run this cmdlet, you will need to connect to one of the Skype front-ends. Open the Skype PowerShell and run:
 
-```
+```PowerShell
 Enable-CsMeetingRoom -Identity 'HUB01@contoso.com' -RegistrarPool registrarpoolfqdn -SipAddressType UserPrincipalName 
 ```
 
@@ -217,181 +218,181 @@ The Surface Hub requires a Skype account of the type `meetingroom`, while a norm
 
 In Skype for Business Server 2015 hybrid environment, any user that you want in Skype for Business Online must first be created in the on-premises deployment, so that the user account is created in Active Directory Domain Services. You can then move the user to Skype for Business Online. The move of a user account from on-premises to online is done via the [Move-CsUser](https://technet.microsoft.com/library/gg398528.aspx) cmdlet. To move a Csmeetingroom object, use the [Move-CsMeetingRoom](https://technet.microsoft.com/library/jj204889.aspx?f=255&mspperror=-2147217396) cmdlet.
 
->[!NOTE]
->To use the Move-CsMeetingRoom cmdlet, you must have installed [the May 2017 cumulative update 6.0.9319.281 for Skype for Business Server 2015](https://support.microsoft.com/help/4020991/enables-the-move-csmeetingroom-cmdlet-to-move-a-meeting-room-from-on-p) or [the July 2017 cumulative update 5.0.8308.992 for Lync Server 2013](https://support.microsoft.com/help/4034279/enables-the-move-csmeetingroom-cmdlet-to-move-a-meeting-room-from-on-p).
+> [!NOTE]
+> To use the Move-CsMeetingRoom cmdlet, you must have installed [the May 2017 cumulative update 6.0.9319.281 for Skype for Business Server 2015](https://support.microsoft.com/help/4020991/enables-the-move-csmeetingroom-cmdlet-to-move-a-meeting-room-from-on-p) or [the July 2017 cumulative update 5.0.8308.992 for Lync Server 2013](https://support.microsoft.com/help/4034279/enables-the-move-csmeetingroom-cmdlet-to-move-a-meeting-room-from-on-p).
 
 
 ## Exchange online
+
 Use this procedure if you use Exchange online.
 
-1.  Create an email account in Office 365.
+1. Create an email account in Office 365.
 
-    Start a remote PowerShell session on a PC and connect to Exchange. Be sure you have the right permissions set to run the associated cmdlets.
+Start a remote PowerShell session on a PC and connect to Exchange. Be sure you have the right permissions set to run the associated cmdlets.
 
-    ```PowerShell
-    Set-ExecutionPolicy RemoteSigned
-    $cred=Get-Credential -Message "Please use your Office 365 admin credentials"
-    $sess= New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/PowerShell-liveid/ -Credential $cred -Authentication Basic -AllowRedirection
-    Import-PSSession $sess
-    ```
+```PowerShell
+Set-ExecutionPolicy RemoteSigned
+$cred=Get-Credential -Message "Please use your Office 365 admin credentials"
+$sess= New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/PowerShell-liveid/ -Credential $cred -Authentication Basic -AllowRedirection
+Import-PSSession $sess
+```
 
-2.  Set up mailbox.
+2. Set up a mailbox.
 
-    After establishing a session, you’ll either create a new mailbox and enable it as a RoomMailboxAccount, or change the settings for an existing room mailbox. This will allow the account to authenticate into the Surface Hub.
+After establishing a session, you’ll either create a new mailbox and enable it as a RoomMailboxAccount, or change the settings for an existing room mailbox. This will allow the account to authenticate into the Surface Hub.
 
-    If you're changing an existing resource mailbox:
+If you're changing an existing resource mailbox:
 
-    ```PowerShell
-    Set-Mailbox -Identity 'HUB01' -EnableRoomMailboxAccount $true -RoomMailboxPassword (ConvertTo-SecureString -String  -AsPlainText -Force)
-    ```
+```PowerShell
+Set-Mailbox -Identity 'HUB01' -EnableRoomMailboxAccount $true -RoomMailboxPassword (ConvertTo-SecureString -String  -AsPlainText -Force)
+```
 
-    If you’re creating a new resource mailbox:
+If you’re creating a new resource mailbox:
 
-    ```PowerShell
-    New-Mailbox -MicrosoftOnlineServicesID 'HUB01@contoso.com' -Alias HUB01 -Name "Hub-01" -Room -EnableRoomMailboxAccount $true -RoomMailboxPassword (ConvertTo-SecureString -String  -AsPlainText -Force)
-    ```
+```PowerShell
+New-Mailbox -MicrosoftOnlineServicesID 'HUB01@contoso.com' -Alias HUB01 -Name "Hub-01" -Room -EnableRoomMailboxAccount $true -RoomMailboxPassword (ConvertTo-SecureString -String  -AsPlainText -Force)
+```
 
-3.  Create Exchange ActiveSync policy.
+3. Create Exchange ActiveSync policy.
 
-    After setting up the mailbox, you will need to either create a new Exchange ActiveSync policy, or use a compatible existing policy.
+After setting up the mailbox, you will need to either create a new Exchange ActiveSync policy, or use a compatible existing policy.
 
-    Surface Hubs are only compatible with device accounts that have an ActiveSync policy where the **PasswordEnabled** property is set to False. If this isn’t set properly, then Exchange services on the Surface Hub (mail, calendar, and joining meetings), will not be enabled.
+Surface Hubs are only compatible with device accounts that have an ActiveSync policy where the **PasswordEnabled** property is set to False. If this isn’t set properly, Exchange services on the Surface Hub (mail, calendar, and joining meetings) will not be enabled.
 
-    If you haven’t created a compatible policy yet, use the following cmdlet—this one creates a policy called "Surface Hubs". Once it’s created, you can apply the same policy to other device accounts.
+If you haven’t created a compatible policy yet, use the following cmdlet—this one creates a policy called "Surface Hubs". Once it’s created, you can apply the same policy to other device accounts.
 
-    ```PowerShell
-    $easPolicy = New-MobileDeviceMailboxPolicy -Name “SurfaceHubs” -PasswordEnabled $false
-    ```
+```PowerShell
+$easPolicy = New-MobileDeviceMailboxPolicy -Name “SurfaceHubs” -PasswordEnabled $false
+```
 
-    Once you have a compatible policy, then you will need to apply the policy to the device account. However, policies can only be applied to user accounts and not resource mailboxes. You need to convert the mailbox into a user type, apply the policy, and then convert it back into a mailbox—you may need to re-enable it and set the password again too.
+Once you have a compatible policy, you will need to apply the policy to the device account. However, policies can only be applied to user accounts and not resource mailboxes. You need to convert the mailbox into a user type, apply the policy, and then convert it back into a mailbox—you may need to re-enable it and set the password again too.
 
-    ```PowerShell
-    Set-Mailbox 'HUB01@contoso.com' -Type Regular
-    Set-CASMailbox 'HUB01@contoso.com' -ActiveSyncMailboxPolicy $easPolicy.id
-    Set-Mailbox 'HUB01@contoso.com' -Type Room
-    $credNewAccount = Get-Credential -Message "Please provide the Surface Hub username and password"
-    Set-Mailbox 'HUB01@contoso.com' -RoomMailboxPassword $credNewAccount.Password -EnableRoomMailboxAccount $true
-    ```
+```PowerShell
+Set-Mailbox 'HUB01@contoso.com' -Type Regular
+Set-CASMailbox 'HUB01@contoso.com' -ActiveSyncMailboxPolicy $easPolicy.id
+Set-Mailbox 'HUB01@contoso.com' -Type Room
+$credNewAccount = Get-Credential -Message "Please provide the Surface Hub username and password"
+Set-Mailbox 'HUB01@contoso.com' -RoomMailboxPassword $credNewAccount.Password -EnableRoomMailboxAccount $true
+```
 
-4.  Set Exchange properties.
+4. Set Exchange properties.
 
-    Various Exchange properties must be set on the device account to improve the meeting experience. You can see which properties need to be set in the [Exchange properties](exchange-properties-for-surface-hub-device-accounts.md) section.
+Various Exchange properties must be set on the device account to improve the meeting experience. You can see which properties need to be set in the [Exchange properties](exchange-properties-for-surface-hub-device-accounts.md) section.
 
-    ```PowerShell
-    Set-CalendarProcessing -Identity 'HUB01@contoso.com' -AutomateProcessing AutoAccept -AddOrganizerToSubject $false –AllowConflicts $false –DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false
-    Set-CalendarProcessing -Identity 'HUB01@contoso.com' -AddAdditionalResponse $true -AdditionalResponse "This is a Surface Hub room!"
-    ```
+```PowerShell
+Set-CalendarProcessing -Identity 'HUB01@contoso.com' -AutomateProcessing AutoAccept -AddOrganizerToSubject $false –AllowConflicts $false –DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false
+Set-CalendarProcessing -Identity 'HUB01@contoso.com' -AddAdditionalResponse $true -AdditionalResponse "This is a Surface Hub room!"
+```
 
-5.  Add email address for your on-premises domain account.
+5. Add an email address for your on-premises domain account.
 
-    For this procedure, you'll be using AD admin tools to add an email address for your on-premises domain account.
-    
-    - In **Active Directory Users and Computers** AD tool, right-click on the folder or Organizational Unit that your Surface Hub accounts will be created in, click **New**, and **User**.
-    - Type the display name from the previous cmdlet into the **Full name** box, and the alias into the **User logon name** box. Click **Next**.
+For this procedure, you'll be using AD admin tools to add an email address for your on-premises domain account.
 
-        ![New object box for creating a new user in Active Directory.](images/hybriddeployment-01a.png)
+- In **Active Directory Users and Computers** AD tool, right-click on the folder or Organizational Unit that your Surface Hub accounts will be created in, click **New**, and **User**.
+- Type the display name from the previous cmdlet into the **Full name** box, and the alias into the **User logon name** box. Click **Next**.
 
-    - Type the password for this account. You'll need to retype it for verification. Make sure the **Password never expires** checkbox is the only option selected.
-    
-        >[!IMPORTANT]
-        >Selecting **Password never expires** is a requirement for Skype for Business on the Surface Hub. Your domain rules may prohibit passwords that don't expire. If so, you'll need to create an exception for each Surface Hub device account.
-    
-        ![Image showing password dialog box.](images/hybriddeployment-02a.png)
-    
-    - Click **Finish** to create the account.
+![New object box for creating a new user in Active Directory.](images/hybriddeployment-01a.png)
 
-        ![Image with account name, logon name, and password options for new user.](images/hybriddeployment-03a.png)
+- Type the password for this account. You'll need to retype it for verification. Make sure the **Password never expires** checkbox is the only option selected.
 
-6.  Run directory synchronization.
+> [!IMPORTANT]
+> Selecting **Password never expires** is a requirement for Skype for Business on the Surface Hub. Your domain rules may prohibit passwords that don't expire. If so, you'll need to create an exception for each Surface Hub device account.
 
-    After you've created the account, run a directory synchronization. When it's complete, go to the users page and verify that the two accounts created in the previous steps have merged.
+![Image showing password dialog box.](images/hybriddeployment-02a.png)
 
-7.  Connect to Azure AD.
+- Click **Finish** to create the account.
 
-    You first need to install Azure AD module for PowerShell version 2. In an elevated powershell prompt run the following command :
-    
-    ```PowerShell
-    Install-Module -Name AzureAD
-    ```
-    You need to connect to Azure AD to apply some account settings. You can run this cmdlet to connect.
+![Image with account name, logon name, and password options for new user.](images/hybriddeployment-03a.png)
 
-    ```PowerShell
-    Import-Module AzureAD
-    Connect-AzureAD -Credential $cred
-    ```
+6. Run directory synchronization.
 
-8.  Assign an Office 365 license.
+After you've created the account, run a directory synchronization. When it's complete, go to the users page and verify that the two accounts created in the previous steps have merged.
 
-    The device account needs to have a valid Office 365 (O365) license, or Exchange and Skype for Business will not work. If you have the license, you need to assign a usage location to your device account—this determines what license SKUs are available for your account.
+7. Connect to Azure AD.
 
-    Next, you can use `Get-AzureADSubscribedSku` to retrieve a list of available SKUs for your O365 tenant.
+You first need to install Azure AD module for PowerShell version 2. In an elevated PowerShell prompt, run the following command:
 
-    Once you list out the SKUs, you'll need to assign the SkuId you want to the `$License.SkuId` variable.
+```PowerShell
+Install-Module -Name AzureAD
+```
 
-    ```PowerShell
-    Set-AzureADUser -ObjectId "HUB01@contoso.com" -UsageLocation "US"
-	
-	Get-AzureADSubscribedSku | Select Sku*,*Units
-	$License = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
-    $License.SkuId = SkuId You selected 
-	
-	$AssignedLicenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
-    $AssignedLicenses.AddLicenses = $License
-    $AssignedLicenses.RemoveLicenses = @()
-	
-    Set-AzureADUserLicense -ObjectId "HUB01@contoso.com"  -AssignedLicenses $AssignedLicenses
-    ```
+You need to connect to Azure AD to apply some account settings. You can run this cmdlet to connect:
 
-Next, you enable the device account with [Skype for Business Online](#sfb-online), [Skype for Business on-premises](#sfb-onprem), or [Skype for Business hybrid](#sfb-hybrid).
+```PowerShell
+Import-Module AzureAD
+Connect-AzureAD -Credential $cred
+```
 
+8. Assign an Office 365 license.
 
-### Skype for Business Online    
-    
-In order to enable Skype for Business, your environment will need to meet the [prerequisites for Skype for Business online](#sfb-online).
+The device account needs to have a valid Office 365 (O365) license, or Exchange and Skype for Business will not work. If you have the license, you need to assign a usage location to your device account—this determines what license SKUs are available for your account.
+
+Next, you can use `Get-AzureADSubscribedSku` to retrieve a list of available SKUs for your O365 tenant.
+
+Once you list out the SKUs, you'll need to assign the SkuId you want to the `$License.SkuId` variable.
+
+```PowerShell
+Set-AzureADUser -ObjectId "HUB01@contoso.com" -UsageLocation "US"
+
+Get-AzureADSubscribedSku | Select Sku*,*Units
+$License = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
+$License.SkuId = SkuId You selected 
+
+$AssignedLicenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
+$AssignedLicenses.AddLicenses = $License
+$AssignedLicenses.RemoveLicenses = @()
+
+Set-AzureADUserLicense -ObjectId "HUB01@contoso.com"  -AssignedLicenses $AssignedLicenses
+```
+
+Next, you enable the device account with [Skype for Business Online](#skype-for-business-online), [Skype for Business on-premises](#skype-for-business-on-premises), or [Skype for Business hybrid](#skype-for-business-hybrid).
+
+### Skype for Business Online
+
+In order to enable Skype for Business, your environment will need to meet the [prerequisites for Skype for Business online](#skype-for-business-online).
 
 1. Start by creating a remote PowerShell session to the Skype for Business online environment from a PC.
 
-   ```PowerShell
-   Import-Module SkypeOnlineConnector  
-   $cssess=New-CsOnlineSession -Credential $cred  
-   Import-PSSession $cssess -AllowClobber
-   ```
+```PowerShell
+Import-Module SkypeOnlineConnector  
+$cssess=New-CsOnlineSession -Credential $cred  
+Import-PSSession $cssess -AllowClobber
+```
 
 2. To enable your Surface Hub account for Skype for Business Server, run this cmdlet:
 
-   ```PowerShell
-   Enable-CsMeetingRoom -Identity 'HUB01@contoso.com' -RegistrarPool  
-   'sippoolbl20a04.infra.lync.com' -SipAddressType UserPrincipalName
-   ```
+```PowerShell
+Enable-CsMeetingRoom -Identity 'HUB01@contoso.com' -RegistrarPool  
+'sippoolbl20a04.infra.lync.com' -SipAddressType UserPrincipalName
+```
 
    If you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet:
 
-   ```PowerShell
-   Get-CsOnlineUser -Identity 'HUB01@contoso.com'| fl *registrarpool*
-   ```
+```PowerShell
+Get-CsOnlineUser -Identity 'HUB01@contoso.com'| fl *registrarpool*
+```
 
 10. Assign Skype for Business license to your Surface Hub account
 
-    Once you've completed the preceding steps to enable your Surface Hub account in Skype for Business Online, you need to assign a license to the Surface Hub. Using the O365 administrative portal, assign either a Skype for Business Online (Plan 2) or a Skype for Business Online (Plan 3) to the device.
+Once you've completed the preceding steps to enable your Surface Hub account in Skype for Business Online, you need to assign a license to the Surface Hub. Using the O365 administrative portal, assign either a Skype for Business Online (Plan 2) or a Skype for Business Online (Plan 3) license to the device.
 
-    - Sign in as a tenant administrator, open the O365 Administrative Portal, and click on the Admin app.
-    
-    - Click on **Users and Groups** and then **Add users, reset passwords, and more**.
-    
-    - Click the Surface Hub account, and then click the pen icon to edit the account information.
-    
-    - Click **Licenses**.
-    
-    - In **Assign licenses**, select Skype for Business (Plan 2) or Skype for Business (Plan 3), depending on your licensing and Enterprise Voice requirements. You'll have to use a Plan 3 license if you want to use Enterprise Voice on your Surface Hub.
-    
-    - Click **Save**.
+- Sign in as a tenant administrator, open the O365 Administrative Portal, and click on the Admin app.
 
-        >[!NOTE]
-        > You can also use the Windows Azure Active Directory Module for Windows PowerShell to run the cmdlets needed to assign one of these licenses, but that's not covered here.
+- Click on **Users and Groups** and then **Add users, reset passwords, and more**.
+
+- Click the Surface Hub account, and then click the pen icon to edit the account information.
+
+- Click **Licenses**.
+
+- In **Assign licenses**, select Skype for Business (Plan 2) or Skype for Business (Plan 3), depending on your licensing and Enterprise Voice requirements. You'll have to use a Plan 3 license if you want to use Enterprise Voice on your Surface Hub.
+
+- Click **Save**.
+
+> [!NOTE]
+> You can also use the Windows Azure Active Directory Module for Windows PowerShell to run the cmdlets needed to assign one of these licenses, but that's not covered here.
 
 For validation, you should be able to use any Skype for Business client (PC, Android, etc) to sign in to this account.
 
-
 ### Skype for Business on-premises
 
 To run this cmdlet, you will need to connect to one of the Skype front-ends. Open the Skype PowerShell and run:
@@ -400,15 +401,13 @@ To run this cmdlet, you will need to connect to one of the Skype front-ends. Ope
 Enable-CsMeetingRoom -Identity 'HUB01@contoso.com' -RegistrarPool registrarpoolfqdn -SipAddressType UserPrincipalName 
 ```
 
-
 ### Skype for Business hybrid
 
 If your organization has set up [hybrid connectivity between Skype for Business Server and Skype for Business Online](https://technet.microsoft.com/library/jj205403.aspx), the guidance for creating accounts differs from a standard Surface Hub deployment.
 
 The Surface Hub requires a Skype account of the type *meetingroom*, while a normal user would use a *user* type account in Skype. If your Skype server is set up for hybrid where you might have users on the local Skype server as well as users hosted in Office 365, you might run into a few issues when trying to create a Surface Hub account.
- 
+
 In Skype for Business Server 2015 hybrid environment, any user that you want in Skype for Business Online must first be created in the on-premises deployment, so that the user account is created in Active Directory Domain Services. You can then move the user to Skype for Business Online. The move of a user account from on-premises to online is done via the [Move-CsUser](https://technet.microsoft.com/library/gg398528.aspx) cmdlet. To move a Csmeetingroom object, use the [Move-CsMeetingRoom](https://technet.microsoft.com/library/jj204889.aspx?f=255&mspperror=-2147217396) cmdlet.
 
->[!NOTE]
->To use the Move-CsMeetingRoom cmdlet, you must have installed [the May 2017 cumulative update 6.0.9319.281 for Skype for Business Server 2015](https://support.microsoft.com/help/4020991/enables-the-move-csmeetingroom-cmdlet-to-move-a-meeting-room-from-on-p) or [the July 2017 cumulative update 5.0.8308.992 for Lync Server 2013](https://support.microsoft.com/help/4034279/enables-the-move-csmeetingroom-cmdlet-to-move-a-meeting-room-from-on-p).
-
+> [!NOTE]
+> To use the Move-CsMeetingRoom cmdlet, you must have installed [the May 2017 cumulative update 6.0.9319.281 for Skype for Business Server 2015](https://support.microsoft.com/help/4020991/enables-the-move-csmeetingroom-cmdlet-to-move-a-meeting-room-from-on-p) or [the July 2017 cumulative update 5.0.8308.992 for Lync Server 2013](https://support.microsoft.com/help/4034279/enables-the-move-csmeetingroom-cmdlet-to-move-a-meeting-room-from-on-p).
diff --git a/devices/surface-hub/index.md b/devices/surface-hub/index.md
index 61a9b33c78..e4fa9986f3 100644
--- a/devices/surface-hub/index.md
+++ b/devices/surface-hub/index.md
@@ -30,6 +30,7 @@ Surface Hub 2S is an all-in-one digital interactive whiteboard, meetings platfor
                         
Behind the design: Surface Hub 2S

                         
What's new in Surface Hub 2S

                         
Operating system essentials

+                        
Enable Microsoft Whiteboard on Surface Hub

                     
                 
             
@@ -122,7 +123,7 @@ Surface Hub 2S is an all-in-one digital interactive whiteboard, meetings platfor
                         
                     
                     

-                        
Support

+                        
Troubleshoot

                         
Service and warranty

                         
Recover & reset Surface Hub 2S

                         
Surface Hub support solutions

@@ -156,7 +157,8 @@ Surface Hub 2S is an all-in-one digital interactive whiteboard, meetings platfor
             

                 

                     

-                        
Surface Hub 2s Videos

+                        
Surface Hub 2S Videos

+                        
Adoption and training videos

                         
What is Surface Hub 2S?

                         
Surface Hub 2S with Teams

                         
Surface Hub 2S with Microsoft 365

diff --git a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md
index 5b45fdcb93..91d561934c 100644
--- a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md
+++ b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md
@@ -117,9 +117,9 @@ The following tables include info on Windows 10 settings that have been validate
 |                    Allow Do Not Track                     |                                                          Use to enable Do Not Track headers.                                                          |                          [Browser/AllowDoNotTrack](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDoNotTrack)                          | Yes 
 [Use a custom policy.](#example-intune) | Yes.
 [Use a custom setting.](#example-sccm) |             Yes             |
 |                       Allow pop-ups                       |                                                         Use to block pop-up browser windows.                                                          |                              [Browser/AllowPopups](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowPopups)                              | Yes 
 [Use a custom policy.](#example-intune) | Yes.
 [Use a custom setting.](#example-sccm) |             Yes             |
 |                 Allow search suggestions                  |                                                  Use to block search suggestions in the address bar.                                                  |       [Browser/AllowSearchSuggestionsinAddressBar](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSearchSuggestionsinAddressBar)       | Yes 
 [Use a custom policy.](#example-intune) | Yes.
 [Use a custom setting.](#example-sccm) |             Yes             |
-|                     Allow SmartScreen                     |                                                       Keep this enabled to turn on SmartScreen.                                                       |                         [Browser/AllowSmartScreen](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSmartScreen)                         | Yes 
 [Use a custom policy.](#example-intune) | Yes.
 [Use a custom setting.](#example-sccm) |             Yes             |
-| Prevent ignoring SmartScreen Filter warnings for websites |     For extra security, use to stop users from ignoring SmartScreen Filter warnings and block them from accessing potentially malicious websites.     |         [Browser/PreventSmartScreenPromptOverride](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverride)         | Yes 
 [Use a custom policy.](#example-intune) | Yes.
 [Use a custom setting.](#example-sccm) |             Yes             |
-|  Prevent ignoring SmartScreen Filter warnings for files   | For extra security, use to stop users from ignoring SmartScreen Filter warnings and block them from downloading unverified files from Microsoft Edge. | [Browser/PreventSmartScreenPromptOverrideForFiles](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverrideForFiles) | Yes 
 [Use a custom policy.](#example-intune) | Yes.
 [Use a custom setting.](#example-sccm) |             Yes             |
+|                     Allow Windows Defender SmartScreen                     |                                                       Keep this enabled to turn on Windows Defender SmartScreen.                                                       |                         [Browser/AllowSmartScreen](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSmartScreen)                         | Yes 
 [Use a custom policy.](#example-intune) | Yes.
 [Use a custom setting.](#example-sccm) |             Yes             |
+| Prevent ignoring Windows Defender SmartScreen warnings for websites |     For extra security, use to stop users from ignoring Windows Defender SmartScreen warnings and block them from accessing potentially malicious websites.     |         [Browser/PreventSmartScreenPromptOverride](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverride)         | Yes 
 [Use a custom policy.](#example-intune) | Yes.
 [Use a custom setting.](#example-sccm) |             Yes             |
+|  Prevent ignoring Windows Defender SmartScreen warnings for files   | For extra security, use to stop users from ignoring Windows Defender SmartScreen warnings and block them from downloading unverified files from Microsoft Edge. | [Browser/PreventSmartScreenPromptOverrideForFiles](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverrideForFiles) | Yes 
 [Use a custom policy.](#example-intune) | Yes.
 [Use a custom setting.](#example-sccm) |             Yes             |
 
 \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
 
diff --git a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md
index a072d4d7b4..0cd6fc5219 100644
--- a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md
+++ b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md
@@ -90,7 +90,7 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow
    Set-AzureADUser -ObjectId "HUB01@contoso.com" -PasswordPolicies "DisablePasswordExpiration"
    ```
 
-7. Surface Hub requires a license for Skype for Business functionality. In order to enable Skype for Business, your environment will need to meet the [prerequisites for Skype for Business online](hybrid-deployment-surface-hub-device-accounts.md#sfb-online).
+7. Surface Hub requires a license for Skype for Business functionality. In order to enable Skype for Business, your environment will need to meet the [prerequisites for Skype for Business online](hybrid-deployment-surface-hub-device-accounts.md#skype-for-business-online).
    
    Next, you can use `Get-AzureADSubscribedSku` to retrieve a list of available SKUs for your O365 tenant.
 
@@ -124,13 +124,13 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow
    - Next, if you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet (for example, alice@contoso.com):
 
        ```PowerShell
-       (Get-CsTenant).TenantPoolExtension
+       Get-CsOnlineUser -Identity 'alice@contoso.com' | fl registrarpool
        ```
        OR by setting a variable
         
        ```PowerShell
-       $strRegistrarPool = (Get-CsTenant).TenantPoolExtension
-       $strRegistrarPool = $strRegistrarPool[0].Substring($strRegistrarPool[0].IndexOf(':') + 1)
+	$strRegistrarPool = Get-CsOnlineUser -Identity 'alice@contoso.com' | fl registrarpool | out-string
+	$strRegistrarPool = $strRegistrarPool.Substring($strRegistrarPool.IndexOf(':') + 2)
        ```
         
    - Enable the Surface Hub account with the following cmdlet:
diff --git a/devices/surface-hub/surface-hub-2s-account.md b/devices/surface-hub/surface-hub-2s-account.md
index 852ea6463d..3312d5f4ec 100644
--- a/devices/surface-hub/surface-hub-2s-account.md
+++ b/devices/surface-hub/surface-hub-2s-account.md
@@ -54,25 +54,26 @@ Instead of using the Microsoft Admin Center portal, you can create the account u
 
 ### Connect to Exchange Online PowerShell
 
-```
-$365Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential (Get-Credential) -Authentication Basic –AllowRedirection $ImportResults = Import-PSSession $365Session
+```powershell
+$365Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential (Get-Credential) -Authentication Basic –AllowRedirection
+$ImportResults = Import-PSSession $365Session
 ```
 
 ### Create a new Room Mailbox
 
-```
+```powershell
 New-Mailbox -MicrosoftOnlineServicesID account@YourDomain.com -Alias SurfaceHub2S -Name SurfaceHub2S -Room -EnableRoomMailboxAccount $true -RoomMailboxPassword (ConvertTo-SecureString  -String "" -AsPlainText -Force)
 ```
 
 ### Set Calendar Auto processing
 
-```
+```powershell
 Set-CalendarProcessing -Identity "account@YourDomain.com" -AutomateProcessing AutoAccept -AddOrganizerToSubject $false –AllowConflicts   $false –DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false -AddAdditionalResponse $true -AdditionalResponse "This room is equipped with a Surface Hub"
 ```
 
 ### Assign a license
 
-```
+```powershell
 Connect-MsolService
 Set-Msoluser -UserPrincipalName account@YourDomain.com -UsageLocation IE
 Set-MsolUserLicense -UserPrincipalName "account@YourDomain.com" -AddLicenses "contoso:MEETING_ROOM"
@@ -85,10 +86,11 @@ Set-MsolUserLicense -UserPrincipalName "account@YourDomain.com" -AddLicenses "co
 - [Visual C++ 2017 Redistributable](https://aka.ms/vs/15/release/vc_redist.x64.exe)
 - [Skype for Business Online PowerShell Module](https://www.microsoft.com/download/confirmation.aspx?id=39366)
 
-```
+```powershell
 Import-Module LyncOnlineConnector
 $SfBSession = New-CsOnlineSession -Credential (Get-Credential)
 Import-PSSession $SfBSession -AllowClobber
-Enable the Skype for Business meeting room
+
+# Enable the Skype for Business meeting room
 Enable-CsMeetingRoom -Identity account@YourDomain.com -RegistrarPool(Get-CsTenant).Registrarpool -SipAddressType EmailAddress
 ```
diff --git a/devices/surface-hub/surface-hub-2s-adoption-videos.md b/devices/surface-hub/surface-hub-2s-adoption-videos.md
index 67fa4e4570..5e0419624f 100644
--- a/devices/surface-hub/surface-hub-2s-adoption-videos.md
+++ b/devices/surface-hub/surface-hub-2s-adoption-videos.md
@@ -1,6 +1,6 @@
 ---
 title: "Surface Hub 2S on-demand adoption and training videos"
-description: "This page contains comprehensive training for Surface Hub 2S via on-demand streaming"
+description: "This page contains on-demand training for Surface Hub 2S."
 keywords: separate values with commas
 ms.prod: surface-hub
 ms.sitesec: library
diff --git a/devices/surface-hub/surface-hub-2s-connect.md b/devices/surface-hub/surface-hub-2s-connect.md
index 7a08a67098..a32df68734 100644
--- a/devices/surface-hub/surface-hub-2s-connect.md
+++ b/devices/surface-hub/surface-hub-2s-connect.md
@@ -9,7 +9,7 @@ ms.author: greglin
 manager: laurawi
 audience: Admin
 ms.topic: article
-ms.date: 06/20/2019
+ms.date: 11/13/2019
 ms.localizationpriority: Medium
 ---
 
@@ -28,7 +28,7 @@ In general, it’s recommended to use native cable connections whenever possible
 | **Connection** | **Functionality** | **Description**|
 | --- | --- | ---|
 | HDMI + USB-C | HDMI-in for audio and video

USB-C for TouchBack and InkBack | USB-C supports TouchBack and InkBack with the HDMI A/V connection.

Use USB-C to USB-A to connect to legacy computers.

**NOTE:** For best results, connect HDMI before connecting a USB-C cable. If the computer you're using for HDMI is not compatible with TouchBack and InkBack, you won't need a USB-C cable. |
-| USB-C 
 (via compute module) | Video-in 
Audio-in | Single cable needed for A/V

TouchBack and InkBack not supported

HDCP enabled |
+| USB-C 
 (via compute module) | Video-in 
Audio-in | Single cable needed for A/V

TouchBack and InkBack is supported

HDCP enabled |
 | HDMI (in port) | Video, Audio into Surface Hub 2S | Single cable needed for A/V

TouchBack and InkBack not supported

HDCP enabled |
 | MiniDP 1.2 output | Video-out such as mirroring to a larger projector. | Single cable needed for A/V |
 
diff --git a/devices/surface-hub/surface-hub-2s-prepare-environment.md b/devices/surface-hub/surface-hub-2s-prepare-environment.md
index a1bd059ab4..fba71d0e0e 100644
--- a/devices/surface-hub/surface-hub-2s-prepare-environment.md
+++ b/devices/surface-hub/surface-hub-2s-prepare-environment.md
@@ -9,7 +9,7 @@ ms.author: greglin
 manager: laurawi
 audience: Admin
 ms.topic: article
-ms.date: 06/20/2019
+ms.date: 11/21/2019
 ms.localizationpriority: Medium
 ---
 
@@ -45,6 +45,6 @@ If you affiliate Surface Hub 2S with on-premises Active Directory Domain Service
 
 ## Azure Active Directory
 
-When choosing to affiliate your Surface Hub 2S with Azure AD, any user in the Global Admins Security Group can sign in to the Settings app on Surface Hub 2S. Alternatively, you can configure the Device Administrator role to sign in to the Settings app. For more information, see [Administrator role permissions in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles#device-administrators). Currently, no other group can be delegated to sign in to the Settings app on Surface Hub 2S.
+When choosing to affiliate your Surface Hub 2S with Azure AD, any user in the Global Admins Security Group can sign in to the Settings app on Surface Hub 2S. Currently, no other group can be delegated to sign in to the Settings app on Surface Hub 2S.
 
 If you enabled Intune Automatic Enrollment for your organization, Surface Hub 2S will automatically enroll itself with Intune. The device’s Bitlocker key is automatically saved in Azure AD. When affiliating Surface Hub 2S with Azure AD, single sign-on and Easy Authentication will not work.
diff --git a/devices/surface-hub/surface-hub-2s-recover-reset.md b/devices/surface-hub/surface-hub-2s-recover-reset.md
index 414456c4f3..5c28202363 100644
--- a/devices/surface-hub/surface-hub-2s-recover-reset.md
+++ b/devices/surface-hub/surface-hub-2s-recover-reset.md
@@ -9,7 +9,7 @@ ms.author: greglin
 manager: laurawi
 audience: Admin
 ms.topic: article
-ms.date: 06/20/2019
+ms.date: 12/05/2019
 ms.localizationpriority: Medium
 ---
 
@@ -38,13 +38,15 @@ New in Surface Hub 2S, you can now reinstall the device using a recovery image.
 Surface Hub 2S lets you reinstall the device using a recovery image, which allows you to reinstall the device to factory settings if you lost the Bitlocker key or no longer have admin credentials to the Settings app.
 
 1. Begin with a USB 3.0 drive with 8 GB or 16 GB of storage, formatted as FAT32.
-2. Download recovery image from the [Surface Recovery website](https://support.microsoft.com/en-us/surfacerecoveryimage?devicetype=surfacehub2s) onto the USB drive and connect it to any USB-C or USB A port on Surface Hub 2S.
-3. Turn off the device. While holding down the Volume down button, press the Power button. Keep holding both buttons until you see the Windows logo. Release the Power button but continue to hold the Volume until the Install UI begins.
+2. From a separate PC, download the .zip file recovery image from the [Surface Recovery website](https://support.microsoft.com/surfacerecoveryimage?devicetype=surfacehub2s) and then return to these instructions. 
+3. Unzip the downloaded file onto the root of the USB drive.  
+4. Connect the USB drive to any USB-C or USB-A port on Surface Hub 2S.
+5. Turn off the device. While holding down the Volume down button, press the Power button. Keep holding both buttons until you see the Windows logo. Release the Power button but continue to hold the Volume until the Install UI begins.
 
 ![*Use Volume down and power buttons to initiate recovery*](images/sh2-keypad.png) 

 
-4. In the language selection screen, select the display language for your Surface Hub 2S.
-5. Choose **Recover from a drive** and **Fully clean the drive** and then select **Recover**. If prompted for a BitLocker key, select **Skip this drive**. Surface Hub 2S reboots several times and takes approximately 30 minutes to complete the recovery process.
+6. In the language selection screen, select the display language for your Surface Hub 2S.
+7. Choose **Recover from a drive** and **Fully clean the drive** and then select **Recover**. If prompted for a BitLocker key, select **Skip this drive**. Surface Hub 2S reboots several times and takes approximately 30 minutes to complete the recovery process.
 Remove the USB drive when the first time setup screen appears.
 
 ## Recover a locked Surface Hub
diff --git a/devices/surface-hub/surface-hub-2s-techspecs.md b/devices/surface-hub/surface-hub-2s-techspecs.md
index 5f898a3fb6..4e40f9ae25 100644
--- a/devices/surface-hub/surface-hub-2s-techspecs.md
+++ b/devices/surface-hub/surface-hub-2s-techspecs.md
@@ -9,7 +9,7 @@ manager: laurawi
 ms.author: greglin
 audience: Admin
 ms.topic: article
-ms.date: 06/20/2019
+ms.date: 11/19/2019
 ms.localizationpriority: Medium
 ---
 
@@ -27,10 +27,10 @@ ms.localizationpriority: Medium
 |**Graphics**| Intel UHD Graphics 620 |
 |**Wireless**| Wi-Fi 5 (IEEE 802.11 a/b/g/n/ac compatible) Bluetooth Wireless 4.1 technology 
 Miracast display |
 |**Connections**| USB-A 
 Mini-DisplayPort 1.2 video output 
 RJ45 gigabit Ethernet (1000/100/10 BaseT) 
 HDMI video input (HDMI 2.0, HDCP 2.2 /1.4) 
 USB-C with DisplayPort input 
 Four USB-C (on display) |
-|**Sensors**| Doppler occupancy sensor 
 Accelerometer 
 Gyroscope |
+|**Sensors**| Doppler occupancy 2 
 Accelerometer 
 Gyroscope |
 |**Audio/Video**| Full-range, front facing 3-way stereo speakers 
 Full band 8-element MEMS microphone array 
 Microsoft Surface Hub 2 Camera, 4K, USB-C connection, 90-degree HFOV |
 |**Pen**| Microsoft Surface Hub 2 Pen (active) |
-|**Software**| Windows 10 
 Microsoft Teams for Surface Hub 2 
 Skype for Business 
 Microsoft Whiteboard 
 Microsoft Office (Mobile) 
 Microsoft Power BI 2 |
+|**Software**| Windows 10 
 Microsoft Teams for Surface Hub 3 
 Skype for Business 
 Microsoft Whiteboard 
 Microsoft Office (Mobile) 
 Microsoft Power BI 2 |
 |**Exterior**| Casing: Precision machined aluminum with mineral-composite resin 
 Color: Platinum 
 Physical Buttons: Power, Volume, Source |
 |**What’s in the box**| One Surface Hub 2S 
 One Surface Hub 2 Pen  
 One Surface Hub 2 Camera 
 2.5 m AC Power Cable 
 Quick Start Guide |
 |**Warranty**| 1-year limited hardware warranty |
@@ -41,4 +41,5 @@ ms.localizationpriority: Medium
 |**Input Power, standby**| 5 W max  |
 
 > [!NOTE]
-> 1 System software uses significant storage space. Available storage is subject to change based on system software updates and apps usage. 1 GB= 1 billion bytes. See Surface.com/Storage for more details. 
 2 Software license required for some features. Sold separately.
 
+> 1 System software uses significant storage space. Available storage is subject to change based on system software updates and apps usage. 1 GB= 1 billion bytes. See Surface.com/Storage for more details. 
 2 Doppler sensor not available in Hong Kong, India, Kuwait, and Oman  due to government regulations.
+
 3 Software license required for some features. Sold separately.
 
diff --git a/devices/surface-hub/surface-hub-wifi-direct.md b/devices/surface-hub/surface-hub-wifi-direct.md
index 5120dc9b9c..bd0195adcd 100644
--- a/devices/surface-hub/surface-hub-wifi-direct.md
+++ b/devices/surface-hub/surface-hub-wifi-direct.md
@@ -7,7 +7,7 @@ ms.sitesec: library
 author: dansimp
 ms.author: dansimp
 ms.topic: article
-ms.date: 06/20/2019
+ms.date: 11/27/2019
 ms.reviewer: 
 manager: dansimp
 ms.localizationpriority: medium
@@ -25,7 +25,7 @@ The intended audiences for this topic include IT and network administrators inte
 
 Microsoft Surface Hub's security depends extensively on Wi-Fi Direct / Miracast and the associated 802.11, Wi-Fi Protected Access (WPA2), and Wireless Protected Setup (WPS) standards. Since the device only supports WPS (as opposed to WPA2 Pre-Shared Key (PSK) or WPA2 Enterprise), issues traditionally associated with 802.11 encryption are simplified by design. 
 
-It is important to note Surface Hub operates on par with the field of Miracast receivers, meaning that it is protected from, and vulnerable to, a similar set of exploits as all WPS-based wireless network devices. But Surface Hub’s implementation of WPS has extra precautions built in, and its internal architecture helps prevent an attacker – even after compromising the Wi-Fi Direct / Miracast layer – to move past the network interface onto other attack surfaces and connected enterprise networks see [Wi-Fi Direct vulnerabilities and how Surface Hub addresses them](#vulnerabilities).  
+It is important to note Surface Hub operates on par with the field of Miracast receivers, meaning that it is protected from, and vulnerable to, a similar set of exploits as all WPS-based wireless network devices. But Surface Hub’s implementation of WPS has extra precautions built in, and its internal architecture helps prevent an attacker – even after compromising the Wi-Fi Direct / Miracast layer – to move past the network interface onto other attack surfaces and connected enterprise networks. 
 
 ## Wi-Fi Direct background
 
@@ -37,7 +37,7 @@ Security for Wi-Fi Direct is provided by WPA2 using the WPS standard.  Authentic
 
 In Wi-Fi Direct, groups are created as either "persistent," allowing for automatic reconnection using stored key material, or "temporary," where devices cannot re-authenticate without user intervention or action. Wi-Fi Direct groups will typically determine a Group Owner (GO) through a negotiation protocol, which mimics the "station" or "Access Point" functionality for the established Wi-Fi Direct Group. This Wi-Fi Direct GO provides authentication (via an “Internal Registrar”), and facilitate upstream network connections. For Surface Hub, this GO negotiation does not take place, as the network only operates in "autonomous" mode, where Surface Hub is always the Group Owner. Finally, Surface Hub does not and will not join other Wi-Fi Direct networks itself as a client.
 
-
+
 ## Wi-Fi Direct vulnerabilities and how Surface Hub addresses them
 
 **Vulnerabilities and attacks in the Wi-Fi Direct invitation, broadcast, and discovery process**: Wi-Fi Direct / Miracast attacks may target weaknesses in the group establishment, peer discovery, device broadcast, or invitation processes.
diff --git a/devices/surface/TOC.md b/devices/surface/TOC.md
index a10cc065ed..bc26815d56 100644
--- a/devices/surface/TOC.md
+++ b/devices/surface/TOC.md
@@ -17,7 +17,7 @@
 ### [Surface device compatibility with Windows 10 Long-Term Servicing Branch](surface-device-compatibility-with-windows-10-ltsc.md)
 ### [Long-Term Servicing Branch for Surface devices](ltsb-for-surface.md)
 ### [Wake On LAN for Surface devices](wake-on-lan-for-surface-devices.md)
-### [Considerations for Surface and System Center Configuration Manager](considerations-for-surface-and-system-center-configuration-manager.md)
+### [Considerations for Surface and Endpoint Configuration Manager](considerations-for-surface-and-system-center-configuration-manager.md)
 ### [Deploy Surface app with Microsoft Store for Business](deploy-surface-app-with-windows-store-for-business.md)
 ### [Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices](enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md)
 ### [Ethernet adapters and Surface deployment](ethernet-adapters-and-surface-device-deployment.md)
diff --git a/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md b/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md
index cf84fec23c..351b6d2449 100644
--- a/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md
+++ b/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md
@@ -1,5 +1,5 @@
 ---
-title: Considerations for Surface and System Center Configuration Manager (Surface)
+title: Considerations for Surface and Microsoft Endpoint Configuration Manager
 description: The management and deployment of Surface devices with Configuration Manager is fundamentally the same as any other PC; this article describes scenarios that may require additional considerations.
 keywords: manage, deployment, updates, driver, firmware
 ms.prod: w10
@@ -11,32 +11,32 @@ ms.author: dansimp
 ms.topic: article
 ms.localizationpriority: medium
 ms.audience: itpro
-ms.date: 10/24/2019
+ms.date: 11/25/2019
 ms.reviewer: 
 manager: dansimp
 ---
 
-# Considerations for Surface and System Center Configuration Manager
+# Considerations for Surface and Microsoft Endpoint Configuration Manager
 
-Fundamentally, management and deployment of Surface devices with System Center Configuration Manager (SCCM) is the same as the management and deployment of any other PC. Like other PCs, a deployment to Surface devices includes importing drivers, importing a Windows image, preparing a deployment task sequence, and then deploying the task sequence to a collection. After deployment, Surface devices are like any other Windows client – to publish apps, settings, and policies, you use the same process that you would use for any other device.
+Fundamentally, management and deployment of Surface devices with Endpoint Configuration Manager (formerly known as System Center Configuration Manager or SCCM) is the same as the management and deployment of any other PC. Like other PCs, a deployment to Surface devices includes importing drivers, importing a Windows image, preparing a deployment task sequence, and then deploying the task sequence to a collection. After deployment, Surface devices are like any other Windows client – to publish apps, settings, and policies, you use the same process that you would use for any other device.
 
-You can find more information about how to use Configuration Manager to deploy and manage devices in the [Documentation for System Center Configuration Manager](https://docs.microsoft.com/sccm/index).
+You can find more information about how to use Configuration Manager to deploy and manage devices in the [Microsoft Endpoint Configuration Manager documentation](https://docs.microsoft.com/sccm/index).
 
 Although the deployment and management of Surface devices is fundamentally the same as any other PC, there are some scenarios that may require additional considerations or steps. This article provides descriptions and guidance for these scenarios; the solutions documented in this article may apply to other devices and manufacturers as well.
 
 >[!NOTE]
->For management of Surface devices it is recommended that you use the Current Branch of System Center Configuration Manager.
+>For management of Surface devices it is recommended that you use the Current Branch of Endpoint Configuration Manager.
 
 ## Support for Surface Pro X
-Beginning in version 1802, SCCM includes client management support for Surface Pro X. Note however that running the SCCM agent on Surface Pro X may accelerate battery consumption. In addition, SCCM operating system deployment is not supported on Surface Pro X. For more information, refer to:
-- [What's new in version 1802 of System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/changes/whats-new-in-version-1802)
+Beginning in version 1802, Endpoint Configuration Manager includes client management support for Surface Pro X. Note however that running the Endpoint Configuration Manager agent on Surface Pro X may accelerate battery consumption. In addition, operating system deployment using Endpoint Configuration Manager is not supported on Surface Pro X. For more information, refer to:
+- [What's new in version 1802 of System Center Configuration Manager](https://docs.microsoft.com/configmgr/core/plan-design/changes/whats-new-in-version-1802)
 - [Deploying, managing, and servicing Surface Pro X](surface-pro-arm-app-management.md)
 
 ## Updating Surface device drivers and firmware
 
 For devices that receive updates through Windows Update, drivers for Surface components – and even firmware updates – are applied automatically as part of the Windows Update process. For devices with managed updates, such as those updated through Windows Server Update Services (WSUS), the option to install drivers and firmware through Windows Update is not available. For these managed devices, the recommended driver management process is the deployment of driver and firmware updates using the Windows Installer (.msi) files, which are provided through the Microsoft Download Center. You can find a list of these downloads at [Download the latest firmware and drivers for Surface devices](https://technet.microsoft.com/itpro/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices).
 
-As .msi files, deployment of driver and firmware updates is performed in the same manner as deployment of an application. Instead of installing an application as would normally happen when an .msi file is run, the Surface driver and firmware .msi will apply the driver and firmware updates to the device. The single .msi file contains the driver and firmware updates required by each component of the Surface device. The updates for firmware are applied the next time the device reboots. You can read more about the .msi installation method for Surface drivers and firmware in [Manage Surface driver and firmware updates](https://technet.microsoft.com/itpro/surface/manage-surface-pro-3-firmware-updates). For more information about how to deploy applications with Configuration Manager, see [Packages and programs in System Center Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/packages-and-programs).
+As .msi files, deployment of driver and firmware updates is performed in the same manner as deployment of an application. Instead of installing an application as would normally happen when an .msi file is run, the Surface driver and firmware .msi will apply the driver and firmware updates to the device. The single .msi file contains the driver and firmware updates required by each component of the Surface device. The updates for firmware are applied the next time the device reboots. You can read more about the .msi installation method for Surface drivers and firmware in [Manage Surface driver and firmware updates](https://technet.microsoft.com/itpro/surface/manage-surface-pro-3-firmware-updates). For more information about how to deploy applications with Configuration Manager, see [Packages and programs in Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/packages-and-programs).
 
 >[!NOTE]
 >Surface device drivers and firmware are signed with SHA-256, which is not natively supported by Windows Server 2008 R2. A workaround is available for Configuration Manager environments running on Windows Server 2008 R2 – for more information see [Can't import drivers into System Center Configuration Manager (KB3025419)](https://support.microsoft.com/kb/3025419).
@@ -47,25 +47,25 @@ The default mechanism that Configuration Manager uses to identify devices during
 
 To ensure that Surface devices using the same Ethernet adapter are identified as unique devices during deployment, you can instruct Configuration Manager to identify devices using another method. This other method could be the MAC address of the wireless network adapter or the System Universal Unique Identifier (System UUID). You can specify that Configuration Manager use other identification methods with the following options:
 
-* Add an exclusion for the MAC addresses of Surface Ethernet adapters, which forces Configuration Manager to overlook the MAC address in preference of the System UUID, as documented in the [Reusing the same NIC for multiple PXE initiated deployments in System Center Configuration Manager OSD](https://blogs.technet.microsoft.com/system_center_configuration_manager_operating_system_deployment_support_blog/2015/08/27/reusing-the-same-nic-for-multiple-pxe-initiated-deployments-in-system-center-configuration-manger-osd/) blog post.
+* Add an exclusion for the MAC addresses of Surface Ethernet adapters, which forces Configuration Manager to overlook the MAC address in preference of the System UUID, as documented in [Reusing the same NIC for multiple PXE initiated deployments in System Center Configuration Manager OSD](https://blogs.technet.microsoft.com/system_center_configuration_manager_operating_system_deployment_support_blog/2015/08/27/reusing-the-same-nic-for-multiple-pxe-initiated-deployments-in-system-center-configuration-manger-osd/).
 
-* Prestage devices by System UUID as documented in the [Reusing the same NIC for multiple PXE initiated deployments in System Center Configuration Manager OSD](https://blogs.technet.microsoft.com/system_center_configuration_manager_operating_system_deployment_support_blog/2015/08/27/reusing-the-same-nic-for-multiple-pxe-initiated-deployments-in-system-center-configuration-manger-osd/) blog post.
+* Prestage devices by System UUID as documented in [Reusing the same NIC for multiple PXE initiated deployments in System Center Configuration Manager OSD](https://blogs.technet.microsoft.com/system_center_configuration_manager_operating_system_deployment_support_blog/2015/08/27/reusing-the-same-nic-for-multiple-pxe-initiated-deployments-in-system-center-configuration-manger-osd/).
 
-* Use a script to identify a newly deployed Surface device by the MAC address of its wireless adapter, as documented in the [How to Use The Same External Ethernet Adapter For Multiple SCCM OSD](https://blogs.technet.microsoft.com/askpfeplat/2014/07/27/how-to-use-the-same-external-ethernet-adapter-for-multiple-sccm-osd/) blog post.
+* Use a script to identify a newly deployed Surface device by the MAC address of its wireless adapter, as documented in [How to Use The Same External Ethernet Adapter For Multiple SCCM OSD](https://blogs.technet.microsoft.com/askpfeplat/2014/07/27/how-to-use-the-same-external-ethernet-adapter-for-multiple-sccm-osd/).
 
 Another consideration for the Surface Ethernet adapter during deployments with Configuration Manager is the driver for the Ethernet controller. Beginning in Windows 10, version 1511, the driver for the Surface Ethernet adapter is included by default in Windows. For organizations that want to deploy the latest version of Windows 10 and use the latest version of WinPE, use of the Surface Ethernet adapter requires no additional actions.
 
-For versions of Windows prior to Windows 10, version 1511 (including Windows 10 RTM and Windows 8.1), you may still need to install the Surface Ethernet adapter driver and include the driver in your WinPE boot media. With its inclusion in Windows 10, the driver is no longer available for download from the Microsoft Download Center. To download the Surface Ethernet adapter driver, download it from the Microsoft Update Catalog as documented in the [Surface Ethernet Drivers](https://blogs.technet.microsoft.com/askcore/2016/08/18/surface-ethernet-drivers/) blog post from the Ask The Core Team blog.
+For versions of Windows prior to Windows 10, version 1511 (including Windows 10 RTM and Windows 8.1), you may still need to install the Surface Ethernet adapter driver and include the driver in your WinPE boot media. With its inclusion in Windows 10, the driver is no longer available for download from the Microsoft Download Center. To download the Surface Ethernet adapter driver, refer to [Surface Ethernet Drivers](https://blogs.technet.microsoft.com/askcore/2016/08/18/surface-ethernet-drivers/).
 
 ## Deploy Surface app with Configuration Manager
 
-With the release of Microsoft Store for Business, Surface app is no longer available as a driver and firmware download. Organizations that want to deploy Surface app to managed Surface devices or during deployment with the use of Configuration Manager, must acquire Surface app through Microsoft Store for Business and then deploy Surface app with PowerShell. You can find the PowerShell commands for deployment of Surface app, instructions to download Surface app, and prerequisite frameworks from Microsoft Store for Business in the [Deploy Surface app with Microsoft Store for Business](https://technet.microsoft.com/itpro/surface/deploy-surface-app-with-windows-store-for-business) article in the TechNet Library.
+With the release of Microsoft Store for Business, Surface app is no longer available as a driver and firmware download. Organizations that want to deploy Surface app to managed Surface devices or during deployment with the use of Configuration Manager, must acquire Surface app through Microsoft Store for Business and then deploy Surface app with PowerShell. For more information including PowerShell commands for deploying Surface app, refer to [Deploy Surface app with Microsoft Store for Business](https://technet.microsoft.com/itpro/surface/deploy-surface-app-with-windows-store-for-business).
 
 ## Use prestaged media with Surface clients
 
 If your organization uses prestaged media to pre-load deployment resources on to machines prior to deployment with Configuration Manager, the nature of Surface devices as UEFI devices may require you to take additional steps. Specifically, a native UEFI environment requires that you create multiple partitions on the boot disk of the system. If you are following along with the [documentation for prestaged media](https://technet.microsoft.com/library/79465d90-4831-4872-96c2-2062d80f5583?f=255&MSPPError=-2147217396#BKMK_CreatePrestagedMedia), the instructions provide for only single partition boot disks and therefore will fail when applied to Surface devices.
 
-Instructions for applying prestaged media to UEFI devices, such as Surface devices, can be found in the [How to apply Task Sequence Prestaged Media on multi-partitioned disks for BIOS or UEFI PCs in System Center Configuration Manager](https://blogs.technet.microsoft.com/system_center_configuration_manager_operating_system_deployment_support_blog/2014/04/02/how-to-apply-task-sequence-prestaged-media-on-multi-partitioned-disks-for-bios-or-uefi-pcs-in-system-center-configuration-manager/) blog post.
+To apply prestaged media to UEFI devices, such as Surface devices, refer to [How to apply Task Sequence Prestaged Media on multi-partitioned disks for BIOS or UEFI PCs in System Center Configuration Manager](https://blogs.technet.microsoft.com/system_center_configuration_manager_operating_system_deployment_support_blog/2014/04/02/how-to-apply-task-sequence-prestaged-media-on-multi-partitioned-disks-for-bios-or-uefi-pcs-in-system-center-configuration-manager/).
 
 ## Licensing conflicts with OEM Activation 3.0
 
@@ -77,9 +77,9 @@ However, issues may arise when organizations intend to use versions of Windows t
 
 ## Apply an asset tag during deployment
 
-Surface Studio, Surface Book, Surface Pro 4, Surface Pro 3, and Surface 3 devices all support the application of an asset tag in UEFI. This asset tag can be used to identify the device from UEFI even if the operating system fails, and it can also be queried from within the operating system. To read more about the Surface Asset Tag function, see the [Asset Tag Tool for Surface Pro 3](https://blogs.technet.microsoft.com/askcore/2014/10/20/asset-tag-tool-for-surface-pro-3/) blog post.
+Surface Studio, Surface Book, Surface Pro 4, Surface Pro 3, and Surface 3 devices all support the application of an asset tag in UEFI. This asset tag can be used to identify the device from UEFI even if the operating system fails, and it can also be queried from within the operating system. For more information, refer to [Surface Asset Tag Tool](assettag.md).
 
-To apply an asset tag using the [Surface Asset Tag CLI Utility](https://www.microsoft.com/download/details.aspx?id=44076) during a Configuration Manager deployment task sequence, use the script and instructions found in the [Set Surface Asset Tag During a Configuration Manager Task Sequence](https://blogs.technet.microsoft.com/jchalfant/set-surface-pro-3-asset-tag-during-a-configuration-manager-task-sequence/) blog post.
+To apply an asset tag using the [Surface Asset Tag CLI Utility](https://www.microsoft.com/download/details.aspx?id=44076) during a Configuration Manager deployment task sequence, use the script and instructions in [Set Surface Asset Tag During a Configuration Manager Task Sequence](https://blogs.technet.microsoft.com/jchalfant/set-surface-pro-3-asset-tag-during-a-configuration-manager-task-sequence/).
 
 ## Configure push-button reset
 
diff --git a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md
index f836e8254c..92527470f2 100644
--- a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md
+++ b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md
@@ -2,8 +2,8 @@
 title: Deploy the latest firmware and drivers for Surface devices (Surface)
 description: This article provides a list of the available downloads for Surface devices and links to download the drivers and firmware for your device.
 ms.assetid: 7662BF68-8BF7-43F7-81F5-3580A770294A
-ms.reviewer: 
-manager: dansimp
+ms.reviewer: dansimp
+manager: kaushika
 keywords: update Surface, newest, latest, download, firmware, driver, tablet, hardware, device
 ms.localizationpriority: medium
 ms.prod: w10
@@ -12,70 +12,94 @@ ms.pagetype: surface, devices
 ms.sitesec: library
 author: dansimp
 ms.audience: itpro
-ms.date: 10/21/2019
+ms.date: 11/25/2019
 ms.author: dansimp
 ms.topic: article
 ---
 
 # Deploy the latest firmware and drivers for Surface devices
-Although Surface devices are typically automatically updated with the latest device drivers and firmware via Windows Update, sometimes it's necessary to download and install updates manually, such as during a Windows deployment. 
 
-## Download MSI files
-To download MSI files, refer to the following Microsoft Support page:
- 
-- [Download drivers and firmware for Surface](https://support.microsoft.com/help/4023482/surface-download-drivers-and-firmware-for-surface)

-Installation files for administrative tools, drivers for accessories, and updates for Windows are also available for some devices.
+> **Home users:** This article is only intended for technical support agents and IT professionals, and applies only to Surface devices. If you're looking for help to install Surface updates or firmware on a home device, please see [Update Surface firmware and Windows 10](https://support.microsoft.com/help/4023505).
+
+Under typical conditions, Windows Update automatically keeps Windows Surface devices up-to-date by downloading and installing the latest device drivers and firmware. However, you may sometimes have to download and install updates manually. For example, you may have to manually manage updates when you deploy a new version of Windows.
+
+## Downloading MSI files
+
+[Download drivers and firmware for Surface](https://support.microsoft.com/help/4023482/surface-download-drivers-and-firmware-for-surface) provides links to download installation files for the following:
+
+- Administrative tools
+- Drivers for accessories
+- For some devices, updates for Windows
 
 ## Deploying MSI files
-Driver and firmware updates for Surface devices consisting of all required cumulative updates are packaged in separate MSI files for specific versions of Windows 10.
 
-The MSI file names contain useful information including the minimum supported Windows build number required to install the drivers and firmware. For example, to install the drivers contained in SurfaceBook_Win10_17763_19.080.2031.0.msi requires Windows 10 Fall Creators Update version 1709 or later installed on your Surface Book.
+Specific versions of Windows 10 have separate MSI files. Each MSI file contains all required cumulative driver and firmware updates for Surface devices.
 
-To view build numbers for each version, refer to [Windows 10 release information](https://docs.microsoft.com/windows/windows-10/release-information).
+The MSI file names contain useful information, including the minimum supported Windows build number that is required to install the drivers and firmware. For example, to install the drivers that are contained in SurfaceBook_Win10_17763_19.080.2031.0.msi on a Surface Book, the device must be running Windows 10 Fall Creators Update, version 1709 or later.
+
+For more information about build numbers for each Windows version, see [Windows 10 release information](https://docs.microsoft.com/windows/windows-10/release-information).
 
 ### Surface MSI naming convention
-Beginning in August 2019, MSI files use the following naming formula:
 
-- Product > Windows release > Windows build number > Version number >  Revision of version number (typically zero).
+Beginning in August, 2019, MSI files have used the following naming convention:
 
-**Example:**
-SurfacePro6_Win10_18362_19.073.44195_0.msi :
+> *Product*\_*Windows release*\_*Windows build number*\_*Version number*\_*Revision of version number (typically zero)*.
 
-| Product     | Windows release | Build | Version |  Revision of version |
-| --- | --- | --- | --- | --- |
-| SurfacePro6 | Win10  | 18362  | 19.073.44195 | 0  |
-|       |      |       | Indicates key date and sequence information.  | Indicates release history of the update.   |
-|      |        |     | **19:** Signifies the year (2019).
**073**: Signifies the month (July) and week of the release (3).  
**44195**: Signifies the minute of the month that the MSI file was created. |**0:**  Signifies it's the first release of version 1907344195 and has not been re-released for any reason. |
+**Example**
+
+Consider the following MSI file:
+
+> SurfacePro6_Win10_18362_19.073.44195_0.msi
+
+This file name provides the following information:
+
+- **Product:** SurfacePro6
+- **Windows release:** Win10
+- **Build:** 18362
+- **Version:** 19.073.44195 – This shows the date and time that the file was created, as follows:
+  - **Year:** 19 (2019)
+  - **Month and week:** 073 (third week of July)
+  - **Minute of the month:** 44195
+- **Revision of version:** 0 (first release of this version)
 
 ### Legacy Surface MSI naming convention
-Legacy MSI files prior to August 2019 followed the same overall naming formula but used a different method to derive the version number.  
 
-**Example:**
-SurfacePro6_Win10_16299_1900307_0.msi :
+Legacy MSI files (files that were built before August, 2019) followed the same overall naming formula, but used a different method to derive the version number.  
 
-| Product     | Windows release | Build | Version |  Revision of version |
-| --- | --- | --- | --- | --- |
-| SurfacePro6 | Win10  | 16299  | 1900307 | 0  |
-|       |      |       | Indicates key date and sequence information.  | Indicates release history of the MSI file.   |
-|      |        |     | **19:** Signifies the year (2019)
**003**: Signifies that it’s the third release of 2019.
**07**: Signifies the product version number. (Surface Pro 6 is officially the seventh version of Surface Pro.) | **0:** Signifies it's the first release of version 1900307 and has not been re-released for any reason. |
+**Example**
 
-Look to the **version** number to determine the latest files that contain the most recent security updates.  For example, you might need to install the newest file from the following list:
+Consider the following MSI file:
 
+> SurfacePro6_Win10_16299_1900307_0.msi
+
+This file name provides the following information:
+
+- **Product:** SurfacePro6
+- **Windows release:** Win10
+- **Build:** 16299
+- **Version:** 1900307 – This shows the date that the file was created and its position in the release sequence, as follows:
+  - **Year:** 19 (2019)
+  - **Number of release:** 003 (third release of the year)
+  - **Product version number:** 07 (Surface Pro 6 is officially the seventh version of Surface Pro)
+- **Revision of version:** 0 (first release of this version)
+
+Use the **version** number to determine the latest files that contain the most recent security updates. For example, consider the following list:
 
 - SurfacePro6_Win10_16299_1900307_0.msi
 - SurfacePro6_Win10_17134_1808507_3.msi
 - SurfacePro6_Win10_17763_1808707_3.msi
 
-The first file —  SurfacePro6_Win10_16299_1900307_0.msi  —  is the newest because its VERSION field has the newest build in 2019; the other files are from 2018.
+In this list, the newest file is the first file (SurfacePro6_Win10_16299_1900307_0.msi). Its **Version** field has the newest date (2019). The other files are from 2018.
 
 ## Supported devices
-Downloadable MSI files are available for Surface devices from Surface Pro 2 and later. Information about MSI files for the newest Surface devices such as Surface Pro 7, Surface Pro X, and Surface Laptop 3 will be available from this page upon release. 
 
->[!NOTE]
->There are no downloadable firmware or driver updates available for Surface devices with Windows RT, including Surface RT and Surface 2. Updates can only be applied using Windows Update.
+For downloadable MSI files for devices that run Surface Pro 2 and later versions, see [Download drivers and firmware for Surface](https://support.microsoft.com/help/4023482/surface-download-drivers-and-firmware-for-surface). This article contains information about MSI files for the newest Surface devices such as Surface Pro 7, Surface Pro X, and Surface Laptop 3, as they are released.  
 
-For more information about deploying Surface drivers and firmware, refer to:
+> [!NOTE]  
+> There are no downloadable firmware or driver updates available for Surface devices that run Windows RT, including Surface RT and Surface 2. To update these devices, use Windows Update.
+
+For more information about how to deploy Surface drivers and firmware, see the following articles:
 
 - [Manage Surface driver and firmware updates](https://docs.microsoft.com/surface/manage-surface-pro-3-firmware-updates)
 
-- [Microsoft Surface support for business](https://www.microsoft.com/surface/support/business)
+- [Surface for Business help](https://www.microsoft.com/surface/support/business)
diff --git a/devices/surface/docfx.json b/devices/surface/docfx.json
index 026be430c1..fafc824f21 100644
--- a/devices/surface/docfx.json
+++ b/devices/surface/docfx.json
@@ -37,11 +37,21 @@
           "depot_name": "Win.surface",
           "folder_relative_path_in_docset": "./"
         }
-      }
+      },
+      "contributors_to_exclude": [ 
+        "rjagiewich", 
+        "traya1", 
+        "rmca14", 
+        "claydetels19", 
+        "Kellylorenebaker",
+        "jborsecnik",
+        "tiburd",
+        "garycentric"
+      ]
     },
     "externalReference": [],
     "template": "op.html",
     "dest": "devices/surface",
     "markdownEngineName": "markdig"
-  }
+}
 }
diff --git a/devices/surface/get-started.md b/devices/surface/get-started.md
index ff37d7a72e..af2bc13af9 100644
--- a/devices/surface/get-started.md
+++ b/devices/surface/get-started.md
@@ -28,7 +28,7 @@ Harness the power of Surface, Windows, and Office connected together through the
                     

                     

                         
Plan

-                         
Surface and SCCM considerations

+                         
Surface and Endpoint Configuration Manager considerations

                          
Wake On LAN for Surface devices

                     

                 

diff --git a/devices/surface/images/df1.png b/devices/surface/images/df1.png
index cd55014d27..92aff587bc 100644
Binary files a/devices/surface/images/df1.png and b/devices/surface/images/df1.png differ
diff --git a/devices/surface/images/df2a.png b/devices/surface/images/df2a.png
index 6a50ae6862..2a755ac374 100644
Binary files a/devices/surface/images/df2a.png and b/devices/surface/images/df2a.png differ
diff --git a/devices/surface/images/df3b.png b/devices/surface/images/df3b.png
new file mode 100644
index 0000000000..60370c5541
Binary files /dev/null and b/devices/surface/images/df3b.png differ
diff --git a/devices/surface/images/dfciconfig.png b/devices/surface/images/dfciconfig.png
new file mode 100644
index 0000000000..2e8b0b4fee
Binary files /dev/null and b/devices/surface/images/dfciconfig.png differ
diff --git a/devices/surface/images/uefidfci.png b/devices/surface/images/uefidfci.png
new file mode 100644
index 0000000000..ec95181145
Binary files /dev/null and b/devices/surface/images/uefidfci.png differ
diff --git a/devices/surface/manage-surface-driver-and-firmware-updates.md b/devices/surface/manage-surface-driver-and-firmware-updates.md
index efdf20be4d..7f470ab3ac 100644
--- a/devices/surface/manage-surface-driver-and-firmware-updates.md
+++ b/devices/surface/manage-surface-driver-and-firmware-updates.md
@@ -41,7 +41,7 @@ For details about Group Policy for client configuration of WSUS or Windows Updat
 
 Surface driver and firmware updates are packaged as Windows Installer (MSI) files. To deploy these Windows Installer packages, you can use application deployment utilities such as the Microsoft Deployment Toolkit (MDT) or System Center Configuration Manager. Such solutions provide the means for administrators to test and review updates before deploying them, and to centralize deployment. For each device, it is important to select the correct MSI file for the device and its operating system. For more information see [Deploy the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md).
 
-For instructions on how to deploy updates by using System Center Configuration Manager, refer to [Deploy applications with Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/deploy-applications). For instructions on how to deploy updates by using MDT, see [Deploy a Windows 10 image using MDT](https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt).
+For instructions on how to deploy updates by using Endpoint Configuration Manager (formerly System Center Configuration Manager), refer to [Deploy applications with Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/deploy-applications). For instructions on how to deploy updates by using MDT, see [Deploy a Windows 10 image using MDT](https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt).
 
 > [!NOTE]
 > You can deploy applications separately from an operating system deployment through MDT by using a Post OS Installation task sequence.
diff --git a/devices/surface/microsoft-surface-data-eraser.md b/devices/surface/microsoft-surface-data-eraser.md
index 64e380aab5..90b623c490 100644
--- a/devices/surface/microsoft-surface-data-eraser.md
+++ b/devices/surface/microsoft-surface-data-eraser.md
@@ -14,7 +14,7 @@ author: dansimp
 ms.author: dansimp
 ms.topic: article
 ms.audience: itpro
-ms.date: 10/21/2019
+ms.date: 11/13/2019
 ---
 
 # Microsoft Surface Data Eraser
@@ -160,11 +160,17 @@ After you create a Microsoft Surface Data Eraser USB stick, you can boot a suppo
 
 Microsoft Surface Data Eraser is periodically updated by Microsoft. For information about the changes provided in each new version, see the following:
 
+### 3.28.137
+*Release Date: 11 Nov 2019*
+This version of Surface Data Eraser:
+
+- Includes bug fixes
+
 ### Version 3.21.137
 *Release Date: 21 Oct 2019*
 This version of Surface Data Eraser is compiled for x86 and adds support for the following devices:
 
-Supports Surface Pro 7, Surface Pro X, and Surface Laptop 3.
+- Supports Surface Pro 7, Surface Pro X, and Surface Laptop 3
 
 ### Version 3.2.78.0
 *Release Date: 4 Dec 2018*
diff --git a/devices/surface/support-solutions-surface.md b/devices/surface/support-solutions-surface.md
index 8dd12ede7c..b311e28937 100644
--- a/devices/surface/support-solutions-surface.md
+++ b/devices/surface/support-solutions-surface.md
@@ -19,6 +19,9 @@ ms.audience: itpro
 
 # Top support solutions for Surface devices
 
+> [!Note]
+> **Home users**: This article is only intended for use by IT professionals and  technical support agents, and applies only to Surface devices. If you're looking for help with a problem with your home device, please see [Surface Devices Help](https://support.microsoft.com/products/surface-devices).
+
 Microsoft regularly releases both updates and solutions for Surface devices. To ensure your devices can receive future updates, including security updates, it's important to keep your Surface devices updated.  For a complete listing of the update history, see [Surface update history](https://www.microsoft.com/surface/support/install-update-activate/surface-update-history) and [Install Surface and Windows updates](https://www.microsoft.com/surface/support/performance-and-maintenance/install-software-updates-for-surface?os=windows-10&=undefined).
 
 
diff --git a/devices/surface/surface-dock-firmware-update.md b/devices/surface/surface-dock-firmware-update.md
index 8fa4e11515..104b12b126 100644
--- a/devices/surface/surface-dock-firmware-update.md
+++ b/devices/surface/surface-dock-firmware-update.md
@@ -45,7 +45,10 @@ If preferred, you can manually complete the update as follows:
 
 You can use Windows Installer commands (Msiexec.exe) to deploy Surface Dock Firmware Update to multiple devices across your network. When using System Center Configuration Manager or other deployment tool, enter the following syntax to ensure the installation is silent:
 
-- **Msiexec.exe /i  /quiet /norestart**
+- **Msiexec.exe /i  /quiet /norestart** 
+
+> [!NOTE]
+> A log file is not created by default. In order to create a log file, you will need to append "/l*v [path]"
 
 > [!NOTE]
 > A log file is not created by default. In order to create a log file, you will need to append "/l*v [path]"
@@ -86,15 +89,16 @@ Successful completion of Surface Dock Firmware Update results in new registry ke
 
 ## Event logging
 
-**Table 1. Event logging for Surface Dock Firmware Update**
+**Table 1. Log files for Surface Dock Firmware Update**
 
 | Log                              | Location                               | Notes                                                                                                                                                                                                         |
-| -------------------------------- | -------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| -------------------------------- | --------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | Surface Dock Firmware Update log | Path needs to be specified (see note) | Earlier versions of this tool wrote events to Applications and Services Logs\Microsoft Surface Dock Updater.                                                                                                  |
-| Windows Device Install log       | %windir%\inf\setupapi.dev.log         | For more information about using Device Install Log, refer to [SetupAPI Logging](https://docs.microsoft.com/windows-hardware/drivers/install/setupapi-logging--windows-vista-and-later-). |
+| Windows Device Install log       | %windir%\inf\setupapi.dev.log           | For more information about using Device Install Log, refer to [SetupAPI Logging](https://docs.microsoft.com/windows-hardware/drivers/install/setupapi-logging--windows-vista-and-later-) documentation. |
 
- 
-**Table 2. Event log IDs for Surface Dock Firmware Update**
+
+**Table 2. Event log IDs for Surface Dock Firmware Update**

+Events are logged in the Application Event Log.  Note:  Earlier versions of this tool wrote events to Applications and Services Logs\Microsoft Surface Dock Updater.
 
 | Event ID | Event type                                                           |
 | -------- | -------------------------------------------------------------------- |
diff --git a/devices/surface/surface-enterprise-management-mode.md b/devices/surface/surface-enterprise-management-mode.md
index de1879bcba..81b911bb6f 100644
--- a/devices/surface/surface-enterprise-management-mode.md
+++ b/devices/surface/surface-enterprise-management-mode.md
@@ -9,7 +9,7 @@ ms.sitesec: library
 author: dansimp
 ms.author: dansimp
 ms.topic: article
-ms.date: 10/31/2019
+ms.date: 12/02/2019
 ms.reviewer: scottmca
 manager: dansimp
 ms.localizationpriority: medium
@@ -21,8 +21,7 @@ ms.audience: itpro
 Microsoft Surface Enterprise Management Mode (SEMM) is a feature of Surface devices with Surface UEFI that allows you to secure and manage firmware settings within your organization. With SEMM, IT professionals can prepare configurations of UEFI settings and install them on a Surface device. In addition to the ability to configure UEFI settings, SEMM also uses a certificate to protect the configuration from unauthorized tampering or removal.
 
 >[!NOTE]
->SEMM is only available on devices with Surface UEFI firmware. 
-
+>SEMM is only available on devices with Surface UEFI firmware. This includes most Surface devices including Surface Pro 7, Surface Pro X, and Surface Laptop 3 commercial SKUs with an Intel processor. SEMM is not supported on the 15" Surface Laptop 3 SKU with AMD processor (only available as a retail SKU). 
 
 When Surface devices are configured by SEMM and secured with the SEMM certificate, they are considered *enrolled* in SEMM. When the SEMM certificate is removed and control of UEFI settings is returned to the user of the device, the Surface device is considered *unenrolled* in SEMM.
 
@@ -91,7 +90,7 @@ The following list shows all the available devices you can manage in SEMM:
 | Alternate Boot                     | Allows you to manage use of an Alternate boot order to boot directly to a USB or Ethernet device by pressing both the Volume Down button and Power button during boot. If you do not configure this setting, Alternate boot is enabled. |
 | Boot Order Lock                    | Allows you to lock the boot order to prevent changes. If you do not configure this setting, Boot Order Lock is disabled.                                                                                                        |
 | USB Boot                           | Allows you to manage booting to USB devices. If you do not configure this setting, USB Boot is enabled.                                                                                                                 |
-| Network Stack                      | Allows you to manage Network Stack boot settings. If you do not configure this setting,  the ability to manage Network Stack boot settings is enabled.                                                                                                           |
+| Network Stack                      | Allows you to manage Network Stack boot settings. If you do not configure this setting,  the ability to manage Network Stack boot settings is disabled.                                                                                                           |
 | Auto Power On                      | Allows you to manage Auto Power On boot settings. If you do not configure this setting, Auto Power on is enabled.                                                                                                        |
 | Simultaneous Multi-Threading (SMT) | Allows you to manage Simultaneous Multi-Threading (SMT) to enable or disable hyperthreading. If you do not configure this setting, SMT is enabled.                                                  |
 |Enable Battery limit| Allows you to manage Battery limit functionality. If you do not configure this setting, Battery limit is enabled |
@@ -229,8 +228,8 @@ create a reset package using PowerShell to reset SEMM.
 
 ## Version History
 
-### Version 2.59.139
-* Support to Surface Pro 7 and Surface Laptop 3
+### Version 2.59.
+* Support to Surface Pro 7, Surface Pro X,  and Surface Laptop 3 13.5" and 15" models with Intel processor. Note:  Surface Laptop 3 15" AMD processor is not supported.
 - Support to Wake on Power feature
 
 ### Version 2.54.139.0
diff --git a/devices/surface/surface-manage-dfci-guide.md b/devices/surface/surface-manage-dfci-guide.md
index 19a91301f7..efb5fa93b5 100644
--- a/devices/surface/surface-manage-dfci-guide.md
+++ b/devices/surface/surface-manage-dfci-guide.md
@@ -8,7 +8,7 @@ ms.sitesec: library
 author: dansimp
 ms.author: dansimp
 ms.topic: article
-ms.date: 10/20/2019
+ms.date: 11/13/2019
 ms.reviewer: jesko
 manager: dansimp
 ms.audience: itpro
@@ -29,9 +29,11 @@ In contrast to other Windows 10 devices available in the market today, Surface p
 
 Until now, managing firmware required enrolling devices into Surface Enterprise Management Mode (SEMM) with the overhead of ongoing manual IT-intensive tasks. As an example, SEMM requires IT staff to physically access each PC to enter a two-digit pin as part of the certificate management process. Although SEMM remains a good solution for organizations in a strictly on-premises environment, its complexity and IT-intensive requirements make it costly to use.
 
-Now with newly integrated UEFI firmware management capabilities in Microsoft Intune, the ability to lock down hardware is simplified and easier to use with new features for provisioning, security, and streamlined updating all in a single console.
+Now with newly integrated UEFI firmware management capabilities in Microsoft Intune, the ability to lock down hardware is simplified and easier to use with new features for provisioning, security, and streamlined updating all in a single console, now unified as [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager). The following figure shows UEFI settings viewed directly on the device (left) and viewed in the Endpoint Manager console (right).
 
-DFCI leverages the device profiles capability in Intune and is deployed using Windows Autopilot, eliminating the need for manual interaction by IT admins or end users. A device profile allows you to add and configure settings which can then be deployed to devices enrolled in management within your organization. Once the device receives the device profile, the features and settings are applied automatically. Examples of common device profiles include Email, Device restrictions, VPN, Wi-Fi, and Administrative templates. DFCI is simply an additional device profile that enables you to manage UEFI configuration settings from the cloud without having to maintain a costly on-premises infrastructure.  
+![UEFI settings shown on device (left) and in the Endpoint Manager console (right) ](images/uefidfci.png)
+
+Crucially, DFCI enables zero touch management, eliminating the need for manual interaction by IT admins. DFCI is deployed via Windows Autopilot using the device profiles capability in Intune. A device profile allows you to add and configure settings which can then be deployed to devices enrolled in management within your organization. Once the device receives the device profile, the features and settings are applied automatically. Examples of common device profiles include Email, Device restrictions, VPN, Wi-Fi, and Administrative templates. DFCI is simply an additional device profile that enables you to manage UEFI configuration settings from the cloud without having to maintain on-premises infrastructure.  
 
 ## Supported devices
 
@@ -41,6 +43,9 @@ At this time, DFCI is supported in the following devices:
 - Surface Pro X
 - Surface Laptop 3
 
+> [!NOTE]
+> Surface Pro X does not support DFCI settings management for built-in camera, audio, and Wi-Fi/Bluetooth.
+
 ## Prerequisites
 
 - Devices must be registered with Windows Autopilot by a [Microsoft Cloud Solution Provider (CSP) partner](https://partner.microsoft.com/membership/cloud-solution-provider) or OEM distributor.
@@ -59,30 +64,33 @@ A DFCI environment requires setting up a DFCI profile that contains  the setting
 
 Before configuring DFCI policy settings, first create a DFCI profile and assign it to the Azure AD security group that contains your target devices.
 
-1. Open Intune select **Device configuration > Profiles > Create profile** and enter a name; for example **My DFCI profile.**
-2. Select Windows 10 and later for platform type.
-3. In the Profile type drop down list, select **Device Firmware Configuration Interface** to open the DFCI blade containing all available policy settings. For information on DFCI settings, refer to Table 2 on this page below or the [Intune documentation](https://docs.microsoft.com/intune/configuration/device-firmware-configuration-interface-windows). You can configure DFCI settings during the initial setup process or later by editing the DFCI profile.
+1. Sign into your tenant at  devicemanagement.microsoft.com.
+2. In the Microsoft Endpoint Manager Admin Center, select **Devices > Configuration profiles > Create profile** and enter a name; for example, **DFCI Configuration Policy.**
+3. Select **Windows 10 and later** for platform type.
+4. In the Profile type drop down list, select **Device Firmware Configuration Interface** to open the DFCI blade containing all available policy settings. For information on DFCI settings, refer to Table 1 on this page or the [Intune documentation](https://docs.microsoft.com/intune/configuration/device-firmware-configuration-interface-windows). You can configure DFCI settings during the initial setup process or later by editing the DFCI profile.
 
-> ![Create DFCI profile](images/df1.png)
+    ![Create DFCI profile](images/df1.png)
 
-4. Click **OK** and then select **Create**.
-5. Select **Assignments** and under **Select groups to include** select the Azure AD security group that contains your target devices, as shown in the following figure. Click **Save**.
+5. Click **OK** and then select **Create**.
+6. Select **Assignments** and under **Select groups to include** select the Azure AD security group that contains your target devices, as shown in the following figure. Click **Save**.
 
-![Assign security group](images/df2a.png)
+    ![Assign security group](images/df2a.png)
 
 ## Create Autopilot profile
 
-1. Go to **Intune > Device enrollment > Windows enrollment** and scroll down to select **Deployment Profiles**.
-2. Select **Create profile**, enter a name; for example, My Autopilot profile, and select **Next**.
+1. In Endpoint Manager at  devicemanagement.microsoft.com, select **devices > Windows enrollment** and scroll down to **Deployment profiles**.
+2. Select **Create profile** and enter a name; for example, **My Autopilot profile**, and select **Next**.
 3. Select the following settings:
 
-- Deployment mode: **User-Driven**.
-- Join type: Azure **AD joined**.
+    - Deployment mode: **User-Driven**.
+    - Join type: Azure **AD joined**.
 
-4. Leave the remaining default settings unchanged and select **Next**
-5. On the Scope tags page, select **Next**.
-6. On the Assignments page, choose **Select groups to include** and click your Azure AD security group. Select **Next**.
-7. Accept the summary and then select **Create**. The Autopilot profile is now created and assigned to the group.
+4. Leave the remaining default settings unchanged and select **Next**, as shown in the following figure.
+
+    ![Create Autopilot profile](images/df3b.png)
+
+5. On the Assignments page, choose **Select groups to include** and click your Azure AD security group. Select **Next**.
+6. Accept the summary and then select **Create**. The Autopilot profile is now created and assigned to the group.
 
 ## Configure Enrollment Status Page
 
@@ -95,13 +103,15 @@ For more information, refer to [Set up an enrollment status page](https://docs.m
 
 DFCI includes a streamlined set of UEFI configuration policies that provide an extra level of security by locking down devices at the hardware level. DFCI is designed to be used in conjunction with mobile device management settings at the software level. Note that DFCI settings only affect hardware components built into Surface devices and do not extend to attached peripherals such as USB webcams. (However, you can use Device restriction policies in Intune to turn off access to attached peripherals at the software level).
 
-You configure DFCI policy settings by editing the DFCI profile:
+You configure DFCI policy settings by editing the DFCI profile from Endpoint Manager, as shown in the figure below. 
 
-- **Intune > Device configuration > Profiles > “DFCI profile name” > Properties > Settings**
+- In Endpoint Manager at  devicemanagement.microsoft.com, select **Devices > Windows > Configuration Profiles > “DFCI profile name” > Properties > Settings**.
+
+    ![Configure DFCI settings](images/dfciconfig.png)
 
 ### Block user access to UEFI settings
 
-For many customers, the ability to block users from changing UEFI settings is critically important and a primary reason to use DFCI. As listed in the followng table, this is managed via the setting **Allow local user to change UEFI settings**. If you do not edit or configure this setting, local users will be able to change any UEFI setting not managed by Intune. Therefore, it’s highly recommended to disable **Allow local user to change UEFI settings.**
+For many customers, the ability to block users from changing UEFI settings is critically important and a primary reason to use DFCI. As listed in Table 1, this is managed via the setting **Allow local user to change UEFI settings**. If you do not edit or configure this setting, local users will be able to change any UEFI setting not managed by Intune. Therefore, it’s highly recommended to disable **Allow local user to change UEFI settings.**
 The rest of the DFCI settings enable you to turn off functionality that would otherwise be available to users. For example, if you need to protect sensitive information in highly secure areas, you can disable the camera, and if you don’t want users booting from USB drives, you can disable that also.
 
 ### Table 1. DFCI scenarios
@@ -114,11 +124,11 @@ The rest of the DFCI settings enable you to turn off functionality that would ot
 | Disable radios (Bluetooth, Wi-Fi)             | Under **Built in Hardware > Radios (Bluetooth, Wi-Fi, etc…)**, select **Disabled**.                   |
 | Disable Boot from external media (USB, SD)    | Under **Built in Hardware > Boot Options > Boot from external media (USB, SD)**, select **Disabled**. |
 
+> [!CAUTION]
+> The **Disable radios (Bluetooth, Wi-Fi)** setting should only be used on devices that have a wired Ethernet connection.
  
 > [!NOTE]
->  DFCI in Intune includes two settings that do not currently apply to Surface devices:
-- CPU and IO virtualization
-- Disable Boot from network adapters
+>  DFCI in Intune includes two settings that do not currently apply to Surface devices: (1) CPU and IO virtualization and (2) Disable Boot from network adapters.
  
 Intune provides Scope tags to delegate administrative rights and Applicability Rules to manage device types. For more information about policy management support and full details on all DFCI settings, refer to [Microsoft Intune documentation](https://docs.microsoft.com/intune/configuration/device-firmware-configuration-interface-windows).
 
@@ -130,7 +140,7 @@ As stated above, DFCI can only be applied on devices registered in Windows Autop
 
 Although Intune policy settings typically get applied almost immediately, there may be a delay of 10 minutes before the settings take effect on targeted devices. In rare circumstances, delays of up to 8 hours are possible. To ensure settings apply as soon as possible, (such as in test scenarios), you can manually sync the target devices.
 
-- In Intune, go to **Device enrollment > Windows enrollment > Windows Autopilot Devices** and select **Sync**.
+- In Endpoint Manager at  devicemanagement.microsoft.com, go to **Devices > Device enrollment > Windows enrollment > Windows Autopilot Devices** and select **Sync**.
 
  For more information, refer to [Sync your Windows device manually](https://docs.microsoft.com/intune-user-help/sync-your-device-manually-windows).
 
@@ -144,12 +154,12 @@ In a test environment, you can verify settings in the Surface UEFI interface.
 1. Open Surface UEFI, which involves pressing the **Volume +** and **Power** buttons at the same time.
 2. Select **Devices**. The UEFI menu will reflect configured settings, as shown in the following figure.
 
-![Surface UEFI](images/df3.png)
+    ![Surface UEFI](images/df3.png)
 
-Note how:
+    Note how:
 
-- The settings are greyed out because **Allow local user to change UEFI setting** is set to None.
-- Audio is set to off because **Microphones and speakers** are set to **Disabled**.
+      - The settings are greyed out because **Allow local user to change UEFI setting** is set to None.
+      - Audio is set to off because **Microphones and speakers** are set to **Disabled**.
 
 ## Removing DFCI policy settings
 
@@ -157,14 +167,19 @@ When you create a DFCI profile, all configured settings will remain in effect ac
 
 If the original DFCI profile has been deleted, you can remove policy settings by creating a new profile and then editing the settings, as appropriate.
 
-## Unregistering devices from DFCI to prepare for resale or recycle
+## Removing DFCI management
 
-1. Contact your partner, OEM, or reseller to unregister the device from Autopilot.
-2. Remove the device from Intune.
-3. Connect a Surface-branded network adapter.
-4. Open Surface UEFI, which involves pressing the **Volume +** and **Power** buttons at the same time.
-5. Select **Management > Configure > Refresh from Network**.
-6. Validate DFCI is removed from the device in the UEFI.
+**To remove DFCI management and return device to factory new state:**
+
+1. Retire the device from Intune:
+    1. In Endpoint Manager at  devicemanagement.microsoft.com, choose **Groups > All Devices**. Select the devices you want to retire, and then choose **Retire/Wipe.** To learn more refer to [Remove devices by using wipe, retire, or manually unenrolling the device](https://docs.microsoft.com/intune/remote-actions/devices-wipe). 
+2. Delete the Autopilot registration from Intune:
+    1.  Choose **Device enrollment > Windows enrollment > Devices**.
+    2. Under Windows Autopilot devices, choose the devices you want to delete, and then choose **Delete**.
+3. Connect device to wired internet with Surface-branded ethernet adapter. Restart device and open the UEFI menu (press and hold the volume-up button while also pressing and releasing the power button).
+4. Select **Management > Configure > Refresh from Network** and then choose **Opt-out.**
+
+To keep managing the device with Intune, but without DFCI management, self-register the device to Autopilot and enroll it to Intune. DFCI will not be applied to self-registered devices.
 
 ## Learn more
 - [Ignite 2019: Announcing remote management of Surface UEFI settings from Intune](https://techcommunity.microsoft.com/t5/Surface-IT-Pro-Blog/Ignite-2019-Announcing-remote-management-of-Surface-UEFI/ba-p/978333)
diff --git a/devices/surface/surface-pro-arm-app-management.md b/devices/surface/surface-pro-arm-app-management.md
index 2f8061c0b4..3e867c8f49 100644
--- a/devices/surface/surface-pro-arm-app-management.md
+++ b/devices/surface/surface-pro-arm-app-management.md
@@ -8,7 +8,7 @@ ms.sitesec: library
 author: dansimp
 ms.author: dansimp
 ms.topic: article
-ms.date: 10/03/2019
+ms.date: 11/20/2019
 ms.reviewer: jessko
 manager: dansimp
 ms.audience: itpro
@@ -36,7 +36,7 @@ Organizations already using modern management, security, and productivity soluti
 
 ## Image-based deployment considerations
 
-Microsoft Deployment Toolkit (MDT) and System Center Configuration Manager (SCCM) operating system deployment currently do not support Surface Pro X. Customers relying on image-based deployment should consider Surface Pro 7 while they continue to evaluate the right time to transition to the cloud.
+Microsoft Deployment Toolkit (MDT) and Microsoft Endpoint Configuration Manager (formerly System Center Configuration Manager) currently do not support Surface Pro X for operating system deployment. Customers relying on image-based deployment should consider Surface Pro 7 while they continue to evaluate the right time to transition to the cloud.
 
 ## Managing Surface Pro X devices
 
@@ -48,7 +48,7 @@ For more information about setting up Intune, refer to the [Intune documentation
 
 ### Co-management
 
-Once deployed in Autopilot, you can join Surface Pro X devices to Azure AD or Active Directory (Hybrid Azure AD Join) where you will be able to manage the devices with Intune or co-manage them with SCCM, which will install the 32-bit x86 ConfigMgr client.
+Once deployed in Autopilot, you can join Surface Pro X devices to Azure AD or Active Directory (Hybrid Azure AD Join) where you will be able to manage the devices with Intune or co-manage them with Endpoint Configuration Manager, which will install the 32-bit x86 ConfigMgr client.
 
 ### Third party MDM solutions
 
@@ -69,6 +69,12 @@ Outside of personal devices that rely on Windows Update, servicing devices in mo
 > [!NOTE]
 > Surface Pro X supports Windows 10, version 1903 and later.
 
+### Windows Server Update Services
+Windows Server Update Services (WSUS) does not support the ability to deliver drivers and firmware to Surface Pro X.
+
+For more information, refer to the [Microsoft Endpoint Configuration Manager documentation](https://docs.microsoft.com/configmgr/sum/get-started/configure-classifications-and-products).
+
+
 ## Running apps on Surface Pro X
 
 Most apps run on ARM-based Windows 10 PCs with limited exclusions.
@@ -120,7 +126,7 @@ The following tables show the availability of selected key features on Surface P
 | Support for Network Boot (PXE)          | Yes           | Yes           |                                                                                                                                 |
 | Windows Configuration Designer          | Yes           | No            | Not recommended for Surface Pro X.                                                                                              |
 | WinPE                                   | Yes           | Yes           | Not recommended for Surface Pro X. Microsoft does not provide the necessary .ISO and drivers to support WinPE with Surface Pro X. |
-| SCCM: Operating System Deployment (OSD) | Yes           | No            | Not supported on Surface Pro X.                                                                                              |
+| Endpoint Configuration Manager: Operating System Deployment (OSD) | Yes           | No            | Not supported on Surface Pro X.                                                                                              |
 | MDT                                     | Yes           | No            | Not supported on Surface Pro X.                                                                                              |
 
 
@@ -129,7 +135,7 @@ The following tables show the availability of selected key features on Surface P
 | Intune                                        | Yes                 | Yes           | Manage LTE with eSIM profiles.                                                        |
 | Windows Autopilot                             | Yes                 | Yes           |                                                                                       |
 | Azure AD (co-management)                      | Yes                 | Yes           | Ability to join Surface Pro X to Azure AD or Active Directory (Hybrid Azure AD Join). |
-| SCCM                                          | Yes               | Yes           |                                                                                       |
+| Endpoint Configuration Manager                                          | Yes               | Yes           |                                                                                       |
 | Power on When AC Restore                      | Yes                 | Yes           |                                                                                   |
 | Surface Diagnostic Toolkit (SDT) for Business | Yes                 | Yes           |                                                                                   |
 | Surface Dock Firmware Update                  | Yes                 | Yes           |                                                                                   |
@@ -150,9 +156,9 @@ The following tables show the availability of selected key features on Surface P
 | Surface Data Eraser (SDE)         | Yes           | Yes           |                                                                                                                                                                                                                                                                                                                                                     
 ## FAQ
 
-### Can I deploy Surface Pro X with MDT or SCCM?
+### Can I deploy Surface Pro X with MDT or Endpoint Configuration Manager?
 
-The Microsoft Deployment Toolkit and System Center Configuration Manager operating system deployment currently do not support Surface Pro X. Customers relying on image-based deployment should consider Surface Pro 7 while they continue to evaluate the right time to transition to the cloud.
+The Microsoft Deployment Toolkit (MDT) and Microsoft Endpoint Configuration Manager  currently do not support Surface Pro X for operating system deployment.Customers relying on image-based deployment should consider Surface Pro 7 while they continue to evaluate the right time to transition to the cloud.
 
 ### How can I deploy Surface Pro X?
 
@@ -164,4 +170,4 @@ Yes.
 
 ### Is Intune required to manage Surface Pro X?
 
-Intune is recommended but not required. Once deployed in Autopilot, you can join Surface Pro X devices to Azure AD or Active Directory (Hybrid Azure AD Join) where you will be able to manage the devices with Intune or co-manage them with SCCM, which will install the 32-bit x86 ConfigMgr client.
+Intune is recommended but not required. Once deployed in Autopilot, you can join Surface Pro X devices to Azure AD or Active Directory (Hybrid Azure AD Join) where you will be able to manage the devices with Intune or co-manage them with Endpoint Configuration Manager, which will install the 32-bit x86 ConfigMgr client.
diff --git a/devices/surface/surface-system-sku-reference.md b/devices/surface/surface-system-sku-reference.md
index 74c348d2d1..cb201c332e 100644
--- a/devices/surface/surface-system-sku-reference.md
+++ b/devices/surface/surface-system-sku-reference.md
@@ -24,6 +24,9 @@ System Model and System SKU are variables that are stored in the System Manageme
 
 | Device   | System Model | System SKU       |
 | ---------- | ----------- | -------------- |
+| AMD Surface Laptop 3                                         | Surface 3        | Surface_Laptop_3_1873       |
+| Surface Laptop 3                                             | Surface 3        | Surface_Laptop_3_1867:1868       |
+| Surface Laptop 3                                             | Surface 3        | Surface_3                   
 | Surface 3 WiFI                                               | Surface 3        | Surface_3                        |
 | Surface 3 LTE AT&T                                           | Surface 3        | Surface_3_US1                    |
 | Surface 3 LTE Verizon                                        | Surface 3        | Surface_3_US2                    |
diff --git a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md
index 6c29966521..85b5bfa7d1 100644
--- a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md
+++ b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md
@@ -1,6 +1,6 @@
 ---
-title: Use System Center Configuration Manager to manage devices with SEMM (Surface)
-description: Find out how to use Microsoft Surface UEFI Manager to perform SEMM management with System Center Configuration Manager.
+title: Use Microsoft Endpoint Configuration Manager to manage devices with SEMM (Surface)
+description: Learn how to manage SEMM with Endpoint Configuration Manager.
 keywords: enroll, update, scripts, settings
 ms.prod: w10
 ms.mktglfcycl: manage
@@ -9,21 +9,21 @@ ms.sitesec: library
 author: dansimp
 ms.author: dansimp
 ms.topic: article
-ms.date: 10/31/2019
+ms.date: 11/22/2019
 ms.reviewer: 
 manager: dansimp
 ms.localizationpriority: medium
 ms.audience: itpro
 ---
 
-# Use System Center Configuration Manager to manage devices with SEMM
+# Use Microsoft Endpoint Configuration Manager to manage devices with SEMM
 
 The Surface Enterprise Management Mode (SEMM) feature of Surface UEFI devices allows administrators to both manage and secure the configuration of Surface UEFI settings. For most organizations, this process is accomplished by creating Windows Installer (.msi) packages with the Microsoft Surface UEFI Configurator tool. These packages are then run or deployed to the client Surface devices to enroll the devices in SEMM and to update the Surface UEFI settings configuration.
 
-For organizations with System Center Configuration Manager, there is an alternative to using the Microsoft Surface UEFI Configurator .msi process to deploy and administer SEMM. Microsoft Surface UEFI Manager is a lightweight installer that makes required assemblies for SEMM management available on a device. By installing these assemblies with Microsoft Surface UEFI Manager on a managed client, SEMM can be administered by Configuration Manager with PowerShell scripts, deployed as applications. With this process, SEMM management is performed within Configuration Manager, which eliminates the need for the external Microsoft Surface UEFI Configurator tool.
+For organizations with Endpoint Configuration Manager, (formerly known as System Center Configuration Manager or SCCM) there is an alternative to using the Microsoft Surface UEFI Configurator .msi process to deploy and administer SEMM. Microsoft Surface UEFI Manager is a lightweight installer that makes required assemblies for SEMM management available on a device. By installing these assemblies with Microsoft Surface UEFI Manager on a managed client, SEMM can be administered by Configuration Manager with PowerShell scripts, deployed as applications. With this process, SEMM management is performed within Configuration Manager, which eliminates the need for the external Microsoft Surface UEFI Configurator tool.
 
 >[!Note]
->Although the process described in this article may work with earlier versions of System Center Configuration Manager or with other third-party management solutions, management of SEMM with Microsoft Surface UEFI Manager and PowerShell is supported only with the Current Branch of System Center Configuration Manager.
+>Although the process described in this article may work with earlier versions of Endpoint Configuration Manager or with other third-party management solutions, management of SEMM with Microsoft Surface UEFI Manager and PowerShell is supported only with the Current Branch of Endpoint Configuration Manager.
 
 #### Prerequisites
 
@@ -278,7 +278,7 @@ To identify enrolled systems for Configuration Manager, the ConfigureSEMM.ps1 sc
 The following code fragment, found on lines 380-477, is used to write these registry keys:
 
 ```
-380	# For SCCM or other management solutions that wish to know what version is applied, tattoo the LSV and current DateTime (in UTC) to the registry:
+380	# For Endpoint Configuration Manager or other management solutions that wish to know what version is applied, tattoo the LSV and current DateTime (in UTC) to the registry:
 381	$UTCDate = (Get-Date).ToUniversalTime().ToString()
 382	$certIssuer = $certPrint.Issuer
 383	$certSubject = $certPrint.Subject
diff --git a/devices/surface/windows-autopilot-and-surface-devices.md b/devices/surface/windows-autopilot-and-surface-devices.md
index 00b08cc73a..2be171841b 100644
--- a/devices/surface/windows-autopilot-and-surface-devices.md
+++ b/devices/surface/windows-autopilot-and-surface-devices.md
@@ -13,7 +13,7 @@ ms.author: dansimp
 ms.topic: article
 ms.localizationpriority: medium
 ms.audience: itpro
-ms.date: 10/21/2019
+ms.date: 11/26/2019
 ---
 
 # Windows Autopilot and Surface devices
@@ -35,10 +35,17 @@ Enrolling Surface devices in Windows Autopilot at the time of purchase is a capa
 
 When you purchase Surface devices from a Surface partner enabled for Windows Autopilot, your new devices can be enrolled in your Windows Autopilot deployment for you by the partner. Surface partners enabled for Windows Autopilot include: 
 
+- [ALSO](https://www.also.com/ec/cms5/de_1010/1010_anbieter/microsoft/windows-autopilot/index.jsp) 
 - [Atea](https://www.atea.com/)
+- [Bechtle](https://www.bechtle.com/de-en) 
+- [Cancom](https://www.cancom.de/)
+- [CDW](https://www.cdw.com/)
+- [Computacenter](https://www.computacenter.com/uk)
 - [Connection](https://www.connection.com/brand/microsoft/microsoft-surface) 
 - [Insight](https://www.insight.com/en_US/buy/partner/microsoft/surface/windows-autopilot.html)
 - [SHI](https://www.shi.com/Surface)
+- [Synnex](https://www.synnexcorp.com/us/microsoft/surface-autopilot/)
+- [Techdata](https://www.techdata.com/)
 
 ## Learn more
 For more information about Windows Autopilot, refer to:
diff --git a/education/developers.yml b/education/developers.yml
index 5c73169853..9e21b6d27f 100644
--- a/education/developers.yml
+++ b/education/developers.yml
@@ -1,10 +1,10 @@
 ### YamlMime:Hub
 
-title: M365 Education Documentation for developers
+title: Microsoft 365 Education Documentation for developers
 summary: Are you an app developer looking for information about developing solutions on Microsoft Education products? Start here.
 
 metadata:
-  title: M365 Education Documentation for developers
+  title: Microsoft 365 Education Documentation for developers
   description: Are you an app developer looking for information about developing solutions on Microsoft Education products? Start here.
   ms.service: help
   ms.topic: hub-page
diff --git a/education/docfx.json b/education/docfx.json
index 91c875c200..809a2da28f 100644
--- a/education/docfx.json
+++ b/education/docfx.json
@@ -39,11 +39,21 @@
           "depot_name": "Win.education",
           "folder_relative_path_in_docset": "./"
         }
-      }
+      },
+      "contributors_to_exclude": [ 
+        "rjagiewich", 
+        "traya1", 
+        "rmca14", 
+        "claydetels19", 
+        "Kellylorenebaker",
+        "jborsecnik",
+        "tiburd",
+        "garycentric"
+      ]
     },
     "externalReference": [],
     "template": "op.html",
     "dest": "education",
     "markdownEngineName": "markdig"
-  }
+}
 }
diff --git a/education/images/EDU-FindHelp.svg b/education/images/EDU-FindHelp.svg
new file mode 100644
index 0000000000..fea3109134
--- /dev/null
+++ b/education/images/EDU-FindHelp.svg
@@ -0,0 +1,32 @@
+
+
+
+
+EDUAdmins-50px
+
+
+
+	toolbox
+	
+		
+			
+				
+					
+				
+			
+		
+	
+
+
diff --git a/education/images/EDU-ITJourney.svg b/education/images/EDU-ITJourney.svg
new file mode 100644
index 0000000000..e42fe12104
--- /dev/null
+++ b/education/images/EDU-ITJourney.svg
@@ -0,0 +1,31 @@
+
+
+
+
+EDUAdmins-50px
+
+
+
+	MapPin-blue
+	
+	
+	
+	
+	
+
+
diff --git a/education/images/EDU-Teachers.svg b/education/images/EDU-Teachers.svg
new file mode 100644
index 0000000000..4cdb2b3e7d
--- /dev/null
+++ b/education/images/EDU-Teachers.svg
@@ -0,0 +1,27 @@
+
+
+
+
+EDUAdmins-50px
+
+
+
+	PresenterPresentationChart-blue
+	
+	
+	
+
+
diff --git a/education/index.yml b/education/index.yml
index 9d3a74a32c..80796a921a 100644
--- a/education/index.yml
+++ b/education/index.yml
@@ -1,10 +1,10 @@
 ### YamlMime:Hub
 
-title: M365 Education Documentation
+title: Microsoft 365 Education Documentation
 summary: Microsoft 365 Education empowers educators to unlock creativity, promote teamwork, and provide a simple and safe experience in a single, affordable solution built for education.
 
 metadata:
-  title: M365 Education Documentation
+  title: Microsoft 365 Education Documentation
   description: Learn about product documentation and resources available for school IT administrators, teachers, students, and education app developers.
   ms.service: help
   ms.topic: hub-page
diff --git a/education/itadmins.yml b/education/itadmins.yml
index 25eabd906a..4aa321c59c 100644
--- a/education/itadmins.yml
+++ b/education/itadmins.yml
@@ -1,10 +1,10 @@
 ### YamlMime:Hub
 
-title: M365 Education Documentation for IT admins
-summary: M365 Education consists of Office 365 Education, Windows 10 Education, and security and management tools such as Intune for Education and School Data Sync.
+title: Microsoft 365 Education Documentation for IT admins
+summary: Microsoft 365 Education consists of Office 365 Education, Windows 10 Education, and security and management tools such as Intune for Education and School Data Sync.
 
 metadata:
-  title: M365 Education Documentation for IT admins
+  title: Microsoft 365 Education Documentation for IT admins
   description: M365 Education consists of Office 365 Education, Windows 10 Education, and security and management tools such as Intune for Education and School Data Sync.
   ms.service: help
   ms.topic: hub-page
@@ -13,7 +13,7 @@ metadata:
   ms.date: 10/24/2019
 
 productDirectory:
-  summary: This guide is designed for IT admins looking for the simplest way to move their platform to the cloud. It does not capture all the necessary steps for large scale or complex deployments. Check out at https://edujourney.microsoft.com/. Find help now at https://docs.microsoft.com/microsoft-365/education/deploy/find-deployment-help.
+  summary: This guide is designed for IT admins looking for the simplest way to move their platform to the cloud. It does not capture all the necessary steps for large scale or complex deployments.
   items:
     # Card    
     - title: Phase 1 - Cloud deployment
@@ -71,7 +71,7 @@ productDirectory:
         - url: https://docs.microsoft.com/microsoft-365/education/deploy/deploy-sharepoint-server-hybrid
           text: Deploy SharePoint Server Hybrid
     # Card
-    - title: Security & Compliance
+    - title: Security & compliance
       imageSrc: ./images/EDU-Lockbox.svg
       links:
         - url: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-deployment-checklist-p2
@@ -87,10 +87,34 @@ productDirectory:
         - url: https://social.technet.microsoft.com/wiki/contents/articles/35748.office-365-what-is-customer-lockbox-and-how-to-enable-it.aspx
           text: Deploying Lockbox
     # Card    
-    - title: Analytics & Insights
+    - title: Analytics & insights
       imageSrc: ./images/EDU-Education.svg
       links:
         - url: https://docs.microsoft.com/en-us/power-bi/service-admin-administering-power-bi-in-your-organization
           text: Power BI for IT admins
         - url: https://docs.microsoft.com/en-us/dynamics365/#pivot=get-started
-          text: Dynamics 365
\ No newline at end of file
+          text: Dynamics 365
+    # Card    
+    - title: Find deployment help
+      imageSrc: ./images/EDU-FindHelp.svg
+      links:
+        - url: https://docs.microsoft.com/microsoft-365/education/deploy/find-deployment-help
+          text: IT admin help
+        - url: https://social.technet.microsoft.com/forums/en-us/home
+          text: TechNet
+    # Card    
+    - title: Check out our education journey
+      imageSrc: ./images/EDU-ITJourney.svg
+      links:
+        - url: https://edujourney.microsoft.com/k-12/
+          text: K-12
+        - url: https://edujourney.microsoft.com/hed/
+          text: Higher education
+    # Card    
+    - title: Additional support resources
+      imageSrc: ./images/EDU-Teachers.svg
+      links:
+        - url: https://support.office.com/en-us/education
+          text: Education help center
+        - url: https://support.office.com/en-us/article/teacher-training-packs-7a9ee74a-8fe5-43d3-bc23-a55185896921
+          text: Teacher training packs
\ No newline at end of file
diff --git a/education/partners.yml b/education/partners.yml
index 05d585f5f5..42925925f4 100644
--- a/education/partners.yml
+++ b/education/partners.yml
@@ -1,10 +1,10 @@
 ### YamlMime:Hub
 
-title: M365 Education Documentation for partners
+title: Microsoft 365 Education Documentation for partners
 summary: Looking for resources available to Microsoft Education partners? Start here.
 
 metadata:
-  title: M365 Education Documentation for partners
+  title: Microsoft 365 Education Documentation for partners
   description: Looking for resources available to Microsoft Education partners? Start here.
   ms.service: help
   ms.topic: hub-page
diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md
index 43b68e46ad..35146fcace 100644
--- a/education/windows/deploy-windows-10-in-a-school-district.md
+++ b/education/windows/deploy-windows-10-in-a-school-district.md
@@ -1617,7 +1617,7 @@ As a final quality control step, verify the device configuration to ensure that
 * The device can connect to the Internet and view the appropriate web content in Microsoft Edge.
 * Windows Update is active and current with software updates.
 * Windows Defender is active and current with malware Security intelligence.
-* The SmartScreen Filter is active.
+* Windows Defender SmartScreen is active.
 * All Microsoft Store apps are properly installed and updated.
 * All Windows desktop apps are properly installed and updated.
 * Printers are properly configured.
diff --git a/education/windows/deploy-windows-10-in-a-school.md b/education/windows/deploy-windows-10-in-a-school.md
index 3cfeafb6d3..5fd1f4093a 100644
--- a/education/windows/deploy-windows-10-in-a-school.md
+++ b/education/windows/deploy-windows-10-in-a-school.md
@@ -1096,7 +1096,7 @@ As a final quality control step, verify the device configuration to ensure that
 - The device can connect to the Internet and view the appropriate web content in Microsoft Edge.
 - Windows Update is active and current with software updates.
 - Windows Defender is active and current with malware Security intelligence.
-- The SmartScreen Filter is active.
+- Windows Defender SmartScreen is active.
 - All Microsoft Store apps are properly installed and updated.
 - All Windows desktop apps are properly installed and updated.
 - Printers are properly configured.
diff --git a/mdop/agpm/index.md b/mdop/agpm/index.md
index 3832e088c4..bd78561b83 100644
--- a/mdop/agpm/index.md
+++ b/mdop/agpm/index.md
@@ -19,7 +19,7 @@ Microsoft Advanced Group Policy Management (AGPM) extends the capabilities of th
 ## AGPM Version Information
 
 
-[AGPM 4.0 SP3](agpm-40-sp3-navengl.md) supports Windows 10, Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows Server 2008 R2, Windows 7, Windows Server 2008, and Windows Vista with SP1.
+[AGPM 4.0 SP3](agpm-40-sp3-navengl.md) supports Windows 10, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows Server 2008 R2, Windows 7, Windows Server 2008, and Windows Vista with SP1.
 
 [AGPM 4.0 SP2](agpm-40-sp2-navengl.md) supports Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows Server 2008 R2, Windows 7, Windows Server 2008, and Windows Vista with SP1.
 
diff --git a/mdop/appv-v5/how-to-revert-extension-points-from-an-app-v-50-package-to-an-app-v-46-package-for-a-specific-user.md b/mdop/appv-v5/how-to-revert-extension-points-from-an-app-v-50-package-to-an-app-v-46-package-for-a-specific-user.md
index c290148b0d..76656d39e1 100644
--- a/mdop/appv-v5/how-to-revert-extension-points-from-an-app-v-50-package-to-an-app-v-46-package-for-a-specific-user.md
+++ b/mdop/appv-v5/how-to-revert-extension-points-from-an-app-v-50-package-to-an-app-v-46-package-for-a-specific-user.md
@@ -1,3 +1,4 @@
+---
 ms.reviewer: 
 title: How to Revert Extension Points From an App-V 5.0 Package to an App-V 4.6 Package for a Specific User
 description: How to Revert Extension Points From an App-V 5.0 Package to an App-V 4.6 Package for a Specific User
diff --git a/mdop/appv-v5/how-to-use-an-app-v-46-sp1-application-from-an-app-v-50-application.md b/mdop/appv-v5/how-to-use-an-app-v-46-sp1-application-from-an-app-v-50-application.md
index c265b6155e..0345a45113 100644
--- a/mdop/appv-v5/how-to-use-an-app-v-46-sp1-application-from-an-app-v-50-application.md
+++ b/mdop/appv-v5/how-to-use-an-app-v-46-sp1-application-from-an-app-v-50-application.md
@@ -1,3 +1,4 @@
+---
 ms.reviewer: 
 title: How to Use an App-V 4.6 Application From an App-V 5.0 Application
 description: How to Use an App-V 4.6 Application From an App-V 5.0 Application
diff --git a/mdop/dart-v10/planning-to-create-the-dart-10-recovery-image.md b/mdop/dart-v10/planning-to-create-the-dart-10-recovery-image.md
index 6346265cf1..7089ba0bff 100644
--- a/mdop/dart-v10/planning-to-create-the-dart-10-recovery-image.md
+++ b/mdop/dart-v10/planning-to-create-the-dart-10-recovery-image.md
@@ -49,7 +49,7 @@ The following items are required or recommended for creating the DaRT recovery i
 
 
 
Windows Debugging Tools for your platform

-
Required when you run the Crash Analyzer to determine the cause of a computer failure. We recommend that you specify the path of the Windows Debugging Tools at the time that you create the DaRT recovery image. You can download the Windows Debugging Tools here: Download and Install Debugging Tools for Windows.

+
Required when you run the Crash Analyzer to determine the cause of a computer failure. We recommend that you specify the path of the Windows Debugging Tools at the time that you create the DaRT recovery image. You can download the Windows Debugging Tools here: Download and Install Debugging Tools for Windows.

 
 
 
Optional: Windows symbols files for use with Crash Analyzer

@@ -62,7 +62,6 @@ The following items are required or recommended for creating the DaRT recovery i
 
 ## Related topics
 
-
 [Planning to Deploy DaRT 10](planning-to-deploy-dart-10.md)
 
  
@@ -72,4 +71,3 @@ The following items are required or recommended for creating the DaRT recovery i
 
 
 
-
diff --git a/mdop/docfx.json b/mdop/docfx.json
index 252c242145..c037b4fa3c 100644
--- a/mdop/docfx.json
+++ b/mdop/docfx.json
@@ -41,11 +41,21 @@
           "depot_name": "Win.mdop",
           "folder_relative_path_in_docset": "./"
         }
-      }
+      },
+      "contributors_to_exclude": [ 
+        "rjagiewich", 
+        "traya1", 
+        "rmca14", 
+        "claydetels19", 
+        "Kellylorenebaker",
+        "jborsecnik",
+        "tiburd",
+        "garycentric"
+      ]
     },
     "externalReference": [],
     "template": "op.html",
     "dest": "mdop",
     "markdownEngineName": "markdig"
-  }
+    }
 }
diff --git a/mdop/mbam-v1/getting-started-with-mbam-10.md b/mdop/mbam-v1/getting-started-with-mbam-10.md
index f42751d4d1..7d1f4c4060 100644
--- a/mdop/mbam-v1/getting-started-with-mbam-10.md
+++ b/mdop/mbam-v1/getting-started-with-mbam-10.md
@@ -13,9 +13,12 @@ ms.prod: w10
 ms.date: 08/30/2016
 ---
 
-
 # Getting Started with MBAM 1.0
 
+> **IMPORTANT**
+> MBAM 1.0 will reach end of support on September 14, 2021. 
+> See our [lifecycle page](https://support.microsoft.com/lifecycle/search?alpha=Microsoft%20BitLocker%20Administration%20and%20Monitoring%201.0) for more information. We recommend [migrating to MBAM 2.5](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/upgrading-to-mbam-25-or-mbam-25-sp1-from-previous-versions) or another supported version of MBAM, or migrating your BitLocker management to [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager).
+
 
 Microsoft BitLocker Administration and Monitoring (MBAM) requires thorough planning before you deploy it or use its features. Because this product can affect every computer in your organization, you might disrupt your entire network if you do not plan your deployment carefully. However, if you plan your deployment carefully and manage it so that it meets your business needs, MBAM can help reduce your administrative overhead and total cost of ownership.
 
diff --git a/smb/docfx.json b/smb/docfx.json
index 14448aa33c..1c1ce5a53a 100644
--- a/smb/docfx.json
+++ b/smb/docfx.json
@@ -37,11 +37,21 @@
           "depot_name": "TechNet.smb",
           "folder_relative_path_in_docset": "./"
         }
-      }
+      },
+      "contributors_to_exclude": [ 
+        "rjagiewich", 
+        "traya1", 
+        "rmca14", 
+        "claydetels19", 
+        "Kellylorenebaker",
+        "jborsecnik",
+        "tiburd",
+        "garycentric"
+      ]
     },
     "fileMetadata": {},
     "template": [],
     "dest": "smb",
     "markdownEngineName": "markdig"
-  }
+    }
 }
diff --git a/store-for-business/docfx.json b/store-for-business/docfx.json
index 760a988add..2a30faf3ef 100644
--- a/store-for-business/docfx.json
+++ b/store-for-business/docfx.json
@@ -47,11 +47,21 @@
           "depot_name": "MSDN.store-for-business",
           "folder_relative_path_in_docset": "./"
         }
-      }
+      },
+      "contributors_to_exclude": [ 
+        "rjagiewich", 
+        "traya1", 
+        "rmca14", 
+        "claydetels19", 
+        "Kellylorenebaker",
+        "jborsecnik",
+        "tiburd",
+        "garycentric"
+      ]
     },
     "fileMetadata": {},
     "template": [],
     "dest": "store-for-business",
     "markdownEngineName": "markdig"
-  }
+    }
 }
diff --git a/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md b/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md
index e2ed065b74..55dcc71e05 100644
--- a/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md
+++ b/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md
@@ -1,5 +1,5 @@
 ---
-title: How to Allow Only Administrators to Enable Connection Groups (Windows 10)
+title: Only Allow Admins to Enable Connection Groups (Windows 10)
 description: How to Allow Only Administrators to Enable Connection Groups
 author: dansimp
 ms.pagetype: mdop, appcompat, virtualization
diff --git a/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md b/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md
index b6d62b3219..5ba6786e15 100644
--- a/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md
+++ b/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md
@@ -1,5 +1,5 @@
 ---
-title: How to apply the deployment configuration file by using Windows PowerShell (Windows 10)
+title: Apply deployment config file via Windows PowerShell (Windows 10)
 description: How to apply the deployment configuration file by using Windows PowerShell for Windows 10.
 author: dansimp
 ms.pagetype: mdop, appcompat, virtualization
diff --git a/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md b/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md
index 6e88aa4a89..3acd5f85db 100644
--- a/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md
+++ b/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md
@@ -1,5 +1,5 @@
 ---
-title: Automatically clean up unpublished packages on the App-V client (Windows 10)
+title: Auto-remove unpublished packages on App-V client (Windows 10)
 description: How to automatically clean up any unpublished packages on your App-V client devices.
 author: dansimp
 ms.pagetype: mdop, appcompat, virtualization
diff --git a/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md b/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md
index 87ee2f267a..7209027bb8 100644
--- a/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md
+++ b/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md
@@ -1,5 +1,5 @@
 ---
-title: How to Install the Publishing Server on a Remote Computer (Windows 10)
+title: Install the Publishing Server on a Remote Computer (Windows 10)
 description: How to Install the App-V Publishing Server on a Remote Computer
 author: lomayor
 ms.pagetype: mdop, appcompat, virtualization
diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md
index 44260b0181..a7c0f2f152 100644
--- a/windows/client-management/connect-to-remote-aadj-pc.md
+++ b/windows/client-management/connect-to-remote-aadj-pc.md
@@ -46,15 +46,22 @@ Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-gu
      >
      >`net localgroup "Remote Desktop Users" /add "AzureAD\the-UPN-attribute-of-your-user"`, where *FirstnameLastname* is the name of the user profile in C:\Users\, which is created based on DisplayName attribute in Azure AD.
      >
+     > This command only works for AADJ device users already added to any of the local groups (administrators).
+     > Otherwise this command throws the below error. For example: 

+     > for cloud only user: "There is no such global user or group : *name*" 

+     > for synced user: "There is no such global user or group : *name*" 

+     >
      >In Windows 10, version 1709, the user does not have to sign in to the remote device first.
      >
      >In Windows 10, version 1709, you can add other Azure AD users to the **Administrators** group on a device in **Settings** and restrict remote credentials to **Administrators**. If there is a problem connecting remotely, make sure that both devices are joined to Azure AD and that TPM is functioning properly on both devices.
 
   4. Enter **Authenticated Users**, then click **Check Names**. If the **Name Not Found** window opens, click **Locations** and select this PC.
 
-  >[!TIP]
-  >When you connect to the remote PC, enter your account name in this format: `AzureAD UPN`. The local PC must either be domain-joined or Azure AD-joined. The local PC and remote PC must be in the same Azure AD tenant.
+  > [!TIP]
+  > When you connect to the remote PC, enter your account name in this format: `AzureAD UPN`. The local PC must either be domain-joined or Azure AD-joined. The local PC and remote PC must be in the same Azure AD tenant.
 
+> [!Note]
+> If you cannot connect using Remote Desktop Connection 6.0, then you must turn off new features of RDP 6.0 and revert back to RDP 5.0 by changing a few changes in the RDP file. See the details in the [support article](https://support.microsoft.com/help/941641/remote-desktop-connection-6-0-prompts-you-for-credentials-before-you-e).
  
 ## Supported configurations
  
diff --git a/windows/client-management/img-boot-sequence.md b/windows/client-management/img-boot-sequence.md
index e0d86a8a23..dbcd186131 100644
--- a/windows/client-management/img-boot-sequence.md
+++ b/windows/client-management/img-boot-sequence.md
@@ -1,6 +1,6 @@
 ---
-description: A full-sized view of the boot sequence flowchart.
 title: Boot sequence flowchart
+description: A full-sized view of the boot sequence flowchart.
 ms.date: 11/16/2018
 ms.reviewer: 
 manager: dansimp
@@ -10,8 +10,8 @@ ms.topic: article
 ms.prod: w10
 ---
 
+# Boot sequence flowchart
+
 Return to: [Advanced troubleshooting for Windows boot problems](advanced-troubleshooting-boot-problems.md)

 
-
 ![Full-sized boot sequence flowchart](images/boot-sequence.png)
-
diff --git a/windows/client-management/manage-settings-app-with-group-policy.md b/windows/client-management/manage-settings-app-with-group-policy.md
index ef2bf77cba..97ea145013 100644
--- a/windows/client-management/manage-settings-app-with-group-policy.md
+++ b/windows/client-management/manage-settings-app-with-group-policy.md
@@ -12,13 +12,13 @@ ms.author: dansimp
 ms.topic: article
 ---
 
+# Manage the Settings app with Group Policy
+
+
 **Applies to**
 
 -   Windows 10, Windows Server 2016
 
-
-# Manage the Settings app with Group Policy
-
 You can now manage the pages that are shown in the Settings app by using Group Policy. This lets you hide specific pages from users. Before Windows 10, version 1703, you could either show everything in the Settings app or hide it completely.
 To make use of the Settings App group polices on Windows server 2016, install fix [4457127](https://support.microsoft.com/help/4457127/windows-10-update-kb4457127) or a later cumulative update. 
 
diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md
index 67aad1cf77..9241a7fdf7 100644
--- a/windows/client-management/mdm/TOC.md
+++ b/windows/client-management/mdm/TOC.md
@@ -237,7 +237,6 @@
 #### [Security](policy-csp-security.md)
 #### [ServiceControlManager](policy-csp-servicecontrolmanager.md)
 #### [Settings](policy-csp-settings.md)
-#### [SmartScreen](policy-csp-smartscreen.md)
 #### [Speech](policy-csp-speech.md)
 #### [Start](policy-csp-start.md)
 #### [Storage](policy-csp-storage.md)
@@ -253,6 +252,7 @@
 #### [Wifi](policy-csp-wifi.md)
 #### [WindowsConnectionManager](policy-csp-windowsconnectionmanager.md)
 #### [WindowsDefenderSecurityCenter](policy-csp-windowsdefendersecuritycenter.md)
+#### [WindowsDefenderSmartScreen](policy-csp-smartscreen.md)
 #### [WindowsInkWorkspace](policy-csp-windowsinkworkspace.md)
 #### [WindowsLogon](policy-csp-windowslogon.md)
 #### [WindowsPowerShell](policy-csp-windowspowershell.md)
diff --git a/windows/client-management/mdm/applicationcontrol-csp-ddf.md b/windows/client-management/mdm/applicationcontrol-csp-ddf.md
index 0cd8b04e7c..60449c917c 100644
--- a/windows/client-management/mdm/applicationcontrol-csp-ddf.md
+++ b/windows/client-management/mdm/applicationcontrol-csp-ddf.md
@@ -1,6 +1,6 @@
 ---
-title: ApplicationControl CSP
-description: ApplicationControl CSP
+title: ApplicationControl CSP DDF
+description: This topic shows the OMA DM device description framework (DDF) for the **ApplicationControl** configuration service provider. DDF files are used only with OMA DM provisioning XML.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/applicationcontrol-csp.md b/windows/client-management/mdm/applicationcontrol-csp.md
index cb636ce3ef..dbbecb3b74 100644
--- a/windows/client-management/mdm/applicationcontrol-csp.md
+++ b/windows/client-management/mdm/applicationcontrol-csp.md
@@ -40,7 +40,7 @@ This node is the policy binary itself, which is encoded as base64.
 
 Scope is dynamic. Supported operations are Get, Add, Delete, and Replace.
 
-Value type is b64. Supported value is any well-formed WDAC policy, i.e. the base64-encoded content output by the ConvertFrom-CIPolicy cmdlet.
+Value type is b64. Supported value is a binary file, converted from the policy XML file by the ConvertFrom-CIPolicy cmdlet.
 
 Default value is empty.
 
@@ -118,8 +118,7 @@ To use ApplicationControl CSP, you must:
 - Know a generated policy’s GUID, which can be found in the policy xml as ``.
 - Convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned.
 
-If you are using hybrid MDM management with System Center Configuration Manager or using Intune, ensure that you are using Base64 as the Data type when using Custom OMA-URI
-functionality to apply the Code Integrity policy.
+If you are using hybrid MDM management with System Center Configuration Manager or using Intune, ensure that you are using Base64 as the Data type when using Custom OMA-URI functionality to apply the Code Integrity policy via uploading the binary file.
 
 ### Deploy policies
 To deploy a new base policy using the CSP, perform an ADD on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** using the Base64-encoded policy node as {Data}. Refer to the the Format section in the Example 1 below.
@@ -224,4 +223,4 @@ The following is an example of Delete command:
             
         
    
-```
\ No newline at end of file
+```
diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md
index 79251bed03..5f163fa7a7 100644
--- a/windows/client-management/mdm/applocker-csp.md
+++ b/windows/client-management/mdm/applocker-csp.md
@@ -9,7 +9,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: lomayor
-ms.date: 07/25/2019
+ms.date: 11/19/2019
 ---
 
 # AppLocker CSP
@@ -21,10 +21,10 @@ The following diagram shows the AppLocker configuration service provider in tree
 
 ![applocker csp](images/provisioning-csp-applocker.png)
 
-**./Vendor/MSFT/AppLocker**
+**./Vendor/MSFT/AppLocker**  
 Defines the root node for the AppLocker configuration service provider.
 
-**ApplicationLaunchRestrictions**
+**AppLocker/ApplicationLaunchRestrictions**  
 Defines restrictions for applications.
 
 > [!NOTE]
@@ -40,7 +40,133 @@ Additional information:
 - [Find publisher and product name of apps](#productname) - step-by-step guide for getting the publisher and product names for various Windows apps.
 - [Whitelist example](#whitelist-examples) - example for Windows 10 Mobile that denies all apps except the ones listed.
 
-**EnterpriseDataProtection**
+**AppLocker/ApplicationLaunchRestrictions/_Grouping_**  
+Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it is to determine what their purpose is, and to not conflict with other identifiers that they define.
+Different enrollments and contexts may use the same Authority identifier, even if many such identifiers are active at the same time.
+
+Supported operations are Get, Add, Delete, and Replace.
+
+**AppLocker/ApplicationLaunchRestrictions/_Grouping_/EXE**  
+Defines restrictions for launching executable applications.
+
+Supported operations are Get, Add, Delete, and Replace.
+
+**AppLocker/ApplicationLaunchRestrictions/_Grouping_/EXE/Policy**  
+Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.
+
+Data type is string. 
+
+Supported operations are Get, Add, Delete, and Replace.
+
+**AppLocker/ApplicationLaunchRestrictions/_Grouping_/EXE/EnforcementMode**  
+The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).
+
+The data type is a string. 
+
+Supported operations are Get, Add, Delete, and Replace.
+
+**AppLocker/ApplicationLaunchRestrictions/_Grouping_/EXE/NonInteractiveProcessEnforcement**  
+The data type is a string.
+
+Supported operations are Add, Delete, Get, and Replace.
+
+**AppLocker/ApplicationLaunchRestrictions/_Grouping_/MSI**  
+Defines restrictions for executing Windows Installer files.
+
+Supported operations are Get, Add, Delete, and Replace.
+
+**AppLocker/ApplicationLaunchRestrictions/_Grouping_/MSI/Policy**  
+Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.
+
+Data type is string. 
+
+Supported operations are Get, Add, Delete, and Replace.
+
+**AppLocker/ApplicationLaunchRestrictions/_Grouping_/MSI/EnforcementMode**  
+The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).
+
+The data type is a string. 
+
+Supported operations are Get, Add, Delete, and Replace.
+
+**AppLocker/ApplicationLaunchRestrictions/_Grouping_/Script**  
+Defines restrictions for running scripts.
+
+Supported operations are Get, Add, Delete, and Replace.
+
+**AppLocker/ApplicationLaunchRestrictions/_Grouping_/Script/Policy**  
+Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.
+
+Data type is string. 
+
+Supported operations are Get, Add, Delete, and Replace.
+
+**AppLocker/ApplicationLaunchRestrictions/_Grouping_/Script/EnforcementMode**  
+The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).
+
+The data type is a string.
+
+Supported operations are Get, Add, Delete, and Replace.
+
+**AppLocker/ApplicationLaunchRestrictions/_Grouping_/StoreApps**  
+Defines restrictions for running apps from the Microsoft Store.
+
+Supported operations are Get, Add, Delete, and Replace.
+
+**AppLocker/ApplicationLaunchRestrictions/_Grouping_/StoreApps/Policy**  
+Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.
+
+Data type is string.
+
+Supported operations are Get, Add, Delete, and Replace.
+
+**AppLocker/ApplicationLaunchRestrictions/_Grouping_/StoreApps/EnforcementMode**  
+The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).
+
+The data type is a string.
+
+Supported operations are Get, Add, Delete, and Replace.
+
+**AppLocker/ApplicationLaunchRestrictions/_Grouping_/DLL**  
+Defines restrictions for processing DLL files.
+
+Supported operations are Get, Add, Delete, and Replace.
+
+**AppLocker/ApplicationLaunchRestrictions/_Grouping_/DLL/Policy**  
+Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.
+
+Data type is string.
+
+Supported operations are Get, Add, Delete, and Replace.
+
+**AppLocker/ApplicationLaunchRestrictions/_Grouping_/DLL/EnforcementMode**  
+The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).
+
+The data type is a string.
+
+Supported operations are Get, Add, Delete, and Replace.
+
+**AppLocker/ApplicationLaunchRestrictions/_Grouping_/DLL/NonInteractiveProcessEnforcement**  
+The data type is a string.
+
+Supported operations are Add, Delete, Get, and Replace.
+
+**AppLocker/ApplicationLaunchRestrictions/_Grouping_/CodeIntegrity**  
+This node is only supported on the desktop. 
+
+Supported operations are Get, Add, Delete, and Replace.
+
+**AppLocker/ApplicationLaunchRestrictions/_Grouping_/CodeIntegrity/Policy**  
+Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.
+
+Data type is Base64.
+
+Supported operations are Get, Add, Delete, and Replace.
+
+> [!NOTE]
+> To use Code Integrity Policy, you first need to convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet. Then a Base64-encoded blob of the binary policy representation should be created (for example, using the [certutil -encode](https://go.microsoft.com/fwlink/p/?LinkId=724364) command line tool) and added to the Applocker-CSP.
+
+**AppLocker/EnterpriseDataProtection**  
 Captures the list of apps that are allowed to handle enterprise data. Should be used in conjunction with the settings in **./Device/Vendor/MSFT/EnterpriseDataProtection** in [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md).
 
 In Windows 10, version 1607 the Windows Information Protection has a concept for allowed and exempt applications. Allowed applications can access enterprise data and the data handled by those applications are protected with encryption. Exempt applications can also access enterprise data, but the data handled by those applications are not protected. This is because some critical enterprise applications may have compatibility problems with encrypted data.
@@ -61,115 +187,35 @@ Additional information:
 
 - [Recommended deny list for Windows Information Protection](#recommended-deny-list-for-windows-information-protection) - example for Windows 10, version 1607 that denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. This ensures an administrator does not accidentally make these apps Windows Information Protection allowed, and avoid known compatibility issues related to automatic file encryption with these applications.
 
-Each of the previously listed nodes contains a **Grouping** node.
+**AppLocker/EnterpriseDataProtection/_Grouping_**  
+Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it is to determine what their purpose is, and to not conflict with other identifiers that they define.
+Different enrollments and contexts may use the same Authority identifier, even if many such identifiers are active at the same time.
 
-
----
-
-
-
-
-
-
-
-
-
-
-
-
-




TermDescription
Grouping
Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it is to determine what their purpose is, and to not conflict with other identifiers that they define.

-
Different enrollments and contexts may use the same Authority identifier, even if many such identifiers are active at the same time.

-
Supported operations are Get, Add, Delete, and Replace.

+Supported operations are Get, Add, Delete, and Replace.
 
+**AppLocker/EnterpriseDataProtection/_Grouping_/EXE**  
+Defines restrictions for launching executable applications.
 
+Supported operations are Get, Add, Delete, and Replace.
 
-In addition, each **Grouping** node contains one or more of the following nodes:
+**AppLocker/EnterpriseDataProtection/_Grouping_/EXE/Policy**  
+Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.
 
-
----
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-




TermDescription
EXE
Defines restrictions for launching executable applications.

-
Supported operations are Get, Add, Delete, and Replace.
MSI
Defines restrictions for executing Windows Installer files.

-
Supported operations are Get, Add, Delete, and Replace.
Script
Defines restrictions for running scripts.

-
Supported operations are Get, Add, Delete, and Replace.
StoreApps
Defines restrictions for running apps from the Microsoft Store.

-
Supported operations are Get, Add, Delete, and Replace.
DLL
Defines restrictions for processing DLL files.

-
Supported operations are Get, Add, Delete, and Replace.
CodeIntegrity
This node is only supported on the desktop. Supported operations are Get, Add, Delete, and Replace.

+Data type is string. 
 
+Supported operations are Get, Add, Delete, and Replace.
 
+**AppLocker/EnterpriseDataProtection/_Grouping_/StoreApps**  
+Defines restrictions for running apps from the Microsoft Store.
 
-Each of the previous nodes contains one or more of the following leaf nodes:
+Supported operations are Get, Add, Delete, and Replace.
 
-
----
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-




TermDescription
Policy
Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.

-
For nodes, other than CodeIntegrity, policy leaf data type is string. Supported operations are Get, Add, Delete, and Replace.

-
For CodeIntegrity/Policy, data type is Base64. Supported operations are Get, Add, Delete, and Replace.
EnforcementMode
The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).

-
The data type is a string. Supported operations are Get, Add, Delete, and Replace.
NonInteractiveProcessEnforcement
The data type is a string.

-
Supported operations are Add, Delete, Get, and Replace.

+**AppLocker/EnterpriseDataProtection/_Grouping_/StoreApps/Policy**  
+Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.
 
-> [!NOTE]
-> To use Code Integrity Policy, you first need to convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet. Then a Base64-encoded blob of the binary policy representation should be created (for example, using the [certutil -encode](https://go.microsoft.com/fwlink/p/?LinkId=724364) command line tool) and added to the Applocker-CSP.
+Data type is string.
 
+Supported operations are Get, Add, Delete, and Replace.
 
 ## Find publisher and product name of apps
 
@@ -239,7 +285,6 @@ The following table show the mapping of information to the AppLocker publisher r
 
 
 
-
 Here is an example AppLocker publisher rule:
 
 ``` syntax
@@ -319,7 +364,7 @@ Result
 
windowsPhoneLegacyId

 
Same value maps to the ProductName and Publisher name

 
This value will only be present if there is a XAP package associated with the app in the Store.

-
If this value is populated then the simple thing to do to cover both the AppX and XAP package would be to create two rules for the app. One rule for AppX using the packageIdentityName and publisherCertificateName value and anothe one using the windowsPhoneLegacyId value.

+
If this value is populated then the simple thing to do to cover both the AppX and XAP package would be to create two rules for the app. One rule for AppX using the packageIdentityName and publisherCertificateName value and another one using the windowsPhoneLegacyId value.

 
 
 
@@ -668,12 +713,12 @@ The following list shows the apps that may be included in the inbox.
 Microsoft.MSPodcast
 
 
-Posdcast downloads
+Podcast downloads
 063773e7-f26f-4a92-81f0-aa71a1161e30
 
 
 
-Powerpoint
+PowerPoint
 b50483c4-8046-4e1b-81ba-590b24935798
 Microsoft.Office.PowerPoint
 
diff --git a/windows/client-management/mdm/diagnosticlog-csp.md b/windows/client-management/mdm/diagnosticlog-csp.md
index d0a24d5007..2e5300fe0d 100644
--- a/windows/client-management/mdm/diagnosticlog-csp.md
+++ b/windows/client-management/mdm/diagnosticlog-csp.md
@@ -9,797 +9,211 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: manikadhiman
-ms.date: 08/05/2019
+ms.date: 11/19/2019
 ---
 
 # DiagnosticLog CSP
+The DiagnosticLog configuration service provider (CSP) provides the following feature areas:  
+- [DiagnosticArchive area](#diagnosticarchive-area). Capture and upload event logs, log files, and registry values for troubleshooting.
+- [Policy area](#policy-area). Configure Windows event log policies, such as maximum log size.
+- [EtwLog area](#etwlog-area). Control ETW trace sessions.
+- [DeviceStateData area](#devicestatedata-area). Provide additional device information.
+- [FileDownload area](#filedownload-area). Pull trace and state data directly from the device.
 
-The DiagnosticLog configuration service provider (CSP) is used in the following scenarios:  
-- [Controlling ETW trace sessions](#diagnosticlog-csp-for-controlling-etw-trace-sessions)
-- [Triggering devices to upload existing event logs, log files, and registry values to cloud storage](#diagnosticlog-csp-for-triggering-devices-to-upload-files-to-cloud)
-
-## DiagnosticLog CSP for controlling ETW trace sessions
-The DiagnosticLog CSP is used for generating and collecting diagnostic information from the device: Event Tracing for Windows (ETW) log files and current MDM configured state of the device.
-
-DiagnosticLog CSP supports the following type of event tracing:
-
-- Collector-based tracing
-- Channel-based tracing
-
-### Collector-based tracing
-
-This type of event tracing simultaneously collects event data from a collection of registered ETW providers.
-
-An event collector is a container of registered ETW providers. Users can add or delete a collector node and register or unregister multiple providers in this collector.
-
-The ***CollectorName*** must be unique within the CSP and must not be a valid event channel name or a provider GUID.
-
-The DiagnosticLog CSP maintains a log file for each collector node and the log file is overwritten if a start command is triggered again on the same collector node.
-
-For each collector node, the user can:
-
--   Start or stop the session with all registered and enabled providers
--   Query session status
--   Change trace log file mode
--   Change trace log file size limit
-
-The configurations log file mode and log file size limit does not take effect while trace session is in progress. These are applied when user stops the current session and then starts it again for this collector.
-
-For each registered provider in this collector, the user can:
-
--   Specify keywords to filter events from this provider
--   Change trace level to filter events from this provider
--   Enable or disable the provider in the trace session
-
-The changes on **State**, **Keywords** and **TraceLevel** takes effect immediately while trace session is in progress.
-
-> [!Note]
-> Microsoft-WindowsPhone-Enterprise-Diagnostics-Provider (GUID - 3da494e4-0fe2-415C-b895-fb5265c5c83b) has the required debug resource files built into Windows OS, which will allow the logs files to be decoded on the remote machine. Any other logs may not have the debug resources required to decode.
-
- ### Channel-based tracing
-
-The type of event tracing exports event data from a specific channel. This is only supported on the desktop.
-
-Users can add or delete a channel node using the full name, such as Microsoft-Windows-AppModel-Runtime/Admin.
-
-The DiagnosticLog CSP maintains a log file for each channel node and the log file is overwritten if a start command is triggered again on the same channel node.
-
-For each channel node, the user can:
-
--   Export channel event data into a log file (.evtx)
--   Enable or disable the channel from Event Log service to allow or disallow event data being written into the channel
--   Specify an XPath query to filter events while exporting the channel event data
-
-For more information about using DiagnosticLog to collect logs remotely from a PC or mobile device, see [Diagnose MDM failures in Windows 10](diagnose-mdm-failures-in-windows-10.md).
-
-Here are the links to the DDFs:
-
--   [DiagnosticLog CSP version 1.2](diagnosticlog-ddf.md#version-1-2)
--   [DiagnosticLog CSP version 1.3](diagnosticlog-ddf.md#version-1-3)
+The following are the links to different versions of the DiagnosticLog CSP DDF files:  
 -   [DiagnosticLog CSP version 1.4](diagnosticlog-ddf.md#version-1-4)
+-   [DiagnosticLog CSP version 1.3](diagnosticlog-ddf.md#version-1-3)
+-   [DiagnosticLog CSP version 1.2](diagnosticlog-ddf.md#version-1-2)
+
 
 The following diagram shows the DiagnosticLog CSP in tree format.
-
 ![diagnosticlog csp diagram](images/provisioning-csp-diagnosticlog.png)
 
 **./Vendor/MSFT/DiagnosticLog**  
 The root node for the DiagnosticLog CSP.
 
-To gather diagnostics using this CSP:
+Rest of the nodes in the DiagnosticLog CSP are described within their respective feature area sections.
 
-1.  Specify a *CollectorName* for the container of the target ETW providers.
-2.  (Optional) Set logging and log file parameters using the following options:
+## DiagnosticArchive area
 
-    - TraceLogFileMode
-    - LogFileSizeLimitMB
+The DiagnosticArchive functionality within the DiagnosticLog CSP is used to trigger devices to gather troubleshooting data into a zip archive file and upload that archive to cloud storage. DiagnosticArchive is designed for ad-hoc troubleshooting scenarios, such as an IT admin investigating an app installation failure using a collection of event log events, registry values, and app or OS log files.
 
-3.  Indicate one or more target ETW providers by supplying its *ProviderGUID* to the Add operation of EtwLog/Collectors/*CollectorName*/Providers/*ProviderGUID*.
-4.  (Optional) Set logging and log file parameters using the following options:
-    - TraceLevel
-    -   Keywords
-5.  Start logging using **TraceControl** EXECUTE command “START”.
-6.  Perform actions on the target device that will generate activity in the log files.
-7.  Stop logging using **TraceControl** EXECUTE command “STOP”.
-8.  Collect the log file located in the `%temp%` folder using the method described in [Reading a log file](#reading-a-log-file).
+> [!Note]
+> DiagnosticArchive is a "break glass" backstop option for device troubleshooting. Diagnostic data such as log files can grow to many gigabytes. Gathering, transferring, and storing large amounts of data may burden the user's device, the network and cloud storage. Management servers invoking DiagnosticArchive must take care to minimize data gathering frequency and scope.
 
-**EtwLog**  
-Node to contain the Error Tracing for Windows log.
+The following section describes the nodes for the DiagnosticArchive functionality.
+
+**DiagnosticArchive**  
+Added in version 1.4 of the CSP in Windows 10, version 1903. Root node for the DiagnosticArchive functionality. 
 
 The supported operation is Get.
 
-**EtwLog/Collectors**  
-Interior node to contain dynamic child interior nodes for active providers.
+**DiagnosticArchive/ArchiveDefinition**  
+Added in version 1.4 of the CSP in Windows 10, version 1903. 
+
+The supported operations are Add and Execute.
+
+The data type is string.
+
+Expected value:
+Set and Execute are functionality equivalent, and each accepts an XML snippet (as a string) describing what data to gather and where to upload it.
+
+The following is an example of the XML. This example instructs the CSP to gather:
+- All the keys and values under a registry path
+- All the *.etl files in a folder
+- The output of two commands
+- Additional files created by one of the commands
+- All the Application event log events. 
+
+The results are zipped and uploaded to the specified SasUrl. The filename format is "DiagLogs-{ComputerName}-YYYYMMDDTHHMMSSZ.zip".
+
+``` xml
+
+   server generated guid value such as f1e20cb4-9789-4f6b-8f6a-766989764c6d
+   server generated url where the HTTP PUT will be accepted
+   HKLM\Software\Policies
+   %ProgramData%\Microsoft\DiagnosticLogCSP\Collectors\*.etl
+   %windir%\system32\ipconfig.exe /all
+   %windir%\system32\mdmdiagnosticstool.exe -out %ProgramData%\temp\
+   %ProgramData%\temp\*.*
+   Application
+
+
+```
+The XML should include the following elements within the `Collection` element:
+
+**ID**  
+The ID value is a server-generated GUID string that identifies this data-gathering request. To avoid accidental repetition of data gathering, the CSP ignores subsequent Set or Execute invocations with the same ID value.
+
+**SasUrl**  
+The SasUrl value is the target URI to which the CSP uploads the results zip file. It is the responsibility of the management server to provision storage in such a way that the server accepts the HTTP PUT to this URL. For example, the device management service could:
+- Provision cloud storage, such as an Azure blob storage container or other storage managed by the device management server
+- Generate a dynamic https SAS token URL representing the storage location (and which is understood by the server to allow a one-time upload or time-limited uploads)
+- Pass this value to the CSP as the SasUrl value. 
+
+Assuming a case where the management server's customer (such as an IT admin) is meant to access the data, the management server would also expose the stored data through its user interface or APIs.
+
+**One or more data gathering directives, which may include any of the following:**  
+
+- **RegistryKey**
+  - Exports all of the key names and values under a given path (recursive).
+  - Expected input value: Registry path such as "HKLM\Software\Policies".
+  - Output format: Creates a .reg file, similar to the output of reg.exe EXPORT command.
+  - Privacy guardrails: To enable diagnostic log capture while reducing the risk of an IT admin inadvertently capturing user-generated documents, registry paths are restricted to those under HKLM and HKCR.
+
+- **Events**
+  - Exports all events from the named Windows event log.
+  - Expected input value: A named event log channel such as "Application" or "Microsoft-Windows-DeviceGuard/Operational".
+  - Output format: Creates a .evtx file.
+
+- **Commands**
+  - This directive type allows the execution of specific commands such as ipconfig.exe. Note that DiagnosticArchive and the Commands directives are not a general-purpose scripting platform. These commands are allowed in the DiagnosticArchive context to handle cases where critical device information may not be available through existing log files.
+  - Expected input value: The full command line including path and any arguments, such as `%windir%\\system32\\ipconfig.exe /all`.
+  - Output format: Console text output from the command is captured in a text file and included in the overall output archive. For commands which may generate file output rather than console output, a subsequent FolderFiles directive would be used to capture that output. The example XML above demonstrates this pattern with mdmdiagnosticstool.exe's -out parameter.
+  - Privacy guardrails: To enable diagnostic data capture while reducing the risk of an IT admin inadvertently capturing user-generated documents, only the following commands are allowed:  
+          - %windir%\\system32\\certutil.exe  
+          - %windir%\\system32\\dxdiag.exe  
+          - %windir%\\system32\\gpresult.exe  
+          - %windir%\\system32\\msinfo32.exe  
+          - %windir%\\system32\\netsh.exe  
+          - %windir%\\system32\\nltest.exe  
+          - %windir%\\system32\\ping.exe  
+          - %windir%\\system32\\powercfg.exe  
+          - %windir%\\system32\\w32tm.exe  
+          - %windir%\\system32\\wpr.exe  
+          - %windir%\\system32\\dsregcmd.exe  
+          - %windir%\\system32\\dispdiag.exe  
+          - %windir%\\system32\\ipconfig.exe  
+          - %windir%\\system32\\logman.exe  
+          - %windir%\\system32\\tracelog.exe  
+          - %programfiles%\\windows defender\\mpcmdrun.exe  
+          - %windir%\\system32\\MdmDiagnosticsTool.exe  
+          - %windir%\\system32\\pnputil.exe  
+
+- **FoldersFiles**
+  - Captures log files from a given path (without recursion).
+  - Expected input value: File path with or without wildcards, such as "%windir%\\System32", or "%programfiles%\\*.log".
+  - Privacy guardrails: To enable diagnostic log capture while reducing the risk of an IT admin inadvertently capturing user-generated documents, only paths under the following roots are allowed:  
+          - %PROGRAMFILES%  
+          - %PROGRAMDATA%  
+          - %PUBLIC%  
+          - %WINDIR%  
+          - %TEMP%  
+          - %TMP%  
+  - Additionally, only files with the following extensions are captured:  
+          - .log  
+          - .txt  
+          - .dmp  
+          - .cab  
+          - .zip  
+          - .xml  
+          - .html  
+          - .evtx  
+          - .etl  
+
+**DiagnosticArchive/ArchiveResults**  
+Added in version 1.4 of the CSP in Windows 10, version 1903. This policy setting displays the results of the last archive run. 
 
 The supported operation is Get.
 
-**EtwLog/Collectors/***CollectorName*  
-Dynamic nodes to represent active collector configuration.
+The data type is string. 
 
-Supported operations are Add, Delete, and Get.
+A Get to the above URI will return the results of the data gathering for the last diagnostics request. For the example above it returns:
 
-Add a collector
-
-```xml
-
-
-    
-        
+``` xml
+
+    
+      
+          
             1
-            
-                
-                    ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement
-                
-                
-                    node
-                
-            
-        
-        
-    
-
-```
-
-Delete a collector
-
-```xml
-
-
-    
-        
-            1
-            
-                
-                    ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement
-                
-            
-        
-        
-    
-
-```
-
-**EtwLog/Collectors/*CollectorName*/TraceStatus**  
-Specifies whether the current logging status is running.
-
-The data type is an integer.
-
-The supported operation is Get.
-
-The following table represents the possible values:
-
-| Value | Description |
-|-------|-------------|
-| 0     | Stopped     |
-| 1     | Started     |
-
-**EtwLog/Collectors/*CollectorName*/TraceLogFileMode**  
-Specifies the log file logging mode.
-
-The data type is an integer.
-
-Supported operations are Get and Replace.
-
-The following table lists the possible values:
-
-| Value | Description        |
-|-------|--------------------|
-| EVENT_TRACE_FILE_MODE_SEQUENTIAL (0x00000001) | Writes events to a log file sequentially; stops when the file reaches its maximum size. |
-| EVENT_TRACE_FILE_MODE_CIRCULAR (0x00000002)  | Writes events to a log file. After the file reaches the maximum size, the oldest events are replaced with incoming events.   |
-
-**EtwLog/Collectors/*CollectorName*/TraceControl**  
-Specifies the logging and report action state.
-
-The data type is a string.
-
-The following table lists the possible values:
-
-| Value | Description        |
-|-------|--------------------|
-| START | Start log tracing. |
-| STOP  | Stop log tracing   |
-
-The supported operation is Execute.
-
-After you have added a logging task, you can start a trace by running an Execute command on this node with the value START.
-
-To stop the trace, running an execute command on this node with the value STOP.
-
-Start collector trace logging
-
-```xml
-
-
-    
-        
+            1
+            0
+            SyncHdr
+            200
+          
+          
             2
-            
-                
-                    ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/TraceControl
-                
-                
-                    chr
-                
-                START
-            
-        
-        
-    
+            1
+            1
+            Get
+            200
+          
+          
+            3
+            1
+            1
+          
+            
+            ./Vendor/MSFT/DiagnosticLog/DiagnosticArchive/ArchiveResults
+            
+          
+            
+                f1e20cb4-9789-4f6b-8f6a-766989764c6d
+                HKLM\Software\Policies
+                C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\*.etl
+                %windir%\system32\ipconfig.exe /all
+                %windir%\system32\mdmdiagnosticstool.exe -out c:\ProgramData\temp\
+                c:\ProgramData\temp\*.*
+                Application
+              
+          
+          
+          
+          
+      
 
 ```
 
-Stop collector trace logging
+Each data gathering node is annotated with the HRESULT of the action and the collection is also annotated with an overall HRESULT. In this example, note that the mdmdiagnosticstool.exe command failed.
 
-```xml
-
-
-    
-        
-            2
-            
-                
-                    ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/TraceControl
-                
-                
-                    chr
-                
-                STOP
-            
-        
-        
-    
-
-```
+The zip file which is created also contains a results.xml file whose contents align to the Data section in the SyncML for ArchiveResults. Accordingly, an IT admin using the zip file for troubleshooting can determine the order and success of each directive without needing a permanent record of the SyncML value for DiagnosticArchive/ArchiveResults.
 
-**EtwLog/Collectors/*CollectorName*/LogFileSizeLimitMB**  
-Sets the log file size limit, in MB.
 
-The data type is an integer.
+## Policy area
 
-Valid values are 1-2048. The default value is 4.
+The Policy functionality within the DiagnosticLog CSP configures Windows event log policies, such as maximum log size.
 
-Supported operations are Get and Replace.
-
-**EtwLog/Collectors/*CollectorName*/Providers**  
-Interior node to contain dynamic child interior nodes for active providers.
-
-The supported operation is Get.
-
-**EtwLog/Collectors/*CollectorName*/Providers/***ProviderGUID*  
-Dynamic nodes to represent active provider configuration per provider GUID.
-
-> **Note**  Microsoft-WindowsPhone-Enterprise-Diagnostics-Provider (GUID - 3da494e4-0fe2-415C-b895-fb5265c5c83b) has the required debug resource files built into Windows OS, which will allow the logs files to be decoded on the remote machine. Any other logs may not have the debug resources required to decode.
-
-Supported operations are Add, Delete, and Get.
-
-Add a provider
-
-```xml
-
-
-    
-        
-            1
-            
-                
-                    ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b
-                
-                
-                    node
-                
-            
-        
-        
-    
-
-```
-
-Delete a provider
-
-```xml
-
-
-    
-        
-            1
-            
-                
-                    ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b
-                
-            
-        
-        
-    
-
-```
-
-**EtwLog/Collectors/*CollectorName*/Providers/*ProviderGUID*/TraceLevel**  
-Specifies the level of detail included in the trace log.
-
-The data type is an integer.
-
-Supported operations are Get and Replace.
-
-The following table lists the possible values:
-
-| Value | Description        |
-|-------|--------------------|
-| 1 – TRACE_LEVEL_CRITICAL | Abnormal exit or termination events |
-| 2 – TRACE_LEVEL_ERROR  | Severe error events   |
-| 3 – TRACE_LEVEL_WARNING  | Warning events such as allocation failures   |
-| 4 – TRACE_LEVEL_INFORMATION  | Non-error events, such as entry or exit events   |
-| 5 – TRACE_LEVEL_VERBOSE  | Detailed information   |
-
-Set provider **TraceLevel**
-
-```xml
-
-
-    
-        
-            2
-            
-                
-                    ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b/TraceLevel
-                
-                
-                    int
-                
-                1
-            
-        
-        
-    
-
-```
-
-**EtwLog/Collectors/*CollectorName*/Providers/*ProviderGUID*/Keywords**  
-Specifies the provider keywords to be used as MatchAnyKeyword for this provider.
-
-The data type is a string.
-
-Supported operations are Get and Replace.
-
-Default value is 0 meaning no keyword.
-
-Get provider **Keywords**
-
-```xml
-
-  
-    
-      1
-      
-        
-          
-            ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b/Keywords
-          
-        
-      
-    
-     
-  
-
-```
-
-Set provider **Keywords**
-
-```xml
-
-  
-    
-      4
-      
-        
-          
-            ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b/Keywords
-          
-        
-        
-          chr
-          text/plain
-        
-        12345678FFFFFFFF
-      
-    
-     
-  
-
-```
-
-**EtwLog/Collectors/*CollectorName*/Providers/*ProviderGUID*/State**  
-Specifies if this provider is enabled in the trace session.
-
-The data type is a boolean.
-
-Supported operations are Get and Replace. This change will be effective during active trace session.
-
-The following table lists the possible values:
-| Value | Description        |
-|-------|--------------------|
-| TRUE | Provider is enabled in the trace session. This is the default. |
-| FALSE  | Provider is disabled in the trace session.   |
-
-Set provider **State**
-
-```xml
-
-
-    
-        
-            2
-            
-                
-                    ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b/State
-                
-                
-                    bool
-                
-                false
-            
-        
-        
-    
-
-```
-
-**EtwLog/Channels**  
-Interior node to contain dynamic child interior nodes for registered channels.
-
-The supported operation is Get.
-
-**EtwLog/Channels/***ChannelName*  
-Dynamic nodes to represent a registered channel. The node name must be a valid Windows event log channel name, such as "Microsoft-Client-Licensing-Platform%2FAdmin"
-
-Supported operations are Add, Delete, and Get.
-
-Add a channel
-
-```xml
-
-
-    
-        
-            1
-            
-                
-                    ./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin
-                
-                
-                    node
-                
-            
-        
-        
-    
-
-```
-
-Delete a channel
-
-```xml
-
-
-    
-        
-            1
-            
-                
-                    ./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin
-                
-            
-        
-        
-    
-
-```
-
-**EtwLog/Channels/*ChannelName*/Export**  
-Node to trigger the command to export channel event data into the log file.
-
-The supported operation is Execute.
-
-Export channel event data
-
-```xml
-
-
-    
-        
-            2
-            
-                
-                    ./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin/Export
-                
-            
-        
-        
-    
-
-```
-
-**EtwLog/Channels/*ChannelName*/Filter**  
-Specifies the XPath query string to filter the events while exporting.
-
-The data type is a string.
-
-Supported operations are Get and Replace.
-
-Default value is empty string.
-
-Get channel **Filter**
-
-```xml
-
-
-    
-        
-            1
-            
-                
-                    ./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin/Filter
-                
-            
-        
-        
-    
-
-```
-
-**EtwLog/Channels/*ChannelName*/State**  
-Specifies if the Channel is enabled or disabled.
-
-The data type is a boolean.
-
-Supported operations are Get and Replace.
-
-The following table lists the possible values:
-
-| Value | Description        |
-|-------|--------------------|
-| TRUE | Channel is enabled. |
-| FALSE  | Channel is disabled. |
-
-Get channel **State**
-
-```xml
-
-
-    
-        
-            1
-            
-                
-                    ./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin/State
-                
-            
-        
-        
-    
-
-```
-
-Set channel **State**
-
-```xml
-
-
-    
-        
-            2
-            
-                
-                    ./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin/State
-                
-                
-                    bool
-                
-                false
-            
-        
-        
-    
-
-```
-
-**DeviceStateData**  
-Added in version 1.3 of the CSP in Windows 10, version 1607. Node for all types of device state data that are exposed.
-
-**DeviceStateData/MdmConfiguration**  
-Added in version 1.3 of the CSP in Windows 10, version 1607. Triggers the snapping of device management state data with SNAP.
-
-The supported value is Execute.
-
-```xml
-
-
-  
-    
-      2
-      
-        
-          ./Vendor/MSFT/DiagnosticLog/DeviceStateData/MdmConfiguration
-        
-        
-           chr
-        
-        SNAP
-      
-    
-    
-  
-
-```
-
-**FileDownload**  
-Node to contain child nodes for log file transportation protocols and corresponding actions.
-
-**FileDownload/DMChannel**  
-Node to contain child nodes using DM channel for transport protocol.
-
-**FileDownload/DMChannel/***FileContext*  
-Dynamic interior nodes that represents per log file context.
-
-**FileDownload/DMChannel/*FileContext*/BlockSizeKB**  
-Sets the log read buffer, in KB.
-
-The data type is an integer.
-
-Valid values are 1-16. The default value is 4.
-
-Supported operations are Get and Replace.
-
-Set **BlockSizeKB**
-
-```xml
-
-
-    
-        
-            1
-            
-                
-                    ./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockSizeKB
-                
-                
-                    int
-                
-                1
-            
-        
-        
-    
-
-```
-
-Get **BlockSizeKB**
-
-```xml
-
-
-    
-        
-            1
-            
-                
-                    ./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockSizeKB
-                
-            
-        
-        
-    
-
-```
-
-**FileDownload/DMChannel/*FileContext*/BlockCount**  
-Represents the total read block count for the log file.
-
-The data type is an integer.
-
-The only supported operation is Get.
-
-Get **BlockCount**
-
-```xml
-
-
-    
-        
-            1
-            
-                
-                    ./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockCount
-                
-            
-        
-        
-    
-
-```
-
-**FileDownload/DMChannel/*FileContext*/BlockIndexToRead**  
-Represents the read block start location.
-
-The data type is an integer.
-
-Supported operations are Get and Replace.
-
-Set **BlockIndexToRead** at 0
-
-```xml
-
-
-    
-        
-            1
-            
-                
-                    ./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockIndexToRead
-                
-                
-                    int
-                
-                0
-            
-        
-        
-    
-
-```
-
-Set **BlockIndexToRead** at 1
-
-```xml
-
-
-    
-        
-            1
-            
-                
-                    ./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockIndexToRead
-                
-                
-                    int
-                
-                1
-            
-        
-        
-    
-
-```
-
-**FileDownload/DMChannel/*FileContext*/BlockData**  
-The data type is Base64.
-
-The only supported operation is Get.
-
-Get **BlockData**
-
-```xml
-
-
-    
-        
-            1
-            
-                
-                    ./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockData
-                
-            
-        
-        
-    
-
-```
-
-**FileDownload/DMChannel/*FileContext*/DataBlocks**  
-Node to transfer the selected log file block to the DM server.
-
-**FileDownload/DMChannel/*FileContext*/DataBlocks/***BlockNumber*  
-The data type is Base64.
-
-The supported operation is Get.
+The following section describes the nodes for the Policy functionality.
 
 **Policy**  
 Added in version 1.4 of the CSP in Windows 10, version 1903. Root node to control settings for channels in Event Log.
@@ -1268,110 +682,798 @@ Replace **Enabled**
 
 ```
 
-## DiagnosticLog CSP for triggering devices to upload files to cloud
-The DiagnosticLog CSP is used for triggering devices to upload existing event logs, log files, and registry values to cloud storage. The following section describes the nodes for the DiagnosticArchive functionality.
+## EtwLog area
 
-**DiagnosticArchive**  
-Added in version 1.4 of the CSP in Windows 10, version 1903. Root note for the DiagnosticArchive functionality. 
+The Event Tracing for Windows (ETW) log feature of the DiagnosticLog CSP is used to control the following types of event tracing:
+- [Collector-based tracing](#collector-based-tracing)
+- [Channel-based tracing](#channel-based-tracing)
+
+The ETW log feature is designed for advanced usage, and assumes developers' familiarity with ETW. For more information, see [About Event Tracing](https://docs.microsoft.com/windows/win32/etw/about-event-tracing).
+
+### Collector-based tracing
+
+This type of event tracing collects event data from a collection of registered ETW providers.
+
+An event collector is a container of registered ETW providers. Users can add or delete a collector node and register or unregister multiple providers in this collector.
+
+The ***CollectorName*** must be unique within the CSP and must not be a valid event channel name or a provider GUID.
+
+The DiagnosticLog CSP maintains a log file for each collector node and the log file is overwritten if a start command is triggered again on the same collector node.
+
+For each collector node, the user can:
+
+-   Start or stop the session with all registered and enabled providers
+-   Query session status
+-   Change trace log file mode
+-   Change trace log file size limit
+
+The configurations log file mode and log file size limit does not take effect while trace session is in progress. These are applied when user stops the current session and then starts it again for this collector.
+
+For each registered provider in this collector, the user can:
+
+-   Specify keywords to filter events from this provider
+-   Change trace level to filter events from this provider
+-   Enable or disable the provider in the trace session
+
+The changes on **State**, **Keywords**, and **TraceLevel** takes effect immediately while trace session is in progress.
+
+> [!Note]
+> Microsoft-WindowsPhone-Enterprise-Diagnostics-Provider (GUID - 3da494e4-0fe2-415C-b895-fb5265c5c83b) has the required debug resource files built into Windows OS, which will allow the logs files to be decoded on the remote machine. Any other logs may not have the debug resources required to decode.
+
+ ### Channel-based tracing
+
+The type of event tracing exports event data from a specific channel. This is only supported on the desktop.
+
+Users can add or delete a channel node using the full name, such as Microsoft-Windows-AppModel-Runtime/Admin.
+
+The DiagnosticLog CSP maintains a log file for each channel node and the log file is overwritten if a start command is triggered again on the same channel node.
+
+For each channel node, the user can:
+
+-   Export channel event data into a log file (.evtx)
+-   Enable or disable the channel from Event Log service to allow or disallow event data being written into the channel
+-   Specify an XPath query to filter events while exporting the channel event data
+
+For more information about using DiagnosticLog to collect logs remotely from a PC or mobile device, see [Diagnose MDM failures in Windows 10](diagnose-mdm-failures-in-windows-10.md).
+
+To gather diagnostics using this CSP:
+
+1.  Specify a *CollectorName* for the container of the target ETW providers.
+2.  (Optional) Set logging and log file parameters using the following options:
+
+    - TraceLogFileMode
+    - LogFileSizeLimitMB
+
+3.  Indicate one or more target ETW providers by supplying its *ProviderGUID* to the Add operation of EtwLog/Collectors/*CollectorName*/Providers/*ProviderGUID*.
+4.  (Optional) Set logging and log file parameters using the following options:
+    - TraceLevel
+    - Keywords
+5.  Start logging using **TraceControl** EXECUTE command “START”.
+6.  Perform actions on the target device that will generate activity in the log files.
+7.  Stop logging using **TraceControl** EXECUTE command “STOP”.
+8.  Collect the log file located in the `%temp%` folder using the method described in [Reading a log file](#reading-a-log-file).
+
+The following section describes the nodes for EtwLog functionality.
+
+**EtwLog**  
+Node to contain the Error Tracing for Windows log.
 
 The supported operation is Get.
 
-**DiagnosticArchive/ArchiveDefinition**  
-Added in version 1.4 of the CSP in Windows 10, version 1903. 
-
-The supported operations are Add and Execute.
-
-The data type is string.
-
-Expected value:
-Set and Execute are functionality equivalent, and each accepts an XML snippet (as a string) describing what data to gather and where to upload it when done. This XML defines what should be collected and compressed into a zip file to be uploaded to Azure blog storage.
-
-The following is an example of the XML. This example instructs that a zip file be created containing the output from a dump of the specified registry key, all the files in a folder, the output of two commands, all the files in another folder, the output of a command, all the Application events, two sets of files, and another command output. All of this will be uploaded to the blob storage URL as specified in the  tags and must be in the noted format with the container and the key in the URL. The administrator can retrieve this URL from Azure. The file uploaded will be in the format DiagLogs-{ComputerName}-YYYYMMDDTHHMMSSZ.zip.
-
-``` xml
-
-             f1e20cb4-9789-4f6b-8f6a-766989764c6d
-             {web address}/{container}{key}
-             HKLM\Software\Policies
-             C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\*.etl
-             %windir%\system32\ipconfig.exe /all
-             %windir%\system32\mdmdiagnosticstool.exe -out c:\ProgramData\temp\
-             c:\ProgramData\temp\*.*
-             %windir%\system32\ping.exe -n 50 localhost
-             Application
-             %ProgramData%\Microsoft\DiagnosticLogCSP\Collectors\*.etl
-             %SystemRoot%\System32\LogFiles\wmi\*.etl.*
-             
-             %windir%\system32\pnputil.exe /enum-drivers
-
-
-```
-Where:
-
-- ID is a unique GUID value that defines this particular run of the DiagnosticLog CSP.
-- There can be multiple RegistryKey, FolderFiles, Command, and Events elements, which extract or execute and collect the output from the action specified. 
-- SasUrl is generated from the Azure Blob Storage UX in Azure such that it will allow write access to the blob to upload the zip file created by all the actions specified. 
-
-**DiagnosticArchive/ArchiveResults**  
-Added in version 1.4 of the CSP in Windows 10, version 1903. This policy setting displays the results of the last archive run. 
+**EtwLog/Collectors**  
+Interior node to contain dynamic child interior nodes for active providers.
 
 The supported operation is Get.
 
-The data type is string. 
+**EtwLog/Collectors/***CollectorName*  
+Dynamic nodes to represent active collector configuration.
 
-A Get to the above URI will return the results of the gathering of data for the last diagnostics request. For the example above it returns:
+Supported operations are Add, Delete, and Get.
 
