From dc90e8ddde7012f009025936fdc54465b2d1a484 Mon Sep 17 00:00:00 2001 From: karthigb Date: Tue, 23 Apr 2019 11:45:44 -0700 Subject: [PATCH 01/39] Update configure-windows-defender-smartscreen-shortdesc.md --- .../configure-windows-defender-smartscreen-shortdesc.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/browsers/edge/shortdesc/configure-windows-defender-smartscreen-shortdesc.md b/browsers/edge/shortdesc/configure-windows-defender-smartscreen-shortdesc.md index 58dfd6be9a..ce0f753466 100644 --- a/browsers/edge/shortdesc/configure-windows-defender-smartscreen-shortdesc.md +++ b/browsers/edge/shortdesc/configure-windows-defender-smartscreen-shortdesc.md @@ -6,4 +6,4 @@ ms.prod: edge ms:topic: include --- -Microsoft Edge uses Windows Defender SmartScreen (turned on) to protect users from potential phishing scams and malicious software by default. Also, by default, users cannot disable (turn off) Windows Defender SmartScreen. Enabling this policy turns off Windows Defender SmartScreen and prevent users from turning it on. Don’t configure this policy to let users choose to turn Windows defender SmartScreen on or off. \ No newline at end of file +Microsoft Edge uses Windows Defender SmartScreen (turned on) to protect users from potential phishing scams and malicious software by default. Also, by default, users cannot disable (turn off) Windows Defender SmartScreen. Enabling this policy turns on Windows Defender SmartScreen and prevent users from turning it off. Don’t configure this policy to let users choose to turn Windows defender SmartScreen on or off. From 783fc36d3e55d39c1a9a7e4dcdc873a504476bbc Mon Sep 17 00:00:00 2001 
From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Wed, 1 May 2019 19:08:57 +0500 Subject: [PATCH 02/39] cloud experience host information Cloud experience host related information was missing in the document. Required information has been added. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/3276 --- .../hello-how-it-works-technology.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md index d12e00c028..401dcdc382 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md @@ -39,6 +39,7 @@ ms.date: 10/08/2018 - [Storage Root Key](#storage-root-key) - [Trust Type](#trust-type) - [Trusted Platform Module](#trusted-platform-module) +- [Cloud Experience Host](#cloud-experience-host)
## Attestation Identity Keys @@ -304,7 +305,16 @@ In a simplified manner, the TPM is a passive component with limited resources. I [Return to Top](hello-how-it-works-technology.md) +## Cloud Experience Host +In Windows 10 Enterprise edition, cloud experience host is a component that helps you join the workplace environment or Azure AD using your company provided credentials. Once you enroll your device to your workplace environment or Azure AD, your organization will be able to manage your PC and collect information about you(including your location). It might add or remove apps or content, change settings, disable features, prevent you from removing your company account, or reset your PC. +### Related topics +[Windows Hello for Business](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-identity-verification), [Managed Windows Hello in Organization](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-manage-in-organization) + +### More information +- [Windows Hello for Business and Device Registration](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration) + +[Return to Top](hello-how-it-works-technology.md) From 522bb702bb2177779c7b30dc037ee2df0e1f9cf7 Mon Sep 17 00:00:00 2001 From: Nicole Turner <39884432+nenonix@users.noreply.github.com> Date: Wed, 1 May 2019 22:21:50 +0500 Subject: [PATCH 03/39] Update windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md Co-Authored-By: joinimran <47118050+joinimran@users.noreply.github.com> --- .../hello-for-business/hello-how-it-works-technology.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md index 401dcdc382..6fb3df408c 100644 
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md @@ -312,7 +312,7 @@ In Windows 10 Enterprise edition, cloud experience host is a component that help [Windows Hello for Business](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-identity-verification), [Managed Windows Hello in Organization](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-manage-in-organization) ### More information -- [Windows Hello for Business and Device Registration](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration) +- [Windows Hello for Business and Device Registration](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration) [Return to Top](hello-how-it-works-technology.md) From 0ceb9f2a5e6fa6c0d1d8f7a5bfb8b5592c34dc44 Mon Sep 17 00:00:00 2001 From: Nicole Turner <39884432+nenonix@users.noreply.github.com> Date: Wed, 1 May 2019 22:22:06 +0500 Subject: [PATCH 04/39] Update windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md Co-Authored-By: joinimran <47118050+joinimran@users.noreply.github.com> --- .../hello-for-business/hello-how-it-works-technology.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md index 6fb3df408c..23acc75c13 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md 
@@ -306,7 +306,7 @@ In a simplified manner, the TPM is a passive component with limited resources. I [Return to Top](hello-how-it-works-technology.md) ## Cloud Experience Host -In Windows 10 Enterprise edition, cloud experience host is a component that helps you join the workplace environment or Azure AD using your company provided credentials. Once you enroll your device to your workplace environment or Azure AD, your organization will be able to manage your PC and collect information about you(including your location). It might add or remove apps or content, change settings, disable features, prevent you from removing your company account, or reset your PC. +In Windows 10 Enterprise edition, Cloud Experience Host is an application that helps you join the workplace environment or Azure AD using your company-provided credentials. Once you enroll your device to your workplace environment or Azure AD, your organization will be able to manage your PC and collect information about you (including your location). It might add or remove apps or content, change settings, disable features, prevent you from removing your company account, or reset your PC. ### Related topics [Windows Hello for Business](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-identity-verification), [Managed Windows Hello in Organization](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-manage-in-organization) From 53e037095bc9b0837f79c9d7c882b2dfc5883d4c Mon Sep 17 00:00:00 2001 From: Nicole Turner <39884432+nenonix@users.noreply.github.com> Date: Wed, 1 May 2019 22:22:25 +0500 Subject: [PATCH 05/39] Update windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md Co-Authored-By: joinimran <47118050+joinimran@users.noreply.github.com> --- .../hello-for-business/hello-how-it-works-technology.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md index 23acc75c13..5f740c9437 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md @@ -309,7 +309,7 @@ In a simplified manner, the TPM is a passive component with limited resources. I In Windows 10 Enterprise edition, Cloud Experience Host is an application that helps you join the workplace environment or Azure AD using your company-provided credentials. Once you enroll your device to your workplace environment or Azure AD, your organization will be able to manage your PC and collect information about you (including your location). It might add or remove apps or content, change settings, disable features, prevent you from removing your company account, or reset your PC. ### Related topics -[Windows Hello for Business](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-identity-verification), [Managed Windows Hello in Organization](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-manage-in-organization) +[Windows Hello for Business](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-identity-verification), [Managed Windows Hello in Organization](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-manage-in-organization) ### More information - [Windows Hello for Business and Device Registration](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration) From c68e5f808b4324e0d7b8c465732ae4d405fe761b Mon Sep 17 00:00:00 2001 
From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Thu, 2 May 2019 12:52:36 +0500 Subject: [PATCH 06/39] Changes applied Changes applied as suggested by copy/edit review. --- .../hello-how-it-works-technology.md | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md index 5f740c9437..015c33f72a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md @@ -24,6 +24,7 @@ ms.date: 10/08/2018 - [Azure AD Registered](#azure-ad-registered) - [Certificate Trust](#certificate-trust) - [Cloud Deployment](#cloud-deployment) +- [Cloud Experience Host](#cloud-experience-host) - [Deployment Type](#deployment-type) - [Endorsement Key](#endorsement-key) - [Federated Environment](#federated-environment) @@ -39,7 +40,6 @@ ms.date: 10/08/2018 - [Storage Root Key](#storage-root-key) - [Trust Type](#trust-type) - [Trusted Platform Module](#trusted-platform-module) -- [Cloud Experience Host](#cloud-experience-host)
## Attestation Identity Keys @@ -100,6 +100,17 @@ The Windows Hello for Business Cloud deployment is exclusively for organizations [Azure AD Joined](#azure-ad-joined), [Azure AD Registered](#azure-ad-registered), [Deployment Type](#deployment-type), [Join Type](#join-type) [Return to Top](hello-how-it-works-technology.md) +## Cloud Experience Host +In Windows 10 Enterprise edition, Cloud Experience Host is an application that helps you join the workplace environment or Azure AD using your company-provided credentials. Once you enroll your device to your workplace environment or Azure AD, your organization will be able to manage your PC and collect information about you (including your location). It might add or remove apps or content, change settings, disable features, prevent you from removing your company account, or reset your PC. + +### Related topics +[Windows Hello for Business](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-identity-verification), [Managed Windows Hello in Organization](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-manage-in-organization) + +### More information +- [Windows Hello for Business and Device Registration](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration) + +[Return to Top](hello-how-it-works-technology.md) + ## Deployment Type Windows Hello for Business has three deployment models to accommodate the needs of different organizations. The three deployment models include: - Cloud 
@@ -305,17 +316,6 @@ In a simplified manner, the TPM is a passive component with limited resources. I [Return to Top](hello-how-it-works-technology.md) -## Cloud Experience Host -In Windows 10 Enterprise edition, Cloud Experience Host is an application that helps you join the workplace environment or Azure AD using your company-provided credentials. Once you enroll your device to your workplace environment or Azure AD, your organization will be able to manage your PC and collect information about you (including your location). It might add or remove apps or content, change settings, disable features, prevent you from removing your company account, or reset your PC. - -### Related topics -[Windows Hello for Business](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-identity-verification), [Managed Windows Hello in Organization](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-manage-in-organization) - -### More information -- [Windows Hello for Business and Device Registration](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration) - -[Return to Top](hello-how-it-works-technology.md) - From 69b54b8d9640c97fc9fedf589dff4c622c995178 Mon Sep 17 00:00:00 2001 From: Jie RONG Date: Fri, 3 May 2019 14:32:52 +0800 Subject: [PATCH 07/39] Update set-up-enterprise-mode-portal.md In previous doc: Step 3, following 10 of To create the website will change the connectionstring to like following: But for Model first connection string, it should be like following as displayed in Web.config in the project folder. This will introduce data access error, throwing "Keyword not supported: 'server'." 2. The fix is in step 1 - 6, just update server name and database name, then remove the manual setting steps in Step 2. --- .../set-up-enterprise-mode-portal.md | 18 +++++------------- 1 file changed, 5 insertions(+), 13 deletions(-) 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md index 47c4caf92b..c6c5cf099e 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md +++ b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md @@ -43,7 +43,10 @@ You must download the deployment folder (**EMIEWebPortal/**), which includes all Installs the npm package manager and bulk adds all the third-party libraries back into your codebase. -6. Go back up a directory, open the solution file **EMIEWebPortal.sln** in Visual Studio, and then build the entire solution. +6. Go back up a directory, open the solution file **EMIEWebPortal.sln** in Visual Studio, open **Web.config** from **EMIEWebPortal/** folder, and replace MSIT-LOB-COMPAT with your server name hosting your database, replace LOBMerged with your database name, and build the entire solution. + + >[!Note] + >Step 3 of this topic provides the steps to create your database. 7. Copy the contents of the **EMIEWebPortal/** folder to a dedicated folder on your file system. For example, _D:\EMIEWebApp_. In a later step, you'll designate this folder as your website in the IIS Manager. @@ -105,17 +108,6 @@ Create a new Application Pool and the website, by using the IIS Manager. >[!Note] >You must also make sure that **Anonymous Authentication** is marked as **Enabled**. -10. Return to the **<website_name> Home** pane, and double-click the **Connection Strings** icon. - -11. Open the **LOBMergedEntities Connection String** to edit: - - - **Data source.** Type the name of your local computer. - - - **Initial catalog.** The name of your database. - - >[!Note] - >Step 3 of this topic provides the steps to create your database. - ## Step 3 - Create and prep your database Create a SQL Server database and run our custom query to create the Enterprise Mode Site List tables. 
@@ -229,4 +221,4 @@ Register the EMIEScheduler tool and service for production site list changes. - [Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md) -- [Use the Enterprise Mode Site List Manager tool or page](use-the-enterprise-mode-site-list-manager.md) \ No newline at end of file +- [Use the Enterprise Mode Site List Manager tool or page](use-the-enterprise-mode-site-list-manager.md) From 2a6248937c504561c5e34d29e9e2074e03dcd851 Mon Sep 17 00:00:00 2001 From: Rona Song <38082753+qrscharmed@users.noreply.github.com> Date: Fri, 3 May 2019 11:27:51 -0700 Subject: [PATCH 08/39] Update faq-wd-app-guard.md --- .../windows-defender-application-guard/faq-wd-app-guard.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md index 8be213c70e..2e9c8a2adc 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md @@ -70,3 +70,9 @@ Answering frequently asked questions about Windows Defender Application Guard (A |**Q:** |What is the WDAGUtilityAccount local account?| |**A:** |This account is part of Application Guard beginning with Windows 10 version 1709 (Fall Creators Update). This account remains disabled until Application Guard is enabled on your device. This item is integrated to the OS and is not considered as a threat/virus/malware.|
+ +| | | +|---|----------------------------| +|**Q:** |How do I trust a subdomain in my site list?| +|**A:** |To trust a subdomain, you must precede your domain with two dots, for example: ..contoso.com.| +
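Review bot: the new answer in faq-wd-app-guard.md does not say what the two-dot prefix matches, and someone maintaining an Application Guard site list needs that scope before adding a trust entry. State whether ..contoso.com covers only subdomains or also contoso.com itself, and how it differs from an entry written without the leading dots. The question says "subdomain" while the answer says "precede your domain"; use one term throughout, and put the example in code formatting so the leading dots read as part of the value rather than as punctuation.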
From 79cc2eea39f66affaf700d8efa707b82b5d8eff7 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sat, 4 May 2019 17:21:18 +0500 Subject: [PATCH 09/39] update start-layout-troubleshoot.md --- windows/configuration/start-layout-troubleshoot.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/configuration/start-layout-troubleshoot.md b/windows/configuration/start-layout-troubleshoot.md index c29f399bba..bab10f57b6 100644 --- a/windows/configuration/start-layout-troubleshoot.md +++ b/windows/configuration/start-layout-troubleshoot.md @@ -280,7 +280,7 @@ Additionally, users may see blank tiles if logon was attempted without network c ### Symptom: Start Menu issues with Tile Data Layer corruption -**Cause**: Windows 10, version 1507 through the release of version 1607 uses a database for the Tile image information. This is called the Tile Data Layer database. +**Cause**: Windows 10, version 1507 through the release of version 1607 uses a database for the Tile image information. This is called the Tile Data Layer database (The feature was deprecated in [Windows 10 1703](https://support.microsoft.com/help/4014193/features-that-are-removed-or-deprecated-in-windows-10-creators-update)). **Resolution** There are steps you can take to fix the icons, first is to confirm that is the issue that needs to be addressed. From a37a05a2f0c48d518a7e5708b3f4f798f823b1b0 Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Mon, 6 May 2019 12:21:36 +0300 Subject: [PATCH 10/39] updated info about NDES server name https://github.com/MicrosoftDocs/windows-itpro-docs/issues/2450 --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index b571ee817f..a5d222346e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md 
@@ -425,7 +425,7 @@ Sign-in a workstation with access equivalent to a _domain user_. 3. Under **MANAGE**, click **Application proxy**. 4. Click **Configure an app**. 5. Under **Basic Settings** next to **Name**, type **WHFB NDES 01**. Choose a name that correlates this Azure AD Application Proxy setting with the on-premises NDES server. Each NDES server must have its own Azure AD Application Proxy as two NDES servers cannot share the same internal URL. -6. Next to **Internal Url**, type the internal fully qualified DNS name of the NDES server associated with this Azure AD Application Proxy. For example, https://ndes.corp.mstepdemo.net). This must match the internal DNS name of the NDES server and ensure you prefix the Url with **https**. +6. Next to **Internal Url**, type the internal fully qualified DNS name of the NDES server associated with this Azure AD Application Proxy. For example, https://ndes.corp.mstepdemo.net). This must match the primary hostname (AD Computer Account name) of the NDES server and ensure you prefix the Url with **https**. 7. Under **Internal Url**, select **https://** from the first list. In the text box next to **https://**, type the hostname you want to use as your external hostname for the Azure AD Application Proxy. In the list next to the hostname you typed, select a DNS suffix you want to use externally for the Azure AD Application Proxy. It is recommended to use the default, -[tenantName].msapproxy.net where **[tenantName]** is your current Azure Active Directory tenant name (-mstephendemo.msappproxy.net). ![Azure NDES Application Proxy Configuration](images/aadjcert/azureconsole-appproxyconfig.png) 8. Select **Passthrough** from the **Pre Authentication** list. From 3d6346be58ff3183923271ae7c7646c34e539fda Mon Sep 17 00:00:00 2001 
From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Mon, 6 May 2019 12:49:49 +0300 Subject: [PATCH 11/39] removed obsolete information https://github.com/MicrosoftDocs/windows-itpro-docs/issues/3085 --- ...policy-csp-localpoliciessecurityoptions.md | 131 ------------------ 1 file changed, 131 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index b1594d5d38..dc9a2c4e0c 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -24,12 +24,6 @@ ms.date: 06/26/2018
LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts
-
- LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus -
-
- LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus -
LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly
@@ -255,131 +249,6 @@ The following list shows the supported values:
- -**LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark3check mark3check mark3check mark3cross markcross mark
- - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -This security setting determines whether the local Administrator account is enabled or disabled. - -If you try to reenable the Administrator account after it has been disabled, and if the current Administrator password does not meet the password requirements, you cannot reenable the account. In this case, an alternative member of the Administrators group must reset the password on the Administrator account. For information about how to reset a password, see To reset a password. -Disabling the Administrator account can become a maintenance issue under certain circumstances. - -Under Safe Mode boot, the disabled Administrator account will only be enabled if the machine is non-domain joined and there are no other local active administrator accounts. If the computer is domain joined the disabled administrator will not be enabled. - -Default: Disabled. - -Value type is integer. Supported operations are Add, Get, Replace, and Delete. - - - -GP Info: -- GP English name: *Accounts: Administrator account status* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - -Valid values: -- 0 - local Administrator account is disabled -- 1 - local Administrator account is enabled - - - - -
- - -**LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark3check mark3check mark3check mark3cross markcross mark
- - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -This security setting determines if the Guest account is enabled or disabled. - -Default: Disabled. - -Note: If the Guest account is disabled and the security option Network Access: Sharing and Security Model for local accounts is set to Guest Only, network logons, such as those performed by the Microsoft Network Server (SMB Service), will fail. - -Value type is integer. Supported operations are Add, Get, Replace, and Delete. - - - -GP Info: -- GP English name: *Accounts: Guest account status* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - -Valid values: -- 0 - local Guest account is disabled -- 1 - local Guest account is enabled - - - - -
- **LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly** From 39a69c639722cab6c188230f9d80ab67f1c30cf9 Mon Sep 17 00:00:00 2001 From: Nicole Turner <39884432+nenonix@users.noreply.github.com> Date: Tue, 7 May 2019 10:19:06 +0300 Subject: [PATCH 12/39] Update windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md Co-Authored-By: VLG17 <41186174+VLG17@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index a5d222346e..f3c76726c8 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md 
@@ -425,7 +425,7 @@ Sign-in a workstation with access equivalent to a _domain user_. 3. Under **MANAGE**, click **Application proxy**. 4. Click **Configure an app**. 5. Under **Basic Settings** next to **Name**, type **WHFB NDES 01**. Choose a name that correlates this Azure AD Application Proxy setting with the on-premises NDES server. Each NDES server must have its own Azure AD Application Proxy as two NDES servers cannot share the same internal URL. -6. Next to **Internal Url**, type the internal fully qualified DNS name of the NDES server associated with this Azure AD Application Proxy. For example, https://ndes.corp.mstepdemo.net). This must match the primary hostname (AD Computer Account name) of the NDES server and ensure you prefix the Url with **https**. +6. Next to **Internal Url**, type the internal, fully qualified DNS name of the NDES server associated with this Azure AD Application Proxy. For example, https://ndes.corp.mstepdemo.net). You need to match the primary host name (AD Computer Account name) of the NDES server, and prefix the URL with **https**. 7. Under **Internal Url**, select **https://** from the first list. In the text box next to **https://**, type the hostname you want to use as your external hostname for the Azure AD Application Proxy. In the list next to the hostname you typed, select a DNS suffix you want to use externally for the Azure AD Application Proxy. It is recommended to use the default, -[tenantName].msapproxy.net where **[tenantName]** is your current Azure Active Directory tenant name (-mstephendemo.msappproxy.net). ![Azure NDES Application Proxy Configuration](images/aadjcert/azureconsole-appproxyconfig.png) 8. Select **Passthrough** from the **Pre Authentication** list. From 6c67c066f897fc0875bf60fbaf1e7a3e68e0dfca Mon Sep 17 00:00:00 2001 
From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Fri, 10 May 2019 10:15:30 +0500 Subject: [PATCH 13/39] Changed applied Changed applied as suggested by @mapalko. --- .../hello-for-business/hello-how-it-works-technology.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md index 015c33f72a..99026497a4 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md 
@@ -101,7 +101,7 @@ The Windows Hello for Business Cloud deployment is exclusively for organizations [Return to Top](hello-how-it-works-technology.md) ## Cloud Experience Host -In Windows 10 Enterprise edition, Cloud Experience Host is an application that helps you join the workplace environment or Azure AD using your company-provided credentials. Once you enroll your device to your workplace environment or Azure AD, your organization will be able to manage your PC and collect information about you (including your location). It might add or remove apps or content, change settings, disable features, prevent you from removing your company account, or reset your PC. +In Windows 10, Cloud Experience Host is an application used while joining the workplace environment or Azure AD for rendering the experience when collecting your company-provided credentials. Once you enroll your device to your workplace environment or Azure AD, your organization will be able to manage your PC and collect information about you (including your location). It might add or remove apps or content, change settings, disable features, prevent you from removing your company account, or reset your PC. ### Related topics [Windows Hello for Business](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-identity-verification), [Managed Windows Hello in Organization](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-manage-in-organization) From 3f8aed8f7b7117226619b32b71b2f35501014996 Mon Sep 17 00:00:00 2001 From: Jose Ortega Date: Sat, 11 May 2019 03:22:18 -0500 Subject: [PATCH 14/39] added note for #874 --- ...ndows-operating-system-components-to-microsoft-services.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 58d06760a9..c669ded36f 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -768,7 +768,9 @@ To remove the News app: - Right-click the app in Start, and then click **Uninstall**. -or- - +>[!IMPORTANT] +> If you have any issue with this commands, go ahead a do a system reboot,and try the scripts again. +> - Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingNews"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** -and- From 7c2b0b98bdea9032629c8f45266e5f5bb13a4fe9 Mon Sep 17 00:00:00 2001 From: illfated Date: Sat, 27 Apr 2019 06:45:36 +0200 Subject: [PATCH 15/39] USMT ScanState Syntax: hidden unescaped characters Asterisks, backslashes or combinations of asterisk and backslash need to be escaped for the character to migrate properly to the docs.microsoft.com site as visible text in HTML. Github shows the characters well enough, but the migration process does not seem to keep the special characters through the MarkDown-to-HTML conversion. In this PR, I have made a "best effort" attempt to resolve the missing or malformed command examples in the "USMT ScanState Syntax" page. Closes #2388 --- .../deployment/usmt/usmt-scanstate-syntax.md | 34 +++++++++---------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/windows/deployment/usmt/usmt-scanstate-syntax.md b/windows/deployment/usmt/usmt-scanstate-syntax.md index 3090160049..67c879d27a 100644 
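Review bot: In PATCH 14/39, the new [!IMPORTANT] callout is inserted directly after "-or-" and before the "Remove the app for new user accounts" item, so "-or-" now introduces the callout instead of the alternative, and "this commands" points at a command the reader has not reached yet. Move the callout below the PowerShell command it refers to, keep the blank line that the hunk removes, and fix the wording in this same patch ("this commands", "go ahead a do", "reboot,and") so it needs no follow-up commits.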
--- a/windows/deployment/usmt/usmt-scanstate-syntax.md +++ b/windows/deployment/usmt/usmt-scanstate-syntax.md @@ -455,9 +455,9 @@ By default, all users are migrated. The only way to specify which users to inclu

USMT migrates all user accounts on the computer, unless you specifically exclude an account with either the /ue or /uel options. For this reason, you do not need to specify this option on the command line. However, if you choose to specify the /all option, you cannot also use the /ui, /ue or /uel options.

-

/ui:<DomainName>\<UserName>

+

/ui:<DomainName>\\<UserName>

or

-

/ui:<ComputerName>\<LocalUserName>

+

/ui:<ComputerName>\\<LocalUserName>

(User include)

Migrates the specified users. By default, all users are included in the migration. Therefore, this option is helpful only when used with the /ue or /uel options. You can specify multiple /ui options, but you cannot use the /ui option with the /all option. DomainName and UserName can contain the asterisk (*) wildcard character. When you specify a user name that contains spaces, you will need to surround it with quotation marks.
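Review bot: The added syntax lines "/ui:<DomainName>\\<UserName>" and "/ui:<ComputerName>\\<LocalUserName>" put Markdown escapes into text that readers copy onto a ScanState command line, so the source and the rendered page no longer show the same string. Since /ui and /ue decide which accounts are migrated, prefer marking these as code (code span or code block) so a single backslash is shown literally in both places, instead of relying on the converter to collapse "\\".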

@@ -469,10 +469,10 @@ By default, all users are migrated. The only way to specify which users to inclu

For example:

    -
  • To include only User2 from the Fabrikam domain, type:

    -

    /ue:*\* /ui:fabrikam\user2

  • -
  • To migrate all users from the Fabrikam domain, and only the user accounts from other domains that have been active or otherwise modified in the last 30 days, type:

    -

    /uel:30 /ui:fabrikam\*

    +

    To include only User2 from the Fabrikam domain, type:

    +

    /ue:\*\\\* /ui:fabrikam\user2

    +

    To migrate all users from the Fabrikam domain, and only the user accounts from other domains that have been active or otherwise modified in the last 30 days, type:

    +

    /uel:30 /ui:fabrikam\\\*

    In this example, a user account from the Contoso domain that was last modified 2 months ago will not be migrated.

For more examples, see the descriptions of the /ue and /ui options in this table.
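Review bot: The two examples under "For example:" lose their list markers in this hunk (the removed lines start with "•", the added lines "To include only User2 ..." and "To migrate all users ..." do not), which the commit message does not mention. If the list is being flattened on purpose, say so in the message; otherwise keep the bullets and limit the change to the escaped characters. Note also that "/ui:fabrikam\user2" keeps a bare backslash while "/ui:fabrikam\\\*" two lines later escapes it.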

@@ -500,17 +500,17 @@ By default, all users are migrated. The only way to specify which users to inclu
  • /uel:2002/1/15 migrates users who have logged on or been modified January 15, 2002 or afterwards.

  • For example:

    -

    scanstate /i:migapp.xml /i:migdocs.xml \\server\share\migration\mystore /uel:0

    +

    scanstate /i:migapp.xml /i:migdocs.xml \\\server\share\migration\mystore /uel:0

    -

    /ue:<DomainName>\<UserName>

    +

    /ue:<DomainName>\\<UserName>

    -or-

    -

    /ue:<ComputerName>\<LocalUserName>

    +

    /ue:<ComputerName>\\<LocalUserName>

    (User exclude)

    Excludes the specified users from the migration. You can specify multiple /ue options. You cannot use this option with the /all option. <DomainName> and <UserName> can contain the asterisk (*) wildcard character. When you specify a user name that contains spaces, you need to surround it with quotation marks.

    For example:

    -

    scanstate /i:migdocs.xml /i:migapp.xml \\server\share\migration\mystore /ue:contoso\user1

    +

    scanstate /i:migdocs.xml /i:migapp.xml \\\server\share\migration\mystore /ue:contoso\user1
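Review bot: In both added scanstate lines the UNC prefix is written with three backslashes ("\\\server\share\migration\mystore"), which yields the intended two only because "\s" is not an escape sequence, while the separators further along the path stay single. Either escape every backslash in the path or, better, put the whole command in a code span so the store path is shown exactly as it must be typed.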

    @@ -548,15 +548,15 @@ The following examples apply to both the /**ui** and /**ue** options. You can re

    Exclude all domain users.

    -

    /ue:Domain\*

    +

    /ue:Domain\\\*

    Exclude all local users.

    -

    /ue:%computername%\*

    +

    /ue:%computername%\\\*

    Exclude users in all domains named User1, User2, and so on.

    -

    /ue:*\user*

    +

    /ue:\*\user\*

    @@ -586,23 +586,23 @@ The /**uel** option takes precedence over the /**ue** option. If a user has logg

    Include only User2 from the Fabrikam domain and exclude all other users.

    -

    /ue:*\* /ui:fabrikam\user2

    +

    /ue:\*\\\* /ui:fabrikam\user2

    Include only the local user named User1 and exclude all other users.

    -

    /ue:*\* /ui:user1

    +

    /ue:\*\\\* /ui:user1

    Include only the domain users from Contoso, except Contoso\User1.

    This behavior cannot be completed using a single command. Instead, to migrate this set of users, you will need to specify the following:

      -
    • On the ScanState command line, type: /ue:*\* /ui:contoso\*

    • +
    • On the ScanState command line, type: /ue:\*\\\* /ui:contoso\*

    • On the LoadState command line, type: /ue:contoso\user1

    Include only local (non-domain) users.

    -

    /ue:*\* /ui:%computername%\*

    +

    /ue:\*\\\* /ui:%computername%\\\*
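Review bot: On the added ScanState line for the Contoso case, "/ue:\*\\\* /ui:contoso\*", the second pattern is left as "contoso\*", which under the escaping rule this patch applies everywhere else renders as "contoso*" with the domain separator gone. Write it as "contoso\\\*", matching "%computername%\\\*" in the last example of this hunk, or mark the command as code. A pattern without the separator no longer expresses "all users in the Contoso domain", and the reader would not notice until the wrong set of accounts is migrated.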

    From 0c29aa345115c4123bf56a0990cc79c8ea108645 Mon Sep 17 00:00:00 2001 From: illfated Date: Sat, 27 Apr 2019 07:39:02 +0200 Subject: [PATCH 16/39] Use ASCII character codes instead of backslash - change from using backslashes as escape character to use \ as the direct character for backslash - replace asterisks with * where needed --- .../deployment/usmt/usmt-scanstate-syntax.md | 30 +++++++++---------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/windows/deployment/usmt/usmt-scanstate-syntax.md b/windows/deployment/usmt/usmt-scanstate-syntax.md index 67c879d27a..15e9ea1b2d 100644 --- a/windows/deployment/usmt/usmt-scanstate-syntax.md +++ b/windows/deployment/usmt/usmt-scanstate-syntax.md @@ -455,9 +455,9 @@ By default, all users are migrated. The only way to specify which users to inclu

    USMT migrates all user accounts on the computer, unless you specifically exclude an account with either the /ue or /uel options. For this reason, you do not need to specify this option on the command line. However, if you choose to specify the /all option, you cannot also use the /ui, /ue or /uel options.

    -

    /ui:<DomainName>\\<UserName>

    +

    /ui:<DomainName>\<UserName>

    or

    -

    /ui:<ComputerName>\\<LocalUserName>

    +

    /ui:<ComputerName>\<LocalUserName>

    (User include)

    Migrates the specified users. By default, all users are included in the migration. Therefore, this option is helpful only when used with the /ue or /uel options. You can specify multiple /ui options, but you cannot use the /ui option with the /all option. DomainName and UserName can contain the asterisk (*) wildcard character. When you specify a user name that contains spaces, you will need to surround it with quotation marks.
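Review bot: The lines added here, starting with "/ui:<DomainName>\<UserName>", are character for character the lines that PATCH 15/39 removed, so as shown the two patches cancel each other out on every line they touch. If the difference is in character references that the viewer decodes, name them literally in the commit message (which currently reads "use \ as the direct character for backslash"), and squash 15 and 16 so the series carries no intermediate escaped state.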

    @@ -470,9 +470,9 @@ By default, all users are migrated. The only way to specify which users to inclu

    For example:

      To include only User2 from the Fabrikam domain, type:

      -

      /ue:\*\\\* /ui:fabrikam\user2

      +

      /ue:*\* /ui:fabrikam\user2

      To migrate all users from the Fabrikam domain, and only the user accounts from other domains that have been active or otherwise modified in the last 30 days, type:

      -

      /uel:30 /ui:fabrikam\\\*

      +

      /uel:30 /ui:fabrikam\*

      In this example, a user account from the Contoso domain that was last modified 2 months ago will not be migrated.

    For more examples, see the descriptions of the /ue and /ui options in this table.

    @@ -500,17 +500,17 @@ By default, all users are migrated. The only way to specify which users to inclu
  • /uel:2002/1/15 migrates users who have logged on or been modified January 15, 2002 or afterwards.

  • For example:

    -

    scanstate /i:migapp.xml /i:migdocs.xml \\\server\share\migration\mystore /uel:0

    +

    scanstate /i:migapp.xml /i:migdocs.xml \\server\share\migration\mystore /uel:0

    -

    /ue:<DomainName>\\<UserName>

    +

    /ue:<DomainName>\<UserName>

    -or-

    -

    /ue:<ComputerName>\\<LocalUserName>

    +

    /ue:<ComputerName>\<LocalUserName>

    (User exclude)

    Excludes the specified users from the migration. You can specify multiple /ue options. You cannot use this option with the /all option. <DomainName> and <UserName> can contain the asterisk (*) wildcard character. When you specify a user name that contains spaces, you need to surround it with quotation marks.

    For example:

    -

    scanstate /i:migdocs.xml /i:migapp.xml \\\server\share\migration\mystore /ue:contoso\user1

    +

    scanstate /i:migdocs.xml /i:migapp.xml \\server\share\migration\mystore /ue:contoso\user1

    @@ -548,15 +548,15 @@ The following examples apply to both the /**ui** and /**ue** options. You can re

    Exclude all domain users.

    -

    /ue:Domain\\\*

    +

    /ue:Domain\*

    Exclude all local users.

    -

    /ue:%computername%\\\*

    +

    /ue:%computername%\*

    Exclude users in all domains named User1, User2, and so on.

    -

    /ue:\*\user\*

    +

    /ue:*\user*

    @@ -586,23 +586,23 @@ The /**uel** option takes precedence over the /**ue** option. If a user has logg

    Include only User2 from the Fabrikam domain and exclude all other users.

    -

    /ue:\*\\\* /ui:fabrikam\user2

    +

    /ue:*\* /ui:fabrikam\user2

    Include only the local user named User1 and exclude all other users.

    -

    /ue:\*\\\* /ui:user1

    +

    /ue:*\* /ui:user1

    Include only the domain users from Contoso, except Contoso\User1.

    This behavior cannot be completed using a single command. Instead, to migrate this set of users, you will need to specify the following:

      -
    • On the ScanState command line, type: /ue:\*\\\* /ui:contoso\*

    • +
    • On the ScanState command line, type: /ue:*\* /ui:contoso\*

    • On the LoadState command line, type: /ue:contoso\user1

    Include only local (non-domain) users.

    -

    /ue:\*\\\* /ui:%computername%\\\*

    +

    /ue:*\* /ui:%computername%\*

    From 4841ee484624fccc9d8d0145a51e48ab0e9046d0 Mon Sep 17 00:00:00 2001 From: illfated Date: Fri, 10 May 2019 23:38:20 +0200 Subject: [PATCH 17/39] Microsoft Accounts: small typo correction Change proposed: change the typo "a mean of identifying a user" to `a means of identifying a user` Closes #3601 --- .../identity-protection/access-control/microsoft-accounts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/access-control/microsoft-accounts.md b/windows/security/identity-protection/access-control/microsoft-accounts.md index 38c26d9546..18d956384e 100644 --- a/windows/security/identity-protection/access-control/microsoft-accounts.md +++ b/windows/security/identity-protection/access-control/microsoft-accounts.md @@ -22,7 +22,7 @@ ms.date: 10/13/2017 This topic for the IT professional explains how a Microsoft account works to enhance security and privacy for users, and how you can manage this consumer account type in your organization. -Microsoft sites, services, and properties, as well as computers running Windows 10, can use a Microsoft account as a mean of identifying a user. Microsoft account was previously called Windows Live ID. It has user-defined secrets, and consists of a unique email address and a password. +Microsoft sites, services, and properties, as well as computers running Windows 10, can use a Microsoft account as a means of identifying a user. Microsoft account was previously called Windows Live ID. It has user-defined secrets, and consists of a unique email address and a password. When a user signs in with a Microsoft account, the device is connected to cloud services. Many of the user's settings, preferences, and apps can be shared across devices. From 5b409467b1ef06aeeaaa6c6d221931236db7c141 Mon Sep 17 00:00:00 2001 
From: Nicole Turner <39884432+nenonix@users.noreply.github.com> Date: Sat, 11 May 2019 14:21:14 +0200 Subject: [PATCH 18/39] Update advanced-security-audit-policy-settings.md Typo line 93 fixes https://github.com/MicrosoftDocs/windows-itpro-docs/issues/3587 --- .../auditing/advanced-security-audit-policy-settings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md index 842cb0b7bb..6ce2b1bc64 100644 --- a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md +++ b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md 
@@ -90,7 +90,7 @@ Logon/Logoff security policy settings and audit events allow you to track attemp ## Object Access -Object Access policy settings and audit events allow you to track attempts to access specific objects or types of objects on a network or computer. To audit attempts to access a file, directory, registry key, or any other object, you must enable the appropriate object Aaccess auditing subcategory for success and/or failure events. For example, the file system subcategory needs to be enabled to audit file operations, and the Registry subcategory needs to be enabled to audit registry accesses. +Object Access policy settings and audit events allow you to track attempts to access specific objects or types of objects on a network or computer. To audit attempts to access a file, directory, registry key, or any other object, you must enable the appropriate Object Access auditing subcategory for success and/or failure events. For example, the file system subcategory needs to be enabled to audit file operations, and the Registry subcategory needs to be enabled to audit registry accesses. Proving that these audit policies are in effect to an external auditor is more difficult. There is no easy way to verify that the proper SACLs are set on all inherited objects. To address this issue, see [Global Object Access Auditing](#global-object-access-auditing). From 4ff728b4c6f1025ad8413725522693400c7fcea9 Mon Sep 17 00:00:00 2001 From: Jose Ortega Date: Sat, 11 May 2019 12:09:40 -0500 Subject: [PATCH 19/39] @Illfated corrections --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index c669ded36f..2c21af8eba 100644 
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -769,7 +769,7 @@ To remove the News app: -or- >[!IMPORTANT] -> If you have any issue with this commands, go ahead a do a system reboot,and try the scripts again. +> If you have any issue with these commands, go ahead a do a system reboot, and try the scripts again. > - Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingNews"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** From 7c787e3a2c8fe1754a18470c91cc3d0669dbb033 Mon Sep 17 00:00:00 2001 From: Jose Gabriel Ortega Castro Date: Sat, 11 May 2019 14:47:53 -0500 Subject: [PATCH 20/39] More Illfated corrections :) thank you Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 2c21af8eba..67e8c2419e 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
@@ -769,7 +769,7 @@ To remove the News app: -or- >[!IMPORTANT] -> If you have any issue with these commands, go ahead a do a system reboot, and try the scripts again. +> If you have any issues with these commands, do a system reboot and try the scripts again. > - Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingNews"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** From 36ad8a02943d2ffd1f48afacc1edc1ff613d3d50 Mon Sep 17 00:00:00 2001 From: sccmentor Date: Sun, 12 May 2019 11:18:47 +0100 Subject: [PATCH 21/39] Update waas-manage-updates-wufb.md --- windows/deployment/update/waas-manage-updates-wufb.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md index be96b68e59..19a38e1f89 100644 --- a/windows/deployment/update/waas-manage-updates-wufb.md +++ b/windows/deployment/update/waas-manage-updates-wufb.md 
@@ -85,13 +85,13 @@ Starting with Windows 10, version 1709, the Windows Update for Business settings | Manage Windows Insider Preview builds | System/AllowBuildPreview | Update/ManagePreviewBuilds | | Manage when updates are received | Select when Feature Updates are received | Select when Preview Builds and Feature Updates are received (Update/BranchReadinessLevel) | -## Managing Windows Update for Business with Software Center Configuration Manager +## Managing Windows Update for Business with System Center Configuration Manager -Starting with Windows 10, version 1709, you can assign a collection of devices to have dual scan enabled and manage that collection with Windows Update for Business policies. Starting with Windows 10, version 1809, you can set a collection of devices to receive the Windows Insider Preview Feature Updates from Windows Update from within Software Center Configuration Manager. +Starting with Windows 10, version 1709, you can assign a collection of devices to have dual scan enabled and manage that collection with Windows Update for Business policies. Starting with Windows 10, version 1809, you can set a collection of devices to receive the Windows Insider Preview Feature Updates from Windows Update from within System Center Configuration Manager. 
| Action | Windows 10 versions between 1709 and 1809 | Windows 10 versions after 1809 | | --- | --- | --- | -| Manage Windows Update for Business in Configuration Manager | Manage Feature or Quality Updates with Windows Update for Business via Dual Scan | Manage Insider pre-release builds with Windows Update for Business within Software Center Configuration Manager | +| Manage Windows Update for Business in Configuration Manager | Manage Feature or Quality Updates with Windows Update for Business via Dual Scan | Manage Insider pre-release builds with Windows Update for Business within System Center Configuration Manager | ## Managing Windows Update for Business with Windows Settings options Windows Settings includes options to control certain Windows Update for Business features: From 12147107edb489af66f821a83bf816fdfafa1258 Mon Sep 17 00:00:00 2001 From: Lindsay <45809756+lindspea@users.noreply.github.com> Date: Mon, 13 May 2019 07:18:18 +0200 Subject: [PATCH 22/39] Update appv-creating-and-managing-virtualized-applications.md Updated extensions. --- ...reating-and-managing-virtualized-applications.md | 13 ++----------- 1 file changed, 2 insertions(+), 11 deletions(-) diff --git a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md index dca1b3b048..a2e9327cb3 100644 --- a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md +++ b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md 
@@ -93,20 +93,11 @@ The following table lists the supported shell extensions: Copy on write (CoW) file extensions allow App-V to dynamically write to specific locations contained in the virtual package while it is being used. -The following table displays the file types that can exist in a virtual package under the VFS directory, but cannot be updated on the computer running the App-V client. All other files and directories can be modified. +The following table displays the file types that can exist in a virtual package under the VFS directory, since App-V 5.1, but cannot be updated on the computer running the App-V client. All other files and directories can be modified. | File Type|||||| |---|---|---|---|---|---| -| .acm | .asa | .asp | .aspx | .ax | .bat | -| .cer | .chm | .clb | .cmd | .cnt | .cnv | -| .com | .cpl | .cpx | .crt | .dll | .drv | -| .esc | .exe | .fon | .grp | .hlp | .hta | -| .ime | .inf | .ins | .isp | .its | .js | -| .jse | .lnk | .msc | .msi | .msp | .mst | -| .mui | .nls | .ocx | .pal | .pcd | .pif | -| .reg | .scf | .scr | .sct | .shb | .shs | -| .sys | .tlb | .tsp | .url | .vb | .vbe | -| .vbs | .vsmacros | .ws | .wsf | .wsh | | +| .com | .exe | .dll | .ocx | | ## Modifying an existing virtual application package From 412888018f32607672f3e3a839a30e579cee5b26 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Mon, 13 May 2019 17:08:19 +0500 Subject: [PATCH 23/39] update microsoft-store-for-business-overview.md --- store-for-business/microsoft-store-for-business-overview.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/store-for-business/microsoft-store-for-business-overview.md b/store-for-business/microsoft-store-for-business-overview.md index 0bf1fdc2d4..f6afc25250 100644 --- a/store-for-business/microsoft-store-for-business-overview.md +++ b/store-for-business/microsoft-store-for-business-overview.md 
@@ -28,8 +28,8 @@ Organizations or schools of any size can benefit from using Microsoft Store for - **Scales to fit the size of your business** - For smaller businesses, with Azure AD accounts or Office 365 accounts and Windows 10 devices, you can quickly have an end-to-end process for acquiring and distributing content using the Store for Business. For larger businesses, all the capabilities of the Store for Business are available to you, or you can integrate Microsoft Store for Business with management tools, for greater control over access to apps and app updates. You can use existing work or school accounts. - **Bulk app acquisition** - Acquire apps in volume from Microsoft Store for Business. - **Centralized management** – Microsoft Store provides centralized management for inventory, billing, permissions, and order history. You can use Microsoft Store to view, manage and distribute items purchased from: - - **Microsoft Store for Business** – Apps and subscriptions - - **Microsoft Store for Education** – Apps and subscriptions + - **Microsoft Store for Business** – Apps acquired from Microsoft Store for Business + - **Microsoft Store for Education** – Apps acquired from Microsoft Store for Education - **Office 365** – Subscriptions - **Volume licensing** - Apps purchased with volume licensing - **Private store** - Create a private store for your business that’s easily available from any Windows 10 device. Your private store is available from Microsoft Store on Windows 10, or with a browser on the Web. People in your organization can download apps from your organization's private store on Windows 10 devices. From bc4f9a20eb45721386f3bfb236894d72c009c331 Mon Sep 17 00:00:00 2001 
From: Lindsay <45809756+lindspea@users.noreply.github.com> Date: Mon, 13 May 2019 18:09:47 +0200 Subject: [PATCH 24/39] Update windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../appv-creating-and-managing-virtualized-applications.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md index a2e9327cb3..9a68fb9338 100644 --- a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md +++ b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md @@ -93,7 +93,7 @@ The following table lists the supported shell extensions: Copy on write (CoW) file extensions allow App-V to dynamically write to specific locations contained in the virtual package while it is being used. -The following table displays the file types that can exist in a virtual package under the VFS directory, since App-V 5.1, but cannot be updated on the computer running the App-V client. All other files and directories can be modified. +The following table displays the file types that can exist in a virtual package under the VFS directory, since App-V 5.1, but which cannot be updated on the computer running the App-V client. All other files and directories can be modified. | File Type|||||| |---|---|---|---|---|---| From da0b5bab3173f4f76393ebb99c18ee787d942890 Mon Sep 17 00:00:00 2001 From: Deland-Han Date: Tue, 14 May 2019 15:59:53 +0800 Subject: [PATCH 25/39] finish --- ...windows-10-device-automatically-using-group-policy.md | 9 +++++++++ 1 file changed, 9 insertions(+) 
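Review bot: In the copy-on-write paragraph that PATCH 22/39 and this follow-up PATCH 24/39 both edit, "since App-V 5.1" sits between "can exist in a virtual package under the VFS directory" and "cannot be updated", so it is unclear which of the two it qualifies and what applies to earlier clients. PATCH 22/39 also cuts the table of non-updatable file types to four entries (.com, .exe, .dll, .ocx) with only "Updated extensions." as justification, which means types such as .bat, .cmd, .vbs and .msi are now documented as modifiable inside a package; cite the source for the new list. The replacement row has five cells under a six-column header.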
diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index 24e4a9039a..b79c6c1219 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -108,6 +108,15 @@ Requirements: - Ensure that PCs belong to same computer group. 1. Create a Group Policy Object (GPO) and enable the Group Policy **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM** > **Enable automatic MDM enrollment using default Azure AD credentials**. + >[!Note] + >If you do not see the policy, it may be caused because you don’t have the ADMX installed for Windows 10, version 1803. To fix the issue, follow these steps: + > 1. Download [Administrative Templates (.admx) for Windows 10 April 2018 Update (1803) +](https://www.microsoft.com/en-us/download/details.aspx?id=56880). + > 2. Install the package on the Primary Domain Controller. + > 3. Navigate to the folder **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 April 2018 Update (1803) v2**. + > 4. Copy policy definitions folder to **C:\Windows\SYSVOL\domain\Policies**. + > 5. Restart the Primary Domain Controller for the policy to be available. + 2. Create a Security Group for the PCs. 3. Link the GPO. 4. Filter using Security Groups. From 66ad8d2fe9ff84666a9d27b17066f79756ab32e0 Mon Sep 17 00:00:00 2001 
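Review bot: In PATCH 25/39, step 4 of the added note ("Copy policy definitions folder to C:\Windows\SYSVOL\domain\Policies") should name the folder being copied and say what effect the copy has, since the destination is under SYSVOL and so is not local to one machine. Step 5 asks for a restart of the "Primary Domain Controller", a disruptive action for a template change; state why it is needed or drop the step. The link in step 1 is split across two lines before "](", "[!Note]" differs from the "[!IMPORTANT]" casing used elsewhere in this series, and "it may be caused because" reads better as "it may be because".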
From: Nicole Turner <39884432+nenonix@users.noreply.github.com> Date: Wed, 15 May 2019 02:24:51 +0200 Subject: [PATCH 26/39] Typos Typos fixed, "prerequistes" and a few others --- .../hello-for-business/feature-multifactor-unlock.md | 2 +- .../hello-cert-trust-validate-ad-prereq.md | 2 +- .../hello-cert-trust-validate-deploy-mfa.md | 2 +- .../hello-how-it-works-provisioning.md | 10 +++++----- .../hello-how-it-works-tech-deep-dive.md | 2 +- .../hello-for-business/hello-hybrid-aadj-sso-base.md | 2 +- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 10 +++++----- .../hello-hybrid-cert-new-install.md | 4 ++-- .../hello-hybrid-cert-trust-devreg.md | 4 ++-- .../hello-hybrid-cert-trust-prereqs.md | 6 +++--- .../hello-for-business/hello-hybrid-cert-trust.md | 4 ++-- .../hello-hybrid-cert-whfb-provision.md | 6 +++--- .../hello-hybrid-cert-whfb-settings-ad.md | 2 +- .../hello-hybrid-cert-whfb-settings-adfs.md | 2 +- .../hello-hybrid-cert-whfb-settings-dir-sync.md | 2 +- .../hello-hybrid-cert-whfb-settings-pki.md | 2 +- .../hello-hybrid-cert-whfb-settings-policy.md | 2 +- .../hello-hybrid-cert-whfb-settings.md | 2 +- .../hello-for-business/hello-hybrid-key-new-install.md | 4 ++-- .../hello-hybrid-key-trust-devreg.md | 2 +- .../hello-hybrid-key-trust-dirsync.md | 2 +- .../hello-hybrid-key-trust-prereqs.md | 6 +++--- .../hello-for-business/hello-hybrid-key-trust.md | 4 ++-- .../hello-hybrid-key-whfb-settings-ad.md | 2 +- .../hello-hybrid-key-whfb-settings-dir-sync.md | 2 +- .../hello-hybrid-key-whfb-settings-policy.md | 2 +- .../hello-hybrid-key-whfb-settings.md | 2 +- ...ecurity-and-windows-defender-application-control.md | 2 +- 28 files changed, 47 insertions(+), 47 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md index 1f39421330..f2be2a30e9 100644 
--- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md +++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md @@ -252,7 +252,7 @@ Contains numeric value ranging from 0 to 100 to represent the wireless network's 80 ``` -### Sample Trusted Signal Congfigurations +### Sample Trusted Signal Configurations These examples are wrapped for readability. Once properly formatted, the entire XML contents must be a single line. diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md index 18164a1c75..5f3098ebca 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md @@ -66,7 +66,7 @@ Sign-in a domain controller or management workstation with domain administrator The Windows Hello for Business Users group is used to make it easy to deploy Windows Hello for Business in phases. You assign Group Policy and Certificate template permissions to this group to simplify the deployment by simply adding the users to the group. This provides them the proper permissions to provision Windows Hello for Business and to enroll in the Windows Hello for Business authentication certificate. -Sign-in a domain controller or management workstation with domain administrator equivalent credentials. +Sign into a domain controller or management workstation with domain administrator equivalent credentials. 1. Open **Active Directory Users and Computers**. 2. Click **View** and click **Advanced Features**. 
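Review bot: In PATCH 26/39, the hello-cert-trust-validate-ad-prereq.md hunk changes "Sign-in a domain controller" to "Sign into a domain controller", but the hunk header still shows the original "Sign-in a domain controller or management workstation with domain administrator" wording earlier in the same file, so the page ends up with two forms. Use "Sign in to a domain controller or management workstation ..." in both places.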
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md index ac2f4ba332..a60c81e9c1 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md @@ -42,7 +42,7 @@ A lab or proof-of-concept environment does not need high-availability or scalabi Please follow [Download the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#download-the-azure-multi-factor-authentication-server) to download Azure MFA server. >[!IMPORTANT] ->Make sure to validate the requirements for Azure MFA server, as outlined in [Install and Configure the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#install-and-configure-the-azure-multi-factor-authentication-server) before proceeding. Do not use instllation instructions provided in the article. +>Make sure to validate the requirements for Azure MFA server, as outlined in [Install and Configure the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#install-and-configure-the-azure-multi-factor-authentication-server) before proceeding. Do not use installation instructions provided in the article. Once you have validated all the requirements, please proceed to [Configure or Deploy Multifactor Authentication Services](hello-cert-trust-deploy-mfa.md). 
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md index f07f4f199a..2956967c1f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md @@ -66,7 +66,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong, |C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID to the application which signals the end of user provisioning and the application exits.| |D | Azure AD Connect requests updates on its next synchronization cycle. Azure Active Directory sends the user's public key that was securely registered through provisioning. AAD Connect receives the public key and writes it to user's msDS-KeyCredentialLink attribute in Active Directory.| > [!IMPORTANT] -> The newly provisionied user will not be able to sign in using Windows Hello for Business until Azure AD Connect successfully synchronizes the public key to the on-premises Active Directory. +> The newly provisioned user will not be able to sign in using Windows Hello for Business until Azure AD Connect successfully synchronizes the public key to the on-premises Active Directory. 
@@ -86,7 +86,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong, |H | The application receives the newly issued certificate and installs the it into the Personal store of the user. This signals the end of provisioning.| |F | Azure AD Connect requests updates on its next synchronization cycle. Azure Active Directory sends the user's public key that was securely registered through provisioning. AAD Connect receives the public key and writes it to user's msDS-KeyCredentialLink attribute in Active Directory.| > [!IMPORTANT] -> The newly provisionied user will not be able to sign in using Windows Hello for Business until Azure AD Connect successfully synchronizes the public key to the on-premises Active Directory. +> The newly provisioned user will not be able to sign in using Windows Hello for Business until Azure AD Connect successfully synchronizes the public key to the on-premises Active Directory. [Return to top](#windows-hello-for-business-provisioning) 
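Review bot: Row H in this hunk's context still reads "installs the it into the Personal store of the user", a stray word that a typo pass over this file should pick up; change it to "installs it into". The same sentence appears in row G of the two synchronous Certificate Trust tables touched by the following hunks of this file.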
@@ -103,12 +103,12 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong, |F |The registration authority sends the certificate request to the enterprise issuing certificate authority. The certificate authority validates the certificate request is signed by a valid enrollment agent and, on success, issues a certificate and returns it to the registration authority that then returns the certificate to the application.| |G | The application receives the newly issued certificate and installs the it into the Personal store of the user. This signals the end of provisioning.| > [!IMPORTANT] -> Synchronous certificate enrollment does not depend on Azure AD Connect to syncrhonize the user's public key to issue the Windows Hello for Business authentication certificate. Users can sign-in using the certificate immediately after provisioning completes. Azure AD Connect continues to synchronize the public key to Active Directory, but is not show in this flow. +> Synchronous certificate enrollment does not depend on Azure AD Connect to synchronize the user's public key to issue the Windows Hello for Business authentication certificate. Users can sign-in using the certificate immediately after provisioning completes. Azure AD Connect continues to synchronize the public key to Active Directory, but is not shown in this flow. [Return to top](#windows-hello-for-business-provisioning) ## Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Federated environment -![Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Fedeerated environment](images/howitworks/prov-haadj-instant-certtrust-federated.png) +![Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Federated environment](images/howitworks/prov-haadj-instant-certtrust-federated.png) | Phase | Description | | :----: | :----------- | 
@@ -120,7 +120,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong, |F |The registration authority sends the certificate request to the enterprise issuing certificate authority. The certificate authority validates the certificate request is signed by a valid enrollment agent and, on success, issues a certificate and returns it to the registration authority that then returns the certificate to the application.| |G | The application receives the newly issued certificate and installs the it into the Personal store of the user. This signals the end of provisioning.| > [!IMPORTANT] -> Synchronous certificate enrollment does not depend on Azure AD Connect to syncrhonize the user's public key to issue the Windows Hello for Business authentication certificate. Users can sign-in using the certificate immediately after provisioning completes. Azure AD Connect continues to synchronize the public key to Active Directory, but is not show in this flow. +> Synchronous certificate enrollment does not depend on Azure AD Connect to synchronize the user's public key to issue the Windows Hello for Business authentication certificate. Users can sign-in using the certificate immediately after provisioning completes. Azure AD Connect continues to synchronize the public key to Active Directory, but is not shown in this flow. [Return to top](#windows-hello-for-business-provisioning) ## Domain joined provisioning in an On-premises Key Trust deployment diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md index e3304e2432..db2d7fb8c4 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md 
@@ -43,6 +43,6 @@ Provision can occur automatically through the out-of-box-experience (OOBE) on Az ## Authentication -Authentication using Windows Hello for Business is the goal, and the first step in getting to a passwordless environment. With the device registered, and provisioning complete. Users can sign-in to Windows 10 using biometrics or a PIN. PIN is the most common gesture and is avaiable on most computers and devices. Regardless of the gesture used, authentication occurs using the private portion of the Windows Hello for Business credential. The PIN nor the private portion of the credential are never sent to the identity provider, and the PIN is not stored on the device. It is user provided entropy when performing operations that use the private portion of the credential. +Authentication using Windows Hello for Business is the goal, and the first step in getting to a passwordless environment. With the device registered, and provisioning complete. Users can sign-in to Windows 10 using biometrics or a PIN. PIN is the most common gesture and is available on most computers and devices. Regardless of the gesture used, authentication occurs using the private portion of the Windows Hello for Business credential. The PIN nor the private portion of the credential are never sent to the identity provider, and the PIN is not stored on the device. It is user provided entropy when performing operations that use the private portion of the credential. [How Windows Hello for Business authentication works](hello-how-it-works-authentication.md) \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index d231dc9a9c..9b7f3e1490 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md 
@@ -283,7 +283,7 @@ A **Trusted Certificate** device configuration profile is how you deploy trusted 3. In the **Create profle** blade, type **Enterprise Root Certificate** in **Name**. Provide a description. Select **Windows 10 and later** from the **Platform** list. Select **Trusted certificate** from the **Profile type** list. Click **Configure**. 4. In the **Trusted Certificate** blade, use the folder icon to browse for the location of the enterprise root certificate file you created in step 8 of [Export Enterprise Root certificate](#export-enterprise-root-certificate). Click **OK**. Click **Create**. ![Intune Trusted Certificate Profile](images/aadj/intune-create-trusted-certificate-profile.png) -5. In the **Enterprise Root Certificate** blade, click **Assignmnets**. In the **Include** tab, select **All Devices** from the **Assign to** list. Click **Save**. +5. In the **Enterprise Root Certificate** blade, click **Assignments**. In the **Include** tab, select **All Devices** from the **Assign to** list. Click **Save**. ![Intune Profile assignment](images/aadj/intune-device-config-enterprise-root-assignment.png) 6. Sign out of the Microsoft Azure Portal. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 5ea3bbbae9..6dd3b3879d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md 
@@ -69,8 +69,8 @@ To include the on-premises distinguished name in the certificate's subject, Azur ### Verify AAD Connect version Sign-in to computer running Azure AD Connect with access equivalent to _local administrator_. -1. Open **Syncrhonization Services** from the **Azure AD Connect** folder. -2. In the **Syncrhonization Service Manager**, click **Help** and then click **About**. +1. Open **Synchronization Services** from the **Azure AD Connect** folder. +2. In the **Synchronization Service Manager**, click **Help** and then click **About**. 3. If the version number is not **1.1.819** or later, then upgrade Azure AD Connect to the latest version. ### Verify the onPremisesDistinguishedName attribute is synchronized @@ -172,7 +172,7 @@ You must prepare the public key infrastructure and the issuing certificate autho When deploying certificates using Microsoft Intune, you have the option of providing the validity period in the SCEP certificate profile rather than relying on the validity period in the certificate template. If you need to issue the same certificate with different validity periods, it may be advantageous to use the SCEP profile, given the limited number of certificates a single NDES server can issue. > [!NOTE] -> Skip this step if you do not want to enable Microsoft Intune to specify the validity period of the certificate. Without this configuiration, the certificate request uses the validity period configured in the certificate template. +> Skip this step if you do not want to enable Microsoft Intune to specify the validity period of the certificate. Without this configuration, the certificate request uses the validity period configured in the certificate template. Sign-in to the issuing certificate authority with access equivalent to _local administrator_. 
@@ -222,7 +222,7 @@ Sign-in a certificate authority or management workstations with _Domain Admin eq The certificate authority may only issue certificates for certificate templates that are published to that certificate authority. If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate. > [!Important] -> Ensure you publish the **AADJ WHFB Authentication** certificate templates to the certificate authority that Microsoft Intune uses by way of the NDES servers. The NDES configuration asks you to choose a certificate authority from which it requests certificates. You need to publish that cerificate templates to that issuing certificate authority. The **NDES-Intune Authentication** certificate is directly enrolled and can be published to any certificate authority. +> Ensure you publish the **AADJ WHFB Authentication** certificate templates to the certificate authority that Microsoft Intune uses by way of the NDES servers. The NDES configuration asks you to choose a certificate authority from which it requests certificates. You need to publish that certificate templates to that issuing certificate authority. The **NDES-Intune Authentication** certificate is directly enrolled and can be published to any certificate authority. Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials. 
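Review bot: The added line corrects "cerificate" but still reads "You need to publish that certificate templates to that issuing certificate authority", which pairs singular "that" with plural "templates". Since the line is already being rewritten, make it "publish that certificate template" or "publish those certificate templates", whichever matches the intended meaning.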
@@ -373,7 +373,7 @@ where **registryValueName** is one of the three value names from the above table 5. Close the command prompt. > [!IMPORTANT] -> Use the **name** of the certificate template; not the **display name**. The certificate template name does not include spaces. You can view the certificate names by looking at the **General** tab of the certificate template's properties in the **Certifcates Templates** management console (certtmpl.msc). +> Use the **name** of the certificate template; not the **display name**. The certificate template name does not include spaces. You can view the certificate names by looking at the **General** tab of the certificate template's properties in the **Certificates Templates** management console (certtmpl.msc). ### Create a Web Application Proxy for the internal NDES URL. Certificate enrollment for Azure AD joined devices occurs over the Internet. As a result, the internal NDES URLs must be accessible externally. You can do this easily and securely using Azure Active Directory Application Proxy. Azure AD Application Proxy provides single sign-on and secure remote access for web applications hosted on-premises, such as Network Device Enrollment Services. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md index 4b487da424..bace383b95 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md 
@@ -128,7 +128,7 @@ Alternatively, you can configure Windows Server 2016 Active Directory Federation > * Review the overview and uses of Azure Multifactor Authentication. > * Review your Azure Active Directory subscription for Azure Multifactor Authentication. > * Create an Azure Multifactor Authentication Provider, if necessary. -> * Configure Azure Multufactor Authentiation features and settings. +> * Configure Azure Multufactor Authentication features and settings. > * Understand the different User States and their effect on Azure Multifactor Authentication. > * Consider using Azure Multifactor Authentication or a third-party multifactor authentication provider with Windows Server 2016 Active Directory Federation Services, if necessary. @@ -141,7 +141,7 @@ Alternatively, you can configure Windows Server 2016 Active Directory Federation ## Follow the Windows Hello for Business hybrid certificate trust deployment guide 1. [Overview](hello-hybrid-cert-trust.md) -2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md) 3. New Installation Baseline (*You are here*) 4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) 5. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index cfbf292815..8cf161f09d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md 
@@ -34,7 +34,7 @@ Use this three phased approach for configuring device registration. 3. [Configure AD FS to use cloud devices](#configure-ad-fs-to-use-azure-registered-devices) > [!NOTE] -> Before proceeding, you should familiarize yourself with device regisration concepts such as: +> Before proceeding, you should familiarize yourself with device registration concepts such as: > * Azure AD registered devices > * Azure AD joined devices > * Hybrid Azure AD joined devices @@ -514,7 +514,7 @@ For your reference, below is a comprehensive list of the AD DS devices, containe ## Follow the Windows Hello for Business hybrid certificate trust deployment guide 1. [Overview](hello-hybrid-cert-trust.md) -2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) 4. Configure Azure Device Registration (*You are here*) 5. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md index 6f443cff4f..86f9428c11 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md 
@@ -27,7 +27,7 @@ Hybrid environments are distributed systems that enable organizations to use on- The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure. High-level pieces of the infrastructure include: * [Directories](#directories) -* [Public Key Infrastucture](#public-key-infrastructure) +* [Public Key Infrastructure](#public-key-infrastructure) * [Directory Synchronization](#directory-synchronization) * [Federation](#federation) * [MultiFactor Authentication](#multifactor-authentication) @@ -96,7 +96,7 @@ The AD FS farm used with Windows Hello for Business must be Windows Server 2016 ## Multifactor Authentication ## Windows Hello for Business is a strong, two-factor credential the helps organizations reduce their dependency on passwords. The provisioning process lets a user enroll in Windows Hello for Business using their username and password as one factor. but needs a second factor of authentication. -Hybrid Windows Hello for Business deployments can use Azure’s Multifactor Authentication service or they can use multifactor authentication provides by Windows Server 2016 Active Directory Federation Services, which includes an adapter model that enables third parties to integrate their multifactor authentication into AD FS. +Hybrid Windows Hello for Business deployments can use Azure’s Multifactor Authentication service or they can use multifactor authentication provided by Windows Server 2016 Active Directory Federation Services, which includes an adapter model that enables third parties to integrate their multifactor authentication into AD FS. ### Section Review > [!div class="checklist"] @@ -119,7 +119,7 @@ Hybrid certificate trust deployments need the device write back feature. Authen
    ### Next Steps ### -Follow the Windows Hello for Business hybrid certificate trust deployment guide. For proof-of-concepts, labs, and new installations, choose the **New Installation Basline**. +Follow the Windows Hello for Business hybrid certificate trust deployment guide. For proof-of-concepts, labs, and new installations, choose the **New Installation Baseline**. If your environment is already federated, but does not include Azure device registration, choose **Configure Azure Device Registration**. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md index 317a2481b3..707804cb1e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md @@ -40,7 +40,7 @@ The federated baseline helps organizations that have completed their federation Regardless of the baseline you choose, you’re next step is to familiarize yourself with the prerequisites needed for the deployment. Many of the prerequisites will be new for organizations and individuals pursuing the new deployment baseline. Organizations and individuals starting from the federated baseline will likely be familiar with most of the prerequisites, but should validate they are using the proper versions that include the latest updates. > [!div class="nextstepaction"] -> [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +> [Prerequisites](hello-hybrid-cert-trust-prereqs.md)

    @@ -48,7 +48,7 @@ Regardless of the baseline you choose, you’re next step is to familiarize your ## Follow the Windows Hello for Business hybrid certificate trust deployment guide 1. Overview (*You are here*) -2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) 4. [Device Registration](hello-hybrid-cert-trust-devreg.md) 5. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md index 461d86ca82..5b8eeaa4b4 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md 
@@ -55,11 +55,11 @@ The remainder of the provisioning includes Windows Hello for Business requesting > The following is the enrollment behavior prior to Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889). > The minimum time needed to synchronize the user's public key from Azure Active Directory to the on-premises Active Directory is 30 minutes. The Azure AD Connect scheduler controls the synchronization interval. -> **This synchronization latency delays the user's ability to authenticate and use on-premises resouces until the user's public key has synchronized to Active Directory.** Once synchronized, the user can authenticate and use on-premises resources. +> **This synchronization latency delays the user's ability to authenticate and use on-premises resources until the user's public key has synchronized to Active Directory.** Once synchronized, the user can authenticate and use on-premises resources. > Read [Azure AD Connect sync: Scheduler](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler) to view and adjust the **synchronization cycle** for your organization. > [!NOTE] -> Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889) provides synchronous certificate enrollment during hybrid certificate trust provisioning. With this update, users no longer need to wait for Azure AD Connect to sync their public key on-premises. Users enroll their certificate during provisioning and can use the certificate for sign-in immediately after completeling the provisioning. +> Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889) provides synchronous certificate enrollment during hybrid certificate trust provisioning. With this update, users no longer need to wait for Azure AD Connect to sync their public key on-premises. 
Users enroll their certificate during provisioning and can use the certificate for sign-in immediately after completing the provisioning. After a successful key registration, Windows creates a certificate request using the same key pair to request a certificate. Windows send the certificate request to the AD FS server for certificate enrollment. @@ -73,7 +73,7 @@ The certificate authority validates the certificate was signed by the registrati ## Follow the Windows Hello for Business hybrid certificate trust deployment guide 1. [Overview](hello-hybrid-cert-trust.md) -2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) 4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) 5. [Configure Windows Hello for Business policy settings](hello-hybrid-cert-whfb-settings-policy.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md index 4f7dca8320..eb3982f0a0 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md @@ -74,7 +74,7 @@ Sign-in a domain controller or management workstation with *Domain Admin* equiva ## Follow the Windows Hello for Business hybrid certificate trust deployment guide 1. [Overview](hello-hybrid-cert-trust.md) -2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) 4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) 5. Configure Windows Hello for Business settings: Active Directory (*You are here*) 
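Review bot: In hello-hybrid-cert-new-install.md (hunk @@ -128,7), the added checklist line corrects "Authentiation" but keeps "Multufactor", so it now reads "Configure Azure Multufactor Authentication features and settings". Change it to "Multifactor", which is how the matching line in hello-hybrid-key-new-install.md is spelled in this same patch.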
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md index fb95263ea4..d0d53c38be 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md @@ -73,7 +73,7 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva ## Follow the Windows Hello for Business hybrid certificate trust deployment guide 1. [Overview](hello-hybrid-cert-trust.md) -2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) 4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) 5. Configure Windows Hello for Business settings: AD FS (*You are here*) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md index 559462a9db..6636ae0234 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md 
@@ -79,7 +79,7 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva ## Follow the Windows Hello for Business hybrid certificate trust deployment guide 1. [Overview](hello-hybrid-cert-trust.md) -2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) 4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) 5. Configure Windows Hello for Business settings: Directory Synchronization (*You are here*) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md index 56921a06b0..335e5d03a8 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md @@ -203,7 +203,7 @@ Sign-in to the certificate authority or management workstation with _Enterprise ## Follow the Windows Hello for Business hybrid certificate trust deployment guide 1. [Overview](hello-hybrid-cert-trust.md) -2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) 4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) 5. Configure Windows Hello for Business settings: PKI (*You are here*) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md index 0ffc39e4d5..9545b7a3d5 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md 
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md @@ -197,7 +197,7 @@ Users must receive the Windows Hello for Business group policy settings and have ## Follow the Windows Hello for Business hybrid certificate trust deployment guide 1. [Overview](hello-hybrid-cert-trust.md) -2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) 4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) 5. Configure Windows Hello for Business policy settings (*You are here*) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md index 49af90f1e4..d104942f9a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md @@ -44,7 +44,7 @@ For the most efficient deployment, configure these technologies in order beginni ## Follow the Windows Hello for Business hybrid certificate trust deployment guide 1. [Overview](hello-hybrid-cert-trust.md) -2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) 4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) 5. Configure Windows Hello for Business settings (*You are here*) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md index 27ed68512f..aa4c140647 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md 
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md @@ -135,7 +135,7 @@ Alternatively, you can configure Windows Server 2016 Active Directory Federation > * Review the overview and uses of Azure Multifactor Authentication. > * Review your Azure Active Directory subscription for Azure Multifactor Authentication. > * Create an Azure Multifactor Authentication Provider, if necessary. -> * Configure Azure Multifactor Authentiation features and settings. +> * Configure Azure Multifactor Authentication features and settings. > * Understand the different User States and their effect on Azure Multifactor Authentication. > * Consider using Azure Multifactor Authentication or a third-party multifactor authentication provider with Windows Server Active Directory Federation Services, if necessary. @@ -148,7 +148,7 @@ Alternatively, you can configure Windows Server 2016 Active Directory Federation ## Follow the Windows Hello for Business hybrid key trust deployment guide 1. [Overview](hello-hybrid-key-trust.md) -2. [Prerequistes](hello-hybrid-key-trust-prereqs.md) +2. [Prerequisites](hello-hybrid-key-trust-prereqs.md) 3. New Installation Baseline (*You are here*) 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) 5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md index baf9a0401a..a6d97c2a94 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md 
@@ -47,7 +47,7 @@ Next, follow the guidance on the [How to configure hybrid Azure Active Directory ## Follow the Windows Hello for Business hybrid key trust deployment guide 1. [Overview](hello-hybrid-cert-trust.md) -2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) 5. Configure Azure Device Registration (*You are here*) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md index 3e829f4aa7..0776c5d001 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md @@ -38,7 +38,7 @@ Next, you need to synchronizes the on-premises Active Directory with Azure Activ ## Follow the Windows Hello for Business hybrid key trust deployment guide 1. [Overview](hello-hybrid-key-trust.md) -2. [Prerequistes](hello-hybrid-key-trust-prereqs.md) +2. [Prerequisites](hello-hybrid-key-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-key-new-install.md) 4. Configure Directory Synchronization (*You are here*) 5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index 1993139da7..7842b51890 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md 
@@ -27,7 +27,7 @@ Hybrid environments are distributed systems that enable organizations to use on- The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure. High-level pieces of the infrastructure include: * [Directories](#directories) -* [Public Key Infrastucture](#public-key-infastructure) +* [Public Key Infrastructure](#public-key-infastructure) * [Directory Synchronization](#directory-synchronization) * [Federation](#federation) * [MultiFactor Authentication](#multifactor-authentication) @@ -118,9 +118,9 @@ Organizations wanting to deploy hybrid key trust need their domain joined device
    ### Next Steps ### -Follow the Windows Hello for Business hybrid key trust deployment guide. For proof-of-concepts, labs, and new installations, choose the **New Installation Basline**. +Follow the Windows Hello for Business hybrid key trust deployment guide. For proof-of-concepts, labs, and new installations, choose the **New Installation Baseline**. -For environments transitioning from on-premises to hybrid, start with **Configure Azure Directory Syncrhonization**. +For environments transitioning from on-premises to hybrid, start with **Configure Azure Directory Synchronization**. For federated and non-federated environments, start with **Configure Windows Hello for Business settings**. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md index 6759f1e112..2e64fd7d0d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md @@ -37,7 +37,7 @@ This baseline provides detailed procedures to move your environment from an on-p You’re next step is to familiarize yourself with the prerequisites needed for the deployment. Many of the prerequisites will be new for organizations and individuals pursuing the new deployment baseline. Organizations and individuals starting from the federated baseline will likely be familiar with most of the prerequisites, but should validate they are using the proper versions that include the latest updates. > [!div class="nextstepaction"] -> [Prerequistes](hello-hybrid-key-trust-prereqs.md) +> [Prerequisites](hello-hybrid-key-trust-prereqs.md)

    @@ -45,7 +45,7 @@ You’re next step is to familiarize yourself with the prerequisites needed for ## Follow the Windows Hello for Business hybrid key trust deployment guide 1. Overview (*You are here*) -2. [Prerequistes](hello-hybrid-key-trust-prereqs.md) +2. [Prerequisites](hello-hybrid-key-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-key-new-install.md) 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) 5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md index 1e1d1effdc..4ce94c6052 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md @@ -58,7 +58,7 @@ Sign-in a domain controller or management workstation with *Domain Admin* equiva ## Follow the Windows Hello for Business hybrid key trust deployment guide 1. [Overview](hello-hybrid-cert-trust.md) -2. [Prerequistes](hello-hybrid-key-trust-prereqs.md) +2. [Prerequisites](hello-hybrid-key-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-key-new-install.md) 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) 5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md index 4ef86bfee8..a48c241c05 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md 
@@ -55,7 +55,7 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva ## Follow the Windows Hello for Business hybrid key trust deployment guide 1. [Overview](hello-hybrid-cert-trust.md) -2. [Prerequistes](hello-hybrid-key-trust-prereqs.md) +2. [Prerequisites](hello-hybrid-key-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-key-new-install.md) 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) 5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md index 9f081c920a..10f01e4e9e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md @@ -168,7 +168,7 @@ Users must receive the Windows Hello for Business group policy settings and have ## Follow the Windows Hello for Business hybrid key trust deployment guide 1. [Overview](hello-hybrid-cert-trust.md) -2. [Prerequistes](hello-hybrid-key-trust-prereqs.md) +2. [Prerequisites](hello-hybrid-key-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-key-new-install.md) 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) 5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md index 448963dfbd..c3371c4ac5 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md 
@@ -45,7 +45,7 @@ For the most efficient deployment, configure these technologies in order beginni ## Follow the Windows Hello for Business hybrid key trust deployment guide 1. [Overview](hello-hybrid-cert-trust.md) -2. [Prerequistes](hello-hybrid-key-trust-prereqs.md) +2. [Prerequisites](hello-hybrid-key-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-key-new-install.md) 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) 5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) diff --git a/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md b/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md index b56a7a46b9..bdf572c022 100644 --- a/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md +++ b/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md 
@@ -23,7 +23,7 @@ Using configurable code integrity to restrict devices to only authorized apps ha 1. Configurable code integrity policy is enforced by the Windows kernel itself. As such, the policy takes effect early in the boot sequence before nearly all other OS code and before traditional antivirus solutions run. 2. Configurable code integrity allows customers to set application control policy not only over code running in user mode, but also kernel mode hardware and software drivers and even code that runs as part of Windows. -3. Customers can protect the configurable code integrity policy even from local administrator tampering by digitally signing the policy. This would mean that changing the policy would require both administrative privilege and access to the organization’s digital signing process, making it extremely difficult for an attacker with administrative privledge, or malicious software that managed to gain administrative privilege, to alter the application control policy. +3. Customers can protect the configurable code integrity policy even from local administrator tampering by digitally signing the policy. This would mean that changing the policy would require both administrative privilege and access to the organization’s digital signing process, making it extremely difficult for an attacker with administrative privilege, or malicious software that managed to gain administrative privilege, to alter the application control policy. 4. The entire configurable code integrity enforcement mechanism can be protected by HVCI, where even if a vulnerability exists in kernel mode code, the likelihood that an attacker could successfully exploit it is significantly diminished. Why is this relevant? That’s because an attacker that compromises the kernel would otherwise have enough privilege to disable most system defenses and override the application control policies enforced by configurable code integrity or any other application control solution. 
## (Re-)Introducing Windows Defender Application Control From 118c3215eab98b99fe82b67acf6a9d0627bc1010 Mon Sep 17 00:00:00 2001 From: Nicole Turner <39884432+nenonix@users.noreply.github.com> Date: Wed, 15 May 2019 02:55:52 +0200 Subject: [PATCH 27/39] Update hello-hybrid-cert-whfb-provision.md removed line --- .../hello-for-business/hello-hybrid-cert-whfb-provision.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md index fa59e2717a..22b4bd30cd 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md @@ -60,7 +60,6 @@ The remainder of the provisioning includes Windows Hello for Business requesting > [!NOTE] > Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889) provides synchronous certificate enrollment during hybrid certificate trust provisioning. With this update, users no longer need to wait for Azure AD Connect to sync their public key on-premises. Users enroll their certificate during provisioning and can use the certificate for sign-in immediately after completing the provisioning. The update needs to be installed on the federation servers. - After a successful key registration, Windows creates a certificate request using the same key pair to request a certificate. Windows send the certificate request to the AD FS server for certificate enrollment. From e19752e6f07d15011894adb03c83a306d99018b0 Mon Sep 17 00:00:00 2001 
From: Reece Peacock <49645174+Reeced40@users.noreply.github.com> Date: Wed, 15 May 2019 10:24:12 +0200 Subject: [PATCH 28/39] Update configure-block-at-first-sight-windows-defender-antivirus.md Added note relating to new screenshot. --- ...configure-block-at-first-sight-windows-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md index 0cc19e576d..5a53eca835 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md @@ -122,7 +122,7 @@ Block at first sight is automatically enabled as long as **Cloud-based protectio 1. Open the Windows Security app by clicking the shield icon in the task bar. -2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then click **Virus & threat protection settings**: +2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then click **Manage Settings** under **Virus & threat protection settings**: ![Screenshot of the Virus & threat protection settings label in the Windows Security app](images/defender/wdav-protection-settings-wdsc.png) From 62061a1afd91b905235c6d2207ec8157b59bd6e8 Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Wed, 15 May 2019 12:09:40 +0300 Subject: [PATCH 29/39] updated information about CB and CBB https://github.com/MicrosoftDocs/windows-itpro-docs/issues/2652 --- .../deployment/planning/windows-10-deployment-considerations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/deployment/planning/windows-10-deployment-considerations.md b/windows/deployment/planning/windows-10-deployment-considerations.md index bb0ad7f659..12f13ad7ac 100644 --- a/windows/deployment/planning/windows-10-deployment-considerations.md +++ b/windows/deployment/planning/windows-10-deployment-considerations.md @@ -111,7 +111,7 @@ In either of these scenarios, you can make a variety of configuration changes to ## Stay up to date -For computers already running Windows 10 on the Current Branch or Current Branch for Business, new upgrades will periodically be deployed, approximately two to three times per year. You can deploy these upgrades by using a variety of methods: +For computers already running Windows 10 on the Semi-Annual Channel (Targeted) or Semi-Annual Channel, new upgrades will periodically be deployed, approximately two to three times per year. You can deploy these upgrades by using a variety of methods: - Windows Update or Windows Update for Business, for devices where you want to receive updates directly from the Internet. From 71c1b34e98ef1eefc03ead095413c1811a419a23 Mon Sep 17 00:00:00 2001 From: Reece Peacock <49645174+Reeced40@users.noreply.github.com> Date: Wed, 15 May 2019 14:39:07 +0200 Subject: [PATCH 30/39] Update advanced-security-audit-policy-settings.md Added Note + link. --- .../auditing/advanced-security-audit-policy-settings.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md index 842cb0b7bb..a75b11f5ac 100644 --- a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md +++ b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md 
@@ -63,6 +63,8 @@ Detailed Tracking security policy settings and audit events can be used to monit - [Audit Process Termination](audit-process-termination.md) - [Audit RPC Events](audit-rpc-events.md) +> **Note:** For more information, see [Security Monitoring](https://blogs.technet.microsoft.com/nathangau/2018/01/25/security-monitoring-a-possible-new-way-to-detect-privilege-escalation/) + ## DS Access DS Access security audit policy settings provide a detailed audit trail of attempts to access and modify objects in Active Directory Domain Services (AD DS). These audit events are logged only on domain controllers. This category includes the following subcategories: From a2cdd0a2f15c78ed4ce3e95b9985a6d8acd2ddb6 Mon Sep 17 00:00:00 2001 From: Shaun Evans Date: Wed, 15 May 2019 10:21:43 -0500 Subject: [PATCH 31/39] Changed to 26.1 instead of 27.1 after 26. --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 58d06760a9..6bc36f1958 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
@@ -158,7 +158,7 @@ The following table lists management options for each setting, beginning with Wi |     [24.1 Windows Defender Smartscreen](#bkmk-defender-smartscreen) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [25. Windows Spotlight](#bkmk-spotlight) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [26. Microsoft Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -|     [27.1 Apps for websites](#bkmk-apps-for-websites) | | ![Check mark](images/checkmark.png) | | | +|     [26.1 Apps for websites](#bkmk-apps-for-websites) | | ![Check mark](images/checkmark.png) | | | | [27. Windows Update Delivery Optimization](#bkmk-updates) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [28. Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | From a994177de95c31e1d3e9ca5351fdda050c006513 Mon Sep 17 00:00:00 2001 From: Jose Ortega Date: Wed, 15 May 2019 10:53:01 -0500 Subject: [PATCH 32/39] Fixing format of the article Issue #909 Confirmed --- .../upgrade/windows-error-reporting.md | 43 ++++++++++--------- 1 file changed, 22 insertions(+), 21 deletions(-) diff --git a/windows/deployment/upgrade/windows-error-reporting.md b/windows/deployment/upgrade/windows-error-reporting.md index 1b021674ca..aa0ab353aa 100644 --- a/windows/deployment/upgrade/windows-error-reporting.md +++ b/windows/deployment/upgrade/windows-error-reporting.md @@ -18,15 +18,15 @@ ms.topic: article - Windows 10 >[!NOTE] ->This is a 300 level topic (moderately advanced).
    ->See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article. +> This is a 300 level topic (moderately advanced). +> See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article. When Windows Setup fails, the result and extend code are recorded as an informational event in the Application log by Windows Error Reporting as event 1001. The event name is **WinSetupDiag02**. You can use Event Viewer to review this event, or you can use Windows PowerShell. To use Windows PowerShell, type the following commands from an elevated Windows PowerShell prompt: -``` +```Powershell $events = Get-WinEvent -FilterHashtable @{LogName="Application";ID="1001";Data="WinSetupDiag02"} $event = [xml]$events[0].ToXml() $event.Event.EventData.Data @@ -40,19 +40,20 @@ To use Event Viewer: Note: For legacy operating systems, the Event Name was WinSetupDiag01. Ten parameters are listed in the event: -
    - - - - - - - - - - - -
    P1: The Setup Scenario (1=Media,5=WindowsUpdate,7=Media Creation Tool)
    P2: Setup Mode (x=default,1=Downlevel,5=Rollback)
    P3: New OS Architecture (x=default,0=X86,9=AMD64)
    P4: Install Result (x=default,0=Success,1=Failure,2=Cancel,3=Blocked)
    P5: Result Error Code (Ex: 0xc1900101)
    P6: Extend Error Code (Ex: 0x20017)
    P7: Source OS build (Ex: 9600)
    P8: Source OS branch (not typically available)
    P9: New OS build (Ex: 16299}
    P10: New OS branch (Ex: rs3_release}
    + +| First Header | +| ------------- | +|P1: The Setup Scenario (1=Media,5=WindowsUpdate,7=Media Creation Tool) | +|P2: Setup Mode (x=default,1=Downlevel,5=Rollback) | +|P3: New OS Architecture (x=default,0=X86,9=AMD64) | +|P4: Install Result (x=default,0=Success,1=Failure,2=Cancel,3=Blocked) | +|**P5: Result Error Code** (Ex: 0xc1900101) | +|**P6: Extend Error Code** (Ex: 0x20017) | +|P7: Source OS build (Ex: 9600) | +|P8: Source OS branch (not typically available) | +|P9: New OS build (Ex: 16299} | +|P10: New OS branch (Ex: rs3_release} | + The event will also contain links to log files that can be used to perform a detailed diagnosis of the error. An example of this event from a successful upgrade is shown below. @@ -60,8 +61,8 @@ The event will also contain links to log files that can be used to perform a det ## Related topics -[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx) -
    [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) -
    [Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications) -
    [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro) -
    [Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821) +[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx) +[Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) +[Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications) +[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro) +[Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821) From 1909addbbb67b1982474fd31067755aa4ddad285 Mon Sep 17 00:00:00 2001 From: Jose Ortega Date: Wed, 15 May 2019 11:10:40 -0500 Subject: [PATCH 33/39] Added important note for #909 --- windows/deployment/upgrade/windows-error-reporting.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/windows/deployment/upgrade/windows-error-reporting.md b/windows/deployment/upgrade/windows-error-reporting.md index aa0ab353aa..701b84e1eb 100644 --- a/windows/deployment/upgrade/windows-error-reporting.md +++ b/windows/deployment/upgrade/windows-error-reporting.md @@ -12,7 +12,7 @@ ms.localizationpriority: medium ms.topic: article --- -# Windows error reporting +# Windows Error Reporting **Applies to** - Windows 10 @@ -26,6 +26,9 @@ When Windows Setup fails, the result and extend code are recorded as an informat To use Windows PowerShell, type the following commands from an elevated Windows PowerShell prompt: +>[!IMPORTANT] +>}The following source will be available only if you have done an update from a previous version of windows 10 into a new version. If you installed the current version and have not done any update, the source named **WinSetupDiag02** will be unavailable. + ```Powershell $events = Get-WinEvent -FilterHashtable @{LogName="Application";ID="1001";Data="WinSetupDiag02"} $event = [xml]$events[0].ToXml() 
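Review bot: The added line `>}The following source will be available only if ...` in the `@@ -26,6 +26,9 @@` hunk of windows-error-reporting.md has a stray `}` after the blockquote marker, which will render as a literal brace at the start of the note; it should begin `>The following source`. The `[!IMPORTANT]` block also lands between "type the following commands from an elevated Windows PowerShell prompt:" and the code fence that sentence introduces, so move it above that sentence or below the fence. In the same line, "windows 10" should be "Windows 10".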
From 862414a3c9e6d42f1b0cf1afeb2d1b3fecfdb66b Mon Sep 17 00:00:00 2001 From: Jose Ortega Date: Wed, 15 May 2019 11:19:14 -0500 Subject: [PATCH 34/39] Correction Header title at the table --- windows/deployment/upgrade/windows-error-reporting.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/upgrade/windows-error-reporting.md b/windows/deployment/upgrade/windows-error-reporting.md index 701b84e1eb..1de90936ad 100644 --- a/windows/deployment/upgrade/windows-error-reporting.md +++ b/windows/deployment/upgrade/windows-error-reporting.md @@ -44,7 +44,7 @@ Note: For legacy operating systems, the Event Name was WinSetupDiag01. Ten parameters are listed in the event: -| First Header | +| Parameters | | ------------- | |P1: The Setup Scenario (1=Media,5=WindowsUpdate,7=Media Creation Tool) | |P2: Setup Mode (x=default,1=Downlevel,5=Rollback) | From 02ae20c1eb8d7e418126cd3881f7c3dd4f83ab1d Mon Sep 17 00:00:00 2001 From: Shaun Evans Date: Wed, 15 May 2019 14:39:25 -0500 Subject: [PATCH 35/39] Corrected additional 26.1 - 27.1 Error --- ...ndows-operating-system-components-to-microsoft-services.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 6bc36f1958..77c5e51250 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
@@ -186,7 +186,7 @@ See the following table for a summary of the management settings for Windows Ser | [20. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [24. Windows Defender](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [26. Microsoft Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [27.1 Apps for websites](#bkmk-apps-for-websites) | | ![Check mark](images/checkmark.png) | | | +|     [26.1 Apps for websites](#bkmk-apps-for-websites) | | ![Check mark](images/checkmark.png) | | | | [28. Windows Update](#bkmk-wu) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ### Settings for Windows Server 2016 Server Core 
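Review bot: The renumbered row `[26.1 Apps for websites](#bkmk-apps-for-websites)` keeps the same anchor, and this hunk touches only the table label, so nothing here shows whether the section heading behind `#bkmk-apps-for-websites` also reads 26.1. Please confirm the heading and any other in-page references were renumbered too. This is the same one-line correction as PATCH 31/39 in the same file, so the commits could be squashed.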
@@ -268,7 +268,7 @@ See the following table for a summary of the management settings for Windows Ser |     [24.1 Windows Defender Smartscreen](#bkmk-defender-smartscreen) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [25. Windows Spotlight](#bkmk-spotlight) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [26. Microsoft Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -|     [27.1 Apps for websites](#bkmk-apps-for-websites) | | ![Check mark](images/checkmark.png) | | | +|     [26.1 Apps for websites](#bkmk-apps-for-websites) | | ![Check mark](images/checkmark.png) | | | | [27. Windows Update Delivery Optimization](#bkmk-updates) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [28. Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | From 2e4951a16783dca63267c35989b7765095aa0fee Mon Sep 17 00:00:00 2001 From: Jose Gabriel Ortega Castro Date: Wed, 15 May 2019 14:58:04 -0500 Subject: [PATCH 36/39] Update windows/deployment/upgrade/windows-error-reporting.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- windows/deployment/upgrade/windows-error-reporting.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/upgrade/windows-error-reporting.md b/windows/deployment/upgrade/windows-error-reporting.md index 1de90936ad..3b2cb8c678 100644 --- a/windows/deployment/upgrade/windows-error-reporting.md +++ b/windows/deployment/upgrade/windows-error-reporting.md 
@@ -27,7 +27,7 @@ When Windows Setup fails, the result and extend code are recorded as an informat To use Windows PowerShell, type the following commands from an elevated Windows PowerShell prompt: >[!IMPORTANT] ->}The following source will be available only if you have done an update from a previous version of windows 10 into a new version. If you installed the current version and have not done any update, the source named **WinSetupDiag02** will be unavailable. +>}The following source will be available only if you have updated from a previous version of Windows 10 to a new version. If you installed the current version and have not updated, the source named **WinSetupDiag02** will be unavailable. ```Powershell $events = Get-WinEvent -FilterHashtable @{LogName="Application";ID="1001";Data="WinSetupDiag02"} From d6bf30adb21081661d1530d59a7bd8ec7a6a876a Mon Sep 17 00:00:00 2001 From: martyav Date: Wed, 15 May 2019 16:02:45 -0400 Subject: [PATCH 37/39] replaced whitespace char that displayed incorrectly --- .../machine-tags-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-atp/machine-tags-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/machine-tags-windows-defender-advanced-threat-protection.md index 61d6e8a22e..7f42138a1b 100644 --- a/windows/security/threat-protection/windows-defender-atp/machine-tags-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/machine-tags-windows-defender-advanced-threat-protection.md 
@@ -33,7 +33,7 @@ You can add tags on machines using the following ways: - By setting a registry key value - By using the portal -## Add machine tags by setting a registry key value +## Add machine tags by setting a registry key value Add tags on machines which can be used as a filter in Machines list view. You can limit the machines in the list by selecting the Tag filter on the Machines list. >[!NOTE] From 7c5591de2f123503c080cf07ac4b5e5ea0af8865 Mon Sep 17 00:00:00 2001 From: Richard Howard <50245233+v-rihow@users.noreply.github.com> Date: Wed, 15 May 2019 13:41:51 -0700 Subject: [PATCH 38/39] Fixed "how configure" to "how to configure" --- browsers/edge/group-policies/index.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/browsers/edge/group-policies/index.yml b/browsers/edge/group-policies/index.yml index 6e7a2ccb42..7ee2caf174 100644 --- a/browsers/edge/group-policies/index.yml +++ b/browsers/edge/group-policies/index.yml @@ -92,7 +92,7 @@ sections: - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/developer-settings-gp - html:

    Learn how configure Microsoft Edge for development and testing.

    + html:

    Learn how to configure Microsoft Edge for development and testing.

    image: From 041a0d7edc3d1e6d3532d87f740890d1304a921a Mon Sep 17 00:00:00 2001 From: Liza Poggemeyer Date: Wed, 15 May 2019 14:38:17 -0700 Subject: [PATCH 39/39] Removed reference to "targeted". --- .../deployment/planning/windows-10-deployment-considerations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/planning/windows-10-deployment-considerations.md b/windows/deployment/planning/windows-10-deployment-considerations.md index 12f13ad7ac..99f0aa2457 100644 --- a/windows/deployment/planning/windows-10-deployment-considerations.md +++ b/windows/deployment/planning/windows-10-deployment-considerations.md @@ -111,7 +111,7 @@ In either of these scenarios, you can make a variety of configuration changes to ## Stay up to date -For computers already running Windows 10 on the Semi-Annual Channel (Targeted) or Semi-Annual Channel, new upgrades will periodically be deployed, approximately two to three times per year. You can deploy these upgrades by using a variety of methods: +For computers already running Windows 10 on the Semi-Annual Channel, new upgrades will periodically be deployed, approximately two to three times per year. You can deploy these upgrades by using a variety of methods: - Windows Update or Windows Update for Business, for devices where you want to receive updates directly from the Internet.
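Review bot: In the management-settings table hunk, the row renumbered from 27.1 to 26.1 keeps the anchor `#bkmk-apps-for-websites`, and the visible hunk changes only this table row. Check that the section heading the anchor points to carries the same 26.1 number, otherwise the table and the body will disagree.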
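Review bot: In windows/deployment/upgrade/windows-error-reporting.md, the added line still begins `>}The following source`, so the stray `}` after the blockquote marker carries over from the removed line and will show up as literal text inside the `[!IMPORTANT]` note. Suggest `>The following source will be available only if ...` with the brace dropped, since this patch already rewrites that line.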
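Review bot: In machine-tags-windows-defender-advanced-threat-protection.md, the removed and added `## Add machine tags by setting a registry key value` lines are indistinguishable in the diff, so a reviewer cannot confirm which character was replaced. Name the character in the commit message (for example by its code point) and check the rest of the file for the same character, since only this heading is touched.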
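Review bot: In windows-10-deployment-considerations.md, the rewritten sentence under "Stay up to date" keeps "approximately two to three times per year" while now naming only the Semi-Annual Channel, which reads oddly next to a channel called semi-annual. Confirm the cadence figure and adjust it in the same change if it is out of date.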