Merge remote-tracking branch 'refs/remotes/origin/master' into jdhello

browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md

@@ -10,7 +10,6 @@ title: Deprecated document modes and Internet Explorer 11 (Internet Explorer 11
 ms.sitesec: library
 ---
 
-
 # Deprecated document modes and Internet Explorer 11
 
 **Applies to:**
@@ -25,8 +24,8 @@ Windows Internet Explorer 8 introduced document modes as a way to move from the
 
 This means that while Internet Explorer 11 will continue to support document modes, Microsoft Edge won’t. And because of that, it also means that if you want to use Microsoft Edge, you’re going to have to update your legacy webpages and apps to support modern features, browsers, and devices.
 
-**Note**<br>
-For specific details about the technologies and APIs that are no longer supported in Microsoft Edge, see [A break from the past, part 2: Saying goodbye to ActiveX, VBScript, attachEvent](https://go.microsoft.com/fwlink/p/?LinkId=615953).
+>**Note**<br>
+>For specific details about the technologies and APIs that are no longer supported in Microsoft Edge, see [A break from the past, part 2: Saying goodbye to ActiveX, VBScript, attachEvent](https://go.microsoft.com/fwlink/p/?LinkId=615953).
 
 ## What is document mode?
 Each release after Internet Explorer 8 has helped with the transition by introducing additional document modes that emulated previously supported versions, while also introducing support for features defined by industry standards. During this time, numerous websites and apps were updated to the latest and greatest industry standards, while many other sites and apps continued to simply rely on document modes to work properly.
@@ -41,7 +40,8 @@ The compatibility improvements made in IE11 lets older websites just work in the
 ## Document mode selection flowchart
 This flowchart shows how IE11 works when document modes are used.
 
-![Flowchart detailing how document modes are chosen in IE11](images/docmodeflow2.png)
+![Flowchart detailing how document modes are chosen in IE11](images/docmode-decisions-sm.png)<br>
+[Click this link to enlarge image](img-ie11-docmode-lg.md)
 
 ## Known Issues with Internet Explorer 8 document mode in Enterprise Mode
 The default document mode for Enterprise Mode is Internet Explorer 8. While this mode provides a strong emulation of that browser, it isn’t an exact match. For example, Windows Internet Explorer 9 fundamentally changed how document modes work with iframes and document modes can’t undo architectural changes. It’s also a known issue that Windows 10 supports GDI font rendering while using Enterprise Mode, but uses natural metrics once outside of Enterprise Mode.

browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md

@@ -0,0 +1,11 @@
+---
+description: A full-sized view of how document modes are chosen in IE11.
+title: Full-sized flowchart detailing how document modes are chosen in IE11
+---
+
+Return to: [Deprecated document modes and Internet Explorer 11](deprecated-document-modes.md)<br>
+
+<p style="overflow: auto;">
+	<img src="images/docmode-decisions-lg.png" alt="Full-sized flowchart detailing how document modes are chosen in IE11" width="1355" height="1625" style="max-width:none;">
+</p>
+

devices/hololens/TOC.md

@@ -1,7 +1,7 @@
 # [Microsoft HoloLens](index.md)
 ## [HoloLens in the enterprise: requirements](hololens-requirements.md)
 ## [Set up HoloLens](hololens-setup.md)
-## [Upgrade to Windows Holographic Enterprise](hololens-upgrade-enterprise.md) 
+## [Unlock Windows Holographic Enterprise features](hololens-upgrade-enterprise.md) 
 ## [Enroll HoloLens in MDM](hololens-enroll-mdm.md)
 ## [Set up HoloLens in kiosk mode](hololens-kiosk.md)
 ## [Configure HoloLens using a provisioning package](hololens-provisioning.md)

devices/hololens/hololens-upgrade-enterprise.md

@@ -1,5 +1,5 @@
 ---
-title: Upgrade to Windows Holographic Enterprise (HoloLens)
+title: Unlock Windows Holographic Enterprise features (HoloLens)
 description: HoloLens provides extra features designed for business when you upgrade to Windows Holographic Enterprise.
 ms.prod: w10
 ms.mktglfcycl: manage
@@ -8,7 +8,7 @@ ms.sitesec: library
 author: jdeckerMS
 ---
 
-# Upgrade to Windows Holographic Enterprise
+# Unlock Windows Holographic Enterprise features
 
 Microsoft HoloLens is available in the *Development Edition*, which runs Windows Holographic (an edition of Windows 10 designed for HoloLens), and in the [Commercial Suite](https://developer.microsoft.com/windows/holographic/release_notes#introducing_microsoft_hololens_commercial_suite), which provides extra features designed for business. 
 