-``` xml
-
-    
-      
-          
+Add a collector
+
+```xml
+
+
+    
+        
             1
-            1
-            0
-            SyncHdr
-            200
-          
-          
-            2
-            1
-            1
-            Get
-            200
-          
-          
-            3
-            1
-            1
-          
-            
-            ./Vendor/MSFT/DiagnosticLog/DiagnosticArchive/ArchiveResults
-            
-          
-            
-                f1e20cb4-9789-4f6b-8f6a-766989764c6d
-                HKLM\Software\Policies
-                C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\*.etl
-                %windir%\system32\ipconfig.exe /all
-                %windir%\system32\mdmdiagnosticstool.exe -out c:\ProgramData\temp\
-                c:\ProgramData\temp\*.*
-                %windir%\system32\ping.exe -n 50 localhost
-                Application
-                %ProgramData%\Microsoft\DiagnosticLogCSP\Collectors\*.etl
-                %SystemRoot%\System32\LogFiles\wmi\*.etl.*
-                %windir%\system32\pnputil.exe /enum-drivers
-              
-          
-          
-          
-          
-      
+            
+                
+                    ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement
+                
+                
+                    node
+                
+            
+        
+        
+    
 
 ```
-> [!Note]
-> Each data gathering node is annotated with the HRESULT of the option and the collection is also annotated with an HRESULT. In this example, note that the mdmdiagnosticstool.exe command failed.
 
-## Reading a log file
+Delete a collector
+
+```xml
+
+
+    
+        
+            1
+            
+                
+                    ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement
+                
+            
+        
+        
+    
+
+```
+
+**EtwLog/Collectors/*CollectorName*/TraceStatus**  
+Specifies whether the current logging status is running.
+
+The data type is an integer.
+
+The supported operation is Get.
+
+The following table represents the possible values:
+
+| Value | Description |
+|-------|-------------|
+| 0     | Stopped     |
+| 1     | Started     |
+
+**EtwLog/Collectors/*CollectorName*/TraceLogFileMode**  
+Specifies the log file logging mode.
+
+The data type is an integer.
+
+Supported operations are Get and Replace.
+
+The following table lists the possible values:
+
+| Value | Description        |
+|-------|--------------------|
+| EVENT_TRACE_FILE_MODE_SEQUENTIAL (0x00000001) | Writes events to a log file sequentially; stops when the file reaches its maximum size. |
+| EVENT_TRACE_FILE_MODE_CIRCULAR (0x00000002)  | Writes events to a log file. After the file reaches the maximum size, the oldest events are replaced with incoming events.   |
+
+**EtwLog/Collectors/*CollectorName*/TraceControl**  
+Specifies the logging and report action state.
+
+The data type is a string.
+
+The following table lists the possible values:
+
+| Value | Description        |
+|-------|--------------------|
+| START | Start log tracing. |
+| STOP  | Stop log tracing   |
+
+The supported operation is Execute.
+
+After you have added a logging task, you can start a trace by running an Execute command on this node with the value START.
+
+To stop the trace, running an execute command on this node with the value STOP.
+
+Start collector trace logging
+
+```xml
+
+
+    
+        
+            2
+            
+                
+                    ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/TraceControl
+                
+                
+                    chr
+                
+                START
+            
+        
+        
+    
+
+```
+
+Stop collector trace logging
+
+```xml
+
+
+    
+        
+            2
+            
+                
+                    ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/TraceControl
+                
+                
+                    chr
+                
+                STOP
+            
+        
+        
+    
+
+```
+
+**EtwLog/Collectors/*CollectorName*/LogFileSizeLimitMB**  
+Sets the log file size limit, in MB.
+
+The data type is an integer.
+
+Valid values are 1-2048. The default value is 4.
+
+Supported operations are Get and Replace.
+
+**EtwLog/Collectors/*CollectorName*/Providers**  
+Interior node to contain dynamic child interior nodes for active providers.
+
+The supported operation is Get.
+
+**EtwLog/Collectors/*CollectorName*/Providers/***ProviderGUID*  
+Dynamic nodes to represent active provider configuration per provider GUID.
+
+> [!Note]
+> Microsoft-WindowsPhone-Enterprise-Diagnostics-Provider (GUID - 3da494e4-0fe2-415C-b895-fb5265c5c83b) has the required debug resource files built into Windows OS, which will allow the logs files to be decoded on the remote machine. Any other logs may not have the debug resources required to decode.
+
+Supported operations are Add, Delete, and Get.
+
+Add a provider
+
+```xml
+
+
+    
+        
+            1
+            
+                
+                    ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b
+                
+                
+                    node
+                
+            
+        
+        
+    
+
+```
+
+Delete a provider
+
+```xml
+
+
+    
+        
+            1
+            
+                
+                    ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b
+                
+            
+        
+        
+    
+
+```
+
+**EtwLog/Collectors/*CollectorName*/Providers/*ProviderGUID*/TraceLevel**  
+Specifies the level of detail included in the trace log.
+
+The data type is an integer.
+
+Supported operations are Get and Replace.
+
+The following table lists the possible values:
+
+| Value | Description        |
+|-------|--------------------|
+| 1 – TRACE_LEVEL_CRITICAL | Abnormal exit or termination events |
+| 2 – TRACE_LEVEL_ERROR  | Severe error events   |
+| 3 – TRACE_LEVEL_WARNING  | Warning events such as allocation failures   |
+| 4 – TRACE_LEVEL_INFORMATION  | Non-error events, such as entry or exit events   |
+| 5 – TRACE_LEVEL_VERBOSE  | Detailed information   |
+
+Set provider **TraceLevel**
+
+```xml
+
+
+    
+        
+            2
+            
+                
+                    ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b/TraceLevel
+                
+                
+                    int
+                
+                1
+            
+        
+        
+    
+
+```
+
+**EtwLog/Collectors/*CollectorName*/Providers/*ProviderGUID*/Keywords**  
+Specifies the provider keywords to be used as MatchAnyKeyword for this provider.
+
+The data type is a string.
+
+Supported operations are Get and Replace.
+
+Default value is 0 meaning no keyword.
+
+Get provider **Keywords**
+
+```xml
+
+  
+    
+      1
+      
+        
+          
+            ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b/Keywords
+          
+        
+      
+    
+     
+  
+
+```
+
+Set provider **Keywords**
+
+```xml
+
+  
+    
+      4
+      
+        
+          
+            ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b/Keywords
+          
+        
+        
+          chr
+          text/plain
+        
+        12345678FFFFFFFF
+      
+    
+     
+  
+
+```
+
+**EtwLog/Collectors/*CollectorName*/Providers/*ProviderGUID*/State**  
+Specifies if this provider is enabled in the trace session.
+
+The data type is a boolean.
+
+Supported operations are Get and Replace. This change will be effective during active trace session.
+
+The following table lists the possible values:  
+
+| Value | Description        |
+|-------|--------------------|
+| TRUE | Provider is enabled in the trace session. This is the default. |
+| FALSE  | Provider is disabled in the trace session.   |
+
+Set provider **State**
+
+```xml
+
+
+    
+        
+            2
+            
+                
+                    ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b/State
+                
+                
+                    bool
+                
+                false
+            
+        
+        
+    
+
+```
+
+**EtwLog/Channels**  
+Interior node to contain dynamic child interior nodes for registered channels.
+
+The supported operation is Get.
+
+**EtwLog/Channels/***ChannelName*  
+Dynamic nodes to represent a registered channel. The node name must be a valid Windows event log channel name, such as "Microsoft-Client-Licensing-Platform%2FAdmin"
+
+Supported operations are Add, Delete, and Get.
+
+Add a channel
+
+```xml
+
+
+    
+        
+            1
+            
+                
+                    ./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin
+                
+                
+                    node
+                
+            
+        
+        
+    
+
+```
+
+Delete a channel
+
+```xml
+
+
+    
+        
+            1
+            
+                
+                    ./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin
+                
+            
+        
+        
+    
+
+```
+
+**EtwLog/Channels/*ChannelName*/Export**  
+Node to trigger the command to export channel event data into the log file.
+
+The supported operation is Execute.
+
+Export channel event data
+
+```xml
+
+
+    
+        
+            2
+            
+                
+                    ./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin/Export
+                
+            
+        
+        
+    
+
+```
+
+**EtwLog/Channels/*ChannelName*/Filter**  
+Specifies the XPath query string to filter the events while exporting.
+
+The data type is a string.
+
+Supported operations are Get and Replace.
+
+Default value is empty string.
+
+Get channel **Filter**
+
+```xml
+
+
+    
+        
+            1
+            
+                
+                    ./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin/Filter
+                
+            
+        
+        
+    
+
+```
+
+**EtwLog/Channels/*ChannelName*/State**  
+Specifies if the Channel is enabled or disabled.
+
+The data type is a boolean.
+
+Supported operations are Get and Replace.
+
+The following table lists the possible values:
+
+| Value | Description        |
+|-------|--------------------|
+| TRUE | Channel is enabled. |
+| FALSE  | Channel is disabled. |
+
+Get channel **State**
+
+```xml
+
+
+    
+        
+            1
+            
+                
+                    ./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin/State
+                
+            
+        
+        
+    
+
+```
+
+Set channel **State**
+
+```xml
+
+
+    
+        
+            2
+            
+                
+                    ./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin/State
+                
+                
+                    bool
+                
+                false
+            
+        
+        
+    
+
+```
+
+## DeviceStateData area
+
+The DeviceStateData functionality within the DiagnosticLog CSP provides additional device information.
+
+The following section describes the nodes for the DeviceStateData functionality.
+
+**DeviceStateData**  
+Added in version 1.3 of the CSP in Windows 10, version 1607. Node for all types of device state data that are exposed.
+
+**DeviceStateData/MdmConfiguration**  
+Added in version 1.3 of the CSP in Windows 10, version 1607. Triggers the snapping of device management state data with SNAP.
+
+The supported value is Execute.
+
+```xml
+
+
+  
+    
+      2
+      
+        
+          ./Vendor/MSFT/DiagnosticLog/DeviceStateData/MdmConfiguration
+        
+        
+           chr
+        
+        SNAP
+      
+    
+    
+  
+
+```
+
+## FileDownload area
+The FileDownload feature of the DiagnosticLog CSP enables a management server to pull data directly from the device. In the FileDownload context the client and server roles are conceptually reversed, with the management server acting as a client to download the data from the managed device.
+
+### Comparing FileDownload and DiagnosticArchive
+Both the FileDownload and DiagnosticArchive features can be used to get data from the device to the management server, but they are optimized for different workflows.
+
+- FileDownload enables the management server to directly pull byte-level trace data from the managed device. The data transfer takes place through the existing OMA-DM/SyncML context. It is typically used together with the EtwLogs feature as part of an advanced monitoring or diagnostic flow. FileDownlod requires granular orchestration by the management server, but avoids the need for dedicated cloud storage.
+- DiagnosticArchive allows the management server to give the CSP a full set of instructions as single command. Based on those instructions the CSP orchestrates the work client-side to package the requested diagnostic files into a zip archive and upload that archive to cloud storage. The data transfer happens outside of the OMA-DM session, via an HTTP PUT.
+
+The following section describes the nodes for the FileDownload functionality.
+
+**FileDownload**  
+Node to contain child nodes for log file transportation protocols and corresponding actions.
+
+**FileDownload/DMChannel**  
+Node to contain child nodes using DM channel for transport protocol.
+
+**FileDownload/DMChannel/***FileContext*  
+Dynamic interior nodes that represents per log file context.
+
+**FileDownload/DMChannel/*FileContext*/BlockSizeKB**  
+Sets the log read buffer, in KB.
+
+The data type is an integer.
+
+Valid values are 1-16. The default value is 4.
+
+Supported operations are Get and Replace.
+
+Set **BlockSizeKB**
+
+```xml
+
+
+    
+        
+            1
+            
+                
+                    ./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockSizeKB
+                
+                
+                    int
+                
+                1
+            
+        
+        
+    
+
+```
+
+Get **BlockSizeKB**
+
+```xml
+
+
+    
+        
+            1
+            
+                
+                    ./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockSizeKB
+                
+            
+        
+        
+    
+
+```
+
+**FileDownload/DMChannel/*FileContext*/BlockCount**  
+Represents the total read block count for the log file.
+
+The data type is an integer.
+
+The only supported operation is Get.
+
+Get **BlockCount**
+
+```xml
+
+
+    
+        
+            1
+            
+                
+                    ./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockCount
+                
+            
+        
+        
+    
+
+```
+
+**FileDownload/DMChannel/*FileContext*/BlockIndexToRead**  
+Represents the read block start location.
+
+The data type is an integer.
+
+Supported operations are Get and Replace.
+
+Set **BlockIndexToRead** at 0
+
+```xml
+
+
+    
+        
+            1
+            
+                
+                    ./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockIndexToRead
+                
+                
+                    int
+                
+                0
+            
+        
+        
+    
+
+```
+
+Set **BlockIndexToRead** at 1
+
+```xml
+
+
+    
+        
+            1
+            
+                
+                    ./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockIndexToRead
+                
+                
+                    int
+                
+                1
+            
+        
+        
+    
+
+```
+
+**FileDownload/DMChannel/*FileContext*/BlockData**  
+The data type is Base64.
+
+The only supported operation is Get.
+
+Get **BlockData**
+
+```xml
+
+
+    
+        
+            1
+            
+                
+                    ./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockData
+                
+            
+        
+        
+    
+
+```
+
+**FileDownload/DMChannel/*FileContext*/DataBlocks**  
+Node to transfer the selected log file block to the DM server.
+
+**FileDownload/DMChannel/*FileContext*/DataBlocks/***BlockNumber*  
+The data type is Base64.
+
+The supported operation is Get.
+
+### Reading a log file
 To read a log file:  
 1.  Enumerate log file under **./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel**.
 2.  Select a log file in the Enumeration result.
diff --git a/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md b/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md
index 429bf2fe21..84b5bb69b0 100644
--- a/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md
+++ b/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md
@@ -1,6 +1,6 @@
 ---
-title: EnrollmentStatusTracking CSP
-description: EnrollmentStatusTracking CSP
+title: EnrollmentStatusTracking DDF
+description: This topic shows the OMA DM device description framework (DDF) for the EnrollmentStatusTracking configuration service provider. DDF files are used only with OMA DM provisioning XML.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/enrollmentstatustracking-csp.md b/windows/client-management/mdm/enrollmentstatustracking-csp.md
index 080db28b5c..5fba2bac07 100644
--- a/windows/client-management/mdm/enrollmentstatustracking-csp.md
+++ b/windows/client-management/mdm/enrollmentstatustracking-csp.md
@@ -1,6 +1,6 @@
 ---
 title: EnrollmentStatusTracking CSP
-description: EnrollmentStatusTracking CSP
+description: During Autopilot deployment, you can configure the Enrollment Status Page (ESP) to block the device use until the required apps are installed.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
@@ -11,7 +11,6 @@ ms.date: 05/21/2019
 
 # EnrollmentStatusTracking CSP
 
-
 During Autopilot deployment, you can configure the Enrollment Status Page (ESP) to block the device use until the required apps are installed. You can select the apps that must be installed before using the device. The EnrollmentStatusTracking configuration service provider (CSP) is used by Intune's agents, such as SideCar to configure ESP for blocking the device use until the required Win32 apps are installed. It tracks the installation status of the required policy providers and the apps they install and sends it to ESP, which displays the installation progress message to the user. For more information on ESP, see [Windows Autopilot Enrollment Status page](https://docs.microsoft.com/windows/deployment/windows-autopilot/enrollment-status).
 
 ESP uses the EnrollmentStatusTracking CSP along with the DMClient CSP to track the installation of different apps. The EnrollmentStatusTracking CSP tracks Win32 apps installations and DMClient CSP tracks MSI and Universal Windows Platform apps installations. In DMClient CSP, the **FirstSyncStatus/ExpectedMSIAppPackages** and **FirstSyncStatus/ExpectedModernAppPackages** nodes list the apps to track their installation. See [DMClient CSP](dmclient-csp.md) for more information.
diff --git a/windows/client-management/mdm/images/provisioning-csp-diagnosticlog.png b/windows/client-management/mdm/images/provisioning-csp-diagnosticlog.png
index 9829586338..a12415ae84 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-diagnosticlog.png and b/windows/client-management/mdm/images/provisioning-csp-diagnosticlog.png differ
diff --git a/windows/client-management/mdm/implement-server-side-mobile-application-management.md b/windows/client-management/mdm/implement-server-side-mobile-application-management.md
index a3dc006fc8..bc80bbff44 100644
--- a/windows/client-management/mdm/implement-server-side-mobile-application-management.md
+++ b/windows/client-management/mdm/implement-server-side-mobile-application-management.md
@@ -1,5 +1,5 @@
 ---
-title: Implement server-side support for mobile application management on Windows 
+title: Provide server-side support for mobile app management on Windows
 description: The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. MAM support is built into Windows on top of Windows Information Protection (WIP).
 ms.author: dansimp
 ms.topic: article
diff --git a/windows/client-management/mdm/index.md b/windows/client-management/mdm/index.md
index 682ae5b63d..01ee6820fc 100644
--- a/windows/client-management/mdm/index.md
+++ b/windows/client-management/mdm/index.md
@@ -34,7 +34,7 @@ With Windows 10, version 1809, Microsoft is also releasing a Microsoft MDM secur
 
 The MDM security baseline includes policies that cover the following areas:
 
-- Microsoft inbox security technology (not deprecated) such as Bitlocker, Smartscreen, and DeviceGuard (virtual-based security), ExploitGuard, Defender, and Firewall
+- Microsoft inbox security technology (not deprecated) such as Bitlocker, Windows Defender Smartscreen, and DeviceGuard (virtual-based security), ExploitGuard, Defender, and Firewall
 - Restricting remote access to devices
 - Setting credential requirements for passwords and PINs
 - Restricting use of legacy technology
diff --git a/windows/client-management/mdm/networkproxy-csp.md b/windows/client-management/mdm/networkproxy-csp.md
index 8d7aa80999..c82e246263 100644
--- a/windows/client-management/mdm/networkproxy-csp.md
+++ b/windows/client-management/mdm/networkproxy-csp.md
@@ -84,7 +84,7 @@ Valid values:
 
 The data type is integer. Supported operations are Get and Replace. Starting in Windows 10, version 1803, the Delete operation is also supported.
 
-# Configuration Example
+## Configuration Example
 
 These generic code portions for the options **ProxySettingsPerUser**, **Autodetect**, and **SetupScriptURL** can be used for a specific operation, for example Replace.  Only enter the portion of code needed in the **Replace** section.
 ```xml
diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
index 0a50619021..15f103ba47 100644
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
@@ -21,7 +21,7 @@ ms.date: 07/01/2019
 
 This topic provides information about what's new and breaking changes in Windows 10 mobile device management (MDM) enrollment and management experience across all Windows 10 devices.
 
-For details about Microsoft mobile device management protocols for Windows 10 see [\[MS-MDM\]: Mobile Device Management Protocol](https://go.microsoft.com/fwlink/p/?LinkId=619346) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347). 
+For details about Microsoft mobile device management protocols for Windows 10 see [\[MS-MDM\]: Mobile Device Management Protocol](https://go.microsoft.com/fwlink/p/?LinkId=619346) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347). 
 
 - **What’s new in MDM for Windows 10 versions**
   - [What’s new in MDM for Windows 10, version 1909](#whats-new-in-mdm-for-windows-10-version-1909)
@@ -58,6 +58,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
   - [What is dmwappushsvc?](#what-is-dmwappushsvc)
 
 - **Change history in MDM documentation**
+    - [November 2019](#november-2019)
     - [October 2019](#october-2019)
     - [September 2019](#september-2019)
     - [August 2019](#august-2019)
@@ -1934,6 +1935,13 @@ How do I turn if off? | The service can be stopped from the "Services" console o
 
 ## Change history in MDM documentation
 
+### November 2019
+
+|New or updated topic | Description|
+|--- | ---|
+|[Policy CSP - DeliveryOptimization](policy-csp-deliveryoptimization.md)|Added option 5 in the supported values list for DeliveryOptimization/DOGroupIdSource.|
+|[DiagnosticLog CSP](diagnosticlog-csp.md)|Added substantial updates to this CSP doc.|
+
 ### October 2019
 
 |New or updated topic | Description|
diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md
index 32d3ae4dc0..f8dfc0e3c3 100644
--- a/windows/client-management/mdm/passportforwork-csp.md
+++ b/windows/client-management/mdm/passportforwork-csp.md
@@ -190,7 +190,7 @@ Default value is false. If you set this policy to true, Remote Windows Hello for
 
 Supported operations are Add, Get, Delete, and Replace.
 
-*Not supported on Windows Holographic and Windows Holographic for Business.*
+*Not supported on Windows Holographic and Windows Holographic for Business prior to Windows 10 version 1903 (May 2019 Update).*
 
 ***TenantId*/Policies/UseHelloCertificatesAsSmartCardCertificates** (only for ./Device/Vendor/MSFT)  
 Added in Windows 10, version 1809. If you enable this policy setting, applications use Windows Hello for Business certificates as smart card certificates. Biometric factors are unavailable when a user is asked to authorize the use of the certificate's private key. This policy setting is designed to allow compatibility with applications that rely exclusively on smart card certificates.
@@ -206,7 +206,7 @@ This node is deprecated. Use **Biometrics/UseBiometrics** node instead.
 
 **Biometrics** (only for ./Device/Vendor/MSFT)  
 Node for defining biometric settings. This node was added in Windows 10, version 1511.
-*Not supported on Windows Holographic and Windows Holographic for Business.*
+*Not supported on Windows Holographic and Windows Holographic for Business prior to Windows 10 version 1903 (May 2019 Update).*
 
 **Biometrics/UseBiometrics** (only for ./Device/Vendor/MSFT)  
 Boolean value used to enable or disable the use of biometric gestures, such as face and fingerprint, as an alternative to the PIN gesture for Windows Hello for Business. Users must still configure a PIN if they configure biometric gestures to use in case of failures. This node was added in Windows 10, version 1511.
@@ -230,7 +230,7 @@ Note that enhanced anti-spoofing for Windows Hello face authentication is not re
 
 Supported operations are Add, Get, Delete, and Replace.
 
-*Not supported on Windows Holographic and Windows Holographic for Business.*
+*Not supported on Windows Holographic and Windows Holographic for Business prior to Windows 10 version 1903 (May 2019 Update).*
 
 **DeviceUnlock** (only for ./Device/Vendor/MSFT)  
 Added in Windows 10, version 1803. Interior node.
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index d0d52bed09..9d72af8a49 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -3202,7 +3202,7 @@ The following diagram shows the Policy configuration service provider in tree fo
   
 
 
-### SmartScreen policies
+### Windows Defender SmartScreen policies
 
 

   

diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md
index b10a4a04f0..58bf93fb63 100644
--- a/windows/client-management/mdm/policy-csp-browser.md
+++ b/windows/client-management/mdm/policy-csp-browser.md
@@ -1748,7 +1748,7 @@ Most restricted value: 1
 To verify AllowSmartScreen is set to 0 (not allowed):
 
 1. Click or tap **More** (…) and select **Settings** > **View Advanced settings**.
-2.  Verify the setting **Help protect me from malicious sites and download with SmartScreen Filter** is disabled.
+2.  Verify that the setting **Help protect me from malicious sites and download with Windows Defender SmartScreen** is disabled.
 
 
 
diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md
index 79c0298921..8a8184ba9a 100644
--- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md
+++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md
@@ -780,7 +780,7 @@ ADMX Info:
 
 
 
-Added in Windows 10, version 1803. Set this policy to restrict peer selection to a specific source. Options available are: 1 = AD Site, 2 = Authenticated domain SID, 3 = DHCP Option ID, 4 = DNS Suffix
+Added in Windows 10, version 1803. Set this policy to restrict peer selection to a specific source. Available options are: 1 = AD Site, 2 = Authenticated domain SID, 3 = DHCP Option ID, 4 = DNS Suffix, 5 = AAD.
 
 When set, the Group ID will be assigned automatically from the selected source.
 
@@ -790,6 +790,8 @@ The options set in this policy only apply to Group (2) download mode. If Group (
 
 For option 3 - DHCP Option ID, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID.
 
+Starting with Windows 10, version 1903, you can use the Azure Active Directory (AAD) Tenant ID as a means to define groups. To do this, set the value of DOGroupIdSource to 5.
+
 
 
 ADMX Info:  
@@ -807,6 +809,7 @@ The following list shows the supported values:
 -   2 - Authenticated domain SID
 -   3 - DHCP user option
 -   4 - DNS suffix
+-   5 - AAD
 
 
 
diff --git a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md
index 7d8aeb48ed..0a4dde8690 100644
--- a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md
+++ b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md
@@ -1,5 +1,5 @@
 ---
-title: Policy CSP - TimeLanguageSettings
+title: Policy CSP - DeviceHealthMonitoring
 description: Policy CSP - TimeLanguageSettings
 ms.author: dansimp
 ms.topic: article
diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md
index 783b570d85..6e0db74b13 100644
--- a/windows/client-management/mdm/policy-csp-internetexplorer.md
+++ b/windows/client-management/mdm/policy-csp-internetexplorer.md
@@ -2448,7 +2448,7 @@ ADMX Info:
 
 Value and index pairs in the SyncML example:  
 - http://adfs.contoso.org 1
-- http://microsoft.com 2
+- https://microsoft.com 2
 
 
 
@@ -3253,11 +3253,11 @@ ADMX Info:
 
 
 
-This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter prevents the user from browsing to or downloading from sites that are known to host malicious content. SmartScreen Filter also prevents the execution of files that are known to be malicious.
+This policy setting determines whether the user can bypass warnings from Windows Defender SmartScreen. Windows Defender SmartScreen prevents the user from browsing to or downloading from sites that are known to host malicious content. Windows Defender SmartScreen also prevents the execution of files that are known to be malicious.
 
-If you enable this policy setting, SmartScreen Filter warnings block the user.
+If you enable this policy setting, Windows Defender SmartScreen warnings block the user.
 
-If you disable or do not configure this policy setting, the user can bypass SmartScreen Filter warnings.
+If you disable or do not configure this policy setting, the user can bypass Windows Defender SmartScreen warnings.
 
 
 > [!TIP]
@@ -3324,11 +3324,11 @@ ADMX Info:
 
 
 
-This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter warns the user about executable files that Internet Explorer users do not commonly download from the Internet.
+This policy setting determines whether the user can bypass warnings from Windows Defender SmartScreen. Windows Defender SmartScreen warns the user about executable files that Internet Explorer users do not commonly download from the Internet.
 
-If you enable this policy setting, SmartScreen Filter warnings block the user.
+If you enable this policy setting, Windows Defender SmartScreen warnings block the user.
 
-If you disable or do not configure this policy setting, the user can bypass SmartScreen Filter warnings.
+If you disable or do not configure this policy setting, the user can bypass Windows Defender SmartScreen warnings.
 
 
 > [!TIP]
@@ -6501,13 +6501,13 @@ ADMX Info:
 
 
 
-This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
+This policy setting controls whether Windows Defender SmartScreen scans pages in this zone for malicious content.
 
-If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
+If you enable this policy setting, Windows Defender SmartScreen scans pages in this zone for malicious content.
 
-If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
+If you disable this policy setting, Windows Defender SmartScreen does not scan pages in this zone for malicious content.
 
-If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
+If you do not configure this policy setting, the user can choose whether Windows Defender SmartScreen scans pages in this zone for malicious content.
 
 Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
 
@@ -8604,13 +8604,13 @@ ADMX Info:
 
 
 
-This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
+This policy setting controls whether Windows Defender SmartScreen scans pages in this zone for malicious content.
 
-If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
+If you enable this policy setting, Windows Defender SmartScreen scans pages in this zone for malicious content.
 
-If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
+If you disable this policy setting, Windows Defender SmartScreen does not scan pages in this zone for malicious content.
 
-If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
+If you do not configure this policy setting, the user can choose whether Windows Defender SmartScreen scans pages in this zone for malicious content.
 
 Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
 
@@ -9561,13 +9561,13 @@ ADMX Info:
 
 
 
-This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
+This policy setting controls whether Windows Defender SmartScreen scans pages in this zone for malicious content.
 
-If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
+If you enable this policy setting, Windows Defender SmartScreen scans pages in this zone for malicious content.
 
-If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
+If you disable this policy setting, Windows Defender SmartScreen does not scan pages in this zone for malicious content.
 
-If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
+If you do not configure this policy setting, the user can choose whether Windows Defender SmartScreen scans pages in this zone for malicious content.
 
 Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
 
@@ -10518,13 +10518,13 @@ ADMX Info:
 
 
 
-This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
+This policy setting controls whether Windows Defender SmartScreen scans pages in this zone for malicious content.
 
-If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
+If you enable this policy setting, Windows Defender SmartScreen scans pages in this zone for malicious content.
 
-If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
+If you disable this policy setting, Windows Defender SmartScreen does not scan pages in this zone for malicious content.
 
-If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
+If you do not configure this policy setting, the user can choose whether Windows Defender SmartScreen scans pages in this zone for malicious content.
 
 Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
 
@@ -11481,13 +11481,13 @@ ADMX Info:
 
 
 
-This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
+This policy setting controls whether Windows Defender SmartScreen scans pages in this zone for malicious content.
 
-If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
+If you enable this policy setting, Windows Defender SmartScreen scans pages in this zone for malicious content.
 
-If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
+If you disable this policy setting, Windows Defender SmartScreen does not scan pages in this zone for malicious content.
 
-If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
+If you do not configure this policy setting, the user can choose whether Windows Defender SmartScreen scans pages in this zone for malicious content.
 
 Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
 
@@ -12286,13 +12286,13 @@ ADMX Info:
 
 
 
-This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
+This policy setting controls whether Windows Defender SmartScreen scans pages in this zone for malicious content.
 
-If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
+If you enable this policy setting, Windows Defender SmartScreen scans pages in this zone for malicious content.
 
-If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
+If you disable this policy setting, Windows Defender SmartScreen does not scan pages in this zone for malicious content.
 
-If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
+If you do not configure this policy setting, the user can choose whether Windows Defender SmartScreen scans pages in this zone for malicious content.
 
 Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
 
@@ -13170,13 +13170,13 @@ ADMX Info:
 
 
 
-This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
+This policy setting controls whether Windows Defender SmartScreen scans pages in this zone for malicious content.
 
-If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
+If you enable this policy setting, Windows Defender SmartScreen scans pages in this zone for malicious content.
 
-If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
+If you disable this policy setting, Windows Defender SmartScreen does not scan pages in this zone for malicious content.
 
-If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
+If you do not configure this policy setting, the user can choose whether Windows Defender SmartScreen scans pages in this zone for malicious content.
 
 Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
 
@@ -14054,13 +14054,13 @@ ADMX Info:
 
 
 
-This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
+This policy setting controls whether Windows Defender SmartScreen scans pages in this zone for malicious content.
 
-If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
+If you enable this policy setting, Windows Defender SmartScreen scans pages in this zone for malicious content.
 
-If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
+If you disable this policy setting, Windows Defender SmartScreen does not scan pages in this zone for malicious content.
 
-If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
+If you do not configure this policy setting, the user can choose whether Windows Defender SmartScreen scans pages in this zone for malicious content.
 
 Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
 
@@ -14733,11 +14733,11 @@ ADMX Info:
 
 
 
-This policy setting prevents the user from managing SmartScreen Filter, which warns the user if the website being visited is known for fraudulent attempts to gather personal information through "phishing," or is known to host malware.
+This policy setting prevents the user from managing Windows Defender SmartScreen, which warns the user if the website being visited is known for fraudulent attempts to gather personal information through "phishing," or is known to host malware.
 
-If you enable this policy setting, the user is not prompted to turn on SmartScreen Filter. All website addresses that are not on the filter's allow list are sent automatically to Microsoft without prompting the user.
+If you enable this policy setting, the user is not prompted to turn on Windows Defender SmartScreen. All website addresses that are not on the filter's allow list are sent automatically to Microsoft without prompting the user.
 
-If you disable or do not configure this policy setting, the user is prompted to decide whether to turn on SmartScreen Filter during the first-run experience.
+If you disable or do not configure this policy setting, the user is prompted to decide whether to turn on Windows Defender SmartScreen during the first-run experience.
 
 
 > [!TIP]
@@ -16477,13 +16477,13 @@ ADMX Info:
 
 
 
-This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
+This policy setting controls whether Windows Defender SmartScreen scans pages in this zone for malicious content.
 
-If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
+If you enable this policy setting, Windows Defender SmartScreen scans pages in this zone for malicious content.
 
-If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
+If you disable this policy setting, Windows Defender SmartScreen does not scan pages in this zone for malicious content.
 
-If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
+If you do not configure this policy setting, the user can choose whether Windows Defender SmartScreen scans pages in this zone for malicious content.
 
 Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
 
@@ -19053,13 +19053,13 @@ ADMX Info:
 
 
 
-This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
+This policy setting controls whether Windows Defender SmartScreen scans pages in this zone for malicious content.
 
-If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
+If you enable this policy setting, Windows Defender SmartScreen scans pages in this zone for malicious content.
 
-If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
+If you disable this policy setting, Windows Defender SmartScreen does not scan pages in this zone for malicious content.
 
-If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
+If you do not configure this policy setting, the user can choose whether Windows Defender SmartScreen scans pages in this zone for malicious content.
 
 Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
 
diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
index b99fa3f5fc..9263511ddf 100644
--- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
+++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
@@ -173,6 +173,9 @@ manager: dansimp
 
 

 
+> [!NOTE]
+> To find data formats (and other policy-related details), see [Policy DDF file](https://docs.microsoft.com/windows/client-management/mdm/policy-ddf-file). 
+
 
 **LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts**  
 
@@ -3698,4 +3701,3 @@ Footnotes:
 -   6 - Added in Windows 10, version 1903.
 
 
-
diff --git a/windows/client-management/mdm/uefi-csp.md b/windows/client-management/mdm/uefi-csp.md
index ff3e25edce..c26f13353d 100644
--- a/windows/client-management/mdm/uefi-csp.md
+++ b/windows/client-management/mdm/uefi-csp.md
@@ -20,7 +20,7 @@ The UEFI configuration service provider (CSP) interfaces to UEFI's Device Firmwa
 > The UEFI CSP version published in Windows 10, version 1803 is replaced with this one (version 1809).
 
 > [!NOTE]
-> The production UEFI CSP is present in 1809, but it depends upon the Device Firmware Configuration Interface (DFCI) and UEFI firmware to comply with this interface.  The specification for this interface and compatible firmware is not yet available.
+> The production UEFI CSP is present in 1809, but it depends upon the [Device Firmware Configuration Interface (DFCI) and UEFI firmware](https://microsoft.github.io/mu/dyn/mu_plus/DfciPkg/Docs/Dfci_Feature/) to comply with this interface.
 
 The following diagram shows the UEFI CSP in tree format.
 
@@ -70,7 +70,7 @@ Apply a permissions information package to UEFI. Input is the signed package in
 Value type is Base64. Supported operation is Replace.
 
 **Permissions/Result**  
-Retrieves the binary result package of the previous Permissions/Apply operation.  This binary package contains XML describing the action taken for each individual permission.
+Retrieves the binary result package of the previous Permissions/Apply operation. This binary package contains XML describing the action taken for each individual permission.
 
 Supported operation is Get.
 
@@ -109,17 +109,17 @@ Supported operation is Get.
 Node for settings permission operations. Alternate endpoint for sending a second permission package without an OS restart.
 
 **Permissions2/Apply**  
-Apply a permissions information package to UEFI. Input is the signed package in base64 encoded format.  Alternate location for sending two permissions information packages in the same session.
+Apply a permissions information package to UEFI. Input is the signed package in base64 encoded format. Alternate location for sending two permissions information packages in the same session.
 
 Value type is Base64. Supported operation is Replace.
 
 **Permissions2/Result**  
-Retrieves the binary result package from the previous Permissions2/Apply operation.  This binary package contains XML describing the action taken for each individual permission.
+Retrieves the binary result package from the previous Permissions2/Apply operation. This binary package contains XML describing the action taken for each individual permission.
 
 Supported operation is Get.
 
 **Settings2**  
-Nodefor device settings operations. Alternate endpoint for sending a second settings package without an OS restart.
+Node for device settings operations. Alternate endpoint for sending a second settings package without an OS restart.
 
 **Settings2/Apply**  
 Apply a settings information package to UEFI. Input is the signed package in base64 encoded format. Alternate location for sending two settings information packages in the same session.
@@ -130,3 +130,8 @@ Value type is Base64. Supported operation is Replace.
 Retrieves the binary result package of previous Settings2/Apply operation. This binary package contains XML describing the action taken for each individual setting.
 
 Supported operation is Get.
+
+
+## Related topics
+
+[UEFI DDF file](./uefi-ddf.md)
diff --git a/windows/client-management/mdm/wmi-providers-supported-in-windows.md b/windows/client-management/mdm/wmi-providers-supported-in-windows.md
index b6fb182eae..914c39c364 100644
--- a/windows/client-management/mdm/wmi-providers-supported-in-windows.md
+++ b/windows/client-management/mdm/wmi-providers-supported-in-windows.md
@@ -296,21 +296,13 @@ For links to these classes, see [**MDM Bridge WMI Provider**](https://msdn.micro
 [**Win32\_UninterruptiblePowerSupply**](https://msdn.microsoft.com/library/windows/hardware/aa394503) |
 [**Win32\_USBController**](https://msdn.microsoft.com/library/windows/hardware/aa394504)    |
 [**Win32\_UTCTime**](https://msdn.microsoft.com/library/windows/hardware/aa394510)          | ![cross mark](images/checkmark.png)
-[**Win32\_VideoController**](https://msdn.microsoft.com/library/windows/hardware/aa394505) |
+[**Win32\_VideoController**](https://docs.microsoft.com/windows/win32/cimwin32prov/win32-videocontroller) |
 **Win32\_WindowsUpdateAgentVersion**                                                        |
  
 
 ## Related topics
 
-
 [Configuration service provider reference](configuration-service-provider-reference.md)
 
- 
-
- 
-
-10/10/2016
-
-
-
-
+## Related Links
+[CIM Video Controller](https://docs.microsoft.com/windows/win32/cimwin32prov/cim-videocontroller)
diff --git a/windows/client-management/troubleshoot-inaccessible-boot-device.md b/windows/client-management/troubleshoot-inaccessible-boot-device.md
index 27b46491dc..3acffc551f 100644
--- a/windows/client-management/troubleshoot-inaccessible-boot-device.md
+++ b/windows/client-management/troubleshoot-inaccessible-boot-device.md
@@ -1,5 +1,5 @@
 ---
-title: Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device
+title: Advanced advice for Stop error 7B, Inaccessible_Boot_Device
 description: Learn how to troubleshoot Stop error 7B or Inaccessible_Boot_Device
 ms.prod: w10
 ms.mktglfcycl:
diff --git a/windows/client-management/windows-10-mobile-and-mdm.md b/windows/client-management/windows-10-mobile-and-mdm.md
index da7f583966..47a439de72 100644
--- a/windows/client-management/windows-10-mobile-and-mdm.md
+++ b/windows/client-management/windows-10-mobile-and-mdm.md
@@ -634,12 +634,12 @@ The following settings for Microsoft Edge on Windows 10 Mobile can be managed.
 -   **Allow InPrivate** Whether users can use InPrivate browsing
 -   **Allow Password Manager** Whether users can use Password Manager to save and manage passwords locally
 -   **Allow Search Suggestions in Address Bar** Whether search suggestions are shown in the address bar
--   **Allow SmartScreen** Whether SmartScreen Filter is enabled
+-   **Allow Windows Defender SmartScreen** Whether Windows Defender SmartScreen is enabled
 -   **Cookies**	Whether cookies are allowed
 -   **Favorites** Configure Favorite URLs
 -   **First Run URL** The URL to open when a user launches Microsoft Edge for the first time
--   **Prevent SmartScreen Prompt Override** Whether users can override the SmartScreen warnings for URLs
--   **Prevent Smart Screen Prompt Override for Files** Whether users can override the SmartScreen warnings for files
+-   **Prevent Windows Defender SmartScreen Prompt Override** Whether users can override the Windows Defender SmartScreen warnings for URLs
+-   **Prevent Smart Screen Prompt Override for Files** Whether users can override the Windows Defender SmartScreen warnings for files
 
 ## Manage
 
diff --git a/windows/client-management/windows-10-support-solutions.md b/windows/client-management/windows-10-support-solutions.md
index c319034f39..8c30018235 100644
--- a/windows/client-management/windows-10-support-solutions.md
+++ b/windows/client-management/windows-10-support-solutions.md
@@ -18,23 +18,23 @@ Microsoft regularly releases both updates for Windows Server. To ensure your ser
 
 This section contains advanced troubleshooting topics and links to help you resolve issues with Windows 10 in an enterprise or IT pro environment. Additional topics will be added as they become available.
 
-### Troubleshoot 802.1x Authentication
+## Troubleshoot 802.1x Authentication
 - [Advanced Troubleshooting 802.1X Authentication](https://docs.microsoft.com/windows/client-management/advanced-troubleshooting-802-authentication)
 - [Data collection for troubleshooting 802.1X authentication](https://docs.microsoft.com/windows/client-management/data-collection-for-802-authentication)
 
-### Troubleshoot BitLocker
-- [BitLocker overview and requirements FAQ (Windows 10)](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq)
-- [BitLocker Upgrading FAQ (Windows 10)](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq)
-- [BitLocker frequently asked questions (FAQ) (Windows 10)](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq)
-- [BitLocker Key Management FAQ (Windows 10)](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-key-management-faq)
-- [BitLocker To Go FAQ (Windows 10)](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-to-go-faq)
-- [BitLocker and Active Directory Domain Services (AD DS) FAQ (Windows 10)](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq)
-- [BitLocker Security FAQ (Windows 10)](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-security-faq)
-- [BitLocker frequently asked questions (FAQ) (Windows 10)](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq)
-- [Using BitLocker with other programs FAQ (Windows 10)](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq)
-- [BitLocker recovery guide (Windows 10)](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan)
+## Troubleshoot BitLocker
+- [Guidelines for troubleshooting BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/troubleshoot-bitlocker)
+- [BitLocker cannot encrypt a drive: known issues](https://docs.microsoft.com/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues)
+- [Enforcing BitLocker policies by using Intune: known issues](https://docs.microsoft.com/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues)
+- [BitLocker Network Unlock: known issues](https://docs.microsoft.com/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues)
+- [BitLocker recovery: known issues](https://docs.microsoft.com/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues)
+- [BitLocker configuration: known issues](https://docs.microsoft.com/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues)
+- [BitLocker cannot encrypt a drive: known TPM issues](https://docs.microsoft.com/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues)
+- [BitLocker and TPM: other known issues](https://docs.microsoft.com/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues)
+- [Decode Measured Boot logs to track PCR changes](https://docs.microsoft.com/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs)
+- [BitLocker frequently asked questions (FAQ)](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions)
 
-### Troubleshoot Bugcheck and Stop errors
+## Troubleshoot Bugcheck and Stop errors
 - [Introduction to the page file](https://docs.microsoft.com/windows/client-management/introduction-page-file)
 - [How to determine the appropriate page file size for 64-bit versions of Windows](https://docs.microsoft.com/windows/client-management/determine-appropriate-page-file-size)
 - [Configure system failure and recovery options in Windows](https://docs.microsoft.com/windows/client-management/system-failure-recovery-options)
@@ -44,20 +44,20 @@ This section contains advanced troubleshooting topics and links to help you reso
 - [Blue Screen Data - Windows drivers](https://docs.microsoft.com/windows-hardware/drivers/debugger/blue-screen-data)
 - [Bug Check Code Reference - Windows drivers](https://docs.microsoft.com/windows-hardware/drivers/debugger/bug-check-code-reference2)
 
-### Troubleshoot Credential Guard
+## Troubleshoot Credential Guard
 - [Windows Defender Credential Guard - Known issues (Windows 10)](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-known-issues)
 
-### Troubleshoot Disks
+## Troubleshoot Disks
 - [MBR2GPT](https://docs.microsoft.com/windows/deployment/mbr-to-gpt)
 - [Windows and GPT FAQ](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-and-gpt-faq)
 
-### Troubleshoot Kiosk mode
+## Troubleshoot Kiosk mode
 - [Troubleshoot kiosk mode issues](https://docs.microsoft.com/windows/configuration/kiosk-troubleshoot)
 
-### Troubleshoot No Boot
+## Troubleshoot No Boot
 - [Advanced troubleshooting for Windows boot problems](https://docs.microsoft.com/windows/client-management/advanced-troubleshooting-boot-problems)
 
-### Troubleshoot Push Button Reset
+## Troubleshoot Push Button Reset
 - [Push-button reset frequently-asked questions (FAQ)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/pbr-faq)
 - [Push-button reset frequently-asked questions (FAQ)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/pbr-validation)
 - [Recovery components](https://docs.microsoft.com/windows-hardware/manufacture/desktop/recovery-strategy-for-common-customizations)
@@ -66,46 +66,46 @@ This section contains advanced troubleshooting topics and links to help you reso
 - [Modern Standby FAQs](https://docs.microsoft.com/windows-hardware/design/device-experiences/modern-standby-faqs)
 
 
-### Troubleshoot Secure Boot
+## Troubleshoot Secure Boot
 - [Secure Boot isn't configured correctly: troubleshooting](https://docs.microsoft.com/windows-hardware/manufacture/desktop/secure-boot-isnt-configured-correctly-troubleshooting)
 
 
-### Troubleshoot Setup and Install
+## Troubleshoot Setup and Install
 - [Deployment Troubleshooting and Log Files](https://docs.microsoft.com/windows-hardware/manufacture/desktop/deployment-troubleshooting-and-log-files)
 
 
-### Troubleshoot Start Menu
+## Troubleshoot Start Menu
 - [Troubleshoot Start menu errors](https://docs.microsoft.com/windows/configuration/start-layout-troubleshoot)
 
 
-### Troubleshoot Subscription Activation
+## Troubleshoot Subscription Activation
 - [Deploy Windows 10 Enterprise licenses](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses)
 
-### Troubleshoot System Hang
+## Troubleshoot System Hang
 - [Advanced troubleshooting for Windows-based computer freeze issues](https://docs.microsoft.com/windows/client-management/troubleshoot-windows-freeze)
 
-### Troubleshoot TCP/IP Communication
+## Troubleshoot TCP/IP Communication
 - [Collect data using Network Monitor](https://docs.microsoft.com/windows/client-management/troubleshoot-tcpip-netmon)
 - [Troubleshoot TCP/IP connectivity](https://docs.microsoft.com/windows/client-management/troubleshoot-tcpip-connectivity)
 - [Troubleshoot port exhaustion issues](https://docs.microsoft.com/windows/client-management/troubleshoot-tcpip-port-exhaust)
 - [Troubleshoot Remote Procedure Call (RPC) errors](https://docs.microsoft.com/windows/client-management/troubleshoot-tcpip-rpc-errors)
 
-### Troubleshoot User State Migration Toolkit (USMT)
+## Troubleshoot User State Migration Toolkit (USMT)
 - [Common Issues](https://docs.microsoft.com/windows/deployment/usmt/usmt-common-issues)
 - [Frequently Asked Questions](https://docs.microsoft.com/windows/deployment/usmt/usmt-faq)
 - [Log Files](https://docs.microsoft.com/windows/deployment/usmt/usmt-log-files)
 - [Return Codes](https://docs.microsoft.com/windows/deployment/usmt/usmt-return-codes)
 
-### Troubleshoot Windows Hello for Business (WHFB)
+## Troubleshoot Windows Hello for Business (WHFB)
 - [Windows Hello for Business Frequently Asked Questions](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-faq)
 - [Windows Hello errors during PIN creation (Windows 10)](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation)
 - [Event ID 300 - Windows Hello successfully created (Windows 10)](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-event-300)
 
 
-### Troubleshoot Windows Analytics
+## Troubleshoot Windows Analytics
 - [Frequently asked questions and troubleshooting Windows Analytics](https://docs.microsoft.com/windows/deployment/update/windows-analytics-faq-troubleshooting)
 
-### Troubleshoot Windows Update
+## Troubleshoot Windows Update
 - [How Windows Update works](https://docs.microsoft.com/windows/deployment/update/how-windows-update-works)
 - [Windows Update log files](https://docs.microsoft.com/windows/deployment/update/windows-update-logs)
 - [Windows Update troubleshooting](https://docs.microsoft.com/windows/deployment/update/windows-update-troubleshooting)
@@ -114,7 +114,7 @@ This section contains advanced troubleshooting topics and links to help you reso
 - [Get started with Windows Update](https://docs.microsoft.com/windows/deployment/update/windows-update-overview)
 - [Servicing stack updates](https://docs.microsoft.com/windows/deployment/update/servicing-stack-updates)
 
-### Troubleshoot Windows Upgrade
+## Troubleshoot Windows Upgrade
 - [Quick fixes - Windows IT Pro](https://docs.microsoft.com/windows/deployment/upgrade/quick-fixes)
 - [SetupDiag](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag)
 - [Troubleshoot Windows 10 upgrade errors - Windows IT Pro](https://docs.microsoft.com/windows/deployment/upgrade/troubleshoot-upgrade-errors)
@@ -123,10 +123,10 @@ This section contains advanced troubleshooting topics and links to help you reso
 - [Log files - Windows IT Pro](https://docs.microsoft.com/windows/deployment/upgrade/log-files)
 - [Resolution procedures - Windows IT Pro](https://docs.microsoft.com/windows/deployment/upgrade/resolution-procedures)
 
-### Troubleshoot Windows Recovery (WinRE)
+## Troubleshoot Windows Recovery (WinRE)
 - [Windows RE troubleshooting features](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-re-troubleshooting-features)
 
-### Troubleshoot Wireless Connection
+## Troubleshoot Wireless Connection
 - [Advanced Troubleshooting Wireless Network Connectivity](https://docs.microsoft.com/windows/client-management/advanced-troubleshooting-wireless-network-connectivity)
 
 ## Other Resources
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
index 8c6f2186a3..0122fb2eb7 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
@@ -1,5 +1,5 @@
 ---
-title: Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization (Windows 10)
+title: Configure Cortana with Group Policy and MDM settings (Windows 10)
 description: The list of Group Policy and mobile device management (MDM) policy settings that apply to Cortana at work.
 ms.prod: w10
 ms.mktglfcycl: manage
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
index a1dfe7d5c0..a7b6e72c12 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
@@ -1,5 +1,5 @@
 ---
-title: Test scenario 1 - Sign-in to Azure AD and use Cortana to manage the notebook (Windows 10)
+title: Sign-in to Azure AD and manage notebook with Cortana (Windows 10)
 description: A test scenario walking you through signing in and managing the notebook.
 ms.prod: w10
 ms.mktglfcycl: manage
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
index 70a280cb22..c58d165771 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
@@ -1,5 +1,5 @@
 ---
-title: Test scenario 2 - Perform a quick search with Cortana at work (Windows 10)
+title: Perform a quick search with Cortana at work (Windows 10)
 description: A test scenario about how to perform a quick search with Cortana at work.
 ms.prod: w10
 ms.mktglfcycl: manage
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md
index e82abbd92a..d072cdb5fa 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md
@@ -1,5 +1,5 @@
 ---
-title: Test scenario 3 - Set a reminder for a specific location using Cortana at work (Windows 10)
+title: Set a reminder for a location with Cortana at work (Windows 10)
 description: A test scenario about how to set a location-based reminder using Cortana at work.
 ms.prod: w10
 ms.mktglfcycl: manage
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md
index 3283f2d1ad..4ea208fcfd 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md
@@ -1,5 +1,5 @@
 ---
-title: Test scenario 4 - Use Cortana at work to find your upcoming meetings (Windows 10)
+title: Use Cortana at work to find your upcoming meetings (Windows 10)
 description: A test scenario about how to use Cortana at work to find your upcoming meetings.
 ms.prod: w10
 ms.mktglfcycl: manage
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md
index 7fe284c023..f5efc05577 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md
@@ -1,5 +1,5 @@
 ---
-title: Test scenario 5 - Use Cortana to send email to a co-worker (Windows 10)
+title: Use Cortana to send email to a co-worker (Windows 10)
 description: A test scenario about how to use Cortana at work to send email to a co-worker.
 ms.prod: w10
 ms.mktglfcycl: manage
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md
index 7d96f06030..f5ffb003b7 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md
@@ -1,5 +1,5 @@
 ---
-title: Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email (Windows 10)
+title: Review a reminder suggested by Cortana (Windows 10)
 description: A test scenario about how to use Cortana with the Suggested reminders feature.
 ms.prod: w10
 ms.mktglfcycl: manage
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md
index 01f326616c..a00867e25b 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md
@@ -1,5 +1,5 @@
 ---
-title: Test scenario 7 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device (Windows 10)
+title: Help protect data with Cortana and WIP (Windows 10)
 description: An optional test scenario about how to use Cortana at work with Windows Information Protection (WIP).
 ms.prod: w10
 ms.mktglfcycl: manage
diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md
index bda947c233..047006fce2 100644
--- a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md
+++ b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md
@@ -1,5 +1,5 @@
 ---
-title: Customize Windows 10 Start and taskbar with mobile device management (MDM) (Windows 10)
+title: Alter Windows 10 Start and taskbar via mobile device management
 description: In Windows 10, you can use a mobile device management (MDM) policy to deploy a customized Start and tasbkar layout to users.
 ms.assetid: F487850D-8950-41FB-9B06-64240127C1E4
 ms.reviewer: 
diff --git a/windows/configuration/kiosk-prepare.md b/windows/configuration/kiosk-prepare.md
index a02ff6ba03..aaa526a014 100644
--- a/windows/configuration/kiosk-prepare.md
+++ b/windows/configuration/kiosk-prepare.md
@@ -97,6 +97,8 @@ In addition to the settings in the table, you may want to set up **automatic log
 > [!TIP]
 > You can also configure automatic sign-in [using the Autologon tool from Sysinternals](https://docs.microsoft.com/sysinternals/downloads/autologon).
 
+> [!NOTE]
+> If you are also using [Custom Logon](https://docs.microsoft.com/windows-hardware/customize/enterprise/custom-logon) with **HideAutoLogonUI** enabled, you might experience a black screen after a password expires. We recommend that you consider [setting the password to never expire](https://docs.microsoft.com/windows-hardware/customize/enterprise/troubleshooting-custom-logon#the-device-displays-a-black-screen-when-a-password-expiration-screen-is-displayed).
 
 ## Interactions and interoperability
 
diff --git a/windows/configuration/mobile-devices/provisioning-configure-mobile.md b/windows/configuration/mobile-devices/provisioning-configure-mobile.md
index dabf9951dc..afb1fa0310 100644
--- a/windows/configuration/mobile-devices/provisioning-configure-mobile.md
+++ b/windows/configuration/mobile-devices/provisioning-configure-mobile.md
@@ -1,6 +1,6 @@
 ---
-title: Use Windows Configuration Designer to configure Windows 10 Mobile devices (Windows 10)
-description: 
+title: Configure Windows 10 Mobile devices with Configuration Designer
+description: Use Windows Configuration Designer to configure Windows 10 Mobile devices
 keywords: phone, handheld, lockdown, customize
 ms.prod: w10
 ms.mktglfcycl: manage
diff --git a/windows/configuration/mobile-devices/settings-that-can-be-locked-down.md b/windows/configuration/mobile-devices/settings-that-can-be-locked-down.md
index 4ea4c7f814..f1d9a178fc 100644
--- a/windows/configuration/mobile-devices/settings-that-can-be-locked-down.md
+++ b/windows/configuration/mobile-devices/settings-that-can-be-locked-down.md
@@ -1,5 +1,5 @@
 ---
-title: Settings and quick actions that can be locked down in Windows 10 Mobile (Windows 10)
+title: Lock down settings and quick actions in Windows 10 Mobile
 description: This topic lists the settings and quick actions that can be locked down in Windows 10 Mobile.
 ms.assetid: 69E2F202-D32B-4FAC-A83D-C3051DF02185
 ms.reviewer: 
diff --git a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
index 107e1b4b1c..be16f1f393 100644
--- a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
+++ b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
@@ -1,5 +1,5 @@
 ---
-title: Introduction to configuration service providers (CSPs) for IT pros (Windows 10)
+title: Intro to configuration service providers for IT pros (Windows 10)
 description: Configuration service providers (CSPs) expose device configuration settings in Windows 10. 
 ms.assetid: 25C1FDCA-0E10-42A1-A368-984FFDB2B7B6
 ms.reviewer: 
diff --git a/windows/configuration/provisioning-packages/provisioning-uninstall-package.md b/windows/configuration/provisioning-packages/provisioning-uninstall-package.md
index e8ebc96787..8e974645d5 100644
--- a/windows/configuration/provisioning-packages/provisioning-uninstall-package.md
+++ b/windows/configuration/provisioning-packages/provisioning-uninstall-package.md
@@ -1,5 +1,5 @@
 ---
-title: Settings changed when you uninstall a provisioning package (Windows 10)
+title: Uninstall a provisioning package - reverted settings (Windows 10)
 description: This topic lists the settings that are reverted when you uninstall a provisioning package.
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md b/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md
index 191b74f140..3fe4ab887a 100644
--- a/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md
+++ b/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md
@@ -1,5 +1,5 @@
 ---
-title: Managing the UE-V Service and Packages with Windows PowerShell and WMI
+title: Manage UE-V Service and Packages with Windows PowerShell and WMI
 description: Managing the UE-V service and packages with Windows PowerShell and WMI
 author: dansimp
 ms.pagetype: mdop, virtualization
diff --git a/windows/configuration/wcd/wcd-policies.md b/windows/configuration/wcd/wcd-policies.md
index 5ccfcbb449..62f3b52b5d 100644
--- a/windows/configuration/wcd/wcd-policies.md
+++ b/windows/configuration/wcd/wcd-policies.md
@@ -135,8 +135,8 @@ This section describes the **Policies** settings that you can configure in [prov
 | [PreventCertErrorOverrides](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventcerterroroverrides)  | Specify whether to override security warnings about sites that have SSL errors.  | X  | X |  X |   | X |
 | [PreventFirstRunPage](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-preventfirstrunpage) | Specify whether to enable or disable the First Run webpage. | X |  |  |  |  |
 | [PreventLiveTileDataCollection](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-preventlivetiledatacollection)  | Specify whether Microsoft can collect information to create a Live Tile when pinning a site to Start from Microsoft Edge.  | X  | X | X  |   | X |
-| [PreventSmartScreenPromptOverride](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-preventsmartscreenpromptoverride)  | Specify whether users can override the Windows Defender SmartScreen Filter warnings about potentially malicious websites.  | X  | X | X  |   | X |
-| [PreventSmartScreenPromptOverrideForFiles](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-preventsmartscreenpromptoverrideforfiles) | Specify whether users can override the Windows Defender SmartScreen Filter warnings about downloading unverified files. | X | X | X |  | X |
+| [PreventSmartScreenPromptOverride](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-preventsmartscreenpromptoverride)  | Specify whether users can override the Windows Defender SmartScreen warnings about potentially malicious websites.  | X  | X | X  |   | X |
+| [PreventSmartScreenPromptOverrideForFiles](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-preventsmartscreenpromptoverrideforfiles) | Specify whether users can override the Windows Defender SmartScreen warnings about downloading unverified files. | X | X | X |  | X |
 PreventTabPreloading | Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed. Applies to Windows 10, version 1803 and earlier only. | X |  |  |  |  |
 | [PreventTurningOffRequiredExtensions](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-forceenabledextensions)  | Enter a list of extensions in Microsoft Edge that users cannot turn off, using a semi-colon delimited list of extension package family names.  | X  |  |   |   |  |
 | [PreventUsingLocalHostIPAddressForWebRTC](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-preventusinglocalhostipaddressforwebrtc)  | Specify whether a user's localhost IP address is displayed while making phone calls using the WebRTC protocol.  | X  | X | X  |   | X |
diff --git a/windows/deployment/deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md b/windows/deployment/deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md
index a89f01eda9..692b7306a7 100644
--- a/windows/deployment/deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md
@@ -1,190 +1,191 @@
----
-title: Create a task sequence with Configuration Manager and MDT (Windows 10)
-description: In this topic, you will learn how to create a Microsoft System Center 2012 R2 Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard.
-ms.assetid: 0b069bec-5be8-47c6-bf64-7a630f41ac98
-ms.reviewer: 
-manager: laurawi
-ms.author: greglin
-keywords: deploy, upgrade, task sequence, install
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.pagetype: mdt
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.topic: article
----
-
-# Create a task sequence with Configuration Manager and MDT
-
-
-**Applies to**
-
--   Windows 10
-
-In this topic, you will learn how to create a Microsoft System Center 2012 R2 Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard. Creating task sequences in System Center 2012 R2 Configuration Manager requires many more steps than creating task sequences for MDT Lite Touch installation. Luckily, the MDT wizard helps you through the process and also guides you through creating the needed packages.
-
-For the purposes of this topic, we will use two machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard, both of which are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-
-## Create a task sequence using the MDT Integration Wizard
-
-
-This section walks you through the process of creating a System Center 2012 R2 Configuration Manager task sequence for production use.
-
-1.  On CM01, using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create MDT Task Sequence**.
-
-2.  On the **Choose Template** page, select the **Client Task Sequence** template and click **Next**.
-
-3.  On the **General** page, assign the following settings and then click **Next**:
-
-    * Task sequence name: Windows 10 Enterprise x64 RTM
-
-    * Task sequence comments: Production image with Office 2013
-
-4.  On the **Details** page, assign the following settings and then click **Next**:
-
-    * Join a Domain
-
-    * Domain: contoso.com
-
-        * Account: CONTOSO\\CM\_JD
-
-        * Password: Passw0rd!
-
-    * Windows Settings
-
-        * User name: Contoso
-
-        * Organization name: Contoso
-
-        * Product key: <blank>
-
-5.  On the **Capture Settings** page, accept the default settings, and click **Next**.
-
-6.  On the **Boot Image** page, browse and select the **Zero Touch WinPE x64** boot image package. Then click **Next**.
-
-7.  On the **MDT Package** page, select **Create a new Microsoft Deployment Toolkit Files package**, and in the **Package source folder to be created (UNC Path):** text box, type **\\\\CM01\\Sources$\\OSD\\MDT\\MDT**. Then click **Next**.
-
-8.  On the **MDT Details** page, assign the name **MDT** and click **Next**.
-
-9.  On the **OS Image** page, browse and select the **Windows 10 Enterprise x64 RTM** package. Then click **Next**.
-
-10. On the **Deployment Method** page, accept the default settings and click **Next**.
-
-11. On the **Client Package** page, browse and select the **OSD / Configuration Manager Client** package. Then click **Next**.
-
-12. On the **USMT Package** page, browse and select **the OSD / Microsoft Corporation User State Migration Tool for Windows 8 10.0.10240.16384** package. Then click **Next**.
-
-13. On the **Settings Package** page, select the **Create a new settings package** option, and in the **Package source folder to be created (UNC Path):** text box, type **\\\\CM01\\Sources$\\OSD\\Settings\\Windows 10 x64 Settings**. Then click **Next**.
-
-14. On the **Settings Details** page, assign the name **Windows 10 x64 Settings** and click **Next**.
-
-15. On the **Sysprep Package** page, click **Next** twice.
-
-16. On the **Confirmation** page, click **Finish**.
-
-## Edit the task sequence
-
-
-After you create the task sequence, we recommend that you configure the task sequence for an optimal deployment experience. The configurations include enabling support for Unified Extensible Firmware Interface (UEFI), dynamic organizational unit (OU) allocation, computer replace scenarios, and more.
-
-1.  On CM01, using the Configuration Manager Console, select **Task Sequences**, right-click **Windows 10 Enterprise x64 RTM** task sequence, and select **Edit**.
-
-2.  In the **Install** group, select the **Set Variable for Drive Letter** action and configure the following:
-
-    * OSDPreserveDriveLetter: True
-    
-    >[!NOTE]
-    >If you don't change this value, your Windows installation will end up in E:\\Windows.
-
-3.  In the **Post Install** group, select **Apply Network Settings**, and configure the Domain OU value to use the **Contoso / Workstations** OU (browse for values).
-
-4.  In the **Post Install** group, disable the **Auto Apply Drivers** action. (Disabling is done by selecting the action and, in the **Options** tab, selecting the **Disable this step** check box.)
-
-5.  After the disabled **Post Install / Auto Apply Drivers** action, add a new group name: **Drivers**.
-
-6.  After the **Post Install / Drivers** group, add an **Apply Driver Package** action with the following settings:
-
-    * Name: HP EliteBook 8560w
-
-    * Driver Package: Windows 10 x64 - HP EliteBook 8560w
-
-    * Options: Task Sequence Variable: Model equals HP EliteBook 8560w
-    
-    >[!NOTE]
-    >You also can add a Query WMI condition with the following query: SELECT \* FROM Win32\_ComputerSystem WHERE Model LIKE '%HP EliteBook 8560w%'
-    
-    ![Driver package options](../images/fig27-driverpackage.png "Driver package options")
-    
-    *Figure 24. The driver package options*
-
-7.  In the **State Restore / Install Applications** group, select the **Install Application** action.
-
-8.  Select the **Install the following applications** option, and add the OSD / Adobe Reader XI - OSD Install application to the list.
-
-    ![Add an application to the task sequence](../images/fig28-addapp.png "Add an application to the task sequence")
-
-    *Figure 25. Add an application to the Configuration Manager task sequence*
-
-9.  In the **State Restore** group, after the **Set Status 5** action, add a **Request State Store** action with the following settings:
-
-    * Restore state from another computer
-
-    * If computer account fails to connect to state store, use the Network Access account
-
-    * Options: Continue on error
-
-    * Options / Condition:
-    
-      * Task Sequence Variable
-      
-      * USMTLOCAL not equals True
-
-10. In the **State Restore** group, after the **Restore User State** action, add a **Release State Store** action with the following settings:
-
-    * Options: Continue on error
-
-    * Options / Condition:
-    
-      * Task Sequence Variable
-      
-      * USMTLOCAL not equals True
-
-11. Click **OK**.
-
->[!NOTE]
->The Request State Store and Release State Store actions need to be added for common computer replace scenarios.
-
- 
-
-## Move the packages
-
-
-While creating the task sequence with the MDT wizard, a few operating system deployment packages were created. To move these packages to the OSD folder, take the following steps.
-
-1.  On CM01, using the Configuration Manager Console, in the Software Library workspace, expand **Application Management**, and then select **Packages**.
-
-2.  Select the **MDT** and **Windows 10 x64 Settings** packages, right-click and select **Move**.
-
-3.  In the **Move Selected Items** dialog box, select the **OSD** folder, and click **OK**.
-
-## Related topics
-
-
-[Integrate Configuration Manager with MDT](integrate-configuration-manager-with-mdt.md)
-
-[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](../deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-
-[Create a custom Windows PE boot image with Configuration Manager](../deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-
-[Add a Windows 10 operating system image using Configuration Manager](../deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md)
-
-[Create an application to deploy with Windows 10 using Configuration Manager](../deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-
-[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](../deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-
-[Deploy Windows 10 using PXE and Configuration Manager](../deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md)
-
-[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](../deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](../deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+---
+title: Create a task sequence with Configuration Manager (Windows 10)
+description: In this topic, you will learn how to create a Microsoft System Center 2012 R2 Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard.
+ms.assetid: 0b069bec-5be8-47c6-bf64-7a630f41ac98
+ms.reviewer: 
+manager: laurawi
+ms.author: greglin
+keywords: deploy, upgrade, task sequence, install
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.pagetype: mdt
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Create a task sequence with Configuration Manager and MDT
+
+
+**Applies to**
+
+-   Windows 10
+
+In this topic, you will learn how to create a Microsoft System Center 2012 R2 Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard. Creating task sequences in System Center 2012 R2 Configuration Manager requires many more steps than creating task sequences for MDT Lite Touch installation. Luckily, the MDT wizard helps you through the process and also guides you through creating the needed packages.
+
+For the purposes of this topic, we will use two machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard, both of which are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
+
+## Create a task sequence using the MDT Integration Wizard
+
+
+This section walks you through the process of creating a System Center 2012 R2 Configuration Manager task sequence for production use.
+
+1.  On CM01, using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create MDT Task Sequence**.
+
+2.  On the **Choose Template** page, select the **Client Task Sequence** template and click **Next**.
+
+3.  On the **General** page, assign the following settings and then click **Next**:
+
+    * Task sequence name: Windows 10 Enterprise x64 RTM
+
+    * Task sequence comments: Production image with Office 2013
+
+4.  On the **Details** page, assign the following settings and then click **Next**:
+
+    * Join a Domain
+
+    * Domain: contoso.com
+
+        * Account: CONTOSO\\CM\_JD
+
+        * Password: Passw0rd!
+
+    * Windows Settings
+
+        * User name: Contoso
+
+        * Organization name: Contoso
+
+        * Product key: <blank>
+
+5.  On the **Capture Settings** page, accept the default settings, and click **Next**.
+
+6.  On the **Boot Image** page, browse and select the **Zero Touch WinPE x64** boot image package. Then click **Next**.
+
+7.  On the **MDT Package** page, select **Create a new Microsoft Deployment Toolkit Files package**, and in the **Package source folder to be created (UNC Path):** text box, type **\\\\CM01\\Sources$\\OSD\\MDT\\MDT**. Then click **Next**.
+
+8.  On the **MDT Details** page, assign the name **MDT** and click **Next**.
+
+9.  On the **OS Image** page, browse and select the **Windows 10 Enterprise x64 RTM** package. Then click **Next**.
+
+10. On the **Deployment Method** page, accept the default settings and click **Next**.
+
+11. On the **Client Package** page, browse and select the **OSD / Configuration Manager Client** package. Then click **Next**.
+
+12. On the **USMT Package** page, browse and select **the OSD / Microsoft Corporation User State Migration Tool for Windows 8 10.0.10240.16384** package. Then click **Next**.
+
+13. On the **Settings Package** page, select the **Create a new settings package** option, and in the **Package source folder to be created (UNC Path):** text box, type **\\\\CM01\\Sources$\\OSD\\Settings\\Windows 10 x64 Settings**. Then click **Next**.
+
+14. On the **Settings Details** page, assign the name **Windows 10 x64 Settings** and click **Next**.
+
+15. On the **Sysprep Package** page, click **Next** twice.
+
+16. On the **Confirmation** page, click **Finish**.
+
+## Edit the task sequence
+
+
+After you create the task sequence, we recommend that you configure the task sequence for an optimal deployment experience. The configurations include enabling support for Unified Extensible Firmware Interface (UEFI), dynamic organizational unit (OU) allocation, computer replace scenarios, and more.
+
+1.  On CM01, using the Configuration Manager Console, select **Task Sequences**, right-click **Windows 10 Enterprise x64 RTM** task sequence, and select **Edit**.
+
+2.  In the **Install** group, select the **Set Variable for Drive Letter** action and configure the following:
+
+    * OSDPreserveDriveLetter: True
+    
+    >[!NOTE]
+    >If you don't change this value, your Windows installation will end up in E:\\Windows.
+
+3.  In the **Post Install** group, select **Apply Network Settings**, and configure the Domain OU value to use the **Contoso / Workstations** OU (browse for values).
+
+4.  In the **Post Install** group, disable the **Auto Apply Drivers** action. (Disabling is done by selecting the action and, in the **Options** tab, selecting the **Disable this step** check box.)
+
+5.  After the disabled **Post Install / Auto Apply Drivers** action, add a new group name: **Drivers**.
+
+6.  After the **Post Install / Drivers** group, add an **Apply Driver Package** action with the following settings:
+
+    * Name: HP EliteBook 8560w
+
+    * Driver Package: Windows 10 x64 - HP EliteBook 8560w
+
+    * Options: Task Sequence Variable: Model equals HP EliteBook 8560w
+    
+    >[!NOTE]
+    >You also can add a Query WMI condition with the following query: SELECT \* FROM Win32\_ComputerSystem WHERE Model LIKE '%HP EliteBook 8560w%'
+    
+    ![Driver package options](../images/fig27-driverpackage.png "Driver package options")
+    
+    *Figure 24. The driver package options*
+
+7.  In the **State Restore / Install Applications** group, select the **Install Application** action.
+
+8.  Select the **Install the following applications** option, and add the OSD / Adobe Reader XI - OSD Install application to the list.
+
+    ![Add an application to the task sequence](../images/fig28-addapp.png "Add an application to the task sequence")
+
+    *Figure 25. Add an application to the Configuration Manager task sequence*
+
+9.  In the **State Restore** group, after the **Set Status 5** action, add a **Request State Store** action with the following settings:
+
+    * Restore state from another computer
+
+    * If computer account fails to connect to state store, use the Network Access account
+
+    * Options: Continue on error
+
+    * Options / Condition:
+    
+      * Task Sequence Variable
+      
+      * USMTLOCAL not equals True
+
+10. In the **State Restore** group, after the **Restore User State** action, add a **Release State Store** action with the following settings:
+
+    * Options: Continue on error
+
+    * Options / Condition:
+    
+      * Task Sequence Variable
+      
+      * USMTLOCAL not equals True
+
+11. Click **OK**.
+
+>[!NOTE]
+>The Request State Store and Release State Store actions need to be added for common computer replace scenarios.
+
+ 
+
+## Move the packages
+
+
+While creating the task sequence with the MDT wizard, a few operating system deployment packages were created. To move these packages to the OSD folder, take the following steps.
+
+1.  On CM01, using the Configuration Manager Console, in the Software Library workspace, expand **Application Management**, and then select **Packages**.
+
+2.  Select the **MDT** and **Windows 10 x64 Settings** packages, right-click and select **Move**.
+
+3.  In the **Move Selected Items** dialog box, select the **OSD** folder, and click **OK**.
+
+## Related topics
+
+
+[Integrate Configuration Manager with MDT](integrate-configuration-manager-with-mdt.md)
+
+[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](../deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
+
+[Create a custom Windows PE boot image with Configuration Manager](../deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
+
+[Add a Windows 10 operating system image using Configuration Manager](../deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md)
+
+[Create an application to deploy with Windows 10 using Configuration Manager](../deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
+
+[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](../deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
+
+[Deploy Windows 10 using PXE and Configuration Manager](../deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md)
+
+[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](../deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+
+[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](../deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
diff --git a/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md b/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md
index 895381896b..79b6610104 100644
--- a/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md
+++ b/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md
@@ -1,96 +1,97 @@
----
-title: Use the MDT database to stage Windows 10 deployment information (Windows 10)
-description: This topic is designed to teach you how to use the MDT database to pre-stage information on your Windows 10 deployment in a Microsoft SQL Server 2012 SP1 Express database, rather than include the information in a text file (CustomSettings.ini).
-ms.assetid: 8956ab54-90ba-45d3-a384-4fdec72c4d46
-ms.reviewer: 
-manager: laurawi
-ms.author: greglin
-ms.pagetype: mdt
-keywords: database, permissions, settings, configure, deploy
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.topic: article
----
-
-# Use the MDT database to stage Windows 10 deployment information
-
-This topic is designed to teach you how to use the MDT database to pre-stage information on your Windows 10 deployment in a Microsoft SQL Server 2012 SP1 Express database, rather than include the information in a text file (CustomSettings.ini). You can use this process, for example, to add the client machines you want to deploy, specify their computer names and IP addresses, indicate applications to be deployed, and determine many additional settings for the machines.
-
-## Database prerequisites
-
-MDT can use either SQL Server Express or full SQL Server, but since the deployment database isn't big, even in large enterprise environments, we recommend using the free SQL Server 2012 SP1 Express database in your environment.
-
->[!NOTE]
->Be sure to enable Named Pipes when configuring the SQL Server 2012 SP1 Express database. Although it is a legacy protocol, Named Pipes has proven to work well when connecting from Windows Preinstallation Environment (Windows PE) to the SQL Server database.
- 
-## Create the deployment database
-
-The MDT database is by default created and managed from the Deployment Workbench. In these steps, we assume you have installed SQL Server 2012 SP1 Express on MDT01.
-
->[!NOTE]
->Since SQL Server 2012 SP1 Express runs by default on a separate instance (SQLEXPRESS), the SQL Server Browser service must be running, and the firewall configured to allow traffic to it. Port 1433 TCP and port 1434 UDP need to be opened for inbound traffic on MDT01.
- 
-1.  On MDT01, using Deployment Workbench, expand the MDT Production deployment share, expand **Advanced Configuration**, right-click **Database**, and select **New Database**.
-2.  In the New DB Wizard, on the **SQL Server Details** page, enter the following settings and click **Next**:
-    1.  SQL Server Name: MDT01
-    2.  Instance: SQLEXPRESS
-    3.  Port: <blank>
-    4.  Network Library: Named Pipes
-3.  On the **Database** page, select **Create a new database**; in the **Database** field, type **MDT** and click **Next**.
-4.  On the **SQL Share** page, in the **SQL Share** field, type **Logs$** and click **Next**. Click **Next** again and then click **Finish**.
-
-![figure 8](../images/mdt-09-fig08.png)
-
-Figure 8. The MDT database added to MDT01.
-
-## Configure database permissions
-
-After creating the database, you need to assign permissions to it. In MDT, the account you used to run the deployment is used to access the database. In this environment, the network access account is MDT\_BA.
-1.  On MDT01, start SQL Server Management Studio.
-2.  In the **Connect to Server** dialog box, in the **Server name** list, select **MDT01\\SQLEXPRESS** and click **Connect**.
-3.  In the **Object Explorer** pane, expand the top-level **Security** node, right-click **Logins**, and select **New Login**.
-
-    ![figure 9](../images/mdt-09-fig09.png)
-
-    Figure 9. The top-level Security node.
-
-4.  On the **Login - New** page, next to the **Login** name field, click **Search**, and search for **CONTOSO\\MDT\_BA**. Then in the left pane, select **User Mapping**. Select the **MDT** database, and assign the following roles:
-    1.  db\_datareader
-    2.  public (default)
-5.  Click **OK**, and close SQL Server Management Studio.
-
-![figure 10](../images/mdt-09-fig10.png)
-
-Figure 10. Creating the login and settings permissions to the MDT database.
-
-## Create an entry in the database
-
-To start using the database, you add a computer entry and assign a description and computer name. Use the computer's MAC Address as the identifier.
-1.  On MDT01, using the Deployment Workbench, in the MDT Production deployment share, expand **Advanced Configuration**, and expand **Database**.
-2.  Right-click **Computers**, select **New**, and add a computer entry with the following settings:
-    1.  Description: New York Site - PC00075
-    2.  MacAddress: <PC00075 MAC Address in the 00:00:00:00:00:00 format>
-    3.  Details Tab / OSDComputerName: PC00075
-
-![figure 11](../images/mdt-09-fig11.png)
-
-Figure 11. Adding the PC00075 computer to the database.
-
-## Related topics
-
-[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
-
-[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
-
-[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
-
-[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
-
-[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
-
-[Use web services in MDT](use-web-services-in-mdt.md)
-
-[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
+---
+title: Use MDT database to stage Windows 10 deployment info (Windows 10)
+description: This topic is designed to teach you how to use the MDT database to pre-stage information on your Windows 10 deployment in a Microsoft SQL Server 2012 SP1 Express database, rather than include the information in a text file (CustomSettings.ini).
+ms.assetid: 8956ab54-90ba-45d3-a384-4fdec72c4d46
+ms.reviewer: 
+manager: laurawi
+ms.author: greglin
+ms.pagetype: mdt
+keywords: database, permissions, settings, configure, deploy
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Use the MDT database to stage Windows 10 deployment information
+
+This topic is designed to teach you how to use the MDT database to pre-stage information on your Windows 10 deployment in a Microsoft SQL Server 2012 SP1 Express database, rather than include the information in a text file (CustomSettings.ini). You can use this process, for example, to add the client machines you want to deploy, specify their computer names and IP addresses, indicate applications to be deployed, and determine many additional settings for the machines.
+
+## Database prerequisites
+
+MDT can use either SQL Server Express or full SQL Server, but since the deployment database isn't big, even in large enterprise environments, we recommend using the free SQL Server 2012 SP1 Express database in your environment.
+
+>[!NOTE]
+>Be sure to enable Named Pipes when configuring the SQL Server 2012 SP1 Express database. Although it is a legacy protocol, Named Pipes has proven to work well when connecting from Windows Preinstallation Environment (Windows PE) to the SQL Server database.
+ 
+## Create the deployment database
+
+The MDT database is by default created and managed from the Deployment Workbench. In these steps, we assume you have installed SQL Server 2012 SP1 Express on MDT01.
+
+>[!NOTE]
+>Since SQL Server 2012 SP1 Express runs by default on a separate instance (SQLEXPRESS), the SQL Server Browser service must be running, and the firewall configured to allow traffic to it. Port 1433 TCP and port 1434 UDP need to be opened for inbound traffic on MDT01.
+ 
+1.  On MDT01, using Deployment Workbench, expand the MDT Production deployment share, expand **Advanced Configuration**, right-click **Database**, and select **New Database**.
+2.  In the New DB Wizard, on the **SQL Server Details** page, enter the following settings and click **Next**:
+    1.  SQL Server Name: MDT01
+    2.  Instance: SQLEXPRESS
+    3.  Port: <blank>
+    4.  Network Library: Named Pipes
+3.  On the **Database** page, select **Create a new database**; in the **Database** field, type **MDT** and click **Next**.
+4.  On the **SQL Share** page, in the **SQL Share** field, type **Logs$** and click **Next**. Click **Next** again and then click **Finish**.
+
+![figure 8](../images/mdt-09-fig08.png)
+
+Figure 8. The MDT database added to MDT01.
+
+## Configure database permissions
+
+After creating the database, you need to assign permissions to it. In MDT, the account you used to run the deployment is used to access the database. In this environment, the network access account is MDT\_BA.
+1.  On MDT01, start SQL Server Management Studio.
+2.  In the **Connect to Server** dialog box, in the **Server name** list, select **MDT01\\SQLEXPRESS** and click **Connect**.
+3.  In the **Object Explorer** pane, expand the top-level **Security** node, right-click **Logins**, and select **New Login**.
+
+    ![figure 9](../images/mdt-09-fig09.png)
+
+    Figure 9. The top-level Security node.
+
+4.  On the **Login - New** page, next to the **Login** name field, click **Search**, and search for **CONTOSO\\MDT\_BA**. Then in the left pane, select **User Mapping**. Select the **MDT** database, and assign the following roles:
+    1.  db\_datareader
+    2.  public (default)
+5.  Click **OK**, and close SQL Server Management Studio.
+
+![figure 10](../images/mdt-09-fig10.png)
+
+Figure 10. Creating the login and settings permissions to the MDT database.
+
+## Create an entry in the database
+
+To start using the database, you add a computer entry and assign a description and computer name. Use the computer's MAC Address as the identifier.
+1.  On MDT01, using the Deployment Workbench, in the MDT Production deployment share, expand **Advanced Configuration**, and expand **Database**.
+2.  Right-click **Computers**, select **New**, and add a computer entry with the following settings:
+    1.  Description: New York Site - PC00075
+    2.  MacAddress: <PC00075 MAC Address in the 00:00:00:00:00:00 format>
+    3.  Details Tab / OSDComputerName: PC00075
+
+![figure 11](../images/mdt-09-fig11.png)
+
+Figure 11. Adding the PC00075 computer to the database.
+
+## Related topics
+
+[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
+
+[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
+
+[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
+
+[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
+
+[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
+
+[Use web services in MDT](use-web-services-in-mdt.md)
+
+[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
diff --git a/windows/deployment/deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
index e86096e831..19ffe1ae2a 100644
--- a/windows/deployment/deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
@@ -1,107 +1,108 @@
----
-title: Create an application to deploy with Windows 10 using Configuration Manager (Windows 10)
-description: Microsoft System Center 2012 R2 Configuration Manager supports deploying applications as part of the Windows 10 deployment process.
-ms.assetid: 2dfb2f39-1597-4999-b4ec-b063e8a8c90c
-ms.reviewer: 
-manager: laurawi
-ms.author: greglin
-keywords: deployment, task sequence, custom, customize
-ms.prod: w10
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.topic: article
----
-
-# Create an application to deploy with Windows 10 using Configuration Manager
-
-
-**Applies to**
-
--   Windows 10 versions 1507, 1511
-
->[!IMPORTANT]
->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). 
->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10).
-
-Microsoft System Center 2012 R2 Configuration Manager supports deploying applications as part of the Windows 10 deployment process. In this section, you create an application in System Center 2012 R2 Configuration Manager that you later configure the task sequence to use.
-
-For the purposes of this topic, we will use CM01, a machine running Windows Server 2012 R2 Standard that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-
->[!NOTE]
->Even though the new application model is fully supported to deploy via the task sequence, the most reliable way to deploy software via the task sequence is still the legacy packages, especially if you deploy many applications.
-
-## Example: Create the Adobe Reader XI application
-
-
-The following steps show you how to create the Adobe Reader XI application. This section assumes that you have downloaded the MSI version of Adobe Reader XI to the C:\\Setup\\Adobe Reader XI folder on CM01.
-
-1.  On CM01, using File Explorer, copy the **C:\\Setup\\Adobe Reader XI** folder to the **E:\\Sources\\Software\\Adobe** folder.
-
-2.  Using the Configuration Manager Console, in the Software Library workspace, expand **Application Management**.
-
-3.  Right-click **Applications** and select **Folder / Create Folder**. Assign the name **OSD**.
-
-4.  Right-click the **OSD** folder, and select **Create Application**.
-
-5.  In the Create Application Wizard, on the **General** page, use the following settings:
-
-    * Automatically detect information about this application from installation files
-
-    * Type: Windows Installer (\*.msi file)
-
-    * Location: \\\\CM01\\Sources$\\Software\\Adobe\\Adobe Reader XI
-
-    * \\AdbeRdr11000\_en\_US.msi
-
-    ![The Create Application Wizard](../images/mdt-06-fig20.png "The Create Application Wizard")
-
-    *Figure 19. The Create Application Wizard*
-
-6.  Click **Next**, and wait while Configuration Manager parses the MSI file.
-
-7.  On the **Import Information** page, review the information and then click **Next**.
-
-8.  On the **General Information** page, name the application Adobe Reader XI - OSD Install, click **Next** twice, and then click **Close**.
-
-    >[!NOTE]
-    >Because it is not possible to reference an application deployment type in the task sequence, you should have a single deployment type for applications deployed by the task sequence. If you are deploying applications via both the task sequence and normal application deployment, and you have multiple deployment types, you should have two applications of the same software. In this section, you add the "OSD Install" suffix to applications that are deployed via the task sequence. If using packages, you can still reference both package and program in the task sequence.
-  
-    ![Add the OSD Install suffix to the application name](../images/mdt-06-fig21.png "Add the OSD Install suffix to the application name")
-  
-    *Figure 20. Add the "OSD Install" suffix to the application name*
-
-9.  In the **Applications** node, select the Adobe Reader XI - OSD Install application, and click **Properties** on the ribbon bar.
-
-10. In the **General Information** tab, select the **Allow this application to be installed from the Install Application task sequence action without being deployed** check box, and click **OK**.
-
-## Related topics
-
-
-[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
-
-[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-
-[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-
-[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
-
-[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-
-[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
-
-[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
-
-[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
- 
-
- 
-
-
-
-
-
+---
+title: Create an app to deploy with Windows 10 using Configuration Manager
+description: Microsoft System Center 2012 R2 Configuration Manager supports deploying applications as part of the Windows 10 deployment process.
+ms.assetid: 2dfb2f39-1597-4999-b4ec-b063e8a8c90c
+ms.reviewer: 
+manager: laurawi
+ms.author: greglin
+keywords: deployment, task sequence, custom, customize
+ms.prod: w10
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Create an application to deploy with Windows 10 using Configuration Manager
+
+
+**Applies to**
+
+-   Windows 10 versions 1507, 1511
+
+>[!IMPORTANT]
+>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). 
+>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10).
+
+Microsoft System Center 2012 R2 Configuration Manager supports deploying applications as part of the Windows 10 deployment process. In this section, you create an application in System Center 2012 R2 Configuration Manager that you later configure the task sequence to use.
+
+For the purposes of this topic, we will use CM01, a machine running Windows Server 2012 R2 Standard that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
+
+>[!NOTE]
+>Even though the new application model is fully supported to deploy via the task sequence, the most reliable way to deploy software via the task sequence is still the legacy packages, especially if you deploy many applications.
+
+## Example: Create the Adobe Reader XI application
+
+
+The following steps show you how to create the Adobe Reader XI application. This section assumes that you have downloaded the MSI version of Adobe Reader XI to the C:\\Setup\\Adobe Reader XI folder on CM01.
+
+1.  On CM01, using File Explorer, copy the **C:\\Setup\\Adobe Reader XI** folder to the **E:\\Sources\\Software\\Adobe** folder.
+
+2.  Using the Configuration Manager Console, in the Software Library workspace, expand **Application Management**.
+
+3.  Right-click **Applications** and select **Folder / Create Folder**. Assign the name **OSD**.
+
+4.  Right-click the **OSD** folder, and select **Create Application**.
+
+5.  In the Create Application Wizard, on the **General** page, use the following settings:
+
+    * Automatically detect information about this application from installation files
+
+    * Type: Windows Installer (\*.msi file)
+
+    * Location: \\\\CM01\\Sources$\\Software\\Adobe\\Adobe Reader XI
+
+    * \\AdbeRdr11000\_en\_US.msi
+
+    ![The Create Application Wizard](../images/mdt-06-fig20.png "The Create Application Wizard")
+
+    *Figure 19. The Create Application Wizard*
+
+6.  Click **Next**, and wait while Configuration Manager parses the MSI file.
+
+7.  On the **Import Information** page, review the information and then click **Next**.
+
+8.  On the **General Information** page, name the application Adobe Reader XI - OSD Install, click **Next** twice, and then click **Close**.
+
+    >[!NOTE]
+    >Because it is not possible to reference an application deployment type in the task sequence, you should have a single deployment type for applications deployed by the task sequence. If you are deploying applications via both the task sequence and normal application deployment, and you have multiple deployment types, you should have two applications of the same software. In this section, you add the "OSD Install" suffix to applications that are deployed via the task sequence. If using packages, you can still reference both package and program in the task sequence.
+  
+    ![Add the OSD Install suffix to the application name](../images/mdt-06-fig21.png "Add the OSD Install suffix to the application name")
+  
+    *Figure 20. Add the "OSD Install" suffix to the application name*
+
+9.  In the **Applications** node, select the Adobe Reader XI - OSD Install application, and click **Properties** on the ribbon bar.
+
+10. In the **General Information** tab, select the **Allow this application to be installed from the Install Application task sequence action without being deployed** check box, and click **OK**.
+
+## Related topics
+
+
+[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
+
+[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
+
+[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
+
+[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
+
+[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
+
+[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
+
+[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
+
+[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+
+[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+
+ 
+
+ 
+
+
+
+
+
diff --git a/windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md b/windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
index 097ab5c60f..b695cf75f7 100644
--- a/windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
@@ -1,5 +1,5 @@
 ---
-title: Finalize the operating system configuration for Windows 10 deployment with Configuration Manager (Windows 10)
+title: Finalize operating system configuration for Windows 10 deployment
 description: This topic walks you through the steps to finalize the configuration of your Windows 10 operating deployment, which includes enablement of the optional Microsoft Deployment Toolkit (MDT) monitoring for Microsoft System Center 2012 R2 Configuration Manager, logs folder creation, rules configuration, content distribution, and deployment of the previously created task sequence.
 ms.assetid: 38b55fa8-e717-4689-bd43-8348751d493e
 ms.reviewer: 
diff --git a/windows/deployment/deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md b/windows/deployment/deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md
index c0e59fd398..d5fce49214 100644
--- a/windows/deployment/deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md
@@ -1,88 +1,89 @@
----
-title: Monitor the Windows 10 deployment with Configuration Manager (Windows 10)
-description: In this topic, you will learn how to monitor a Windows 10 deployment that was started previously using Microsoft System Center 2012 R2 Configuration Manager and the Microsoft Deployment Toolkit (MDT) Deployment Workbench.
-ms.assetid: 4863c6aa-6369-4171-8e1a-b052ca195fce
-ms.reviewer: 
-manager: laurawi
-ms.author: greglin
-keywords: deploy, upgrade
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.topic: article
----
-
-# Monitor the Windows 10 deployment with Configuration Manager
-
-
-**Applies to**
-
--   Windows 10 versions 1507, 1511
-
->[!IMPORTANT]
->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). 
->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10).
-
-In this topic, you will learn how to monitor a Windows 10 deployment that was started previously using Microsoft System Center 2012 R2 Configuration Manager and the Microsoft Deployment Toolkit (MDT) Deployment Workbench. You will also use the Deployment Workbench to access the computer remotely via the Microsoft Diagnostics and Recovery Toolkit (DaRT) Remote Connection feature.
-
-For the purposes of this topic, we will use four machines: DC01, CM01, and PC0001. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. PC0001 is a Unified Extensible Firmware Interface (UEFI) machine to which Windows 10 Enterprise has been deployed. DC01, CM01, and PC0001 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-
-To monitor an operating system deployment conducted through System Center 2012 R2 Configuration Manager, you will use the Deployment Workbench in MDT as follows:
-
-1.  On CM01, using the Deployment Workbench, expand **MDT Production**, and use the **Monitoring** node to view the deployment process (press **F5** to refresh).
-
-    >[!NOTE]
-    >It takes a little while for the task sequence to start reporting monitor information, so if PC0001 does not appear when you press F5 the first time, wait 20 seconds and try again.
-
-    ![PC0001 being deployed by Configuration Manager](../images/mdt-06-fig39.png)
-    
-    *Figure 33. PC0001 being deployed by Configuration Manager*
-
-2.  When you see the PC0001 entry, double-click **PC0001**, and then click **DaRT Remote Control** and review the **Remote Control** option.
-
-3.  The task sequence will now run and do the following:
-
-    * Install the Windows 10 operating system.
-
-    * Install the Configuration Manager client and the client hotfix.
-
-    * Join the machine to the domain.
-
-    * Install the application added to the task sequence.
-    
-    >[!NOTE]
-    >You also can use the built-in reports to get information about ongoing deployments. For example, a task sequence report gives you a quick overview of the task sequence progress.
-  
-4.  If time permits, allow the deployment of PC0001 to complete. Then log in as Administrator in the CONTOSO domain and verify that Adobe Reader XI was installed.
-
-## Related topics
-
-
-[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
-
-[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-
-[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-
-[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
-
-[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-
-[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-
-[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
-
-[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
- 
-
- 
-
-
-
-
-
+---
+title: Monitor the Windows 10 deployment with Configuration Manager
+description: In this topic, you will learn how to monitor a Windows 10 deployment that was started previously using Microsoft System Center 2012 R2 Configuration Manager and the Microsoft Deployment Toolkit (MDT) Deployment Workbench.
+ms.assetid: 4863c6aa-6369-4171-8e1a-b052ca195fce
+ms.reviewer: 
+manager: laurawi
+ms.author: greglin
+keywords: deploy, upgrade
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Monitor the Windows 10 deployment with Configuration Manager
+
+
+**Applies to**
+
+-   Windows 10 versions 1507, 1511
+
+>[!IMPORTANT]
+>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). 
+>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10).
+
+In this topic, you will learn how to monitor a Windows 10 deployment that was started previously using Microsoft System Center 2012 R2 Configuration Manager and the Microsoft Deployment Toolkit (MDT) Deployment Workbench. You will also use the Deployment Workbench to access the computer remotely via the Microsoft Diagnostics and Recovery Toolkit (DaRT) Remote Connection feature.
+
+For the purposes of this topic, we will use four machines: DC01, CM01, and PC0001. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. PC0001 is a Unified Extensible Firmware Interface (UEFI) machine to which Windows 10 Enterprise has been deployed. DC01, CM01, and PC0001 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
+
+To monitor an operating system deployment conducted through System Center 2012 R2 Configuration Manager, you will use the Deployment Workbench in MDT as follows:
+
+1.  On CM01, using the Deployment Workbench, expand **MDT Production**, and use the **Monitoring** node to view the deployment process (press **F5** to refresh).
+
+    >[!NOTE]
+    >It takes a little while for the task sequence to start reporting monitor information, so if PC0001 does not appear when you press F5 the first time, wait 20 seconds and try again.
+
+    ![PC0001 being deployed by Configuration Manager](../images/mdt-06-fig39.png)
+    
+    *Figure 33. PC0001 being deployed by Configuration Manager*
+
+2.  When you see the PC0001 entry, double-click **PC0001**, and then click **DaRT Remote Control** and review the **Remote Control** option.
+
+3.  The task sequence will now run and do the following:
+
+    * Install the Windows 10 operating system.
+
+    * Install the Configuration Manager client and the client hotfix.
+
+    * Join the machine to the domain.
+
+    * Install the application added to the task sequence.
+    
+    >[!NOTE]
+    >You also can use the built-in reports to get information about ongoing deployments. For example, a task sequence report gives you a quick overview of the task sequence progress.
+  
+4.  If time permits, allow the deployment of PC0001 to complete. Then log in as Administrator in the CONTOSO domain and verify that Adobe Reader XI was installed.
+
+## Related topics
+
+
+[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
+
+[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
+
+[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
+
+[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
+
+[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
+
+[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
+
+[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
+
+[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+
+[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+
+ 
+
+ 
+
+
+
+
+
diff --git a/windows/deployment/planning/TOC.md b/windows/deployment/planning/TOC.md
index c9dd77d2d6..fc4cb8fefa 100644
--- a/windows/deployment/planning/TOC.md
+++ b/windows/deployment/planning/TOC.md
@@ -6,11 +6,8 @@
 
 ## Features removed or planned for replacement
 ### [Windows 10 features lifecycle](features-lifecycle.md)
-### [Windows 10, version 1903](windows-10-1903-removed-features.md)
-### [Windows 10, version 1809](windows-10-1809-removed-features.md)
-### [Windows 10, version 1803](windows-10-1803-removed-features.md)
-### [Windows 10, version 1709](windows-10-1709-removed-features.md)
-### [Windows 10, version 1703](windows-10-1703-removed-features.md)
+### [Features we're no longer developing](windows-10-deprecated-features.md)
+### [Features we removed](windows-10-removed-features.md)
 
 ## Application Compatibility Toolkit (ACT)
 ### [Application Compatibility Toolkit (ACT) Technical Reference](act-technical-reference.md)
diff --git a/windows/deployment/planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md b/windows/deployment/planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md
index c434f06486..bb66b25095 100644
--- a/windows/deployment/planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md
+++ b/windows/deployment/planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md
@@ -1,5 +1,5 @@
 ---
-title: Creating a Custom Compatibility Mode in Compatibility Administrator (Windows 10)
+title: Create a Custom Compatibility Mode (Windows 10)
 description: Windows® provides several compatibility modes, groups of compatibility fixes found to resolve many common application-compatibility issues.
 ms.assetid: 661a1c0d-267f-4a79-8445-62a9a98d09b0
 ms.reviewer: 
diff --git a/windows/deployment/planning/creating-an-apphelp-message-in-compatibility-administrator.md b/windows/deployment/planning/creating-an-apphelp-message-in-compatibility-administrator.md
index e4ebfef4e3..8d8da0f126 100644
--- a/windows/deployment/planning/creating-an-apphelp-message-in-compatibility-administrator.md
+++ b/windows/deployment/planning/creating-an-apphelp-message-in-compatibility-administrator.md
@@ -1,5 +1,5 @@
 ---
-title: Creating an AppHelp Message in Compatibility Administrator (Windows 10)
+title: Create AppHelp Message in Compatibility Administrator (Windows 10)
 description: The Compatibility Administrator tool enables you to create an AppHelp text message. This is a blocking or non-blocking message that appears when a user starts an application that you know has major functionality issues on the Windows® operating system.
 ms.assetid: 5c6e89f5-1942-4aa4-8439-ccf0ecd02848
 ms.reviewer: 
diff --git a/windows/deployment/planning/features-lifecycle.md b/windows/deployment/planning/features-lifecycle.md
index 1e0d36aca0..a59b98bcff 100644
--- a/windows/deployment/planning/features-lifecycle.md
+++ b/windows/deployment/planning/features-lifecycle.md
@@ -1,39 +1,44 @@
----
-title: Windows 10 features lifecycle
-description: Learn about the lifecycle of Windows 10 features
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.localizationpriority: medium
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-manager: laurawi
-ms.author: greglin
-ms.topic: article
----
-# Windows 10 features lifecycle
-
-- Applies to: Windows 10
-
-Each release of Windows 10 contains many new and improved features. Occasionally we also remove features and functionality, usually because there is a better option.
-
-## Features removed or planned for replacement
-
-See the following for details about feature support for each release of Windows 10.
-
-[Windows 10, version 1903](windows-10-1903-removed-features.md)

-[Windows 10, version 1809](windows-10-1809-removed-features.md)

-[Windows 10, version 1803](windows-10-1803-removed-features.md)

-[Windows 10, version 1709](windows-10-1709-removed-features.md)

-[Windows 10, version 1703](windows-10-1703-removed-features.md)
-
-Also see: [Windows 10 release information](https://docs.microsoft.com/windows/release-information/)
-
-## Terminology
-
-The following terms can be used to describe the status that might be assigned to a feature during its lifecycle. 
-
-- **Deprecation**: The stage of the product lifecycle when a feature or functionality is no longer in active development and may be removed in future releases of a product or online service.
-- **End of support**: The stage of the product lifecycle when support and servicing are no longer available for a product.
-- **Retirement**: The stage of the product lifecycle when an online service is shut down so that it is no longer available for use.
-- **Remove or retire a feature**: The stage of the product lifecycle when a feature or functionality is removed from an online service after it has been deprecated.
-- **Replace a feature**: The stage of the product lifecycle when a feature or functionality in an online service is replaced with a different feature or functionality.
+---
+title: Windows 10 features lifecycle
+description: Learn about the lifecycle of Windows 10 features
+ms.prod: w10
+ms.mktglfcycl: plan
+ms.localizationpriority: medium
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+manager: laurawi
+ms.author: greglin
+ms.topic: article
+---
+# Windows 10 features lifecycle
+
+- Applies to: Windows 10
+
+Each release of Windows 10 contains many new and improved features. Occasionally we also remove features and functionality, usually because there is a better option.
+
+## Features no longer being developed
+
+The following topic lists features that are no longer being developed. These features might be removed in a future release.
+
+[Windows 10 features we’re no longer developing](windows-10-deprecated-features.md)
+
+## Features removed
+
+The following topic has details about features that have been removed from Windows 10.
+
+[Windows 10 features we removed](windows-10-removed-features.md)
+
+## Terminology
+
+The following terms can be used to describe the status that might be assigned to a feature during its lifecycle. 
+
+- **Deprecation**: The stage of the product lifecycle when a feature or functionality is no longer in active development and may be removed in future releases of a product or online service.
+- **End of support**: The stage of the product lifecycle when support and servicing are no longer available for a product.
+- **Retirement**: The stage of the product lifecycle when an service is shut down so that it is no longer available for use.
+- **Remove or retire a feature**: The stage of the product lifecycle when a feature or functionality is removed from a service after it has been deprecated.
+- **Replace a feature**: The stage of the product lifecycle when a feature or functionality in a service is replaced with a different feature or functionality.
+
+## Also see
+
+[Windows 10 release information](https://docs.microsoft.com/windows/release-information/)
diff --git a/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md b/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md
index f8f502fe93..e066e2b214 100644
--- a/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md
+++ b/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md
@@ -1,5 +1,5 @@
 ---
-title: Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator (Windows 10)
+title: Install/Uninstall Custom Databases (Windows 10)
 description: The Compatibility Administrator tool enables the creation and the use of custom-compatibility and standard-compatibility databases.
 ms.assetid: 659c9d62-5f32-433d-94aa-12141c01368f
 ms.reviewer: 
diff --git a/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md b/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md
index 5bc84062d1..6135a8daf8 100644
--- a/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md
+++ b/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md
@@ -30,13 +30,8 @@ You can access the Query tool from within Compatibility Administrator. The Query
 
 For information about the Search feature, see [Searching for Fixed Applications in Compatibility Administrator](searching-for-fixed-applications-in-compatibility-administrator.md). However, the Query tool provides more detailed search criteria, including tabs that enable you to search the program properties, the compatibility fix properties, and the fix description. You can perform a search by using SQL SELECT and WHERE clauses, in addition to searching specific types of databases.
 
-<<<<<<< HEAD
 > [!IMPORTANT]
 > You must perform your search with the correct version of the Compatibility Administrator tool. To use the Query tool to search for a 32-bit custom database, you must use the 32-bit version of Compatibility Administrator. To use the Query tool to search for a 64-bit custom database, you must use the 64-bit version of Compatibility Administrator.
-=======
->[!IMPORTANT]
->You must perform your search with the correct version of the Compatibility Administrator tool. To use the Query tool to search for a 32-bit custom database, you must use the 32-bit version of Compatibility Administrator. To use the Query tool to search for a 64-bit custom database, you must use the 64-bit version of Compatibility Administrator.
->>>>>>> bfaab3359a63dde24e6d0dca11b841e045c481f6
 
 ## Querying by Using the Program Properties Tab
 
diff --git a/windows/deployment/planning/windows-10-1703-removed-features.md b/windows/deployment/planning/windows-10-1703-removed-features.md
deleted file mode 100644
index 24b5b1b1d9..0000000000
--- a/windows/deployment/planning/windows-10-1703-removed-features.md
+++ /dev/null
@@ -1,34 +0,0 @@
----
-title: Windows 10, version 1703 removed features
-description: Learn about features that were removed in Windows 10, version 1703
-ms.prod: w10
-manager: laurawi
-ms.mktglfcycl: plan
-ms.localizationpriority: medium
-ms.sitesec: library
-author: greg-lindsay
-ms.topic: article
----
-# Features that are removed or deprecated in Windows 10, version 1703
-
-> Applies to: Windows 10, version 1703
-
-The following features and functionalities in the Windows 10 Creators Update edition (Windows 10, version 1703) have either been removed from the product in the current release (*Removed*) or are not in active development and are planned for potential removal in subsequent releases.
-
-This list is intended for IT professionals who are updating operating systems in a commercial environment. The plan and list are subject to change and may not include every deprecated feature or functionality. For more details about a listed feature or functionality and its replacement, see the documentation for that feature.
-
-| Feature    | Removed | Not actively developed |
-|------------|---------|------------|
-|Apndatabase.xml is being replaced by the COSA database. Therefore, some constructs will no longer function. This includes Hardware ID, incoming SMS messaging rules in mobile apps, a list of privileged apps in mobile apps, autoconnect order, APN parser, and CDMAProvider ID. | | X |
-|Apps Corner| | X |
-|By default, Flash autorun in Edge is turned off. Use the Click-to-Run (C2R) option instead. (This setting can be changed by the user.)| X | |
-|Interactive Service Detection Service| X | |
-|Microsoft Paint for languages that are not on the [full localization list](https://www.microsoft.com/windows/windows-10-specifications#Windows-10-localization)| | |
-|NPN support in TLS (superseded by ALPN)| X | |
-|Reading List | | X |
-|Tile Data Layer | | X |
-|TLS DHE_DSS ciphers DisabledByDefault| | X |
-|Windows Information Protection "AllowUserDecryption" policy | X | |
-|WSUS for Windows Mobile, updates are being transitioned to the new Unified Update Platform (UUP) | X | |
-|TCPChimney | | X |
-|IPsec task offload| | X |
diff --git a/windows/deployment/planning/windows-10-1709-removed-features.md b/windows/deployment/planning/windows-10-1709-removed-features.md
deleted file mode 100644
index 5a745277d5..0000000000
--- a/windows/deployment/planning/windows-10-1709-removed-features.md
+++ /dev/null
@@ -1,47 +0,0 @@
----
-title: Windows 10, version 1709 removed features
-description: Learn about features that will be removed in Windows 10, version 1709
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.localizationpriority: medium
-ms.sitesec: library
-audience: ITPro
-author: greg-lindsay
-manager: laurawi
-ms.topic: article
----
-# Features that are removed or deprecated in Windows 10, version 1709
-
-> Applies to: Windows 10, version 1709
-
-The following features and functionalities in the Windows 10, version 1709 are either removed from the product in the current release (*Removed*) or are not in active development and might be removed in future releases.
-
-This list is intended to help customers consider these removals and deprecations for their own planning. The list is subject to change and may not include every deprecated feature or functionality.
-
-For more information about a listed feature or functionality and its replacement, see the documentation for that feature. You can also follow the provided links in this table to see additional resources. 
-
-| Feature  | Removed | Not actively developed |
--|-|-
-|**3D Builder app**  
 No longer installed by default. Consider using Print 3D and Paint 3D in its place. However, 3D Builder is still available for download from the Windows Store. | X | |
-|**Apndatabase.xml**  
    For more information about the replacement database, see the following Hardware Dev Center articles: 
 [MO Process to update COSA](/windows-hardware/drivers/mobilebroadband/planning-your-apn-database-submission) 
 [COSA FAQ](/windows-hardware/drivers/mobilebroadband/cosa---faq) | X | |
-|**Enhanced Mitigation Experience Toolkit (EMET)**  
Use will be blocked. Consider using [Exploit Protection](https://blogs.windows.com/windowsexperience/2017/06/28/announcing-windows-10-insider-preview-build-16232-pc-build-15228-mobile/#fMH3bUDAb5HEstZ5.97) as a replacement.| X | |
-|**IIS 6 Management Compatibility**  
 We recommend that users use alternative scripting tools and a newer management console. | | X |
-|**IIS Digest Authentication**  
 We recommend that users use alternative authentication methods.| | X |
-|**Microsoft Paint**  
 Will be available through the Windows Store. Functionality integrated into Paint 3D.| | X |
-|**Outlook Express**  
  Removing this non-functional legacy code.| X | |
-|**Reader app**  
  Functionality to be integrated into Microsoft Edge.| X | |
-|**Reading List** 
 Functionality to be integrated into Microsoft Edge.| X | |
-|**Resilient File System (ReFS)**  
  Creation ability will be available in the following editions only: Windows 10 Enterprise and Windows 10 Pro for Workstations.  Creation ability will be removed from all other editions. All other editions will have Read and Write ability. 
 (added: August 17, 2017)| | X |
-|**RSA/AES Encryption for IIS**  
  We recommend that users use CNG encryption provider.| | X |
-|**Screen saver functionality in Themes** 
  Disabled in Themes (classified as **Removed** in this table). Screen saver functionality in Group Policies, Control Panel, and Sysprep continues to be functional. Lockscreen features and policies are preferred. | X | X |
-|**Sync your settings** 
 Back-end changes: In future releases, the back-end storage for the current sync process will change. A single cloud storage system will be used for Enterprise State Roaming and all other users. The "Sync your settings" options and the Enterprise State Roaming feature will continue to work. 
(updated: August 17, 2017) |  | X |
-|**Syskey.exe** 
 Removing this nonsecure security feature. We recommend that users use BitLocker instead. For more information, see the following Knowledge Base article: [4025993 Syskey.exe utility is no longer supported in Windows 10 RS3 and Windows Server 2016 RS3](https://support.microsoft.com/help/4025993/syskey-exe-utility-is-no-longer-supported-in-windows-10-rs3-and-window)| X | |
-|**System Image Backup (SIB) Solution** 
 We recommend that users use full-disk backup solutions from other vendors.| | X |
-|**TCP Offload Engine** 
 Removing this legacy code. This functionality was previously transitioned to the Stack TCP Engine. For more information, see the following PFE Platform Blog article: [Why Are We Deprecating Network Performance Features?](https://blogs.technet.microsoft.com/askpfeplat/2017/06/13/why-are-we-deprecating-network-performance-features-kb4014193)| X ||
-|**Tile Data Layer** 
 To be replaced by the Tile Store.| X ||
-|**TLS RC4 Ciphers** 
 To be disabled by default. For more information, see the following Windows IT Center topic: [TLS (Schannel SSP) changes in Windows 10 and Windows Server 2016](/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server)|| X|
-|**Trusted Platform Module (TPM) Owner Password Management**  
This legacy code to be removed.|| X |
-|**Trusted Platform Module (TPM): TPM.msc and TPM Remote Management** 
 To be replaced by a new user interface in a future release.| | X |
-|**Trusted Platform Module (TPM) Remote Management** 
This legacy code to be removed in a future release.|| X |
-|**Windows Hello for Business deployment that uses System Center Configuration Manager** 
  Windows Server 2016 Active Directory Federation Services – Registration Authority (ADFS RA) deployment is simpler and provides a better user experience and a more deterministic certificate enrollment experience.|| X |
-|**Windows PowerShell 2.0** 
 Applications and components should be migrated to PowerShell 5.0+.| | X |
diff --git a/windows/deployment/planning/windows-10-1803-removed-features.md b/windows/deployment/planning/windows-10-1803-removed-features.md
deleted file mode 100644
index 562f287c68..0000000000
--- a/windows/deployment/planning/windows-10-1803-removed-features.md
+++ /dev/null
@@ -1,58 +0,0 @@
----
-title: Windows 10, version 1803 - Features that have been removed
-description: Learn about features that will be removed or deprecated in Windows 10, version 1803, or a future release
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.localizationpriority: medium
-ms.sitesec: library
-audience: itpro
-author: greg-lindsay
-ms.author: greglin
-ms.date: 08/16/2018
-ms.reviewer: 
-manager: laurawi
-ms.topic: article
----
-# Features removed or planned for replacement starting with Windows 10, version 1803
-
-> Applies to: Windows 10, version 1803
-
-Each release of Windows 10 adds new features and functionality; we also occasionally remove features and functionality, usually because we've added a better option. Here are the details about the features and functionalities that we removed in Windows 10, version 1803 (also called Windows 10 April 2018 Update).   
-
-> [!TIP]
-> - You can get early access to Windows 10 builds by joining the [Windows Insider program](https://insider.windows.com) - this is a great way to test feature changes.
-- Have questions about other releases? Check out the information for [Features that are removed or deprecated in Windows 10, version 1703](https://docs.microsoft.com/windows/deployment/planning/windows-10-1703-removed-features), [Features that are removed or deprecated in Windows 10, version 1709](https://docs.microsoft.com/windows/deployment/planning/windows-10-1709-removed-features), and [Features that are removed or deprecated in Windows 10 Creators Update](https://support.microsoft.com/en-us/help/4014193/features-that-are-removed-or-deprecated-in-windows-10-creators-update).
-
-
-**The list is subject to change and might not include every affected feature or functionality.** 
-
-## Features we removed in this release
-
-We've removed the following features and functionalities from the installed product image in Windows 10, version 1803. Applications or code that depend on these features won't function in this release unless you use an alternate method.   
-
-|Feature	|Instead you can use...|
-|-----------|--------------------
-|Groove Music Pass|[We ended the Groove streaming music service and music track sales through the Microsoft Store in 2017](https://support.microsoft.com/help/4046109/groove-music-and-spotify-faq). The Groove app is being updated to reflect this change. You can still use Groove Music to play the music on your PC or to stream music from OneDrive. You can use Spotify or other music services to stream music on Windows 10, or to buy music to own.|
-|People - Suggestions will no longer include unsaved contacts for non-Microsoft accounts|Manually save the contact details for people you send mail to or get mail from.|
-|Language control in the Control Panel|	Use the Settings app to change your language settings.|
-|HomeGroup|We are removing [HomeGroup](https://support.microsoft.com/help/17145) but not your ability to share printers, files, and folders.

When you update to Windows 10, version 1803, you won't see HomeGroup in File Explorer, the Control Panel, or Troubleshoot (**Settings > Update & Security > Troubleshoot**). Any printers, files, and folders that you shared using HomeGroup **will continue to be shared**.

Instead of using HomeGroup, you can now share printers, files and folders by using features that are built into Windows 10: 
- [Share your network printer](https://www.bing.com/search?q=share+printer+windows+10) 
- [Share files in File Explorer](https://support.microsoft.com/help/4027674/windows-10-share-files-in-file-explorer) |
-|**Connect to suggested open hotspots** option in Wi-Fi settings |We previously [disabled the **Connect to suggested open hotspots** option](https://privacy.microsoft.com/windows-10-open-wi-fi-hotspots) and are now removing it from the Wi-Fi settings page. You can manually connect to free wireless hotspots with **Network & Internet** settings, from the taskbar or Control Panel, or by using Wi-Fi Settings (for mobile devices).|
-|XPS Viewer|We're changing the way you get XPS Viewer. In Windows 10, version 1709 and earlier versions, the app is included in the installation image. If you have XPS Viewer and you update to Windows 10, version 1803, there's no action required. You'll still have XPS Viewer. 

However, if you install Windows 10, version 1803, on a new device (or as a clean installation), you may need to [install XPS Viewer from **Apps and Features** in the Settings app](https://docs.microsoft.com/windows/application-management/add-apps-and-features) or through [Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). If you had XPS Viewer in Windows 10, version 1709, but manually removed it before updating, you'll need to manually reinstall it.|
-
-
-## Features we’re no longer developing
-
-We are no longer actively developing these features and may remove them from a future update. Some features have been replaced with other features or functionality, while others are now available from different sources. 
-
-If you have feedback about the proposed replacement of any of these features, you can use the [Feedback Hub app](https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app). 
-
-|Feature	|Instead you can use...|
-|-----------|---------------------|
-|[Software Restriction Policies](https://docs.microsoft.com/windows-server/identity/software-restriction-policies/software-restriction-policies) in Group Policy|Instead of using the Software Restriction Policies through Group Policy, you can use [AppLocker](https://docs.microsoft.com/windows/security/threat-protection/applocker/applocker-overview) or [Windows Defender Application Control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control) to control which apps users can access and what code can run in the kernel.|
-|[Offline symbol packages](https://docs.microsoft.com/windows-hardware/drivers/debugger/debugger-download-symbols) (Debug symbol MSIs)|We're no longer making the symbol packages available as a downloadable MSI. Instead, the [Microsoft Symbol Server is moving to be an Azure-based symbol store](https://blogs.msdn.microsoft.com/windbg/2017/10/18/update-on-microsofts-symbol-server/). If you need the Windows symbols, connect to the Microsoft Symbol Server to cache your symbols locally or use a manifest file with SymChk.exe on a computer with internet access.|
-|Windows Help Viewer (WinHlp32.exe)|All Windows help information is [available online](https://support.microsoft.com/products/windows?os=windows-10). The Windows Help Viewer is no longer supported in Windows 10. If for any reason you see an error message about "help not supported," possibly when using a non-Microsoft application, read [this support article](https://support.microsoft.com/help/917607/error-opening-help-in-windows-based-programs-feature-not-included-or-h) for additional information and any next steps.|
-|Contacts feature in File Explorer|We're no longer developing the Contacts feature or the corresponding [Windows Contacts API](https://msdn.microsoft.com/library/ff800913.aspx). Instead, you can use the People app in Windows 10 to maintain your contacts.|
-|Phone Companion|Use the **Phone** page in the Settings app. In Windows 10, version 1709, we added the new **Phone** page to help you sync your mobile phone with your PC. It includes all the Phone Companion features.|
-|IPv4/6 Transition Technologies (6to4, ISATAP, and Direct Tunnels)|6to4 has been disabled by default since Windows 10, version 1607 (the Anniversary Update), ISATAP has been disabled by default since Windows 10, version 1703 (the Creators Update), and Direct Tunnels has always been disabled by default. Please use native IPv6 support instead.|
-|[Layered Service Providers](https://msdn.microsoft.com/library/windows/desktop/bb513664)|Layered Service Providers have been deprecated since Windows 8 and Windows Server 2012. Use the [Windows Filtering Platform](https://msdn.microsoft.com/library/windows/desktop/aa366510) instead. When you upgrade from an older version of Windows, any layered service providers you're using aren't migrated; you'll need to re-install them after upgrading.|
-|Business Scanning, also called Distributed Scan Management (DSM) **(Added 05/03/2018)**|The [Scan Management functionality](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd759124(v=ws.11)) was introduced in Windows 7 and enabled secure scanning and the management of scanners in an enterprise. We're no longer investing in this feature, and there are no devices available that support it.|
diff --git a/windows/deployment/planning/windows-10-1809-removed-features.md b/windows/deployment/planning/windows-10-1809-removed-features.md
deleted file mode 100644
index 9a2cb63049..0000000000
--- a/windows/deployment/planning/windows-10-1809-removed-features.md
+++ /dev/null
@@ -1,54 +0,0 @@
----
-title: Windows 10, version 1809 - Features that have been removed
-description: Learn about features that will be removed or deprecated in Windows 10, version 1809, or a future release
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.localizationpriority: medium
-ms.sitesec: library
-audience: itpro
-author: greg-lindsay
-ms.author: greglin
-ms.date: 11/16/2018
-ms.reviewer: 
-manager: laurawi
-ms.topic: article
----
-# Features removed or planned for replacement starting with Windows 10, version 1809
-
-> Applies to: Windows 10, version 1809
-
-Each release of Windows 10 adds new features and functionality; we also occasionally remove features and functionality, usually because we've added a better option. Here are the details about the features and functionalities that we removed in Windows 10, version 1809.   
-
-> [!TIP]
-> You can get early access to Windows 10 builds by joining the [Windows Insider program](https://insider.windows.com) - this is a great way to test feature changes.
-> Have questions about other releases? Check out the information for [Features removed or planned for replacement starting with Windows 10, version 1809](https://docs.microsoft.com/windows/deployment/planning/windows-10-1809-removed-features), [Features removed or planned for replacement starting with Windows Server, version 1709](https://docs.microsoft.com/windows-server/get-started/removed-features-1709), and [Features that are removed or deprecated in Windows 10, version 1703](https://docs.microsoft.com/windows/deployment/planning/windows-10-1703-removed-features).
-
-
-**The list is subject to change and might not include every affected feature or functionality.** 
-
-## Features we removed in this release
-
-We're removing the following features and functionalities from the installed product image in Windows 10, version 1809. Applications or code that depend on these features won't function in this release unless you use an alternate method.   
-
-|Feature	|Instead you can use...|
-|-----------|--------------------
-|Business Scanning, also called Distributed Scan Management (DSM)|We're removing this secure scanning and scanner management capability - there are no devices that support this feature.|
-|[FontSmoothing setting](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-visualeffects-fontsmoothing) in unattend.xml|The FontSmoothing setting let you specify the font antialiasing strategy to use across the system. We've changed Windows 10 to use [ClearType](https://docs.microsoft.com/typography/cleartype/) by default, so we're removing this setting as it is no longer necessary. If you include this setting in the unattend.xml file, it'll be ignored.|
-|Hologram app|We've replaced the Hologram app with the [Mixed Reality Viewer](https://support.microsoft.com/help/4041156/windows-10-mixed-reality-help). If you would like to create 3D word art, you can still do that in Paint 3D and view your art in VR or Hololens with the Mixed Reality Viewer.|
-|limpet.exe|We're releasing the limpet.exe tool, used to access TPM for Azure connectivity, as open source.|
-|Phone Companion|When you update to Windows 10, version 1809, the Phone Companion app will be removed from your PC. Use the **Phone** page in the Settings app to sync your mobile phone with your PC. It includes all the Phone Companion features.|
-|Future updates through [Windows Embedded Developer Update](https://docs.microsoft.com/previous-versions/windows/embedded/ff770079\(v=winembedded.60\)) for Windows Embedded Standard 7-SP1 (WES7-SP1) and Windows Embedded Standard 8 (WES8)|We’re no longer publishing new updates to the WEDU server. Instead, you may secure any new updates from the [Microsoft Update Catalog](http://www.catalog.update.microsoft.com/Home.aspx). [Learn how](https://techcommunity.microsoft.com/t5/Windows-Embedded/Change-to-the-Windows-Embedded-Developer-Update/ba-p/285704) to get updates from the catalog.|
-
-## Features we’re no longer developing
-
-We're no longer actively developing these features and may remove them from a future update. Some features have been replaced with other features or functionality, while others are now available from different sources. 
-
-If you have feedback about the proposed replacement of any of these features, you can use the [Feedback Hub app](https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app). 
-
-|Feature	|Instead you can use...|
-|-----------|---------------------|
-|Companion device dynamic lock APIS|The companion device framework (CDF) APIs enable wearables and other devices to unlock a PC. In Windows 10, version 1709, we introduced [Dynamic Lock](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-features#dynamic-lock), including an inbox method using Bluetooth to detect whether a user is present and lock or unlock the PC. Because of this, and because third party partners didn't adopt the CDF method, we're no longer developing CDF Dynamic Lock APIs.|
-|OneSync service|The OneSync service synchronizes data for the Mail, Calendar, and People apps. We've added a sync engine to the Outlook app that provides the same synchronization.|
-|Snipping Tool|The Snipping Tool is an application included in Windows 10 that is used to capture screenshots, either the full screen or a smaller, custom "snip" of the screen. In Windows 10, version 1809, we're [introducing a new universal app, Snip & Sketch](https://blogs.windows.com/windowsexperience/2018/05/03/announcing-windows-10-insider-preview-build-17661/#8xbvP8vMO0lF20AM.97), that provides the same screen snipping abilities, as well as additional features. You can launch Snip & Sketch directly and start a snip from there, or just press WIN + Shift + S. Snip & Sketch can also be launched from the “Screen snip” button in the Action Center. We're no longer developing the Snipping Tool as a separate app but are instead consolidating its functionality into Snip & Sketch.|
-
-
diff --git a/windows/deployment/planning/windows-10-1903-removed-features.md b/windows/deployment/planning/windows-10-1903-removed-features.md
deleted file mode 100644
index 7d8e437274..0000000000
--- a/windows/deployment/planning/windows-10-1903-removed-features.md
+++ /dev/null
@@ -1,45 +0,0 @@
----
-title: Windows 10, version 1903 - Features that have been removed
-description: Learn about features that will be removed or deprecated in Windows 10, version 1903, or a future release
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.localizationpriority: medium
-ms.sitesec: library
-audience: itpro
-author: greg-lindsay
-manager: laurawi
-ms.author: greglin
-ms.topic: article
----
-# Features removed or planned for replacement starting with Windows 10, version 1903
-
-> Applies to: Windows 10, version 1903
-
-Each version of Windows 10 adds new features and functionality; occasionally we also remove features and functionality, often because we've added a better option. Below are the details about the features and functionalities that we removed in Windows 10, version 1903. **The list below is subject to change and might not include every affected feature or functionality.** 
-
-> [!NOTE]
-> Join the [Windows Insider program](https://insider.windows.com) to get early access to new Windows 10 builds and test these changes yourself.
-
-## Features we removed or will remove soon
-
-The following features and functionalities are removed from the installed product image for Windows 10, version 1903, or are planned for removal in an upcoming release. Applications or code that depend on these features won't function in this release unless you use another method.   
-
-
-|                      Feature                      |                                                                                                                                                                                                                                                                                    Details                                                                                                                                                                                                                                                                                    |
-|---------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-|         XDDM-based remote display driver          | Starting with this release the Remote Desktop Services uses a Windows Display Driver Model (WDDM) based Indirect Display Driver (IDD) for a single session remote desktop. The support for Windows 2000 Display Driver Model (XDDM) based remote display drivers will be removed in a future release. Independent Software Vendors that use XDDM-based remote display driver should plan a migration to the WDDM driver model. For more information on implementing remote indirect display driver ISVs can reach out to [rdsdev@microsoft.com](mailto:rdsdev@microsoft.com). |
-| Desktop messaging app doesn't offer messages sync |                                                                                                                          The messaging app on Desktop has a sync feature that can be used to sync SMS text messages received from Windows Mobile and keep a copy of them on the Desktop. The sync feature has been removed from all devices. Due to this change, you will only be able to access messages from the device that received the message.                                                                                                                          |
-
-## Features we’re no longer developing
-
-We're no longer actively developing these features and may remove them from a future update. Some features have been replaced with other features or functionality, while others are now available from different sources. 
-
-If you have feedback about the proposed replacement of any of these features, you can use the [Feedback Hub app](https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app). 
-
-|Feature    |Details|
-|-----------|---------------------|
-| Taskbar settings roaming| Roaming of taskbar settings is no longer being developed and we plan to disable this capability in a future release|
-|Wi-Fi WEP and TKIP|In this release a warning message will appear when connecting to Wi-Fi networks secured with WEP or TKIP, which are not as secure as those using WPA2 or WPA3. In a future release, any connection to a Wi-Fi network using these old ciphers will be disallowed. Wi-Fi routers should be updated to use AES ciphers, available with WPA2 or WPA3. |
-|Windows To Go|Windows To Go is no longer being developed. 

The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.|
-|Print 3D app|Going forward, 3D Builder is the recommended 3D printing app. To 3D print objects on new Windows devices, customers must first install 3D Builder from the Store.|
-
diff --git a/windows/deployment/planning/windows-10-deprecated-features.md b/windows/deployment/planning/windows-10-deprecated-features.md
new file mode 100644
index 0000000000..72439c1132
--- /dev/null
+++ b/windows/deployment/planning/windows-10-deprecated-features.md
@@ -0,0 +1,66 @@
+---
+title: Windows 10 features we’re no longer developing
+description: Review the list of features that are no longer being developed in Windows 10
+ms.prod: w10
+ms.mktglfcycl: plan
+ms.localizationpriority: medium
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.author: greglin
+manager: laurawi
+ms.topic: article
+---
+# Windows 10 features we’re no longer developing
+
+> Applies to: Windows 10
+
+Each version of Windows 10 adds new features and functionality; occasionally we also remove features and functionality, often because we've added a better option. Below are the details about the features and functionalities that are no longer being developed in Windows 10. For information about features that have been removed, see [Features we removed](windows-10-removed-features.md).
+
+The features described below are no longer being actively developed, and might be removed in a future update. Some features have been replaced with other features or functionality and some are now available from other sources.
+
+**The following list is subject to change and might not include every affected feature or functionality.**
+
+>If you have feedback about the proposed replacement of any of these features, you can use the [Feedback Hub app](https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app). 
+
+|Feature    |  Details and mitigation  | Announced in version |
+| ----------- | --------------------- | ---- |
+| Hyper-V vSwitch on LBFO | In a future release, the Hyper-V vSwitch will no longer have the capability to be bound to an LBFO team.  Instead, it can be bound via [Switch Embedded Teaming](https://docs.microsoft.com/windows-server/virtualization/hyper-v-virtual-switch/rdma-and-switch-embedded-teaming#bkmk_sswitchembedded) (SET).| 1909 |
+| Language Community tab in Feedback Hub | The Language Community tab will be removed from the Feedback Hub. The standard feedback process: [Feedback Hub - Feedback](feedback-hub://?newFeedback=true&feedbackType=2) is the recommended way to provide translation feedback. | 1909 |
+| My People / People in the Shell |  My People is no longer being developed. It may be removed in a future update. | 1909 |
+| TSF1/TSF2 IME |  TSF1 and TSF2 IME will be replaced by TSF3 IME in a future release. [Text Services Framework](https://docs.microsoft.com/windows/win32/tsf/what-is-text-services-framework) (TSF) enables language technologies. TSF IME are Windows components that you can add to enable typing text for Japanese, Simplified Chinese, Traditional Chinese, and Korean languages. ​| 1909 |
+| Package State Roaming (PSR) |  PSR will be removed in a future update. PSR allows non-Microsoft developers to access roaming data on devices, enabling developers of UWP applications to write data to Windows and synchronize it to other instantiations of Windows for that user. 
 
The recommended replacement for PSR is [Azure App Service](https://docs.microsoft.com/azure/app-service/). Azure App Service is widely supported, well documented, reliable, and supports cross-platform/cross-ecosystem scenarios such as iOS, Android and web. | 1909 |
+| XDDM-based remote display driver  | Starting with this release, the Remote Desktop Services uses a Windows Display Driver Model (WDDM) based Indirect Display Driver (IDD) for a single session remote desktop. The support for Windows 2000 Display Driver Model (XDDM) based remote display drivers will be removed in a future release. Independent Software Vendors that use an XDDM-based remote display driver should plan a migration to the WDDM driver model. For more information about implementing a remote indirect display driver, ISVs can reach out to [rdsdev@microsoft.com](mailto:rdsdev@microsoft.com). | 1903 |
+| Taskbar settings roaming | Roaming of taskbar settings is no longer being developed and we plan to remove this capability in a future release. | 1903 |
+| Wi-Fi WEP and TKIP | Since the 1903 release, a warning message has appeared when connecting to Wi-Fi networks secured with WEP or TKIP (which are not as secure as those using WPA2 or WPA3). In a future release, any connection to a Wi-Fi network using these old ciphers will be disallowed. Wi-Fi routers should be updated to use AES ciphers, available with WPA2 or WPA3. | 1903 |
+| Windows To Go | Windows To Go is no longer being developed. 

The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.|  1903 |
+| Print 3D app | Going forward, 3D Builder is the recommended 3D printing app. To 3D print objects on new Windows devices, customers must first install 3D Builder from the Store.| 1903 |
+|Companion device dynamic lock APIS|The companion device framework (CDF) APIs enable wearables and other devices to unlock a PC. In Windows 10, version 1709, we introduced [Dynamic Lock](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-features#dynamic-lock), including an inbox method using Bluetooth to detect whether a user is present and lock or unlock the PC. Because of this, and because third party partners didn't adopt the CDF method, we're no longer developing CDF Dynamic Lock APIs.| 1809 |
+|OneSync service|The OneSync service synchronizes data for the Mail, Calendar, and People apps. We've added a sync engine to the Outlook app that provides the same synchronization.| 1809 |
+|Snipping Tool|The Snipping Tool is an application included in Windows 10 that is used to capture screenshots, either the full screen or a smaller, custom "snip" of the screen. In Windows 10, version 1809, we're [introducing a new universal app, Snip & Sketch](https://blogs.windows.com/windowsexperience/2018/05/03/announcing-windows-10-insider-preview-build-17661/#8xbvP8vMO0lF20AM.97), that provides the same screen snipping abilities, as well as additional features. You can launch Snip & Sketch directly and start a snip from there, or just press WIN + Shift + S. Snip & Sketch can also be launched from the “Screen snip” button in the Action Center. We're no longer developing the Snipping Tool as a separate app but are instead consolidating its functionality into Snip & Sketch.| 1809 |
+|[Software Restriction Policies](https://docs.microsoft.com/windows-server/identity/software-restriction-policies/software-restriction-policies) in Group Policy|Instead of using the Software Restriction Policies through Group Policy, you can use [AppLocker](https://docs.microsoft.com/windows/security/threat-protection/applocker/applocker-overview) or [Windows Defender Application Control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control) to control which apps users can access and what code can run in the kernel.| 1803 |
+|[Offline symbol packages](https://docs.microsoft.com/windows-hardware/drivers/debugger/debugger-download-symbols) (Debug symbol MSIs)|We're no longer making the symbol packages available as a downloadable MSI. Instead, the [Microsoft Symbol Server is moving to be an Azure-based symbol store](https://blogs.msdn.microsoft.com/windbg/2017/10/18/update-on-microsofts-symbol-server/). If you need the Windows symbols, connect to the Microsoft Symbol Server to cache your symbols locally or use a manifest file with SymChk.exe on a computer with internet access.| 1803 |
+|Windows Help Viewer (WinHlp32.exe)|All Windows help information is [available online](https://support.microsoft.com/products/windows?os=windows-10). The Windows Help Viewer is no longer supported in Windows 10. If for any reason you see an error message about "help not supported," possibly when using a non-Microsoft application, read [this support article](https://support.microsoft.com/help/917607/error-opening-help-in-windows-based-programs-feature-not-included-or-h) for additional information and any next steps.| 1803 |
+|Contacts feature in File Explorer|We're no longer developing the Contacts feature or the corresponding [Windows Contacts API](https://msdn.microsoft.com/library/ff800913.aspx). Instead, you can use the People app in Windows 10 to maintain your contacts.| 1803 |
+|Phone Companion|Use the **Phone** page in the Settings app. In Windows 10, version 1709, we added the new **Phone** page to help you sync your mobile phone with your PC. It includes all the Phone Companion features.| 1803 |
+|IPv4/6 Transition Technologies (6to4, ISATAP, and Direct Tunnels)|6to4 has been disabled by default since Windows 10, version 1607 (the Anniversary Update), ISATAP has been disabled by default since Windows 10, version 1703 (the Creators Update), and Direct Tunnels has always been disabled by default. Please use native IPv6 support instead.| 1803 |
+|[Layered Service Providers](https://msdn.microsoft.com/library/windows/desktop/bb513664)|Layered Service Providers has not been developed since Windows 8 and Windows Server 2012. Use the [Windows Filtering Platform](https://msdn.microsoft.com/library/windows/desktop/aa366510) instead. When you upgrade from an older version of Windows, any layered service providers you're using aren't migrated; you'll need to re-install them after upgrading.| 1803 |
+|Business Scanning| This feature is also called Distributed Scan Management (DSM) **(Added 05/03/2018)**
 
The [Scan Management functionality](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd759124(v=ws.11)) was introduced in Windows 7 and enabled secure scanning and the management of scanners in an enterprise. We're no longer investing in this feature, and there are no devices available that support it.| 1803 |
+|IIS 6 Management Compatibility*  | We recommend that users use alternative scripting tools and a newer management console. | 1709 |
+|IIS Digest Authentication | We recommend that users use alternative authentication methods.| 1709 |
+|Resilient File System (ReFS) (added: August 17, 2017)| Creation ability will be available in the following editions only: Windows 10 Enterprise and Windows 10 Pro for Workstations.  Creation ability will be removed from all other editions. All other editions will have Read and Write ability. | 1709 |
+|RSA/AES Encryption for IIS   | We recommend that users use CNG encryption provider. | 1709 |
+|Screen saver functionality in Themes   | Disabled in Themes. Screen saver functionality in Group Policies, Control Panel, and Sysprep continues to be functional. Lock screen features and policies are preferred. | 1709 |
+|Sync your settings (updated: August 17, 2017) | Back-end changes: In future releases, the back-end storage for the current sync process will change. A single cloud storage system will be used for Enterprise State Roaming and all other users. The **Sync your settings** options and the Enterprise State Roaming feature will continue to work. | 1709 |
+|System Image Backup (SIB) Solution  | We recommend that users use full-disk backup solutions from other vendors. | 1709 |
+|TLS RC4 Ciphers  |To be disabled by default. For more information, see the following Windows IT Center topic: [TLS (Schannel SSP) changes in Windows 10 and Windows Server 2016](/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server)| 1709 |
+|Trusted Platform Module (TPM) Owner Password Management |This functionality within TPM.msc will be migrated to a new user interface.| 1709 |
+|Trusted Platform Module (TPM): TPM.msc and TPM Remote Management  | To be replaced by a new user interface in a future release. | 1709 |
+|Trusted Platform Module (TPM) Remote Management |This functionality within TPM.msc will be migrated to a new user interface. | 1709 |
+|Windows Hello for Business deployment that uses System Center Configuration Manager   |Windows Server 2016 Active Directory Federation Services – Registration Authority (ADFS RA) deployment is simpler and provides a better user experience and a more deterministic certificate enrollment experience. | 1709 |
+|Windows PowerShell 2.0  | Applications and components should be migrated to PowerShell 5.0+. | 1709 |
+|Apndatabase.xml | Apndatabase.xml is being replaced by the COSA database. Therefore, some constructs will no longer function. This includes Hardware ID, incoming SMS messaging rules in mobile apps, a list of privileged apps in mobile apps, autoconnect order, APN parser, and CDMAProvider ID. | 1703 |
+|Tile Data Layer | The [Tile Data Layer](https://docs.microsoft.com/windows/configuration/start-layout-troubleshoot#symptom-start-menu-issues-with-tile-data-layer-corruption) database stopped development in Windows 10, version 1703. | 1703 |
+|TLS DHE_DSS ciphers DisabledByDefault| [TLS RC4 Ciphers](https://docs.microsoft.com/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server) will be disabled by default in this release. | 1703 |
+|TCPChimney | TCP Chimney Offload is no longer being developed.  See [Performance Tuning Network Adapters](https://docs.microsoft.com/windows-server/networking/technologies/network-subsystem/net-sub-performance-tuning-nics). | 1703 |
+|IPsec Task Offload| [IPsec Task Offload](https://docs.microsoft.com/windows-hardware/drivers/network/task-offload) versions 1 and 2 are no longer being developed and should not be used. | 1703 |
diff --git a/windows/deployment/planning/windows-10-removed-features.md b/windows/deployment/planning/windows-10-removed-features.md
new file mode 100644
index 0000000000..3063058112
--- /dev/null
+++ b/windows/deployment/planning/windows-10-removed-features.md
@@ -0,0 +1,61 @@
+---
+title: Windows 10 - Features that have been removed
+description: Learn about features and functionality that has been removed or replaced in Windows 10
+ms.prod: w10
+ms.mktglfcycl: plan
+ms.localizationpriority: medium
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.author: greglin
+manager: laurawi
+ms.topic: article
+---
+
+# Features and functionality removed in Windows 10
+
+> Applies to: Windows 10
+
+Each version of Windows 10 adds new features and functionality; occasionally we also remove features and functionality, often because we've added a better option. Below are the details about the features and functionalities that we removed in Windows 10. **The list below is subject to change and might not include every affected feature or functionality.** 
+
+For information about features that might be removed in a future release, see [Windows 10 features we’re no longer developing](windows-10-deprecated-features.md)
+
+> [!NOTE]
+> Join the [Windows Insider program](https://insider.windows.com) to get early access to new Windows 10 builds and test these changes yourself.
+
+The following features and functionalities have been removed from the installed product image for Windows 10. Applications or code that depend on these features won't function in the release when it was removed, or in later releases.
+
+|Feature    |  Details and mitigation  | Removed in version |
+| ----------- | --------------------- | ------ |
+| PNRP APIs| ​The Peer Name Resolution Protocol (PNRP) cloud service was removed in Windows 10, version 1809. We are planning to complete the removal process by removing the corresponding APIs.  | 1909 |
+| Taskbar settings roaming | Roaming of taskbar settings is removed in this release. This feature was announced as no longer being developed in Windows 10, version 1903. | 1909 |
+| Desktop messaging app doesn't offer messages sync |  The messaging app on Desktop has a sync feature that can be used to sync SMS text messages received from Windows Mobile and keep a copy of them on the Desktop. The sync feature has been removed from all devices. Due to this change, you will only be able to access messages from the device that received the message.  | 1903 |
+|Business Scanning, also called Distributed Scan Management (DSM)|We're removing this secure scanning and scanner management capability - there are no devices that support this feature.| 1809 |
+|[FontSmoothing setting](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-visualeffects-fontsmoothing) in unattend.xml|The FontSmoothing setting let you specify the font antialiasing strategy to use across the system. We've changed Windows 10 to use [ClearType](https://docs.microsoft.com/typography/cleartype/) by default, so we're removing this setting as it is no longer necessary. If you include this setting in the unattend.xml file, it'll be ignored.| 1809 |
+|Hologram app|We've replaced the Hologram app with the [Mixed Reality Viewer](https://support.microsoft.com/help/4041156/windows-10-mixed-reality-help). If you would like to create 3D word art, you can still do that in Paint 3D and view your art in VR or Hololens with the Mixed Reality Viewer.| 1809 |
+|limpet.exe|We're releasing the limpet.exe tool, used to access TPM for Azure connectivity, as open source.| 1809 |
+|Phone Companion|When you update to Windows 10, version 1809, the Phone Companion app will be removed from your PC. Use the **Phone** page in the Settings app to sync your mobile phone with your PC. It includes all the Phone Companion features.| 1809 |
+|Future updates through [Windows Embedded Developer Update](https://docs.microsoft.com/previous-versions/windows/embedded/ff770079\(v=winembedded.60\)) for Windows Embedded Standard 7-SP1 (WES7-SP1) and Windows Embedded Standard 8 (WES8)|We’re no longer publishing new updates to the WEDU server. Instead, you may secure any new updates from the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Home.aspx). [Learn how](https://techcommunity.microsoft.com/t5/Windows-Embedded/Change-to-the-Windows-Embedded-Developer-Update/ba-p/285704) to get updates from the catalog.| 1809 |
+|Groove Music Pass|[We ended the Groove streaming music service and music track sales through the Microsoft Store in 2017](https://support.microsoft.com/help/4046109/groove-music-and-spotify-faq). The Groove app is being updated to reflect this change. You can still use Groove Music to play the music on your PC or to stream music from OneDrive. You can use Spotify or other music services to stream music on Windows 10, or to buy music to own.| 1803 |
+|People - Suggestions will no longer include unsaved contacts for non-Microsoft accounts|Manually save the contact details for people you send mail to or get mail from.| 1803 |
+|Language control in the Control Panel|	Use the Settings app to change your language settings.| 1803 |
+|HomeGroup|We are removing [HomeGroup](https://support.microsoft.com/help/17145) but not your ability to share printers, files, and folders.

When you update to Windows 10, version 1803, you won't see HomeGroup in File Explorer, the Control Panel, or Troubleshoot (**Settings > Update & Security > Troubleshoot**). Any printers, files, and folders that you shared using HomeGroup **will continue to be shared**.

Instead of using HomeGroup, you can now share printers, files and folders by using features that are built into Windows 10: 
- [Share your network printer](https://www.bing.com/search?q=share+printer+windows+10) 
- [Share files in File Explorer](https://support.microsoft.com/help/4027674/windows-10-share-files-in-file-explorer) | 1803 |
+|**Connect to suggested open hotspots** option in Wi-Fi settings |We previously [disabled the **Connect to suggested open hotspots** option](https://privacy.microsoft.com/windows-10-open-wi-fi-hotspots) and are now removing it from the Wi-Fi settings page. You can manually connect to free wireless hotspots with **Network & Internet** settings, from the taskbar or Control Panel, or by using Wi-Fi Settings (for mobile devices).| 1803 |
+|XPS Viewer|We're changing the way you get XPS Viewer. In Windows 10, version 1709 and earlier versions, the app is included in the installation image. If you have XPS Viewer and you update to Windows 10, version 1803, there's no action required. You'll still have XPS Viewer. 

However, if you install Windows 10, version 1803, on a new device (or as a clean installation), you may need to [install XPS Viewer from **Apps and Features** in the Settings app](https://docs.microsoft.com/windows/application-management/add-apps-and-features) or through [Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). If you had XPS Viewer in Windows 10, version 1709, but manually removed it before updating, you'll need to manually reinstall it.| 1803 |
+|3D Builder app   | No longer installed by default. Consider using Print 3D and Paint 3D in its place. However, 3D Builder is still available for download from the Windows Store.| 1709 |
+|Apndatabase.xml   | For more information about the replacement database, see the following Hardware Dev Center articles: 
 [MO Process to update COSA](/windows-hardware/drivers/mobilebroadband/planning-your-apn-database-submission) 
 [COSA FAQ](/windows-hardware/drivers/mobilebroadband/cosa---faq) | 1709 |
+|Enhanced Mitigation Experience Toolkit (EMET)   |Use of this feature will be blocked. Consider using [Exploit Protection](https://blogs.windows.com/windowsexperience/2017/06/28/) as a replacement. | 1709 |
+|Outlook Express  | This legacy application will be removed due to lack of functionality. | 1709 |
+|Reader app  | Functionality to be integrated into Microsoft Edge. | 1709 |
+|Reading List | Functionality to be integrated into Microsoft Edge. | 1709 |
+|Screen saver functionality in Themes   | This functionality is disabled in Themes, and classified as **Removed** in this table. Screen saver functionality in Group Policies, Control Panel, and Sysprep continues to be functional. Lock screen features and policies are preferred. | 1709 |
+|Syskey.exe | Removing this nonsecure security feature. We recommend that users use BitLocker instead. For more information, see [4025993 Syskey.exe utility is no longer supported in Windows 10 RS3 and Windows Server 2016 RS3](https://support.microsoft.com/help/4025993/syskey-exe-utility-is-no-longer-supported-in-windows-10-rs3-and-window). | 1709 |
+|TCP Offload Engine | Removing this legacy code. This functionality was previously transitioned to the Stack TCP Engine. For more information, see [Why Are We Deprecating Network Performance Features?](https://blogs.technet.microsoft.com/askpfeplat/2017/06/13/why-are-we-deprecating-network-performance-features-kb4014193).| 1709 |
+|Tile Data Layer |To be replaced by the Tile Store.| 1709 |
+|Apps Corner| This Windows 10 mobile application is removed in the version 1703 release. | 1703 |
+|By default, Flash autorun in Edge is turned off. | Use the Click-to-Run (C2R) option instead. (This setting can be changed by the user.) | 1703 |
+|Interactive Service Detection Service| See [Interactive Services](https://docs.microsoft.com/windows/win32/services/interactive-services?redirectedfrom=MSDN) for guidance on how to keep software up to date. | 1703 |
+|Microsoft Paint | This application will not be available for languages that are not on the [full localization list](https://www.microsoft.com/windows/windows-10-specifications#Windows-10-localization). | 1703 |
+|NPN support in TLS | This feature is superseded by Application-Layer Protocol Negotiation (ALPN). | 1703 |
+|Windows Information Protection "AllowUserDecryption" policy | Starting in Windows 10, version 1703, AllowUserDecryption is no longer supported. | 1703 |
+|WSUS for Windows Mobile  | Updates are being transitioned to the new Unified Update Platform (UUP) | 1703 |
\ No newline at end of file
diff --git a/windows/deployment/update/servicing-stack-updates.md b/windows/deployment/update/servicing-stack-updates.md
index 95816edbdd..49d29f4d8a 100644
--- a/windows/deployment/update/servicing-stack-updates.md
+++ b/windows/deployment/update/servicing-stack-updates.md
@@ -32,8 +32,8 @@ Servicing stack updates improve the reliability of the update process to mitigat
 
 Servicing stack update are released depending on new issues or vulnerabilities. In rare occasions a servicing stack update may need to be released on demand to address an issue impacting systems installing the monthly security update. Starting in November 2018 new servicing stack updates will be classified as "Security" with a severity rating of "Critical."
 
-> [!NOTE]
-> You can find a list of servicing stack updates at [Latest servicing stack updates](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001).
+>[!NOTE]
+>You can find a list of servicing stack updates at [Latest servicing stack updates](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001).
 
 ## What's the difference between a servicing stack update and a cumulative update?
 
diff --git a/windows/deployment/update/update-compliance-wd-av-status.md b/windows/deployment/update/update-compliance-wd-av-status.md
index a6c324c71c..edc9156531 100644
--- a/windows/deployment/update/update-compliance-wd-av-status.md
+++ b/windows/deployment/update/update-compliance-wd-av-status.md
@@ -23,7 +23,7 @@ The Windows Defender AV Status section deals with data concerning signature and
 >[!NOTE]
 >Update Compliance's Windows Defender Antivirus status is compatible with E3, B, F1, VL Professional and below licenses. Devices with an E5 license are not shown here; devices with an E5 license can be monitored using the [Windows Defender ATP portal](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection). If you'd like to learn more about Windows 10 licensing, see the [Windows 10 product licensing options](https://www.microsoft.com/Licensing/product-licensing/windows10.aspx). 
 
-# Windows Defender AV Status sections
+## Windows Defender AV Status sections
 The **Protection Status** blade gives a count for devices that have either out-of-date signatures or real-time protection turned off. Below, it gives a more detailed breakdown of the two issues. Selecting any of these statuses will navigate you to a Log Search view containing the query. 
 
 The **Threat Status** blade shows, among devices that have encountered threats, how many were and were not remediated successfully. It also provides a detailed count. Selecting either of these will take you to the respective query in Log Search for further investigation. 
diff --git a/windows/deployment/update/waas-integrate-wufb.md b/windows/deployment/update/waas-integrate-wufb.md
index d28b788ca7..4d5f0b31bc 100644
--- a/windows/deployment/update/waas-integrate-wufb.md
+++ b/windows/deployment/update/waas-integrate-wufb.md
@@ -1,5 +1,5 @@
 ---
-title: Integrate Windows Update for Business with management solutions (Windows 10)
+title: Integrate Windows Update for Business (Windows 10)
 description: Use Windows Update for Business deployments with management tools such as Windows Server Update Services (WSUS) and System Center Configuration Manager.
 ms.prod: w10
 ms.mktglfcycl: manage
diff --git a/windows/deployment/update/waas-manage-updates-configuration-manager.md b/windows/deployment/update/waas-manage-updates-configuration-manager.md
index 7563d572b3..1ebdd76767 100644
--- a/windows/deployment/update/waas-manage-updates-configuration-manager.md
+++ b/windows/deployment/update/waas-manage-updates-configuration-manager.md
@@ -1,5 +1,5 @@
 ---
-title: Deploy Windows 10 updates using System Center Configuration Manager (Windows 10)
+title: Deploy Windows 10 updates via System Center Configuration Manager
 description: System Center Configuration Manager provides maximum control over quality and feature updates for Windows 10.
 ms.prod: w10
 ms.mktglfcycl: manage
diff --git a/windows/deployment/update/waas-mobile-updates.md b/windows/deployment/update/waas-mobile-updates.md
index e425484498..c0d1218ade 100644
--- a/windows/deployment/update/waas-mobile-updates.md
+++ b/windows/deployment/update/waas-mobile-updates.md
@@ -1,6 +1,6 @@
 ---
-title: Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile (Windows 10)
-description: tbd
+title: Deploy updates to Windows 10 Mobile or Windows 10 IoT Mobile
+description: Deploy updates to devices in your organization that are running Windows 10 Mobile Enterprise or Windows 10 IoT Mobile.
 ms.prod: w10
 ms.mktglfcycl: manage
 author: jaimeo
diff --git a/windows/deployment/update/waas-morenews.md b/windows/deployment/update/waas-morenews.md
index cbfbcdff46..c7be3666ed 100644
--- a/windows/deployment/update/waas-morenews.md
+++ b/windows/deployment/update/waas-morenews.md
@@ -1,5 +1,5 @@
 ---
-title: Windows as a service  
+title: Windows as a service news & resources
 ms.prod: w10
 ms.topic: article
 ms.manager: elizapo
diff --git a/windows/deployment/update/waas-optimize-windows-10-updates.md b/windows/deployment/update/waas-optimize-windows-10-updates.md
index 71135004a4..7eda1ffad1 100644
--- a/windows/deployment/update/waas-optimize-windows-10-updates.md
+++ b/windows/deployment/update/waas-optimize-windows-10-updates.md
@@ -42,17 +42,17 @@ Two methods of peer-to-peer content distribution are available in Windows 10.
 | Delivery Optimization | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) |
 | BranchCache | ![no](images/crossmark.png) | ![no](images/crossmark.png) |![yes](images/checkmark.png) | ![yes](images/checkmark.png) |
 
->[!NOTE]
->System Center Configuration Manager has an additional feature called Client Peer Cache that allows peer-to-peer content sharing between clients you use System Center Configuration Manager to manage, in the same Configuration Manager boundary Group. For more information, see [Client Peer Cache](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/client-peer-cache).
+> [!NOTE]
+> System Center Configuration Manager has an additional feature called Client Peer Cache that allows peer-to-peer content sharing between clients you use System Center Configuration Manager to manage, in the same Configuration Manager boundary Group. For more information, see [Client Peer Cache](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/client-peer-cache).
 >
->In addition to Client Peer Cache, similar functionality is available in the Windows Preinstallation Environment (Windows PE) for imaging-related content. Using this technology, clients imaging with System Center Configuration Manager task sequences can source operating system images, driver packages, boot images, packages, and programs from peers instead of distribution points. For detailed information about how Windows PE Peer Cache works and how to configure it, see [Prepare Windows PE peer cache to reduce WAN traffic in System Center Configuration Manager](https://technet.microsoft.com/library/mt613173.aspx).
+> In addition to Client Peer Cache, similar functionality is available in the Windows Preinstallation Environment (Windows PE) for imaging-related content. Using this technology, clients imaging with System Center Configuration Manager task sequences can source operating system images, driver packages, boot images, packages, and programs from peers instead of distribution points. For detailed information about how Windows PE Peer Cache works and how to configure it, see [Prepare Windows PE peer cache to reduce WAN traffic in System Center Configuration Manager](https://docs.microsoft.com/configmgr/osd/get-started/prepare-windows-pe-peer-cache-to-reduce-wan-traffic).
 
 ## Express update delivery
 
 Windows 10 quality update downloads can be large because every package contains all previously released fixes to ensure consistency and simplicity. Windows has been able to reduce the size of Windows Update downloads with a feature called Express.
 
->[!NOTE]
->Express update delivery applies to quality update downloads. Starting with Windows 10, version 1709, Express update delivery also applies to feature update downloads for clients connected to Windows Update and Windows Update for Business.
+> [!NOTE]
+> Express update delivery applies to quality update downloads. Starting with Windows 10, version 1709, Express update delivery also applies to feature update downloads for clients connected to Windows Update and Windows Update for Business.
 
 ### How Microsoft supports Express
 - **Express on System Center Configuration Manager** starting with version 1702 of Configuration Manager and Windows 10, version 1703 or later, or Windows 10, version 1607 with the April 2017 cumulative update.
@@ -81,8 +81,8 @@ The Windows Update client will try to download Express first, and under certain
 
 At this point, the download is complete and the update is ready to be installed.
 
->[!TIP]
->Express will **always** be leveraged if your machines are updated regularly with the latest cumulative updates.
+> [!TIP]
+> Express will **always** be leveraged if your machines are updated regularly with the latest cumulative updates.
 
 ## Steps to manage updates for Windows 10
 
@@ -98,7 +98,6 @@ At this point, the download is complete and the update is ready to be installed.
 
 ## Related topics
 
-
 - [Update Windows 10 in the enterprise](index.md)
 - [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) 
 - [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
diff --git a/windows/deployment/update/waas-servicing-differences.md b/windows/deployment/update/waas-servicing-differences.md
index 6a9df9bd4f..66ffdd5dd6 100644
--- a/windows/deployment/update/waas-servicing-differences.md
+++ b/windows/deployment/update/waas-servicing-differences.md
@@ -39,7 +39,7 @@ Windows 10 provided an opportunity to end the era of infinite fragmentation. Wit
 
 This helps simplify servicing. Devices with the original Release to Market (RTM) version of a feature release installed could get up to date by installing the most recent LCU. 
 
-Windows publishes the new LCU packages for each Windows 10 version (1607, 1709, etc.) on the second Tuesday of each month. This package is classified as a required security update and contains contents from the previous LCU as well as new security, non-security and Internet Explorer 11 (IE11) fixes. The security classification, by definition, requires a reboot of the device to complete installation of the update.
+Windows publishes the new LCU packages for each Windows 10 version (1607, 1709, etc.) on the second Tuesday of each month. This package is classified as a required security update and contains contents from the previous LCU as well as new security, non-security, and Internet Explorer 11 (IE11) fixes. A reboot of the device might be required to complete installation of the update.
 
 
 ![High level cumulative update model](images/servicing-cadence.png)
diff --git a/windows/deployment/update/waas-wufb-group-policy.md b/windows/deployment/update/waas-wufb-group-policy.md
index d3aee0caf9..8b7d1bcfd2 100644
--- a/windows/deployment/update/waas-wufb-group-policy.md
+++ b/windows/deployment/update/waas-wufb-group-policy.md
@@ -1,6 +1,6 @@
 ---
-title: Walkthrough use Group Policy to configure Windows Update for Business - Windows 10
-description: Configure Windows Update for Business settings using Group Policy.
+title: Configure Windows Update for Business via Group Policy (Windows 10)
+description: Walkthrough demonstrating how to configure Windows Update for Business settings, using Group Policy.
 ms.prod: w10
 ms.mktglfcycl: manage
 author: jaimeo
@@ -11,7 +11,7 @@ manager: laurawi
 ms.topic: article
 ---
 
-# Walkthrough: use Group Policy to configure Windows Update for Business
+# Walkthrough: Use Group Policy to configure Windows Update for Business
 
 
 **Applies to**
@@ -58,7 +58,7 @@ You can control when updates are applied, for example by deferring when an updat
 Windows Update for Business offers you the ability to turn on or off both driver and Microsoft product updates.   
 
 - Drivers (on/off): **Computer configuration > Administrative Templates > Windows Components > Windows Update > Do not include drivers with Windows Updates**
-- Microsoft product updates (on/off): **Computer configuration > Administrative Templates > Windows Components > Windows Update > Get updates for other Microsoft Products**
+- Microsoft product updates (on/off): **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Automatic Updates > Install updates for other Microsoft products**
 
 We recommend that you allow the driver policy to allow drivers to updated on devices (the default), but you can turn this setting off if you prefer to manage drivers manually. We also recommend that you leave the "Microsoft product updates" setting on.
 
diff --git a/windows/deployment/update/windows-as-a-service.md b/windows/deployment/update/windows-as-a-service.md
index 3acd3f759a..1cec56cb46 100644
--- a/windows/deployment/update/windows-as-a-service.md
+++ b/windows/deployment/update/windows-as-a-service.md
@@ -14,6 +14,7 @@ manager: laurawi
 ms.localizationpriority: high
 ms.collection: M365-modern-desktop
 ---
+
 # Windows as a service
 
 Find the tools and resources you need to help deploy and support Windows as a service in your organization.
diff --git a/windows/deployment/update/windows-update-error-reference.md b/windows/deployment/update/windows-update-error-reference.md
index 044398b870..b8d84e3075 100644
--- a/windows/deployment/update/windows-update-error-reference.md
+++ b/windows/deployment/update/windows-update-error-reference.md
@@ -6,7 +6,7 @@ ms.mktglfcycl:
 audience: itpro
 itproauthor: jaimeo
 author: jaimeo
-ms.localizationprioauthor: jaimeo
+ms.localizationpriority: medium
 ms.audience: itpro
 author: jaimeo
 ms.date: 09/18/2018
diff --git a/windows/deployment/update/windows-update-overview.md b/windows/deployment/update/windows-update-overview.md
index 2590530152..5b7b68067e 100644
--- a/windows/deployment/update/windows-update-overview.md
+++ b/windows/deployment/update/windows-update-overview.md
@@ -21,7 +21,7 @@ ms.topic: article
 
 With the release of Windows 10, we moved the update model to the Unified Update Platform. Unified Update Platform (UUP) is a single publishing, hosting, scan and download model for all types of OS updates, desktop and mobile for all Windows-based operating systems, for everything from monthly quality updates to new feature updates.  
 
-Ues the following information to get started with Windows Update:
+Use the following information to get started with Windows Update:
 
 - Understand the UUP architecture
 - Understand [how Windows Update works](how-windows-update-works.md)
diff --git a/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md b/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md
index 82f4193c52..513ae0cfd8 100644
--- a/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md
+++ b/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md
@@ -1,216 +1,217 @@
----
-title: Perform an in-place upgrade to Windows 10 using Configuration Manager (Windows 10)
-description: The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. Use a System Center Configuration Manager task sequence to completely automate the process.
-ms.assetid: F8DF6191-0DB0-4EF5-A9B1-6A11D5DE4878
-ms.reviewer: 
-manager: laurawi
-ms.author: greglin
-keywords: upgrade, update, task sequence, deploy
-ms.prod: w10
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-audience: itpro
author: greg-lindsay
-ms.topic: article
----
-
-# Perform an in-place upgrade to Windows 10 using Configuration Manager
-
-
-**Applies to**
-
--   Windows 10
-
-The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a System Center Configuration Manager task sequence to completely automate the process.
-
-## Proof-of-concept environment
-
-
-For the purposes of this topic, we will use three machines: DC01, CM01, and PC0001. DC01 is a domain controller and CM01 is a Windows Server 2012 R2 standard machine, fully patched with the latest security updates, and configured as a member server in the fictional contoso.com domain. PC0001 is a machine with Windows 7 SP1, targeted for the Windows 10 upgrade. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-
-![figure 1](../images/upgrademdt-fig1-machines.png)
-
-Figure 1. The machines used in this topic.
-
-## Upgrade to Windows 10 with System Center 2012 R2 Configuration Manager
-
-
-System Center 2012 R2 Configuration Manager SP1 adds support to manage and deploy Windows 10. Although it does not include built-in support to perform an in-place upgrade from Windows 7, Windows 8, or Windows 8.1 to Windows 10, you can build a custom task sequence to perform the necessary tasks.
-
-## Create the task sequence
-
-
-To help with this process, the Configuration Manager team has published [a blog](https://go.microsoft.com/fwlink/p/?LinkId=620179) that provides a sample task sequence, as well as the [original blog that includes the instructions for setting up the task sequence](https://go.microsoft.com/fwlink/p/?LinkId=620180). To summarize, here are the tasks you need to perform:
-
-1.  Download the [Windows10Upgrade1506.zip](https://go.microsoft.com/fwlink/p/?LinkId=620182) file that contains the sample task sequence and related scripts. Extract the contents onto a network share.
-2.  Copy the Windows 10 Enterprise RTM x64 media into the extracted but empty **Windows vNext Upgrade Media** folder.
-3.  Using the Configuration Manager Console, right-click the **Task Sequences** node, and then choose **Import Task Sequence**. Select the **Windows-vNextUpgradeExport.zip** file that you extracted in Step 1.
-4.  Distribute the two created packages (one contains the Windows 10 Enterprise x64 media, the other contains the related scripts) to the Configuration Manager distribution point.
-
-For full details and an explanation of the task sequence steps, review the full details of the two blogs that are referenced above.
-
-## Create a device collection
-
-
-After you create the upgrade task sequence, you can create a collection to test a deployment. In this section, we assume you have the PC0001 machine running Windows 7 SP1, with the Configuration Manager client installed.
-
-1.  On CM01, using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings:
-    -   General
-
-        -   Name: Windows 10 Enterprise x64 Upgrade
-
-        -   Limited Collection: All Systems
-
-    -   Membership rules:
-
-        -   Direct rule
-
-            -   Resource Class: System Resource
-
-            -   Attribute Name: Name
-
-            -   Value: PC0001
-
-        -   Select Resources
-
-        -   Select PC0001
-
-2.  Review the Windows 10 Enterprise x64 Upgrade collection. Do not continue until you see the PC0001 machine in the collection.
-
-## Deploy the Windows 10 upgrade
-
-
-In this section, you create a deployment for the Windows 10 Enterprise x64 Update application.
-
-1.  On CM01, using the Configuration Manager console, in the Software Library workspace, right-click the **Windows vNext Upgrade** task sequence, and then select **Deploy**.
-2.  On the **General** page, select the **Windows 10 Enterprise x64 Upgrade** collection, and then click **Next**.
-3.  On the **Content** page, click **Next**.
-4.  On the **Deployment Settings** page, select the following settings, and then click **Next**:
-    -   Action: Install
-
-    -   Purpose: Available
-
-5.  On the **Scheduling** page, accept the default settings, and then click **Next**.
-6.  On the **User Experience** page, accept the default settings, and then click **Next**.
-7.  On the **Alerts** page, accept the default settings, and then click **Next**.
-8.  On the **Summary** page, click **Next**, and then click **Close**.
-
-## Start the Windows 10 upgrade
-
-
-In this section, you start the Windows 10 Upgrade task sequence on PC0001 (currently running Windows 7 SP1).
-
-1.  On PC0001, start the **Software Center**.
-2.  Select the **Windows vNext Upgrade** task sequence, and then click **Install**.
-
-When the task sequence begins, it will automatically initiate the in-place upgrade process by invoking the Windows setup program (Setup.exe) with the necessary command-line parameters to perform an automated upgrade, which preserves all data, settings, apps, and drivers.
-
-![figure 2](../images/upgradecfg-fig2-upgrading.png)
-
-Figure 2. Upgrade from Windows 7 to Windows 10 Enterprise x64 with a task sequence.
-
-After the task sequence finishes, the computer will be fully upgraded to Windows 10.
-
-## Upgrade to Windows 10 with System Center Configuration Manager Current Branch
-
-
-With System Center Configuration Manager Current Branch, new built-in functionality makes it easier to upgrade to Windows 10.
-
-**Note**  
-For more details about Configuration Manager Current Branch, see the [Configuration Manager Team blog](https://go.microsoft.com/fwlink/p/?LinkId=620205). An [evaluation version is currently available](https://go.microsoft.com/fwlink/p/?LinkId=620206) for you to try. The instructions below are specific to the Technical Preview 2 release and may change after the next version of Configuration Manager is released.
-
- 
-
-### Create the OS upgrade package
-
-First, you need to create an operating system upgrade package that contains the full Windows 10 Enterprise x64 installation media.
-
-1.  On CM01, using the Configuration Manager console, in the Software Library workspace, right-click the **Operating System Upgrade Packages** node, then select **Add Operating System Upgrade Package**.
-2.  On the **Data Source** page, specify the UNC path to the Windows 10 Enterprise x64 media, and then click **Next**.
-3.  On the **General** page, specify Windows 10 Enterprise x64 Upgrade, and then click **Next**.
-4.  On the **Summary** page, click **Next**, and then click **Close**.
-5.  Right-click the created **Windows 10 Enterprise x64 Update** package, and then select **Distribute Content**. Choose the CM01 distribution point.
-
-### Create the task sequence
-
-To create an upgrade task sequence, perform the following steps:
-
-1.  On CM01, using the Configuration Manager console, in the Software Library workspace, right-click the **Task Sequences** node, and then select **Create Task Sequence**.
-2.  On the **Create a new task sequence** page, select **Upgrade an operating system from upgrade package**, and then click **Next**.
-3.  On the **Task Sequence Information** page, specify **Windows 10 Enterprise x64 Upgrade**, and then click **Next**.
-4.  On the **Upgrade the Windows operating system** page, select the **Windows 10 Enterprise x64 Upgrade operating system upgrade** package, and then click **Next**.
-5.  Click **Next** through the remaining wizard pages, and then click **Close**.
-
-![figure 3](../images/upgradecfg-fig3-upgrade.png)
-
-Figure 3. The Configuration Manager upgrade task sequence.
-
-### Create a device collection
-
-After you create the upgrade task sequence, you can create a collection to test a deployment. In this section, we assume you have the PC0001 machine running Windows 7 SP1, with the next version of System Center Configuration Manager client installed.
-
-1.  On CM01, using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings:
-    -   General
-
-        -   Name: Windows 10 Enterprise x64 Upgrade
-
-        -   Limited Collection: All Systems
-
-    -   Membership rules:
-
-        -   Direct rule
-
-            -   Resource Class: System Resource
-
-            -   Attribute Name: Name
-
-            -   Value: PC0001
-
-        -   Select Resources
-
-        -   Select PC0001
-
-2.  Review the Windows 10 Enterprise x64 Upgrade collection. Do not continue until you see the PC0001 machine in the collection.
-
-### Deploy the Windows 10 upgrade
-
-In this section, you create a deployment for the Windows 10 Enterprise x64 Update application.
-
-1.  On CM01, using the Configuration Manager console, in the Software Library workspace, right-click the **Windows vNext Upgrade** task sequence, and then select **Deploy**.
-2.  On the **General** page, select the **Windows 10 Enterprise x64 Upgrade** collection, and then click **Next**.
-3.  On the **Content** page, click **Next**.
-4.  On the **Deployment Settings** page, select the following settings and click **Next**:
-    -   Action: Install
-
-    -   Purpose: Available
-
-5.  On the **Scheduling** page, accept the default settings, and then click **Next**.
-6.  On the **User Experience** page, accept the default settings, and then click **Next**.
-7.  On the **Alerts** page, accept the default settings, and then click **Next**.
-8.  On the **Summary** page, click **Next**, and then click **Close**.
-
-### Start the Windows 10 upgrade
-
-In this section, you start the Windows 10 Upgrade task sequence on PC0001 (currently running Windows 7 SP1).
-
-1.  On PC0001, start the **Software Center**.
-2.  Select the **Windows 10 Enterprise x64 Upgrade** task sequence, and then click **Install.**
-
-When the task sequence begins, it automatically initiates the in-place upgrade process by invoking the Windows setup program (Setup.exe) with the necessary command-line parameters to perform an automated upgrade, which preserves all data, settings, apps, and drivers.
-
-After the task sequence completes, the computer will be fully upgraded to Windows 10.
-
-## Related topics
-
-
-[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
-
-[Configuration Manager Team blog](https://go.microsoft.com/fwlink/p/?LinkId=620109)
-
- 
-
- 
-
-
-
-
-
+---
+title: Perform in-place upgrade to Windows 10 via Configuration Manager
+description: The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. Use a System Center Configuration Manager task sequence to completely automate the process.
+ms.assetid: F8DF6191-0DB0-4EF5-A9B1-6A11D5DE4878
+ms.reviewer: 
+manager: laurawi
+ms.author: greglin
+keywords: upgrade, update, task sequence, deploy
+ms.prod: w10
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Perform an in-place upgrade to Windows 10 using Configuration Manager
+
+
+**Applies to**
+
+-   Windows 10
+
+The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a System Center Configuration Manager task sequence to completely automate the process.
+
+## Proof-of-concept environment
+
+
+For the purposes of this topic, we will use three machines: DC01, CM01, and PC0001. DC01 is a domain controller and CM01 is a Windows Server 2012 R2 standard machine, fully patched with the latest security updates, and configured as a member server in the fictional contoso.com domain. PC0001 is a machine with Windows 7 SP1, targeted for the Windows 10 upgrade. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
+
+![figure 1](../images/upgrademdt-fig1-machines.png)
+
+Figure 1. The machines used in this topic.
+
+## Upgrade to Windows 10 with System Center 2012 R2 Configuration Manager
+
+
+System Center 2012 R2 Configuration Manager SP1 adds support to manage and deploy Windows 10. Although it does not include built-in support to perform an in-place upgrade from Windows 7, Windows 8, or Windows 8.1 to Windows 10, you can build a custom task sequence to perform the necessary tasks.
+
+## Create the task sequence
+
+
+To help with this process, the Configuration Manager team has published [a blog](https://go.microsoft.com/fwlink/p/?LinkId=620179) that provides a sample task sequence, as well as the [original blog that includes the instructions for setting up the task sequence](https://go.microsoft.com/fwlink/p/?LinkId=620180). To summarize, here are the tasks you need to perform:
+
+1.  Download the [Windows10Upgrade1506.zip](https://go.microsoft.com/fwlink/p/?LinkId=620182) file that contains the sample task sequence and related scripts. Extract the contents onto a network share.
+2.  Copy the Windows 10 Enterprise RTM x64 media into the extracted but empty **Windows vNext Upgrade Media** folder.
+3.  Using the Configuration Manager Console, right-click the **Task Sequences** node, and then choose **Import Task Sequence**. Select the **Windows-vNextUpgradeExport.zip** file that you extracted in Step 1.
+4.  Distribute the two created packages (one contains the Windows 10 Enterprise x64 media, the other contains the related scripts) to the Configuration Manager distribution point.
+
+For full details and an explanation of the task sequence steps, review the full details of the two blogs that are referenced above.
+
+## Create a device collection
+
+
+After you create the upgrade task sequence, you can create a collection to test a deployment. In this section, we assume you have the PC0001 machine running Windows 7 SP1, with the Configuration Manager client installed.
+
+1.  On CM01, using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings:
+    -   General
+
+        -   Name: Windows 10 Enterprise x64 Upgrade
+
+        -   Limited Collection: All Systems
+
+    -   Membership rules:
+
+        -   Direct rule
+
+            -   Resource Class: System Resource
+
+            -   Attribute Name: Name
+
+            -   Value: PC0001
+
+        -   Select Resources
+
+        -   Select PC0001
+
+2.  Review the Windows 10 Enterprise x64 Upgrade collection. Do not continue until you see the PC0001 machine in the collection.
+
+## Deploy the Windows 10 upgrade
+
+
+In this section, you create a deployment for the Windows 10 Enterprise x64 Update application.
+
+1.  On CM01, using the Configuration Manager console, in the Software Library workspace, right-click the **Windows vNext Upgrade** task sequence, and then select **Deploy**.
+2.  On the **General** page, select the **Windows 10 Enterprise x64 Upgrade** collection, and then click **Next**.
+3.  On the **Content** page, click **Next**.
+4.  On the **Deployment Settings** page, select the following settings, and then click **Next**:
+    -   Action: Install
+
+    -   Purpose: Available
+
+5.  On the **Scheduling** page, accept the default settings, and then click **Next**.
+6.  On the **User Experience** page, accept the default settings, and then click **Next**.
+7.  On the **Alerts** page, accept the default settings, and then click **Next**.
+8.  On the **Summary** page, click **Next**, and then click **Close**.
+
+## Start the Windows 10 upgrade
+
+
+In this section, you start the Windows 10 Upgrade task sequence on PC0001 (currently running Windows 7 SP1).
+
+1.  On PC0001, start the **Software Center**.
+2.  Select the **Windows vNext Upgrade** task sequence, and then click **Install**.
+
+When the task sequence begins, it will automatically initiate the in-place upgrade process by invoking the Windows setup program (Setup.exe) with the necessary command-line parameters to perform an automated upgrade, which preserves all data, settings, apps, and drivers.
+
+![figure 2](../images/upgradecfg-fig2-upgrading.png)
+
+Figure 2. Upgrade from Windows 7 to Windows 10 Enterprise x64 with a task sequence.
+
+After the task sequence finishes, the computer will be fully upgraded to Windows 10.
+
+## Upgrade to Windows 10 with System Center Configuration Manager Current Branch
+
+
+With System Center Configuration Manager Current Branch, new built-in functionality makes it easier to upgrade to Windows 10.
+
+**Note**  
+For more details about Configuration Manager Current Branch, see the [Configuration Manager Team blog](https://go.microsoft.com/fwlink/p/?LinkId=620205). An [evaluation version is currently available](https://go.microsoft.com/fwlink/p/?LinkId=620206) for you to try. The instructions below are specific to the Technical Preview 2 release and may change after the next version of Configuration Manager is released.
+
+ 
+
+### Create the OS upgrade package
+
+First, you need to create an operating system upgrade package that contains the full Windows 10 Enterprise x64 installation media.
+
+1.  On CM01, using the Configuration Manager console, in the Software Library workspace, right-click the **Operating System Upgrade Packages** node, then select **Add Operating System Upgrade Package**.
+2.  On the **Data Source** page, specify the UNC path to the Windows 10 Enterprise x64 media, and then click **Next**.
+3.  On the **General** page, specify Windows 10 Enterprise x64 Upgrade, and then click **Next**.
+4.  On the **Summary** page, click **Next**, and then click **Close**.
+5.  Right-click the created **Windows 10 Enterprise x64 Update** package, and then select **Distribute Content**. Choose the CM01 distribution point.
+
+### Create the task sequence
+
+To create an upgrade task sequence, perform the following steps:
+
+1.  On CM01, using the Configuration Manager console, in the Software Library workspace, right-click the **Task Sequences** node, and then select **Create Task Sequence**.
+2.  On the **Create a new task sequence** page, select **Upgrade an operating system from upgrade package**, and then click **Next**.
+3.  On the **Task Sequence Information** page, specify **Windows 10 Enterprise x64 Upgrade**, and then click **Next**.
+4.  On the **Upgrade the Windows operating system** page, select the **Windows 10 Enterprise x64 Upgrade operating system upgrade** package, and then click **Next**.
+5.  Click **Next** through the remaining wizard pages, and then click **Close**.
+
+![figure 3](../images/upgradecfg-fig3-upgrade.png)
+
+Figure 3. The Configuration Manager upgrade task sequence.
+
+### Create a device collection
+
+After you create the upgrade task sequence, you can create a collection to test a deployment. In this section, we assume you have the PC0001 machine running Windows 7 SP1, with the next version of System Center Configuration Manager client installed.
+
+1.  On CM01, using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings:
+    -   General
+
+        -   Name: Windows 10 Enterprise x64 Upgrade
+
+        -   Limited Collection: All Systems
+
+    -   Membership rules:
+
+        -   Direct rule
+
+            -   Resource Class: System Resource
+
+            -   Attribute Name: Name
+
+            -   Value: PC0001
+
+        -   Select Resources
+
+        -   Select PC0001
+
+2.  Review the Windows 10 Enterprise x64 Upgrade collection. Do not continue until you see the PC0001 machine in the collection.
+
+### Deploy the Windows 10 upgrade
+
+In this section, you create a deployment for the Windows 10 Enterprise x64 Update application.
+
+1.  On CM01, using the Configuration Manager console, in the Software Library workspace, right-click the **Windows vNext Upgrade** task sequence, and then select **Deploy**.
+2.  On the **General** page, select the **Windows 10 Enterprise x64 Upgrade** collection, and then click **Next**.
+3.  On the **Content** page, click **Next**.
+4.  On the **Deployment Settings** page, select the following settings and click **Next**:
+    -   Action: Install
+
+    -   Purpose: Available
+
+5.  On the **Scheduling** page, accept the default settings, and then click **Next**.
+6.  On the **User Experience** page, accept the default settings, and then click **Next**.
+7.  On the **Alerts** page, accept the default settings, and then click **Next**.
+8.  On the **Summary** page, click **Next**, and then click **Close**.
+
+### Start the Windows 10 upgrade
+
+In this section, you start the Windows 10 Upgrade task sequence on PC0001 (currently running Windows 7 SP1).
+
+1.  On PC0001, start the **Software Center**.
+2.  Select the **Windows 10 Enterprise x64 Upgrade** task sequence, and then click **Install.**
+
+When the task sequence begins, it automatically initiates the in-place upgrade process by invoking the Windows setup program (Setup.exe) with the necessary command-line parameters to perform an automated upgrade, which preserves all data, settings, apps, and drivers.
+
+After the task sequence completes, the computer will be fully upgraded to Windows 10.
+
+## Related topics
+
+
+[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
+
+[Configuration Manager Team blog](https://go.microsoft.com/fwlink/p/?LinkId=620109)
+
+ 
+
+ 
+
+
+
+
+
diff --git a/windows/deployment/upgrade/windows-10-upgrade-paths.md b/windows/deployment/upgrade/windows-10-upgrade-paths.md
index c5cc2c3ba1..37da456194 100644
--- a/windows/deployment/upgrade/windows-10-upgrade-paths.md
+++ b/windows/deployment/upgrade/windows-10-upgrade-paths.md
@@ -22,9 +22,11 @@ ms.topic: article
 
 ## Upgrade paths
 
-This topic provides a summary of available upgrade paths to Windows 10. You can upgrade to Windows 10 from Windows 7 or a later operating system. This includes upgrading from one release of Windows 10 to later release of Windows 10. Migrating from one edition of Windows 10 to a different edition of the same release is also supported. For more information about migrating to a different edition of Windows 10, see [Windows 10 edition upgrade](windows-10-edition-upgrades.md).
+This topic provides a summary of available upgrade paths to Windows 10. You can upgrade to Windows 10 from Windows 7 or a later operating system. This includes upgrading from one release of Windows 10 to later release of Windows 10. Migrating from one edition of Windows 10 to a different edition of the same release is also supported. 
 
-> **Windows 10 version upgrade**: You can directly upgrade any semi-annual channel version of Windows 10 to a newer, supported semi-annual channel version of Windows 10, even if it involves skipping versions. Work with your account representative if your current version of Windows is out of support. See the [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet) for availability and service information. 
+If you are also migrating to a different edition of Windows, see [Windows 10 edition upgrade](windows-10-edition-upgrades.md). Methods and supported paths are described on this page to change the edition of Windows. These methods require that you input a license or product key for the new Windows edition prior to starting the upgrade process. Edition downgrade is also supported for some paths, but please note that applications and settings are not maintained when the Windows edition is downgraded.
+
+> **Windows 10 version upgrade**: You can directly upgrade any semi-annual channel version of Windows 10 to a newer, supported semi-annual channel version of Windows 10, even if it involves skipping versions. Work with your account representative if your current version of Windows is out of support. See the [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet) for availability and service information.
 > 
 > **Windows 10 LTSC/LTSB**: Due to [naming changes](https://docs.microsoft.com/windows/deployment/update/waas-overview#naming-changes), product versions that display Windows 10 LTSB will be replaced with Windows 10 LTSC in subsequent feature updates. The term LTSC is used here to refer to all long term servicing versions.
 > 
diff --git a/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md b/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md
index 8a830c5fd9..b0cf117686 100644
--- a/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md
+++ b/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md
@@ -1,86 +1,87 @@
----
-title: Getting Started with the User State Migration Tool (USMT) (Windows 10)
-description: Getting Started with the User State Migration Tool (USMT)
-ms.assetid: 506ff1d2-94b8-4460-8672-56aad963504b
-ms.reviewer: 
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.topic: article
----
-
-# Getting Started with the User State Migration Tool (USMT)
-This topic outlines the general process that you should follow to migrate files and settings.
-
-## In this Topic
--   [Step 1: Plan Your Migration](#step-1-plan-your-migration)
-
--   [Step 2: Collect files and settings from the source computer](#step-2-collect-files-and-settings-from-the-source-computer)
-
--   [Step 3: Prepare the destination computer and restore files and settings](#step-3-prepare-the-destination-computer-and-restore-files-and-settings)
-
-## Step 1: Plan your migration
-1.  [Plan Your Migration](usmt-plan-your-migration.md). Depending on whether your migration scenario is refreshing or replacing computers, you can choose an online migration or an offline migration using Windows Preinstallation Environment (WinPE) or the files in the Windows.old directory. For more information, see [Common Migration Scenarios](usmt-common-migration-scenarios.md).
-
-2.  [Determine What to Migrate](usmt-determine-what-to-migrate.md). Data you might consider migrating includes end-user information, applications settings, operating-system settings, files, folders, and registry keys.
-
-3.  Determine where to store data. Depending on the size of your migration store, you can store the data remotely, locally in a hard-link migration store or on a local external storage device, or directly on the destination computer. For more information, see [Choose a Migration Store Type](usmt-choose-migration-store-type.md).
-
-4.  Use the **/GenMigXML** command-line option to determine which files will be included in your migration, and to determine whether any modifications are necessary. For more information see [ScanState Syntax](usmt-scanstate-syntax.md)
-
-5.  Modify copies of the Migration.xml and MigDocs.xml files and create custom .xml files, if it is required. To modify the migration behavior, such as migrating the **Documents** folder but not the **Music** folder, you can create a custom .xml file or modify the rules in the existing migration .xml files. The document finder, or **MigXmlHelper.GenerateDocPatterns** helper function, can be used to automatically find user documents on a computer without creating extensive custom migration .xml files.
-
-    **Important**  
-    We recommend that you always make and modify copies of the .xml files included in User State Migration Tool (USMT) 10.0. Never modify the original .xml files.
-    
-    You can use the MigXML.xsd file to help you write and validate the .xml files. For more information about how to modify these files, see [USMT XML Reference](usmt-xml-reference.md).
-
-6.  Create a [Config.xml File](usmt-configxml-file.md) if you want to exclude any components from the migration. To create this file, use the [ScanState Syntax](usmt-scanstate-syntax.md) option together with the other .xml files when you use the **ScanState** command. For example, the following command creates a Config.xml file by using the MigDocs and MigApp.xml files:
-
-    `scanstate /genconfig:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:scanstate.log`
-
-7.  Review the migration state of the components listed in the Config.xml file, and specify `migrate=no` for any components that you do not want to migrate.
-
-## Step 2: Collect files and settings from the source computer
-1.  Back up the source computer.
-
-2.  Close all applications. If some applications are running when you run the **ScanState** command, USMT might not migrate all of the specified data. For example, if Microsoft® Office Outlook® is open, USMT might not migrate PST files.
-
-    **Note**  
-    USMT will fail if it cannot migrate a file or setting unless you specify the **/C** option. When you specify the **/C** option, USMT will ignore the errors, and log an error every time that it encounters a file that is being used that USMT did not migrate. You can use the **<ErrorControl>** section in the Config.xml file to specify which errors should be ignored, and which should cause the migration to fail.
-
-3.  Run the **ScanState** command on the source computer to collect files and settings. You should specify all of the .xml files that you want the **ScanState** command to use. For example,
-
-    `scanstate \\server\migration\mystore /config:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:scan.log`
-
-    **Note**  
-    If the source computer is running Windows 7, or Windows 8, you must run the **ScanState** command in **Administrator** mode. To run in **Administrator** mode, right-click **Command Prompt**, and then click **Run As Administrator**. If the source computer is running Windows XP, you must run the **ScanState** command from an account that has administrative credentials. For more information about the how the **ScanState** command processes and stores the data, see [How USMT Works](usmt-how-it-works.md).
-
-4.  Run the **USMTUtils** command with the **/Verify** option to ensure that the store you created is not corrupted.
-
-## Step 3: Prepare the destination computer and restore files and settings
-1.  Install the operating system on the destination computer.
-
-2.  Install all applications that were on the source computer. Although it is not always required, we recommend installing all applications on the destination computer before you restore the user state. This makes sure that migrated settings are preserved.
-
-    **Note**  
-    The application version that is installed on the destination computer should be the same version as the one on the source computer. USMT does not support migrating the settings for an older version of an application to a newer version. The exception to this is Microsoft® Office, which USMT can migrate from an older version to a newer version.
-
-3.  Close all applications. If some applications are running when you run the **LoadState** command, USMT might not migrate all of the specified data. For example, if Microsoft Office Outlook is open, USMT might not migrate PST files.
-
-    **Note**  
-    Use **/C** to continue your migration if errors are encountered, and use the **<ErrorControl>** section in the Config.xml file to specify which errors should be ignored, and which errors should cause the migration to fail.
-
-4.  Run the **LoadState** command on the destination computer. Specify the same set of .xml files that you specified when you used the **ScanState** command. However, you do not have to specify the Config.xml file, unless you want to exclude some of the files and settings that you migrated to the store. For example, you might want to migrate the My Documents folder to the store, but not to the destination computer. To do this, modify the Config.xml file and specify the updated file by using the **LoadState** command. Then, the **LoadState** command will migrate only the files and settings that you want to migrate. For more information about the how the **LoadState** command processes and migrates data, see [How USMT Works](usmt-how-it-works.md).
-
-    For example, the following command migrates the files and settings:
-
-    `loadstate \\server\migration\mystore /config:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:load.log`
-
-    **Note**  
-    Run the **LoadState** command in administrator mode. To do this, right-click **Command Prompt**, and then click **Run As Administrator**.
-
-5.  Log off after you run the **LoadState** command. Some settings (for example, fonts, wallpaper, and screen saver settings) will not take effect until the next time that the user logs on.
+---
+title: User State Migration Tool (USMT) - Getting Started (Windows 10)
+description: Getting Started with the User State Migration Tool (USMT)
+ms.assetid: 506ff1d2-94b8-4460-8672-56aad963504b
+ms.reviewer: 
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Getting Started with the User State Migration Tool (USMT)
+This topic outlines the general process that you should follow to migrate files and settings.
+
+## In this Topic
+-   [Step 1: Plan Your Migration](#step-1-plan-your-migration)
+
+-   [Step 2: Collect files and settings from the source computer](#step-2-collect-files-and-settings-from-the-source-computer)
+
+-   [Step 3: Prepare the destination computer and restore files and settings](#step-3-prepare-the-destination-computer-and-restore-files-and-settings)
+
+## Step 1: Plan your migration
+1.  [Plan Your Migration](usmt-plan-your-migration.md). Depending on whether your migration scenario is refreshing or replacing computers, you can choose an online migration or an offline migration using Windows Preinstallation Environment (WinPE) or the files in the Windows.old directory. For more information, see [Common Migration Scenarios](usmt-common-migration-scenarios.md).
+
+2.  [Determine What to Migrate](usmt-determine-what-to-migrate.md). Data you might consider migrating includes end-user information, applications settings, operating-system settings, files, folders, and registry keys.
+
+3.  Determine where to store data. Depending on the size of your migration store, you can store the data remotely, locally in a hard-link migration store or on a local external storage device, or directly on the destination computer. For more information, see [Choose a Migration Store Type](usmt-choose-migration-store-type.md).
+
+4.  Use the **/GenMigXML** command-line option to determine which files will be included in your migration, and to determine whether any modifications are necessary. For more information see [ScanState Syntax](usmt-scanstate-syntax.md)
+
+5.  Modify copies of the Migration.xml and MigDocs.xml files and create custom .xml files, if it is required. To modify the migration behavior, such as migrating the **Documents** folder but not the **Music** folder, you can create a custom .xml file or modify the rules in the existing migration .xml files. The document finder, or **MigXmlHelper.GenerateDocPatterns** helper function, can be used to automatically find user documents on a computer without creating extensive custom migration .xml files.
+
+    **Important**  
+    We recommend that you always make and modify copies of the .xml files included in User State Migration Tool (USMT) 10.0. Never modify the original .xml files.
+    
+    You can use the MigXML.xsd file to help you write and validate the .xml files. For more information about how to modify these files, see [USMT XML Reference](usmt-xml-reference.md).
+
+6.  Create a [Config.xml File](usmt-configxml-file.md) if you want to exclude any components from the migration. To create this file, use the [ScanState Syntax](usmt-scanstate-syntax.md) option together with the other .xml files when you use the **ScanState** command. For example, the following command creates a Config.xml file by using the MigDocs and MigApp.xml files:
+
+    `scanstate /genconfig:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:scanstate.log`
+
+7.  Review the migration state of the components listed in the Config.xml file, and specify `migrate=no` for any components that you do not want to migrate.
+
+## Step 2: Collect files and settings from the source computer
+1.  Back up the source computer.
+
+2.  Close all applications. If some applications are running when you run the **ScanState** command, USMT might not migrate all of the specified data. For example, if Microsoft® Office Outlook® is open, USMT might not migrate PST files.
+
+    **Note**  
+    USMT will fail if it cannot migrate a file or setting unless you specify the **/C** option. When you specify the **/C** option, USMT will ignore the errors, and log an error every time that it encounters a file that is being used that USMT did not migrate. You can use the **<ErrorControl>** section in the Config.xml file to specify which errors should be ignored, and which should cause the migration to fail.
+
+3.  Run the **ScanState** command on the source computer to collect files and settings. You should specify all of the .xml files that you want the **ScanState** command to use. For example,
+
+    `scanstate \\server\migration\mystore /config:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:scan.log`
+
+    **Note**  
+    If the source computer is running Windows 7, or Windows 8, you must run the **ScanState** command in **Administrator** mode. To run in **Administrator** mode, right-click **Command Prompt**, and then click **Run As Administrator**. If the source computer is running Windows XP, you must run the **ScanState** command from an account that has administrative credentials. For more information about the how the **ScanState** command processes and stores the data, see [How USMT Works](usmt-how-it-works.md).
+
+4.  Run the **USMTUtils** command with the **/Verify** option to ensure that the store you created is not corrupted.
+
+## Step 3: Prepare the destination computer and restore files and settings
+1.  Install the operating system on the destination computer.
+
+2.  Install all applications that were on the source computer. Although it is not always required, we recommend installing all applications on the destination computer before you restore the user state. This makes sure that migrated settings are preserved.
+
+    **Note**  
+    The application version that is installed on the destination computer should be the same version as the one on the source computer. USMT does not support migrating the settings for an older version of an application to a newer version. The exception to this is Microsoft® Office, which USMT can migrate from an older version to a newer version.
+
+3.  Close all applications. If some applications are running when you run the **LoadState** command, USMT might not migrate all of the specified data. For example, if Microsoft Office Outlook is open, USMT might not migrate PST files.
+
+    **Note**  
+    Use **/C** to continue your migration if errors are encountered, and use the **<ErrorControl>** section in the Config.xml file to specify which errors should be ignored, and which errors should cause the migration to fail.
+
+4.  Run the **LoadState** command on the destination computer. Specify the same set of .xml files that you specified when you used the **ScanState** command. However, you do not have to specify the Config.xml file, unless you want to exclude some of the files and settings that you migrated to the store. For example, you might want to migrate the My Documents folder to the store, but not to the destination computer. To do this, modify the Config.xml file and specify the updated file by using the **LoadState** command. Then, the **LoadState** command will migrate only the files and settings that you want to migrate. For more information about the how the **LoadState** command processes and migrates data, see [How USMT Works](usmt-how-it-works.md).
+
+    For example, the following command migrates the files and settings:
+
+    `loadstate \\server\migration\mystore /config:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:load.log`
+
+    **Note**  
+    Run the **LoadState** command in administrator mode. To do this, right-click **Command Prompt**, and then click **Run As Administrator**.
+
+5.  Log off after you run the **LoadState** command. Some settings (for example, fonts, wallpaper, and screen saver settings) will not take effect until the next time that the user logs on.
diff --git a/windows/deployment/usmt/usmt-general-conventions.md b/windows/deployment/usmt/usmt-general-conventions.md
index 2bffb25cd7..3439d25d7a 100644
--- a/windows/deployment/usmt/usmt-general-conventions.md
+++ b/windows/deployment/usmt/usmt-general-conventions.md
@@ -50,7 +50,7 @@ Before you modify the .xml files, become familiar with the following guidelines:
 
 -   **File names with brackets**
 
-    If you are migrating a file that has a bracket character (\[ or \]) in the file name, you must insert a carat (^) character directly before the bracket for the bracket character to be valid. For example, if there is a file named File.txt, you must specify `c:\documents\mydocs [file^].txt]` instead of `c:\documents\mydocs [file].txt]`.
+    If you are migrating a file that has a bracket character (\[ or \]) in the file name, you must insert a carat (^) character directly before the bracket for the bracket character to be valid. For example, if there is a file named **file].txt**, you must specify `c:\documents\mydocs [file^].txt]` instead of `c:\documents\mydocs [file].txt]`.
 
 -   **Using quotation marks**
 
diff --git a/windows/deployment/usmt/usmt-hard-link-migration-store.md b/windows/deployment/usmt/usmt-hard-link-migration-store.md
index 4b2d8385c2..e9bb2376d5 100644
--- a/windows/deployment/usmt/usmt-hard-link-migration-store.md
+++ b/windows/deployment/usmt/usmt-hard-link-migration-store.md
@@ -113,6 +113,9 @@ For example, a company has decided to deploy Windows 10 on all of their compute
 
 3.  An administrator runs the LoadState command-line tool on each computer. The LoadState tool restores user state back on each computer.
 
+> [!NOTE]
+> During the update of a domain-joined computer, the profiles of users whose SID cannot be resolved will not be migrated. When using a hard-link migration store, it could cause a data loss.
+     
 ## Hard-Link Migration Store Details
 
 
@@ -233,4 +236,3 @@ The following XML sample specifies that files locked by an application under the
 
 
 
-
diff --git a/windows/deployment/windows-10-deployment-tools-reference.md b/windows/deployment/windows-10-deployment-tools-reference.md
index 46feb45c03..31c2c53103 100644
--- a/windows/deployment/windows-10-deployment-tools-reference.md
+++ b/windows/deployment/windows-10-deployment-tools-reference.md
@@ -1,28 +1,30 @@
----
-title: Windows 10 deployment tools (Windows 10)
-description: Learn about the tools available to deploy Windows 10.
-ms.assetid: 5C4B0AE3-B2D0-4628-9E73-606F3FAA17BB
-ms.reviewer: 
-manager: laurawi
-ms.audience: itpro
author: greg-lindsay
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 07/12/2017
-ms.topic: article
----
-
-# Windows 10 deployment tools
-
-Learn about the tools available to deploy Windows 10.
-
-|Topic |Description |
-|------|------------|
-|[Windows 10 deployment scenarios and tools](windows-deployment-scenarios-and-tools.md) |To successfully deploy the Windows 10 operating system and applications for your organization, it is essential that you know about the available tools to help with the process. In this topic, you will learn about the most commonly used tools for Windows 10 deployment. |
-|[Convert MBR partition to GPT](mbr-to-gpt.md) |This topic provides detailed instructions for using the MBR2GPT partition conversion tool. |
-|[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. |
-|[Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md) |The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. |
-|[Deploy Windows To Go in your organization](deploy-windows-to-go.md) |This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](planning/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment. |
-|[Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md) |The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process. |
-|[User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md) |The User State Migration Tool (USMT) 10.0 is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals |
+---
+title: Windows 10 deployment tools reference
+description: Learn about the tools available to deploy Windows 10.
+ms.assetid: 5C4B0AE3-B2D0-4628-9E73-606F3FAA17BB
+ms.reviewer: 
+manager: laurawi
+ms.audience: itpro
+author: greg-lindsay
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 07/12/2017
+ms.topic: article
+---
+
+# Windows 10 deployment tools
+
+Learn about the tools available to deploy Windows 10.
+
+|Topic |Description |
+|------|------------|
+|[Windows 10 deployment scenarios and tools](windows-deployment-scenarios-and-tools.md) |To successfully deploy the Windows 10 operating system and applications for your organization, it is essential that you know about the available tools to help with the process. In this topic, you will learn about the most commonly used tools for Windows 10 deployment. |
+|[Convert MBR partition to GPT](mbr-to-gpt.md) |This topic provides detailed instructions for using the MBR2GPT partition conversion tool. |
+|[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. |
+|[Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md) |The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. |
+|[Deploy Windows To Go in your organization](deploy-windows-to-go.md) |This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](planning/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment. |
+|[Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md) |The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process. |
+|[User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md) |The User State Migration Tool (USMT) 10.0 is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals |
diff --git a/windows/deployment/windows-10-deployment-tools.md b/windows/deployment/windows-10-deployment-tools.md
index 43fe3a68c7..c9973b520d 100644
--- a/windows/deployment/windows-10-deployment-tools.md
+++ b/windows/deployment/windows-10-deployment-tools.md
@@ -1,28 +1,30 @@
----
-title: Windows 10 deployment tools (Windows 10)
-description: Learn about the tools available to deploy Windows 10.
-ms.assetid: 5C4B0AE3-B2D0-4628-9E73-606F3FAA17BB
-ms.reviewer: 
-manager: laurawi
-ms.audience: itpro
author: greg-lindsay
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 10/16/2017
-ms.topic: article
----
-
-# Windows 10 deployment tools
-
-Learn about the tools available to deploy Windows 10.
-
-|Topic |Description |
-|------|------------|
-|[Windows 10 deployment scenarios and tools](windows-deployment-scenarios-and-tools.md) |To successfully deploy the Windows 10 operating system and applications for your organization, it is essential that you know about the available tools to help with the process. In this topic, you will learn about the most commonly used tools for Windows 10 deployment. |
-|[Convert MBR partition to GPT](mbr-to-gpt.md) |This topic provides detailed instructions for using the MBR2GPT partition conversion tool. |
-|[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. |
-|[Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md) |The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. |
-|[Deploy Windows To Go in your organization](deploy-windows-to-go.md) |This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](planning/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment. |
-|[Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md) |The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process. |
-|[User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md) |The User State Migration Tool (USMT) 10.0 is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals |
+---
+title: Windows 10 deployment tools
+description: Learn about the tools available to deploy Windows 10.
+ms.assetid: 5C4B0AE3-B2D0-4628-9E73-606F3FAA17BB
+ms.reviewer: 
+manager: laurawi
+ms.audience: itpro
+author: greg-lindsay
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 10/16/2017
+ms.topic: article
+---
+
+# Windows 10 deployment tools
+
+Learn about the tools available to deploy Windows 10.
+
+|Topic |Description |
+|------|------------|
+|[Windows 10 deployment scenarios and tools](windows-deployment-scenarios-and-tools.md) |To successfully deploy the Windows 10 operating system and applications for your organization, it is essential that you know about the available tools to help with the process. In this topic, you will learn about the most commonly used tools for Windows 10 deployment. |
+|[Convert MBR partition to GPT](mbr-to-gpt.md) |This topic provides detailed instructions for using the MBR2GPT partition conversion tool. |
+|[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. |
+|[Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md) |The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. |
+|[Deploy Windows To Go in your organization](deploy-windows-to-go.md) |This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](planning/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment. |
+|[Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md) |The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process. |
+|[User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md) |The User State Migration Tool (USMT) 10.0 is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals |
diff --git a/windows/deployment/windows-autopilot/TOC.md b/windows/deployment/windows-autopilot/TOC.md
index 0de74e46b1..d94b04fdcb 100644
--- a/windows/deployment/windows-autopilot/TOC.md
+++ b/windows/deployment/windows-autopilot/TOC.md
@@ -19,6 +19,8 @@
 ## [Configuring device profiles](profiles.md)
 ## [Enrollment Status Page](enrollment-status.md)
 ## [BitLocker encryption](bitlocker.md)
+## [DFCI management](dfci-management.md)
+## [Windows Autopilot update](autopilot-update.md)
 ## [Troubleshooting](troubleshooting.md)
 ## [Known issues](known-issues.md)
 
diff --git a/windows/deployment/windows-autopilot/autopilot-faq.md b/windows/deployment/windows-autopilot/autopilot-faq.md
index c97fb6e3bb..b527168e97 100644
--- a/windows/deployment/windows-autopilot/autopilot-faq.md
+++ b/windows/deployment/windows-autopilot/autopilot-faq.md
@@ -1,6 +1,6 @@
 ---
-title: Windows Autopilot support
-ms.reviewer: 
+title: Windows Autopilot FAQ
+ms.reviewer: This topic provides OEMs, partners, administrators, and end-users with answers to some frequently asked questions about deploying Windows 10 with Windows Autopilot. 
 manager: laurawi
 description: Support information for Windows Autopilot
 keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
@@ -99,7 +99,7 @@ A [glossary](#glossary) of abbreviations used in this topic is provided at the e
 |How do I know that I received Autopilot?|You can tell that you received Windows Autopilot (as in the device received a configuration but has not yet applied it) when you skip the selection page (as seen below), and are immediately taken to a generic or customized sign-in page.|
 |Windows Autopilot didn’t work, what do I do now?| Questions and actions to assist in troubleshooting:  Did a screen not get skipped?   Did a user end up as an admin when configured not to? Remember that AAD Admins will be local admins regardless of whether Windows Autopilot is configured to disable local admin  Collection information – run licensingdiag.exe and send the .cab (Cabinet file) file that is generated to AutopilotHelp@microsoft.com. If possible, collect an ETL from WPR. Often in these cases, users are not signing into the right AAD tenant, or are creating local user accounts.  For a complete list of support options, refer to [Windows Autopilot support](autopilot-support.md). |
 | If an Administrator makes changes to an existing profile, will the changes take effect on devices that have that profile assigned to them that have already been deployed? |No. Windows Autopilot profiles are not resident on the device. They are downloaded during OOBE, the settings defined at the time are applied. Then, the profile is discarded on the device. If the device is re-imaged or reset, the new profile settings will take effect the next time the device goes through OOBE.|
-|What is the experience if a device isn’t registered or if an IT Admin doesn’t configure Windows Autopilot prior to an end user attempting to self-deploy?          |If the device isn’t registered, it will not receive the Windows Autopilot experience and the end user will go through normal OOBE. The Windows Autopilot configurations will NOT be applied until the user runs through OOBE again, after registration. If a device is started before an MDM profile is created, the device will go through standard OOBE experience.  The IT Admin would then have to manually enrol that device into the MDM, after which—the next time that device is “reset”—it will go through the Windows Autopilot OOBE experience.|
+|What is the experience if a device isn’t registered or if an IT Admin doesn’t configure Windows Autopilot prior to an end user attempting to self-deploy?          |If the device isn’t registered, it will not receive the Windows Autopilot experience and the end user will go through normal OOBE. The Windows Autopilot configurations will NOT be applied until the user runs through OOBE again, after registration. If a device is started before an MDM profile is created, the device will go through standard OOBE experience.  The IT Admin would then have to manually enroll that device into the MDM, after which—the next time that device is “reset”—it will go through the Windows Autopilot OOBE experience.|
 |What may be a reason why I did not receive a customized sign-in screen during Autopilot?                                          |Tenant branding must be configured in portal.azure.com to receive a customized sign-in experience.|
 |What happens if a device is registered with Azure AD but does not have an Windows Autopilot profile assigned?                                |The regular AAD OOBE will occur since no Windows Autopilot profile was assigned to the device.|
 |How can I collect logs on Autopilot?|The best way to collect logs on Windows Autopilot performance is to collect a Windows Performance Recorder (WPR) trace during OOBE. The XML file (WPRP extension) for this trace may be provided upon request.|
@@ -132,7 +132,7 @@ A [glossary](#glossary) of abbreviations used in this topic is provided at the e
 |------------------|-----------------|
 |If I wipe the machine and restart, will I still receive Windows Autopilot?|Yes, if the device is still registered for Windows Autopilot and is running Windows 10, version 1703 7B and above releases, it will receive the Windows Autopilot experience.|
 |Can I harvest the device fingerprint on existing machines?|Yes, if the device is running Windows 10, version 1703 and above, you can harvest device fingerprints for registration. There are no plans to backport the functionality to previous releases and no way to harvest them on pre-Windows 10 Windows 10, version 1703 devices that have not been updated to Windows 10, version 1703.|
-|What is Windows 10, version 1703 7B and why does it matter?| Windows 10, version 1703 7B is a Windows 10, version 1703 image bundled with cumulative updates. To receive Autopilot, clients **must** run Windows 10, version 1703 7B or later. These cumulative updates contain a critical fix for Autopilot. Consider the following:

Windows Autopilot will not apply its profiles to the machine unless AAD credentials match the expected AAD tenant. For the Windows 10, version 1703 release, it was assumed that would be determined by the domain name, so the domain name used to register (for example contoso.com) should match the domain name used to sign in (for example user@contoso.com). But what happens if your tenant has multiple domains (for example us.contoso.com, or fr.contoso.com)? Since these domain names do not match, the device will not be configured for Autopilot. However, both domains are part of the same AAD tenant, and as such it was determined the matching scheme was not useful. This was improved upon by making use of the tenant ID. By using the tenant ID, we can determine that if the user signs into a domain with a tenant matching the one they registered with, we can safely consider this to be a match. The fix for this problem already exists in Windows 10, version 1709 and was backported into the Windows 10, version 1703 7B release.  

**Key Take-Aways**:  When using pre-Windows 10, version 1703 7B clients the user’s domain **must** match the domain they registered with. This functionality is found in Windows 10 version 1709 clients using build >= 16215, and Windows 10, version 1703 clients >= 7B. |
+|What is Windows 10, version 1703 7B and why does it matter?| Windows 10, version 1703 7B is a Windows 10, version 1703 image bundled with cumulative updates. To receive Autopilot, clients **must** run Windows 10, version 1703 7B or later. These cumulative updates contain a critical fix for Autopilot. Consider the following:

Windows Autopilot will not apply its profiles to the machine unless AAD credentials match the expected AAD tenant. For the Windows 10, version 1703 release, it was assumed that would be determined by the domain name, so the domain name used to register (for example contoso.com) should match the domain name used to sign in (for example user@contoso.com). But what happens if your tenant has multiple domains (for example us.contoso.com, or fr.contoso.com)? Since these domain names do not match, the device will not be configured for Autopilot. However, both domains are part of the same AAD tenant, and as such it was determined the matching scheme was not useful. This was improved upon by making use of the tenant ID. By using the tenant ID, we can determine that if the user signs into a domain with a tenant matching the one they registered with, we can safely consider this to be a match. The fix for this problem already exists in Windows 10, version 1709 and was backported into the Windows 10, version 1703 7B release.  

**Key takeaways**:  When using pre-Windows 10, version 1703 7B clients the user’s domain **must** match the domain they registered with. This functionality is found in Windows 10 version 1709 clients using build >= 16215, and Windows 10, version 1703 clients >= 7B. |
 |What is the impact of not updating to 7B?|See the detailed scenario described directly above.|
 |Is Windows Autopilot supported on other SKUs, e.g. Surface Hub, HoloLens, Windows Mobile.|No, Windows Autopilot isn’t supported on other SKUs.|
 |Does Windows Autopilot work after MBR or image re-installation?|Yes.|
diff --git a/windows/deployment/windows-autopilot/autopilot-update.md b/windows/deployment/windows-autopilot/autopilot-update.md
new file mode 100644
index 0000000000..9a5f1765eb
--- /dev/null
+++ b/windows/deployment/windows-autopilot/autopilot-update.md
@@ -0,0 +1,48 @@
+---
+title: Windows Autopilot update
+ms.reviewer: 
+manager: laurawi
+description: Windows Autopilot update 
+keywords: Autopilot, update, Windows 10
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+ms.localizationpriority: medium
+audience: itpro
+author: greg-lindsay
+ms.author: greglin
+ms.collection: M365-modern-desktop
+ms.topic: article
+---
+
+
+# Windows Autopilot update
+
+**Applies to**
+
+-   Windows 10, version 1903
+
+Windows Autopilot update enables you to get the latest Autopilot features and critical issue fixes without the need to move to latest Windows OS version. With Autopilot update, organizations can keep their current OS version and still benefit from new Autopilot features and bug fixes.
+ 
+During the Autopilot deployment process, Windows Autopilot update has been added as a new node after the critical [Windows Zero Day Patch (ZDP) update](https://docs.microsoft.com/windows-hardware/customize/desktop/windows-updates-during-oobe) check. During the update process, Windows Autopilot devices reach out to Windows Update to check for a new Autopilot update.  If there is an Autopilot update available, the device will download and install the update, then restart automatically. See the following example.
+
+   ![Autopilot update 1](images/update1.png)

+   ![Autopilot update 2](images/update2.png)

+   ![Autopilot update 3](images/update3.png)
+
+The following diagram illustrates a typical Windows Autopilot deployment orchestration during the Out of Box Experience (OOBE) with the new Windows Autopilot update node.
+
+   ![Autopilot update flow](images/update-flow.png)
+
+## Release cadence
+
+- When an Autopilot update is available, it is typically released on the 4th Tuesday of the month. The update could be released on a different week if there is an exception.
+- A knowledge base (KB) article will also be published to document the changes that are included in the update.
+
+See [Autopilot update history](windows-autopilot-whats-new.md#windows-autopilot-update-history).
+
+## See also
+
+[Windows Update during OOBE](https://docs.microsoft.com/windows-hardware/customize/desktop/windows-updates-during-oobe)

+[What's new in Windows Autopilot](windows-autopilot-whats-new.md)

\ No newline at end of file
diff --git a/windows/deployment/windows-autopilot/dfci-management.md b/windows/deployment/windows-autopilot/dfci-management.md
new file mode 100644
index 0000000000..550420a264
--- /dev/null
+++ b/windows/deployment/windows-autopilot/dfci-management.md
@@ -0,0 +1,70 @@
+---
+title: DFCI Management
+ms.reviewer: 
+manager: laurawi
+description: With Windows Autopilot Deployment and Intune, you can manage UEFI (BIOS) settings after they're enrolled by using the Device Firmware Configuration Interface (DFCI) 
+keywords: Autopilot, DFCI, UEFI, Windows 10
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+ms.localizationpriority: medium
+audience: itpro
+author: greg-lindsay
+ms.author: greglin
+ms.collection: M365-modern-desktop
+ms.topic: article
+---
+
+
+# DFCI Management
+
+**Applies to**
+
+-   Windows 10
+
+With Windows Autopilot Deployment and Intune, you can manage Unified Extensible Firmware Interface (UEFI) settings after they're enrolled by using the Device Firmware Configuration Interface (DFCI).  DFCI [enables Windows to pass management commands](https://docs.microsoft.com/windows/client-management/mdm/uefi-csp) from Intune to UEFI to Autopilot deployed devices. This allows you to limit end user's control over BIOS settings. For example, you can lock down the boot options to prevent users from booting up another OS, such as one that doesn't have the same security features.
+
+If a user reinstalls a previous Windows version, install a separate OS, or format the hard drive, they can't override DFCI management. This feature can also prevent malware from communicating with OS processes, including elevated OS processes. DFCI’s trust chain uses public key cryptography, and doesn't depend on local UEFI password security. This layer of security blocks local users from accessing managed settings from the device’s UEFI menus.
+
+For an overview of DFCI benefits, scenarios, and prerequisites, see [Device Firmware Configuration Interface (DFCI) Introduction](https://microsoft.github.io/mu/dyn/mu_plus/DfciPkg/Docs/Dfci_Feature/).
+
+## DFCI management lifecycle
+
+The DFCI management lifecycle can be viewed as UEFI integration, device registration, profile creation, enrollment, management, retirement, and recovery. See the following figure.
+
+   ![Lifecycle](images/dfci.png)
+
+## Requirements
+
+- Windows 10, version 1809 or later and a supported UEFI is required.
+- The device manufacturer must have DFCI added to their UEFI firmware in the manufacturing process, or as a firmware update that you install. Work with your device vendors to determine the [manufacturers that support DFCI](#oems-that-support-dfci), or the firmware version needed to use DFCI.
+- The device must be managed with Microsoft Intune. For more information, see [Enroll Windows devices in Intune using Windows Autopilot](https://docs.microsoft.com/intune/enrollment/enrollment-autopilot).
+- The device must be registered for Windows Autopilot by a [Microsoft Cloud Solution Provider (CSP) partner](https://partner.microsoft.com/membership/cloud-solution-provider), or registered directly by the OEM. 
+
+>[!IMPORTANT]
+>Devices manually registered for Autopilot (such as by [importing from a csv file](https://docs.microsoft.com/intune/enrollment/enrollment-autopilot#add-devices)) are not allowed to use DFCI. By design, DFCI management requires external attestation of the device’s commercial acquisition through an OEM or a Microsoft CSP partner registration to Windows Autopilot. When your device is registered, its serial number is displayed in the list of Windows Autopilot devices.
+
+## Managing DFCI profile with Windows Autopilot
+
+There are four basic steps in managing DFCI profile with Windows Autopilot:
+
+1. Create an Autopilot Profile
+2. Create an Enrollment status page profile
+3. Create a DFCI profile
+4. Assign the profiles
+
+See [Create the profiles](https://docs.microsoft.com/intune/configuration/device-firmware-configuration-interface-windows#create-the-profiles) and [Assign the profiles, and reboot](https://docs.microsoft.com/intune/configuration/device-firmware-configuration-interface-windows#assign-the-profiles-and-reboot) for details.
+
+You can also [change existing DFCI settings](https://docs.microsoft.com/intune/configuration/device-firmware-configuration-interface-windows#update-existing-dfci-settings) on devices that are in use. In your existing DFCI profile, change the settings and save your changes. Since the profile is already assigned, the new DFCI settings take effect when next time the device syncs or the device reboots.
+
+## OEMs that support DFCI
+
+- [Microsoft Surface](https://docs.microsoft.com/surface/surface-manage-dfci-guide)
+
+Additional OEMs are pending.
+
+## See also
+
+[Microsoft DFCI Scenarios](https://microsoft.github.io/mu/dyn/mu_plus/DfciPkg/Docs/Scenarios/DfciScenarios/)

+[Windows Autopilot and Surface devices](https://docs.microsoft.com/surface/windows-autopilot-and-surface-devices)

\ No newline at end of file
diff --git a/windows/deployment/windows-autopilot/images/dfci.png b/windows/deployment/windows-autopilot/images/dfci.png
new file mode 100644
index 0000000000..6c68ed8b80
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/dfci.png differ
diff --git a/windows/deployment/windows-autopilot/images/update-flow.png b/windows/deployment/windows-autopilot/images/update-flow.png
new file mode 100644
index 0000000000..c90f54e96c
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/update-flow.png differ
diff --git a/windows/deployment/windows-autopilot/images/update1.png b/windows/deployment/windows-autopilot/images/update1.png
new file mode 100644
index 0000000000..83d98a29b5
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/update1.png differ
diff --git a/windows/deployment/windows-autopilot/images/update2.png b/windows/deployment/windows-autopilot/images/update2.png
new file mode 100644
index 0000000000..04dbcaddc1
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/update2.png differ
diff --git a/windows/deployment/windows-autopilot/images/update3.png b/windows/deployment/windows-autopilot/images/update3.png
new file mode 100644
index 0000000000..851adb58ec
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/update3.png differ
diff --git a/windows/deployment/windows-autopilot/index.md b/windows/deployment/windows-autopilot/index.md
index efeffc2e04..ae223e3032 100644
--- a/windows/deployment/windows-autopilot/index.md
+++ b/windows/deployment/windows-autopilot/index.md
@@ -30,14 +30,14 @@ This guide is intended for use by an IT-specialist, system architect, or busines
 ## In this guide
 
 
-
What's new Windows Autopilot is always being updated with new features! Check this topic to read about the latests capabilities.
+
What's new Windows Autopilot is always being updated with new features! Check this topic to read about the latest capabilities.
 

 
 ### Understanding Windows Autopilot
 
 

 
Overview of Windows AutopilotA review of Windows Autopilot is provided with a video walkthrough. Benefits and general requirements are discussed.
-
RequirementsDetailed software, network, licensiing, and configuration requirments are provided.
+
RequirementsDetailed software, network, licensing, and configuration requirements are provided.
 
Scenarios and CapabilitiesA summary of Windows Autopilot deployment scenarios and capabilities.
 
Get startedInterested in trying out Autopilot? See this step-by-step walkthrough to test Windows Autopilot on a virtual machine or physical device with a free 30-day trial premium Intune account.
 

@@ -56,10 +56,11 @@ This guide is intended for use by an IT-specialist, system architect, or busines
 
 

 
Registering devicesThe process of registering a device with the Windows Autopilot deployment service is described.
-
Configuring device profilesThe device profile settings that specifie its behavior when it is deployed are described.
+
Configuring device profilesThe device profile settings that specific its behavior when it is deployed are described.
 
Enrollment status pageSettings that are available on the Enrollment Status Page are described.
 
BitLocker encryption Available options for configuring BitLocker on Windows Autopilot devices are described.
-
Troubleshooting Windows AutopilotDiagnotic event information and troubleshooting procedures are provided.
+
DFCI management Manage UEFI settings using the Device Firmware Configuration Interface (DFCI) with Windows Autopilot and Intune.
+
Troubleshooting Windows AutopilotDiagnostic event information and troubleshooting procedures are provided.
 
Known issuesA list of current known issues and solutions is provided.
 

 
diff --git a/windows/deployment/windows-autopilot/known-issues.md b/windows/deployment/windows-autopilot/known-issues.md
index c1f9331822..db8c0256dd 100644
--- a/windows/deployment/windows-autopilot/known-issues.md
+++ b/windows/deployment/windows-autopilot/known-issues.md
@@ -25,12 +25,20 @@ ms.topic: article
 
 
+
+
 
+  
 

 
IssueMore information
+
+
Windows Autopilot device provisioning can fail with TPM attestation errors or ESP timeouts on devices where the real-time clock is off by a significant amount of time (e.g. several minutes or more).To fix this issue: 
  1. Boot the device to the start of the out-of-box experience (OOBE).
+
  2. Establish a network connection (wired or wireless).
+
  3. Run the command w32tm /resync /force to sync the time with the default time server (time.windows.com).

+
Windows Autopilot for existing devices does not work for Windows 10, version 1903; you see screens that you've disabled in your Windows Autopilot profile, such as the Windows 10 License Agreement screen.
 
 

 This happens because Windows 10, version 1903 deletes the AutopilotConfigurationFile.json file.
 		To fix this issue: 
  1. Edit the Configuration Manager task sequence and disable the Prepare Windows for Capture step.
 
  2. Add a new Run command line step that runs c:\windows\system32\sysprep\sysprep.exe /oobe /reboot.

-More information
+More information
TPM attestation fails on Windows 10 1903 due to missing AKI extension in EK certificate.  (An additional validation added in Windows 10 1903 to check that the TPM EK certs had the proper attributes according to the TCG specifications uncovered that a number of them don’t, so that validation will be removed).
 Download and install the KB4517211 update.
 
The following known issues are resolved by installing the August 30, 2019 KB4512941 update (OS Build 18362.329):
diff --git a/windows/deployment/windows-autopilot/white-glove.md b/windows/deployment/windows-autopilot/white-glove.md
index 7aacf56861..9fd9e87869 100644
--- a/windows/deployment/windows-autopilot/white-glove.md
+++ b/windows/deployment/windows-autopilot/white-glove.md
@@ -96,6 +96,9 @@ If the pre-provisioning process completes successfully:
  ![white-glove-result](images/white-glove-result.png)
 - Click **Reseal** to shut the device down.  At that point, the device can be shipped to the end user.
 
+>[!NOTE]
+>Technician Flow inherits behavior from [Self-Deploying Mode](self-deploying.md). Per the Self-Deploying Mode documentation, it leverages the Enrollment Status Page to hold the device in a provisioning state and prevent the user from proceeding to the desktop after enrollment but before software and configuration is done applying. As such, if Enrollment Status Page is disabled, the reseal button may appear before software and configuration is done applying letting you proceed to the user flow before technician flow provisioning is complete. The green screen validates that enrollment was successful, not that the technician flow is necessarily complete.
+
 If the pre-provisioning process fails:
 - A red status screen will be displayed with information about the device, including the same details presented previously (e.g. Autopilot profile, organization name, assigned user, QR code), as well as the elapsed time for the pre-provisioning steps.
 - Diagnostic logs can be gathered from the device, and then it can be reset to start the process over again.
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md
index 80be0dc299..e11c96bd77 100644
--- a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md
@@ -82,6 +82,7 @@ If the Microsoft Store is not accessible, the AutoPilot process will still conti
   
Intel- https://ekop.intel.com/ekcertservice 
   
Qualcomm- https://ekcert.spserv.microsoft.com/EKCertificate/GetEKCertificate/v1
   
AMD- https://ftpm.amd.com/pki/aia
+  
Infineon- https://pki.infineon.com
 

 
 ## Licensing requirements
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-reset.md b/windows/deployment/windows-autopilot/windows-autopilot-reset.md
index d0424dce3f..4aab58218f 100644
--- a/windows/deployment/windows-autopilot/windows-autopilot-reset.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot-reset.md
@@ -9,7 +9,8 @@ ms.mktglfcycl: deploy
 ms.localizationpriority: medium
 ms.sitesec: library
 ms.pagetype: deploy
-audience: itpro
author: greg-lindsay
+audience: itpro
+author: greg-lindsay
 ms.author: greglin
 ms.collection: M365-modern-desktop
 ms.topic: article
@@ -31,7 +32,9 @@ The Windows Autopilot Reset process automatically retains information from the e
 -   Azure Active Directory device membership and MDM enrollment information.
 
 Windows Autopilot Reset will block the user from accessing the desktop until this information is restored, including re-applying any provisioning packages.  For devices enrolled in an MDM service, Windows Autopilot Reset will also block until an MDM sync is completed.  
-
+When Autopilot reset is used on a device, the device's primary user will be removed. The next user who signs in after the reset will be set as the primary user.
+ 
+ 
 >[!NOTE]
 >The Autopilot Reset does not support Hybrid Azure AD joined devices.
 
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md b/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md
index 5ee0171987..e76aa507b3 100644
--- a/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md
@@ -1,67 +1,70 @@
----
-title: Windows Autopilot scenarios and capabilities
-description: Windows Autopilot deployment
-keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
-ms.reviewer: mniehaus
-manager: laurawi
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro
author: greg-lindsay
-ms.author: greglin
-ms.collection: M365-modern-desktop
-ms.topic: article
----
-
-
-# Windows Autopilot scenarios and capabilities
-
-**Applies to: Windows 10**
-
-## Scenarios
-
-Windows Autopilot includes support for a growing list of scenarios, designed to support common organization needs which can vary based on the type of organization and their progress moving to Windows 10 and [transitioning to modern management](https://docs.microsoft.com/windows/client-management/manage-windows-10-in-your-organization-modern-management).
-
-The following Windows Autopilot scenarios are described in this guide:
-
-| Scenario | More information |
-| --- | --- |
-| Deploy devices that will be set up by a member of the organization and configured for that person | [Windows Autopilot user-driven mode](user-driven.md) |
-| Deploy devices that will be automatically configured for shared use, as a kiosk, or as a digital signage device.| [Windows Autopilot self-deploying mode](self-deploying.md) |
-| Re-deploy a device in a business-ready state.| [Windows Autopilot Reset](windows-autopilot-reset.md) |
-| Pre-provision a device with up-to-date applications, policies and settings.| [White glove](white-glove.md) |
-| Deploy Windows 10 on an existing Windows 7 or 8.1 device | [Windows Autopilot for existing devices](existing-devices.md) |
-
-## Windows Autopilot capabilities
-
-### Windows Autopilot is self-updating during OOBE
-
-Starting with the Windows 10, version 1903, Autopilot functional and critical updates will begin downloading automatically during OOBE after a device gets connected to a network and the [critical driver and Windows zero-day patch (ZDP) updates](https://docs.microsoft.com/windows-hardware/customize/desktop/windows-updates-during-oobe) have completed. The user or IT admin cannot opt-out of these Autopilot updates; they are required for Windows Autopilot deployment to operate properly.  Windows will alert the user that the device is checking for, downloading and installing the updates.
-
-### Cortana voiceover and speech recognition during OOBE
-
-In Windows 10, version 1903 and later Cortana voiceover and speech recognition during OOBE is DISABLED by default for all Windows 10 Pro, Education and Enterprise SKUs.
-
-If desired, you can enable Cortana voiceover and speech recognition during OOBE by creating the following registry key. This key does not exist by default.
-
-HKLM\Software\Microsoft\Windows\CurrentVersion\OOBE\EnableVoiceForAllEditions
-
-The key value is a DWORD with  **0** = disabled and **1** = enabled.
-
-| Value | Description |
-| --- | --- |
-| 0 | Cortana voiceover is disabled |
-| 1 | Cortana voiceover is enabled |
-| No value | Device will fall back to default behavior of the edition |
-
-To change this key value, use WCD tool to create as PPKG as documented [here](https://docs.microsoft.com/windows/configuration/wcd/wcd-oobe#nforce).
-
-### Bitlocker encryption
-
-With Windows Autopilot, you can configure the BitLocker encryption settings to be applied before automatic encryption is started. For more information, see [Setting the BitLocker encryption algorithm for Autopilot devices](bitlocker.md)
-
-## Related topics
-
-[Windows Autopilot: What's new](windows-autopilot-whats-new.md)
+---
+title: Windows Autopilot scenarios and capabilities
+description: Windows Autopilot deployment
+keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
+ms.reviewer: mniehaus
+manager: laurawi
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+ms.pagetype: deploy
+audience: itpro
+author: greg-lindsay
+ms.author: greglin
+ms.collection: M365-modern-desktop
+ms.topic: article
+---
+
+
+# Windows Autopilot scenarios and capabilities
+
+**Applies to: Windows 10**
+
+## Scenarios
+
+Windows Autopilot includes support for a growing list of scenarios, designed to support common organization needs which can vary based on the type of organization and their progress moving to Windows 10 and [transitioning to modern management](https://docs.microsoft.com/windows/client-management/manage-windows-10-in-your-organization-modern-management).
+
+The following Windows Autopilot scenarios are described in this guide:
+
+| Scenario | More information |
+| --- | --- |
+| Deploy devices that will be set up by a member of the organization and configured for that person | [Windows Autopilot user-driven mode](user-driven.md) |
+| Deploy devices that will be automatically configured for shared use, as a kiosk, or as a digital signage device.| [Windows Autopilot self-deploying mode](self-deploying.md) |
+| Re-deploy a device in a business-ready state.| [Windows Autopilot Reset](windows-autopilot-reset.md) |
+| Pre-provision a device with up-to-date applications, policies and settings.| [White glove](white-glove.md) |
+| Deploy Windows 10 on an existing Windows 7 or 8.1 device | [Windows Autopilot for existing devices](existing-devices.md) |
+
+## Windows Autopilot capabilities
+
+### Windows Autopilot is self-updating during OOBE
+
+Starting with the Windows 10, version 1903, Autopilot functional and critical updates will begin downloading automatically during OOBE after a device gets connected to a network and the [critical driver and Windows zero-day patch (ZDP) updates](https://docs.microsoft.com/windows-hardware/customize/desktop/windows-updates-during-oobe) have completed. The user or IT admin cannot opt-out of these Autopilot updates; they are required for Windows Autopilot deployment to operate properly.  Windows will alert the user that the device is checking for, downloading and installing the updates.
+
+See [Windows Autopilot update](autopilot-update.md) for more information.
+
+### Cortana voiceover and speech recognition during OOBE
+
+In Windows 10, version 1903 and later Cortana voiceover and speech recognition during OOBE is DISABLED by default for all Windows 10 Pro, Education and Enterprise SKUs.
+
+If desired, you can enable Cortana voiceover and speech recognition during OOBE by creating the following registry key. This key does not exist by default.
+
+HKLM\Software\Microsoft\Windows\CurrentVersion\OOBE\EnableVoiceForAllEditions
+
+The key value is a DWORD with  **0** = disabled and **1** = enabled.
+
+| Value | Description |
+| --- | --- |
+| 0 | Cortana voiceover is disabled |
+| 1 | Cortana voiceover is enabled |
+| No value | Device will fall back to default behavior of the edition |
+
+To change this key value, use WCD tool to create as PPKG as documented [here](https://docs.microsoft.com/windows/configuration/wcd/wcd-oobe#nforce).
+
+### Bitlocker encryption
+
+With Windows Autopilot, you can configure the BitLocker encryption settings to be applied before automatic encryption is started. For more information, see [Setting the BitLocker encryption algorithm for Autopilot devices](bitlocker.md)
+
+## Related topics
+
+[Windows Autopilot: What's new](windows-autopilot-whats-new.md)
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-whats-new.md b/windows/deployment/windows-autopilot/windows-autopilot-whats-new.md
index 36ee6c06ad..7a40f71943 100644
--- a/windows/deployment/windows-autopilot/windows-autopilot-whats-new.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot-whats-new.md
@@ -1,51 +1,58 @@
----
-title: Windows Autopilot what's new
-ms.reviewer: 
-manager: laurawi
-description: Windows Autopilot deployment
-keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro
author: greg-lindsay
-ms.author: greglin
-ms.collection: M365-modern-desktop
-ms.topic: article
----
-
-
-# Windows Autopilot: What's new
-
-**Applies to**
-
--   Windows 10
-
-## New in Windows 10, version 1903
-
-[Windows Autopilot for white glove deployment](white-glove.md) is new in Windows 10, version 1903. See the following video:
-
-

-
-> [!VIDEO https://www.youtube.com/embed/nE5XSOBV0rI]
-
-Also new in this version of Windows:
-- The Intune enrollment status page (ESP) now tracks Intune Management Extensions.
-- [Cortana voiceover and speech recognition during OOBE](windows-autopilot-scenarios.md#cortana-voiceover-and-speech-recognition-during-oobe) is disabled by default for all Windows 10 Pro Education, and Enterprise SKUs.
-- [Windows Autopilot is self-updating during OOBE](windows-autopilot-scenarios.md#windows-autopilot-is-self-updating-during-oobe). Starting with the Windows 10, version 1903 Autopilot functional and critical updates will begin downloading automatically during OOBE.
-- Windows Autopilot will set the diagnostics data level to Full on Windows 10 version 1903 and later during OOBE. 
-
-## New in Windows 10, version 1809
-
-Windows Autopilot [self-deploying mode](self-deploying.md) enables a zero touch device provisioning experience. Simply power on the device, plug it into the Ethernet, and the device is fully configured by Windows Autopilot. This self-deploying capability removes the current need to have an end user interact by pressing the “Next” button during the deployment process. 
-
-You can utilize Windows Autopilot self-deploying mode to register the device to an AAD tenant, enroll in your organization’s MDM provider, and provision policies and applications, all with no user authentication or user interaction required. 
-
->[!NOTE]
->Window 10, version 1903 or later is required to use self-deploying mode due to issues with TPM device attestation in Windows 10, version 1809.
-
-## Related topics
-
-[What's new in Microsoft Intune](https://docs.microsoft.com/intune/whats-new)

-[What's new in Windows 10](https://docs.microsoft.com/windows/whats-new/)
+---
+title: Windows Autopilot what's new
+ms.reviewer: 
+manager: laurawi
+description: Windows Autopilot deployment
+keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+ms.pagetype: deploy
+audience: itpro
+author: greg-lindsay
+ms.author: greglin
+ms.collection: M365-modern-desktop
+ms.topic: article
+---
+
+
+# Windows Autopilot: What's new
+
+**Applies to**
+
+-   Windows 10
+
+## Windows Autopilot update history
+
+Check back here soon for a link to the latest update.
+
+See [Windows Autopilot update](autopilot-update.md) for more information.
+
+## New in Windows 10, version 1903
+
+[Windows Autopilot for white glove deployment](white-glove.md) is new in Windows 10, version 1903. See the following video:
+
+

+
+> [!VIDEO https://www.youtube.com/embed/nE5XSOBV0rI]
+
+Also new in this version of Windows:
+- The Intune enrollment status page (ESP) now tracks Intune Management Extensions.
+- [Cortana voiceover and speech recognition during OOBE](windows-autopilot-scenarios.md#cortana-voiceover-and-speech-recognition-during-oobe) is disabled by default for all Windows 10 Pro Education, and Enterprise SKUs.
+- [Windows Autopilot is self-updating during OOBE](windows-autopilot-scenarios.md#windows-autopilot-is-self-updating-during-oobe). Starting with the Windows 10, version 1903 Autopilot functional and critical updates will begin downloading automatically during OOBE.
+- Windows Autopilot will set the diagnostics data level to Full on Windows 10 version 1903 and later during OOBE. 
+
+## New in Windows 10, version 1809
+
+Windows Autopilot [self-deploying mode](self-deploying.md) enables a zero touch device provisioning experience. Simply power on the device, plug it into the Ethernet, and the device is fully configured by Windows Autopilot. This self-deploying capability removes the current need to have an end user interact by pressing the “Next” button during the deployment process. 
+
+You can utilize Windows Autopilot self-deploying mode to register the device to an AAD tenant, enroll in your organization’s MDM provider, and provision policies and applications, all with no user authentication or user interaction required. 
+
+>[!NOTE]
+>Window 10, version 1903 or later is required to use self-deploying mode due to issues with TPM device attestation in Windows 10, version 1809.
+
+## Related topics
+
+[What's new in Microsoft Intune](https://docs.microsoft.com/intune/whats-new)

+[What's new in Windows 10](https://docs.microsoft.com/windows/whats-new/)
diff --git a/windows/deployment/windows-deployment-scenarios-and-tools.md b/windows/deployment/windows-deployment-scenarios-and-tools.md
index 742ae20f20..72b8aaf445 100644
--- a/windows/deployment/windows-deployment-scenarios-and-tools.md
+++ b/windows/deployment/windows-deployment-scenarios-and-tools.md
@@ -1,5 +1,5 @@
 ---
-title: Windows 10 deployment tools (Windows 10)
+title: Windows 10 deployment scenarios and tools
 description: To successfully deploy the Windows 10 operating system and applications for your organization, it is essential that you know about the available tools to help with the process.
 ms.assetid: 0d6cee1f-14c4-4b69-b29a-43b0b327b877
 ms.reviewer: 
diff --git a/windows/hub/index.md b/windows/hub/index.md
index d9e3556000..97ce2a79a5 100644
--- a/windows/hub/index.md
+++ b/windows/hub/index.md
@@ -19,12 +19,12 @@ Find the latest how to and support content that IT pros need to evaluate, plan,
 
  
 
-## Check out [what's new in Windows 10, version 1903](/windows/whats-new/whats-new-windows-10-version-1903).
+## Check out [what's new in Windows 10, version 1909](/windows/whats-new/whats-new-windows-10-version-1909).
 

 
diff --git a/windows/privacy/Microsoft-DiagnosticDataViewer.md b/windows/privacy/Microsoft-DiagnosticDataViewer.md
index f1560f3a73..98e412e213 100644
--- a/windows/privacy/Microsoft-DiagnosticDataViewer.md
+++ b/windows/privacy/Microsoft-DiagnosticDataViewer.md
@@ -21,8 +21,7 @@ ms.reviewer:
 
 **Applies to**
 
--   Windows 10, version 1809
--   Windows 10, version 1803
+-   Windows 10, version 1803 and newer
 -   Windows Server, version 1803
 -   Windows Server 2019
 
diff --git a/windows/privacy/TOC.md b/windows/privacy/TOC.md
index 8e10f74a84..de11fa6d06 100644
--- a/windows/privacy/TOC.md
+++ b/windows/privacy/TOC.md
@@ -8,7 +8,7 @@
 ### [Diagnostic Data Viewer Overview](diagnostic-data-viewer-overview.md)
 ### [Diagnostic Data Viewer for PowerShell Overview](Microsoft-DiagnosticDataViewer.md)
 ## Basic level Windows diagnostic data events and fields
-### [Windows 10, version 1903 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md)
+### [Windows 10, version 1903 and Windows 10, version 1909 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md)
 ### [Windows 10, version 1809 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md)
 ### [Windows 10, version 1803 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md)
 ### [Windows 10, version 1709 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md)
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md
index f7e901603e..824be067b1 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md
@@ -1,6 +1,6 @@
 ---
 description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level.
-title: Windows 10, version 1903 basic diagnostic events and fields (Windows 10)
+title: Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields (Windows 10)
 keywords: privacy, telemetry
 ms.prod: w10
 ms.mktglfcycl: manage
@@ -13,15 +13,16 @@ manager: dansimp
 ms.collection: M365-security-compliance
 ms.topic: article
 audience: ITPro
-ms.date: 04/23/2019
+ms.date: 12/04/2019
 ---
 
 
-# Windows 10, version 1903 basic level Windows diagnostic events and fields
+# Windows 10, version 1903 and Windows 10, version 1909 basic level Windows diagnostic events and fields
 
  **Applies to**
 
 - Windows 10, version 1903
+- Windows 10, version 1909
 
 
 The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. When the level is set to Basic, it also includes the Security level information.
@@ -666,7 +667,7 @@ The following fields are available:
 - **HasUxBlockOverride**  Does the file have a block that is overridden by a tag in the SDB?
 - **MigApplication**  Does the file have a MigXML from the SDB associated with it that applies to the current upgrade mode?
 - **MigRemoval**  Does the file have a MigXML from the SDB that will cause the app to be removed on upgrade?
-- **NeedsDismissAction**  Will the file cause an action that can be dimissed?
+- **NeedsDismissAction**  Will the file cause an action that can be dismissed?
 - **NeedsInstallPostUpgradeData**  After upgrade, the file will have a post-upgrade notification to install a replacement for the app.
 - **NeedsNotifyPostUpgradeData**  Does the file have a notification that should be shown after upgrade?
 - **NeedsReinstallPostUpgradeData**  After upgrade, this file will have a post-upgrade notification to reinstall the app.
@@ -1469,7 +1470,7 @@ The following fields are available:
 - **RunAppraiser**  Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will not be received from this device.
 - **RunDate**  The date that the telemetry run was stated, expressed as a filetime.
 - **RunGeneralTel**  Indicates if the generaltel.dll component was run. Generaltel collects additional telemetry on an infrequent schedule and only from machines at telemetry levels higher than Basic.
-- **RunOnline**  Indicates if appraiser was able to connect to Windows Update and theefore is making decisions using up-to-date driver coverage information.
+- **RunOnline**  Indicates if appraiser was able to connect to Windows Update and therefore is making decisions using up-to-date driver coverage information.
 - **RunResult**  The hresult of the Appraiser telemetry run.
 - **ScheduledUploadDay**  The day scheduled for the upload.
 - **SendingUtc**  Indicates if the Appraiser client is sending events during the current telemetry run.
@@ -1678,7 +1679,7 @@ This event sends Windows Insider data from customers participating in improvemen
 The following fields are available:
 
 - **DeviceSampleRate**  The telemetry sample rate assigned to the device.
-- **DriverTargetRing**  Indicates if the device is participating in receiving pre-release drivers and firmware contrent.
+- **DriverTargetRing**  Indicates if the device is participating in receiving pre-release drivers and firmware content.
 - **EnablePreviewBuilds**  Used to enable Windows Insider builds on a device.
 - **FlightIds**  A list of the different Windows Insider builds on this device.
 - **FlightingBranchName**  The name of the Windows Insider branch currently used by the device.
@@ -1935,7 +1936,7 @@ This event sends data about the current user's default preferences for browser a
 The following fields are available:
 
 - **CalendarType**  The calendar identifiers that are used to specify different calendars.
-- **DefaultApp**  The current uer's default program selected for the following extension or protocol: .html, .htm, .jpg, .jpeg, .png, .mp3, .mp4, .mov, .pdf.
+- **DefaultApp**  The current user's default program selected for the following extension or protocol: .html, .htm, .jpg, .jpeg, .png, .mp3, .mp4, .mov, .pdf.
 - **DefaultBrowserProgId**  The ProgramId of the current user's default browser.
 - **LongDateFormat**  The long date format the user has selected.
 - **ShortDateFormat**  The short date format the user has selected.
@@ -5135,8 +5136,8 @@ The following fields are available:
 - **DeploymentProviderMode**  The mode of operation of the update deployment provider.
 - **DeviceModel**  Device model as defined in the system bios
 - **EventInstanceID**  A globally unique identifier for event instance
-- **EventScenario**  Indicates the purpose of the event - whether because scan started, succeded, failed, etc.
-- **EventType**  Possible values are "Child", "Bundle", "Relase" or "Driver".
+- **EventScenario**  Indicates the purpose of the event - whether because scan started, succeeded, failed, etc.
+- **EventType**  Possible values are "Child", "Bundle", "Release" or "Driver".
 - **FlightId**  The specific id of the flight the device is getting
 - **HandlerType**  Indicates the kind of content (app, driver, windows patch, etc.)
 - **RevisionNumber**  Identifies the revision number of this specific piece of content
@@ -5241,7 +5242,7 @@ The following fields are available:
 
 - **CallerApplicationName**  The name provided by the caller who initiated API calls into the software distribution client
 - **ClientVersion**  The version number of the software distribution client
-- **EventScenario**  Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed
+- **EventScenario**  Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was canceled, succeeded, or failed
 - **EventType**  Possible values are "Child", "Bundle", "Relase" or "Driver"
 - **ExtendedStatusCode**  Secondary error code for certain scenarios where StatusCode wasn't specific enough
 - **FileId**  A hash that uniquely identifies a file
@@ -5274,7 +5275,7 @@ The following fields are available:
 - **IsNetworkMetered**  Indicates whether Windows considered the current network to be ?metered"
 - **MOAppDownloadLimit**  Mobile operator cap on size of application downloads, if any
 - **MOUpdateDownloadLimit**  Mobile operator cap on size of operating system update downloads, if any
-- **PowerState**  Indicates the power state of the device at the time of heartbeart (DC, AC, Battery Saver, or Connected Standby)
+- **PowerState**  Indicates the power state of the device at the time of heartbeat (DC, AC, Battery Saver, or Connected Standby)
 - **RelatedCV**  The previous correlation vector that was used by the client, before swapping with a new one
 - **ResumeCount**  Number of times this active download has resumed from a suspended state
 - **RevisionNumber**  Identifies the revision number of this specific piece of content
@@ -5311,7 +5312,7 @@ The following fields are available:
 - **DriverPingBack**  Contains information about the previous driver and system state.
 - **DriverRecoveryIds**  The list of identifiers that could be used for uninstalling the drivers if a recovery is required.
 - **EventInstanceID**  A globally unique identifier for event instance.
-- **EventScenario**  Indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed.
+- **EventScenario**  Indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was canceled, succeeded, or failed.
 - **EventType**  Possible values are Child, Bundle, or Driver.
 - **ExtendedErrorCode**  The extended error code.
 - **ExtendedStatusCode**  Secondary error code for certain scenarios where StatusCode is not specific enough.
@@ -5436,7 +5437,7 @@ The following fields are available:
 - **DriverPingBack**  Contains information about the previous driver and system state.
 - **DriverRecoveryIds**  The list of identifiers that could be used for uninstalling the drivers when a recovery is required.
 - **EventInstanceID**  A globally unique identifier for event instance.
-- **EventScenario**  Indicates the purpose of the event (a scan started, succeded, failed, etc.).
+- **EventScenario**  Indicates the purpose of the event (a scan started, succeeded, failed, etc.).
 - **EventType**  Indicates the event type. Possible values are "Child", "Bundle", "Release" or "Driver".
 - **ExtendedStatusCode**  Secondary status code for certain scenarios where StatusCode is not specific enough.
 - **FeatureUpdatePause**  Indicates whether feature OS updates are paused on the device.
@@ -5488,7 +5489,7 @@ The following fields are available:
 
 - **CallerApplicationName**  Name of application making the Windows Update request. Used to identify context of request.
 - **EndpointUrl**  URL of the endpoint where client obtains update metadata. Used to identify test vs staging vs production environments.
-- **EventScenario**  Indicates the purpose of the event - whether because scan started, succeded, failed, etc.
+- **EventScenario**  Indicates the purpose of the event - whether because scan started, succeeded, failed, etc.
 - **ExtendedStatusCode**  Secondary status code for certain scenarios where StatusCode was not specific enough.
 - **LeafCertId**  The integral ID from the FragmentSigning data for the certificate that failed.
 - **ListOfSHA256OfIntermediateCerData**  A semicolon delimited list of base64 encoding of hashes for the Base64CerData in the FragmentSigning data of an intermediate certificate.
@@ -5515,7 +5516,7 @@ The following fields are available:
 
 ### Microsoft.Windows.SysReset.FlightUninstallCancel
 
-This event indicates the customer has cancelled uninstallation of Windows.
+This event indicates the customer has canceled uninstallation of Windows.
 
 
 
@@ -6019,7 +6020,7 @@ The following fields are available:
 - **Setup360Result**  The result of Setup360 (HRESULT used to diagnose errors).
 - **Setup360Scenario**  The Setup360 flow type (for example, Boot, Media, Update, MCT).
 - **SetupVersionBuildNumber**  The build number of Setup360 (build number of the target OS).
-- **State**  Exit state of given Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **State**  Exit state of given Setup360 run. Example: succeeded, failed, blocked, canceled.
 - **TestId**  An ID that uniquely identifies a group of events.
 - **WuId**  This is the Windows Update Client ID. In the Windows Update scenario, this is the same as the clientId.
 
@@ -6041,7 +6042,7 @@ The following fields are available:
 - **Setup360Result**  The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
 - **Setup360Scenario**  The Setup360 flow type. Example: Boot, Media, Update, MCT.
 - **SetupVersionBuildNumber**  The build number of Setup360 (build number of target OS).
-- **State**  The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **State**  The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled.
 - **TestId**  ID that uniquely identifies a group of events.
 - **WuId**  This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
 
@@ -6063,7 +6064,7 @@ The following fields are available:
 - **Setup360Result**  The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
 - **Setup360Scenario**  The Setup360 flow type. Example: Boot, Media, Update, MCT
 - **SetupVersionBuildNumber**  The build number of Setup360 (build number of target OS).
-- **State**  Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **State**  Exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled.
 - **TestId**  ID that uniquely identifies a group of events.
 - **WuId**  Windows Update client ID.
 
@@ -6085,7 +6086,7 @@ The following fields are available:
 - **Setup360Result**  The result of Setup360. This is an HRESULT error code that's used to diagnose errors.
 - **Setup360Scenario**  The Setup360 flow type. Example: Boot, Media, Update, MCT
 - **SetupVersionBuildNumber**  The build number of Setup360 (build number of target OS).
-- **State**  The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
+- **State**  The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled
 - **TestId**  A string to uniquely identify a group of events.
 - **WuId**  This is the Windows Update Client ID. With Windows Update, this is the same as ClientId.
 
@@ -6129,7 +6130,7 @@ The following fields are available:
 - **Setup360Result**  The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
 - **Setup360Scenario**  The Setup360 flow type. Example: Boot, Media, Update, MCT.
 - **SetupVersionBuildNumber**  The build number of Setup360 (build number of the target OS).
-- **State**  The exit state of the Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **State**  The exit state of the Setup360 run. Example: succeeded, failed, blocked, canceled.
 - **TestId**  ID that uniquely identifies a group of events.
 - **WuId**  Windows Update client ID.
 
@@ -6151,7 +6152,7 @@ The following fields are available:
 - **Setup360Result**  The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
 - **Setup360Scenario**  Setup360 flow type (Boot, Media, Update, MCT).
 - **SetupVersionBuildNumber**  The build number of Setup360 (build number of target OS).
-- **State**  The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **State**  The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled.
 - **TestId**  A string to uniquely identify a group of events.
 - **WuId**  This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
 
@@ -6173,7 +6174,7 @@ The following fields are available:
 - **Setup360Result**  The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
 - **Setup360Scenario**  The Setup360 flow type, Example: Boot, Media, Update, MCT.
 - **SetupVersionBuildNumber**  The build number of Setup360 (build number of target OS).
-- **State**  The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **State**  The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled.
 - **TestId**  A string to uniquely identify a group of events.
 - **WuId**  Windows Update client ID.
 
@@ -6288,7 +6289,7 @@ The following fields are available:
 - **Setup360Result**  The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
 - **Setup360Scenario**  The Setup360 flow type. Example: Boot, Media, Update, MCT.
 - **SetupVersionBuildNumber**  The build number of Setup360 (build number of target OS).
-- **State**  The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **State**  The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled.
 - **TestId**  A string to uniquely identify a group of events.
 - **WuId**  This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
 
@@ -6330,7 +6331,7 @@ The following fields are available:
 
 ### Microsoft.Windows.WERVertical.OSCrash
 
-This event sends binary data from the collected dump file wheneveer a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event.
+This event sends binary data from the collected dump file whenever a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event.
 
 The following fields are available:
 
@@ -6793,12 +6794,12 @@ The following fields are available:
 
 - **CatalogId**  The Store Catalog ID for the product being installed.
 - **ProductId**  The Store Product ID for the product being installed.
-- **SkuId**  Specfic edition of the app being updated.
+- **SkuId**  Specific edition of the app being updated.
 
 
 ### Microsoft.Windows.StoreAgent.Telemetry.StateTransition
 
-Products in the process of being fulfilled (installed or updated) are maintained in a list. This event is sent any time there is a change in a product's fulfillment status (pending, working, paused, cancelled, or complete), to help keep Windows up to date and secure.
+Products in the process of being fulfilled (installed or updated) are maintained in a list. This event is sent any time there is a change in a product's fulfillment status (pending, working, paused, canceled, or complete), to help keep Windows up to date and secure.
 
 The following fields are available:
 
@@ -7177,7 +7178,7 @@ The following fields are available:
 - **detectionBlockreason**  The reason detection did not complete.
 - **detectionRetryMode**  Indicates whether we will try to scan again.
 - **errorCode**  The error code returned for the current process.
-- **eventScenario**  End-to-end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed.
+- **eventScenario**  End-to-end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was canceled, succeeded, or failed.
 - **flightID**  The specific ID of the Windows Insider build the device is getting.
 - **interactive**  Indicates whether the session was user initiated.
 - **networkStatus**  Error info
@@ -7215,7 +7216,7 @@ This event indicates the reboot was postponed due to needing a display.
 The following fields are available:
 
 - **displayNeededReason**  Reason the display is needed.
-- **eventScenario**  Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed.
+- **eventScenario**  Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was canceled, succeeded, or failed.
 - **rebootOutsideOfActiveHours**  Indicates whether the reboot was to occur outside of active hours.
 - **revisionNumber**  Revision number of the update.
 - **updateId**  Update ID.
@@ -7310,7 +7311,7 @@ The following fields are available:
 
 - **batteryLevel**  Current battery capacity in mWh or percentage left.
 - **deferReason**  Reason for install not completing.
-- **errorCode**  The error code reppresented by a hexadecimal value.
+- **errorCode**  The error code represented by a hexadecimal value.
 - **eventScenario**  End-to-end update session ID.
 - **flightID**  The ID of the Windows Insider build the device is getting.
 - **flightUpdate**  Indicates whether the update is a Windows Insider build.
diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
index 709a681130..260868ca64 100644
--- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
+++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
@@ -142,13 +142,25 @@ The data transmitted at the Basic and Enhanced data diagnostic levels is quite s
 
 The Microsoft Data Management Service routes data back to our secure cloud storage. Only Microsoft personnel with a valid business justification are permitted access.
 
+Solutions like Desktop Analytics or Microsoft Defender Advanced Threat Protection need Windows devices to reach diagnostics endpoints which enable organizations to leverage solutions based on diagnostics data. These solutions leverage Windows components like the Connected User Experiences and Telemetry service, Windows Defender Advanced Threat Protection service, Windows Error Reporting, and Online Crash Analysis.
+
+For a complete list of diagnostics endpoints leveraged by Desktop Analytics, see [Enable data sharing for Desktop Analytics](https://docs.microsoft.com/configmgr/desktop-analytics/enable-data-sharing).
+For a complete list of diagnostics endpoints leveraged by Microsoft Defender Advanced Threat Protection, see [Enable access to Microsoft Defender ATP service URLs in the proxy server](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server).
+
 The following table defines the endpoints for Connected User Experiences and Telemetry component:
 
-Windows release | Endpoint
---- | ---
-Windows 10, versions 1703 or later, with the 2018-09 cumulative update installed| **Diagnostics data** - v10c.vortex-win.data.microsoft.com

**Functional** - v20.vortex-win.data.microsoft.com
**Microsoft Defender Advanced Threat Protection** is country specific and the prefix changes by country for example: **de**.vortex-win.data.microsoft.com
**Settings** - win.data.microsoft.com
-Windows 10, versions 1803 or later, without the 2018-09 cumulative update installed | **Diagnostics data** - v10.events.data.microsoft.com

**Functional** - v20.vortex-win.data.microsoft.com
**Microsoft Defender Advanced Threat Protection** is country specific and the prefix changes by country for example: **de**.vortex-win.data.microsoft.com
**Settings** - win.data.microsoft.com
-Windows 10, version 1709 or earlier | **Diagnostics data** - v10.vortex-win.data.microsoft.com

**Functional** - v20.vortex-win.data.microsoft.com
**Microsoft Defender Advanced Threat Protection** is country specific and the prefix changes by country for example: **de**.vortex-win.data.microsoft.com
**Settings** - win.data.microsoft.com
+| Windows release                                                                     | Endpoint                                                                            |
+| ----------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------- |
+| Windows 10, versions 1703 or later, with the 2018-09 cumulative update installed    | **Diagnostics data:** v10c.vortex-win.data.microsoft.com

**Functional:** v20.vortex-win.data.microsoft.com

**Microsoft Defender Advanced Threat Protection** is country specific and the prefix changes by country,
for example: **de**.vortex-win.data.microsoft.com

**Settings:** settings-win.data.microsoft.com |
+| Windows 10, versions 1803 or later, without the 2018-09 cumulative update installed | **Diagnostics data:** v10.events.data.microsoft.com

**Functional:** v20.vortex-win.data.microsoft.com

**Microsoft Defender Advanced Threat Protection** is country specific and the prefix changes by country,
for example: **de**.vortex-win.data.microsoft.com

**Settings:** settings-win.data.microsoft.com      |
+| Windows 10, version 1709 or earlier                                                 | **Diagnostics data:** v10.vortex-win.data.microsoft.com

**Functional:** v20.vortex-win.data.microsoft.com

**Microsoft Defender Advanced Threat Protection** is country specific and the prefix changes by country,
for example: **de**.vortex-win.data.microsoft.com

**Settings:** settings-win.data.microsoft.com  |
+
+The following table defines **additional diagnostics endpoints** not covered by services in the links above:
+
+| Service | Endpoint                                                                            |
+| ----------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------- |
+| Onedrive app for Windows 10    | https://vortex.data.microsoft.com/collect/v1 |
+
 
 The following table defines the endpoints for other diagnostic data services:
 
@@ -385,7 +397,7 @@ In Windows 10, version 1709, we introduced the **Limit Enhanced diagnostic data
 
 - **Some crash dump types.** Triage dumps for user mode and mini dumps for kernel mode.
 
->[!NOTE]
+> [!NOTE]
 > Triage dumps are a type of [minidumps](https://docs.microsoft.com/windows/desktop/debug/minidump-files) that go through a process of user-sensitive information scrubbing. Some user-sensitive information may be missed in the process, and will therefore be sent with the dump.
 
 With the retirement of Windows Analytics, this policy will continue to be supported by Desktop Analytics, but will not include Office related diagnostic data.
diff --git a/windows/privacy/diagnostic-data-viewer-overview.md b/windows/privacy/diagnostic-data-viewer-overview.md
index 819728ac85..64cfa25866 100644
--- a/windows/privacy/diagnostic-data-viewer-overview.md
+++ b/windows/privacy/diagnostic-data-viewer-overview.md
@@ -21,8 +21,7 @@ ms.reviewer:
 
 **Applies to**
 
--   Windows 10, version 1809
--   Windows 10, version 1803
+-   Windows 10, version 1803 and newer
 
 ## Introduction
 The Diagnostic Data Viewer is a Windows app that lets you review the Windows diagnostic data your device is sending to Microsoft, grouping the info into simple categories based on how it's used by Microsoft.
@@ -44,8 +43,8 @@ Before you can use this tool for viewing Windows diagnostic data, you must turn
 ### Download the Diagnostic Data Viewer
 Download the app from the [Microsoft Store Diagnostic Data Viewer](https://www.microsoft.com/store/p/diagnostic-data-viewer/9n8wtrrsq8f7?rtc=1) page.
 
-    >[!Important]
-    >It's possible that your Windows device doesn't have the Microsoft Store available (for example, Windows Server). If this is the case, see [Diagnostic Data Viewer for PowerShell](https://go.microsoft.com/fwlink/?linkid=2094264).
+> [!Important]
+> It's possible that your Windows device doesn't have the Microsoft Store available (for example, Windows Server). If this is the case, see [Diagnostic Data Viewer for PowerShell](https://go.microsoft.com/fwlink/?linkid=2094264).
 
 ### Start the Diagnostic Data Viewer
 You can start this app from the **Settings** panel.
@@ -118,17 +117,15 @@ When you're done reviewing your diagnostic data, you should turn of data viewing
 ## Modifying the size of your data history
 By default, Diagnostic Data Viewer shows you up to 1GB or 30 days of data (whichever comes first) for Windows diagnostic data. Once either the time or space limit is reached, the data is incrementally dropped with the oldest data points dropped first. 
 
-    >[!Important]
-    >Note that if you have [Office diagnostic data viewing enabled](#view-office-diagnostic-data), the Office data history is fixed at 1 GB and cannot be modified.
+> [!Important]
+> Note that if you have [Office diagnostic data viewing enabled](#view-office-diagnostic-data), the Office data history is fixed at 1 GB and cannot be modified.
 
 **Modify the size of your data history**
     
-    To make changes to the size of your Windows diagnostic data history, visit the **app settings**, located at the bottom of the navigation menu. Data will be incrementally dropped with the oldest data points first once your chosen size or time limit is reached.  
+To make changes to the size of your Windows diagnostic data history, visit the **app settings**, located at the bottom of the navigation menu. Data will be incrementally dropped with the oldest data points first once your chosen size or time limit is reached.  
 
-    >[!Important]
-    >Decreasing the maximum amount of diagnostic data viewable through the tool will remove all data history and requires a reboot of your device. Additionally, increasing the maximum amount of diagnostic data viewable by the tool may come with performance impacts to your machine.
-
-    ![Change the size of your data history through the app settings](images/ddv-change-db-size.png) 
+> [!Important]
+> Decreasing the maximum amount of diagnostic data viewable through the tool will remove all data history and requires a reboot of your device. Additionally, increasing the maximum amount of diagnostic data viewable by the tool may come with performance impacts to your machine.
 
 ## View additional diagnostic data in the View problem reports tool
 Available on Windows 1809 and higher, you can review additional Windows Error Reporting diagnostic data in the **View problem reports** page within the Diagnostic Data Viewer. 
diff --git a/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md b/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md
index c6e50f98f3..41c5fa5a8a 100644
--- a/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md
+++ b/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md
@@ -1,6 +1,6 @@
 ---
+title: Enhanced diagnostic data required by Windows Analytics (Windows 10)
 description: Use this article to learn more about the limit enhanced diagnostic data events policy used by Desktop Analytics
-title: Windows 10 diagnostic data events and fields collected through the limit enhanced diagnostic data policy (Windows 10)
 keywords: privacy, diagnostic data
 ms.prod: w10
 ms.mktglfcycl: manage
diff --git a/windows/privacy/gdpr-it-guidance.md b/windows/privacy/gdpr-it-guidance.md
index b268fb53f1..892203bace 100644
--- a/windows/privacy/gdpr-it-guidance.md
+++ b/windows/privacy/gdpr-it-guidance.md
@@ -19,13 +19,9 @@ ms.reviewer:
 # Windows and the GDPR: Information for IT Administrators and Decision Makers
 
 Applies to:
-- Windows 10, version 1809
-- Windows 10, version 1803
-- Windows 10, version 1709
-- Windows 10, version 1703
+- Windows 10, version 1703 and newer
 - Windows 10 Team Edition, version 1703 for Surface Hub
-- Windows Server 2019
-- Windows Server 2016
+- Windows Server 2016 and newer
 - Desktop Analytics
 
 This topic provides IT Decision Makers with a basic understanding of the relationship between users in an organization and Microsoft in the context of the GDPR (General Data Protection Regulation). You will also learn what role an IT organization plays for that relationship.
diff --git a/windows/privacy/gdpr-win10-whitepaper.md b/windows/privacy/gdpr-win10-whitepaper.md
index 259561932e..fb8707befe 100644
--- a/windows/privacy/gdpr-win10-whitepaper.md
+++ b/windows/privacy/gdpr-win10-whitepaper.md
@@ -1,6 +1,6 @@
 ---
-title: Beginning your General Data Protection Regulation (GDPR) journey for Windows 10 (Windows 10)
-description: Use this article to understand what GDPR is and about the products Microsoft provides to help you get started towards compliance.
+title: General Data Protection Regulation (GDPR) for Windows 10
+description: Use this article to understand what GDPR is and which products Microsoft provides to help you get started towards compliance.
 keywords: privacy, GDPR
 ms.prod: w10
 ms.mktglfcycl: manage
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
index b9a39fb4e3..291b0a7d56 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
@@ -67,7 +67,7 @@ For Windows 10, the following MDM policies are available in the [Policy CSP](htt
 
 1. **Internet Explorer** The following Microsoft Internet Explorer MDM policies are available in the [Internet Explorer CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-internetexplorer)
    1. MDM Policy: [InternetExplorer/AllowSuggestedSites](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-internetexplorer#internetexplorer-allowsuggestedsites). Recommends websites based on the user’s browsing activity. **Set to Disabled**
-   1. MDM Policy: [InternetExplorer/PreventManagingSmartScreenFilter]( https://docs.microsoft.com/windows/client-management/mdm/policy-csp-internetexplorer#internetexplorer-preventmanagingsmartscreenfilter). Prevents the user from managing SmartScreen Filter, which warns the user if the website being visited is known for fraudulent attempts to gather personal information through "phishing," or is known to host malware. **Set to String** with Value:
+   1. MDM Policy: [InternetExplorer/PreventManagingSmartScreenFilter]( https://docs.microsoft.com/windows/client-management/mdm/policy-csp-internetexplorer#internetexplorer-preventmanagingsmartscreenfilter). Prevents the user from managing Windows Defender SmartScreen, which warns the user if the website being visited is known for fraudulent attempts to gather personal information through "phishing," or is known to host malware. **Set to String** with Value:
       1. **\\**
    1. MDM Policy: [InternetExplorer/DisableFlipAheadFeature]( https://docs.microsoft.com/windows/client-management/mdm/policy-csp-internetexplorer#internetexplorer-disableflipaheadfeature). Determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website. **Set to Enabled**
    1. MDM Policy: [InternetExplorer/DisableHomePageChange]( https://docs.microsoft.com/windows/client-management/mdm/policy-csp-internetexplorer#internetexplorer-disablehomepagechange). Determines whether users can change the default Home Page or not. **Set to String** with Value:
@@ -90,7 +90,7 @@ For Windows 10, the following MDM policies are available in the [Policy CSP](htt
    1. MDM Policy: [Browser/AllowMicrosoftCompatbilityList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowmicrosoftcompatibilitylist). Specify the Microsoft compatibility list in Microsoft Edge. **Set to 0 (zero)**
    1. MDM Policy: [Browser/AllowPasswordManager](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowpasswordmanager). Choose whether employees can save passwords locally on their devices. **Set to 0 (zero)**
    1. MDM Policy: [Browser/AllowSearchSuggestionsinAddressBar](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsearchsuggestionsinaddressbar). Choose whether the Address Bar shows search suggestions. **Set to 0  (zero)**
-   1. MDM Policy: [Browser/AllowSmartScreen](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen). Choose whether SmartScreen is turned on or off.  **Set to 0  (zero)**
+   1. MDM Policy: [Browser/AllowSmartScreen](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen). Choose whether Windows Defender SmartScreen is turned on or off.  **Set to 0  (zero)**
 
 1. **Network Connection Status Indicator**
    1. [Connectivity/DisallowNetworkConnectivityActiveTests](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-connectivity#connectivity-disallownetworkconnectivityactivetests).  Note: After you apply this policy you must restart the device for the policy setting to take effect. **Set to 1 (one)**
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index 48a8bcd1ea..ef6d2bf3ee 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -417,7 +417,7 @@ To turn off Insider Preview builds for Windows 10:
 | Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | Choose whether an employee can configure enhanced suggestions, which are presented to the employee as they type in the Address Bar. 
 **Set Value to: Disabled**|
 | Turn off the auto-complete feature for web addresses | Choose whether auto-complete suggests possible matches when employees are typing web address in the Address Bar. 
 **Set Value to: Enabled** 
 You can also turn this off in the UI by clearing the Internet Options > **Advanced** > **Use inline AutoComplete in the Internet Explorer Address Bar and Open Dialog** check box.|
 | Turn off browser geolocation | Choose whether websites can request location data from Internet Explorer. 
 **Set Value to: Enabled**|
-| Prevent managing SmartScreen filter | Choose whether employees can manage the SmartScreen Filter in Internet Explorer. 
 **Set Value to: Enabled** and then set **Select SmartScreen filtering mode** to **Off**.|
+| Prevent managing Windows Defender SmartScreen | Choose whether employees can manage the Windows Defender SmartScreen in Internet Explorer. 
 **Set Value to: Enabled** and then set **Select Windows Defender SmartScreen mode** to **Off**.|
 
 
 | Registry Key                                         | Registry path                                                                                       |
@@ -426,7 +426,7 @@ To turn off Insider Preview builds for Windows 10:
 | Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer
REG_DWORD: AllowServicePoweredQSA 
**Set Value to: 0**|
 | Turn off the auto-complete feature for web addresses |HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\CurrentVersion\\Explorer\\AutoComplete
REG_SZ: AutoSuggest 
Set Value to: **no** |
 | Turn off browser geolocation | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Geolocation
REG_DWORD: PolicyDisableGeolocation 
**Set Value to: 1** |
-| Prevent managing SmartScreen filter | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\PhishingFilter
REG_DWORD: EnabledV9 
**Set Value to: 0** |
+| Prevent managing Windows Defender SmartScreen | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\PhishingFilter
REG_DWORD: EnabledV9 
**Set Value to: 0** |
 
 There are more Group Policy objects that are used by Internet Explorer:
 
@@ -577,7 +577,7 @@ Alternatively, you can configure the following Registry keys as described:
 | Configure Do Not Track   | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main
REG_DWORD name: DoNotTrack
 REG_DWORD: **1** |
 | Configure Password Manager | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main
REG_SZ name: FormSuggest Passwords
 REG_SZ: **No** |
 | Configure search suggestions in Address Bar | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\SearchScopes
REG_DWORD name: ShowSearchSuggestionsGlobal 
Value: **0**|
-| Configure Windows Defender SmartScreen Filter (Windows 10, version 1703) | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\PhishingFilter
REG_DWORD name: EnabledV9 
Value: **0** |
+| Configure Windows Defender SmartScreen (Windows 10, version 1703) | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\PhishingFilter
REG_DWORD name: EnabledV9 
Value: **0** |
 | Allow web content on New Tab page  | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\ServiceUI
REG_DWORD name: AllowWebContentOnNewTabPage 
Value: **0** |
 | Configure corporate Home pages | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Internet Settings
REG_SZ name: ProvisionedHomePages 
Value: **<>**|
 | Prevent the First Run webpage from opening on Microsoft Edge | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main 
REG_DWORD name: PreventFirstRunPage 
Value: **1**|
@@ -875,7 +875,7 @@ To turn off **Let apps use my advertising ID for experiences across apps (turnin
 
 - Create a REG_DWORD registry setting named **DisabledByGroupPolicy** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\AdvertisingInfo** with a value of 1 (one).
 
-To turn off **Turn on SmartScreen Filter to check web content (URLs) that Microsoft Store apps use**:
+To turn off **Turn on Windows Defender SmartScreen to check web content (URLs) that Microsoft Store apps use**:
 
 - Turn off the feature in the UI.
 
diff --git a/windows/privacy/manage-windows-1709-endpoints.md b/windows/privacy/manage-windows-1709-endpoints.md
index ae5da4bba4..28c2ac9038 100644
--- a/windows/privacy/manage-windows-1709-endpoints.md
+++ b/windows/privacy/manage-windows-1709-endpoints.md
@@ -1,5 +1,5 @@
 ---
-title: Connection endpoints for Windows 10, version 1709
+title: Connection endpoints for Windows 10 Enterprise, version 1709
 description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact.
 keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
 ms.prod: w10
@@ -15,11 +15,11 @@ ms.topic: article
 ms.date: 6/26/2018
 ms.reviewer: 
 ---
-# Manage connection endpoints for Windows 10, version 1709
+# Manage connection endpoints for Windows 10 Enterprise, version 1709
 
 **Applies to**
 
-- Windows 10, version 1709
+- Windows 10 Enterprise, version 1709
 
 Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include:
 
diff --git a/windows/privacy/manage-windows-1803-endpoints.md b/windows/privacy/manage-windows-1803-endpoints.md
index 2ad044d990..cb80bc42cd 100644
--- a/windows/privacy/manage-windows-1803-endpoints.md
+++ b/windows/privacy/manage-windows-1803-endpoints.md
@@ -15,11 +15,11 @@ ms.topic: article
 ms.date: 6/26/2018
 ms.reviewer: 
 ---
-# Manage connection endpoints for Windows 10, version 1803
+# Manage connection endpoints for Windows 10 Enterprise, version 1803
 
 **Applies to**
 
-- Windows 10, version 1803
+- Windows 10 Enterprise, version 1803
 
 Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include:
 
diff --git a/windows/privacy/manage-windows-1809-endpoints.md b/windows/privacy/manage-windows-1809-endpoints.md
index d096e3ff63..83bf617928 100644
--- a/windows/privacy/manage-windows-1809-endpoints.md
+++ b/windows/privacy/manage-windows-1809-endpoints.md
@@ -15,11 +15,11 @@ ms.topic: article
 ms.date: 6/26/2018
 ms.reviewer: 
 ---
-# Manage connection endpoints for Windows 10, version 1809
+# Manage connection endpoints for Windows 10 Enterprise, version 1809
 
 **Applies to**
 
-- Windows 10, version 1809
+- Windows 10 Enterprise, version 1809
 
 Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include:
 
@@ -413,7 +413,7 @@ If you [turn off traffic for these endpoints](manage-connections-from-windows-op
 |MpCmdRun.exe|HTTPS|go.microsoft.com |
 
 The following endpoints are used for Windows Defender Smartscreen reporting and notifications.
-If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender-smartscreen), Smartscreen notifications will no appear.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender-smartscreen), Windows Defender Smartscreen notifications will no appear.
 
 | Source process | Protocol | Destination |
 |----------------|----------|------------|
diff --git a/windows/privacy/manage-windows-1903-endpoints.md b/windows/privacy/manage-windows-1903-endpoints.md
index 01c084966d..2151461b3a 100644
--- a/windows/privacy/manage-windows-1903-endpoints.md
+++ b/windows/privacy/manage-windows-1903-endpoints.md
@@ -50,7 +50,9 @@ The following methodology was used to derive these network endpoints:
 
 |Area|Description|Protocol|Destination|
 |----------------|----------|----------|------------|
-|Apps|The following endpoints are used to download updates to the Weather app Live Tile. If you turn off traffic to this endpoint, no Live Tiles will be updated.|HTTP|blob.weather.microsoft.com|
+|Apps|||[Learn how to turn off traffic to the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)|
+||The following endpoints are used to download updates to the Weather app Live Tile. If you turn off traffic to this endpoint, no Live Tiles will be updated.|HTTP|blob.weather.microsoft.com|
+|||HTTP|tile-service.weather.microsoft.com
 |||HTTP|tile-service.weather.microsoft.com
 ||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|cdn.onenote.net/livetile/?Language=en-US
 ||The following endpoint is used for Twitter updates. To turn off traffic for these endpoints, either uninstall Twitter or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|*.twimg.com*|
@@ -65,8 +67,10 @@ The following methodology was used to derive these network endpoints:
 |Azure |The following endpoints are related to Azure. |HTTPS|wd-prod-*fe*.cloudapp.azure.com|
 |||HTTPS|ris-prod-atm.trafficmanager.net|
 |||HTTPS|validation-v2.sls.trafficmanager.net|
-|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible turn off traffic to this endpoint, but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.|HTTP|ctldl.windowsupdate.com|
-|Cortana and Search|The following endpoint is used to get images that are used for Microsoft Store suggestions. If you turn off traffic for this endpoint, you will block images that are used for Microsoft Store suggestions. |HTTPS|store-images.*microsoft.com|
+|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible turn off traffic to this endpoint, but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)|
+|||HTTP|ctldl.windowsupdate.com|
+|Cortana and Search|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)|
+||The following endpoint is used to get images that are used for Microsoft Store suggestions. If you turn off traffic for this endpoint, you will block images that are used for Microsoft Store suggestions.|HTTPS|store-images.*microsoft.com|
 ||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|HTTPS|www.bing.com/client|
 |||HTTPS|www.bing.com|
 |||HTTPS|www.bing.com/proactive|
@@ -76,10 +80,12 @@ The following methodology was used to derive these network endpoints:
 |||HTTP|fp-vp.azureedge.net|
 |||HTTP|odinvzc.azureedge.net|
 |||HTTP|spo-ring.msedge.net|
-|Device authentication|
+|Device authentication|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
 ||The following endpoint is used to authenticate a device. If you  turn off traffic for this endpoint, the device will not be authenticated.|HTTPS|login.live.com*|
+|Device metadata|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#4-device-metadata-retrieval)|
 ||The following endpoint is used to retrieve device metadata. If you  turn off traffic for this endpoint, metadata will not be updated for the device.|HTTP|dmd.metaservices.microsoft.com|
-|Diagnostic Data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.|HTTP|v10.events.data.microsoft.com|
+|Diagnostic Data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
+|||HTTP|v10.events.data.microsoft.com|
 |||HTTPS|v10.vortex-win.data.microsoft.com/collect/v1|
 |||HTTP|www.microsoft.com|
 ||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.|HTTPS|co4.telecommand.telemetry.microsoft.com|
@@ -87,16 +93,21 @@ The following methodology was used to derive these network endpoints:
 |||HTTPS|cs1137.wpc.gammacdn.net|
 |||TLS v1.2|modern.watson.data.microsoft.com*|
 |||HTTPS|watson.telemetry.microsoft.com|
-|Licensing|The following endpoint is used for online activation and some app licensing. To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.|HTTPS|*licensing.mp.microsoft.com*|
-|Location|The following endpoints are used for location data. If you turn off traffic for this endpoint, apps cannot use location data.|HTTPS|inference.location.live.net|
+|Licensing|The following endpoint is used for online activation and some app licensing. To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#9-license-manager)|
+|||HTTPS|*licensing.mp.microsoft.com*|
+|Location|The following endpoints are used for location data. If you turn off traffic for this endpoint, apps cannot use location data. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location)|
+|||HTTPS|inference.location.live.net|
 |||HTTP|location-inference-westus.cloudapp.net|
-|Maps|The following endpoints are used to check for updates to maps that have been downloaded for offline use. If you turn off traffic for this endpoint, offline maps will not be updated.|HTTPS|*g.akamaiedge.net|
+|Maps|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps)|
+||The following endpoints are used to check for updates to maps that have been downloaded for offline use. If you turn off traffic for this endpoint, offline maps will not be updated.|HTTPS|*g.akamaiedge.net|
 |||HTTP|*maps.windows.com*|
-|Microsoft Account|The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users cannot sign in with Microsoft accounts. |HTTP|login.msa.akadns6.net|
+|Microsoft Account|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account)|
+||The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users cannot sign in with Microsoft accounts. |HTTP|login.msa.akadns6.net|
 |||HTTP|us.configsvc1.live.com.akadns.net|
 |Microsoft Edge|This traffic is related to the Microsoft Edge browser.|HTTPS|iecvlist.microsoft.com|
 |Microsoft forward link redirection service (FWLink)|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.|HTTPS|go.microsoft.com|
-|Microsoft Store|The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. If you turn off traffic for this endpoint, push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.|HTTPS|*.wns.windows.com|
+|Microsoft Store|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
+||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. If you turn off traffic for this endpoint, push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.|HTTPS|*.wns.windows.com|
 ||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTP|storecatalogrevocation.storequality.microsoft.com|
 ||The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|img-prod-cms-rt-microsoft-com*|
 |||HTTPS|store-images.microsoft.com|
@@ -106,9 +117,10 @@ The following methodology was used to derive these network endpoints:
 |||HTTP|storeedgefd.dsx.mp.microsoft.com|
 |||HTTP|markets.books.microsoft.com|
 |||HTTP |share.microsoft.com|
-|Network Connection Status Indicator (NCSI)|
+|Network Connection Status Indicator (NCSI)|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi)|
 ||Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. If you turn off traffic for this endpoint, NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.|HTTP|www.msftconnecttest.com*|
-Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser. For more info, see Office 365 URLs and IP address ranges. You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.|HTTP|*.c-msedge.net|
+|Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser. For more info, see Office 365 URLs and IP address ranges. You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)|
+|||HTTP|*.c-msedge.net|
 |||HTTPS|*.e-msedge.net|
 |||HTTPS|*.s-msedge.net|
 |||HTTPS|nexusrules.officeapps.live.com|
@@ -120,29 +132,35 @@ Office|The following endpoints are used to connect to the Office 365 portal's sh
 |||HTTPS|onecollector.cloudapp.aria|
 |||HTTP|v10.events.data.microsoft.com/onecollector/1.0/|
 |||HTTPS|self.events.data.microsoft.com|
-||The following endpoint is used to connect the Office To-Do app to its cloud service. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store.|HTTPS|to-do.microsoft.com
-|OneDrive|The following endpoints are related to OneDrive. If you turn off traffic for these endpoints, anything that relies on g.live.com to get updated URL information will no longer work.|HTTP \ HTTPS|g.live.com/1rewlive5skydrive/*|
+||The following endpoint is used to connect the Office To-Do app to its cloud service. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store.|HTTPS|to-do.microsoft.com|
+|OneDrive|The following endpoints are related to OneDrive. If you turn off traffic for these endpoints, anything that relies on g.live.com to get updated URL information will no longer work.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive)|
+|||HTTP \ HTTPS|g.live.com/1rewlive5skydrive/*|
 |||HTTP|msagfx.live.com|
 |||HTTPS|oneclient.sfx.ms|
-|Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. If you turn off traffic for this endpoint, an app that uses this endpoint may stop working.|HTTPS|cy2.settings.data.microsoft.com.akadns.net|
+|Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. If you turn off traffic for this endpoint, an app that uses this endpoint may stop working.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
+|||HTTPS|cy2.settings.data.microsoft.com.akadns.net|
 |||HTTPS|settings.data.microsoft.com|
 |||HTTPS|settings-win.data.microsoft.com|
-|Skype|The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|browser.pipe.aria.microsoft.com|
+|Skype|The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)|
+|||HTTPS|browser.pipe.aria.microsoft.com|
 |||HTTP|config.edge.skype.com|
 |||HTTP|s2s.config.skype.com|
 |||HTTPS|skypeecs-prod-usw-0-b.cloudapp.net|
-|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device will not use Cloud-based Protection.|HTTPS|wdcp.microsoft.com|
+|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device will not use Cloud-based Protection.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender)|
+|||HTTPS|wdcp.microsoft.com|
 |||HTTPS|definitionupdates.microsoft.com|
 |||HTTPS|go.microsoft.com|
 ||The following endpoints are used for Windows Defender Smartscreen reporting and notifications. If you turn off traffic for these endpoints, Smartscreen notifications will not appear.|HTTPS|*smartscreen.microsoft.com|
 |||HTTPS|smartscreen-sn3p.smartscreen.microsoft.com|
 |||HTTPS|unitedstates.smartscreen-prod.microsoft.com|
-|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you turn off traffic for these endpoints, Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see Windows Spotlight.|TLS v1.2|*.search.msn.com|
+|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you turn off traffic for these endpoints, Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see Windows Spotlight.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight)|
+|||TLS v1.2|*.search.msn.com|
 |||HTTPS|arc.msn.com|
 |||HTTPS|g.msn.com*|
 |||HTTPS|query.prod.cms.rt.microsoft.com|
 |||HTTPS|ris.api.iris.microsoft.com|
-|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.|HTTPS|*.prod.do.dsp.mp.microsoft.com|
+|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates)|
+|||HTTPS|*.prod.do.dsp.mp.microsoft.com|
 |||HTTP|cs9.wac.phicdn.net|
 |||HTTP|emdl.ws.microsoft.com|
 ||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you turn off traffic for these endpoints, the device will not be able to download updates for the operating system.|HTTP|*.dl.delivery.mp.microsoft.com|
@@ -151,7 +169,6 @@ Office|The following endpoints are used to connect to the Office 365 portal's sh
 |||HTTPS|*.update.microsoft.com|
 ||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly.|HTTPS|tsfe.trafficshaping.dsp.mp.microsoft.com|
 
-
 ## Other Windows 10 editions
 
 To view endpoints for other versions of Windows 10 Enterprise, see:
diff --git a/windows/privacy/windows-10-and-privacy-compliance.md b/windows/privacy/windows-10-and-privacy-compliance.md
index 47ce5b00ee..50ebcf0f14 100644
--- a/windows/privacy/windows-10-and-privacy-compliance.md
+++ b/windows/privacy/windows-10-and-privacy-compliance.md
@@ -1,6 +1,6 @@
 ---
+title: Windows 10 & Privacy Compliance Guide
 description: This article provides information to help IT and compliance professionals understand the personal data policies as related to Windows 10.
-title: Windows 10 & Privacy Compliance - A Guide for IT and Compliance Professionals
 keywords: privacy, GDPR, compliance
 ms.prod: w10
 ms.mktglfcycl: manage
@@ -19,11 +19,9 @@ ms.date: 05/21/2019
 # Windows 10 & Privacy Compliance:
A Guide for IT and Compliance Professionals
 
 Applies to:
-- Windows 10, version 1903
-- Windows 10, version 1809
+- Windows 10, version 1809 and newer
 - Windows 10 Team Edition, version 1703 for Surface Hub
-- Windows Server 2019
-- Windows Server 2016
+- Windows Server 2016 and newer
 - Windows Analytics
 
 For more information about the GDPR, see:
diff --git a/windows/privacy/windows-diagnostic-data.md b/windows/privacy/windows-diagnostic-data.md
index a8f66dc068..85c77ad883 100644
--- a/windows/privacy/windows-diagnostic-data.md
+++ b/windows/privacy/windows-diagnostic-data.md
@@ -12,13 +12,14 @@ ms.author: dansimp
 manager: dansimp
 ms.collection: M365-security-compliance
 ms.topic: article
-ms.date: 04/15/2019
+ms.date: 12/04/2019
 ms.reviewer: 
 ---
 
 # Windows 10, version 1709 and newer diagnostic data for the Full level
 
 Applies to:
+- Windows 10, version 1909
 - Windows 10, version 1903
 - Windows 10, version 1809
 - Windows 10, version 1803
@@ -248,7 +249,7 @@ This type of data includes details about the health of the device, operating sys
 [Pseudonymized](#pseudo) Product and Service Performance data from Windows 10 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and related Microsoft product and services. For example:
 
 - Data about the reliability of content that appears in the [Windows Spotlight](https://docs.microsoft.com/windows/configuration/windows-spotlight) (rotating lock screen images) is used for Windows Spotlight reliability investigations.
-- Timing data about how quickly Cortana responds to voice commands is used to improve Cortana listening peformance.
+- Timing data about how quickly Cortana responds to voice commands is used to improve Cortana listening performance.
 - Timing data about how quickly the facial recognition feature starts up and finishes is used to improve facial recognition performance.
 - Data about when an Application Window fails to appear is used to investigate issues with Application Window reliability and performance.
 
diff --git a/windows/privacy/windows-personal-data-services-configuration.md b/windows/privacy/windows-personal-data-services-configuration.md
index 93c2b4da00..1366bdd1e6 100644
--- a/windows/privacy/windows-personal-data-services-configuration.md
+++ b/windows/privacy/windows-personal-data-services-configuration.md
@@ -19,7 +19,7 @@ ms.reviewer:
 # Windows 10 personal data services configuration
 
 Applies to:
-- Windows 10, version 1803
+- Windows 10, version 1803 and newer
 
 Microsoft assembled a list of Windows 10 services configuration settings that are useful for personal data privacy protection and related regulations, such as the General Data Protection Regulation (GDPR). There is one section with settings for service data that is managed at Microsoft and a section for local data that is managed by an IT organization.
 
diff --git a/windows/release-information/TOC.md b/windows/release-information/TOC.md
index 41ca5d90c0..f0457af621 100644
--- a/windows/release-information/TOC.md
+++ b/windows/release-information/TOC.md
@@ -1,5 +1,8 @@
 # [Windows 10 release information](index.md)
 # [Message center](windows-message-center.yml)
+# Version 1909
+## [Known issues and notifications](status-windows-10-1909.yml)
+## [Resolved issues](resolved-issues-windows-10-1909.yml)
 # Version 1903
 ## [Known issues and notifications](status-windows-10-1903.yml)
 ## [Resolved issues](resolved-issues-windows-10-1903.yml)
@@ -12,9 +15,6 @@
 # Version 1709
 ## [Known issues and notifications](status-windows-10-1709.yml)
 ## [Resolved issues](resolved-issues-windows-10-1709.yml)
-# Version 1703
-## [Known issues and notifications](status-windows-10-1703.yml)
-## [Resolved issues](resolved-issues-windows-10-1703.yml)
 # Version 1607 and Windows Server 2016
 ## [Known issues and notifications](status-windows-10-1607-and-windows-server-2016.yml)
 ## [Resolved issues](resolved-issues-windows-10-1607.yml)
diff --git a/windows/release-information/resolved-issues-windows-10-1507.yml b/windows/release-information/resolved-issues-windows-10-1507.yml
index 50c83837eb..d782b8d33e 100644
--- a/windows/release-information/resolved-issues-windows-10-1507.yml
+++ b/windows/release-information/resolved-issues-windows-10-1507.yml
@@ -36,7 +36,6 @@ sections:
       
-      

   

     
-       
+       
         Read what's new in Windows 10
       
What's New? 

     
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications made using VB6, macros using VBA, and VBScript may stop responding and you may receive an error.

See details >		OS Build 10240.18305

August 13, 2019
KB4512497		Resolved
KB4517276		August 17, 2019 
02:00 PM PT

       
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on certain Windows devices.

See details >		OS Build 10240.18244

June 11, 2019
KB4503291		Resolved External
August 09, 2019 
07:03 PM PT

       
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view, or create Custom Views in Event Viewer, you may see an error or the app may close.

See details >		OS Build 10240.18244

June 11, 2019
KB4503291		Resolved
KB4507458		July 09, 2019 
10:00 AM PT
Unable to access some gov.uk websites
gov.uk websites that don’t support “HSTS” may not be accessible

See details >		OS Build 10240.18215

May 14, 2019
KB4499154		Resolved
KB4505051		May 19, 2019 
02:00 PM PT

       

       "
 
@@ -74,12 +73,3 @@ sections:
       
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4507458.

Back to topOS Build 10240.18244

June 11, 2019
KB4503291Resolved
KB4507458Resolved:
July 09, 2019 
10:00 AM PT

Opened:
June 12, 2019 
11:11 AM PT
       
       "
-
-- title: May 2019
-- items:
-  - type: markdown
-    text: "
-      
-      
-      
DetailsOriginating updateStatusHistory
Unable to access some gov.uk websites
After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10, version 1507; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
Resolution: We have released an \"optional, out-of-band\" update for Windows 10 (KB4505051) to resolve this issue. If you are affected, we recommend you apply this update by installing KB4505051 from Windows Update and then restarting your device.

This update will not be applied automatically. To download and install this update, go to Settings > Update & Security > Windows Update and select Check for updates. To get the standalone package for KB4505051, search for it in the Microsoft Update Catalog.
 

Back to top		OS Build 10240.18215

May 14, 2019
KB4499154		Resolved
KB4505051		Resolved:
May 19, 2019 
02:00 PM PT

Opened:
May 16, 2019 
01:57 PM PT

-      "
diff --git a/windows/release-information/resolved-issues-windows-10-1607.yml b/windows/release-information/resolved-issues-windows-10-1607.yml
index f95b379a56..84bc5ffff2 100644
--- a/windows/release-information/resolved-issues-windows-10-1607.yml
+++ b/windows/release-information/resolved-issues-windows-10-1607.yml
@@ -47,10 +47,6 @@ sections:
       
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view, or create Custom Views in Event Viewer, you may see an error or the app may close.

See details >OS Build 14393.3025

June 11, 2019
KB4503267Resolved
KB4503294June 18, 2019 
02:00 PM PT
       
Opening Internet Explorer 11 may fail
Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.

See details >OS Build 14393.2999

May 23, 2019
KB4499177Resolved
KB4503267June 11, 2019 
10:00 AM PT
       
Issue using PXE to start a device from WDS
There may be issues using PXE to start a device from a WDS server configured to use Variable Window Extension.

See details >OS Build 14393.2848

March 12, 2019
KB4489882Resolved
KB4503267June 11, 2019 
10:00 AM PT
-      
Update not showing as applicable through WSUS or SCCM or when manually installed
Update not showing as applicable through WSUS or SCCM or when manually installed

See details >OS Build 14393.2969

May 14, 2019
KB4494440Resolved
KB4498947May 14, 2019 
10:00 AM PT
-      
Unable to access some gov.uk websites
gov.uk websites that don’t support “HSTS” may not be accessible

See details >OS Build 14393.2969

May 14, 2019
KB4494440Resolved
KB4505052May 19, 2019 
02:00 PM PT
-      
Layout and cell size of Excel sheets may change when using MS UI Gothic 
When using MS UI Gothic or MS PGothic in Excel, the text, layout, or cell size may become narrower or wider.

See details >OS Build 14393.2941

April 25, 2019
KB4493473Resolved
KB4494440May 14, 2019 
10:00 AM PT
-      
Zone transfers over TCP may fail
Zone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail.

See details >OS Build 14393.2941

April 25, 2019
KB4493473Resolved
KB4494440May 14, 2019 
10:00 AM PT
       
       "
 
@@ -112,18 +108,6 @@ sections:
     text: "
       
-      
-      
-      
-      
DetailsOriginating updateStatusHistory

       
Devices with Hyper-V enabled may receive BitLocker error 0xC0210000
Some devices with Hyper-V enabled may enter BitLocker recovery mode and receive an error, \"0xC0210000\" after installing KB4494440 and restarting.

Affected platforms:
  • Client: Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server 2016
Resolution: This issue was resolved in KB4507460.

Back to top		OS Build 14393.2969

May 14, 2019
KB4494440		Resolved
KB4507460		Resolved:
July 09, 2019 
10:00 AM PT

Opened:
May 21, 2019 
08:50 AM PT
Update not showing as applicable through WSUS or SCCM or when manually installed
KB4494440 or later updates may not show as applicable through WSUS or SCCM to the affected platforms.  When manually installing the standalone update from Microsoft Update Catalog, it may fail to install with the error, \"The update is not applicable to your computer.\"


Affected platforms:
  • Client: Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server 2016

Resolution: The servicing stack update (SSU) (KB4498947) must be installed before installing the latest cumulative update (LCU). The LCU will not be reported as applicable until the SSU is installed. For more information, see Servicing stack updates.

Back to top		OS Build 14393.2969

May 14, 2019
KB4494440		Resolved
KB4498947		Resolved:
May 14, 2019 
10:00 AM PT

Opened:
May 24, 2019 
04:20 PM PT
Unable to access some gov.uk websites
After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10, version 1507; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
Resolution: We have released an \"optional, out-of-band\" update for Windows 10 (KB4505052) to resolve this issue. If you are affected, we recommend you apply this update by installing KB4505052 from Windows Update and then restarting your device.

This update will not be applied automatically. To download and install this update, go to Settings > Update & Security > Windows Update and select Check for updates. To get the standalone package for KB4505052, search for it in the Microsoft Update Catalog.
 

Back to top		OS Build 14393.2969

May 14, 2019
KB4494440		Resolved
KB4505052		Resolved:
May 19, 2019 
02:00 PM PT

Opened:
May 16, 2019 
01:57 PM PT
Layout and cell size of Excel sheets may change when using MS UI Gothic 
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. For example, the layout and cell size of Microsoft Excel sheets may change when using MS UI Gothic.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue has been resolved.

Back to top		OS Build 14393.2941

April 25, 2019
KB4493473		Resolved
KB4494440		Resolved:
May 14, 2019 
10:00 AM PT

Opened:
May 10, 2019 
10:35 AM PT

-      "
-
-- title: April 2019
-- items:
-  - type: markdown
-    text: "
-      
-      
DetailsOriginating updateStatusHistory
Zone transfers over TCP may fail
Zone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail after installing KB4493473
 
Affected platforms:  
  • Client: Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016 
  • Server: Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016 
Resolution: This issue was resolved in KB4494440.

Back to top		OS Build 14393.2941

April 25, 2019
KB4493473		Resolved
KB4494440		Resolved:
May 14, 2019 
10:00 AM PT

Opened:
April 25, 2019 
02:00 PM PT

       

       "
 
diff --git a/windows/release-information/resolved-issues-windows-10-1703.yml b/windows/release-information/resolved-issues-windows-10-1703.yml
deleted file mode 100644
index 5d1e5cf2ba..0000000000
--- a/windows/release-information/resolved-issues-windows-10-1703.yml
+++ /dev/null
@@ -1,106 +0,0 @@
-### YamlMime:YamlDocument
-
-documentType: LandingData
-title: Resolved issues in Windows 10, version 1703
-metadata:
-  document_id: 
-  title: Resolved issues in Windows 10, version 1703
-  description: Resolved issues in Windows 10, version 1703
-  keywords: ["Resolved issues in Windows 10", "Windows 10", "Windows 10, version 1703"]
-  ms.localizationpriority: high
-  author: greg-lindsay
-  ms.author: greglin
-  manager: dougkim
-  ms.topic: article
-  ms.devlang: na
-
-sections:
-- items:
-  - type: markdown
-    text: "
-      See a list of known issues that have been resolved for Windows 10, version 1703 over the last six months. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s) to search the page.
-      
-      " 
-- items:
-  - type: markdown
-    text: "
-        

-      "
-
-- title: Resolved issues
-- items:
-  - type: markdown
-    text: "
-      
-      
-      
-      
-      
-      
-      
-      
-      
-      
-      
-      
-      
SummaryOriginating updateStatusDate resolved
Intermittent issues when printing
The print spooler service may intermittently have issues completing a print job and results print job failure.

See details >		OS Build 15063.2046

September 23, 2019
KB4522011		Resolved
KB4520010		October 08, 2019 
10:00 AM PT
IME may become unresponsive or have High CPU usage
Some Input Method Editor (IME) including ChsIME.EXE and ChtIME.EXE, may become unresponsive or may have high CPU usage.

See details >		OS Build 15063.2045

September 10, 2019
KB4516068		Resolved
September 17, 2019 
04:47 PM PT
Domain connected devices that use MIT Kerberos realms will not start up
Devices may not start after updating when connected to a domain that is configured to use MIT Kerberos realms.

See details >		OS Build 15063.1955

July 16, 2019
KB4507467		Resolved
KB4512507		August 13, 2019 
10:00 AM PT
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications made using VB6, macros using VBA, and VBScript may stop responding and you may receive an error.

See details >		OS Build 15063.1988

August 13, 2019
KB4512507		Resolved
KB4512474		August 17, 2019 
02:00 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on certain Windows devices.

See details >		OS Build 15063.1868

June 11, 2019
KB4503279		Resolved External
August 09, 2019 
07:03 PM PT
Devices with Hyper-V enabled may receive BitLocker error 0xC0210000
Some devices with Hyper-V enabled may start into BitLocker recovery with error 0xC0210000.

See details >		OS Build 15063.1805

May 14, 2019
KB4499181		Resolved
KB4507450		July 09, 2019 
10:00 AM PT
Difficulty connecting to some iSCSI-based SANs
Devices may have difficulty connecting to some Storage Area Network (SAN) devices that leverage iSCSI.

See details >		OS Build 15063.1839

May 28, 2019
KB4499162		Resolved
KB4509476		June 26, 2019 
04:00 PM PT
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view, or create Custom Views in Event Viewer, you may see an error or the app may close.

See details >		OS Build 15063.1868

June 11, 2019
KB4503279		Resolved
KB4503289		June 18, 2019 
02:00 PM PT
Opening Internet Explorer 11 may fail
Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.

See details >		OS Build 15063.1839

May 28, 2019
KB4499162		Resolved
KB4503279		June 11, 2019 
10:00 AM PT
Unable to access some gov.uk websites
gov.uk websites that don’t support “HSTS” may not be accessible

See details >		OS Build 15063.1805

May 14, 2019
KB4499181		Resolved
KB4505055		May 19, 2019 
02:00 PM PT
Layout and cell size of Excel sheets may change when using MS UI Gothic 
When using MS UI Gothic or MS PGothic in Excel, the text, layout, or cell size may become narrower or wider.

See details >		OS Build 15063.1784

April 25, 2019
KB4493436		Resolved
KB4499181		May 14, 2019 
10:00 AM PT

-      "
-
-- title: Issue details
-- items:
-  - type: markdown
-    text: "
-        

-        
 
-      "
-- title: September 2019
-- items:
-  - type: markdown
-    text: "
-      
-      
-      
-      
DetailsOriginating updateStatusHistory
Intermittent issues when printing
Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
  • Applications interacting with the V4 printer driver might close or error when printing. Issues might only be encountered when printing but might also be encountered at any time the app is running, depending on when the app interacts with the print driver.
  • The printer spooler service (spoolsv.exe) might close or error in jscript.dll with exception code 0xc0000005 causing the print jobs to stop processing. Only part of the print job might print and the rest might be canceled or error.
Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4520010.

Back to top		OS Build 15063.2046

September 23, 2019
KB4522011		Resolved
KB4520010		Resolved:
October 08, 2019 
10:00 AM PT

Opened:
September 30, 2019 
06:26 PM PT
IME may become unresponsive or have High CPU usage
Some Input Method Editor (IME) may become unresponsive or may have high CPU usage. Affected IMEs include Chinese Simplified (ChsIME.EXE) and Chinese Traditional (ChtIME.EXE) with Changjie/Quick keyboard.


Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Resolution: After investigation, we have found that this issue does not affect this version of Windows.

Back to top		OS Build 15063.2045

September 10, 2019
KB4516068		Resolved
Resolved:
September 17, 2019 
04:47 PM PT

Opened:
September 13, 2019 
05:25 PM PT

-      "
-
-- title: August 2019
-- items:
-  - type: markdown
-    text: "
-      
-      
-      
-      
DetailsOriginating updateStatusHistory
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
After installing KB4512507, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4512474. This ‘optional’ update is available on Microsoft Update Catalog, Windows Update, Microsoft Update and Windows Server Update Services (WSUS). As with any 'optional' update, you will need to Check for updates to receive KB4512474 and install. For instructions, see Update Windows 10.

Note Windows Update for Business customers should apply the update via Microsoft Update Catalog or Windows Server Update Services (WSUS).

Back to top		OS Build 15063.1988

August 13, 2019
KB4512507		Resolved
KB4512474		Resolved:
August 17, 2019 
02:00 PM PT

Opened:
August 14, 2019 
03:34 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503279) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		OS Build 15063.1868

June 11, 2019
KB4503279		Resolved External
Last updated:
August 09, 2019 
07:03 PM PT

Opened:
August 09, 2019 
04:25 PM PT

-      "
-
-- title: July 2019
-- items:
-  - type: markdown
-    text: "
-      
-      
-      
DetailsOriginating updateStatusHistory
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507467. Devices that are domain controllers or domain members are both affected.

To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists:
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
-

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Resolution: This issue was resolved in KB4512507 and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1903 or Windows Server, version 1903.

Back to top		OS Build 15063.1955

July 16, 2019
KB4507467		Resolved
KB4512507		Resolved:
August 13, 2019 
10:00 AM PT

Opened:
July 25, 2019 
06:10 PM PT

-      "
-
-- title: June 2019
-- items:
-  - type: markdown
-    text: "
-      
-      
-      
-      
-      
DetailsOriginating updateStatusHistory
Difficulty connecting to some iSCSI-based SANs
Devices may have issues connecting to some Storage Area Network (SAN) devices using Internet Small Computer System Interface (iSCSI) after installing KB4499162. You may also receive an error in the System log section of Event Viewer with Event ID 43 from iScsiPrt and a description of “Target failed to respond in time for a login request.”

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
  • Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4509476.

Back to top		OS Build 15063.1839

May 28, 2019
KB4499162		Resolved
KB4509476		Resolved:
June 26, 2019 
04:00 PM PT

Opened:
June 20, 2019 
04:46 PM PT
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4503289.

Back to top		OS Build 15063.1868

June 11, 2019
KB4503279		Resolved
KB4503289		Resolved:
June 18, 2019 
02:00 PM PT

Opened:
June 12, 2019 
11:11 AM PT
Opening Internet Explorer 11 may fail
Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4503279.

Back to top		OS Build 15063.1839

May 28, 2019
KB4499162		Resolved
KB4503279		Resolved:
June 11, 2019 
10:00 AM PT

Opened:
June 05, 2019 
05:49 PM PT

-      "
-
-- title: May 2019
-- items:
-  - type: markdown
-    text: "
-      
-      
-      
-      
-      
DetailsOriginating updateStatusHistory
Devices with Hyper-V enabled may receive BitLocker error 0xC0210000
Some devices with Hyper-V enabled may enter BitLocker recovery mode and receive an error, \"0xC0210000\" after installing KB4499181 and restarting.

Affected platforms:
  • Client: Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server 2016
Resolution: This issue was resolved in KB4507450.

Back to top		OS Build 15063.1805

May 14, 2019
KB4499181		Resolved
KB4507450		Resolved:
July 09, 2019 
10:00 AM PT

Opened:
May 21, 2019 
08:50 AM PT
Unable to access some gov.uk websites
After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10, version 1507; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
Resolution: We have released an \"optional, out-of-band\" update for Windows 10 (KB4505055) to resolve this issue. If you are affected, we recommend you apply this update by installing KB4505055 from Windows Update and then restarting your device.

This update will not be applied automatically. To download and install this update, go to Settings > Update & Security > Windows Update and select Check for updates. To get the standalone package for KB4505055, search for it in the Microsoft Update Catalog.
 

Back to top		OS Build 15063.1805

May 14, 2019
KB4499181		Resolved
KB4505055		Resolved:
May 19, 2019 
02:00 PM PT

Opened:
May 16, 2019 
01:57 PM PT
Layout and cell size of Excel sheets may change when using MS UI Gothic 
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. For example, the layout and cell size of Microsoft Excel sheets may change when using MS UI Gothic.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue has been resolved.

Back to top		OS Build 15063.1784

April 25, 2019
KB4493436		Resolved
KB4499181		Resolved:
May 14, 2019 
10:00 AM PT

Opened:
May 10, 2019 
10:35 AM PT

-      "
diff --git a/windows/release-information/resolved-issues-windows-10-1709.yml b/windows/release-information/resolved-issues-windows-10-1709.yml
index 9ec5a0c287..35c7f5856c 100644
--- a/windows/release-information/resolved-issues-windows-10-1709.yml
+++ b/windows/release-information/resolved-issues-windows-10-1709.yml
@@ -41,9 +41,6 @@ sections:
       
Difficulty connecting to some iSCSI-based SANs
Devices may have difficulty connecting to some Storage Area Network (SAN) devices that leverage iSCSI.

See details >OS Build 16299.1182

May 28, 2019
KB4499147Resolved
KB4509477June 26, 2019 
04:00 PM PT
       
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view, or create Custom Views in Event Viewer, you may see an error or the app may close.

See details >OS Build 16299.1217

June 11, 2019
KB4503284Resolved
KB4503281June 18, 2019 
02:00 PM PT
       
Opening Internet Explorer 11 may fail
Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.

See details >OS Build 16299.1182

May 28, 2019
KB4499147Resolved
KB4503284June 11, 2019 
10:00 AM PT
-      
Unable to access some gov.uk websites
gov.uk websites that don’t support “HSTS” may not be accessible

See details >OS Build 16299.1143

May 14, 2019
KB4498946Resolved
KB4505062May 19, 2019 
02:00 PM PT
-      
Layout and cell size of Excel sheets may change when using MS UI Gothic 
When using MS UI Gothic or MS PGothic in Excel, the text, layout, or cell size may become narrower or wider.

See details >OS Build 16299.1127

April 25, 2019
KB4493440Resolved
KB4499179May 14, 2019 
10:00 AM PT
-      
Zone transfers over TCP may fail
Zone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail.

See details >OS Build 16299.1127

April 25, 2019
KB4493440Resolved
KB4499179May 14, 2019 
10:00 AM PT
       
       "
 
@@ -95,22 +92,3 @@ sections:
       
Opening Internet Explorer 11 may fail
Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4503284.

Back to topOS Build 16299.1182

May 28, 2019
KB4499147Resolved
KB4503284Resolved:
June 11, 2019 
10:00 AM PT

Opened:
June 05, 2019 
05:49 PM PT
       
       "
-
-- title: May 2019
-- items:
-  - type: markdown
-    text: "
-      
-      
-      
-      
DetailsOriginating updateStatusHistory
Unable to access some gov.uk websites
After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10, version 1507; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
Resolved: We have released an \"out-of-band\" update for Windows 10 (KB4505062) to resolve this issue.

  • UK customers: This update will be applied automatically to resolve this issue. You may be required to restart your device again. If you are affected by this issue, Check for updates to apply the update immediately.
  • Customers outside of the UK: This update will not be applied automatically. If you are affected by this issue, we recommend you apply this update by installing KB4505062 from Windows Update and then restarting your device.
To download and install this update, go to Settings > Update & Security > Windows Update and select Check for updates. To get the standalone package for KB4505062, search for it in the Microsoft Update Catalog.
 

Back to top		OS Build 16299.1143

May 14, 2019
KB4498946		Resolved
KB4505062		Resolved:
May 19, 2019 
02:00 PM PT

Opened:
May 16, 2019 
01:57 PM PT
Layout and cell size of Excel sheets may change when using MS UI Gothic 
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. For example, the layout and cell size of Microsoft Excel sheets may change when using MS UI Gothic.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue has been resolved.

Back to top		OS Build 16299.1127

April 25, 2019
KB4493440		Resolved
KB4499179		Resolved:
May 14, 2019 
10:00 AM PT

Opened:
May 10, 2019 
10:35 AM PT

-      "
-
-- title: April 2019
-- items:
-  - type: markdown
-    text: "
-      
-      
-      
DetailsOriginating updateStatusHistory
Zone transfers over TCP may fail
Zone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail after installing KB4493440
 
Affected platforms:  
  • Client: Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016 
  • Server: Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016 
Resolution: This issue was resolved in KB4499179.

Back to top		OS Build 16299.1127

April 25, 2019
KB4493440		Resolved
KB4499179		Resolved:
May 14, 2019 
10:00 AM PT

Opened:
April 25, 2019 
02:00 PM PT

-      "
diff --git a/windows/release-information/resolved-issues-windows-10-1803.yml b/windows/release-information/resolved-issues-windows-10-1803.yml
index 9a7946487e..9aadd14d5a 100644
--- a/windows/release-information/resolved-issues-windows-10-1803.yml
+++ b/windows/release-information/resolved-issues-windows-10-1803.yml
@@ -44,9 +44,6 @@ sections:
       
Difficulty connecting to some iSCSI-based SANs
Devices may have difficulty connecting to some Storage Area Network (SAN) devices that leverage iSCSI.

See details >OS Build 17134.799

May 21, 2019
KB4499183Resolved
KB4509478June 26, 2019 
04:00 PM PT
       
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view, or create Custom Views in Event Viewer, you may see an error or the app may close.

See details >OS Build 17134.829

June 11, 2019
KB4503286Resolved
KB4503288June 18, 2019 
02:00 PM PT
       
Opening Internet Explorer 11 may fail
Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.

See details >OS Build 17134.799

May 21, 2019
KB4499183Resolved
KB4503286June 11, 2019 
10:00 AM PT
-      
Unable to access some gov.uk websites
gov.uk websites that don’t support “HSTS” may not be accessible

See details >OS Build 17134.765

May 14, 2019
KB4499167Resolved
KB4505064May 19, 2019 
02:00 PM PT
-      
Layout and cell size of Excel sheets may change when using MS UI Gothic 
When using MS UI Gothic or MS PGothic in Excel, the text, layout, or cell size may become narrower or wider.

See details >OS Build 17134.753

April 25, 2019
KB4493437Resolved
KB4499167May 14, 2019 
10:00 AM PT
-      
Zone transfers over TCP may fail
Zone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail.

See details >OS Build 17134.753

April 25, 2019
KB4493437Resolved
KB4499167May 14, 2019 
10:00 AM PT
       
       "
 
@@ -101,22 +98,3 @@ sections:
       
Opening Internet Explorer 11 may fail
Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4503286.

Back to topOS Build 17134.799

May 21, 2019
KB4499183Resolved
KB4503286Resolved:
June 11, 2019 
10:00 AM PT

Opened:
June 05, 2019 
05:49 PM PT
       
       "
-
-- title: May 2019
-- items:
-  - type: markdown
-    text: "
-      
-      
-      
-      
DetailsOriginating updateStatusHistory
Unable to access some gov.uk websites
After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10, version 1507; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
Resolved: We have released an \"out-of-band\" update for Windows 10 (KB4505064) to resolve this issue.

  • UK customers: This update will be applied automatically to resolve this issue. You may be required to restart your device again. If you are affected by this issue, Check for updates to apply the update immediately.
  • Customers outside of the UK: This update will not be applied automatically. If you are affected by this issue, we recommend you apply this update by installing KB4505064 from Windows Update and then restarting your device.
To download and install this update, go to Settings > Update & Security > Windows Update and select Check for updates. To get the standalone package for KB4505064, search for it in the Microsoft Update Catalog.
 

Back to top		OS Build 17134.765

May 14, 2019
KB4499167		Resolved
KB4505064		Resolved:
May 19, 2019 
02:00 PM PT

Opened:
May 16, 2019 
01:57 PM PT
Layout and cell size of Excel sheets may change when using MS UI Gothic 
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. For example, the layout and cell size of Microsoft Excel sheets may change when using MS UI Gothic.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue has been resolved.

Back to top		OS Build 17134.753

April 25, 2019
KB4493437		Resolved
KB4499167		Resolved:
May 14, 2019 
10:00 AM PT

Opened:
May 10, 2019 
10:35 AM PT

-      "
-
-- title: April 2019
-- items:
-  - type: markdown
-    text: "
-      
-      
-      
DetailsOriginating updateStatusHistory
Zone transfers over TCP may fail
Zone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail after installing KB4493437
 
Affected platforms:  
  • Client: Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016 
  • Server: Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016 
Resolution: This issue was resolved in KB4499167.

Back to top		OS Build 17134.753

April 25, 2019
KB4493437		Resolved
KB4499167		Resolved:
May 14, 2019 
10:00 AM PT

Opened:
April 25, 2019 
02:00 PM PT

-      "
diff --git a/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml b/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml
index fb8c792d7a..f6351c2c0b 100644
--- a/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml
+++ b/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml
@@ -32,6 +32,7 @@ sections:
   - type: markdown
     text: "
       
+      
@@ -47,13 +48,6 @@ sections:
       
-      
-      
-      
-      
-      
-      
-      
SummaryOriginating updateStatusDate resolved
Microsoft Defender Advanced Threat Protection might stop running
The Microsoft Defender ATP service might stop running and might fail to send reporting data.

See details >		OS Build 17763.832

October 15, 2019
KB4520062		Resolved
KB4523205		November 12, 2019 
10:00 AM PT

       
Windows Mixed Reality Portal users may intermittently receive a 15-5 error code
You may receive a 15-5 error code in Windows Mixed Reality Portal and your headset may not wake up from sleep.

See details >		OS Build 17763.678

August 13, 2019
KB4511553		Resolved
KB4520062		October 15, 2019 
10:00 AM PT

       
Startup to a black screen after installing updates
Your device may startup to a black screen during the first logon after installing updates.

See details >		OS Build 17763.557

June 11, 2019
KB4503327		Resolved
KB4520062		October 15, 2019 
10:00 AM PT

       
Intermittent issues when printing
The print spooler service may intermittently have issues completing a print job and results print job failure.

See details >		OS Build 17763.740

September 23, 2019
KB4522015		Resolved
KB4519338		October 08, 2019 
10:00 AM PT
Printing from Microsoft Edge or other UWP apps may result in the error 0x80070007
Attempting to print from Microsoft Edge or other Universal Windows Platform (UWP) apps, you may receive an error.

See details >		OS Build 17763.379

March 12, 2019
KB4489899		Resolved
KB4501371		June 18, 2019 
02:00 PM PT

       
Opening Internet Explorer 11 may fail
Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.

See details >		OS Build 17763.529

May 21, 2019
KB4497934		Resolved
KB4503327		June 11, 2019 
10:00 AM PT

       
Issue using PXE to start a device from WDS
Using PXE to start a device from a WDS server configured to use Variable Window Extension may terminate the connection.

See details >		OS Build 17763.379

March 12, 2019
KB4489899		Resolved
KB4503327		June 11, 2019 
10:00 AM PT
Audio not working on monitors or TV connected to a PC via HDMI, USB, or DisplayPort
Upgrade block: Certain new Intel display drivers may accidentally turn on unsupported features in Windows.

See details >		OS Build 17763.134

November 13, 2018
KB4467708		Resolved
May 21, 2019 
07:42 AM PT
Unable to access some gov.uk websites
gov.uk websites that don’t support “HSTS” may not be accessible

See details >		OS Build 17763.503

May 14, 2019
KB4494441		Resolved
KB4505056		May 19, 2019 
02:00 PM PT
Layout and cell size of Excel sheets may change when using MS UI Gothic 
When using MS UI Gothic or MS PGothic in Excel, the text, layout, or cell size may become narrower or wider.

See details >		OS Build 17763.475

May 03, 2019
KB4495667		Resolved
KB4494441		May 14, 2019 
10:00 AM PT
Windows 10, version 1809 update history may show an update installed twice
Some customers are reporting that KB4494441 installed twice on their device

See details >		OS Build 17763.503

May 14, 2019
KB4494441		Resolved
May 16, 2019 
02:37 PM PT
Zone transfers over TCP may fail
Zone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail.

See details >		OS Build 17763.475

May 03, 2019
KB4495667		Resolved
KB4494441		May 14, 2019 
10:00 AM PT
Latest cumulative update (KB 4495667) installs automatically
Reports that the optional cumulative update (KB 4495667) installs automatically.

See details >		OS Build 17763.475

May 03, 2019
KB4495667		Resolved
May 08, 2019 
03:37 PM PT
System may be unresponsive after restart if ArcaBit antivirus software installed
After further investigation ArcaBit has confirmed this issue is not applicable to Windows 10, version 1809

See details >		OS Build 17763.437

April 09, 2019
KB4493509		Resolved
May 08, 2019 
03:30 PM PT

       

       "
 
@@ -64,6 +58,15 @@ sections:
         

         
 
       "
+- title: October 2019
+- items:
+  - type: markdown
+    text: "
+      
+      
+      
DetailsOriginating updateStatusHistory
Microsoft Defender Advanced Threat Protection might stop running
After installing the optional non-security update (KB4520062), the Microsoft Defender Advanced Threat Protection (ATP) service might stop running and might fail to send reporting data. You might also receive a 0xc0000409 error in Event Viewer on MsSense.exe.

Note Microsoft Windows Defender Antivirus is not affected by this issue.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
  • Server: Windows Server, version 1809; Windows Server 2019
Resolution: This issue was resolved in KB4523205.

Back to top		OS Build 17763.832

October 15, 2019
KB4520062		Resolved
KB4523205		Resolved:
November 12, 2019 
10:00 AM PT

Opened:
October 17, 2019 
05:14 PM PT

+      "
+
 - title: September 2019
 - items:
   - type: markdown
@@ -116,20 +119,6 @@ sections:
     text: "
       
-      
-      
-      
-      
-      
-      
DetailsOriginating updateStatusHistory

       
Printing from Microsoft Edge or other UWP apps may result in the error 0x80070007
When attempting to print from Microsoft Edge or other Universal Windows Platform (UWP) applications you may receive the error, \"Your printer has experienced an unexpected configuration problem. 0x80070007e.\"
 
Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
  • Server: Windows Server, version 1809; Windows Server 2019
Resolution: This issue was resolved in KB4501371

Back to top		OS Build 17763.379

March 12, 2019
KB4489899		Resolved
KB4501371		Resolved:
June 18, 2019 
02:00 PM PT

Opened:
May 02, 2019 
04:47 PM PT
Unable to access some gov.uk websites
After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10, version 1507; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
Resolved: We have released an \"out-of-band\" update for Windows 10 (KB4505056) to resolve this issue.

  • UK customers: This update will be applied automatically to resolve this issue. You may be required to restart your device again. If you are affected by this issue, Check for updates to apply the update immediately.
  • Customers outside of the UK: This update will not be applied automatically. If you are affected by this issue, we recommend you apply this update by installing KB4505056 from Windows Update and then restarting your device.
To download and install this update, go to Settings > Update & Security > Windows Update and select Check for updates. To get the standalone package for KB4505056, search for it in the Microsoft Update Catalog.
 

Back to top		OS Build 17763.503

May 14, 2019
KB4494441		Resolved
KB4505056		Resolved:
May 19, 2019 
02:00 PM PT

Opened:
May 16, 2019 
01:57 PM PT
Layout and cell size of Excel sheets may change when using MS UI Gothic 
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. For example, the layout and cell size of Microsoft Excel sheets may change when using MS UI Gothic.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue has been resolved.

Back to top		OS Build 17763.475

May 03, 2019
KB4495667		Resolved
KB4494441		Resolved:
May 14, 2019 
10:00 AM PT

Opened:
May 10, 2019 
10:35 AM PT
Windows 10, version 1809 update history may show an update installed twice
Affected platforms:
  • Client: Windows 10, version 1809
Cause:
In certain situations, installing an update requires multiple download and restart steps. In cases where two intermediate steps of the installation complete successfully, the View your Update history page will report that installation completed successfully twice. 

Resolution:
No action is required on your part. The update installation may take longer and may require more than one restart, but will install successfully after all intermediate installation steps have completed. We are working on improving this update experience to ensure the Update history correctly reflects the installation of the latest cumulative update (LCU).

Back to top		OS Build 17763.503

May 14, 2019
KB4494441		Resolved
Resolved:
May 16, 2019 
02:37 PM PT

Opened:
May 14, 2019 
02:56 PM PT
Zone transfers over TCP may fail
Zone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail after installing KB4495667
 
Affected platforms:  
  • Client: Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016 
  • Server: Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016 
Resolution: This issue was resolved in KB4494441.

Back to top		OS Build 17763.475

May 03, 2019
KB4495667		Resolved
KB4494441		Resolved:
May 14, 2019 
10:00 AM PT

Opened:
May 14, 2019 
01:19 PM PT
Latest cumulative update (KB 4495667) installs automatically
Due to a servicing side issue some users were offered KB4495667 (optional update) automatically and rebooted devices.  This issue has been mitigated.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
  • Server: Windows Server, version 1809; Windows Server 2019
Resolution:: This issue has been mitigated on the servicing side to prevent auto installing of this update. Customers do not need to take any action.
 

Back to top		OS Build 17763.475

May 03, 2019
KB4495667		Resolved
Resolved:
May 08, 2019 
03:37 PM PT

Opened:
May 05, 2019 
12:01 PM PT

-      "
-
-- title: April 2019
-- items:
-  - type: markdown
-    text: "
-      
-      
DetailsOriginating updateStatusHistory
System may be unresponsive after restart if ArcaBit antivirus software installed
ArcaBit has confirmed this issue is not applicable to Windows 10, version 1809 (client or server).

Microsoft and ArcaBit have identified an issue on devices with ArcaBit antivirus software installed that may cause the system to become unresponsive upon restart.

Affected platforms:
  • Client: Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
Workaround: ArcaBit has released an update to address this issue for affected platforms. For more information, see the ArcaBit support article.

Resolution: This issue has been resolved. ArcaBit has confirmed this issue is not applicable to Windows 10, version 1809 (client or server).

Back to top		OS Build 17763.437

April 09, 2019
KB4493509		Resolved
Resolved:
May 08, 2019 
03:30 PM PT

Opened:
April 09, 2019 
10:00 AM PT

       

       "
 
@@ -141,12 +130,3 @@ sections:
       
Issue using PXE to start a device from WDS
After installing KB4489899, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension. 

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue was resolved in KB4503327.

Back to topOS Build 17763.379

March 12, 2019
KB4489899Resolved
KB4503327Resolved:
June 11, 2019 
10:00 AM PT

Opened:
March 12, 2019 
10:00 AM PT
       
       "
-
-- title: November 2018
-- items:
-  - type: markdown
-    text: "
-      
-      
-      
DetailsOriginating updateStatusHistory
Audio not working on monitors or TV connected to a PC via HDMI, USB, or DisplayPort
Upgrade block: Microsoft has identified issues with certain new Intel display drivers. Intel inadvertently released versions of its display driver (versions 24.20.100.6344, 24.20.100.6345) to OEMs that accidentally turned on unsupported features in Windows. 
 
As a result, after updating to Windows 10, version 1809, audio playback from a monitor or television connected to a PC via HDMI, USB-C, or a DisplayPort may not function correctly on devices with these drivers.
Note: This Intel display driver issue is different from the Intel Smart Sound Technology driver (version 09.21.00.3755) audio issue previously documented.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
  • Server: Windows Server, version 1809; Windows Server 2019 
Next steps: Intel has released updated drivers to OEM device manufacturers. OEMs need to make the updated driver available via Windows Update. For more information, see the Intel Customer Support article.

Resolution: Microsoft has removed the safeguard hold. 



Back to top		OS Build 17763.134

November 13, 2018
KB4467708		Resolved
Resolved:
May 21, 2019 
07:42 AM PT

Opened:
November 13, 2018 
10:00 AM PT

-      "
diff --git a/windows/release-information/resolved-issues-windows-10-1903.yml b/windows/release-information/resolved-issues-windows-10-1903.yml
index 9de5f0a7b9..4c483d39b0 100644
--- a/windows/release-information/resolved-issues-windows-10-1903.yml
+++ b/windows/release-information/resolved-issues-windows-10-1903.yml
@@ -32,8 +32,13 @@ sections:
   - type: markdown
     text: "
       
+      
+      
+      
+      
+      
-      
+      
@@ -46,19 +51,15 @@ sections:
       
-      
+      
-      
+      
-      
-      
-      
-      
SummaryOriginating updateStatusDate resolved
Intermittent loss of Wi-Fi connectivity
Some older devices may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver. 

See details >		OS Build 18362.116

May 21, 2019
KB4505057		Resolved External
November 22, 2019 
04:10 PM PT
Unable to discover or connect to Bluetooth devices using some Realtek adapters
Microsoft has identified compatibility issues with some versions of Realtek Bluetooth radio drivers.

See details >		OS Build 18362.116

May 21, 2019
KB4505057		Resolved External
November 15, 2019 
05:59 PM PT
Updates may fail to install and you may receive Error 0x80073701
Installation of updates may fail and you may receive error code 0x80073701.

See details >		OS Build 18362.145

May 29, 2019
KB4497935		Resolved
November 12, 2019 
08:11 AM PT
Intel Audio displays an intcdaud.sys notification
Devices with a range of Intel Display Audio device drivers may experience battery drain.

See details >		OS Build 18362.116

May 21, 2019
KB4505057		Resolved External
November 12, 2019 
08:04 AM PT
Gamma ramps, color profiles, and night light settings do not apply in some cases
Microsoft has identified some scenarios where gamma ramps, color profiles and night light settings may stop working.

See details >		OS Build 18362.116

May 21, 2019
KB4505057		Resolved
KB4505903		July 26, 2019 
02:00 PM PT

       
Cannot launch Camera app 
Microsoft and Intel have identified an issue affecting Intel RealSense SR300 or Intel RealSense S200 camera apps.

See details >		OS Build 18362.116

May 21, 2019
KB4505057		Resolved
KB4501375		June 27, 2019 
10:00 AM PT
Unable to discover or connect to Bluetooth devices using some Qualcomm adapters
Microsoft has identified compatibility issues with some versions of Qualcomm Bluetooth radio drivers.

See details >		OS Build 18362.116

May 20, 2019
KB4505057		Resolved
KB4517389		October 08, 2019 
10:00 AM PT
Unable to discover or connect to Bluetooth devices using some Qualcomm adapters
Microsoft has identified compatibility issues with some versions of Qualcomm Bluetooth radio drivers.

See details >		OS Build 18362.116

May 21, 2019
KB4505057		Resolved
KB4517389		October 08, 2019 
10:00 AM PT

       
Safeguard on certain devices with some Intel and Broadcom Wi-Fi adapters
Some devices with Intel Centrino 6205/6235 and Broadcom 802.11ac Wi-Fi cards may experience compatibility issues.

See details >		N/A 

Resolved
KB4522355		October 24, 2019 
10:00 AM PT

       
dGPU occasionally disappear from device manager on Surface Book 2
Some apps or games may close or fail to open on Surface Book 2 devices with Nvidia dGPU.

See details >		OS Build 18362.145

May 29, 2019
KB4497935		Resolved
October 18, 2019 
04:33 PM PT

       
Intermittent issues when printing
The print spooler service may intermittently have issues completing a print job and results print job failure.

See details >		OS Build 18362.357

September 23, 2019
KB4522016		Resolved
KB4517389		October 08, 2019 
10:00 AM PT
Issues updating when certain versions of Intel storage drivers are installed
Windows 10, version 1903 update may fail with certain versions of Intel Rapid Storage Technology (Intel RST) drivers.

See details >		OS Build 18362.145

May 29, 2019
KB4497935		Resolved
KB4512941		August 30, 2019 
10:00 AM PT

       
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications made using VB6, macros using VBA, and VBScript may stop responding and you may receive an error.

See details >		OS Build 18362.295

August 13, 2019
KB4512508		Resolved
KB4512941		August 30, 2019 
10:00 AM PT

       
Initiating a Remote Desktop connection may result in black screen
When initiating a Remote Desktop connection to devices with some older GPU drivers, you may receive a black screen.

See details >		OS Build 18362.145

May 29, 2019
KB4497935		Resolved
KB4512941		August 30, 2019 
10:00 AM PT
Windows Sandbox may fail to start with error code “0x80070002”
Windows Sandbox may fail to start on devices in which the operating system language was changed between updates.

See details >		OS Build 18362.116

May 20, 2019
KB4505057		Resolved
KB4512941		August 30, 2019 
10:00 AM PT
Windows Sandbox may fail to start with error code “0x80070002”
Windows Sandbox may fail to start on devices in which the operating system language was changed between updates.

See details >		OS Build 18362.116

May 21, 2019
KB4505057		Resolved
KB4512941		August 30, 2019 
10:00 AM PT

       
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using PXE images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

See details >		OS Build 18362.175

June 11, 2019
KB4503293		Resolved
KB4512941		August 30, 2019 
10:00 AM PT

       
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on certain Windows devices.

See details >		OS Build 18362.175

June 11, 2019
KB4503293		Resolved External
August 09, 2019 
07:03 PM PT

       
Display brightness may not respond to adjustments
Devices configured with certain Intel display drivers may experience a driver compatibility issue.

See details >		OS Build 18362.116

May 21, 2019
KB4505057		Resolved
KB4505903		July 26, 2019 
02:00 PM PT

       
RASMAN service may stop working and result in the error “0xc0000005”
The RASMAN service may stop working with VPN profiles configured as an Always On VPN connection.

See details >		OS Build 18362.145

May 29, 2019
KB4497935		Resolved
KB4505903		July 26, 2019 
02:00 PM PT
Loss of functionality in Dynabook Smartphone Link app
Users who update to Windows 10, version 1903 may experience a loss of functionality with Dynabook Smartphone Link.

See details >		OS Build 18362.116

May 20, 2019
KB4505057		Resolved
July 11, 2019 
01:54 PM PT
Loss of functionality in Dynabook Smartphone Link app
Users who update to Windows 10, version 1903 may experience a loss of functionality with Dynabook Smartphone Link.

See details >		OS Build 18362.116

May 21, 2019
KB4505057		Resolved
July 11, 2019 
01:54 PM PT

       
Error attempting to update with external USB device or memory card attached 
PCs with an external USB device or SD memory card attached may get error: \"This PC can't be upgraded to Windows 10.\"

See details >		OS Build 18362.116

May 21, 2019
KB4505057		Resolved
July 11, 2019 
01:53 PM PT

       
Audio not working with Dolby Atmos headphones and home theater 
Users may experience audio loss with Dolby Atmos headphones or Dolby Atmos home theater.

See details >		OS Build 18362.116

May 21, 2019
KB4505057		Resolved
July 11, 2019 
01:53 PM PT

       
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view, or create Custom Views in Event Viewer, you may see an error or the app may close.

See details >		OS Build 18362.175

June 11, 2019
KB4503293		Resolved
KB4501375		June 27, 2019 
10:00 AM PT
Duplicate folders and documents showing in user profile directory
An empty folder with the same name may be created if known folders (e.g. Desktop, Documents) are redirected.

See details >		OS Build 18362.116

May 21, 2019
KB4505057		Resolved
KB4497935		May 29, 2019 
02:00 PM PT
Older versions of BattlEye anti-cheat software incompatible
Users may experience a compatibility issue with some games that use older versions of BattlEye anti-cheat software.

See details >		OS Build 18362.116

May 21, 2019
KB4505057		Resolved
June 07, 2019 
04:26 PM PT
D3D applications and games may fail to enter full-screen mode on rotated displays
Some Direct3D (D3D) applications and games may fail to enter full-screen mode on rotated displays.

See details >		OS Build 18362.116

May 21, 2019
KB4505057		Resolved
KB4497935		May 29, 2019 
02:00 PM PT
AMD RAID driver incompatibility  
Devices running certain AMD RAID drivers may have difficulty installing the Windows 10, version 1903 update.

See details >		OS Build 18362.116

May 21, 2019
KB4505057		Resolved
June 06, 2019 
11:06 AM PT

       

       "
 
@@ -74,7 +75,7 @@ sections:
   - type: markdown
     text: "
       
-      
+      
DetailsOriginating updateStatusHistory
Unable to discover or connect to Bluetooth devices using some Qualcomm adapters
Microsoft has identified compatibility issues with some driver versions for Bluetooth radios made by Qualcomm. To safeguard your update experience, we have applied a compatibility hold on devices with affected driver versions for Qualcomm Bluetooth radios from being offered Windows 10, version 1903 or Windows Server, version 1903 until the driver has been updated.

Affected platforms:
  • Client: Windows 10, version 1903
  • Server: Windows Server, version 1903
Resolution: This issue was resolved in KB4517389 and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1903 or Windows Server, version 1903.

Back to top		OS Build 18362.116

May 20, 2019
KB4505057		Resolved
KB4517389		Resolved:
October 08, 2019 
10:00 AM PT

Opened:
October 25, 2019 
04:21 PM PT
Unable to discover or connect to Bluetooth devices using some Qualcomm adapters
Microsoft has identified compatibility issues with some driver versions for Bluetooth radios made by Qualcomm. To safeguard your update experience, we have applied a compatibility hold on devices with affected driver versions for Qualcomm Bluetooth radios from being offered Windows 10, version 1903 or Windows Server, version 1903 until the driver has been updated.

Affected platforms:
  • Client: Windows 10, version 1903
  • Server: Windows Server, version 1903
Resolution: This issue was resolved in KB4517389 and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1903 or Windows Server, version 1903.

Back to top		OS Build 18362.116

May 21, 2019
KB4505057		Resolved
KB4517389		Resolved:
October 08, 2019 
10:00 AM PT

Opened:
October 25, 2019 
04:21 PM PT

       

       "
 
@@ -98,6 +99,7 @@ sections:
   - type: markdown
     text: "
       
+      
DetailsOriginating updateStatusHistory
Updates may fail to install and you may receive Error 0x80073701
Installation of updates may fail and you may receive the error message, \"Updates Failed, There were problems installing some updates, but we'll try again later\" or \"Error 0x80073701\" on the Windows Update dialog or within Update history.

Affected platforms:
  • Client: Windows 10, version 1903
  • Server: Windows Server, version 1903
Resolution: This issue has been resolved for most users. If you are still having issues, please see KB4528159.

Back to top		OS Build 18362.145

May 29, 2019
KB4497935		Resolved
Resolved:
November 12, 2019 
08:11 AM PT

Opened:
August 16, 2019 
01:41 PM PT

       
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
After installing KB4512508, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4512941. The ‘optional’ update is available on Microsoft Update Catalog, Windows Update, Microsoft Update and Windows Server Update Services (WSUS). As with any 'optional' update, you will need to Check for updates to receive KB4512941 and install. For instructions, see Update Windows 10.

Note Windows Update for Business customers should apply the update via Microsoft Update Catalog or Windows Server Update Services (WSUS).

Back to top		OS Build 18362.295

August 13, 2019
KB4512508		Resolved
KB4512941		Resolved:
August 30, 2019 
10:00 AM PT

Opened:
August 14, 2019 
03:34 PM PT

       
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503293) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		OS Build 18362.175

June 11, 2019
KB4503293		Resolved External
Last updated:
August 09, 2019 
07:03 PM PT

Opened:
August 09, 2019 
04:25 PM PT

       

@@ -132,15 +134,15 @@ sections:
   - type: markdown
     text: "
       
+      
+      
+      
+      
-      
+      
-      
+      
-      
-      
-      
-      
DetailsOriginating updateStatusHistory
Intermittent loss of Wi-Fi connectivity
Some older devices may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver. An updated Wi-Fi driver should be available from your device manufacturer (OEM).

To safeguard your upgrade experience, we have applied a hold on devices with affected Qualcomm driver from being offered Windows 10, version 1903 or Windows 10, version 1909, until the updated driver is installed.

Affected platforms:
  • Client: Windows 10, version 1909; Windows 10, version 1903
Resolution: This issue was resolved with an updated Qualcomm Wifi driver and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1909 or Windows 10, version 1903.

Back to top		OS Build 18362.116

May 21, 2019
KB4505057		Resolved External
Last updated:
November 22, 2019 
04:10 PM PT

Opened:
May 21, 2019 
07:13 AM PT
Unable to discover or connect to Bluetooth devices using some Realtek adapters
Microsoft has identified compatibility issues with some driver versions for Bluetooth radios made by Realtek. To safeguard your update experience, we have applied a compatibility hold on devices with affected driver versions for Realtek Bluetooth radios from being offered Windows 10, version 1903 or Windows Server, version 1903 until the driver has been updated.

Affected platforms:
  • Client: Windows 10, version 1909; Windows 10, version 1903
  • Server: Windows 10, version 1909; Windows Server, version 1903
Resolution: This issue was resolved with an updated driver for the affected Realtek Bluetooth radio and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1909 or Windows 10, version 1903.

Back to top		OS Build 18362.116

May 21, 2019
KB4505057		Resolved External
Last updated:
November 15, 2019 
05:59 PM PT

Opened:
May 21, 2019 
07:29 AM PT
Intel Audio displays an intcdaud.sys notification
Microsoft and Intel have identified an issue with a range of Intel Display Audio device drivers that may result in higher than normal battery drain. If you see an intcdaud.sys notification or “What needs your attention” notification when trying to update to Windows 10, version 1903, you have an affected Intel Audio Display device driver installed on your machine (intcdaud.sys, versions 10.25.0.3 through 10.25.0.8).
  
To safeguard your update experience, we have applied a compatibility hold on devices with drivers from being offered Windows 10, version 1903 until updated device drivers have been installed.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809
Resolution: This issue was resolved with updated drivers from your device manufacturer (OEM) or Intel. The safeguard hold has been removed.

Note If you are still experiencing the issue described, please contact your device manufacturer (OEM).

Back to top		OS Build 18362.116

May 21, 2019
KB4505057		Resolved External
Last updated:
November 12, 2019 
08:04 AM PT

Opened:
May 21, 2019 
07:22 AM PT
Gamma ramps, color profiles, and night light settings do not apply in some cases
Microsoft has identified some scenarios where gamma ramps, color profiles and night light settings may stop working.

Microsoft has identified some scenarios in which these features may have issues or stop working, for example:
  • Connecting to (or disconnecting from) an external monitor, dock, or projector
  • Rotating the screen
  • Updating display drivers or making other display mode changes
  • Closing full screen applications
  • Applying custom color profiles
  • Running applications that rely on custom gamma ramps
Affected platforms:
  • Client: Windows 10, version 1903
Resolution: This issue was resolved in KB4505903 and the safeguard hold has been removed.

Back to top		OS Build 18362.116

May 21, 2019
KB4505057		Resolved
KB4505903		Resolved:
July 26, 2019 
02:00 PM PT

Opened:
May 21, 2019 
07:28 AM PT

       
Cannot launch Camera app 
Microsoft and Intel have identified an issue affecting Intel RealSense SR300 and Intel RealSense S200 cameras when using the Camera app. After updating to the Windows 10 May 2019 Update and launching the Camera app, you may get an error message stating:
        \"Close other apps, error code: 0XA00F4243.”

To safeguard your update experience, we have applied a protective hold on machines with Intel RealSense SR300 or Intel RealSense S200 cameras installed from being offered Windows 10, version 1903, until this issue is resolved.

Affected platforms:
  • Client: Windows 10, version 1903
Resolution: This issue was resolved in KB4501375 and the safeguard hold has been removed.

Back to top		OS Build 18362.116

May 21, 2019
KB4505057		Resolved
KB4501375		Resolved:
June 27, 2019 
10:00 AM PT

Opened:
May 21, 2019 
07:20 AM PT
Windows Sandbox may fail to start with error code “0x80070002”
Windows Sandbox may fail to start with \"ERROR_FILE_NOT_FOUND (0x80070002)\" on devices in which the operating system language is changed during the update process when installing Windows 10, version 1903.

Affected platforms:
  • Client: Windows 10, version 1903
Resolution: This issue was resolved in KB4512941.

Back to top		OS Build 18362.116

May 20, 2019
KB4505057		Resolved
KB4512941		Resolved:
August 30, 2019 
10:00 AM PT

Opened:
May 24, 2019 
04:20 PM PT
Windows Sandbox may fail to start with error code “0x80070002”
Windows Sandbox may fail to start with \"ERROR_FILE_NOT_FOUND (0x80070002)\" on devices in which the operating system language is changed during the update process when installing Windows 10, version 1903.

Affected platforms:
  • Client: Windows 10, version 1903
Resolution: This issue was resolved in KB4512941.

Back to top		OS Build 18362.116

May 21, 2019
KB4505057		Resolved
KB4512941		Resolved:
August 30, 2019 
10:00 AM PT

Opened:
May 24, 2019 
04:20 PM PT

       
Display brightness may not respond to adjustments
Microsoft and Intel have identified a driver compatibility issue on devices configured with certain Intel display drivers. After updating to Windows 10, version 1903, brightness settings may sometime appear as if changes applied took effect, yet the actual display brightness doesn't change.

To safeguard your update experience, we have applied a compatibility hold on devices with certain Intel drivers from being offered Windows 10, version 1903, until this issue is resolved.

Affected platforms:
  • Client: Windows 10, version 1903
Resolution: This issue was resolved in KB4505903 and the safeguard hold has been removed. Please ensure you have applied the resolving update before attempting to update to the Windows 10 May 2019 Update (version 1903). Please note, it can take up to 48 hours for the safeguard to be removed.

Back to top		OS Build 18362.116

May 21, 2019
KB4505057		Resolved
KB4505903		Resolved:
July 26, 2019 
02:00 PM PT

Opened:
May 21, 2019 
07:56 AM PT
Loss of functionality in Dynabook Smartphone Link app
Some users may experience a loss of functionality after updating to Windows 10, version 1903 when using the Dynabook Smartphone Link application on Windows devices. Loss of functionality may affect the display of phone numbers in the Call menu and the ability to answer phone calls on the Windows PC.