devices/hololens/index.md

@@ -21,7 +21,7 @@ author: jdeckerMS
 | --- | --- |
 | [HoloLens in the enterprise: requirements](hololens-requirements.md) | Lists requirements for general use, Wi-Fi, and device management |
 | [Set up HoloLens](hololens-setup.md) | How to set up HoloLens for the first time  |
-| [Upgrade to Windows Holographic Enterprise](hololens-upgrade-enterprise.md) | How to upgrade your Development Edition HoloLens to Windows Holographic Enterprise|
+| [Unlock Windows Holographic Enterprise features](hololens-upgrade-enterprise.md)  | How to upgrade your Development Edition HoloLens to Windows Holographic Enterprise|
 | [Enroll HoloLens in MDM](hololens-enroll-mdm.md) | Manage multiple HoloLens devices simultaneously using solutions like Microsoft InTune |
 | [Set up HoloLens in kiosk mode](hololens-kiosk.md) | Enable kiosk mode for HoloLens, which limits the user's ability to launch new apps or change the running app  |
 | [Configure HoloLens using a provisioning package](hololens-provisioning.md) | Provisioning packages make it easy for IT administrators to configure HoloLens devices without imaging |

devices/surface-hub/admin-group-management-for-surface-hub.md

@@ -74,7 +74,7 @@ If your organization is using AD or Azure AD, we recommend you either domain joi
 |---------------------------------------------------|-----------------------------------------|-------|
 | Create a local admin account                      | None                                    | The user name and password specified during first run |
 | Domain join to Active Directory (AD)              | Your organization uses AD               | Any AD user from a specific security group in your domain |
-| Azure Active Directory (Azure AD) join the device | Your organization uses Azure AD Basic   | Global administators only |
+| Azure Active Directory (Azure AD) join the device | Your organization uses Azure AD Basic   | Global administrators only |
 |                                              | Your organization uses Azure AD Premium or Enterprise Mobility Suite (EMS) | Global administrators and additional administrators |
 
 

devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md

@@ -1620,7 +1620,7 @@ In the following cmdlets, `$strPolicy` is the name of the ActiveSync policy, and
 
 Note that in order to run the cmdlets, you need to set up a remote PowerShell session and:
 
--   Your admin account must be remote-PowerShell-enabled. This allows the admin to use the PowerShell cmdlets that are needed by the script. (This permission can be set using set-user `$admin -RemotePowerShellEnabled $true`)
+-   Your admin account must be remote-PowerShell-enabled. This allows the admin to use the PowerShell cmdlets that are needed by the script. (This permission can be set using `set-user $admin -RemotePowerShellEnabled $true`)
 -   Your admin account must have the "Reset Password" role if you plan to run the creation scripts. This allows the admin to change the password of the account, which is needed for the script. The Reset Password Role can be enabled using the Exchange Admin Center.
 
 Create the policy.
@@ -1667,7 +1667,7 @@ This retrieves device information for every device that the account has been pro
 For a device account to automatically accept or decline meeting requests based on its availability, the **AutomateProcessing** attribute must be set to **AutoAccept**. This is recommended as to prevent overlapping meetings.
 
 ```PowerShell
-Set-CalendarProcessing $ strRoomUpn -AutomateProcessing AutoAccept
+Set-CalendarProcessing $strRoomUpn -AutomateProcessing AutoAccept
 ```
 
 ### <a href="" id="accept-ext-meetings-cmdlet"></a>Accepting external meeting requests

devices/surface-hub/change-history-surface-hub.md

@@ -18,6 +18,7 @@ This topic lists new and updated topics in the [Surface Hub Admin Guide]( surfac
 
 | New or changed topic | Description|
 | --- | --- |
+| [Connect other devices and display with Surface Hub](connect-and-display-with-surface-hub.md) | Added information about Bluetooth accessories. |
 | [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md) | Updated example procedures to include screenshots. |
 
 ## November 2016

devices/surface-hub/connect-and-display-with-surface-hub.md

@@ -13,7 +13,7 @@ localizationpriority: medium
 # Connect other devices and display with Surface Hub
 
 
-You can connect other devices to your Microsoft Surface Hub to display content. This topic describes the Guest Mode, Replacement PC Mode, and Video Out functionality available through wired connections.
+You can connect other devices to your Microsoft Surface Hub to display content. This topic describes the Guest Mode, Replacement PC Mode, and Video Out functionality available through wired connections, and also lists accessories that you can connect to Surface Hub using [Bluetooth](#bluetooth-accessories).
 
 ## Which method should I choose?
 
@@ -470,3 +470,14 @@ Video Out port on the 84" Surface Hub
 </tbody>
 </table>
 
+## Bluetooth accessories
+
+You can connect the following accessories to Surface Hub using Bluetooth:
+
+- Mice
+- Keyboards
+- Headsets
+- Speakers
+
+>[!NOTE]
+>After you connect a Bluetooth headset or speaker, you might need to change the [default microphone and speaker settings](local-management-surface-hub-settings.md).

devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md

@@ -53,7 +53,7 @@ Use this procedure if you use Exchange on-prem.
     ```ps1
     Set-ExecutionPolicy Unrestricted
     $cred=Get-Credential -Message "Please use your Office 365 admin credentials"
-    $sess= New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri 'https://outlook.office365.com/ps1-liveid/' -Credential $cred -Authentication Basic -AllowRedirection
+    $sess= New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri 'https://ps.outlook.com/powershell' -Credential $cred -Authentication Basic -AllowRedirection
     Import-PSSession $sess
     ```
 

devices/surface-hub/manage-windows-updates-for-surface-hub.md

@@ -94,7 +94,7 @@ Once you've determined deployment rings for your Surface Hubs, configure update
 
 ## Use Windows Server Update Services
 
-You can connect Surface Hub to your indows Server Update Services (WSUS) server to manage updates. Updates will be controlled through approvals or automatic deployment rules configured in your WSUS server, so new upgrades will not be deployed until you choose to deploy them.
+You can connect Surface Hub to your Windows Server Update Services (WSUS) server to manage updates. Updates will be controlled through approvals or automatic deployment rules configured in your WSUS server, so new upgrades will not be deployed until you choose to deploy them.
 
 **To manually connect a Surface Hub to a WSUS server:**
 1. Open **Settings** on your Surface Hub.

devices/surface-hub/online-deployment-surface-hub-device-accounts.md

@@ -103,7 +103,7 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow
     -   You'll need to have Lync Online (Plan 2) or higher in your O365 plan. The plan needs to support conferencing capability.
     -   If you need Enterprise Voice (PSTN telephony) using telephony service providers for the Surface Hub, you need Lync Online (Plan 3).
     -   Your tenant users must have Exchange mailboxes.
-    -   Your Surface Hub account does require a Lync Online (Plan 2) or Lync Online (Plan 3) license, but it does not require an Exchange Online license.
+    -   Your device account needs a Lync Online (Plan 2) or Lync Online (Plan 3) license, but it does not require an Exchange Online license.
 
     <!-- -->
 
@@ -139,7 +139,8 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow
     -   In the **Assign licenses** section, you need to select Skype for Business (Plan 2) or Skype for Business (Plan 3), depending on your licensing and what you've decided in terms of needing Enterprise Voice. You'll have to use a Plan 3 license if you want to use Enterprise Voice on your Surface Hub.
     -   Click **Save** and you're done.
 
->**Note**: It's also possible to use the Windows Azure Active Directory Module for Windows PowerShell to run the cmdlets needed to assign one of these licenses, but that's not covered here.
+>[!NOTE]
+>It's also possible to use the Windows Azure Active Directory Module for Windows PowerShell to run the cmdlets needed to assign one of these licenses, but that's not covered here.
 
 For validation, you should be able to use any Skype for Business client (PC, Android, etc) to log in to this account.
 

devices/surface/change-history-for-surface.md

@@ -11,6 +11,13 @@ author: jdeckerMS
 
 This topic lists new and updated topics in the Surface documentation library.
 
+## December 2016
+
+|New or changed topic | Description |
+| --- | --- |
+|[Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)  | Added driver info for Surface Studio; updated info for Surface Book and Surface Pro 4 (Windows 10 .zip cumulative update), Surface Pro 3 (Windows8.1-KB2969817-x64.msu), and Surface 3 (UEFI Asset Tag management tool)|
+
+
 ## November 2016
 
 |New or changed topic | Description |

devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md

@@ -35,14 +35,21 @@ Recent additions to the downloads for Surface devices provide you with options t
 
 >**Note:**  A battery charge of 40% or greater is required before you install firmware to a Surface device. See [Microsoft Support article KB2909710](https://support.microsoft.com/en-us/kb/2909710) for more information.
 
- 
+## Surface Studio
+
+Download the following updates for [Surface Studio from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=54311).
+
+* SurfaceStudio_Win10_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10
+
 
 ## Surface Book
 
 
 Download the following updates [for Surface Book from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=49497).
 
--   SurfaceBook\_Win10\_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10
+-   SurfaceBook_Win10_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10
+
+-	SurfaceBook_Win10_xxxxxx.zip – Cumulative firmware and driver update package for Windows 10
 
 -   Wintab-xxxxx-64-bit.zip – Tablet driver update for all supported x64-based versions of Windows 8.1
 
@@ -51,7 +58,9 @@ Download the following updates [for Surface Book from the Microsoft Download Cen
 
 Download the following updates for [Surface Pro 4 from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=49498).
 
--   SurfacePro4\_Win10\_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10
+-   SurfacePro4_Win10_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10
+
+-	SurfacePro4_Win10_xxxxxx.zip – Cumulative firmware and driver update package for Windows 10
 
 -   Wintab-xxxxx-64-bit.zip – Tablet driver update for all supported x64-based versions of Windows 8.1
 
@@ -60,26 +69,22 @@ Download the following updates for [Surface Pro 4 from the Microsoft Download Ce
 
 Download the following updates [for Surface Pro 3 from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=38826).
 