To safeguard your update experience, we have applied a compatibility hold on devices with Dynabook Smartphone Link from being offered Windows 10, version 1903, until this issue is resolved.

Affected platforms:
  • Client: Windows 10, version 1903
Resolution: This issue is now resolved and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to Windows 10, version 1903.

Back to top		OS Build 18362.116

May 20, 2019
KB4505057		Resolved
Resolved:
July 11, 2019 
01:54 PM PT

Opened:
May 24, 2019 
03:10 PM PT
Loss of functionality in Dynabook Smartphone Link app
Some users may experience a loss of functionality after updating to Windows 10, version 1903 when using the Dynabook Smartphone Link application on Windows devices. Loss of functionality may affect the display of phone numbers in the Call menu and the ability to answer phone calls on the Windows PC.

To safeguard your update experience, we have applied a compatibility hold on devices with Dynabook Smartphone Link from being offered Windows 10, version 1903, until this issue is resolved.

Affected platforms:
  • Client: Windows 10, version 1903
Resolution: This issue is now resolved and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to Windows 10, version 1903.

Back to top		OS Build 18362.116

May 21, 2019
KB4505057		Resolved
Resolved:
July 11, 2019 
01:54 PM PT

Opened:
May 24, 2019 
03:10 PM PT

       
Error attempting to update with external USB device or memory card attached 
If you have an external USB device or SD memory card attached when installing Windows 10, version 1903, you may get an error message stating \"This PC can't be upgraded to Windows 10.\" This is caused by inappropriate drive reassignment during installation.

Sample scenario: An update to Windows 10, version 1903 is attempted on a computer that has a thumb drive inserted into its USB port. Before the update, the thumb drive is mounted in the system as drive G based on the existing drive configuration. After the feature update is installed; however, the device is reassigned a different drive letter (e.g., drive H).

Note The drive reassignment is not limited to removable drives. Internal hard drives may also be affected.

To safeguard your update experience, we have applied a hold on devices with an external USB device or SD memory card attached from being offered Windows 10, version 1903 until this issue is resolved.

Affected platforms:
  • Client: Windows 10, version 1903
Resolution: This issue is now resolved and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to Windows 10, version 1903.

Back to top		OS Build 18362.116

May 21, 2019
KB4505057		Resolved
Resolved:
July 11, 2019 
01:53 PM PT

Opened:
May 21, 2019 
07:38 AM PT

       
Audio not working with Dolby Atmos headphones and home theater 
After updating to Windows 10, version 1903, you may experience loss of audio with Dolby Atmos for home theater (free extension) or Dolby Atmos for headphones (paid extension) acquired through the Microsoft Store due to a licensing configuration error.
 
This occurs due to an issue with a Microsoft Store licensing component, where license holders are not able to connect to the Dolby Access app and enable Dolby Atmos extensions.
 
To safeguard your update experience, we have applied protective hold on devices from being offered Windows 10, version 1903 until this issue is resolved. This configuration error will not result in loss of access for the acquired license once the problem is resolved.

Affected platforms:
  • Client: Windows 10, version 1903
Resolution: This issue is now resolved and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to Windows 10, version 1903.

Back to top		OS Build 18362.116

May 21, 2019
KB4505057		Resolved
Resolved:
July 11, 2019 
01:53 PM PT

Opened:
May 21, 2019 
07:16 AM PT
Duplicate folders and documents showing in user profile directory
If you have redirected known folders (e.g. Desktop, Documents, or Pictures folders) you may see an empty folder with the same name in your %userprofile% directories after updating to Windows 10, version 1903. This may occur if known folders were redirected when you chose to back up your content to OneDrive using the OneDrive wizard, or if you chose to back up your content during the Windows Out-of-Box-Experience (OOBE). This may also occur if you redirected your known folders manually through the Properties dialog box in File Explorer. ?This issue does not cause any user files to be deleted and a solution is in progress.

To safeguard your update experience, we have applied a quality hold on devices with redirected known folders from being offered Windows 10, version 1903, until this issue is resolved.

Affected platforms:
  • Client: Windows 10, version 1903
Resolution: This issue was resolved in KB4497935 and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to Windows 10, version 1903.
(Posted June 11, 2019)

Back to top		OS Build 18362.116

May 21, 2019
KB4505057		Resolved
KB4497935		Resolved:
May 29, 2019 
02:00 PM PT

Opened:
May 21, 2019 
07:16 AM PT
Older versions of BattlEye anti-cheat software incompatible
Microsoft and BattlEye have identified a compatibility issue with some games that use older versions of BattlEye anti-cheat software. When launching a game that uses an older, impacted version of BattlEye anti-cheat software on a device running Windows 10, version 1903, the device may experience a system crash.

To safeguard your gaming experience, we have applied a compatibility hold on devices with the impacted versions of BattlEye software used by games installed on your PC. This will prevent Windows 10, version 1903 from being offered until the incompatible version of BattlEye software is no longer installed on the device. 

Affected platforms:
  • Client: Windows 10, version 1903
Workaround: Before updating your machine, we recommend you do one or more of the following:

  • Verify that your game is up to date with the latest available version of BattlEye software. Some game platforms allow you to validate your game files, which can confirm that your installation is fully up to date.
  • Restart your system and open the game again.
  • Uninstall BattlEye using https://www.battleye.com/downloads/UninstallBE.exe, and then reopen your game.
  • Uninstall and reinstall your game.
Resolution: This issue was resolved externally by BattlEye for all known impacted games. For a list of recent games that use BattlEye, go to https://www.battleye.com/. We recommend following the workaround before updating to Windows 10, version 1903, as games with incompatible versions of BattleEye may fail to open after updating Windows. If you have confirmed your game is up to date and you have any issues with opening games related to a BattlEye error, please see https://www.battleye.com/support/faq/.

Back to top		OS Build 18362.116

May 21, 2019
KB4505057		Resolved
Resolved:
June 07, 2019 
04:26 PM PT

Opened:
May 21, 2019 
07:34 AM PT
D3D applications and games may fail to enter full-screen mode on rotated displays
Some Direct3D (D3D) applications and games (e.g., 3DMark) may fail to enter full-screen mode on displays where the display orientation has been changed from the default (e.g., a landscape display in portrait mode).

Affected platforms:
  • Client: Windows 10, version 1903
  • Server: Windows Server, version 1903
Resolution: This issue was resolved in KB4497935

Back to top		OS Build 18362.116

May 21, 2019
KB4505057		Resolved
KB4497935		Resolved:
May 29, 2019 
02:00 PM PT

Opened:
May 21, 2019 
07:05 AM PT
AMD RAID driver incompatibility  
Microsoft and AMD have identified an incompatibility with AMD RAID driver versions earlier than 9.2.0.105. When you attempt to install the Windows 10, version 1903 update on a Windows 10-based computer with an affected driver version, the installation process stops and you get a message like the following:
AMD Ryzen™ or AMD Ryzen™ Threadripper™ configured in SATA or NVMe RAID mode.
“A driver is installed that causes stability problems on Windows. This driver will be disabled. Check with your software/driver provider for an updated version that runs on this version of Windows.”
 
To safeguard your update experience, we have applied a compatibility hold on devices with these AMD drivers from being offered Windows 10, version 1903, until this issue is resolved.

Affected platforms:
  • Client: Windows 10, version 1903
Resolution: This issue has been resolved externally by AMD. To resolve this issue, you will need to download the latest AMD RAID drivers directly from AMD at https://www.amd.com/en/support/chipsets/amd-socket-tr4/x399. The drivers must be version 9.2.0.105 or later. Install the drivers on the affected computer, and then restart the installation process for the Windows 10, version 1903 feature update.
 
Note The safeguard hold will remain in place on machines with the older AMD RAID drivers. We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until a new driver has been installed and the Windows 10, version 1903 feature update has been automatically offered to you.

Back to top		OS Build 18362.116

May 21, 2019
KB4505057		Resolved
Resolved:
June 06, 2019 
11:06 AM PT

Opened:
May 21, 2019 
07:12 AM PT

       

       "
diff --git a/windows/release-information/resolved-issues-windows-10-1909.yml b/windows/release-information/resolved-issues-windows-10-1909.yml
new file mode 100644
index 0000000000..002f9b5358
--- /dev/null
+++ b/windows/release-information/resolved-issues-windows-10-1909.yml
@@ -0,0 +1,55 @@
+### YamlMime:YamlDocument
+
+documentType: LandingData
+title: Resolved issues in Windows 10, version 1909 and Windows Server, version 1909
+metadata:
+  document_id: 
+  title: Resolved issues in Windows 10, version 1909 and Windows Server, version 1909
+  description: Resolved issues in Windows 10, version 1909 and Windows Server 1909
+  keywords: ["Resolved issues in Windows 10", "Windows 10", "Windows 10, version 1909"]
+  ms.localizationpriority: high
+  author: greg-lindsay
+  ms.author: greglin
+  manager: dougkim
+  ms.topic: article
+  ms.devlang: na
+
+sections:
+- items:
+  - type: markdown
+    text: "
+      See a list of known issues that have been resolved for Windows 10, version 1909 and Windows Server, version 1909 over the last six months. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s) to search the page.
+      
+      " 
+- items:
+  - type: markdown
+    text: "
+        

+      "
+
+- title: Resolved issues
+- items:
+  - type: markdown
+    text: "
+      
+      
+      
+      
SummaryOriginating updateStatusDate resolved
Intermittent loss of Wi-Fi connectivity
Some older devices may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver. 

See details >		OS Build 18363.476

November 12, 2019
KB4524570		Resolved External
November 22, 2019 
04:10 PM PT
Unable to discover or connect to Bluetooth devices using some Realtek adapters
Microsoft has identified compatibility issues with some versions of Realtek Bluetooth radio drivers.

See details >		OS Build 18363.476

November 12, 2019
KB4524570		Resolved External
November 15, 2019 
05:59 PM PT

+      "
+
+- title: Issue details
+- items:
+  - type: markdown
+    text: "
+        

+        
 
+      "
+- title: May 2019
+- items:
+  - type: markdown
+    text: "
+      
+      
+      
+      
DetailsOriginating updateStatusHistory
Intermittent loss of Wi-Fi connectivity
Some older devices may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver. An updated Wi-Fi driver should be available from your device manufacturer (OEM).

To safeguard your upgrade experience, we have applied a hold on devices with affected Qualcomm driver from being offered Windows 10, version 1903 or Windows 10, version 1909, until the updated driver is installed.

Affected platforms:
  • Client: Windows 10, version 1909; Windows 10, version 1903
Resolution: This issue was resolved with an updated Qualcomm Wifi driver and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1909 or Windows 10, version 1903.

Back to top		OS Build 18363.476

November 12, 2019
KB4524570		Resolved External
Last updated:
November 22, 2019 
04:10 PM PT

Opened:
May 21, 2019 
07:13 AM PT
Unable to discover or connect to Bluetooth devices using some Realtek adapters
Microsoft has identified compatibility issues with some driver versions for Bluetooth radios made by Realtek. To safeguard your update experience, we have applied a compatibility hold on devices with affected driver versions for Realtek Bluetooth radios from being offered Windows 10, version 1903 or Windows Server, version 1903 until the driver has been updated.

Affected platforms:
  • Client: Windows 10, version 1909; Windows 10, version 1903
  • Server: Windows 10, version 1909; Windows Server, version 1903
Resolution: This issue was resolved with an updated driver for the affected Realtek Bluetooth radio and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1909 or Windows 10, version 1903.

Back to top		OS Build 18363.476

November 12, 2019
KB4524570		Resolved External
Last updated:
November 15, 2019 
05:59 PM PT

Opened:
May 21, 2019 
07:29 AM PT

+      "
diff --git a/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml b/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml
index 8b2b541e7e..3ba826b5ad 100644
--- a/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml
+++ b/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml
@@ -41,11 +41,6 @@ sections:
       
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on certain Windows devices.

See details >June 11, 2019
KB4503292Resolved External
August 09, 2019 
07:03 PM PT
       
IE11 may stop working when loading or interacting with Power BI reports
Power BI reports that contain line charts with markers may cause Internet Explorer 11 to stop working.

See details >May 14, 2019
KB4499164Resolved
KB4503277June 20, 2019 
02:00 PM PT
       
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view, or create Custom Views in Event Viewer, you may see an error or the app may close.

See details >June 11, 2019
KB4503292Resolved
KB4503277June 20, 2019 
02:00 PM PT
-      
Unable to access some gov.uk websites
gov.uk websites that don’t support “HSTS” may not be accessible

See details >May 14, 2019
KB4499164Resolved
KB4505050May 18, 2019 
02:00 PM PT
-      
System may be unresponsive after restart if ArcaBit antivirus software installed
Devices with ArcaBit antivirus software installed may become unresponsive upon restart.

See details >April 09, 2019
KB4493472Resolved
May 14, 2019 
01:23 PM PT
-      
System unresponsive after restart if Sophos Endpoint Protection installed
Devices with Sophos Endpoint Protection, managed by Sophos Central or Sophos Enterprise Console, may be unresponsive.

See details >April 09, 2019
KB4493472Resolved
May 14, 2019 
01:22 PM PT
-      
System may be unresponsive after restart if Avira antivirus software installed
Devices with Avira antivirus software installed may become unresponsive upon restart.

See details >April 09, 2019
KB4493472Resolved
May 14, 2019 
01:21 PM PT
-      
Authentication may fail for services after the Kerberos ticket expires
Authentication may fail for services that require unconstrained delegation after the Kerberos ticket expires.

See details >March 12, 2019
KB4489878Resolved
KB4499164May 14, 2019 
10:00 AM PT
       
       "
 
@@ -96,32 +91,11 @@ sections:
       
       "
 
-- title: May 2019
-- items:
-  - type: markdown
-    text: "
-      
-      
-      
DetailsOriginating updateStatusHistory
Unable to access some gov.uk websites
After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10, version 1507; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
Resolved: We have released an \"optional\" update for Internet Explorer 11 (KB4505050) to resolve this issue. We recommend you apply this update by installing KB4505050 from Windows Update and then restarting your device.
To download and install this update, see How to get an update through Windows Update. This update is also available through the Microsoft Update Catalog website.

Back to top		May 14, 2019
KB4499164		Resolved
KB4505050		Resolved:
May 18, 2019 
02:00 PM PT

Opened:
May 16, 2019 
01:57 PM PT

-      "
-
 - title: April 2019
 - items:
   - type: markdown
     text: "
       
-      
-      
-      
-      
DetailsOriginating updateStatusHistory

       
System may be unresponsive after restart with certain McAfee antivirus products
Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update. 

Affected platforms:
  • Client: Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
Resolution: This issue has been resolved. McAfee has released an automatic update to address this issue. Guidance for McAfee customers can be found in the following McAfee support articles: 

Back to top		April 09, 2019
KB4493472		Resolved External
Last updated:
August 13, 2019 
06:59 PM PT

Opened:
April 09, 2019 
10:00 AM PT
System may be unresponsive after restart if ArcaBit antivirus software installed
Microsoft and ArcaBit have identified an issue on devices with ArcaBit antivirus software installed that may cause the system to become unresponsive upon restart after installing KB4493472.

Affected platforms:
  • Client: Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. ArcaBit has released an update to address this issue. For more information, see the Arcabit support article.

Back to top		April 09, 2019
KB4493472		Resolved
Resolved:
May 14, 2019 
01:23 PM PT

Opened:
April 09, 2019 
10:00 AM PT
System unresponsive after restart if Sophos Endpoint Protection installed
Microsoft and Sophos have identified an issue on devices with Sophos Endpoint Protection installed and managed by either Sophos Central or Sophos Enterprise Console (SEC) that may cause the system to become unresponsive upon restart after installing KB4493472.

Affected platforms: 
  • Client: Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. Sophos has released an update to address this issue. Guidance for Sophos Endpoint and Sophos Enterprise Console customers can be found in the Sophos support article.

Back to top		April 09, 2019
KB4493472		Resolved
Resolved:
May 14, 2019 
01:22 PM PT

Opened:
April 09, 2019 
10:00 AM PT
System may be unresponsive after restart if Avira antivirus software installed
Microsoft and Avira have identified an issue on devices with Avira antivirus software installed that may cause the system to become unresponsive upon restart after installing KB4493472.

Affected platforms: 
  • Client: Windows 8.1; Windows 7 SP1 
  • Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. Avira has released an automatic update to address this issue. Guidance for Avira customers can be found in the Avira support article.

Back to top		April 09, 2019
KB4493472		Resolved
Resolved:
May 14, 2019 
01:21 PM PT

Opened:
April 09, 2019 
10:00 AM PT

-      "
-
-- title: March 2019
-- items:
-  - type: markdown
-    text: "
-      
-      
DetailsOriginating updateStatusHistory
Authentication may fail for services after the Kerberos ticket expires
After installing KB4489878, some customers report that authentication fails for services that require unconstrained delegation after the Kerberos ticket expires (the default is 10 hours). For example, the SQL server service fails.

Affected platforms: 
  • Client: Windows 7 SP1
  • Server: Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4499164.

Back to top		March 12, 2019
KB4489878		Resolved
KB4499164		Resolved:
May 14, 2019 
10:00 AM PT

Opened:
March 12, 2019 
10:00 AM PT

       

       "
diff --git a/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml b/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml
index dd4aae95a7..be34bac3ce 100644
--- a/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml
+++ b/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml
@@ -32,6 +32,7 @@ sections:
   - type: markdown
     text: "
       
+      
@@ -41,11 +42,6 @@ sections:
       
-      
-      
-      
-      
-      
SummaryOriginating updateStatusDate resolved
Printing from 32-bit apps might fail on a 64-bit OS
When attempting to print, you may receive an error or the application may stop responding or close.

See details >		August 13, 2019
KB4512489		Resolved
KB4525250		November 12, 2019 
10:00 AM PT

       
Intermittent issues when printing
The print spooler service may intermittently have issues completing a print job and results print job failure.

See details >		September 24, 2019
KB4516041		Resolved
KB4520005		October 08, 2019 
10:00 AM PT

       
Windows RT 8.1 devices may have issues opening Internet Explorer 11
On Windows RT 8.1 devices, Internet Explorer 11 may not open and you may receive an error.

See details >		September 10, 2019
KB4516067		Resolved
KB4516041		September 24, 2019 
10:00 AM PT

       
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using PXE images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

See details >		June 11, 2019
KB4503276		Resolved
KB4512478		August 17, 2019 
02:00 PM PT
IE11 may stop working when loading or interacting with Power BI reports
Power BI reports that contain line charts with markers may cause Internet Explorer 11 to stop working.

See details >		May 14, 2019
KB4499151		Resolved
KB4503283		June 20, 2019 
02:00 PM PT

       
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view, or create Custom Views in Event Viewer, you may see an error or the app may close.

See details >		June 11, 2019
KB4503276		Resolved
KB4503283		June 20, 2019 
02:00 PM PT

       
Issue using PXE to start a device from WDS
There may be issues using PXE to start a device from a WDS server configured to use Variable Window Extension.

See details >		March 12, 2019
KB4489881		Resolved
KB4503276		June 11, 2019 
10:00 AM PT
Unable to access some gov.uk websites
gov.uk websites that don’t support “HSTS” may not be accessible

See details >		May 14, 2019
KB4499151		Resolved
KB4505050		May 18, 2019 
02:00 PM PT
Layout and cell size of Excel sheets may change when using MS UI Gothic 
When using MS UI Gothic or MS PGothic in Excel, the text, layout, or cell size may become narrower or wider.

See details >		April 25, 2019
KB4493443		Resolved
KB4499151		May 14, 2019 
10:00 AM PT
System may be unresponsive after restart if ArcaBit antivirus software installed
Devices with ArcaBit antivirus software installed may become unresponsive upon restart.

See details >		April 09, 2019
KB4493446		Resolved
May 14, 2019 
01:22 PM PT
System unresponsive after restart if Sophos Endpoint Protection installed
Devices with Sophos Endpoint Protection, managed by Sophos Central or Sophos Enterprise Console, may be unresponsive.

See details >		April 09, 2019
KB4493446		Resolved
May 14, 2019 
01:22 PM PT
System may be unresponsive after restart if Avira antivirus software installed
Devices with Avira antivirus software installed may become unresponsive upon restart.

See details >		April 09, 2019
KB4493446		Resolved
May 14, 2019 
01:21 PM PT

       

       "
 
@@ -56,6 +52,15 @@ sections:
         

         
 
       "
+- title: November 2019
+- items:
+  - type: markdown
+    text: "
+      
+      
+      
DetailsOriginating updateStatusHistory
Printing from 32-bit apps might fail on a 64-bit OS
When attempting to print from a 32-bit app on a 64-bit operating system (OS), you may receive an error, or the application may stop responding or close. Note This issue only affects the 64-bit Security Only updates listed and does not affect any Monthly Rollup.

Affected platforms:
  • Client: Windows 8.1
  • Server: Windows Server 2012 R2; Windows Server 2012
Resolution: This issue is resolved in KB4525250. However, the issue occurs when you install only KB4512489 (released on August 13, 2019) without installing KB4507457, the previous Security Only update (released July 9, 2019). Reminder When using the Security Only updates, you must install the latest and all previous Security Only updates to ensure that the device contains all resolved security vulnerabilities.

Back to top		August 13, 2019
KB4512489		Resolved
KB4525250		Resolved:
November 12, 2019 
10:00 AM PT

Opened:
November 27, 2019 
04:02 PM PT

+      "
+
 - title: September 2019
 - items:
   - type: markdown
@@ -95,25 +100,12 @@ sections:
       
       "
 
-- title: May 2019
-- items:
-  - type: markdown
-    text: "
-      
-      
-      
-      
DetailsOriginating updateStatusHistory
Unable to access some gov.uk websites
After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10, version 1507; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
Resolved: We have released an \"optional\" update for Internet Explorer 11 (KB4505050) to resolve this issue. We recommend you apply this update by installing KB4505050 from Windows Update and then restarting your device.
To download and install this update, see How to get an update through Windows Update. This update is also available through the Microsoft Update Catalog website.

Back to top		May 14, 2019
KB4499151		Resolved
KB4505050		Resolved:
May 18, 2019 
02:00 PM PT

Opened:
May 16, 2019 
01:57 PM PT
Layout and cell size of Excel sheets may change when using MS UI Gothic 
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. For example, the layout and cell size of Microsoft Excel sheets may change when using MS UI Gothic.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue has been resolved.

Back to top		April 25, 2019
KB4493443		Resolved
KB4499151		Resolved:
May 14, 2019 
10:00 AM PT

Opened:
May 10, 2019 
10:35 AM PT

-      "
-
 - title: April 2019
 - items:
   - type: markdown
     text: "
       
-      
-      
-      
DetailsOriginating updateStatusHistory

       
System may be unresponsive after restart with certain McAfee antivirus products
Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update. 

Affected platforms:
  • Client: Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
Resolution: This issue has been resolved. McAfee has released an automatic update to address this issue. Guidance for McAfee customers can be found in the following McAfee support articles:  

Back to top		April 09, 2019
KB4493446		Resolved External
Last updated:
August 13, 2019 
06:59 PM PT

Opened:
April 09, 2019 
10:00 AM PT
System may be unresponsive after restart if ArcaBit antivirus software installed
Microsoft and ArcaBit have identified an issue on devices with ArcaBit antivirus software installed that may cause the system to become unresponsive upon restart after installing KB4493446.

Affected platforms:
  • Client: Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. ArcaBit has released an update to address this issue. For more information, see the Arcabit support article.

Back to top		April 09, 2019
KB4493446		Resolved
Resolved:
May 14, 2019 
01:22 PM PT

Opened:
April 09, 2019 
10:00 AM PT
System unresponsive after restart if Sophos Endpoint Protection installed
Microsoft and Sophos have identified an issue on devices with Sophos Endpoint Protection installed and managed by either Sophos Central or Sophos Enterprise Console (SEC) that may cause the system to become unresponsive upon restart after installing KB4493446.

Affected platforms: 
  • Client: Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. Sophos has released an update to address this issue. Guidance for Sophos Endpoint and Sophos Enterprise Console customers can be found in the Sophos support article.

Back to top		April 09, 2019
KB4493446		Resolved
Resolved:
May 14, 2019 
01:22 PM PT

Opened:
April 09, 2019 
10:00 AM PT
System may be unresponsive after restart if Avira antivirus software installed
Microsoft and Avira have identified an issue on devices with Avira antivirus software installed that may cause the system to become unresponsive upon restart after installing KB4493446.

Affected platforms: 
  • Client: Windows 8.1; Windows 7 SP1 
  • Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. Avira has released an automatic update to address this issue. Guidance for Avira customers can be found in the Avira support article.

Back to top		April 09, 2019
KB4493446		Resolved
Resolved:
May 14, 2019 
01:21 PM PT

Opened:
April 09, 2019 
10:00 AM PT

       

       "
 
diff --git a/windows/release-information/resolved-issues-windows-server-2008-sp2.yml b/windows/release-information/resolved-issues-windows-server-2008-sp2.yml
index 535126c94e..c0a8e854fa 100644
--- a/windows/release-information/resolved-issues-windows-server-2008-sp2.yml
+++ b/windows/release-information/resolved-issues-windows-server-2008-sp2.yml
@@ -38,9 +38,6 @@ sections:
       
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications made using VB6, macros using VBA, and VBScript may stop responding and you may receive an error.

See details >August 13, 2019
KB4512476Resolved
KB4517301August 16, 2019 
02:00 PM PT
       
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on certain Windows devices.

See details >June 11, 2019
KB4503273Resolved External
August 09, 2019 
07:03 PM PT
       
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view, or create Custom Views in Event Viewer, you may see an error or the app may close.

See details >June 11, 2019
KB4503273Resolved
KB4503271June 20, 2019 
02:00 PM PT
-      
System unresponsive after restart if Sophos Endpoint Protection installed
Devices with Sophos Endpoint Protection, managed by Sophos Central or Sophos Enterprise Console, may be unresponsive.

See details >April 09, 2019
KB4493471Resolved
May 14, 2019 
01:21 PM PT
-      
System may be unresponsive after restart if Avira antivirus software installed
Devices with Avira antivirus software installed may become unresponsive upon restart.

See details >April 09, 2019
KB4493471Resolved
May 14, 2019 
01:19 PM PT
-      
Authentication may fail for services after the Kerberos ticket expires
Authentication may fail for services that require unconstrained delegation after the Kerberos ticket expires.

See details >March 12, 2019
KB4489880Resolved
KB4499149May 14, 2019 
10:00 AM PT
       
       "
 
@@ -88,22 +85,3 @@ sections:
       
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4503271.  If you are using Security Only updates, see KB4508640 for resolving KB for your platform.

Back to topJune 11, 2019
KB4503273Resolved
KB4503271Resolved:
June 20, 2019 
02:00 PM PT

Opened:
June 12, 2019 
11:11 AM PT
       
       "
-
-- title: April 2019
-- items:
-  - type: markdown
-    text: "
-      
-      
-      
-      
DetailsOriginating updateStatusHistory
System unresponsive after restart if Sophos Endpoint Protection installed
Microsoft and Sophos have identified an issue on devices with Sophos Endpoint Protection installed and managed by either Sophos Central or Sophos Enterprise Console (SEC) that may cause the system to become unresponsive upon restart after installing KB4493471.

Affected platforms: 
  • Client: Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. Sophos has released an update to address this issue. Guidance for Sophos Endpoint and Sophos Enterprise Console customers can be found in the Sophos support article.

Back to top		April 09, 2019
KB4493471		Resolved
Resolved:
May 14, 2019 
01:21 PM PT

Opened:
April 09, 2019 
10:00 AM PT
System may be unresponsive after restart if Avira antivirus software installed
Microsoft and Avira have identified an issue on devices with Avira antivirus software installed that may cause the system to become unresponsive upon restart after installing KB4493471.

Affected platforms: 
  • Client: Windows 8.1; Windows 7 SP1 
  • Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. Avira has released an automatic update to address this issue. Guidance for Avira customers can be found in the Avira support article.

Back to top		April 09, 2019
KB4493471		Resolved
Resolved:
May 14, 2019 
01:19 PM PT

Opened:
April 09, 2019 
10:00 AM PT

-      "
-
-- title: March 2019
-- items:
-  - type: markdown
-    text: "
-      
-      
-      
DetailsOriginating updateStatusHistory
Authentication may fail for services after the Kerberos ticket expires
After installing KB4489880, some customers report that authentication fails for services that require unconstrained delegation after the Kerberos ticket expires (the default is 10 hours). For example, the SQL server service fails.

Affected platforms: 
  • Client: Windows 7 SP1
  • Server: Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4499149.

Back to top		March 12, 2019
KB4489880		Resolved
KB4499149		Resolved:
May 14, 2019 
10:00 AM PT

Opened:
March 12, 2019 
10:00 AM PT

-      "
diff --git a/windows/release-information/resolved-issues-windows-server-2012.yml b/windows/release-information/resolved-issues-windows-server-2012.yml
index 660872c996..268770f5d8 100644
--- a/windows/release-information/resolved-issues-windows-server-2012.yml
+++ b/windows/release-information/resolved-issues-windows-server-2012.yml
@@ -32,6 +32,7 @@ sections:
   - type: markdown
     text: "
       
+      
@@ -40,10 +41,6 @@ sections:
       
-      
-      
-      
-      
SummaryOriginating updateStatusDate resolved
Printing from 32-bit apps might fail on a 64-bit OS
When attempting to print, you may receive an error or the application may stop responding or close.

See details >		August 13, 2019
KB4512482		Resolved
KB4525253		November 12, 2019 
10:00 AM PT

       
Intermittent issues when printing
The print spooler service may intermittently have issues completing a print job and results print job failure.

See details >		September 24, 2019
KB4516069		Resolved
KB4520007		October 08, 2019 
10:00 AM PT

       
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using PXE images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

See details >		June 11, 2019
KB4503285		Resolved
KB4512512		August 17, 2019 
02:00 PM PT

       
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications made using VB6, macros using VBA, and VBScript may stop responding and you may receive an error.

See details >		August 13, 2019
KB4512518		Resolved
KB4517302		August 16, 2019 
02:00 PM PT
IE11 may stop working when loading or interacting with Power BI reports
Power BI reports that contain line charts with markers may cause Internet Explorer 11 to stop working.

See details >		May 14, 2019
KB4499171		Resolved
KB4503295		June 21, 2019 
02:00 PM PT

       
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view, or create Custom Views in Event Viewer, you may see an error or the app may close.

See details >		June 11, 2019
KB4503285		Resolved
KB4503295		June 20, 2019 
02:00 PM PT

       
Issue using PXE to start a device from WDS
There may be issues using PXE to start a device from a WDS server configured to use Variable Window Extension.

See details >		March 12, 2019
KB4489891		Resolved
KB4503285		June 11, 2019 
10:00 AM PT
Unable to access some gov.uk websites
gov.uk websites that don’t support “HSTS” may not be accessible

See details >		May 14, 2019
KB4499171		Resolved
KB4505050		May 18, 2019 
02:00 PM PT
Layout and cell size of Excel sheets may change when using MS UI Gothic 
When using MS UI Gothic or MS PGothic in Excel, the text, layout, or cell size may become narrower or wider.

See details >		April 25, 2019
KB4493462		Resolved
KB4499171		May 14, 2019 
10:00 AM PT
System unresponsive after restart if Sophos Endpoint Protection installed
Devices with Sophos Endpoint Protection, managed by Sophos Central or Sophos Enterprise Console, may be unresponsive.

See details >		April 09, 2019
KB4493451		Resolved
May 14, 2019 
01:21 PM PT
System may be unresponsive after restart if Avira antivirus software installed
Devices with Avira antivirus software installed may become unresponsive upon restart.

See details >		April 09, 2019
KB4493451		Resolved
May 14, 2019 
01:19 PM PT

       

       "
 
@@ -54,6 +51,15 @@ sections:
         

         
 
       "
+- title: November 2019
+- items:
+  - type: markdown
+    text: "
+      
+      
+      
DetailsOriginating updateStatusHistory
Printing from 32-bit apps might fail on a 64-bit OS
When attempting to print from a 32-bit app on a 64-bit operating system (OS), you may receive an error, or the application may stop responding or close. Note This issue only affects the 64-bit Security Only updates listed and does not affect any Monthly Rollup.

Affected platforms:
  • Client: Windows 8.1
  • Server: Windows Server 2012 R2; Windows Server 2012
Resolution: This issue is resolved in KB4525253. However, the issue occurs when you install only KB4512482 (released on August 13, 2019) without installing KB4507447, the previous Security Only update (released July 9, 2019). Reminder When using the Security Only updates, you must install the latest and all previous Security Only updates to ensure that the device contains all resolved security vulnerabilities.

Back to top		August 13, 2019
KB4512482		Resolved
KB4525253		Resolved:
November 12, 2019 
10:00 AM PT

Opened:
November 27, 2019 
04:02 PM PT

+      "
+
 - title: September 2019
 - items:
   - type: markdown
@@ -93,26 +99,6 @@ sections:
       
       "
 
-- title: May 2019
-- items:
-  - type: markdown
-    text: "
-      
-      
-      
-      
DetailsOriginating updateStatusHistory
Unable to access some gov.uk websites
After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10, version 1507; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
Resolved: We have released an \"optional\" update for Internet Explorer 11 (KB4505050) to resolve this issue. We recommend you apply this update by installing KB4505050 from Windows Update and then restarting your device.
To download and install this update, see How to get an update through Windows Update. This update is also available through the Microsoft Update Catalog website.

Back to top		May 14, 2019
KB4499171		Resolved
KB4505050		Resolved:
May 18, 2019 
02:00 PM PT

Opened:
May 16, 2019 
01:57 PM PT
Layout and cell size of Excel sheets may change when using MS UI Gothic 
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. For example, the layout and cell size of Microsoft Excel sheets may change when using MS UI Gothic.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue has been resolved.

Back to top		April 25, 2019
KB4493462		Resolved
KB4499171		Resolved:
May 14, 2019 
10:00 AM PT

Opened:
May 10, 2019 
10:35 AM PT

-      "
-
-- title: April 2019
-- items:
-  - type: markdown
-    text: "
-      
-      
-      
-      
DetailsOriginating updateStatusHistory
System unresponsive after restart if Sophos Endpoint Protection installed
Microsoft and Sophos have identified an issue on devices with Sophos Endpoint Protection installed and managed by either Sophos Central or Sophos Enterprise Console (SEC) that may cause the system to become unresponsive upon restart after installing KB4493451.

Affected platforms: 
  • Client: Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. Sophos has released an update to address this issue. Guidance for Sophos Endpoint and Sophos Enterprise Console customers can be found in the Sophos support article.

Back to top		April 09, 2019
KB4493451		Resolved
Resolved:
May 14, 2019 
01:21 PM PT

Opened:
April 09, 2019 
10:00 AM PT
System may be unresponsive after restart if Avira antivirus software installed
Microsoft and Avira have identified an issue on devices with Avira antivirus software installed that may cause the system to become unresponsive upon restart after installing KB4493451.

Affected platforms: 
  • Client: Windows 8.1; Windows 7 SP1 
  • Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. Avira has released an automatic update to address this issue. Guidance for Avira customers can be found in the Avira support article.

Back to top		April 09, 2019
KB4493451		Resolved
Resolved:
May 14, 2019 
01:19 PM PT

Opened:
April 09, 2019 
10:00 AM PT

-      "
-
 - title: March 2019
 - items:
   - type: markdown
diff --git a/windows/release-information/status-windows-10-1507.yml b/windows/release-information/status-windows-10-1507.yml
index 0e940b2321..780532c8fb 100644
--- a/windows/release-information/status-windows-10-1507.yml
+++ b/windows/release-information/status-windows-10-1507.yml
@@ -29,21 +29,21 @@ sections:
     columns: 3
     items:
     
-    - href: https://blogs.windows.com/windowsexperience/2019/05/21/how-to-get-the-windows-10-may-2019-update/#1P75kJB6T5OhySyo.97
+    - href: https://aka.ms/how-to-get-1909
       html: Get the update >
       image: 
-        src: https://docs.microsoft.com/media/common/i_deploy.svg
-      title: Windows 10, version 1903 rollout in progress
-    - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Using-machine-learning-to-improve-the-Windows-10-update/ba-p/877860
-      html: Learn how machine learning informs each rollout >
+        src: http://docs.microsoft.com/media/common/i_download-install.svg
+      title: Windows 10, version 1909 now available
+    - href: https://aka.ms/1909mechanics
+      html: Explore the improvements >
       image: 
-        src: https://docs.microsoft.com/media/common/i_multi-connect.svg
-      title: Improving the Windows 10 update experience
-    - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-update-servicing-cadence/ba-p/222376
-      html: Learn more >
+        src: http://docs.microsoft.com/media/common/i_investigate.svg
+      title: Windows 10, version 1909 delivery options
+    - href: https://aka.ms/whats-new-in-1909
+      html: Learn about the latest capabilities for IT >
       image: 
-        src: https://docs.microsoft.com/media/common/i_investigate.svg
-      title: Windows 10 update servicing cadence
+        src: http://docs.microsoft.com/media/common/i_article.svg
+      title: What’s new in Windows 10, version 1909
 - items:
   - type: markdown
     text: "
@@ -61,7 +61,6 @@ sections:
     text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.


       
-      
SummaryOriginating updateStatusLast updated

       
TLS connections might fail or timeout
Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.

See details >		OS Build 10240.18368

October 08, 2019
KB4520011		Mitigated External
November 05, 2019 
03:36 PM PT
Intermittent issues when printing
The print spooler service may intermittently have issues completing a print job and results print job failure.

See details >		OS Build 10240.18334

September 23, 2019
KB4522009		Resolved
KB4520011		October 08, 2019 
10:00 AM PT

       
Certain operations performed on a Cluster Shared Volume may fail
Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).

See details >		OS Build 10240.18094

January 08, 2019
KB4480962		Mitigated
April 25, 2019 
02:00 PM PT

       

       "
@@ -82,15 +81,6 @@ sections:
       
       "
 
-- title: September 2019
-- items:
-  - type: markdown
-    text: "
-      
-      
-      
DetailsOriginating updateStatusHistory
Intermittent issues when printing
Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
  • Applications interacting with the V4 printer driver might close or error when printing. Issues might only be encountered when printing but might also be encountered at any time the app is running, depending on when the app interacts with the print driver.
  • The printer spooler service (spoolsv.exe) might close or error in jscript.dll with exception code 0xc0000005 causing the print jobs to stop processing. Only part of the print job might print and the rest might be canceled or error.
Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4520011.

Back to top		OS Build 10240.18334

September 23, 2019
KB4522009		Resolved
KB4520011		Resolved:
October 08, 2019 
10:00 AM PT

Opened:
September 30, 2019 
06:26 PM PT

-      "
-
 - title: January 2019
 - items:
   - type: markdown
diff --git a/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml b/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml
index d3cf6d65f2..b7c13357d2 100644
--- a/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml
+++ b/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml
@@ -29,21 +29,21 @@ sections:
     columns: 3
     items:
     
-    - href: https://blogs.windows.com/windowsexperience/2019/05/21/how-to-get-the-windows-10-may-2019-update/#1P75kJB6T5OhySyo.97
+    - href: https://aka.ms/how-to-get-1909
       html: Get the update >
       image: 
-        src: https://docs.microsoft.com/media/common/i_deploy.svg
-      title: Windows 10, version 1903 rollout in progress
-    - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Using-machine-learning-to-improve-the-Windows-10-update/ba-p/877860
-      html: Learn how machine learning informs each rollout >
+        src: http://docs.microsoft.com/media/common/i_download-install.svg
+      title: Windows 10, version 1909 now available
+    - href: https://aka.ms/1909mechanics
+      html: Explore the improvements >
       image: 
-        src: https://docs.microsoft.com/media/common/i_multi-connect.svg
-      title: Improving the Windows 10 update experience
-    - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-update-servicing-cadence/ba-p/222376
-      html: Learn more >
+        src: http://docs.microsoft.com/media/common/i_investigate.svg
+      title: Windows 10, version 1909 delivery options
+    - href: https://aka.ms/whats-new-in-1909
+      html: Learn about the latest capabilities for IT >
       image: 
-        src: https://docs.microsoft.com/media/common/i_investigate.svg
-      title: Windows 10 update servicing cadence
+        src: http://docs.microsoft.com/media/common/i_article.svg
+      title: What’s new in Windows 10, version 1909
 - items:
   - type: markdown
     text: "
@@ -61,7 +61,6 @@ sections:
     text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.


       
-      
@@ -84,15 +83,6 @@ sections:
       
SummaryOriginating updateStatusLast updated

       
TLS connections might fail or timeout
Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.

See details >		OS Build 14393.3274

October 08, 2019
KB4519998		Mitigated External
November 05, 2019 
03:36 PM PT
Intermittent issues when printing
The print spooler service may intermittently have issues completing a print job and results print job failure.

See details >		OS Build 14393.3206

September 23, 2019
KB4522010		Resolved
KB4519998		October 08, 2019 
10:00 AM PT

       
Certain operations performed on a Cluster Shared Volume may fail
Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).

See details >		OS Build 14393.2724

January 08, 2019
KB4480961		Mitigated
April 25, 2019 
02:00 PM PT

       
Windows may not start on certain Lenovo and Fujitsu laptops with less than 8GB of RAM
Windows may fail to start on certain Lenovo and Fujitsu laptops that have less than 8 GB of RAM.

See details >		OS Build 14393.2608

November 13, 2018
KB4467691		Mitigated
February 19, 2019 
10:00 AM PT

       
Cluster service may fail if the minimum password length is set to greater than 14
The cluster service may fail to start if “Minimum Password Length” is configured with greater than 14 characters.

See details >		OS Build 14393.2639

November 27, 2018
KB4467684		Mitigated
April 25, 2019 
02:00 PM PT

       "
 
-- title: September 2019
-- items:
-  - type: markdown
-    text: "
-      
-      
-      
DetailsOriginating updateStatusHistory
Intermittent issues when printing
Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
  • Applications interacting with the V4 printer driver might close or error when printing. Issues might only be encountered when printing but might also be encountered at any time the app is running, depending on when the app interacts with the print driver.
  • The printer spooler service (spoolsv.exe) might close or error in jscript.dll with exception code 0xc0000005 causing the print jobs to stop processing. Only part of the print job might print and the rest might be canceled or error.
Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4519998.

Back to top		OS Build 14393.3206

September 23, 2019
KB4522010		Resolved
KB4519998		Resolved:
October 08, 2019 
10:00 AM PT

Opened:
September 30, 2019 
06:26 PM PT

-      "
-
 - title: January 2019
 - items:
   - type: markdown
diff --git a/windows/release-information/status-windows-10-1703.yml b/windows/release-information/status-windows-10-1703.yml
deleted file mode 100644
index 5ad1df7093..0000000000
--- a/windows/release-information/status-windows-10-1703.yml
+++ /dev/null
@@ -1,95 +0,0 @@
-### YamlMime:YamlDocument
-
-documentType: LandingData
-title: Windows 10, version 1703
-metadata:
-  document_id: 
-  title: Windows 10, version 1703
-  description: View announcements and review known issues and fixes for Windows 10 version 1703
-  keywords: Windows 10, issues, fixes, announcements, Windows Server, advisories
-  ms.localizationpriority: high
-  author: greg-lindsay
-  ms.author: greglin
-  manager: dougkim
-  ms.topic: article
-  ms.devlang: na
-
-sections:
-- items:
-  - type: markdown
-    text: "
-      Find information on known issues for Windows 10, version 1703. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s).
-      
- 
-
Windows 10, version 1703 has reached end of service
Consumer and commercial editions of Windows 10, version 1703 have reached end of service. Devices running these editions are no longer receiving monthly security and quality updates containing protections from the latest security threats. We recommend that you update these devices to the latest version of Windows 10 immediately. For more information on end of service dates currently supported versions of Windows 10, see the Windows lifecycle fact sheet.

Note This page will be retired on Tuesday, November 12, 2019.

-

-
-      " 
-
-- items:
-  - type: list
-    style: cards
-    className: cardsM
-    columns: 3
-    items:
-    
-    - href: https://blogs.windows.com/windowsexperience/2019/05/21/how-to-get-the-windows-10-may-2019-update/#1P75kJB6T5OhySyo.97
-      html: Get the update >
-      image: 
-        src: https://docs.microsoft.com/media/common/i_deploy.svg
-      title: Windows 10, version 1903 rollout in progress
-    - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Using-machine-learning-to-improve-the-Windows-10-update/ba-p/877860
-      html: Learn how machine learning informs each rollout >
-      image: 
-        src: https://docs.microsoft.com/media/common/i_multi-connect.svg
-      title: Improving the Windows 10 update experience
-    - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-update-servicing-cadence/ba-p/222376
-      html: Learn more >
-      image: 
-        src: https://docs.microsoft.com/media/common/i_investigate.svg
-      title: Windows 10 update servicing cadence
-- items:
-  - type: markdown
-    text: "
-      
-      "
-- items:
-  - type: markdown
-    text: "
-        

-      "
-
-- title: Known issues
-- items:
-  - type: markdown
-    text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.


-      
-      
-      
-      
SummaryOriginating updateStatusLast updated
Intermittent issues when printing
The print spooler service may intermittently have issues completing a print job and results print job failure.

See details >		OS Build 15063.2046

September 23, 2019
KB4522011		Resolved
KB4520010		October 08, 2019 
10:00 AM PT
Certain operations performed on a Cluster Shared Volume may fail
Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).

See details >		OS Build 15063.1563

January 08, 2019
KB4480973		Mitigated
April 25, 2019 
02:00 PM PT

-      "
-
-- title: Issue details
-- items:
-  - type: markdown
-    text: "
-        

-        
 
-      "
-- title: September 2019
-- items:
-  - type: markdown
-    text: "
-      
-      
-      
DetailsOriginating updateStatusHistory
Intermittent issues when printing
Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
  • Applications interacting with the V4 printer driver might close or error when printing. Issues might only be encountered when printing but might also be encountered at any time the app is running, depending on when the app interacts with the print driver.
  • The printer spooler service (spoolsv.exe) might close or error in jscript.dll with exception code 0xc0000005 causing the print jobs to stop processing. Only part of the print job might print and the rest might be canceled or error.
Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4520010.

Back to top		OS Build 15063.2046

September 23, 2019
KB4522011		Resolved
KB4520010		Resolved:
October 08, 2019 
10:00 AM PT

Opened:
September 30, 2019 
06:26 PM PT

-      "
-
-- title: January 2019
-- items:
-  - type: markdown
-    text: "
-      
-      
-      
DetailsOriginating updateStatusHistory
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege. 

Affected platforms: 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: Do one of the following: 
  • Perform the operation from a process that has administrator privilege. 
  • Perform the operation from a node that doesn’t have CSV ownership. 
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 15063.1563

January 08, 2019
KB4480973		Mitigated
Last updated:
April 25, 2019 
02:00 PM PT

Opened:
January 08, 2019 
10:00 AM PT

-      "
diff --git a/windows/release-information/status-windows-10-1709.yml b/windows/release-information/status-windows-10-1709.yml
index 01a0e958ec..20cdc6691b 100644
--- a/windows/release-information/status-windows-10-1709.yml
+++ b/windows/release-information/status-windows-10-1709.yml
@@ -29,21 +29,21 @@ sections:
     columns: 3
     items:
     
-    - href: https://blogs.windows.com/windowsexperience/2019/05/21/how-to-get-the-windows-10-may-2019-update/#1P75kJB6T5OhySyo.97
+    - href: https://aka.ms/how-to-get-1909
       html: Get the update >
       image: 
-        src: https://docs.microsoft.com/media/common/i_deploy.svg
-      title: Windows 10, version 1903 rollout in progress
-    - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Using-machine-learning-to-improve-the-Windows-10-update/ba-p/877860
-      html: Learn how machine learning informs each rollout >
+        src: http://docs.microsoft.com/media/common/i_download-install.svg
+      title: Windows 10, version 1909 now available
+    - href: https://aka.ms/1909mechanics
+      html: Explore the improvements >
       image: 
-        src: https://docs.microsoft.com/media/common/i_multi-connect.svg
-      title: Improving the Windows 10 update experience
-    - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-update-servicing-cadence/ba-p/222376
-      html: Learn more >
+        src: http://docs.microsoft.com/media/common/i_investigate.svg
+      title: Windows 10, version 1909 delivery options
+    - href: https://aka.ms/whats-new-in-1909
+      html: Learn about the latest capabilities for IT >
       image: 
-        src: https://docs.microsoft.com/media/common/i_investigate.svg
-      title: Windows 10 update servicing cadence
+        src: http://docs.microsoft.com/media/common/i_article.svg
+      title: What’s new in Windows 10, version 1909
 - items:
   - type: markdown
     text: "
@@ -60,9 +60,8 @@ sections:
   - type: markdown
     text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.


       
+      
-      
-      
SummaryOriginating updateStatusLast updated
Unable to create local users in Chinese, Japanese and Korean during device setup
You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.

See details >		OS Build 16299.1387

September 10, 2019
KB4516066		Mitigated
November 12, 2019 
08:05 AM PT

       
TLS connections might fail or timeout
Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.

See details >		OS Build 16299.1451

October 08, 2019
KB4520004		Mitigated External
November 05, 2019 
03:36 PM PT
Unable to create local users in Chinese, Japanese and Korean during device setup
You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.

See details >		OS Build 16299.1387

September 10, 2019
KB4516066		Mitigated
October 29, 2019 
05:15 PM PT
Intermittent issues when printing
The print spooler service may intermittently have issues completing a print job and results print job failure.

See details >		OS Build 16299.1392

September 23, 2019
KB4522012		Resolved
KB4520004		October 08, 2019 
10:00 AM PT

       
Certain operations performed on a Cluster Shared Volume may fail
Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).

See details >		OS Build 16299.904

January 08, 2019
KB4480978		Mitigated
April 25, 2019 
02:00 PM PT

       

       "
@@ -88,16 +87,7 @@ sections:
   - type: markdown
     text: "
       
-      
-      
DetailsOriginating updateStatusHistory
Unable to create local users in Chinese, Japanese and Korean during device setup
When setting up a new Windows device using the Out of Box Experience (OOBE), you might be unable to create a local user when using Input Method Editor (IME). This issue might affect you if you are using the IME for Chinese, Japanese, or Korean languages.

Note This issue does not affect using a Microsoft Account during OOBE.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709
Workaround: To mitigate this issue, set the keyboard language to English during user creation or use a Microsoft Account to complete OOBE. You can set the keyboard language back to your preferred language after user creation. Once the OOBE is done and you are at the desktop, you can rename the current user using these instructions. If you prefer to create a new local user, see KB4026923.

Next steps: We are working on a resolution and estimate a solution will be available in late November.

Back to top		OS Build 16299.1387

September 10, 2019
KB4516066		Mitigated
Last updated:
October 29, 2019 
05:15 PM PT

Opened:
October 29, 2019 
05:15 PM PT

-      "
-
-- title: September 2019
-- items:
-  - type: markdown
-    text: "
-      
-      
+      
DetailsOriginating updateStatusHistory
Intermittent issues when printing
Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
  • Applications interacting with the V4 printer driver might close or error when printing. Issues might only be encountered when printing but might also be encountered at any time the app is running, depending on when the app interacts with the print driver.
  • The printer spooler service (spoolsv.exe) might close or error in jscript.dll with exception code 0xc0000005 causing the print jobs to stop processing. Only part of the print job might print and the rest might be canceled or error.
Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4520004.

Back to top		OS Build 16299.1392

September 23, 2019
KB4522012		Resolved
KB4520004		Resolved:
October 08, 2019 
10:00 AM PT

Opened:
September 30, 2019 
06:26 PM PT
Unable to create local users in Chinese, Japanese and Korean during device setup
When setting up a new Windows device using the Out of Box Experience (OOBE), you might be unable to create a local user when using Input Method Editor (IME). This issue might affect you if you are using the IME for Chinese, Japanese, or Korean languages.

Note This issue does not affect using a Microsoft Account during OOBE.

Affected platforms:
  • Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709
  • Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709
Workaround: To mitigate this issue, set the keyboard language to English during user creation or use a Microsoft Account to complete OOBE. You can set the keyboard language back to your preferred language after user creation. Once the OOBE is done and you are at the desktop, you can rename the current user using these instructions. If you prefer to create a new local user, see KB4026923.

Next steps: We are working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 16299.1387

September 10, 2019
KB4516066		Mitigated
Last updated:
November 12, 2019 
08:05 AM PT

Opened:
October 29, 2019 
05:15 PM PT

       

       "
 
diff --git a/windows/release-information/status-windows-10-1803.yml b/windows/release-information/status-windows-10-1803.yml
index 4fa63b7381..259b1f258f 100644
--- a/windows/release-information/status-windows-10-1803.yml
+++ b/windows/release-information/status-windows-10-1803.yml
@@ -21,7 +21,7 @@ sections:
       Find information on known issues for Windows 10, version 1803. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s).
       
  
-
Current status as of August 7, 2019:       
Windows 10, version 1803 (the April 2018 Update) will reach end of service on November 12, 2019 for Home and Pro editions. We will begin updating devices running Windows 10, version 1803 to Windows 10, version 1903 (the May 2019 Update) starting July 16, 2019 to help ensure that these devices remain in a serviced and secure state. For more information, see the Windows 10, version 1903 section of the release information dashboard.

+
Current status as of November 12, 2019:       
Windows 10, version 1803 (the April 2018 Update) Home and Pro editions have reached end of service. For Windows 10 devices that are at, or within several months of reaching end of service, Windows Update will automatically initiate a feature update (with users having the ability to choose a convenient time); keeping those devices supported and receiving the monthly updates that are critical to device security and ecosystem health.

 

 
       " 
@@ -33,21 +33,21 @@ sections:
     columns: 3
     items:
     
-    - href: https://blogs.windows.com/windowsexperience/2019/05/21/how-to-get-the-windows-10-may-2019-update/#1P75kJB6T5OhySyo.97
+    - href: https://aka.ms/how-to-get-1909
       html: Get the update >
       image: 
-        src: https://docs.microsoft.com/media/common/i_deploy.svg
-      title: Windows 10, version 1903 rollout in progress
-    - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Using-machine-learning-to-improve-the-Windows-10-update/ba-p/877860
-      html: Learn how machine learning informs each rollout >
+        src: http://docs.microsoft.com/media/common/i_download-install.svg
+      title: Windows 10, version 1909 now available
+    - href: https://aka.ms/1909mechanics
+      html: Explore the improvements >
       image: 
-        src: https://docs.microsoft.com/media/common/i_multi-connect.svg
-      title: Improving the Windows 10 update experience
-    - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-update-servicing-cadence/ba-p/222376
-      html: Learn more >
+        src: http://docs.microsoft.com/media/common/i_investigate.svg
+      title: Windows 10, version 1909 delivery options
+    - href: https://aka.ms/whats-new-in-1909
+      html: Learn about the latest capabilities for IT >
       image: 
-        src: https://docs.microsoft.com/media/common/i_investigate.svg
-      title: Windows 10 update servicing cadence
+        src: http://docs.microsoft.com/media/common/i_article.svg
+      title: What’s new in Windows 10, version 1909
 - items:
   - type: markdown
     text: "
@@ -64,11 +64,8 @@ sections:
   - type: markdown
     text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.


       
+      
-      
-      
-      
-      
SummaryOriginating updateStatusLast updated
Unable to create local users in Chinese, Japanese and Korean during device setup
You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.

See details >		OS Build 17134.1006

September 10, 2019
KB4516058		Mitigated
November 12, 2019 
08:05 AM PT

       
TLS connections might fail or timeout
Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.

See details >		OS Build 17134.1069

October 08, 2019
KB4520008		Mitigated External
November 05, 2019 
03:36 PM PT
Unable to create local users in Chinese, Japanese and Korean during device setup
You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.

See details >		OS Build 17134.1006

September 10, 2019
KB4516058		Mitigated
October 29, 2019 
05:15 PM PT
Windows Mixed Reality Portal users may intermittently receive a 15-5 error code
You may receive a 15-5 error code in Windows Mixed Reality Portal and your headset may not wake up from sleep.

See details >		OS Build 17134.950

August 13, 2019
KB4512501		Resolved
KB4519978		October 15, 2019 
10:00 AM PT
Startup to a black screen after installing updates
Your device may startup to a black screen during the first logon after installing updates.

See details >		OS Build 17134.829

June 11, 2019
KB4503286		Resolved
KB4519978		October 15, 2019 
10:00 AM PT
Intermittent issues when printing
The print spooler service may intermittently have issues completing a print job and results print job failure.

See details >		OS Build 17134.1009

September 23, 2019
KB4522014		Resolved
KB4520008		October 08, 2019 
10:00 AM PT

       
Certain operations performed on a Cluster Shared Volume may fail
Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).

See details >		OS Build 17134.523

January 08, 2019
KB4480966		Mitigated
April 25, 2019 
02:00 PM PT

       

       "
@@ -94,26 +91,7 @@ sections:
   - type: markdown
     text: "
       
-      
-      
DetailsOriginating updateStatusHistory
Unable to create local users in Chinese, Japanese and Korean during device setup
When setting up a new Windows device using the Out of Box Experience (OOBE), you might be unable to create a local user when using Input Method Editor (IME). This issue might affect you if you are using the IME for Chinese, Japanese, or Korean languages.

Note This issue does not affect using a Microsoft Account during OOBE.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709
Workaround: To mitigate this issue, set the keyboard language to English during user creation or use a Microsoft Account to complete OOBE. You can set the keyboard language back to your preferred language after user creation. Once the OOBE is done and you are at the desktop, you can rename the current user using these instructions. If you prefer to create a new local user, see KB4026923.

Next steps: We are working on a resolution and estimate a solution will be available in late November.

Back to top		OS Build 17134.1006

September 10, 2019
KB4516058		Mitigated
Last updated:
October 29, 2019 
05:15 PM PT

Opened:
October 29, 2019 
05:15 PM PT

-      "
-
-- title: September 2019
-- items:
-  - type: markdown
-    text: "
-      
-      
-      
-      
DetailsOriginating updateStatusHistory
Windows Mixed Reality Portal users may intermittently receive a 15-5 error code
After installing KB4512501, Windows Mixed Reality Portal users may intermittently receive a 15-5 error code. In some cases, Windows Mixed Reality Portal may report that the headset is sleeping and pressing “Wake up” may appear to produce no action.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10, version 1803
Resolution: This issue was resolved in KB4519978.

Back to top		OS Build 17134.950

August 13, 2019
KB4512501		Resolved
KB4519978		Resolved:
October 15, 2019 
10:00 AM PT

Opened:
September 11, 2019 
05:32 PM PT
Intermittent issues when printing
Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
  • Applications interacting with the V4 printer driver might close or error when printing. Issues might only be encountered when printing but might also be encountered at any time the app is running, depending on when the app interacts with the print driver.
  • The printer spooler service (spoolsv.exe) might close or error in jscript.dll with exception code 0xc0000005 causing the print jobs to stop processing. Only part of the print job might print and the rest might be canceled or error.
Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4520008.

Back to top		OS Build 17134.1009

September 23, 2019
KB4522014		Resolved
KB4520008		Resolved:
October 08, 2019 
10:00 AM PT

Opened:
September 30, 2019 
06:26 PM PT

-      "
-
-- title: June 2019
-- items:
-  - type: markdown
-    text: "
-      
-      
+      
DetailsOriginating updateStatusHistory
Startup to a black screen after installing updates
We are investigating reports that a small number of devices may startup to a black screen during the first logon after installing updates.


Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803
  • Server: Windows Server 2019
Resolution: This issue was resolved in KB4519978.

Back to top		OS Build 17134.829

June 11, 2019
KB4503286		Resolved
KB4519978		Resolved:
October 15, 2019 
10:00 AM PT

Opened:
June 14, 2019 
04:41 PM PT
Unable to create local users in Chinese, Japanese and Korean during device setup
When setting up a new Windows device using the Out of Box Experience (OOBE), you might be unable to create a local user when using Input Method Editor (IME). This issue might affect you if you are using the IME for Chinese, Japanese, or Korean languages.

Note This issue does not affect using a Microsoft Account during OOBE.

Affected platforms:
  • Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709
  • Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709
Workaround: To mitigate this issue, set the keyboard language to English during user creation or use a Microsoft Account to complete OOBE. You can set the keyboard language back to your preferred language after user creation. Once the OOBE is done and you are at the desktop, you can rename the current user using these instructions. If you prefer to create a new local user, see KB4026923.

Next steps: We are working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 17134.1006

September 10, 2019
KB4516058		Mitigated
Last updated:
November 12, 2019 
08:05 AM PT

Opened:
October 29, 2019 
05:15 PM PT

       

       "
 
diff --git a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml
index fcc5aa3645..88e42ce4a7 100644
--- a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml
+++ b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml
@@ -21,7 +21,7 @@ sections:
       Find information on known issues for Windows 10, version 1809 and Windows Server 2019. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s).
       
  
-
Current status:
Windows 10, version 1809 is designated for broad deployment and available for any user who manually selects “Check for updates” via Windows Update. The recommended servicing status is Semi-Annual Channel.

+
Current status as of November 12, 2019:
Windows 10, version 1809 is designated for broad deployment. The recommended servicing status is Semi-Annual Channel.

 

 
       " 
@@ -33,21 +33,21 @@ sections:
     columns: 3
     items:
     
-    - href: https://blogs.windows.com/windowsexperience/2019/05/21/how-to-get-the-windows-10-may-2019-update/#1P75kJB6T5OhySyo.97
+    - href: https://aka.ms/how-to-get-1909
       html: Get the update >
       image: 
-        src: https://docs.microsoft.com/media/common/i_deploy.svg
-      title: Windows 10, version 1903 rollout in progress
-    - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Using-machine-learning-to-improve-the-Windows-10-update/ba-p/877860
-      html: Learn how machine learning informs each rollout >
+        src: http://docs.microsoft.com/media/common/i_download-install.svg
+      title: Windows 10, version 1909 now available
+    - href: https://aka.ms/1909mechanics
+      html: Explore the improvements >
       image: 
-        src: https://docs.microsoft.com/media/common/i_multi-connect.svg
-      title: Improving the Windows 10 update experience
-    - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-update-servicing-cadence/ba-p/222376
-      html: Learn more >
+        src: http://docs.microsoft.com/media/common/i_investigate.svg
+      title: Windows 10, version 1909 delivery options
+    - href: https://aka.ms/whats-new-in-1909
+      html: Learn about the latest capabilities for IT >
       image: 
-        src: https://docs.microsoft.com/media/common/i_investigate.svg
-      title: Windows 10 update servicing cadence
+        src: http://docs.microsoft.com/media/common/i_article.svg
+      title: What’s new in Windows 10, version 1909
 - items:
   - type: markdown
     text: "
@@ -64,12 +64,9 @@ sections:
   - type: markdown
     text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.


       
+      
+      
-      
-      
-      
-      
-      
SummaryOriginating updateStatusLast updated
Microsoft Defender Advanced Threat Protection might stop running
The Microsoft Defender ATP service might stop running and might fail to send reporting data.

See details >		OS Build 17763.832

October 15, 2019
KB4520062		Resolved
KB4523205		November 12, 2019 
10:00 AM PT
Unable to create local users in Chinese, Japanese and Korean during device setup
You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.

See details >		OS Build 17763.737

September 10, 2019
KB4512578		Mitigated
November 12, 2019 
08:05 AM PT

       
TLS connections might fail or timeout
Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.

See details >		OS Build 17763.805

October 08, 2019
KB4519338		Mitigated External
November 05, 2019 
03:36 PM PT
Unable to create local users in Chinese, Japanese and Korean during device setup
You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.

See details >		OS Build 17763.737

September 10, 2019
KB4512578		Mitigated
October 29, 2019 
05:15 PM PT
Microsoft Defender Advanced Threat Protection might stop running
The Microsoft Defender ATP service might stop running and might fail to send reporting data.

See details >		OS Build 17763.832

October 15, 2019
KB4520062		Investigating
October 18, 2019 
04:23 PM PT
Windows Mixed Reality Portal users may intermittently receive a 15-5 error code
You may receive a 15-5 error code in Windows Mixed Reality Portal and your headset may not wake up from sleep.

See details >		OS Build 17763.678

August 13, 2019
KB4511553		Resolved
KB4520062		October 15, 2019 
10:00 AM PT
Startup to a black screen after installing updates
Your device may startup to a black screen during the first logon after installing updates.

See details >		OS Build 17763.557

June 11, 2019
KB4503327		Resolved
KB4520062		October 15, 2019 
10:00 AM PT
Intermittent issues when printing
The print spooler service may intermittently have issues completing a print job and results print job failure.

See details >		OS Build 17763.740

September 23, 2019
KB4522015		Resolved
KB4519338		October 08, 2019 
10:00 AM PT

       
Devices with some Asian language packs installed may receive an error
Devices with Asian language packs installed may receive the error, \"0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_FOUND.\"

See details >		OS Build 17763.437

April 09, 2019
KB4493509		Mitigated
May 03, 2019 
10:59 AM PT

       
Certain operations performed on a Cluster Shared Volume may fail 
Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).

See details >		OS Build 17763.253

January 08, 2019
KB4480116		Mitigated
April 09, 2019 
10:00 AM PT

       

@@ -96,27 +93,8 @@ sections:
   - type: markdown
     text: "
       
-      
-      
-      
DetailsOriginating updateStatusHistory
Unable to create local users in Chinese, Japanese and Korean during device setup
When setting up a new Windows device using the Out of Box Experience (OOBE), you might be unable to create a local user when using Input Method Editor (IME). This issue might affect you if you are using the IME for Chinese, Japanese, or Korean languages.

Note This issue does not affect using a Microsoft Account during OOBE.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709
Workaround: To mitigate this issue, set the keyboard language to English during user creation or use a Microsoft Account to complete OOBE. You can set the keyboard language back to your preferred language after user creation. Once the OOBE is done and you are at the desktop, you can rename the current user using these instructions. If you prefer to create a new local user, see KB4026923.

Next steps: We are working on a resolution and estimate a solution will be available in late November.

Back to top		OS Build 17763.737

September 10, 2019
KB4512578		Mitigated
Last updated:
October 29, 2019 
05:15 PM PT

Opened:
October 29, 2019 
05:15 PM PT
Microsoft Defender Advanced Threat Protection might stop running
After installing the optional non-security update (KB4520062), the Microsoft Defender Advanced Threat Protection (ATP) service might stop running and might fail to send reporting data. You might also receive a 0xc0000409 error in Event Viewer on MsSense.exe.

Note Microsoft Windows Defender Antivirus is not affected by this issue.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
  • Server: Windows Server, version 1809; Windows Server 2019
Next steps: At this time, we suggest that devices in an affected environment do not install the optional non-security update, KB4520062. We are working on a resolution and estimate a solution will be available in mid-November.

Back to top		OS Build 17763.832

October 15, 2019
KB4520062		Investigating
Last updated:
October 18, 2019 
04:23 PM PT

Opened:
October 17, 2019 
05:14 PM PT

-      "
-
-- title: September 2019
-- items:
-  - type: markdown
-    text: "
-      
-      
-      
-      
DetailsOriginating updateStatusHistory
Windows Mixed Reality Portal users may intermittently receive a 15-5 error code
After installing KB4511553, Windows Mixed Reality Portal users may intermittently receive a 15-5 error code. In some cases, Windows Mixed Reality Portal may report that the headset is sleeping and pressing “Wake up” may appear to produce no action.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10, version 1803
Resolution: This issue was resolved in KB4520062.

Back to top		OS Build 17763.678

August 13, 2019
KB4511553		Resolved
KB4520062		Resolved:
October 15, 2019 
10:00 AM PT

Opened:
September 11, 2019 
05:32 PM PT
Intermittent issues when printing
Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
  • Applications interacting with the V4 printer driver might close or error when printing. Issues might only be encountered when printing but might also be encountered at any time the app is running, depending on when the app interacts with the print driver.
  • The printer spooler service (spoolsv.exe) might close or error in jscript.dll with exception code 0xc0000005 causing the print jobs to stop processing. Only part of the print job might print and the rest might be canceled or error.
Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4519338.

Back to top		OS Build 17763.740

September 23, 2019
KB4522015		Resolved
KB4519338		Resolved:
October 08, 2019 
10:00 AM PT

Opened:
September 30, 2019 
06:26 PM PT

-      "
-
-- title: June 2019
-- items:
-  - type: markdown
-    text: "
-      
-      
+      
+      
DetailsOriginating updateStatusHistory
Startup to a black screen after installing updates
We are investigating reports that a small number of devices may startup to a black screen during the first logon after installing updates.


Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803
  • Server: Windows Server 2019
Resolution: This issue was resolved in KB4520062.

Back to top		OS Build 17763.557

June 11, 2019
KB4503327		Resolved
KB4520062		Resolved:
October 15, 2019 
10:00 AM PT

Opened:
June 14, 2019 
04:41 PM PT
Microsoft Defender Advanced Threat Protection might stop running
After installing the optional non-security update (KB4520062), the Microsoft Defender Advanced Threat Protection (ATP) service might stop running and might fail to send reporting data. You might also receive a 0xc0000409 error in Event Viewer on MsSense.exe.

Note Microsoft Windows Defender Antivirus is not affected by this issue.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
  • Server: Windows Server, version 1809; Windows Server 2019
Resolution: This issue was resolved in KB4523205.

Back to top		OS Build 17763.832

October 15, 2019
KB4520062		Resolved
KB4523205		Resolved:
November 12, 2019 
10:00 AM PT

Opened:
October 17, 2019 
05:14 PM PT
Unable to create local users in Chinese, Japanese and Korean during device setup
When setting up a new Windows device using the Out of Box Experience (OOBE), you might be unable to create a local user when using Input Method Editor (IME). This issue might affect you if you are using the IME for Chinese, Japanese, or Korean languages.

Note This issue does not affect using a Microsoft Account during OOBE.

Affected platforms:
  • Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709
  • Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709
Workaround: To mitigate this issue, set the keyboard language to English during user creation or use a Microsoft Account to complete OOBE. You can set the keyboard language back to your preferred language after user creation. Once the OOBE is done and you are at the desktop, you can rename the current user using these instructions. If you prefer to create a new local user, see KB4026923.

Next steps: We are working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 17763.737

September 10, 2019
KB4512578		Mitigated
Last updated:
November 12, 2019 
08:05 AM PT

Opened:
October 29, 2019 
05:15 PM PT

       

       "
 
diff --git a/windows/release-information/status-windows-10-1903.yml b/windows/release-information/status-windows-10-1903.yml
index d0dd443d7e..92a393b9b2 100644
--- a/windows/release-information/status-windows-10-1903.yml
+++ b/windows/release-information/status-windows-10-1903.yml
@@ -21,7 +21,7 @@ sections:
       Find information on known issues and the status of the rollout for Windows 10, version 1903 and Windows Server, version 1903. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s).
       
  
-
Current status as of September 26, 2019:   
Windows 10, version 1903 (the May 2019 Update) is designated ready for broad deployment for all users via Windows Update.

As devices running the Home, Pro, and Pro for Workstation editions of Windows 10, version 1803 (the April 2018 Update) will reach end of service on November 12, 2019, we are broadly updating these devices, as well as those running earlier versions of Windows 10 that are past end of service, to keep these devices both supported and receiving monthly updates. If you are not offered the Windows 10, version 1903 feature update, please check below for known issues and safeguard holds that may affect your device.

We recommend commercial customers running earlier versions of Windows 10 begin broad deployments of Windows 10, version 1903 in their organizations.

Note Follow @WindowsUpdate to find out when new content is published to the release information dashboard.

+
Current status as of November 12, 2019:   
Windows 10, version 1903 (the May 2019 Update) is designated ready for broad deployment for all users via Windows Update.

We recommend commercial customers running earlier versions of Windows 10 begin broad deployments of Windows 10, version 1903 in their organizations.

Note Follow @WindowsUpdate to find out when new content is published to the release information dashboard.

 

 
       " 
@@ -33,21 +33,21 @@ sections:
     columns: 3
     items:
     
-    - href: https://blogs.windows.com/windowsexperience/2019/05/21/how-to-get-the-windows-10-may-2019-update/#1P75kJB6T5OhySyo.97
+    - href: https://aka.ms/how-to-get-1909
       html: Get the update >
       image: 
-        src: https://docs.microsoft.com/media/common/i_deploy.svg
-      title: Windows 10, version 1903 rollout in progress
-    - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Using-machine-learning-to-improve-the-Windows-10-update/ba-p/877860
-      html: Learn how machine learning informs each rollout >
+        src: http://docs.microsoft.com/media/common/i_download-install.svg
+      title: Windows 10, version 1909 now available
+    - href: https://aka.ms/1909mechanics
+      html: Explore the improvements >
       image: 
-        src: https://docs.microsoft.com/media/common/i_multi-connect.svg
-      title: Improving the Windows 10 update experience
-    - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-update-servicing-cadence/ba-p/222376
-      html: Learn more >
+        src: http://docs.microsoft.com/media/common/i_investigate.svg
+      title: Windows 10, version 1909 delivery options
+    - href: https://aka.ms/whats-new-in-1909
+      html: Learn about the latest capabilities for IT >
       image: 
-        src: https://docs.microsoft.com/media/common/i_investigate.svg
-      title: Windows 10 update servicing cadence
+        src: http://docs.microsoft.com/media/common/i_article.svg
+      title: What’s new in Windows 10, version 1909
 - items:
   - type: markdown
     text: "
@@ -64,18 +64,14 @@ sections:
   - type: markdown
     text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.


       
+      
+      
+      
+      
+      
-      
-      
-      
-      
-      
-      
-      
-      
-      
-      
-      
+      
+      
SummaryOriginating updateStatusLast updated
Issues with some older versions of Avast and AVG anti-virus products
Microsoft and Avast has identified compatibility issues with some versions of Avast and AVG Antivirus.

See details >		N/A 

Mitigated External
November 25, 2019 
05:25 PM PT
Intermittent loss of Wi-Fi connectivity
Some older devices may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver. 

See details >		OS Build 18362.116

May 21, 2019
KB4505057		Resolved External
November 22, 2019 
04:10 PM PT
Unable to discover or connect to Bluetooth devices using some Realtek adapters
Microsoft has identified compatibility issues with some versions of Realtek Bluetooth radio drivers.

See details >		OS Build 18362.116

May 21, 2019
KB4505057		Resolved External
November 15, 2019 
05:59 PM PT
Updates may fail to install and you may receive Error 0x80073701
Installation of updates may fail and you may receive error code 0x80073701.

See details >		OS Build 18362.145

May 29, 2019
KB4497935		Resolved
November 12, 2019 
08:11 AM PT
Unable to create local users in Chinese, Japanese and Korean during device setup
You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.

See details >		OS Build 18362.356

September 10, 2019
KB4515384		Mitigated
November 12, 2019 
08:05 AM PT

       
TLS connections might fail or timeout
Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.

See details >		OS Build 18362.418

October 08, 2019
KB4517389		Mitigated External
November 05, 2019 
03:36 PM PT
Unable to create local users in Chinese, Japanese and Korean during device setup
You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.

See details >		OS Build 18362.356

September 10, 2019
KB4515384		Mitigated
October 29, 2019 
05:15 PM PT
Cannot launch Camera app 
Microsoft and Intel have identified an issue affecting Intel RealSense SR300 or Intel RealSense S200 camera apps.

See details >		OS Build 18362.116

May 21, 2019
KB4505057		Resolved
KB4501375		June 27, 2019 
10:00 AM PT
Unable to discover or connect to Bluetooth devices using some Qualcomm adapters
Microsoft has identified compatibility issues with some versions of Qualcomm Bluetooth radio drivers.

See details >		OS Build 18362.116

May 20, 2019
KB4505057		Resolved
KB4517389		October 08, 2019 
10:00 AM PT
Unable to discover or connect to Bluetooth devices using some Realtek adapters
Microsoft has identified compatibility issues with some versions of Realtek Bluetooth radio drivers.

See details >		OS Build 18362.116

May 21, 2019
KB4505057		Mitigated
October 25, 2019 
04:21 PM PT
Safeguard on certain devices with some Intel and Broadcom Wi-Fi adapters
Some devices with Intel Centrino 6205/6235 and Broadcom 802.11ac Wi-Fi cards may experience compatibility issues.

See details >		N/A 

Resolved
KB4522355		October 24, 2019 
10:00 AM PT
dGPU occasionally disappear from device manager on Surface Book 2
Some apps or games may close or fail to open on Surface Book 2 devices with Nvidia dGPU.

See details >		OS Build 18362.145

May 29, 2019
KB4497935		Resolved
October 18, 2019 
04:33 PM PT
Intermittent issues when printing
The print spooler service may intermittently have issues completing a print job and results print job failure.

See details >		OS Build 18362.357

September 23, 2019
KB4522016		Resolved
KB4517389		October 08, 2019 
10:00 AM PT
Updates may fail to install and you may receive Error 0x80073701
Installation of updates may fail and you may receive error code 0x80073701.

See details >		OS Build 18362.145

May 29, 2019
KB4497935		Investigating
August 16, 2019 
04:28 PM PT
Intermittent loss of Wi-Fi connectivity
Some older devices may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver. 

See details >		OS Build 18362.116

May 21, 2019
KB4505057		Mitigated External
August 01, 2019 
08:44 PM PT
Gamma ramps, color profiles, and night light settings do not apply in some cases
Microsoft has identified some scenarios where gamma ramps, color profiles and night light settings may stop working.

See details >		OS Build 18362.116

May 21, 2019
KB4505057		Mitigated
KB4505903		August 01, 2019 
06:27 PM PT
Intel Audio displays an intcdaud.sys notification
Devices with a range of Intel Display Audio device drivers may experience battery drain.

See details >		OS Build 18362.116

May 21, 2019
KB4505057		Mitigated
May 21, 2019 
04:47 PM PT
Intel Audio displays an intcdaud.sys notification
Devices with a range of Intel Display Audio device drivers may experience battery drain.

See details >		OS Build 18362.116

May 21, 2019
KB4505057		Resolved External
November 12, 2019 
08:04 AM PT
Gamma ramps, color profiles, and night light settings do not apply in some cases
Microsoft has identified some scenarios where gamma ramps, color profiles and night light settings may stop working.

See details >		OS Build 18362.116

May 21, 2019
KB4505057		Resolved
KB4505903		July 26, 2019 
02:00 PM PT

       

       "
 
@@ -91,6 +87,7 @@ sections:
   - type: markdown
     text: "
       
+      
DetailsOriginating updateStatusHistory
Issues with some older versions of Avast and AVG anti-virus products
Microsoft and Avast has identified compatibility issues with some older versions of Avast Antivirus and AVG Antivirus that might still be installed by a small number of users. Any application from Avast or AVG that contains Antivirus version 19.5.4444.567 or earlier is affected.

To safeguard your upgrade experience, we have applied a hold on devices with affected Avast and AVG Antivirus from being offered or installing Windows 10, version 1903 or Windows 10, version 1909, until the application is updated.

Affected platforms:
  • Client: Windows 10, version 1909; Windows 10, version 1903
  • Server: Windows Server, version 1909; Windows Server, version 1903
Workaround: Before updating to Windows 10, version 1903 or Windows 10, version 1909, you will need to download and install an updated version of your Avast or AVG application. Guidance for Avast and AVG customers can be found in the following support articles:
Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until a new version of your Avast or AVG application has been installed and the Windows 10, version 1903 or Windows 10, version 1909 feature update has been automatically offered to you.

Back to top		N/A 

Mitigated External
Last updated:
November 25, 2019 
05:25 PM PT

Opened:
November 22, 2019 
04:10 PM PT

       
TLS connections might fail or timeout
Updates for Windows released October 8, 2019 or later provide protections, tracked by CVE-2019-1318, against an attack that could allow unauthorized access to information or data within TLS connections. This type of attack is known as a man-in-the-middle exploit. Windows might fail to connect to TLS clients and servers that do not support Extended Master Secret for resumption (RFC 7627). Lack of RFC support might cause one or more of the following errors or logged events:
  • \"The request was aborted: Could not create SSL/TLS secure Channel\"
  • SCHANNEL event 36887 is logged in the System event log with the description, \"A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.​\"
Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2

Next Steps: Connections between two devices running any supported version of Windows should not have this issue when fully updated. There is no update for Windows needed for this issue. These changes are required to address a security issue and security compliance. For information, see KB4528489.

Back to top		OS Build 18362.418

October 08, 2019
KB4517389		Mitigated External
Last updated:
November 05, 2019 
03:36 PM PT

Opened:
November 05, 2019 
03:36 PM PT

       

       "
@@ -100,18 +97,7 @@ sections:
   - type: markdown
     text: "
       
-      
-      
-      
DetailsOriginating updateStatusHistory
Unable to create local users in Chinese, Japanese and Korean during device setup
When setting up a new Windows device using the Out of Box Experience (OOBE), you might be unable to create a local user when using Input Method Editor (IME). This issue might affect you if you are using the IME for Chinese, Japanese, or Korean languages.

Note This issue does not affect using a Microsoft Account during OOBE.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709
Workaround: To mitigate this issue, set the keyboard language to English during user creation or use a Microsoft Account to complete OOBE. You can set the keyboard language back to your preferred language after user creation. Once the OOBE is done and you are at the desktop, you can rename the current user using these instructions. If you prefer to create a new local user, see KB4026923.

Next steps: We are working on a resolution and estimate a solution will be available in late November.

Back to top		OS Build 18362.356

September 10, 2019
KB4515384		Mitigated
Last updated:
October 29, 2019 
05:15 PM PT

Opened:
October 29, 2019 
05:15 PM PT
Unable to discover or connect to Bluetooth devices using some Qualcomm adapters
Microsoft has identified compatibility issues with some driver versions for Bluetooth radios made by Qualcomm. To safeguard your update experience, we have applied a compatibility hold on devices with affected driver versions for Qualcomm Bluetooth radios from being offered Windows 10, version 1903 or Windows Server, version 1903 until the driver has been updated.

Affected platforms:
  • Client: Windows 10, version 1903
  • Server: Windows Server, version 1903
Resolution: This issue was resolved in KB4517389 and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1903 or Windows Server, version 1903.

Back to top		OS Build 18362.116

May 20, 2019
KB4505057		Resolved
KB4517389		Resolved:
October 08, 2019 
10:00 AM PT

Opened:
October 25, 2019 
04:21 PM PT

-      "
-
-- title: September 2019
-- items:
-  - type: markdown
-    text: "
-      
-      
-      
+      
DetailsOriginating updateStatusHistory
Safeguard on certain devices with some Intel and Broadcom Wi-Fi adapters
Microsoft and NEC have found incompatibility issues with Intel Centrino 6205/6235 and Broadcom 802.11ac Wi-Fi cards when running Windows 10, version 1903 on specific models of NEC devices. If these devices are updated to Windows 10, version 1903, they will no longer be able to use any Wi-Fi connections. The Wi-Fi driver may have a yellow exclamation point in device manager. The task tray icon for networking may show the icon for no internet and Network & Internet settings may not show any Wi-Fi networks.

To safeguard your update experience, we have applied a compatibility hold on the affected devices from being offered Windows 10, version 1903.

Affected platforms:
  • Client: Windows 10, version 1903
Resolution: This issue was resolved in KB4522355. The safeguard hold is estimated to be removed in mid-November.

Back to top		N/A 

Resolved
KB4522355		Resolved:
October 24, 2019 
10:00 AM PT

Opened:
September 13, 2019 
05:25 PM PT
Intermittent issues when printing
Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
  • Applications interacting with the V4 printer driver might close or error when printing. Issues might only be encountered when printing but might also be encountered at any time the app is running, depending on when the app interacts with the print driver.
  • The printer spooler service (spoolsv.exe) might close or error in jscript.dll with exception code 0xc0000005 causing the print jobs to stop processing. Only part of the print job might print and the rest might be canceled or error.
Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4517389.

Back to top		OS Build 18362.357

September 23, 2019
KB4522016		Resolved
KB4517389		Resolved:
October 08, 2019 
10:00 AM PT

Opened:
September 30, 2019 
06:26 PM PT
Unable to create local users in Chinese, Japanese and Korean during device setup
When setting up a new Windows device using the Out of Box Experience (OOBE), you might be unable to create a local user when using Input Method Editor (IME). This issue might affect you if you are using the IME for Chinese, Japanese, or Korean languages.

Note This issue does not affect using a Microsoft Account during OOBE.

Affected platforms:
  • Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709
  • Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709
Workaround: To mitigate this issue, set the keyboard language to English during user creation or use a Microsoft Account to complete OOBE. You can set the keyboard language back to your preferred language after user creation. Once the OOBE is done and you are at the desktop, you can rename the current user using these instructions. If you prefer to create a new local user, see KB4026923.

Next steps: We are working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 18362.356

September 10, 2019
KB4515384		Mitigated
Last updated:
November 12, 2019 
08:05 AM PT

Opened:
October 29, 2019 
05:15 PM PT

       

       "
 
@@ -120,16 +106,7 @@ sections:
   - type: markdown
     text: "
       
-      
-      
DetailsOriginating updateStatusHistory
Updates may fail to install and you may receive Error 0x80073701
Installation of updates may fail and you may receive the error message, \"Updates Failed, There were problems installing some updates, but we'll try again later\" or \"Error 0x80073701\" on the Windows Update dialog or within Update history.

Affected platforms:
  • Client: Windows 10, version 1903
  • Server: Windows Server, version 1903
Next steps: We are working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 18362.145

May 29, 2019
KB4497935		Investigating
Last updated:
August 16, 2019 
04:28 PM PT

Opened:
August 16, 2019 
01:41 PM PT

-      "
-
-- title: July 2019
-- items:
-  - type: markdown
-    text: "
-      
-      
+      
DetailsOriginating updateStatusHistory
dGPU occasionally disappear from device manager on Surface Book 2
Microsoft has identified a compatibility issue on some Surface Book 2 devices configured with Nvidia discrete graphics processing units (dGPUs). After updating to Windows 10, version 1903 (the May 2019 Update), some apps or games that needs to perform graphics intensive operations may close or fail to open.
 
To safeguard your update experience, we have applied a compatibility hold on Surface Book 2 devices with Nvidia dGPU from being offered Windows 10, version 1903 until this issue is resolved.
 
Affected platforms:
  • Client: Windows 10, version 1903
Resolved: To resolve this issue, you will need to update the firmware of your Surface Book 2 device. Please see the Surface Book 2 update history page for instructions on how to install the October 2019 updates on your device. There is no update for Windows needed for this issue.
 
The safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1903.

Back to top		OS Build 18362.145

May 29, 2019
KB4497935		Resolved
Resolved:
October 18, 2019 
04:33 PM PT

Opened:
July 12, 2019 
04:20 PM PT
Updates may fail to install and you may receive Error 0x80073701
Installation of updates may fail and you may receive the error message, \"Updates Failed, There were problems installing some updates, but we'll try again later\" or \"Error 0x80073701\" on the Windows Update dialog or within Update history.

Affected platforms:
  • Client: Windows 10, version 1903
  • Server: Windows Server, version 1903
Resolution: This issue has been resolved for most users. If you are still having issues, please see KB4528159.

Back to top		OS Build 18362.145

May 29, 2019
KB4497935		Resolved
Resolved:
November 12, 2019 
08:11 AM PT

Opened:
August 16, 2019 
01:41 PM PT

       

       "
 
@@ -138,10 +115,9 @@ sections:
   - type: markdown
     text: "
       
-      
-      
-      
-      
-      
+      
+      
+      
+      
DetailsOriginating updateStatusHistory
Cannot launch Camera app 
Microsoft and Intel have identified an issue affecting Intel RealSense SR300 and Intel RealSense S200 cameras when using the Camera app. After updating to the Windows 10 May 2019 Update and launching the Camera app, you may get an error message stating:
        \"Close other apps, error code: 0XA00F4243.”

To safeguard your update experience, we have applied a protective hold on machines with Intel RealSense SR300 or Intel RealSense S200 cameras installed from being offered Windows 10, version 1903, until this issue is resolved.

Affected platforms:
  • Client: Windows 10, version 1903
Resolution: This issue was resolved in KB4501375 and the safeguard hold has been removed.

Back to top		OS Build 18362.116

May 21, 2019
KB4505057		Resolved
KB4501375		Resolved:
June 27, 2019 
10:00 AM PT

Opened:
May 21, 2019 
07:20 AM PT
Unable to discover or connect to Bluetooth devices using some Realtek adapters
Microsoft has identified compatibility issues with some driver versions for Bluetooth radios made by Realtek. To safeguard your update experience, we have applied a compatibility hold on devices with affected driver versions for Realtek Bluetooth radios from being offered Windows 10, version 1903 or Windows Server, version 1903 until the driver has been updated.

Affected platforms:
  • Client: Windows 10, version 1903
  • Server: Windows Server, version 1903
Workaround: Check with your device manufacturer (OEM) to see if an updated driver is available and install it. You will need to install a Realtek driver version greater than 1.5.1011.0.

Note Until an updated driver has been installed, we recommend you do not attempt to manually update using the Update now button or the Media Creation Tool. 

Next steps: Microsoft is working with Realtek to release new drivers for all affected system via Windows Update.

October 25, 2019 note This issue was previously grouped with the Qualcomm radio issue, which is now resolved. There is no change to this issue except to remove reference to Qualcomm.

Back to top		OS Build 18362.116

May 21, 2019
KB4505057		Mitigated
Last updated:
October 25, 2019 
04:21 PM PT

Opened:
May 21, 2019 
07:29 AM PT
Intermittent loss of Wi-Fi connectivity
Some older computers may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver. An updated Wi-Fi driver should be available from your device manufacturer (OEM).

To safeguard your upgrade experience, we have applied a hold on devices with this Qualcomm driver from being offered Windows 10, version 1903, until the updated driver is installed.

Affected platforms:
  • Client: Windows 10, version 1903
Workaround: Before updating to Windows 10, version 1903, you will need to download and install an updated Wi-Fi driver from your device manufacturer (OEM).
 
Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until a new driver has been installed and the Windows 10, version 1903 feature update has been automatically offered to you.

Back to top		OS Build 18362.116

May 21, 2019
KB4505057		Mitigated External
Last updated:
August 01, 2019 
08:44 PM PT

Opened:
May 21, 2019 
07:13 AM PT
Gamma ramps, color profiles, and night light settings do not apply in some cases
Microsoft has identified some scenarios where gamma ramps, color profiles and night light settings may stop working.

Microsoft has identified some scenarios in which these features may have issues or stop working, for example:
  • Connecting to (or disconnecting from) an external monitor, dock, or projector
  • Rotating the screen
  • Updating display drivers or making other display mode changes
  • Closing full screen applications
  • Applying custom color profiles
  • Running applications that rely on custom gamma ramps
Affected platforms:
  • Client: Windows 10, version 1903
Workaround: If you find that your night light has stopped working, try turning the night light off and on, or restarting your computer. For other color setting issues, restart your computer to correct the issue.

Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

Next steps: We are working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 18362.116

May 21, 2019
KB4505057		Mitigated
KB4505903		Last updated:
August 01, 2019 
06:27 PM PT

Opened:
May 21, 2019 
07:28 AM PT
Intel Audio displays an intcdaud.sys notification
Microsoft and Intel have identified an issue with a range of Intel Display Audio device drivers that may result in higher than normal battery drain. If you see an intcdaud.sys notification or “What needs your attention” notification when trying to update to Windows 10, version 1903, you have an affected Intel Audio Display device driver installed on your machine (intcdaud.sys, versions 10.25.0.3 through 10.25.0.8).
  
To safeguard your update experience, we have applied a compatibility hold on devices with drivers from being offered Windows 10, version 1903 until updated device drivers have been installed.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809
Workaround:
On the “What needs your attention\" notification, click the Back button to remain on your current version of Windows 10. (Do not click Confirm as this will proceed with the update and you may experience compatibility issues.) Affected devices will automatically revert to the previous working configuration.

For more information, see Intel's customer support guidance and the Microsoft knowledge base article KB4465877.

Note We recommend you do not attempt to update your devices until newer device drivers are installed.

Next steps: You can opt to wait for newer drivers to be installed automatically through Windows Update or check with the computer manufacturer for the latest device driver software availability and installation procedures.

Back to top		OS Build 18362.116

May 21, 2019
KB4505057		Mitigated
Last updated:
May 21, 2019 
04:47 PM PT

Opened:
May 21, 2019 
07:22 AM PT
Intermittent loss of Wi-Fi connectivity
Some older devices may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver. An updated Wi-Fi driver should be available from your device manufacturer (OEM).

To safeguard your upgrade experience, we have applied a hold on devices with affected Qualcomm driver from being offered Windows 10, version 1903 or Windows 10, version 1909, until the updated driver is installed.

Affected platforms:
  • Client: Windows 10, version 1909; Windows 10, version 1903
Resolution: This issue was resolved with an updated Qualcomm Wifi driver and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1909 or Windows 10, version 1903.

Back to top		OS Build 18362.116

May 21, 2019
KB4505057		Resolved External
Last updated:
November 22, 2019 
04:10 PM PT

Opened:
May 21, 2019 
07:13 AM PT
Unable to discover or connect to Bluetooth devices using some Realtek adapters
Microsoft has identified compatibility issues with some driver versions for Bluetooth radios made by Realtek. To safeguard your update experience, we have applied a compatibility hold on devices with affected driver versions for Realtek Bluetooth radios from being offered Windows 10, version 1903 or Windows Server, version 1903 until the driver has been updated.

Affected platforms:
  • Client: Windows 10, version 1909; Windows 10, version 1903
  • Server: Windows 10, version 1909; Windows Server, version 1903
Resolution: This issue was resolved with an updated driver for the affected Realtek Bluetooth radio and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1909 or Windows 10, version 1903.

Back to top		OS Build 18362.116

May 21, 2019
KB4505057		Resolved External
Last updated:
November 15, 2019 
05:59 PM PT

Opened:
May 21, 2019 
07:29 AM PT
Intel Audio displays an intcdaud.sys notification
Microsoft and Intel have identified an issue with a range of Intel Display Audio device drivers that may result in higher than normal battery drain. If you see an intcdaud.sys notification or “What needs your attention” notification when trying to update to Windows 10, version 1903, you have an affected Intel Audio Display device driver installed on your machine (intcdaud.sys, versions 10.25.0.3 through 10.25.0.8).
  
To safeguard your update experience, we have applied a compatibility hold on devices with drivers from being offered Windows 10, version 1903 until updated device drivers have been installed.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809
Resolution: This issue was resolved with updated drivers from your device manufacturer (OEM) or Intel. The safeguard hold has been removed.

Note If you are still experiencing the issue described, please contact your device manufacturer (OEM).

Back to top		OS Build 18362.116

May 21, 2019
KB4505057		Resolved External
Last updated:
November 12, 2019 
08:04 AM PT

Opened:
May 21, 2019 
07:22 AM PT
Gamma ramps, color profiles, and night light settings do not apply in some cases
Microsoft has identified some scenarios where gamma ramps, color profiles and night light settings may stop working.

Microsoft has identified some scenarios in which these features may have issues or stop working, for example:
  • Connecting to (or disconnecting from) an external monitor, dock, or projector
  • Rotating the screen
  • Updating display drivers or making other display mode changes
  • Closing full screen applications
  • Applying custom color profiles
  • Running applications that rely on custom gamma ramps
Affected platforms:
  • Client: Windows 10, version 1903
Resolution: This issue was resolved in KB4505903 and the safeguard hold has been removed.

Back to top		OS Build 18362.116

May 21, 2019
KB4505057		Resolved
KB4505903		Resolved:
July 26, 2019 
02:00 PM PT

Opened:
May 21, 2019 
07:28 AM PT

       

       "
diff --git a/windows/release-information/status-windows-10-1909.yml b/windows/release-information/status-windows-10-1909.yml
new file mode 100644
index 0000000000..23177c4408
--- /dev/null
+++ b/windows/release-information/status-windows-10-1909.yml
@@ -0,0 +1,107 @@
+### YamlMime:YamlDocument
+
+documentType: LandingData
+title: Windows 10, version 1909 and Windows Server, version 1909
+metadata:
+  document_id: 
+  title: Windows 10, version 1909 and Windows Server, version 1909
+  description: View announcements and review known issues and fixes for Windows 10 version 1909 and Windows Server 1909
+  keywords: Windows 10, issues, fixes, announcements, Windows Server, advisories
+  ms.localizationpriority: high
+  author: greg-lindsay
+  ms.author: greglin
+  manager: dougkim
+  ms.topic: article
+  ms.devlang: na
+
+sections:
+- items:
+  - type: markdown
+    text: "
+      Find information on known issues and the status of the rollout for Windows 10, version 1909 and Windows Server, version 1909. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s).
+      
+ 
+
Current status as of December 5, 2019:
Windows 10, version 1909 is available for any user on a recent version of Windows 10 who manually selects “Check for updates” via Windows Update. The recommended servicing status is Semi-Annual Channel.
 
Beginning today, we will slowly start the phased process to automatically initiate a feature update for devices running the October 2018 Update (Windows 10, version 1809) Home and Pro editions, keeping those devices supported and receiving the monthly updates that are critical to device security and ecosystem health. We are starting this rollout process several months in advance of the end of service date to provide adequate time for a smooth update process.

For information on how users running Windows 10, version 1903 can update to Windows 10, version 1909 in a new, streamlined way, see this post.
 
Note follow @WindowsUpdate on Twitter to find out when new content is published to the release information dashboard.

+

+
+      " 
+
+- items:
+  - type: list
+    style: cards
+    className: cardsM
+    columns: 3
+    items:
+    
+    - href: https://aka.ms/how-to-get-1909
+      html: Get the update >
+      image: 
+        src: http://docs.microsoft.com/media/common/i_download-install.svg
+      title: Windows 10, version 1909 now available
+    - href: https://aka.ms/1909mechanics
+      html: Explore the improvements >
+      image: 
+        src: http://docs.microsoft.com/media/common/i_investigate.svg
+      title: Windows 10, version 1909 delivery options
+    - href: https://aka.ms/whats-new-in-1909
+      html: Learn about the latest capabilities for IT >
+      image: 
+        src: http://docs.microsoft.com/media/common/i_article.svg
+      title: What’s new in Windows 10, version 1909
+- items:
+  - type: markdown
+    text: "
+      
+      "
+- items:
+  - type: markdown
+    text: "
+        

+      "
+
+- title: Known issues
+- items:
+  - type: markdown
+    text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.


+      
+      
+      
+      
+      
+      
SummaryOriginating updateStatusLast updated
Issues with some older versions of Avast and AVG anti-virus products
Microsoft and Avast has identified compatibility issues with some versions of Avast and AVG Antivirus.

See details >		N/A 

Mitigated External
November 25, 2019 
05:25 PM PT
Intermittent loss of Wi-Fi connectivity
Some older devices may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver. 

See details >		OS Build 18363.476

November 12, 2019
KB4524570		Resolved External
November 22, 2019 
04:10 PM PT
Unable to discover or connect to Bluetooth devices using some Realtek adapters
Microsoft has identified compatibility issues with some versions of Realtek Bluetooth radio drivers.

See details >		OS Build 18363.476

November 12, 2019
KB4524570		Resolved External
November 15, 2019 
05:59 PM PT
Unable to create local users in Chinese, Japanese and Korean during device setup
You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.

See details >		OS Build 18363.476

November 12, 2019
KB4524570		Mitigated
November 12, 2019 
08:05 AM PT

+      "
+
+- title: Issue details
+- items:
+  - type: markdown
+    text: "
+        

+        
 
+      "
+- title: November 2019
+- items:
+  - type: markdown
+    text: "
+      
+      
+      
DetailsOriginating updateStatusHistory
Issues with some older versions of Avast and AVG anti-virus products
Microsoft and Avast has identified compatibility issues with some older versions of Avast Antivirus and AVG Antivirus that might still be installed by a small number of users. Any application from Avast or AVG that contains Antivirus version 19.5.4444.567 or earlier is affected.

To safeguard your upgrade experience, we have applied a hold on devices with affected Avast and AVG Antivirus from being offered or installing Windows 10, version 1903 or Windows 10, version 1909, until the application is updated.

Affected platforms:
  • Client: Windows 10, version 1909; Windows 10, version 1903
  • Server: Windows Server, version 1909; Windows Server, version 1903
Workaround: Before updating to Windows 10, version 1903 or Windows 10, version 1909, you will need to download and install an updated version of your Avast or AVG application. Guidance for Avast and AVG customers can be found in the following support articles:
Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until a new version of your Avast or AVG application has been installed and the Windows 10, version 1903 or Windows 10, version 1909 feature update has been automatically offered to you.

Back to top		N/A 

Mitigated External
Last updated:
November 25, 2019 
05:25 PM PT

Opened:
November 22, 2019 
04:10 PM PT

+      "
+
+- title: October 2019
+- items:
+  - type: markdown
+    text: "
+      
+      
+      
DetailsOriginating updateStatusHistory
Unable to create local users in Chinese, Japanese and Korean during device setup
When setting up a new Windows device using the Out of Box Experience (OOBE), you might be unable to create a local user when using Input Method Editor (IME). This issue might affect you if you are using the IME for Chinese, Japanese, or Korean languages.

Note This issue does not affect using a Microsoft Account during OOBE.

Affected platforms:
  • Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709
  • Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709
Workaround: To mitigate this issue, set the keyboard language to English during user creation or use a Microsoft Account to complete OOBE. You can set the keyboard language back to your preferred language after user creation. Once the OOBE is done and you are at the desktop, you can rename the current user using these instructions. If you prefer to create a new local user, see KB4026923.

Next steps: We are working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 18363.476

November 12, 2019
KB4524570		Mitigated
Last updated:
November 12, 2019 
08:05 AM PT

Opened:
October 29, 2019 
05:15 PM PT

+      "
+
+- title: May 2019
+- items:
+  - type: markdown
+    text: "
+      
+      
+      
+      
DetailsOriginating updateStatusHistory
Intermittent loss of Wi-Fi connectivity
Some older devices may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver. An updated Wi-Fi driver should be available from your device manufacturer (OEM).

To safeguard your upgrade experience, we have applied a hold on devices with affected Qualcomm driver from being offered Windows 10, version 1903 or Windows 10, version 1909, until the updated driver is installed.

Affected platforms:
  • Client: Windows 10, version 1909; Windows 10, version 1903
Resolution: This issue was resolved with an updated Qualcomm Wifi driver and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1909 or Windows 10, version 1903.

Back to top		OS Build 18363.476

November 12, 2019
KB4524570		Resolved External
Last updated:
November 22, 2019 
04:10 PM PT

Opened:
May 21, 2019 
07:13 AM PT
Unable to discover or connect to Bluetooth devices using some Realtek adapters
Microsoft has identified compatibility issues with some driver versions for Bluetooth radios made by Realtek. To safeguard your update experience, we have applied a compatibility hold on devices with affected driver versions for Realtek Bluetooth radios from being offered Windows 10, version 1903 or Windows Server, version 1903 until the driver has been updated.

Affected platforms:
  • Client: Windows 10, version 1909; Windows 10, version 1903
  • Server: Windows 10, version 1909; Windows Server, version 1903
Resolution: This issue was resolved with an updated driver for the affected Realtek Bluetooth radio and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1909 or Windows 10, version 1903.

Back to top		OS Build 18363.476

November 12, 2019
KB4524570		Resolved External
Last updated:
November 15, 2019 
05:59 PM PT

Opened:
May 21, 2019 
07:29 AM PT

+      "
diff --git a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml
index 1f8aaa76bb..dadedc3369 100644
--- a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml
+++ b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml
@@ -29,21 +29,21 @@ sections:
     columns: 3
     items:
     
-    - href: https://blogs.windows.com/windowsexperience/2019/05/21/how-to-get-the-windows-10-may-2019-update/#1P75kJB6T5OhySyo.97
+    - href: https://aka.ms/how-to-get-1909
       html: Get the update >
       image: 
-        src: https://docs.microsoft.com/media/common/i_deploy.svg
-      title: Windows 10, version 1903 rollout in progress
-    - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Using-machine-learning-to-improve-the-Windows-10-update/ba-p/877860
-      html: Learn how machine learning informs each rollout >
+        src: http://docs.microsoft.com/media/common/i_download-install.svg
+      title: Windows 10, version 1909 now available
+    - href: https://aka.ms/1909mechanics
+      html: Explore the improvements >
       image: 
-        src: https://docs.microsoft.com/media/common/i_multi-connect.svg
-      title: Improving the Windows 10 update experience
-    - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-update-servicing-cadence/ba-p/222376
-      html: Learn more >
+        src: http://docs.microsoft.com/media/common/i_investigate.svg
+      title: Windows 10, version 1909 delivery options
+    - href: https://aka.ms/whats-new-in-1909
+      html: Learn about the latest capabilities for IT >
       image: 
-        src: https://docs.microsoft.com/media/common/i_investigate.svg
-      title: Windows 10 update servicing cadence
+        src: http://docs.microsoft.com/media/common/i_article.svg
+      title: What’s new in Windows 10, version 1909
 - items:
   - type: markdown
     text: "
@@ -60,8 +60,8 @@ sections:
   - type: markdown
     text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.


       
+      
-      
SummaryOriginating updateStatusLast updated
MSRT might fail to install and be re-offered from Windows Update or WSUS 
The November 2019 update for Windows Malicious Software Removal Tool (MSRT) might fail to install from WU/WSUS.

See details >
Mitigated
November 15, 2019 
05:59 PM PT

       
TLS connections might fail or timeout
Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.

See details >		October 08, 2019
KB4519976		Mitigated External
November 05, 2019 
03:36 PM PT
Intermittent issues when printing
The print spooler service may intermittently have issues completing a print job and results print job failure.

See details >		September 24, 2019
KB4516048		Resolved
KB4519976		October 08, 2019 
10:00 AM PT

       
IA64 and x64 devices may fail to start after installing updates
After installing updates released on or after August 13, 2019, IA64 and x64 devices using EFI Boot may fail to start.

See details >		August 13, 2019
KB4512506		Mitigated
August 17, 2019 
12:59 PM PT

       

       "
@@ -78,19 +78,11 @@ sections:
   - type: markdown
     text: "
       
+      
DetailsOriginating updateStatusHistory
MSRT might fail to install and be re-offered from Windows Update or WSUS 
The November 2019 update for Windows Malicious Software Removal Tool (MSRT) might fail to install from Windows Update (WU), Windows Server Update Services (WSUS) or Configuration Manager and might be re-offered. If you use WU or WSUS, you might also receive the following error in the WindowsUpdate.log, “Misc  WARNING: Digital Signatures on file C:\\Windows\\SoftwareDistribution\\Download\\XXXX are not trusted: Error 0x800b0109”. If you use Configuration Manager, you might also receive the following error in the WUAHandler.log, \"Failed to download updates to the WUAgent datastore. Error = 0x800b0109.     WUAHandler   14/11/2019 16:33:23        980 (0x03D4)\". Note All Configuration Manager information also applies to System Center Configuration Manager (SCCM) and Microsoft Endpoint Configuration Manager.

Affected platforms:
  • Client: Windows 7 SP1
  • Server: Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Workaround: You can manually install the November 2019 update for Windows Malicious Software Removal Tool (MSRT) by downloading it here for 32-bit x86-based devices or here for 64-bit x64-based devices. If you are using WSUS or Configuration Manager, guidance can be found here.

Next steps: This issue has been mitigated on the server side and MSRT will no longer offered to affected platforms. We are working on a resolution and estimate a solution will be available in the December 2019 release of Windows Malicious Software Removal Tool (MSRT).

Back to top
Mitigated
Last updated:
November 15, 2019 
05:59 PM PT

Opened:
November 15, 2019 
05:59 PM PT

       
TLS connections might fail or timeout
Updates for Windows released October 8, 2019 or later provide protections, tracked by CVE-2019-1318, against an attack that could allow unauthorized access to information or data within TLS connections. This type of attack is known as a man-in-the-middle exploit. Windows might fail to connect to TLS clients and servers that do not support Extended Master Secret for resumption (RFC 7627). Lack of RFC support might cause one or more of the following errors or logged events:
  • \"The request was aborted: Could not create SSL/TLS secure Channel\"
  • SCHANNEL event 36887 is logged in the System event log with the description, \"A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.​\"
Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2

Next Steps: Connections between two devices running any supported version of Windows should not have this issue when fully updated. There is no update for Windows needed for this issue. These changes are required to address a security issue and security compliance. For information, see KB4528489.

Back to top		October 08, 2019
KB4519976		Mitigated External
Last updated:
November 05, 2019 
03:36 PM PT

Opened:
November 05, 2019 
03:36 PM PT

       

       "
 
-- title: September 2019
-- items:
-  - type: markdown
-    text: "
-      
-      
-      
DetailsOriginating updateStatusHistory
Intermittent issues when printing
Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
  • Applications interacting with the V4 printer driver might close or error when printing. Issues might only be encountered when printing but might also be encountered at any time the app is running, depending on when the app interacts with the print driver.
  • The printer spooler service (spoolsv.exe) might close or error in jscript.dll with exception code 0xc0000005 causing the print jobs to stop processing. Only part of the print job might print and the rest might be canceled or error.
Note This issue also affects the Internet Explorer Cumulative Update KB4522007, release September 23, 2019.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4519976. If you are using Security Only updates, see KB4519974 for resolving KB for your platform.

Back to top		September 24, 2019
KB4516048		Resolved
KB4519976		Resolved:
October 08, 2019 
10:00 AM PT

Opened:
September 30, 2019 
06:26 PM PT

-      "
-
 - title: August 2019
 - items:
   - type: markdown
diff --git a/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml b/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml
index e0f869f26a..d20fb293cd 100644
--- a/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml
+++ b/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml
@@ -29,21 +29,21 @@ sections:
     columns: 3
     items:
     
-    - href: https://blogs.windows.com/windowsexperience/2019/05/21/how-to-get-the-windows-10-may-2019-update/#1P75kJB6T5OhySyo.97
+    - href: https://aka.ms/how-to-get-1909
       html: Get the update >
       image: 
-        src: https://docs.microsoft.com/media/common/i_deploy.svg
-      title: Windows 10, version 1903 rollout in progress
-    - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Using-machine-learning-to-improve-the-Windows-10-update/ba-p/877860
-      html: Learn how machine learning informs each rollout >
+        src: http://docs.microsoft.com/media/common/i_download-install.svg
+      title: Windows 10, version 1909 now available
+    - href: https://aka.ms/1909mechanics
+      html: Explore the improvements >
       image: 
-        src: https://docs.microsoft.com/media/common/i_multi-connect.svg
-      title: Improving the Windows 10 update experience
-    - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-update-servicing-cadence/ba-p/222376
-      html: Learn more >
+        src: http://docs.microsoft.com/media/common/i_investigate.svg
+      title: Windows 10, version 1909 delivery options
+    - href: https://aka.ms/whats-new-in-1909
+      html: Learn about the latest capabilities for IT >
       image: 
-        src: https://docs.microsoft.com/media/common/i_investigate.svg
-      title: Windows 10 update servicing cadence
+        src: http://docs.microsoft.com/media/common/i_article.svg
+      title: What’s new in Windows 10, version 1909
 - items:
   - type: markdown
     text: "
@@ -60,8 +60,8 @@ sections:
   - type: markdown
     text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.


       
+      
-      
SummaryOriginating updateStatusLast updated
Printing from 32-bit apps might fail on a 64-bit OS
When attempting to print, you may receive an error or the application may stop responding or close.

See details >		August 13, 2019
KB4512489		Resolved
KB4525250		November 12, 2019 
10:00 AM PT

       
TLS connections might fail or timeout
Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.

See details >		October 08, 2019
KB4520005		Mitigated External
November 05, 2019 
03:36 PM PT
Intermittent issues when printing
The print spooler service may intermittently have issues completing a print job and results print job failure.

See details >		September 24, 2019
KB4516041		Resolved
KB4520005		October 08, 2019 
10:00 AM PT

       
Japanese IME doesn't show the new Japanese Era name as a text input option
With previous dictionary updates installed, the Japanese IME doesn't show the new Japanese Era name as an input option.

See details >		April 25, 2019
KB4493443		Mitigated
May 15, 2019 
05:53 PM PT

       
Certain operations performed on a Cluster Shared Volume may fail
Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).

See details >		January 08, 2019
KB4480963		Mitigated
April 25, 2019 
02:00 PM PT

       

@@ -79,19 +79,11 @@ sections:
   - type: markdown
     text: "
       
+      
DetailsOriginating updateStatusHistory
Printing from 32-bit apps might fail on a 64-bit OS
When attempting to print from a 32-bit app on a 64-bit operating system (OS), you may receive an error, or the application may stop responding or close. Note This issue only affects the 64-bit Security Only updates listed and does not affect any Monthly Rollup.

Affected platforms:
  • Client: Windows 8.1
  • Server: Windows Server 2012 R2; Windows Server 2012
Resolution: This issue is resolved in KB4525250. However, the issue occurs when you install only KB4512489 (released on August 13, 2019) without installing KB4507457, the previous Security Only update (released July 9, 2019). Reminder When using the Security Only updates, you must install the latest and all previous Security Only updates to ensure that the device contains all resolved security vulnerabilities.

Back to top		August 13, 2019
KB4512489		Resolved
KB4525250		Resolved:
November 12, 2019 
10:00 AM PT

Opened:
November 27, 2019 
04:02 PM PT

       
TLS connections might fail or timeout
Updates for Windows released October 8, 2019 or later provide protections, tracked by CVE-2019-1318, against an attack that could allow unauthorized access to information or data within TLS connections. This type of attack is known as a man-in-the-middle exploit. Windows might fail to connect to TLS clients and servers that do not support Extended Master Secret for resumption (RFC 7627). Lack of RFC support might cause one or more of the following errors or logged events:
  • \"The request was aborted: Could not create SSL/TLS secure Channel\"
  • SCHANNEL event 36887 is logged in the System event log with the description, \"A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.​\"
Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2

Next Steps: Connections between two devices running any supported version of Windows should not have this issue when fully updated. There is no update for Windows needed for this issue. These changes are required to address a security issue and security compliance. For information, see KB4528489.

Back to top		October 08, 2019
KB4520005		Mitigated External
Last updated:
November 05, 2019 
03:36 PM PT

Opened:
November 05, 2019 
03:36 PM PT

       

       "
 
-- title: September 2019
-- items:
-  - type: markdown
-    text: "
-      
-      
-      
DetailsOriginating updateStatusHistory
Intermittent issues when printing
Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
  • Applications interacting with the V4 printer driver might close or error when printing. Issues might only be encountered when printing but might also be encountered at any time the app is running, depending on when the app interacts with the print driver.
  • The printer spooler service (spoolsv.exe) might close or error in jscript.dll with exception code 0xc0000005 causing the print jobs to stop processing. Only part of the print job might print and the rest might be canceled or error.
Note This issue also affects the Internet Explorer Cumulative Update KB4522007, release September 23, 2019.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4520005. If you are using Security Only updates, see KB4519974 for resolving KB for your platform.

Back to top		September 24, 2019
KB4516041		Resolved
KB4520005		Resolved:
October 08, 2019 
10:00 AM PT

Opened:
September 30, 2019 
06:26 PM PT

-      "
-
 - title: May 2019
 - items:
   - type: markdown
diff --git a/windows/release-information/status-windows-server-2008-sp2.yml b/windows/release-information/status-windows-server-2008-sp2.yml
index 9e2992e255..ba7311b1cc 100644
--- a/windows/release-information/status-windows-server-2008-sp2.yml
+++ b/windows/release-information/status-windows-server-2008-sp2.yml
@@ -29,21 +29,21 @@ sections:
     columns: 3
     items:
     
-    - href: https://blogs.windows.com/windowsexperience/2019/05/21/how-to-get-the-windows-10-may-2019-update/#1P75kJB6T5OhySyo.97
+    - href: https://aka.ms/how-to-get-1909
       html: Get the update >
       image: 
-        src: https://docs.microsoft.com/media/common/i_deploy.svg
-      title: Windows 10, version 1903 rollout in progress
-    - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Using-machine-learning-to-improve-the-Windows-10-update/ba-p/877860
-      html: Learn how machine learning informs each rollout >
+        src: http://docs.microsoft.com/media/common/i_download-install.svg
+      title: Windows 10, version 1909 now available
+    - href: https://aka.ms/1909mechanics
+      html: Explore the improvements >
       image: 
-        src: https://docs.microsoft.com/media/common/i_multi-connect.svg
-      title: Improving the Windows 10 update experience
-    - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-update-servicing-cadence/ba-p/222376
-      html: Learn more >
+        src: http://docs.microsoft.com/media/common/i_investigate.svg
+      title: Windows 10, version 1909 delivery options
+    - href: https://aka.ms/whats-new-in-1909
+      html: Learn about the latest capabilities for IT >
       image: 
-        src: https://docs.microsoft.com/media/common/i_investigate.svg
-      title: Windows 10 update servicing cadence
+        src: http://docs.microsoft.com/media/common/i_article.svg
+      title: What’s new in Windows 10, version 1909
 - items:
   - type: markdown
     text: "
@@ -60,9 +60,8 @@ sections:
   - type: markdown
     text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.


       
+      
-      
-      
SummaryOriginating updateStatusLast updated
MSRT might fail to install and be re-offered from Windows Update or WSUS 
The November 2019 update for Windows Malicious Software Removal Tool (MSRT) might fail to install from WU/WSUS.

See details >
Mitigated
November 15, 2019 
05:59 PM PT

       
TLS connections might fail or timeout
Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.

See details >		October 08, 2019
KB4520002		Mitigated External
November 05, 2019 
03:36 PM PT
Issues manually installing updates by double-clicking the .msu file
You may encounter issues manually installing updates by double-clicking the .msu file and may receive an error.

See details >		September 10, 2019
KB4474419		Resolved
KB4474419		September 23, 2019 
10:00 AM PT
Intermittent issues when printing
The print spooler service may intermittently have issues completing a print job and results print job failure.

See details >		September 24, 2019
KB4516030		Resolved
KB4520002		October 08, 2019 
10:00 AM PT

       

       "
 
@@ -78,16 +77,7 @@ sections:
   - type: markdown
     text: "
       
+      
DetailsOriginating updateStatusHistory
MSRT might fail to install and be re-offered from Windows Update or WSUS 
The November 2019 update for Windows Malicious Software Removal Tool (MSRT) might fail to install from Windows Update (WU), Windows Server Update Services (WSUS) or Configuration Manager and might be re-offered. If you use WU or WSUS, you might also receive the following error in the WindowsUpdate.log, “Misc  WARNING: Digital Signatures on file C:\\Windows\\SoftwareDistribution\\Download\\XXXX are not trusted: Error 0x800b0109”. If you use Configuration Manager, you might also receive the following error in the WUAHandler.log, \"Failed to download updates to the WUAgent datastore. Error = 0x800b0109.     WUAHandler   14/11/2019 16:33:23        980 (0x03D4)\". Note All Configuration Manager information also applies to System Center Configuration Manager (SCCM) and Microsoft Endpoint Configuration Manager.

Affected platforms:
  • Client: Windows 7 SP1
  • Server: Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Workaround: You can manually install the November 2019 update for Windows Malicious Software Removal Tool (MSRT) by downloading it here for 32-bit x86-based devices or here for 64-bit x64-based devices. If you are using WSUS or Configuration Manager, guidance can be found here.

Next steps: This issue has been mitigated on the server side and MSRT will no longer offered to affected platforms. We are working on a resolution and estimate a solution will be available in the December 2019 release of Windows Malicious Software Removal Tool (MSRT).

Back to top
Mitigated
Last updated:
November 15, 2019 
05:59 PM PT

Opened:
November 15, 2019 
05:59 PM PT

       
TLS connections might fail or timeout
Updates for Windows released October 8, 2019 or later provide protections, tracked by CVE-2019-1318, against an attack that could allow unauthorized access to information or data within TLS connections. This type of attack is known as a man-in-the-middle exploit. Windows might fail to connect to TLS clients and servers that do not support Extended Master Secret for resumption (RFC 7627). Lack of RFC support might cause one or more of the following errors or logged events:
  • \"The request was aborted: Could not create SSL/TLS secure Channel\"
  • SCHANNEL event 36887 is logged in the System event log with the description, \"A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.​\"
Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2

Next Steps: Connections between two devices running any supported version of Windows should not have this issue when fully updated. There is no update for Windows needed for this issue. These changes are required to address a security issue and security compliance. For information, see KB4528489.

Back to top		October 08, 2019
KB4520002		Mitigated External
Last updated:
November 05, 2019 
03:36 PM PT

Opened:
November 05, 2019 
03:36 PM PT

       

       "
-
-- title: September 2019
-- items:
-  - type: markdown
-    text: "
-      
-      
-      
-      
DetailsOriginating updateStatusHistory
Issues manually installing updates by double-clicking the .msu file
After installing the SHA-2 update (KB4474419) released on September 10, 2019, you may encounter issues manually installing updates by double-clicking on the .msu file and may receive the error, \"Installer encountered an error: 0x80073afc. The resource loader failed to find MUI file.\"

Affected platforms:
  • Server: Windows Server 2008 SP2
Workaround: Open a command prompt and use the following command (replacing <msu location> with the actual location and filename of the update): wusa.exe <msu location> /quiet

Resolution: This issue is resolved in KB4474419 released October 8, 2019. It will install automatically from Windows Update and Windows Server Update Services (WSUS). If you need to install this update manually, you will need to use the workaround above.

Note If you previously installed KB4474419 released September 23, 2019, then you already have the latest version of this update and do not need to reinstall.

Back to top		September 10, 2019
KB4474419		Resolved
KB4474419		Resolved:
September 23, 2019 
10:00 AM PT

Opened:
September 20, 2019 
04:57 PM PT
Intermittent issues when printing
Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
  • Applications interacting with the V4 printer driver might close or error when printing. Issues might only be encountered when printing but might also be encountered at any time the app is running, depending on when the app interacts with the print driver.
  • The printer spooler service (spoolsv.exe) might close or error in jscript.dll with exception code 0xc0000005 causing the print jobs to stop processing. Only part of the print job might print and the rest might be canceled or error.
Note This issue also affects the Internet Explorer Cumulative Update KB4522007, release September 23, 2019.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4520002. If you are using Security Only updates, see KB4519974 for resolving KB for your platform.

Back to top		September 24, 2019
KB4516030		Resolved
KB4520002		Resolved:
October 08, 2019 
10:00 AM PT

Opened:
September 30, 2019 
06:26 PM PT

-      "
diff --git a/windows/release-information/status-windows-server-2012.yml b/windows/release-information/status-windows-server-2012.yml
index 560b75a79f..734e55f864 100644
--- a/windows/release-information/status-windows-server-2012.yml
+++ b/windows/release-information/status-windows-server-2012.yml
@@ -29,21 +29,21 @@ sections:
     columns: 3
     items:
     
-    - href: https://blogs.windows.com/windowsexperience/2019/05/21/how-to-get-the-windows-10-may-2019-update/#1P75kJB6T5OhySyo.97
+    - href: https://aka.ms/how-to-get-1909
       html: Get the update >
       image: 
-        src: https://docs.microsoft.com/media/common/i_deploy.svg
-      title: Windows 10, version 1903 rollout in progress
-    - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Using-machine-learning-to-improve-the-Windows-10-update/ba-p/877860
-      html: Learn how machine learning informs each rollout >
+        src: http://docs.microsoft.com/media/common/i_download-install.svg
+      title: Windows 10, version 1909 now available
+    - href: https://aka.ms/1909mechanics
+      html: Explore the improvements >
       image: 
-        src: https://docs.microsoft.com/media/common/i_multi-connect.svg
-      title: Improving the Windows 10 update experience
-    - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-update-servicing-cadence/ba-p/222376
-      html: Learn more >
+        src: http://docs.microsoft.com/media/common/i_investigate.svg
+      title: Windows 10, version 1909 delivery options
+    - href: https://aka.ms/whats-new-in-1909
+      html: Learn about the latest capabilities for IT >
       image: 
-        src: https://docs.microsoft.com/media/common/i_investigate.svg
-      title: Windows 10 update servicing cadence
+        src: http://docs.microsoft.com/media/common/i_article.svg
+      title: What’s new in Windows 10, version 1909
 - items:
   - type: markdown
     text: "
@@ -60,8 +60,8 @@ sections:
   - type: markdown
     text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.


       
+      
-      
SummaryOriginating updateStatusLast updated
Printing from 32-bit apps might fail on a 64-bit OS
When attempting to print, you may receive an error or the application may stop responding or close.

See details >		August 13, 2019
KB4512482		Resolved
KB4525253		November 12, 2019 
10:00 AM PT

       
TLS connections might fail or timeout
Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.

See details >		October 08, 2019
KB4520007		Mitigated External
November 05, 2019 
03:36 PM PT
Intermittent issues when printing
The print spooler service may intermittently have issues completing a print job and results print job failure.

See details >		September 24, 2019
KB4516069		Resolved
KB4520007		October 08, 2019 
10:00 AM PT

       
Japanese IME doesn't show the new Japanese Era name as a text input option
With previous dictionary updates installed, the Japanese IME doesn't show the new Japanese Era name as an input option.

See details >		April 25, 2019
KB4493462		Mitigated
May 15, 2019 
05:53 PM PT

       
Certain operations performed on a Cluster Shared Volume may fail
Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).

See details >		January 08, 2019
KB4480975		Mitigated
April 25, 2019 
02:00 PM PT

       

@@ -79,19 +79,11 @@ sections:
   - type: markdown
     text: "
       
+      
DetailsOriginating updateStatusHistory
Printing from 32-bit apps might fail on a 64-bit OS
When attempting to print from a 32-bit app on a 64-bit operating system (OS), you may receive an error, or the application may stop responding or close. Note This issue only affects the 64-bit Security Only updates listed and does not affect any Monthly Rollup.

Affected platforms:
  • Client: Windows 8.1
  • Server: Windows Server 2012 R2; Windows Server 2012
Resolution: This issue is resolved in KB4525253. However, the issue occurs when you install only KB4512482 (released on August 13, 2019) without installing KB4507447, the previous Security Only update (released July 9, 2019). Reminder When using the Security Only updates, you must install the latest and all previous Security Only updates to ensure that the device contains all resolved security vulnerabilities.

Back to top		August 13, 2019
KB4512482		Resolved
KB4525253		Resolved:
November 12, 2019 
10:00 AM PT

Opened:
November 27, 2019 
04:02 PM PT

       
TLS connections might fail or timeout
Updates for Windows released October 8, 2019 or later provide protections, tracked by CVE-2019-1318, against an attack that could allow unauthorized access to information or data within TLS connections. This type of attack is known as a man-in-the-middle exploit. Windows might fail to connect to TLS clients and servers that do not support Extended Master Secret for resumption (RFC 7627). Lack of RFC support might cause one or more of the following errors or logged events:
  • \"The request was aborted: Could not create SSL/TLS secure Channel\"
  • SCHANNEL event 36887 is logged in the System event log with the description, \"A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.​\"
Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2

Next Steps: Connections between two devices running any supported version of Windows should not have this issue when fully updated. There is no update for Windows needed for this issue. These changes are required to address a security issue and security compliance. For information, see KB4528489.

Back to top		October 08, 2019
KB4520007		Mitigated External
Last updated:
November 05, 2019 
03:36 PM PT

Opened:
November 05, 2019 
03:36 PM PT

       

       "
 
-- title: September 2019
-- items:
-  - type: markdown
-    text: "
-      
-      
-      
DetailsOriginating updateStatusHistory
Intermittent issues when printing
Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
  • Applications interacting with the V4 printer driver might close or error when printing. Issues might only be encountered when printing but might also be encountered at any time the app is running, depending on when the app interacts with the print driver.
  • The printer spooler service (spoolsv.exe) might close or error in jscript.dll with exception code 0xc0000005 causing the print jobs to stop processing. Only part of the print job might print and the rest might be canceled or error.
Note This issue also affects the Internet Explorer Cumulative Update KB4522007, release September 23, 2019.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4520007. If you are using Security Only updates, see KB4519974 for resolving KB for your platform.

Back to top		September 24, 2019
KB4516069		Resolved
KB4520007		Resolved:
October 08, 2019 
10:00 AM PT

Opened:
September 30, 2019 
06:26 PM PT

-      "
-
 - title: May 2019
 - items:
   - type: markdown
diff --git a/windows/release-information/windows-message-center.yml b/windows/release-information/windows-message-center.yml
index a158f15e9b..cd3d50c72c 100644
--- a/windows/release-information/windows-message-center.yml
+++ b/windows/release-information/windows-message-center.yml
@@ -23,21 +23,21 @@ sections:
     columns: 2
     items:
     
-    - href: https://blogs.windows.com/windowsexperience/2019/05/21/how-to-get-the-windows-10-may-2019-update/#1P75kJB6T5OhySyo.97
+    - href: https://aka.ms/how-to-get-1909
       html: Get the update >
       image: 
-        src: https://docs.microsoft.com/media/common/i_deploy.svg
-      title: Windows 10, version 1903 rollout in progress
-    - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Using-machine-learning-to-improve-the-Windows-10-update/ba-p/877860
-      html: Learn how machine learning informs each rollout >
+        src: http://docs.microsoft.com/media/common/i_download-install.svg
+      title: Windows 10, version 1909 now available
+    - href: https://aka.ms/1909mechanics
+      html: Explore the improvements >
       image: 
-        src: https://docs.microsoft.com/media/common/i_multi-connect.svg
-      title: Improving the Windows 10 update experience
-    - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-update-servicing-cadence/ba-p/222376
-      html: Learn more >
+        src: http://docs.microsoft.com/media/common/i_investigate.svg
+      title: Windows 10, version 1909 delivery options
+    - href: https://aka.ms/whats-new-in-1909
+      html: Learn about the latest capabilities for IT >
       image: 
-        src: https://docs.microsoft.com/media/common/i_investigate.svg
-      title: Windows 10 update servicing cadence
+        src: http://docs.microsoft.com/media/common/i_article.svg
+      title: What’s new in Windows 10, version 1909
     - href: https://docs.microsoft.com/windows/windows-10/release-information
       html: Visit the Windows 10 release information page >
       image: 
@@ -50,9 +50,15 @@ sections:
     text: "
       
       
+      
+      
+      
+      
+      
+      
-      
+      
diff --git a/windows/security/identity-protection/TOC.md b/windows/security/identity-protection/TOC.md
index a3c24b5cf6..b03ec007b8 100644
--- a/windows/security/identity-protection/TOC.md
+++ b/windows/security/identity-protection/TOC.md
@@ -1,5 +1,7 @@
 # [Identity and access management](index.md)
 
+## [Technical support policy for lost or forgotten passwords](password-support-policy.md)
+
 ## [Access Control Overview](access-control/access-control.md)
 ### [Dynamic Access Control Overview](access-control/dynamic-access-control.md)
 ### [Security identifiers](access-control/security-identifiers.md)
diff --git a/windows/security/identity-protection/credential-guard/additional-mitigations.md b/windows/security/identity-protection/credential-guard/additional-mitigations.md
index 63a6a403c2..d42dc24268 100644
--- a/windows/security/identity-protection/credential-guard/additional-mitigations.md
+++ b/windows/security/identity-protection/credential-guard/additional-mitigations.md
@@ -16,15 +16,15 @@ ms.date: 08/17/2017
 ms.reviewer: 
 ---
 
-## Additional mitigations
+# Additional mitigations
 
 Windows Defender Credential Guard can provide mitigations against attacks on derived credentials and prevent the use of stolen credentials elsewhere. However, PCs can still be vulnerable to certain attacks, even if the derived credentials are protected by Windows Defender Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, re-using previously stolen credentials prior to Windows Defender Device Guard, and abuse of management tools and weak application configurations. Because of this, additional mitigations also must be deployed to make the domain environment more robust.
 
-### Restricting domain users to specific domain-joined devices
+## Restricting domain users to specific domain-joined devices
 
 Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. If a user can sign on to multiple devices then any device could be used to steal credentials. How do you ensure that users only sign on using devices that have Windows Defender Credential Guard enabled? By deploying authentication policies that restrict them to specific domain-joined devices that have been configured with Windows Defender Credential Guard. For the domain controller to know what device a user is signing on from, Kerberos armoring must be used.
 
-#### Kerberos armoring
+### Kerberos armoring
 
 Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring, its TGT is used to protect the user's proof of possession which can mitigate offline dictionary attacks. Kerberos armoring also provides the additional benefit of signed KDC errors this mitigates tampering which can result in things such as downgrade attacks. 
 
@@ -34,7 +34,7 @@ Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring,
 -   All the domain controllers in these domains must be configured to support Kerberos armoring. Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**.
 -   All the devices with Windows Defender Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**.
 
-#### Protecting domain-joined device secrets
+### Protecting domain-joined device secrets
 
 Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Windows Defender Credential Guard, the private key can be protected. Then authentication policies can require that users sign on devices that authenticate using those certificates. This prevents shared secrets stolen from the device to be used with stolen user credentials to sign on as the user.
 
@@ -46,7 +46,7 @@ Domain-joined device certificate authentication has the following requirements:
 -   Windows 10 devices have the CA issuing the domain controller certificates in the enterprise store.
 -   A process is established to ensure the identity and trustworthiness of the device in a similar manner as you would establish the identity and trustworthiness of a user before issuing them a smartcard.
 
-##### Deploying domain-joined device certificates
+#### Deploying domain-joined device certificates
 
 To guarantee that certificates with the required issuance policy are only installed on the devices these users must use, they must be deployed manually on each device. The same security procedures used for issuing smart cards to users should be applied to device certificates.
 
@@ -78,7 +78,7 @@ CertReq -EnrollCredGuardCert MachineAuthentication
 > [!NOTE]
 > You must restart the device after enrolling the machine authentication certificate.
  
-##### How a certificate issuance policy can be used for access control
+#### How a certificate issuance policy can be used for access control
 
 Beginning with the Windows Server 2008 R2 domain functional level, domain controllers support for authentication mechanism assurance provides a way to map certificate issuance policy OIDs to universal security groups. Windows Server 2012 domain controllers with claim support can map them to claims. To learn more about authentication mechanism assurance, see [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](https://technet.microsoft.com/library/dd378897(v=ws.10).aspx) on TechNet.
 
@@ -100,7 +100,7 @@ Beginning with the Windows Server 2008 R2 domain functional level, domain contro
     .\set-IssuancePolicyToGroupLink.ps1 –IssuancePolicyName:"" –groupOU:"" –groupName:”"
     ```
 
-#### Restricting user sign on
+### Restricting user sign on
 
 So we now have completed the following:
 
@@ -129,17 +129,17 @@ Authentication policies have the following requirements:
 > [!NOTE]
 > When the authentication policy enforces policy restrictions, users will not be able to sign on using devices that do not have a certificate with the appropriate issuance policy deployed. This applies to both local and remote sign on scenarios. Therefore, it is strongly recommended to first only audit policy restrictions to ensure you don't have unexpected failures.
 
-##### Discovering authentication failures due to authentication policies
+#### Discovering authentication failures due to authentication policies
 
 To make tracking authentication failures due to authentication policies easier, an operational log exists with just those events. To enable the logs on the domain controllers, in Event Viewer, navigate to **Applications and Services Logs\\Microsoft\\Windows\\Authentication, right-click AuthenticationPolicyFailures-DomainController**, and then click **Enable Log**.
 
 To learn more about authentication policy events, see [Authentication Policies and Authentication Policy Silos](https://technet.microsoft.com/library/dn486813(v=ws.11).aspx).
 
-### Appendix: Scripts
+## Appendix: Scripts
 
 Here is a list of scripts mentioned in this topic.
 
-#### Get the available issuance policies on the certificate authority
+### Get the available issuance policies on the certificate authority
 
 Save this script file as get-IssuancePolicy.ps1.
 
@@ -330,7 +330,7 @@ write-host "There are no issuance policies which are not mapped to groups"
 > [!NOTE]
 > If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.
  
-#### Link an issuance policy to a group
+### Link an issuance policy to a group
 
 Save the script file as set-IssuancePolicyToGroupLink.ps1.
 
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md
index 60d02adb71..6d52746433 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md
@@ -1,5 +1,5 @@
 ---
-title: Considerations when using Windows Defender Credential Guard (Windows 10)
+title: Advice while using Windows Defender Credential Guard (Windows 10)
 description: Considerations and recommendations for certain scenarios when using Windows Defender Credential Guard in Windows 10.
 ms.prod: w10
 ms.mktglfcycl: explore
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md b/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md
index b2f1d37cea..0083c4e274 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md
@@ -1,6 +1,6 @@
 ---
-title: Windows Defender Credential Guard protection limits (Windows 10)
-description: Scenarios not protected by Windows Defender Credential Guard in Windows 10.
+title: Windows Defender Credential Guard protection limits & mitigations (Windows 10)
+description: Scenarios not protected by Windows Defender Credential Guard in Windows 10, and additional mitigations you can use.
 ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md b/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md
index bd6b456162..104cadf507 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md
@@ -22,9 +22,6 @@ ms.reviewer:
 -   Windows 10
 -   Windows Server 2016
 
-Prefer video? See [Credentials protected by Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474)
-in the Deep Dive into Windows Defender Credential Guard video series.
-
 Some ways to store credentials are not protected by Windows Defender Credential Guard, including:
 
 -   Software that manages credentials outside of Windows feature protection
@@ -46,4 +43,6 @@ do not qualify as credentials because they cannot be presented to another comput
 
 **Deep Dive into Windows Defender Credential Guard: Related videos**
 
-[Protecting privileged users with Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=JNbjYMJyC_8104300474)
+[Microsoft Cybersecurity Stack: Advanced Identity and Endpoint Protection: Manage Credential Guard](https://www.linkedin.com/learning/microsoft-cybersecurity-stack-advanced-identity-and-endpoint-protection/manage-credential-guard?u=3322)
+> [!NOTE]
+> - Note: Requires [LinkedIn Learning subscription](https://www.linkedin.com/learning/subscription/products) to view the full video
diff --git a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
index 9197e2d07d..013c2a4130 100644
--- a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
+++ b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
@@ -1,6 +1,6 @@
 ---
-title: Planning an adequate number of Windows Server 2019 Domain Controllers for Windows Hello for Business deployments
-description: Planning an adequate number of Windows Server 2019 Domain Controllers for Windows Hello for Business deployments
+title: Having enough Domain Controllers for Windows Hello for Business deployments
+description: Guide for planning to have an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments
 keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
index 4563787217..a98db0c85a 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
@@ -1,6 +1,6 @@
 ---
-title: Prepare and Deploy Windows Server 2016 Active Directory Federation Services (Windows Hello for Business)
-description: How toPrepare and Deploy Windows Server 2016 Active Directory Federation Services for Windows Hello for Business
+title: Prepare & Deploy Windows AD FS certificate trust (Windows Hello for Business)
+description: How to Prepare and Deploy Windows Server 2016 Active Directory Federation Services (AD FS) for Windows Hello for Business
 keywords: identity, PIN, biometric, Hello, passport
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -54,6 +54,7 @@ Windows Hello for Business on-premises deployments require a federation server f
 The AD FS role needs a server authentication certificate for the federation services, but you can use a certificate issued by your enterprise (internal) certificate authority.  The server authentication certificate should have the following names included in the certificate if you are requesting an individual certificate for each node in the federation farm:
 * Subject Name: The internal FQDN of the federation server (the name of the computer running AD FS)
 * Subject Alternate Name: Your federation service name, such as *fs.corp.contoso.com* (or an appropriate wildcard entry such as *.corp.contoso.com)
+* Subject Alternate Name: Your device registration service name, such as *enterpriseregistration.contoso.com*
 
 You configure your federation service name when you configure the AD FS role. You can choose any name, but that name must be different than the name of the server or host. For example, you can name the host server **adfs** and the federation service **fs**.  The FQDN of the host is adfs.corp.contoso.com and the FQDN of the federation service is fs.corp.contoso.com.
 
@@ -193,6 +194,9 @@ Sign-in the federation server with _domain administrator_ equivalent credentials
 
 ### Add the AD FS Service account to the KeyCredential Admin group and the Windows Hello for Business Users group
 
+> [!NOTE]
+> If you have a Windows Server 2016 domain controller in your domain, you can use the **Key Admins** group instead of **KeyCredential Administrators** and skip the **Configure Permissions for Key Registration** step.
+
 The **KeyCredential Administrators** global group provides the AD FS service with the permissions needed to perform key registration.  The Windows Hello for Business group provides the AD FS service with the permissions needed to enroll a Windows Hello for Business authentication certificate on behalf of the provisioning user.
 
 Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials.
@@ -363,9 +367,12 @@ Active Directory Federation Server used for Windows Hello for Business certifica
 Approximately 60 days prior to enrollment agent certificate’s expiration, the AD FS service attempts to renew the certificate until it is successful.  If the certificate fails to renew, and the certificate expires, the AD FS server will request a new enrollment agent certificate.  You can view the AD FS event logs to determine the status of the enrollment agent certificate.
 
 ### Service Connection Point (SCP) in Active Directory for ADFS Device Registration Service
+> [!NOTE]
+> Normally this script is not needed, as enabling Device Registration via the ADFS Management console already creates the objects. You can validate the SCP using the script below. For detailed information about the Device Registration Service, see [Configuring Device Registration](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn614658(v=ws.11)?redirectedfrom=MSDN)
+
 Now you will add the Service connection Point to ADFS device registration Service for your Active directory by running the following script:
 
->[!TIP] 
+> [!TIP]
 > Make sure to change the $enrollmentService and $configNC variables before running the script.
 
 ```Powershell
@@ -483,7 +490,7 @@ Before you continue with the deployment, validate your deployment progress by re
 * Confirm you properly configured the Windows Hello for Business authentication certificate template—to include:   
     * Issuance requirements of an authorized signature from a certificate request agent.
     * The certificate template was properly marked as a Windows Hello for Business certificate template using certutil.exe
-    * The Windows Hello for Business Users group, or equivalent has the allow enroll and allow auto enroll permissions
+    * The Windows Hello for Business Users group, or equivalent has the allow enroll permissions
 * Confirm all certificate templates were properly published to the appropriate issuing certificate authorities.
 * Confirm the AD FS service account has the allow enroll permission for the Windows Hello Business authentication certificate template.
 * Confirm the AD FS certificate registration authority is properly configured using the `Get-AdfsCertificateAuthority` Windows PowerShell cmdlet.
@@ -496,6 +503,11 @@ Before you continue with the deployment, validate your deployment progress by re
 
 You need to verify the AD FS service has properly enrolled for an enrollment agent certificate template.  You can verify this is a variety ways, depending on if your service account is a normal user account or if the service account is a group managed service account.
 
+> [!IMPORTANT]
+> After following the previous steps, if you are unable to validate that the devices are, in fact, being registered automatically, there is a Group Policy at:
+> **Computer Configuration > Policies > Administrative Templates > Windows Components > Device Registration >** "Register Domain Joined Computers As Devices". Set the policy to **Enabled**
+> and the registration will happen automatically.
+
 ### Event Logs
 
 Use the event logs on the AD FS service to confirm the service account enrolled for an enrollment agent certificate.  First, look for the AD FS event ID 443 that confirms certificate enrollment cycle has finished.  Once confirmed the AD FS certificate enrollment cycle completed review the CertificateLifecycle-User event log.  In this event log, look for event ID 1006, which indicates a new certificate was installed.  Details of the event log should show
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
index b353c305a2..c6b2d2ced0 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
@@ -1,5 +1,5 @@
 ---
-title: Configure Windows Hello for Business Policy settings (Windows Hello for Business)
+title: Configure Windows Hello for Business Policy settings - certificate trust
 description: Configure Windows Hello for Business Policy settings for Windows Hello for Business
 keywords: identity, PIN, biometric, Hello, passport
 ms.prod: w10
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
index 9a09812b07..f3b86a3536 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
@@ -1,6 +1,6 @@
 ---
-title: Validate Active Directory prerequisites (Windows Hello for Business)
-description: How to Validate Active Directory prerequisites for Windows Hello for Business
+title: Update Active Directory schema for cert-trust deployment (Windows Hello for Business)
+description: How to Validate Active Directory prerequisites for Windows Hello for Business when deploying with the certificate trust model.
 keywords: identity, PIN, biometric, Hello, passport
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -24,7 +24,7 @@ ms.reviewer:
 -   Certificate trust
 
 
-The key registration process for the On-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema.  The key-trust model receives the schema extension when the first Windows Server 2016 domain controller is added to the forest.  The certificate trust model requires manually updating the current schema to the Windows Server 2016 schema. If you already have a Windows Server 2016 domain controller in your forest, you can skip the next step.
+The key registration process for the On-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema.  The key-trust model receives the schema extension when the first Windows Server 2016 domain controller is added to the forest.  The certificate trust model requires manually updating the current schema to the Windows Server 2016 schema. If you already have a Windows Server 2016 domain controller in your forest, you can skip the **Updating the Schema** and **Create the KeyCredential Admins Security Global Group** steps.
 
 Manually updating Active Directory uses the command-line utility **adprep.exe** located at **\:\support\adprep** on the Windows Server 2016 DVD or ISO.  Before running adprep.exe, you must identify the domain controller hosting the schema master role.
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
index ff7f5deec6..a125f1f5ad 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
@@ -1,6 +1,6 @@
 ---
-title: Validate and Deploy Multifactor Authentication Services (MFA) (Windows Hello for Business)
-description: How to Validate and Deploy Multifactor Authentication Services for Windows Hello for Business
+title: Validate and Deploy MFA for Windows Hello for Business with certificate trust
+description: How to Validate and Deploy Multifactor Authentication (MFA) Services for Windows Hello for Business
 keywords: identity, PIN, biometric, Hello, passport
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md
index 2e79df76db..e0c4077f94 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md
@@ -1,5 +1,5 @@
 ---
-title: Validate Public Key Infrastructure (Windows Hello for Business)
+title: Validate Public Key Infrastructure - certificate trust model (Windows Hello for Business)
 description: How to Validate Public Key Infrastructure for Windows Hello for Business
 keywords: identity, PIN, biometric, Hello, passport
 ms.prod: w10
@@ -69,7 +69,7 @@ Sign-in to a certificate authority or management workstations with _Domain Admin
 4. On the **Compatibility** tab, clear the **Show resulting changes** check box.  Select **Windows Server 2008 R2** from the **Certification Authority** list. Select **Windows 7.Server 2008 R2** from the **Certification Recipient** list.
 5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name.  Adjust the validity and renewal period to meet your enterprise’s needs.   
     **Note**If you use different template names, you’ll need to remember and substitute these names in different portions of the lab.
-6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected.  Select **None** from the **Subject name format** list.  Select **DNS name** from the **Include this information in alternate subject** list. Clear all other items.
+6. On the **Subject Name** tab, select the **Build from this Active Directory information** button if it is not already selected.  Select **None** from the **Subject name format** list.  Select **DNS name** from the **Include this information in alternate subject** list. Clear all other items.
 7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list.  Select **RSA** from the **Algorithm name** list.  Type **2048** in the **Minimum key size** text box.  Select **SHA256** from the **Request hash** list.  Click **OK**. 
 8. Close the console.
 
@@ -104,7 +104,7 @@ Sign-in to a certificate authority or management workstations with _Domain Admin
 5. On the **General** tab, type **Internal Web Server** in **Template display name**.  Adjust the validity and renewal period to meet your enterprise’s needs.   
     **Note:** If you use different template names, you’ll need to remember and substitute these names in different portions of the lab.
 6. On the **Request Handling** tab, select **Allow private key to be exported**.
-7. On the **Subject** tab, select the **Supply in the request** button if it is not already selected.
+7. On the **Subject Name** tab, select the **Supply in the request** button if it is not already selected.
 8. On the **Security** tab, Click **Add**. Type **Domain Computers** in the **Enter the object names to select** box.  Click **OK**. Select the **Allow** check box next to the **Enroll** permission.
 9. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list.  Select **RSA** from the **Algorithm name** list.  Type **2048** in the **Minimum key size** text box.  Select **SHA256** from the **Request hash** list.  Click **OK**. 
 10. Close the console.
diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
index cf4016e37e..300a074c68 100644
--- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
+++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
@@ -41,196 +41,64 @@ When a user encounters an error when creating the work PIN, advise the user to t
 5.  On mobile devices, if you are unable to setup a PIN after multiple attempts, reset your device and start over. For help on how to reset your phone go to [Reset my phone](https://go.microsoft.com/fwlink/p/?LinkId=715697).
 If the error occurs again, check the error code against the following table to see if there is another mitigation for that error. When no mitigation is listed in the table, contact Microsoft Support for assistance.
 
-
MessageDate
Windows 10, version 1909 now available
Learn how to get Windows 10, version 1909 (the November 2019 Update), and explore how we’ve worked to make this a great experience for all devices, including a new, streamlined (and fast) update experience for devices updating directly from the May 2019 Update.
November 12, 2019 
10:00 AM PT
Windows 10, version 1909 delivery options
Learn how devices running Windows 10, version 1903 can update to Windows 10, version 1909 using the same servicing technology used to deliver monthly quality updates, resulting in a single restart and reducing update-related downtime.
November 12, 2019 
10:00 AM PT
What’s new for IT pros in Windows 10, version 1909
Explore the latest features for IT, get information about media availability and related tools, and find answers to frequently asked questions.
November 12, 2019 
10:00 AM PT
Take action: November 2019 security update available for all supported versions of Windows
The November 2019 security update release, referred to as our “B” release, is now available for all supported versions of Windows. We recommend that you install these updates promptly. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. To be informed about the latest updates and releases, follow us on Twitter @WindowsUpdate.
November 12, 2019 
10:00 AM PT
Timing of Windows 10 optional update releases (November/December 2019)
For the balance of this calendar year, there will be no optional non-security “C” and “D” releases for Windows 10. The \"C\" releases normally target the third week of the month, with \"D\" releases targeting the fourth week. Note There will be a December Security Update Tuesday release, as usual. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer
November 12, 2019 
10:00 AM PT
Windows 10, version 1803 Home and Pro editions have reached end of service
Windows 10, version 1803 (the April 2018 Update) Home and Pro editions have reached end of service. For Windows 10 devices that are at, or within several months of reaching end of service, Windows Update will automatically initiate a feature update (with users having the ability to choose a convenient time); keeping those devices supported and receiving the monthly updates that are critical to device security and ecosystem health. For more information on end of service dates for currently supported versions of Windows 10, see the Windows lifecycle fact sheet.
November 12, 2019 
10:00 AM PT

       
October 2019 Windows 10, version 1903 \"D\" optional release is available.
The October 2019 optional monthly “D” release for Windows 10, version 1903 is now available. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. Follow @WindowsUpdate for the latest on the availability of this release.
October 24, 2019 
08:00 AM PT

       
October 2019 Windows \"C\" optional release is available.
The October 2019 optional monthly “C” release for all supported versions of Windows is now available. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. Follow @WindowsUpdate for the latest on the availability of this release.
October 15, 2019 
09:59 AM PT
Windows 10, version 1703 has reached end of service
Consumer and commercial editions of Windows 10, version 1703 have reached end of service. As devices running these editions are no longer receiving monthly security and quality updates containing protections from the latest security threats, we recommend that you update these devices to the latest version of Windows 10 immediately. For more information on end of service dates currently supported versions of Windows 10, see the Windows lifecycle fact sheet.
October 09, 2019 
12:00 PM PT
Windows 10, version 1703 has reached end of service
Consumer and commercial editions of Windows 10, version 1703 have reached end of service. As devices running these editions are no longer receiving monthly security and quality updates containing protections from the latest security threats, we recommend that you update these devices to the latest version of Windows 10 immediately. For more information on end of service dates for currently supported versions of Windows 10, see the Windows lifecycle fact sheet.

Note The Windows 10, version 1703 section will be removed from this dashboard on November 12, 2019.
October 09, 2019 
12:00 PM PT

       
Take Action: October 2019 security update available for all supported versions of Windows
The October 2019 security update release, referred to as our “B” release, is now available for Windows 10, version 1903 and all supported versions of Windows. We recommend that you install these updates promptly. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. To be informed about the latest updates and releases, follow us on Twitter @WindowsUpdate.
 
October 08, 2019 
08:00 AM PT

       
Take action: Security update available for all supported versions of Windows
On October 3, 2019, Microsoft expanded delivery of the out-of-band Internet Explorer scripting engine security vulnerability (CVE-2019-1367) update released on September 23, 2019 to Windows Update and Windows Server Update Services (WSUS). This is now a required security update for all supported versions of Windows as it includes the Internet Explorer scripting engine vulnerability mitigation and corrects a recent printing issue some users have experienced. All customers using Windows Update or WSUS will be offered this update automatically. We recommend that you install this update as soon as a possible, then restart your PC to fully apply the mitigations and help secure your devices. As with all cumulative updates, this update supersedes any preceding update.
 
Note: This update does not replace the standard October 2019 monthly security update release, which is scheduled for October 8, 2019.
October 03, 2019 
08:00 AM PT

       
September 2019 Windows 10, version 1903 \"D\" optional release is available
The September 2019 optional monthly “D” release for Windows 10, version 1903 is now available. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. Follow @WindowsUpdate for the latest on the availability of this release.
September 26, 2019 
02:00 PM PT

+| Hex        | Cause                                                              | Mitigation                                  |
+| :--------- | :----------------------------------------------------------------- | :------------------------------------------ |
+| 0x80090005 | NTE\_BAD\_DATA                                                     | Unjoin the device from Azure AD and rejoin. |
+| 0x8009000F | The container or key already exists.                               | Unjoin the device from Azure AD and rejoin. |
+| 0x80090011 | The container or key was not found.                                | Unjoin the device from Azure AD and rejoin. |
+| 0x80090029 | TPM is not set up.                                                 | Sign on with an administrator account. Click **Start**, type "tpm.msc", and select **tpm.msc Microsoft Common Console Document**. In the **Actions** pane, select **Prepare the TPM**. |
+| 0x8009002A | NTE\_NO\_MEMORY                                                    | Close programs which are taking up memory and try again. |
+| 0x80090031 | NTE\_AUTHENTICATION\_IGNORED                                       | Reboot the device. If the error occurs again after rebooting, [reset the TPM](https://go.microsoft.com/fwlink/p/?LinkId=619969) or run [Clear-TPM](https://go.microsoft.com/fwlink/p/?LinkId=629650). |
+| 0x80090035 | Policy requires TPM and the device does not have TPM.              | Change the Windows Hello for Business policy to not require a TPM. |
+| 0x80090036 | User canceled an interactive dialog.                               | User will be asked to try again. |
+| 0x801C0003 | User is not authorized to enroll.                                  | Check if the user has permission to perform the operation​. |
+| 0x801C000E | Registration quota reached.                                        | Unjoin some other device that is currently joined using the same account or [increase the maximum number of devices per user](https://go.microsoft.com/fwlink/p/?LinkId=626933). |
+| 0x801C000F | Operation successful, but the device requires a reboot.            | Reboot the device.               |
+| 0x801C0010 | The AIK certificate is not valid or trusted.                       | Sign out and then sign in again. |
+| 0x801C0011 | The attestation statement of the transport key is invalid.         | Sign out and then sign in again. |
+| 0x801C0012 | Discovery request is not in a valid format.                        | Sign out and then sign in again. |
+| 0x801C0015 | The device is required to be joined to an Active Directory domain. | ​Join the device to an Active Directory domain. |
+| 0x801C0016 | The federation provider configuration is empty                     | Go to http://clientconfig.microsoftonline-p.net/FPURL.xml and verify that the file is not empty. |
+| 0x801C0017 | ​The federation provider domain is empty                            | Go to http://clientconfig.microsoftonline-p.net/FPURL.xml and verify that the FPDOMAINNAME element is not empty. |
+| 0x801C0018 | The federation provider client configuration URL is empty          | Go to http://clientconfig.microsoftonline-p.net/FPURL.xml and verify that the CLIENTCONFIG element contains a valid URL. |
+| 0x801C03E9 | Server response message is invalid                                 | Sign out and then sign in again. |
+| 0x801C03EA | Server failed to authorize user or device.                         | Check if the token is valid and user has permission to register Windows Hello for Business keys. |
+| 0x801C03EB | Server response http status is not valid                           | Sign out and then sign in again. |
+| 0x801C03EC | Unhandled exception from server.                                   | sign out and then sign in again. |
+| 0x801C03ED | Multi-factor authentication is required for a 'ProvisionKey' operation, but was not performed. 

 -or- 

 Token was not found in the Authorization header. 

 -or- 

 Failed to read one or more objects. 

 -or- 

 The request sent to the server was invalid. | Sign out and then sign in again. If that doesn't resolve the issue, unjoin the device from Azure Active Directory (Azure AD) and rejoin.
+| 0x801C03EE | Attestation failed.                                                | Sign out and then sign in again. |
+| 0x801C03EF | The AIK certificate is no longer valid.                            | Sign out and then sign in again. |
+| 0x801C03F2 | Windows Hello key registration failed.                             | ERROR\_BAD\_DIRECTORY\_REQUEST. Another object with the same value for property proxyAddresses already exists. To resolve the issue refer to [Duplicate Attributes Prevent Dirsync](https://docs.microsoft.com/office365/troubleshoot/administration/duplicate-attributes-prevent-dirsync).
+| 0x801C044D | Authorization token does not contain device ID.                    | Unjoin the device from Azure AD and rejoin. |
+|            | Unable to obtain user token.                                       | Sign out and then sign in again. Check network and credentials. |
+| 0x801C044E | Failed to receive user credentials input.                          | Sign out and then sign in again. |
 
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- 
- 
- 
-
-
-
-
-
-
-
-
-
-
-
-
-
-
HexCauseMitigation
0x801C044DAuthorization token does not contain device IDUnjoin the device from Azure AD and rejoin
0x80090036User canceled an interactive dialogUser will be asked to try again
0x80090011The container or key was not foundUnjoin the device from Azure AD and rejoin
0x8009000FThe container or key already existsUnjoin the device from Azure AD and rejoin
0x8009002ANTE_NO_MEMORYClose programs which are taking up memory and try again.
0x80090005NTE_BAD_DATAUnjoin the device from Azure AD and rejoin
0x80090029TPM is not set up.Sign on with an administrator account. Click Start, type "tpm.msc", and select tpm.msc Microsoft Common Console Document. In the Actions pane, select Prepare the TPM. 
0x80090031NTE_AUTHENTICATION_IGNOREDReboot the device. If the error occurs again after rebooting, reset the TPM or run Clear-TPM
0x80090035Policy requires TPM and the device does not have TPM.Change the Windows Hello for Business policy to not require a TPM.
0x801C0003User is not authorized to enrollCheck if the user has permission to perform the operation​.
0x801C000ERegistration quota reached
Unjoin some other device that is currently joined using the same account or increase the maximum number of devices per user.
0x801C000FOperation successful but the device requires a rebootReboot the device.
0x801C0010The AIK certificate is not valid or trustedSign out and then sign in again.
0x801C0011The attestation statement of the transport key is invalidSign out and then sign in again.
0x801C0012Discovery request is not in a valid formatSign out and then sign in again.
0x801C0015The device is required to be joined to an Active Directory domain​Join the device to an Active Directory domain.
0x801C0016The federation provider configuration is emptyGo to http://clientconfig.microsoftonline-p.net/FPURL.xml and verify that the file is not empty.
0x801C0017​The federation provider domain is emptyGo to http://clientconfig.microsoftonline-p.net/FPURL.xml and verify that the FPDOMAINNAME element is not empty.
0x801C0018The federation provider client configuration URL is emptyGo to http://clientconfig.microsoftonline-p.net/FPURL.xml and verify that the CLIENTCONFIG element contains a valid URL.
0x801C03E9Server response message is invalidSign out and then sign in again.
0x801C03EAServer failed to authorize user or device.Check if the token is valid and user has permission to register Windows Hello for Business keys.
0x801C03EBServer response http status is not validSign out and then sign in again.
0x801C03ECUnhandled exception from server.sign out and then sign in again.
0x801C03ED
Multi-factor authentication is required for a 'ProvisionKey' operation, but was not performed

-
-or-

-
Token was not found in the Authorization header

-
-or-

-
Failed to read one or more objects

-
-or-
The request sent to the server was invalid.
Sign out and then sign in again. If that doesn't resolve the issue, unjoin the device from Azure Active Directory (Azure AD) and rejoin.
0x801C03EEAttestation failedSign out and then sign in again.
0x801C03EFThe AIK certificate is no longer validSign out and then sign in again.
0x801C03F2Windows Hello key registration failed.ERROR_BAD_DIRECTORY_REQUEST. Another object with the same value for property proxyAddresses already exists. To resolve the issue refer to Duplicate Attributes Prevent Dirsync. 
0x801C044DUnable to obtain user tokenSign out and then sign in again. Check network and credentials.
0x801C044EFailed to receive user creds inputSign out and then sign in again.

 
 ## Errors with unknown mitigation
 
 For errors listed in this table, contact Microsoft Support for assistance.
 
-| Hex         | Cause     |
+| Hex         | Cause   |
 |-------------|---------|
-| 0x80072f0c  | Unknown    |
-| 0x80070057 | Invalid parameter or argument is passed |
-| 0x80090027  | Caller provided wrong parameter. If third-party code receives this error they must change their code. |
-| 0x8009002D  | NTE\_INTERNAL\_ERROR   |
-| 0x80090020  | NTE\_FAIL     |
-| 0x801C0001  | ​ADRS server response is not in valid format    |
-| 0x801C0002  | Server failed to authenticate the user   |
-| 0x801C0006  | Unhandled exception from server    |
-| 0x801C000C  | Discovery failed      |
-| 0x801C001B  | ​The device certificate is not found    |
-| 0x801C000B  | Redirection is needed and redirected location is not a well known server   |
+| 0X80072F0C  | Unknown |
+| 0x80070057  | Invalid parameter or argument is passed. |
+| 0x80090020  | NTE\_FAIL |
+| 0x80090027  | Caller provided a wrong parameter. If third-party code receives this error, they must change their code. |
+| 0x8009002D  | NTE\_INTERNAL\_ERROR |
+| 0x801C0001  | ​ADRS server response is not in a valid format. |
+| 0x801C0002  | Server failed to authenticate the user. |
+| 0x801C0006  | Unhandled exception from server. |
+| 0x801C000B  | Redirection is needed and redirected location is not a well known server. |
+| 0x801C000C  | Discovery failed. |
+| 0x801C0013  | Tenant ID is not found in the token. |
+| 0x801C0014  | User SID is not found in the token. |
 | 0x801C0019  | ​The federation provider client configuration is empty    |
-| 0x801C001A  | The DRS endpoint in the federation provider client configuration is empty   |
-| 0x801C0013  | Tenant ID is not found in the token    |
-| 0x801C0014  | User SID is not found in the token       |
-| 0x801C03F1  | There is no UPN in the token       |
-| 0x801C03F0  | ​There is no key registered for the user   |
-| 0x801C03F1  | ​There is no UPN in the token          |
-| ​0x801C044C | There is no core window for the current thread     |
- 
+| 0x801C001A  | The DRS endpoint in the federation provider client configuration is empty. |
+| 0x801C001B  | ​The device certificate is not found. |
+| 0x801C03F0  | ​There is no key registered for the user. |
+| 0x801C03F1  | ​There is no UPN in the token. |
+| ​0x801C044C  | There is no core window for the current thread. |
+
 
 ## Related topics
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md
index 1db3c21e10..015331499c 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md
@@ -51,7 +51,7 @@ In this task you will
 
 The designed Windows for Business configuration has you give the **Key Admins** (or **KeyCredential Admins** when using domain controllers prior to Windows Server 2016) group read and write permissions to the msDS-KeyCredentialsLink attribute.  You provided these permissions at root of the domain and use object inheritance to ensure the permissions apply to all users in the domain regardless of their location within the domain hierarchy.
 
-Active Directory Domain Services uses AdminSDHolder to secure privileged users and groups from unintentional modification by comparing and replacing the security on privileged users and groups to match those defined on the AdminSDHolder object on an hourly cycle. For Windows Hello for Business, your domain administrator account may receive the permissions but will they will disappear from the user object unless you give the AdminSDHolder read and write permissions to the msDS-KeyCredential attribute.
+Active Directory Domain Services uses AdminSDHolder to secure privileged users and groups from unintentional modification by comparing and replacing the security on privileged users and groups to match those defined on the AdminSDHolder object on an hourly cycle. For Windows Hello for Business, your domain administrator account may receive the permissions but they will disappear from the user object unless you give the AdminSDHolder read and write permissions to the msDS-KeyCredential attribute.
 
 Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_.
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
index 62304559ae..b05057da97 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
@@ -1,5 +1,5 @@
 ---
-title: Conditional Access
+title: Dynamic lock
 description: Conditional Access
 keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, conditional access
 ms.prod: w10
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
index 6e32dda47f..a40f945ba3 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
@@ -30,12 +30,12 @@ ms.reviewer:
 - Azure Active Directory
 - Hybrid Windows Hello for Business deployment
 - Azure AD registered, Azure AD joined, and Hybrid Azure AD joined
-- Windows 10, version 1709 or later, **Enterprise Edition**
+- Windows 10, version 1709 to 1809, **Enterprise Edition**. There is no licensing requirement for this feature since version 1903.
 
 The Microsoft PIN reset services enables you to help users recover who have forgotten their PIN.  Using Group Policy, Microsoft Intune or a compatible MDM, you can configure Windows 10 devices to securely use the Microsoft PIN reset service that enables users to reset their forgotten PIN through settings or above the lock screen without requiring re-enrollment.
 
 >[!IMPORTANT]
-> The Microsoft PIN Reset service only works with Windows 10, version 1709 or later **Enterprise Edition**.  The feature does not work with the **Pro** edition.]
+> The Microsoft PIN Reset service only works with Windows 10, version 1709 to 1809 with **Enterprise Edition**.  The feature works with **Pro** edition with Windows 10, version 1903 and newer.
 
 ### Onboarding the Microsoft PIN reset service to your Intune tenant
 
@@ -43,20 +43,26 @@ Before you can remotely reset PINs, you must on-board the Microsoft PIN reset se
 
 ### Connect Azure Active Directory with the PIN reset service
 
-1. Visit [Microsoft PIN Reset Service Integration website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent), and sign in using the tenant administrator account you use to manage your Azure Active Directory tenant.
-2. After you log in, click **Accept** to give consent for the PIN reset service to access your account.

-![PIN reset service application in Azure](images/pinreset/pin-reset-service-home-screen.png)

-3. In the Azure portal, you can verify that the Microsoft PIN reset service is integrated from the **Enterprise applications** blade. Filter to application status "Enabled" and both Microsoft Pin Reset Service Production and Microsoft Pin Reset Client Production will show up in your tenant.

-![PIN reset service permissions page](images/pinreset/pin-reset-service-application.png)
+1. Go to the [Microsoft PIN Reset Service Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent), and sign in using the tenant administrator account you use to manage your Azure Active Directory tenant.
+2. After you log in, click **Accept** to give consent for the PIN reset service to access your account.
+![PIN reset service application in Azure](images/pinreset/pin-reset-service-prompt.png)
+3. Go to the [Microsoft PIN Reset Client Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent), and sign in using the tenant administrator account you use to manage your Azure Active Directory tenant.
+4. After you log in, click **Accept** to give consent for the PIN reset client to access your account.
+![PIN reset client application in Azure](images/pinreset/pin-reset-client-prompt.png)
+5. In the [Azure portal](https://portal.azure.com), verify that the Microsoft PIN Reset Service and Microsoft PIN Reset Client are integrated from the **Enterprise applications** blade. Filter to application status "Enabled" and both Microsoft Pin Reset Service Production and Microsoft Pin Reset Client Production will show up in your tenant.
+![PIN reset service permissions page](images/pinreset/pin-reset-applications.png)
+
+>[!NOTE]
+>After you Accept the PIN reset service and client requests, you will land on a page that states "You do not have permission to view this directory or page." This behavior is expected. Be sure to confirm that the two PIN Reset applications are listed for your tenant.
 
 ### Configure Windows devices to use PIN reset using Group Policy
 
-You configure Windows 10 to use the Microsoft PIN Reset service using the computer configuration portion of a Group Policy object. 
+You configure Windows 10 to use the Microsoft PIN Reset service using the computer configuration portion of a Group Policy object.
 
 1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer accounts in Active Directory.
 2. Edit the Group Policy object from step 1.
 3. Enable the **Use PIN Recovery** policy setting located under **Computer Configuration->Administrative Templates->Windows Components->Windows Hello for Business**.
-4. Close the Group Policy Management Editor to save the Group Policy object.  Close the GPMC. 
+4. Close the Group Policy Management Editor to save the Group Policy object.  Close the GPMC.
 
 ### Configure Windows devices to use PIN reset using Microsoft Intune
 
@@ -64,7 +70,7 @@ To configure PIN reset on Windows devices you manage, use an [Intune Windows 10
 
 #### Create a PIN Reset Device configuration profile using Microsoft Intune
 
-1. Sign-in to [Azure Portal](https://portal.azure.com) using a tenant administrator account. 
+1. Sign-in to [Azure Portal](https://portal.azure.com) using a tenant administrator account.
 2. You need your tenant ID to complete the following task.  You can discovery your tenant ID viewing the **Properties** of your Azure Active Directory from the Azure Portal. It will be listed under Directory ID. You can also use the following command in a command Window on any Azure AD joined or hybrid Azure AD joined computer.

 
     ```
diff --git a/windows/security/identity-protection/hello-for-business/hello-features.md b/windows/security/identity-protection/hello-for-business/hello-features.md
index 950be3148c..d9832ef853 100644
--- a/windows/security/identity-protection/hello-for-business/hello-features.md
+++ b/windows/security/identity-protection/hello-for-business/hello-features.md
@@ -15,7 +15,7 @@ manager: dansimp
 ms.collection: M365-identity-device-management
 ms.topic: article
 localizationpriority: medium
-ms.date: 05/05/2018
+ms.date: 11/27/2019
 ---
 # Windows Hello for Business Features
 
@@ -25,238 +25,25 @@ ms.date: 05/05/2018
 
 Consider these additional features you can use after your organization deploys Windows Hello for Business.
 
-## Conditional access 
+## Conditional access
 
-**Requirements:**
-* Azure Active Directory  
-* Hybrid Windows Hello for Business deployment 
-
-
-In a mobile-first, cloud-first world, Azure Active Directory enables single sign-on to devices, applications, and services from anywhere. With the proliferation of devices (including BYOD), work off corporate networks, and 3rd party SaaS applications, IT professionals are faced with two opposing goals:+  
-* Empower the end users to be productive wherever and whenever
-* Protect the corporate assets at any time
- 
-To improve productivity, Azure Active Directory provides your users with a broad range of options to access your corporate assets. With application access management, Azure Active Directory enables you to ensure that only the right people can access your applications. What if you want to have more control over how the right people are accessing your resources under certain conditions? What if you even have conditions under which you want to block access to certain applications even for the right people? For example, it might be OK for you if the right people are accessing certain applications from a trusted network; however, you might not want them to access these applications from a network you don't trust. You can address these questions using conditional access.
-
-Read [Conditional access in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-azure-portal) to learn more about Conditional Access.  Afterwards, read [Getting started with conditional access in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-azure-portal-get-started) to start deploying Conditional access.
+Azure Active Directory provides a wide set of options for protecting access to corporate resources. Conditional access provides more fine grained control over who can access certain resources and under what conditions. For more information see [Conditional Access](hello-feature-conditional-access.md).
 
 ## Dynamic lock
 
-**Requirements:**
-* Windows 10, version 1703
-
-Dynamic lock enables you to configure Windows 10 devices to automatically lock when Bluetooth paired device signal falls below the maximum Received Signal Strength Indicator (RSSI) value.  You configure the dynamic lock policy using Group Policy.  You can locate the policy setting at **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**.  The name of the policy is **Configure dynamic lock factors**.
-
-The Group Policy Editor, when the policy is enabled, creates a default signal rule policy with the following value:
-
-> [!IMPORTANT]
->Microsoft recommends using the default values for this policy settings.  Measurements are relative based on the varying conditions of each environment.  Therefore, the same values may produce different results. Test policy settings in each environment prior to broadly deploying the setting. 
-
-```
- 
-	 
-
-```
-
-For this policy setting, the **type** and **scenario** attribute values are static and cannot change.  The **classofDevice** attribute defaults Phones and uses the values from the following table 
-
-|Description|Value|
-|:-------------|:-------:|
-|Miscellaneous|0|
-|Computer|256|
-|Phone|512|
-|LAN/Network Access Point|768|
-|Audio/Video|1024|
-|Peripheral|1280|
-|Imaging|1536|
-|Wearable|1792|
-|Toy|2048|
-|Health|2304|
-|Uncategorized|7936|
-
-The **rssiMin** attribute value signal indicates the strength needed for the device to be considered "in-range".  The default value of **-10** enables a user to move about an average size office or cubicle without triggering Windows to lock the device.  The **rssiMaxDelta** has a default value of **-10**, which instruct Windows 10 to lock the device once the signal strength weakens by more than measurement of 10.  
-
-RSSI measurements are relative and lower as the bluetooth signals between the two paired devices reduces. Therefore a measurement of 0 is stronger than -10, which is stronger than -60, which is an indicator the devices are moving further apart from each other.
+Dynamic lock uses a paired Bluetooth device to determine user presence and locks the device if a user is not present. For more information and configuration steps see [Dynamic Lock](hello-feature-dynamic-lock.md). 
 
 ## PIN reset
 
-**Applies to:**
--   Windows 10, version 1709 or later
-
-
-### Hybrid Deployments
-
-**Requirements:**
-- Azure Active Directory
-- Hybrid Windows Hello for Business deployment
-- Azure AD registered, Azure AD joined, and Hybrid Azure AD joined
-- Windows 10, version 1709 or later, **Enterprise Edition**
- 
-The Microsoft PIN reset services enables you to help users who have forgotten their PIN.  Using Group Policy, Microsoft Intune or a compatible MDM, you can configure Windows 10 devices to securely use the Microsoft PIN reset service that enables users to reset their forgotten PIN through settings or above the lock screen without requiring re-enrollment.
-
->[!IMPORTANT]
-> The Microsoft PIN Reset service only works with Windows 10, version 1709 or later **Enterprise Edition**.  The feature does not work with the **Pro** edition.
-
-#### Onboarding the Microsoft PIN reset service to your Intune tenant
-
-Before you can remotely reset PINs, you must on-board the Microsoft PIN reset service to your Azure Active Directory tenant, and configure devices you manage. 
-
-#### Connect Azure Active Directory with the PIN reset service
-
-1. Visit [Microsoft PIN Reset Service Integration website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent), and sign in using the tenant administrator account you use to manage your Azure Active Directory tenant.
-2. After you log in, click **Accept** to give consent for the PIN reset service to access your account.

-![PIN reset service application in Azure](images/pinreset/pin-reset-service-home-screen.png)

-3. In the Azure portal, you can verify that the Microsoft PIN reset service is integrated from the **Enterprise applications**, **All applications** blade.

-![PIN reset service permissions page](images/pinreset/pin-reset-service-application.png)
-
-#### Configure Windows devices to use PIN reset using Group Policy
-You configure Windows 10 to use the Microsoft PIN Reset service using the computer configuration portion of a Group Policy object. 
-
-1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer accounts in Active Directory.
-2. Edit the Group Policy object from step 1.
-3. Enable the **Use PIN Recovery** policy setting located under **Computer Configuration->Administrative Templates->Windows Components->Windows Hello for Business**.
-4. Close the Group Policy Management Editor to save the Group Policy object.  Close the GPMC. 
-
-#### Configure Windows devices to use PIN reset using Microsoft Intune
-To configure PIN reset on Windows devices you manage, use an [Intune Windows 10 custom device policy](https://docs.microsoft.com/intune/custom-settings-windows-10) to enable the feature. Configure the policy using the following Windows policy configuration service provider (CSP):
-
-##### Create a PIN Reset Device configuration profile using Microsoft Intune
-
-1. Sign-in to [Azure Portal](https://portal.azure.com) using a tenant administrator account. 
-2. You need your tenant ID to complete the following task.  You can discovery your tenant ID viewing the **Properties** of your Azure Active Directory from the Azure Portal.  You can also use the following command in a command Window on any Azure AD joined or hybrid Azure AD joined computer.