--   SurfacePro3\_Win10\_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10
+-   SurfacePro3_Win10_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10
 
--   SurfacePro3\_Win10\_xxxxxx.zip – Cumulative firmware and driver update package for Windows 10
+-   SurfacePro3_Win10_xxxxxx.zip – Cumulative firmware and driver update package for Windows 10
 
--   SurfacePro3\_xxxxxx.msi – Cumulative firmware and driver update package for Windows 8.1 Pro
+-   SurfacePro3_Win8x_xxxxxx.msi – Cumulative firmware and driver update package for Windows 8.1 Pro
 
--   SurfacePro3\_xxxxxx.zip – Cumulative firmware and driver update package for Windows 8.1 Pro
+-   SurfacePro3_Win8x_xxxxxx.zip – Cumulative firmware and driver update package for Windows 8.1 Pro
 
 -   Surface Firmware Tool.msi – Firmware tools for UEFI management
 
--   Surface Ethernet Adapter.zip – x64 Ethernet adapter drivers
-
--   Surface Gigabit Ethernet Adapter.zip – x64 Ethernet adapter drivers
-
 -   Surface Pro 3 AssetTag.zip – UEFI Asset Tag management tool
 
--   Surface Pro 3 Driver Set.ppkg – Deployment Asset Provisioning Package for Windows 10
-
 -   Surface Pro 3 KB2978002.zip – Update for Quick Note-Taking Experience feature in Windows 8.1
 
+-   Windows8.1-KB2969817-x64.msu – Fixes an issue that causes Surface devices to reboot twice after firmware updates are installed on all supported x64-based versions of Windows 8.1
+
 -   Wintab-xxxxx-64-bit.zip – Tablet driver update for all supported x64-based versions of Windows 8.1
 
 ## Surface 3
@@ -87,15 +92,15 @@ Download the following updates [for Surface Pro 3 from the Microsoft Download Ce
 
 Download the following updates [for Surface 3 from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=49040).
 
--   Surface3\_Win10\_xxxxxx.zip – Cumulative firmware and driver update package for Windows 10
+-  Surface3_WiFi_Win10_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10  
 
--   Surface3\_Win8x\_xxxxxx.msi – Cumulative firmware and driver update package for Windows 8.1 Pro
+-   Surface3_WiFi_Win10_xxxxxx.zip – Cumulative firmware and driver update package for Windows 10
 
--   Surface3\_Win8x\_xxxxxx.zip – Cumulative firmware and driver update package for Windows 8.1 Pro
+-   Surface3_WiFi_Win8x_xxxxxx.msi – Cumulative firmware and driver update package for Windows 8.1 Pro
 
--   Surface Ethernet Adapter.zip – x64 Ethernet adapter drivers
+-   Surface3_WiFi_Win8x_xxxxxx.zip – Cumulative firmware and driver update package for Windows 8.1 Pro
 
--   Surface Gigabit Ethernet Adapter.zip – x64 Ethernet adapter drivers
+-   Surface 3 AssetTag.zip – UEFI Asset Tag management tool
 
 -   Wintab-xxxxx-64-bit.zip – Tablet driver update for all supported x64-based versions of Windows 8.1
 
@@ -104,49 +109,43 @@ Download the following updates [for Surface 3 from the Microsoft Download Center
 
 Download the following updates [for AT&T 4G LTE versions of Surface 3 from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=49039).
 
--   Surface3\_US1\_Win10\_xxxxxx.msi – Surface 3 LTE AT&T - Cumulative firmware and driver update for locked carrier dependent AT&T devices in the US, running Windows 10
+-   Surface3_4GLTE-ATT_Win10_xxxxxx.msi – Surface 3 LTE AT&T - Cumulative firmware and driver update for locked carrier dependent AT&T devices in the US, running Windows 10
 
--   Surface3\_US1\_Win10\_xxxxxx.zip – Surface 3 LTE AT&T - Cumulative firmware and driver update for locked carrier dependent AT&T devices in the US, running Windows 10
+-   Surface3_4GLTE-ATT_Win10_xxxxxx.zip – Surface 3 LTE AT&T - Cumulative firmware and driver update for locked carrier dependent AT&T devices in the US, running Windows 10
 
--   Surface3\_US1\_Win8x\_xxxxxx.msi – Surface 3 LTE AT&T - Cumulative firmware and driver update for locked carrier dependent AT&T devices in the US, running Windows 8.1 Pro
+-   Surface3_4GLTE-ATT_Win8x_xxxxxx.msi – Surface 3 LTE AT&T - Cumulative firmware and driver update for locked carrier dependent AT&T devices in the US, running Windows 8.1 Pro
 
--   Surface3\_US1\_Win8x\_xxxxxx.zip – Surface 3 LTE AT&T - Cumulative firmware and driver update for locked carrier dependent AT&T devices in the US, running Windows 8.1 Pro
+-   Surface3_4GLTE-ATT_Win8x_xxxxxx.zip – Surface 3 LTE AT&T - Cumulative firmware and driver update for locked carrier dependent AT&T devices in the US, running Windows 8.1 Pro
 
--   Surface Ethernet Adapter.zip – x64 Ethernet adapter drivers
-
--   Surface Gigabit Ethernet Adapter.zip – x64 Ethernet adapter drivers
+-   Surface 3 AssetTag.zip – UEFI Asset Tag management tool
 
 -   Wintab-xxxxx-64-bit.zip – Tablet driver update for all supported x64-based versions of Windows 8.1
 
 Download the following updates [for non-AT&T 4G LTE versions of Surface 3 from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=49037).
 
--   Surface3\_NAG\_Win10\_xxxxxx.msi – Surface 3 LTE North America - Cumulative firmware and driver update for unlocked carrier independent devices in the US, running Windows 10
+-   Surface3_4GLTE-NorthAmericaUnlocked_Win10_xxxxxx.msi – Surface 3 LTE North America - Cumulative firmware and driver update for unlocked carrier independent devices in the US, running Windows 10
 
--   Surface3\_NAG\_Win10\_xxxxxx.zip – Surface 3 LTE North America - Cumulative firmware and driver update for unlocked carrier independent devices in the US, running Windows 10
+-   Surface3_4GLTE-NorthAmericaUnlocked_Win10_xxxxxx.zip – Surface 3 LTE North America - Cumulative firmware and driver update for unlocked carrier independent devices in the US, running Windows 10
 
--   Surface3\_NAG\_Win8x\_xxxxxx.msi – Surface 3 LTE North America - Cumulative firmware and driver update for unlocked carrier independent devices in the US, running Windows 8.1 Pro
+-   Surface3_4GLTE-NorthAmericaUnlocked_Win8x_xxxxxx.msi – Surface 3 LTE North America - Cumulative firmware and driver update for unlocked carrier independent devices in the US, running Windows 8.1 Pro
 
--   Surface3\_NAG\_Win8x\_xxxxxx.zip – Surface 3 LTE North America - Cumulative firmware and driver update for unlocked carrier independent devices in the US, running Windows 8.1 Pro
+-   Surface3_4GLTE-NorthAmericaUnlocked_Win8x_xxxxxx.zip – Surface 3 LTE North America - Cumulative firmware and driver update for unlocked carrier independent devices in the US, running Windows 8.1 Pro
 
--   Surface Ethernet Adapter.zip – x64 Ethernet adapter drivers
-
--   Surface Gigabit Ethernet Adapter.zip – x64 Ethernet adapter drivers
+-   Surface 3 AssetTag.zip – UEFI Asset Tag management tool
 
 -   Wintab-xxxxx-64-bit.zip – Tablet driver update for all supported x64-based versions of Windows 8.1
 
 Download the following updates [for 4G LTE Surface 3 versions for regions outside North America from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=49041).
 
--   Surface3\_ROW\_Win10\_xxxxxx.msi – Surface 3 LTE rest of the world cumulative - Cumulative firmware and driver update for carrier independent devices outside of the US, as well as for Japan, running Windows 10
+-   Surface3_4GLTE-RestOfTheWorld_Win10_xxxxxx.msi – Surface 3 LTE rest of the world cumulative - Cumulative firmware and driver update for carrier independent devices outside of the US, as well as for Japan, running Windows 10
 
--   Surface3\_ROW\_Win10\_xxxxxx.zip – Surface 3 LTE rest of the world cumulative - Cumulative firmware and driver update for carrier independent devices outside of the US, as well as for Japan, running Windows 10
+-   Surface3_4GLTE-RestOfTheWorld_Win10_xxxxxx.zip – Surface 3 LTE rest of the world cumulative - Cumulative firmware and driver update for carrier independent devices outside of the US, as well as for Japan, running Windows 10
 
--   Surface3\_ROW\_Win8x\_xxxxxx.msi – Surface 3 LTE rest of the world cumulative - Cumulative firmware and driver update for carrier independent devices outside of the US, as well as for Japan, running Windows 8.1 Pro
+-   Surface3_4GLTE-RestOfTheWorld_Win8x_xxxxxx.msi – Surface 3 LTE rest of the world cumulative - Cumulative firmware and driver update for carrier independent devices outside of the US, as well as for Japan, running Windows 8.1 Pro
 
--   Surface3\_ROW\_Win8x\_xxxxxx.zip – Surface 3 LTE rest of the world cumulative - Cumulative firmware and driver update for carrier independent devices outside of the US, as well as for Japan, running Windows 8.1 Pro
+-   Surface3_4GLTE-RestOfTheWorld_Win8x_xxxxxx.zip – Surface 3 LTE rest of the world cumulative - Cumulative firmware and driver update for carrier independent devices outside of the US, as well as for Japan, running Windows 8.1 Pro
 
--   Surface Ethernet Adapter.zip – x64 Ethernet adapter drivers
-
--   Surface Gigabit Ethernet Adapter.zip – x64 Ethernet adapter drivers
+-   Surface 3 AssetTag.zip – UEFI Asset Tag management tool
 
 -   Wintab-xxxxx-64-bit.zip – Tablet driver update for all supported x64-based versions of Windows 8.1
 

education/windows/TOC.md

@@ -17,5 +17,6 @@
 ## [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md)
 ## [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
 ## [Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)
+## [Upgrade Windows 10 Pro to Pro Education from Windows Store for Business](windows-10-pro-to-pro-edu-upgrade.md)
 ## [Chromebook migration guide](chromebook-migration-guide.md)
 ## [Change history for Windows 10 for Education](change-history-edu.md)

education/windows/change-history-edu.md

@@ -12,6 +12,11 @@ author: jdeckerMS
 
 This topic lists new and updated topics in the [Windows 10 for Education](index.md) documentation.
 