-   ```
-   dsregcmd /status | findstr -snip "tenantid"
-   ```
-3. Navigate to the Microsoft Intune blade. Click **Device configuration**. Click **Profiles**. Click **Create profile**.
-4. Type **Use PIN Recovery** in the **Name** field. Select **Windows 10 and later** from the **Platform** list.  Select **Custom** from the **Profile type** list.
-5. In the **Custom OMA-URI Settings** blade, Click **Add**.
-6. In the **Add Row** blade, type **PIN Reset Settings** in the **Name** field. In the **OMA-URI** field, type **./Device/Vendor/MSFT/PassportForWork/*tenant ID*/Policies/EnablePinRecovery** where *tenant ID* is your Azure Active Directory tenant ID from step 2.
-7. Select **Boolean** from the **Data type** list and select **True** from the **Value** list.
-8. Click **OK** to save the row configuration. Click **OK** to close the Custom OMA-URI Settings blade.  Click **Create to save the profile.
- 
-##### Assign the PIN Reset Device configuration profile using Microsoft Intune
-1. Sign-in to [Azure Portal](https://portal.azure.com) using a tenant administrator account. 
-2. Navigate to the Microsoft Intune blade. Click **Device configuration**. Click **Profiles**. From the list of device configuration profiles, click the profile that contains the PIN reset configuration.
-3. In the device configuration profile, click **Assignments**.
-4. Use the **Include** and/or **Exclude** tabs to target the device configuration profile to select groups.
-
-### On-premises Deployments
-
-**Requirements**
-* Active Directory
-* On-premises Windows Hello for Business deployment
-* Reset from settings - Windows 10, version 1703, Professional
-* Reset above Lock - Windows 10, version 1709, Professional
-
-On-premises deployments provide users with the ability to reset forgotten PINs either through the settings page or from above the user's lock screen.  Users must know or be provided their password for authentication, must perform a second factor of authentication, and then re-provision Windows Hello for Business.
-
->[!IMPORTANT]
->Users must have corporate network connectivity to domain controllers and the federation service to reset their PINs.
-
-#### Reset PIN from Settings
-1. Sign-in to Windows 10, version 1703 or later using an alternate credential.
-2. Open **Settings**, click **Accounts**, click **Sign-in options**.
-3. Under **PIN**, click **I forgot my PIN** and follow the instructions.
-
-#### Reset PIN above the Lock Screen
- 1. On Windows 10, version 1709, click **I forgot my PIN** from the Windows Sign-in
- 2. Enter your password and press enter.
- 3. Follow the instructions provided by the provisioning process
- 4. When finished, unlock your desktop using your newly created PIN.
-
->[!NOTE]
-> Visit the [Windows Hello for Business Videos](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos.md) page and watch the [Windows Hello for Business forgotten PIN user experience](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience) video.
+Windows Hello for Business supports user self-management of their PIN. If a user forgets their PIN, they have the ability to reset it from Settings or the lock screen. The Microsoft PIN reset service can be used for completing this reset without the user needing to enroll a new Windows Hello for Business credential. For more information and configuration steps see [Pin Reset](hello-feature-pin-reset.md).
 
 ## Dual Enrollment
 
-**Requirements**
-* Hybrid and On-premises Windows Hello for Business deployments
-* Enterprise Joined or Hybrid Azure joined devices
-* Windows 10, version 1709
+This feature enables provisioning of administrator Windows Hello for Business credentials that can be used by non-privileged accounts to perform administrative actions. These credentials can be used from the non-privileged accounts using **Run as different user** or **Run as administrator**. For more information and configuration steps see [Dual Enrollment](hello-feature-dual-enrollment.md).
 
-> [!NOTE]
-> This feature was previously known as **Privileged Credential** but was renamed to **Dual Enrollment** to prevent any confusion with the **Privileged Access Workstation** feature.
-
-> [!IMPORTANT]
-> Dual enrollment does not replace or provide the same security as Privileged Access Workstations feature.  Microsoft encourages enterprises to use the Privileged Access Workstations for their privileged credential users.  Enterprises can consider Windows Hello for Business dual enrollment in situations where the Privileged Access feature cannot be used.  Read [Privileged Access Workstations](https://docs.microsoft.com/windows-server/identity/securing-privileged-access/privileged-access-workstations) for more information.
-
-Dual enrollment enables administrators to perform elevated, administrative functions by enrolling both their non-privileged and privileged credentials on their device.
-
-By design, Windows 10 does not enumerate all Windows Hello for Business users from within a user's session.  Using the computer Group Policy setting, **Allow enumeration of emulated smart card for all users**, you can configure a device to enumerate all enrolled Windows Hello for Business credentials on selected devices. 
-
-With this setting, administrative users can sign-in to Windows 10, version 1709 using their non-privileged Windows Hello for Business credentials for normal work flow such as email, but can launch Microsoft Management Consoles (MMCs), Remote Desktop Services clients, and other applications by selecting **Run as different user** or **Run as administrator**, selecting the privileged user account, and providing their PIN.  Administrators can also take advantage of this feature with command line applications by using **runas.exe** combined with the **/smartcard** argument.  This enables administrators to perform their day-to-day operations without needing to sign-in and out, or use fast user switching when alternating between privileged and non-privileged workloads.
-
-> [!IMPORTANT]
-> You must configure a Windows 10 computer for Windows Hello for Business dual enrollment before either user (privileged or non-privileged) provisions Windows Hello for Business.  Dual enrollment is a special setting that is configured on the Windows Hello container during creation.
-
-### Configure Windows Hello for Business Dual Enroll
-In this task you will 
-- Configure Active Directory to support Domain Administrator enrollment
-- Configure Dual Enrollment using Group Policy
-
-#### Configure Active Directory to support Domain Administrator enrollment
-The designed Windows for Business configuration has you give the **Key Admins** (or **KeyCredential Admins** when using domain controllers prior to Windows Server 2016) group read and write permissions to the msDS-KeyCredentialsLink attribute.  You provided these permissions at root of the domain and use object inheritance to ensure the permissions apply to all users in the domain regardless of their location within the domain hierarchy.
-
-Active Directory Domain Services uses AdminSDHolder to secure privileged users and groups from unintentional modification by comparing and replacing the security on privileged users and groups to match those defined on the AdminSDHolder object on an hourly cycle. For Windows Hello for Business, your domain administrator account may receive the permissions but will they will disappear from the user object unless you give the AdminSDHolder read and write permissions to the msDS-KeyCredential attribute.
-
-Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_.
-
-1. Type the following command to add the **allow** read and write property permissions for msDS-KeyCredentialLink attribute for the **Key Admins** (or **KeyCredential Admins**) group on the AdminSDHolder object.

-```dsacls "CN=AdminSDHolder,CN=System,DC=domain,DC=com" /g "[domainName\keyAdminGroup]":RPWP;msDS-KeyCredentialLink```

-where **DC=domain,DC=com** is the LDAP path of your Active Directory domain and **domainName\keyAdminGroup]** is the NetBIOS name of your domain and the name of the group you use to give access to keys based on your deployment.  For example:

-```dsacls "CN=AdminSDHolder,CN=System,DC=corp,DC=mstepdemo,DC=net" /g "mstepdemo\Key Admins":RPWP;msDS-KeyCredentialLink```
-2. To trigger security descriptor propagation, open **ldp.exe**.
-3. Click **Connection** and select **Connect...**  Next to **Server**, type the name of the domain controller that holds the PDC role for the domain. Next to **Port**, type **389** and click **OK**.
-4. Click **Connection** and select **Bind...**  Click **OK** to bind as the currently signed-in user.
-5. Click **Browser** and select **Modify**.  Leave the **DN** text box blank.  Next to **Attribute**, type **RunProtectAdminGroupsTask**. Next to **Values**, type **1**.  Click **Enter** to add this to the **Entry List**.
-6. Click **Run** to start the task.
-7. Close LDP.  
-
-#### Configuring Dual Enrollment using Group Policy
-You configure Windows 10 to support dual enrollment using the computer configuration portion of a Group Policy object.
-
-1. Using the Group Policy Management Console (GPMC), create a new domain-based Group Policy object and link it to an organizational Unit that contains Active Directory computer objects used by privileged users.
-2. Edit the Group Policy object from step 1.
-3. Enable the **Allow enumeration of emulated smart cards for all users** policy setting located under **Computer Configuration->Administrative Templates->Windows Components->Windows Hello for Business**.
-4. Close the Group Policy Management Editor to save the Group Policy object.  Close the GPMC.
-5. Restart computers targeted by this Group Policy object. 
-
-The computer is ready for dual enrollment.  Sign-in as the privileged user first and enroll for Windows Hello for Business. Once completed, sign-out and sign-in as the non-privileged user and enroll for Windows Hello for Business.  You can now use your privileged credential to perform privileged tasks without using your password and without needing to switch users.
-
-## Remote Desktop with Biometrics 
-
-> [!Warning]
-> Some information relates to pre-released product that may change before it is commercially released.  Microsoft makes no warranties, express or implied, with respect to the information provided here. 
-
-**Requirements**
-- Hybrid and On-premises Windows Hello for Business deployments
-- Azure AD joined, Hybrid Azure AD joined, and Enterprise joined devices
-- Certificate trust deployments
-- Biometric enrollments
-- Windows 10, version 1809
-
-Users using earlier versions of Windows 10 could remote desktop to using Windows Hello for Business but were limited to the using their PIN as their authentication gesture.  Windows 10, version 1809 introduces the ability for users to authenticate to a remote desktop session using their Windows Hello for Business biometric gesture.  The feature is on by default, so your users can take advantage of it as soon as they upgrade to Windows 10, version 1809.
-
-> [!IMPORTANT]
-> The remote desktop with biometrics feature only works with certificate trust deployments.  The feature takes advantage of the redirected smart card capabilities of the remote desktop protocol.  Microsoft continues to investigate supporting this feature for key trust deployments.
-
-### How does it work 
-It start with creating cryptographic keys.  Windows generates and stores cryptographic keys using a software component called a key storage provider (KSP).  Software-based keys are created and stored using the Microsoft Software Key Storage Provider.  Smart card keys are created and stored using the Microsoft Smart Card Key Storage Provider.  Keys created and protected by Windows Hello for Business are created and stored using the Microsoft Passport Key Storage Provider.
-
-A certificate on a smart card starts with creating an asymmetric key pair using the Microsoft Smart Card KSP.  Windows requests a certificate based on the key pair from your enterprises issuing certificate authority, which returns a certificate that is stored in the user's Personal certificate store.  The private key remains on the smart card and the public key is stored with the certificate.  Metadata on the certificate (and the key) store the key storage provider used to create the key (remember the certificate contains the public key). 
-
-This same concept applies to Windows Hello for Business. Except, the keys are created using the Microsoft Passport KSP and the user's private key remains protected by the device's security module (TPM) and the user's gesture (PIN/biometric).  The certificate APIs hide this complexity.  When an application uses a certificate, the certificate APIs locate the keys using the saved key storage provider.  The key storage providers directs the certificate APIs on which provider they use to find the private key associated with the certificate.  This is how Windows knows you have a smart card certificate without the smart card inserted (and prompts you to insert the smart card). 
-
-Windows Hello for Business emulates a smart card for application compatibility.  Versions of Windows 10 prior to version 1809, would redirect private key access for Windows Hello for Business certificate to use its emulated smart card using the Microsoft Smart Card KSP, which would enable the user to provide their PIN.  Windows 10, version 1809 no longer redirects private key access for Windows Hello for Business certificates to the Microsoft Smart Card KSP-- it continues using the Microsoft Passport KSP. The Microsoft Passport KSP enabled Windows 10 to prompt the user for their biometric gesture or PIN. 
-
-### Compatibility
-Users appreciate convenience of biometrics and administrators value the security however, you may experience compatibility issues with your applications and Windows Hello for Business certificates.  You can relax knowing a Group Policy setting and a [MDM URI](https://docs.microsoft.com/windows/client-management/mdm/passportforwork-csp) exist to help you revert to the previous behavior for those users who need it.
-
-![WHFB Certificate GP Setting](images/rdpbio/rdpbiopolicysetting.png)
-
-> [!IMPORTANT]
-> The remote desktop with biometric feature does not work with [Dual Enrollment](#dual-enrollment) feature or scenarios where the user provides alternative credentials.  Microsoft continues to investigate supporting the feature.
+## Remote Desktop
 
+Users with Windows Hello for Business certificate trust can use their credential to authenticate to remote desktop sessions over RDP. When authenticating to the session, biometric gestures can be used if they are enrolled. For more information and configuration steps see [Remote Desktop](hello-feature-remote-desktop.md).
 
 ## Related topics
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
index c0d84c47c0..27c18d43e7 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
@@ -1,5 +1,5 @@
 ---
-title: Azure AD Join Single Sign-on Deployment Guides
+title: Azure AD Join Single Sign-on Deployment
 description: Azure Active Directory joined devices in a hybrid Deployment for on-premises single sign-on
 keywords: identity, PIN, biometric, Hello, passport, AADJ, SSO, 
 ms.prod: w10
@@ -16,7 +16,7 @@ localizationpriority: medium
 ms.date: 08/19/2018
 ms.reviewer: 
 ---
-# Azure AD Join Single Sign-on Deployment Guides
+# Azure AD Join Single Sign-on Deployment
 
 **Applies to**
 -   Windows 10
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
index cd40458897..5304c0af57 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
@@ -1,5 +1,5 @@
 ---
-title: Hybrid Windows Hello for Business Prerequisites (Windows Hello for Business)
+title: Hybrid Windows Hello for Business Prerequisites
 description: Prerequisites for Hybrid Windows Hello for Business Deployments
 keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust
 ms.prod: w10
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md
index a6df7720f8..b186880166 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md
@@ -1,5 +1,5 @@
 ---
-title: Configuring Hybrid Windows Hello for Business - Active Directory (AD)
+title: Configure Hybrid Windows Hello for Business - Active Directory (AD)
 description: Discussing the configuration of Active Directory (AD) in a Hybrid deployment of Windows Hello for Business
 keywords: identity, PIN, biometric, Hello, passport, WHFB, ad
 ms.prod: w10
@@ -16,7 +16,7 @@ localizationpriority: medium
 ms.date: 08/19/2018
 ms.reviewer: 
 ---
-# Configuring Windows Hello for Business: Active Directory
+# Configure Windows Hello for Business: Active Directory
 
 **Applies to**
 -   Windows 10, version 1703 or later
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
index 388da08d52..be3bc06968 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
@@ -51,13 +51,16 @@ Sign-in the AD FS server with *Domain Admin* equivalent credentials.
 
 The Windows Hello for Business group provides the AD FS service with the permissions needed to enroll a Windows Hello for Business authentication certificate on behalf of the provisioning user.
 
+> [!TIP]
+> The adfssvc account is the AD FS service account.
+
 Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials.
 
 1. Open **Active Directory Users and Computers**.
 2. Click the **Users** container in the navigation pane.
 3. Right-click **Windows Hello for Business Users** group
 4. Click the **Members** tab and click **Add**
-5. In the **Enter the object names to select** text box, type **adfssvc**.  Click **OK**.
+5. In the **Enter the object names to select** text box, type **adfssvc** or substitute the name of the AD FS service account in your AD FS deployment.  Click **OK**.
 6. Click **OK** to return to **Active Directory Users and Computers**.
 7. Restart the AD FS server.
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
index 2e7fe96f8c..e2d7d4fc9c 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
@@ -1,5 +1,5 @@
 ---
-title: Configuring Hybrid Windows Hello for Business - Directory Synchronization
+title: Configure Hybrid Windows Hello for Business Directory Synch
 description: Discussing Directory Synchronization in a Hybrid deployment of Windows Hello for Business
 keywords: identity, PIN, biometric, Hello, passport, WHFB, dirsync, connect
 ms.prod: w10
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
index 804d8a9ca6..9a5ce9f830 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
@@ -78,7 +78,8 @@ Sign-in a certificate authority or management workstations with _Enterprise Admi
 The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list.  However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities.
 
 > [!NOTE]
-> The Domain Controller Certificate must be present in the NTAuth store. By default, Microsoft Enterprise CAs are added to the NTAuth store. If you are using a 3rd party CA, this may not be done by default. If the Domain Controller Certificate is not present in the NTAuth store, user authentication will fail. 
+> * The Domain Controller Certificate must be present in the NTAuth store. By default, Microsoft Enterprise CAs are added to the NTAuth store. 
+> * If you are using a 3rd party CA, add the certificate to the NTAuth store. If the Domain Controller Certificate is not present in the NTAuth store, user authentication will fail. 
 
 ### Enrollment Agent certificate template
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
index 653af360e6..351e8af565 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
@@ -1,5 +1,5 @@
 ---
-title: Windows Hello for Business Key Trust New Installation (Windows Hello for Business)
+title: Windows Hello for Business Key Trust New Installation
 description: Windows Hello for Business Hybrid baseline deployment
 keywords: identity, PIN, biometric, Hello, passport, WHFB
 ms.prod: w10
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md
index 149f51780f..ce98019039 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md
@@ -1,6 +1,6 @@
 ---
-title: Configuring Hybrid key trust Windows Hello for Business - Directory Synchronization
-description: Configuring Hybrid key trust Windows Hello for Business - Directory Synchronization
+title: Hybrid Windows Hello for Business - Directory Synchronization
+description: How to configure Hybrid key trust Windows Hello for Business - Directory Synchronization
 keywords: identity, PIN, biometric, Hello, passport, WHFB, dirsync, connect, Windows Hello, AD Connect, key trust, key-trust
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -47,9 +47,9 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva
 > [!div class="checklist"]
 > * Configure group membership for Azure AD Connect
 
->[!div class="step-by-step"]
-[< Configure Active Directory](hello-hybrid-key-whfb-settings-ad.md)
-[Configure PKI >](hello-hybrid-key-whfb-settings-pki.md)  
+> [!div class="step-by-step"]
+> [< Configure Active Directory](hello-hybrid-key-whfb-settings-ad.md)
+> [Configure PKI >](hello-hybrid-key-whfb-settings-pki.md)  
 
 

 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
index 9e2635b984..41d11386b2 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
@@ -1,5 +1,5 @@
 ---
-title: Configuring Hybrid key trust Windows Hello for Business - Public Key Infrastructure (PKI)
+title: Configure Hybrid key trust Windows Hello for Business
 description: Configuring Hybrid key trust Windows Hello for Business - Public Key Infrastructure (PKI)
 keywords: identity, PIN, biometric, Hello, passport, WHFB, PKI, Windows Hello, key trust, key-trust
 ms.prod: w10
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
index 122053e414..440ab1ea70 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
@@ -1,5 +1,5 @@
 ---
-title: Configuring Hybrid key trust Windows Hello for Business - Group Policy
+title: Configure Hybrid Windows Hello for Business - Group Policy
 description: Configuring Hybrid key trust Windows Hello for Business - Group Policy
 keywords: identity, PIN, biometric, Hello, passport, WHFB, Windows Hello, key trust, key-trust
 ms.prod: w10
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md
index 48f2e98a5d..5202ec8d19 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md
@@ -1,5 +1,5 @@
 ---
-title: Configure Hybrid Windows Hello for Business key trust Settings (Windows Hello for Business)
+title: Configure Hybrid Windows Hello for Business key trust Settings
 description: Configuring Windows Hello for Business Settings in Hybrid deployment
 keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust
 ms.prod: w10
diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
index c1a9b60e79..f1d56f5bb0 100644
--- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
+++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
@@ -17,6 +17,7 @@ ms.topic: article
 localizationpriority: medium
 ms.date: 05/05/2018
 ---
+
 # Windows Hello for Business
 
 In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN.

@@ -29,13 +30,24 @@ Windows Hello addresses the following problems with passwords:
 - Passwords are subject to [replay attacks](https://go.microsoft.com/fwlink/p/?LinkId=615673).
 - Users can inadvertently expose their passwords due to [phishing attacks](https://docs.microsoft.com/windows/security/threat-protection/intelligence/phishing).
 
->[!div class="mx-tdBreakAll"]
->| | | |
->| :---: | :---: | :---: |
->| [![Overview Icon](images/hello_filter.png)](hello-overview.md)
[Overview](hello-overview.md) | [![Why a PIN is better than a password Icon](images/hello_lock.png)](hello-why-pin-is-better-than-password.md)
[Why PIN is better than a password](hello-why-pin-is-better-than-password.md) | [![Manage Hello Icon](images/hello_gear.png)](hello-manage-in-organization.md)
[Manage Windows Hello in your Organization](hello-manage-in-organization.md) |
+> | | | |
+> | :---: | :---: | :---: |
+> | [![Overview Icon](images/hello_filter.png)](hello-overview.md)
[Overview](hello-overview.md) | [![Why a PIN is better than a password Icon](images/hello_lock.png)](hello-why-pin-is-better-than-password.md)
[Why PIN is better than a password](hello-why-pin-is-better-than-password.md) | [![Manage Hello Icon](images/hello_gear.png)](hello-manage-in-organization.md)
[Manage Windows Hello in your Organization](hello-manage-in-organization.md) |
 
 ## Prerequisites
 
+> [!Important]
+> 1. Hybrid deployments support non-destructive PIN reset that only works with the certificate trust model.
. 
+> **Requirements:**

+> Microsoft PIN Reset Service - Windows 10, versions 1709 to 1809, Enterprise Edition. There is no licensing requirement for this service since version 1903

+> Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903
+>
+> 2. On-premises deployments support destructive PIN reset that works with both the certificate trust and the key trust models.

+> **Requirements:**

+> Reset from settings - Windows 10, version 1703, Professional

+> Reset above lock screen - Windows 10, version 1709, Professional

+> Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903
+
 ### Cloud Only Deployment
 
 * Windows 10, version 1511 or later
@@ -57,7 +69,7 @@ The table shows the minimum requirements for each deployment. For key trust in a
 | Windows Server 2016 or later Domain Controllers | Windows Server 2008 R2 or later Domain Controllers | Windows Server 2016 or later Domain Controllers | Windows Server 2008 R2 or later Domain Controllers | 
 | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority |
 | N/A | Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/help/4088889) (hybrid Azure AD joined clients),
 and
Windows Server 2012 or later Network Device Enrollment Service (Azure AD joined) | N/A | Windows Server 2012 or later Network Device Enrollment Service |
-| Azure MFA tenant, or
AD FS w/Azure MFA adapter, or
AD FS w/3rd Party MFA Adapter| Azure MFA tenant, or
AD FS w/Azure MFA adapter, or
AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
AD FS w/Azure MFA adapter, or
AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
AD FS w/Azure MFA adapter, or
AD FS w/3rd Party MFA Adapter |
+| Azure MFA tenant, or
AD FS w/Azure MFA adapter, or
AD FS w/Azure MFA Server adapter, or
AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
AD FS w/Azure MFA adapter, or
AD FS w/Azure MFA Server adapter, or
AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
AD FS w/Azure MFA adapter, or
AD FS w/Azure MFA Server adapter, or
AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
AD FS w/Azure MFA adapter, or
AD FS w/Azure MFA Server adapter, or
AD FS w/3rd Party MFA Adapter |
 | Azure Account | Azure Account | Azure Account | Azure Account |
 | Azure Active Directory | Azure Active Directory | Azure Active Directory | Azure Active Directory |
 | Azure AD Connect | Azure AD Connect | Azure AD Connect | Azure AD Connect | 
@@ -78,5 +90,5 @@ The table shows the minimum requirements for each deployment.
 | AD FS with 3rd Party MFA Adapter | AD FS with 3rd Party MFA Adapter |
 | Azure Account, optional for Azure MFA billing | Azure Account, optional for Azure MFA billing |
 
->[!IMPORTANT]
+> [!IMPORTANT]
 > For Windows Hello for Business key trust deployments, if you have several domains, at least one Windows Server Domain Controller 2016 or newer is required for each domain. For more information, see the [planning guide](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers).
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
index a6364bad59..de439496b9 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
@@ -1,6 +1,6 @@
 ---
-title: Prepare and Deploy Windows Server 2016 Active Directory Federation Services (Windows Hello for Business)
-description: How toPrepare and Deploy Windows Server 2016 Active Directory Federation Services for Windows Hello for Business
+title: Prepare & Deploy Windows Active Directory Federation Services with key trust (Windows Hello for Business)
+description: How to Prepare and Deploy Windows Server 2016 Active Directory Federation Services for Windows Hello for Business
 keywords: identity, PIN, biometric, Hello, passport
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
index b7c09bf09e..26a28b9593 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
@@ -1,5 +1,5 @@
 ---
-title: Configure Windows Hello for Business Policy settings (Windows Hello for Business)
+title: Configure Windows Hello for Business Policy settings - key trust
 description: Configure Windows Hello for Business Policy settings for Windows Hello for Business
 keywords: identity, PIN, biometric, Hello, passport
 ms.prod: w10
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
index 0a0ef7ef5b..42d9d4b606 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
@@ -1,6 +1,6 @@
 ---
-title: Validate Active Directory prerequisites (Windows Hello for Business)
-description: How to Validate Active Directory prerequisites for Windows Hello for Business
+title: Key registration for on-premises deployment of Windows Hello for Business 
+description: How to Validate Active Directory prerequisites for Windows Hello for Business when deploying with the key trust model.
 keywords: identity, PIN, biometric, Hello, passport
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
index f4e3ef2457..6377afa5a8 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
@@ -1,6 +1,6 @@
 ---
-title: Validate and Deploy Multifactor Authentication Services (MFA) (Windows Hello for Business)
-description: How to Validate and Deploy Multifactor Authentication Services for Windows Hello for Business
+title: Validate and Deploy MFA for Windows Hello for Business with key trust
+description: How to Validate and Deploy Multifactor Authentication (MFA) Services for Windows Hello for Business with key trust
 keywords: identity, PIN, biometric, Hello, passport
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
index 8845f97509..df1cdd141d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
@@ -1,5 +1,5 @@
 ---
-title: Validate Public Key Infrastructure (Windows Hello for Business)
+title: Validate Public Key Infrastructure - key trust model (Windows Hello for Business)
 description: How to Validate Public Key Infrastructure for Windows Hello for Business
 keywords: identity, PIN, biometric, Hello, passport
 ms.prod: w10
@@ -16,6 +16,7 @@ localizationpriority: medium
 ms.date: 08/19/2018
 ms.reviewer: 
 ---
+
 # Validate and Configure Public Key Infrastructure
 
 **Applies to**
diff --git a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
index 6534a2b0bb..c9213a887f 100644
--- a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
+++ b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
@@ -36,7 +36,9 @@ You can create a Group Policy or mobile device management (MDM) policy that will
 
 The following table lists the Group Policy settings that you can configure for Windows Hello use in your workplace. These policy settings are available in both **User configuration** and **Computer Configuration** under **Policies** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**.
 
-
+> [!NOTE]
+> Starting with Windows 10, version 1709, the location of the PIN complexity section of the Group Policy is: **Computer Configuration** > **Administrative Templates** > **System** > **PIN Complexity**.
+ 
 
@@ -320,4 +322,3 @@ If you want to use Windows Hello for Business with certificates, you’ll need a
 - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
 - [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
 - [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
-
diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md
index e5194ab324..30d604bb53 100644
--- a/windows/security/identity-protection/hello-for-business/hello-overview.md
+++ b/windows/security/identity-protection/hello-for-business/hello-overview.md
@@ -1,6 +1,6 @@
 ---
-title: Windows Hello for Business (Windows 10)
-ms.reviewer: 
+title: Windows Hello for Business Overview (Windows 10)
+ms.reviewer: An overview of Windows Hello for Business
 description: An overview of Windows Hello for Business 
 keywords: identity, PIN, biometric, Hello, passport
 ms.prod: w10
@@ -15,6 +15,7 @@ ms.collection: M365-identity-device-management
 ms.topic: conceptual
 localizationpriority: medium
 ---
+
 # Windows Hello for Business Overview
 
 **Applies to**
diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
index 73d306bba1..7dffe7b0a9 100644
--- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
@@ -64,11 +64,23 @@ The hybrid deployment model is for organizations that:
 * Have identities synchronized to Azure Active Directory using Azure Active Directory Connect
 * Use applications hosted in Azure Active Directory, and want a single sign-in user experience for both on-premises and Azure Active Directory resources
 
+> [!Important]
+> Hybrid deployments support non-destructive PIN reset that only works with the certificate trust model.

+> **Requirements:**

+> Microsoft PIN Reset Service - Windows 10, versions 1709 to 1809, Enterprise Edition. There is no licensing requirement for this service since version 1903

+> Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903
+
 ##### On-premises
 The on-premises deployment model is for organizations that do not have cloud identities or use applications hosted in Azure Active Directory.
 
+> [!Important]
+> On-premises deployments support destructive PIN reset that works with both the certificate trust and the key trust models.

+> **Requirements:**

+> Reset from settings - Windows 10, version 1703, Professional

+> Reset above lock screen - Windows 10, version 1709, Professional

+> Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903
 
-It’s fundamentally important to understand which deployment model to use for a successful deployment.  Some of aspects of the deployment may already be decided for you based on your current infrastructure.
+It’s fundamentally important to understand which deployment model to use for a successful deployment.  Some aspects of the deployment may have already been decided for you based on your current infrastructure.
 
 #### Trust types
 
diff --git a/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-applications.png b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-applications.png
new file mode 100644
index 0000000000..3001e771d8
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-applications.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-client-prompt.png b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-client-prompt.png
new file mode 100644
index 0000000000..9e5e339b30
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-client-prompt.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-service-application.png b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-service-application.png
deleted file mode 100644
index bacdb127ea..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-service-application.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-service-home-screen.png b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-service-home-screen.png
deleted file mode 100644
index ae7328c4a4..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-service-home-screen.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-service-prompt.png b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-service-prompt.png
new file mode 100644
index 0000000000..e4a92204ee
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-service-prompt.png differ
diff --git a/windows/security/identity-protection/images/remote-credential-guard-gp.png b/windows/security/identity-protection/images/remote-credential-guard-gp.png
index a65253b04e..f7db3ee411 100644
Binary files a/windows/security/identity-protection/images/remote-credential-guard-gp.png and b/windows/security/identity-protection/images/remote-credential-guard-gp.png differ
diff --git a/windows/security/identity-protection/index.md b/windows/security/identity-protection/index.md
index d55a5400cc..98e0bb9835 100644
--- a/windows/security/identity-protection/index.md
+++ b/windows/security/identity-protection/index.md
@@ -21,6 +21,7 @@ Learn more about identity and access management technologies in Windows 10 and
 
 | Section | Description |
 |-|-|
+| [Technical support policy for lost or forgotten passwords](password-support-policy.md)| Outlines the ways in which Microsoft can help you reset a lost or forgotten password, and provides links to instructions for doing so. |
 | [Access control](access-control/access-control.md) | Describes access control in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer. Key concepts that make up access control are permissions, ownership of objects, inheritance of permissions, user rights, and object auditing. |
 | [Configure S/MIME for Windows 10 and Windows 10 Mobile](configure-s-mime.md) | In Windows 10, S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with. |
 | [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md) | Digital certificates bind the identity of a user or computer to a pair of keys that can be used to encrypt and sign digital information. Certificates are issued by a certification authority (CA) that vouches for the identity of the certificate holder, and they enable secure client communications with websites and services. |
diff --git a/windows/security/identity-protection/password-support-policy.md b/windows/security/identity-protection/password-support-policy.md
new file mode 100644
index 0000000000..b92183cdd3
--- /dev/null
+++ b/windows/security/identity-protection/password-support-policy.md
@@ -0,0 +1,58 @@
+---
+title: Technical support policy for lost or forgotten passwords
+description: Outlines the ways in which Microsoft can help you reset a lost or forgotten password, and provides links to instructions for doing so.
+ms.reviewer: kaushika
+manager: kaushika
+ms.custom:
+- CI ID 110060
+- CSSTroubleshoot 
+ms.author: v-tea
+ms.prod: w10
+ms.sitesec: library
+ms.pagetype: security
+author: Teresa-Motiv
+ms.topic: article
+ms.localizationpriority: medium
+ms.date: 11/20/2019
+audience: ITPro
+---
+
+# Technical support policy for lost or forgotten passwords
+
+Microsoft takes security seriously. This is for your protection. Microsoft accounts, the Windows operating system, and other Microsoft products include passwords to help secure your information. This article provides some options that you can use to reset or recover your password if you forget it. Be aware that, if these options don’t work, Microsoft support engineers can't help you retrieve or circumvent a lost or forgotten password.
+
+If you lose or forget a password, you can use the links in this article to find published support information that will help you reset the password.
+
+## How to reset a password for a domain account
+
+If you lose or forget the password for a domain account, contact your IT administrator or Helpdesk. For more information, see [Change or reset your Windows password](https://support.microsoft.com/help/4490115).
+
+## How to reset a password for a Microsoft account
+
+If you lose or forget the password for your Microsoft Account, use the [Recover your account](https://account.live.com/ResetPassword.aspx) wizard.
+
+This wizard requests your security proofs. If you have forgotten your security proofs, or no longer have access to them, select **I no longer have these anymore**. After you select this option, fill out a form for the Microsoft Account team. Provide as much information as you can on this form. The Microsoft Account team reviews the information that you provide to determine whether you are the account holder. This decision is final. Microsoft does not influence the team's choice of action.
+
+## How to reset a password for a local account on a Windows device
+
+Local accounts on a device include the device's Administrator account.
+
+### Windows 10
+
+If you lose or forget the password for a local account on a device that runs Windows 10, see [Reset your Windows 10 local account password](https://support.microsoft.com/help/4028457).
+
+### Windows 8.1 or Windows 7
+
+If you lose or forget the password for a local account on a device that runs Windows 8.1 or Windows 7, see [Change or reset your Windows password](https://support.microsoft.com/help/4490115). In that article, you can select your operating system version from the **Select Product Version** menu.
+
+## How to reset a hardware BIOS password
+
+If you lose or forget the password for the hardware BIOS of a device, contact the device manufacturer for help and support. If you do contact the manufacturer online, make sure that you visit the manufacturer website and not the website of some third party.
+
+## How to reset a password for an individual file
+
+Some applications let you password-protect individual files. If you lose or forget such a password, you can rely on that application only to reset or recover it. Microsoft support engineers cannot help you reset, retrieve, or circumvent such passwords.
+
+## Using third-party password tools
+
+Some third-party companies claim to be able to circumvent passwords that have been applied to files and features that Microsoft programs use. For legal reasons, we cannot recommend or endorse any one of these companies. If you want help to circumvent or reset a password, you can locate and contact a third party for this help. However, you use such third-party products and services at your own risk.
diff --git a/windows/security/identity-protection/smart-cards/smart-card-events.md b/windows/security/identity-protection/smart-cards/smart-card-events.md
index 702f62e6d4..d905fbf992 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-events.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-events.md
@@ -97,14 +97,14 @@ The smart card reader device name is constructed in the form <*VendorName*>
 | 607          | Reader object failed to start monitor thread:  %1        | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code             |
 | 608          | Reader monitor failed to create power down timer: %1     | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code             |
 | 609          | Reader monitor failed to create overlapped event:  %1    | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code             |
-| 610          | Smart Card Reader '%2' rejected IOCTL %3: %1 If this error persists, your smart card or reader may not be functioning correctly.%n%nCommand Header: %4 | The reader cannot successfully transmit the indicated IOCTL to the smart card. This is a benign error that does not affect end use of a smart card and can be ignored.
%1 = Windows error code
%2 = Name of the smart card reader
%3 = IOCTL that was sent
%4 = First 4 bytes of the command sent to the smart card |
+| 610          | Smart Card Reader '%2' rejected IOCTL %3: %1  If this error persists, your smart card or reader may not be functioning correctly.%n%nCommand Header: %4 | The reader cannot successfully transmit the indicated IOCTL to the smart card. This can indicate hardware failure, but this error can also occur if a smart card or smart card reader is removed from the system while an operation is in progress.
%1 = Windows error code
%2 = Name of the smart card reader
%3 = IOCTL that was sent
%4 = First 4 bytes of the command sent to the smart card 
 These events are caused by legacy functionality in the smart card stack. It can be ignored if there is no noticeable failure in the smart card usage scenarios.|
 | 611          | Smart Card Reader initialization failed                  | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve this issue.   |
 | 612          | Reader insertion monitor error retry threshold reached:  %1                 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it is not recognized by the service until it is removed from the computer and reinserted or until the computer is restarted.
%1 = Windows error code          |
 | 615          | Reader removal monitor error retry threshold reached:  %1                   | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it is not recognized by the service until it is removed from the computer and reinserted or until the computer is restarted.
%1 = Windows error code          |
 | 616          | Reader monitor '%2' received uncaught error code:  %1    | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it is not recognized by the service until it is removed from the computer and reinserted or until the computer is restarted.
%1 = Windows error code
%2 = Reader name       |
 | 617          | Reader monitor '%1' exception -- exiting thread          | An unknown error occurred while monitoring a smart card reader for smart card insertions and removals. The smart card reader is marked as defective, and it is not recognized by the service until it is removed from the computer and reinserted or until the computer is restarted.
%1 = Smart card reader name                   |
 | 618          | Smart Card Resource Manager encountered an unrecoverable internal error.    | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.    |
-| 621          | Server Control failed to access start event: %1          | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. This error may also occur if the event is queried before the smart card service is ready. In this case the error is benign and can be ignored.
%1 = Windows error code              |
+| 621          | Server Control failed to access start event: %1          | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code      
These events are caused by legacy functionality in the smart card stack. It can be ignored if there is no noticeable failure in the smart card usage scenarios.       |
 | 622          | Server Control failed to access stop event: %1           | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code             |
 
 ## Smart card Plug and Play events
diff --git a/windows/security/information-protection/TOC.md b/windows/security/information-protection/TOC.md
index f6f4fac5a3..31855ca5b2 100644
--- a/windows/security/information-protection/TOC.md
+++ b/windows/security/information-protection/TOC.md
@@ -24,6 +24,17 @@
 ### [BitLocker Recovery Guide](bitlocker\bitlocker-recovery-guide-plan.md)
 ### [BitLocker Countermeasures](bitlocker\bitlocker-countermeasures.md)
 ### [Protecting cluster shared volumes and storage area networks with BitLocker](bitlocker\protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)
+### Troubleshoot BitLocker
+#### [Troubleshoot BitLocker](bitlocker\troubleshoot-bitlocker.md)
+#### [BitLocker cannot encrypt a drive: known issues](bitlocker\ts-bitlocker-cannot-encrypt-issues.md)
+#### [Enforcing BitLocker policies by using Intune: known issues](bitlocker\ts-bitlocker-intune-issues.md)
+#### [BitLocker Network Unlock: known issues](bitlocker\ts-bitlocker-network-unlock-issues.md)
+#### [BitLocker recovery: known issues](bitlocker\ts-bitlocker-recovery-issues.md)
+#### [BitLocker configuration: known issues](bitlocker\ts-bitlocker-config-issues.md)
+#### Troubleshoot BitLocker and TPM issues
+##### [BitLocker cannot encrypt a drive: known TPM issues](bitlocker\ts-bitlocker-cannot-encrypt-tpm-issues.md)
+##### [BitLocker and TPM: other known issues](bitlocker\ts-bitlocker-tpm-issues.md)
+##### [Decode Measured Boot logs to track PCR changes](bitlocker\ts-bitlocker-decode-measured-boot-logs.md)
 
 ## [Encrypted Hard Drive](encrypted-hard-drive.md)
 
diff --git a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md
index 4ce0666579..71cc07649a 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md
@@ -37,7 +37,15 @@ If BitLocker is enabled on a drive before Group Policy has been applied to enfor
 
 For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
 
-The BitLocker Windows Management Instrumentation (WMI) interface does allow administrators to write a script to back up or synchronize an online client's existing recovery information; however, BitLocker does not automatically manage this process. The manage-bde command-line tool can also be used to manually back up recovery information to AD DS. For example, to back up all of the recovery information for the C: drive to AD DS, you would use the following command from an elevated command prompt: **manage-bde -protectors -adbackup C:**.
+The BitLocker Windows Management Instrumentation (WMI) interface does allow administrators to write a script to back up or synchronize an online client's existing recovery information; however, BitLocker does not automatically manage this process. The manage-bde command-line tool can also be used to manually back up recovery information to AD DS. For example, to back up all of the recovery information for the `$env:SystemDrive` to AD DS, you would use the following command script from an elevated command prompt:
+
+```PowerShell
+$BitLocker = Get-BitLockerVolume -MountPoint $env:SystemDrive
+$RecoveryProtector = $BitLocker.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
+
+Backup-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $RecoveryProtector.KeyProtectorID
+BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $RecoveryProtector.KeyProtectorID
+```
 
 > [!IMPORTANT]
 > Joining a computer to the domain should be the first step for new computers within an organization. After computers are joined to a domain, storing the BitLocker recovery key to AD DS is automatic (when enabled in Group Policy).
diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md
index b0c94843ad..9096194a09 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md
@@ -1,5 +1,5 @@
 ---
-title: BitLocker frequently asked questions (FAQ) (Windows 10)
+title: BitLocker deployment and administration FAQ (Windows 10)
 description: This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.
 ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
 ms.reviewer: 
diff --git a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md
index f4f3028fcb..2a5c698b91 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md
@@ -1,5 +1,5 @@
 ---
-title: BitLocker frequently asked questions (FAQ) (Windows 10)
+title: BitLocker FAQ (Windows 10)
 description: This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.
 ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
 ms.reviewer: 
diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
index 08e059935f..2314ea2eaf 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
@@ -23,22 +23,22 @@ The ideal for BitLocker management is to eliminate the need for IT admins to set
 Though much Windows BitLocker [documentation](bitlocker-overview.md) has been published, customers frequently ask for recommendations and pointers to specific, task-oriented documentation that is both easy to digest and focused on how to deploy and manage BitLocker. This article links to relevant documentation, products, and services to help answer this and other related frequently-asked questions, and also provides BitLocker recommendations for different types of computers.
 
 
->[!IMPORTANT]
-> Microsoft BitLocker Administration and Monitoring (MBAM) capabilities will be offered from [SCCM in on-prem scenarios](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/viewing-mbam-25-reports-for-the-configuration-manager-integration-topology) in the future.
+> [!IMPORTANT]
+> Microsoft BitLocker Administration and Monitoring (MBAM) capabilities will be offered from [ConfigMgr in on-prem scenarios](https://docs.microsoft.com/configmgr/core/get-started/2019/technical-preview-1909#bkmk_bitlocker/) in the future.
 
 ## Managing domain-joined computers and moving to cloud  
 
-Companies that image their own computers using Microsoft System Center 2012 Configuration Manager SP1 (SCCM) or later can use an existing task sequence to [pre-provision BitLocker](https://technet.microsoft.com/library/hh846237.aspx#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](https://technet.microsoft.com/library/hh846237.aspx#BKMK_EnableBitLocker). This can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use SCCM to pre-set any desired [BitLocker Group Policy](https://technet.microsoft.com/library/ee706521(v=ws.10).aspx).
+Companies that image their own computers using Microsoft System Center 2012 Configuration Manager SP1 (SCCM) or later can use an existing task sequence to [pre-provision BitLocker](https://docs.microsoft.com/configmgr/osd/understand/task-sequence-steps#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](https://docs.microsoft.com/configmgr/osd/understand/task-sequence-steps#BKMK_EnableBitLocker). This can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use SCCM to pre-set any desired [BitLocker Group Policy](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings/).
 
-Enterprises can use [Microsoft BitLocker Administration and Monitoring (MBAM)](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/) to manage client computers with BitLocker that are domain-joined on-premises until [mainstream support ends in July 2019](https://support.microsoft.com/lifecycle/search?alpha=Microsoft%20BitLocker%20Administration%20and%20Monitoring%202.5%20Service%20Pack%201) or they can receive extended support until July 2024. Thus, over the next few years, a good strategy for enterprises will be to plan and move to cloud-based management for BitLocker. Refer to the [PowerShell examples](#powershell-examples) to see how to store recovery keys in Azure Active Directory (Azure AD).
+Enterprises can use [Microsoft BitLocker Administration and Monitoring (MBAM)](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/) to manage client computers with BitLocker that are domain-joined on-premises until [mainstream support ends in July 2019](https://support.microsoft.com/lifecycle/search?alpha=Microsoft%20BitLocker%20Administration%20and%20Monitoring%202.5%20Service%20Pack%201/) or they can receive extended support until April 2026. Thus, over the next few years, a good strategy for enterprises will be to plan and move to cloud-based management for BitLocker. Refer to the [PowerShell examples](#powershell-examples) to see how to store recovery keys in Azure Active Directory (Azure AD).
 
 ## Managing devices joined to Azure Active Directory
 
-Devices joined to Azure AD are managed using Mobile Device Management (MDM) policy from an MDM solution such as Microsoft Intune. Without Windows 10, version 1809, only local administrators can enable BitLocker via Intune policy. Starting with Windows 10, version 1809, Intune can enable BitLocker for standard users. [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access) to services like Exchange Online and SharePoint Online.
+Devices joined to Azure AD are managed using Mobile Device Management (MDM) policy from an MDM solution such as Microsoft Intune. Without Windows 10, version 1809, only local administrators can enable BitLocker via Intune policy. Starting with Windows 10, version 1809, Intune can enable BitLocker for standard users. [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider/), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access/) to services like Exchange Online and SharePoint Online.
 
-Starting with Windows 10 version 1703 (also known as the Windows Creators Update), the enablement of BitLocker can be triggered over MDM either by the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) or the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp). The BitLocker CSP adds policy options that go beyond ensuring that encryption has occurred, and is available on computers that run Windows 10 and on Windows phones.
+Starting with Windows 10 version 1703 (also known as the Windows Creators Update), the enablement of BitLocker can be triggered over MDM either by the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider/) or the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp/). The BitLocker CSP adds policy options that go beyond ensuring that encryption has occurred, and is available on computers that run Windows 10 and on Windows phones.
 
-For hardware that is compliant with Modern Standby and HSTI, when using either of these features, [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if required. For older devices that are not yet encrypted, beginning with Windows 10 version 1703 (the Windows 10 Creators Update), admins can use the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp) to trigger encryption and store the recovery key in Azure AD.
+For hardware that is compliant with Modern Standby and HSTI, when using either of these features, [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if required. For older devices that are not yet encrypted, beginning with Windows 10 version 1703 (the Windows 10 Creators Update), admins can use the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp/) to trigger encryption and store the recovery key in Azure AD.
 
 This is applicable to Azure Hybrid AD as well. 
 
@@ -52,9 +52,9 @@ For Windows PCs and Windows Phones that enroll using **Connect to work or school
 
 Servers are often installed, configured, and deployed using PowerShell, so the recommendation is to also use [PowerShell to enable BitLocker on a server](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#bitlocker-cmdlets-for-windows-powershell), ideally as part of the initial setup. BitLocker is an Optional Component (OC) in Windows Server, so follow the directions in [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker-how-to-deploy-on-windows-server.md) to add the BitLocker OC. 
 
-The Minimal Server Interface is a prerequisite for some of the BitLocker administration tools. On a [Server Core](https://docs.microsoft.com/windows-server/get-started/getting-started-with-server-core) installation, you must add the necessary GUI components first. The steps to add shell components to Server Core are described in [Using Features on Demand with Updated Systems and Patched Images](https://blogs.technet.microsoft.com/server_core/2012/11/05/using-features-on-demand-with-updated-systems-and-patched-images/) and [How to update local source media to add roles and features](https://blogs.technet.microsoft.com/joscon/2012/11/14/how-to-update-local-source-media-to-add-roles-and-features/).  
+The Minimal Server Interface is a prerequisite for some of the BitLocker administration tools. On a [Server Core](https://docs.microsoft.com/windows-server/get-started/getting-started-with-server-core/) installation, you must add the necessary GUI components first. The steps to add shell components to Server Core are described in [Using Features on Demand with Updated Systems and Patched Images](https://blogs.technet.microsoft.com/server_core/2012/11/05/using-features-on-demand-with-updated-systems-and-patched-images/) and [How to update local source media to add roles and features](https://blogs.technet.microsoft.com/joscon/2012/11/14/how-to-update-local-source-media-to-add-roles-and-features/).  
 
-If you are installing a server manually, such as a stand-alone server, then choosing [Server with Desktop Experience](https://docs.microsoft.com/windows-server/get-started/getting-started-with-server-with-desktop-experience) is the easiest path because you can avoid performing the steps to add a GUI to Server Core.
+If you are installing a server manually, such as a stand-alone server, then choosing [Server with Desktop Experience](https://docs.microsoft.com/windows-server/get-started/getting-started-with-server-with-desktop-experience/) is the easiest path because you can avoid performing the steps to add a GUI to Server Core.
 
  Additionally, lights out data centers can take advantage of the enhanced security of a second factor while avoiding the need for user intervention during reboots by optionally using a combination of BitLocker (TPM+PIN) and BitLocker Network Unlock. BitLocker Network Unlock brings together the best of hardware protection, location dependence, and automatic unlock, while in the trusted location. For the configuration steps, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md). 
 
@@ -65,64 +65,60 @@ If you are installing a server manually, such as a stand-alone server, then choo
 For Azure AD-joined computers, including virtual machines, the recovery password should be stored in Azure Active Directory.  
 
 *Example: Use PowerShell to add a recovery password and back it up to Azure AD before enabling BitLocker*
-``` 
-PS C:\>Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
+```powershell
+Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
 
-PS C:\>$BLV = Get-BitLockerVolume -MountPoint "C:"
+$BLV = Get-BitLockerVolume -MountPoint "C:"
+
+BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[0].KeyProtectorId
+```
 
-PS C:\>BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[0].KeyProtectorId
-``` 
 For domain-joined computers, including servers, the recovery password should be stored in Active Directory Domain Services (AD DS). 
 
 *Example: Use PowerShell to add a recovery password and back it up to AD DS before enabling BitLocker*
-``` 
-PS C:\>Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
+```powershell
+Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
 
-PS C:\>$BLV = Get-BitLockerVolume -MountPoint "C:"
+$BLV = Get-BitLockerVolume -MountPoint "C:"
 
-PS C:\>Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[0].KeyProtectorId
- ```
+Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[0].KeyProtectorId
+```
 
 Subsequently, you can use PowerShell to enable BitLocker. 
 
 *Example: Use PowerShell to enable BitLocker with a TPM protector*
- ```
-PS C:\>Enable-BitLocker -MountPoint "D:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector 
- ```
-*Example: Use PowerShell to enable BitLocker with a TPM+PIN protector, in this case with a PIN set to 123456*
- ```
-PS C:\>$SecureString = ConvertTo-SecureString "123456" -AsPlainText -Force
+```powershell
+Enable-BitLocker -MountPoint "D:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector 
+```
 
-PS C:\> Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -Pin $SecureString -TPMandPinProtector
-  ``` 
+*Example: Use PowerShell to enable BitLocker with a TPM+PIN protector, in this case with a PIN set to 123456*
+```powershell
+$SecureString = ConvertTo-SecureString "123456" -AsPlainText -Force
+
+Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -Pin $SecureString -TPMandPinProtector
+``` 
 
 ## Related Articles
 
 [BitLocker: FAQs](bitlocker-frequently-asked-questions.md)
 
-[Microsoft BitLocker Administration and Management (MBAM)](https://technet.microsoft.com/windows/hh826072.aspx)
+[Microsoft BitLocker Administration and Management (MBAM)](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/)
 
 [Overview of BitLocker Device Encryption in Windows 10](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) 
 
-[System Center 2012 Configuration Manager SP1](https://technet.microsoft.com/library/hh846237.aspx#BKMK_PreProvisionBitLocker) *(Pre-provision BitLocker task sequence)*
+[BitLocker Group Policy Reference](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings) 
 
-[Enable BitLocker task sequence](https://technet.microsoft.com/library/hh846237.aspx#BKMK_EnableBitLocker)
-
-[BitLocker Group Policy Reference](https://technet.microsoft.com/library/ee706521(v=ws.10).aspx) 
-
-[Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune) 
+[Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune/)
 *(Overview)*
 
 [Configuration Settings Providers](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider)
 *(Policy CSP: See [Security-RequireDeviceEncryption](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-security#security-policies))*
 
-[BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp)
-
-

+[BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp/)
 
 **Windows Server setup tools**
 
-[Windows Server Installation Options](https://technet.microsoft.com/library/hh831786(v=ws.11).aspx)
+[Windows Server Installation Options](https://docs.microsoft.com/windows-server/get-started-19/install-upgrade-migrate-19/)
 
 [How to update local source media to add roles and features](https://blogs.technet.microsoft.com/joscon/2012/11/14/how-to-update-local-source-media-to-add-roles-and-features/)
 
@@ -134,10 +130,9 @@ PS C:\> Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpace
 
 [Shielded VMs and Guarded Fabric](https://blogs.technet.microsoft.com/windowsserver/2016/05/10/a-closer-look-at-shielded-vms-in-windows-server-2016/) 
 
-

 
-**Powershell**
+**PowerShell**
 
 [BitLocker cmdlets for Windows PowerShell](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#bitlocker-cmdlets-for-windows-powershell) 
 
-[Surface Pro Specifications](https://www.microsoft.com/surface/support/surface-pro-specs)
+[Surface Pro Specifications](https://www.microsoft.com/surface/support/surface-pro-specs/)
diff --git a/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.md b/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.md
index 9e8a4b17a5..b137b40f9c 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.md
@@ -1,5 +1,5 @@
 ---
-title: BitLocker frequently asked questions (FAQ) (Windows 10)
+title: BitLocker Network Unlock FAQ (Windows 10)
 description: This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.
 ms.prod: w10
 ms.mktglfcycl: explore
diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview.md b/windows/security/information-protection/bitlocker/bitlocker-overview.md
index 5ce2ab05e6..ebece73d96 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-overview.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-overview.md
@@ -93,6 +93,7 @@ When installing the BitLocker optional component on a server you will also need
 | [BCD settings and BitLocker](bcd-settings-and-bitlocker.md) | This topic for IT professionals describes the BCD settings that are used by BitLocker.| 
 | [BitLocker Recovery Guide](bitlocker-recovery-guide-plan.md)| This topic for IT professionals describes how to recover BitLocker keys from AD DS. |
 | [Protect BitLocker from pre-boot attacks](protect-bitlocker-from-pre-boot-attacks.md)| This detailed guide will help you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a device’s configuration. |
+| [Troubleshoot BitLocker](troubleshoot-bitlocker.md) | This guide describes the resources that can help you troubleshoot BitLocker issues, and provides solutions for several common BitLocker issues. |
 | [Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)| This topic for IT pros describes how to protect CSVs and SANs with BitLocker.| 
 | [Enabling Secure Boot and BitLocker Device Encryption on Windows 10 IoT Core](https://developer.microsoft.com/windows/iot/docs/securebootandbitlocker) | This topic covers how to use BitLocker with Windows 10 IoT Core |
 
diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md
new file mode 100644
index 0000000000..36decb2b2f
--- /dev/null
+++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md
@@ -0,0 +1,40 @@
+---
+title: Breaking out of a Bitlocker recovery loop
+description: This topic  for IT professionals describes how to break out of a Bitlocker recovery loop.
+ms.assetid: #c40f87ac-17d3-47b2-afc6-6c641f72ecee
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: #medium
+ms.author: v-maave
+author: martyav
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+ms.date: 10/28/2019
+---
+
+# Breaking out of a Bitlocker recovery loop
+
+Sometimes, following a crash, you might be unable to successfully boot into your operating system, due to the recovery screen repeatedly prompting you to enter your recovery key. This can be very frustrating.
+
+If you've entered the correct Bitlocker recovery key multiple times, and are still unable to continue past the initial recovery screen, follow these steps to break out of the loop.
+
+> [!NOTE]
+> Only try these steps after you have restarted your device at least once.
+
+1. On the initial recovery screen, don't enter your recovery key. Instead, select **Skip this drive**.
+
+1. On the next screen, select **Troubleshoot**.
+
+1. On the Troubleshoot screen, select **Advanced options**.
+
+1. On the Advanced options screen, select **Command prompt**.
+
+1. From the WinRE command prompt, manually unlock your drive: `manage-bde.exe -unlock C: -rp `
+
+1. Suspend operating system drive protection: `manage-bde.exe -protectors -disable C:`
+
+1. Once the last command is run, you can safely exit the command prompt and continue to boot into your operating system
diff --git a/windows/security/information-protection/bitlocker/images/4509186-en-1.png b/windows/security/information-protection/bitlocker/images/4509186-en-1.png
new file mode 100644
index 0000000000..11f986fb68
Binary files /dev/null and b/windows/security/information-protection/bitlocker/images/4509186-en-1.png differ
diff --git a/windows/security/information-protection/bitlocker/images/4509188-en-1.png b/windows/security/information-protection/bitlocker/images/4509188-en-1.png
new file mode 100644
index 0000000000..5b5b7b1b4a
Binary files /dev/null and b/windows/security/information-protection/bitlocker/images/4509188-en-1.png differ
diff --git a/windows/security/information-protection/bitlocker/images/4509189-en-1.png b/windows/security/information-protection/bitlocker/images/4509189-en-1.png
new file mode 100644
index 0000000000..8d243a1899
Binary files /dev/null and b/windows/security/information-protection/bitlocker/images/4509189-en-1.png differ
diff --git a/windows/security/information-protection/bitlocker/images/4509190-en-1.png b/windows/security/information-protection/bitlocker/images/4509190-en-1.png
new file mode 100644
index 0000000000..bd37969b5d
Binary files /dev/null and b/windows/security/information-protection/bitlocker/images/4509190-en-1.png differ
diff --git a/windows/security/information-protection/bitlocker/images/4509191-en-1.png b/windows/security/information-protection/bitlocker/images/4509191-en-1.png
new file mode 100644
index 0000000000..00ef607ab3
Binary files /dev/null and b/windows/security/information-protection/bitlocker/images/4509191-en-1.png differ
diff --git a/windows/security/information-protection/bitlocker/images/4509193-en-1.png b/windows/security/information-protection/bitlocker/images/4509193-en-1.png
new file mode 100644
index 0000000000..2085613b3d
Binary files /dev/null and b/windows/security/information-protection/bitlocker/images/4509193-en-1.png differ
diff --git a/windows/security/information-protection/bitlocker/images/4509194-en-1.png b/windows/security/information-protection/bitlocker/images/4509194-en-1.png
new file mode 100644
index 0000000000..f4506c399b
Binary files /dev/null and b/windows/security/information-protection/bitlocker/images/4509194-en-1.png differ
diff --git a/windows/security/information-protection/bitlocker/images/4509195-en-1.png b/windows/security/information-protection/bitlocker/images/4509195-en-1.png
new file mode 100644
index 0000000000..cbecb03c4e
Binary files /dev/null and b/windows/security/information-protection/bitlocker/images/4509195-en-1.png differ
diff --git a/windows/security/information-protection/bitlocker/images/4509196-en-1.png b/windows/security/information-protection/bitlocker/images/4509196-en-1.png
new file mode 100644
index 0000000000..01e94b1243
Binary files /dev/null and b/windows/security/information-protection/bitlocker/images/4509196-en-1.png differ
diff --git a/windows/security/information-protection/bitlocker/images/4509198-en-1.png b/windows/security/information-protection/bitlocker/images/4509198-en-1.png
new file mode 100644
index 0000000000..9056658662
Binary files /dev/null and b/windows/security/information-protection/bitlocker/images/4509198-en-1.png differ
diff --git a/windows/security/information-protection/bitlocker/images/4509199-en-1.png b/windows/security/information-protection/bitlocker/images/4509199-en-1.png
new file mode 100644
index 0000000000..d68a22eef7
Binary files /dev/null and b/windows/security/information-protection/bitlocker/images/4509199-en-1.png differ
diff --git a/windows/security/information-protection/bitlocker/images/4509200-en-1.png b/windows/security/information-protection/bitlocker/images/4509200-en-1.png
new file mode 100644
index 0000000000..689bb19299
Binary files /dev/null and b/windows/security/information-protection/bitlocker/images/4509200-en-1.png differ
diff --git a/windows/security/information-protection/bitlocker/images/4509201-en-1.png b/windows/security/information-protection/bitlocker/images/4509201-en-1.png
new file mode 100644
index 0000000000..d521e86eed
Binary files /dev/null and b/windows/security/information-protection/bitlocker/images/4509201-en-1.png differ
diff --git a/windows/security/information-protection/bitlocker/images/4509202-en-1.png b/windows/security/information-protection/bitlocker/images/4509202-en-1.png
new file mode 100644
index 0000000000..bfcd2326b6
Binary files /dev/null and b/windows/security/information-protection/bitlocker/images/4509202-en-1.png differ
diff --git a/windows/security/information-protection/bitlocker/images/4509203-en-1.png b/windows/security/information-protection/bitlocker/images/4509203-en-1.png
new file mode 100644
index 0000000000..05acc571fe
Binary files /dev/null and b/windows/security/information-protection/bitlocker/images/4509203-en-1.png differ
diff --git a/windows/security/information-protection/bitlocker/images/4509204-en-1.png b/windows/security/information-protection/bitlocker/images/4509204-en-1.png
new file mode 100644
index 0000000000..fa13f38ba9
Binary files /dev/null and b/windows/security/information-protection/bitlocker/images/4509204-en-1.png differ
diff --git a/windows/security/information-protection/bitlocker/images/4509205-en-1.png b/windows/security/information-protection/bitlocker/images/4509205-en-1.png
new file mode 100644
index 0000000000..a4f5cc15d2
Binary files /dev/null and b/windows/security/information-protection/bitlocker/images/4509205-en-1.png differ
diff --git a/windows/security/information-protection/bitlocker/images/4509206-en-1.png b/windows/security/information-protection/bitlocker/images/4509206-en-1.png
new file mode 100644
index 0000000000..7b7e449443
Binary files /dev/null and b/windows/security/information-protection/bitlocker/images/4509206-en-1.png differ
diff --git a/windows/security/information-protection/bitlocker/images/pcptool-output.jpg b/windows/security/information-protection/bitlocker/images/pcptool-output.jpg
new file mode 100644
index 0000000000..91d10e6c66
Binary files /dev/null and b/windows/security/information-protection/bitlocker/images/pcptool-output.jpg differ
diff --git a/windows/security/information-protection/bitlocker/images/psget-winevent-1.png b/windows/security/information-protection/bitlocker/images/psget-winevent-1.png
new file mode 100644
index 0000000000..21adc928de
Binary files /dev/null and b/windows/security/information-protection/bitlocker/images/psget-winevent-1.png differ
diff --git a/windows/security/information-protection/bitlocker/images/psget-winevent-2.png b/windows/security/information-protection/bitlocker/images/psget-winevent-2.png
new file mode 100644
index 0000000000..2941452109
Binary files /dev/null and b/windows/security/information-protection/bitlocker/images/psget-winevent-2.png differ
diff --git a/windows/security/information-protection/bitlocker/images/sccm-imageconfig.jpg b/windows/security/information-protection/bitlocker/images/sccm-imageconfig.jpg
new file mode 100644
index 0000000000..40ddf183f6
Binary files /dev/null and b/windows/security/information-protection/bitlocker/images/sccm-imageconfig.jpg differ
diff --git a/windows/security/information-protection/bitlocker/images/ts-bitlocker-usb-default-sddl.png b/windows/security/information-protection/bitlocker/images/ts-bitlocker-usb-default-sddl.png
new file mode 100644
index 0000000000..53b374d26e
Binary files /dev/null and b/windows/security/information-protection/bitlocker/images/ts-bitlocker-usb-default-sddl.png differ
diff --git a/windows/security/information-protection/bitlocker/images/ts-bitlocker-usb-sddl.png b/windows/security/information-protection/bitlocker/images/ts-bitlocker-usb-sddl.png
new file mode 100644
index 0000000000..bc299cc0e9
Binary files /dev/null and b/windows/security/information-protection/bitlocker/images/ts-bitlocker-usb-sddl.png differ
diff --git a/windows/security/information-protection/bitlocker/images/ts-tpm-1.png b/windows/security/information-protection/bitlocker/images/ts-tpm-1.png
new file mode 100644
index 0000000000..1bef01d587
Binary files /dev/null and b/windows/security/information-protection/bitlocker/images/ts-tpm-1.png differ
diff --git a/windows/security/information-protection/bitlocker/images/ts-tpm-2.png b/windows/security/information-protection/bitlocker/images/ts-tpm-2.png
new file mode 100644
index 0000000000..d4d825029c
Binary files /dev/null and b/windows/security/information-protection/bitlocker/images/ts-tpm-2.png differ
diff --git a/windows/security/information-protection/bitlocker/images/ts-tpm-3.png b/windows/security/information-protection/bitlocker/images/ts-tpm-3.png
new file mode 100644
index 0000000000..2acac0f3ea
Binary files /dev/null and b/windows/security/information-protection/bitlocker/images/ts-tpm-3.png differ
diff --git a/windows/security/information-protection/bitlocker/images/ts-tpm-4.png b/windows/security/information-protection/bitlocker/images/ts-tpm-4.png
new file mode 100644
index 0000000000..cb5b84d6b9
Binary files /dev/null and b/windows/security/information-protection/bitlocker/images/ts-tpm-4.png differ
diff --git a/windows/security/information-protection/bitlocker/images/ts-tpm-5.png b/windows/security/information-protection/bitlocker/images/ts-tpm-5.png
new file mode 100644
index 0000000000..3b3cd2b961
Binary files /dev/null and b/windows/security/information-protection/bitlocker/images/ts-tpm-5.png differ
diff --git a/windows/security/information-protection/bitlocker/images/ts-tpm-6.png b/windows/security/information-protection/bitlocker/images/ts-tpm-6.png
new file mode 100644
index 0000000000..4e82b9b76e
Binary files /dev/null and b/windows/security/information-protection/bitlocker/images/ts-tpm-6.png differ
diff --git a/windows/security/information-protection/bitlocker/images/ts-tpm-7.png b/windows/security/information-protection/bitlocker/images/ts-tpm-7.png
new file mode 100644
index 0000000000..8fb9446d93
Binary files /dev/null and b/windows/security/information-protection/bitlocker/images/ts-tpm-7.png differ
diff --git a/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md b/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md
new file mode 100644
index 0000000000..88e28e59eb
--- /dev/null
+++ b/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md
@@ -0,0 +1,136 @@
+---
+title: Guidelines for troubleshooting BitLocker
+description: Describes approaches for investigating BitLocker issues, including how to gather diagnostic information
+ms.reviewer: kaushika
+ms.technology: windows
+ms.prod: w10
+ms.sitesec: library
+ms.localizationpriority: medium
+author: Teresa-Motiv
+ms.author: v-tea
+manager: kaushika
+audience: ITPro
+ms.collection: Windows Security Technologies\BitLocker
+ms.topic: troubleshooting
+ms.date: 10/17/2019
+---
+
+# Guidelines for troubleshooting BitLocker
+
+This article addresses common issues in BitLocker and provides guidelines to troubleshoot these issues. This article also provides pointers to start the troubleshooting process, including what data to collect and what settings to check in order to narrow down the location in which these issues occur.
+
+## Review the event logs
+
+Open Event Viewer and review the following logs under Applications and Services logs\\Microsoft\\Windows:
+
+- **BitLocker-API**. Review the Management log, the Operational log, and any other logs that are generated in this folder. The default logs have the following unique names:
+   - Microsoft-Windows-BitLocker/BitLocker Operational
+   - Microsoft-Windows-BitLocker/BitLocker Management
+
+- **BitLocker-DrivePreparationTool**. Review the Admin log,  the **Operational log, and any other logs that are generated in this folder. The default logs have the following unique names:
+   - Microsoft-Windows-BitLocker-DrivePreparationTool/Operational
+   - Microsoft-Windows-BitLocker-DrivePreparationTool/Admin
+
+Additionally, review the Windows logs\\System log for events that were produced by the TCM and TCM-WMI event sources.
+
+To filter and display or export logs, you can use the [wevtutil.exe](https://docs.microsoft.com/windows-server/administration/windows-commands/wevtutil) command-line tool or the [Get-WinEvent](https://docs.microsoft.com/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-6) cmdlet.
+
+For example, to use wevtutil to export the contents of the Operational log from the BitLocker-API folder to a text file that is named BitLockerAPIOpsLog.txt, open a Command Prompt window, and run a command that resembles the following:
+
+```cmd
+wevtutil qe "Microsoft-Windows-BitLocker/BitLocker Operational" /f:text > BitLockerAPIOpsLog.txt
+```
+
+To use the **Get-WinEvent** cmdlet to export the same log to a comma-separated text file, open a Windows Powershell window and run a command that resembles the following:
+
+```ps
+Get-WinEvent -logname "Microsoft-Windows-BitLocker/BitLocker Operational"  | Export-Csv -Path Bitlocker-Operational.csv
+```
+
+You can use Get-WinEvent in an elevated PowerShell window to display filtered information from the System or Application log by using syntax that resembles the following:
+
+- To display BitLocker-related information:
+   ```ps
+   Get-WinEvent -FilterHashtable @{LogName='System'} | Where-Object -Property Message -Match 'BitLocker' | fl
+   ```
+
+   The output of such a command resembles the following.
+
+   ![Display of events that is produced by using Get-WinEvent and a BitLocker filter](./images/psget-winevent-1.png)
+
+- To export BitLocker-related information:
+   ```ps
+   Get-WinEvent -FilterHashtable @{LogName='System'} | Where-Object -Property Message -Match 'BitLocker' | Export-Csv -Path System-BitLocker.csv
+   ```
+
+- To display TPM-related information:
+   ```ps
+   Get-WinEvent -FilterHashtable @{LogName='System'} | Where-Object -Property Message -Match 'TPM' | fl
+   ```
+
+- To export TPM-related information:
+   ```ps
+   Get-WinEvent -FilterHashtable @{LogName='System'} | Where-Object -Property Message -Match 'TPM' | Export-Csv -Path System-TPM.csv
+   ```
+
+   The output of such a command resembles the following.
+
+   ![Display of events that is produced by using Get-WinEvent and a TPM filter](./images/psget-winevent-2.png)
+
+> [!NOTE]
+> If you intend to contact Microsoft Support, we recommend that you export the logs listed in this section.
+
+## Gather status information from the BitLocker technologies
+
+Open an elevated Windows PowerShell window, and run each of the following commands.
+
+|Command |Notes |
+| - | - |
+|[**get-tpm \> C:\\TPM.txt**](https://docs.microsoft.com/powershell/module/trustedplatformmodule/get-tpm?view=win10-ps) |Exports information about the local computer's Trusted Platform Module (TPM). This cmdlet shows different values depending on whether the TPM chip is version 1.2 or 2.0. This cmdlet is not supported in Windows 7. |
+|[**manage-bde –status \> C:\\BDEStatus.txt**](https://docs.microsoft.com/windows-server/administration/windows-commands/manage-bde-status) |Exports information about the general encryption status of all drives on the computer. |
+|[**manage-bde c: 
-protectors -get \> C:\\Protectors**](https://docs.microsoft.com/windows-server/administration/windows-commands/manage-bde-protectors) |Exports information about the protection methods that are used for the BitLocker encryption key.  |
+|[**reagentc /info \> C:\\reagent.txt**](https://docs.microsoft.com/windows-hardware/manufacture/desktop/reagentc-command-line-options) |Exports information about an online or offline image about the current status of the Windows Recovery Environment (WindowsRE) and any available recovery image. |
+|[**get-BitLockerVolume \| fl**](https://docs.microsoft.com/powershell/module/bitlocker/get-bitlockervolume?view=win10-ps) |Gets information about volumes that BitLocker Drive Encryption can protect. |
+
+## Review the configuration information
+
+1. Open an elevated Command Prompt window, and run the following commands.
+
+   |Command |Notes |
+   | - | - |
+   |[**gpresult /h \**](https://docs.microsoft.com/windows-server/administration/windows-commands/gpresult) |Exports the Resultant Set of Policy information, and saves the information as an HTML file. |
+   |[**msinfo /report \ /computer \**](https://docs.microsoft.com/windows-server/administration/windows-commands/msinfo32) |Exports comprehensive information about the hardware, system components, and software environment on the local computer. The **/report** option saves the information as a .txt file. |
+
+1. Open Registry Editor, and export the entries in the following subkeys:
+
+   - **HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE**
+   - **HKLM\\SYSTEM\\CurrentControlSet\\Services\\TPM\\**
+
+## Check the BitLocker prerequisites
+
+Common settings that can cause issues for BitLocker include the following:
+
+- The TPM must be unlocked. You can check the output of the **get-tpm** command for the status of the TPM.
+- Windows RE must be enabled. You can check the output of the **reagentc** command for the status of WindowsRE.
+- The system reserved partition must use the correct format.
+  - On Unified Extensible Firmware Interface (UEFI) computers, the system reserved partition must be formatted as FAT32.
+  - On legacy computers, the system reserved partition must be formatted as NTFS.
+- If the device that you are troubleshooting is a slate or tablet PC, use  to verify the status of the **Enable use of BitLocker authentication requiring preboot keyboard input on slates** option.
+
+For more information about the BitLocker prerequisites, see [BitLocker basic deployment: Using BitLocker to encrypt volumes](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-basic-deployment#using-bitlocker-to-encrypt-volumes)
+
+## Next steps
+
+If the information that you have examined so far indicates a specific issue (for example, WindowsRE is not enabled), the issue may have a straightforward fix.
+
+Resolving issues that do not have obvious causes depends on exactly which components are involved and what behavior you see. The information that you have gathered can help you narrow down the areas to investigate.
+
+- If you are working on a device that is managed by Microsoft Intune, see [Enforcing BitLocker policies by using Intune: known issues](ts-bitlocker-intune-issues.md).
+- If BitLocker does not start or cannot encrypt a drive and you notice errors or events that are related to the TPM, see [BitLocker cannot encrypt a drive: known TPM issues](ts-bitlocker-cannot-encrypt-tpm-issues.md).
+- If BitLocker does not start or cannot encrypt a drive, see [BitLocker cannot encrypt a drive: known issues](ts-bitlocker-cannot-encrypt-issues.md).
+- If BitLocker Network Unlock does not behave as expected, see [BitLocker Network Unlock: known issues](ts-bitlocker-network-unlock-issues.md).
+- If BitLocker does not behave as expected when you recover an encrypted drive, or if you did not expect BitLocker to recover the drive, see [BitLocker recovery: known issues](ts-bitlocker-recovery-issues.md).
+- If BitLocker does not behave as expected or the encrypted drive does not behave as expected, and you notice errors or events that are related to the TPM, see [BitLocker and TPM: other known issues](ts-bitlocker-tpm-issues.md).
+- If BitLocker does not behave as expected or the encrypted drive does not behave as expected, see [BitLocker configuration: known issues](ts-bitlocker-config-issues.md).
+
+We recommend that you keep the information that you have gathered handy in case you decide to contact Microsoft Support for help to resolve your issue.
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md
new file mode 100644
index 0000000000..2382b91a2a
--- /dev/null
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md
@@ -0,0 +1,103 @@
+---
+title: BitLocker cannot encrypt a drive  known issues
+description: Provides guidance for troubleshooting known issues that may prevent BitLocker Drive Encryption from encrypting a drive
+ms.reviewer: kaushika
+ms.technology: windows
+ms.prod: w10
+ms.sitesec: library
+ms.localizationpriority: medium
+author: Teresa-Motiv
+ms.author: v-tea
+manager: kaushika
+audience: ITPro
+ms.collection: Windows Security Technologies\BitLocker
+ms.topic: troubleshooting
+ms.date: 10/17/2019
+---
+
+# BitLocker cannot encrypt a drive: known issues
+
+This article describes common issues that may prevent BitLocker from encrypting a drive. This article also provides guidance to address these issues.
+
+> [!NOTE]
+> If you have determined that your BitLocker issue involves the Trusted Platform Module (TPM), see [BitLocker cannot encrypt a drive: known TPM issues](ts-bitlocker-cannot-encrypt-tpm-issues.md).
+
+## Error 0x80310059: BitLocker Drive Encryption is already performing an operation on this drive
+
+When you turn on BitLocker Drive Encryption on a computer that is running Windows 10 Professional, you receive a message that resembles the following:
+
+> **ERROR:** An error occurred (code 0x80310059):BitLocker Drive Encryption is already performing an operation on this drive. Please complete all operations before continuing.NOTE: If the -on switch has failed to add key protectors or start encryption,you may need to call manage-bde -off before attempting -on again.
+
+### Cause
+
+This issue may be caused by settings that are controlled by Group Policy Objects (GPOs).
+
+### Resolution
+
+> [!IMPORTANT]
+> Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, [back up the registry for restoration](https://support.microsoft.com/help/322756) in case problems occur.
+
+To resolve this issue, follow these steps:
+
+1. Start Registry Editor, and navigate to the following subkey:
+   **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE**
+
+1. Delete the following entries:
+   - **OSPlatformValidation\_BIOS**
+   - **OSPlatformValidation\_UEFI**
+   - **PlatformValidation**
+
+1. Exit Registry Editor, and turn on BitLocker Drive Encryption again.
+
+## "Access is denied" message when you try to encrypt removable drives
+
+You have a computer that is running Windows 10, version 1709 or version 1607. You try to encrypt a USB drive by following these steps:
+
+1. In Windows Explorer, right-click the USB drive and select **Turn on BitLocker**.
+1. On the **Choose how you want to unlock this drive** page, select **Use a password to unlock the drive**.
+1. Follow the instructions on the page to enter your password.
+1. On the **Are you ready to encrypt this drive?** page, select **Start encrypting**.
+1. The **Starting encryption** page displays the message "Access is denied."
+
+You receive this message on any computer that runs Windows 10 version 1709 or version 1607, when you use any USB drive.
+
+### Cause
+
+The security descriptor of the BitLocker Drive Encryption service (BDESvc) has an incorrect entry. Instead of NT AUTHORITY\Authenticated Users, the security descriptor uses NT AUTHORITY\INTERACTIVE.
+
+To verify that this issue has occurred, follow these steps:
+
+1. On an affected computer, open an elevated Command Prompt window and an elevated PowerShell window.
+
+1. At the command prompt, enter the following command:
+
+   ```cmd
+   C:\>sc sdshow bdesvc
+   ```
+
+   The output of this command resembles the following:
+
+   > D:(A;;CCDCLCSWRPWPDTLORCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLORCWDWO;;;BA)(A;;CCLCSWRPLORC;;;BU)(A;;CCLCSWRPLORC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOSDRCWDWO;;;WD)
+
+1. Copy this output, and use it as part of the [**ConvertFrom-SddlString**](https://docs.microsoft.com/powershell/module/microsoft.powershell.utility/convertfrom-sddlstring?view=powershell-6) command in the PowerShell window, as follows.
+
+   ![Output of the ConvertFrom-SddlString command, showing NT AUTHORITY\\INTERACTIVE](./images/ts-bitlocker-usb-sddl.png)
+
+   If you see NT AUTHORITY\INTERACTIVE (as highlighted), in the output of this command, this is the cause of the issue. Under typical conditions, the output should resemble the following:
+
+   ![Output of the ConvertFrom-SddlString command, showing NT AUTHORITY\\Authenticated Users](./images/ts-bitlocker-usb-default-sddl.png)
+
+> [!NOTE]
+> GPOs that change the security descriptors of services have been known to cause this issue.
+
+### Resolution
+
+1. To repair the security descriptor of BDESvc, open an elevated PowerShell window and enter the following command:
+
+   ```ps
+   sc sdset bdesvc D:(A;;CCDCLCSWRPWPDTLORCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLORCWDWO;;;BA)(A;;CCLCSWRPLORC;;;BU)(A;;CCLCSWRPLORC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOSDRCWDWO;;;WD)
+   ```
+
+1. Restart the computer.
+
+The issue should now be resolved.
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md
new file mode 100644
index 0000000000..c69bb9ab25
--- /dev/null
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md
@@ -0,0 +1,129 @@
+---
+title: BitLocker cannot encrypt a drive known TPM issues 
+description: Provides guidance for troubleshooting known issues that may prevent BitLocker Drive Encryption from encrypting a drive, and that you can attribute to the TPM
+ms.reviewer: kaushika
+ms.technology: windows
+ms.prod: w10
+ms.sitesec: library
+ms.localizationpriority: medium
+author: Teresa-Motiv
+ms.author: v-tea
+manager: kaushika
+audience: ITPro
+ms.collection: Windows Security Technologies\BitLocker
+ms.topic: troubleshooting
+ms.date: 10/18/2019
+---
+
+# BitLocker cannot encrypt a drive: known TPM issues
+
+This article describes common issues that affect the Trusted Platform Module (TPM) and that may prevent BitLocker from encrypting a drive. This article also provides guidance to address these issues.
+
+> [!NOTE]
+> If you have determined that your BitLocker issue does not involve the TPM, see [BitLocker cannot encrypt a drive: known issues](ts-bitlocker-cannot-encrypt-issues.md).
+
+## The TPM is locked and you see "The TPM is defending against dictionary attacks and is in a time-out period"
+
+When you turn on BitLocker Drive Encryption, it does not start. Instead, you receive a message that resembles "The TPM is defending against dictionary attacks and is in a time-out period."
+
+### Cause
+
+The TPM is locked out.
+
+### Resolution
+
+To resolve this issue, follow these steps:
+
+1. Open an elevated PowerShell window and run the following script:
+
+   ```ps
+   $Tpm = Get-WmiObject -class Win32_Tpm -namespace "root\CIMv2\Security\MicrosoftTpm" $ConfirmationStatus = $Tpm.GetPhysicalPresenceConfirmationStatus(22).ConfirmationStatus if($ConfirmationStatus -ne 4) {$Tpm.SetPhysicalPresenceRequest(22)}
+   ```
+
+1. Restart the computer. If you are prompted at the restart screen, press F12 to agree.
+1. Try again to start BitLocker Drive Encryption.
+
+## You cannot prepare the TPM, and you see "The TPM is defending against dictionary attacks and is in a time-out period"
+
+You cannot turn on BitLocker Drive Encryption on a device. You use the TPM management console (tpm.msc) to prepare the TPM on a device. The operation fails and you receive a message that resembles "The TPM is defending against dictionary attacks and is in a time-out period."
+
+### Cause
+
+The TPM is locked out.
+
+### Resolution
+
+To resolve this issue, disable and re-enable the TPM. To do this, follow these steps:
+
+1. Restart the device, and change the BIOS configuration to disable the TPM.
+1. Restart the device again, and return to the TPM management console. You should receive a message that resembles the following:
+   > Compatible Trusted Platform Module (TPM) cannot be found on this computer. Verify that this computer has 1.2 TPM and it is turned on in the BIOS.
+
+1. Restart the device, and change the BIOS configuration to enable the TPM.
+1. Restart the device, and return to the TPM management console.
+
+If you still cannot prepare the TPM, clear the existing TPM keys. To do this, follow the instructions in [Troubleshoot the TPM: Clear all the keys from the TPM](https://docs.microsoft.com/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm#clear-all-the-keys-from-the-tpm).
+
+> [!WARNING]
+> Clearing the TPM can cause data loss.  
+
+## Access Denied: Failed to backup TPM Owner Authorization information to Active Directory Domain Services. Errorcode: 0x80070005
+
+You have an environment that enforces the **Do not enable BitLocker until recovery information is stored in AD DS** policy. You try to turn on BitLocker Drive Encryption on a computer that runs Windows 7, but the operation fails. You receive a message that resembles "Access Denied" or "Insufficient Rights."
+
+### Cause
+
+The TPM did not have sufficient permissions on the TPM Devices container in Active Directory Domain Services (AD DS). Therefore, the BitLocker recovery information could not be backed up to AD DS, and BitLocker Drive Encryption could not run.
+
+This issue appears to be limited to computers that run versions of Windows that are earlier than Windows 10.
+
+### Resolution  
+
+To verify that you have correctly identified this issue, use one of the following methods:
+
+- Disable the policy or remove the computer from the domain. Then try to turn on BitLocker Drive Encryption again. The operation should now succeed.
+- Use LDAP and network trace tools to examine the LDAP exchanges between the client and the AD DS domain controller to identify the cause of the "Access Denied" or "Insufficient Rights" error. In this case, you should see the error when the client tries to access its object in the "CN=TPM Devices,DC=\<*domain*>,DC=com" container.
+
+1. To review the TPM information for the affected computer, open an elevated Windows PowerShell window and run the following command:
+
+   ```ps
+   Get-ADComputer -Filter {Name -like "ComputerName"} -Property * | Format-Table name,msTPM-TPMInformationForComputer
+   ```
+
+   In this command, *ComputerName* is the name of the affected computer.
+
+1. To resolve the issue, use a tool such as dsacls.exe to make sure that the access control list of msTPM-TPMInformationForComputer grants both Read and Write permissions to NTAUTHORITY/SELF.
+
+## Cannot prepare the TPM, error 0x80072030: "There is no such object on the server"
+
+Your domain controllers were upgraded from Windows Server 2008 R2to Windows Server 2012 R2. A Group Policy Object (GPO) enforces the **Do not enable BitLocker until recovery information is stored in AD DS** policy.  
+
+You cannot turn on BitLocker Drive Encryption on a device. You use the TPM management console (tpm.msc) to prepare the TPM on a device. The operation fails and you see a message that resembles the following:
+
+> 0x80072030 There is no such object on the server when a policy to back up TPM information to active directory is enabled
+
+You have confirmed that the **ms-TPM-OwnerInformation** and **msTPM-TpmInformationForComputer** attributes are present.
+
+### Cause
+
+The domain and forest functional level of the environment may still be set to Windows 2008 R2. Additionally, the permissions in AD DS may not be correctly set.
+
+### Resolution
+
+To resolve this issue, follow these steps:
+
+1. Upgrade the functional level of the domain and forest to Windows Server 2012 R2.
+1. Download [Add-TPMSelfWriteACE.vbs](https://go.microsoft.com/fwlink/p/?LinkId=167133).
+1. In the script, modify the value of **strPathToDomain** to your domain name.
+1. Open an elevated PowerShell window, and run the following command:
+
+   ```ps
+   cscript Add-TPMSelfWriteACE.vbs
+   ```
+   
+   In this command \<*Path*> is the path to the script file.
+
+For more information, see the following articles:
+
+- [Back up the TPM recovery information to AD DS](https://docs.microsoft.com/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds)
+- [Prepare your organization for BitLocker: Planning and policies](https://docs.microsoft.com/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies)
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md
new file mode 100644
index 0000000000..346095b34e
--- /dev/null
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md
@@ -0,0 +1,182 @@
+---
+title: BitLocker configuration known issues
+description: Describes common issues that involve your BitLocker configuration and BitLocker's general functionality, and provides guidance for addressing those issues.
+ms.reviewer: kaushika
+ms.technology: windows
+ms.prod: w10
+ms.sitesec: library
+ms.localizationpriority: medium
+author: Teresa-Motiv
+ms.author: v-tea
+manager: kaushika
+audience: ITPro
+ms.collection: Windows Security Technologies\BitLocker
+ms.topic: troubleshooting
+ms.date: 10/17/2019
+---
+
+# BitLocker configuration: known issues
+
+This article describes common issues that affect your BitLocker configuration and BitLocker's general functionality. This article also provides guidance to address these issues.
+
+## BitLocker encryption is slower in Windows 10
+
+In both Windows 10 and Windows 7, BitLocker runs in the background to encrypt drives. However, in Windows 10, BitLocker is less aggressive about requesting resources. This behavior reduces the chance that BitLocker will affect the computer's performance.
+
+To compensate for these changes, BitLocker uses a new conversion model. This model, (referred to as Encrypt-On-Write), makes sure that any new disk writes on all client SKUs and any internal drives are always encrypted *as soon as you turn on BitLocker*.
+
+> [!IMPORTANT]
+> To preserve backward compatibility, BitLocker uses the previous conversion model to encrypt removable drives.
+
+### Benefits of using the new conversion model
+
+By using the previous conversion model, you cannot consider an internal drive to be protected (and compliant with data protection standards) until the BitLocker conversion is 100 percent complete. Before the process finishes, the data that existed on the drive before encryption began—that is, potentially compromised data—can still be read and written without encryption. Therefore, you must wait for the encryption process to finish before you store sensitive data on the drive. Depending on the size of the drive, this delay can be substantial.
+
+By using the new conversion model, you can safely store sensitive data on the drive as soon as you turn on BitLocker. You don't have to wait for the encryption process to finish, and encryption does not adversely affect performance. The tradeoff is that the encryption process for pre-existing data takes more time.
+
+### Other BitLocker enhancements
+
+After Windows 7 was released, several other areas of BitLocker were improved:
+
+- **New encryption algorithm, XTS-AES**. The new algorithm provides additional protection from a class of attacks on encrypted data that rely on manipulating cipher text to cause predictable changes in plain text.
+
+   By default, this algorithm complies with the Federal Information Processing Standards (FIPS). FIPS are United States Government standards that provide a benchmark for implementing cryptographic software.
+
+- **Improved administration features**. You can manage BitLocker on PCs or other devices by using the following interfaces:
+   -  BitLocker Wizard
+   - manage-bde
+   - Group Policy Objects (GPOs)
+   - Mobile Device Management (MDM) policy
+   - Windows PowerShell
+   - Windows Management Interface (WMI)
+
+- **Integration with Azure Active Directory** (Azure AD). BitLocker can store recovery information in Azure AD to make it easier to recover.
+
+- **[Direct memory access (DMA) Port Protection](https://docs.microsoft.com/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)**. By using MDM policies to manage BitLocker, you can block a device's DMA ports and secure the device during its startup.
+
+- **[BitLocker Network Unlock](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock)**. If your BitLocker-enabled desktop or server computer is connected to a wired corporate network in a domain environment, you can automatically unlock its operating system volume during a system restart.
+
+- **Support for [Encrypted Hard Drives](https://docs.microsoft.com/windows/security/information-protection/encrypted-hard-drive)**. Encrypted Hard Drives are a new class of hard drives that are self-encrypting at a hardware level and allow for full disk hardware encryption. By taking on that workload, Encrypted Hard Drives increase BitLocker performance and reduce CPU usage and power consumption.
+
+- **Support for classes of HDD/SSD hybrid disks**. BitLocker can encrypt a disk that uses a small SSD as a non-volatile cache in front of the HDD, such as Intel Rapid Storage Technology.
+
+## Hyper-V Gen 2 VM: Cannot access the volume after BitLocker encryption
+
+Consider the following scenario:
+
+1. You turn on BitLocker on a generation-2 virtual machine (VM) that runs on Hyper-V.
+1. You add data to the data disk as it encrypts.
+1. You restart the VM, and observe the following:
+   - The system volume is not encrypted.
+   - The encrypted volume is not accessible, and the computer lists the volume's file system as "Unknown."
+   - You see a message that resembles: "You need to format the disk in \<*x:*> drive before you can use it"
+
+### Cause
+
+This issue occurs because the third-party filter driver Stcvsm.sys (from StorageCraft) is installed on the VM.
+
+### Resolution
+
+To resolve this issue, remove the third-party software.
+
+## Production snapshots fail for virtualized domain controllers that use BitLocker-encrypted disks
+
+You have a Windows Server 2019 or 2016 Hyper-V Server that is hosting VMs (guests) that are configured as Windows domain controllers. BitLocker has encrypted the disks that store the Active Directory database and log files. When you run a “production snapshot” of the domain controller guests, the Volume Snap-Shot (VSS) service does not correctly process the backup.
+
+This issue occurs regardless of any of the following variations in the environment:
+
+- How the domain controller volumes are unlocked.
+- Whether the VMs are generation 1 or generation 2.
+- Whether the guest operating system is Windows Server 2019, 2016 or 2012 R2.
+
+In the domain controller Application log, the VSS event source records event ID 8229:
+
+> ID: 8229  
+> Level: Warning  
+> ‎Source: VSS  
+> Message: A VSS writer has rejected an event with error 0x800423f4, The writer experienced a non-transient error. If the backup process is retried, the error is likely to reoccur.  
+>  
+> Changes that the writer made to the writer components while handling the event will not be available to the requester.  
+>  
+> Check the event log for related events from the application hosting the VSS writer.  
+>  
+> Operation:  
+> PostSnapshot Event
+>  
+> Context:  
+> Execution Context: Writer
+> Writer Class Id: {b2014c9e-8711-4c5c-a5a9-3cf384484757}  
+> Writer Name: NTDS  
+> Writer Instance ID: {d170b355-a523-47ba-a5c8-732244f70e75}
+> Command Line: C:\\Windows\\system32\\lsass.exe
+>  
+> Process ID: 680  
+
+In the domain controller Directory Services event log, you see an event that resembles the following:
+
+> Error Microsoft-Windows-ActiveDirectory\_DomainService 1168  
+> Internal Processing Internal error: An Active Directory Domain Services error has occurred.
+>  
+>‎  Additional Data  
+> ‎  Error value (decimal):  -1022  
+>  
+> Error value (hex): fffffc02  
+>  
+> Internal ID: 160207d9  
+
+> [!NOTE]
+> The internal ID of this event may differ based on your operating system release and path level.
+
+After this issue occurs, if you run the **VSSADMIN list writers** command, you see output that resembles the following for the Active Directory Domain Services (NTDS) VSS Writer:  
+
+> Writer name: 'NTDS'  
+>   Writer Id: {b2014c9e-8711-4c5c-a5a9-3cf384484757}  
+>   Writer Instance Id: {08321e53-4032-44dc-9b03-7a1a15ad3eb8}  
+>   State: \[11\] Failed  
+>   Last error: Non-retryable error  
+
+Additionally, you cannot back up the VMs until you restart them.
+
+### Cause
+
+After VSS creates a snapshot of a volume, the VSS writer takes "post snapshot" actions. In the case of a "production snapshot," which you initiate from the host server, Hyper-V tries to mount the snapshotted volume. However, it cannot unlock the volume for unencrypted access. BitLocker on the Hyper-V server does not recognize the volume. Therefore, the access attempt fails and then the snapshot operation fails.
+
+This behavior is by design.
+
+### Workaround
+
+There is one supported way to perform backup and restore of a virtualized domain controller:
+
+- Run Windows Server Backup in the guest operating system.
+
+If you have to take a production snapshot of a virtualized domain controller, you can suspend BitLocker in the guest operating system before you start the production snapshot. However, this approach is not recommended.
+
+For more information and recommendations about backing up virtualized domain controllers, see [Virtualizing Domain Controllers using Hyper-V: Backup and Restore Considerations for Virtualized Domain Controllers](https://docs.microsoft.com/windows-server/identity/ad-ds/get-started/virtual-dc/virtualized-domain-controllers-hyper-v#backup-and-restore-considerations-for-virtualized-domain-controllers)
+
+### More information
+
+When the VSS NTDS writer requests access to the encrypted drive, the Local Security Authority Subsystem Service (LSASS) generates an error entry that resembles the following:
+
+```
+\# for hex 0xc0210000 / decimal -1071579136
+‎ STATUS\_FVE\_LOCKED\_VOLUME ntstatus.h
+‎ \# This volume is locked by BitLocker Drive Encryption.
+```
+
+The operation produces the following call stack:
+
+```
+\# Child-SP RetAddr Call Site
+‎ 00 00000086\`b357a800 00007ffc\`ea6e7a4c KERNELBASE\!FindFirstFileExW+0x1ba \[d:\\rs1\\minkernel\\kernelbase\\filefind.c @ 872\]
+‎ 01 00000086\`b357abd0 00007ffc\`e824accb KERNELBASE\!FindFirstFileW+0x1c \[d:\\rs1\\minkernel\\kernelbase\\filefind.c @ 208\]
+‎ 02 00000086\`b357ac10 00007ffc\`e824afa1 ESENT\!COSFileFind::ErrInit+0x10b \[d:\\rs1\\onecore\\ds\\esent\\src\\os\\osfs.cxx @ 2476\]
+‎ 03 00000086\`b357b700 00007ffc\`e827bf02 ESENT\!COSFileSystem::ErrFileFind+0xa1 \[d:\\rs1\\onecore\\ds\\esent\\src\\os\\osfs.cxx @ 1443\]
+‎ 04 00000086\`b357b960 00007ffc\`e82882a9 ESENT\!JetGetDatabaseFileInfoEx+0xa2 \[d:\\rs1\\onecore\\ds\\esent\\src\\ese\\jetapi.cxx @ 11503\]
+‎ 05 00000086\`b357c260 00007ffc\`e8288166 ESENT\!JetGetDatabaseFileInfoExA+0x59 \[d:\\rs1\\onecore\\ds\\esent\\src\\ese\\jetapi.cxx @ 11759\]
+‎ 06 00000086\`b357c390 00007ffc\`e84c64fb ESENT\!JetGetDatabaseFileInfoA+0x46 \[d:\\rs1\\onecore\\ds\\esent\\src\\ese\\jetapi.cxx @ 12076\]
+‎ 07 00000086\`b357c3f0 00007ffc\`e84c5f23 ntdsbsrv\!CVssJetWriterLocal::RecoverJetDB+0x12f \[d:\\rs1\\ds\\ds\\src\\jetback\\snapshot.cxx @ 2009\]
+‎ 08 00000086\`b357c710 00007ffc\`e80339e0 ntdsbsrv\!CVssJetWriterLocal::OnPostSnapshot+0x293 \[d:\\rs1\\ds\\ds\\src\\jetback\\snapshot.cxx @ 2190\]
+‎ 09 00000086\`b357cad0 00007ffc\`e801fe6d VSSAPI\!CVssIJetWriter::OnPostSnapshot+0x300 \[d:\\rs1\\base\\stor\\vss\\modules\\jetwriter\\ijetwriter.cpp @ 1704\]
+‎ 0a 00000086\`b357ccc0 00007ffc\`e8022193 VSSAPI\!CVssWriterImpl::OnPostSnapshotGuard+0x1d \[d:\\rs1\\base\\stor\\vss\\modules\\vswriter\\vswrtimp.cpp @ 5228\]
+‎ 0b 00000086\`b357ccf0 00007ffc\`e80214f0 VSSAPI\!CVssWriterImpl::PostSnapshotInternal+0xc3b \[d:\\rs1\\base\\stor\\vss\\modules\\vswriter\\vswrtimp.cpp @ 3552\]
+```
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
new file mode 100644
index 0000000000..c3e4f16427
--- /dev/null
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
@@ -0,0 +1,113 @@
+---
+title: Decode Measured Boot logs to track PCR changes
+description: Provides instructions for installing and using a tool for analyzing log information to identify changes to PCRs
+ms.reviewer: kaushika
+ms.technology: windows
+ms.prod: w10
+ms.sitesec: library
+ms.localizationpriority: medium
+author: Teresa-Motiv
+ms.author: v-tea
+manager: kaushika
+audience: ITPro
+ms.collection: Windows Security Technologies\BitLocker
+ms.topic: troubleshooting
+ms.date: 10/17/2019
+---
+
+# Decode Measured Boot logs to track PCR changes
+
+Platform Configuration Registers (PCRs) are memory locations in the Trusted Platform Module (TPM). BitLocker and its related technologies depend on specific PCR configurations. Additionally, specific change in PCRs can cause a device or computer to enter BitLocker recovery mode.  
+
+By tracking changes in the PCRs, and identifying when they changed, you can gain insight into issues that occur or learn why a device or computer entered BitLocker recovery mode. The Measured Boot logs record PCR changes and other information. These logs are located in the C:\\Windows\\Logs\\MeasuredBoot\\ folder.
+
+This article describes tools that you can use to decode these logs: TBSLogGenerator and PCPTool.
+
+For more information about Measured Boot and PCRs, see the following articles:
+
+- [TPM fundamentals: Measured Boot with support for attestation](https://docs.microsoft.com/windows/security/information-protection/tpm/tpm-fundamentals#measured-boot-with-support-for-attestation)  
+- [Understanding PCR banks on TPM 2.0 devices](https://docs.microsoft.com/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices)
+
+## Use TBSLogGenerator to decode Measured Boot logs
+
+Use TBSLogGenerator to decode Measured Boot logs that you have collected from Windows 10 and earlier versions. You can install this tool on the following systems:
+
+- A computer that is running Windows Server 2016 and that has a TPM enabled
+- A Gen 2 virtual machine (running on Hyper-V) that is running Windows Server 2016 (you can use the virtual TPM)
+
+To install the tool, follow these steps:
+
+1. Download the Windows Hardware Lab Kit from one of the following locations:
+
+   - [Windows Hardware Lab Kit](https://docs.microsoft.com/windows-hardware/test/hlk/)
+   - Direct download link for Windows Server 2016: [Windows HLK, version 1607](https://go.microsoft.com/fwlink/p/?LinkID=404112)
+
+1. Accept the default installation path.
+
+   ![Specify Location page of the Windows Hardware Lab Kit installation wizard](./images/ts-tpm-1.png)
+
+1. Under **Select the features you want to install**, select **Windows Hardware Lab Kit—Controller + Studio**.
+
+   ![Select features page of the Windows Hardware Lab Kit installation wizard](./images/ts-tpm-2.png)
+
+1. Finish the installation.
+
+To use TBSLogGenerator, follow these steps:
+
+1. After the installation finishes, open an elevated Command Prompt window and navigate to the following folder:  
+   **C:\\Program Files (x86)\\Windows Kits\\10\\Hardware Lab Kit\\Tests\\amd64\\NTTEST\\BASETEST\\ngscb**
+
+   This folder contains the TBSLogGenerator.exe file.
+
+   ![Properties and location of the TBSLogGenerator.exe file](./images/ts-tpm-3.png)
+
+1. Run the following command:
+   ```cmd
+   TBSLogGenerator.exe -LF \.log > \.txt
+   ```
+   where the variables represent the following values:
+   - \<*LogFolderName*> = the name of the folder that contains the file to be decoded
+   - \<*LogFileName*> = the name of the file to be decoded
+   - \<*DestinationFolderName*> = the name of the folder for the decoded text file
+   - \<*DecodedFileName*> = the name of the decoded text file
+
+   For example, the following figure shows Measured Boot logs that were collected from a Windows 10 computer and put into the C:\\MeasuredBoot\\ folder. The figure also shows a Command Prompt window and the command to decode the **0000000005-0000000000.log** file:
+
+    ```cmd
+    TBSLogGenerator.exe -LF C:\MeasuredBoot\0000000005-0000000000.log > C:\MeasuredBoot\0000000005-0000000000.txt
+    ```
+
+   ![Command Prompt window that shows an example of how to use TBSLogGenerator](./images/ts-tpm-4.png)
+
+   The command produces a text file that uses the specified name. In the case of the example, the file is **0000000005-0000000000.txt**. The file is located in the same folder as the original .log file.
+
+   ![Windows Explorer window that shows the text file that TBSLogGenerator produces](./images/ts-tpm-5.png)
+
+The content of this text file resembles the following.
+
+![Contents of the text file, as shown in NotePad](./images/ts-tpm-6.png)
+
+To find the PCR information, go to the end of the file.
+
+   ![View of NotePad that shows the PCR information at the end of the text file](./images/ts-tpm-7.png)
+
+## Use PCPTool to decode Measured Boot logs
+
+PCPTool is part of the [TPM Platform Crypto-Provider Toolkit](https://www.microsoft.com/download/details.aspx?id=52487). The tool decodes a Measured Boot log file and converts it into an XML file.
+
+To download and install PCPTool, go to the Toolkit page, select **Download**, and follow the instructions.
+
+To decode a log, run the following command:
+```cmd
+PCPTool.exe decodelog \.log > \.xml
+```  
+
+where the variables represent the following values:
+- \<*LogFolderPath*> = the path to the folder that contains the file to be decoded
+- \<*LogFileName*> = the name of the file to be decoded
+- \<*DestinationFolderName*> = the name of the folder for the decoded text file
+- \<*DecodedFileName*> = the name of the decoded text file
+
+The content of the XML file resembles the following.
+
+![Command Prompt window that shows an example of how to use PCPTool](./images/pcptool-output.jpg)
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md
new file mode 100644
index 0000000000..e2d0822e3c
--- /dev/null
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md
@@ -0,0 +1,346 @@
+---
+title: Enforcing BitLocker policies by using Intune  known issues
+description: provides assistance for issues that you may see if you use Microsoft Intune policy to manage silent BitLocker encryption on devices.
+ms.reviewer: kaushika
+ms.technology: windows
+ms.prod: w10
+ms.sitesec: library
+ms.localizationpriority: medium
+author: Teresa-Motiv
+ms.author: v-tea
+manager: kaushika
+audience: ITPro
+ms.collection: Windows Security Technologies\BitLocker
+ms.topic: troubleshooting
+ms.date: 10/18/2019
+---
+
+# Enforcing BitLocker policies by using Intune: known issues
+
+This article helps you troubleshoot issues that you may experience if you use Microsoft Intune policy to manage silent BitLocker encryption on devices. The Intune portal indicates whether BitLocker has failed to encrypt one or more managed devices.
+
+![The BitLocker status indictors on the Intune portal](./images/4509189-en-1.png)
+
+To start narrowing down the cause of the problem, review the event logs as described in [Troubleshoot BitLocker](troubleshoot-bitlocker.md). Concentrate on the Management and Operations logs in the **Applications and Services logs\\Microsoft\\Windows\\BitLocker-API** folder. The following sections provide more information about how to resolve the indicated events and error messages:
+
+- [Event ID 853: Error: A compatible Trusted Platform Module (TPM) Security Device cannot be found on this computer](#issue-1)
+- [Event ID 853: Error: BitLocker Drive Encryption detected bootable media (CD or DVD) in the computer](#issue-2)
+- [Event ID 854: WinRE is not configured](#issue-3)
+- [Event ID 851: Contact manufacturer for BIOS upgrade](#issue-4)
+- [Error message: The UEFI variable 'SecureBoot' could not be read](#issue-6)
+- [Event ID 846, 778, and 851: Error 0x80072f9a](#issue-7)
+- [Error message: Conflicting Group Policy settings for recovery options on operating system drives](#issue-5)
+
+If you do not have a clear trail of events or error messages to follow, other areas to investigate include the following:
+
+- [Review the hardware requirements for using Intune to manage BitLocker on devices](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-bitlocker#bitlocker-automatic-device-encryption-hardware-requirements)
+- [Review your BitLocker policy configuration](#policy)
+
+For information about how to verify that Intune policies are enforcing BitLocker correctly, see [Verifying that BitLocker is operating correctly](#verifying-that-bitlocker-is-operating-correctly).
+
+## Event ID 853: Error: A compatible Trusted Platform Module (TPM) Security Device cannot be found on this computer
+
+Event ID 853 can carry different error messages, depending on the context. In this case, the Event ID 853 error message indicates that the device does not appear to have a TPM. The event information resembles the following:
+
+![Details of event ID 853 (TPM is not available, cannot find TPM)](./images/4509190-en-1.png)
+
+### Cause
+
+The device that you are trying to secure may not have a TPM chip, or the device BIOS might be configured to disable the TPM.
+
+### Resolution
+
+To resolve this issue, verify the following:
+
+- The TPM is enabled in the device BIOS.  
+- The TPM status in the TPM management console resembles the following:
+   - Ready (TPM 2.0)
+   - Initialized (TPM 1.2)
+
+For more information, see [Troubleshoot the TPM](https://docs.microsoft.com/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm).
+
+## Event ID 853: Error: BitLocker Drive Encryption detected bootable media (CD or DVD) in the computer
+
+In this case, you see event ID 853, and the error message in the event indicates that bootable media is available to the device. The event information resembles the following.
+
+![Details of event ID 853 (TPM is not available, bootable media found)](./images/4509191-en-1.png)
+
+### Cause
+
+During the provisioning process, BitLocker Drive Encryption records the configuration of the device to establish a baseline. If the device configuration changes later (for example, if you remove the media), BitLocker recovery mode automatically starts.
+
+To avoid this situation, the provisioning process stops if it detects removable bootable media.
+
+### Resolution
+
+Remove the bootable media, and restart the device. After the device restarts, verify the encryption status.
+
+## Event ID 854: WinRE is not configured
+
+The event information resembles the following:
+
+> Failed to enable Silent Encryption. WinRe is not configured.
+>  
+> Error: This PC cannot support device encryption because WinRE is not properly configured.
+
+### Cause
+
+Windows Recovery Environment (WinRE) is a minimal Windows operating system that is based on Windows Preinstallation Environment (Windows PE). WinRE includes several tools that an administrator can use to recover or reset Windows and diagnose Windows issues. If a device cannot start the regular Windows operating system, the device tries to start WinRE.
+
+The provisioning process enables BitLocker Drive Encryption on the operating system drive during the Windows PE phase of provisioning. This action makes sure that the drive is protected before the full operating system is installed. The provisioning process also creates a system partition for WinRE to use if the system crashes.
+
+If WinRE is not available on the device, provisioning stops.
+
+### Resolution
+
+You can resolve this issue by verifying the configuration of the disk partitions, the status of WinRE, and the Windows Boot Loader configuration. To do this, follow these steps.
+
+#### Step 1: Verify the configuration of the disk partitions
+
+The procedures described in this section depend on the default disk partitions that Windows configures during installation. Windows 10 automatically creates a recovery partition that contains the Winre.wim file. The partition configuration resembles the following.
+
+![Default disk partitions, including the recovery partition](./images/4509194-en-1.png)
+
+To verify the configuration of the disk partitions, open an elevated Command Prompt window, and run the following commands:
+
+```
+diskpart 
+list volume
+```
+![Output of the list volume command in the Diskpart app](./images/4509195-en-1.png)
+
+If the status of any of the volumes is not healthy or if the recovery partition is missing, you may have to reinstall Windows. Before you do this, check the configuration of the Windows image that you are using for provisioning. Make sure that the image uses the correct disk configuration. The image configuration should resemble the following (this example is from System Center Configuration Manager).
+
+![Windows image configuration in System Center Configuration Manager](./images/sccm-imageconfig.jpg)
+
+#### Step 2: Verify the status of WinRE
+
+To verify the status of WinRE on the device, open an elevated Command Prompt window and run the following command:
+
+```cmd
+reagentc /info
+```
+The output of this command resembles the following.
+
+![Output of the reagentc /info command](./images/4509193-en-1.png)
+
+If the **Windows RE status** is not **Enabled**, run the following command to enable it:
+
+```cmd
+reagentc /enable
+```
+
+#### Step 3: Verify the Windows Boot Loader configuration
+
+If the partition status is healthy, but the **reagentc /enable** command results in an error, verify that Windows Boot Loader contains the recovery sequence GUID. To do this, run the following command in an elevated Command Prompt window:
+
+```cmd
+bcdedit /enum all
+```
+
+The output of this command resembles the following.
+
+![Output of the bcdedit /enum all command](./images/4509196-en-1.png)
+
+In the output, locate the **Windows Boot Loader** section that includes the line **identifier={current}**. In that section, locate the **recoverysequence** attribute. The value of this attribute should be a GUID value, not a string of zeros.
+
+## Event ID 851: Contact the manufacturer for BIOS upgrade instructions
+
+The event information resembles the following:
+
+> Failed to enable Silent Encryption.
+>  
+> Error: BitLocker Drive Encryption cannot be enabled on the operating system drive. Contact the computer manufacturer for BIOS upgrade instructions.
+
+### Cause
+
+The device must have Unified Extensible Firmware Interface (UEFI) BIOS. Silent BitLocker Drive Encryption does not support legacy BIOS.
+
+### Resolution
+
+To verify the BIOS mode, use the System Information app. To do this, follow these steps:
+
+1. Select **Start**, and enter **msinfo32** in the **Search** box.
+1. Verify that the **BIOS Mode** setting is **UEFI** and not **Legacy**.  
+   ![System Information app, showing the BIOS Mode setting](./images/4509198-en-1.png)
+1. If the **BIOS Mode** setting is **Legacy**, you have to switch the BIOS into **UEFI** or **EFI** mode. The steps for doing this are specific to the device.
+   > [!NOTE]
+   > If the device supports only Legacy mode, you cannot use Intune to manage BitLocker Device Encryption on the device.
+
+## Error message: The UEFI variable 'SecureBoot' could not be read
+
+You receive an error message that resembles the following:
+
+> **Error:** BitLocker cannot use Secure Boot for integrity because the UEFI variable ‘SecureBoot’ could not be read. A required privilege is not held by the client.
+
+### Cause
+
+A Platform Configuration Register (PCR) is a memory location in the TPM. In particular, PCR 7 measures the state of Secure Boot. Silent BitLocker Drive Encryption requires that Secure Boot is turned on.
+
+### Resolution
+
+You can resolve this issue by verifying the PCR validation profile of the TPM and the Secure Boot state. To do this, follow these steps:
+
+#### Step 1: Verify the PCR validation profile of the TPM
+
+To verify that PCR 7 is in use, open an elevated Command Prompt window and run the following command:
+
+```cmd
+Manage-bde -protectors -get %systemdrive%
+```
+
+In the TPM section of the output of this command, verify that the **PCR Validation Profile** setting includes **7**, as follows.
+
+![Output of the manage-bde command](./images/4509199-en-1.png)
+
+If **PCR Validation Profile** doesn't include **7** (for example, the values include **0**, **2**, **4**, and **11**, but not **7**), then Secure Boot is not turned on.
+
+![Output of the manage-bde command when PCR 7 is not present](./images/4509200-en-1.png)
+
+#### 2. Verify the Secure Boot state
+
+To verify the Secure Boot state, use the System Information app. To do this, follow these steps:
+
+1. Select **Start**, and enter **msinfo32** in the **Search** box.
+1. Verify that the **Secure Boot State** setting is **On**, as follows:  
+   ![System Information app, showing a supported Secure Boot State](./images/4509201-en-1.png)
+1. If the **Secure Boot State** setting is **Unsupported**, you cannot use Silent BitLocker Encryption on this device.  
+   ![System Information app, showing a supported Secure Boot State](./images/4509202-en-1.png)
+
+> [!NOTE]
+> You can also use the [Confirm-SecureBootUEFI](https://docs.microsoft.com/powershell/module/secureboot/confirm-securebootuefi?view=win10-ps) cmdlet to verify the Secure Boot state. To do this, open an elevated PowerShell window and run the following command:
+> ```ps
+> PS C:\> Confirm-SecureBootUEFI
+> ```
+> If the computer supports Secure Boot and Secure Boot is enabled, this cmdlet returns "True."  
+>  
+> If the computer supports Secure Boot and Secure Boot is disabled, this cmdlet returns "False."  
+>  
+> If the computer does not support Secure Boot or is a BIOS (non-UEFI) computer, this cmdlet returns "Cmdlet not supported on this platform."  
+
+## Event ID 846, 778, and 851: Error 0x80072f9a
+
+In this case, you are deploying Intune policy to encrypt a Windows 10, version 1809 device and store the recovery password in Azure Active Directory (Azure AD). As part of the policy configuration, you have selected the **Allow standard users to enable encryption during Azure AD Join** option.
+
+The policy deployment fails and generates the following events (visible in Event Viewer in the **Applications and Services Logs\\Microsoft\\Windows\\BitLocker API** folder):
+
+> Event ID:846
+> 
+> Event:
+> Failed to backup BitLocker Drive Encryption recovery information for volume C: to your Azure AD.
+> 
+> TraceId: {cbac2b6f-1434-4faa-a9c3-597b17c1dfa3}
+> Error: Unknown HResult Error code: 0x80072f9a
+
+> Event ID:778
+> 
+> Event: The BitLocker volume C: was reverted to an unprotected state.
+
+> Event ID: 851
+> 
+> Event:
+> Failed to enable Silent Encryption.
+> 
+> Error: Unknown HResult Error code: 0x80072f9a.
+
+These events refer to Error code 0x80072f9a.
+
+### Cause
+
+These events indicate that the signed-in user does not have permission to read the private key on the certificate that is generated as part of the provisioning and enrollment process. Therefore, the BitLocker MDM policy refresh fails.
+
+The issue affects Windows 10 version 1809.
+
+### Resolution
+
+To resolve this issue, install the [May 21, 2019](https://support.microsoft.com/help/4497934/windows-10-update-kb4497934) update.
+
+## Error message: There are conflicting Group Policy settings for recovery options on operating system drives
+
+You receive a message that resembles the following:
+
+> **Error:** BitLocker Drive Encryption cannot be applied to this drive because there are conflicting Group Policy settings for recovery options on operating system drives. Storing recovery information to Active Directory Domain Services cannot be required when the generation of recovery passwords is not permitted. Please have your system administrator resolve these policy conflicts before attempting to enable BitLocker…
+
+### Resolution
+
+To resolve this issue, review your Group Policy Object (GPO) settings for conflicts. For further guidance, see the next section, [Review your BitLocker policy configuration](#policy).
+
+For more information about GPOs and BitLocker, see [BitLocker Group Policy Reference](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-7/ee706521(v=ws.10)?redirectedfrom=MSDN).
+
+## Review your BitLocker policy configuration
+
+For information about how to use policy together with BitLocker and Intune, see the following resources:
+
+- [BitLocker management for enterprises: Managing devices joined to Azure Active Directory](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises#managing-devices-joined-to-azure-active-directory)
+- [BitLocker Group Policy Reference](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-7/ee706521(v=ws.10)?redirectedfrom=MSDN)
+- [Configuration service provider reference](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference)
+- [Policy CSP – BitLocker](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-bitlocker)
+- [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp)
+- [Enable ADMX-backed policies in MDM](https://docs.microsoft.com/windows/client-management/mdm/enable-admx-backed-policies-in-mdm)
+- [gpresult](https://docs.microsoft.com/windows-server/administration/windows-commands/gpresult)
+
+Intune offers the following enforcement types for BitLocker:
+
+- **Automatic** (Enforced when the device joins Azure AD during the provisioning process. This option is available in Windows 10 version 1703 and later.)
+- **Silent** (Endpoint protection policy. This option is available in Windows 10 version 1803 and later.)
+- **Interactive** (Endpoint policy for Windows versions that are older than Windows 10 version 1803.)
+
+If your device runs Windows 10 version 1703 or later, supports Modern Standby (also known as Instant Go) and is HSTI-compliant, joining the device to Azure AD triggers automatic device encryption. A separate endpoint protection policy is not required to enforce device encryption.
+
+If your device is HSTI-compliant but does not support Modern Standby, you have to configure an endpoint protection policy to enforce silent BitLocker Drive Encryption. The settings for this policy should resemble the following:
+
+![Intune policy settings](./images/4509186-en-1.png)
+
+The OMA-URI references for these settings are as follows:
+
+- OMA-URI: **./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryption**  
+   Value Type: **Integer**  
+   Value: **1**  (1 = Require, 0 = Not Configured)
+
+- OMA-URI: **./Device/Vendor/MSFT/BitLocker/AllowWarningForOtherDiskEncryption**  
+   Value Type: **Integer**  
+   Value: **0** (0 = Blocked, 1 = Allowed)  
+
+> [!NOTE]
+> Because of an update to the BitLocker Policy CSP, if the device uses Windows 10 version 1809 or later, you can use an endpoint protection policy to enforce silent BitLocker Device Encryption even if the device is not HSTI-compliant.
+
+> [!NOTE]
+> If the **Waiting for other disk encryption** setting is set to **Not configured**, you have to manually start the BitLocker Drive Encryption wizard.  
+
+If the device does not support Modern Standby but is HSTI-compliant, and it uses a version of Windows that is earlier than Windows 10, version 1803, an endpoint protection policy that has the settings that are described in this article delivers the policy configuration to the device. However, Windows then notifies the user to manually enable BitLocker Drive Encryption. To do this, the user selects the notification. This action starts the BitLocker Drive Encryption wizard.  
+
+The Intune 1901 release provides settings that you can use to configure automatic device encryption for Autopilot devices for standard users. Each device must meet the following requirements:
+
+- Be HSTI-compliant
+- Support Modern Standby
+- Use Windows 10 version 1803 or later
+
+![Intune policy setting](./images/4509188-en-1.png)
+
+The OMA-URI references for these settings are as follows:
+
+- OMA-URI: **./Device/Vendor/MSFT/BitLocker/AllowStandardUserEncryption**  
+   Value Type: **Integer**
+   Value: **1**  
+
+> [!NOTE]
+> This node works together with the **RequireDeviceEncryption** and **AllowWarningForOtherDiskEncryption** nodes. For this reason, when you set **RequireDeviceEncryption** to **1**, **AllowStandardUserEncryption** to **1**, and **AllowWarningForOtherDiskEncryption** to **0**. Intune can enforce silent BitLocker encryption for Autopilot devices that have standard user profiles.
+
+## Verifying that BitLocker is operating correctly
+
+During regular operations, BitLocker Drive Encryption generates events such as Event ID 796 and Event ID 845.
+
+![Event ID 796, as shown in Event Viewer](./images/4509203-en-1.png)
+
+![Event ID 845, as shown in Event Viewer](./images/4509204-en-1.png)
+
+You can also determine whether the BitLocker recovery password has been uploaded to Azure AD by checking the device details in the Azure AD Devices section.
+
+![BitLocker recovery information as viewed in Azure AD](./images/4509205-en-1.png)
+
+On the device, check the Registry Editor to verify the policy settings on the device. Verify the entries under the following subkeys:
+
+- **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\current\\device\\BitLocker**
+- **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\current\\device**  
+
+![Registry subkeys that relate to Intune policy](./images/4509206-en-1.png)
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md
new file mode 100644
index 0000000000..77216f2dd1
--- /dev/null
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md
@@ -0,0 +1,87 @@
+---
+title: BitLocker Network Unlock known issues
+description: Describes several known issues that you may encounter while using Network Unlock, and provided guidance for addressing those issues.
+ms.reviewer: kaushika
+ms.technology: windows
+ms.prod: w10
+ms.sitesec: library
+ms.localizationpriority: medium
+author: Teresa-Motiv
+ms.author: v-tea
+manager: kaushika
+audience: ITPro
+ms.collection: Windows Security Technologies\BitLocker
+ms.topic: troubleshooting
+ms.date: 10/7/2019
+---
+# BitLocker Network Unlock: known issues
+
+By using the BitLocker Network Unlock feature, you can manage computers remotely without having to enter a BitLocker PIN when each computer starts up. To do this, You have to configure your environment to meet the following requirements:
+
+- Each computer belongs to a domain
+- Each computer has a wired connection to the corporate network
+- The corporate network uses DHCP to manage IP addresses
+- Each computer has a DHCP driver implemented in its Unified Extensible Firmware Interface (UEFI) firmware
+
+For general guidelines about how to troubleshoot Network Unlock, see [How to enable Network Unlock: Troubleshoot Network Unlock](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock#troubleshoot-network-unlock).
+
+This article describes several known issues that you may encounter when you use Network Unlock, and provides guidance to address these issues.
+
+## Tip: Detect whether BitLocker Network Unlock is enabled on a specific computer
+
+You can use the following steps on computers that have either x64 or x32 UEFI systems. You can also script these commands.
+
+1. Open an elevated Command Prompt window and run the following command:
+
+   ```cmd
+   manage-bde protectors get 
+   ```
+
+   where \<*Drive*> is the drive letter, followed by a colon (:), of the bootable drive.
+   If the output of this command includes a key protector of type **TpmCertificate (9)**, the configuration is correct for BitLocker Network Unlock.
+
+1. Start Registry Editor, and verify the following settings:
+   - Entry **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE: OSManageNKP** is set to **1**
+   - Subkey **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP\\Certificates** has an entry whose name matches the name of the certificate thumbprint of the Network Unlock key protector that you found in step 1.
+
+## On a Surface Pro 4 device, BitLocker Network Unlock does not work because the UEFI network stack is incorrectly configured
+
+You have configured BitLocker Network Unlock as described in [BitLocker: How to enable Network Unlock](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock). You have configured the UEFI of the device to use DHCP. However, when you restart the device, it still prompts you for the BitLocker PIN.  
+
+You test another device, such as a different type of tablet or laptop PC, that is configured to use the same infrastructure. The device restarts as expected, without prompting for the BitLocker PIN. You conclude that the infrastructure is correctly configured, and the issue is specific to the device.
+
+### Cause
+
+The UEFI network stack on the device was incorrectly configured.
+
+### Resolution
+
+To correctly configure the UEFI network stack of the Surface Pro 4, you have to use Microsoft Surface Enterprise Management Mode (SEMM). For information about SEMM, see [Enroll and configure Surface devices with SEMM](https://docs.microsoft.com/surface/enroll-and-configure-surface-devices-with-semm).
+
+> [!NOTE]
+> If you cannot use SEMM, you may be able to configure the Surface Pro 4 to use BitLocker Network Unlock by configuring the device to use the network as its first boot option.
+
+## Unable to use BitLocker Network Unlock feature on a Windows client computer
+
+You have configured BitLocker Network Unlock as described in [BitLocker: How to enable Network Unlock](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock). You have a Windows 8-based client computer that is connected to the corporate LAN by using an Ethernet Cable. However, when you restart the computer, it still prompts you for the BitLocker PIN.  
+
+### Cause
+
+A Windows 8-based or Windows Server 2012-based client computer sometimes does not receive or use the Network Unlock protector, depending on whether the client receives unrelated BOOTP replies from a DHCP server or WDS server.
+
+DHCP servers may send any DHCP options to a BOOTP client as allowed by the DHCP options and BOOTP vendor extensions. This means that because a DHCP server supports BOOTP clients, the DHCP server replies to BOOTP requests.
+
+The manner in which a DHCP server handles an incoming message depends in part on whether the message uses the Message Type option:
+
+- The first two messages that the BitLocker Network Unlock client sends are DHCP DISCOVER\REQUEST messages. They use the Message Type option, so the DHCP server treats them as DHCP messages.  
+- The third message that the BitLocker Network Unlock client sends does not have the Message Type option. The DHCP server treats the message as a BOOTP request.
+
+A DHCP server that supports BOOTP clients must interact with those clients according to the BOOTP protocol. The server must create a BOOTP BOOTREPLY message instead of a DHCP DHCPOFFER message. (In other words, the server must not include the DHCP message option type and must not exceed the size limit for BOOTREPLY messages.) After the server sends the BOOTP BOOTREPLY message, the server marks a binding for a BOOTP client as BOUND. A non-DHCP client does not send a DHCPREQUEST message, nor does that client expect a DHCPACK message.
+
+If a DHCP server that is not configured to support BOOTP clients receives a BOOTREQUEST message from a BOOTP client, that server silently discards the BOOTREQUEST message.
+
+For more information about DHCP and BitLocker Network Unlock, see [BitLocker: How to enable Network Unlock: Network Unlock sequence](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock#network-unlock-sequence)
+
+### Resolution
+
+To resolve this issue, change the configuration of the DHCP server by changing the **DHCP** option from **DHCP and BOOTP** to **DHCP**.
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md
new file mode 100644
index 0000000000..a25ea79f8a
--- /dev/null
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md
@@ -0,0 +1,290 @@
+---
+title: BitLocker recovery known issues
+description: Describes common issues that can occur that prevent BitLocker from behaving as expected when recovering a drive, or may cause BitLocker to start recovery unexpectedly. The article provides guidance for addressing those issues.
+ms.reviewer: kaushika
+ms.technology: windows
+ms.prod: w10
+ms.sitesec: library
+ms.localizationpriority: medium
+author: Teresa-Motiv
+ms.author: v-tea
+manager: kaushika
+audience: ITPro
+ms.collection: Windows Security Technologies\BitLocker
+ms.topic: troubleshooting
+ms.date: 10/18/2019
+---
+
+# BitLocker recovery: known issues
+
+This article describes common issues that may prevent BitLocker from behaving as expected when you recover a drive, or that may cause BitLocker to start recovery unexpectedly. The article provides guidance to address these issues.
+
+> [!NOTE]
+> In this article, "recovery password" refers to the 48-digit recovery password and "recovery key" refers to 32-digit recovery key. For more information, see [BitLocker key protectors](https://docs.microsoft.com/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies#bitlocker-key-protectors).
+
+## Windows 10 prompts for a non-existing BitLocker recovery password
+
+Windows 10 prompts you for a BitLocker recovery password. However, you did not configure a BitLocker recovery password.
+
+### Resolution
+
+The BitLocker and Active Directory Domain Services (AD DS) FAQ addresses situations that may produce this symptom, and provides information about how to resolve the issue:
+
+- [What if BitLocker is enabled on a computer before the computer has joined the domain?](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain)
+- [What happens if the backup initially fails? Will BitLocker retry the backup?](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq#what-happens-if-the-backup-initially-fails-will-bitlocker-retry-the-backup)
+
+## The recovery password for a laptop was not backed up, and the laptop is locked
+
+You have a Windows 10 Home-based laptop, and you have to recover its hard disk. The disk was encrypted by using BitLocker Driver Encryption. However, the BitLocker recovery password was not backed up, and the usual user of the laptop is not available to provide the password.
+
+### Resolution
+
+You can use either of the following methods to manually back up or synchronize an online client's existing recovery information:
+
+- Create a Windows Management Instrumentation (WMI) script that backs up the information. For more information, see [BitLocker Drive Encryption Provider](https://docs.microsoft.com/windows/win32/secprov/bitlocker-drive-encryption-provider).
+
+- In an elevated Command Prompt window, use the [manage-bde](https://docs.microsoft.com/windows-server/administration/windows-commands/manage-bde) command to back up the information.
+
+   For example, to back up all of the recovery information for the C: drive to AD DS, open an elevated Command Prompt window and run the following command:
+
+   ```cmd
+   manage-bde -protectors -adbackup C:
+   ```
+
+> [!NOTE]
+> BitLocker does not automatically manage this backup process.  
+
+## Tablet devices do not support using Manage-bde -forcerecovery to test recovery mode
+
+You have a tablet or slate device, and you try to test BitLocker Recovery by running the following command:
+
+```cmd
+Manage-bde -forcerecovery
+```
+
+However, after you enter the recovery password, the device cannot start.
+
+### Cause
+
+> [!IMPORTANT]
+> Tablet devices do not support the **manage-bde -forcerecovery** command.
+
+This issue occurs because the Windows Boot Manager cannot process touch input during the pre-boot phase of startup. If Boot Manager detects that the device is a tablet, it redirects the startup process to the Windows Recovery Environment (WinRE), which can process touch input.
+
+If WindowsRE detects the TPM protector on the hard disk, it does a PCR reseal. However, the **manage-bde -forcerecovery** command deletes the TPM protectors on the hard disk. Therefore, WinRE cannot reseal the PCRs. This failure triggers an infinite BitLocker recovery cycle and prevents Windows from starting.
+
+This behavior is by design for all versions of Windows.
+
+### Workaround
+
+To resolve the restart loop, follow these steps:
+
+1. On the BitLocker Recovery screen, select **Skip this drive**.
+1. Select **Troubleshoot** \> **Advanced Options** \> **Command Prompt**.
+1. In the Command Prompt window, run the following commands :
+   ```cmd
+   manage-bde –unlock C: -rp <48-digit BitLocker recovery password>
+   manage-bde -protectors -disable C:
+   ```
+1. Close the Command Prompt window.
+1. Shut down the device.
+1. Start the device. Windows should start as usual.
+
+## After you install UEFI or TPM firmware updates on Surface, BitLocker prompts for the recovery password
+
+You have a Surface device that has BitLocker Drive Encryption turned on. You update the firmware of the device TPM or install an update that changes the signature of the system firmware. For example, you install the Surface TPM (IFX) update.
+
+You experience one or more of the following symptoms on the Surface device:
+
+- At startup, you are prompted for your BitLocker recovery password. You enter the correct recovery password, but Windows doesn’t start up.
+- Startup progresses directly into the Surface Unified Extensible Firmware Interface (UEFI) settings.
+- The Surface device appears to be in an infinite restart loop.
+
+### Cause
+
+This issue occurs if the Surface device TPM is configured to use Platform Configuration Register (PCR) values other than the default values of PCR 7 and PCR 11. For example, the following settings can configure the TPM this way:
+
+- Secure Boot is turned off.
+- PCR values have been explicitly defined, such as by Group Policy.
+
+Devices that support Connected Standby (also known as *InstantGO* or *Always On, Always Connected PCs*), including Surface devices, must use PCR 7 of the TPM. In its default configuration on such systems, BitLocker binds to PCR 7 and PCR 11 if PCR 7 and Secure Boot are correctly configured. For more information, see "About the Platform Configuration Register (PCR)" at [BitLocker Group Policy Settings](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj679890(v=ws.11)#about-the-platform-configuration-register-pcr)).
+
+### Resolution
+
+To verify the PCR values that are in use on a device, open and elevated Command Prompt window and run the following command:
+
+```cmd
+manage-bde.exe -protectors -get :
+```
+
+In this command, <*OSDriveLetter*> represents the drive letter of the operating system drive.  
+
+To resolve this issue and repair the device, follow these steps.
+
+#### Step 1: Disable the TPM protectors on the boot drive
+
+If you have installed a TPM or UEFI update and your device cannot start, even if you enter the correct BitLocker recovery password, you can restore the ability to start by using the BitLocker recovery password and a Surface recovery image to remove the TPM protectors from the boot drive.
+
+To do this, follow these steps:
+
+1. Obtain your BitLocker recovery password from [your Microsoft.com account](https://account.microsoft.com/devices/recoverykey). If BitLocker is managed by a different method, such as Microsoft BitLocker Administration and Monitoring (MBAM), contact your administrator for help.
+1. Use another computer to download the Surface recovery image from [Download a recovery image for your Surface](https://support.microsoft.com/surfacerecoveryimage). Use the downloaded image to create a USB recovery drive.
+1. Insert the USB Surface recovery image drive into the Surface device, and start the device.
+1. When you are prompted, select the following items:
+   1. Your operating system language.
+   1. Your keyboard layout.
+1. Select **Troubleshoot** > **Advanced Options** > **Command Prompt**.
+1. In the Command Prompt window, run the following commands:  
+   ```cmd
+   manage-bde -unlock -recoverypassword  :  
+   manage-bde -protectors -disable :  
+   ```
+   In these commands, \<*Password*\> is the BitLocker recovery password that you obtained in step 1, and \<*DriveLetter*> is the drive letter that is assigned to your operating system drive.  
+   > [!NOTE]
+   > For more information about how to use this command, see [manage-bde: unlock](https://docs.microsoft.com/windows-server/administration/windows-commands/manage-bde-unlock).
+1. Restart the computer.
+1. When you are prompted, enter the BitLocker recovery password that you obtained in step 1.
+
+> [!NOTE]
+> After you disable the TPM protectors, BitLocker Drive Encryption no longer protects your device. To re-enable BitLocker Drive Encryption, select **Start**, type **Manage BitLocker**, and then press Enter. Follow the steps to encrypt your drive.
+
+#### Step 2: Use Surface BMR to recover data and reset your device
+
+To recover data from your Surface device if you cannot start Windows, follow steps 1 through 5 of [Step 1](#step-1) to return to the Command Prompt window, and then follow these steps:
+
+1. At the command prompt, run the following command:  
+   ```cmd
+   manage-bde -unlock -recoverypassword  :  
+   ```
+   In this command, \<*Password*\> is the BitLocker recovery password that you obtained in step 1 of [Step 1](#step-1), and \<*DriveLetter*> is the drive letter that is assigned to your operating system drive.  
+1. After the drive is unlocked, use the **copy** or **xcopy** command to copy the user data to another drive.  
+   > [!NOTE]
+   > For more information about the these commands, see the [Windows commands](https://docs.microsoft.com/windows-server/administration/windows-commands/windows-commands).
+  
+1. To reset your device by using a Surface recovery image, follow the instructions in the "How to reset your Surface using your USB recovery drive" section in [Creating and using a USB recovery drive](https://support.microsoft.com/help/4023512).  
+
+#### Step 3: Restore the default PCR values
+
+To prevent this issue from recurring, we strongly recommend that you restore the default configuration of Secure Boot and the PCR values.
+
+To enable Secure Boot on a Surface device, follow these steps:
+
+1. Suspend BitLocker. to do this, open an elevated Windows PowerShell window, and run the following cmdlet:
+   ```ps
+   Suspend-BitLocker -MountPoint ":" -RebootCount 0  
+   ```
+   In this command, <*DriveLetter*> is the letter that is assigned to your drive.
+1. Restart the device, and then edit the BIOS to set the **Secure Boot** option to **Microsoft Only**.
+1. Restart the device.
+1. Open an elevated PowerShell window, and run the following cmdlet:  
+   ```ps
+   Resume-BitLocker -MountPoint ":"
+   ```
+
+To reset the PCR settings on the TPM, follow these steps:
+
+1. Disable any Group Policy Objects that configure the PCR settings, or remove the device from any groups that enforce such policies.  
+   For more information, see [BitLocker Group Policy settings](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings).
+1. Suspend BitLocker. To do this, open an elevated Windows PowerShell window, and run the following cmdlet:
+   ```ps
+   Suspend-BitLocker -MountPoint ":" -RebootCount 0  
+   ```
+   
+   where <*DriveLetter*> is the letter assigned to your drive.
+1. Run the following cmdlet:  
+   ```ps
+   Resume-BitLocker -MountPoint ":"
+
+#### Step 4: Suspend BitLocker during TPM or UEFI firmware updates
+
+You can avoid this scenario when you install updates to system firmware or TPM firmware by temporarily suspending BitLocker before you apply such updates.
+
+> [!IMPORTANT]
+> TPM and UEFI firmware updates may require multiple restarts while they install. To keep BitLocker suspended during this process, you must use [Suspend-BitLocker](https://docs.microsoft.com/powershell/module/bitlocker/suspend-bitlocker?view=winserver2012r2-ps) and set the **Reboot Count** parameter to either of the following values:
+> - **2** or greater: This value sets the number of times the device can restart before BitLocker Device Encryption resumes.
+> - **0**: This value suspends BitLocker Drive Encryption indefinitely, until you use [Resume-BitLocker](https://docs.microsoft.com/powershell/module/bitlocker/resume-bitlocker?view=winserver2012r2-ps) or another mechanism to resume protection.
+
+To suspend BitLocker while you install TPM or UEFI firmware updates:
+
+1. Open an elevated Windows PowerShell window, and run the following cmdlet:
+   ```ps
+   Suspend-BitLocker -MountPoint ":" -RebootCount 0  
+   ```
+   In this cmdlet <*DriveLetter*> is the letter that is assigned to your drive.
+1. Install the Surface device driver and firmware updates.
+1. After you install the firmware updates, restart the computer, open an elevated PowerShell window, and then run the following cmdlet:  
+   ```ps
+   Resume-BitLocker -MountPoint ":"
+   ```
+
+To re-enable BitLocker Drive Encryption, select **Start**, type **Manage BitLocker**, and then press Enter. Follow the steps to encrypt your drive.
+
+## After you install an update to a Hyper V-enabled computer, BitLocker prompts for the recovery password and returns error 0xC0210000
+
+You have a device that runs Windows 10, version 1703, Windows 10, version 1607, or Windows Server 2016. Also, Hyper-V is enabled on the device. After you install an affected update and restart the device, the device enters BitLocker Recovery mode and you see error code 0xC0210000.
+
+### Workaround
+
+If your device is already in this state, you can successfully start Windows after suspending BitLocker from the Windows Recovery Environment (WinRE). To do this, follow these steps:
+
+1. Retrieve the 48-digit BitLocker recovery password for the operating system drive from your organization's portal or from wherever the password was stored when BitLocker Drive Encryption was first turned on.
+1. On the Recovery screen, press Enter. When you are prompted, enter the recovery password.
+1. If your device starts in the (WinRE) and prompts you for the recovery password again, select **Skip the drive**.
+1. Select **Advanced options** > **Troubleshoot** > **Advanced options** > **Command Prompt**.
+1. In the Command Prompt window, run the following commands:
+   ```cmd
+   Manage-bde -unlock c: -rp <48 digit numerical recovery password separated by “-“ in 6 digit group>
+   Manage-bde -protectors -disable c:
+   exit
+   ```
+   
+   These commands unlock the drive and then suspend BitLocker by disabling the TPM protectors on the drive. The final command closes the Command Prompt window.
+   > [!NOTE]
+   > These commands suspend BitLocker for one restart of the device. The **-rc 1** option works only inside the operating system and does not work in the recovery environment.
+1. Select **Continue**. Windows should start.
+1. After Windows has started, open an elevated Command Prompt window and run the following command:
+   ```cmd
+   Manage-bde -protectors -enable c:
+   ```
+
+> [!IMPORTANT]
+> Unless you suspend BitLocker before you start the device, this issue recurs.
+
+To temporarily suspend BitLocker just before you restart the device, open an elevated Command Prompt window and run the following command:
+
+```cmd
+Manage-bde -protectors -disable c: -rc 1
+```
+
+### Resolution
+
+To resolve this issue, install the appropriate update on the affected device:  
+
+- For Windows 10, version 1703: [July 9, 2019—KB4507450 (OS Build 15063.1928)](https://support.microsoft.com/help/4507450/windows-10-update-kb4507450)
+- For Windows 10, version 1607 and Windows Server 2016: [July 9, 2019—KB4507460 (OS Build 14393.3085)](https://support.microsoft.com/help/4507460/windows-10-update-kb4507460)
+
+## Credential Guard/Device Guard on TPM 1.2: At every restart, BitLocker prompts for the recovery password and returns error 0xC0210000
+
+You have a device that uses TPM 1.2 and runs Windows 10, version 1809. Also, the device uses [Virtualization-based Security](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-vbs) features such as [Device Guard and Credential Guard](https://docs.microsoft.com/windows-hardware/drivers/bringup/device-guard-and-credential-guard). Every time that you start the device, the device enters BitLocker Recovery mode and you see error code 0xc0210000, and a message that resembles the following.
+
+> Recovery
+> 
+> Your PC/Device needs to be repaired.
+> A required file couldn't be accessed because your BitLocker key wasn't loaded correctly.
+>  
+> Error code 0xc0210000
+>  
+> You'll need to use recovery tools. If you don't have any installation media (like a disc or USB device), contact your PC administrator or PC/Device manufacturer.
+
+### Cause
+
+TPM 1.2 does not support Secure Launch. For more information, see [System Guard Secure Launch and SMM protection: Requirements Met by System Guard Enabled Machines](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection\#requirements-met-by-system-guard-enabled-machines)
+
+For more information about this technology, see [Windows Defender System Guard: How a hardware-based root of trust helps protect Windows 10](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows)
+
+### Resolution
+
+To resolve this issue, do one of the following:
+
+- Remove any device that uses TPM 1.2 from any group that is subject to Group Policy Objects (GPOs) that enforce Secure Launch.
+- Edit the **Turn On Virtualization Based Security** GPO to set **Secure Launch Configuration** to **Disabled**.
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md
new file mode 100644
index 0000000000..553780277a
--- /dev/null
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md
@@ -0,0 +1,113 @@
+---
+title: BitLocker and TPM other known issues
+description: Describes common issues that relate directly to the TPM, and provides guidance for resolving those issues.
+ms.reviewer: kaushika
+ms.technology: windows
+ms.prod: w10
+ms.sitesec: library
+ms.localizationpriority: medium
+author: Teresa-Motiv
+ms.author: v-tea
+manager: kaushika
+audience: ITPro
+ms.collection: Windows Security Technologies\BitLocker
+ms.topic: troubleshooting
+ms.date: 10/18/2019
+---
+
+# BitLocker and TPM: other known issues
+
+This article describes common issues that relate directly to the Trusted Platform Module (TPM), and provides guidance to address these issues.
+
+## Azure AD: Windows Hello for Business and single sign-on do not work
+
+You have an Azure Active Directory (Azure AD)-joined client computer that cannot authenticate correctly. You experience one or more of the following symptoms:
+
+- Windows Hello for Business does not work.
+- Conditional access fails.
+- Single sign-on (SSO) does not work.
+
+Additionally, the computer logs an entry for Event ID 1026, which resembles the following:
+
+> Log Name: System  
+> Source: Microsoft-Windows-TPM-WMI  
+> Date: \  
+> Event ID: 1026  
+> Task Category: None  
+> Level: Information  
+> Keywords:  
+> User: SYSTEM  
+> Computer: \  
+> Description:  
+> The Trusted Platform Module (TPM) hardware on this computer cannot be provisioned for use automatically.  To set up the TPM interactively use the TPM management console (Start-\>tpm.msc) and use the action to make the TPM ready.  
+> Error: The TPM is defending against dictionary attacks and is in a time-out period.  
+> Additional Information: 0x840000  
+
+### Cause
+
+This event indicates that the TPM is not ready or has some setting that prevents access to the TPM keys.  
+
+Additionally, the behavior indicates that the client computer cannot obtain a [Primary Refresh Token (PRT)](https://docs.microsoft.com/azure/active-directory/devices/concept-primary-refresh-token).  
+
+### Resolution
+
+To verify the status of the PRT, use the [dsregcmd /status command](https://docs.microsoft.com/azure/active-directory/devices/troubleshoot-device-dsregcmd) to collect information. In the tool output, verify that either **User state** or **SSO state** contains the **AzureAdPrt** attribute. If the value of this attribute is **No**, the PRT was not issued. This may indicate that the computer could not present its certificate for authentication.
+
+To resolve this issue, follow these steps to troubleshoot the TPM:
+
+1. Open the TPM management console (tpm.msc). To do this, select **Start**, and enter **tpm.msc** in the **Search** box.
+1. If you see a notice to either unlock the TPM or reset the lockout, follow those instructions.  
+1. If you do not see such a notice, review the BIOS settings of the computer for any setting that you can use to reset or disable the lockout.
+1. Contact the hardware vendor to determine whether there is a known fix for the issue.
+1. If you still cannot resolve the issue, clear and re-initialize the TPM. To do this, follow the instructions in [Troubleshoot the TPM: Clear all the keys from the TPM](https://docs.microsoft.com/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm#clear-all-the-keys-from-the-tpm).
+   > [!WARNING]
+   > Clearing the TPM can cause data loss.  
+
+## TPM 1.2 Error: Loading the management console failed. The device that is required by the cryptographic provider is not ready for use
+
+You have a Windows 10 version 1703-based computer that uses TPM version 1.2. When you try to open the TPM management console, you receive a message that resembles the following:
+
+> Loading the management console failed. The device that is required by the cryptographic provider is not ready for use.  
+> HRESULT 0x800900300x80090030 - NTE\_DEVICE\_NOT\_READY  
+> The device that is required by this cryptographic provider is not ready for use.  
+> TPM Spec version: TPM v1.2  
+
+On a different device that is running the same version of Windows, you can open the TPM management console.
+
+### Cause (suspected)
+
+These symptoms indicate that the TPM has hardware or firmware issues.
+
+### Resolution
+
+To resolve this issue, switch the TPM operating mode from version 1.2 to version 2.0.  
+
+If this does not resolve the issue, consider replacing the device motherboard. After you replace the motherboard, switch the TPM operating mode from version 1.2 to version 2.0.
+
+## Devices do not join hybrid Azure AD because of a TPM issue
+
+You have a device that you are trying to join to a hybrid Azure AD. However, the join operation appears to fail.
+
+To verify that the join succeeded, use the [dsregcmd /status command](https://docs.microsoft.com/azure/active-directory/devices/troubleshoot-device-dsregcmd). In the tool output, the following attributes indicate that the join succeeded:
+
+- **AzureAdJoined: YES**
+- **DomainName: \<*on-prem Domain name*\>**
+
+If the value of **AzureADJoined** is **No**, the join failed.  
+
+### Causes and Resolutions
+
+This issue may occur when the Windows operating system is not the owner of the TPM. The specific fix for this issue depends on which errors or events you experience, as shown in the following table:
+
+|Message |Reason | Resolution|
+| - | - | - |
+|NTE\_BAD\_KEYSET (0x80090016/-2146893802) |TPM operation failed or was invalid |This issue was probably caused by a corrupted sysprep image. Make sure that you create the sysprep image by using a computer that is not joined to or registered in Azure AD or hybrid Azure AD. |
+|TPM\_E\_PCP\_INTERNAL\_ERROR (0x80290407/-2144795641) |Generic TPM error. |If the device returns this error, disable its TPM. Windows 10, version 1809 and later versions automatically detect TPM failures and finish the hybrid Azure AD join without using the TPM. |
+|TPM\_E\_NOTFIPS (0x80280036/-2144862154) |The FIPS mode of the TPM is currently not supported. |If the device gives this error, disable its TPM. Windows 10, version 1809 and later versions automatically detect TPM failures and finish the hybrid Azure AD join without using the TPM. |
+|NTE\_AUTHENTICATION\_IGNORED (0x80090031/-2146893775) |The TPM is locked out. |This error is transient. Wait for the cooldown period, and then retry the join operation. |
+
+For more information about TPM issues, see the following articles:
+
+- [TPM fundamentals: Anti-hammering](https://docs.microsoft.com/windows/security/information-protection/tpm/tpm-fundamentals#anti-hammering)
+- [Troubleshooting hybrid Azure Active Directory joined devices](https://docs.microsoft.com/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current)
+- [Troubleshoot the TPM](https://docs.microsoft.com/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm)
diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
index 527daea7c6..5474e7faf1 100644
--- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
+++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
@@ -73,7 +73,7 @@ Systems running Windows 10 version 1803 that do support Kernel DMA Protection do
 
 ### Using Security Center
 
-Beginning with Wndows 10 version 1809, you can use Security Center to check if Kernel DMA Protection is enabled. Click **Start** > **Settings** > **Update & Security** > **Windows Security** > **Open Windows Security** > **Device security** > **Core isolation details** > **Memory access protection**.
+Beginning with Windows 10 version 1809, you can use Security Center to check if Kernel DMA Protection is enabled. Click **Start** > **Settings** > **Update & Security** > **Windows Security** > **Open Windows Security** > **Device security** > **Core isolation details** > **Memory access protection**.
 
 ![Kernel DMA protection in Security Center](bitlocker/images/kernel-dma-protection-security-center.png)
 
diff --git a/windows/security/information-protection/secure-the-windows-10-boot-process.md b/windows/security/information-protection/secure-the-windows-10-boot-process.md
index 73692e6065..384c907c62 100644
--- a/windows/security/information-protection/secure-the-windows-10-boot-process.md
+++ b/windows/security/information-protection/secure-the-windows-10-boot-process.md
@@ -25,7 +25,7 @@ ms.author: dansimp
 
 The Windows operating system has many features to help protect you from malware, and it does an amazingly good job. Except for apps that businesses develop and use internally, all Microsoft Store apps must meet a series of requirements to be certified and included in the Microsoft Store. This certification process examines several criteria, including security, and is an effective means of preventing malware from entering the Microsoft Store. Even if a malicious app does get through, the Windows 10 operating system includes a series of security features that can mitigate the impact. For instance, Microsoft Store apps are sandboxed and lack the privileges necessary to access user data or change system settings.
 
-Windows 10 has multiple levels of protection for desktop apps and data, too. Windows Defender uses signatures to detect and quarantine apps that are known to be malicious. The SmartScreen Filter warns users before allowing them to run an untrustworthy app, even if it’s recognized as malware. Before an app can change system settings, the user would have to grant the app administrative privileges by using User Account Control.
+Windows 10 has multiple levels of protection for desktop apps and data, too. Windows Defender uses signatures to detect and quarantine apps that are known to be malicious. Windows Defender SmartScreen warns users before allowing them to run an untrustworthy app, even if it’s recognized as malware. Before an app can change system settings, the user would have to grant the app administrative privileges by using User Account Control.
 
 Those are just some of the ways that Windows 10 protects you from malware. However, those security features protect you only after Windows 10 starts. Modern malware—and bootkits specifically—are capable of starting before Windows, completely bypassing operating system security, and remaining completely hidden.
 
@@ -80,7 +80,7 @@ All x86-based Certified For Windows 10 PCs must meet several requirements relat
 
 These requirements help protect you from rootkits while allowing you to run any operating system you want. You have three options for running non-Microsoft operating systems:
 
--  **Use an operating system with a certified bootloader.** Because all Certified For Windows 10 PCs must trust Microsoft’s certificate, Microsoft offers a service to analyze and sign any non-Microsoft bootloader so that it will be trusted by all Certified For Windows 10 PCs. In fact, an [open source bootloader](http://mjg59.dreamwidth.org/20303.html) capable of loading Linux is already available. To begin the process of obtaining a certificate, go to .
+-  **Use an operating system with a certified bootloader.** Because all Certified For Windows 10 PCs must trust Microsoft’s certificate, Microsoft offers a service to analyze and sign any non-Microsoft bootloader so that it will be trusted by all Certified For Windows 10 PCs. In fact, an [open source bootloader](http://mjg59.dreamwidth.org/20303.html) capable of loading Linux is already available. To begin the process of obtaining a certificate, go to .
 -  **Configure UEFI to trust your custom bootloader.** All Certified For Windows 10 PCs allow you to trust a non-certified bootloader by adding a signature to the UEFI database, allowing you to run any operating system, including homemade operating systems.
 -  **Turn off Secure Boot.** All Certified For Windows 10 PCs allow you to turn off Secure Boot so that you can run any software. This does not help protect you from bootkits, however.
 
diff --git a/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md b/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md
index f8b477aa62..94634c4b79 100644
--- a/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md
+++ b/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md
@@ -131,16 +131,16 @@ Introduced in Windows 10, version 1703, this policy setting configures the TPM t
 > -  Disable it from group policy
 > -  Clear the TPM on the system
 
-# TPM Group Policy settings in the Windows Security app
+## TPM Group Policy settings in the Windows Security app
 
 You can change what users see about TPM in the Windows Security app. The Group Policy settings for the TPM area in the Windows Security app are located at:
 
 **Computer Configuration\\Administrative Templates\\Windows Components\\Windows Security\\Device security** 
 
-## Disable the Clear TPM button
+### Disable the Clear TPM button
 If you don't want users to be able to click the **Clear TPM** button in the Windows Security app, you can disable it with this Group Policy setting. Select **Enabled** to make the **Clear TPM** button unavailable for use.
 
-## Hide the TPM Firmware Update recommendation
+### Hide the TPM Firmware Update recommendation
 If you don't want users to see the recommendation to update TPM firmware, you can disable it with this setting. Select **Enabled** to prevent users from seeing a recommendation to update their TPM firmware when a vulnerable firmware is detected.
 
 ## Related topics
diff --git a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
index bf7360d125..a6029ffb2a 100644
--- a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
+++ b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
@@ -1,5 +1,5 @@
 ---
-title: Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate (Windows 10)
+title: Make & verify an EFS Data Recovery Agent certificate (Windows 10)
 description: Follow these steps to create, verify, and perform a quick recovery by using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate.
 keywords: Windows Information Protection, WIP, EDP, Enterprise Data Protection
 ms.prod: w10
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
index d6f39a9895..8f850eed95 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
@@ -160,7 +160,7 @@ To add **Desktop apps**, complete the following fields, based on what results yo
     
-        
+        
@@ -299,6 +299,8 @@ For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com
 
 ## Create an Executable rule for unsigned apps
 
+The executable rule helps to create an AppLocker rule to sign any unsigned apps. It enables adding the file path or the app publisher contained in the file's digital signature needed for the WIP policy to be applied. 
+
 1. Open the Local Security Policy snap-in (SecPol.msc).
     
 2. In the left pane, click **Application Control Policies** > **AppLocker** > **Executable Rules**.
diff --git a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md
index a01fabb5ce..7cdf0d2dfd 100644
--- a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md
+++ b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md
@@ -134,6 +134,9 @@ This table provides info about the most common problems you might encounter whil
     

 

 Policy

     

         All fields marked as “*”All files signed by any publisher. (Not recommended)All files signed by any publisher. (Not recommended and may not work)
     

     

         Publisher only

 

 
->[!NOTE]
->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to our content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).       
+> [!NOTE]
+> When corporate data is written to disk, WIP uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity. One caveat to keep in mind is that the Preview Pane in File Explorer will not work for encrypted files. 
+
+> [!NOTE]
+> Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to our content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).       
 
diff --git a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md
index 46f40cb732..b11eab1f7d 100644
--- a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md
+++ b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md
@@ -1,5 +1,5 @@
 ---
-title: Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP) (Windows 10)
+title: Recommended URLs for Windows Information Protection (Windows 10)
 description: Recommended URLs to add to your Enterprise Cloud Resources and Neutral Resources network settings, when used with Windows Information Protection (WIP).
 keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, WIP and Neutral Resources, WIP and Enterprise Cloud Resources
 ms.prod: w10
diff --git a/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md b/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md
index 958ab7847d..94df767962 100644
--- a/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md
+++ b/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md
@@ -1,5 +1,5 @@
 ---
-title: Using Outlook on the web with Windows Information Protection (WIP) (Windows 10)
+title: Using Outlook on the web with WIP (Windows 10)
 description: Options for using Outlook on the web with Windows Information Protection (WIP).
 keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, WIP and OWA configuration, OWA, Outlook Web access
 ms.prod: w10
diff --git a/windows/security/information-protection/windows-information-protection/wip-learning.md b/windows/security/information-protection/windows-information-protection/wip-learning.md
index a710de4335..5bb338c311 100644
--- a/windows/security/information-protection/windows-information-protection/wip-learning.md
+++ b/windows/security/information-protection/windows-information-protection/wip-learning.md
@@ -1,6 +1,5 @@
 ---
-title: 
-# Fine-tune Windows Information Policy (WIP) with WIP Learning
+title: Fine-tune Windows Information Policy (WIP) with WIP Learning
 description: How to access the WIP Learning report to monitor and apply Windows Information Protection in your company.
 ms.assetid: 53db29d2-d99d-4db6-b494-90e2b4872ca2
 ms.reviewer: 
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index 65f80dda38..403e6ddf69 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -5,6 +5,7 @@
 ### [Overview of Microsoft Defender ATP capabilities](microsoft-defender-atp/overview.md)
 ### [Threat & Vulnerability Management]()
 #### [Next-generation capabilities](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)
+#### [Supported operating systems and platforms](microsoft-defender-atp/tvm-supported-os.md)
 #### [What's in the dashboard and what it means for my organization](microsoft-defender-atp/tvm-dashboard-insights.md)
 #### [Exposure score](microsoft-defender-atp/tvm-exposure-score.md)
 #### [Configuration score](microsoft-defender-atp/configuration-score.md)
@@ -368,7 +369,7 @@
 ###### [Get access with user context](microsoft-defender-atp/exposed-apis-create-app-nativeapp.md)
 
 ##### [APIs]()
-###### [Supported Microsoft Defender ATP query APIs](microsoft-defender-atp/exposed-apis-list.md)
+###### [Supported Microsoft Defender ATP APIs](microsoft-defender-atp/exposed-apis-list.md)
 ###### [Advanced Hunting](microsoft-defender-atp/run-advanced-query-api.md)
 
 ###### [Alert]()
@@ -602,9 +603,9 @@
 #### [Family options](windows-defender-security-center/wdsc-family-options.md)
 
 
-### [SmartScreen](windows-defender-smartscreen/windows-defender-smartscreen-overview.md)
-#### [SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md)
-#### [Set up and use SmartScreen on individual devices](windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md)
+### [Windows Defender SmartScreen](windows-defender-smartscreen/windows-defender-smartscreen-overview.md)
+#### [Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md)
+#### [Set up and use Windows Defender SmartScreen on individual devices](windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md)
 
 
 ### [Windows Defender Device Guard: virtualization-based security and WDAC](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
@@ -1072,7 +1073,7 @@
 ###### [Network security: Allow Local System to use computer identity for NTLM](security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md)
 ###### [Network security: Allow LocalSystem NULL session fallback](security-policy-settings/network-security-allow-localsystem-null-session-fallback.md)
 ###### [Network security: Allow PKU2U authentication requests to this computer to use online identities](security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md)
-###### [Network security: Configure encryption types allowed for Kerberos Win7 only](security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md)
+###### [Network security: Configure encryption types allowed for Kerberos](security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md)
 ###### [Network security: Do not store LAN Manager hash value on next password change](security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md)
 ###### [Network security: Force logoff when logon hours expire](security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md)
 ###### [Network security: LAN Manager authentication level](security-policy-settings/network-security-lan-manager-authentication-level.md)
@@ -1153,18 +1154,11 @@
 ###### [Synchronize directory service data](security-policy-settings/synchronize-directory-service-data.md)
 ###### [Take ownership of files or other objects](security-policy-settings/take-ownership-of-files-or-other-objects.md)
 
-### [Windows security guidance for enterprises](windows-security-configuration-framework/windows-security-compliance.md)
+### Windows security guidance for enterprises
 
 #### [Windows security baselines](windows-security-configuration-framework/windows-security-baselines.md)
 ##### [Security Compliance Toolkit](windows-security-configuration-framework/security-compliance-toolkit-10.md)
 ##### [Get support](windows-security-configuration-framework/get-support-for-security-baselines.md)
-#### [Windows security configuration framework](windows-security-configuration-framework/windows-security-configuration-framework.md)
-##### [Level 1 enterprise basic security](windows-security-configuration-framework/level-1-enterprise-basic-security.md)
-##### [Level 2 enterprise enhanced security](windows-security-configuration-framework/level-2-enterprise-enhanced-security.md)
-##### [Level 3 enterprise high security](windows-security-configuration-framework/level-3-enterprise-high-security.md)
-##### [Level 4 enterprise dev/ops workstation](windows-security-configuration-framework/level-4-enterprise-devops-security.md)
-##### [Level 5 enterprise administrator workstation](windows-security-configuration-framework/level-5-enterprise-administrator-security.md)
-
 ### [MBSA removal and alternatives](mbsa-removal-and-guidance.md)
 
 ### [Windows 10 Mobile security guide](windows-10-mobile-security-guide.md)
diff --git a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
index ad2a9abf62..e36022563e 100644
--- a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
+++ b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
@@ -2,7 +2,7 @@
 title: Advanced security audit policy settings (Windows 10)
 description: This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate.
 ms.assetid: 93b28b92-796f-4036-a53b-8b9e80f9f171
-ms.reviewer: 
+ms.reviewer: This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate.
 ms.author: dansimp
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/audit-sam.md b/windows/security/threat-protection/auditing/audit-sam.md
index 31d65aafb1..10c0796852 100644
--- a/windows/security/threat-protection/auditing/audit-sam.md
+++ b/windows/security/threat-protection/auditing/audit-sam.md
@@ -56,6 +56,3 @@ For information about reducing the number of events generated in this subcategor
 **Events List:**
 
 -   [4661](event-4661.md)(S, F): A handle to an object was requested.
-
-# 
-
diff --git a/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md b/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md
index 5fcf6e9222..530a4255bc 100644
--- a/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md
+++ b/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md
@@ -1,5 +1,5 @@
 ---
-title: Audit directory service access (Windows 10)
+title: Basic audit directory service access (Windows 10)
 description: Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified.
 ms.assetid: 52F02EED-3CFE-4307-8D06-CF1E27693D09
 ms.reviewer: 
diff --git a/windows/security/threat-protection/auditing/event-1108.md b/windows/security/threat-protection/auditing/event-1108.md
index 148ab10880..0aaa3b6a99 100644
--- a/windows/security/threat-protection/auditing/event-1108.md
+++ b/windows/security/threat-protection/auditing/event-1108.md
@@ -1,5 +1,5 @@
 ---
-title: 1108(S) The event logging service encountered an error while processing an incoming event published from %1. (Windows 10)
+title: The event logging service encountered an error (Windows 10)
 description: Describes security event 1108(S) The event logging service encountered an error while processing an incoming event published from %1.
 ms.pagetype: security
 ms.prod: w10
diff --git a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md
index 75322ba7e9..fad5b7ff52 100644
--- a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md
+++ b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md
@@ -1,5 +1,5 @@
 ---
-title: Monitor the central access policies associated with files and folders (Windows 10)
+title: Monitor central access policies for files or folders (Windows 10)
 description: This topic for the IT professional describes how to monitor changes to the central access policies that are associated with files and folders when you are using advanced security auditing options to monitor dynamic access control objects.
 ms.assetid: 2ea8fc23-b3ac-432f-87b0-6a16506e8eed
 ms.reviewer: 
diff --git a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md
index 48dacf418f..4a9c0d7f29 100644
--- a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md
+++ b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md
@@ -1,5 +1,5 @@
 ---
-title: Monitor the central access policies that apply on a file server (Windows 10)
+title: Monitor central access policies on a file server (Windows 10)
 description: This topic for the IT professional describes how to monitor changes to the central access policies that apply to a file server when using advanced security auditing options to monitor dynamic access control objects.
 ms.assetid: 126b051e-c20d-41f1-b42f-6cff24dcf20c
 ms.reviewer: 
diff --git a/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md b/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
index 991a843fa3..f60748b37b 100644
--- a/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
+++ b/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
@@ -1,15 +1,16 @@
 ---
-title: Windows Defender Application Control and virtualization-based protection of code integrity (Windows 10)
-description: Hardware and software system integrity hardening capabilites that can be deployed separately or in combination.
+title: WDAC and virtualization-based code integrity (Windows 10)
+description: Hardware and software system integrity-hardening capabilites that can be deployed separately or in combination with Windows Defender Application Control (WDAC).
 keywords: virtualization, security, malware, device guard
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.localizationpriority: medium
-author: dansimp
+author: denisebmsft
+ms.author: deniseb
 ms.date: 07/01/2019
 ms.reviewer: 
 manager: dansimp
-ms.author: dansimp
+ms.custom: asr
 ---
 
 # Windows Defender Application Control and virtualization-based protection of code integrity
@@ -38,7 +39,7 @@ Configurable code integrity carries no specific hardware or software requirement
 Since the initial release of Windows 10, the world has witnessed numerous hacking and malware attacks where application control alone could have prevented the attack altogether. With this in mind, we are discussing and documenting configurable code integrity as a independent technology within our security stack and giving it a name of its own: [Windows Defender Application Control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control). 
 We hope this change will help us better communicate options for adopting application control within an organization.
 
-## Related topics
+## Related articles
 
 [Windows Defender Application Control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control)
 
diff --git a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
index 58f95ecbc5..92fb064c14 100644
--- a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
@@ -1,6 +1,6 @@
 ---
-title: Requirements and deployment planning guidelines for virtualization-based protection of code integrity (Windows 10)
-description: To help you plan a deployment of Microsoft Windows Defender Device Guard, this article describes hardware requirements for Windows Defender Device Guard, outlines deployment approaches, and describes methods for code signing and the deployment of code integrity policies.
+title: Deployment guidelines for Windows Defender Device Guard (Windows 10)
+description: To help you plan a deployment of Microsoft Windows Defender Device Guard, this article describes hardware requirements for Windows Defender Device Guard, outlines deployment approaches, and describes methods for code signing and code integrity policies.
 keywords: virtualization, security, malware
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -21,7 +21,7 @@ ms.author: dansimp
 
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-Computers must meet certain hardware, firmware, and software requirements in order to take adavantage of all of the virtualization-based security (VBS) features in [Windows Defender Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md). Computers lacking these requirements can still be protected by Windows Defender Application Control (WDAC) policies—the difference is that those computers will not be as hardened against certain threats.
+Computers must meet certain hardware, firmware, and software requirements in order to take advantage of all of the virtualization-based security (VBS) features in [Windows Defender Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md). Computers lacking these requirements can still be protected by Windows Defender Application Control (WDAC) policies—the difference is that those computers will not be as hardened against certain threats.
 
 For example, hardware that includes CPU virtualization extensions and SLAT will be hardened against malware that attempts to gain access to the kernel, but without protected BIOS options such as “Boot only from internal hard drive,” the computer could be booted (by a malicious person who has physical access) into an operating system on bootable media.
 
diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md
index bbba6bbb82..7bf9cc9483 100644
--- a/windows/security/threat-protection/index.md
+++ b/windows/security/threat-protection/index.md
@@ -46,6 +46,7 @@ ms.topic: conceptual
 This built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. 
 
 - [Risk-based Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md) 
+- [Supported operating systems and platforms](microsoft-defender-atp/tvm-supported-os.md)
 - [What's in the dashboard and what it means for my organization](microsoft-defender-atp/tvm-dashboard-insights.md)
 - [Exposure score](microsoft-defender-atp/tvm-exposure-score.md)
 - [Configuration score](microsoft-defender-atp/configuration-score.md)
@@ -58,7 +59,7 @@ This built-in capability uses a game-changing risk-based approach to the discove
 
 
 **[Attack surface reduction](microsoft-defender-atp/overview-attack-surface-reduction.md)**

-The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations.
+The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitation.
 
 - [Hardware based isolation](microsoft-defender-atp/overview-hardware-based-isolation.md)
 - [Application control](windows-defender-application-control/windows-defender-application-control.md)
@@ -101,7 +102,7 @@ In conjunction with being able to quickly respond to advanced attacks, Microsoft
 
 - [Automated investigation and remediation](microsoft-defender-atp/automated-investigations.md)
 - [Threat remediation](microsoft-defender-atp/automated-investigations.md#how-threats-are-remediated)
-- [Manage automated investigations](microsoft-defender-atp/manage-auto-investigation.md)
+- [Manage automated investigation](microsoft-defender-atp/manage-auto-investigation.md)
 - [Analyze automated investigation](microsoft-defender-atp/manage-auto-investigation.md#analyze-automated-investigations)
 
 
diff --git a/windows/security/threat-protection/intelligence/criteria.md b/windows/security/threat-protection/intelligence/criteria.md
index 79047be15a..f11313910d 100644
--- a/windows/security/threat-protection/intelligence/criteria.md
+++ b/windows/security/threat-protection/intelligence/criteria.md
@@ -2,7 +2,7 @@
 title: How Microsoft identifies malware and potentially unwanted applications
 ms.reviewer: 
 description: Learn how Microsoft reviews software for unwanted behavior, advertising, privacy violations, and negative consumer opinion to determine if it is malware (malicious software) or potentially unwanted applications.
-keywords: security, malware, virus research threats, research malware, pc protection, computer infection, virus infection, descriptions, remediation, latest threats, MMPC, Microsoft Malware Protection Center, PUA, potentially unwanted applications
+keywords: security, malware, virus research threats, research malware, device protection, computer infection, virus infection, descriptions, remediation, latest threats, MMdevice, Microsoft Malware Protection Center, PUA, potentially unwanted applications
 ms.prod: w10
 ms.mktglfcycl: secure
 ms.sitesec: library
@@ -18,33 +18,31 @@ search.appverid: met150
 
 # How Microsoft identifies malware and potentially unwanted applications
 
-Microsoft aims to provide customers with the most delightful and productive Windows experience possible. To help achieve that, we try our best to ensure our customers are safe and in control of their devices.
+Microsoft aims to provide a delightful and productive Windows experience by working to ensure you are safe and in control of your devices. When you download, install, and run software, you have access to information and tools to do so safely. Microsoft helps protect you from potential threats by identifying and analyzing software and online content. That information is then compared against criteria described in this article.
 
-Microsoft gives you the information and tools you need when downloading, installing, and running software, as well as tools that protect you when we know that something unsafe is happening. Microsoft does this by identifying and analyzing software and online content against criteria described in this article.
-
-You can participate in this process by submitting software for analysis. Our analysts and intelligent systems can then help identify undesirable software and ensure they are covered by our security solutions.
+You can participate in this process by [submitting software for analysis](submission-guide.md) to ensure undesirable software is covered by our security solutions.
 
 Because new forms of malware and potentially unwanted applications are being developed and distributed rapidly, Microsoft reserves the right to adjust, expand, and update these criteria without prior notice or announcements.
 
 ## Malware
 
-Malware is the overarching name for applications and other code, i.e. software, that Microsoft classifies more granularly as *malicious software* or *unwanted software*.
+Malware is the overarching name for applications and other code, like software, that Microsoft classifies more granularly as *malicious software* or *unwanted software*.
 
 ### Malicious software
 
-Malicious software is an application or code that compromises user security. Malicious software might steal your personal information, lock your PC until you pay a ransom, use your PC to send spam, or download other malicious software. In general, malicious software tricks, cheats, or defrauds users, places users in vulnerable states, or performs other malicious activities.
+Malicious software is an application or code that compromises user security. Malicious software may steal your personal information, lock your device until you pay a ransom, use your device to send spam, or download other malicious software. In general, malicious software wants to trick, cheat, or defrauds users, placing them in vulnerable states.
 
 Microsoft classifies most malicious software into one of the following categories:
 
-* **Backdoor:** A type of malware that gives malicious hackers remote access to and control of your PC.
+* **Backdoor:** A type of malware that gives malicious hackers remote access to and control of your device.
 
-* **Downloader:** A type of malware that downloads other malware onto your PC. It needs to connect to the internet to download files.
+* **Downloader:** A type of malware that downloads other malware onto your device. It must connect to the internet to download files.
 
-* **Dropper:** A type of malware that installs other malware files onto your PC. Unlike a downloader, a dropper doesn’t need to connect to the internet to drop malicious files. The dropped files are typically embedded in the dropper itself.
+* **Dropper:** A type of malware that installs other malware files onto your device. Unlike a downloader, a dropper doesn’t have to connect to the internet to drop malicious files. The dropped files are typically embedded in the dropper itself.
 
-* **Exploit:** A piece of code that uses software vulnerabilities to gain access to your PC and perform other tasks, such as installing malware. [See more information about exploits](exploits-malware.md).
+* **Exploit:** A piece of code that uses software vulnerabilities to gain access to your device and perform other tasks, such as installing malware. [See more information about exploits](exploits-malware.md).
 
-* **Hacktool:** A type of tool that can be used to gain unauthorized access to your PC.
+* **Hacktool:** A type of tool that can be used to gain unauthorized access to your device.
 
 * **Macro virus:** A type of malware that spreads through infected documents, such as Microsoft Word or Excel documents. The virus is run when you open an infected document.
 
@@ -52,23 +50,23 @@ Microsoft classifies most malicious software into one of the following categorie
 
 * **Password stealer:** A type of malware that gathers your personal information, such as user names and passwords. It often works along with a keylogger, which collects and sends information about the keys you press and websites you visit.
 
-* **Ransomware:** A type of malware that encrypts your files or makes other modifications that can prevent you from using your PC. It then displays a ransom note stating you must pay money, complete surveys, or perform other actions before you can use your PC again. [See more information about ransomware](ransomware-malware.md).
+* **Ransomware:** A type of malware that encrypts your files or makes other modifications that can prevent you from using your device. It then displays a ransom note which states you must pay money, complete surveys, or perform other actions before you can use your device again. [See more information about ransomware](ransomware-malware.md).
 
-* **Rogue security software:** Malware that pretends to be security software but doesn't provide any protection. This type of malware usually displays alerts about nonexistent threats on your PC. It also tries to convince you to pay for its services.
+* **Rogue security software:** Malware that pretends to be security software but doesn't provide any protection. This type of malware usually displays alerts about nonexistent threats on your device. It also tries to convince you to pay for its services.
 
-* **Trojan:** A type of malware that attempts to appear harmless. Unlike a virus or a worm, a trojan doesn't spread by itself. Instead it tries to look legitimate, tricking users into downloading and installing it. Once installed, trojans perform a variety of malicious activities, such as stealing personal information, downloading other malware, or giving attackers access to your PC.
+* **Trojan:** A type of malware that attempts to appear harmless. Unlike a virus or a worm, a trojan doesn't spread by itself. Instead, it tries to look legitimate and tricks users into downloading and installing it. Once installed, trojans perform various malicious activities such as stealing personal information, downloading other malware, or giving attackers access to your device.
 
-* **Trojan clicker:** A type of trojan that automatically clicks buttons or similar controls on websites or applications. Attackers can use this trojan to click on online advertisements. These clicks can skew online polls or other tracking systems and can even install applications on your PC.
+* **Trojan clicker:** A type of trojan that automatically clicks buttons or similar controls on websites or applications. Attackers can use this trojan to click on online advertisements. These clicks can skew online polls or other tracking systems and can even install applications on your device.
 
-* **Worm:** A type of malware that spreads to other PCs. Worms can spread through email, instant messaging, file sharing platforms, social networks, network shares, and removable drives. Sophisticated worms take advantage of software vulnerabilities to propagate.
+* **Worm:** A type of malware that spreads to other devices. Worms can spread through email, instant messaging, file sharing platforms, social networks, network shares, and removable drives. Sophisticated worms take advantage of software vulnerabilities to propagate.
 
 ### Unwanted software
 
-Microsoft believes that you should have control over your Windows experience. Software running on Windows should keep you in control of your PC through informed choices and accessible controls. Microsoft identifies software behaviors that ensure you stay in control. We classify software that does not fully demonstrate these behaviors as "unwanted software".
+Microsoft believes that you should have control over your Windows experience. Software running on Windows should keep you in control of your device through informed choices and accessible controls. Microsoft identifies software behaviors that ensure you stay in control. We classify software that does not fully demonstrate these behaviors as "unwanted software".
 
 #### Lack of choice
 
-You must be notified about what is happening on your PC, including what software does and whether it is active.
+You must be notified about what is happening on your device, including what software does and whether it is active.
 
 Software that exhibits lack of choice might:
 
@@ -84,13 +82,13 @@ Software that exhibits lack of choice might:
 
 * Falsely claim to be software from Microsoft.
 
-Software must not mislead or coerce you into making decisions about your PC. This is considered behavior that limits your choices. In addition to the previous list, software that exhibits lack of choice might:
+Software must not mislead or coerce you into making decisions about your device. This is considered behavior that limits your choices. In addition to the previous list, software that exhibits lack of choice might:
 
-* Display exaggerated claims about your PC’s health.
+* Display exaggerated claims about your device’s health.
 
-* Make misleading or inaccurate claims about files, registry entries, or other items on your PC.
+* Make misleading or inaccurate claims about files, registry entries, or other items on your device.
 
-* Display claims in an alarming manner about your PC's health and require payment or certain actions in exchange for fixing the purported issues.
+* Display claims in an alarming manner about your device's health and require payment or certain actions in exchange for fixing the purported issues.
 
 Software that stores or transmits your activities or data must:
 
@@ -98,7 +96,7 @@ Software that stores or transmits your activities or data must:
 
 #### Lack of control
 
-You must be able to control software on your computer. You must be able to start, stop, or otherwise revoke authorization to software.
+You must be able to control software on your device. You must be able to start, stop, or otherwise revoke authorization to software.
 
 Software that exhibits lack of control might:
 
@@ -110,7 +108,7 @@ Software that exhibits lack of control might:
 
 * Modify or manipulate webpage content without your consent.
 
-Software that changes your browsing experience must only use the browser's supported extensibility model for installation, execution, disabling, or removal. Browsers that do not provide supported extensibility models will be considered non-extensible and should not be modified.
+Software that changes your browsing experience must only use the browser's supported extensibility model for installation, execution, disabling, or removal. Browsers that do not provide supported extensibility models are considered non-extensible and should not be modified.
 
 #### Installation and removal
 
@@ -120,7 +118,7 @@ Software that delivers *poor installation experience* might bundle or download o
 
 Software that delivers *poor removal experience* might:
 
-* Present confusing or misleading prompts or pop-ups while being uninstalled.
+* Present confusing or misleading prompts or pop-ups when you try to uninstall it.
 
 * Fail to use standard install/uninstall features, such as Add/Remove Programs.
 
@@ -150,25 +148,27 @@ Advertisements shown to you must:
 
 #### Consumer opinion
 
-Microsoft maintains a worldwide network of analysts and intelligence systems where you can [submit software for analysis](https://www.microsoft.com/wdsi/filesubmission). Your participation helps us identify new malware quickly. After analysis, Microsoft creates Security intelligence for software that meets the described criteria. This Security intelligence identifies the software as malware and are available to all users through Windows Defender Antivirus and other Microsoft antimalware solutions.
+Microsoft maintains a worldwide network of analysts and intelligence systems where you can [submit software for analysis](https://www.microsoft.com/wdsi/filesubmission). Your participation helps Microsoft identify new malware quickly. After analysis, Microsoft creates Security intelligence for software that meets the described criteria. This Security intelligence identifies the software as malware and are available to all users through Windows Defender Antivirus and other Microsoft antimalware solutions.
 
 ## Potentially unwanted application (PUA)
 
 Our PUA protection aims to safeguard user productivity and ensure enjoyable Windows experiences. This optional protection, available to enterprises, helps deliver more productive, performant, and delightful Windows experiences.
 
+Home users can also block downloads from PUA in the new Chromium-based Edge browser by going to **Settings** > **Privacy and services** and turning on **Block potentially unwanted apps**.
+
 *PUAs are not considered malware.*
 
 Microsoft uses specific categories and the category definitions to classify software as a PUA.
 
-* **Advertising software:** Software that displays advertisements or promotions, or prompts the user to complete surveys for other products or services in software other than itself. This includes software that inserts advertisements to webpages.
+* **Advertising software:** Software that displays advertisements or promotions, or prompts you to complete surveys for other products or services in software other than itself. This includes software that inserts advertisements to webpages.
 
 * **Torrent software:** Software that is used to create or download torrents or other files specifically used with peer-to-peer file-sharing technologies.
 
-* **Cryptomining software:** Software that uses your computer resources to mine cryptocurrencies.
+* **Cryptomining software:** Software that uses your device resources to mine cryptocurrencies.
 
-* **Bundling software:** Software that offers to install other software that is not digitally signed by the same entity. Also, software that offers to install other software that qualify as PUA based on the criteria outlined in this document.
+* **Bundling software:** Software that offers to install other software that is not digitally signed by the same entity. Also, software that offers to install other software that qualifies as PUA based on the criteria outlined in this document.
 
-* **Marketing software:** Software that monitors and transmits the activities of the user to applications or services other than itself for marketing research.
+* **Marketing software:** Software that monitors and transmits the activities of users to applications or services other than itself for marketing research.
 
 * **Evasion software:** Software that actively tries to evade detection by security products, including software that behaves differently in the presence of security products.
 
diff --git a/windows/security/threat-protection/intelligence/images/Transparency-report-August-2.png b/windows/security/threat-protection/intelligence/images/Transparency-report-August-2.png
deleted file mode 100644
index 9769fd54cb..0000000000
Binary files a/windows/security/threat-protection/intelligence/images/Transparency-report-August-2.png and /dev/null differ
diff --git a/windows/security/threat-protection/intelligence/images/Transparency-report-November1.png b/windows/security/threat-protection/intelligence/images/Transparency-report-November1.png
new file mode 100644
index 0000000000..8d50120c1e
Binary files /dev/null and b/windows/security/threat-protection/intelligence/images/Transparency-report-November1.png differ
diff --git a/windows/security/threat-protection/intelligence/images/prevalent-malware-aug-small.png b/windows/security/threat-protection/intelligence/images/prevalent-malware-aug-small.png
deleted file mode 100644
index f797263dba..0000000000
Binary files a/windows/security/threat-protection/intelligence/images/prevalent-malware-aug-small.png and /dev/null differ
diff --git a/windows/security/threat-protection/intelligence/images/real-world-aug-small.png b/windows/security/threat-protection/intelligence/images/real-world-aug-small.png
deleted file mode 100644
index 303df698eb..0000000000
Binary files a/windows/security/threat-protection/intelligence/images/real-world-aug-small.png and /dev/null differ
diff --git a/windows/security/threat-protection/intelligence/images/real-world-protection-aug-small.png b/windows/security/threat-protection/intelligence/images/real-world-protection-aug-small.png
deleted file mode 100644
index 3a188fbf75..0000000000
Binary files a/windows/security/threat-protection/intelligence/images/real-world-protection-aug-small.png and /dev/null differ
diff --git a/windows/security/threat-protection/intelligence/images/transparency-report-purple-60.png b/windows/security/threat-protection/intelligence/images/transparency-report-purple-60.png
deleted file mode 100644
index 2fffc29ce8..0000000000
Binary files a/windows/security/threat-protection/intelligence/images/transparency-report-purple-60.png and /dev/null differ
diff --git a/windows/security/threat-protection/intelligence/images/transparency-report-small60.png b/windows/security/threat-protection/intelligence/images/transparency-report-small60.png
deleted file mode 100644
index cd5b9dac12..0000000000
Binary files a/windows/security/threat-protection/intelligence/images/transparency-report-small60.png and /dev/null differ
diff --git a/windows/security/threat-protection/intelligence/prevent-malware-infection.md b/windows/security/threat-protection/intelligence/prevent-malware-infection.md
index 63ef1862ba..3659eaeffb 100644
--- a/windows/security/threat-protection/intelligence/prevent-malware-infection.md
+++ b/windows/security/threat-protection/intelligence/prevent-malware-infection.md
@@ -93,7 +93,7 @@ Microsoft provides comprehensive security capabilities that help protect against
 
 * [Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard) stops ransomware in its tracks by preventing unauthorized access to your important files. Controlled folder access locks down folders, allowing only authorized apps to access files. Unauthorized apps, including ransomware and other malicious executable files, DLLs, and scripts are denied access.
 
-* [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/index) browser protects against threats such as ransomware by preventing exploit kits from running. By using Microsoft [SmartScreen](https://docs.microsoft.com/microsoft-edge/deploy/index), Microsoft Edge blocks access to malicious websites.
+* [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/index) browser protects against threats such as ransomware by preventing exploit kits from running. By using [Windows Defender SmartScreen](https://docs.microsoft.com/microsoft-edge/deploy/index), Microsoft Edge blocks access to malicious websites.
 
 * [Microsoft Exchange Online Protection (EOP)](https://products.office.com/exchange/exchange-email-security-spam-protection) offers enterprise-class reliability and protection against spam and malware, while maintaining access to email during and after emergencies.
 
diff --git a/windows/security/threat-protection/intelligence/submission-guide.md b/windows/security/threat-protection/intelligence/submission-guide.md
index 05e5ab7db4..7b4028fb4a 100644
--- a/windows/security/threat-protection/intelligence/submission-guide.md
+++ b/windows/security/threat-protection/intelligence/submission-guide.md
@@ -1,7 +1,7 @@
 ---
-title: How Microsoft identifies malware and potentially unwanted applications
-ms.reviewer: 
+title: Submit files for analysis by Microsoft
 description: Learn how to submit files to Microsoft for malware analysis, how to track your submissions, and dispute detections.
+ms.reviewer: 
 keywords: security, sample submission help, malware file, virus file, trojan file, submit, send to Microsoft, submit a sample, virus, trojan, worm, undetected, doesn’t detect, email microsoft, email malware, I think this is malware, I think it's a virus, where can I send a virus, is this a virus, MSE, doesn’t detect, no signature, no detection, suspect file, MMPC, Microsoft Malware Protection Center, researchers, analyst, WDSI, security intelligence
 ms.prod: w10
 ms.mktglfcycl: secure
diff --git a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md
index 792be1c6c8..9e4f0183e2 100644
--- a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md
+++ b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md
@@ -18,61 +18,63 @@ search.appverid: met150
 
 # Top scoring in industry tests
 
-Microsoft Defender Advanced Threat Protection ([Microsoft Defender ATP](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=cx-docs-avreports)) technologies consistently achieve high scores in independent tests, demonstrating the strength of its enterprise threat protection capabilities. Microsoft aims to be transparent about these test scores. This page summarizes the results and provides analysis.
+Microsoft Defender Advanced Threat Protection ([Microsoft Defender ATP](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp)) technologies consistently achieve high scores in independent tests, demonstrating the strength of its enterprise threat protection capabilities. Microsoft aims to be transparent about these test scores. This page summarizes the results and provides analysis.
 
 ## Next generation protection
 
-[Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10?ocid=cx-docs-avreports) consistently performs highly in independent tests, displaying how it is a top choice in the antivirus market. Note that these tests only provide results for antivirus and do not test for additional security protections.
+[Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) consistently performs highly in independent tests, displaying how it is a top choice in the antivirus market. Keep in mind, these tests only provide results for antivirus and do not test for additional security protections.
 
-Windows Defender Antivirus is the [next generation protection](https://www.youtube.com/watch?v=Xy3MOxkX_o4) capability in the Microsoft Defender ATP security stack which addresses the latest and most sophisticated threats today. In some cases, customers might not even know they were protected because a cyberattack is stopped [milliseconds after a campaign starts](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign?ocid=cx-docs-avreports). That's because Windows Defender Antivirus detects and stops malware at first sight by using [machine learning](https://cloudblogs.microsoft.com/microsoftsecure/2018/06/07/machine-learning-vs-social-engineering?ocid=cx-docs-avreports), [artificial intelligence](https://cloudblogs.microsoft.com/microsoftsecure/2018/02/14/how-artificial-intelligence-stopped-an-emotet-outbreak?ocid=cx-docs-avreports), behavioral analysis, and other advanced technologies.
+Windows Defender Antivirus is the [next generation protection](https://www.youtube.com/watch?v=Xy3MOxkX_o4) capability in the Microsoft Defender ATP security stack that addresses the latest and most sophisticated threats today. In some cases, customers might not even know they were protected because a cyberattack is stopped [milliseconds after a campaign starts](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign). That's because Windows Defender Antivirus detects and stops malware at first sight with [machine learning](https://cloudblogs.microsoft.com/microsoftsecure/2018/06/07/machine-learning-vs-social-engineering), [artificial intelligence](https://cloudblogs.microsoft.com/microsoftsecure/2018/02/14/how-artificial-intelligence-stopped-an-emotet-outbreak), behavioral analysis, and other advanced technologies.
 


-![String of images showing scores](./images/Transparency-report-August-2.png)
+![String of images showing scores](./images/Transparency-report-November1.png)
 
-**Download the latest transparency report: [Examining industry test results, August 2019](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl)**
+**Download the latest transparency report: [Examining industry test results, November 2019](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4kagp)**
 
 ### AV-TEST: Protection score of 6.0/6.0 in the latest test
 
-The AV-TEST Product Review and Certification Report tests on three categories: protection, performance, and usability. The scores listed below are for the Protection category which has two scores: Real-World Testing and the AV-TEST reference set (known as "Prevalent Malware").
+The AV-TEST Product Review and Certification Report tests on three categories: protection, performance, and usability. The following scores are for the Protection category which has two scores: Real-World Testing and the AV-TEST reference set (known as "Prevalent Malware").
 
-- May - June 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/june-2019/microsoft-windows-defender-antivirus-4.18-192415/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl) **Latest**
+- July — August 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/august-2019/microsoft-windows-defender-antivirus-4.18-193215/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4kagp) **Latest**
 
-    Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, detecting 100% of 2,735 malware samples used. This is the seventh consecutive cycle that Windows Defender Antivirus achieved a perfect Protection score.
+    Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, detecting 100% of 13,889 malware samples used. This industry-leading antivirus solution has consistently achieved a perfect Protection score in all AV-TEST cycles in the past 14 months.
 
-- March - April 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/april-2019/microsoft-windows-defender-antivirus-4.18-191517/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl)
+- May — June 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/june-2019/microsoft-windows-defender-antivirus-4.18-192415/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl)
 
-- January - February 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/february-2019/microsoft-windows-defender-antivirus-4.18-190611/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE33cdd)
+- March — April 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/april-2019/microsoft-windows-defender-antivirus-4.18-191517/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl)
 
-- November - December 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/december-2018/microsoft-windows-defender-antivirus-4.18-185074/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWusR9)
+- January — February 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/february-2019/microsoft-windows-defender-antivirus-4.18-190611/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE33cdd)
 
-- September - October 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/october-2018/microsoft-windows-defender-antivirus-4.18-184174/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWqOqD)
+- November — December 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/december-2018/microsoft-windows-defender-antivirus-4.18-185074/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWusR9)
 
-- July - August 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/august-2018/microsoft-windows-defender-antivirus-4.12--4.18-183212/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2IL3Y)
+- September — October 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/october-2018/microsoft-windows-defender-antivirus-4.18-184174/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWqOqD)
 
 ### AV-Comparatives: Protection rating of 99.9% in the latest test
 
-Business Security Test consists of three main parts: the Real-World Protection Test which mimics online malware attacks, the Malware Protection Test where the malware enters the system from outside the internet (e.g. USB), and the Performance Test which looks at the impact on the system’s performance.
+Business Security Test consists of three main parts: the Real-World Protection Test that mimics online malware attacks, the Malware Protection Test where the malware enters the system from outside the internet (for example by USB), and the Performance Test that looks at the impact on the system’s performance.
 
-- Business Security Test 2019 (March - June): [Real-World Protection Rate 99.9%](https://www.av-comparatives.org/tests/business-security-test-2019-march-june/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl) **Latest**
+- Business Security Test 2019 (August — September): [Real-World Protection Rate 99.9%](https://www.av-comparatives.org/tests/business-security-test-august-september-2019-factsheet/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4kagp) **Latest**
 
-    Windows Defender Antivirus has consistently improved in Real-World Protection Rates over the past year, with 99.9% in the latest test.
+    Windows Defender Antivirus has scored consistently high in Real-World Protection Rates over the past year, with 99.9% in the latest test.
 
-- Business Security Test 2018 (August - November): [Real-World Protection Rate 99.6%](https://www.av-comparatives.org/tests/business-security-test-2018-august-november/)
+- Business Security Test 2019 (March — June): [Real-World Protection Rate 99.9%](https://www.av-comparatives.org/tests/business-security-test-2019-march-june/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl)
 
-- Business Security Test 2018 (March - June): [Real-World Protection Rate 98.7%](https://www.av-comparatives.org/tests/business-security-test-2018-march-june/)
+- Business Security Test 2018 (August — November): [Real-World Protection Rate 99.6%](https://www.av-comparatives.org/tests/business-security-test-2018-august-november/)
+
+- Business Security Test 2018 (March — June): [Real-World Protection Rate 98.7%](https://www.av-comparatives.org/tests/business-security-test-2018-march-june/)
 
 ### SE Labs: AAA award in the latest test
 
 SE Labs tests a range of solutions used by products and services to detect and/or protect against attacks, including endpoint software, network appliances, and cloud services.
 
-- Enterprise Endpoint Protection April - June 2019: [AAA award](https://selabs.uk/download/enterprise/epp/2019/apr-jun-2019-enterprise.pdf) **pdf** | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl)
+- Enterprise Endpoint Protection July — September 2019: [AAA award](https://selabs.uk/download/enterprise/epp/2019/jul-sep-2019-enterprise.pdf) **pdf** | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4kagp)
 
-    Microsoft's next-gen protection was named as one of the leading products, stopping all of the targeted attacks and all but one public threat. It also handled the legitimate applications correctly.
+    Microsoft's next-gen protection was named one of the leading products, stopping all targeted attacks and all but one public threat.
 
-- Enterprise Endpoint Protection January - March 2019: [AAA award](https://selabs.uk/download/enterprise/epp/2019/jan-mar-2019-enterprise.pdf) **pdf** | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl)
+- Enterprise Endpoint Protection April — June 2019: [AAA award](https://selabs.uk/download/enterprise/epp/2019/apr-jun-2019-enterprise.pdf) **pdf** | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl)
 
-- Enterprise Endpoint Protection October - December 2018: [AAA award](https://selabs.uk/download/enterprise/epp/2018/oct-dec-2018-enterprise.pdf) **pdf** | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE33cdd)
+- Enterprise Endpoint Protection January — March 2019: [AAA award](https://selabs.uk/download/enterprise/epp/2019/jan-mar-2019-enterprise.pdf) **pdf** | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl)
 
-- Enterprise Endpoint Protection July - September 2018: [AAA award](https://selabs.uk/download/enterprise/epp/2018/jul-sep-2018-enterprise.pdf) **pdf**
+- Enterprise Endpoint Protection October — December 2018: [AAA award](https://selabs.uk/download/enterprise/epp/2018/oct-dec-2018-enterprise.pdf) **pdf** | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE33cdd)
 
 ## Endpoint detection & response
 
@@ -84,7 +86,7 @@ Microsoft Defender ATP [endpoint detection and response](https://docs.microsoft.
 
 ### MITRE: Industry-leading optics and detection capabilities
 
-MITRE tested the ability of products to detect techniques commonly used by the targeted attack group APT3 (also known as Boron or UPS). To isolate detection capabilities, all protection and prevention features were turned off. Microsoft is happy to be one of the first EDR vendors to sign up for the MITRE evaluation based on the ATT&CK framework, widely regarded today as the most comprehensive catalog of attacker techniques and tactics.
+MITRE tested the ability of products to detect techniques commonly used by the targeted attack group APT3 (also known as Boron or UPS). To isolate detection capabilities, all protection and prevention features were turned off. Microsoft is happy to be one of the first EDR vendors to sign up for the MITRE evaluation based on the ATT&CK framework. The framework is widely regarded today as the most comprehensive catalog of attacker techniques and tactics.
 
 - ATT&CK-based evaluation: [Leading optics and detection capabilities](https://www.microsoft.com/security/blog/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/) | [Analysis](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/MITRE-evaluation-highlights-industry-leading-EDR-capabilities-in/ba-p/369831)
 
@@ -92,8 +94,8 @@ MITRE tested the ability of products to detect techniques commonly used by the t
 
 ## To what extent are tests representative of protection in the real world?
 
-It is important to remember that Microsoft sees a wider and broader set of threats beyond what’s tested in the evaluations highlighted above. For example, in an average month, we identify over 100 million new threats.  Even if an independent tester can acquire and test 1% of those threats, that is a million tests across 20 or 30 products. In other words, the vastness of the malware landscape makes it extremely difficult to evaluate the quality of protection against real world threats.
+It is important to remember that Microsoft sees a wider and broader set of threats beyond what’s tested in the evaluations highlighted in this topic. For example, in an average month we identify over 100 million new threats. Even if an independent tester can acquire and test 1% of those threats, that is a million tests across 20 or 30 products. In other words, the vastness of the malware landscape makes it extremely difficult to evaluate the quality of protection against real world threats.
 
-The capabilities within [Microsoft Defender ATP](https://www.microsoft.com/windowsforbusiness?ocid=cx-docs-avreports) provide [additional layers of protection](https://cloudblogs.microsoft.com/microsoftsecure/2017/12/11/detonating-a-bad-rabbit-windows-defender-antivirus-and-layered-machine-learning-defenses?ocid=cx-docs-avreports) that are not factored into industry antivirus tests, and address some of the latest and most sophisticated threats. Isolating AV from the rest of Microsoft Defender ATP creates a partial picture of how our security stack operates in the real world. For example, attack surface reduction and endpoint detection & response capabilities can help prevent malware from getting onto devices in the first place. We have proven that [Microsoft Defender ATP components catch samples](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2ouJA?ocid=cx-docs-avreports) that Windows Defender Antivirus missed in these industry tests, which is more representative of how effectively our security suite protects customers in the real world.
+The capabilities within Microsoft Defender ATP provide [additional layers of protection](https://cloudblogs.microsoft.com/microsoftsecure/2017/12/11/detonating-a-bad-rabbit-windows-defender-antivirus-and-layered-machine-learning-defenses?ocid=cx-docs-avreports) that are not factored into industry antivirus tests, and address some of the latest and most sophisticated threats. Isolating AV from the rest of Microsoft Defender ATP creates a partial picture of how Microsoft's security stack operates in the real world. For example, attack surface reduction and endpoint detection & response capabilities can help prevent malware from getting onto devices in the first place. We have proven that [Microsoft Defender ATP components catch samples](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2ouJA?ocid=cx-docs-avreports) that Windows Defender Antivirus missed in these industry tests, which is more representative of how effectively Microsoft's security suite protects customers in the real world.
 
-Using independent tests, customers can view one aspect of their security suite but can't assess the complete protection of all the security features. Microsoft is highly engaged in working with several independent testers to evolve security testing to focus on the end-to-end security stack. In the meantime, customers can evaluate Microsoft Defender Advanced Threat Protection in their own networks by signing up for a [90-day trial of Microsoft Defender ATP](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=cx-docs-avreports), or [enabling Preview features on existing tenants](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection?ocid=cx-docs-avreports).
+With independent tests, customers can view one aspect of their security suite but can't assess the complete protection of all the security features. Microsoft is highly engaged in working with several independent testers to evolve security testing to focus on the end-to-end security stack. In the meantime, customers can evaluate Microsoft Defender Advanced Threat Protection in their own networks by signing up for a [90-day trial of Microsoft Defender ATP](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=cx-docs-avreports), or [enabling Preview features on existing tenants](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/preview-settings).
diff --git a/windows/security/threat-protection/intelligence/unwanted-software.md b/windows/security/threat-protection/intelligence/unwanted-software.md
index 28718f36f6..fdf1e1e4bf 100644
--- a/windows/security/threat-protection/intelligence/unwanted-software.md
+++ b/windows/security/threat-protection/intelligence/unwanted-software.md
@@ -41,7 +41,7 @@ Microsoft uses an extensive [evaluation criteria](criteria.md) to identify unwan
 
 To prevent unwanted software infection, download software only from official websites, or from the Microsoft Store. Be wary of downloading software from third-party sites.
 
-Use [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/index) when browsing the internet. Microsoft Edge includes additional protections that effectively block browser modifiers that can change your browser settings. Microsoft Edge also blocks known websites hosting unwanted software using [SmartScreen](https://docs.microsoft.com/microsoft-edge/deploy/index) (also used by Internet Explorer).
+Use [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/index) when browsing the internet. Microsoft Edge includes additional protections that effectively block browser modifiers that can change your browser settings. Microsoft Edge also blocks known websites hosting unwanted software using [Windows Defender SmartScreen](https://docs.microsoft.com/microsoft-edge/deploy/index) (also used by Internet Explorer).
 
 Enable [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) in Windows 10. It provides real-time protection against threats and detects and removes known unwanted software.
 
diff --git a/windows/security/threat-protection/mbsa-removal-and-guidance.md b/windows/security/threat-protection/mbsa-removal-and-guidance.md
index d1b7cfa967..0490c8a9a6 100644
--- a/windows/security/threat-protection/mbsa-removal-and-guidance.md
+++ b/windows/security/threat-protection/mbsa-removal-and-guidance.md
@@ -1,6 +1,6 @@
 ---
-title: Microsoft Baseline Security Analyzer (MBSA) removal and guidance on alternative solutions
-description: This article documents the removal of MBSA and alternative solutions
+title: Guide to removing Microsoft Baseline Security Analyzer (MBSA)
+description: This article documents the removal of Microsoft Baseline Security Analyzer (MBSA) and provides alternative solutions
 keywords: MBSA, security, removal
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md
index 85ea675b5d..bf486af90d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md
@@ -30,7 +30,7 @@ Use the following advanced features to get better protected from potentially mal
 
 ## Automated investigation
 
-When you enable this feature, you'll be able to take advantage of the automated investigation and remediation features of the service. For more information, see [Automated investigations](automated-investigations.md).
+When you enable this feature, you'll be able to take advantage of the automated investigation and remediation features of the service. For more information, see [Automated investigation](automated-investigations.md).
 
 ## Live response
 
@@ -44,7 +44,7 @@ Enabling this feature allows you to run unsigned scripts in a live response sess
 
 ## Auto-resolve remediated alerts
 
-For tenants created on or after Windows 10, version 1809 the automated investigations capability is configured by default to resolve alerts where the automated analysis result status is "No threats found" or "Remediated".  If you don’t want to have alerts auto-resolved, you’ll need to manually turn off the feature.
+For tenants created on or after Windows 10, version 1809 the automated investigation and remediation capability is configured by default to resolve alerts where the automated analysis result status is "No threats found" or "Remediated".  If you don’t want to have alerts auto-resolved, you’ll need to manually turn off the feature.
 
 >[!TIP]
 >For tenants created prior that version, you'll need to manually turn this feature on from the [Advanced features](https://securitycenter.windows.com/preferences2/integration) page.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md
index d342f2228f..405215c2aa 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md
@@ -23,7 +23,7 @@ ms.date: 10/08/2019
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
+> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
 
 Advanced hunting is based on the [Kusto query language](https://docs.microsoft.com/azure/kusto/query/). You can use Kusto syntax and operators to construct queries that locate information in the [schema](advanced-hunting-schema-reference.md) specifically structured for Advanced hunting. To understand these concepts better, run your first query.
 
@@ -31,7 +31,7 @@ Advanced hunting is based on the [Kusto query language](https://docs.microsoft.c
 
 In Microsoft Defender Security Center, go to **Advanced hunting** to run your first query. Use the following example:
 
-```
+```kusto
 // Finds PowerShell execution events that could involve a download.
 ProcessCreationEvents  
 | where EventTime > ago(7d)
@@ -42,7 +42,7 @@ ProcessCreationEvents
         or ProcessCommandLine has "Invoke-Shellcode"
         or ProcessCommandLine contains "http:"
 | project EventTime, ComputerName, InitiatingProcessFileName, FileName, ProcessCommandLine
-| top 100 by EventTime'
+| top 100 by EventTime
 ```
 
 This is how it will look like in Advanced hunting.
@@ -52,7 +52,7 @@ This is how it will look like in Advanced hunting.
 ### Describe the query and specify the table to search
 The query starts with a short comment describing what it is for. This helps if you later decide to save your query and share it with others in your organization.
 
-```
+```kusto
 // Finds PowerShell execution events that could involve a download.
 ProcessCreationEvents
 ```
@@ -62,19 +62,19 @@ The query itself will typically start with a table name followed by a series of
 ### Set the time range
 The first piped element is a time filter scoped within the previous seven days. Keeping the time range as narrow as possible ensures that queries perform well, return manageable results, and don't time out.
 
-```
+```kusto
 | where EventTime > ago(7d)
 ```
 ### Search for specific executable files
 The time range is immediately followed by a search for files representing the PowerShell application.
 
-```
+```kusto
 | where FileName in ("powershell.exe", "POWERSHELL.EXE", "powershell_ise.exe", "POWERSHELL_ISE.EXE")
 ```
 ### Search for specific command lines
 Afterwards, the query looks for command lines that are typically used with PowerShell to download files.
 
-```
+```kusto
 | where ProcessCommandLine has "Net.WebClient"
         or ProcessCommandLine has "DownloadFile"
         or ProcessCommandLine has "Invoke-WebRequest"
@@ -84,9 +84,9 @@ Afterwards, the query looks for command lines that are typically used with Power
 ### Select result columns and length 
 Now that your query clearly identifies the data you want to locate, you can add elements that define what the results look like. `project` returns specific columns and `top` limits the number of results, making the results well-formatted and reasonably large and easy to process.
 
-```
+```kusto
 | project EventTime, ComputerName, InitiatingProcessFileName, FileName, ProcessCommandLine
-| top 100 by EventTime'
+| top 100 by EventTime
 ```
 
 Click **Run query** to see the results. You can expand the screen view so you can focus on your hunting query and the results.
@@ -128,8 +128,8 @@ The **Get started** section provides a few simple queries using commonly used op
 
 ![Image of Advanced hunting window](images/atp-advanced-hunting.png)
 
->[!NOTE]
->Apart from the basic query samples, you can also access [shared queries](advanced-hunting-shared-queries.md) for specific threat hunting scenarios. Explore the shared queries on the left side of the page or the GitHub query repository.
+> [!NOTE]
+> Apart from the basic query samples, you can also access [shared queries](advanced-hunting-shared-queries.md) for specific threat hunting scenarios. Explore the shared queries on the left side of the page or the GitHub query repository.
 
 ## Access comprehensive query language reference
 
@@ -140,4 +140,4 @@ For detailed information about the query language, see [Kusto query language doc
 - [Understand the schema](advanced-hunting-schema-reference.md)
 - [Apply query best practices](advanced-hunting-best-practices.md)
 
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-belowfoldlink)
+> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-belowfoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md
index 35d38020d6..aa02cbcfd9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md
@@ -1,7 +1,7 @@
 ---
 title: DeviceTvmSecureConfigurationAssessment table in the Advanced hunting schema
-description: Learn about the DeviceTvmSecureConfigurationAssessment table in the Advanced hunting schema, such as machine ID, computer name, operating system platform, security configuration details, impact, and compliance information. 
-keywords: advanced hunting, atp query, device management, query atp data, query tvm data, query security configuration, intellisense, atp telemetry, events, events telemetry, azure log analytics, description, DeviceTvmSecureConfigurationAssessment  
+description: Learn about Threat & Vulnerability Management security assessment events in the DeviceTvmSecureConfigurationAssessment table of the Advanced hunting schema. These events provide machine information as well as security configuration details, impact, and compliance information. 
+keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, DeviceTvmSecureConfigurationAssessment  
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
@@ -15,7 +15,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 10/27/2019
+ms.date: 11/12/2019
 ---
 
 # DeviceTvmSecureConfigurationAssessment 
@@ -28,7 +28,7 @@ ms.date: 10/27/2019
 
 [!include[Prerelease information](prerelease.md)]
 
-Each row in the DeviceTvmSecureConfigurationAssessment table contains an assessment event for a specific security configuration. Use this reference to check the latest assessment results and determine whether device are compliant.
+Each row in the DeviceTvmSecureConfigurationAssessment table contains an assessment event for a specific security configuration from [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md). Use this reference to check the latest assessment results and determine whether devices are compliant.
 
 For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
 
@@ -37,9 +37,9 @@ For information on other tables in the Advanced hunting schema, see [the Advance
 | MachineId | string | Unique identifier for the machine in the service |
 | ComputerName | string | Fully qualified domain name (FQDN) of the machine |
 | OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7.|
-| Timestamp | datetime |Date and time when the record was generated|
+| Timestamp | datetime |Date and time when the record was generated |
 | ConfigurationId | string | Unique identifier for a specific configuration |
-| ConfigurationCategory | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls|
+| ConfigurationCategory | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls |
 | ConfigurationSubcategory | string |Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. |
 | ConfigurationImpact | string | Rated impact of the configuration to the overall configuration score (1-10) |
 | IsCompliant | boolean | Indicates whether the configuration or policy is properly configured |
@@ -47,7 +47,7 @@ For information on other tables in the Advanced hunting schema, see [the Advance
 
 ## Related topics
 
-- [Advanced hunting overview](overview-hunting.md)
-- [All Advanced hunting tables](advanced-hunting-reference.md)
-- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
-- [Query data using Advanced hunting](advanced-hunting.md)
+- [Advanced hunting overview](advanced-hunting-overview.md)
+- [Learn the query language](advanced-hunting-query-language.md)
+- [Understand the schema](advanced-hunting-schema-reference.md)
+- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md
index 857a5731c6..5cc4303af4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md
@@ -1,7 +1,7 @@
 ---
 title: DeviceTvmSecureConfigurationAssessmentKB table in the Advanced hunting schema
-description: Learn about the DeviceTvmSecureConfigurationAssessmentKB table in the Advanced hunting schema, security configuration details, and the associated industry benchmarks that it adheres to. 
-keywords: advanced hunting, atp query, device management, query atp data, query tvm data, query security configuration, intellisense, atp telemetry, events, events telemetry, azure log analytics, description, MITRE ATT&CK framework, DeviceTvmSecureConfigurationAssessmentKB
+description: Learn about the various secure configurations assessed by Threat & Vulnerability Management in the DeviceTvmSecureConfigurationAssessmentKB table of the Advanced hunting schema. 
+keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, MITRE ATT&CK framework, knowledge base, KB, DeviceTvmSecureConfigurationAssessmentKB
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
@@ -15,7 +15,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 10/27/2019
+ms.date: 11/12/2019
 ---
 
 # DeviceTvmSecureConfigurationAssessmentKB
@@ -28,7 +28,7 @@ ms.date: 10/27/2019
 
 [!include[Prerelease information](prerelease.md)]
 
-The DeviceTvmSecureConfigurationAssessmentKB table in the Advanced hunting schema contains information about the various secure configuration TVM checks during assessments related to your organization. An example of a security configuration is to block JavaScript or VBScript from launching downloaded executable content to prevent accidentally downloading malicious files in your network. Use this reference to construct queries that return information from the table.
+The DeviceTvmSecureConfigurationAssessmentKB table in the Advanced hunting schema contains information about the various secure configurations — such as whether a device has automatic updates on — checked by [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md). It also includes risk information, related industry benchmarks, and applicable MITRE ATT&CK techniques and tactics. Use this reference to construct queries that return information from the table.
 
 For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
 
@@ -43,11 +43,11 @@ For information on other tables in the Advanced hunting schema, see [the Advance
 | ConfigurationSubcategory | string |Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. |
 | ConfigurationBenchmarks | string | List of industry benchmarks recommending the same or similar configuration |
 | RelatedMitreTechniques | string | List of Mitre ATT&CK framework techniques related to the configuration |
-| RelatedMitreTactics  | string | List of Mitre ATT&CK framework tactics related to the configuration|
+| RelatedMitreTactics  | string | List of Mitre ATT&CK framework tactics related to the configuration |
 
 ## Related topics
 
-- [Advanced hunting overview](overview-hunting.md)
-- [All Advanced hunting tables](advanced-hunting-reference.md)
-- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
-- [Query data using Advanced hunting](advanced-hunting.md)
+- [Advanced hunting overview](advanced-hunting-overview.md)
+- [Learn the query language](advanced-hunting-query-language.md)
+- [Understand the schema](advanced-hunting-schema-reference.md)
+- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md
index fcf0c2e4bd..4b641f2f4f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md
@@ -1,7 +1,7 @@
 ---
 title: DeviceTvmSoftwareInventoryVulnerabilities table in the Advanced hunting schema
-description: Learn about the DeviceTvmSoftwareInventoryVulnerabilities table in the Advanced hunting schema, such as operating system platform, version, and architecture, software vendor, name, and version, CVE ID, vulnerability severity, and descriptions
-keywords: advanced hunting, atp query, device management, query atp data, query tvm data, query software inventory, query software vulnerability inventory, intellisense, atp telemetry, events, events telemetry, azure log analytics, description, DeviceTvmSoftwareInventoryVulnerabilities
+description: Learn about the inventory of software in your devices and their vulnerabilities in the DeviceTvmSoftwareInventoryVulnerabilities table of the Advanced hunting schema.
+keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, OS DeviceTvmSoftwareInventoryVulnerabilities
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
@@ -15,7 +15,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 10/27/2019
+ms.date: 11/12/2019
 ---
 
 # DeviceTvmSoftwareInventoryVulnerabilities
@@ -29,7 +29,7 @@ ms.date: 10/27/2019
 
 [!include[Prerelease information](prerelease.md)]
 
-The DeviceTvmSoftwareInventoryVulnerabilities table in the Advanced hunting schema contains an inventory of the software on your devices as well as any known vulnerabilities in the software products. Use this reference to construct queries that return information from the table.
+The DeviceTvmSoftwareInventoryVulnerabilities table in the Advanced hunting schema contains the [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) inventory of software on your devices as well as any known vulnerabilities in these software products. This table also includes operating system information, CVE IDs, and vulnerability severity information. Use this reference to construct queries that return information from the table.
 
 For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
 
@@ -37,20 +37,20 @@ For information on other tables in the Advanced hunting schema, see [the Advance
 |-------------|-----------|-------------|
 | MachineId | string | Unique identifier for the machine in the service |
 | ComputerName | string | Fully qualified domain name (FQDN) of the machine |
-| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7.|
+| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. |
 | OSVersion | string | Version of the operating system running on the machine |
-| OSArchitecture | string | Architecture of the operating system running on the machine|
-| SoftwareVendor | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape|
-| SoftwareName | string | Name of the software product|
-|SoftwareVersion | string | Version number of the software product|
-| CveId | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system|
-| VulnerabilitySeverityLevel | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape|
+| OSArchitecture | string | Architecture of the operating system running on the machine |
+| SoftwareVendor | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape |
+| SoftwareName | string | Name of the software product |
+| SoftwareVersion | string | Version number of the software product |
+| CveId | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system |
+| VulnerabilitySeverityLevel | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape |
 
 
 
 ## Related topics
 
-- [Advanced hunting overview](overview-hunting.md)
-- [All Advanced hunting tables](advanced-hunting-reference.md)
-- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
-- [Query data using Advanced hunting](advanced-hunting.md)
+- [Advanced hunting overview](advanced-hunting-overview.md)
+- [Learn the query language](advanced-hunting-query-language.md)
+- [Understand the schema](advanced-hunting-schema-reference.md)
+- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md
index 757ad9858c..f7954f7a2e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md
@@ -1,7 +1,7 @@
 ---
 title: DeviceTvmSoftwareVulnerabilitiesKB  table in the Advanced hunting schema
-description: Learn about the DeviceTvmSoftwareVulnerabilitiesKB table in the Advanced hunting schema, such as CVE ID, CVSS score, exploit availability, vulnerability severity, last modified time, date the vulnerability was disclosed to public, and affected software in your network. 
-keywords: advanced hunting, atp query, device management, query atp data, query tvm data, query software vulnerability inventory, intellisense, atp telemetry, events, events telemetry, azure log analytics, description, DeviceTvmSoftwareVulnerabilitiesKB 
+description: Learn about the software vulnerabilities tracked by Threat & Vulnerability Management in the DeviceTvmSoftwareVulnerabilitiesKB table of the Advanced hunting schema. 
+keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, CVSS, DeviceTvmSoftwareVulnerabilitiesKB 
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
@@ -15,7 +15,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 10/27/2019
+ms.date: 11/12/2019
 ---
 
 # DeviceTvmSoftwareVulnerabilitiesKB 
@@ -28,24 +28,24 @@ ms.date: 10/27/2019
 
 [!include[Prerelease information](prerelease.md)]
 
-The DeviceTvmSoftwareInventoryVulnerabilities table in the Advanced hunting schema contains information about the vulnerabilities Threat & Vulnerability Management assesses devices for. Use this reference along with DeviceTvmSoftwareInventoryVulnerabilities to construct queries that return information on the metadata related to the vulnerabilities in your inventory.
+The DeviceTvmSoftwareInventoryVulnerabilities table in the Advanced hunting schema contains the list of vulnerabilities [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) assesses devices for. Use this reference to construct queries that return information from the table.
 
 For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
 
 | Column name | Data type | Description |
 |-------------|-----------|-------------|
-| CveId | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system|
-| CvssScore | string | Severity score assigned to the security vulnerability under th Common Vulnerability Scoring System (CVSS)|
-| IsExploitAvailable | boolean | Indicates whether exploit code for the vulnerability is publicly available|
-| VulnerabilitySeverityLevel | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape|
-| LastModifiedTime | datetime | Date and time the item or related metadata was last modified|
-| PublishedDate | datetime | Date vulnerability was disclosed to public|
-| VulnerabilityDescription | string | Description of vulnerability and associated risks|
-| AffectedSoftware | string | List of all software products affected by the vulnerability|
+| CveId | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system |
+| CvssScore | string | Severity score assigned to the security vulnerability under th Common Vulnerability Scoring System (CVSS) |
+| IsExploitAvailable | boolean | Indicates whether exploit code for the vulnerability is publicly available |
+| VulnerabilitySeverityLevel | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape |
+| LastModifiedTime | datetime | Date and time the item or related metadata was last modified |
+| PublishedDate | datetime | Date vulnerability was disclosed to public |
+| VulnerabilityDescription | string | Description of vulnerability and associated risks |
+| AffectedSoftware | string | List of all software products affected by the vulnerability |
 
 ## Related topics
 
-- [Advanced hunting overview](overview-hunting.md)
-- [All Advanced hunting tables](advanced-hunting-reference.md)
-- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
-- [Query data using Advanced hunting](advanced-hunting.md)
+- [Advanced hunting overview](advanced-hunting-overview.md)
+- [Learn the query language](advanced-hunting-query-language.md)
+- [Understand the schema](advanced-hunting-schema-reference.md)
+- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts.md b/windows/security/threat-protection/microsoft-defender-atp/alerts.md
index 2c44e8cfe9..7a3ea94c49 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/alerts.md
@@ -17,13 +17,13 @@ ms.topic: article
 ---
 
 # Alert resource type
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-Represents an alert entity in Microsoft Defender ATP.
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-# Methods
-Method|Return Type |Description
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
+
+## Methods
+Method |Return Type |Description
 :---|:---|:---
 [Get alert](get-alert-info-by-id.md) | [Alert](alerts.md) | Get a single [alert](alerts.md) object.
 [List alerts](get-alerts.md) | [Alert](alerts.md) collection | List [alert](alerts.md) collection.
@@ -35,49 +35,95 @@ Method|Return Type |Description
 [Get related users](get-alert-related-user-info.md) | [User](user.md) | The [user](user.md) that is associated with the [alert](alerts.md).
 
 
-# Properties
+## Properties
 Property |	Type	|	Description
 :---|:---|:---
 id | String | Alert ID.
-incidentId | String | The [Incident](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue) ID of the Alert. 
+title | String | Alert title.
+description | String | Alert description.
+alertCreationTime | Nullable DateTimeOffset | The date and time (in UTC) the alert was created.
+lastEventTime | Nullable DateTimeOffset | The last occurrence of the event that triggered the alert on the same machine.
+firstEventTime | Nullable DateTimeOffset | The first occurrence of the event that triggered the alert on that machine.
+lastUpdateTime | Nullable DateTimeOffset | The first occurrence of the event that triggered the alert on that machine.
+resolvedTime | Nullable DateTimeOffset | The date and time in which the status of the alert was changed to 'Resolved'.
+incidentId | Nullable Long | The [Incident](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue) ID of the Alert. 
+investigationId | Nullable Long | The [Investigation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) ID related to the Alert. 
+investigationState | Nullable Enum | The current state of the [Investigation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations). Possible values are: 'Unknown', 'Terminated', 'SuccessfullyRemediated', 'Benign', 'Failed', 'PartiallyRemediated', 'Running', 'PendingApproval', 'PendingResource', 'PartiallyInvestigated', 'TerminatedByUser', 'TerminatedBySystem', 'Queued', 'InnerFailure', 'PreexistingAlert', 'UnsupportedOs', 'UnsupportedAlertType', 'SuppressedAlert'.
 assignedTo | String | Owner of the alert.
 severity | Enum | Severity of the alert. Possible values are: 'UnSpecified', 'Informational', 'Low', 'Medium' and 'High'.
 status | Enum | Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'.
-investigationState | Nullable Enum | The current state of the investigation. Possible values are: 'Unknown', 'Terminated', 'SuccessfullyRemediated', 'Benign Failed PartiallyRemediated', 'Running', 'PendingApproval', 'PendingResource', 'PartiallyInvestigated', 'TerminatedByUser', 'TerminatedBySystem', 'Queued', 'InnerFailure', 'PreexistingAlert', 'UnsupportedOs', 'UnsupportedAlertType', 'SuppressedAlert' .
 classification | Nullable Enum | Specification of the alert. Possible values are: 'Unknown', 'FalsePositive', 'TruePositive'. 
 determination | Nullable Enum | Specifies the determination of the alert. Possible values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'.
-category| String | Category of the alert. Possible values are: 'Collection', 'Command and control', 'Credential access', 'Defense evasion', 'Discovery', 'Execution', 'Exfiltration', 'Exploit', 'Initial access', 'Lateral movement', 'Malware', 'Persistence', 'Privilege escalation', 'Ransomware', 'Suspicious activity', 'Unwanted software'. 
-detectionSource | string | Detection source.
-threatFamilyName | string | Threat family.
-title | string | Alert title.
-description | String | Description of the threat, identified by the alert.
-alertCreationTime | DateTimeOffset | The date and time (in UTC) the alert was created.
-lastEventTime | DateTimeOffset | The last occurrence of the event that triggered the alert on the same machine.
-firstEventTime | DateTimeOffset | The first occurrence of the event that triggered the alert on that machine.
-resolvedTime | DateTimeOffset | The date and time in which the status of the alert was changed to 'Resolved'.
+category| String | Category of the alert.
+detectionSource | String | Detection source.
+threatFamilyName | String | Threat family.
 machineId | String | ID of a [machine](machine.md) entity that is associated with the alert.
+comments | List of Alert comments | Alert Comment is an object that contains: comment string, createdBy string and createTime date time.
+alertFiles | List of Alert Files | **This list will be populated on $expand option, see example below** Alert File is an object that contains: sha1, sha256, filePath and fileName. 
+alertIPs | List of Alert IPs | **This list will be populated on $expand option, see example below** Alert IP is an object that contains: ipAddress string field. 
+alertDomains | List of Alert Domains | **This list will be populated on $expand option, see example below** Alert Domain is an object that contains: host string field. 
+
+
+
+## JSON representation:
+
+- When querying for alert list the regular way (without expand option, e.g. /api/alerts) the expandable properties will not get populated (empty lists)
+- To expand expandable properties use $expand option (e.g. to expand all send /api/alerts?$expand=files,ips,domains).
+- When querying single alert all expandable properties will be expanded. 
+- Check out [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md) for more OData examples. 
+
+### Response example for getting single alert:
 
-# JSON representation
 ```
+GET https://api.securitycenter.windows.com/api/alerts/da637084217856368682_-292920499
+```
+
+```json
 {
-    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
-    "id": "121688558380765161_2136280442",
-	"incidentId": 7696,
-	"assignedTo": "secop@contoso.com",
-	"severity": "High",
-	"status": "New",
-	"classification": "TruePositive",
-	"determination": "Malware",
-	"investigationState": "Running",
-	"category": "MalwareDownload",
-	"detectionSource": "WindowsDefenderAv",
-	"threatFamilyName": "Mikatz",
-	"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
-	"description": "Some description"
-	"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
-	"firstEventTime": "2018-11-26T16:17:50.0948658Z",
-	"lastEventTime": "2018-11-26T16:18:01.809871Z",
-	"resolvedTime": null,
-	"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
+    "id": "da637084217856368682_-292920499",
+    "incidentId": 66860,
+    "investigationId": 4416234,
+    "assignedTo": "secop@contoso.com",
+    "severity": "Low",
+    "status": "New",
+    "classification": "TruePositive",
+    "determination": null,
+    "investigationState": "Running",
+    "detectionSource": "WindowsDefenderAtp",
+    "category": "CommandAndControl",
+    "threatFamilyName": null,
+    "title": "Network connection to a risky host",
+    "description": "A network connection was made to a risky host which has exhibited malicious activity.",
+    "alertCreationTime": "2019-11-03T23:49:45.3823185Z",
+    "firstEventTime": "2019-11-03T23:47:16.2288822Z",
+    "lastEventTime": "2019-11-03T23:47:51.2966758Z",
+    "lastUpdateTime": "2019-11-03T23:55:52.6Z",
+    "resolvedTime": null,
+    "machineId": "986e5df8b73dacd43c8917d17e523e76b13c75cd",
+    "comments": [
+        {
+            "comment": "test comment for docs",
+            "createdBy": "secop@contoso.com",
+            "createdTime": "2019-11-05T14:08:37.8404534Z"
+        }
+    ],
+    "alertFiles": [
+        {
+            "sha1": "77e862797dd525fd3e9c3058153247945d0d4cfd",
+            "sha256": "c05823562aee5e6d000b0e041197d5b8303f5aa4eecb49820879b705c926e16e",
+            "filePath": "C:\\Users\\test1212\\AppData\\Local\\Temp\\nsf61D3.tmp.exe",
+            "fileName": "nsf61D3.tmp.exe"
+        }
+    ],
+    "alertDomains": [
+        {
+            "host": "login.bullguard.com"
+        }
+    ],
+    "alertIps": [
+        {
+            "ipAddress": "91.231.212.53"
+        }
+    ]
 }
 ```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md b/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md
index ce50cf47b1..26f0706b19 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md
@@ -46,7 +46,7 @@ Read the walkthrough document provided with each attack scenario. Each document
 
    - **Scenario 2: PowerShell script in fileless attack** - simulates a fileless attack that relies on PowerShell, showcasing attack surface reduction and machine learning detection of malicious memory activity.
     
-   - **Scenario 3: Automated incident response** - triggers Automated investigation, which automatically hunts for and remediates breach artifacts to scale your incident response capacity.
+   - **Scenario 3: Automated incident response** - triggers automated investigation, which automatically hunts for and remediates breach artifacts to scale your incident response capacity.
 
 2. Download and read the corresponding walkthrough document provided with your selected scenario.
 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md
index 6dd4b9f19f..8d2f79fd76 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md
@@ -9,11 +9,12 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: levinec
-ms.author: ellevin
+author: denisebmsft
+ms.author: deniseb
 ms.date: 10/15/2018
 ms.reviewer: 
 manager: dansimp
+ms.custom: asr
 ---
 
 # Use attack surface reduction rules in Windows 10 Enterprise E3
@@ -42,7 +43,7 @@ The limited subset of rules that can be used in Windows 10 Enterprise E3 include
 - Block process creations originating from PSExec and WMI commands
 - Block untrusted and unsigned processes that run from USB
 
-For more information about these rules, see [Reduce attack surfaces with attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard).
+For more information about these rules, see [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md).
 
  ## Related topics
 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
index b5bd5c3d18..772ce99ae9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
@@ -10,10 +10,11 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 audience: ITPro
-author: levinec
-ms.author: ellevin
+author: denisebmsft
+ms.author: deniseb
 ms.reviewer: 
 manager: dansimp
+ms.custom: asr
 ---
 
 # Reduce attack surfaces with attack surface reduction rules
diff --git a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
index 8945fc0931..67192e12e8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
@@ -29,9 +29,6 @@ The action center consists of two main tabs:
 	- All commands ran and remediation actions applied in Live Response with ability to undo actions that support this capability.
 	- Remediation actions applied by Windows Defender AV with ability to undo actions that support this capability.
 
-
-
-
 Use the Customize columns drop-down menu to select columns that you'd like to show or hide. 
 
 From this view, you can also download the entire list in CSV format using the **Export** feature, specify the number of items to show per page, and navigate between pages.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
index 00a8b85828..28d3920de1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
@@ -1,5 +1,5 @@
 ---
-title: Use Automated investigations to investigate and remediate threats
+title: Use automated investigations to investigate and remediate threats
 description: View the list of automated investigations, its status, detection source and other details.
 keywords: automated, investigation, detection, source, threat types, id, tags, machines, duration, filter export
 search.product: eADQiWindows 10XVcnh
@@ -8,8 +8,8 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
+ms.author: deniseb
+author: denisebmsft
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
@@ -17,72 +17,70 @@ ms.collection: M365-security-compliance
 ms.topic: conceptual
 ---
 
-# Overview of Automated investigations
+# Overview of automated investigations
+
+Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) offers a wide breadth of visibility on multiple machines. With this kind of optics, the service generates a multitude of alerts. The volume of alerts generated can be challenging for a typical security operations team to individually address. To address this challenge, Microsoft Defender ATP uses automated investigation and remediation capabilities to significantly reduce the volume of alerts that must be investigated individually. 
+
+The automated investigation feature leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. The **Automated investigations** list shows all the investigations that were initiated automatically, and includes details, such as status, detection source, and when the investigation was initiated.
 
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automated-investigations-abovefoldlink)
 
-The Microsoft Defender ATP service has a wide breadth of visibility on multiple machines. With this kind of optics, the service generates a multitude of alerts. The volume of alerts generated can be challenging for a typical security operations team to individually address.
 
+## Understand the automated investigation flow
 
-To address this challenge, Microsoft Defender ATP uses Automated investigations to significantly reduce the volume of alerts that need to be investigated individually. The Automated investigation feature leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. 
+### How the automated investigation starts
 
-The Automated investigations list shows all the investigations that have been initiated automatically and shows other details such as its status, detection source, and the date for when the investigation was initiated.
-
-## Understand the Automated investigation flow
-
-### How the Automated investigation starts
-
-Entities are the starting point for Automated investigations. When an alert contains a supported entity for Automated investigation (for example, a file) that resides on a machine that has a supported operating system for Automated investigation then an Automated investigation can start.
+When an alert is triggered, a security playbook goes into effect. Depending on the security playbook, an automated investigation can start. For example, suppose a malicious file resides on a machine. When that file is detected, an alert is triggered. The automated investigation process begins. Microsoft Defender ATP checks to see if the malicious file is present on any other machines in the organization. Details from the investigation, including verdicts (Malicious, Suspicious, and Clean) are available during and after the automated investigation.
 
 >[!NOTE]
->Currently, Automated investigation only supports the following OS versions:
->- Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/en-us/help/4493441/windows-10-update-kb4493441)) or later
->- Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/en-us/help/4493464/windows-10-update-kb4493464)) or later
+>Currently, automated investigation only supports the following OS versions:
+>- Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441/windows-10-update-kb4493441)) or later
+>- Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464/windows-10-update-kb4493464)) or later
 >- Later versions of Windows 10
 
-The Automated investigation starts by analyzing the supported entities from the alert and also runs a generic machine playbook to see if there is anything else suspicious on that machine. The outcome and details from the investigation is seen in the Automated investigation view.
+### Details of an automated investigation
 
-### Details of an Automated investigation
+During and after an automated investigation, you can view details about the investigation. Selecting a triggering alert brings you to the investigation details view where you can pivot from the **Investigation graph**, **Alerts**, **Machines**, **Evidence**, **Entities**, and **Log** tabs.
 
-As the investigation proceeds, you'll be able to view the details of the investigation. Selecting a triggering alert brings you to the investigation details view where you can pivot from the **Investigation graph**, **Alerts**, **Machines**, **Threats**, **Entities**, and **Log** tabs.
+|Tab |Description |
+|--|--|
+|**Alerts**| Shows the alert that started the investigation.|
+|**Machines** |Shows where the alert was seen.|
+|**Evidence** |Shows the entities that were found to be malicious during the investigation.|
+|**Entities** |Provides details about each analyzed entity, including a determination for each entity type (*Malicious*, *Suspicious*, or *Clean*). |
+|**Log** |Shows the chronological detailed view of all the investigation actions taken on the alert.|
+|**Pending actions** |If there are pending actions on the investigation, the **Pending actions** tab will be displayed where you can approve or reject actions. |
 
-In the **Alerts** tab, you'll see the alert that started the investigation. 
+> [!IMPORTANT]
+> Go to the **Action center** to get an aggregated view all pending actions and manage remediation actions. The **Action center** also acts as an audit trail for all automated investigation actions. 
 
-The **Machines** tab shows where the alert was seen.
+### How an automated investigation expands its scope
 
-The **Threats** tab shows the entities that were found to be malicious during the investigation.
+While an investigation is running, any other alerts generated from the machine are added to an ongoing automated investigation until that investigation is completed. In addition, if the same threat is seen on other machines, those machines are added to the investigation.
 
-During an Automated investigation, details about each analyzed entity is categorized in the **Entities** tab. You'll be able to see the determination for each entity type, such as whether it was determined to be malicious, suspicious, or clean.
-
-The **Log** tab reflects the chronological detailed view of all the investigation actions taken on the alert.
-
-If there are pending actions on the investigation, the **Pending actions** tab will be displayed where you can approve or reject actions. You can also go to the **Action center** to get an aggregated view all pending actions and manage remediaton actions. It also acts as an audit trail for all Automated investigation actions. 
-
-### How an Automated investigation expands its scope
-
-While an investigation is running, any other alert generated from the machine will be added to an ongoing Automated investigation until that investigation is completed. In addition, if the same threat is seen on other machines, those machines are added to the investigation.
-
-If an incriminated entity is seen in another machine, the Automated investigation will expand the investigation to include that machine and a generic machine playbook will start on that machine. If 10 or more machines are found during this expansion process from the same entity, then that expansion action will require an approval and will be seen in the **Pending actions** view.
+If an incriminated entity is seen in another machine, the automated investigation process will expand its scope to include that machine, and a general security playbook will start on that machine. If 10 or more machines are found during this expansion process from the same entity, then that expansion action will require an approval and will be seen in the **Pending actions** view.
 
 ### How threats are remediated
 
-Depending on how you set up the machine groups and their level of automation, the Automated investigation will either require user approval (default) or automatically remediate threats.
+Depending on how you set up the machine groups and their level of automation, the automated investigation will either require user approval (default) or automatically remediate threats.
 
 You can configure the following levels of automation:
 
-Automation level | Description
-:---|:---
-Not protected | Machines will not get any automated investigations run on them.
-Semi - require approval for any remediation | This is the default automation level.

  An approval is needed for any remediation action. 
-Semi - require approval for non-temp folders remediation | An approval is required on files or executables that are not in temporary folders. 

 Files or executables in temporary folders, such as the user's download folder or the user's temp folder, will automatically be remediated if needed.
-Semi - require approval for core folders remediation | An approval is required on files or executables that are in the operating system directories such as Windows folder and Program files folder. 

 Files or executables in all other folders will  automatically be remediated if needed.
-Full - remediate threats automatically | All remediation actions will be performed automatically.
+|Automation level | Description|
+|---|---|
+|Not protected | Machines do not get any automated investigations run on them. |
+|Semi - require approval for any remediation | This is the default automation level.

  An approval is needed for any remediation action. |
+|Semi - require approval for non-temp folders remediation | An approval is required on files or executables that are not in temporary folders. 

 Files or executables in temporary folders, such as the user's download folder or the user's temp folder, will automatically be remediated if needed.|
+|Semi - require approval for core folders remediation | An approval is required on files or executables that are in the operating system directories such as Windows folder and Program files folder. 

 Files or executables in all other folders will  automatically be remediated if needed.|
+|Full - remediate threats automatically | All remediation actions will be performed automatically.|
 
-For more information on how to configure these automation levels, see [Create and manage machine groups](machine-groups.md).
+> [!TIP]
+> For more information on how to configure these automation levels, see [Create and manage machine groups](machine-groups.md).
 
-The default machine group is configured for semi-automatic remediation. This means that any malicious entity that needs to be remediated requires an approval and the investigation is added to the **Pending actions** section, this can be changed to fully automatic so that no user approval is needed. 
+The default machine group is configured for semi-automatic remediation. This means that any malicious entity that calls for remediation requires an approval and the investigation is added to the **Pending actions** section. This can be changed to fully automatic so that no user approval is needed. 
 
 When a pending action is approved, the entity is then remediated and this new state is reflected in the **Entities** tab of the investigation.
 
-## Related topic
+## Next step
+
 - [Learn about the automated investigations dashboard](manage-auto-investigation.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md b/windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md
index 7adc0c6ece..2830d49f18 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md
@@ -93,8 +93,8 @@ You'll need to ensure that traffic from the following are allowed:
 
 Service location | DNS record
 :---|:---
-Common URLs for all locations (Global location) | ```crl.microsoft.com```
```ctldl.windowsupdate.com```
```notify.windows.com```
-Microsoft Defender ATP GCC High specific | ```us4-v20.events.data.microsoft.com``` 
```winatp-gw-usgt.microsoft.com```
```winatp-gw-usgv.microsoft.com```
```*.blob.core.usgovcloudapi.net```
+Common URLs for all locations (Global location) | ```crl.microsoft.com```
```ctldl.windowsupdate.com```
```notify.windows.com```
```settings-win.data.microsoft.com``` 

 NOTE: ```settings-win.data.microsoft.com``` is only needed on Windows 10 machines running version 1803 or earlier.
+Microsoft Defender ATP GCC High specific | ```us4-v20.events.data.microsoft.com``` 
```winatp-gw-usgt.microsoft.com```
```winatp-gw-usgv.microsoft.com```
```*.blob.core.usgovcloudapi.net``` 
 
 
 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md
index 6a076bfb65..8be692ccbc 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md
@@ -64,6 +64,7 @@ See how you can [improve your security configuration](https://docs.microsoft.com
 >2. Key-in the security update KB number that you need to download, then click **Search**.  
 
 ## Related topics
+- [Supported operating systems and platforms](tvm-supported-os.md)
 - [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) 
 - [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
 - [Exposure score](tvm-exposure-score.md)
@@ -72,3 +73,4 @@ See how you can [improve your security configuration](https://docs.microsoft.com
 - [Software inventory](tvm-software-inventory.md)
 - [Weaknesses](tvm-weaknesses.md)
 - [Scenarios](threat-and-vuln-mgt-scenarios.md)
+- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md
index fafeee5fd2..a5cb971e01 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md
@@ -1,5 +1,5 @@
 ---
-title: Onboard Windows 10 machines using Group Policy to Microsoft Defender ATP
+title: Onboard Windows 10 devices to Microsoft Defender ATP via Group Policy
 description: Use Group Policy to deploy the configuration package on Windows 10 machines so that they are onboarded to the service.
 keywords: configure machines using group policy, machine management, configure Windows ATP machines, onboard Microsoft Defender Advanced Threat Protection machines, group policy
 search.product: eADQiWindows 10XVcnh
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md
index b268c9db63..5a8e0475ca 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md
@@ -31,17 +31,19 @@ ms.date: 04/24/2018
 
 Microsoft Defender ATP supports non-persistent VDI session onboarding. There might be associated challenges when onboarding VDIs. The following are typical challenges for this scenario:
 
+- Instant early onboarding of a short-lived sessions, which must be onboarded to Microsoft Defender ATP prior to the actual provisioning.
+- The machine name is typically reused for new sessions.
 
-- Instant early onboarding of a short living session
-    - A session should be onboarded to Microsoft Defender ATP prior to the actual provisioning.
+VDI machines can appear in Microsoft Defender ATP portal as either:
 
-- Machine name persistence
-    - The machine names are typically reused for new sessions. One may ask to have them as a single machine entry while others may prefer to have multiple entries per machine name.
+- Single entry for each machine.  
+Note that in this case, the *same* machine name must be configured when the session is created, for example using an unattended answer file.
+- Multiple entries for each machine - one for each session.
 
-You can onboard VDI machines using a single entry or multiple entries for each machine. The following steps will guide you through onboarding VDI machines and will highlight steps for single and multiple entries.
+The following steps will guide you through onboarding VDI machines and will highlight steps for single and multiple entries.
 
 >[!WARNING]
-> For environments where there are low resource configurations, the VDI boot proceedure might slow the Microsoft Defender ATP sensor onboarding. 
+> For environments where there are low resource configurations, the VDI boot procedure might slow the Microsoft Defender ATP sensor onboarding. 
 
 1.  Open the VDI configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md
index 69c4df40de..a97e8031a2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md
@@ -48,7 +48,7 @@ For more information about optimizing ASR rule deployment in Microsoft 365 secur
 
 > Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
 
-# Related topics
+## Related topics
 
 * [Ensure your machines are configured properly](configure-machines.md)
 * [Get machines onboarded to Microsoft Defender ATP](configure-machines-onboarding.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md
index 484a763167..1f672b58a6 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md
@@ -61,7 +61,7 @@ For more information, [read about using Intune device configuration profiles to
 
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
 
-# Related topics
+## Related topics
 - [Ensure your machines are configured properly](configure-machines.md)
 - [Increase compliance to the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md)
 - [Optimize ASR rule deployment and detections](configure-machines-asr.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md
index c51725fb99..a91141c30b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md
@@ -97,7 +97,7 @@ Machine configuration management monitors baseline compliance only of Windows 10
 
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
 
-# Related topics
+## Related topics
 - [Ensure your machines are configured properly](configure-machines.md)
 - [Get machines onboarded to Microsoft Defender ATP](configure-machines-onboarding.md)
 - [Optimize ASR rule deployment and detections](configure-machines-asr.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
index 45538af5d0..08b54bfbe4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
@@ -122,20 +122,7 @@ Once completed, you should see onboarded servers in the portal within an hour.
 ### Configure server proxy and Internet connectivity settings
  
 - Each Windows server must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the OMS Gateway.
-- If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Microsoft Defender ATP service:
-
-Agent Resource    |    Ports 
-:---|:---
-|    *.oms.opinsights.azure.com    |    443    |
-|    *.blob.core.windows.net    |    443    |
-|    *.azure-automation.net    |    443    |
-|    *.ods.opinsights.azure.com    |    443    |
-|    winatp-gw-cus.microsoft.com     |    443    |
-|    winatp-gw-eus.microsoft.com    |    443    |
-|    winatp-gw-neu.microsoft.com    |    443    |
-|    winatp-gw-weu.microsoft.com    |    443    |
-|winatp-gw-uks.microsoft.com | 443 |
-|winatp-gw-ukw.microsoft.com | 443 | 
+- If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that you [enable access to Microsoft Defender ATP service URLs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server).
 
 
 ## Windows Server, version 1803 and Windows Server 2019
diff --git a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md
index eb5c9b65bb..b751dd036f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md
@@ -1,5 +1,5 @@
 ---
-title: Help prevent ransomware and threats from encrypting and changing files
+title: Prevent ransomware and threats from encrypting and changing files
 description: Files in default folders can be protected from being changed by malicious apps. This can help prevent ransomware from encrypting your files.
 keywords: controlled folder access, windows 10, windows defender, ransomware, protect, files, folders
 search.product: eADQiWindows 10XVcnh
@@ -10,19 +10,20 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 audience: ITPro
-author: levinec
-ms.author: ellevin
+author: denisebmsft
+ms.author: deniseb
 audience: ITPro
 ms.date: 08/05/2019
 ms.reviewer: v-maave
 manager: dansimp
+ms.custom: asr
 ---
 
 # Protect important folders with controlled folder access
 
 **Applies to:**
 
-* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
 Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. It protects your data by checking against a list of known, trusted apps. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. It can be turned on via the Windows Security App, or from the System Center Configuration Manager (SCCM) and Intune, for managed devices. Controlled folder access works best with [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
 
@@ -65,15 +66,15 @@ You can review the Windows event log to see events that are created when control
 
 1. Download the [Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the machine.
 
-1. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
+2. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
 
-1. On the left panel, under **Actions**, click **Import custom view...**.
+3. On the left panel, under **Actions**, click **Import custom view...**.
 
-1. Navigate to where you extracted *cfa-events.xml* and select it. Alternatively, [copy the XML directly](event-views.md).
+4. Navigate to where you extracted *cfa-events.xml* and select it. Alternatively, [copy the XML directly](event-views.md).
 
-1. Click **OK**.
+5. Click **OK**.
 
-1. This will create a custom view that filters to only show the following events related to controlled folder access:
+This will create a custom view that filters to only show the following events related to controlled folder access:
 
 Event ID | Description
 -|-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md
index f4a2b266d9..3dbdf5372a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md
@@ -18,11 +18,11 @@ ms.topic: article
 
 # Create alert from event API
 
-**Applies to:**
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
 
-Enables using event data, as obtained from the [Advanced Hunting](run-advanced-query-api.md) for creating a new alert entity.
+Create alert using event data, as obtained from [Advanced Hunting](run-advanced-query-api.md) for creating a new alert.
 
 ## Permissions
 
@@ -64,7 +64,7 @@ description | String | Description of the alert. **Required**.
 recommendedAction| String | Action that is recommended to be taken by security officer when analyzing the alert. **Required**.
 eventTime | DateTime(UTC) | The time of the event, as obtained from the advanced query. **Required**.
 reportId | String | The reportId, as obtained from the advanced query. **Required**.
-category| String | Category of the alert. The property values are: 'None', 'SuspiciousActivity', 'Malware', 'CredentialTheft', 'Exploit', 'WebExploit', 'DocumentExploit', 'PrivilegeEscalation', 'Persistence', 'RemoteAccessTool', 'CommandAndControl', 'SuspiciousNetworkTraffic', 'Ransomware', 'MalwareDownload', 'Reconnaissance', 'WebFingerprinting', 'Weaponization', 'Delivery', 'SocialEngineering', 'CredentialStealing', 'Installation', 'Backdoor', 'Trojan', 'TrojanDownloader', 'LateralMovement', 'ExplorationEnumeration', 'NetworkPropagation', 'Exfiltration', 'NotApplicable', 'EnterprisePolicy' and	'General'.
+category| String | Category of the alert. The property values are: "General", "CommandAndControl", "Collection", "CredentialAccess", "DefenseEvasion", "Discovery", "Exfiltration", "Exploit", "Execution", "InitialAccess", "LateralMovement", "Malware", "Persistence", "PrivilegeEscalation", "Ransomware", "SuspiciousActivity" **Required**.
 
 ## Response
 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
index e8692e242a..fb3a52f9f4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
@@ -23,7 +23,7 @@ ms.topic: article
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-Custom detection rules built from [Advanced hunting](advanced-hunting-overview.md) queries let you proactively monitor various events and system states, including suspected breach activity and misconfigured machines. The queries run every 24 hours, generating alerts and taking response actions whenever there are matches.
+Custom detection rules built from [Advanced hunting](advanced-hunting-overview.md) queries let you proactively monitor various events and system states, including suspected breach activity and misconfigured machines. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches.
 
 > [!NOTE]
 > To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission.
@@ -52,13 +52,25 @@ MiscEvents
 
 With the query in the query editor, select **Create detection rule** and specify the following alert details:
 
-- **Alert title**
-- **Severity**
-- **Category**
-- **Description**
-- **Recommended actions**
+- **Detection name** — name of the detection rule
+- **Frequency** — interval for running the query and taking action. [See additional guidance below](#rule-frequency)
+- **Alert title** — title displayed with alerts triggered by the rule
+- **Severity** — potential risk of the component or activity identified by the rule. [Read about alert severities](alerts-queue.md#severity)
+- **Category** — type of threat component or activity, if any. [Read about alert categories](alerts-queue.md#understanding-alert-categories)
+- **Description** — more information about the component or activity identified by the rule 
+- **Recommended actions** — additional actions that responders might take in response to an alert 
 
-For more information about these alert details, [read about managing alerts](manage-alerts.md).
+For more information about how alert details are displayed, [read about the alert queue](alerts-queue.md).
+
+#### Rule frequency
+When saved, custom detections rules immediately run. They then run again at fixed intervals based on the frequency you choose. Rules that run less frequently will have longer lookback durations:
+
+- **Every 24 hours** — checks data from the past 30 days
+- **Every 12 hours** — checks data from the past 24 hours
+- **Every 3 hours** — checks data from the past 6 hours
+- **Every hour** — checks data from the past 2 hours
+
+Whenever a rule runs, similar detections on the same machine could be aggregated into fewer alerts, so running a rule less frequently can generate fewer alerts. Select the frequency that matches how closely you want to monitor detections, and consider your organization's capacity to respond to the alerts.
 
 ### 3. Specify actions on files or machines.
 Your custom detection rule can automatically take actions on files or machines that are returned by the query.
@@ -116,3 +128,4 @@ You can also take the following actions on the rule from this page:
 - [Custom detections overview](overview-custom-detections.md)
 - [Advanced hunting overview](advanced-hunting-overview.md)
 - [Learn the Advanced hunting query language](advanced-hunting-query-language.md)
+- [View and organize alerts](alerts-queue.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md b/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md
index 1c3591492a..703b8a3412 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md
@@ -1,6 +1,6 @@
 ---
-title: Update data retention settings for Microsoft Defender Advanced Threat Protection
-description: Update data retention settings by selecting between 30 days to 180 days.
+title: Update how long data is stored by MDATP
+description: Update data retention settings for Microsoft Defender Advanced Threat Protection (MDATP) by selecting between 30 days to 180 days.
 keywords: data, storage, settings, retention, update
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
diff --git a/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md b/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md
index 94b0798855..5e9a5f5e75 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md
@@ -127,16 +127,24 @@ h. Select  **Manage > Assignments**. In the  **Include**  tab, select  *
 
 ## Enable the Insider program manually on a single machine
 
-In the command prompt, run:
+In terminal, run:
 
 ```bash
-    mdatp --edr --early-preview true
+    mdatp --edr --earlypreview true
  ```
 
+For versions earlier than 100.78.0, run:
+
+```bash
+    mdatp --edr --earlyPreview true
+```
+
 ## Troubleshooting
 
 ### Verify you are running the correct version
 
+To get the latest version of the Microsoft Defender ATP for Mac, set the Microsoft AutoUpdate to “Fast Ring”. To get “Microsoft AutoUpdate”, download it from [Release history for Microsoft AutoUpdate (MAU)](https://docs.microsoft.com/officeupdates/release-history-microsoft-autoupdate).
+
 To verify you are running the correct version, run ‘mdatp --health’ on the machine.
 
 * The required version is 100.72.15 or later.
@@ -150,4 +158,4 @@ After a successful deployment and onboarding of the correct version, check that
 
 * Check that you enabled the early preview flag. In terminal run “mdatp –health” and look for the value of “edrEarlyPreviewEnabled”. It should be “Enabled”.
 
-If you followed the manual deployment instructions, you were prompted to enable Kernel Extensions. Pay attention to the “System Extension note” in the [manual deployment documentation](mac-install-manually.md#application-installation) and use the “Manual Deployment” section in the [troubleshoot kernel extension documentation](mac-support-kext.md#manual-deployment).
\ No newline at end of file
+If you followed the manual deployment instructions, you were prompted to enable Kernel Extensions. Pay attention to the “System Extension note” in the [manual deployment documentation](mac-install-manually.md#application-installation) and use the “Manual Deployment” section in the [troubleshoot kernel extension documentation](mac-support-kext.md#manual-deployment).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md
index 568f45096f..e47d2c93c1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md
@@ -10,18 +10,19 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 audience: ITPro
-author: levinec
-ms.author: ellevin
+author: denisebmsft
+ms.author: deniseb
 ms.date: 04/02/2019
 ms.reviewer: 
 manager: dansimp
+ms.custom: asr
 ---
 
 # Protect devices from exploits
 
 **Applies to:**
 
-* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
 Exploit protection automatically applies a number of exploit mitigation techniques to operating system processes and apps. Exploit protection is supported beginning with Windows 10, version 1709 and Windows Server 2016, version 1803.
 
@@ -39,7 +40,7 @@ You can also use [audit mode](evaluate-exploit-protection.md) to evaluate how ex
 Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) have been included in Exploit protection, and you can convert and import existing EMET configuration profiles into Exploit protection. See [Comparison between Enhanced Mitigation Experience Toolkit and Exploit protection](emet-exploit-protection.md) for more information on how Exploit protection supersedes EMET and what the benefits are when considering moving to exploit protection on Windows 10.
 
 > [!IMPORTANT]
-> If you are currently using EMET you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Windows 10. You can [convert an existing EMET configuration file into exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings.
+> If you are currently using EMET you should be aware that [EMET reached end of support on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Windows 10. You can [convert an existing EMET configuration file into exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings.
 
 > [!WARNING]
 > Some security mitigation technologies may have compatibility issues with some applications. You should test exploit protection in all target use scenarios by using [audit mode](audit-windows-defender.md) before deploying the configuration across a production environment or the rest of your network.
@@ -48,7 +49,7 @@ Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](http
 
 Microsoft Defender ATP provides detailed reporting into events and blocks as part of its alert investigation scenarios.
 
-You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use Advanced hunting to see how exploit protection settings could affect your environment.
+You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview). If you're using [audit mode](audit-windows-defender.md), you can use Advanced hunting to see how exploit protection settings could affect your environment.
 
 Here is an example query:
 
@@ -127,11 +128,11 @@ Validate image dependency integrity | [!include[Check mark yes](../images/svg/ch
 >
 > See the [Mitigation threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information on how Windows 10 employs existing EMET technology.
 
-## Related topics
+## Related articles
 
-* [Protect devices from exploits](exploit-protection.md)
-* [Evaluate exploit protection](evaluate-exploit-protection.md)
-* [Enable exploit protection](enable-exploit-protection.md)
-* [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
-* [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)
-* [Troubleshoot exploit protection](troubleshoot-exploit-protection-mitigations.md)
+- [Protect devices from exploits](exploit-protection.md)
+- [Evaluate exploit protection](evaluate-exploit-protection.md)
+- [Enable exploit protection](enable-exploit-protection.md)
+- [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
+- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)
+- [Troubleshoot exploit protection](troubleshoot-exploit-protection-mitigations.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md
index b90c36d11c..e1397a16e7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md
@@ -1,5 +1,5 @@
 ---
-title: Advanced Hunting API
+title: Advanced Hunting with Powershell API Guide
 ms.reviewer: 
 description: Use this API to run advanced queries
 keywords: apis, supported apis, advanced hunting, query
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md
index 1c8dc327c6..c91de23386 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md
@@ -1,5 +1,5 @@
 ---
-title: Supported Microsoft Defender Advanced Threat Protection query APIs  
+title: Supported Microsoft Defender Advanced Threat Protection APIs  
 ms.reviewer: 
 description: Learn about the specific supported Microsoft Defender Advanced Threat Protection entities where you can create API calls to. 
 keywords: apis, supported apis, actor, alerts, machine, user, domain, ip, file, advanced queries, advanced hunting
@@ -17,14 +17,11 @@ ms.collection: M365-security-compliance
 ms.topic: article
 ---
 
-# Supported Microsoft Defender ATP query APIs 
+# Supported Microsoft Defender ATP APIs
 
-**Applies to:**
-- Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-supportedapis-abovefoldlink) 
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
 
 ## End Point URI and Versioning
 
@@ -42,7 +39,7 @@ ms.topic: article
 > 
 > To use a specific version, use this format: https://api.securitycenter.windows.com/api/{Version}. For example: https://api.securitycenter.windows.com/api/v1.0/alerts
 > 
-> If you don't specify any version (e.g., https://api.securitycenter.windows.com/api/alerts ) you will get to the latest version.
+> If you don't specify any version (e.g. https://api.securitycenter.windows.com/api/alerts ) you will get to the latest version.
 
 
 Learn more about the individual supported entities where you can run API calls to and details such as HTTP request values, request headers and expected responses.
@@ -52,12 +49,14 @@ Learn more about the individual supported entities where you can run API calls t
 Topic | Description
 :---|:---
 Advanced Hunting | Run queries from API.
-Alerts | Run API calls such as get alerts, alert information by ID, alert related actor information, alert related IP information, and alert related machine information.
-Domain |Run API calls such as get domain related machines, domain related machines, statistics, and check if a domain is seen in your organization.
-File | Run API calls such as get file information, file related alerts, file related machines, and file statistics.
-IP | Run API calls such as get IP related alerts, IP related machines, IP statistics, and check if and IP is seen in your organization.
-Machines | Run API calls such as find machine information by IP, get machines, get machines by ID, information about logged on users, and alerts related to a given machine ID.
-User | Run API calls such as get alert related user information, user information, user related alerts, and user related machines.
+Alerts | Run API calls such as get alerts, create alert, update alert and more.
+Domains | Run API calls such as get domain related machines, domain statistics and more.
+Files | Run API calls such as get file information, file related alerts, file related machines, and file statistics.
+IPs | Run API calls such as get IP related alerts and get IP statistics.
+Machines | Run API calls such as get machines, get machines by ID, information about logged on users, edit tags and more.
+Machine Actions | Run API call such as Isolation, Run anti-virus scan and more.
+Indicators | Run API call such as create Indicator, get Indicators and delete Indicators.
+Users | Run API calls such as get user related alerts and user related machines.
 
 ## Related topic
 - [Microsoft Defender ATP APIs](apis-intro.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/files.md b/windows/security/threat-protection/microsoft-defender-atp/files.md
index 87b7a01359..2bb588f0ce 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/files.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/files.md
@@ -1,6 +1,6 @@
 ---
 title: File resource type
-description: Retrieves top recent alerts.
+description: Retrieves information associated with files alerts.
 keywords: apis, graph api, supported apis, get, alerts, recent
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
@@ -23,7 +23,7 @@ ms.topic: article
 
 Represent a file entity in Microsoft Defender ATP.
 
-# Methods
+## Methods
 Method|Return Type |Description
 :---|:---|:---
 [Get file](get-file-information.md) | [file](files.md) | Get a single file 
@@ -32,7 +32,7 @@ Method|Return Type |Description
 [file statistics](get-file-statistics.md) | Statistics summary | Retrieves the prevalence for the given file.
 
 
-# Properties
+## Properties
 Property |	Type	|	Description
 :---|:---|:---
 sha1 | String | Sha1 hash of the file content
@@ -50,4 +50,3 @@ signer | String | File signer.
 issuer | String | File issuer.
 signerHash | String | Hash of the signing certificate.
 isValidCertificate | Boolean | Was signing certificate successfully verified by  Microsoft Defender ATP agent.
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md
index 56e4cf24a6..4f66d7199a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md
@@ -38,8 +38,9 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine
 
 >[!Note]
 > When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
->- Response will include only machines,that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information)
+> - Response will include only machines that the user have access to based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information)
+> - The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
+> - Response will include only machines that the user have access to based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information)
 
 ## HTTP request
 ```
@@ -57,7 +58,7 @@ Empty
 
 ## Response
 If successful and machines were found - 200 OK with list of the machines in the response body.
-If no machine found  - 404 Not Found.
+If no machine found - 404 Not Found.
 If the timestamp is not in the past 30 days - 400 Bad Request.
 
 ## Example
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md
index 3f94ebab37..f33b29bd88 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md
@@ -18,16 +18,15 @@ ms.topic: article
 
 # List alerts API
 
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
 
 Retrieves a collection of Alerts.
 
 Supports [OData V4 queries](https://www.odata.org/documentation/).
 
-The OData's Filter query is supported on: "Id", "IncidentId", "AlertCreationTime", "Status", "Severity" and "Category".
+The OData's Filter query is supported on: "alertCreationTime", "incidentId", "InvestigationId", "status", "severity" and "category".
 
 See examples at [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md)
 
@@ -52,7 +51,8 @@ GET /api/alerts
 ```
 
 ## Optional query parameters
-Method supports $skip and $top query parameters.
+Method supports $top, $select, $filter, $expand and $skip query parameters.
+
$expand is available on Files, IPs and Domains. e.g. $expand=files,domains
 
 ## Request headers
 
@@ -74,18 +74,19 @@ If successful, this method returns 200 OK, and a list of [alert](alerts.md) obje
 
 Here is an example of the request.
 
-[!include[Improve request performance](improve-request-performance.md)]
-
 ```
 GET https://api.securitycenter.windows.com/api/alerts
 ```
 
+[!include[Improve request performance](improve-request-performance.md)]
+
+
 **Response**
 
 Here is an example of the response.
 
 >[!NOTE]
->The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
+>The response list shown here may be truncated for brevity. All alerts will be returned from an actual call.
 
 
 ```json
@@ -93,45 +94,37 @@ Here is an example of the response.
     "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
     "value": [
         {
-            "id": "121688558380765161_2136280442",
-			"incidentId": 7696,
-			"assignedTo": "secop@contoso.com",
-			"severity": "High",
-			"status": "New",
-			"classification": "TruePositive",
-			"determination": "Malware",
-			"investigationState": "Running",
-			"category": "MalwareDownload",
-			"detectionSource": "WindowsDefenderAv",
-			"threatFamilyName": "Mikatz",
-			"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
-			"description": "Some description",
-			"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
-			"firstEventTime": "2018-11-26T16:17:50.0948658Z",
-			"lastEventTime": "2018-11-26T16:18:01.809871Z",
-			"resolvedTime": null,
-			"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
-        },
-        {
-            "id": "441688558380765161_2136280442",
-			"incidentId": 8633,
+            "id": "da637084217856368682_-292920499",
+			"incidentId": 66860,
+			"investigationId": 4416234,
 			"assignedTo": "secop@contoso.com",
 			"severity": "Low",
-			"status": "InProgress",
+			"status": "New",
 			"classification": "TruePositive",
-			"determination": "Malware",
+			"determination": null,
 			"investigationState": "Running",
-			"category": "MalwareDownload",
-			"detectionSource": "WindowsDefenderAv",
-			"threatFamilyName": "Mikatz",
-			"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
-			"description": "Some description",
-			"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
-			"firstEventTime": "2018-11-25T16:17:50.0948658Z",
-			"lastEventTime": "2018-11-25T16:18:01.809871Z",
+			"detectionSource": "WindowsDefenderAtp",
+			"category": "CommandAndControl",
+			"threatFamilyName": null,
+			"title": "Network connection to a risky host",
+			"description": "A network connection was made to a risky host which has exhibited malicious activity.",
+			"alertCreationTime": "2019-11-03T23:49:45.3823185Z",
+			"firstEventTime": "2019-11-03T23:47:16.2288822Z",
+			"lastEventTime": "2019-11-03T23:47:51.2966758Z",
+			"lastUpdateTime": "2019-11-03T23:55:52.6Z",
 			"resolvedTime": null,
-			"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
-        }
+			"machineId": "986e5df8b73dacd43c8917d17e523e76b13c75cd",
+			"comments": [
+				{
+					"comment": "test comment for docs",
+					"createdBy": "secop@contoso.com",
+					"createdTime": "2019-11-05T14:08:37.8404534Z"
+				}
+			],
+			"alertFiles": [],
+			"alertDomains": [],
+			"alertIps": []
+		}
 	]
 }
 ```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md
index 1b7847ce57..18ead32cb5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md
@@ -123,4 +123,3 @@ Content-type: application/json
     ]
 }
 ```
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/isolate-machine.png b/windows/security/threat-protection/microsoft-defender-atp/images/isolate-machine.png
index d3f1166d66..09b816dd70 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/isolate-machine.png and b/windows/security/threat-protection/microsoft-defender-atp/images/isolate-machine.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md b/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md
index 38b96e9451..174242a934 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md
@@ -1,5 +1,5 @@
 ---
-title: Deploy exploit protection mitigations across your organization
+title: Import, export, and deploy exploit protection configurations
 keywords: Exploit protection, mitigations, import, export, configure, emet, convert, conversion, deploy, install
 description: Use Group Policy to deploy mitigations configuration. You can also convert an existing EMET configuration and import it as an Exploit protection configuration.
 search.product: eADQiWindows 10XVcnh
diff --git a/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md
index 16b8d8a428..7c6f7bbc93 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md
@@ -26,7 +26,7 @@ ms.topic: article
 Initiate AutoIR investigation on a machine.
 
 >[!Note]
-> This page focuses on performing an automated investigation on a machine. See [Automated Investigation](automated-investigations.md) for more information.
+> This page focuses on performing an automated investigation on a machine. See [automated investigation](automated-investigations.md) for more information.
 
 ## Limitations
 1. The number of executions is limited (up to 5 calls per hour).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md
index eada51bd1c..fe9095c926 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md
@@ -54,7 +54,7 @@ The machine details section provides information such as the domain, OS, and hea
 Response actions run along the top of a specific machine page and include:
 
 - Manage tags
-- Initiate Automated Investigation
+- Initiate automated investigation
 - Initiate Live Response Session
 - Collect investigation package
 - Run antivirus scan
@@ -138,7 +138,7 @@ More details about certain events are provided in the **Additional information**
 - Active threat detected - the threat detection occurred while the threat was running
 - Remediation unsuccessful - an attempt to remediate the detected threat was invoked but failed
 - Remediation successful - the detected threat was stopped and cleaned
-- Warning bypassed by user - the SmartScreen warning was dismissed and overridden by a user
+- Warning bypassed by user - the Windows Defender SmartScreen warning was dismissed and overridden by a user
 - Suspicious script detected - a potentially malicious script was found running
 - The alert category - if the event led to the generation of an alert, the alert category  ("Lateral Movement", for example) is provided
 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md
index 0d0904ba75..c5b8407fc6 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md
@@ -1,6 +1,6 @@
 ---
 title: Set preferences for Microsoft Defender ATP for Mac
-description: Configure Microsoft Defender ATP for Mac in enterprises.
+description: Configure Microsoft Defender ATP for Mac in enterprise organizations.
 keywords: microsoft, defender, atp, mac, management, preferences, enterprise, intune, jamf, macos, catalina, mojave, high sierra
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
@@ -24,46 +24,48 @@ ms.topic: conceptual
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
 
 >[!IMPORTANT]
->This topic contains instructions for how to set preferences for Microsoft Defender ATP for Mac in enterprise environments. If you are interested in configuring the product on a device from the command-line, please refer to the [Resources](mac-resources.md#configuring-from-the-command-line) page.
+>This article contains instructions for how to set preferences for Microsoft Defender ATP for Mac in enterprise organizations. To configure Microsoft Defender ATP for Mac using the command-line interface, see the [Resources](mac-resources.md#configuring-from-the-command-line) page.
 
-In enterprise environments, Microsoft Defender ATP for Mac can be managed through a configuration profile. This profile is deployed from management tool of your choice. Preferences managed by the enterprise take precedence over the ones set locally on the device. In other words, users in your enterprise are not able to change preferences that are set through this configuration profile.
+## Summary
 
-This topic describes the structure of this profile (including a recommended profile that you can use to get started) and instructions for how to deploy the profile.
+In enterprise organizations, Microsoft Defender ATP for Mac can be managed through a configuration profile that is deployed by using one of several management tools. Preferences that are managed by your security operations team take precedence over preferences that are set locally on the device. Users in your organization are not able to change preferences that are set through the configuration profile.
+
+This article describes the structure of the configuration profile, includes a recommended profile that you can use to get started, and provides instructions on how to deploy the profile.
 
 ## Configuration profile structure
 
-The configuration profile is a .plist file that consists of entries identified by a key (which denotes the name of the preference), followed by a value, which depends on the nature of the preference. Values can either be simple (such as a numerical value) or complex, such as a nested list of preferences.
+The configuration profile is a *.plist* file that consists of entries identified by a key (which denotes the name of the preference), followed by a value, which depends on the nature of the preference. Values can either be simple (such as a numerical value) or complex, such as a nested list of preferences.
 
 >[!CAUTION]
 >The layout of the configuration profile depends on the management console that you are using. The following sections contain examples of configuration profiles for JAMF and Intune.
 
-The top level of the configuration profile includes product-wide preferences and entries for subareas of the product, which are explained in more detail in the next sections.
+The top level of the configuration profile includes product-wide preferences and entries for subareas of Microsoft Defender ATP, which are explained in more detail in the next sections.
 
 ### Antivirus engine preferences
 
-The *antivirusEngine* section of the configuration profile is used to manage the preferences of the antivirus component of the product.
+The *antivirusEngine* section of the configuration profile is used to manage the preferences of the antivirus component of Microsoft Defender ATP.
 
 |||
 |:---|:---|
-| **Domain** | com.microsoft.wdav |
+| **Domain** | `com.microsoft.wdav` |
 | **Key** | antivirusEngine |
 | **Data type** | Dictionary (nested preference) |
 | **Comments** | See the following sections for a description of the dictionary contents. |
 
 #### Enable / disable real-time protection
 
-Whether real-time protection (scan files as they are accessed) is enabled or not.
+Specify whether to enable real-time protection, which scans files as they are accessed.
 
 |||
 |:---|:---|
-| **Domain** | com.microsoft.wdav |
+| **Domain** | `com.microsoft.wdav` |
 | **Key** | enableRealTimeProtection |
 | **Data type** | Boolean |
 | **Possible values** | true (default) 
 false |
 
 #### Enable / disable passive mode
 
-Whether the antivirus engine runs in passive mode or not. In passive mode:
+Specify whether the antivirus engine runs in passive mode. Passive mode has the following implications: 
 - Real-time protection is turned off
 - On-demand scanning is turned on
 - Automatic threat remediation is turned off
@@ -72,7 +74,7 @@ Whether the antivirus engine runs in passive mode or not. In passive mode:
 
 |||
 |:---|:---|
-| **Domain** | com.microsoft.wdav |
+| **Domain** | `com.microsoft.wdav` |
 | **Key** | passiveMode |
 | **Data type** | Boolean |
 | **Possible values** | false (default) 
 true |
@@ -80,69 +82,69 @@ Whether the antivirus engine runs in passive mode or not. In passive mode:
 
 #### Scan exclusions
 
-Entities that have been excluded from the scan. Exclusions can be specified by full paths, extensions, or file names.
+Specify entities excluded from being scanned. Exclusions can be specified by full paths, extensions, or file names.
 
 |||
 |:---|:---|
-| **Domain** | com.microsoft.wdav |
+| **Domain** | `com.microsoft.wdav` |
 | **Key** | exclusions |
 | **Data type** | Dictionary (nested preference) |
 | **Comments** | See the following sections for a description of the dictionary contents. |
 
-**Type of exclusion**
+##### Type of exclusion
 
-Specifies the type of content excluded from the scan.
+Specify content excluded from being scanned by type.
 
 |||
 |:---|:---|
-| **Domain** | com.microsoft.wdav |
+| **Domain** | `com.microsoft.wdav` |
 | **Key** | $type |
 | **Data type** | String |
 | **Possible values** | excludedPath 
 excludedFileExtension 
 excludedFileName |
 
-**Path to excluded content**
+##### Path to excluded content
 
-Used to exclude content from the scan by full file path.
+Specify content excluded from being scanned by full file path.
 
 |||
 |:---|:---|
-| **Domain** | com.microsoft.wdav |
+| **Domain** | `com.microsoft.wdav` |
 | **Key** | path |
 | **Data type** | String |
 | **Possible values** | valid paths |
 | **Comments** | Applicable only if *$type* is *excludedPath* |
 
-**Path type (file / directory)**
+##### Path type (file / directory)
 
-Indicates if the *path* property refers to a file or directory. 
+Indicate if the *path* property refers to a file or directory. 
 
 |||
 |:---|:---|
-| **Domain** | com.microsoft.wdav |
+| **Domain** | `com.microsoft.wdav` |
 | **Key** | isDirectory |
 | **Data type** | Boolean |
 | **Possible values** | false (default) 
 true |
 | **Comments** | Applicable only if *$type* is *excludedPath* |
 
-**File extension excluded from the scan**
+##### File extension excluded from the scan
 
-Used to exclude content from the scan by file extension.
+Specify content excluded from being scanned by file extension.
 
 |||
 |:---|:---|
-| **Domain** | com.microsoft.wdav |
+| **Domain** | `com.microsoft.wdav` |
 | **Key** | extension |
 | **Data type** | String |
 | **Possible values** | valid file extensions |
 | **Comments** | Applicable only if *$type* is *excludedFileExtension* |
 
-**Name of excluded content**
+##### Name of excluded content
 
-Used to exclude content from the scan by file name.
+Specify content excluded from being scanned by file name.
 
 |||
 |:---|:---|
-| **Domain** | com.microsoft.wdav |
+| **Domain** | `com.microsoft.wdav` |
 | **Key** | name |
 | **Data type** | String |
 | **Possible values** | any string |
@@ -150,39 +152,39 @@ Used to exclude content from the scan by file name.
 
 #### Allowed threats
 
-List of threats (identified by their name) that are not blocked by the product and are instead allowed to run.
+Specify threats by name that are not blocked by Microsoft Defender ATP for Mac. These threats will be allowed to run.
 
 |||
 |:---|:---|
-| **Domain** | com.microsoft.wdav |
+| **Domain** | `com.microsoft.wdav` |
 | **Key** | allowedThreats |
 | **Data type** | Array of strings |
 
 #### Threat type settings
 
-The *threatTypeSettings* preference in the antivirus engine is used to control how certain threat types are handled by the product.
+Specify how certain threat types are handled by Microsoft Defender ATP for Mac.
 
 |||
 |:---|:---|
-| **Domain** | com.microsoft.wdav |
+| **Domain** | `com.microsoft.wdav` |
 | **Key** | threatTypeSettings |
 | **Data type** | Dictionary (nested preference) |
 | **Comments** | See the following sections for a description of the dictionary contents. |
 
-**Threat type**
+##### Threat type
 
-Type of the threat for which the behavior is configured.
+Specify threat types.
 
 |||
 |:---|:---|
-| **Domain** | com.microsoft.wdav |
+| **Domain** | `com.microsoft.wdav` |
 | **Key** | key |
 | **Data type** | String |
 | **Possible values** | potentially_unwanted_application 
 archive_bomb |
 
-**Action to take**
+##### Action to take
 
-Action to take when coming across a threat of the type specified in the preceding section. Can be:
+Specify what action to take when a threat of the type specified in the preceding section is detected. Choose from the following options:
 
 - **Audit**: your device is not protected against this type of threat, but an entry about the threat is logged.
 - **Block**: your device is protected against this type of threat and you are notified in the user interface and the security console.
@@ -190,40 +192,40 @@ Action to take when coming across a threat of the type specified in the precedin
 
 |||
 |:---|:---|
-| **Domain** | com.microsoft.wdav |
+| **Domain** | `com.microsoft.wdav` |
 | **Key** | value |
 | **Data type** | String |
 | **Possible values** | audit (default) 
 block 
 off |
 
-### Cloud delivered protection preferences
+### Cloud-delivered protection preferences
 
-The *cloudService* entry in the configuration profile is used to configure the cloud driven protection feature of the product.
+Configure the cloud-driven protection features of Microsoft Defender ATP for Mac.
 
 |||
 |:---|:---|
-| **Domain** | com.microsoft.wdav |
+| **Domain** | `com.microsoft.wdav` |
 | **Key** | cloudService |
 | **Data type** | Dictionary (nested preference) |
 | **Comments** | See the following sections for a description of the dictionary contents. |
 
-#### Enable / disable cloud delivered protection
+#### Enable / disable cloud-delivered protection
 
-Whether cloud delivered protection is enabled on the device or not. To improve the security of your services, we recommend keeping this feature turned on.
+Specify whether to enable cloud-delivered protection the device or not. To improve the security of your services, we recommend keeping this feature turned on.
 
 |||
 |:---|:---|
-| **Domain** | com.microsoft.wdav |
+| **Domain** | `com.microsoft.wdav` |
 | **Key** | enabled |
 | **Data type** | Boolean |
 | **Possible values** | true (default) 
 false |
 
 #### Diagnostic collection level
 
-Diagnostic data is used to keep Microsoft Defender ATP secure and up-to-date, detect, diagnose and fix problems, and also make product improvements. This setting determines the level of diagnostics sent by the product to Microsoft.
+Diagnostic data is used to keep Microsoft Defender ATP secure and up-to-date, detect, diagnose and fix problems, and also make product improvements. This setting determines the level of diagnostics sent by Microsoft Defender ATP to Microsoft.
 
 |||
 |:---|:---|
-| **Domain** | com.microsoft.wdav |
+| **Domain** | `com.microsoft.wdav` |
 | **Key** | diagnosticLevel |
 | **Data type** | String |
 | **Possible values** | optional (default) 
 required |
@@ -234,55 +236,88 @@ Determines whether suspicious samples (that are likely to contain threats) are s
 
 |||
 |:---|:---|
-| **Domain** | com.microsoft.wdav |
+| **Domain** | `com.microsoft.wdav` |
 | **Key** | automaticSampleSubmission |
 | **Data type** | Boolean |
 | **Possible values** | true (default) 
 false |
 
 ### User interface preferences
 
-The *userInterface* section of the configuration profile is used to manage the preferences of the user interface of the product.
+Manage the preferences for the user interface of Microsoft Defender ATP for Mac.
 
 |||
 |:---|:---|
-| **Domain** | com.microsoft.wdav |
+| **Domain** | `com.microsoft.wdav` |
 | **Key** | userInterface |
 | **Data type** | Dictionary (nested preference) |
 | **Comments** | See the following sections for a description of the dictionary contents. |
 
 #### Show / hide status menu icon
 
-Whether the status menu icon (shown in the top-right corner of the screen) is hidden or not.
+Specify whether to show or hide the status menu icon in the top-right corner of the screen.
 
 |||
 |:---|:---|
-| **Domain** | com.microsoft.wdav |
+| **Domain** | `com.microsoft.wdav` |
 | **Key** | hideStatusMenuIcon |
 | **Data type** | Boolean |
 | **Possible values** | false (default) 
 true |
 
-### EDR preferences
+### Endpoint detection and response preferences
 
-The *edr* section of the configuration profile is used to manage the preferences of the EDR component of the product.
+Manage the preferences of the endpoint detection and response (EDR) component of Microsoft Defender ATP for Mac.
 
 |||
 |:---|:---|
-| **Domain** | com.microsoft.wdav |
+| **Domain** | `com.microsoft.wdav` |
 | **Key** | edr |
 | **Data type** | Dictionary (nested preference) |
 | **Comments** | See the following sections for a description of the dictionary contents. |
 
 #### Enable / disable early preview
 
-Whether EDR early preview features are enabled or not.
+Specify whether to enable EDR early preview features.
 
 |||
 |:---|:---|
-| **Domain** | com.microsoft.wdav |
+| **Domain** | `com.microsoft.wdav` |
 | **Key** | earlyPreview |
 | **Data type** | Boolean |
 | **Possible values** | true (default) 
 false |
 
+#### Device tags
+
+Specify a tag name and its value. 
+
+|||
+|:---|:---|
+| **Domain** | `com.microsoft.wdav` |
+| **Key** | tags |
+| **Data type** | Dictionary (nested preference) |
+| **Comments** | See the following sections for a description of the dictionary contents. |
+
+##### Type of tag
+
+Specifies the type of tag
+
+|||
+|:---|:---|
+| **Domain** | `com.microsoft.wdav` |
+| **Key** | key |
+| **Data type** | String |
+| **Possible values** | `GROUP` |
+
+##### Value of tag
+
+Specifies the value of tag
+
+|||
+|:---|:---|
+| **Domain** | `com.microsoft.wdav` |
+| **Key** | value |
+| **Data type** | String |
+| **Possible values** | any string |
+
 ## Recommended configuration profile
 
 To get started, we recommend the following configuration profile for your enterprise to take advantage of all protection features that Microsoft Defender ATP provides.
@@ -291,8 +326,8 @@ The following configuration profile will:
 - Enable real-time protection (RTP)
 - Specify how the following threat types are handled:
   - **Potentially unwanted applications (PUA)** are blocked
-  - **Archive bombs** (file with a high compression rate) are audited to the product logs
-- Enable cloud delivered protection
+  - **Archive bombs** (file with a high compression rate) are audited to Microsoft Defender ATP logs
+- Enable cloud-delivered protection
 - Enable automatic sample submission
 
 ### JAMF profile
@@ -414,7 +449,7 @@ The following configuration profile will:
 
 ## Full configuration profile example
 
-The following configuration profile contains entries for all settings described in this document and can be used for more advanced scenarios where you want more control over the product.
+The following configuration profile contains entries for all settings described in this document and can be used for more advanced scenarios where you want more control over Microsoft Defender ATP for Mac.
 
 ### JAMF profile
 
@@ -615,10 +650,10 @@ Once you've built the configuration profile for your enterprise, you can deploy
 
 ### JAMF deployment
 
-From the JAMF console, open **Computers** > **Configuration Profiles**, navigate to the configuration profile you'd like to use, then select **Custom Settings**. Create an entry with *com.microsoft.wdav* as the preference domain and upload the .plist produced earlier.
+From the JAMF console, open **Computers** > **Configuration Profiles**, navigate to the configuration profile you'd like to use, then select **Custom Settings**. Create an entry with `com.microsoft.wdav` as the preference domain and upload the .plist produced earlier.
 
 >[!CAUTION]
->You must enter the correct preference domain (*com.microsoft.wdav*), otherwise the preferences will not be recognized by the product.
+>You must enter the correct preference domain (`com.microsoft.wdav`); otherwise, the preferences will not be recognized by Microsoft Defender ATP.
 
 ### Intune deployment
 
@@ -626,18 +661,18 @@ From the JAMF console, open **Computers** > **Configuration Profiles**, navigate
 
 2. Choose a name for the profile. Change **Platform=macOS** to **Profile type=Custom**. Select Configure.
 
-3. Save the .plist produced earlier as **com.microsoft.wdav.xml**.
+3. Save the .plist produced earlier as `com.microsoft.wdav.xml`.
 
-4. Enter **com.microsoft.wdav** as the **custom configuration profile name**.
+4. Enter `com.microsoft.wdav` as the **custom configuration profile name**.
 
-5. Open the configuration profile and upload **com.microsoft.wdav.xml**. This file was created in step 3.
+5. Open the configuration profile and upload the `com.microsoft.wdav.xml` file. (This file was created in step 3.)
 
 6. Select **OK**.
 
 7. Select **Manage** > **Assignments**. In the **Include** tab, select **Assign to All Users & All devices**.
 
 >[!CAUTION]
->You must enter the correct custom configuration profile name, otherwise these preferences will not be recognized by the product.
+>You must enter the correct custom configuration profile name; otherwise, these preferences will not be recognized by Microsoft Defender ATP.
 
 ## Resources
 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
index ad4bf7ef53..e35c4b95e5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
@@ -94,7 +94,7 @@ Important tasks, such as controlling product settings and triggering on-demand s
 |Protection   |Do a full scan                             |`mdatp --scan --full`                                                  |
 |Protection   |Cancel an ongoing on-demand scan           |`mdatp --scan --cancel`                                                |
 |Protection   |Request a security intelligence update     |`mdatp --definition-update`                                            |
-|EDR          |Turn on/off EDR preview for Mac            |`mdatp --edr --early-preview [true/false]`                                   |
+|EDR          |Turn on/off EDR preview for Mac            |`mdatp --edr --early-preview [true/false]` OR `mdatp --edr --earlyPreview [true/false]` for versions earlier than 100.78.0                                |
 |EDR          |Add group tag to machine. EDR tags are used for managing machine groups. For more information, please visit https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups |`mdatp --edr --set-tag GROUP [name]` |
 |EDR          |Remove group tag from machine              |`mdatp --edr --remove-tag [name]`                                            |
 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md b/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md
index 22efe55158..adc8b53f70 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md
@@ -34,21 +34,28 @@ Section | Description
 2 | Machine summary (current day)
  
  
- 
+## Machine trends 
 By default, the machine trends displays machine information from the 30-day period ending in the latest full day. To gain better perspective on trends occurring in your organization, you can fine-tune the reporting period by adjusting the time period shown. To adjust the time period, select a time range from the drop-down options:
  
 - 30 days
 - 3 months
 - 6 months
 - Custom
- 
-While the machines trends shows trending machine information, the machine summary shows machine information scoped to the current day.
+
+>[!NOTE]
+>These filters are only applied on the machine trends section. It doesn't affect the machine summary section.
+
+## Machine summary 
+While the machines trends shows trending machine information, the machine summary shows machine information scoped to the current day. 
+
+>[!NOTE]
+>The data reflected in the summary section is scoped to 180 days prior to the current date. For example if today's date is March 27, 2019, the data on the summary section will reflect numbers starting from September 28, 2018 to March 27, 2019.

+> The filter applied on the trends section is not applied on the summary section. 
  
 The machine trends section allows you to drill down to the machines list with the corresponding filter applied to it. For example, clicking on the Inactive bar in the Sensor health state card will bring you the machines list with results showing only machines whose sensor status is inactive. 
  
  
  
- 
 ## Machine attributes
 The report is made up of cards that display the following machine attributes:
  
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md b/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md
index 3d3a959ecb..608409befc 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md
@@ -26,6 +26,9 @@ You can add tags on machines using the following ways:
 - Using the portal
 - Setting a registry key value
 
+>[!NOTE]
+>There may be some latency between the time a tag is added to a machine and its availability in the machines list and machine page.  
+
 To add machine tags using API, see [Add or remove machine tags API](add-or-remove-machine-tags.md).
 
 ## Add and manage machine tags using the portal
@@ -78,3 +81,4 @@ Use the following registry key entry to add a tag on a machine:
 
 >[!NOTE]
 >The device tag is part of the machine information report that's generated once a day. As an alternative, you may choose to restart the endpoint that would transfer a new machine information report.
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine.md b/windows/security/threat-protection/microsoft-defender-atp/machine.md
index c7a7c7bf2b..a4227c1113 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/machine.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/machine.md
@@ -21,7 +21,7 @@ ms.topic: article
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
 
-# Methods
+## Methods
 Method|Return Type |Description
 :---|:---|:---
 [List machines](get-machines.md) | [machine](machine.md) collection | List set of [machine](machine.md) entities in the org.
@@ -31,7 +31,7 @@ Method|Return Type |Description
 [Add or Remove machine tags](add-or-remove-machine-tags.md) | [machine](machine.md) | Add or Remove tag to a specific machine.
 [Find machines by IP](find-machines-by-ip.md) | [machine](machine.md) collection | Find machines seen with IP.
 
-# Properties
+## Properties
 Property |	Type	|	Description
 :---|:---|:---
 id | String | [machine](machine.md) identity.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machineactionsnote.md b/windows/security/threat-protection/microsoft-defender-atp/machineactionsnote.md
index 9d587e1cfb..23f85143c5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/machineactionsnote.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/machineactionsnote.md
@@ -1,11 +1,15 @@
 ---
+title: Perform a Machine Action via the Microsoft Defender ATP API
+description: This page focuses on performing a machine action via the Microsoft Defender Advanced Threat Protection (MDATP) API.
 ms.date: 08/28/2017
 ms.reviewer: 
 manager: dansimp
 ms.author: macapara
 author: mjcaparas
 ms.prod: w10
-title: Note
 ---
+
+# Perform a Machine Action via the Microsoft Defender ATP API
+
 >[!Note]
 > This page focuses on performing a machine action via API. See [take response actions on a machine](respond-machine-alerts.md) for more information about response actions functionality via Microsoft Defender ATP.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
index 1521bb3b89..87208d5142 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
@@ -18,7 +18,7 @@ ms.topic: conceptual
 ---
 
 # Learn about the automated investigations dashboard
-By default, the Automated investigations list displays investigations initiated in the last week. You can also choose to select other time ranges from the drop-down menu or specify a custom range. 
+By default, the automated investigations list displays investigations initiated in the last week. You can also choose to select other time ranges from the drop-down menu or specify a custom range. 
 
 >[!NOTE]
 >If your organization has implemented role-based access to manage portal access, only authorized users or user groups who have permission to view the machine or machine group will be able to view the entire investigation. 
@@ -31,14 +31,14 @@ From this view, you can also download the entire list in CSV format using the **
 
  
 **Filters**

-You can use the following operations to customize the list of Automated investigations displayed:
+You can use the following operations to customize the list of automated investigations displayed:
 
 
 **Triggering alert**

-The alert the initiated the Automated investigation.
+The alert the initiated the automated investigation.
 
 **Status**

-An Automated investigation can be in one of the following status:
+An automated investigation can be in one of the following status:
 
 Status | Description
 :---|:---
@@ -57,26 +57,26 @@ Status | Description
 
 
 **Detection source**

-Source of the alert that initiated the Automated investigation. 
+Source of the alert that initiated the automated investigation. 
 
 **Threat**

-The category of threat detected during the Automated investigation.
+The category of threat detected during the automated investigation.
 
 
 **Tags**

-Filter using manually added tags that capture the context of an Automated investigation.
+Filter using manually added tags that capture the context of an automated investigation.
 
 **Machines**

-You can filter the Automated investigations list to zone in a specific machine to see other investigations related to the machine.
+You can filter the automated investigations list to zone in a specific machine to see other investigations related to the machine.
 
 **Machine groups**

 Apply this filter to see specific machine groups that you might have created.
 
 **Comments**

-Select between filtering the list between Automated investigations that have comments and those that don't.
+Select between filtering the list between automated investigations that have comments and those that don't.
 
-## Analyze Automated investigations 
-You can view the details of an Automated investigation to see information such as the investigation graph, alerts associated with the investigation, the machine that was investigated, and other information.
+## Analyze automated investigations 
+You can view the details of an automated investigation to see information such as the investigation graph, alerts associated with the investigation, the machine that was investigated, and other information.
 
 In this view, you'll see the name of the investigation, when it started and ended. 
 
@@ -102,7 +102,7 @@ You'll also have access to the following sections that help you see details of t
 - Investigation graph
 - Alerts
 - Machines
-- Key findings
+- Evidence
 - Entities
 - Log
 - Pending actions
@@ -118,14 +118,14 @@ You'll also have access to the following sections that help you see details of t
 In any of the sections, you can customize columns to further expand to limit the details you see in a section.
 
 ### Investigation graph
-The investigation graph provides a graphical representation of an Automated investigation. All investigation related information is simplified and arranged in specific sections. Clicking on any of the icons brings you the relevant section where you can view more information.
+The investigation graph provides a graphical representation of an automated investigation. All investigation related information is simplified and arranged in specific sections. Clicking on any of the icons brings you the relevant section where you can view more information.
 
 ### Alerts
-Shows details such as a short description of the alert that initiated the Automated investigation, severity, category, the machine associated with the alert, user, time in queue, status, investigation state, and who the investigation is assigned to. 
+Shows details such as a short description of the alert that initiated the automated investigation, severity, category, the machine associated with the alert, user, time in queue, status, investigation state, and who the investigation is assigned to. 
 
-Additional alerts seen on a machine can be added to an Automated investigation as long as the investigation is ongoing. 
+Additional alerts seen on a machine can be added to an automated investigation as long as the investigation is ongoing. 
 
-Selecting an alert using the check box brings up the alerts details pane where you have the option of opening the alert page, manage the alert by changing its status, see alert details, Automated investigation details, related machine, logged-on users, and comments and history. 
+Selecting an alert using the check box brings up the alerts details pane where you have the option of opening the alert page, manage the alert by changing its status, see alert details, automated investigation details, related machine, logged-on users, and comments and history. 
 
 Clicking on an alert title brings you the alert page.
 
@@ -138,7 +138,7 @@ Selecting a machine using the checkbox brings up the machine details pane where
 
 Clicking on an machine name brings you the machine page.
 
-### Key findings
+### Evidence
 Shows details related to threats associated with this investigation. 
 
 ### Entities
@@ -158,11 +158,11 @@ This tab is only displayed when an investigation is complete and shows all pendi
 
 
 ## Pending actions
-If there are pending actions on an Automated investigation, you'll see a pop up similar to the following image. 
+If there are pending actions on an automated investigation, you'll see a pop up similar to the following image. 
 
 ![Image of pending actions](images/pending-actions.png)
 
-When you click on the pending actions link, you'll be taken to the Action center. You can also navigate to the page from the navigation page by going to **Automated investigation** > **Action center**. For more information, see [Action center](auto-investigation-action-center.md).
+When you click on the pending actions link, you'll be taken to the Action center. You can also navigate to the page from the navigation page by going to **automated investigation** > **Action center**. For more information, see [Action center](auto-investigation-action-center.md).
 
  
 ## Related topic
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md
index d006defd48..ed62718fa4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md
@@ -106,9 +106,8 @@ When you add an indicator hash for a file, you can choose to raise an alert and
 
 Files automatically blocked by an indicator won't show up in the files's Action center, but the alerts will still be visible in the Alerts queue.
 
-
-## Create indicators for IPs and URLs/domains
-Microsoft Defender ATP can block what Microsoft deems as malicious IPs/URLs through SmartScreen for Microsoft browsers and Network Protection for non-Microsoft browsers and calls made outside the browser.
+## Create indicators for IPs and URLs/domains (preview)
+Microsoft Defender ATP can block what Microsoft deems as malicious IPs/URLs, through Windows Defender SmartScreen for Microsoft browsers, and through Network Protection for non-Microsoft browsers or calls made outside of a browser.
 
 The threat intelligence data set for this has been managed by Microsoft.
 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-suppression-rules.md b/windows/security/threat-protection/microsoft-defender-atp/manage-suppression-rules.md
index 1d178278d5..04bb26271d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-suppression-rules.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-suppression-rules.md
@@ -27,13 +27,13 @@ There might be scenarios where you need to suppress alerts from appearing in the
 
 You can view a list of all the suppression rules and manage them in one place. You can also turn an alert suppression rule on or off.
 
-## Turn a suppression rule on or off
 
 1. In the navigation pane, select **Settings** > **Alert suppression**. The list of suppression rules that users in your organization have created is displayed.
 
 2. Select a rule by clicking on the check-box beside the rule name.
 
-3. Click **Turn rule on** or **Turn rule off**.
+3. Click **Turn rule on**, **Edit rule**, or  **Delete rule**. When making changes to a rule, you can choose to release alerts that it has already suppressed, regardless whether or not these alerts match the new criteria. 
+
 
 ## View details of a suppression rule
 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md
index c64de21b8c..6cad2a8034 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md
@@ -23,7 +23,7 @@ ms.topic: conceptual
 This topic describes how to install, configure, update, and use Microsoft Defender ATP for Mac.
 
 > [!CAUTION]
-> Running other third-party endpoint protection products alongside Microsoft Defender ATP for Mac is likely to lead to performance problems and unpredictable side effects.
+> Running other third-party endpoint protection products alongside Microsoft Defender ATP for Mac is likely to lead to performance problems and unpredictable side effects. If non-Microsoft endpoint protection is an absolute requirement in your environment, you can still safely take advantage of MDATP for Mac EDR functionality after configuring MDATP for Mac antivirus functionality to run in [Passive mode](mac-preferences.md#enable--disable-passive-mode).
 
 ## What’s new in the latest release
 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
index e9723fa61e..1625a62968 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
@@ -37,6 +37,7 @@ Microsoft Defender Advanced Threat Protection requires one of the following Micr
 - Windows 10 Enterprise E5
 - Windows 10 Education E5
 - Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5
+- Microsoft 365 A5 (M365 A5)
 
 
 For more information on the array of features in Windows 10 editions, see [Compare Windows 10 editions](https://www.microsoft.com/windowsforbusiness/compare).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md
index eb4b64456b..6c0c0b5d21 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md
@@ -10,22 +10,24 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 audience: ITPro
-author: levinec
-ms.author: ellevin
+author: denisebmsft
+ms.author: deniseb
 ms.date: 04/30/2019
 ms.reviewer: 
 manager: dansimp
+ms.custom: asr
+
 ---
 
 # Protect your network
 
 **Applies to:**
 
-* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
 Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
 
-It expands the scope of [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md) to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname).
+Network protection expands the scope of [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md) to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname).
 
 Network protection is supported beginning with Windows 10, version 1709.
 
@@ -75,7 +77,8 @@ You can review the Windows event log to see events that are created when network
    1125 | Event when network protection fires in audit mode
    1126 | Event when network protection fires in block mode
 
-## Related topics
+## Related articles
 
-[Evaluate network protection](evaluate-network-protection.md) | Undertake a quick scenario that demonstrate how the feature works, and what events would typically be created.
-[Enable network protection](enable-network-protection.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage network protection in your network.
+- [Evaluate network protection](evaluate-network-protection.md) | Undertake a quick scenario that demonstrate how the feature works, and what events would typically be created.
+
+- [Enable network protection](enable-network-protection.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage network protection in your network.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
index eecae45f38..98d455063a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
@@ -21,6 +21,8 @@ ms.topic: conceptual
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) 
+
 Effectively identifying, assessing, and remediating endpoint weaknesses is pivotal in running a healthy security program and reducing organizational risk. Threat & Vulnerability Management serves as an infrastructure for reducing organizational exposure, hardening endpoint surface area, and increasing organizational resilience. 
 
 It helps organizations discover vulnerabilities and misconfigurations in real-time, based on sensors, without the need of agents or periodic scans. It prioritizes vulnerabilities based on the threat landscape, detections in your organization, sensitive information on vulnerable devices, and business context.
@@ -58,6 +60,7 @@ Microsoft Defender ATP’s Threat & Vulnerability Management allows security adm
 - Real-time remediation status. Microsoft Defender ATP provides real-time monitoring of the status and progress of remediation activities across the organization.
 
 ## Related topics
+- [Supported operating systems and platforms](tvm-supported-os.md)
 - [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
 - [Exposure score](tvm-exposure-score.md)
 - [Configuration score](configuration-score.md)
@@ -66,3 +69,4 @@ Microsoft Defender ATP’s Threat & Vulnerability Management allows security adm
 - [Software inventory](tvm-software-inventory.md)
 - [Weaknesses](tvm-weaknesses.md)
 - [Scenarios](threat-and-vuln-mgt-scenarios.md)
+- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt b/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt
index ffdde6dfa0..c4263e9958 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt
+++ b/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt
@@ -343,7 +343,7 @@
 ###### [Get access with user context](exposed-apis-create-app-nativeapp.md)
 
 ##### [APIs]()
-###### [Supported Microsoft Defender ATP query APIs](exposed-apis-list.md)
+###### [Supported Microsoft Defender ATP APIs](exposed-apis-list.md)
 ###### [Advanced Hunting](run-advanced-query-api.md)
 
 ###### [Alert]()
diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md
index eeaaedc402..f67f450978 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md
@@ -15,6 +15,7 @@ ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
+ms.custom: asr
 ms.topic: conceptual
 ---
 
@@ -25,12 +26,12 @@ ms.topic: conceptual
 
 Reduce your attack surfaces by minimizing the places where your organization is vulnerable to cyberthreats and attacks. Use the following resources to configure protection for the devices and applications in your organization.
 
-Article | Description
--|-
-[Hardware-based isolation](../windows-defender-application-guard/wd-app-guard-overview.md) | Protect and maintain the integrity of a system as it starts and while it's running. Validate system integrity through local and remote attestation. And, use container isolation for Microsoft Edge to help guard against malicious websites.
-[Application control](../windows-defender-application-control/windows-defender-application-control.md) | Use application control so that your applications must earn trust in order to run.
-[Exploit protection](./exploit-protection.md) |Help protect operating systems and apps your organization uses from being exploited. Exploit protection also works with third-party antivirus solutions.
-[Network protection](./network-protection.md) |Extend protection to your network traffic and connectivity on your organization's devices. (Requires Windows Defender Antivirus) | 
-[Controlled folder access](./controlled-folders.md) | Help prevent malicious or suspicious apps (including file-encrypting ransomware malware) from making changes to files in your key system folders (Requires Windows Defender Antivirus)
-[Attack surface reduction](./attack-surface-reduction.md) |Reduce vulnerabilities (attack surfaces) in your applications with intelligent rules that help stop malware. (Requires Windows Defender Antivirus)
-[Network firewall](../windows-firewall/windows-firewall-with-advanced-security.md) |Prevent unauthorized traffic from flowing to or from your organization's devices with two-way network traffic filtering.
+|Article | Description |
+|-------|------|
+|[Hardware-based isolation](../windows-defender-application-guard/wd-app-guard-overview.md) | Protect and maintain the integrity of a system as it starts and while it's running. Validate system integrity through local and remote attestation. And, use container isolation for Microsoft Edge to help guard against malicious websites. |
+|[Application control](../windows-defender-application-control/windows-defender-application-control.md) | Use application control so that your applications must earn trust in order to run. |
+|[Exploit protection](./exploit-protection.md) |Help protect operating systems and apps your organization uses from being exploited. Exploit protection also works with third-party antivirus solutions. |
+|[Network protection](./network-protection.md) |Extend protection to your network traffic and connectivity on your organization's devices. (Requires Windows Defender Antivirus) | 
+|[Controlled folder access](./controlled-folders.md) | Help prevent malicious or suspicious apps (including file-encrypting ransomware malware) from making changes to files in your key system folders (Requires Windows Defender Antivirus) |
+|[Attack surface reduction](./attack-surface-reduction.md) |Reduce vulnerabilities (attack surfaces) in your applications with intelligent rules that help stop malware. (Requires Windows Defender Antivirus) |
+|[Network firewall](../windows-firewall/windows-firewall-with-advanced-security.md) |Prevent unauthorized traffic from flowing to or from your organization's devices with two-way network traffic filtering. |
diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md
index 13b9cef73c..03e0f5ca62 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md
@@ -25,7 +25,7 @@ ms.topic: conceptual
 
 With custom detections, you can proactively monitor for and respond to various events and system states, including suspected breach activity and misconfigured machines. This is made possible by customizable detection rules that automatically trigger alerts as well as response actions.
 
-Custom detections work with [Advanced hunting](advanced-hunting-overview.md), which provides a powerful, flexible query language that covers a broad set of event and system information from your network. The queries run every 24 hours, generating alerts and taking response actions whenever there are matches.
+Custom detections work with [Advanced hunting](advanced-hunting-overview.md), which provides a powerful, flexible query language that covers a broad set of event and system information from your network. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches.
 
 Custom detections provide:
 - Alerts for rule-based detections built from Advanced hunting queries
diff --git a/windows/security/threat-protection/microsoft-defender-atp/prerelease.md b/windows/security/threat-protection/microsoft-defender-atp/prerelease.md
index db44e6fc9c..7d769b0dd4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/prerelease.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/prerelease.md
@@ -1,12 +1,15 @@
 ---
+title: Microsoft Defender ATP Pre-release Disclaimer
+description: Disclaimer for pre-release version of Microsoft Defender ATP.
 ms.date: 08/28/2017
 ms.reviewer: 
 manager: dansimp
 ms.author: macapara
 author: mjcaparas
 ms.prod: w10
-title: "Prerelease"
 ---
 
->[!IMPORTANT]
->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+# Microsoft Defender ATP Pre-release Disclaimer
+
+> [!IMPORTANT]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview.md b/windows/security/threat-protection/microsoft-defender-atp/preview.md
index 6d4a1e101e..7173007d17 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/preview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/preview.md
@@ -42,7 +42,7 @@ Turn on the preview experience setting to be among the first to try upcoming fea
 ## Preview features
 The following features are included in the preview release:
 
-- [Endpoint detection and response for Mac devices](endpoint-detection-response-mac-preview.md). Recently, [Microsoft Defender ATP for Mac](microsoft-defender-atp-mac.md) released. Expanding on the protection available in Microsoft Defender ATP for Mac, endpoint detection and response capabilities are now in preview. 
+ - [Threat & Vulnerability supported operating systems and platforms](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os) 
Ensure that you meet the operating system or platform requisites for Threat & Vulnerability Management so the activities in your devices are properly accounted for. Threat & Vulnerability Management supports Windows 7, Windows 10 1607-1703, Windows 10 1709+, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019.
 
 - [Threat & Vulnerability Management Report inaccuracy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy) 
 You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated [security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy), [software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory#report-inaccuracy), and [discovered vulnerabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses#report-inaccuracy).  
  
diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md
index 7f28e73b98..a617060626 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md
@@ -1,5 +1,5 @@
 ---
-title: Stream Microsoft Defender Advanced Threat Protection events. 
+title: Stream Microsoft Defender Advanced Threat Protection events to Azure Event Hubs 
 description: Learn how to configure Microsoft Defender ATP to stream Advanced Hunting events to your Event Hub.
 keywords: raw data export, streaming API, API, Azure Event Hubs, Azure storage, storage account, Advanced Hunting, raw data sharing
 search.product: eADQiWindows 10XVcnh
diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md
index 3b08db0a4f..f0c242ed3a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md
@@ -1,5 +1,5 @@
 ---
-title: Stream Microsoft Defender Advanced Threat Protection events. 
+title: Stream Microsoft Defender Advanced Threat Protection events to your Storage account
 description: Learn how to configure Microsoft Defender ATP to stream Advanced Hunting events to your Storage account.
 keywords: raw data export, streaming API, API, Event Hubs, Azure storage, storage account, Advanced Hunting, raw data sharing
 search.product: eADQiWindows 10XVcnh
diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md
index 34d1296ea7..b7fa2c549d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md
@@ -78,6 +78,10 @@ This action takes effect on machines with Windows 10, version 1703 or later, whe
     - **Alerts** - click the corresponding links from the Description or Details in the Artifact timeline
     - **Search box** - select **File** from the drop–down menu and enter the file name
 
+
+    >[!NOTE]
+    >The stop and quarantine file action is limited to a maximum of 1000 machines. To stop a file on a larger number of machines, see [Add indicator to block or allow file](#add-indicator-to-block-or-allow-a-file).
+
 2. Go to the top bar and select **Stop and Quarantine File**.
 
     ![Image of stop and quarantine file action](images/atp-stop-quarantine-file.png)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md
index 5430c0d17a..6a3f13571d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md
@@ -157,7 +157,7 @@ Depending on the severity of the attack and the sensitivity of the machine, you
 
 This machine isolation feature disconnects the compromised machine from the network while retaining connectivity to the Microsoft Defender ATP service, which continues to monitor the machine.
 
-On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can also choose to enable Outlook and Skype for Business connectivity (a.k.a 'Selective Isolation').
+On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can also choose to enable Outlook, Microsoft Teams, and Skype for Business connectivity (a.k.a 'Selective Isolation').
 
 >[!NOTE]
 >You’ll be able to reconnect the machine back to the network at any time. The button on the machine page will change to say **Release from isolation**, and then you take the same steps as isolating the machine.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md
index 079a79034a..8dc833cda8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md
@@ -19,15 +19,14 @@ ms.topic: article
 
 # Advanced hunting API
 
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-This API allows you to run programmatic queries that you are used to running from [Microsoft Defender ATP Portal](https://securitycenter.windows.com/hunting).
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
 
 ## Limitations
-1. You can only run a query on data from the last 30 days
-2. The results will include a maximum of 10,000 rows
-3. The number of executions is limited (up to 15 calls per minute, 15 minutes of running time every hour and 4 hours of running time a day)
+1. You can only run a query on data from the last 30 days.
+2. The results will include a maximum of 100,000 rows.
+3. The number of executions is limited per tenant: up to 15 calls per minute, 15 minutes of running time every hour and 4 hours of running time a day.
 4. The maximal execution time of a single request is 10 minutes.
 
 ## Permissions
@@ -126,24 +125,7 @@ Content-Type: application/json​
 }
 ```
 
-## Troubleshoot issues
-
-- Error: (403) Forbidden / (401) Unauthorized
-
-
-~~~
-If you get this error when calling Microsoft Defender ATP API, your token might not include the necessary permission.
-
-Check [app permissions](exposed-apis-create-app-webapp.md#validate-the-token) or [delegated permissions](exposed-apis-create-app-nativeapp.md#validate-the-token) included in your token.
-
-If the 'roles' section in the token does not include the necessary permission: 
-
-- The necessary permission to your app might not have been granted. For more information, see [Access Microsoft Defender ATP without a user](exposed-apis-create-app-webapp.md#create-an-app) or [Access Microsoft Defender ATP on behalf of a user](exposed-apis-create-app-nativeapp.md#create-an-app) or,
-- The app was not authorized in the tenant, see [Application consent](exposed-apis-create-app-webapp.md#application-consent).
-~~~
-
-
 ## Related topic
-- [Microsoft Defender ATP APIs](apis-intro.md)
+- [Microsoft Defender ATP APIs introduction](apis-intro.md)
 - [Advanced Hunting from Portal](advanced-hunting-query-language.md)
 - [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md
index a5c71022b4..e33a799eb0 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md
@@ -1,5 +1,5 @@
 ---
-title: Advanced Hunting API
+title: Advanced Hunting with Powershell API Basics
 ms.reviewer: 
 description: Use this API to run advanced queries
 keywords: apis, supported apis, advanced hunting, query
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md
index 69056ed0d0..f8b07f534c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md
@@ -1,5 +1,5 @@
 ---
-title: Advanced Hunting API
+title: Advanced Hunting with Python API Guide
 ms.reviewer: 
 description: Use this API to run advanced queries
 keywords: apis, supported apis, advanced hunting, query
diff --git a/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md b/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md
index 75423bc86d..1ac2ee7415 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md
@@ -184,10 +184,9 @@ You can take the following actions to increase the overall security score of you
 * Turn on  Microsoft Defender AG on compatible machines
 * Turn on managed mode
 
-
 For more information, see [Microsoft Defender Application Guard overview](../windows-defender-application-guard/wd-app-guard-overview.md).
 
-### Windows  Defender SmartScreen optimization
+### Windows Defender SmartScreen optimization
 
 A well-configured machine complies to a minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Microsoft Defender SmartScreen.
 
@@ -202,22 +201,22 @@ A well-configured machine complies to a minimum baseline configuration setting.
 The following settings must be configured with the following settings:
 
 * Check apps and files: **Warn** or **Block**
-* SmartScreen for Microsoft Edge: **Warn** or **Block**
-* SmartScreen for Microsoft store apps: **Warn** or **Off**
+* Microsoft Defender SmartScreen for Microsoft Edge: **Warn** or **Block**
+* Microsoft Defender SmartScreen for Microsoft store apps: **Warn** or **Off**
 
 You can take the following actions to increase the overall security score of your organization:
 
 - Set **Check app and files** to **Warn** or **Block**
-- Set **SmartScreen for Microsoft Edge** to **Warn** or **Block**
-- Set **SmartScreen for Microsoft store apps** to **Warn** or **Off**
+- Set **Windows Defender SmartScreen for Microsoft Edge** to **Warn** or **Block**
+- Set **Windows Defender SmartScreen for Microsoft store apps** to **Warn** or **Off**
 
 For more information, see [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md).
 
 * Set **Check app and files** to **Warn** or **Block**
-* Set **SmartScreen for Microsoft Edge** to **Warn** or **Block**
-* Set **SmartScreen for Microsoft store apps** to **Warn** or **Off**
+* Set **Windows Defender SmartScreen for Microsoft Edge** to **Warn** or **Block**
+* Set **Windows Defender SmartScreen for Microsoft store apps** to **Warn** or **Off**
 
-For more information, see [Microsoft Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md).
+For more information, see [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md).
 
 ### Windows Defender Firewall optimization
 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
index df00947476..4e6d6f4292 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
@@ -21,6 +21,10 @@ ms.topic: article
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) 
+
+[!include[Prerelease information](prerelease.md)]
+
 ## Before you begin
 Ensure that your machines:
 - Are onboarded to Microsoft Defender Advanced Threat Protection
@@ -179,6 +183,7 @@ ComputerName=any(ComputerName) by MachineId, AlertId
 ```
 
 ## Related topics
+- [Supported operating systems and platforms](tvm-supported-os.md)
 - [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
 - [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
 - [Exposure score](tvm-exposure-score.md)
@@ -189,3 +194,4 @@ ComputerName=any(ComputerName) by MachineId, AlertId
 - [Weaknesses](tvm-weaknesses.md)
 - [Advanced hunting overview](overview-hunting.md)
 - [All Advanced hunting tables](advanced-hunting-reference.md)
+- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-reports.md b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-reports.md
index 7a7e652415..8d109610de 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-reports.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-reports.md
@@ -34,7 +34,7 @@ Section | Description
 1 | Alerts trends
 2 | Alert summary
 
-
+## Alert trends
 By default, the alert trends display alert information from the 30-day period ending in the latest full day. To gain better perspective on trends occurring in your organization, you can fine-tune the reporting period by adjusting the time period shown. To adjust the time period, select a time range from the drop-down options:
 
 - 30 days
@@ -42,11 +42,18 @@ By default, the alert trends display alert information from the 30-day period en
 - 6 months
 - Custom
 
+>[!NOTE]
+>These filters are only applied on the alert trends section. It doesn't affect the alert summary section.
+
+
+## Alert summary
 While the alert trends shows trending alert information, the alert summary shows alert information scoped to the current day.
 
  The alert summary allows you to drill down to a particular alert queue with the corresponding filter applied to it. For example, clicking on the EDR bar in the Detection sources card will bring you the alerts queue with results showing only alerts generated from EDR detections. 
 
-
+>[!NOTE]
+>The data reflected in the summary section is scoped to 180 days prior to the current date. For example if today's date is November 5, 2019, the data on the summary section will reflect numbers starting from May 5, 2019 to November 5, 2019.

+> The filter applied on the trends section is not applied on the summary section. 
 
 ## Alert attributes
 The report is made up of cards that display the following alert attributes:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md b/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md
index 1c38ae5395..28e3bd225c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md
@@ -32,7 +32,7 @@ Method|Return Type |Description
 
 For more information on creating indicators, see [Manage indicators](manage-indicators.md).
 
-# Properties
+## Properties
 Property |	Type	|	Description
 :---|:---|:---
 indicatorValue | String | Identity of the [Indicator](ti-indicator.md) entity.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md
index dc8f75b9f2..963402fe1d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md
@@ -1,6 +1,6 @@
 ---
 title: Troubleshoot problems with attack surface reduction rules
-description: Check pre-requisites, use audit mode, add exclusions, or collect diagnostic data to help troubleshoot issues
+description: Check prerequisites, use audit mode, add exclusions, or collect diagnostic data to help troubleshoot issues
 keywords: troubleshoot, error, fix, windows defender eg, asr, rules, hips, troubleshoot, audit, exclusion, false positive, broken, blocking
 search.product: eADQiWindows 10XVcnh
 ms.pagetype: security
@@ -10,11 +10,12 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 audience: ITPro
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
 ms.date: 03/27/2019
 ms.reviewer: 
 manager: dansimp
+ms.custom: asr
 ---
 
 # Troubleshoot attack surface reduction rules
@@ -23,48 +24,56 @@ manager: dansimp
 
 * [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-When you use [attack surface reduction rules](attack-surface-reduction.md) you may encounter issues, such as:
+When you use [attack surface reduction rules](attack-surface-reduction.md) you may run into issues, such as:
 
-* A rule blocks a file, process, or performs some other action that it should not (false positive)
-* A rule does not work as described, or does not block a file or process that it should (false negative)
+- A rule blocks a file, process, or performs some other action that it should not (false positive)
+
+- A rule does not work as described, or does not block a file or process that it should (false negative)
 
 There are four steps to troubleshooting these problems:
 
-1. Confirm prerequisites
-2. Use audit mode to test the rule
-3. Add exclusions for the specified rule (for false positives)
-4. Submit support logs
+1. [Confirm prerequisites](#confirm-prerequisites)
+
+2. [Use audit mode to test the rule](#use-audit-mode-to-test-the-rule)
+
+3. [Add exclusions for the specified rule](#add-exclusions-for-a-false-positive) (for false positives)
+
+4. [Submit support logs](#collect-diagnostic-data-for-file-submissions)
 
 ## Confirm prerequisites
 
 Attack surface reduction rules will only work on devices with the following conditions:
 
-> [!div class="checklist"]
-> * Endpoints are running Windows 10 Enterprise, version 1709 (also known as the Fall Creators Update).
-> * Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
-> * [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled.
-> * Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
+- Endpoints are running Windows 10 Enterprise, version 1709 (also known as the Fall Creators Update).
 
-If these pre-requisites have all been met, proceed to the next step to test the rule in audit mode.
+- Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
+
+- [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled.
+
+- Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
+
+If these prerequisites have all been met, proceed to the next step to test the rule in audit mode.
 
 ## Use audit mode to test the rule
 
-You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm attack surface reduction rules are generally working for pre-configured scenarios and processes on a device, or you can use audit mode, which enables rules for reporting only.
+You can visit the Windows Defender Test ground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm attack surface reduction rules are generally working for pre-configured scenarios and processes on a device, or you can use audit mode, which enables rules for reporting only.
 
 Follow these instructions in [Use the demo tool to see how attack surface reduction rules work](evaluate-attack-surface-reduction.md) to test the specific rule you are encountering problems with.
 
 1. Enable audit mode for the specific rule you want to test. Use Group Policy to set the rule to **Audit mode** (value: **2**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md). Audit mode allows the rule to report the file or process, but will still allow it to run.
-2. Perform the activity that is causing an issue (for example, open or execute the file or process that should be blocked but is being allowed).
-3. [Review the attack surface reductio rule event logs](attack-surface-reduction.md) to see if the rule would have blocked the file or process if the rule had been set to **Enabled**.
 
->
->If a rule is not blocking a file or process that you are expecting it should block, first check if audit mode is enabled.
->
->Audit mode may have been enabled for testing another feature, or by an automated PowerShell script, and may not have been disabled after the tests were completed.
+2. Perform the activity that is causing an issue (for example, open or execute the file or process that should be blocked but is being allowed).
+
+3. [Review the attack surface reduction rule event logs](attack-surface-reduction.md) to see if the rule would have blocked the file or process if the rule had been set to **Enabled**.
+
+If a rule is not blocking a file or process that you are expecting it should block, first check if audit mode is enabled.
+
+Audit mode may have been enabled for testing another feature, or by an automated PowerShell script, and may not have been disabled after the tests were completed.
 
 If you've tested the rule with the demo tool and with audit mode, and attack surface reduction rules are working on pre-configured scenarios, but the rule is not working as expected, proceed to either of the following sections based on your situation:
 
 1. If the attack surface reduction rule is blocking something that it should not block (also known as a false positive), you can [first add an attack surface reduction rule exclusion](#add-exclusions-for-a-false-positive).
+
 2. If the attack surface reduction rule is not blocking something that it should block (also known as a false negative), you can proceed immediately to the last step, [collecting diagnostic data and submitting the issue to us](#collect-diagnostic-data-for-file-submissions).
 
 ## Add exclusions for a false positive
@@ -79,7 +88,7 @@ To add an exclusion, see [Customize Attack surface reduction](customize-attack-s
 
 ## Report a false positive or false negative
 
-Use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/wdsi/filesubmission) to report a false negative or false positive for network protection. With an E5 subscription, you can also [provide a link to any associated alert](../microsoft-defender-atp/alerts-queue.md).
+Use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/wdsi/filesubmission) to report a false negative or false positive for network protection. With a Windows E5 subscription, you can also [provide a link to any associated alert](../microsoft-defender-atp/alerts-queue.md).
 
 ## Collect diagnostic data for file submissions
 
@@ -97,10 +106,12 @@ When you report a problem with attack surface reduction rules, you are asked to
    mpcmdrun -getfiles
    ```
 
-3. By default, they are saved to C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab. Attach the file to the submission form.
+3. By default, they are saved to `C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab`. Attach the file to the submission form.
 
-## Related topics
+## Related articles
 
-* [Attack surface reduction rules](attack-surface-reduction.md)
-* [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
-* [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
+- [Attack surface reduction rules](attack-surface-reduction.md)
+
+- [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
+
+- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md
index ae216de7bb..882df03a74 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md
@@ -1,5 +1,5 @@
 ---
-title: Deploy exploit protection mitigations across your organization
+title: Troubleshoot exploit protection mitigations
 keywords: Exploit protection, mitigations, troubleshoot, import, export, configure, emet, convert, conversion, deploy, install
 description: Remove unwanted Exploit protection mitigations.
 search.product: eADQiWindows 10XVcnh
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md
index af397987a0..8589345cbe 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md
@@ -1,6 +1,6 @@
 ---
 title: Troubleshoot problems with Network protection
-description: Check pre-requisites, use audit mode, add exclusions, or collect diagnostic data to help troubleshoot issues
+description: Check prerequisites, use audit mode, add exclusions, or collect diagnostic data to help troubleshoot issues
 keywords: troubleshoot, error, fix, windows defender eg, asr, rules, hips, troubleshoot, audit, exclusion, false positive, broken, blocking
 search.product: eADQiWindows 10XVcnh
 ms.pagetype: security
@@ -61,12 +61,12 @@ You can enable network protection in audit mode and then visit a website that we
 1. Perform the connection activity that is causing an issue (for example, attempt to visit the site, or connect to the IP address you do or don't want to block).
 
 1. [Review the network protection event logs](network-protection.md#review-network-protection-events-in-windows-event-viewer) to see if the feature would have blocked the connection if it had been set to **Enabled**.
-   >
-   >If network protection is not blocking a connection that you are expecting it should block, enable the feature.
+   
+   If network protection is not blocking a connection that you are expecting it should block, enable the feature.
 
-```PowerShell
-Set-MpPreference -EnableNetworkProtection Enabled
-```
+   ```PowerShell
+   Set-MpPreference -EnableNetworkProtection Enabled
+   ```
 
 ## Report a false positive or false negative
 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
index 668b2a1cb4..07bd73d2d2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
@@ -52,9 +52,9 @@ Area | Description
 (1) Menu | Select menu to expand the navigation pane and see the names of the Threat & Vulnerability Management capabilities.
 (2) Threat & Vulnerability Management navigation pane | Use the navigation pane to move across the **Threat and Vulnerability Management Dashboard**, **Security recommendations**, **Remediation**, **Software inventory**, and **Weaknesses**.
 **Dashboards**	| Get a high-level view of the organization exposure score, organization configuration score, machine exposure distribution, top security recommendations, top vulnerable software, top remediation activities, and top exposed machines data.
-**Security recommendations** | See the list of security recommendations, their related components, insights, number or exposed devices, impact, and request for remediation. You can click each item on the list, a flyout panel opens with vulnerability details, open the software page, see the remediation, and exception options. You can also open a ticket in Intune if your machines are joined through Azure Active Directory and you have enabled your Intune connections in Microsoft Defender ATP. See [Security recommendations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) for more information.
+**Security recommendations** | See the list of security recommendations, their related components, whether the software in your network have reached their end-of-life, insights, number or exposed devices, impact, and request for remediation. You can click each item on the list, a flyout panel opens with vulnerability details, open the software page, see the remediation, and exception options. You can also open a ticket in Intune if your machines are joined through Azure Active Directory and you have enabled your Intune connections in Microsoft Defender ATP. See [Security recommendations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) for more information.
 **Remediation** | See the remediation activity, related component, remediation type, status, due date, option to export the remediation and process data to CSV, and active exceptions. See [Remediation and exception](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation) for more information.
-**Software inventory** | See the list of applications, versions, weaknesses, whether there’s an exploit found on the application, prevalence in the organization, how many were installed, how many exposed devices are there, and the numerical value of the impact. You can select each item in the list and opt to open the software page which shows the associated vulnerabilities, misconfigurations, affected machine, version distribution details, and missing KBs or security updates. See [Software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory) for more information.
+**Software inventory** | See the list of software, versions, weaknesses, whether there’s an exploit found on the software, whether the software has reached its end-of-life, prevalence in the organization, how many were installed, how many exposed devices are there, and the numerical value of the impact. You can select each item in the list and opt to open the software page which shows the associated vulnerabilities, misconfigurations, affected machine, version distribution details, and missing KBs or security updates. See [Software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory) for more information.
 **Weaknesses** | See the list of common vulnerabilities and exposures, the severity, its common vulnerability scoring system (CVSS) V3 score, related software, age, when it was published, related threat alerts, and how many exposed machines are there. You can select each item in the list and it opens a flyout panel with the vulnerability description and other details. See [Weaknesses](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses) for more information.
 (3) Threat & Vulnerability Management dashboard | Access the **Exposure score**, **Configuration score**, **Exposure distribution**, **Top security recommendations**, **Top vulnerable software**, **Top remediation activities**, and **Top exposed machines**.
 **Selected machine groups (#/#)**	| Filter the Threat & Vulnerability Management data that you want to see in the dashboard and widgets by machine groups. What you select in the filter applies throughout the Threat & Vulnerability management pages only. 
@@ -62,13 +62,17 @@ Area | Description
 **Organization Configuration score** | See the security posture of the operating system, applications, network, accounts and security controls of your organization. The goal is to remediate the related security configuration issues to increase your configuration score. You can click the bars and it takes you to the **Security recommendation** page for details. See [Configuration score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configuration-score) for more information.
 **Machine exposure distribution** | See how many machines are exposed based on their exposure level. You can click the sections in the doughnut chart and it takes you to the **Machines list** page where you'll see the affected machine names, exposure level side by side with risk level, among other details such as domain, operating system platform, its health state, when it was last seen, and its tags. 
 **Top security recommendations** | See the collated security recommendations which are sorted and prioritized based on your organization’s risk exposure and the urgency that it requires. Useful icons also quickly calls your attention on possible active alerts ![Possible active alert](images/tvm_alert_icon.png), associated public exploits ![Threat insight](images/tvm_bug_icon.png), and recommendation insights ![Recommendation insight](images/tvm_insight_icon.png). You can drill down on the security recommendation to see the potential risks, list of exposed machines, and read the insights. Thus, providing you with an informed decision to either proceed with a remediation request. Click **Show more** to see the rest of the security recommendations in the list.
-**Top vulnerable software** | Get real-time visibility into the organizational software inventory, with stack-ranked list of vulnerable software installed on your network’s devices and how they impact on your organizational exposure score. Click each item for details or **Show more** to see the rest of the vulnerable application list in the **Software inventory** page.
+**Top vulnerable software** | Get real-time visibility into the organizational software inventory, with stack-ranked list of vulnerable software installed on your network’s devices and how they impact on your organizational exposure score. Click each item for details or **Show more** to see the rest of the vulnerable software list in the **Software inventory** page.
 **Top remediation activities** | Track the remediation activities generated from the security recommendations. You can click each item on the list to see the details in the **Remediation** page or click **Show more** to see the rest of the remediation activities, and active exceptions.
 **Top exposed machines** | See the exposed machine names and their exposure level. You can click each machine name from the list and it will take you to the machine page where you can view the alerts, risks, incidents, security recommendations, installed software, discovered vulnerabilities associated with the exposed machines. You can also do other EDR-related tasks in it, such as: manage tags, initiate automated investigations, initiate a live response session, collect an investigation package, run antivirus scan, restrict app execution, and isolate machine. You can also click **Show more** to see the rest of the exposed machines list.
 
+> [!NOTE]
+> Machines with no alerts seen in the last 30 days do not count towards the exposure score of Threat & Vulnerability Management.
+
 See [Microsoft Defender ATP icons](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection#windows-defender-atp-icons) for more information on the icons used throughout the portal.
 
 ## Related topics
+- [Supported operating systems and platforms](tvm-supported-os.md)
 - [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
 - [Exposure score](tvm-exposure-score.md)
 - [Configuration score](configuration-score.md)
@@ -77,3 +81,4 @@ See [Microsoft Defender ATP icons](https://docs.microsoft.com/windows/security/t
 - [Software inventory](tvm-software-inventory.md)
 - [Weaknesses](tvm-weaknesses.md)
 - [Scenarios](threat-and-vuln-mgt-scenarios.md)
+- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
index fca24b4b1f..aafd2f2e36 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
@@ -38,6 +38,7 @@ Several factors affect your organization exposure score:
 Reduce the exposure score by addressing what needs to be remediated based on the prioritized security recommendations. See [Security recommendations](tvm-security-recommendation.md) for details.
 
 ## Related topics
+- [Supported operating systems and platforms](tvm-supported-os.md)
 - [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) 
 - [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
 - [Configuration score](configuration-score.md)
@@ -46,3 +47,4 @@ Reduce the exposure score by addressing what needs to be remediated based on the
 - [Software inventory](tvm-software-inventory.md)
 - [Weaknesses](tvm-weaknesses.md)
 - [Scenarios](threat-and-vuln-mgt-scenarios.md)
+- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
index 99b1ae6759..1d7a8392e8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
@@ -21,6 +21,8 @@ ms.date: 04/11/2019
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) 
+
 >[!NOTE]
 >To use this capability, enable your Microsoft Intune connections. Navigate to **Settings** > **General** > **Advanced features**. Scroll down and look for **Microsoft Intune connection**. By default, the toggle is turned off. Turn your **Microsoft Intune connection** toggle on.
 
@@ -29,7 +31,13 @@ After your organization's cybersecurity weaknesses are identified and mapped to
 You can lower down your organization's exposure from vulnerabilities and increase your security configuration by remediating the security recommendations.
 
 ## Navigate through your remediation options 
-You'll see your remediation options when you select one of the security recommendation blocks from your **Top security recommendations** widget in the dashboard. 
+You can access the remediation page in a few places in the portal:
+- Security recommendation flyout panel
+- Remediation in the navigation menu
+- Top remediation activities widget in the dashboard
+
+*Security recommendation flyout page*
+
You'll see your remediation options when you select one of the security recommendation blocks from your **Top security recommendations** widget in the dashboard. 
 1. From the flyout panel, you'll see the security recommendation details including your next steps. Click **Remediation options**.
 2. In the **Remediation options** page, select **Open a ticket in Intune (for AAD joined devices)**. 
 
@@ -41,13 +49,20 @@ You'll see your remediation options when you select one of the security recommen
 
 If you want to check how the ticket shows up in Intune, see [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details.
 
+*Remediation in the navigation menu*
+1. Go to the Threat & Vulnerability Management navigation menu and select **Remediation** to open up the list of remediation activities and exceptions found in your organization. You can filter your view based on remediation type, machine remediation progress, and exception justification. If you want to see the remediation activities of software which have reached their end-of-life, select **Software uninstall** from the **Remediation type** filter.  
+2. Select the remediation activity that you need to see or process.
+
+*Top remediation activities widget in the dashboard*
+1. Go to the Threat & Vulnerability Management dashboard and scroll down to the **Top remediation activities** widget. The list is sorted and prioritized based on what is listed in the **Top security recommendations**. 
+2. Select the remediation activity that you need to see or process.
+
 ## How it works
 
 When you submit a remediation request from Threat & Vulnerability Management, it kicks-off a remediation activity. 
 
 It creates a security task which will be tracked in Threat & Vulnerability Management **Remediation** page, and it also creates a remediation ticket in Microsoft Intune.
 
-
 The dashboard will show that status of your top remediation activities. Click any of the entries and it will take you to the **Remediation** page. You can mark the remediation activity as completed after the IT administration team remediates the task. 
 
 ## When to file for exception instead of remediating issues 
@@ -105,6 +120,7 @@ The exception impact shows on both the Security recommendations page column and
 ![Screenshot of where to find the exception impact](images/tvm-exception-impact.png)
 
 ## Related topics
+- [Supported operating systems and platforms](tvm-supported-os.md)
 - [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) 
 - [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
 - [Exposure score](tvm-exposure-score.md)
@@ -113,5 +129,6 @@ The exception impact shows on both the Security recommendations page column and
 - [Software inventory](tvm-software-inventory.md)
 - [Weaknesses](tvm-weaknesses.md)
 - [Scenarios](threat-and-vuln-mgt-scenarios.md)
+- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
 
 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
index ee75d061da..ace7b85957 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
@@ -21,6 +21,10 @@ ms.date: 04/11/2019
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) 
+
+[!include[Prerelease information](prerelease.md)]
+
 The cybersecurity weaknesses identified in your organization are mapped to actionable security recommendations and prioritized by their impact on the security recommendation list. Prioritized recommendation helps shorten the mean time to mitigate or remediate vulnerabilities and drive compliance.
 
 Each security recommendation includes an actionable remediation recommendation which can be pushed into the IT task queue through a built-in integration with Microsoft Intune and Microsoft System Center Configuration Manager (SCCM). It is also dynamic in the sense that when the threat landscape changes, the recommendation also changes as it continuously collect information from your environment. 
@@ -49,7 +53,7 @@ You can click on each one of them and see the details, the description, the pote
 
 From that page, you can do any of the following depending on what you need to do:
 
-- Open software page - Drill down and open the software page to get more context of the software details, prevalence in the organization, weaknesses discovered, version distribution, and charts so you can see the exposure trend over time. 
+- Open software page - Drill down and open the software page to get more context of the software details, prevalence in the organization, weaknesses discovered, version distribution, software end-of-life, and charts so you can see the exposure trend over time. 
 
 - Choose from remediation options - Submit a remediation request to open a ticket in Microsoft Intune for your IT Administrator to pick up and address.
 
@@ -80,6 +84,7 @@ You can report a false positive when you see any vague, inaccurate, incomplete,
 
 
 ## Related topics
+- [Supported operating systems and platforms](tvm-supported-os.md)
 - [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) 
 - [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
 - [Exposure score](tvm-exposure-score.md)
@@ -88,3 +93,4 @@ You can report a false positive when you see any vague, inaccurate, incomplete,
 - [Software inventory](tvm-software-inventory.md)
 - [Weaknesses](tvm-weaknesses.md)
 - [Scenarios](threat-and-vuln-mgt-scenarios.md) 
+- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md
index e1d39cdf5d..860a12a293 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md
@@ -21,17 +21,21 @@ ms.date: 04/11/2019
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) 
+
+[!include[Prerelease information](prerelease.md)]
+
 Microsoft Defender ATP Threat & Vulnerability management's discovery capability shows in the **Software inventory** page. The software inventory includes the name of the product or vendor, the latest version it is in, and the number of weaknesses and vulnerabilities detected with it.
 
 ## Navigate through your software inventory
-1. Select **Software inventory** from the Threat & Vulnerability management navigation menu. 
-2. In the **Software inventory** page, select the application that you want to investigate and a flyout panel opens up with the software details, vendor information, prevalence in the organization, exposed machines, threat context, and its impact to your  organization's exposure score.   
-3. In the flyout panel, select **Open software page** to dive deeper into your software inventory. You will see how many weaknesses are discovered with the application, devices exposed, installed machines, version distribution, and the corresponding security recommendations for the weaknesses and vulnerabilities identified.
+1. Select **Software inventory** from the Threat & Vulnerability management navigation menu. The **Software inventory** page opens with a list of software installed in your network, vendor name, weaknesses found, threats associated with them, exposed machines, impact, tags. You can also filter the software inventory list view based on weaknesses found in the software, threats associated with them, and whether the software have reached their end-of-life.      
+2. In the **Software inventory** page, select the software that you want to investigate and a flyout panel opens up with the same details mentioned above but in a more compact view. You can either dive deeper into the investigation and select **Open software page** or flag any technical inconsistencies by selecting **Report inaccuracy**. 
+3. Select **Open software page** to dive deeper into your software inventory to see how many weaknesses are discovered in the software, devices exposed, installed machines, version distribution, and the corresponding security recommendations for the weaknesses and vulnerabilities identified.
 
 ## How it works
 In the field of discovery, we are leveraging the same set of signals in Microsoft Defender ATP's endpoint detection and response that's responsible for detection, for vulnerability assessment. 
 
-Since it is real-time, in a matter of minutes, you will see vulnerability information as they get discovered. The engine automatically grabs information from multiple security feeds. In fact, you'll will see if a particular application is connected to a live campaign. It also provides a link to a Threat Analytics report soon as it's available.
+Since it is real-time, in a matter of minutes, you will see vulnerability information as they get discovered. The engine automatically grabs information from multiple security feeds. In fact, you'll will see if a particular software is connected to a live threat campaign. It also provides a link to a Threat Analytics report soon as it's available.
 
 ## Report inaccuracy
 
@@ -51,13 +55,14 @@ You can report a false positive when you see any vague, inaccurate version, inco
 
 5. Include your machine name for investigation context.
 
->[!NOTE]
-> You can also provide details regarding the inaccuracy you reported in the **Tell us more (optional)** field to give the threat and vulnerability management investigators context. 
+    >[!NOTE]
+    > You can also provide details regarding the inaccuracy you reported in the **Tell us more (optional)** field to give the threat and vulnerability management investigators context. 
 
 6. Click **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts with its context.
 
 
 ## Related topics
+- [Supported operating systems and platforms](tvm-supported-os.md)
 - [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) 
 - [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
 - [Exposure score](tvm-exposure-score.md)
@@ -66,3 +71,4 @@ You can report a false positive when you see any vague, inaccurate version, inco
 - [Remediation and exception](tvm-remediation.md)
 - [Weaknesses](tvm-weaknesses.md)
 - [Scenarios](threat-and-vuln-mgt-scenarios.md)
+- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md
new file mode 100644
index 0000000000..b1d1785787
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md
@@ -0,0 +1,55 @@
+---
+title: Threat & Vulnerability Management supported operating systems
+description: Before you begin, ensure that you meet the operating system or platform requisites for Threat & Vulnerability Management so the activities in your all devices are properly accounted for. 
+keywords: mdatp-tvm supported os, mdatp-tvm, threat & vulnerability management, risk-based threat & vulnerability management, security configuration, configuration score, exposure score    
+search.appverid: met150
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+# Threat & Vulnerability Management supported operating systems and platforms
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) 
+
+[!include[Prerelease information](prerelease.md)]
+
+Before you begin, ensure that you meet the following operating system or platform requisites for Threat & Vulnerability Management so the activities in your devices are properly accounted for.
+
+Operating system | Security assessment support
+:---|:---
+Windows 7 | Operating System (OS) vulnerabilities
+Windows 8.1 | Not supported
+Windows 10 1607-1703 | Operating System (OS) vulnerabilities
+Windows 10 1709+ |Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment 
+Windows Server 2008R2 | Operating System (OS) vulnerabilities
Software product vulnerabilities
+Windows Server 2012R2 | Operating System (OS) vulnerabilities
Software product vulnerabilities
+Windows Server 2016 | Operating System (OS) vulnerabilities
Software product vulnerabilities
+Windows Server 2019 | Operating System (OS) vulnerabilities
Software product vulnerabilities
+MacOS | Not supported (planned)
+Linux | Not supported (planned)
+
+Some of the above prerequisites might be different from the [Minimum requirements for Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements) list.
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
+- [Exposure score](tvm-exposure-score.md)
+- [Configuration score](configuration-score.md)
+- [Security recommendations](tvm-security-recommendation.md)
+- [Remediation and exception](tvm-remediation.md)
+- [Software inventory](tvm-software-inventory.md)
+- [Weaknesses](tvm-weaknesses.md)
+- [Scenarios](threat-and-vuln-mgt-scenarios.md)
+- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
index 7eefec6595..490fd16270 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
@@ -19,7 +19,9 @@ ms.date: 10/31/2019
 ---
 # Weaknesses
 **Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) 
 
 [!include[Prerelease information](prerelease.md)]
 
@@ -33,7 +35,7 @@ The **Weaknesses** page lists down the vulnerabilities found in the infected sof
 >- RS5 customers | [KB 4516077](https://support.microsoft.com/help/4516077/windows-10-update-kb4516077)
 >- RS4 customers | [KB 4516045](https://support.microsoft.com/help/4516045/windows-10-update-kb4516045)
 >- RS3 customers | [KB 4516071](https://support.microsoft.com/help/4516071/windows-10-update-kb4516071)
->
Downloading the above-mentioned security updates will be mandatory starting Patch Tuesday, October 8, 2019.
+
 
 ## Navigate through your organization's weaknesses page
 You can access the list of vulnerabilities in a few places in the portal:
@@ -121,6 +123,7 @@ You can report a false positive when you see any vague, inaccurate, missing, or
 
 
 ## Related topics
+- [Supported operating systems and platforms](tvm-supported-os.md)
 - [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) 
 - [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
 - [Exposure score](tvm-exposure-score.md)
@@ -129,3 +132,4 @@ You can report a false positive when you see any vague, inaccurate, missing, or
 - [Remediation and exception](tvm-remediation.md)
 - [Software inventory](tvm-software-inventory.md)
 - [Scenarios](threat-and-vuln-mgt-scenarios.md)
+- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/update-alert.md b/windows/security/threat-protection/microsoft-defender-atp/update-alert.md
index 8d6c69ea8d..7a64b0d061 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/update-alert.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/update-alert.md
@@ -1,6 +1,6 @@
 ---
-title: Get alert information by ID API
-description: Retrieves an alert by its ID.
+title: Update alert entity API
+description: Retrieves a Microsoft Defender ATP alert by its ID.
 keywords: apis, graph api, supported apis, get, alert, information, id
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
diff --git a/windows/security/threat-protection/microsoft-defender-atp/user.md b/windows/security/threat-protection/microsoft-defender-atp/user.md
index 78ca770fa9..2729130721 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/user.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/user.md
@@ -1,5 +1,5 @@
 ---
-title: File resource type
+title: User resource type
 description: Retrieves top recent alerts.
 keywords: apis, graph api, supported apis, get, alerts, recent
 search.product: eADQiWindows 10XVcnh
diff --git a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
index 658a41d9f0..7e542c0b65 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
@@ -27,9 +27,11 @@ The following features are generally available (GA) in the latest release of Mic
 
 For more information preview features, see [Preview features](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection).
 