+## December 2016
+| New or changed topic | Description |
+| --- | --- |
+| [Upgrade Windows 10 Pro to Pro Education from Windows Store for Business](windows-10-pro-to-pro-edu-upgrade.md) | New. Learn how to opt-in to a free upgrade to Windows 10 Pro Education. |
+
 ## November 2016
 
 | New or changed topic | Description|

education/windows/index.md

@@ -42,6 +42,13 @@ author: CelesteDG
  <b>[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)</b><br />Get step-by-step guidance on how to deploy Windows 10 to PCs and devices across a school district.</p></div>
    </div></div>
 
+ ## ![Deploy Windows 10 for education](images/windows.png) Upgrade
+
+ <div class="side-by-side"> <div class="side-by-side-content">
+ <div class="side-by-side-content-left"><p><b>[Upgrade Windows 10 Pro to Pro Education from Windows Store for Business](windows-10-pro-to-pro-edu-upgrade.md)</b><br />If you have an education tenant and use Windows 10 Pro in your schools now, find out how you can opt-in to a free upgrade to Windows 10 Pro Education.</p></div>
+ </div>
+
+
 ## Related topics
 
 - [Try it out: virtual labs and how-to videos for Windows 10 Education](https://technet.microsoft.com/en-us/windows/dn610356)

education/windows/take-a-test-multiple-pcs.md

@@ -17,8 +17,8 @@ author: jdeckerMS
 
 Many schools use online testing for formative and summative assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. The **Take a Test** app in Windows 10, Version 1607, creates the right environment for taking a test:
 
-- A Microsoft Edge browser window opens, showing just the test and nothing else.
-- The clipboard is cleared.
+- Take a Test shows just the test and nothing else.
+- Take a Test clears the clipboard.
 - Students aren’t able to go to other websites.
 - Students can’t open or access other apps.
 - Students can't share, print, or record their screens.

education/windows/take-a-test-single-pc.md

@@ -9,7 +9,7 @@ ms.pagetype: edu
 author: jdeckerMS
 ---
 
-# Set up Take a Test on a single PC 
+# Set up Take a Test on a single PC
 **Applies to:**
 
 -   Windows 10  
@@ -17,8 +17,8 @@ author: jdeckerMS
 
 The **Take a Test** app in Windows 10, Version 1607, creates the right environment for taking a test:
 
-- A Microsoft Edge browser window opens, showing just the test and nothing else.
-- The clipboard is cleared.
+- Take a Test shows just the test and nothing else.
+- Take a Test clears the clipboard.
 - Students aren’t able to go to other websites.
 - Students can’t open or access other apps.
 - Students can't share, print, or record their screens.
@@ -28,6 +28,7 @@ The **Take a Test** app in Windows 10, Version 1607, creates the right environme
 > [!TIP]  
 > To exit **Take a Test**, press Ctrl+Alt+Delete. 
 
+
 ## How you use Take a Test
 
 ![Use test account or test url in Take a Test](images/take-a-test-flow.png)
@@ -38,7 +39,7 @@ The **Take a Test** app in Windows 10, Version 1607, creates the right environme
 ## Set up a dedicated test account
 
 
-    
+
 
 
 
@@ -60,10 +61,10 @@ The **Take a Test** app in Windows 10, Version 1607, creates the right environme
 
 ## Provide link to test
 
-Anything hosted on the web can be presented in a locked down manner, not just assessments. To lock down online content, just embed a URL with a specific prefix and devices will be locked down when users follow the link. We recommend using this method for lower stakes assessments. 
+Anything hosted on the web can be presented in a locked down manner, not just assessments. To lock down online content, just embed a URL with a specific prefix and devices will be locked down when users follow the link. We recommend using this method for lower stakes assessments.
 
 1. Create a link to the test URL. Use **ms-edu-secureassessment:** before the URL and **!enforceLockdown** after the URL.
-``` 
+```
 ms-edu-secureassessment:<URL>!enforceLockdown
  ```
    > [!NOTE]  
@@ -79,9 +80,3 @@ ms-edu-secureassessment:<URL>!enforceLockdown
 [Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md)
 
 [Take a Test app technical reference](take-a-test-app-technical.md)
-
-
-
-
-
-

education/windows/windows-10-pro-to-pro-edu-upgrade.md

@@ -0,0 +1,259 @@
+---
+title: Windows 10 Pro to Pro Education upgrade
+description: Describes how IT Pros can opt into a Windows 10 Pro Education upgrade from the Windows Store for Business.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: edu
+author: CelesteDG
+---
+
+# Upgrade Windows 10 Pro to Pro Education from Windows Store for Business
+
+Windows 10 Pro Education is a new offering in Windows 10 Anniversary Update (Windows 10, version 1607). This edition builds on the commercial version of Windows 10 Pro and provides important management controls needed in schools by providing education-specific default settings.
+
+If you have an education tenant and use Windows 10 Pro in your schools now, global administrators can opt-in to a free upgrade to Windows 10 Pro Education through the Windows Store for Business. To take advantage of this offering, make sure you meet the [requirements for upgrade](#requirements-for-upgrade).
+
+Starting with Windows 10, version 1607, academic institutions can easily move from Windows 10 Pro to Windows 10 Pro Education—no keys and no reboots. After one of your users enters the Azure AD credentials associated with a Windows 10 Pro Education license, the operating system turns from Windows 10 Pro to Windows 10 Pro Education and all the appropriate Windows 10 Pro Education features are unlocked. When a license expires or is transferred to another user, the Windows 10 Pro Education device seamlessly steps back down to Windows 10 Pro.
+
+Previously, only schools or organizations purchasing devices as part of the Shape the Future K-12 program or with a Microsoft Volume Licensing Agreement could deploy Windows 10 Pro Education to their users. Now, if you have a Azure AD for your organization, you can take advantage of the Windows 10 Pro Education features.
+
+When you upgrade to Windows 10 Pro Education, you get the following benefits:
+
+-   **Windows 10 Pro Education edition**. Devices currently running Windows 10 Pro, version 1607 can get Windows 10 Pro Education Current Branch (CB). This benefit does not include Long Term Service Branch (LTSB).
+-   **Support from one to hundreds of users**. The Windows 10 Pro Education program does not have a limitation on the number of licenses an organization can have.
+-   **Roll back to Windows 10 Pro at any time**. When a user leaves the domain or you turn off the setting to automatic upgrade to Windows 10 Pro Education, the device reverts seamlessly to Windows 10 Pro edition (after a grace period of up to 30 days).
+
+In summary, the Windows 10 Pro Education free upgrade through the Windows Store for Business is an upgrade offering that provides organizations easier, more flexible access to the benefits of Windows 10 Pro Education edition.
+
+## Compare Windows 10 Pro and Pro Education editions
+
+In Windows 10, version 1607, the Windows 10 Pro Education edition contains the same features as the Windows 10 Pro edition except for the following differences:
+
+- Cortana is removed from Windows 10 Pro Education
+- Options to manage Windows 10 tips and tricks and Windows Store suggestions
+
+See [Windows 10 editions for education customers](windows-editions-for-education-customers.md) for more info about Windows 10 Pro Education and you can also [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare) to find out more about the features we support in other editions of Windows 10.
+
+## Requirements for upgrade
+
+Before you upgrade from Windows 10 Pro to Windows 10 Pro Education, make sure you meet these requirements:
+- Devices must be:
+  - Running Windows 10 Pro, version 1607
+  - Must be Azure Active Directory joined, or domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices).
+
+    If you haven't domain joined your devices already, [prepare for deployment of Windows 10 Pro Education licenses](#preparing-for-deployment-of-windows-10-pro-education-licenses).
+- The user making the changes must be a member of the Azure AD global administrator group.
+- The Azure AD tenant must be recognized as an education approved tenant.
+- You must have a Windows Store for Business account.
+
+## Upgrade from Windows 10 Pro to Windows 10 Pro Education
+Once you enable the setting to upgrade Windows 10 Pro to Windows 10 Pro Education, the upgrade will begin only after a user signs in to their device. The setting applies to the entire organization so you cannot select which users will receive the upgrade.
+
+**To turn on the automatic upgrade from Windows 10 Pro to Windows 10 Pro Education**
+1. Sign in to [Windows Store for Business](https://businessstore.microsoft.com/en-us/Store/Apps) with your work or school account.
+
+  If this is the first time you're signing into the Store, you'll be prompted to accept the Windows Store for Business Terms of Use.
+2. Go to **Manage > Account information**.
+3. In the **Account information** page, look for the **Automatic Windows 10 Pro Education upgrade** section and follow the link.
+
+  You will see the following page informing you that your school is eligible for a free automatic upgrade from Windows 10 Pro to Windows 10 Pro Education.