-## November 2019
+## November-December 2019
 
-- [Microsoft Defender ATP for Mac](microsoft-defender-atp-mac.md) 
 Microsoft Defender ATP for Mac brings the next-generation protection to Mac devices. Core components of the unified endpoint security platform will now be available for Mac devices. ([Endpoint detection and response is currently in preview](preview.md).)
+- [Microsoft Defender ATP for Mac](microsoft-defender-atp-mac.md) 
 Microsoft Defender ATP for Mac brings the next-generation protection to Mac devices. Core components of the unified endpoint security platform will now be available for Mac devices, including [endpoint detection and response](endpoint-detection-response-mac-preview.md).
+ 
+- [Threat & Vulnerability Management application end-of-life tag](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) 
Applications which have reached their end-of-life are tagged or labeled as such so you are aware that they will no longer be supported, and can take action to either uninstall or replace. Doing so will help lessen the risks related to various vulnerability exposures due to unpatched applications.
 
 ## October 2019
 
diff --git a/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md b/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md
index a9b824cade..3e5cd564fb 100644
--- a/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md
+++ b/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md
@@ -1,7 +1,7 @@
 ---
 manager: dansimp
 ms.author: dansimp
-title: Override Process Mitigation Options to help enforce app-related security policies (Windows 10)
+title: Override Process Mitigation Options (Windows 10)
 description: How to use Group Policy to override individual Process Mitigation Options settings and to help enforce specific app-related security policies.
 keywords: Process Mitigation Options, Mitigation Options, Group Policy Mitigation Options
 ms.prod: w10
diff --git a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
index 1198ca299a..355b58c60f 100644
--- a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
+++ b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
@@ -84,7 +84,7 @@ As an IT professional, you can ask application developers and software vendors t
 
 Windows Defender SmartScreen notifies users if they click on reported phishing and malware websites, and helps protect them against unsafe downloads or make informed decisions about downloads.
 
-For Windows 10, Microsoft improved SmartScreen (now called Windows Defender SmartScreen) protection capability by integrating its app reputation abilities into the operating system itself, which allows SmartScreen to check the reputation of files downloaded from the Internet and warn users when they’re about to run a high-risk downloaded file. The first time a user runs an app that originates from the Internet, SmartScreen checks the reputation of the application by using digital signatures and other factors against a service that Microsoft maintains. If the app lacks a reputation or is known to be malicious, SmartScreen warns the user or blocks execution entirely, depending on how the administrator has configured Microsoft Intune or Group Policy settings.
+For Windows 10, Microsoft improved SmartScreen (now called Windows Defender SmartScreen) protection capability by integrating its app reputation abilities into the operating system itself, which allows Windows Defender SmartScreen to check the reputation of files downloaded from the Internet and warn users when they’re about to run a high-risk downloaded file. The first time a user runs an app that originates from the Internet, Windows Defender SmartScreen checks the reputation of the application by using digital signatures and other factors against a service that Microsoft maintains. If the app lacks a reputation or is known to be malicious, Windows Defender SmartScreen warns the user or blocks execution entirely, depending on how the administrator has configured Microsoft Intune or Group Policy settings.
 
 For more information, see [Windows Defender SmartScreen overview](windows-defender-smartscreen/windows-defender-smartscreen-overview.md).
 
diff --git a/windows/security/threat-protection/security-compliance-toolkit-10.md b/windows/security/threat-protection/security-compliance-toolkit-10.md
index f9421d02f6..8d134aaa46 100644
--- a/windows/security/threat-protection/security-compliance-toolkit-10.md
+++ b/windows/security/threat-protection/security-compliance-toolkit-10.md
@@ -11,7 +11,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 11/26/2018
+ms.date: 11/21/2019
 ms.reviewer: 
 ---
 
@@ -27,6 +27,7 @@ The SCT enables administrators to effectively manage their enterprise’s Group
 The Security Compliance Toolkit consists of:
 
 -   Windows 10 security baselines
+    -   Windows 10 Version 1909 (November 2019 Update)
     -   Windows 10 Version 1903 (May 2019 Update)
     -   Windows 10 Version 1809 (October 2018 Update)
     -   Windows 10 Version 1803 (April 2018 Update)
diff --git a/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md b/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md
index 94c7732647..f6beb6795e 100644
--- a/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md
+++ b/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md
@@ -1,5 +1,5 @@
 ---
-title: Accounts Limit local account use of blank passwords to console logon only (Windows 10)
+title: Accounts Limit local account use of blank passwords (Windows 10)
 description: Describes the best practices, location, values, and security considerations for the Accounts Limit local account use of blank passwords to console logon only security policy setting.
 ms.assetid: a1bfb58b-1ae8-4de9-832b-aa889a6e64bd
 ms.reviewer: 
diff --git a/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md b/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md
index efc1e8ea6f..45bae7d793 100644
--- a/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md
+++ b/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md
@@ -1,5 +1,5 @@
 ---
-title: Devices Restrict CD-ROM access to locally logged-on user only (Windows 10)
+title: Restrict CD-ROM access to locally logged-on user (Windows 10)
 description: Describes the best practices, location, values, and security considerations for the Devices Restrict CD-ROM access to locally logged-on user only security policy setting.
 ms.assetid: 8b8f44bb-84ce-4f18-af30-ab89910e234d
 ms.reviewer: 
diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md b/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md
index 91a78717ea..0115f58fc6 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md
@@ -1,5 +1,5 @@
 ---
-title: Domain controller Refuse machine account password changes (Windows 10)
+title: Refuse machine account password changes policy (Windows 10)
 description: Describes the best practices, location, values, and security considerations for the Domain controller Refuse machine account password changes security policy setting.
 ms.assetid: 5a7fa2e2-e1a8-4833-90f7-aa83e3b456a9
 ms.reviewer: 
diff --git a/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md b/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md
index 82dc9c1898..dcf829294a 100644
--- a/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md
+++ b/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md
@@ -1,5 +1,5 @@
 ---
-title: Enable computer and user accounts to be trusted for delegation (Windows 10)
+title: Trust computer and user accounts for delegation (Windows 10)
 description: Describes the best practices, location, values, policy management, and security considerations for the Enable computer and user accounts to be trusted for delegation security policy setting.
 ms.assetid: 524062d4-1595-41f3-8ce1-9c85fd21497b
 ms.reviewer: 
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md
index 456a194ed3..c1da92162e 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md
@@ -1,5 +1,5 @@
 ---
-title: Interactive logon Message text for users attempting to log on (Windows 10)
+title: Interactive Logon Message text (Windows 10)
 description: Describes the best practices, location, values, management, and security considerations for the Interactive logon Message text for users attempting to log on security policy setting.
 ms.assetid: fcfe8a6d-ca65-4403-b9e6-2fa017a31c2e
 ms.reviewer: 
diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md
index a3a1d550e4..2f0c68363e 100644
--- a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md
+++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md
@@ -1,5 +1,5 @@
 ---
-title: Microsoft network client Send unencrypted password to third-party SMB servers (Windows 10)
+title: Microsoft network client Send unencrypted password (Windows 10)
 description: Describes the best practices, location, values, policy management and security considerations for the Microsoft network client Send unencrypted password to third-party SMB servers security policy setting.
 ms.assetid: 97a76b93-afa7-4dd9-bb52-7c9e289b6017
 ms.reviewer: 
diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md
index 130fb31904..51a7a62dde 100644
--- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md
+++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md
@@ -1,5 +1,5 @@
 ---
-title: Microsoft network server Attempt S4U2Self to obtain claim information (Windows 10)
+title: Microsoft network server Attempt S4U2Self (Windows 10)
 description: Describes the best practices, location, values, management, and security considerations for the Microsoft network server Attempt S4U2Self to obtain claim information security policy setting.
 ms.assetid: e4508387-35ed-4a3f-a47c-27f8396adbba
 ms.reviewer: 
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md
index 42270f6a74..56ba9ce742 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md
@@ -1,5 +1,5 @@
 ---
-title: Network access Do not allow anonymous enumeration of SAM accounts and shares (Windows 10)
+title: Network access Do not allow anonymous enumeration (Windows 10)
 description: Describes the best practices, location, values, and security considerations for the Network access Do not allow anonymous enumeration of SAM accounts and shares security policy setting.
 ms.assetid: 3686788d-4cc7-4222-9163-cbc7c3362d73
 ms.reviewer: 
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md b/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md
index 3951aa3864..0e3279dc6e 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md
@@ -1,5 +1,5 @@
 ---
-title: Network access Let Everyone permissions apply to anonymous users (Windows 10)
+title: Let Everyone permissions apply to anonymous users (Windows 10)
 description: Describes the best practices, location, values, policy management and security considerations for the Network access Let Everyone permissions apply to anonymous users security policy setting.
 ms.assetid: cdbc5159-9173-497e-b46b-7325f4256353
 ms.reviewer: 
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
index 40dcdcacb1..af0955f3fe 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
@@ -30,7 +30,8 @@ Starting with Windows Server 2008 R2 and Windows 7, the Negotiate Security Su
 
 When devices are configured to accept authentication requests by using online IDs, Negoexts.dll calls the PKU2U SSP on the computer that is used to log on. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer computers. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation. It associates the user's certificate to a security token, and then the logon process completes.
 
->**Note:**  The ability to link online IDs can be performed by anyone with an account that has standard user’s credentials through **Credential Manager**.
+> [!Note]
+> The ability to link online IDs can be performed by anyone with an account that has standard user’s credentials through **Credential Manager**.
  
 This policy is not configured by default on domain-joined devices. This would disallow the online identities to be able to authenticate to the domain-joined computers in Windows 7 and later.
 
@@ -40,6 +41,9 @@ This policy is not configured by default on domain-joined devices. This would di
 
     This will allow authentication to successfully complete between the two (or more) computers that have established a peer relationship through the use on online IDs. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer devices. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation. It associates the user's certificate to a security token, and then the logon process completes.
 
+> [!Note]
+> KU2U is disabled by default on Windows Server. Remote desktop connections from a hybrid Azure AD-joined server to an Azure AD-joined Windows 10 device, or Hybrid Azure AD-joined domain member Windows 10 device, fails. To resolve this, enable PKU2U on the Server.
+
 -   **Disabled**
 
     This will prevent online IDs from being used to authenticate the user to another computer in a peer-to-peer relationship.
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md
index d3d0816760..c5496a79f8 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md
@@ -1,5 +1,5 @@
 ---
-title: Network security Configure encryption types allowed for Kerberos Win7 only (Windows 10)
+title: Network security Configure encryption types allowed for Kerberos
 description: Describes the best practices, location, values and security considerations for the Network security Configure encryption types allowed for Kerberos Win7 only security policy setting.
 ms.assetid: 303d32cc-415b-44ba-96c0-133934046ece
 ms.reviewer: 
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md
index ddad0a8565..c8d671e6b6 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md
@@ -1,5 +1,5 @@
 ---
-title: Network security Restrict NTLM NTLM authentication in this domain (Windows 10)
+title: Network security Restrict NTLM in this domain (Windows 10)
 description: Describes the best practices, location, values, management aspects, and security considerations for the Network Security Restrict NTLM NTLM authentication in this domain security policy setting.
 ms.assetid: 4c7884e9-cc11-4402-96b6-89c77dc908f8
 ms.reviewer: 
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md
index c2a02e239d..0e229ebce6 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md
@@ -1,5 +1,5 @@
 ---
-title: Network security Restrict NTLM Outgoing NTLM traffic to remote servers (Windows 10)
+title: Network security Restrict NTLM Outgoing traffic (Windows 10)
 description: Describes the best practices, location, values, management aspects, and security considerations for the Network Security Restrict NTLM Outgoing NTLM traffic to remote servers security policy setting.
 ms.assetid: 63437a90-764b-4f06-aed8-a4a26cf81bd1
 ms.reviewer: 
diff --git a/windows/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings.md b/windows/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings.md
index 6112d8f0f9..5836257990 100644
--- a/windows/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings.md
+++ b/windows/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings.md
@@ -1,5 +1,5 @@
 ---
-title: Advanced security audit policy settings (Windows 10)
+title: Advanced security audit policy settings in brief (Windows 10)
 description: Provides information about the advanced security audit policy settings that are available in Windows and the audit events that they generate.
 ms.assetid: 6BF9A642-DBC3-4101-94A3-B2316C553CE3
 ms.reviewer: 
diff --git a/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md b/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md
index e814cda2fd..b3e5bb9c6c 100644
--- a/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md
+++ b/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md
@@ -1,5 +1,5 @@
 ---
-title: Shutdown Clear virtual memory pagefile - security policy setting (Windows 10)
+title: Shutdown Clear virtual memory pagefile (Windows 10)
 description: Describes the best practices, location, values, policy management and security considerations for the Shutdown Clear virtual memory pagefile security policy setting.
 ms.assetid: 31400078-6c56-4891-a6df-6dfb403c4bc9
 ms.reviewer: 
diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md
index fc1b6be023..f055b88d86 100644
--- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md
+++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md
@@ -1,5 +1,5 @@
 ---
-title: SMBv1 Microsoft network client Digitally sign communications (always) (Windows 10)
+title: Always sign SMBv1 network client communications (Windows 10)
 description: For SMBv1 only, describes the best practices, location, values, policy management and security considerations for the Microsoft network client Digitally sign communications (always) security policy setting.
 ms.assetid: 4b7b0298-b130-40f8-960d-60418ba85f76
 ms.reviewer: 
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md
index c6c7912ae9..92e19e7cda 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md
@@ -1,5 +1,5 @@
 ---
-title: User Account Control Behavior of the elevation prompt for standard users (Windows 10)
+title: Behavior of the elevation prompt for standard users (Windows 10)
 description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Behavior of the elevation prompt for standard users security policy setting.
 ms.assetid: 1eae7def-8f6c-43b6-9474-23911fdc01ba
 ms.reviewer: 
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md
index 7683b3beec..47e4c3b995 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md
@@ -1,5 +1,5 @@
 ---
-title: User Account Control Only elevate UIAccess applications that are installed in secure locations (Windows 10)
+title: Only elevate UIAccess app installed in secure location (Windows 10)
 description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Only elevate UIAccess applications that are installed in secure locations security policy setting.
 ms.assetid: 4333409e-a5be-4f2f-8808-618f53abd22c
 ms.reviewer: 
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md b/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md
index 6361e34ee2..9c85a319b8 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md
@@ -1,5 +1,5 @@
 ---
-title: User Account Control Run all administrators in Admin Approval Mode (Windows 10)
+title: UAC Run all administrators in Admin Approval Mode (Windows 10)
 description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Run all administrators in Admin Approval Mode security policy setting.
 ms.assetid: b838c561-7bfc-41ef-a7a5-55857259c7bf
 ms.reviewer: 
diff --git a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
index 51ff05189a..69291f7a17 100644
--- a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
+++ b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
@@ -573,6 +573,11 @@ Here are the minimum steps for WEF to operate:
     
     
   
+  
+    
+    
+  
+
 
 ```
 
@@ -654,5 +659,6 @@ You can get more info with the following links:
 -   [Event Queries and Event XML](https://msdn.microsoft.com/library/bb399427.aspx)
 -   [Event Query Schema](https://msdn.microsoft.com/library/aa385760.aspx)
 -   [Windows Event Collector](https://msdn.microsoft.com/library/windows/desktop/bb427443.aspx)
+-   [4625(F): An account failed to log on](https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4625)
 
 
diff --git a/windows/security/threat-protection/windows-10-mobile-security-guide.md b/windows/security/threat-protection/windows-10-mobile-security-guide.md
index eede2665f7..6e9ba266d1 100644
--- a/windows/security/threat-protection/windows-10-mobile-security-guide.md
+++ b/windows/security/threat-protection/windows-10-mobile-security-guide.md
@@ -194,7 +194,7 @@ The table below outlines how Windows 10 Mobile mitigates specific malware threat
 
 
 
Users access a dangerous website without knowledge of the risk.

-
The SmartScreen URL Reputation feature prevents users from going to a malicious website that may try to exploit the browser and take control of the device.

+
The Windows Defender SmartScreen URL Reputation feature prevents users from going to a malicious website that may try to exploit the browser and take control of the device.

 
 
 
Malware exploits a vulnerability in a browser add-on.

diff --git a/windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md b/windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md
index 3cb7596969..c4c23a9ddd 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
 ms.date: 09/03/2018
 ms.reviewer: 
 manager: dansimp
@@ -24,35 +25,35 @@ manager: dansimp
 
 This topic describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using the Windows Defender AV Assessment section in the Update Compliance add-in.
 
-Before attempting this process, ensure you have read [Troubleshoot Windows Defender Antivirus reporting](troubleshoot-reporting.md), met all require pre-requisites, and taken any other suggested troubleshooting steps.
+Before attempting this process, ensure you have read [Troubleshoot Windows Defender Antivirus reporting](troubleshoot-reporting.md), met all require prerequisites, and taken any other suggested troubleshooting steps.
 
-1. On at least two endpoints that are not reporting or showing up in Update Compliance, obtain the .cab diagnostic file by following this process:
+On at least two endpoints that are not reporting or showing up in Update Compliance, obtain the .cab diagnostic file by following this process:
 
-    1. Open an administrator-level version of the command prompt:
+1. Open an administrator-level version of the command prompt as follows:
         
-        1. Open the **Start** menu.
+    a. Open the **Start** menu.
+
+    b. Type **cmd**. Right-click on **Command Prompt** and click **Run as administrator**.
+
+    c. Enter administrator credentials or approve the prompt.
         
-        2. Type **cmd**. Right-click on **Command Prompt** and click **Run as administrator**.
+2. Navigate to the Windows Defender directory. By default, this is C:\Program Files\Windows Defender, as in the following example:
+
+    ```Dos
+    cd c:\program files\windows\defender
+    ```
+
+3. Enter the following command and press **Enter**
         
-        3. Enter administrator credentials or approve the prompt.
-        
-    2. Navigate to the Windows Defender directory. By default, this is C:\Program Files\Windows Defender, as in the following example:
-        
-        ```Dos
-        cd c:\program files\windows\defender
-        ```
+    ```Dos
+    mpcmdrun -getfiles
+    ```
     
-    3. Enter the following command and press **Enter**
-        
-        ```Dos
-        mpcmdrun -getfiles
-        ```
-    
-    4. A .cab file will be generated that contains various diagnostic logs. The location of the file will be specified in the output in the command prompt, but by default it will be in C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab.
+4. A .cab file will be generated that contains various diagnostic logs. The location of the file will be specified in the output in the command prompt, but by default it will be in C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab.
 
-2. Copy these .cab files to a location that can be accessed by Microsoft support. An example could be a password-protected OneDrive folder that you can share with us.
+5. Copy these .cab files to a location that can be accessed by Microsoft support. An example could be a password-protected OneDrive folder that you can share with us.
 
-3. Send an email using the Update Compliance support email template, and fill out the template with the following information:
+6. Send an email using the Update Compliance support email template, and fill out the template with the following information:
   
     ```
     I am encountering the following issue when using Windows Defender Antivirus in Update Compliance:
@@ -64,7 +65,7 @@ Before attempting this process, ensure you have read [Troubleshoot Windows Defen
     Please contact me at:
     ```
 
-## Related topics
+## See also
 
 - [Troubleshoot Windows Defender Windows Defender Antivirus reporting](troubleshoot-reporting.md)
 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md
index 6832c65573..17897257a2 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md
@@ -1,6 +1,6 @@
 ---
 title: Use the command line to manage Windows Defender Antivirus
-description: Run Windows Defender Antivirus scans and configure next gen protection with a dedicated command-line utility.
+description: Run Windows Defender Antivirus scans and configure next-generation protection with a dedicated command-line utility.
 keywords: run windows defender scan, run antivirus scan from command line, run windows defender scan from command line, mpcmdrun, defender
 search.product: eADQiWindows 10XVcnh
 ms.pagetype: security
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
 ms.reviewer: 
 manager: dansimp
 ---
@@ -42,20 +43,20 @@ MpCmdRun.exe -scan -2
 
 | Command  | Description   |
 |:----|:----|
-| \-? **or** -h   | Displays all available options for this tool |
-| \-Scan [-ScanType [0\|1\|2\|3]] [-File \ [-DisableRemediation] [-BootSectorScan]] [-Timeout \] [-Cancel] | Scans for malicious software. Values for **ScanType** are: **0** Default, according to your configuration, **-1** Quick scan, **-2** Full scan, **-3** File and directory custom scan.   |
-| \-Trace [-Grouping #] [-Level #] | Starts diagnostic tracing   |
-| \-GetFiles | Collects support information   |
-| \-GetFilesDiagTrack  | Same as Getfiles but outputs to temporary DiagTrack folder |
-| \-RemoveDefinitions [-All]  | Restores the installed Security intelligence  to a previous backup copy or to the original default set |
-| \-RemoveDefinitions [-DynamicSignatures]   | Removes only the dynamically downloaded Security intelligence |
-| \-RemoveDefinitions [-Engine]   | Restores the previous installed engine   |
-| \-SignatureUpdate [-UNC \| -MMPC]  | Checks for new Security intelligence updates  |
-| \-Restore  [-ListAll \| [[-Name \] [-All] \| [-FilePath \]] [-Path \]]               | Restores or lists quarantined item(s)  |
-| \-AddDynamicSignature [-Path]  | Loads dynamic Security intelligence  |
-| \-ListAllDynamicSignatures  | Lists the loaded dynamic Security intelligence  |
-| \-RemoveDynamicSignature [-SignatureSetID]  | Removes dynamic Security intelligence   |
-| \-CheckExclusion -path \   | Checks whether a path is excluded  |
+| `-?` **or** `-h`   | Displays all available options for this tool |
+| `-Scan [-ScanType [0\|1\|2\|3]] [-File  [-DisableRemediation] [-BootSectorScan]] [-Timeout ] [-Cancel]` | Scans for malicious software. Values for **ScanType** are: **0** Default, according to your configuration, **-1** Quick scan, **-2** Full scan, **-3** File and directory custom scan. |
+| `-Trace [-Grouping #] [-Level #]` | Starts diagnostic tracing |
+| `-GetFiles` | Collects support information |
+| `-GetFilesDiagTrack`  | Same as `-GetFiles`, but outputs to temporary DiagTrack folder |
+| `-RemoveDefinitions [-All]` | Restores the installed Security intelligence  to a previous backup copy or to the original default set |
+| `-RemoveDefinitions [-DynamicSignatures]` | Removes only the dynamically downloaded Security intelligence |
+| `-RemoveDefinitions [-Engine]` | Restores the previous installed engine |
+| `-SignatureUpdate [-UNC \| -MMPC]` | Checks for new Security intelligence updates |
+| `-Restore  [-ListAll \| [[-Name ] [-All] \| [-FilePath ]] [-Path ]]` | Restores or lists quarantined item(s) |
+| `-AddDynamicSignature [-Path]` | Loads dynamic Security intelligence |
+| `-ListAllDynamicSignatures` | Lists the loaded dynamic Security intelligence |
+| `-RemoveDynamicSignature [-SignatureSetID]` | Removes dynamic Security intelligence |
+| `-CheckExclusion -path ` | Checks whether a path is excluded |
 
 ## Related topics
 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md
index 4d41c1529f..7bee1e3696 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md
@@ -1,6 +1,6 @@
 ---
 title: Manage Windows Defender  in your business
-description: Learn how to use Group Policy, Configuration Manager, PowerShell, WMI, Intune, and the comman line to manage Windows Defender AV
+description: Learn how to use Group Policy, Configuration Manager, PowerShell, WMI, Intune, and the command line to manage Windows Defender AV
 keywords: group policy, gpo, config manager, sccm, scep, powershell, wmi, intune, defender, antivirus, antimalware, security, protection
 search.product: eADQiWindows 10XVcnh
 ms.pagetype: security
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
 ms.date: 09/03/2018
 ms.reviewer: 
 manager: dansimp
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md
index bd6ba2bfb4..5d969e79a9 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
 ms.date: 10/25/2018
 ms.reviewer: 
 manager: dansimp
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
index 0100d2bd05..47b2f1d42a 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
@@ -9,10 +9,11 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
 ms.reviewer: 
 manager: dansimp
+ms.custom: nextgen
 ---
 
 # Enable block at first sight
@@ -21,16 +22,12 @@ manager: dansimp
 
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-Block at first sight is a feature of next gen protection that provides a way to detect and block new malware within seconds.
+Block at first sight is a feature of next-generation protection that provides a way to detect and block new malware within seconds. This protection is enabled by default when certain prerequisite settings are also enabled. In most cases, these prerequisite settings are also enabled by default, so the feature is running without any intervention. 
 
-It is enabled by default when certain pre-requisite settings are also enabled. In most cases, these pre-requisite settings are also enabled by default, so the feature is running without any intervention. 
-
-You can [specify how long the file should be prevented from running](configure-cloud-block-timeout-period-windows-defender-antivirus.md) while the cloud-based protection service analyzes the file.
-
-You can also [customize the message displayed on users' desktops](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information) when a file is blocked. You can change the company name, contact information, and message URL.
+You can [specify how long the file should be prevented from running](configure-cloud-block-timeout-period-windows-defender-antivirus.md) while the cloud-based protection service analyzes the file. And, you can [customize the message displayed on users' desktops](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information) when a file is blocked. You can change the company name, contact information, and message URL.
 
 >[!TIP]
->You can also visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work.
+>Visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work.
 
 ## How it works
 
@@ -55,8 +52,8 @@ Block at first sight requires a number of settings to be configured correctly or
 
 1. In Intune, navigate to **Device configuration - Profiles > *Profile name* > Device restrictions > Windows Defender Antivirus**.
 
-> [!NOTE]
-> The profile you select must be a Device Restriction profile type, not an Endpoint Protection profile type.
+   > [!NOTE]
+   > The profile you select must be a Device Restriction profile type, not an Endpoint Protection profile type.
 
 2. Verify these settings are configured as follows:
 
@@ -67,8 +64,8 @@ Block at first sight requires a number of settings to be configured correctly or
 
    ![Intune config](images/defender/intune-block-at-first-sight.png)
 
-> [!Warning]
-> Setting the file blocking level to **High** will apply a strong level of detection. In the unlikely event that it causes a false positive detection of legitimate files, use the option to [restore the quarantined files](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus).
+   > [!WARNING]
+   > Setting the file blocking level to **High** will apply a strong level of detection. In the unlikely event that it causes a false positive detection of legitimate files, use the option to [restore the quarantined files](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus).
 
 For more information about configuring Windows Defender Antivirus device restrictions in Intune, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
 
@@ -77,18 +74,24 @@ For a list of Windows Defender Antivirus device restrictions in Intune, see [Dev
 ### Enable block at first sight with SCCM
 
 1. In System Center Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **AntiMalware Policies**.
-1. Click **Home** > **Create Antimalware Policy**.
-1. Enter a name and a description, and add these settings:
+
+2. Click **Home** > **Create Antimalware Policy**.
+
+3. Enter a name and a description, and add these settings:
    - **Real time protection**
    - **Advanced**
    - **Cloud Protection Service**
-1. In the left column, click **Real time protection**, set **Enable real-time protection** to **Yes**, and set **Scan system files** to **Scan incoming and outgoing files**.
+
+4. In the left column, click **Real time protection**, set **Enable real-time protection** to **Yes**, and set **Scan system files** to **Scan incoming and outgoing files**.
    ![Enable real-time protection](images/defender/sccm-real-time-protection.png)
-1. Click **Advanced**, set **Enable real-time protection** to **Yes**, and set **Scan system files** to **Scan incoming and outgoing files**.
+
+5. Click **Advanced**, set **Enable real-time protection** to **Yes**, and set **Scan system files** to **Scan incoming and outgoing files**.
    ![Enable Advanced settings](images/defender/sccm-advanced-settings.png)
-1. Click **Cloud Protection Service**, set **Cloud Protection Service membership type** to **Advanced membership**, set **Level for blocking malicious files** to **High**, and set **Allow extended cloud check to block and scan suspicious files for up to (seconds)** to **50** seconds.
+
+6. Click **Cloud Protection Service**, set **Cloud Protection Service membership type** to **Advanced membership**, set **Level for blocking malicious files** to **High**, and set **Allow extended cloud check to block and scan suspicious files for up to (seconds)** to **50** seconds.
    ![Enable Cloud Protection Service](images/defender/sccm-cloud-protection-service.png)
-1. Click **OK** to create the policy.
+
+7. Click **OK** to create the policy.
 
 
 ### Confirm block at first sight is enabled with Group Policy
@@ -97,25 +100,20 @@ For a list of Windows Defender Antivirus device restrictions in Intune, see [Dev
 
 2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
 
-3. Expand the tree to **Windows components > Windows Defender Antivirus > MAPS** and configure the following Group Policies:
+3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **MAPS**, configure the following Group Policies, and then click **OK**:
 
-   1. Double-click **Join Microsoft MAPS** and ensure the option is set to **Enabled**. Click **OK**.
+   -  Double-click **Join Microsoft MAPS** and ensure the option is set to **Enabled**. Click **OK**.
 
-   2. Double-click **Send file samples when further analysis is required** and ensure the option is set to **Enabled** and the additional options are either of the following:
+   - Double-click **Send file samples when further analysis is required** and ensure the option is set to **Enabled** and the additional options are either **Send safe samples (1)** or **Send all samples (3)**.
 
-      - Send safe samples (1)
-      - Send all samples (3)
+    > [!WARNING]
+    > Setting to **Always prompt (0)** will lower the protection state of the device. Setting to **Never send (2)** means block at first sight will not function.
 
-        > [!WARNING]
-        > Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means block at first sight will not function.
+4. In the **Group Policy Management Editor**, expand the tree to **Windows components** > **Windows Defender Antivirus** > **Real-time Protection**:
 
-   3. Click **OK**.
+    1. Double-click **Scan all downloaded files and attachments** and ensure the option is set to **Enabled**, and then click **OK**.
 
-4. In the **Group Policy Management Editor**, expand the tree to **Windows components > Windows Defender Antivirus > Real-time Protection**:
-
-    1. Double-click **Scan all downloaded files and attachments** and ensure the option is set to **Enabled**. Click **OK**.
-
-    2. Double-click **Turn off real-time protection** and ensure the option is set to **Disabled**. Click **OK**.
+    2. Double-click **Turn off real-time protection** and ensure the option is set to **Disabled**, and then click **OK**.
 
 If you had to change any of the settings, you should re-deploy the Group Policy Object across your network to ensure all endpoints are covered.
 
@@ -125,7 +123,7 @@ You can confirm that block at first sight is enabled in Windows Settings.
 
 Block at first sight is automatically enabled as long as **Cloud-based protection** and **Automatic sample submission** are both turned on.
 
-**Confirm Block at First Sight is enabled on individual clients**
+### Confirm Block at First Sight is enabled on individual clients
 
 1. Open the Windows Security app by clicking the shield icon in the task bar.
 
@@ -136,7 +134,7 @@ Block at first sight is automatically enabled as long as **Cloud-based protectio
 3. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**.
 
 > [!NOTE]
-> If the pre-requisite settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings.
+> If the prerequisite settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings.
 
 ### Validate block at first sight is working
 
@@ -147,20 +145,20 @@ You can validate that the feature is working by following the steps outlined in
 > [!WARNING]
 > Disabling block at first sight will lower the protection state of the endpoint and your network.
 
-You may choose to disable block at first sight if you want to retain the pre-requisite settings without using block at first sight protection. You might wish to do this if you are experiencing latency issues or you want to test the feature's impact on your network.
+You may choose to disable block at first sight if you want to retain the prerequisite settings without using block at first sight protection. You might wish to do this if you are experiencing latency issues or you want to test the feature's impact on your network.
 
-**Disable block at first sight with Group Policy**
+### Disable block at first sight with Group Policy
 
-1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure, and then click **Edit**.
 
 2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
 
-3. Expand the tree through **Windows components > Windows Defender Antivirus > MAPS**.
+3. Expand the tree through **Windows components** > **Windows Defender Antivirus** > **MAPS**.
 
 4. Double-click **Configure the 'Block at First Sight' feature** and set the option to **Disabled**.
 
     > [!NOTE]
-    > Disabling block at first sight will not disable or alter the pre-requisite group policies.
+    > Disabling block at first sight will not disable or alter the prerequisite group policies.
 
 ## Related topics
 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md
index 7b99538868..1b9c177447 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md
@@ -9,11 +9,13 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
 ms.date: 09/03/2018
 ms.reviewer: 
 manager: dansimp
+ms.custom: nextgen
 ---
 
 # Configure the cloud block timeout period
@@ -47,6 +49,6 @@ You can use Group Policy to specify an extended timeout for cloud checks.
 ## Related topics
 
 - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
-- [Use next-gen antivirus technologies through cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
+- [Use next-generation antivirus technologies through cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
 - [Configure block at first sight](configure-block-at-first-sight-windows-defender-antivirus.md)
 - [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md
index d4eface258..47161748b2 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
 ms.date: 09/03/2018
 ms.reviewer: 
 manager: dansimp
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md
index 21812cde6a..f6da565014 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
 ms.date: 09/03/2018
 ms.reviewer: 
 manager: dansimp
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
index c83644c873..a1020bef6f 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
 ms.date: 12/10/2018
 ms.reviewer: 
 manager: dansimp
@@ -25,26 +26,23 @@ manager: dansimp
 > [!IMPORTANT]
 > Windows Defender Antivirus exclusions don't apply to other Microsoft Defender ATP capabilities, including [endpoint detection and response (EDR)](../microsoft-defender-atp/overview-endpoint-detection-response.md), [attack surface reduction (ASR) rules](../microsoft-defender-atp/attack-surface-reduction.md), and [controlled folder access](../microsoft-defender-atp/controlled-folders.md). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, add them to the Microsoft Defender ATP [custom indicators](../microsoft-defender-atp/manage-indicators.md).
 
-You can exclude certain files from Windows Defender Antivirus scans by modifying exclusion lists.
+## Exclusion lists
 
-Generally, you shouldn't need to apply exclusions. Windows Defender Antivirus includes a number of automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations.
+You can exclude certain files from Windows Defender Antivirus scans by modifying exclusion lists. **Generally, you shouldn't need to apply exclusions**. Windows Defender Antivirus includes a number of automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations.
 
 > [!NOTE]
-> Automatic exclusions apply only to Windows Server 2016 and above. 
+> Automatic exclusions apply only to Windows Server 2016 and above. The default antimalware policy we deploy at Microsoft doesn't set any exclusions by default.
 
->[!TIP]
->The default antimalware policy we deploy at Microsoft doesn't set any exclusions by default.
-
-This topic describes how to configure exclusion lists for the following:
+This topic describes how to configure exclusion lists for the files and folders.
 
 Exclusion | Examples | Exclusion list
 ---|---|---
-Any file with a specific extension | All files with the .test extension, anywhere on the machine | Extension exclusions
-Any file under a specific folder | All files under the c:\test\sample folder | File and folder exclusions
-A specific file in a specific folder | The file c:\sample\sample.test only | File and folder exclusions
-A specific process | The executable file c:\test\process.exe | File and folder exclusions
+Any file with a specific extension | All files with the `.test` extension, anywhere on the machine | Extension exclusions
+Any file under a specific folder | All files under the `c:\test\sample` folder | File and folder exclusions
+A specific file in a specific folder | The file `c:\sample\sample.test` only | File and folder exclusions
+A specific process | The executable file `c:\test\process.exe` | File and folder exclusions
 
-This means the exclusion lists have the following characteristics:
+Exclusion lists have the following characteristics:
 
 - Folder exclusions will apply to all files and folders under that folder, unless the subfolder is a reparse point. Reparse point subfolders must be excluded separately.
 - File extensions will apply to any file name with the defined extension if a path or folder is not defined.
@@ -65,21 +63,23 @@ The exclusions apply to [scheduled scans](scheduled-catch-up-scans-windows-defen
 >
 >Changes made in the Windows Security app **will not show** in the Group Policy lists.
 
-By default, local changes made to the lists (by users with administrator privileges, including changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in case of conflicts.
+By default, local changes made to the lists (by users with administrator privileges, including changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence when there are conflicts.
 
 You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-windows-defender-antivirus.md#merge-lists) to allow local changes to override managed deployment settings.
 
 ## Configure the list of exclusions based on folder name or file extension
 
-**Use Intune to configure file name, folder, or file extension exclusions:**
+### Use Intune to configure file name, folder, or file extension exclusions
 
-See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details.
+See the following articles:
+- [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure)
+- [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus)
 
-**Use Configuration Manager to configure file name, folder, or file extension exclusions:**
+### Use Configuration Manager to configure file name, folder, or file extension exclusions
 
 See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring System Center Configuration Manager (current branch).
 
-**Use Group Policy to configure folder or file extension exclusions:**
+### Use Group Policy to configure folder or file extension exclusions
 
 >[!NOTE]
 >If you specify a fully qualified path to a file, then only that file is excluded. If a folder is defined in the exclusion, then all files and subdirectories under that folder are excluded.
@@ -112,7 +112,7 @@ See [How to create and deploy antimalware policies: Exclusion settings](https://
 
 
 
-**Use PowerShell cmdlets to configure file name, folder, or file extension exclusions:**
+### Use PowerShell cmdlets to configure file name, folder, or file extension exclusions
 
 Using PowerShell to add or remove exclusions for files based on the extension, location, or file name requires using a combination of three cmdlets and the appropriate exclusion list parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/itpro/powershell/windows/defender/defender).
 
@@ -140,15 +140,15 @@ All files under a folder (including files in subdirectories), or a specific file
 >[!IMPORTANT]
 >If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list.
 
-For example, the following code snippet would cause Windows Defender AV scans to exclude any file with the **.test** file extension:
+For example, the following code snippet would cause Windows Defender AV scans to exclude any file with the `.test` file extension:
 
 ```PowerShell
 Add-MpPreference -ExclusionExtension ".test"
 ```
 
-See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+For more information, see [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index).
 
-**Use Windows Management Instruction (WMI) to configure file name, folder, or file extension exclusions:**
+### Use Windows Management Instruction (WMI) to configure file name, folder, or file extension exclusions
 
 Use the [**Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
 
@@ -159,20 +159,18 @@ ExclusionPath
 
 The use of **Set**, **Add**, and **Remove** is analogous to their counterparts in PowerShell: `Set-MpPreference`, `Add-MpPreference`, and `Remove-MpPreference`.
 
-See the following for more information and allowed parameters:
-
-- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx)
+For more information, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx).
 
 
 
-**Use the Windows Security app to configure file name, folder, or file extension exclusions:**
+### Use the Windows Security app to configure file name, folder, or file extension exclusions
 
 See [Add exclusions in the Windows Security app](windows-defender-security-center-antivirus.md#exclusions) for instructions.
 
 
 ## Use wildcards in the file name and folder path or extension exclusion lists
 
-You can use the asterisk `*`, question mark `?`, or environment variables (such as `%ALLUSERSPROFILE%`) as wildcards when defining items in the file name or folder path exclusion list. The way in which these wildcards are interpreted differs from their usual usage in other apps and languages, so you should read this section to understand their specific limitations.
+You can use the asterisk `*`, question mark `?`, or environment variables (such as `%ALLUSERSPROFILE%`) as wildcards when defining items in the file name or folder path exclusion list. The way in which these wildcards are interpreted differs from their usual usage in other apps and languages. Make sure to read this section to understand their specific limitations.
 
 >[!IMPORTANT]
 >There are key limitations and usage scenarios for these wildcards:
@@ -193,7 +191,7 @@ The following table describes how the wildcards can be used and provides some ex
     
         * (asterisk)
         Replaces any number of characters. 
Only applies to files in the last folder defined in the argument. 
-        Replaces a single folder. 
Use multiple * with folder slashes \ to indicate multiple, nested folders. 
After matching the number of wilcarded and named folders, all subfolders will also be included.
+        Replaces a single folder. 
Use multiple * with folder slashes \ to indicate multiple, nested folders. 
After matching the number of wild carded and named folders, all subfolders will also be included.
         
             
    
                 
  1. C:\MyData\*.txt
    2. 
@@ -227,7 +225,7 @@ The following table describes how the wildcards can be used and provides some ex
         
         
             Replaces a single character in a folder name. 
    
-            After matching the number of wilcarded and named folders, all subfolders will also be included.
+            After matching the number of wild carded and named folders, all subfolders will also be included.
         
         
             
      
@@ -264,15 +262,20 @@ The following table describes how the wildcards can be used and provides some ex
 >[!IMPORTANT]
 >If you mix a file exclusion argument with a folder exclusion argument, the rules will stop at the file argument match in the matched folder, and will not look for file matches in any subfolders.
 >
->For example, you can exclude all files that start with "date" in the folders *c:\data\final\marked* and *c:\data\review\marked* by using the rule argument c:\data\\\*\marked\date*.\*.
+>For example, you can exclude all files that start with "date" in the folders `c:\data\final\marked` and `c:\data\review\marked` by using the rule argument c:\data\\\*\marked\date*.\*.
 >
->This argument, however, will not match any files in **subfolders** under *c:\data\final\marked* or *c:\data\review\marked*.
+>This argument, however, will not match any files in **subfolders** under `c:\data\final\marked` or `c:\data\review\marked`.
 
 
 
 ## Review the list of exclusions
 
-You can retrieve the items in the exclusion list with [Intune](https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune), [System Center Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), MpCmdRun, PowerShell, or the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions).
+You can retrieve the items in the exclusion list using one of the following methods:
+- [Intune](https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune)
+- [System Center Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings)
+- MpCmdRun
+- PowerShell
+- [Windows Security app](windows-defender-security-center-antivirus.md#exclusions)
 
 >[!IMPORTANT]
 >Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions).
@@ -284,7 +287,7 @@ If you use PowerShell, you can retrieve the list in two ways:
 - Retrieve the status of all Windows Defender Antivirus preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line.
 - Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line.
 
-**Validate the exclusion list by using MpCmdRun:**
+### Validate the exclusion list by using MpCmdRun
 
 To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command:
 
@@ -295,7 +298,7 @@ MpCmdRun.exe -CheckExclusion -path 
 >[!NOTE]
 >Checking exclusions with MpCmdRun requires Windows Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later.
 
-**Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using PowerShell:**
+### Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using PowerShell
 
 Use the following cmdlet:
 
@@ -307,9 +310,9 @@ In the following example, the items contained in the `ExclusionExtension` list a
 
 ![PowerShell output for Get-MpPreference showing the exclusion list alongside other preferences](images/defender/wdav-powershell-get-exclusions-all.png)
 
-See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+For more information, see [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index).
 
-**Retrieve a specific exclusions list by using PowerShell:**
+### Retrieve a specific exclusions list by using PowerShell
 
 Use the following code snippet (enter each line as a separate command); replace **WDAVprefs** with whatever label you want to name the variable:
 
@@ -323,7 +326,7 @@ In the following example, the list is split into new lines for each use of the `
 
 ![PowerShell output showing only the entries in the exclusion list](images/defender/wdav-powershell-get-exclusions-variable.png)
 
-See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+For more information, see [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index).
 
 
 
@@ -331,15 +334,15 @@ See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use
 
 You can validate that your exclusion lists are working by using PowerShell with either the `Invoke-WebRequest` cmdlet or the .NET WebClient class to download a test file.
 
-In the following PowerShell snippet, replace *test.txt* with a file that conforms to your exclusion rules. For example, if you have excluded the .testing extension, replace *test.txt* with *test.testing*. If you are testing a path, ensure you run the cmdlet within that path.
+In the following PowerShell snippet, replace *test.txt* with a file that conforms to your exclusion rules. For example, if you have excluded the `.testing` extension, replace `test.txt` with `test.testing`. If you are testing a path, ensure you run the cmdlet within that path.
 
 ```PowerShell
 Invoke-WebRequest "http://www.eicar.org/download/eicar.com.txt" -OutFile "test.txt"
 ```
 
-If Windows Defender Antivirus reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm the contents are the same as what is described on the [EICAR testfile website](http://www.eicar.org/86-0-Intended-use.html).
+If Windows Defender Antivirus reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm the contents are the same as what is described on the [EICAR test file website](http://www.eicar.org/86-0-Intended-use.html).
 
-You can also use the following PowerShell code, which calls the .NET WebClient class to download the testfile - as with the `Invoke-WebRequest` cmdlet; replace *c:\test.txt* with a file that conforms to the rule you are validating:
+You can also use the following PowerShell code, which calls the .NET WebClient class to download the test file - as with the `Invoke-WebRequest` cmdlet; replace *c:\test.txt* with a file that conforms to the rule you are validating:
 
 ```PowerShell
 $client = new-object System.Net.WebClient
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md
index 499df8dfac..c51a7da9ea 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
 ms.date: 09/03/2018
 ms.reviewer: 
 manager: dansimp
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
index d600158473..0bd81387b5 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
 ms.date: 10/08/2018
 ms.reviewer: 
 manager: dansimp
@@ -24,9 +25,9 @@ manager: dansimp
 
 To ensure Windows Defender Antivirus cloud-delivered protection works properly, you need to configure your network to allow connections between your endpoints and certain Microsoft servers.
 
-This topic lists the connections that must be allowed, such as by using firewall rules, and provides instructions for validating your connection. This will help ensure you receive the best protection from our cloud-delivered protection services.
+This article lists the connections that must be allowed, such as by using firewall rules, and provides instructions for validating your connection. Configuring your protection properly helps ensure that you receive the best value from your cloud-delivered protection services.
 
-See the Enterprise Mobility and Security blog post [Important changes to Microsoft Active Protection Services endpoint](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/important-changes-to-microsoft-active-protection-service-maps-endpoint/) for some details about network connectivity.
+See the blog post [Important changes to Microsoft Active Protection Services endpoint](https://techcommunity.microsoft.com/t5/Configuration-Manager-Archive/Important-changes-to-Microsoft-Active-Protection-Service-MAPS/ba-p/274006) for some details about network connectivity.
 
 >[!TIP]
 >You can also visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working:
@@ -37,7 +38,7 @@ See the Enterprise Mobility and Security blog post [Important changes to Microso
 
 ## Allow connections to the Windows Defender Antivirus cloud service
 
-The Windows Defender Antivirus cloud service provides fast, strong protection for your endpoints. Enabling the cloud-delivered protection service is optional, however it is highly recommended because it provides very important protection against malware on your endpoints and across your network.
+The Windows Defender Antivirus cloud service provides fast, strong protection for your endpoints. Enabling the cloud-delivered protection service is optional, however it is highly recommended because it provides important protection against malware on your endpoints and across your network.
 
 >[!NOTE]
 >The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates.
@@ -46,19 +47,18 @@ See [Enable cloud-delivered protection](enable-cloud-protection-windows-defender
 
 After you've enabled the service, you may need to configure your network or firewall to allow connections between it and your endpoints.
 
-As a cloud service, it is required that computers have access to the internet and that the ATP machine learning services are reachable. The URL: "\*.blob.core.windows.net" should not be excluded from any kind of network inspection. The table below lists the services and their associated URLs. You should ensure there are no firewall or network filtering rules denying access to these URLs, or you may need to create an allow rule specifically for them (excluding the URL: "\*.blob.core.windows.net"). Below mention URLs are using port 443 for communication.
+Because your protection is a cloud service, computers must have access to the internet and reach the ATP machine learning services. Do not exclude the URL `*.blob.core.windows.net` from any kind of network inspection. The table below lists the services and their associated URLs. Make sure that there are no firewall or network filtering rules denying access to these URLs, or you may need to create an allow rule specifically for them (excluding the URL `*.blob.core.windows.net`). Below mention URLs are using port 443 for communication.
 
 
 | **Service**| **Description** |**URL** |
 | :--: | :-- | :-- |
-| *Windows Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)*|Used by Windows Defender Antivirus to provide cloud-delivered protection|\*.wdcp.microsoft.com  \*.wdcpalt.microsoft.com  \*.wd.microsoft.com|
-| *Microsoft Update Service (MU)*|	Security intelligence and product updates	|\*.update.microsoft.com|
-| *Security intelligence updates Alternate Download Location (ADL)*|	Alternate location for Windows Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)|	\*.download.microsoft.com|
-| *Malware submission storage*|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission	| ussus1eastprod.blob.core.windows.net   ussus1westprod.blob.core.windows.net   usseu1northprod.blob.core.windows.net   usseu1westprod.blob.core.windows.net   ussuk1southprod.blob.core.windows.net   ussuk1westprod.blob.core.windows.net   ussas1eastprod.blob.core.windows.net   ussas1southeastprod.blob.core.windows.net   ussau1eastprod.blob.core.windows.net   ussau1southeastprod.blob.core.windows.net |
-| *Certificate Revocation List (CRL)*|Used by Windows when creating the SSL connection to MAPS for updating the CRL	| http://www.microsoft.com/pkiops/crl/   http://www.microsoft.com/pkiops/certs  http://crl.microsoft.com/pki/crl/products   http://www.microsoft.com/pki/certs |
-| *Symbol Store*|Used by Windows Defender Antivirus to restore certain critical files during remediation flows	| https://msdl.microsoft.com/download/symbols |
-| *Universal Telemetry Client*| Used by Windows to send client diagnostic data; Windows Defender Antivirus uses this for product quality monitoring purposes	| This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints:   vortex-win.data.microsoft.com  settings-win.data.microsoft.com|
-
+| Windows Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)|Used by Windows Defender Antivirus to provide cloud-delivered protection|`*.wdcp.microsoft.com` 
       `*.wdcpalt.microsoft.com` 
       `*.wd.microsoft.com`|
+| Microsoft Update Service (MU)|	Security intelligence and product updates	|`*.update.microsoft.com`|
+|Security intelligence updates Alternate Download Location (ADL)|	Alternate location for Windows Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)|	`*.download.microsoft.com`|
+| Malware submission storage|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission	| `ussus1eastprod.blob.core.windows.net` 
          `ussus1westprod.blob.core.windows.net` 
          `usseu1northprod.blob.core.windows.net` 
          `usseu1westprod.blob.core.windows.net` 
          `ussuk1southprod.blob.core.windows.net` 
          `ussuk1westprod.blob.core.windows.net` 
          `ussas1eastprod.blob.core.windows.net` 
          `ussas1southeastprod.blob.core.windows.net` 
          `ussau1eastprod.blob.core.windows.net` 
          `ussau1southeastprod.blob.core.windows.net` |
+| Certificate Revocation List (CRL)|Used by Windows when creating the SSL connection to MAPS for updating the CRL	| `https://www.microsoft.com/pkiops/crl/` 
       `https://www.microsoft.com/pkiops/certs` 
         `https://crl.microsoft.com/pki/crl/products` 
       `https://www.microsoft.com/pki/certs` |
+| Symbol Store|Used by Windows Defender Antivirus to restore certain critical files during remediation flows	| `https://msdl.microsoft.com/download/symbols` |
+| Universal Telemetry Client| Used by Windows to send client diagnostic data; Windows Defender Antivirus uses this for product quality monitoring purposes	| This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints:   `vortex-win.data.microsoft.com` 
         `settings-win.data.microsoft.com`|
 
 ## Validate connections between your network and the cloud
 
@@ -66,7 +66,7 @@ After whitelisting the URLs listed above, you can test if you are connected to t
 
 **Use the cmdline tool to validate cloud-delivered protection:**
 
-Use the following argument with the Windows Defender Antivirus command line utility (*mpcmdrun.exe*) to verify that your network can communicate with the Windows Defender Antivirus cloud service:
+Use the following argument with the Windows Defender Antivirus command-line utility (`mpcmdrun.exe`) to verify that your network can communicate with the Windows Defender Antivirus cloud service:
 
 ```DOS
 "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -ValidateMapsConnection
@@ -75,7 +75,7 @@ Use the following argument with the Windows Defender Antivirus command line util
 > [!NOTE]
 > You need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt. This command will only work on Windows 10, version 1703 or higher.
 
-See [Manage Windows Defender Antivirus with the mpcmdrun.exe commandline tool](command-line-arguments-windows-defender-antivirus.md) for more information on how to use the *mpcmdrun.exe* utility.
+For more information, see [Manage Windows Defender Antivirus with the mpcmdrun.exe commandline tool](command-line-arguments-windows-defender-antivirus.md).
 
 **Attempt to download a fake malware file from Microsoft:**
 
@@ -112,16 +112,19 @@ You will also see a detection under **Quarantined threats** in the **Scan histor
     ![Screenshot of quarantined items in the Windows Security app](images/defender/wdav-quarantined-history-wdsc.png)
 
 >[!NOTE]
->Versions of Windows 10 before version 1703 have a different user interface. See [Windows Defender Antivirus in the Windows Security app](windows-defender-security-center-antivirus.md) for more information about the differences between versions, and instructions on how to perform common tasks in the different interfaces.
+>Versions of Windows 10 before version 1703 have a different user interface. See [Windows Defender Antivirus in the Windows Security app](windows-defender-security-center-antivirus.md).
 
 The Windows event log will also show [Windows Defender client event ID 2050](troubleshoot-windows-defender-antivirus.md).
 
 >[!IMPORTANT]
 >You will not be able to use a proxy auto-config (.pac) file to test network connections to these URLs. You will need to verify your proxy servers and any network filtering tools manually to ensure connectivity.
 
-## Related topics
+## Related articles
 
 - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+
 - [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
+
 - [Run an Windows Defender Antivirus scan from the command line](command-line-arguments-windows-defender-antivirus.md) and [Command line arguments](command-line-arguments-windows-defender-antivirus.md)
-- [Important changes to Microsoft Active Protection Services endpoint](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/important-changes-to-microsoft-active-protection-service-maps-endpoint/) 
+
+- [Important changes to Microsoft Active Protection Services endpoint](https://techcommunity.microsoft.com/t5/Configuration-Manager-Archive/Important-changes-to-Microsoft-Active-Protection-Service-MAPS/ba-p/274006) 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md
index 61c02f6a88..6bd6aeb7b2 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
 ms.date: 09/03/2018
 ms.reviewer: 
 manager: dansimp
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md
index d2191e0488..36714d75c3 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
 ms.date: 12/10/2018
 ms.reviewer: 
 manager: dansimp
@@ -52,15 +53,15 @@ You can [configure how locally and globally defined exclusions lists are merged]
 
 
 
-**Use Microsoft Intune to exclude files that have been opened by specified processes from scans:**
+### Use Microsoft Intune to exclude files that have been opened by specified processes from scans
 
 See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details.
 
-**Use System Center Configuration Manager to exclude files that have been opened by specified processes from scans:**
+### Use System Center Configuration Manager to exclude files that have been opened by specified processes from scans
 
 See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring System Center Configuration Manager (current branch).
 
-**Use Group Policy to exclude files that have been opened by specified processes from scans:**
+### Use Group Policy to exclude files that have been opened by specified processes from scans
 
 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
 
@@ -80,7 +81,7 @@ See [How to create and deploy antimalware policies: Exclusion settings](https://
 
 
 
-**Use PowerShell cmdlets to exclude files that have been opened by specified processes from scans:**
+### Use PowerShell cmdlets to exclude files that have been opened by specified processes from scans
 
 Using PowerShell to add or remove exclusions for files that have been opened by processes requires using a combination of three cmdlets with the `-ExclusionProcess` parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/itpro/powershell/windows/defender/defender).
 
@@ -109,7 +110,7 @@ Add-MpPreference -ExclusionProcess "c:\internal\test.exe"
 
 See [Manage antivirus with PowerShell cmdlets](use-powershell-cmdlets-windows-defender-Windows Defender Antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
 
-**Use Windows Management Instruction (WMI) to exclude files that have been opened by specified processes from scans:**
+### Use Windows Management Instruction (WMI) to exclude files that have been opened by specified processes from scans
 
 Use the [**Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
 
@@ -125,7 +126,7 @@ See the following for more information and allowed parameters:
 
 
 
-**Use the Windows Security app to exclude files that have been opened by specified processes from scans:**
+### Use the Windows Security app to exclude files that have been opened by specified processes from scans
 
 See [Add exclusions in the Windows Security app](windows-defender-security-center-antivirus.md#exclusions) for instructions.
 
@@ -156,7 +157,7 @@ If you use PowerShell, you can retrieve the list in two ways:
 - Retrieve the status of all Windows Defender Antivirus preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line.
 - Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line.
 
-**Validate the exclusion list by using MpCmdRun:**
+### Validate the exclusion list by using MpCmdRun
 
 To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command:
 
@@ -168,7 +169,7 @@ MpCmdRun.exe -CheckExclusion -path 
 >Checking exclusions with MpCmdRun requires Windows Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later.
 
 
-**Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using PowerShell:**
+### Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using PowerShell
 
 Use the following cmdlet:
 
@@ -178,7 +179,7 @@ Get-MpPreference
 
 See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
 
-**Retrieve a specific exclusions list by using PowerShell:**
+### Retrieve a specific exclusions list by using PowerShell
 
 Use the following code snippet (enter each line as a separate command); replace **WDAVprefs** with whatever label you want to name the variable:
 
@@ -189,7 +190,7 @@ $WDAVprefs.ExclusionProcess
 
 See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
 
-## Related topics
+## Related articles
 
 - [Configure and validate exclusions in Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md)
 - [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md
index c1495c80c6..8e6f966e08 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
 ms.date: 09/03/2018
 ms.reviewer: 
 manager: dansimp
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md
index 90c2964d84..06ca413d66 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md
@@ -9,11 +9,12 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
 ms.date: 11/13/2018
 ms.reviewer: 
 manager: dansimp
+ms.custom: nextgen
 ---
 
 # Enable and configure antivirus always-on protection and monitoring
@@ -43,7 +44,7 @@ To configure these settings:
 Location | Setting | Description | Default setting (if not configured)
 ---|---|---|---
 Real-time protection | Monitor file and program activity on your computer | The Windows Defender Antivirus engine makes note of any file changes (file writes, such as moves, copies, or modifications) and general program activity (programs that are opened or running and that cause other programs to run) | Enabled
-Real-time protection | Scan all downloaded files and attachments | Downloaded files and attachments are automatically scanned. This operates in addition to the SmartScreen filter, which scans files before and during downloading | Enabled
+Real-time protection | Scan all downloaded files and attachments | Downloaded files and attachments are automatically scanned. This operates in addition Windows Defender SmartScreen, which scans files before and during downloading | Enabled
 Real-time protection | Turn on process scanning whenever real-time protection is enabled | You can independently enable the Windows Defender Antivirus engine to scan running processes for suspicious modifications or behaviors. This is useful if you have temporarily disabled real-time protection and want to automatically scan processes that started while it was disabled | Enabled
 Real-time protection | Turn on behavior monitoring | The AV engine will monitor file processes, file and registry changes, and other events on your endpoints for suspicious and known malicious activity | Enabled
 Real-time protection | Turn on raw volume write notifications | Information about raw volume writes will be analyzed by behavior monitoring | Enabled
@@ -59,7 +60,7 @@ Root | Allow antimalware service to remain running always | If protection update
 
 The main real-time protection capability is enabled by default, but you can disable it with Group Policy:
 
-**Use Group Policy to disable real-time protection:**
+### Use Group Policy to disable real-time protection
 
 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
 
@@ -69,7 +70,7 @@ The main real-time protection capability is enabled by default, but you can disa
 
 4. Double-click the **Turn off real-time protection** setting and set the option to **Enabled**. Click **OK**.
 
-## Related topics
+## Related articles
 
 - [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md)
 - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md
index 2b5bb82466..9702fdb478 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
 ms.date: 09/03/2018
 ms.reviewer: 
 manager: dansimp
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
index caae6efc4e..85b7b015a3 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
@@ -11,8 +11,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
 ---
 
 # Configure Windows Defender Antivirus exclusions on Windows Server
@@ -35,8 +36,6 @@ Custom exclusions take precedence over automatic exclusions.
 > [!TIP]
 > Custom and duplicate exclusions do not conflict with automatic exclusions.
 
-
-
 Windows Defender Antivirus uses the Deployment Image Servicing and Management (DISM) tools to determine which roles are installed on your computer.
 
 ## Opt out of automatic exclusions
@@ -54,7 +53,7 @@ In Windows Server 2016, the predefined exclusions delivered by Security intellig
 
 You can disable the automatic exclusion lists with Group Policy, PowerShell cmdlets, and WMI.
 
-**Use Group Policy to disable the auto-exclusions list on Windows Server 2016:**
+### Use Group Policy to disable the auto-exclusions list on Windows Server 2016
 
 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
 
@@ -74,7 +73,7 @@ Set-MpPreference -DisableAutoExclusions $true
 
 See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
 
-**Use Windows Management Instruction (WMI) to disable the auto-exclusions list on Windows Server 2016:**
+### Use Windows Management Instruction (WMI) to disable the auto-exclusions list on Windows Server 2016
 
 Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
 
@@ -294,6 +293,7 @@ This section lists the exclusions that are delivered automatically when you inst
   - %systemroot%\System32\lsass.exe
 
 ### DHCP Server exclusions
+
 This section lists the exclusions that are delivered automatically when you install the DHCP Server role. The DHCP Server file locations are specified by the *DatabasePath*, *DhcpLogFilePath*, and *BackupDatabasePath* parameters in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters`
 
 - *%systemroot%*\System32\DHCP\\*\\\*.mdb
@@ -307,6 +307,7 @@ This section lists the exclusions that are delivered automatically when you inst
 - *%systemroot%*\System32\DHCP\\*\\\*.edb
 
 ### DNS Server exclusions
+
 This section lists the file and folder exclusions and the process exclusions that are delivered automatically when you install the DNS Server role.
 
 - File and folder exclusions for the DNS Server role:
@@ -324,6 +325,7 @@ This section lists the file and folder exclusions and the process exclusions tha
   - *%systemroot%*\System32\dns.exe
 
 ### File and Storage Services exclusions
+
 This section lists the file and folder exclusions that are delivered automatically when you install the File and Storage Services role. The exclusions listed below do not include exclusions for the Clustering role.
 
 - *%SystemDrive%*\ClusterStorage
@@ -333,6 +335,7 @@ This section lists the file and folder exclusions that are delivered automatical
 - *%SystemDrive%*\mscs
 
 ### Print Server exclusions
+
 This section lists the file type exclusions, folder exclusions, and the process exclusions that are delivered automatically when you install the Print Server role.
 
 - File type exclusions:
@@ -350,6 +353,7 @@ This section lists the file type exclusions, folder exclusions, and the process
   - spoolsv.exe
 
 ### Web Server exclusions
+
 This section lists the folder exclusions and the process exclusions that are delivered automatically when you install the Web Server role.
 
 - Folder exclusions:
@@ -373,6 +377,7 @@ This section lists the folder exclusions and the process exclusions that are del
   - *%SystemDrive%*\PHP5433\php-cgi.exe
 
 ### Windows Server Update Services exclusions
+
 This section lists the folder exclusions that are delivered automatically when you install the Windows Server Update Services (WSUS) role. The WSUS folder is specified in the registry key `HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup`
 
 - *%systemroot%*\WSUS\WSUSContent
@@ -383,7 +388,7 @@ This section lists the folder exclusions that are delivered automatically when y
 
 - *%systemroot%*\SoftwareDistribution\Download
 
-## Related topics
+## Related articles
 
 - [Configure and validate exclusions for Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md)
 - [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md b/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md
index da95773da3..d771955c80 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
 ms.date: 09/03/2018
 ms.reviewer: 
 manager: dansimp
diff --git a/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
index a700977d08..4e5666fd45 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
 ms.date: 09/03/2018
 ms.reviewer: 
 manager: dansimp
diff --git a/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md
index b95dce5844..ad4a8eee3e 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
 ms.date: 09/03/2018
 ms.reviewer: 
 manager: dansimp
diff --git a/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md
index 4371855830..9f668be613 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
 ms.date: 09/03/2018
 ms.reviewer: 
 manager: dansimp
diff --git a/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
index 307d8fcd7d..b5a79ca055 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
 ms.date: 09/03/2018
 ms.reviewer: 
 manager: dansimp
@@ -42,11 +43,11 @@ This guide will show you how to configure your VMs for optimal protection and pe
 
 You can also download the whitepaper [Windows Defender Antivirus on Virtual Desktop Infrastructure](https://demo.wd.microsoft.com/Content/wdav-testing-vdi-ssu.pdf) which looks at the new shared security intelligence update feature, alongside performance testing and guidance on how you can test antivirus performance on your own VDI.
 
->[!IMPORTANT]
+> [!IMPORTANT]
 > While the VDI can be hosted on Windows Server 2012 or Windows Server 2016, the virtual machines (VMs) should be running Windows 10, 1607 at a minimum, due to increased protection technologies and features that are unavailable in earlier versions of Windows.
 
 
->[!NOTE]
+> [!NOTE]
 > There are performance and feature improvements to the way in which Windows Defender AV operates on virtual machines in Windows 10 Insider Preview, build 18323 (and later). We'll identify in this guide if you need to be using an Insider Preview build; if it isn't specified, then the minimum required version for the best protection and performance is Windows 10 1607.
 
 
@@ -88,7 +89,7 @@ Open the Intune management portal either by searching for Intune on https://port
 1. Click **Assignments**. The **Include** tab is automatically selected. In the drop-down menu, select **Selected Groups**, then click **Select groups to include**. Click the **VDI test VMs** group and then **Select**. 
 1. Click **Evaluate** to see how many users/devices will be impacted. If the number makes sense, click **Save**. If the number doesn’t make sense, go back to the groups blade and confirm the group contains the right users or devices.
 1. The profile will now be deployed to the impacted devices. Note that this may take some time.
-    
+
 #### Use Group Policy to enable the shared security intelligence feature:
 1. On your Group Policy management computer, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click Edit.
 1. In the **Group Policy Management Editor** go to **Computer configuration**.
@@ -96,7 +97,7 @@ Open the Intune management portal either by searching for Intune on https://port
 1. Expand the tree to **Windows components > Windows Defender Antivirus > Security Intelligence Updates**
 1. Double-click Define security intelligence location for VDI clients and set the option to Enabled. A field automatically appears, enter *\\\wdav-update *(see the [Download and unpackage](#download-and-unpackage-the-latest-updates) section for what this will be). Click **OK**.
 1. Deploy the GPO to the VMs you want to test.
-    
+
 #### Use PowerShell to enable the shared security intelligence feature:
 Use the following cmdlet to enable the feature. You’ll need to then push this as you normally would push PowerShell-based configuration policies onto the VMs:
     
@@ -105,10 +106,10 @@ Set-MpPreference -SharedSignaturesPath \\\wdav-update
 ```
 
 See the [Download and unpackage](#download-and-unpackage-the-latest-updates) section for what the \ will be.
-    
+
 ### Download and unpackage the latest updates
 Now you can get started on downloading and installing new updates. We’ve created a sample PowerShell script for you below. This script is the easiest way to download new updates and get them ready for your VMs. You should then set the script to run at a certain time on the management machine by using a scheduled task (or, if you’re familiar with using PowerShell scripts in Azure, Intune, or SCCM, you could also use those).
-    
+
 ```PowerShell
 $vdmpathbase = 'c:\wdav-update\{00000000-0000-0000-0000-'
 $vdmpathtime = Get-Date -format "yMMddHHmmss"
@@ -176,8 +177,8 @@ Sometimes, Windows Defender Antivirus notifications may be sent to or persist ac
 
 This setting will prevent a scan from occurring after receiving an update. You can apply this when creating the base image if you have also run a quick scan. This prevents the newly updated VM from performing a scan again (as you've already scanned it when you created the base image).
 
->[!IMPORTANT]
->Running scans after an update will help ensure your VMs are protected with the latest Security intelligence updates. Disabling this option will reduce the protection level of your VMs and should only be used when first creating or deploying the base image.
+> [!IMPORTANT]
+> Running scans after an update will help ensure your VMs are protected with the latest Security intelligence updates. Disabling this option will reduce the protection level of your VMs and should only be used when first creating or deploying the base image.
 
 1. Expand the tree to **Windows components > Windows Defender > Signature Updates** and configure the following setting:
 
@@ -202,6 +203,6 @@ On Windows Server 2016, Windows Defender Antivirus will automatically deliver th
 
 ## Additional resources
 
-- [Video: Microsoft Senior Program Manager Bryan Keller on how System Center Configuration Manger 2012 manages VDI and integrates with App-V]( http://channel9.msdn.com/Shows/Edge/Edge-Show-5-Manage-VDI-using-SCCM-2012#time=03m02s)
+- [Video: Microsoft Senior Program Manager Bryan Keller on how System Center Configuration Manger 2012 manages VDI and integrates with App-V]( https://channel9.msdn.com/Shows/Edge/Edge-Show-5-Manage-VDI-using-SCCM-2012#time=03m02s)
 - [TechNet forums on Remote Desktop Services and VDI](https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverTS)
-- [SignatureDownloadCustomTask PowerShell script](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4/DisplayScript)
+- [SignatureDownloadCustomTask PowerShell script](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
index 20f5db2632..0013143d29 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: detect
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
 audience: ITPro
 ms.date: 10/02/2018
 ms.reviewer: 
@@ -51,9 +52,17 @@ Although potentially unwanted application protection in Microsoft Edge (Chromium
 1. Under the **Services** section, you can toggle **Potentially unwanted app blocking** on or off
 
 > [!TIP]
-> If you are running Microsoft Edge (Chromium-based), you can safely explore the URL-blocking feature of PUA protection by testing it out on one of our Windows Defender SmartScreen demo pages.
+> If you are running Microsoft Edge (Chromium-based), you can safely explore the URL-blocking feature of PUA protection by testing it out on one of our Windows Defender SmartScreen [demo pages](https://demo.smartscreen.msft.net/).
 
-
+#### Blocking URLs with Windows Defender SmartScreen
+
+In Chromium-based Edge with PUA protection turned on, Windows Defender SmartScreen will protect you from PUA-associated URLs.
+
+Admins can  [configure](https://docs.microsoft.com/DeployEdge/configure-microsoft-edge) how Microsoft Edge and Windows Defender SmartScreen work together to protect groups of users from PUA-associated URLs. There are several group policy [settings](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreen-settings) explicitly for Windows
+Defender SmartScreen available, including [one for blocking PUA](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreenpuaenabled). In addition, admins can
+[configure Windows Defender SmartScreen](https://docs.microsoft.com/microsoft-edge/deploy/available-policies?source=docs#configure-windows-defender-smartscreen) as a whole, using group policy settings to turn Windows Defender SmartScreen on or off.
+
+Although Microsoft Defender ATP has its own block list, based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you [create and manage indicators](../microsoft-defender-atp/manage-indicators.md#create-indicators-for-ips-and-urlsdomains-preview) in the Microsoft Defender ATP portal, Windows Defender SmartScreen will respect the new settings.
 
 ### Windows Defender Antivirus
 
@@ -85,9 +94,9 @@ See [Configure device restriction settings in Microsoft Intune](https://docs.mic
 
 ##### Use Configuration Manager to configure PUA protection
 
-PUA protection is enabled by default in the System Center Configuration Manager (current branch), starting with  version 1606.
+PUA protection is enabled by default in the System Center Configuration Manager (Current Branch), starting with  version 1606.
 
-See [How to create and deploy antimalware policies: Scheduled scans settings](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) for details on configuring System Center Configuration Manager (current branch).
+See [How to create and deploy antimalware policies: Scheduled scans settings](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) for details on configuring System Center Configuration Manager (Current Branch).
 
 For Configuration Manager 2012, see [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA).
 
@@ -134,7 +143,7 @@ See [Troubleshoot event IDs](troubleshoot-windows-defender-antivirus.md) for det
 
 Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In these cases, a file can be allow-listed. See [How to Configure Endpoint Protection in Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/hh508770(v=technet.10)#to-exclude-specific-files-or-folders) for information on allowing files which are currently blocked by PUA protection in Windows Defender Antivirus.
 
-## Related topics
+## Related articles
 
-- [Next gen protection](windows-defender-antivirus-in-windows-10.md)
+- [Next-generation protection](windows-defender-antivirus-in-windows-10.md)
 - [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md
index c9aca52f0d..328b3fc5a0 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md
@@ -9,10 +9,11 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
 ms.reviewer: 
 manager: dansimp
+ms.custom: nextgen
 ---
 
 # Enable cloud-delivered protection
@@ -42,7 +43,7 @@ There are specific network-connectivity requirements to ensure your endpoints ca
 2. Select **All services > Intune**.
 3. In the **Intune** pane, select **Device configuration > Profiles**, and then select the **Device restrictions** profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
 4. Select **Properties**, select **Settings: Configure**, and then select **Windows Defender Antivirus**.
-5. On the **Cloud-delivered protection** switch, select **Not configured**.
+5. On the **Cloud-delivered protection** switch, select **Enable**.
 6. In the **Prompt users before sample submission** dropdown, select **Send all data without prompting**. 
 7. In the **Submit samples consent** dropdown, select one of the following:
 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md
index 33b7f2e9ab..6173192baf 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
 ms.date: 09/03/2018
 ms.reviewer: 
 manager: dansimp
diff --git a/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md
index a5cbbeb7a7..8285dbdc5e 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
 ms.date: 09/03/2018
 ms.reviewer: 
 manager: dansimp
@@ -26,9 +27,9 @@ manager: dansimp
 
 Limited periodic scanning is a special type of threat detection and remediation that can be enabled when you have installed another antivirus product on a Windows 10 device.
 
-It can only be enabled in certain situations. See [Windows Defender Antivirus compatibility](windows-defender-antivirus-compatibility.md) for more information on when limited periodic scanning can be enabled, and how Windows Defender Antivirus works with other AV products.
+It can only be enabled in certain situations. For more information about limited periodic scanning and how Microsoft Defender Antivirus works with other antivirus products, see [Windows Defender Antivirus compatibility](windows-defender-antivirus-compatibility.md).
 
-**Microsoft does not recommend using this feature in enterprise environments. This is a feature primarily intended for consumers.** This feature only uses a very limited subset of the Windows Defender Antivirus capabilities to detect malware, and will not be able to detect most malware and potentially unwanted software. Also, management and reporting capabilities will be limited. Microsoft recommends enterprises choose their primary antivirus solution and use it exclusively.
+**Microsoft does not recommend using this feature in enterprise environments. This is a feature primarily intended for consumers.** This feature only uses a limited subset of the Windows Defender Antivirus capabilities to detect malware, and will not be able to detect most malware and potentially unwanted software. Also, management and reporting capabilities will be limited. Microsoft recommends enterprises choose their primary antivirus solution and use it exclusively.
 
 ## How to enable limited periodic scanning
 
@@ -42,15 +43,15 @@ If another antivirus product is installed and working correctly, Windows Defende
 
 ![Windows Security app showing ContosoAV as the installed and running antivirus provider. There is a single link to open ContosoAV settings.](images/vtp-3ps.png)
 
-Underneath any 3rd party AV products, a new link will appear as **Windows Defender Antivirus options**. Clicking this link will expand to show the toggle that enables limited periodic scanning. 
+Underneath any third party AV products, a new link will appear as **Windows Defender Antivirus options**. Clicking this link will expand to show the toggle that enables limited periodic scanning. 
 
 ![The limited periodic option is a toggle to enable or disable **periodic scanning**](images/vtp-3ps-lps.png)
 
-Sliding the swtich to **On** will show the standard Windows Defender AV options underneath the 3rd party AV product. The limited periodic scanning option will appear at the bottom of the page.
+Sliding the switch to **On** will show the standard Windows Defender AV options underneath the third party AV product. The limited periodic scanning option will appear at the bottom of the page.
 
 ![When enabled, periodic scanning shows the normal Windows Defender Antivirus options](images/vtp-3ps-lps-on.png)
 
-## Related topics
+## Related articles
 
 - [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md)
 - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md
index 805f9c697f..c238f05823 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
 ms.date: 09/03/2018
 ms.reviewer: 
 manager: dansimp
@@ -28,7 +29,7 @@ Windows Defender Antivirus allows you to determine if updates should (or should
 
 You can use System Center Configuration Manager, Group Policy, PowerShell cmdlets, and WMI to force Windows Defender Antivirus to check and download protection updates before running a scheduled scan.
 
-**Use Configuration Manager to check for protection updates before running a scan:**
+### Use Configuration Manager to check for protection updates before running a scan
 
 1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
 
@@ -36,23 +37,23 @@ You can use System Center Configuration Manager, Group Policy, PowerShell cmdlet
 
 3. Click **OK**.
 
-4.[Deploy the updated policy as usual](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers).
+4. [Deploy the updated policy as usual](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers).
 
-**Use Group Policy to check for protection updates before running a scan:**
+### Use Group Policy to check for protection updates before running a scan
 
-1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**.
 
-2. In the **Group Policy Management Editor** go to **Computer configuration**.
+2. Using the **Group Policy Management Editor** go to **Computer configuration**.
 
 3. Click **Policies** then **Administrative templates**.
 
-4. Expand the tree to **Windows components > Windows Defender Antivirus > Scan**.
+4. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Scan**.
 
 5. Double-click **Check for the latest virus and spyware definitions before running a scheduled scan** and set the option to **Enabled**.
 
 6. Click **OK**.
 
-**Use PowerShell cmdlets to check for protection updates before running a scan:**
+### Use PowerShell cmdlets to check for protection updates before running a scan
 
 Use the following cmdlets:
 
@@ -60,9 +61,9 @@ Use the following cmdlets:
 Set-MpPreference -CheckForSignaturesBeforeRunningScan
 ```
 
-See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md)  and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
+For more information, see [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender/index).
 
-**Use Windows Management Instruction (WMI) to check for protection updates before running a scan**
+### Use Windows Management Instruction (WMI) to check for protection updates before running a scan
 
 Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
 
@@ -70,20 +71,19 @@ Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com
 CheckForSignaturesBeforeRunningScan
 ```
 
-See the following for more information:
-- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx)
+For more information, see [Windows Defender WMIv2 APIs](https://docs.microsoft.com/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal).
 
 ## Check for protection updates on startup
 
 You can use Group Policy to force Windows Defender Antivirus to check and download protection updates when the machine is started.
 
-1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management computer, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**.
 
-2. In the **Group Policy Management Editor** go to **Computer configuration**.
+2. Using the **Group Policy Management Editor** go to **Computer configuration**.
 
 3. Click **Policies** then **Administrative templates**.
 
-4. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates**.
+4. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Signature Updates**.
 
 5. Double-click **Check for the latest virus and spyware definitions on startup** and set the option to **Enabled**. 
 
@@ -91,21 +91,21 @@ You can use Group Policy to force Windows Defender Antivirus to check and downlo
 
 You can also use Group Policy, PowerShell, or WMI to configure Windows Defender Antivirus to check for updates at startup even when it is not running.
 
-**Use Group Policy to download updates when Windows Defender Antivirus is not present:**
+### Use Group Policy to download updates when Windows Defender Antivirus is not present
 
-1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**.
 
-2. In the **Group Policy Management Editor** go to **Computer configuration**.
+2. Using the **Group Policy Management Editor**, go to **Computer configuration**.
 
 3. Click **Policies** then **Administrative templates**.
 
-4. Expand the tree to **Windows components > Windows Defender Antivirus > Security Intelligence Updates**.
+4. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Security Intelligence Updates**.
 
 5. Double-click **Initiate security intelligence update on startup** and set the option to **Enabled**.
 
 6. Click **OK**.
 
-**Use PowerShell cmdlets to download updates when Windows Defender Antivirus is not present:**
+### Use PowerShell cmdlets to download updates when Windows Defender Antivirus is not present
 
 Use the following cmdlets:
 
@@ -113,43 +113,44 @@ Use the following cmdlets:
 Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine
 ```
 
-See [Use PowerShell cmdlets to manage Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md)  and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
+For more information, see [Use PowerShell cmdlets to manage Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
 
-**Use Windows Management Instruction (WMI) to download updates when Windows Defender Antivirus is not present:**
+### Use Windows Management Instruction (WMI) to download updates when Windows Defender Antivirus is not present
 
-Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
+Use the [**Set** method of the **MSFT_MpPreference**](https://docs.microsoft.com/previous-versions/windows/desktop/legacy/dn455323(v=vs.85)) class for the following properties:
 
 ```WMI
 SignatureDisableUpdateOnStartupWithoutEngine
 ```
 
-See the following for more information:
-- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx)
+For more information, see [Windows Defender WMIv2 APIs](https://docs.microsoft.com/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal).
 
 
 
 ## Allow ad hoc changes to protection based on cloud-delivered protection
 
-Windows Defender AV can make changes to its protection based on cloud-delivered protection. This can occur outside of normal or scheduled protection updates.
+Windows Defender AV can make changes to its protection based on cloud-delivered protection. Such changes can occur outside of normal or scheduled protection updates.
 
 If you have enabled cloud-delivered protection, Windows Defender AV will send files it is suspicious about to the Windows Defender cloud. If the cloud service reports that the file is malicious, and the file is detected in a recent protection update, you can use Group Policy to configure Windows Defender AV to automatically receive that protection update. Other important protection updates can also be applied.
 
-**Use Group Policy to automatically download recent updates based on cloud-delivered protection:**
+### Use Group Policy to automatically download recent updates based on cloud-delivered protection
 
-1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**.
 
-2. In the **Group Policy Management Editor** go to **Computer configuration**.
+2. Using the **Group Policy Management Editor** go to **Computer configuration**.
 
 3. Click **Policies** then **Administrative templates**.
 
-4. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates** and configure the following:
-    1. Double-click **Allow real-time security intelligence updates based on reports to Microsoft MAPS** and set the option to **Enabled**. Click **OK**.
-    2. Double-click **Allow notifications to disable definitions based reports to Microsoft MAPS** and set the option to **Enabled**. Click **OK**.
+4. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Signature Updates**.
+
+5. Double-click **Allow real-time security intelligence updates based on reports to Microsoft MAPS** and set the option to **Enabled**. Then click **OK**.
+
+6. **Allow notifications to disable definitions-based reports to Microsoft MAPS** and set the option to **Enabled**. Then click **OK**.
     
 > [!NOTE]
 > "Allow notifications to disable definitions based reports" enables Microsoft MAPS to disable those definitions known to cause false-positive reports. You must configure your computer to join Microsoft MAPS for this function to work.
 
-## Related topics
+## Related articles
 
 - [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
 - [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md
index ca75fa1e6f..fabe399119 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
 ms.date: 09/03/2018
 ms.reviewer: 
 manager: dansimp
@@ -32,7 +33,7 @@ When the user returns to work and logs on to their PC, Windows Defender Antiviru
 
 If Windows Defender Antivirus did not download protection updates for a specified period, you can set it up to automatically check and download the latest update at the next log on. This is useful if you have [globally disabled automatic update downloads on startup](manage-event-based-updates-windows-defender-antivirus.md).
 
-**Use Configuration Manager to configure catch-up protection updates:**
+### Use Configuration Manager to configure catch-up protection updates
 
 1.  On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
 
@@ -45,7 +46,7 @@ If Windows Defender Antivirus did not download protection updates for a specifie
 
 4.	[Deploy the updated policy as usual](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers).
 
-**Use Group Policy to enable and configure the catch-up update feature:**
+### Use Group Policy to enable and configure the catch-up update feature
 
 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
 
@@ -59,7 +60,7 @@ If Windows Defender Antivirus did not download protection updates for a specifie
 
 6. Click **OK**.
 
-**Use PowerShell cmdlets to configure catch-up protection updates:**
+### Use PowerShell cmdlets to configure catch-up protection updates
 
 Use the following cmdlets:
 
@@ -69,7 +70,7 @@ Set-MpPreference -SignatureUpdateCatchupInterval
 
 See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md)  and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
 
-**Use Windows Management Instruction (WMI) to configure catch-up protection updates:**
+### Use Windows Management Instruction (WMI) to configure catch-up protection updates
 
 Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
 
@@ -81,13 +82,11 @@ See the following for more information and allowed parameters:
 - [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx)
 
 
-
-
 ## Set the number of days before protection is reported as out-of-date
 
 You can also specify the number of days after which Windows Defender Antivirus protection is considered old or out-of-date. After the specified number of days, the client will report itself as out-of-date, and show an error to the user of the PC. It may also cause Windows Defender Antivirus to attempt to download an update from other sources (based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order)), such as when using MMPC as a secondary source after setting WSUS or Microsoft Update as the first source.
 
-**Use Group Policy to specify the number of days before protection is considered out-of-date:**
+### Use Group Policy to specify the number of days before protection is considered out-of-date
 
 1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
 
@@ -106,8 +105,6 @@ You can also specify the number of days after which Windows Defender Antivirus p
     4. Click **OK**.
 
 
-
-
 ## Set up catch-up scans for endpoints that have not been scanned for a while
 
 You can set the number of consecutive scheduled scans that can be missed before Windows Defender Antivirus will force a scan.
@@ -120,7 +117,7 @@ The process for enabling this feature is:
 
 This feature can be enabled for both full and quick scans.
 
-**Use Group Policy to enable and configure the catch-up scan feature:**
+### Use Group Policy to enable and configure the catch-up scan feature
 
 1.  Ensure you have set up at least one scheduled scan.
 
@@ -140,7 +137,7 @@ This feature can be enabled for both full and quick scans.
 > [!NOTE]
 > The Group Policy setting title refers to the number of days. The setting, however, is applied to the number of scans (not days) before the catch-up scan will be run.
 
-**Use PowerShell cmdlets to configure catch-up scans:**
+### Use PowerShell cmdlets to configure catch-up scans
 
 Use the following cmdlets:
 
@@ -152,7 +149,7 @@ Set-MpPreference -DisableCatchupQuickScan
 
 See [Use PowerShell cmdlets to manage Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md)  and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
 
-**Use Windows Management Instruction (WMI) to configure catch-up scans:**
+### Use Windows Management Instruction (WMI) to configure catch-up scans
 
 Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
 
@@ -165,7 +162,7 @@ See the following for more information and allowed parameters:
 - [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx)
 
 
-**Use Configuration Manager to configure catch-up scans:**
+### Use Configuration Manager to configure catch-up scans
 
 1.  On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
 
@@ -175,8 +172,7 @@ See the following for more information and allowed parameters:
 
 4.	[Deploy the updated policy as usual](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers).
 
-
-## Related topics
+## Related articles
 
 - [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
 - [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md
index 146b92de6f..0185b12a58 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md
@@ -10,8 +10,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
 ms.date: 09/03/2018
 ms.reviewer: 
 manager: dansimp
@@ -33,7 +34,7 @@ You can schedule updates for your endpoints by:
 
 You can also randomize the times when each endpoint checks and downloads protection updates. See the [Schedule scans](scheduled-catch-up-scans-windows-defender-antivirus.md) topic for more information.
 
-**Use Configuration Manager to schedule protection updates:**
+## Use Configuration Manager to schedule protection updates
 
 1.  On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
 
@@ -47,7 +48,7 @@ You can also randomize the times when each endpoint checks and downloads protect
 
 5.	[Deploy the updated policy as usual](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers).
 
-**Use Group Policy to schedule protection updates:**
+## Use Group Policy to schedule protection updates
 
 > [!IMPORTANT]
 > By default, Windows Defender Antivirus will check for an update 15 minutes before the time of any scheduled scans. Enabling these settings will override that default.
@@ -65,8 +66,7 @@ You can also randomize the times when each endpoint checks and downloads protect
     3. Double-click the **Specify the time to check for security intelligence updates** setting and set the option to **Enabled**. Enter the time when updates should be checked. The time is based on the local time of the endpoint. Click **OK**.
 
 
-
-**Use PowerShell cmdlets to schedule protection updates:**
+## Use PowerShell cmdlets to schedule protection updates
 
 Use the following cmdlets:
 
@@ -78,7 +78,7 @@ Set-MpPreference -SignatureUpdateInterval
 
 See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md)  and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
 
-**Use Windows Management Instruction (WMI) to schedule protection updates:**
+## Use Windows Management Instruction (WMI) to schedule protection updates
 
 Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
 
@@ -92,7 +92,7 @@ See the following for more information and allowed parameters:
 - [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx)
 
 
-## Related topics
+## Related articles
 
 - [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
 - [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
index e5efd9c691..775068abed 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
 ms.date: 09/03/2018
 ms.reviewer: 
 manager: dansimp
@@ -24,6 +25,7 @@ manager: dansimp
 
 There are two types of updates related to keeping Windows Defender Antivirus up to date:
 1. Protection updates
+
 2. Product updates
 
 You can also apply [Windows security baselines](https://technet.microsoft.com/itpro/windows/keep-secure/windows-security-baselines) to quickly bring your endpoints up to a uniform level of protection.
@@ -34,7 +36,6 @@ Windows Defender Antivirus uses both [cloud-delivered protection](utilize-micros
 
 The cloud-delivered protection is always on and requires an active connection to the Internet to function, while the protection updates generally occur once a day (although this can be configured). See the [Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) topic for more details about enabling and configuring cloud-provided protection. 
 
-
 ## Product updates
 
 Windows Defender Antivirus requires [monthly updates](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform) (known as "engine updates" and "platform updates"), and will receive major feature updates alongside Windows 10 releases.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md
index 179c55aac4..94b9e04752 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
 ms.date: 09/03/2018
 ms.reviewer: 
 manager: dansimp
@@ -46,7 +47,7 @@ You can opt-in to Microsoft Update on the mobile device in one of the following
 2. Use a VBScript to create a script, then run it on each computer in your network.
 3. Manually opt-in every computer on your network through the **Settings** menu.
 
-**Use Group Policy to opt-in to Microsoft Update:**
+### Use Group Policy to opt-in to Microsoft Update
 
 1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
 
@@ -54,18 +55,17 @@ You can opt-in to Microsoft Update on the mobile device in one of the following
 
 4.  Click **Policies** then **Administrative templates**.
 
-5.  Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates**.
+5.  Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Signature Updates**.
 
 6.  Double-click the **Allow security intelligence updates from Microsoft Update** setting and set the option to **Enabled**. Click **OK**.
 
 
-**Use a VBScript to opt-in to Microsoft Update**
+### Use a VBScript to opt-in to Microsoft Update
 
 1.  Use the instructions in the MSDN article [Opt-In to Microsoft Update](https://msdn.microsoft.com/library/windows/desktop/aa826676.aspx) to create the VBScript.
 2.  Run the VBScript you created on each computer in your network.
 
-
-**Manually opt-in to Microsoft Update**
+### Manually opt-in to Microsoft Update
 
 1.  Open **Windows Update** in **Update & security** settings on the computer you want to opt-in.
 2.  Click **Advanced** options.
@@ -75,7 +75,7 @@ You can opt-in to Microsoft Update on the mobile device in one of the following
 
 You can configure Windows Defender Antivirus to only download protection updates when the PC is connected to a wired power source. 
 
-**Use Group Policy to prevent security intelligence updates on battery power:**
+### Use Group Policy to prevent security intelligence updates on battery power
 
 1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
 
@@ -89,10 +89,7 @@ You can configure Windows Defender Antivirus to only download protection updates
     2. Click **OK**. This will prevent protection updates from downloading when the PC is on battery power.
 
 
-
-
-
-## Related topics
+## Related articles
 
 - [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
 - [Update and manage Windows Defender Antivirus in Windows 10](deploy-manage-report-windows-defender-antivirus.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
index acfa9717f3..817ec8cbb1 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
@@ -14,6 +14,7 @@ ms.localizationpriority: medium
 audience: ITPro
 author: denisebmsft
 ms.author: deniseb
+ms.custom: nextgen
 ---
 
 # Protect security settings with Tamper Protection
@@ -123,6 +124,19 @@ If you are an organization using [Microsoft Defender ATP E5](https://www.microso
 
 Your regular group policy doesn’t apply to Tamper Protection, and changes to Windows Defender Antivirus settings will be ignored when Tamper Protection is on.
 
+
+>[!NOTE]
+>A small delay in Group Policy (GPO) processing may occur if Group Policy settings include values that control Windows Defender Antivirus features protected by Tamper Protection. 
+To avoid any potential delays, it is recommended to remove settings that control Windows Defender Antivirus related behavior from GPO and simply allow Tamper Protection to protect Windows Defender Antivirus settings. 

      
+> Sample Windows Defender Antivirus settings:
      
+> Turn off Windows Defender Antivirus 
      
+> Computer Configuration\Administrative Templates\Windows Components\Windows Defender\
+Value DisableAntiSpyware = 0 

      
+>Turn off real-time protection
      
+Computer Configuration\Administrative Templates\Windows Components\Windows Defender Antivirus\Real-time Protection\
+Value DisableRealtimeMonitoring = 0
+
+
 ### For Microsoft Defender ATP E5, is configuring Tamper Protection in Intune targeted to the entire organization only?
 
 Configuring Tamper Protection in Intune can be targeted to your entire organization as well as to devices and user groups with Intune.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md
index 583e4365b4..8f6ebb3c64 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
 ms.date: 09/03/2018
 ms.reviewer: 
 manager: dansimp
@@ -34,52 +35,49 @@ With the setting set to **Enabled**:
 
 With the setting set to **Disabled** or not configured:
 
-![Scheenshot of Windows Security showing the shield icon and virus and threat protection section](images/defender/wdav-headless-mode-off-1703.png)
+![Screenshot of Windows Security showing the shield icon and virus and threat protection section](images/defender/wdav-headless-mode-off-1703.png)
 
 >[!NOTE]
->Hiding the interface will also prevent Windows Defender Antivirus notifications from appearing on the endpoint. Microsoft Defender Advanced Threat Protection notifications will still appear. You can also individually [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
+>Hiding the interface will also prevent Windows Defender Antivirus notifications from appearing on the endpoint. Microsoft Defender Advanced Threat Protection notifications will still appear. You can also individually [configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
 
+In earlier versions of Windows 10, the setting will hide the Windows Defender client interface. If the user attempts to open it, they will receive a warning that says, "Your system administrator has restricted access to this app."
 
-In earlier versions of Windows 10, the setting will hide the Windows Defender client interface. If the user attempts to open it, they will receive a warning "Your system administrator has restricted access to this app.":
+![Warning message when headless mode is enabled in Windows 10, versions earlier than 1703](images/defender/wdav-headless-mode-1607.png)
 
-![Warning message when headless mode is enabled in Windows 10, versions earlier than 1703 that says Your system administrator has restricted access to this app](images/defender/wdav-headless-mode-1607.png)
+## Use Group Policy to hide the Windows Defender AV interface from users
 
-**Use Group Policy to hide the Windows Defender AV interface from users:**
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**.
 
-1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+2. Using the **Group Policy Management Editor** go to **Computer configuration**.
 
-3.  In the **Group Policy Management Editor** go to **Computer configuration**.
+3. Click **Administrative templates**.
 
-4.  Click **Administrative templates**.
+4. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**.
 
-5.  Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**.
+5. Double-click the **Enable headless UI mode** setting and set the option to **Enabled**. Click **OK**. 
 
-6. Double-click the **Enable headless UI mode** setting and set the option to **Enabled**. Click **OK**. 
-
-
-Also see the [Prevent users from locally modifying policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) topic for more options on preventing users form modifying protection on their PCs.
+See [Prevent users from locally modifying policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) for more options on preventing users form modifying protection on their PCs.
 
 ## Prevent users from pausing a scan
 
-You can prevent users from pausing scans. This can be helpful to ensure scheduled or on-demand scans are not interrupted by users.
+You can prevent users from pausing scans, which can be helpful to ensure scheduled or on-demand scans are not interrupted by users.
 
+### Use Group Policy to prevent users from pausing a scan
 
-**Use Group Policy to prevent users from pausing a scan:**
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**.
 
-1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+2. Using the **Group Policy Management Editor** go to **Computer configuration**.
 
-3.  In the **Group Policy Management Editor** go to **Computer configuration**.
+3. Click **Administrative templates**.
 
-4.  Click **Administrative templates**.
+4. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Scan**.
 
-5.  Expand the tree to **Windows components > Windows Defender Antivirus > Scan**.
-
-6. Double-click the **Allow users to pause scan** setting and set the option to **Disabled**. Click **OK**. 
-
-
-## Related topics
+5. Double-click the **Allow users to pause scan** setting and set the option to **Disabled**. Click **OK**. 
 
+## Related articles
 
 - [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
+
 - [Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-windows-defender-antivirus.md)
+
 - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md
index 41a8f3094f..16f606bbae 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md
@@ -1,6 +1,6 @@
 ---
 title: Monitor and report on Windows Defender Antivirus protection
-description: Use Configuration Manager or SIEM tools to consume reports, and monitor Windows Defender AV with PowerShell and WMI.
+description: Use Configuration Manager or security information and event management (SIEM) tools to consume reports, and monitor Windows Defender AV with PowerShell and WMI.
 keywords: siem, monitor, report, windows defender av
 search.product: eADQiWindows 10XVcnh
 ms.pagetype: security
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
 ms.date: 09/03/2018
 ms.reviewer: 
 manager: dansimp
@@ -22,24 +23,22 @@ manager: dansimp
 
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-There are a number of ways you can review protection status and alerts, depending on the management tool you are using for Windows Defender Antivirus.
-
-You can use System Center Configuration Manager to [monitor Windows Defender Antivirus](https://docs.microsoft.com/sccm/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-configure-alerts), or you can also monitor protection using [Microsoft Intune](https://docs.microsoft.com/intune/introduction-intune).  
+With Windows Defender Antivirus, you have several options for reviewing protection status and alerts. You can use System Center Configuration Manager to [monitor Windows Defender Antivirus](https://docs.microsoft.com/sccm/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-configure-alerts). Or, you can monitor protection using [Microsoft Intune](https://docs.microsoft.com/intune/introduction-intune).  
 
 Microsoft Operations Management Suite has an [Update Compliance add-in](/windows/deployment/update/update-compliance-get-started) that reports on key Windows Defender Antivirus issues, including protection updates and real-time protection settings.
 
+If you have a third-party security information and event management (SIEM) server, you can also consume [Windows Defender client events](https://msdn.microsoft.com/library/windows/desktop/aa964766(v=vs.85).aspx). 
 
-If you have a third-party security information and event management (SIEM) tool, you can also consume [Windows Defender client events](https://msdn.microsoft.com/library/windows/desktop/aa964766(v=vs.85).aspx). 
+Windows events comprise several security event sources, including Security Account Manager (SAM) events ([enhanced for Windows 10](https://technet.microsoft.com/library/mt431757.aspx), also see the [Security auditing](/windows/device-security/auditing/security-auditing-overview) topic) and  [Windows Defender events](troubleshoot-windows-defender-antivirus.md). 
 
-Windows events comprise several security event sources, including Security Account Manager (SAM) events ([enhanced for Windows 10](https://technet.microsoft.com/library/mt431757.aspx), also see the [Security audting](/windows/device-security/auditing/security-auditing-overview) topic) and  [Windows Defender events](troubleshoot-windows-defender-antivirus.md). 
-
-These events can be centrally aggregated using the [Windows event collector](https://msdn.microsoft.com/library/windows/desktop/bb427443(v=vs.85).aspx). It is common practice for SIEMs to have connectors for Windows events. This technique allows for correlation of all security events from the machine in the SIEM. 
+These events can be centrally aggregated using the [Windows event collector](https://msdn.microsoft.com/library/windows/desktop/bb427443(v=vs.85).aspx). Often, SIEM servers have connectors for Windows events, allowing you to correlate all security events in your SIEM server. 
 
 You can also [monitor malware events using the Malware Assessment solution in Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-malware).
 
 For monitoring or determining status with PowerShell, WMI, or Microsoft Azure, see the [(Deployment, management, and reporting options table)](deploy-manage-report-windows-defender-antivirus.md#ref2).
 
-## Related topics
+## Related articles
 
 - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+
 - [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md
index 68c4accc82..f99aa7584f 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
 ms.date: 11/16/2018
 ms.reviewer: 
 manager: dansimp
@@ -32,7 +33,7 @@ If Windows Defender Antivirus is configured to detect and remediate threats on y
 > [!NOTE]
 > You can also use the dedicated command-line tool [mpcmdrun.exe](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus) to restore quarantined files in Windows Defender AV.
 
-## Related topics
+## Related articles
 
 - [Configure remediation for scans](configure-remediation-windows-defender-antivirus.md)
 - [Review scan results](review-scan-results-windows-defender-antivirus.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md
index 1c07b37c51..78fed4d5d4 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
 ms.date: 09/03/2018
 ms.reviewer: 
 manager: dansimp
@@ -25,18 +26,17 @@ manager: dansimp
 After an Windows Defender Antivirus scan completes, whether it is an [on-demand](run-scan-windows-defender-antivirus.md) or [scheduled scan](scheduled-catch-up-scans-windows-defender-antivirus.md), the results are recorded and you can view the results. 
 
 
-**Use Microsoft Intune to review scan results:**
+## Use Microsoft Intune to review scan results
 
 1. In Intune, go to **Devices > All Devices** and select the device you want to scan.
 
 2. Click the scan results in **Device actions status**.
 
-**Use Configuration Manager to review scan results:**
+## Use Configuration Manager to review scan results
 
 See [How to monitor Endpoint Protection status](https://docs.microsoft.com/sccm/protect/deploy-use/monitor-endpoint-protection).
 
-
-**Use the Windows Security app to review scan results:**
+## Use the Windows Security app to review scan results
 
 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
 
@@ -45,10 +45,7 @@ See [How to monitor Endpoint Protection status](https://docs.microsoft.com/sccm/
     - Click **See full history** for any of the sections to see previous detections and the action taken. You can also clear the list.
     - Information about the last scan is displayed at the bottom of the page.
 
-
-
-
-**Use PowerShell cmdlets to review scan results:**
+## Use PowerShell cmdlets to review scan results
 
 The following cmdlet will return each detection on the endpoint. If there are multiple detections of the same threat, each detection will be listed separately, based on the time of each detection:
 
@@ -70,15 +67,12 @@ Get-MpThreat
 
 See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
 
-**Use Windows Management Instruction (WMI) to review scan results:**
+## Use Windows Management Instruction (WMI) to review scan results
 
 Use the [**Get** method of the **MSFT_MpThreat** and **MSFT_MpThreatDetection**](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) classes.
 
 
-
-
-
-## Related topics
+## Related articles
 
 - [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
 - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md
index 4c62952e60..66db88455e 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
 ms.date: 09/03/2018
 ms.reviewer: 
 manager: dansimp
@@ -38,49 +39,40 @@ A full scan can be useful on endpoints that have encountered a malware threat to
 >[!NOTE]
 >By default, quick scans run on mounted removable devices, such as USB drives.
 
-**Use Configuration Manager to run a scan:**
+## Use Configuration Manager to run a scan
 
 See [Antimalware and firewall tasks: How to perform an on-demand scan](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-firewall#how-to-perform-an-on-demand-scan-of-computers) for details on using System Center Configuration Manager (current branch) to run a scan.
 
-**Use the mpcmdrun.exe command-line utility to run a scan:**
+## Use the mpcmdrun.exe command-line utility to run a scan
 
 Use the following `-scan` parameter:
 
 ```DOS
 mpcmdrun.exe -scan -scantype 1
 ```
-
-
-
 See [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender Antivirus](command-line-arguments-windows-defender-antivirus.md) for more information on how to use the tool and additional parameters, including starting a full scan or defining paths.
 
-
-
-**Use Microsoft Intune to run a scan:**
+## Use Microsoft Intune to run a scan
 
 1. In Intune, go to **Devices > All Devices** and select the device you want to scan.
 
 2. Select **...More** and then select **Quick Scan** or **Full Scan**.
 
 
-**Use the Windows Security app to run a scan:**
+## Use the Windows Security app to run a scan
 
 See [Run a scan in the Windows Security app](windows-defender-security-center-antivirus.md#scan) for instructions on running a scan on individual endpoints.
 
-
-
-**Use PowerShell cmdlets to run a scan:**
+## Use PowerShell cmdlets to run a scan
 
 Use the following cmdlet:
 
 ```PowerShell
 Start-MpScan
 ```
-
-
 See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
 
-**Use Windows Management Instruction (WMI) to run a scan:**
+## Use Windows Management Instruction (WMI) to run a scan
 
 Use the [**Start** method of the **MSFT_MpScan**](https://msdn.microsoft.com/library/dn455324(v=vs.85).aspx#methods) class.
 
@@ -88,8 +80,7 @@ See the following for more information and allowed parameters:
 - [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx)
 
 
-## Related topics
-
+## Related articles
 
 - [Configure Windows Defender Antivirus scanning options](configure-advanced-scan-types-windows-defender-antivirus.md)
 - [Configure scheduled Windows Defender Antivirus scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md
index bf6852066d..e49771c6ae 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
 ms.date: 12/10/2018
 ms.reviewer: 
 manager: dansimp
diff --git a/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md
index f8a9335f5f..e6b6bf10d0 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md
@@ -9,11 +9,12 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
 ms.date: 09/03/2018
 ms.reviewer: 
 manager: dansimp
+ms.custom: nextgen
 ---
 
 # Specify the cloud-delivered protection level
@@ -27,9 +28,7 @@ You can specify the level of cloud-protection offered by Windows Defender Antivi
 >[!NOTE]
 >The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates.
 
-
-
-**Use Intune to specify the level of cloud-delivered protection:**
+## Use Intune to specify the level of cloud-delivered protection
 
 1. Sign in to the [Azure portal](https://portal.azure.com).
 2. Select **All services > Intune**.
@@ -46,13 +45,15 @@ You can specify the level of cloud-protection offered by Windows Defender Antivi
 For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles)
   
 
-**Use Configuration Manager to specify the level of cloud-delivered protection:**
+## Use Configuration Manager to specify the level of cloud-delivered protection
 
-1.  See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring System Center Configuration Manager (current branch).
+See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring System Center Configuration Manager (current branch).
 
-**Use Group Policy to specify the level of cloud-delivered protection:**
+## Use Group Policy to specify the level of cloud-delivered protection
 
-1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx).
+
+2. Right-click the Group Policy Object you want to configure, and then click **Edit**.
 
 3.  In the **Group Policy Management Editor** go to **Computer configuration**. 
 
@@ -60,20 +61,19 @@ For more information about Intune device profiles, including how to create and c
 
 5.  Expand the tree to **Windows components > Windows Defender Antivirus > MpEngine**.
 
-1.  Double-click the **Select cloud protection level** setting and set it to **Enabled**. Select the level of protection:  
-    1.  **Default Windows Defender Antivirus blocking level** provides strong detection without increasing the risk of detecting legitimate files.  
-    2.  **High blocking level** applies a strong level of detection while optimizing client performance (greater chance of false positives).
-    3. **High + blocking level** applies additional protection measures (may impact client performance and increase risk of false positives).
-    4. **Zero tolerance blocking level** blocks all unknown executables.
+6.  Double-click the **Select cloud protection level** setting and set it to **Enabled**. Select the level of protection:
+    - **Default Windows Defender Antivirus blocking level** provides strong detection without increasing the risk of detecting legitimate files.
+    - **High blocking level** applies a strong level of detection while optimizing client performance (greater chance of false positives).
+    - **High + blocking level** applies additional protection measures (may impact client performance and increase risk of false positives).
+    - **Zero tolerance blocking level** blocks all unknown executables.
+    
+    > [!WARNING]
+    > While unlikely, setting this switch to **High** or **High +** may cause some legitimate files to be detected (although you will have the option to unblock or dispute that detection).
 
-        > [!WARNING]
-        > While unlikely, setting this switch to **High** or **High +** may cause some legitimate files to be detected (although you will have the option to unblock or dispute that detection).
-6. Click **OK**.
+7. Click **OK**.
 
   
-
-
-## Related topics
+## Related articles
 
 - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
 - [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md
index 787e3d4728..d123f26a35 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
 ms.reviewer: 
 manager: dansimp
 ---
@@ -34,7 +35,7 @@ For common error codes and event IDs related to the Windows Defender Antivirus s
 
 There are three steps to troubleshooting these problems:
 
-1. Confirm that you have met all pre-requisites
+1. Confirm that you have met all prerequisites
 2. Check your connectivity to the Windows Defender cloud-based service
 3. Submit support logs
 
@@ -42,9 +43,9 @@ There are three steps to troubleshooting these problems:
 >It typically takes 3 days for devices to start appearing in Update Compliance.
 
 
-## Confirm pre-requisites
+## Confirm prerequisites
 
-In order for devices to properly show up in Update Compliance, you have to meet certain pre-requisites for both the Update Compliance service and for Windows Defender Antivirus:
+In order for devices to properly show up in Update Compliance, you have to meet certain prerequisites for both the Update Compliance service and for Windows Defender Antivirus:
 
 >[!div class="checklist"]
 >- Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](windows-defender-antivirus-compatibility.md) and the endpoint will not be reported in Update Compliance.
@@ -55,7 +56,7 @@ In order for devices to properly show up in Update Compliance, you have to meet
 
 “You can use Windows Defender Antivirus with Update Compliance. You’ll see status for E3, B, F1, VL, and Pro licenses. However, for E5 licenses, you need to use the Microsoft Defender ATP portal (https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). To learn more about licensing options, see Windows 10 product licensing options"
 
-If the above pre-requisites have all been met, you might need to proceed to the next step to collect diagnostic information and send it to us.
+If the above prerequisites have all been met, you might need to proceed to the next step to collect diagnostic information and send it to us.
 
 > [!div class="nextstepaction"]
 > [Collect diagnostic data for Update Compliance troubleshooting](collect-diagnostic-data-update-compliance.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md
index a371aaca96..8b02e56f61 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
 ms.date: 09/11/2018
 ms.reviewer: 
 manager: dansimp
@@ -46,7 +47,7 @@ You can directly view the event log, or if you have a third-party security infor
 
 The table in this section lists the main Windows Defender Antivirus event IDs and, where possible, provides suggested solutions to fix or resolve the error. 
 
-**To view a Windows Defender Antivirus event**
+## To view a Windows Defender Antivirus event
 
 1.  Open **Event Viewer**.
 2.  In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender Antivirus**.
@@ -54,9 +55,6 @@ The table in this section lists the main Windows Defender Antivirus event IDs an
 4.  In the details pane, view the list of individual events to find your event.
 5.  Click the event to see specific details about an event in the lower pane, under the **General** and **Details** tabs.
 
-
-
-
 
@@ -361,7 +359,7 @@ Message:
 Description:
 
@@ -760,7 +758,7 @@ Description:
 
@@ -2452,7 +2450,7 @@ Message:
 Description:
 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md
index b7114cd1fd..84d8ca6968 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
 ms.date: 09/03/2018
 ms.reviewer: 
 manager: dansimp
@@ -26,22 +27,21 @@ You can use [Group Policy](https://msdn.microsoft.com/library/ee663280(v=vs.85).
 
 In general, you can use the following procedure to configure or change Windows Defender Antivirus group policy settings:
 
-1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
 
-3.  In the **Group Policy Management Editor** go to **Computer configuration**.
+2. Using the **Group Policy Management Editor** go to **Computer configuration**.
 
-4.  Click **Administrative templates**.
+3. Click **Administrative templates**.
 
-5.  Expand the tree to **Windows components > Windows Defender Antivirus**.
+4. Expand the tree to **Windows components** > **Windows Defender Antivirus**.
 
-6. Expand the section (referred to as **Location** in the table in this topic) that contains the setting you want to configure, double-click the setting to open it, and make configuration changes.
+5. Expand the section (referred to as **Location** in the table in this topic) that contains the setting you want to configure, double-click the setting to open it, and make configuration changes.
 
-7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx). 
+6. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx). 
 
 The following table in this topic lists the Group Policy settings available in Windows 10, version 1703, and provides links to the appropriate topic in this documentation library (where applicable).
 
-
-Location | Setting | Documented in topic
+Location | Setting | Article
 ---|---|---
 Client interface | Enable headless UI mode | [Prevent users from seeing or interacting with the Windows Defender Antivirus user interface](prevent-end-user-interaction-windows-defender-antivirus.md)
 Client interface | Display additional text to clients when they need to perform an action | [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
@@ -88,10 +88,10 @@ Reporting | Configure time out for detections requiring additional action | Not
 Reporting | Turn off enhanced notifications | [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
 Root | Turn off Windows Defender Antivirus | Not used (This setting must be set to **Not configured** to ensure any installed third-party antivirus apps work correctly)
 Root | Define addresses to bypass proxy server | Not used
-Root | Define proxy auto-config (.pac) for connecting to the network | Not used
+Root | Define proxy autoconfig (.pac) for connecting to the network | Not used
 Root | Define proxy server for connecting to the network | Not used
 Root | Configure local administrator merge behavior for lists | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
-Root | Allow antimalware service to startup with normal priority | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md)
+Root | Allow antimalware service to start up with normal priority | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md)
 Root | Allow antimalware service to remain running always | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md)
 Root | Turn off routine remediation | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md)
 Root | Randomize scheduled task times | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md)
@@ -126,7 +126,7 @@ Scan | Specify the time of day to run a scheduled scan | [Configure scheduled sc
 Scan | Start the scheduled scan only when computer is on but not in use | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md)
 Security intelligence updates | Allow security intelligence updates from Microsoft Update | [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
 Security intelligence updates | Allow security intelligence updates when running on battery power | [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
-Security intelligence updates | Allow notifications to disable definitions based repots to Microsoft MAPS | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
+Security intelligence updates | Allow notifications to disable definitions-based reports to Microsoft MAPS | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
 Security intelligence updates | Allow real-time security intelligence updates based on reports to Microsoft MAPS | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
 Security intelligence updates | Check for the latest virus and spyware definitions on startup | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
 Security intelligence updates | Define file shares for downloading security intelligence updates | [Manage Windows Defender Antivirus protection and security intelligence updates](manage-protection-updates-windows-defender-antivirus.md)
@@ -143,12 +143,8 @@ Threats | Specify threat alert levels at which default action should not be take
 Threats | Specify threats upon which default action should not be taken when detected | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md)
 
 
-
-
-
-
-
-## Related topics
+## Related articles
 
 - [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)
 - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+
diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md
index 0a6c5dc31a..6ed604307a 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
 ms.date: 09/03/2018
 ms.reviewer: 
 manager: dansimp
@@ -31,7 +32,7 @@ See the [Endpoint Protection](https://docs.microsoft.com/sccm/protect/deploy-use
 For Microsoft Intune, consult the [Microsoft Intune library](https://docs.microsoft.com/intune/introduction-intune) and [Configure device restriction settings in Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
 
 
-## Related topics
+## Related articles
 
 - [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)
 - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md
index bd4a22592f..326511d75c 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
 ms.date: 09/03/2018
 ms.reviewer: 
 manager: dansimp
@@ -38,7 +39,7 @@ You can [configure which settings can be overridden locally with local policy ov
 PowerShell is typically installed under the folder _%SystemRoot%\system32\WindowsPowerShell_.
 
 
-**Use Windows Defender Antivirus PowerShell cmdlets:**
+## Use Windows Defender Antivirus PowerShell cmdlets
 
 1. Click **Start**, type **powershell**, and press **Enter**.
 2. Click **Windows PowerShell** to open the interface. 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md
index c0e86e1a2b..0e88dfd58b 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
 ms.date: 09/03/2018
 ms.reviewer: 
 manager: dansimp
diff --git a/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
index 5553e762b8..e1d2d9c8e9 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
@@ -9,10 +9,11 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
 ms.reviewer: 
 manager: dansimp
+ms.custom: nextgen
 ---
 
 # Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection
@@ -21,7 +22,7 @@ manager: dansimp
 
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-Microsoft next-gen technologies in Windows Defender Antivirus provide near-instant, automated protection against new and emerging threats. To dynamically identify new threats, these technologies work with large sets of interconnected data in the Microsoft Intelligent Security Graph and powerful artificial intelligence (AI) systems driven by advanced machine learning models.  
+Microsoft next-generation technologies in Windows Defender Antivirus provide near-instant, automated protection against new and emerging threats. To dynamically identify new threats, these technologies work with large sets of interconnected data in the Microsoft Intelligent Security Graph and powerful artificial intelligence (AI) systems driven by advanced machine learning models.  
 
 Windows Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
 ![List of Windows Defender AV engines](images/microsoft-defender-atp-next-generation-protection-engines.png)  
diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
index 717e08d7d4..369ebfe876 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
 ms.date: 09/03/2018
 ms.reviewer: 
 manager: dansimp
diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
index 6327898e26..d1ec034818 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
@@ -14,6 +14,7 @@ ms.author: deniseb
 ms.date: 10/14/2019
 ms.reviewer: 
 manager: dansimp
+ms.custom: nextgen
 ---
 
 # Next-generation protection in Windows 10 and Windows Server 2016
@@ -33,8 +34,7 @@ Next-generation protection includes services that use machine learning together
 >- [Cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
 >- Fast learning (including [block at first sight](configure-block-at-first-sight-windows-defender-antivirus.md))
 >- [Potentially unwanted application blocking](detect-block-potentially-unwanted-apps-windows-defender-antivirus.md)
-
-> [!NOTE]
+> 
 > For more information regarding what's new in each Windows version, please refer to [What's new in Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp).
 
 ## Minimum system requirements
@@ -44,7 +44,7 @@ Windows Defender Antivirus is your main vehicle for next-generation protection,
 - [Minimum hardware requirements](https://docs.microsoft.com/windows-hardware/design/minimum/minimum-hardware-requirements-overview)
 - [Hardware component guidelines](https://docs.microsoft.com/windows-hardware/design/component-guidelines/components)
 
-## Configuring Next-generation services
+## Configuring next-generation services
 
 You can use the following to configure and manage next-generation services in Windows 10 while running Windows Defender Antivirus:
 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md
index e106d82384..4187645c2e 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
 ms.date: 09/03/2018
 ms.reviewer: 
 manager: dansimp
@@ -28,7 +29,7 @@ You can use Windows Defender Offline if you suspect a malware infection, or you
 
 In Windows 10, Windows Defender Offline can be run with one click directly from the [Windows Security app](windows-defender-security-center-antivirus.md). In previous versions of Windows, a user had to install Windows Defender Offline to bootable media, restart the endpoint, and load the bootable media.
 
-## Pre-requisites and requirements
+## prerequisites and requirements
 
 Windows Defender Offline in Windows 10 has the same hardware requirements as Windows 10. 
 
@@ -92,7 +93,7 @@ You can run a Windows Defender Offline scan with the following:
 
 
 
-**Use PowerShell cmdlets to run an offline scan:**
+### Use PowerShell cmdlets to run an offline scan
 
 Use the following cmdlets:
 
@@ -102,7 +103,7 @@ Start-MpWDOScan
 
 See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
 
-**Use Windows Management Instruction (WMI) to run an offline scan:**
+### Use Windows Management Instruction (WMI) to run an offline scan
 
 Use the [**MSFT_MpWDOScan**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class to run an offline scan.
 
@@ -116,7 +117,7 @@ See the following for more information:
 - [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx)
 
 
-**Use the Windows Defender Security app to run an offline scan:**
+### Use the Windows Defender Security app to run an offline scan
 
 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
 
@@ -135,7 +136,7 @@ See the following for more information:
 Windows Defender Offline scan results will be listed in the [Scan history section of the Windows Security app](windows-defender-security-center-antivirus.md#detection-history). 
 
 
-## Related topics
+## Related articles
 
 - [Customize, initiate, and review the results of scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
 - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
index 6333dad0ae..5935c90319 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
 ms.date: 09/03/2018
 ms.reviewer: 
 manager: dansimp
@@ -40,7 +41,7 @@ See the [Windows Security topic](/windows/threat-protection/windows-defender-sec
 >[!NOTE]
 >The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Microsoft Defender Security Center web portal that is used to review and manage [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md).
 
-**Review virus and threat protection settings in the Windows Security app:**
+## Review virus and threat protection settings in the Windows Security app
 
 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
 
@@ -66,7 +67,6 @@ Item | Windows 10, before version 1703 | Windows 10, version 1703 and later | De
 4 | **Scan options** | **Advanced scan** | Run a full scan, custom scan, or a Windows Defender Offline scan
 5 | Run a scan (based on the option chosen under **Scan options** | **Quick scan** | In Windows 10, version 1703 and later, you can run custom and full scans under the **Advanced scan** option
 
-
 ## Common tasks
 
 This section describes how to perform some of the most common tasks when reviewing or interacting with the threat protection provided by Windows Defender Antivirus in the Windows Security app.
@@ -75,7 +75,9 @@ This section describes how to perform some of the most common tasks when reviewi
 > If these settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. The [Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-windows-defender-antivirus.md) topic describes how local policy override settings can be configured.
 
 
-**Run a scan with the Windows Security app**
+
+### Run a scan with the Windows Security app
+
 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
 
 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
@@ -85,7 +87,9 @@ This section describes how to perform some of the most common tasks when reviewi
 4. Click **Run a new advanced scan** to specify different types of scans, such as a full scan.
 
 
-**Review the security intelligence update version and download the latest updates in the Windows Security app**
+
+### Review the security intelligence update version and download the latest updates in the Windows Security app
+
 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
 
 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
@@ -97,8 +101,7 @@ This section describes how to perform some of the most common tasks when reviewi
 4. Click **Check for updates** to download new protection updates (if there are any).
 
 
-
-**Ensure Windows Defender Antivirus is enabled in the Windows Security app**
+### Ensure Windows Defender Antivirus is enabled in the Windows Security app
 
 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
 
@@ -114,7 +117,9 @@ This section describes how to perform some of the most common tasks when reviewi
 
 
 
-**Add exclusions for Windows Defender Antivirus in the Windows Security app**
+
+### Add exclusions for Windows Defender Antivirus in the Windows Security app
+
 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
 
 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
@@ -126,7 +131,8 @@ This section describes how to perform some of the most common tasks when reviewi
 5. Click the plus icon to choose the type and set the options for each exclusion. 
 
 
-**Review threat detection history in the Windows Defender Security Center app**
+
+### Review threat detection history in the Windows Defender Security Center app
 1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
  
 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
@@ -136,7 +142,9 @@ This section describes how to perform some of the most common tasks when reviewi
 4. Click **See full history** under each of the categories (**Current threats**, **Quarantined threats**, **Allowed threats**).
  
 
-**Set ransomware protection and recovery options**
+
+### Set ransomware protection and recovery options
+
 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
 
 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
@@ -147,8 +155,7 @@ This section describes how to perform some of the most common tasks when reviewi
 
 5. To set up ransomware recovery options, click **Set up** under **Ransomware data recovery** and follow the instructions for linking or setting up your OneDrive account so you can easily recover from a ransomware attack.
 
-
-## Related topics
+## Related articles
 
 - [Windows Defender Antivirus](windows-defender-antivirus-in-windows-10.md)
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
index d1fde8548c..2d37313936 100644
--- a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
+++ b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
@@ -27,7 +27,7 @@ Beginning with the Windows 10 November 2019 update (build 18363), Microsoft Intu
 
 With Intune, IT Pros can now configure their managed S mode devices using a Windows Defender Application Control (WDAC) supplemental policy that expands the S mode base policy to authorize the apps their business uses. This feature changes the S mode security posture from “every app is Microsoft-verified" to “every app is verified by Microsoft or your organization”. 
 
-# Policy Authorization Process
+## Policy Authorization Process
 ![Policy Authorization](images/wdac-intune-policy-authorization.png)
 The general steps for expanding the S mode base policy on your devices are to generate a supplemental policy, sign that policy, and then upload the signed policy to Intune and assign it to user or device groups.
 1. Generate a supplemental policy with WDAC tooling
@@ -54,6 +54,11 @@ The general steps for expanding the S mode base policy on your devices are to ge
         Set-RuleOption -FilePath "\SupplementalPolicy.xml>" -Option 3 –Delete
         ```
         This deletes the ‘audit mode’ qualifier.
+    -  Since you'll be signing your policy, you must authorize the signing certificate you will use to sign the policy and optionally one or more additional signers that can be used to sign updates to the policy in the future. For more information, refer to Section 2, Sign policy. Use Add-SignerRule to add the signing certificate to the WDAC policy: 
+       
+        ```powershell
+        Add-SignerRule -FilePath  -CertificatePath  -User -Update`
+        ```
     - Convert to .bin using [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy?view=win10-ps)
 
         ```powershell
@@ -64,12 +69,7 @@ The general steps for expanding the S mode base policy on your devices are to ge
     
     Supplemental S mode policies must be digitally signed. To sign your policy, you can choose to use the Device Guard Signing Service or your organization's custom Public Key Infrastructure (PKI). Refer to [Use the Device Guard Signing Portal in the Microsoft Store for Business](use-device-guard-signing-portal-in-microsoft-store-for-business.md) for guidance on using DGSS and [Create a code signing cert for WDAC](create-code-signing-cert-for-windows-defender-application-control.md) for guidance on signing using an internal CA.
 
-    Once your policy is signed, you must authorize the signing certificate you used to sign the policy and optionally one or more additional signers that can be used to sign updates to the policy in the future. Use Add-SignerRule to add the signing certificate to the WDAC policy: 
-       
-    ```powershell
-    Add-SignerRule -FilePath  -CertificatePath  -User -Update`
-    ```
-    Rename your policy to "{PolicyID}.p7b" after you've signed it. PolicyID can be found by inspecting the Supplemental Policy XML
+    Rename your policy to "{PolicyID}.p7b" after you've signed it. PolicyID can be found by inspecting the Supplemental Policy XML.
 
 3. Deploy the signed supplemental policy using Microsoft Intune
 
@@ -78,11 +78,11 @@ The general steps for expanding the S mode base policy on your devices are to ge
 > [!Note]
 > When updating your supplemental policy, ensure that the new version number is strictly greater than the previous one. Using the same version number is not allowed by Intune. Refer to [Set-CIPolicyVersion](https://docs.microsoft.com/powershell/module/configci/set-cipolicyversion?view=win10-ps) for information on setting the version number.
 
-# Standard Process for Deploying Apps through Intune
+## Standard Process for Deploying Apps through Intune
 ![Deploying Apps through Intune](images/wdac-intune-app-deployment.png)
 Refer to [Intune Standalone - Win32 app management](https://docs.microsoft.com/intune/apps-win32-app-management)  for guidance on the existing procedure of packaging signed catalogs and app deployment.
 
-# Optional: Process for Deploying Apps using Catalogs
+## Optional: Process for Deploying Apps using Catalogs
 ![Deploying Apps using Catalogs](images/wdac-intune-app-catalogs.png)
 Your supplemental policy can be used to significantly relax the S mode base policy, but there are security trade-offs you must consider in doing so. For example, you can use a signer rule to trust an external signer, but that will authorize all apps signed by that certificate, which may include apps you don’t want to allow as well.
 
@@ -93,7 +93,7 @@ The basic process is to generate a catalog file for each app using Package Inspe
 > [!Note] 
 > Every time an app updates, you will need to deploy an updated catalog. Because of this, IT Pros should try to avoid using catalog files for applications that auto-update and direct users not to update applications on their own.
 
-# Sample Policy
+## Sample policy
 Below is a sample policy that allows kernel debuggers, PowerShell ISE, and Registry Editor. It also demonstrates how to specify your organization's code signing and policy signing certificates.
 ```xml
 
@@ -176,7 +176,7 @@ Below is a sample policy that allows kernel debuggers, PowerShell ISE, and Regis
   
 
 ```
-# Policy Removal
+## Policy removal
 > [!Note]
 > This feature currently has a known a policy deletion bug, with a fix expected in the 2D update in late February 2020. Devices of users who are unenrolled will still have their WDAC policies removed. In the mentime, IT Pros are recommended to update their policy with the below 'empty' policy which makes no changes to S mode.
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.md b/windows/security/threat-protection/windows-defender-application-control/TOC.md
index 02767f2f29..7275492629 100644
--- a/windows/security/threat-protection/windows-defender-application-control/TOC.md
+++ b/windows/security/threat-protection/windows-defender-application-control/TOC.md
@@ -5,20 +5,23 @@
 ### Design and create your WDAC policy
 #### [Understand WDAC policy design decisions](understand-windows-defender-application-control-policy-design-decisions.md)
 #### [Understand WDAC policy rules and file rules](select-types-of-rules-to-create.md)
-#### [Create an initial default policy](create-initial-default-policy.md)
-#### [Microsoft recommended block rules](microsoft-recommended-block-rules.md)
+##### [Authorize apps deployed with a WDAC managed installer](use-windows-defender-application-control-with-managed-installer.md)
+##### [Authorize reputable apps with Intelligent Security Graph (ISG)](use-windows-defender-application-control-with-intelligent-security-graph.md)
+#### [Example WDAC base policies](example-wdac-base-policies.md)
+#### [Use multiple WDAC policies](deploy-multiple-windows-defender-application-control-policies.md)
+#### [Common WDAC deployment scenarios](types-of-devices.md)
+##### [Create a WDAC policy for lightly-managed devices](create-wdac-policy-for-lightly-managed-devices.md)
+##### [Create a WDAC policy for fully-managed devices](create-wdac-policy-for-fully-managed-devices.md)
+##### [Create a WDAC policy for fixed-workload devices](create-initial-default-policy.md)
+##### [Microsoft recommended block rules](microsoft-recommended-block-rules.md)
 
 
 
 ## [Windows Defender Application Control deployment guide](windows-defender-application-control-deployment-guide.md)
-### [Types of devices](types-of-devices.md)
 ### [Audit WDAC policies](audit-windows-defender-application-control-policies.md)
 ### [Merge WDAC policies](merge-windows-defender-application-control-policies.md)
-### [Deploy multiple WDAC policies](deploy-multiple-windows-defender-application-control-policies.md)
 ### [Enforce WDAC policies](enforce-windows-defender-application-control-policies.md)
 ### [Allow COM object registration](allow-com-object-registration-in-windows-defender-application-control-policy.md)
-### [Deploy WDAC with a managed installer](use-windows-defender-application-control-with-managed-installer.md)
-### [Deploy WDAC with Intelligent Security Graph (ISG)](use-windows-defender-application-control-with-intelligent-security-graph.md)
 ### [Deploy WDAC policies using Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md)
 ### [Deploy WDAC policies using Intune](deploy-windows-defender-application-control-policies-using-intune.md)
 ### [Use WDAC with .NET hardening](use-windows-defender-application-control-with-dynamic-code-security.md)
diff --git a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
index 039a888196..7591c17136 100644
--- a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
@@ -1,5 +1,5 @@
 ---
-title: Allow COM object registration in a Windows Defender Application Control policy (Windows 10)
+title: Allow COM object registration in a WDAC policy (Windows 10)
 description: You can allow COM object registration in a Windows Defender Application Control policy.
 keywords: whitelisting, security, malware
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md
index 3b75aaec82..099c30bac7 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md
@@ -1,5 +1,5 @@
 ---
-title: Determine which apps are digitally signed on a reference device (Windows 10)
+title: Find digitally signed apps on a reference device (Windows 10)
 description: This topic for the IT professional describes how to use AppLocker logs and tools to determine which applications are digitally signed.
 ms.assetid: 24609a6b-fdcb-4083-b234-73e23ff8bcb8
 ms.reviewer: 
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md
index 44a181aa71..0e40237b7b 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md
@@ -1,5 +1,5 @@
 ---
-title: Document the Group Policy structure and AppLocker rule enforcement (Windows 10)
+title: Document Group Policy structure & AppLocker rule enforcement (Windows 10)
 description: This planning topic describes what you need to investigate, determine, and record in your application control policies plan when you use AppLocker.
 ms.assetid: 389ffa8e-11fc-49ff-b0b1-89553e6fb6e5
 ms.reviewer: 
diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md
index a866996a6f..b86dfe2687 100644
--- a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md
@@ -1,6 +1,6 @@
 ---
-title: Audit Windows Defender Application Control (WDAC) policies (Windows 10)
-description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core.
+title: Audit Windows Defender Application Control policies (Windows 10)
+description: Windows Defender Application Control (WDAC) restricts which applications users are allowed to run and the code that runs in the system core.
 keywords: whitelisting, security, malware
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
 ms.prod: w10
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md
index 9f2f505f65..bf0bb97074 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md
@@ -1,11 +1,8 @@
 ---
-title: Create a Windows Defender Application Control policy from a reference computer (Windows 10)
+title: Create a WDAC policy for fixed-workload devices using a reference computer (Windows 10)
 description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core.
 keywords: whitelisting, security, malware
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.reviewer: 
-manager: dansimp
-ms.author: dansimp
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
@@ -20,14 +17,15 @@ manager: dansimp
 ms.date: 05/03/2018
 ---
 
-# Create a Windows Defender Application Control policy from a reference computer
+# Create a WDAC policy for fixed-workload devices using a reference computer
 
 **Applies to:**
 
 -   Windows 10
--   Windows Server 2016
+-   Windows Server 2016 and above
+
+This section outlines the process to create a WDAC policy for fixed-workload devices within an organization. Fixed-workload devices tend to be dedicated to a specific functional purpose and share common configuration attributes with other devices servicing the same functional role. Examples of fixed-workload devices may include Active Directory Domain Controllers, Secure Admin Workstations, pharmaceutical drug-mixing equipment, manufacturing devices, cash registers, ATMs, etc...
 
-This section outlines the process to create a WDAC policy with Windows PowerShell. 
 For this example, you must initiate variables to be used during the creation process or use the full file paths in the command. 
 Then create the WDAC policy by scanning the system for installed applications. 
 The policy file is converted to binary format when it gets created so that Windows can interpret it.
@@ -52,24 +50,24 @@ You can remove or disable such software on the reference computer.
 
 To create a WDAC policy, copy each of the following commands into an elevated Windows PowerShell session, in order:
 
-1. Initialize variables that you will use. The following example commands use **InitialScan.xml** and **DeviceGuardPolicy.bin** for the names of the files that will be created:
+1. Initialize variables that you will use.
 
-   `$CIPolicyPath=$env:userprofile+"\Desktop\"`
-
-   `$InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"`
-
-   `$CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"`
+   ```powershell
+   $PolicyPath=$env:userprofile+"\Desktop\"
+   $PolicyName="FixedWorkloadPolicy_Audit"
+   $WDACPolicy=$PolicyPath+$PolicyName+".xml"
+   $WDACPolicyBin=$PolicyPath+$PolicyName+".bin"
 
 2. Use [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy) to create a new WDAC policy by scanning the system for installed applications:
 
    ```powershell
-   New-CIPolicy -Level PcaCertificate -FilePath $InitialCIPolicy –UserPEs 3> CIPolicyLog.txt 
+   New-CIPolicy -Level PcaCertificate -FilePath $WDACPolicy –UserPEs 3> CIPolicyLog.txt 
    ```
 
    > [!Note]
    > 
    > - When you specify the **-UserPEs** parameter (to include user mode executables in the scan), rule option **0 Enabled:UMCI** is automatically added to the WDAC policy. In contrast, if you do not specify **-UserPEs**, the policy will be empty of user mode executables and will only have rules for kernel mode binaries like drivers, in other words, the whitelist will not include applications. If you create such a policy and later add rule option **0 Enabled:UMCI**, all attempts to start applications will cause a response from Windows Defender Application Control. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application. 
-   > 
+   > - You can add the **-MultiplePolicyFormat** parameter when creating policies which will be deployed to computers which are running Windows build 1903+. For more information about multiple policies, see [Deploy multiple Windows Defender Application Control policies](deploy-multiple-windows-defender-application-control-policies.md).
    > - You can add the **-Fallback** parameter to catch any applications not discovered using the primary file rule level specified by the **-Level** parameter. For more information about file rule level options, see [Windows Defender Application Control file rule levels](select-types-of-rules-to-create.md).
    > 
    > - To specify that the WDAC policy scan only a specific drive, include the **-ScanPath** parameter followed by a path. Without this parameter, the entire system is scanned.
@@ -79,10 +77,10 @@ To create a WDAC policy, copy each of the following commands into an elevated Wi
 3. Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy) to convert the WDAC policy to a binary format:
 
    ```powershell
-   ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin
+   ConvertFrom-CIPolicy $WDACPolicy $WDACPolicyBin
    ```
 
-After you complete these steps, the WDAC binary file (DeviceGuardPolicy.bin) and original .xml file (InitialScan.xml) will be available on your desktop. You can use the binary file as a WDAC policy or sign it for additional security.
+After you complete these steps, the WDAC binary file ($WDACPolicyBin) and original .xml file ($WDACPolicy) will be available on your desktop. You can use the binary file as a WDAC policy or sign it for additional security.
 
 > [!NOTE]
 > We recommend that you keep the original .xml file of the policy for use when you need to merge the WDAC policy with another policy or update its rule options. Alternatively, you would have to create a new policy from a new scan for servicing. For more information about how to merge WDAC policies, see [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md).
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md
new file mode 100644
index 0000000000..93758237b0
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md
@@ -0,0 +1,168 @@
+---
+title: Create a WDAC policy for fully-managed devices (Windows 10)
+description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core.
+keywords: whitelisting, security, malware
+ms.topic: conceptual
+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+audience: ITPro
+ms.collection: M365-security-compliance
+author: jsuther1974
+ms.reviewer: isbrahm
+ms.author: dansimp
+manager: dansimp
+ms.date: 11/20/2019
+---
+
+# Create a WDAC policy for fully-managed devices
+
+**Applies to:**
+
+-   Windows 10
+-   Windows Server 2016 and above
+
+This section outlines the process to create a WDAC policy for **fully-managed devices** within an organization. The key difference between this scenario and [lightly-managed devices](create-wdac-policy-for-lightly-managed-devices.md) is that all software deployed to a fully-managed device is managed by IT and users of the device cannot install arbitrary apps. Ideally, all apps are deployed using a software distribution solution, such as Microsoft Endpoint Manager (MEM). Additionally, users on fully-managed devices should ideally run as standard user and only authorized IT pros have administrative access.
+
+> [!NOTE]
+> Some of the WDAC options described in this topic are only available on Windows 10 version 1903 and above. When using this topic to plan your own organization's WDAC policies, consider whether your managed clients can use all or some of these features and assess the impact for any features that may be unavailable on your clients. You may need to adapt this guidance to meet your specific organization's needs.
+
+As described in [common WDAC deployment scenarios](types-of-devices.md), we will use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices.
+
+**Alice Pena** is the IT team lead tasked with the rollout of WDAC.
+
+Alice previously created a policy for the organization's lightly-managed devices. Some devices, however, are more tightly managed and can benefit from a more constrained policy. In particular, certain job functions such as administrative staff and task-workers are not granted administrator level access to their devices. Similarly, shared kiosks are configured only with a managed set of apps and all users of the device except IT run as standard user. On these devices, all apps are deployed and installed by IT.
+
+## Define the "circle-of-trust" for fully-managed devices
+
+Alice identifies the following key factors to arrive at the "circle-of-trust" for Lamna's fully-managed devices:
+
+- All clients are running Windows 10 version 1903 or above;
+- All clients are managed by Microsoft Endpoint Manager (MEM) either with Configuration Manager (MEMCM) standalone or hybrid mode with Intune;
+
+> [!NOTE]
+> Microsoft Endpoint Configuration Manager was previously known as System Center Configuration Manager (SCCM) 
+
+- Most, but not all, apps are deployed using MEMCM;
+- Sometimes, IT staff install apps directly to these devices without using MEMCM;
+- All users except IT are standard users on these devices.
+
+Alice's team develops a simple console application, called *LamnaITInstaller.exe*, which will become the authorized way for IT staff to install apps directly to devices. *LamnaITInstaller.exe* allows the IT pro to launch another process, such as an app installer. Alice will configure *LamnaITInstaller.exe* as an additional managed installer for WDAC and allows her to remove the need for filepath rules.
+
+Based on the above, Alice defines the pseudo-rules for the policy:
+
+1. **“Windows works”** rules which authorizes:
+   - Windows
+   - WHQL (3rd party kernel drivers)
+   - Windows Store signed apps
+
+2. **"MEMCM works”** rules which includes signer and hash rules for MEMCM components to properly function
+3. **Allow Managed Installer** (MEMCM and *LamnaITInstaller.exe* configured as a managed installer)
+
+The critical differences between this set of pseudo-rules and those defined for Lamna's [lightly-managed devices](create-wdac-policy-for-lightly-managed-devices.md#define-the-circle-of-trust-for-lightly-managed-devices) are:
+
+- Removal of the Intelligent Security Graph (ISG) option; and
+- Removal of filepath rules.
+
+## Create a custom base policy using an example WDAC base policy
+
+Having defined the "circle-of-trust", Alice is ready to generate the initial policy for Lamna's fully-managed devices. She decides to use MEMCM to create the initial base policy and then customize it to meet Lamna's needs.
+
+Alice follows these steps to complete this task:
+
+> [!NOTE]
+> If you do not use MEMCM or prefer to use a different [example WDAC base policy](example-wdac-base-policies.md) for your own policy, skip to step 2 and substitute the MEMCM policy path with your preferred example base policy.
+
+1. [Use MEMCM to create and deploy an audit policy](https://docs.microsoft.com/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) to a client device running Windows 10 version 1903 or above.
+
+2. On the client device, run the following commands in an elevated Windows PowerShell session to initialize variables:
+
+      ```powershell
+      $PolicyName= "Lamna_FullyManagedClients_Audit"
+      $LamnaPolicy=$env:userprofile+"\Desktop\"+$PolicyName+".xml"
+      $MEMCMPolicy=$env:windir+"\CCM\DeviceGuard\MergedPolicy_Audit_ISG.xml"
+      ```
+
+3. Copy the policy created by MEMCM to the desktop:
+
+      ```powershell
+      cp $MEMCMPolicy $LamnaPolicy
+      ```
+
+4. Give the new policy a unique ID, descriptive name, and initial version number:
+
+      ```powershell
+      Set-CIPolicyIdInfo -FilePath $LamnaPolicy -PolicyName $PolicyName -ResetPolicyID
+      Set-CIPolicyVersion -FilePath $LamnaPolicy -Version "1.0.0.0"
+      ```
+
+5. Modify the copied policy to set policy rules:
+
+      ```powershell
+      Set-RuleOption -FilePath $LamnaPolicy -Option 3 # Audit Mode
+      Set-RuleOption -FilePath $LamnaPolicy -Option 6 # Unsigned Policy
+      Set-RuleOption -FilePath $LamnaPolicy -Option 9 # Advanced Boot Menu
+      Set-RuleOption -FilePath $LamnaPolicy -Option 12 # Enforce Store Apps
+      Set-RuleOption -FilePath $LamnaPolicy -Option 13 # Managed Installer
+      Set-RuleOption -FilePath $LamnaPolicy -Option 16 # No Reboot
+      Set-RuleOption -FilePath $LamnaPolicy -Option 17 # Allow Supplemental
+      Set-RuleOption -FilePath $LamnaPolicy -Option 19 # Dynamic Code Security
+      ```
+
+6. If appropriate, add additional signer or file rules to further customize the policy for your organization.
+
+7. Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy) to convert the WDAC policy to a binary format:
+
+    > [!NOTE]
+    > In the sample commands below, replace the string "{InsertPolicyID}" with the actual PolicyID GUID (including braces **{ }**) found in your policy XML file.
+
+   ```powershell
+   $WDACPolicyBin=$env:userprofile+"\Desktop\"+$PolicyName+"_{InsertPolicyID}.bin"
+   ConvertFrom-CIPolicy $LamnaPolicy $WDACPolicyBin
+   ```
+
+8. Upload your base policy XML and the associated binary to a source control solution such as [GitHub](https://github.com/) or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration).
+
+At this point, Alice now has an initial policy that is ready to deploy in audit mode to the managed clients within Lamna.
+
+## Security considerations of this fully-managed policy
+
+Alice has defined a policy for Lamna's fully-managed devices that makes some trade-offs between security and manageability for apps. Some of the trade-offs include:
+
+- **Users with administrative access**
      
+    Although applying to fewer users, Lamna still allows some IT staff to log in to its fully-managed devices as administrator. This allows these admin users (or malware running with the user's privileges) to modify or remove altogether the WDAC policy applied on the device. Additionally, administrators can configure any app they wish to operate as a managed installer which would allow them to gain persistent app authorization for whatever apps or binaries they wish.
+
+   Possible mitigations:
+  - Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies.
+  - Create and deploy signed catalog files as part of the app deployment process in order to remove the requirement for managed installer.
+  - Use device attestation to detect the configuration state of WDAC at boot time and use that information to condition access to sensitive corporate resources.
+- **Unsigned policies**
      
+    Unsigned policies can be replaced or removed without consequence by any process running as administrator. Unsigned base policies that also enable supplemental policies can have their "circle-of-trust" altered by any unsigned supplemental policy.
+
+   Existing mitigations applied:
+  - Limit who can elevate to administrator on the device.
+
+   Possible mitigations:
+  - Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies.
+- **Managed installer**
      
+    See [security considerations with managed installer](use-windows-defender-application-control-with-managed-installer.md#security-considerations-with-managed-installer)
+
+   Existing mitigations applied:
+  - Limit who can elevate to administrator on the device.
+
+   Possible mitigations:
+  - Create and deploy signed catalog files as part of the app deployment process in order to remove the requirement for managed installer.
+- **Supplemental policies**
      
+    Supplemental policies are designed to relax the associated base policy. Additionally allowing unsigned policies allows any administrator process to expand the "circle-of-trust" defined by the base policy without restriction.
+
+   Possible mitigations:
+  - Use signed WDAC policies which allow authorized signed supplemental policies only.
+  - Use a restrictive audit mode policy to audit app usage and augment vulnerability detection.
+
+## Up next
+
+- [Create a WDAC policy for fixed-workload devices using a reference computer](create-initial-default-policy.md)
+- [Prepare to deploy WDAC policies](windows-defender-application-control-deployment-guide.md)
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
new file mode 100644
index 0000000000..6fc44116aa
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
@@ -0,0 +1,184 @@
+---
+title: Create a WDAC policy for lightly-managed devices (Windows 10)
+description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core.
+keywords: whitelisting, security, malware
+ms.topic: conceptual
+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+audience: ITPro
+ms.collection: M365-security-compliance
+author: jsuther1974
+ms.reviewer: isbrahm
+ms.author: dansimp
+manager: dansimp
+ms.date: 11/15/2019
+---
+
+# Create a WDAC policy for lightly-managed devices
+
+**Applies to:**
+
+-   Windows 10
+-   Windows Server 2016 and above
+
+This section outlines the process to create a WDAC policy for **lightly-managed devices** within an organization. Typically, organizations that are new to application control will be most successful if they start with a permissive policy like the one described in this topic. Organizations can choose to harden the policy over time to achieve a stronger overall security posture on their WDAC managed devices as described in later topics.
+
+> [!NOTE]
+> Some of the WDAC options described in this topic are only available on Windows 10 version 1903 and above. When using this topic to plan your own organization's WDAC policies, consider whether your managed clients can use all or some of these features and assess the impact for any features that may be unavailable on your clients. You may need to adapt this guidance to meet your specific organization's needs.
+
+As in the [previous topic](types-of-devices.md), we will use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices.
+
+**Alice Pena** is the IT team lead tasked with the rollout of WDAC. Recognizing where Lamna is starting from, with very loose application usage policies and a culture of maximum app flexibility for users, Alice knows that she will need to take an incremental approach to application control and use different policies for different workloads.
+
+For the majority of users and devices, Alice wants to create an initial policy that is as relaxed as possible in order to minimize user productivity impact, while still providing security value.
+
+## Define the "circle-of-trust" for lightly-managed devices
+
+Alice identifies the following key factors to arrive at the "circle-of-trust" for Lamna's lightly-managed devices, which currently includes most end-user devices:
+
+- All clients are running Windows 10 version 1903 or above;
+- All clients are managed by Microsoft Endpoint Manager (MEM) either with Configuration Manager (MEMCM) standalone or hybrid mode with Intune;
+
+> [!NOTE]
+> Microsoft Endpoint Configuration Manager was previously known as System Center Configuration Manager (SCCM) 
+
+- Some, but not all, apps are deployed using MEMCM;
+- Most users are local administrators on their devices;
+- Some teams may need additional rules to authorize specific apps that don't apply generally to all other users.
+
+Based on the above, Alice defines the pseudo-rules for the policy:
+
+1. **“Windows works”** rules which authorizes:
+   - Windows
+   - WHQL (3rd party kernel drivers)
+   - Windows Store signed apps
+
+2. **"MEMCM works”** rules which includes signer and hash rules for MEMCM components to properly function
+3. **Allow Managed Installer** (MEMCM configured as a managed installer)
+4. **Allow Intelligent Security Graph (ISG)** (reputation-based authorization)
+5. **Admin-only path rules** for the following locations:
+   - C:\Program Files\*
+   - C:\Program Files (x86)\*
+   - %windir%\*
+
+## Create a custom base policy using an example WDAC base policy
+
+Having defined the "circle-of-trust", Alice is ready to generate the initial policy for Lamna's lightly-managed devices. She decides to use MEMCM to create the initial base policy and then customize it to meet Lamna's needs.
+
+Alice follows these steps to complete this task:
+
+> [!NOTE]
+> If you do not use MEMCM or prefer to use a different [example WDAC base policy](example-wdac-base-policies.md) for your own policy, skip to step 2 and substitute the MEMCM policy path with your preferred example base policy.
+
+1. [Use MEMCM to create and deploy an audit policy](https://docs.microsoft.com/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) to a client device running Windows 10 version 1903 or above.
+
+2. On the client device, run the following commands in an elevated Windows PowerShell session to initialize variables:
+
+      ```powershell
+      $PolicyName= "Lamna_LightlyManagedClients_Audit"
+      $LamnaPolicy=$env:userprofile+"\Desktop\"+$PolicyName+".xml"
+      $MEMCMPolicy=$env:windir+"\CCM\DeviceGuard\MergedPolicy_Audit_ISG.xml"
+      ```
+
+3. Copy the policy created by MEMCM to the desktop:
+
+      ```powershell
+      cp $MEMCMPolicy $LamnaPolicy
+      ```
+
+4. Give the new policy a unique ID, descriptive name, and initial version number:
+
+      ```powershell
+      Set-CIPolicyIdInfo -FilePath $LamnaPolicy -PolicyName $PolicyName -ResetPolicyID
+      Set-CIPolicyVersion -FilePath $LamnaPolicy -Version "1.0.0.0"
+      ```
+
+5. Modify the copied policy to set policy rules:
+
+      ```powershell
+      Set-RuleOption -FilePath $LamnaPolicy -Option 3 # Audit Mode
+      Set-RuleOption -FilePath $LamnaPolicy -Option 6 # Unsigned Policy
+      Set-RuleOption -FilePath $LamnaPolicy -Option 9 # Advanced Boot Menu
+      Set-RuleOption -FilePath $LamnaPolicy -Option 12 # Enforce Store Apps
+      Set-RuleOption -FilePath $LamnaPolicy -Option 13 # Managed Installer
+      Set-RuleOption -FilePath $LamnaPolicy -Option 14 # ISG
+      Set-RuleOption -FilePath $LamnaPolicy -Option 16 # No Reboot
+      Set-RuleOption -FilePath $LamnaPolicy -Option 17 # Allow Supplemental
+      Set-RuleOption -FilePath $LamnaPolicy -Option 19 # Dynamic Code Security
+      ```
+
+6. Add rules to allow windir and Program Files directories:
+
+      ```powershell
+      $PathRules += New-CIPolicyRule -FilePathRule "%windir%\*"
+      $PathRules += New-CIPolicyRule -FilePathRule "%OSDrive%\Program Files\*"
+      $PathRules += New-CIPolicyRule -FilePathRule "%OSDrive%\Program Files (x86)\*"
+      Merge-CIPolicy -OutputFilePath = $LamnaPolicy -PolicyPaths $LamnaPolicy -Rules $PathRules
+      ```
+
+7. If appropriate, add additional signer or file rules to further customize the policy for your organization.
+
+8. Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy) to convert the WDAC policy to a binary format:
+
+    > [!NOTE]
+    > In the sample commands below, replace the string "{InsertPolicyID}" with the actual PolicyID GUID (including braces **{ }**) found in your policy XML file.
+
+   ```powershell
+   $WDACPolicyBin=$env:userprofile+"\Desktop\"+$PolicyName+"_{InsertPolicyID}.bin"
+   ConvertFrom-CIPolicy $LamnaPolicy $WDACPolicyBin
+   ```
+
+9. Upload your base policy XML and the associated binary to a source control solution such as [GitHub](https://github.com/) or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration).
+
+At this point, Alice now has an initial policy that is ready to deploy in audit mode to the managed clients within Lamna.
+
+## Security considerations of this lightly-managed policy
+
+In order to minimize user productivity impact, Alice has defined a policy that makes several trade-offs between security and user app flexibility. Some of the trade-offs include:
+
+- **Users with administrative access**
      
+    By far the most impactful security trade-off, this allows the device user (or malware running with the user's privileges) to modify or remove altogether the WDAC policy applied on the device. Additionally, administrators can configure any app they wish to operate as a managed installer which would allow them to gain persistent app authorization for whatever apps or binaries they wish.
+
+    Possible mitigations:
+  - Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies.
+  - Create and deploy signed catalog files as part of the app deployment process in order to remove the requirement for managed installer.
+  - Use device attestation to detect the configuration state of WDAC at boot time and use that information to condition access to sensitive corporate resources.
+- **Unsigned policies**
      
+    Unsigned policies can be replaced or removed without consequence by any process running as administrator. Unsigned base policies that also enable supplemental policies can have their "circle-of-trust" altered by any unsigned supplemental policy.
+
+    Possible mitigations:
+  - Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies.
+  - Limit who can elevate to administrator on the device.
+- **Managed installer**
      
+    See [security considerations with managed installer](use-windows-defender-application-control-with-managed-installer.md#security-considerations-with-managed-installer)
+
+    Possible mitigations:
+  - Create and deploy signed catalog files as part of the app deployment process in order to remove the requirement for managed installer.
+  - Limit who can elevate to administrator on the device.
+- **Intelligent Security Graph (ISG)**
      
+    See [security considerations with the Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph.md#security-considerations-with-the-intelligent-security-graph)
+
+    Possible mitigations:
+  - Implement policies requiring apps are managed by IT; audit existing app usage and deploy authorized apps using a software distribution solution such as Microsoft Endpoint Manager; move from ISG to managed installer or signature based rules.
+  - Use a restrictive audit mode policy to audit app usage and augment vulnerability detection.
+- **Supplemental policies**
      
+    Supplemental policies are designed to relax the associated base policy. Additionally allowing unsigned policies allows any administrator process to expand the "circle-of-trust" defined by the base policy without restriction.
+
+    Possible mitigations:
+  - Use signed WDAC policies which allow authorized signed supplemental policies only.
+  - Use a restrictive audit mode policy to audit app usage and augment vulnerability detection.
+- **FilePath rules**
      
+    See [more information about filepath rules](select-types-of-rules-to-create.md#more-information-about-filepath-rules)
+
+    Possible mitigations:
+  - Limit who can elevate to administrator on the device.
+  - Migrate from filepath rules to managed installer or signature-based rules.
+
+## Up next
+
+- [Create a WDAC policy for fully-managed devices](create-wdac-policy-for-fully-managed-devices.md)
+- [Prepare to deploy WDAC policies](windows-defender-application-control-deployment-guide.md)
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
index d70793409e..13547435c1 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
@@ -1,5 +1,5 @@
 ---
-title: Deploy multiple Windows Defender Application Control Policies  (Windows 10)
+title: Use multiple Windows Defender Application Control Policies  (Windows 10)
 description: Windows Defender Application Control supports multiple code integrity policies for one device.
 keywords: whitelisting, security, malware
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
@@ -17,7 +17,7 @@ manager: dansimp
 ms.date: 05/17/2019
 ---
 
-# Deploy multiple Windows Defender Application Control Policies 
+# Use multiple Windows Defender Application Control Policies
 
 **Applies to:**
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md
index 7bbbc5f8e5..781b9fd9be 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md
@@ -1,6 +1,6 @@
 ---
-title: Deploy Windows Defender Application Control (WDAC) policies by using Group Policy (Windows 10)
-description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core.
+title: Deploy WDAC policies via Group Policy (Windows 10)
+description: Windows Defender Application Control (WDAC) restricts which applications users are allowed to run and the code that runs in the system core.
 keywords: whitelisting, security, malware
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
 ms.prod: w10
diff --git a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md
new file mode 100644
index 0000000000..e51e5b06af
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md
@@ -0,0 +1,39 @@
+---
+title: Example WDAC base policies (Windows 10)
+description: When creating a WDAC policy for an organization, start from one of the many available example base policies.
+keywords: whitelisting, security, malware
+ms.topic: article
+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+audience: ITPro
+ms.collection: M365-security-compliance
+author: jsuther1974
+ms.reviewer: isbrahm
+ms.author: dansimp
+manager: dansimp
+ms.date: 11/15/2019
+---
+
+# Windows Defender Application Control example base policies
+
+**Applies to**
+-   Windows 10
+-   Windows Server 2016 and above
+
+When creating policies for use with Windows Defender Application Control (WDAC), it is recommended to start from an existing base policy and then add or remove rules to build your own custom policy XML files. Windows includes several example policies which can be used, or organizations which use the Device Guard Signing Service can download a starter policy from that service.
+
+## Example Base Policies
+
+| **Example Base Policy** | **Description** | **Where it can be found** |
+|----------------------------|---------------------------------------------------------------|--------|
+| **DefaultWindows.xml** | This example policy is available in either audit or enforce mode. It includes the rules necessary to ensure that Windows, 3rd party hardware and software kernel drivers, and Windows Store apps will run. Used as the basis for all [Microsoft Endpoint Manager(MEM)](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager) policies. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
+| **AllowMicrosoft.xml** | This example policy is available in audit mode. It includes the rules from DefaultWindows and adds rules to trust apps signed by the Microsoft product root certificate. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
+| **AllowAll.xml** | This example policy is useful when creating a block list policy. All block policies should include rules allowing all other code to run and then add the DENY rules for your organization's needs. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
+| **AllowAll_EnableHVCI.xml** | This example policy can be used to enable [memory integrity](https://docs.microsoft.com/windows/security/threat-protection/device-guard/memory-integrity) (also known as hypervisor-protected code integrity) using WDAC. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
+| **DenyAllAudit.xml** | This example policy should only be deployed in audit mode and can be used to audit all binaries running on critical systems or to comply with regulatory requirements. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
+| **Device Guard Signing Service (DGSS) DefaultPolicy.xml** | This example policy is available in audit mode. It includes the rules from DefaultWindows and adds rules to trust apps signed with your organization-specific certificates issued by the DGSS. | [DGSS in the Microsoft Store for Business](https://businessstore.microsoft.com/manage/settings/devices) |
+| **MEM Configuration Manager** | Customers who use MEM Configuration Manager (MEMCM), formerly known as System Center Configuration Manager, can deploy a policy to a device using MEMCM's built-in integration with WDAC and then copy the resulting policy XML to use as a custom base policy. | %OSDrive%\Windows\CCM\DeviceGuard on a managed endpoint |
diff --git a/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md
index e6b57b9722..022007f730 100644
--- a/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md
@@ -1,6 +1,6 @@
 ---
-title: Manage packaged apps with Windows Defender Application Control  (Windows 10)
-description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core.
+title: Manage packaged apps with WDAC  (Windows 10)
+description: Windows Defender Application Control (WDAC) restricts which applications users are allowed to run and the code that runs in the system core.
 keywords: whitelisting, security, malware
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
 ms.prod: w10
diff --git a/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md
index 01d8f1abb4..ef1a7fdc46 100644
--- a/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md
@@ -1,6 +1,6 @@
 ---
-title: Merge Windows Defender Application Control (WDAC) policies (Windows 10)
-description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core.
+title: Merge Windows Defender Application Control policies (Windows 10)
+description: Windows Defender Application Control (WDAC) restricts which applications users are allowed to run and the code that runs in the system core.
 keywords: whitelisting, security, malware
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
 ms.prod: w10
diff --git a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md
index 2d05216e90..f58c81c02c 100644
--- a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md
+++ b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md
@@ -1,6 +1,6 @@
 ---
-title: Plan for Windows Defender Application Control policy management  (Windows 10)
-description: Plan for Windows Defender Application Control policy management. 
+title: Plan for WDAC policy management (Windows 10)
+description: How to plan for Windows Defender Application Control (WDAC) policy management. 
 keywords: whitelisting, security, malware
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
 ms.prod: w10
diff --git a/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md b/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md
index 183701e0a9..22a50b0c24 100644
--- a/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md
+++ b/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md
@@ -1,5 +1,5 @@
 ---
-title: Querying Application Control events centrally using Advanced hunting   (Windows 10)
+title: Query Application Control events with Advanced Hunting (Windows 10)
 description: Learn about Windows Defender Application Guard and how it helps to combat malicious content and malware out on the Internet.
 keywords: whitelisting, security, malware
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
index 6e77768954..9633a7cf60 100644
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
@@ -1,6 +1,6 @@
 ---
-title: Select the types of rules to create  (Windows 10)
-description: Select the types of rules to create. 
+title: Understand WDAC policy rules and file rules (Windows 10)
+description: Windows Defender Application Control (WDAC) provides control over a computer running Windows 10 by using policies that specify whether a driver or application is trusted and can be run. A policy includes *policy rules* that control options.
 keywords: whitelisting, security, malware
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
 ms.prod: w10
@@ -54,7 +54,7 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru
 | **2 Required:WHQL** | By default, legacy drivers that are not Windows Hardware Quality Labs (WHQL) signed are allowed to execute. Enabling this rule requires that every executed driver is WHQL signed and removes legacy driver support. Going forward, every new Windows 10–compatible driver must be WHQL certified. |
 | **3 Enabled:Audit Mode (Default)** | Enables the execution of binaries outside of the WDAC policy but logs each occurrence in the CodeIntegrity event log, which can be used to update the existing policy before enforcement. To begin enforcing a WDAC policy, delete this option. |
 | **4 Disabled:Flight Signing** | If enabled, WDAC policies will not trust flightroot-signed binaries. This would be used in the scenario in which organizations only want to run released binaries, not flighted builds. |
-| **5 Enabled:Inherit Default Policy** | This option is not currently supported. |
+| **5 Enabled:Inherit Default Policy** | This option is reserved for future use. |
 | **6 Enabled:Unsigned System Integrity Policy (Default)** | Allows the policy to remain unsigned. When this option is removed, the policy must be signed and have UpdatePolicySigners added to the policy to enable future policy modifications. |
 | **7 Allowed:Debug Policy Augmented** | This option is not currently supported. |
 | **8 Required:EV Signers** | In addition to being WHQL signed, this rule requires that drivers must have been submitted by a partner that has an Extended Verification (EV) certificate. All future Windows 10 and later drivers will meet this requirement. |
diff --git a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md
index 6a955009ea..d6e8fa89a5 100644
--- a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md
+++ b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md
@@ -1,5 +1,5 @@
 ---
-title: Types of devices (Windows 10)
+title: Common WDAC deployment scenarios (Windows 10)
 description: Typically, deployment of Windows Defender Application Control happens best in phases, rather than being a feature that you simply “turn on.” The choice and sequence of phases depends on the way various computers and other devices are used in your organization, and to what degree IT manages those devices.
 keywords: whitelisting, security, malware
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
@@ -21,21 +21,32 @@ ms.date: 03/01/2018
 
 **Applies to**
 -   Windows 10
--   Windows Server 2016
+-   Windows Server 2016 and above
 
-Typically, deployment of Windows Defender Application Control (WDAC) happens best in phases, rather than being a feature that you simply “turn on.” The choice and sequence of phases depends on the way various computers and other devices are used in your organization, and to what degree IT manages those devices. The following table can help you begin to develop a plan for deploying WDAC in your organization.
+Typically, deployment of Windows Defender Application Control (WDAC) happens best in phases, rather than being a feature that you simply “turn on.” The choice and sequence of phases depends on the way various computers and other devices are used in your organization, and to what degree IT manages those devices. The following table can help you begin to develop a plan for deploying WDAC in your organization. It is very common for organizations to have device use cases across each of the categories described.
+
+## Types of devices
 
 | **Type of device**                 | **How WDAC relates to this type of device**  | 
 |------------------------------------|------------------------------------------------------|
-| **Fixed-workload devices**: Perform same tasks every day.
      Lists of approved applications rarely change.
      Examples: kiosks, point-of-sale systems, call center computers. | WDAC can be deployed fully, and deployment and ongoing administration are relatively straightforward.
      After WDAC deployment, only approved applications can run. This is because of protections offered by WDAC. | 
-| **Fully managed devices**: Allowed software is restricted by IT department.
      Users can request additional software, or install from a list of applications provided by IT department.
      Examples: locked-down, company-owned desktops and laptops. | An initial baseline WDAC policy can be established and enforced. Whenever the IT department approves additional applications, it will update the WDAC policy and (for unsigned LOB applications) the catalog.
      WDAC policies are supported by the HVCI service. | 
 | **Lightly managed devices**: Company-owned, but users are free to install software.
      Devices are required to run organization's antivirus solution and client management tools. | WDAC can be used to help protect the kernel, and to monitor (audit) for problem applications rather than limiting the applications that can be run. | 
-| **Bring Your Own Device**: Employees are allowed to bring their own devices, and also use those devices away from work. | WDAC does not apply. Instead, you can explore other hardening and security features with MDM-based conditional access solutions, such as Microsoft Intune. | 
+| **Fully managed devices**: Allowed software is restricted by IT department.
      Users can request additional software, or install from a list of applications provided by IT department.
      Examples: locked-down, company-owned desktops and laptops. | An initial baseline WDAC policy can be established and enforced. Whenever the IT department approves additional applications, it will update the WDAC policy and (for unsigned LOB applications) the catalog.
      WDAC policies are supported by the HVCI service. | 
+| **Fixed-workload devices**: Perform same tasks every day.
      Lists of approved applications rarely change.
      Examples: kiosks, point-of-sale systems, call center computers. | WDAC can be deployed fully, and deployment and ongoing administration are relatively straightforward.
      After WDAC deployment, only approved applications can run. This is because of protections offered by WDAC. | 
+| **Bring Your Own Device**: Employees are allowed to bring their own devices, and also use those devices away from work. | In most cases, WDAC does not apply. Instead, you can explore other hardening and security features with MDM-based conditional access solutions, such as Microsoft Intune. However, you may choose to deploy an audit-mode policy to these devices or employ a block-list only policy to prevent specific apps or binaries that are considered malicious or vulnerable by your organization. | 
 
+## An introduction to Lamna Healthcare Company
 
-## Related topics
+In the next set of topics, we will explore each of the above scenarios using a fictional organization called Lamna Healthcare Company.
 
-- [Windows Defender Application Control Design Guide](windows-defender-application-control-design-guide.md)
-- [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md)
+Lamna Healthcare Company (Lamna) is a large healthcare provider operating in the United States. Lamna employs thousands of people, from doctors and nurses to accountants, in-house lawyers, and IT technicians. Their device use cases are varied and include single-user workstations for their professional staff, shared kiosks used by doctors and nurses to access patient records, dedicated medical devices such as MRI scanners, and many others. Additionally, Lamna has a relaxed, bring-your-own-device policy for many of their professional staff.
 
+Lamna uses [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager) (MEM) in hybrid mode with both Configuration Manager (MEMCM) and Intune. Although they use MEM to deploy many applications, Lamna has always had very relaxed application usage practices: individual teams and employees have been able to install and use any applications they deem necessary for their role on their own workstations. Lamna also recently started to use [Microsoft Defender Advanced Threat Protection](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) (MDATP) for better endpoint detection and response.
 
+> [!NOTE]
+> Microsoft Endpoint Configuration Manager was previously known as System Center Configuration Manager (SCCM) 
+
+Recently, Lamna experienced a ransomware event that required an expensive recovery process and may have included data exfiltration by the unknown attacker. Part of the attack included installing and running malicious binaries that evaded detection by Lamna's antivirus solution but would have been blocked by an application control policy. In response, Lamna's executive board has authorized a number of new security IT responses, including tightening policies for application use and introducing application control.
+
+## Up next
+
+- [Create a WDAC policy for lightly-managed devices](create-wdac-policy-for-lightly-managed-devices.md)
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
index 62085ad482..22df45d2a2 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
@@ -1,5 +1,5 @@
 ---
-title: Deploy Windows Defender Application Control with Intelligent Security Graph (ISG) (Windows 10)
+title: Authorize reputable apps with the Intelligent Security Graph (ISG) (Windows 10)
 description: Automatically authorize applications that Microsoft’s ISG recognizes as having known good reputation.
 keywords: whitelisting, security, malware
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
@@ -17,12 +17,12 @@ manager: dansimp
 ms.date: 06/14/2018
 ---
 
-# Use Windows Defender Application Control (WDAC) with the Microsoft Intelligent Security Graph 
+# Authorize reputable apps with the Intelligent Security Graph (ISG) 
 
 **Applies to:**
 
 -   Windows 10
--   Windows Server 2016
+-   Windows Server 2016 and above
 
 Application execution control can be difficult to implement in enterprises that do not have processes to effectively control the deployment of applications centrally through an IT managed system. 
 In such environments, users are empowered to acquire the applications they need for work, making accounting for all the applications that would need to be authorized for execution control a daunting task.  
@@ -89,7 +89,7 @@ appidtel start
 
 For WDAC policies deployed over MDM using the AppLocker CSP this step is not required as the CSP will enable the necessary components. ISG enabled through the SCCM WDAC UX will not need this step but if custom policies are being deployed outside of the WDAC UX through SCCM then this step is required.   
 
-## Security considerations with using the Intelligent Security Graph 
+## Security considerations with the Intelligent Security Graph 
 
 Since the ISG is a heuristic-based mechanism, it does not provide the same security guarantees that explicit allow or deny rules do. It is best suited for deployment to systems where each user is configured as a standard user and there are other monitoring systems in place like Windows Defender Advanced Threat Protection to help provide optics into what users are doing. 
 
@@ -99,7 +99,7 @@ Users with administrator privileges or malware running as an administrator user
 
 Since the ISG relies on identifying executables as being known good, there are cases where it may classify legitimate executables as unknown, leading to blocks that need to be resolved either with a rule in the WDAC policy, a catalog signed by a certificate trusted in the WDAC policy or by deployment through a WDAC managed installer. Typically, this is due to an installer or application using a dynamic file as part of execution. These files do not tend to build up known good reputation. Auto-updating applications have also been observed using this mechanism and may be flagged by the ISG.  
 
-Modern apps are not supported with the ISG heuristic and will need to be separately authorized in your WDAC policy. As modern apps are signed by the Microsoft Store and Microsoft Store for Business. it is straightforward to authorize modern apps with signer rules in the WDAC policy.
+Modern apps are not supported with the ISG heuristic and will need to be separately authorized in your WDAC policy. As modern apps are signed by the Microsoft Store and Microsoft Store for Business, it is straightforward to authorize modern apps with signer rules in the WDAC policy.
 
 The ISG heuristic does not authorize kernel mode drivers. The WDAC policy must have rules that allow the necessary drivers to run.  
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md
index aac3df82fc..e22de90c86 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md
@@ -1,5 +1,5 @@
 ---
-title: Deploy Managed Installer for Windows Defender Device Guard (Windows 10)
+title: Authorize apps deployed with a WDAC managed installer (Windows 10)
 description: Explains how you can use a managed installer to automatically authorize applications deployed and installed by a designated software distribution solution, such as System Center Configuration Manager. 
 keywords: whitelisting, security, malware
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
@@ -17,12 +17,12 @@ manager: dansimp
 ms.date: 06/13/2018
 ---
 
-# Deploy Managed Installer for Windows Defender Application Control
+# Authorize apps deployed with a WDAC managed installer
 
 **Applies to:**
 
 -   Windows 10
--   Windows Server 2016
+-   Windows Server 2016 and above
 
 
 Creating and maintaining application execution control policies has always been challenging, and finding ways to address this issue has been a frequently-cited request for customers of AppLocker and Windows Defender Application Control (WDAC). 
diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md
index 605383ec22..36a49771c4 100644
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md
@@ -41,8 +41,8 @@ Once these business factors are in place, you are ready to begin planning your W
 
 | Topic | Description |
 | - | - |
-| [Understand WDAC policy design decisions](understand-windows-defender-application-control-policy-design-decisions.md) | This topic lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies. |
-| [Select the types of rules to create](select-types-of-rules-to-create.md) | This topic lists resources you can use when selecting your application control policy rules by using WDAC. |
 | [Plan for WDAC policy management](plan-windows-defender-application-control-management.md) | This topic describes the decisions you need to make to establish the processes for managing and maintaining WDAC policies. |
+| [Understand WDAC policy design decisions](understand-windows-defender-application-control-policy-design-decisions.md) | This topic lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies. |
+| [Understand WDAC policy rules and file rules](select-types-of-rules-to-create.md) | This topic lists resources you can use when selecting your application control policy rules by using WDAC. |
  
 After planning is complete, the next step is to deploy WDAC. The [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md) covers the creation and testing of policies, deploying the enforcement setting, and managing and maintaining the policies.
diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
index b05ffe98c6..ba4929c2f6 100644
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
@@ -10,11 +10,12 @@ ms.pagetype: security
 ms.localizationpriority: medium
 audience: ITPro
 ms.collection: M365-security-compliance
-author: jsuther1974
+author: denisebmsft
 ms.reviewer: isbrahm
-ms.author: dansimp
+ms.author: deniseb
 manager: dansimp
 ms.date: 01/08/2019
+ms.custom: asr
 ---
 
 # Application Control
@@ -79,18 +80,21 @@ AppLocker policies can be deployed using Group Policy or MDM.
 
 Although either AppLocker or WDAC can be used to control application execution on Windows 10 clients, the following factors can help you decide when to use each of the technologies. 
 
-**WDAC is best when:**
+### WDAC is best when:
+
 -   You are adopting application control primarily for security reasons.
 -   Your application control policy can be applied to all users on the managed computers.
 -   All of the devices you wish to manage are running Windows 10.
 
-**AppLocker is best when:**
+### AppLocker is best when:
+
 -   You have a mixed Windows operating system (OS) environment and need to apply the same policy controls to Windows 10 and earlier versions of the OS.
 -   You need to apply different policies for different users or groups on a shared computer.
 -   You are using application control to help users avoid running unapproved software, but you do not require a solution designed as a security feature.
 -   You do not wish to enforce application control on application files such as DLLs or drivers.
 
-**When to use both WDAC and AppLocker together**
+## When to use both WDAC and AppLocker together
+
 AppLocker can also be deployed as a complement to WDAC to add user- or group-specific rules for shared device scenarios where its important to prevent some users from running specific apps.
 As a best practice, you should enforce WDAC at the most restrictive level possible for your organization, and then you can use AppLocker to fine-tune the restrictions to an even lower level.
 
diff --git a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md
index 3f9f335b8f..7826641e1f 100644
--- a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md
+++ b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md
@@ -6,16 +6,18 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
 ms.date: 10/17/2017
 ms.reviewer: 
 manager: dansimp
+ms.custom: asr
 ---
 
 # Configure Windows Defender Application Guard policy settings
 
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+**Applies to:** 
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
 Windows Defender Application Guard (Application Guard) works with Group Policy to help you manage your organization's computer settings. By using Group Policy, you can configure a setting once, and then copy it onto many computers. For example, you can set up multiple security settings in a GPO, which is linked to a domain, and then apply all those settings to every computer in the domain.
 
@@ -26,9 +28,7 @@ Application Guard uses both network isolation and application-specific settings.
 These settings, located at **Computer Configuration\Administrative Templates\Network\Network Isolation**, help you define and manage your company's network boundaries. Application Guard uses this information to automatically transfer any requests to access the non-corporate resources into the Application Guard container.
 
 >[!NOTE]
->You must configure either the Enterprise resource domains hosted in the cloud or Private network ranges for apps settings on your employee devices to successfully turn on Application Guard using enterprise mode. 
-
->Proxy servers must be a neutral resource listed in the "Domains categorized as both work and personal" policy.
+>You must configure either the Enterprise resource domains hosted in the cloud or Private network ranges for apps settings on your employee devices to successfully turn on Application Guard using enterprise mode. Proxy servers must be a neutral resource listed in the "Domains categorized as both work and personal" policy.
 
 
  
@@ -42,25 +42,25 @@ These settings, located at **Computer Configuration\Administrative Templates\Net
 
 |Value|Number of dots to the left|Meaning|
 |-----|--------------------------|-------|
-|contoso.com|0|Trust only the literal value of **contoso.com**.|
-|www.contoso.com|0|Trust only the literal value of **www.contoso.com**.|
-|.contoso.com|1|Trust any domain that ends with the text **contoso.com**. Matching sites include **spearphishingcontoso.com**, **contoso.com**, and **www.contoso.com**.|
-|..contoso.com|2|Trust all levels of the domain hierarchy that are to the left of the dot. Matching sites include **shop.contoso.com**, **us.shop.contoso.com**, **www.us.shop.contoso.com**, but NOT **contoso.com** itself.|
+|`contoso.com`|0|Trust only the literal value of `contoso.com`.|
+|`www.contoso.com`|0|Trust only the literal value of `www.contoso.com`.|
+|`.contoso.com`|1|Trust any domain that ends with the text `contoso.com`. Matching sites include `spearphishingcontoso.com`, `contoso.com`, and `www.contoso.com`.|
+|`..contoso.com`|2|Trust all levels of the domain hierarchy that are to the left of the dot. Matching sites include `shop.contoso.com`, `us.shop.contoso.com`, `www.us.shop.contoso.com`, but NOT `contoso.com` itself.|
 
 ## Application-specific settings
 These settings, located at **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard**, can help you to manage your company's implementation of Application Guard.
 
 |Name|Supported versions|Description|Options|
 |-----------|------------------|-----------|-------|
-|Configure Windows Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher

      Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:
      • Disable the clipboard functionality completely when Virtualization Security is enabled.
      • Enable copying of certain content from Application Guard into Microsoft Edge.
      • Enable copying of certain content from Microsoft Edge into Application Guard.

        **Important**
        Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.
      **Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.|
-|Configure Windows Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher

      Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:
      • Enable Application Guard to print into the XPS format.
      • Enable Application Guard to print into the PDF format.
      • Enable Application Guard to print to locally attached printers.
      • Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.
      **Disabled or not configured.** Completely turns Off the print functionality for Application Guard.|
-|Block enterprise websites to load non-enterprise content in IE and Edge|Windows 10 Enterprise, 1709 or higher|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container.**Note** This may also block assets cached by CDNs and references to analytics sites. Please add them to the trusted enterprise resources to avoid broken pages.

      **Disabled or not configured.** Prevents Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. |
-|Allow Persistence|Windows 10 Enterprise, 1709 or higher

      Windows 10 Pro, 1803 or higher|Determines whether data persists across different sessions in Windows Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.

      **Disabled or not configured.** All user data within Application Guard is reset between sessions.

      **Note**
      If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
      **To reset the container:**
      1. Open a command-line program and navigate to Windows/System32.
      2. Type `wdagtool.exe cleanup`.
        The container environment is reset, retaining only the employee-generated data.
      3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`.
        The container environment is reset, including discarding all employee-generated data.
      |
-|Turn on Windows Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned On unless the required prerequisites and network isolation settings are already set on the device. Available options:
      • Enable Windows Defender Application Guard only for Microsoft Edge;
      • Enable Windows Defender Application Guard only for Microsoft Office;
      • Enable Windows Defender Application Guard for both Microsoft Edge and Microsoft Office.
      **Disabled.** Turns Off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office.|
+|Configure Windows Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher

      Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:
      -Disable the clipboard functionality completely when Virtualization Security is enabled.
      - Enable copying of certain content from Application Guard into Microsoft Edge.
      - Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.

      **Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.|
+|Configure Windows Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher

      Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:
      - Enable Application Guard to print into the XPS format.
      - Enable Application Guard to print into the PDF format.
      - Enable Application Guard to print to locally attached printers.
      - Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.

      **Disabled or not configured.** Completely turns Off the print functionality for Application Guard.|
+|Block enterprise websites to load non-enterprise content in IE and Edge|Windows 10 Enterprise, 1709 or higher|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container. **Note:** This may also block assets cached by CDNs and references to analytics sites. Please add them to the trusted enterprise resources to avoid broken pages.

      **Disabled or not configured.** Prevents Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. |
+|Allow Persistence|Windows 10 Enterprise, 1709 or higher

      Windows 10 Pro, 1803 or higher|Determines whether data persists across different sessions in Windows Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.

      **Disabled or not configured.** All user data within Application Guard is reset between sessions.

      **Note**
      If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
      **To reset the container:**
      1. Open a command-line program and navigate to `Windows/System32`.
      2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
      3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.|
+|Turn on Windows Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned On unless the required prerequisites and network isolation settings are already set on the device. Available options:
      - Enable Windows Defender Application Guard only for Microsoft Edge
      - Enable Windows Defender Application Guard only for Microsoft Office
      - Enable Windows Defender Application Guard for both Microsoft Edge and Microsoft Office

      **Disabled.** Turns Off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office.|
 |Allow files to download to host operating system|Windows 10 Enterprise, 1803 or higher|Determines whether to save downloaded files to the host operating system from the Windows Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Windows Defender Application Guard container to the host operating system.

      **Disabled or not configured.** Users are not able to saved downloaded files from Application Guard to the host operating system.|
-|Allow hardware-accelerated rendering for Windows Defender Application Guard|Windows 10 Enterprise, 1803 or higher

      Windows 10 Pro, 1803 or higher|Determines whether Windows Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Windows Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Windows Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Windows Defender Application Guard will automatically revert to software-based (CPU) rendering.

        **Important**
        Be aware that enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.

      **Disabled or not configured.** Windows Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.|
-|Allow camera and microphone access in Windows Defender Application Guard|Windows 10 Enterprise, 1809 or higher

      Windows 10 Pro, 1809 or higher|Determines whether to allow camera and microphone access inside Windows Defender Application Guard.|**Enabled.** Applications inside Windows Defender Application Guard are able to access the camera and microphone on the user's device.

      **Important**
      Be aware that enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.

      **Disabled or not configured.** Applications inside Windows Defender Application Guard are unable to access the camera and microphone on the user's device.|
-|Allow Windows Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise, 1809 or higher

      Windows 10 Pro, 1809 or higher|Determines whether Root Certificates are shared with Windows Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.

      **Disabled or not configured.** Certificates are not shared with Windows Defender Application Guard.|
-|Allow users to trust files that open in Windows Defender Application Guard|Windows 10 Enterprise, 1809 or higher|Determines whether users are able to manually trust untrusted files to open them on the host.|**Enabled.** Users are able to manually trust files or trust files after an antivirus check.

      **Disabled or not configured.** Users are unable to manually trust files and files continue to open in Windows Defender Application Guard.|
+|Allow hardware-accelerated rendering for Windows Defender Application Guard|Windows 10 Enterprise, 1803 or higher

      Windows 10 Pro, 1803 or higher|Determines whether Windows Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Windows Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Windows Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Windows Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Be aware that enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.

      **Disabled or not configured.** Windows Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.|
+|Allow camera and microphone access in Windows Defender Application Guard|Windows 10 Enterprise, 1809 or higher

      Windows 10 Pro, 1809 or higher|Determines whether to allow camera and microphone access inside Windows Defender Application Guard.|**Enabled.** Applications inside Windows Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Be aware that enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.

      **Disabled or not configured.** Applications inside Windows Defender Application Guard are unable to access the camera and microphone on the user's device.|
+|Allow Windows Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise, 1809 or higher

      Windows 10 Pro, 1809 or higher|Determines whether Root Certificates are shared with Windows Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.

      **Disabled or not configured.** Certificates are not shared with Windows Defender Application Guard.|
+|Allow users to trust files that open in Windows Defender Application Guard|Windows 10 Enterprise, 1809 or higher|Determines whether users are able to manually trust untrusted files to open them on the host.|**Enabled.** Users are able to manually trust files or trust files after an antivirus check.

      **Disabled or not configured.** Users are unable to manually trust files and files continue to open in Windows Defender Application Guard.|
 
 
diff --git a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md
index c2b8dc832a..0684b674b2 100644
--- a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md
+++ b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md
@@ -1,17 +1,17 @@
 ---
-title: Frequently asked questions - Windows Defender Application Guard (Windows 10)
+title: FAQ - Windows Defender Application Guard (Windows 10)
 description: Learn about the commonly asked questions and answers for Windows Defender Application Guard.
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
-ms.date: 03/28/2019
+author: denisebmsft
+ms.author: deniseb
+ms.date: 12/04/2019
 ms.reviewer: 
 manager: dansimp
-
+ms.custom: asr
 ---
 
 # Frequently asked questions - Windows Defender Application Guard 
@@ -22,106 +22,73 @@ Answering frequently asked questions about Windows Defender Application Guard (A
 
 ## Frequently Asked Questions
 
-|        |                                                                                                                                                                                                      |
-|--------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| **Q:** |                                                                  Can I enable Application Guard on machines equipped with 4GB RAM?                                                                   |
-| **A:** | We recommend 8GB RAM for optimal performance but you may use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration. |
-|        |                                                         HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount       - Default is 4 cores.                                                          |
-|        |                                                           HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB            - Default is 8GB.                                                           |
-|        |                                                             HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB - Default is 5GB.                                                             |
+### Can I enable Application Guard on machines equipped with 4GB RAM?                                                                   |
+We recommend 8GB RAM for optimal performance but you may use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration.
 
-
      
+`HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount` (Default is 4 cores.)                                                   
 
+`HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB` (Default is 8GB.)
 
-|        |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
-|--------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| **Q:** |                                                                                                                                                                                              Can employees download documents from the Application Guard Edge session onto host devices?                                                                                                                                                                                               |
-| **A:** | In Windows 10 Enterprise edition 1803, users will be able to download documents from the isolated Application Guard container to the host PC. This is managed by policy.

      In Windows 10 Enterprise edition 1709 or Windows 10 Professional edition 1803, it is not possible to download files from the isolated Application Guard container to the host PC. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device. |
+`HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB` (Default is 5GB.)
 
-
      
+### Can employees download documents from the Application Guard Edge session onto host devices? 
 
+In Windows 10 Enterprise edition 1803, users will be able to download documents from the isolated Application Guard container to the host PC. This is managed by policy.
 
-|        |                                                                                                                                    |
-|--------|------------------------------------------------------------------------------------------------------------------------------------|
-| **Q:** |                    Can employees copy and paste between the host device and the Application Guard Edge session?                    |
-| **A:** | Depending on your organization's settings, employees can copy and paste images (.bmp) and text to and from the isolated container. |
+In Windows 10 Enterprise edition 1709 or Windows 10 Professional edition 1803, it is not possible to download files from the isolated Application Guard container to the host PC. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device. 
 
-
      
+### Can employees copy and paste between the host device and the Application Guard Edge session? 
 
+Depending on your organization's settings, employees can copy and paste images (.bmp) and text to and from the isolated container. 
 
-|        |                                                                                                                                                                                             |
-|--------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| **Q:** |                                                       Why don't employees see their Favorites in the Application Guard Edge session?                                                        |
-| **A:** | To help keep the Application Guard Edge session secure and isolated from the host device, we don't copy the Favorites stored in the Application Guard Edge session back to the host device. |
+### Why don't employees see their Favorites in the Application Guard Edge session?
 
-
      
+To help keep the Application Guard Edge session secure and isolated from the host device, we don't copy the Favorites stored in the Application Guard Edge session back to the host device. 
 
+### Why aren’t employees able to see their Extensions in the Application Guard Edge session?
 
-|        |                                                                                                                                       |
-|--------|---------------------------------------------------------------------------------------------------------------------------------------|
-| **Q:** |                       Why aren’t employees able to see their Extensions in the Application Guard Edge session?                        |
-| **A:** | Currently, the Application Guard Edge session doesn't support Extensions. However, we're closely monitoring your feedback about this. |
+Currently, the Application Guard Edge session doesn't support Extensions. However, we're closely monitoring your feedback about this. 
 
-
      
+### How do I configure Windows Defender Application Guard to work with my network proxy (IP-Literal Addresses)? 
 
+Windows Defender Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This applies to Windows 10 Enterprise edition 1709 or higher. These would be for the proxy policies under Network Isolation in Group Policy or Intune. 
 
-|        |                                                                                                                                                                                                                                                                                                                      |
-|--------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| **Q:** |                                                                                                                    How do I configure Windows Defender Application Guard to work with my network proxy (IP-Literal Addresses)?                                                                                                                     |
-| **A:** | Windows Defender Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as “192.168.1.4:81” can be annotated as “itproxy:81” or using a record such as “P19216810010” for a proxy with an IP address of 192.168.100.10. This applies to Windows 10 Enterprise edition, 1709 or higher. These would be for the proxy policies under Network Isolation in Group Policy or Intune.  |
+### Which Input Method Editors (IME) in 19H1 are not supported? 
 
-
      
+The following Input Method Editors (IME) introduced in Windows 10, version 1903 are currently not supported in Windows Defender Application Guard.
+- Vietnam Telex keyboard
+- Vietnam number key-based keyboard
+- Hindi phonetic keyboard
+- Bangla phonetic keyboard
+- Marathi phonetic keyboard
+- Telugu phonetic keyboard
+- Tamil phonetic keyboard
+- Kannada phonetic keyboard
+- Malayalam phonetic keyboard
+- Gujarati phonetic keyboard
+- Odia phonetic keyboard
+- Punjabi phonetic keyboard
 
+### I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering? 
 
-|        |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
-|--------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| **Q:** |                                                                                                                                                                                                           Which Input Method Editors (IME) in 19H1 are not supported?                                                                                                                                                                                                           |
-| **A:** | The following Input Method Editors (IME) introduced in Windows 10, version 1903 are currently not supported in Windows Defender Application Guard.
      Vietnam Telex keyboard
      Vietnam number key-based keyboard
      Hindi phonetic keyboard
      Bangla phonetic keyboard
      Marathi phonetic keyboard
      Telugu phonetic keyboard
      Tamil phonetic keyboard
      Kannada phonetic keyboard
      Malayalam phonetic keyboard
      Gujarati phonetic keyboard
      Odia phonetic keyboard
      Punjabi phonetic keyboard |
+This feature is currently experimental-only and is not functional without an additional regkey provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, please contact Microsoft and we’ll work with you to enable the feature.
 
-
      
+### What is the WDAGUtilityAccount local account? 
 
+This account is part of Application Guard beginning with Windows 10 version 1709 (Fall Creators Update). This account remains disabled until Application Guard is enabled on your device. This item is integrated to the OS and is not considered as a threat/virus/malware.
 
-|        |                                                                                                                                                                                                                                                                                                  |
-|--------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| **Q:** |                                                                       I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering?                                                                        |
-| **A:** | This feature is currently experimental-only and is not functional without an additional regkey provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, please contact Microsoft and we’ll work with you to enable the feature. |
+### How do I trust a subdomain in my site list?                          
 
-
      
+To trust a subdomain, you must precede your domain with two dots, for example: `..contoso.com` will ensure `mail.contoso.com` or `news.contoso.com` are trusted. The first dot represents the strings for the subdomain name (mail or news), the second dot recognizes the start of the domain name (`contoso.com`). This prevents sites such as `fakesitecontoso.com` from being trusted.
 
+### Are there differences between using Application Guard on Windows Pro vs Windows Enterprise? 
 
-|        |                                                                                                                                                                                                                                                                              |
-|--------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| **Q:** |                                                                                                                What is the WDAGUtilityAccount local account?                                                                                                                 |
-| **A:** | This account is part of Application Guard beginning with Windows 10 version 1709 (Fall Creators Update). This account remains disabled until Application Guard is enabled on your device. This item is integrated to the OS and is not considered as a threat/virus/malware. |
+When using Windows Pro and Windows Enterprise, you will have access to using Application Guard's Standalone Mode. However, when using Enterprise you will have access to Application Guard's Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard). 
 
-
      
+### Is there a size limit to the domain lists that I need to configure?
 
+Yes, both the Enterprise Resource domains hosted in the cloud and the Domains categorized as both work and personal have a 16383B limit.
 
-|        |                                                                                               |
-|--------|-----------------------------------------------------------------------------------------------|
-| **Q:** | How do I trust a subdomain in my site list?                          |
-| **A:** | To trust a subdomain, you must precede your domain with two dots, for example: ..contoso.com will ensure mail.contoso.com or news.contoso.com are trusted. The first dot represents the strings for the subdomain name (mail or news), the second dot recognizes the start of the domain name (contoso.com). This prevents sites such as fakesitecontoso.com from being trusted.|
-
-
      
-
-|        |                                                                                                                                                                                                                                                                              |
-|--------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| **Q:** |                                                                                                                Are there differences between using Application Guard on Windows Pro vs Windows Enterprise?                                                          |
-| **A:** | When using Windows Pro and Windows Enterprise, you will have access to using Application Guard's Standalone Mode. However, when using Enterprise you will have access to Application Guard's Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard).  |
-
-
      
-
-|        |                                                                                               |
-|--------|-----------------------------------------------------------------------------------------------|
-| **Q:** | Is there a size limit to the domain lists that I need to configure?                                                          |
-| **A:** | Yes, both the Enterprise Resource domains hosted in the cloud and the Domains categorized as both work and personal have a 16383B limit.|
-
-
      
-
-|        |                                                                                               |
-|--------|-----------------------------------------------------------------------------------------------|
-| **Q:** | Why does my encryption driver break Windows Defender Application Guard?                                                          |
-| **A:** | Windows Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, WDAG will not work. |
-
-
      
+### Why does my encryption driver break Windows Defender Application Guard?
 
+Windows Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, WDAG will not work and result in an error message ("0x80070013 ERROR_WRITE_PROTECT"). 
diff --git a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md
index dc6820bd94..11045f435f 100644
--- a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md
+++ b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md
@@ -6,11 +6,12 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
 ms.date: 02/19/2019
 ms.reviewer: 
 manager: dansimp
+ms.custom: asr
 ---
 
 # Prepare to install Windows Defender Application Guard
@@ -24,9 +25,6 @@ See [System requirements for Windows Defender Application Guard](https://docs.mi
 >[!NOTE]
 >Windows Defender Application Guard is not supported on VMs and VDI environment. For testing and automation on non-production machines, you may enable WDAG on a VM by enabling Hyper-V nested virtualization on the host.
 
-
-
-
 ## Prepare for Windows Defender Application Guard 
 Before you can install and use Windows Defender Application Guard, you must determine which way you intend to use it in your enterprise. You can use Application Guard in either **Standalone** or **Enterprise-managed** mode.
 
diff --git a/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md
index fc5d4ec5eb..9496c86d29 100644
--- a/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md
+++ b/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md
@@ -6,11 +6,12 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
 ms.date: 11/09/2017
 ms.reviewer: 
 manager: dansimp
+ms.custom: asr
 ---
 
 # System requirements for Windows Defender Application Guard
diff --git a/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md
index 7bd4873234..6f9c6ff4ff 100644
--- a/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md
+++ b/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md
@@ -1,28 +1,31 @@
 ---
-title: Testing scenarios using Windows Defender Application Guard in your business or organization (Windows 10)
+title: Testing scenarios with Windows Defender Application Guard (Windows 10)
 description: Suggested testing scenarios for Windows Defender Application Guard, showing how it works in both Standalone and Enterprise-managed mode.
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
 ms.date: 03/15/2019
 ms.reviewer: 
 manager: dansimp
+ms.custom: asr
 ---
 
 # Application Guard testing scenarios
 
 
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+**Applies to:** 
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
 
 We've come up with a list of scenarios that you can use to test hardware-based isolation in your organization.
 
 
 ## Application Guard in standalone mode
+
 You can see how an employee would use standalone mode with Application Guard.
 
 **To test Application Guard in Standalone mode**
@@ -43,9 +46,11 @@ You can see how an employee would use standalone mode with Application Guard.
     ![Untrusted website running in Application Guard](images/appguard-visual-cues.png)
 
 ## Application Guard in Enterprise-managed mode 
+
 How to install, set up, turn on, and configure Application Guard for Enterprise-managed mode.
 
 ### Install, set up, and turn on Application Guard
+
 Before you can use Application Guard in enterprise mode, you must install Windows 10 Enterprise edition, version 1709, which includes the functionality. Then, you must use Group Policy to set up the required settings.
 
 1. [Install Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard#install-application-guard).
@@ -90,6 +95,7 @@ Before you can use Application Guard in enterprise mode, you must install Window
    ![Untrusted website running in Application Guard](images/appguard-visual-cues.png)
 
 ### Customize Application Guard
+
 Application Guard lets you specify your configuration, allowing you to create the proper balance between isolation-based security and productivity for your employees.
 
 Application Guard provides the following default behavior for your employees:
@@ -163,7 +169,7 @@ You have the option to change each of these settings to work with your enterpris
     The previously added site should still appear in your **Favorites** list.
 
     >[!NOTE]
-    >If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren’t shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10.

      If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.

      **To reset the container:**
      1. Open a command-line program and navigate to Windows/System32.
      2. Type `wdagtool.exe cleanup`.
        The container environment is reset, retaining only the employee-generated data.
      3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`.
        The container environment is reset, including discarding all employee-generated data.
      
+    >If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren’t shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10.

      If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.

      **To reset the container, follow these steps:**
      1. Open a command-line program and navigate to Windows/System32.
      2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
      3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.
     
 **Applies to:**
 - Windows 10 Enterpise edition, version 1803
diff --git a/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md b/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md
index 7e4be68ec5..aa8c80886a 100644
--- a/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md
+++ b/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md
@@ -6,11 +6,12 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: denisebmsft
+ms.author: deniseb
 ms.date: 03/28/2019
 ms.reviewer: 
 manager: dansimp
+ms.custom: asr
 ---
 
 # Windows Defender Application Guard overview
@@ -20,6 +21,7 @@ manager: dansimp
 Windows Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by making current attack methods obsolete. 
 
 ## What is Application Guard and how does it work?
+
 Designed for Windows 10 and Microsoft Edge, Application Guard helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet. As an enterprise administrator, you define what is among trusted web sites, cloud resources, and internal networks. Everything not on your list is considered untrusted.
 
 If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated Hyper-V-enabled container, which is separate from the host operating system. This container isolation means that if the untrusted site turns out to be malicious, the host PC is protected, and the attacker can't get to your enterprise data. For example, this approach makes the isolated container anonymous, so an attacker can't get to your employee's enterprise credentials.
@@ -27,21 +29,22 @@ If an employee goes to an untrusted site through either Microsoft Edge or Intern
 ![Hardware isolation diagram](images/appguard-hardware-isolation.png)
 
 ### What types of devices should use Application Guard?
+
 Application Guard has been created to target several types of systems:
 
 - **Enterprise desktops.** These desktops are domain-joined and managed by your organization. Configuration management is primarily done through System Center Configuration Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wired, corporate network.
 
 - **Enterprise mobile laptops.** These laptops are domain-joined and managed by your organization. Configuration management is primarily done through System Center Configuration Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wireless, corporate network.
 
-- **Bring your own device (BYOD) mobile laptops.** These personally-owned laptops are not domain-joined, but are managed by your organization through tools like Microsoft Intune. The employee is typically an admin on the device and uses a high-bandwidth wireless corporate network while at work and a comparable personal network while at home.
+- **Bring your own device (BYOD) mobile laptops.** These personally-owned laptops are not domain-joined, but are managed by your organization through tools, such as Microsoft Intune. The employee is typically an admin on the device and uses a high-bandwidth wireless corporate network while at work and a comparable personal network while at home.
 
 - **Personal devices.** These personally-owned desktops or mobile laptops are not domain-joined or managed by an organization. The user is an admin on the device and uses a high-bandwidth wireless personal network while at home or a comparable public network while outside.
 
-## Related topics
+## Related articles
 
-|Topic |Description |
+|Article |Description |
 |------|------------|
-|[System requirements for Windows Defender Application Guard](reqs-wd-app-guard.md) |Specifies the pre-requisites necessary to install and use Application Guard.|
+|[System requirements for Windows Defender Application Guard](reqs-wd-app-guard.md) |Specifies the prerequisites necessary to install and use Application Guard.|
 |[Prepare and install Windows Defender Application Guard](install-wd-app-guard.md) |Provides instructions about determining which mode to use, either Standalone or Enterprise-managed, and how to install Application Guard in your organization.|
 |[Configure the Group Policy settings for Windows Defender Application Guard](configure-wd-app-guard.md) |Provides info about the available Group Policy and MDM settings.|
 |[Testing scenarios using Windows Defender Application Guard in your business or organization](test-scenarios-wd-app-guard.md)|Provides a list of suggested testing scenarios that you can use to test Application Guard in your organization.|
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md
index 7dbb40b803..2ab6468f1e 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md
@@ -1,7 +1,7 @@
 ---
 title: Account protection in the Windows Security app
 description: Use the Account protection section to manage security for your account and sign in to Microsoft.
-keywords: account protection, wdav, smartscreen, antivirus, wdsc, exploit, protection, hide
+keywords: account protection, wdav, smartscreen, antivirus, wdsc, exploit, protection, hide, Windows Defender SmartScreen, SmartScreen Filter, Windows SmartScreen
 search.product: eADQiWindows 10XVcnh
 ms.pagetype: security
 ms.prod: w10
diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md
index 1a7b1eae79..939db827c5 100644
--- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md
+++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md
@@ -1,7 +1,7 @@
 ---
 title: Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings (Windows 10)
 description: A list of all available setttings for Windows Defender SmartScreen using Group Policy and mobile device management (MDM) settings.
-keywords: SmartScreen Filter, Windows SmartScreen
+keywords: SmartScreen Filter, Windows SmartScreen, Windows Defender SmartScreen
 ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
@@ -35,12 +35,12 @@ SmartScreen uses registry-based Administrative Template policy settings. For mor
       
-
+
-
+
@@ -60,23 +60,23 @@ SmartScreen uses registry-based Administrative Template policy settings. For mor
 
-
+
-
+
-
+
       
 
      
 Event ID: 1000
 
-For more information please see the following:
+For more information, see the following:
 
      
 
      Name: <Threat name>
      
 
      ID: <Threat ID>
      
@@ -434,7 +432,7 @@ Message:
 Description:
 
      		
 
-Windows Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software. For more information please see the following:
+Windows Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software. For more information, see the following:
 
      
 
      User: <Domain>\<User>
      
 
      Name: <Threat name>
      
@@ -452,7 +450,7 @@ Windows Defender Antivirus has taken action to protect this machine from malware
 
    1. Quarantine: The resource was quarantined
      2. 
 
    2. Remove: The resource was deleted
      3. 
 
    3. Allow: The resource was allowed to execute/exist
      4. 
-
    4. User defined: User defined action which is normally one from this list of actions that the user has specified
      5. 
+
    5. User defined: User-defined action that is normally one from this list of actions that the user has specified
      6. 
 
    6. No action: No action
      7. 
 
    7. Block: The resource was blocked from executing
      8. 
 
@@ -486,7 +484,7 @@ Message:
 Description:
 
      		
 
-Windows Defender Antivirus has encountered an error when taking action on malware or other potentially unwanted software. For more information please see the following:
+Windows Defender Antivirus has encountered an error when taking action on malware or other potentially unwanted software. For more information, see the following:
 
      
 
      User: <Domain>\<User>
      
 
      Name: <Threat name>
      
@@ -505,7 +503,7 @@ Windows Defender Antivirus has encountered an error when taking action on malwar
 
    8. Quarantine: The resource was quarantined
      9. 
 
    9. Remove: The resource was deleted
      10. 
 
    10. Allow: The resource was allowed to execute/exist
      11. 
-
    11. User defined: User defined action which is normally one from this list of actions that the user has specified
      12. 
+
    12. User defined: User-defined action that is normally one from this list of actions that the user has specified
      13. 
 
    13. No action: No action
      14. 
 
    14. Block: The resource was blocked from executing
      15. 
 
@@ -545,7 +543,7 @@ Message:
 Description:
 
      		
 
-Windows Defender Antivirus has restored an item from quarantine. For more information please see the following:
+Windows Defender Antivirus has restored an item from quarantine. For more information, see the following:
 
      
 
      Name: <Threat name>
      
 
      ID: <Threat ID>
      
@@ -589,7 +587,7 @@ Message:
 Description:
 
      		
 
-Windows Defender Antivirus has encountered an error trying to restore an item from quarantine. For more information please see the following:
+Windows Defender Antivirus has encountered an error trying to restore an item from quarantine. For more information, see the following:
 
      
 
      Name: <Threat name>
      
 
      ID: <Threat ID>
      
@@ -636,7 +634,7 @@ Message:
 Description:
 
      		
 
-Windows Defender Antivirus has deleted an item from quarantine.
      For more information please see the following:
+Windows Defender Antivirus has deleted an item from quarantine.
      For more information, see the following:
 
      
 
      Name: <Threat name>
      
 
      ID: <Threat ID>
      
@@ -680,7 +678,7 @@ Description:
 
      		
 
 Windows Defender Antivirus has encountered an error trying to delete an item from quarantine.
-For more information please see the following:
+For more information, see the following:
 
      
 
      Name: <Threat name>
      
 
      ID: <Threat ID>
      
@@ -729,7 +727,7 @@ Description:
 
      		
 Windows Defender Antivirus has removed history of malware and other potentially unwanted software.
 
      
-
      Time: The time when the event occurred, for example when the history is purged. Note that this parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.
      
+
      Time: The time when the event occurred, for example when the history is purged. This parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.
      
 
      User: <Domain>\<User>
      
 
      
       		
 Windows Defender Antivirus has encountered an error trying to remove history of malware and other potentially unwanted software.
 
      
-
      Time: The time when the event occurred, for example when the history is purged. Note that this parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.
      
+
      Time: The time when the event occurred, for example when the history is purged. This parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.
      
 
      User: <Domain>\<User>
      
 
      Error Code: <Error code>
 Result code associated with threat status. Standard HRESULT values. 
      
@@ -793,7 +791,7 @@ Message:
 Description:
 
      		
 
-Windows Defender Antivirus has detected a suspicious behavior.
      For more information please see the following:
+Windows Defender Antivirus has detected a suspicious behavior.
      For more information, see the following:
 
      
 
      Name: <Threat name>
      
 
      ID: <Threat ID>
      
@@ -870,7 +868,7 @@ Message:
 Description:
 
      		
 
-Windows Defender Antivirus has detected malware or other potentially unwanted software.
      For more information please see the following:
+Windows Defender Antivirus has detected malware or other potentially unwanted software.
      For more information, see the following:
 
      
 
      Name: <Threat name>
      
 
      ID: <Threat ID>
      
@@ -951,7 +949,7 @@ Message:
 Description:
 
      		
 
-Windows Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software.
      For more information please see the following:
+Windows Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software.
      For more information, see the following:
 
      
 
      Name: <Threat name>
      
 
      ID: <Threat ID>
      
@@ -999,7 +997,7 @@ UAC
 
    15. Quarantine: The resource was quarantined
      16. 
 
    16. Remove: The resource was deleted
      17. 
 
    17. Allow: The resource was allowed to execute/exist
      18. 
-
    18. User defined: User defined action which is normally one from this list of actions that the user has specified
      19. 
+
    19. User defined: User-defined action that is normally one from this list of actions that the user has specified
      20. 
 
    20. No action: No action
      21. 
 
    21. Block: The resource was blocked from executing
      22. 
 
@@ -1012,7 +1010,7 @@ Description of the error. 
 
      Signature Version: <Definition version>
      
 
      Engine Version: <Antimalware Engine version>
      
 NOTE:
-Whenever Windows Defender Antivirus, Microsoft Security Essentials, Malicious Software Removal Tool, or System Center Endpoint Protection detects a malware, it will restore the following system settings and services which the malware might have changed:
        
+Whenever Windows Defender Antivirus, Microsoft Security Essentials, Malicious Software Removal Tool, or System Center Endpoint Protection detects a malware, it will restore the following system settings and services that the malware might have changed:
          
 
        • Default Internet Explorer or Microsoft Edge setting
          • 
 
        • User Access Control settings
          • 
 
        • Chrome settings
          • 
@@ -1078,7 +1076,7 @@ Message:
 Description:
 
      		
 
-Windows Defender Antivirus has encountered a non-critical error when taking action on malware or other potentially unwanted software.
      For more information please see the following:
+Windows Defender Antivirus has encountered a non-critical error when taking action on malware or other potentially unwanted software.
      For more information, see the following:
 
      
 
      Name: <Threat name>
      
 
      ID: <Threat ID>
      
@@ -1126,7 +1124,7 @@ UAC
 
    22. Quarantine: The resource was quarantined
      23. 
 
    23. Remove: The resource was deleted
      24. 
 
    24. Allow: The resource was allowed to execute/exist
      25. 
-
    25. User defined: User defined action which is normally one from this list of actions that the user has specified
      26. 
+
    26. User defined: User-defined action that is normally one from this list of actions that the user has specified
      27. 
 
    27. No action: No action
      28. 
 
    28. Block: The resource was blocked from executing
      29. 
 
@@ -1173,7 +1171,7 @@ Message:
 Description:
 
      		
 
-Windows Defender Antivirus has encountered a critical error when taking action on malware or other potentially unwanted software.
      For more information please see the following:
+Windows Defender Antivirus has encountered a critical error when taking action on malware or other potentially unwanted software.
      For more information, see the following:
 
      
 
      Name: <Threat name>
      
 
      ID: <Threat ID>
      
@@ -1221,7 +1219,7 @@ UAC
 
    29. Quarantine: The resource was quarantined
      30. 
 
    30. Remove: The resource was deleted
      31. 
 
    31. Allow: The resource was allowed to execute/exist
      32. 
-
    32. User defined: User defined action which is normally one from this list of actions that the user has specified
      33. 
+
    33. User defined: User-defined action that is normally one from this list of actions that the user has specified
      34. 
 
    34. No action: No action
      35. 
 
    35. Block: The resource was blocked from executing
      36. 
 
@@ -1323,7 +1321,7 @@ Windows Defender Antivirus client is up and running in a healthy state.
 
      
 
 
-
      Note  This event will only be logged if the following policy is set: ThreatFileHashLogging     unsigned.
      
+
      Note: This event will only be logged if the following policy is set: ThreatFileHashLogging     unsigned.
      
 
       
      
       		
 
      
 
      
-Windows Defender Antivirus configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
+Windows Defender Antivirus configuration has changed. If this is an unexpected event, you should review the settings as this may be the result of malware.
 
      
 
      Old value: <Old value number>
 Old antivirus configuration value.
      
@@ -2893,7 +2891,7 @@ Run a full system scan.
 
      		
 This error indicates that an offline scan is required. 
 
      Resolution
-Run offline Windows Defender Antivirus. You can read about how to do this in the offline Windows Defender Antivirus article.
+Run offline Windows Defender Antivirus. You can read about how to do this in the offline Windows Defender Antivirus article.
 
 
      
 
      
 Windows 10, version 1703:
      Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen
      Windows 10, Version 1607 and earlier:
      Administrative Templates\Windows Components\File Explorer\Configure Windows SmartScreen
      		
 At least Windows Server 2012, Windows 8 or Windows RTThis policy setting turns on Windows Defender SmartScreen.
      If you enable this setting, it turns on Windows Defender SmartScreen and your employees are unable to turn it off. Additionally, when enabling this feature, you must also pick whether SmartScreen should Warn your employees or Warn and prevent bypassing the message (effectively blocking the employee from the site).
      If you disable this setting, it turns off Windows Defender SmartScreen and your employees are unable to turn it on.
      If you don't configure this setting, your employees can decide whether to use Windows Defender SmartScreen.
      		This policy setting turns on Windows Defender SmartScreen.
      If you enable this setting, it turns on Windows Defender SmartScreen and your employees are unable to turn it off. Additionally, when enabling this feature, you must also pick whether Windows Defender SmartScreen should Warn your employees or Warn and prevent bypassing the message (effectively blocking the employee from the site).
      If you disable this setting, it turns off Windows Defender SmartScreen and your employees are unable to turn it on.
      If you don't configure this setting, your employees can decide whether to use Windows Defender SmartScreen.
      		
 
      
 
      
 Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control
 Windows 10, version 1703This setting helps protect PCs by allowing users to install apps only from the Microsoft Store. SmartScreen must be enabled for this feature to work properly.
      If you enable this setting, your employees can only install apps from the Microsoft Store.
      If you disable this setting, your employees can install apps from anywhere, including as a download from the Internet.
      If you don't configure this setting, your employees can choose whether they can install from anywhere or only from Microsoft Store.
      		This setting helps protect PCs by allowing users to install apps only from the Microsoft Store. Windows Defender SmartScreen must be enabled for this feature to work properly.
      If you enable this setting, your employees can only install apps from the Microsoft Store.
      If you disable this setting, your employees can install apps from anywhere, including as a download from the Internet.
      If you don't configure this setting, your employees can choose whether they can install from anywhere or only from Microsoft Store.
      		
 
      
 
      
 Windows 10, version 1703:
      Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen
      Windows 10, Version 1607 and earlier:
      Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreen
      
 Administrative Templates\Windows Components\Internet Explorer\Prevent managing SmartScreen Filter
 Internet Explorer 9 or laterThis policy setting prevents the employee from managing SmartScreen Filter.
      If you enable this policy setting, the employee isn't prompted to turn on SmartScreen Filter. All website addresses that are not on the filter's allow list are sent automatically to Microsoft without prompting the employee.
      If you disable or don't configure this policy setting, the employee is prompted to decide whether to turn on SmartScreen Filter during the first-run experience.
      		This policy setting prevents the employee from managing Windows Defender SmartScreen.
      If you enable this policy setting, the employee isn't prompted to turn on Windows Defender SmartScreen. All website addresses that are not on the filter's allow list are sent automatically to Microsoft without prompting the employee.
      If you disable or don't configure this policy setting, the employee is prompted to decide whether to turn on Windows Defender SmartScreen during the first-run experience.
      		
 
      
 
      
 Administrative Templates\Windows Components\Internet Explorer\Prevent bypassing SmartScreen Filter warnings
 Internet Explorer 8 or laterThis policy setting determines whether an employee can bypass warnings from SmartScreen Filter.
      If you enable this policy setting, SmartScreen Filter warnings block the employee.
      If you disable or don't configure this policy setting, the employee can bypass SmartScreen Filter warnings.
      		This policy setting determines whether an employee can bypass warnings from Windows Defender SmartScreen.
      If you enable this policy setting, Windows Defender SmartScreen warnings block the employee.
      If you disable or don't configure this policy setting, the employee can bypass Windows Defender SmartScreen warnings.
      		
 
      
 
      
 Administrative Templates\Windows Components\Internet Explorer\Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet
 Internet Explorer 9 or laterThis policy setting determines whether the employee can bypass warnings from SmartScreen Filter. SmartScreen Filter warns the employee about executable files that Internet Explorer users do not commonly download from the Internet.
      If you enable this policy setting, SmartScreen Filter warnings block the employee.
      If you disable or don't configure this policy setting, the employee can bypass SmartScreen Filter warnings.
      		This policy setting determines whether the employee can bypass warnings from Windows Defender SmartScreen. Windows Defender SmartScreen warns the employee about executable files that Internet Explorer users do not commonly download from the Internet.
      If you enable this policy setting, Windows Defender SmartScreen warnings block the employee.
      If you disable or don't configure this policy setting, the employee can bypass Windows Defender SmartScreen warnings.
      		
 
      
 
      
 
 ## MDM settings
 If you manage your policies using Microsoft Intune, you'll want to use these MDM policy settings. All settings support both desktop computers (running Windows 10 Pro or Windows 10 Enterprise, enrolled with Microsoft Intune) and Windows 10 Mobile devices.  

       
-For SmartScreen Internet Explorer MDM policies, see [Policy CSP - InternetExplorer](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-internetexplorer).
+For Windows Defender SmartScreen Internet Explorer MDM policies, see [Policy CSP - InternetExplorer](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-internetexplorer).
 
@@ -115,8 +115,8 @@ For SmartScreen Internet Explorer MDM policies, see [Policy CSP - InternetExplor
 
    36. URI full path. ./Vendor/MSFT/Policy/Config/SmartScreen/EnableSmartScreenInShell
    37. Data type. Integer
    38. Allowed values:
        
-
      • 0 . Turns off SmartScreen in Windows for app and file execution.
        • 
-
      • 1. Turns on SmartScreen in Windows for app and file execution.
      39. 
+
    39. 0 . Turns off Windows Defender SmartScreen in Windows for app and file execution.
      40. 
+
    40. 1. Turns on Windows Defender SmartScreen in Windows for app and file execution.
      41. 
@@ -127,8 +127,8 @@ For SmartScreen Internet Explorer MDM policies, see [Policy CSP - InternetExplor
 
    41. URI full path. ./Vendor/MSFT/Policy/Config/SmartScreen/PreventOverrideForFilesInShell
    42. Data type. Integer
    43. Allowed values:
        
-
      • 0 . Employees can ignore SmartScreen warnings and run malicious files.
        • 
-
      • 1. Employees can't ignore SmartScreen warnings and run malicious files.
      44. 
+
    44. 0 . Employees can ignore Windows Defender SmartScreen warnings and run malicious files.
      45. 
+
    45. 1. Employees can't ignore Windows Defender SmartScreen warnings and run malicious files.
      46. 
@@ -139,8 +139,8 @@ For SmartScreen Internet Explorer MDM policies, see [Policy CSP - InternetExplor
 
    46. URI full path. ./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride
    47. Data type. Integer
    48. Allowed values:
        
-
      • 0 . Employees can ignore SmartScreen warnings.
        • 
-
      • 1. Employees can't ignore SmartScreen warnings.
      49. 
+
    49. 0 . Employees can ignore Windows Defender SmartScreen warnings.
      50. 
+
    50. 1. Employees can't ignore Windows Defender SmartScreen warnings.
      51. 
@@ -151,8 +151,8 @@ For SmartScreen Internet Explorer MDM policies, see [Policy CSP - InternetExplor
 
    51. URI full path. ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles
    52. Data type. Integer
    53. Allowed values:
        
-
      • 0 . Employees can ignore SmartScreen warnings for files.
        • 
-
      • 1. Employees can't ignore SmartScreen warnings for files.
      54. 
+
    54. 0 . Employees can ignore Windows Defender SmartScreen warnings for files.
      55. 
+
    55. 1. Employees can't ignore Windows Defender SmartScreen warnings for files.
      56. 
 
      
 Setting
 
 
 
 
      
 
      
 
 
 
 
      
 
      
 
 
 
 
      
 
      
 
 
 
 
      
 
      
diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md
index 475ce2cff3..d22f241c9b 100644
--- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md
+++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md
@@ -1,7 +1,7 @@
 ---
 title: Windows Defender SmartScreen overview (Windows 10)
 description: Conceptual info about Windows Defender SmartScreen.
-keywords: SmartScreen Filter, Windows SmartScreen
+keywords: SmartScreen Filter, Windows SmartScreen, Windows Defender SmartScreen
 ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
@@ -10,7 +10,7 @@ author: mjcaparas
 ms.author: macapara
 audience: ITPro
 ms.localizationpriority: medium
-ms.date: 07/27/2017
+ms.date: 11/27/2019
 ms.reviewer: 
 manager: dansimp
 ---
@@ -24,34 +24,34 @@ manager: dansimp
 
 Windows Defender SmartScreen protects against phishing or malware websites, and the downloading of potentially malicious files.
 
-**SmartScreen determines whether a site is potentially malicious by:**
+**Windows Defender SmartScreen determines whether a site is potentially malicious by:**
 
-- Analyzing visited webpages, looking for indications of suspicious behavior. If SmartScreen determines that a page is suspicious, it will show a warning page to advise caution.
+- Analyzing visited webpages looking for indications of suspicious behavior. If Windows Defender Smartscreen determines that a page is suspicious, it will show a warning page to advise caution.
 
-- Checking visited sites against a dynamic list of reported phishing and malicious software sites. If SmartScreen finds a match, it will show a warning indicating that the site might be malicious.
+- Checking the visited sites against a dynamic list of reported phishing sites and malicious software sites. If it finds a match, Windows Defender SmartScreen shows a warning to let the user know that the site might be malicious.
 
-**SmartScreen determines whether a downloaded app or app installer is potentially malicious by:**
+**Windows Defender SmartScreen determines whether a downloaded app or app installer is potentially malicious by:**
 
-- Checking downloaded files against a list of reported malicious software sites and programs known to be unsafe. If SmartScreen finds a match, it will show a warning indicating that the site might be malicious.
+- Checking downloaded files against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, Windows Defender SmartScreen shows a warning to let the user know that the site might be malicious.
 
-- Checking downloaded files against a list of files that are well-known and downloaded by many Windows users. If the file isn't on that list, SmartScreen shows a warning, advising caution.
+- Checking downloaded files against a list of files that are well known and downloaded by many Windows users. If the file isn't on that list, Windows Defender SmartScreen shows a warning, advising caution.
 
-    > [!NOTE]
-    > Before Windows 10, version 1703, this feature was called _the SmartScreen Filter_ when used within the browser and _Windows SmartScreen_ when used outside of the browser.
+    >[!NOTE]
+    >Before Windows 10, version 1703, this feature was called _the SmartScreen filter_ when used within the browser and _Windows SmartScreen_ when used outside of the browser.
 
 ## Benefits of Windows Defender SmartScreen
 
 Windows Defender SmartScreen provide an early warning system against websites that might engage in phishing attacks or attempt to distribute malware through a socially-engineered attack. The primary benefits are:
 
-- **Anti-phishing and anti-malware support.** SmartScreen helps to protect your employees from sites that are reported to host phishing attacks or attempt to distribute malicious software. It can also help protect against deceptive advertisements, scam sites, and drive-by attacks. Drive-by attacks are web-based attacks that tend to start on a trusted site, targeting security vulnerabilities in commonly-used software. Because drive-by attacks can happen even if the user does not click or download anything on the page, the danger often goes unnoticed. For more info about drive-by attacks, see [Evolving Microsoft SmartScreen to protect you from drive-by attacks](https://blogs.windows.com/msedgedev/2015/12/16/SmartScreen-drive-by-improvements/#3B7Bb8bzeAPq8hXE.97)
+- **Anti-phishing and anti-malware support.** Windows Defender SmartScreen helps to protect your employees from sites that are reported to host phishing attacks or attempt to distribute malicious software. It can also help protect against deceptive advertisements, scam sites, and drive-by attacks. Drive-by attacks are web-based attacks that tend to start on a trusted site, targeting security vulnerabilities in commonly-used software. Because drive-by attacks can happen even if the user does not click or download anything on the page, the danger often goes unnoticed. For more info about drive-by attacks, see [Evolving Windows Defender SmartScreen to protect you from drive-by attacks](https://blogs.windows.com/msedgedev/2015/12/16/SmartScreen-drive-by-improvements/#3B7Bb8bzeAPq8hXE.97)
 
-- **Reputation-based URL and app protection.** SmartScreen evaluates a website's URLs to determine if they're known to distribute or host unsafe content. It also provides reputation checks for apps, checking downloaded programs and the digital signature used to sign a file. If a URL, a file, an app, or a certificate has an established reputation, your employees won't see any warnings. If however there's no reputation, the item is marked as a higher risk and presents a warning to the employee.
+- **Reputation-based URL and app protection.** Windows Defender SmartScreen evaluates a website's URLs to determine if they're known to distribute or host unsafe content. It also provides reputation checks for apps, checking downloaded programs and the digital signature used to sign a file. If a URL, a file, an app, or a certificate has an established reputation, your employees won't see any warnings. If however there's no reputation, the item is marked as a higher risk and presents a warning to the employee.
 
-- **Operating system integration.** SmartScreen is integrated into the Windows 10 operating system, meaning that it checks any files an app (including 3rd-party browsers and email clients) attempts to download and run.
+- **Operating system integration.** Windows Defender SmartScreen is integrated into the Windows 10 operating system, meaning that it checks any files an app (including 3rd-party browsers and email clients) attempts to download and run.
 
-- **Improved heuristics and diagnostic data.** SmartScreen is constantly learning and endeavoring to stay up-to-date, so it can help to protect you against potentially malicious sites and files.
+- **Improved heuristics and diagnostic data.** Windows Defender SmartScreen is constantly learning and endeavoring to stay up-to-date, so it can help to protect you against potentially malicious sites and files.
 
-- **Management through Group Policy and Microsoft Intune.** SmartScreen supports using both Group Policy and Microsoft Intune settings. For more info about all available settings, see [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen-available-settings.md).
+- **Management through Group Policy and Microsoft Intune.** Windows Defender SmartScreen supports using both Group Policy and Microsoft Intune settings. For more info about all available settings, see [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen-available-settings.md).
 
 - **Blocking URLs associated with potentially unwanted applications.** In the next major version of Microsoft Edge (based on Chromium), SmartScreen will blocks URLs associated with potentially unwanted applications, or PUAs. For more information on blocking URLs associated with PUAs, see [Detect and block potentially unwanted applications](../windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md).
 
@@ -59,20 +59,27 @@ Windows Defender SmartScreen provide an early warning system against websites th
 
 When Windows Defender SmartScreen warns or blocks an employee from a website, it's logged as [Event 1035 - Anti-Phishing](https://technet.microsoft.com/scriptcenter/dd565657(v=msdn.10).aspx).
 
-## Viewing Windows event logs for SmartScreen
+## Viewing Windows event logs for Windows Defender SmartScreen
+Windows Defender SmartScreen events appear in the Microsoft-Windows-SmartScreen/Debug log in Event Viewer.
 
-SmartScreen events appear in the Microsoft-Windows-SmartScreen/Debug log in Event Viewer.
+Windows event log for SmartScreen is disabled by default, users can use Event Viewer UI to enable the log or use the command line to enable it:
+
+```
+wevtutil sl Microsoft-Windows-SmartScreen/Debug /e:true
+```
 
 > [!NOTE]
 > For information on how to use the Event Viewer, see [Windows Event Viewer](https://docs.microsoft.com/host-integration-server/core/windows-event-viewer1).
 
+
 EventID | Description
 -|-
-1000 | Application SmartScreen Event
-1001 | Uri SmartScreen Event
-1002 | User Decision SmartScreen Event
+1000 | Application Windows Defender SmartScreen Event
+1001 | Uri Windows Defender SmartScreen Event
+1002 | User Decision Windows Defender SmartScreen Event
 
 ## Related topics
+- [Windows Defender SmartScreen Frequently Asked Questions (FAQ)](https://feedback.smartscreen.microsoft.com/smartscreenfaq.aspx)
 
 - [SmartScreen Frequently Asked Questions (FAQ)](https://feedback.smartscreen.microsoft.com/smartscreenfaq.aspx)
 - [Threat protection](../index.md)
diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md
index ca7c0039c1..9d10a82e3a 100644
--- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md
+++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md
@@ -1,7 +1,7 @@
 ---
 title: Set up and use Windows Defender SmartScreen on individual devices (Windows 10)
 description: Steps about what happens when an employee tries to run an app, how employees can report websites as safe or unsafe, and how employees can use the Windows Security to set Windows Defender SmartScreen for individual devices.
-keywords: SmartScreen Filter, Windows SmartScreen
+keywords: SmartScreen Filter, Windows SmartScreen, Windows Defender SmartScreen
 ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
@@ -39,28 +39,28 @@ Starting with Windows 10, version 1703 your employees can use Windows Security t
 
        - **Warn.** Warns employees that the apps and files being downloaded from the web are potentially dangerous, but allows the action to continue.
 
-       - **Off.** Turns off SmartScreen, so an employee isn't alerted or stopped from downloading potentially malicious apps and files.
+       - **Off.** Turns off Windows Defender SmartScreen, so an employee isn't alerted or stopped from downloading potentially malicious apps and files.
 
-   - In the **SmartScreen for Microsoft Edge** area:
+   - In the **Windows Defender SmartScreen for Microsoft Edge** area:
     
        - **Block.** Stops employees from downloading and running unrecognized apps and files from the web, while using Microsoft Edge.
         
        - **Warn.** Warns employees that sites and downloads are potentially dangerous, but allows the action to continue while running in Microsoft Edge.
         
-       - **Off.** Turns off SmartScreen, so an employee isn't alerted or stopped from downloading potentially malicious apps and files.    
+       - **Off.** Turns off Windows Defender SmartScreen, so an employee isn't alerted or stopped from downloading potentially malicious apps and files.    
 
-   - In the **SmartScreen from Microsoft Store apps** area:
+   - In the **Windows Defender SmartScreen from Microsoft Store apps** area:
         
      - **Warn.** Warns employees that the sites and downloads used by Microsoft Store apps are potentially dangerous, but allows the action to continue.
         
-     - **Off.** Turns off SmartScreen, so an employee isn't alerted or stopped from visiting sites or from downloading potentially malicious apps and files.
+     - **Off.** Turns off Windows Defender SmartScreen, so an employee isn't alerted or stopped from visiting sites or from downloading potentially malicious apps and files.
 
-       ![Windows Security, SmartScreen controls](images/windows-defender-smartscreen-control.png)
+       ![Windows Security, Windows Defender SmartScreen controls](images/windows-defender-smartscreen-control.png)
 
-## How SmartScreen works when an employee tries to run an app
-Windows Defender SmartScreen checks the reputation of any web-based app the first time it's run from the Internet, checking digital signatures and other factors against a Microsoft-maintained service. If an app has no reputation or is known to be malicious, SmartScreen can warn the employee or block the app from running entirely, depending on how you've configured the feature to run in your organization.
+## How Windows Defender SmartScreen works when an employee tries to run an app
+Windows Defender SmartScreen checks the reputation of any web-based app the first time it's run from the Internet, checking digital signatures and other factors against a Microsoft-maintained service. If an app has no reputation or is known to be malicious, Windows Defender SmartScreen can warn the employee or block the app from running entirely, depending on how you've configured the feature to run in your organization.
 
-By default, your employees can bypass SmartScreen protection, letting them run legitimate apps after accepting a warning message prompt. You can also use Group Policy or Microsoft Intune to block employees from using unrecognized apps, or to entirely turn off Windows Defender SmartScreen (not recommended).
+By default, your employees can bypass Windows Defender SmartScreen protection, letting them run legitimate apps after accepting a warning message prompt. You can also use Group Policy or Microsoft Intune to block employees from using unrecognized apps, or to entirely turn off Windows Defender SmartScreen (not recommended).
 
 ## How employees can report websites as safe or unsafe
 You can configure Windows Defender SmartScreen to warn employees from going to a potentially dangerous site. Employees can then choose to report a website as safe from the warning message or as unsafe from within Microsoft Edge and Internet Explorer 11.
diff --git a/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md b/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md
index 4cbc411cdd..a7def9d5fd 100644
--- a/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md
+++ b/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md
@@ -1,5 +1,5 @@
 ---
-title: Windows Defender System Guard How a hardware-based root of trust helps protect Windows 10 (Windows 10)
+title: How a Windows Defender System Guard helps protect Windows 10
 description: Windows Defender System Guard in Windows 10 uses a hardware-based root of trust to securely protect systems against firmware exploits.
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
 ms.reviewer: 
diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md
index 816c7d49b0..d91fbb98a5 100644
--- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md
+++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md
@@ -1,18 +1,19 @@
 ---
-title: Windows Defender System Guard How a hardware-based root of trust helps protect Windows 10 (Windows 10)
+title: How Windows Defender System Guard protect Windows 10 from firmware exploits
 description: Windows Defender System Guard in Windows 10 uses a hardware-based root of trust to securely protect systems against firmware exploits.
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
 ms.reviewer: 
 manager: dansimp
-ms.author: dansimp
+ms.author: deniseb
+author: denisebmsft
 search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
 ms.date: 03/01/2019
+ms.custom: asr
 ---
 
 
diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
index be6c791392..5b92c4240f 100644
--- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
+++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
@@ -54,6 +54,9 @@ Click **Start** > **Settings** > **Update & Security** > **Windows Security** >
 
 ![Secure Launch Registry](images/secure-launch-registry.png)
 
+> [!IMPORTANT]
+> If System Guard is enabled with a registry key, standard hardware security is not available for the Intel i5 7200U processor.
+
 ## How to verify System Guard Secure Launch is configured and running
 
 To verify that Secure Launch is running, use System Information (MSInfo32). Click **Start**, search for **System Information**, and look under **Virtualization-based Security Services Running** and **Virtualization-based Security Services Configured**.
diff --git a/windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md b/windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md
index 02be1db95f..49d318d5fe 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md
@@ -1,6 +1,6 @@
 ---
-title: Checklist Creating Rules for Clients of a Standalone Isolated Server Zone (Windows 10)
-description: Checklist Creating Rules for Clients of a Standalone Isolated Server Zone
+title: Create Rules for Standalone Isolated Server Zone Clients (Windows 10)
+description: Checklist for when creating rules for clients of a Standalone Isolated Server Zone
 ms.assetid: 6a5e6478-add3-47e3-8221-972549e013f6
 ms.reviewer: 
 ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md b/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md
index ea78e8de16..537198bd08 100644
--- a/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md
+++ b/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md
@@ -54,3 +54,6 @@ To complete these procedures, you must be a member of the Domain Administrators
         -   To create a log entry when Windows Defender Firewall allows an inbound connection, change **Log successful connections** to **Yes**.
 
     6.  Click **OK** twice.
+
+### Troubleshooting Slow Log Ingestion
+If logs are slow to appear in Sentinel, you can turn down the log file size. Just beware that this will result in more resource usage due to the increased resource usage for log rotation. 
diff --git a/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md b/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md
index 5dae7a9636..61f12fe05d 100644
--- a/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md
+++ b/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md
@@ -1,5 +1,5 @@
 ---
-title: Configure the Workstation Authentication Certificate Template (Windows 10)
+title: Configure the Workstation Authentication Template (Windows 10)
 description: Configure the Workstation Authentication Certificate Template
 ms.assetid: c3ac9960-6efc-47c1-bd69-d9d4bf84f7a6
 ms.reviewer: 
diff --git a/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md b/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md
index 83f35fe206..d67461d012 100644
--- a/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md
+++ b/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md
@@ -1,6 +1,6 @@
 ---
-title: Designing a Windows Defender Firewall with Advanced Security Strategy (Windows 10)
-description: Designing a Windows Defender Firewall Strategy
+title: Designing a Windows Defender Firewall Strategy (Windows 10)
+description: Designing a Windows Defender Firewall with Advanced Security Strategy
 ms.assetid: 6d98b184-33d6-43a5-9418-4f24905cfd71
 ms.reviewer: 
 ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md
index 992c8390e8..0c27975e1b 100644
--- a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md
+++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md
@@ -1,5 +1,5 @@
 ---
-title: Gathering Information about Your Current Network Infrastructure (Windows 10)
+title: Gathering Info about Your Network Infrastructure (Windows 10)
 description: Gathering Information about Your Current Network Infrastructure
 ms.assetid: f98d2b17-e71d-4ffc-b076-118b4d4782f9
 ms.reviewer: 
diff --git a/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md b/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md
index 9bdbf322d4..5e3a16c452 100644
--- a/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md
+++ b/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md
@@ -1,6 +1,6 @@
 ---
-title: Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals (Windows 10)
-description: Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals
+title: Identify Goals for your WFAS Deployment (Windows 10)
+description: Identifying Your Windows Defender Firewall with Advanced Security (WFAS) Deployment Goals
 ms.assetid: 598cf45e-2e1c-4947-970f-361dfa264bba
 ms.reviewer: 
 ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md b/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md
index 126a5f0dc2..b055c8d636 100644
--- a/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md
+++ b/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md
@@ -1,5 +1,5 @@
 ---
-title: Modify GPO Filters to Apply to a Different Zone or Version of Windows (Windows 10)
+title: Modify GPO Filters (Windows 10)
 description: Modify GPO Filters to Apply to a Different Zone or Version of Windows
 ms.assetid: 24ede9ca-a501-4025-9020-1129e2cdde80
 ms.reviewer: 
diff --git a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md
index 9e395fc16f..bce220a506 100644
--- a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md
+++ b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md
@@ -1,5 +1,5 @@
 ---
-title: Open the Group Policy Management Console to Windows Defender Firewall (Windows 10)
+title: Open a GPO to Windows Defender Firewall (Windows 10)
 description: Open the Group Policy Management Console to Windows Defender Firewall with Advanced Security
 ms.assetid: 5090b2c8-e038-4905-b238-19ecf8227760
 ms.reviewer: 
diff --git a/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md
index 8909c58454..e8ec3acdbe 100644
--- a/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md
+++ b/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md
@@ -1,5 +1,5 @@
 ---
-title: Planning to Deploy Windows Defender Firewall with Advanced Security (Windows 10)
+title: Plan to Deploy Windows Defender Firewall with Advanced Security (Windows 10)
 description: Planning to Deploy Windows Defender Firewall with Advanced Security
 ms.assetid: 891a30c9-dbf5-4a88-a279-00662b9da48e
 ms.reviewer: 
diff --git a/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md b/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md
index 1a0ea617b9..26796b6814 100644
--- a/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md
+++ b/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md
@@ -1,6 +1,6 @@
 ---
-title: Understanding the Windows Defender Firewall with Advanced Security Design Process (Windows 10)
-description: Understanding the Windows Defender Firewall with Advanced Security Design Process
+title: Understand WFAS Deployment (Windows 10)
+description: Resources for helping you understand the Windows Defender Firewall with Advanced Security (WFAS) Design Process
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md
index 05befcbc72..d91723c3d2 100644
--- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md
+++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md
@@ -1,5 +1,5 @@
 ---
-title: Windows Defender Firewall with Advanced Security Deployment Guide (Windows 10)
+title: Deploy Windows Defender Firewall with Advanced Security (Windows 10)
 description: Windows Defender Firewall with Advanced Security Deployment Guide
 ms.assetid: 56b51b97-1c38-481e-bbda-540f1216ad56
 ms.reviewer: 
diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md
index 0bd3b08e43..3261e0545f 100644
--- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md
+++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md
@@ -6,14 +6,15 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
+author: denisebmsft
+ms.author: deniseb
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 10/13/2017
 ms.reviewer: 
-ms.author: dansimp
+ms.custom: asr
 ---
 
 # Windows Defender Firewall with Advanced Security
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/TOC.md b/windows/security/threat-protection/windows-security-configuration-framework/TOC.md
index 4d844ddf4c..10de1f0c1c 100644
--- a/windows/security/threat-protection/windows-security-configuration-framework/TOC.md
+++ b/windows/security/threat-protection/windows-security-configuration-framework/TOC.md
@@ -1,11 +1,5 @@
-# [Windows security guidance for enterprises](windows-security-compliance.md)
+# Windows security guidance for enterprises
 
 ## [Windows security baselines](windows-security-baselines.md)
 ### [Security Compliance Toolkit](security-compliance-toolkit-10.md)
-### [Get support](get-support-for-security-baselines.md)
-## [Windows security configuration framework](windows-security-configuration-framework.md)
-### [Level 1 enterprise basic security](level-1-enterprise-basic-security.md)
-### [Level 2 enterprise enhanced security](level-2-enterprise-enhanced-security.md)
-### [Level 3 enterprise high security](level-3-enterprise-high-security.md)
-### [Level 4 enterprise dev/ops workstation](level-4-enterprise-devops-security.md)
-### [Level 5 enterprise administrator workstation](level-5-enterprise-administrator-security.md)
+### [Get support](get-support-for-security-baselines.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md
index f2f806c37f..6ef956ed10 100644
--- a/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md
+++ b/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md
@@ -1,5 +1,5 @@
 ---
-title: Get support
+title: Get support for Windows security baselines
 description: This article, and the articles it links to, answers frequently asked question on how to get support for Windows baselines, the Security Compliance Toolkit (SCT), and related topics in your organization
 keywords: virtualization, security, malware
 ms.prod: w10
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/level-1-enterprise-basic-security.md b/windows/security/threat-protection/windows-security-configuration-framework/level-1-enterprise-basic-security.md
deleted file mode 100644
index 87a52c4dd8..0000000000
--- a/windows/security/threat-protection/windows-security-configuration-framework/level-1-enterprise-basic-security.md
+++ /dev/null
@@ -1,358 +0,0 @@
----
-title: Level 1 enterprise basic security configuration
-description: Describes the policies, controls, and organizational behaviors for Windows security configuration framework level 1 enterprise security configuration.
-keywords: virtualization, security, malware
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.author: cjacks
-author: appcompatguy
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.date: 05/29/2019
----
-
-# Level 1 Enterprise Basic Security configuration 
-
-**Applies to**  
-
--   Windows 10
-
-Level 1 is the minimum security configuration for an enterprise device.
-Microsoft recommends the following configuration for level 1 devices.
-
-## Hardware
-
-Devices targeting Level 1 should support the following hardware features:
-
-- [Trusted Platform Module (TPM) 2.0](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-tpm)
-- [Bitlocker Drive Encryption](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-bitlocker)
-- [UEFI Secure Boot](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-secure-boot)
-- Drivers and Firmware Distributed through Windows Update
-
-## Policies
-
-The policies in level 1 enforce a reasonable security level while minimizing the impact to users or to applications. 
-Microsoft recommends using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates) for these security configurations and controls, noting that the timeline can generally be short given the limited potential impact of the security controls.
-
-### Security Template Policies
-
-| Feature                 | Policy Setting                                                                                   | Policy Value                                            | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
-|-------------------------|--------------------------------------------------------------------------------------------------|---------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Account Lockout | Account Lockout Duration | 15 | The number of minutes a locked-out account remains locked out before automatically becoming unlocked. If an account lockout threshold is defined, the account lockout duration must be greater than or equal to the reset time. |
-| Account Lockout | Account Lockout Threshold | 10 | The number of failed logon attempts that causes a user account to be locked out. A locked-out account cannot be used until it is reset by an administrator or until the lockout duration for the account has expired. |
-| Account Lockout | Reset account lockout counter after | 15 | The number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts. |
-| Password Policy | Enforce password history | 24 | The number of unique new passwords that must be associated with a user account before an old password can be reused. |
-| Password Policy | Minimum password length | 14 | The least number of characters that a password for a user account may contain. |
-| Password Policy | Password must meet complexity requirements | Enabled | Determines whether passwords must meet complexity requirements:
      1) Not contain the user's samAccountName (Account Name) value or entire displayName (Full Name value). Neither check is case sensitive.
      The samAccountName is checked in its entirety only to determine whether it is part of the password. If the samAccountName is less than three characters long, this check is skipped. The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed to not be included in the password. Tokens that are less than three characters are ignored, and substrings of the tokens are not checked. For example, the name "Erin M. Hagens" is split into three tokens: "Erin", "M", and "Hagens". Because the second token is only one character long, it is ignored. Therefore, this user could not have a password that included either "erin" or "hagens" as a substring anywhere in the password.
      2) Contain characters from three of the following categories:
      - Uppercase letters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
      - Lowercase letters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
      -  Base 10 digits (0 through 9)
      -Non-alphanumeric characters (special characters):
      (~!@#$%^&*_-+=`\|\\(){}[]:;"'<>,.?/)
      Currency symbols such as the Euro or British Pound are not counted as special characters for this policy setting.
      - Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages. |
-| Password Policy | Store passwords using reversible encryption | Disabled | Determines whether the operating system stores passwords using reversible encryption. |
-| Security Options | Accounts: Limit local account use of blank passwords to console logon only  | Enabled  | This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computer's keyboard.  |
-| Security Options | Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings | Enabled  | Windows Vista and later versions of Windows allow audit policy to be managed in a more precise way using audit policy subcategories. Setting audit policy at the category level will override the new subcategory audit policy feature. Group Policy only allows audit policy to be set at the category level, and existing Group Policy may override the subcategory settings of new machines as they are joined to the domain or upgraded. To allow audit policy to be managed using subcategories without requiring a change to Group Policy, there is a new registry value in Windows Vista and later versions, SCENoApplyLegacyAuditPolicy, which prevents the application of category-level audit policy from Group Policy and from the Local Security Policy administrative tool. |
-| Security Options | Domain member: Digitally encrypt or sign secure channel data (always)  | Enabled  | This security setting determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. This setting determines whether all secure channel traffic initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. If this policy is enabled, then the secure channel will not be established unless either signing or encryption of all secure channel traffic is negotiated. If this policy is disabled, then encryption and signing of all secure channel traffic is negotiated with the Domain Controller in which case the level of signing and encryption depends on the version of the Domain Controller and the settings of the following two policies:
      - Domain member: Digitally encrypt secure channel data (when possible)
      - Domain member: Digitally sign secure channel data (when possible)  |
-| Security Options | Domain member: Digitally encrypt secure channel data (when possible)  | Enabled  | This security setting determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates. If enabled, the domain member will request encryption of all secure channel traffic. If the domain controller supports encryption of all secure channel traffic, then all secure channel traffic will be encrypted. Otherwise, only logon information transmitted over the secure channel will be encrypted. If this setting is disabled, then the domain member will not attempt to negotiate secure channel encryption.  |
-| Security Options | Domain member: Digitally sign secure channel data (when possible)  | Enabled  | This security setting determines whether a domain member attempts to negotiate signing for all secure channel traffic that it initiates. If enabled, the domain member will request signing of all secure channel traffic. If the Domain Controller supports signing of all secure channel traffic, then all secure channel traffic will be signed, which ensures that it cannot be tampered with in transit.  |
-| Security Options | Domain member: Disable machine account password changes | Disabled | Determines whether a domain member periodically changes its computer account password. |
-| Security Options | Domain member: Maximum machine account password age | 30 | Determines how often a domain member will attempt to change its computer account password |
-| Security Options | Domain member: require strong (Windows 2000 or later) session key | Enabled | Determines whether 128-bit key strength is required for encrypted secure channel data |
-| Security Options | Interactive logon: Machine inactivity limit | 900 | The number of seconds of inactivity before the session is locked |
-| Security Options | Interactive logon: Smart card removal behavior  | Lock Workstation  | This security setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. If you click **Lock Workstation** in the **Properties** for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart cards with them, and still maintain protected sessions. For this setting to work beginning with Windows Vista, the Smart Card Removal Policy service must be started.  |
-| Security Options | Microsoft network client: Digitally sign communications (always)  | Enabled  | This security setting determines whether packet signing is required by the SMB client component.  |
-| Security Options | Microsoft network client: Send unencrypted password to third party SMB servers| Disabled | If this security setting is enabled, the Server Message Block (SMB) redirector can send plaintext passwords to non-Microsoft SMB servers that do not support password encryption during authentication. Sending unencrypted passwords is a security risk. |
-| Security Options | Microsoft network server: Digitally sign communications (always)  | Enabled  | This security setting determines whether packet signing is required by the SMB server component.  |
-| Security Options | Network access: Allow anonymous SID/Name translation | Disabled | This security setting determines if an anonymous user can request security identifier (SID) attributes for another user. If this policy is enabled, a user with knowledge of an administrator's SID could contact a computer that has this policy enabled and use the SID to get the administrator's name. |
-| Security Options | Network access: Do not allow anonymous enumeration of SAM accounts  | Enabled  | This security setting determines what additional permissions will be granted for anonymous connections to the computer. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. This security option allows additional restrictions to be placed on anonymous connections as follows: Enabled: Do not allow enumeration of SAM accounts. This option replaces Everyone with Authenticated Users in the security permissions for resources.  |
-| Security Options | Network access: Do not allow anonymous enumeration of SAM accounts and shares  | Enabled  | This security setting determines whether anonymous enumeration of SAM accounts and shares is allowed. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. If you do not want to allow anonymous enumeration of SAM accounts and shares, then enable this policy.  |
-| Security Options | Network access: Restrict anonymous access to Named Pipes and Shares  | Enabled  | When enabled, this security setting restricts anonymous access to shares and pipes to the settings for:
      - Network access: Named pipes that can be accessed anonymously
      - Network access: Shares that can be accessed anonymously  |
-| Security Options | Network access: Restrict clients allowed to make remote calls to SAM | O:BAG:BAD:(A;;RC;;;BA) | This policy setting allows you to restrict remote RPC connections to SAM. If not selected, the default security descriptor will be used. |
-| Security Options | Network security: Allow LocalSystem NULL session fallback | Disabled | Allow NTLM to fall back to NULL session when used with LocalSystem |
-| Security Options | Network security: Do not store LAN Manager hash value on next password change | Enabled | This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in the security database the passwords can be compromised if the security database is attacked. |
-| Security Options | Network security: LAN Manager authentication level | Send NTLMv2 response only. Refuse LM & NTLM | This security setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows: Send NTLMv2 response only\\refuse LM & NTLM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM and NTLM (accept only NTLMv2 authentication). |
-| Security Options | Network security: LDAP client signing requirements  | Negotiate signing  | This security setting determines the level of data signing that is requested on behalf of clients issuing LDAP BIND requests, as follows: Negotiate signing: If Transport Layer Security/Secure Sockets Layer (TLS\\SSL) has not been started, the LDAP BIND request is initiated with the LDAP data signing option set in addition to the options specified by the caller. If TLS\\SSL has been started, the LDAP BIND request is initiated with the options that are specified by the caller.  |
-| Security Options | Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | Require NTLMv2 session security and Require 128-bit encryption | This security setting allows a client to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. |
-| Security Options | Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | Require NTLMv2 session security and Require 128-bit encryption | This security setting allows a server to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. |
-| Security Options | System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)  | Enabled  | This security setting determines the strength of the default discretionary access control list (DACL) for objects. Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. In this way, objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and what permissions are granted. If this policy is enabled, the default DACL is stronger, allowing users who are not administrators to read shared objects but not allowing these users to modify shared objects that they did not create.  |
-| Security Options | User Account Control: Admin approval mode for the built-in administrator | Enabled | The built-in Administrator account uses Admin Approval Mode - any operation that requires elevation of privilege will prompt to user to approve that operation |
-| Security Options | User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Prompt for consent on the secure desktop | When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. |
-| Security Options | User Account Control: Detect application installations and prompt for elevation | Enabled | When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. |
-| Security Options | User Account Control: Only elevate UIAccess applications that are installed in secure locations | Enabled | This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: - …\\Program Files\\, including subfolders - …\\Windows\\system32\\ - …\\Program Files (x86)\\, including subfolders for 64-bit versions of Windows |
-| Security Options | User Account Control: Run all Administrators in admin approval mode | Enabled | This policy must be enabled, and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. |
-| Security Options | User Account Control: Virtualize file and registry write failures to per-user locations | Enabled | This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\\system32, or HKLM\\Software. |
-| User Rights Assignments | Access Credential Manager as a trusted caller | No One (blank) | This setting is used by Credential Manager during Backup/Restore. No accounts should have this privilege, as it is only assigned to Winlogon. Users saved credentials might be compromised if this privilege is given to other entities.|
-| User Rights Assignment | Access this computer from the network | Administrators; Remote Desktop Users | This user right determines which users and groups can connect to the computer over the network. Remote Desktop Services are not affected by this user right. |
-| User Rights Assignments | Act as part of the operating system | No One (blank) | This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. |
-| User Rights Assignments | Allow log on locally | Administrators; Users | Determines which users can log on to the computer |
-| User Rights Assignments | Back up files and directories | Administrators | Determines which users can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system |
-| User Rights Assignments | Create a pagefile | Administrators | Determines which users and groups can call an internal application programming interface (API) to create and change the size of a page file |
-| User Rights Assignments | Create a token object | No One (blank) | Determines which accounts can be used by processes to create a token that can then be used to get access to any local resources when the process uses an internal application programming interface (API) to create an access token. |
-| User Rights Assignments | Create global objects | Administrators; LOCAL SERVICE; NETWORK SERVICE; SERVICE | This security setting determines whether users can create global objects that are available to all sessions. |
-| User Rights Assignments | Create permanent shared objects | No One (blank) | Determines which accounts can be used by processes to create a directory object using the object manager |
-| User Rights Assignments | Debug programs | Administrators | Determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user right provides complete access to sensitive and critical operating system components. |
-| User Rights Assignment | Enable computer and user accounts to be trusted for delegation | No One (blank) | This security setting determines which users can set the Trusted for Delegation setting on a user or computer object. |
-| User Rights Assignments | Force shutdown from a remote system  | Administrators | Determines which users can shut down a computer from a remote location on the network. Misuse of this user right can result in a denial of service. |
-| User Rights Assignment | Impersonate a client after authentication | Administrators, SERVICE, Local Service, Network Service | Assigning this privilege to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels. |
-| User Rights Assignments | Load and unload device drivers | Administrators | Determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. |
-| User Rights Assignment | Lock pages in memory | No One (blank) | Determines which accounts can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random-access memory (RAM). |
-| User Rights Assignments | Manage auditing and security log | Administrators | Determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. |
-| User Rights Assignments | Modify firmware environment variables  | Administrators | Determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor. |
-| User Rights Assignment | Perform volume maintenance tasks | Administrators | This security setting determines which users and groups can run maintenance tasks on a volume, such as remote defragmentation. |
-| User Rights Assignment | Profile single process | Administrators | This security setting determines which users can use performance monitoring tools to monitor the performance of non-system processes. |
-| User Rights Assignments | Restore files and directories | Administrators | Determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories, and determines which users can set any valid security principal as the owner of an object |
-| User Rights Assignments | Take ownership of files or other objects | Administrators | Determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads |
-
-### Advanced Audit Policies
-
-| Feature | Policy Setting | Policy Value | Description |
-|---------|----------------|--------------|-------------|
-| Account Logon | Audit Credential Validation | Success and Failure | Audit events generated by validation tests on user account logon credentials. Occurs only on the computer that is authoritative for those credentials. |
-| Account Management | Audit Security Group Management | Success | Audit events generated by changes to security groups, such as creating, changing or deleting security groups, adding or removing members, or changing group type. |
-| Account Management | Audit User Account Management | Success and Failure | Audit changes to user accounts. Events include creating, changing, deleting user accounts; renaming, disabling, enabling, locking out, or unlocking accounts; setting or changing a user account’s password; adding a security identifier (SID) to the SID History of a user account; configuring the Directory Services Restore Mode password; changing permissions on administrative user accounts; backing up or restoring Credential Manager credentials |
-| Detailed Tracking | Audit PNP Activity | Success | Audit when plug and play detects an external device |
-| Detailed Tracking | Audit Process Creation | Success | Audit events generated when a process is created or starts; the name of the application or user that created the process is also audited |
-| Logon/ Logoff | Audit Account Lockout | Failure | Audit events generated by a failed attempt to log on to an account that is locked out |
-| Logon/ Logoff | Audit Group Membership | Success | Audit the group membership information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. |
-| Logon/ Logoff | Audit Logon | Success and Failure | Audit events generated by user account logon attempts on the computer |
-| Logon/ Logoff | Audit Other Logon / Logoff Events | Success and Failure | Audit other logon/logoff-related events that are not covered in the “Logon/Logoff” policy setting, such as Terminal Services session disconnections, new Terminal Services sessions locking and unlocking a workstation, invoking or dismissing a screen saver, detection of a Kerberos replay attack, or access to a wireless network granted to a user or computer account |
-| Logon/ Logoff | Audit Special Logon | Success | Audit events generated by special logons such as the use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level, or a logon by a member of a Special Group (Special Groups enable you to audit events generated when a member of a certain group has logged on to your network) |
-| Object Access | Audit Detailed File Share | Failure | Audit attempts to access files and folders on a shared folder; the Detailed File Share setting logs an event every time a file or folder is accessed |
-| Object Access | Audit File Share | Success and Failure | Audit attempts to access a shared folder; an audit event is generated when an attempt is made to access a shared folder |
-| Object Access | Audit Other Object Access Events | Success and Failure | Audit events generated by the management of task scheduler jobs or COM+ objects |
-| Object Access | Audit Removable Storage | Success and Failure | Audit user attempts to access file system objects on a removable storage device. A security audit event is generated only for all objects for all types of access requested. |
-| Policy Change | Audit Audit Policy Change | Success | Audit changes in the security audit policy settings |
-| Policy Change | Audit Authentication Policy Change | Success | Audit events generated by changes to the authentication policy |
-| Policy Change | Audit MPSSVC Rule-Level Policy Change | Success and Failure | Audit events generated by changes in policy rules used by the Microsoft Protection Service (MPSSVC). This service is used by Windows Firewall. |
-| Policy Change | Audit Other Policy Change Events | Failure | Audit events generated by other security policy changes that are not audited in the policy change category, such as Trusted Platform Module (TPM) configuration changes, kernel-mode cryptographic self tests, cryptographic provider operations, cryptographic context operations or modifications, applied Central Access Policies (CAPs) changes, or boot Configuration Data (BCD) modifications |
-| Privilege Use | Audit Sensitive Privilege Use | Success and Failure | Audit events generated when sensitive privileges (user rights) are used |
-| System | Audit Other System Events | Success and Failure | Audit any of the following events: Startup and shutdown of the Windows Firewall service and driver, security policy processing by the Windows Firewall Service, cryptography key file and migration operations. |
-| System | Audit Security State Change | Success | Audit events generated by changes in the security state of the computer such as startup and shutdown of the computer, change of system time, recovering the system from CrashOnAuditFail, which is logged after a system restarts when the security event log is full and the CrashOnAuditFail registry entry is configured. |
-| System | Audit Security System Extension | Success | Audit events related to security system extensions or services |
-| System | Audit System Integrity | Success and Failure | Audit events that violate the integrity of the security subsystem |
-
-### Windows Defender Firewall Policies
-
-| Feature | Policy Setting | Policy Value | Description |
-|---------|----------------|--------------|-------------|
-| Domain Profile / State | Firewall State | On | Enables the firewall when connected to the domain profile |
-| Domain Profile / State | Inbound Connections | Block | Unsolicited inbound connections for which there is no rule allowing the connection will be blocked in the domain profile |
-| Domain Profile / State | Outbound Connections | Allow | Outbound connections for which there is no rule blocking the connection will be allowed in the domain profile |
-| Domain Profile / Settings | Display a notification | No | The display of notifications to the user is enabled when a program is blocked from receiving an inbound connection in the domain profile |
-| Domain Profile / Logging | Size Limit | 16384 | Sets the firewall log file size for a domain connection |
-| Domain Profile / Logging | Log dropped packets | Yes | Enables logging of dropped packets for a domain connection |
-| Domain Profile / Logging | Log successful connections | Yes | Enables logging of successful connections for a domain connection |
-| Private Profile / State | Firewall State | On | Enables the firewall when connected to the private profile |
-| Private Profile / State | Inbound Connections | Block | Unsolicited inbound connections for which there is no rule allowing the connection will be blocked in the private profile |
-| Private Profile / State | Outbound Connections | Allow | Outbound connections for which there is no rule blocking the connection will be allowed in the private profile |
-| Private Profile / Settings | Display a notification | No | The display of notifications to the user is enabled when a program is blocked from receiving an inbound connection in the private profile |
-| Private Profile / Logging | Size Limit | 16384 | Sets the firewall log file size for a private connection |
-| Private Profile / Logging | Log dropped packets | Yes | Enables logging of dropped packets for a private connection |
-| Private Profile / Logging | Log successful connections | Yes | Enables logging of successful connections for a private connection |
-| Public Profile / State | Firewall State | On | Enables the firewall when connected to the public profile |
-| Public Profile / State | Inbound Connections | Block | Unsolicited inbound connections for which there is no rule allowing the connection will be blocked in the public profile |
-| Public Profile / State | Outbound Connections | Allow | Outbound connections for which there is no rule blocking the connection will be allowed in the public profile |
-| Public Profile / Settings | Display a notification | No | The display of notifications to the user is enabled when a program is blocked from receiving an inbound connection in the public profile |
-| Public Profile / Settings | Apply local firewall rules | No  | Users cannot create new firewall rules |
-| Public Profile / Settings | Apply local connection security rules | No  | Ensures local connection rules will not be merged with Group Policy settings in the domain |
-| Public Profile / Logging | Size Limit | 16384 | Sets the firewall log file size for a public connection |
-| Public Profile / Logging | Log dropped packets | Yes | Enables logging of dropped packets for a public connection |
-| Public Profile / Logging | Log successful connections | Yes | Enables logging of successful connections for a public connection |
-
-### Computer Policies
-
-| Feature | Policy Setting | Policy Value | Description |
-|---------|----------------|--------------|-------------|
-| LAPS | Enable local admin password management | Enabled | Activates LAPS for the device |
-| MS Security Guide | Apply UAC restrictions to local accounts on network logon | Enabled | Filters the user account token for built-in administrator accounts for network logons |
-| MS Security Guide | Configure SMB v1 client driver  | Disable driver (recommended) | Configure the startup mode for the kernel mode driver that implements client-side SMBv1 processing (MrxSmb10). This setting includes a dropdown that is activated when the Enabled radio button is selected and that controls the “Start” registry value in HKLM\\SYSTEM\\CurrentControlSet\\Services\\MrxSmb10. |
-| MS Security Guide | Configure SMB v1 server | Disabled | Disable or enable server-side processing of the SMBv1 protocol |
-| MS Security Guide | Enabled Structured Exception Handling Overwrite Protection (SEHOP)| Enabled | This feature is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. This protection mechanism is provided at run-time. Therefore, it helps protect applications regardless of whether they have been compiled with the latest improvements, such as the /SAFESEH option. We recommend that Windows users who are running any of the above operating systems enable this feature to improve the security profile of their systems. |
-| MS Security Guide | NetBT NodeType Configuration | P-node (recommended) | The NetBT NodeType setting determines what methods NetBT uses to register and resolve names:
      - A B-node computer uses broadcasts.
      - A P-node computer uses only point-to-point name queries to a name server (WINS).
      - An M-node computer broadcasts first, and then queries the name server.
      - An H-node computer queries the name server first, and then broadcasts.
      Resolution through LMHOSTS or DNS follows these methods. If the NodeType value is present, it overrides any DhcpNodeType value.
      If neither NodeType nor DhcpNodeType is present, the computer uses B-node if there are no WINS servers configured for the network, or H-node if there is at least one WINS server configured. |
-| MS Security Guide | WDigest Authentication | Disabled | When the WDigest Authentication protocol is enabled, plain text passwords are stored in the Local Security Authority Subsystem Service (LSASS) exposing them to theft. WDigest is disabled by default in Windows 10. This setting ensures this is enforced. |
-| MSS | MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (Protects against packet spoofing) | Highest Protection, source routing is completely disabled | Allowing source routed network traffic allows attackers to obscure their identity and location. |
-| MSS | MSS: (DisableIPSourceRouting) IP source routing protection level (Protects against packet spoofing) | Highest Protection, source routing is completely disabled | Allowing source routed network traffic allows attackers to obscure their identity and location. |
-| MSS | MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes | Disabled | Allowing ICMP redirect of routes can lead to traffic not being routed properly. When disabled, this forces ICMP to be routed via shortest path first. |
-| MSS | MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | Enabled | Prevents a denial-of-service (DoS) attack against a WINS server. The DoS consists of sending a NetBIOS Name Release Request to the server for each entry in the server's cache, causing a response delay in the normal operation of the server's WINS resolution capability. |
-| Network / DNS Client | Turn off multicast name resolution | Enabled | Specifies that link local multicast name resolution (LLMNR) is disabled on client computers.
      LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR does not require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution is not possible.
      If you enable this policy setting, LLMNR will be disabled on all available network adapters on the client computer.
      If you disable this policy setting, or you do not configure this policy setting, LLMNR will be enabled on all available network adapters.|
-| Network / Lanman Workstation | Enable insecure guest logons | Disabled | Determines if the SMB client will allow insecure guest logons to an SMB server |
-| Network / Network Connections | Prohibit use of Internet Connection Sharing on your DNS domain network | Enabled | Determines whether administrators can enable and configure the Internet Connection Sharing (ICS) feature of an Internet connection and if the ICS service can run on the computer. |
-| Network / Network Provider | Hardened UNC Paths | \\\\\*\\SYSVOL and \\\\\*\\NETLOGON RequireMutualAuthentication = 1, RequireIntegrity = 1 | This policy setting configures secure access to UNC paths. If you enable this policy, Windows only allows access to the specified UNC paths after fulfilling additional security requirements. |
-| Network / Windows Connection Manager | Prohibit connection to non-domain networks when connected to domain authenticated network | Enabled | This policy setting prevents computers from connecting to both a domain-based network and a non-domain-based network at the same time. |
-| System / Credentials Delegation | Encryption Oracle Remediation | Force Updated Clients | Encryption Oracle Remediation |
-| System / Credentials Delegation | Remote host allows delegation of non-exportable credentials | Enabled | When using credential delegation, devices provide an exportable version of credentials to the remote host. This exposes users to the risk of credential theft from attackers on the remote host. If you enable this policy setting, the host supports Restricted Admin or Remote Credential Guard mode. |
-| System / Device Installation / Device Installation Restrictions  | Prevent installation of devices that match any of these device IDs  | [[[main setting]]] = Enabled 
       Also apply to matching devices that are already installed = True 
       1 = PCI\CC_0C0A  | This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. if you enable this policy setting, Windows is prevented from installing a device whose hardware ID or compatible ID appears in a list that you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings.  |
-| System / Device Installation / Device Installation Restrictions  | Prevent installation of devices using drivers that match these device setup classes | [[[main setting]]] = Enabled 
       Also apply to matching devices that are already installed = True 
       1 = {d48179be-ec20-11d1-b6b8-00c04fa372a7}  | This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. if you enable this policy setting, Windows is prevented from installing or updating device drivers whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings.  |
-| System / Early Launch Antimalware | Boot-Start Driver Initialization Policy | Good, unknown and bad but critical | Allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver:
      - Good: The driver has been signed and has not been tampered with.
      - Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized.
      - Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver.
      - Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver.
      If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is started.
      If you disable or do not configure this policy setting, the boot start drivers determined to be Good, Unknown or Bad but Boot Critical are initialized and the initialization of drivers determined to be Bad is skipped.
      If your malware detection application does not include an Early Launch Antimalware boot-start driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized. |
-| System / Group Policy | Configure registry policy processing | Process even if the Group Policy objects have not changed = True
      Do not apply during periodic background processing = False | Determines when registry policies are updated.
      This policy setting affects all policies in the Administrative Templates folder and any other policies that store values in the registry. It overrides customized settings that the program implementing a registry policy set when it was installed.
      If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or do not configure this policy setting, it has no effect on the system.
      The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. 
      The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it. |
-| System / Internet Communication Management / Internet Communication settings| Turn off Internet download for Web publishing and online ordering wizards | Enabled | This policy setting specifies whether Windows should download a list of providers for the web publishing and online ordering wizards. These wizards allow users to select from a list of companies that provide services such as online storage and photographic printing. By default, Windows displays providers downloaded from a Windows website in addition to providers specified in the registry. |
-| System / Kernel DMA Protection | Enumeration policy for external devices incompatible with Kernel DMA Protection | Block all | Enumeration policy for external DMA-capable devices incompatible with DMA remapping. This policy only takes effect when Kernel DMA Protection is enabled and supported by the system. Note: this policy does not apply to 1394, PCMCIA or ExpressCard devices. |
-| System / Power Management / Sleep Settings | Require a password when a computer wakes (on battery) | Enabled | Specifies whether the user is prompted for a password when the system resumes from sleep |
-| System / Power Management / Sleep Settings | Require a password when a computer wakes (plugged in) | Enabled | Specifies whether the user is prompted for a password when the system resumes from sleep |
-| System / Remote Procedure Call | Restrict Unauthenticated RPC clients | Authenticated | Controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers. |
-| System / Service Control Manager Settings / Security Settings | Enable svchost.exe mitigation options | Enabled | Enables process mitigation options on svchost.exe processes.
      If you enable this policy setting, built-in system services hosted in svchost.exe processes will have stricter security policies enabled on them. This includes a policy requiring all binaries loaded in these processes to be signed by microsoft, as well as a policy disallowing dynamically-generated code.
      If you disable or do not configure this policy setting, these stricter security settings will not be applied. |
-| Windows Components / App runtime | Allow Microsoft accounts to be optional | Enabled | Lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it. |
-| Windows Components / AutoPlay Policies | Disallow Autoplay for non-volume devices | Enabled | Disallows AutoPlay for MTP devices like cameras or phones. |
-| Windows Components / AutoPlay Policies | Set the default behavior for AutoRun | Do not execute any autorun commands | Sets the default behavior for Autorun commands. |
-| Windows Components / AutoPlay Policies | Turn off Autoplay | All Drives | Allows you to turn off the Autoplay feature. |
-| Windows Components / Biometrics / Facial Features | Configure enhanced anti-spoofing | Enabled | Determines whether enhanced anti-spoofing is required for Windows Hello face authentication |
-| Windows Components / BitLocker Drive Encryption | Disable new DMA devices when this computer is locked | Enabled | Allows you to block direct memory access (DMA) for all Thunderbolt hot pluggable PCI downstream ports until a user logs into Windows |
-| Windows Components / BitLocker Drive Encryption / Operating System Drives | Allow enhanced PINs for startup | Enabled | Allows you to configure whether enhanced startup PINs are used with BitLocker |
-| Windows Components / Event Log Service / Application | Specify the maximum log file size (KB) | 32768 | Specifies the maximum size of the log file in kilobytes. |
-| Windows Components / Event Log Service / Security | Specify the maximum log file size (KB) | 196608 | Specifies the maximum size of the log file in kilobytes. |
-| Windows Components / Event Log Service / System | Specify the maximum log file size (KB) | Enabled: 32768 | Specifies the maximum size of the log file in kilobytes. |
-| Windows Components / File Explorer | Configure Windows Defender SmartScreen | [[[main setting]]] = Enabled 
       Pick one of the following settings = Warn and prevent bypass | Configure whether to turn on Windows Defender SmartScreen to provide warning messages to help protect your employees from potential phishing scams and malicious software|
-| Windows Components / Internet Explorer | Prevent managing SmartScreen Filter | On | Prevents the user from managing SmartScreen Filter, which warns the user if the website being visited is known for fraudulent attempts to gather personal information through "phishing," or is known to host malware. |
-| Windows Components / Internet Explorer | Specify use of ActiveX Installer Service for installation of ActiveX controls | Enabled | This policy setting allows you to specify how ActiveX controls are installed. If you enable this policy setting, ActiveX controls are installed only if the ActiveX Installer Service is present and has been configured to allow the installation of ActiveX controls. If you disable or do not configure this policy setting, ActiveX controls, including per-user controls, are installed through the standard installation process. |
-| Windows Components / Internet Explorer | Turn off the Security Settings Check feature | Disabled | This policy setting turns off the Security Settings Check feature, which checks Internet Explorer security settings to determine when the settings put Internet Explorer at risk. If you enable this policy setting, the feature is turned off. If you disable or do not configure this policy setting, the feature is turned on. |
-| Windows Components / Internet Explorer / Internet Control Panel | Prevent ignoring certificate errors | Enabled | This policy setting prevents the user from ignoring Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate errors that interrupt browsing (such as "expired", "revoked", or "name mismatch" errors) in Internet Explorer. |
-| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page | Allow software to run or install even if the signature is invalid | Disabled | This policy setting allows you to manage whether software, such as ActiveX controls and file downloads, can be installed or run by the user even though the signature is invalid. An invalid signature might indicate that someone has tampered with the file. |
-| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page | Check for server certificate revocation | Enabled | Allows you to manage whether Internet Explorer will check revocation status of servers' certificates |
-| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page | Check for signatures on downloaded programs | Enabled | This policy setting allows you to manage whether Internet Explorer checks for digital signatures (which identifies the publisher of signed software and verifies it hasn't been modified or tampered with) on user computers before downloading executable programs. |
-| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page | Turn off encryption support | Use TLS 1.1 and TLS 1.2 | This policy setting allows you to turn off support for Transport Layer Security (TLS) 1.0, TLS 1.1, TLS 1.2, Secure Sockets Layer (SSL) 2.0, or SSL 3.0 in the browser. TLS and SSL are protocols that help protect communication between the browser and the target server. When the browser attempts to set up a protected communication with the target server, the browser and server negotiate which protocol and version to use. The browser and server attempt to match each other’s list of supported protocols and versions, and they select the most preferred match. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page | Turn on certificate address mismatch warning | Enabled | This policy setting allows you to turn on the certificate address mismatch security warning. When this policy setting is turned on, the user is warned when visiting Secure HTTP (HTTPS) websites that present certificates issued for a different website address. This warning helps prevent spoofing attacks. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Access data sources across domains | Disable | This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow cut copy or paste operations from the clipboard via script | Disable | This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow drag and drop or copy and paste files | Disable | This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow loading of XAML files  | Disable | This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take advantage of the Windows Presentation Foundation. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow only approved domains to use ActiveX controls without prompt  | Enable  | This policy setting controls whether the user is prompted to allow ActiveX controls to run on websites other than the website that installed the ActiveX control. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow only approved domains to use the TDC ActiveX control  | Enable  | This policy setting controls whether the user can run the TDC ActiveX control on websites. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow scripting of Internet Explorer WebBrowser controls  | Disable | This policy setting determines whether a page can control embedded WebBrowser controls via script.  |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow script-initiated windows without size or position constraints  | Disable | This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and status bars.  |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow scriptlets  | Disable | This policy setting allows you to manage whether the user can run scriptlets.  |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow updates to status bar via script  | Disable | This policy setting allows you to manage whether script can update the status bar within the zone. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow VBScript to run in Internet Explorer | Disable | This policy setting allows you to manage whether VBScript can be run on pages from the specified zone in Internet Explorer. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Automatic prompting for file downloads | Disable | This policy setting determines whether users will be prompted for non-user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Don't run antimalware programs against ActiveX controls | Disable | Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Download unsigned ActiveX controls | Disable | This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Enable dragging of content from different domains across windows | Disable | This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in different windows. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Enable dragging of content from different domains within a window | Disable | This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in the same window. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Include local path when user is uploading files to a server | Disable | This policy setting controls whether local path information is sent when the user is uploading a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Initialize and script ActiveX controls not marked as safe | Disable | This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Java permissions | Disable Java | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Disable Java to prevent any applets from running. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Launching applications and files in an IFRAME | Disable | This policy setting allows you to manage whether applications may be run, and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Logon options | Prompt for user name and password | This policy setting allows you to manage settings for logon options. Prompt for user name and password to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Navigate windows and frames across different domains  | Disable | This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.  |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Run .NET Framework-reliant components not signed with Authenticode | Disable | This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Run .NET Framework-reliant components signed with Authenticode | Enabled: Disable | This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Show security warning for potentially unsafe files | Prompt | This policy setting controls whether the "Open File - Security Warning" message appears when the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example). |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Turn on Cross-Site Scripting Filter | Enabled: Enable | Controls whether the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into websites in this zone. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Turn on Protected Mode | Enable | Allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Turn on SmartScreen Filter scan | Enable | Controls whether SmartScreen Filter scans pages in this zone for malicious content. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Use Pop-up Blocker | Enabled: Enable | Allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Userdata persistence | Disable | This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Web sites in less privileged Web content zones can navigate into this zone  | Disable | This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Intranet Zone | Don't run antimalware programs against ActiveX controls | Enabled: Disable | Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Intranet Zone | Initialize and script ActiveX controls not marked as safe | Enabled: Disable | This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Intranet Zone | Java permissions | Enabled: High Safety | Allows you to manage permissions for Java applets. High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Local Machine Zone | Don't run antimalware programs against ActiveX controls | Disable | Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Local Machine Zone | Java permissions | Disable Java | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Disable Java to prevent any applets from running. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-down Internet Zone | Turn on SmartScreen Filter scan | Enable | Controls whether SmartScreen Filter scans pages in this zone for malicious content. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-Down Intranet Zone | Java permissions | Disable Java | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Disable Java to prevent any applets from running. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-Down Local Machine Zone | Java permissions | Disable Java | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Disable Java to prevent any applets from running. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-Down Restricted Sites Zone | Java permissions | Disable Java | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Disable Java to prevent any applets from running. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-Down Restricted Sites Zone | Turn on SmartScreen Filter scan | Enabled: Enable | Controls whether SmartScreen Filter scans pages in this zone for malicious content. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-Down Trusted Sites Zone | Java permissions | Disable Java | Allows you to configure policy settings according to the default for the selected security level, such Low, Medium, or High. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Access data sources across domains | Enabled: Disable | This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow active scripting | Disable | This policy setting allows you to manage whether script code on pages in the zone is run. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow binary and script behaviors | Disable | This policy setting allows you to manage dynamic binary and script behaviors: components that encapsulate specific functionality for HTML elements to which they were attached. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow cut copy or paste operations from the clipboard via script | Enabled: Disable | This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow drag and drop or copy and paste files | Disable | This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow file downloads | Disable | This policy setting allows you to manage whether file downloads are permitted from the zone. This option is determined by the zone of the page with the link causing the download, not the zone from which the file is delivered. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow loading of XAML files | Disable | This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take advantage of the Windows Presentation Foundation. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow META REFRESH | Disable | This policy setting allows you to manage whether a user's browser can be redirected to another Web page if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow only approved domains to use ActiveX controls without prompt | Enable | This policy setting controls whether the user is prompted to allow ActiveX controls to run on websites other than the website that installed the ActiveX control. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow only approved domains to use the TDC ActiveX control | Enable | This policy setting controls whether the user can run the TDC ActiveX control on websites. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow scripting of Internet Explorer WebBrowser controls | Disable | This policy setting determines whether a page can control embedded WebBrowser controls via script. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow script-initiated windows without size or position constraints | Enabled: Disable | This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and status bars. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow scriptlets | Disable | This policy setting allows you to manage whether the user can run scriptlets. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow updates to status bar via script | Disable | This policy setting allows you to manage whether script can update the status bar within the zone. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow VBScript to run in Internet Explorer | Disable | This policy setting allows you to manage whether VBScript can be run on pages from the specified zone in Internet Explorer. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Automatic prompting for file downloads | Disable | This policy setting determines whether users will be prompted for non-user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Don't run antimalware programs against ActiveX controls | Disable | Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Download signed ActiveX controls | Disable | This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Download unsigned ActiveX controls | Disable | This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Enable dragging of content from different domains across windows | Disable | This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in different windows. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Enable dragging of content from different domains within a window | Disable | This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in the same window. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Include local path when user is uploading files to a server | Disable | This policy setting controls whether local path information is sent when the user is uploading a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Initialize and script ActiveX controls not marked as safe | Disable | This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Java permissions | Disable Java | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Disable Java to prevent any applets from running. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Launching applications and files in an IFRAME | Disable | This policy setting allows you to manage whether applications may be run, and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Logon options | Anonymous logon | This policy setting allows you to manage settings for logon options. Anonymous logon to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Navigate windows and frames across different domains | Enabled: Disable | This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Run .NET Framework-reliant components not signed with Authenticode | Disable | This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Run .NET Framework-reliant components signed with Authenticode | Enabled: Disable | This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Run ActiveX controls and plugins | Enabled: Disable | This policy setting allows you to manage whether ActiveX controls and plug-ins can be run on pages from the specified zone. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Script ActiveX controls marked safe for scripting | Disable | This policy setting allows you to manage whether an ActiveX control marked safe for scripting can interact with a script. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Scripting of Java applets | Disable | This policy setting allows you to manage whether applets are exposed to scripts within the zone. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Show security warning for potentially unsafe files | Disable | This policy setting controls whether the "Open File - Security Warning" message appears when the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example). If you disable this policy setting, these files do not open. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Turn on Cross-Site Scripting Filter | Enable | Controls whether the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into websites in this zone. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Turn on Protected Mode | Enable | Allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Turn on SmartScreen Filter scan | Enabled: Enable | Controls whether SmartScreen Filter scans pages in this zone for malicious content. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Use Pop-up Blocker | Enable      | Allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Userdata persistence | Disable | This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Web sites in less privileged Web content zones can navigate into this zone | Disable | This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Trusted Sites Zone | Don't run antimalware programs against ActiveX controls | Disable | Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Trusted Sites Zone | Initialize and script ActiveX controls not marked as safe | Disable | This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Trusted Sites Zone | Java permissions | High Safety | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. High Safety enables applets to run in their sandbox. |
-| Windows Components / Internet Explorer / Security Features | Allow fallback to SSL 3.0 (Internet Explorer) | No sites | Allows you to block an insecure fallback to SSL 3.0. When this policy is enabled, Internet Explorer will attempt to connect to sites using SSL 3.0 or below when TLS 1.0 or greater fails. |
-| Windows Components / Internet Explorer / Security Features / Add-on Management | Remove "Run this time" button for outdated ActiveX controls in Internet Explorer | Enabled | This policy setting allows you to stop users from seeing the "Run this time" button and from running specific outdated ActiveX controls in Internet Explorer. |
-| Windows Components / Internet Explorer / Security Features / Add-on Management | Turn off blocking of outdated ActiveX controls for Internet Explorer | Disabled | This policy setting determines whether Internet Explorer blocks specific outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone. |
-| Windows Components / Internet Explorer / Security Features / Consistent Mime Handling | Internet Explorer Processes | Enabled | Internet Explorer uses Multipurpose Internet Mail Extensions (MIME) data to determine file handling procedures for files received through a Web server. This policy setting determines whether Internet Explorer requires that all file-type information provided by Web servers be consistent. For example, if the MIME type of a file is text/plain but the MIME sniff indicates that the file is really an executable file, Internet Explorer renames the file by saving it in the Internet Explorer cache and changing its extension. If you enable this policy setting, Internet Explorer requires consistent MIME data for all received files. |
-| Windows Components / Internet Explorer / Security Features / Mime Sniffing Safety Feature | Internet Explorer Processes | Enabled | This policy setting determines whether Internet Explorer MIME sniffing will prevent promotion of a file of one type to a more dangerous file type. If you enable this policy setting, MIME sniffing will never promote a file of one type to a more dangerous file type. |
-| Windows Components / Internet Explorer / Security Features / MK Protocol Security Restriction | Internet Explorer Processes | Enabled | The MK Protocol Security Restriction policy setting reduces attack surface area by preventing the MK protocol. Resources hosted on the MK protocol will fail. If you enable this policy setting, the MK Protocol is prevented for File Explorer and Internet Explorer, and resources hosted on the MK protocol will fail. |
-| Windows Components / Internet Explorer / Security Features / Notification Bar | Internet Explorer Processes | Enabled | This policy setting allows you to manage whether the Notification bar is displayed for Internet Explorer processes when file or code installs are restricted. By default, the Notification bar is displayed for Internet Explorer processes. If you enable this policy setting, the Notification bar will be displayed for Internet Explorer Processes. |
-| Windows Components / Internet Explorer / Security Features / Protection from Zone Elevation | Internet Explorer Processes | Enabled | Internet Explorer places restrictions on each Web page it opens. The restrictions are dependent upon the location of the Web page (Internet, Intranet, Local Machine zone, etc.). Web pages on the local computer have the fewest security restrictions and reside in the Local Machine zone, making the Local Machine security zone a prime target for malicious users. Zone Elevation also disables JavaScript navigation if there is no security context. If you enable this policy setting, any zone can be protected from zone elevation by Internet Explorer processes. |
-| Windows Components / Internet Explorer / Security Features / Restrict ActiveX Install | Internet Explorer Processes | Enabled | This policy setting enables blocking of ActiveX control installation prompts for Internet Explorer processes. If you enable this policy setting, prompting for ActiveX control installations will be blocked for Internet Explorer processes. |
-| Windows Components / Internet Explorer / Security Features / Restrict File Download | Internet Explorer Processes | Enabled | This policy setting enables blocking of file download prompts that are not user initiated. If you enable this policy setting, file download prompts that are not user initiated will be blocked for Internet Explorer processes. |
-| Windows Components / Internet Explorer / Security Features / Scripted Window Security Restrictions | Internet Explorer Processes | Enabled | Internet Explorer allows scripts to programmatically open, resize, and reposition windows of various types. The Window Restrictions security feature restricts popup windows and prohibits scripts from displaying windows in which the title and status bars are not visible to the user or obfuscate other Windows' title and status bars. If you enable this policy setting, popup windows and other restrictions apply for File Explorer and Internet Explorer processes. |
-| Windows Components / Microsoft Edge | Configure Windows Defender SmartScreen | Enabled | Configures whether to turn on Windows Defender SmartScreen. Windows Defender SmartScreen provides warning messages to help protect your employees from potential phishing scams and malicious software. By default, Windows Defender SmartScreen is turned on. If you enable this setting, Windows Defender SmartScreen is turned on and employees can't turn it off. If you disable this setting, Windows Defender SmartScreen is turned off and employees can't turn it on. If you don't configure this setting, employees can choose whether to use Windows Defender SmartScreen. |
-| Windows Components / Microsoft Edge | Prevent certificate error overrides | Enabled | Web security certificates are used to ensure a site your users go to is legitimate, and in some circumstances encrypts the data. With this policy, you can specify whether to prevent users from bypassing the security warning to sites that have SSL errors. If enabled, overriding certificate errors are not allowed. If disabled or not configured, overriding certificate errors are allowed. |
-| Windows Components / Remote Desktop Services / Remote Desktop Connection Client | Do not allow passwords to be saved | Enabled | Controls whether passwords can be saved on this computer from Remote Desktop Connection. |
-| Windows Components / Remote Desktop Services / Remote Desktop Session Host / Security | Always prompt for password upon connection | Enabled | This policy setting specifies whether Remote Desktop Services always prompts the client for a password upon connection. You can use this setting to enforce a password prompt for users logging on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client. |
-| Windows Components / Remote Desktop Services / Remote Desktop Session Host / Security | Require secure RPC communication | Enabled | Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication. |
-| Windows Components / Remote Desktop Services / Remote Desktop Session Host / Security | Set client connection encryption level | High Level | Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption. |
-| Windows Components / RSS Feeds | Prevent downloading of enclosures | Enabled | This policy setting prevents the user from having enclosures (file attachments) downloaded from a feed to the user's computer. if you enable this policy setting, the user cannot set the Feed Sync Engine to download an enclosure through the Feed property page. A developer cannot change the download setting through the Feed APIs. If you disable or do not configure this policy setting, the user can set the Feed Sync Engine to download an enclosure through the Feed property page. A developer can change the download setting through the Feed APIs. |
-| Windows Components / Search | Allow indexing of encrypted files | Disabled | This policy setting allows encrypted items to be indexed. if you enable this policy setting, indexing will attempt to decrypt and index the content (access restrictions will still apply). If you disable this policy setting the search service components (including non-Microsoft components) are expected not to index encrypted items or encrypted stores. This policy setting is not configured by default. If you do not configure this policy setting the local setting configured through Control Panel will be used. By default, the Control Panel setting is set to not index encrypted content. When this setting is enabled or disabled the index is rebuilt completely. Full volume encryption (such as BitLocker Drive Encryption or a non-Microsoft solution) must be used for the location of the index to maintain security for encrypted files. |
-| Windows Components / Windows Defender Antivirus / MAPS | Join Microsoft MAPS | Advanced MAPS | Allows you to join Microsoft MAPS. Microsoft MAPS is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. |
-| Windows Components / Windows Defender Antivirus | Turn off Windows Defender Antivirus | Disabled | Turns off Windows Defender Antivirus |
-| Windows Components / Windows Defender Antivirus / MAPS | Send file samples when further analysis is required | Enabled: Send safe samples | Configures behavior of samples submission when opt-in for MAPS telemetry is set |
-| Windows Components / Windows Defender Antivirus / Real-time Protection | Turn off real-time protection | Disabled | Turns off real-time protection prompts for known malware detection |
-| Windows Components / Windows Defender Antivirus / Real-time Protection | Turn on behavior monitoring | Enabled | Allows you to configure behavior monitoring. |
-| Windows Components / Windows Defender Antivirus / Scan | Scan removable drives | Enabled | Allows you to manage whether to scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when running a full scan. |
-| Windows Components / Windows Defender Antivirus / Scan | Specify the interval to run quick scans per day | 24 | Allows you to specify an interval at which to perform a quick scan. The time value is represented as the number of hours between quick scans. Valid values range from 1 (every hour) to 24 (once per day). |
-| Windows Components / Windows Defender SmartScreen / Explorer | Configure Windows Defender SmartScreen | [[[main setting]]] = Enabled 
       Pick one of the following settings = Warn and prevent bypass | Turn Windows Defender SmartScreen on or off. SmartScreen helps protect PCs by warning users before running potentially malicious programs downloaded from the Internet. This warning is presented as an interstitial dialog shown before running an app that has been downloaded from the Internet and is unrecognized or known to be malicious. No dialog is shown for apps that do not appear to be suspicious. Some information is sent to Microsoft about files and programs run on PCs with this feature enabled. If you enable this policy, SmartScreen will be turned on for all users.  Its behavior can be controlled by the following options: 
      - Warn and prevent bypass
      - Warn
      If you enable this policy with the "Warn and prevent bypass" option, SmartScreen's dialogs will not present the user with the option to disregard the warning and run the app. SmartScreen will continue to show the warning on subsequent attempts to run the app. If you enable this policy with the "Warn" option, SmartScreen's dialogs will warn the user that the app appears suspicious, but will permit the user to disregard the warning and run the app anyway.  SmartScreen will not warn the user again for that app if the user tells SmartScreen to run the app. If you disable this policy, SmartScreen will be turned off for all users.  Users will not be warned if they try to run suspicious apps from the Internet. If you do not configure this policy, SmartScreen will be enabled by default, but users may change their settings. |
-| Windows Components / Windows Defender SmartScreen / Microsoft Edge | Configure Windows Defender SmartScreen | Enabled | Turn Windows Defender SmartScreen on or off. SmartScreen helps protect PCs by warning users before running potentially malicious programs downloaded from the Internet. This warning is presented as an interstitial dialog shown before running an app that has been downloaded from the Internet and is unrecognized or known to be malicious. No dialog is shown for apps that do not appear to be suspicious. Some information is sent to Microsoft about files and programs run on PCs with this feature enabled. If you enable this policy, SmartScreen will be turned on for all users. |
-| Windows Components / Windows Ink Workspace | Allow Windows Ink Workspace | On, but disallow access above lock | Allow Windows Ink Workspace |
-| Windows Components / Windows Installer | Allow user control over installs | Disabled | Permits users to change installation options that typically are available only to system administrators |
-| Windows Components / Windows Installer | Always install with elevated privileges | Disabled | Directs Windows Installer to use elevated permissions when it installs any program on the system |
-| Windows Components / Windows Logon Options | Sign-in last interactive user automatically after a system-initiated restart | Disabled | Controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system |
-| Windows Components / Windows PowerShell | Turn on PowerShell Script Block Logging | Enabled | This policy setting enables logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event log. |
-| Windows Components / Windows Remote Management (WinRM) / WinRM Client | Allow Basic authentication | Disabled | This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication. |
-| Windows Components / Windows Remote Management (WinRM) / WinRM Client | Allow unencrypted traffic | Disabled | Manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network |
-| Windows Components / Windows Remote Management (WinRM) / WinRM Client | Disallow Digest authentication | Enabled | This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Digest authentication. |
-| Windows Components / Windows Remote Management (WinRM) / WinRM Service | Allow Basic authentication | Disabled | This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client. |
-| Windows Components / Windows Remote Management (WinRM) / WinRM Service | Allow unencrypted traffic | Disabled | Manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network. |
-| Windows Components / Windows Remote Management (WinRM) / WinRM Service | Disallow WinRM from storing RunAs credentials | Enabled | This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will not allow RunAs credentials to be stored for any plug-ins. |
-
-
-## Controls
-
-The controls enabled in level 1 enforce a reasonable security level while minimizing the impact to users and applications. 
-
-| Feature                           | Config                              | Description        |
-|-----------------------------------|-------------------------------------|--------------------|
-| [Local Admin Password Solution (LAPS)](https://www.microsoft.com/download/details.aspx?id=46899) | Deployed to all devices | Generates a unique local admin password to devices, mitigating many lateral traversal attacks. |
-| [Windows Defender ATP EDR](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response)          | Deployed to all devices             | The Windows Defender ATP endpoint detection and response (EDR) provides actionable and near real-time detection of advanced attacks. EDR helps security analysts , and aggregates alerts with the same attack techniques or attributed to the same attacker into an entity called an *incident*. An incident helps analysts prioritize alerts, collectively investigate the full scope of a breach, and respond to threats. Windows Defender ATP EDR is not expected to impact users or applications, and it can be deployed to all devices in a single step.      |
-| [Windows Defender Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard)                 | Enabled for all compatible hardware | Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Windows Defender Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets (TGTs), and credentials stored by applications as domain credentials. There is a small risk to application compatibility, as [applications will break](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-requirements#application-requirements) if they require NTLMv1, Kerberos DES encryption, Kerberos unconstrained delegation, or extracting the Keberos TGT. As such, Microsoft recommends deploying Credential Guard using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates).  |   
-| [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/)                    | Default browser                     | Microsoft Edge in Windows 10 provides better security than Internet Explorer 11 (IE11). While you may still need to leverage IE11 for compatibility with some sites, Microsoft recommends configuring Microsoft Edge as the default browser, and building an Enterprise Mode Site List to redirect to IE11 only for those sites that require it. Microsoft recommends leveraging either Windows Analytics or Enterprise Site Discovery to build the initial Enterprise Mode Site List, and then gradually deploying this configuration using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates).   |
-| [Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) | Enabled on compatible hardware      | Windows Defender Application Guard uses a hardware isolation approach. If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated container, which is separate from the host operating system and enabled by Hyper-V. If the untrusted site turns out to be malicious, the isolated container protects the host PC, and the attacker can't get to your enterprise data. There is a small risk to application compatibility, as some applications may require interaction with the host PC but may not yet be on the list of trusted web sites for Application Guard. Microsoft recommends leveraging either Windows Analytics or Enterprise Site Discovery to build the initial Network Isolation Settings, and then gradually deploying this configuration using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). |
-| [Network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard) | Configure and enforce Network Protection              | Network protection helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. It expands the scope of Windows Defender SmartScreen to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname). There is a risk to application compatibility, as a result of false positives in flagged sites. Microsoft recommends deploying using the Audit / Enforce Methodology. |
-
-
-## Behaviors
-
-The behaviors recommended in level 1 enforce a reasonable security level while minimizing the impact to users or to applications.
-
-| Feature | Config            | Description |
-|---------|-------------------|-------------|
-| OS security updates | Deploy Windows Quality Updates within 7 days of release | As the time between the release of a patch and an exploit based on the reverse engineering of that patch continues to shrink, a critical aspect of security hygiene is having an engineering process that quickly validates and deploys Quality Updates that address security vulnerabilities. |
-
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/level-2-enterprise-enhanced-security.md b/windows/security/threat-protection/windows-security-configuration-framework/level-2-enterprise-enhanced-security.md
deleted file mode 100644
index f66320e362..0000000000
--- a/windows/security/threat-protection/windows-security-configuration-framework/level-2-enterprise-enhanced-security.md
+++ /dev/null
@@ -1,130 +0,0 @@
----
-title: Level 2 enterprise enhanced security configuration
-description: Describes the policies, controls, and organizational behaviors for Windows security configuration framework level 2 enterprise security configuration.
-keywords: virtualization, security, malware
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.author: cjacks
-author: appcompatguy
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.date: 05/29/2019
----
-
-# Level 2 enterprise enhanced security configuration
-
-**Applies to**  
-
--   Windows 10
-
-Level 2 is the security configuration recommended as a standard for devices where users access more sensitive information. These devices are a natural target in enterprises today. While targeting high levels of security, these recommendations do not assume a large staff of highly skilled security practitioners, and therefore should be accessible to most enterprise organizations.
-A level 2 configuration should include all the configurations from level 1 and add the following security policies, controls, and organizational behaviors.
-
-## Hardware
-
-Devices targeting level 2 should support all level 1 features, and add the following hardware features:
-
-- [Virtualization and HVCI Enabled](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-vbs)
-- [Drivers and Apps HVCI-Ready](https://docs.microsoft.com/windows-hardware/test/hlk/testref/driver-compatibility-with-device-guard)
-- [Windows Hello](https://docs.microsoft.com/windows-hardware/design/device-experiences/windows-hello-biometric-requirements)
-- [DMA I/O Protection](https://docs.microsoft.com/windows/security/information-protection/kernel-dma-protection-for-thunderbolt) 
-
-## Policies
-
-The policies enforced in level 2 include all of the policies recommended for level 1 and adds the
-below policies to implement more controls and a more sophisticated security
-configuration than level 1. While they may have a slightly higher impact to
-users or to applications, they enforce a level of security more commensurate
-with the risks facing users with access to sensitive information. Microsoft
-recommends using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates) for these security configurations and
-controls, with a moderate timeline that is anticipated to be slightly longer
-than the process in level 1.
-
-### Security Template Policies
-
-| Feature | Policy Setting | Policy Value | Description |
-|---------|----------------|--------------|-------------|
-| Security Options | User Account Control: Behavior of the elevation prompt for standard users  | Automatically deny elevation requests | This policy setting controls the behavior of the elevation prompt for standard users. Automatically deny elevation requests: When an operation requires elevation of privilege, an access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls.  |
-| User Rights Assignments | Deny access to this computer from the network | NT AUTHORITY\\Local Account | Determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access this computer from the network policy setting if a user account is subject to both policies. |
-| User Rights Assignments | Deny log on through Remote Desktop Services | NT AUTHORITY\\Local Account | Determines which users and groups are prohibited from logging on as a Remote Desktop Services client. |
-
-### Computer Policies
-
-| Feature | Policy Setting | Policy Value | Description |
-|---------|----------------|--------------|-------------|
-| Control Panel / Personalization | Prevent enabling lock screen camera | Enabled | Disables the lock screen camera toggle switch in PC Settings and prevents a camera from being invoked on the lock screen. By default, users can enable invocation of an available camera on the lock screen. If you enable this setting, users will no longer be able to enable or disable lock screen camera access in PC Settings and the camera cannot be invoked on the lock screen. |
-| Network / WLAN Service / WLAN Settings | Allow Windows to automatically connect to suggested open hotspots to networks shared by contacts and to hotspots offering paid services | Disabled | This policy setting determines whether users can enable the following WLAN settings: "Connect to suggested open hotspots," "Connect to networks shared by my contacts," and "Enable paid services". |
-| System / Device Guard | Turn on Virtualization Based Security | - [[[main setting]]] = Enabled 
       - Virtualization Based Protection of Code Integrity = Enabled with UEFI lock 
       - Credential Guard Configuration = Enabled with UEFI lock 
       - Select Platform Security Level = Secure Boot 
       - Secure Launch Configuration = Enabled 
       - Require UEFI Memory Attributes Table = False | Specifies whether Virtualization Based Security is enabled. Virtualization Based Security uses the Windows Hypervisor to provide support for security services. Virtualization Based Security requires Secure Boot and can optionally be enabled with the use of DMA Protections. DMA protections require hardware support and will only be enabled on correctly configured devices. |
-| System / Internet Communication Management / Internet Communication settings | Turn off downloading of print drivers over HTTP | Enabled | This policy setting specifies whether to allow this client to download print driver packages over HTTP. To set up HTTP printing non-inbox drivers need to be downloaded over HTTP. Note: This policy setting does not prevent the client from printing to printers on the Intranet or the Internet over HTTP. It only prohibits downloading drivers that are not already installed locally. if you enable this policy setting, print drivers cannot be downloaded over HTTP. If you disable or do not configure this policy setting, users can download print drivers over HTTP. |
-| System / Logon | Turn on convenience PIN sign-in | Disabled | This policy setting allows you to control whether a domain user can sign in using a convenience PIN. |
-| System / Remote Assistance | Configure Solicited Remote Assistance | - [[[main setting]]] = Disabled 
       - Maximum ticket time (value) = [[[delete]]] 
       - Maximum ticket time (units) = [[[delete]]] 
       - Method for sending email invitations = [[[delete]]] 
       - Permit remote control of this computer = [[[delete]]] | This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. |
-| Windows Components / App Privacy | Let Windows apps activate with voice while the system is locked | Force Deny | Specifies whether Windows apps can be activated by voice while the system is locked. If you choose the "User is in control" option, employees in your organization can decide whether users can interact with applications using speech while the system is locked by using Settings > Privacy on the device. If you choose the "Force Allow" option, users can interact with applications using speech while the system is locked and employees in your organization cannot change it. If you choose the "Force Deny" option, users cannot interact with applications using speech while the system is locked and employees in your organization cannot change it. If you disable or do not configure this policy setting, employees in your organization can decide whether users can interact with applications using speech while the system is locked by using Settings > Privacy on the device. This policy is applied to Windows apps and Cortana. It takes precedence of the Allow Cortana above lock policy. This policy is applicable only when Allow voice activation policy is configured to allow applications to be activated with voice. |
-| Windows Components / BitLocker Drive Encryption / Removable Data Drives | Deny write access to removable drives not protected by BitLocker  | Enabled  | This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive. If you enable this policy setting, all removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access. If the "Deny write access to devices configured in another organization" option is selected, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed, it will be checked for valid identification field and allowed identification fields. These fields are defined by the "Provide the unique identifiers for your organization" policy setting. If you disable or do not configure this policy setting, all removable data drives on the computer will be mounted with read and write access. Note: This policy setting can be overridden by the policy settings under User Configuration\\Administrative Templates\\System\\Removable Storage Access. If the "Removable Disks: Deny write access" policy setting is enabled, this policy setting will be ignored. |
-| Windows Components / Internet Explorer | Prevent bypassing SmartScreen Filter warnings | Enabled | This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter prevents the user from browsing to or downloading from sites that are known to host malicious content. SmartScreen Filter also prevents the execution of files that are known to be malicious. |
-| Windows Components / Internet Explorer | Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet | Enabled | This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter warns the user about executable files that Internet Explorer users do not commonly download from the Internet. |
-| Windows Components / Internet Explorer  | Prevent per-user installation of ActiveX controls | Enabled | This policy setting allows you to prevent the installation of ActiveX controls on a per-user basis. If you enable this policy setting, ActiveX controls cannot be installed on a per-user basis. |
-| Windows Components / Internet Explorer | Security Zones: Do not allow users to add/delete sites | Enabled | Prevents users from adding or removing sites from security zones. A security zone is a group of Web sites with the same security level. If you enable this policy, the site management settings for security zones are disabled. |
-| Windows Components / Internet Explorer | Security Zones: Do not allow users to change policies | Enabled | Prevents users from changing security zone settings. A security zone is a group of Web sites with the same security level. If you enable this policy, the Custom Level button and security-level slider on the Security tab in the Internet Options dialog box are disabled. |
-| Windows Components / Internet Explorer | Security Zones: Use only machine settings | Enabled | Applies security zone information to all users of the same computer. A security zone is a group of Web sites with the same security level. If you enable this policy, changes that the user makes to a security zone will apply to all users of that computer. |
-| Windows Components / Internet Explorer | Turn off Crash Detection | Enabled | This policy setting allows you to manage the crash detection feature of add-on Management. If you enable this policy setting, a crash in Internet Explorer will exhibit behavior found in Windows XP Professional Service Pack 1 and earlier, namely, to invoke Windows Error Reporting. All policy settings for Windows Error Reporting continue to apply. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Download signed ActiveX controls | Disable | This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone. |
-| Windows Components / Microsoft Edge | Prevent bypassing Windows Defender SmartScreen prompts for files | Enabled | This policy setting lets you decide whether employees can override the Windows Defender SmartScreen warnings about downloading unverified files. If you enable this setting, employees can't ignore Windows Defender SmartScreen warnings and they are blocked from downloading the unverified files. If you disable or don't configure this setting, employees can ignore Windows Defender SmartScreen warnings and continue the download process. |
-| Windows Components / Windows Defender SmartScreen / Microsoft Edge | Prevent bypassing Windows Defender SmartScreen prompts for sites | Enabled | Lets you decide whether employees can override the Windows Defender SmartScreen warnings about potentially malicious websites |
-| Windows Components / Remote Desktop Services / Remote Desktop  | Do not allow drive redirection | Enabled | This policy setting specifies whether to prevent the mapping of client drives in a Remote Desktop Services session (drive redirection). By default, an RD Session Host server maps client drives automatically upon connection. Mapped drives appear in the session folder tree in File Explorer or Computer in the format \ on \. You can use this policy setting to override this behavior. if you enable this policy setting, client drive redirection is not allowed in Remote Desktop Services sessions and Clipboard file copy redirection is not allowed on computers running Windows Server 2003 Windows 8 and Windows XP. If you disable this policy setting client drive redirection is always allowed. In addition, Clipboard file copy redirection is always allowed if Clipboard redirection is allowed. If you do not configure this policy setting client drive redirection and Clipboard file copy redirection are not specified at the Group Policy level. |
-| Windows Components / Windows Defender Antivirus | Configure detection for potentially unwanted applications | Enabled: Audit | Enable or disable detection for potentially unwanted applications. You can choose to block, audit, or allow when potentially unwanted software is being downloaded or attempts to install itself on your computer. |
-| Windows Components / Windows Game Recording and Broadcasting | Enables or disables Windows Game Recording and Broadcasting | Disabled | This setting enables or disables the Windows Game Recording and Broadcasting features. If you disable this setting, Windows Game Recording will not be allowed. |
-
-### User Policies
-
-| Feature | Policy Setting | Policy Value | Description |
-|---------|----------------|--------------|-------------|
-| Start Menu and Taskbar / Notifications | Turn off toast notifications on the lock screen | Enabled | Turns off toast notifications on the lock screen. |
-| Windows Components / Cloud Content | Do not suggest third-party content in the Windows spotlight | Enabled | Windows spotlight features like lock screen spotlight, suggested apps in Start menu or Windows tips will no longer suggest apps and content from third-party software publishers |
-
-### Services
-
-Microsoft recommends disabling the following services when their use is not required for a user to perform their work.
-
-| Type | Name | Description |
-|------|------|-------------|
-| Scheduled Task | XblGameSaveTask                   | Syncs save data for Xbox Live save-enabled games                                  |
-| Services       | Xbox Accessory Management Service | Manages connected Xbox accessories                                                |
-| Services       | Xbox Game Monitoring              | Monitors Xbox games currently being played                                        |
-| Services       | Xbox Live Auth Manager            | Provides authentication and authorization services for interactive with Xbox Live |
-| Services       | Xbox Live Game Save               | Syncs save data for Xbox live save enabled games                                  |
-| Services       | Xbox Live Networking Service      | Supports the Windows.Networking.XboxLive API                                      |
-
-## Controls
-
-The controls enforced in level 2 implement more controls and a more sophisticated security
-configuration than level 1. While they may have a slightly higher impact to
-users or to applications, they enforce a level of security more commensurate
-with the risks facing users with access to sensitive information. Microsoft
-recommends using the Audit/Enforce methodology for controls with an Audit mode,
-and [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates) for those that do not, with a moderate timeline that
-is anticipated to be slightly longer than the process in level 1.
-
-| Feature Set                                                 | Feature                                               | Description    |
-|-------------------------------------------------------------|-------------------------------------------------------|----------------|
-| [Windows Hello for Business](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-identity-verification) | Configure and enforce Windows Hello for Business | In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN. Windows Hello addresses the following problems with passwords: 
      - Strong passwords can be difficult to remember, and users often reuse passwords on multiple sites.
      - Server breaches can expose symmetric network credentials (passwords).
      - Passwords are subject to replay attacks.
      - Users can inadvertently expose their passwords due to phishing attacks. |
-| [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/) | Configure and enforce Conditional Access rules based on 
       - Application Risk 
       - Session Risk | With conditional access, you can implement automated access control decisions for accessing your cloud apps that are based on conditions. Conditional access policies are enforced after the first-factor authentication has been completed. Therefore, conditional access is not intended as a first line defense for scenarios like denial-of-service (DoS) attacks, but can utilize signals from these events (e.g. the sign-in risk level, location of the request, and so on) to determine access. |
-| [Exploit protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard) | Enforce memory protection for OS-level controls: 
      - Control flow guard (CFG)
      - Data Execution Protection (DEP)
      - Mandatory ASLR
      - Bottom-Up ASLR
      - High-entropy ASLR
      - Validate Exception Chains (SEHOP)
      - Validate heap integrity     | Exploit protection helps protect devices from malware that use exploits to spread and infect to other devices. It consists of several mitigations that can be applied at either the operating system level, or at the individual app level. There is a risk to application compatibility, as some applications may rely on blocked behavior (e.g. dynamically generating code without marking memory as executable). Microsoft recommends gradually deploying this configuration using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates).        |        
-| [Attack Surface Reduction (ASR)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)| Configure and enforce [Attack Surface Reduction rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#attack-surface-reduction-rules)| Attack surface reduction controls help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. There is a risk to application compatibility, as some applications may rely on blocked behavior (e.g. an Office application spawning a child process). Each control has an Audit mode, and as such, Microsoft recommends the Audit / Enforce Methodology (repeated here):
      1) Audit – enable the controls in audit mode, and gather audit data in a centralized location
      2) Review – review the audit data to assess potential impact (both positive and negative) and configure any exemptions from the security control you need to configure
      3) Enforce – Deploy the configuration of any exemptions and convert the control to enforce mode |
-| [Controlled Folder Access (CFA)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard) | Configure and audit [Controlled Folder Access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard) | Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. Controlled folder access works best with Microsoft Defender Advanced Threat Protection, which gives you detailed reporting into controlled folder access events and blocks as part of the usual alert investigation scenarios. 
       All apps (any executable file, including .exe, .scr, .dll files and others) are assessed by Windows Defender Antivirus, which then determines if the app is malicious or safe. If the app is determined to be malicious or suspicious, then it will not be allowed to make changes to any files in any protected folder. 
       Microsoft recommends the Audit / Enforce Methodology (repeated here):
      1) Audit – enable the controls in audit mode, and gather audit data in a centralized location
      2) Review – review the audit data to assess potential impact (both positive and negative) and configure any exemptions from the security control you need to configure
      3) Enforce – Deploy the configuration of any exemptions and convert the control to enforce mode
-
-## Behaviors
-
-The behaviors recommended in level 2 implement a more sophisticated security process. While they may require a more sophisticated organization, they enforce
-a level of security more commensurate with the risks facing users with access to
-sensitive information.
-
-| Feature Set| Feature  | Description  |
-|------------|----------|--------------|
-| Antivirus  | Configure Protection Updates to failover to retrieval from Microsoft | Sources for Windows Defender Antivirus Protection Updates can be provided in an ordered list. If you are using internal distribution, such as SCCM or WSUS, configure Microsoft Update lower in the list as a failover.  |
-| OS Security Updates | Deploy Windows Quality Updates within 4 days | As the time between release of a patch and an exploit based on the reverse engineering of that patch continues to shrink, engineering a process that provides the ability to validate and deploy quality updates addressing known security vulnerabilities is a critical aspect of security hygiene.|
-| Helpdesk| 1:1 Administration| A simple and common model for helpdesk support is to add the Helpdesk group as a permanent member of the Local Administrators group of every device. If any device is compromised and helpdesk can connect to it, then these credentials can be used to obtain privilege on any / all other devices. Design and implement a strategy to provide helpdesk support without providing 1:all admin access – constraining the value of these Helpdesk credentials |
-
-
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/level-3-enterprise-high-security.md b/windows/security/threat-protection/windows-security-configuration-framework/level-3-enterprise-high-security.md
deleted file mode 100644
index 640af6ba59..0000000000
--- a/windows/security/threat-protection/windows-security-configuration-framework/level-3-enterprise-high-security.md
+++ /dev/null
@@ -1,88 +0,0 @@
----
-title: Level 3 enterprise high security configuration
-description: Describes the policies, controls, and organizational behaviors for Windows security configuration framework level 3 enterprise VIP security configuration.
-keywords: virtualization, security, malware
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.author: cjacks
-author: appcompatguy
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.date: 05/29/2019
----
-
-# Level 3 enterprise high security configuration
-
-**Applies to**  
-
--   Windows 10
-
-Level 3 is the security configuration recommended as a standard for organizations with large and sophisticated security organizations, or for specific users and groups who will be uniquely targeted by adversaries. Such organizations are typically targeted by well-funded and sophisticated adversaries, and as such merit the additional constraints and controls described here.
-A level 3 configuration should include all the configurations from level 2 and level 1 and add the following security policies, controls, and organizational behaviors.
-
-## Hardware
-
-Devices targeting Level 3 should support all Level 2 and Level 1 features, and add the following hardware features:
-
-- [System Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows)
-- [Modern Standby](https://docs.microsoft.com/windows-hardware/design/device-experiences/modern-standby)
-
-## Policies
-
-The policies enforced in level 3 include all of the policies recommended for levels 2 and 1, and adds the below policies to
-implement strict security configuration and controls. They can have a potentially significant impact to users or to applications, enforcing
-a level of security commensurate with the risks facing targeted organizations. Microsoft recommends disciplined testing and deployment using
-[the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates).
-
-### Computer Policies
-
-| Feature  | Policy Setting  | Policy Value  | Description  |
-|----------|-----------------|---------------|--------------|
-| Control Panel / Personalization | Prevent enabling lock screen slide show | Enabled | Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen. By default, users can enable a slide show that will run after they lock the machine. if you enable this setting, users will no longer be able to modify slide show settings in PC Settings and no slide show will ever start. |
-| System / Logon | Enumerate local users on domain-joined computers | Disabled | This policy setting allows local users to be enumerated on domain-joined computers. if you enable this policy setting, Logon UI will enumerate all local users on domain-joined computers. If you disable or do not configure this policy setting, the Logon UI will not enumerate local users on domain-joined computers. |
-| System / Power Management / Sleep Settings  | Allow standby states (S1-S3) when sleeping (on battery) | Disabled | This policy setting manages whether Windows can use standby states when putting the computer in a sleep state. If you enable or do not configure this policy setting Windows uses standby states to put the computer in a sleep state. If you disable this policy setting standby states (S1-S3) are not allowed. |
-| System / Power Management / Sleep Settings | Allow standby states (S1-S3) when sleeping (plugged in) | Disabled | This policy setting manages whether Windows can use standby states when putting the computer in a sleep state. If you enable or do not configure this policy setting Windows uses standby states to put the computer in a sleep state. If you disable this policy setting standby states (S1-S3) are not allowed. |
-| Windows Components / Cloud Content | Turn off Microsoft consumer experiences | Enabled | This policy setting turns off experiences that help consumers make the most of their devices and Microsoft account. if you enable this policy setting, users will no longer see personalized recommendations from Microsoft and notifications about their Microsoft account. If you disable or do not configure this policy setting, users may see suggestions from Microsoft and notifications about their Microsoft account. Note: This setting only applies to Enterprise and Education SKUs. |
-| Windows Components / Credential User Interface | Enumerate administrator accounts on elevation | Disabled | This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. By default, administrator accounts are not displayed when the user attempts to elevate a running application. if you enable this policy setting, all local administrator accounts on the PC will be displayed so the user can choose one and enter the correct password. If you disable this policy setting users will always be required to type a user name and password to elevate. |
-| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page | Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled | Enabled | This policy setting prevents ActiveX controls from running in Protected Mode when Enhanced Protected Mode is enabled. When a user has an ActiveX control installed that is not compatible with Enhanced Protected Mode and a website attempts to load the control, Internet Explorer notifies the user and gives the option to run the website in regular Protected Mode. This policy setting disables this notification and forces all websites to run in Enhanced Protected Mode. |
-| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page | Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows | Enabled | This policy setting determines whether Internet Explorer 11 uses 64-bit processes (for greater security) or 32-bit processes (for greater compatibility) when running in Enhanced Protected Mode on 64-bit versions of Windows. |
-| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page | Turn on Enhanced Protected Mode | Enabled | Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit processes on 64-bit versions of Windows. For computers running at least Windows 8, Enhanced Protected Mode also limits the locations Internet Explorer can read from in the registry and the file system. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page | Intranet Sites: Include all network paths (UNCs) | Disabled | This policy setting controls whether URLs representing UNCs are mapped into the local Intranet security zone. |
-| Windows Components / Microsoft Edge | Configure Password Manager | Disabled | This policy setting lets you decide whether employees can save their passwords locally using Password Manager. By default, Password Manager is turned on. if you enable this setting, employees can use Password Manager to save their passwords locally. If you disable this setting employees can't use Password Manager to save their passwords locally. If you don't configure this setting employees can choose whether to use Password Manager to save their passwords locally. |
-
-### User Policies
-| Feature  | Policy Setting  | Policy Value  | Description  |
-|----------|-----------------|---------------|--------------|
-| Windows Components / Internet Explorer | Turn on the auto-complete feature for user names and passwords on forms | Disabled | This AutoComplete feature can remember and suggest User names and passwords on Forms. If you enable this setting, the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on Forms will be turned on. You have to decide whether to select "prompt me to save passwords". If you disable this setting the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on Forms is turned off. The user also cannot opt to be prompted to save passwords. If you do not configure this setting, the user has the freedom of turning on Auto complete for User name and passwords on forms and the option of prompting to save passwords. To display this option, the users open the Internet Options dialog box, click the Contents Tab and click the Settings button. |
-
-## Controls
-
-The controls enforced in level 3 implement complex security configuration and controls. 
-They are likely to have a higher impact to users or to applications,
-enforcing a level of security commensurate with the risks facing the most targeted organizations. 
-Microsoft recommends using the Audit/Enforce methodology for controls with audit mode, and [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates) for those that do
-not.
-
-| Feature Set  | Feature  | Description  |
-|--------------|----------|--------------|
-| Exploit protection  | Enable exploit protection | Exploit protection helps protect devices from malware that use exploits to spread and infect to other devices. It consists of several mitigations that can be applied at the individual app level.  |
-| Windows Defender Application Control (WDAC) *or* AppLocker | Configure devices to use application whitelisting using one of the following approaches:
      [AaronLocker](https://blogs.msdn.microsoft.com/aaron_margosis/2018/10/11/aaronlocker-update-v0-91-and-see-aaronlocker-in-action-on-channel-9/) (admin writeable areas) when software distribution is not always centralized
      *or*
      [Managed installer](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer) when all software is pushed through software distribution
      *or*
      [Explicit control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy) when the software on a device is static and tightly controlled  | Application control is a crucial line of defense for protecting enterprises given today’s threat landscape, and it has an inherent advantage over traditional antivirus solutions. Specifically, application control moves away from the traditional application trust model where all applications are assumed trustworthy by default to one where applications must earn trust in order to run. Application Control can help mitigate these types of security threats by restricting the applications that users can run and the code that runs in the System Core (kernel). WDAC policies also block unsigned scripts and MSIs, and Windows PowerShell runs in [Constrained Language Mode](https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/). |
-
-## Behaviors
-
-The behaviors recommended in level 3 represent the most sophisticated security
-configuration. Removing admin rights can be difficult, but it is essential to
-achieve a level of security commensurate with the risks facing the most targeted
-organizations.
-
-| Feature Set  | Feature  | Description  |
-|--------------|----------|--------------|
-| Remove Admin Rights | Remove as many users as possible from the local Administrators group, targeting 0. Microsoft recommends removing admin rights role by role. Some roles are more challenging, including:
      - Developers, who often install rapidly iterating software which is difficult to package using current software distribution systems
      - Scientists/ Doctors, who often must install and operate specialized hardware devices
      - Remote locations with slow web links, where administration is delegated
      It is typically easier to address these roles later in the process.
      Microsoft recommends identifying the dependencies on admin rights and systematically addressing them:
      - Legitimate use of admin rights: crowdsourced admin, where a new process is needed to complete that workflow
      - Illegitimate use of admin rights: app compat dependency, where app remediation is the best path. The [Desktop App Assure](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-is-Desktop-App-Assure/ba-p/270232) program can assist with these app issues | Running as non-admin limits your exposure. When you are an admin, every program you run has unlimited access to your computer. If malicious code finds its way to one of those programs, it also gains unlimited access. When an exploit runs with admin privileges, its ability to compromise your system is much greater, its ability to do so without detection is much greater, and its ability to attack others on your network is greater than it would be with only User privileges. If you’re running as admin, an exploit can:
      - install kernel-mode rootkits and/or keyloggers
      - install and start services
      - install ActiveX controls, including IE and shell add-ins
      - access data belonging to other users
      - cause code to run whenever anybody else logs on (including capturing passwords entered into the Ctrl-Alt-Del logon dialog)
      - replace OS and other program files with trojan horses
      - disable/uninstall anti-virus
      - cover its tracks in the event log
      - render your machine unbootable |
-
-
-
-
-
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/level-4-enterprise-devops-security.md b/windows/security/threat-protection/windows-security-configuration-framework/level-4-enterprise-devops-security.md
deleted file mode 100644
index fbcf933ccc..0000000000
--- a/windows/security/threat-protection/windows-security-configuration-framework/level-4-enterprise-devops-security.md
+++ /dev/null
@@ -1,28 +0,0 @@
----
-title: Level 4 enterprise dev/ops security workstation configuration
-description: Describes the policies, controls, and organizational behaviors for Windows security configuration framework level 4 enterprise dev/ops security configuration.
-keywords: virtualization, security, malware
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.author: dansimp
-author: dansimp
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.date: 06/11/2019
-ms.reviewer: 
----
-
-# Level 4 enterprise dev/ops workstation security configuration
- 
-**Applies to**  
-
--   Windows 10
-
-We recommend this configuration for developers and testers, who are an attractive target both for supply chain attacks and access to servers and systems containing high value data or where critical business functions could be disrupted. A level 4 configuration should include all the configurations from levels 3, 2, and 1 and additional controls. We are planning recommendations for the additional controls now, so check back soon for level 4 enterprise dev/ops security configuration guidance!
-
-
-
-
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/level-5-enterprise-administrator-security.md b/windows/security/threat-protection/windows-security-configuration-framework/level-5-enterprise-administrator-security.md
deleted file mode 100644
index 8b9d1f63c3..0000000000
--- a/windows/security/threat-protection/windows-security-configuration-framework/level-5-enterprise-administrator-security.md
+++ /dev/null
@@ -1,26 +0,0 @@
----
-title: Level 5 enterprise administrator workstation security
-description: Describes the policies, controls, and organizational behaviors for Windows security configuration framework level 1 enterprise administrator security configuration.
-keywords: virtualization, security, malware
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.author: dansimp
-author: dansimp
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.date: 06/11/2019
-ms.reviewer: 
----
-
-# Level 5 enterprise administrator workstation security configuration
-
-**Applies to**  
-
--   Windows 10
-
-
-Administrators (particularly of identity or security systems) present the highest risk to the organization−through data theft, data alteration, or service disruption. 
-A level 5 configuration should include all the configurations from levels 4, 3, 2, and 1 and adds additional controls. We are planning recommendations for the additional controls now, so check back soon for level 5 enterprise administrator security configuration guidance!
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
index 10ee86e0c0..d944485086 100644
--- a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
+++ b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
@@ -1,5 +1,5 @@
 ---
-title: Microsoft Security Compliance Toolkit 1.0
+title: Microsoft Security Compliance Toolkit 1.0 Guide
 description: This article describes how to use the Security Compliance Toolkit in your organization
 keywords: virtualization, security, malware
 ms.prod: w10
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md
index 34891356ab..723c0bfe49 100644
--- a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md
+++ b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md
@@ -1,5 +1,5 @@
 ---
-title: Windows security baselines
+title: Windows security baselines guide
 description: This article, and the articles it links to, describe how to use Windows security baselines in your organization
 keywords: virtualization, security, malware
 ms.prod: w10
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-compliance.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-compliance.md
deleted file mode 100644
index 9ebaf00d93..0000000000
--- a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-compliance.md
+++ /dev/null
@@ -1,29 +0,0 @@
----
-title: Windows security guidance for enterprises
-description: This article describes how to use Windows security baselines in your organization
-keywords: virtualization, security, malware
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.author: dansimp
-author: dansimp
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.date: 04/05/2018
-ms.reviewer: 
----
-
-# Windows security guidance for enterprises
-
-**Applies to**  
-
--   Windows 10
-
-The topics in this section provide security configuration guidelines for enterprises. You can use these guidelines to deploy security configuration settings and to ensure that user and device settings comply with enterprise policies.  
-
-| Capability | Description |
-|------------|-------------|
-| [Windows security baselines](windows-security-baselines.md) | Microsoft-recommended configuration settings and their security impact. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers.   |
-| [Windows security configuration framework](windows-security-configuration-framework.md) | Five distinct security configurations for more granular control over productivity devices and privileged access workstations. |
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework.md
deleted file mode 100644
index 824b53c0f6..0000000000
--- a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework.md
+++ /dev/null
@@ -1,76 +0,0 @@
----
-title: Windows security configuration framework
-description: Describes the policies, controls, and organizational behaviors for Windows security configuration framework.
-keywords: virtualization, security, malware
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.author: dansimp
-author: dansimp
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.date: 06/11/2019
-ms.reviewer: 
----
-
-# Introducing the security configuration framework
-
-**Applies to**  
-
--   Windows 10
-
-Security configuration is complex. When hardening your deployment of Windows 10, how should you prioritize the hardware you buy, policies you enforce, controls you configure, and behavior your staff exhibit?
-
-Even when configuring policies, with thousands of policies available in Windows, choosing the “best” setting is difficult. It’s not always obvious which permutations of policies are required to implement a complete scenario, and there are often unintended consequences of security lockdowns. Because of this, with each release of Windows, Microsoft publishes [Windows security baselines](https://docs.microsoft.com/windows/security/threat-protection/windows-security-baselines), an industry-standard configuration that is broadly known and well-tested. However, many organizations have discovered that this baseline sets a very high bar for some scenarios.
-
-To help you prioritize your endpoint hardening work, Microsoft is introducing a new taxonomy for security configurations for Windows 10. In this initial preview, we are simply listing recommended hardware, policies, controls, and behaviors in order to gather feedback from more customers and security experts in order to refine the framework and prioritize opportunities to automate.
-
-This new security configuration framework, which we affectionately nickname the SecCon framework (remember "WarGames"?), organizes devices into one of 5 distinct security configurations.
-
-![SECCON Framework](images/seccon-framework.png)
-
-- [Level 1 enterprise basic security](level-1-enterprise-basic-security.md) – We recommend this configuration as the minimum security configuration for an enterprise device. Recommendations for this level are generally straightforward and are designed to be deployable within 30 days.
-- [Level 2 enterprise enhanced security](level-2-enterprise-enhanced-security.md) – We recommend this configuration for devices where users access sensitive or confidential information. Some of the controls may have an impact to app compat, and therefore will often go through an audit-configure-enforce workflow. Recommendations for this level are generally accessible to most organizations and are designed to be deployable within 90 days.
-- [Level 3 enterprise high security](level-3-enterprise-high-security.md) – We recommend this configuration for devices run by an organization with a larger or more sophisticated security team, or for specific users or groups who are at uniquely high risk (as one example, one organization identified users who handle data whose theft would directly and seriously impact their stock price). An organization likely to be targeted by well-funded and sophisticated adversaries should aspire to this configuration. Recommendations for this level can be complex (for example, removing local admin rights for some organizations can be a long project in and of itself) and can often go beyond 90 days.
-- [Level 4 DevOps workstation](level-4-enterprise-devops-security.md) – We recommend this configuration for developers and testers, who are an attractive target both for supply chain attacks and access to servers and systems containing high value data or where critical business functions could be disrupted. Level 4 guidance is coming soon!
-- [Level 5 administrator workstation](level-5-enterprise-administrator-security.md) – Administrators (particularly of identity or security systems) present the highest risk to the organization, through data theft, data alteration, or service disruption. Level 5 guidance is coming soon!
-
-
-The security configuration framework divides configuration into Productivity Devices and Privileged Access Workstations. This document will focus on Productivity Devices
-(Levels 1, 2, and 3). 
-Microsoft’s current guidance on [Privileged Access Workstations](https://aka.ms/privsec) are part of the [Securing Privileged Access roadmap](https://aka.ms/privsec).
-
-Microsoft recommends reviewing and categorizing your devices, and then configuring them using the prescriptive guidance for that level. 
-Level 1 should be considered the minimum baseline for an enterprise device, and Microsoft recommends increasing the protection based on both threat environment and risk appetite.
-
-## Security control classification
-
-The recommendations are grouped into four categories.
-
-| Hardware | Policies | Controls | Behaviors |
-|----------|----------|----------|-----------|
-| Microsoft recommends acquiring hardware that supports the specified hardware features, in order to support Windows security features | Microsoft recommends enforcing the configuration of the specified policies in the manner described, to harden Windows to the designated level of security | Microsoft recommends enabling the security controls specified in the manner described, to provide protections appropriate to the designated level of security. | Microsoft recommends changing organizational behavior towards the endpoints in the manner described. |
-
-## Security control deployment methodologies
-
-The way Microsoft recommends implementing these controls depends on the
-auditability of the control–there are two primary methodologies.
-
-### Rings
-
-Security controls which don't support an audit mode should be deployed gradually. A typical deployment methodology:
-
-1. Test ring - deploy to a lab to validate "must test" apps prior to enforcement of any configuration
-2. Pilot ring - deploy to a representative sample of 2-5% of the environment
-3. Fast ring - deploy to the next 25% of the environment
-4. Slow ring - deploy to the remainder of the organization
-
-### Audit / Enforce
-
-Security controls which support an audit mode can be deployed using the following methodology:
-
-1. Audit - enable the control in audit mode, and gather audit data in a centralized location
-2. Review - review the audit data to assess potential impact (both positive and negative) and configure any exemptions from the security control you need to configure
-3. Enforce - deploy the configuration of any exemptions and convert the control to enforce mode
diff --git a/windows/whats-new/TOC.md b/windows/whats-new/TOC.md
index fa56ce48c7..a0a0ac2708 100644
--- a/windows/whats-new/TOC.md
+++ b/windows/whats-new/TOC.md
@@ -1,4 +1,5 @@
 # [What's new in Windows 10](index.md)
+## [What's new in Windows 10, version 1909](whats-new-windows-10-version-1909.md)
 ## [What's new in Windows 10, version 1903](whats-new-windows-10-version-1903.md)
 ## [What's new in Windows 10, version 1809](whats-new-windows-10-version-1809.md)
 ## [What's new in Windows 10, version 1803](whats-new-windows-10-version-1803.md)
diff --git a/windows/whats-new/index.md b/windows/whats-new/index.md
index b4809b546b..bad28a358c 100644
--- a/windows/whats-new/index.md
+++ b/windows/whats-new/index.md
@@ -18,6 +18,7 @@ Windows 10 provides IT professionals with advanced protection against modern sec
 
 ## In this section
 
+- [What's new in Windows 10, version 1909](whats-new-windows-10-version-1909.md)
 - [What's new in Windows 10, version 1903](whats-new-windows-10-version-1903.md)
 - [What's new in Windows 10, version 1809](whats-new-windows-10-version-1809.md)
 - [What's new in Windows 10, version 1803](whats-new-windows-10-version-1803.md)
diff --git a/windows/whats-new/whats-new-windows-10-version-1903.md b/windows/whats-new/whats-new-windows-10-version-1903.md
index d5949e5781..45feb23e75 100644
--- a/windows/whats-new/whats-new-windows-10-version-1903.md
+++ b/windows/whats-new/whats-new-windows-10-version-1903.md
@@ -70,7 +70,7 @@ With this release, Windows Defender ATP extends discovery and protection of sens
 
 ### Security configuration framework
 
-With this release of Windows 10, Microsoft is introducing a [new taxonomy for security configurations](https://docs.microsoft.com/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework), called the **SECCON framework**, comprised of 5 device security configurations.
+With this release of Windows 10, Microsoft is introducing a [new taxonomy for security configurations](https://github.com/microsoft/SecCon-Framework/blob/master/windows-security-configuration-framework.md), called the **SECCON framework**, comprised of 5 device security configurations.
 
 ### Security baseline for Windows 10 and Windows Server
 
diff --git a/windows/whats-new/whats-new-windows-10-version-1909.md b/windows/whats-new/whats-new-windows-10-version-1909.md
new file mode 100644
index 0000000000..a9384caf8b
--- /dev/null
+++ b/windows/whats-new/whats-new-windows-10-version-1909.md
@@ -0,0 +1,142 @@
+---
+title: What's new in Windows 10, version 1909
+description: New and updated IT Pro content about new features in Windows 10, version 1909 (also known as the Windows 10 November 2019 Update).
+keywords: ["What's new in Windows 10", "Windows 10", "November 2019 Update"]
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.author: greglin
+manager: laurawi
+ms.localizationpriority: high
+ms.topic: article
+---
+
+# What's new in Windows 10, version 1909 IT Pro content
+
+**Applies to**
+-   Windows 10, version 1909
+
+This article lists new and updated features and content that are of interest to IT Pros for Windows 10, version 1909, also known as the Windows 10 November 2019 Update. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 1903. 
+
+## Servicing
+
+Windows 10, version 1909 is a scoped set of features for select performance improvements, enterprise features and quality enhancements.
+
+To deliver these updates in an optimal fashion, we are providing this feature update in a new way: using servicing technology. Users that are already running Windows 10, version 1903 (the May 2019 Update) will receive this update similar to how they receive monthly updates. If you are running version 1903, then updating to the new release will have a much faster update experience because the update will install like a monthly update.
+
+If you are updating from an older version of Windows 10 (version 1809 or earlier), the process of updating to the current version will be the same as it has been for previous Windows 10 feature updates. For more information, see [Evolving Windows 10 servicing and quality: the next steps](https://blogs.windows.com/windowsexperience/2019/07/01/evolving-windows-10-servicing-and-quality-the-next-steps/#rl2G5ETPhkhMvDeX.97).
+
+**Note**: Devices running the Enterprise, IoT Enterprise, or Education editions of Windows 10, version 1909 receive 30 months of support. For more information about the Windows servicing lifecycle, please see the [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet).
+
+### Windows Server Update Services (WSUS)
+
+Pre-release Windows 10 feature updates are now available to IT administrators using WSUS. System Center Configuration Manager version 1906 or later is required. For more information, see [Publishing pre-release Windows 10 feature updates to WSUS](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Publishing-pre-release-Windows-10-feature-updates-to-WSUS/ba-p/845054).
+
+The Windows 10, version 1909 enablement package will be available on WSUS as [KB4517245](https://support.microsoft.com/kb/4517245), which can be deployed on existing deployments of Windows 10, version 1903. 
+
+### Windows Update for Business (WUfB)
+
+If you are using WUfB, you will receive the Windows 10, version 1909 update in the same way that you have for prior feature updates, and as defined by your feature update deferral policy.
+
+## Security
+
+### Windows Defender Credential Guard
+
+[Windows Defender Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard) is now available for ARM64 devices, for additional protection against credential theft for enterprises deploying ARM64 devices in their organizations, such as Surface Pro X.
+
+### Microsoft BitLocker
+
+BitLocker and Mobile Device Management (MDM) with Azure Active Directory work together to protect your devices from accidental password disclosure. Now, a new key-rolling feature securely rotates recovery passwords on MDM managed devices. The feature is activated whenever Microsoft Intune/MDM tools or a recovery password is used to unlock a BitLocker protected drive. As a result, the recovery password will be better protected when users manually unlock a BitLocker drive.
+
+### Key-rolling and Key-rotation
+
+Windows 10, version 1909 also includes two new features called **Key-rolling** and **Key-rotation** enables secure rolling of Recovery passwords on MDM managed AAD devices on demand from Microsoft Intune/MDM tools or when a recovery password is used to unlock the BitLocker protected drive. This feature will help prevent accidental recovery password disclosure as part of manual BitLocker drive unlock by users.
+
+### Transport Layer Security (TLS)
+
+An experimental implementation of TLS 1.3 is included in Windows 10, version 1909. TLS 1.3 disabled by default system wide. If you enable TLS 1.3 on a device for testing, then it can also be enabled in Internet Explorer 11.0 and Microsoft Edge by using Internet Options. For beta versions of Microsoft Edge on Chromium, TLS 1.3 is not built on the Windows TLS stack, and is instead configured independently, using the **Edge://flags** dialog. Also see [Microsoft Edge platform status](https://developer.microsoft.com/microsoft-edge/platform/status/tls13/).
+
+## Virtualization
+
+### Containers on Windows
+
+This update includes 5 fixes to allow the host to run down-level containers on up-level for process (Argon) isolation. Previously [Containers on Windows](https://docs.microsoft.com/virtualization/windowscontainers/) required matched host and container version. This limited Windows containers from supporting mixed-version container pod scenarios.
+
+### Windows Sandbox
+
+[Windows Sandbox](https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849) is an isolated desktop environment where you can install software without the fear of lasting impact to your device. This feature is available in Windows 10, version 1903. In Windows 10, version 1909 you have even more control over the level of isolation.
+
+## Windows Virtual Desktop
+
+[Windows Virtual Desktop](https://docs.microsoft.com/azure/virtual-desktop/overview) (WVD) is now generally available globally!
+
+Windows Virtual Desktop is a comprehensive desktop and app virtualization service running in the cloud. It’s the only virtual desktop infrastructure (VDI) that delivers simplified management, multi-session Windows 10, optimizations for Office 365 ProPlus, and support for Remote Desktop Services (RDS) environments. Deploy and scale your Windows desktops and apps on Azure in minutes, and get built-in security and compliance features. Windows Virtual Desktop requires a Microsoft E3 or E5 license, or a Microsoft 365 E3 or E5 license, as well as an Azure tenant.
+
+## Deployment
+
+#### Microsoft Endpoint Manager
+
+Configuration Manager, Intune, Desktop Analytics, Co-Management, and Device Management Admin Console are now are [Microsoft Endpoint Manager](https://docs.microsoft.com/configmgr/). See the Nov. 4 2019 [announcement](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/). Also see [Modern management and security principles driving our Microsoft Endpoint Manager vision](https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Modern-management-and-security-principles-driving-our-Microsoft/ba-p/946797).
+
+### Windows 10 Pro and Enterprise in S mode
+
+ You can now deploy and run traditional Win32 (desktop) apps without leaving the security of S mode by configuring the Windows 10 in S mode policy to support Win32 apps, and deploy them with Mobile Device Management (MDM) software such as Microsoft Intune. For more information, see [Allow Line-of-Business Win32 Apps on Intune-Managed S Mode Devices](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/lob-win32-apps-on-s).
+
+### SetupDiag
+
+[SetupDiag](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag) version 1.6.0.42 is available.
+
+SetupDiag is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available.        .
+
+### Windows Assessment and Deployment Toolkit (ADK)
+
+A new [Windows ADK](https://docs.microsoft.com/windows-hardware/get-started/adk-install) will **not be released** for Windows 10, version 1909. You can use the Windows ADK for Windows 10, version 1903 to deploy Windows 10, version 1909.
+
+## Desktop Analytics
+
+[Desktop Analytics](https://docs.microsoft.com/configmgr/desktop-analytics/overview) is now generally available globally! Desktop Analytics is a cloud-connected service, integrated with Configuration Manager, which gives you data-driven insights to the management of your Windows endpoints. It provides insight and intelligence that you can use to make more informed decisions about the update readiness of your Windows endpoints. Desktop Analytics requires a Windows E3 or E5 license, or a Microsoft 365 E3 or E5 license.
+
+## Microsoft Connected Cache
+
+Together with Delivery Optimization, [Microsoft Connected Cache](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Introducing-Microsoft-Connected-Cache-Microsoft-s-cloud-managed/ba-p/963898) installed on Windows Server or Linux can seamlessly offload your traffic to local sources, caching content efficiently at the byte range level. Connected Cache is configured as a “configure once and forget it” solution that transparently caches content that your devices on your network need.
+
+## Accessibility
+
+This release adds the ability for Narrator and other assistive technologies to read and learn where the FN key is located on keyboards and what state it is in (locked versus unlocked).
+
+## Processor requirements and enhancements
+
+### Requirements
+
+[Windows Processor Requirements](https://docs.microsoft.com/windows-hardware/design/minimum/windows-processor-requirements) have been updated for this version of Windows.
+
+### Favored CPU Core Optimization
+
+This version of Windows 10 will include optimizations to how instructions are processed by the CPU in order to increase the performance and reliability of the operating system and its applications.
+
+When a CPU is manufactured, not all of the cores are created equal. Some of the cores may have slightly different voltage and power characteristics that could allow them to get a "boost" in performance. These cores are called "favored cores" as they can offer better performance than the other cores on the die.
+
+With Intel Turbo Boost Max Technology 3.0, an operating system will use information stored in the CPU to identify which cores are the fastest and then push more of the CPU intensive tasks to those cores. According to Intel, this technology "delivers more than 15% better single-threaded performance".
+
+### Debugging
+
+Additional debugging capabilities for newer Intel processors have been added in this release. This is only relevant for hardware manufacturers.
+
+### Efficiency
+
+General battery life and power efficiency improvements for PCs with certain processors have been added in this release.
+
+## See Also
+
+[What's New in Windows Server](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server): New and updated features in Windows Server.
      
+[Windows 10 Features](https://www.microsoft.com/windows/features): General information about Windows 10 features.
      
+[What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
      
+[What Windows 10, version 1909 Means for Developers](https://blogs.windows.com/windowsdeveloper/2019/10/16/what-windows-10-version-1909-means-for-developers/): New and updated features in Windows 10 that are of interest to developers.
      
+[What's new in Windows 10, version 1909 - Windows Insiders](https://docs.microsoft.com/windows-insider/at-home/whats-new-wip-at-home-1909): This list also includes consumer focused new features.
      
+[Features and functionality removed in Windows 10](https://docs.microsoft.com/windows/deployment/planning/windows-10-removed-features): Removed features.
      
+[Windows 10 features we’re no longer developing](https://docs.microsoft.com/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed.
      
+[How to get the Windows 10 November 2019 Update](https://aka.ms/how-to-get-1909): John Cable blog.
      
+[How to get Windows 10, Version 1909: Enablement Mechanics](https://aka.ms/1909mechanics): Mechanics blog.
      
+[What’s new for IT pros in Windows 10, version 1909](https://aka.ms/whats-new-in-1909): Windows IT Pro blog.