+
+  ![Eligible for free Windows 10 Pro to Windows 10 Pro Education upgrade](images/wsfb_win10_pro_to proedu_upgrade_eligibility_page.png)
+
+  **Figure 1** - Upgrade Windows 10 Pro to Windows 10 Pro Education
+
+4. Select **I understand enabling this setting will impact all devices running Windows 10 Pro in my organization**.
+5. Click **Send me email with a link to enable this upgrade** to receive an email with a link to the upgrade.
+
+  ![Email with Windows 10 Pro to Pro Education upgrade link](images/wsfb_win10_pro_to_proedu_email_upgrade_link.png)
+
+  **Figure 2** - Email notification with a link to enable the upgrade
+
+6. Click **Enable the automatic upgrade now** to turn on automatic upgrades.
+
+    ![Enable the automatic upgrade](images/wsfb_win10_pro_to proedu_upgrade_enable.png).
+
+    **Figure 3** - Enable the automatic upgrade
+
+    Enabling the automatic upgrade also triggers an email message notifying all global administrators in your organization about the upgrade. It also contains a link that enables any global administrators to cancel the upgrade, if they choose. For more info about rolling back or canceling the upgrade, see [Roll back Windows 10 Pro Education to Windows 10 Pro](#roll-back-windows-10-pro-education-to-windows-10-pro).
+
+    ![Email informing other global admins about the upgrade](images/wsfb_win10_pro_to proedu_upgrade_email_global_admins.png).
+
+    **Figure 4** - Notification email sent to all global administrators
+
+7. Click **Close** in the **Success** page.
+
+  In the **Upgrade Windows 10 Pro to Windows 10 Pro Education** page, you will see a message informing you when the upgrade was enabled and the name of the admin who enabled the upgrade.
+
+  ![Summary page about the upgrade](images/wsfb_win10_pro_to proedu_upgrade_summary.png)
+
+  **Figure 5** - Details about the automatic upgrade
+
+
+## Explore the upgrade experience
+
+So what will the users experience? How will they upgrade their devices?
+
+### For existing Azure AD domain joined devices
+Existing Azure AD domain joined devices will be upgraded from Windows 10 Pro to Windows 10 Pro Education the next time the user logs in. That's it! No additional steps are needed.
+
+### For new devices that are not Azure AD domain joined
+Now that you've turned on the setting to automatically upgrade Windows 10 Pro to Windows 10 Pro Education, the users are ready to upgrade their devices running Windows 10 Pro, version 1607 edition to Windows 10 Pro Education edition.
+
+#### Step 1: Join users’ devices to Azure AD
+
+Users can join a device to Azure AD the first time they start the device (during setup), or they can join a device that they already use running Windows 10 Pro, version 1607.
+
+**To join a device to Azure AD the first time the device is started**
+
+1.  During the initial setup, on the **Who owns this PC?** page, select **My organization**, and then click **Next**, as illustrated in **Figure 6**.
+
+    <img src="images/windows-who-owns.png" alt="Who owns this PC? page in Windows 10 setup" width="624" height="351" />
+
+    **Figure 6** - The “Who owns this PC?” page in initial Windows 10 setup
+
+2.  On the **Choose how you’ll connect** page, select **Join Azure AD**, and then click **Next**, as illustrated in **Figure 7**.
+
+    <img src="images/windows-choose-how.png" alt="Choose how you'll connect - page in Windows 10 setup" width="624" height="351" />
+
+    **Figure 7** - The “Choose how you’ll connect” page in initial Windows 10 setup
+
+3.  On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 8**.
+
+    <img src="images/windows-lets-get.png" alt="Let's get you signed in - page in Windows 10 setup" width="624" height="351" />
+
+    **Figure 8** - The “Let’s get you signed in” page in initial Windows 10 setup
+
+Now the device is Azure AD joined to the company’s subscription.
+
+**To join a device to Azure AD when the device already has Windows 10 Pro, version 1607 installed and set up**
+
+1.  Go to **Settings &gt; Accounts &gt; Access work or school**, as illustrated in **Figure 9**.
+
+    <img src="images/win-10-connect-to-work-or-school.png" alt="Connect to work or school configuration" />
+
+    **Figure 9** - Connect to work or school configuration in Settings
+
+2.  In **Set up a work or school account**, click **Join this device to Azure Active Directory**, as illustrated in **Figure 10**.
+
+    <img src="images/win-10-set-up-work-or-school.png" alt="Set up a work or school account" />
+
+    **Figure 10** - Set up a work or school account
+
+3.  On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 11**.
+
+    <img src="images/win-10-lets-get-2.png" alt="Let's get you signed in - dialog box" />
+
+    **Figure 11** - The “Let’s get you signed in” dialog box
+
+Now the device is Azure AD joined to the company’s subscription.
+
+#### Step 2: Sign in using Azure AD account
+
+Once the device is joined to your Azure AD subscription, the user will sign in by using his or her Azure AD account, as illustrated in **Figure 12**. The Windows 10 Pro Education license associated with the user will enable Windows 10 Pro Education edition capabilities on the device.
+
+<img src="images/windows-sign-in.png" alt="Sign in, Windows 10" width="624" height="351" />
+
+**Figure 12** - Sign in by using Azure AD account
+
+#### Step 3: Verify that Pro Education edition is enabled
+
+You can verify the Windows 10 Pro Education in **Settings &gt; Update & Security &gt; Activation**, as illustrated in **Figure 13**.
+
+<span id="win-10-activated-subscription-active"/>
+
+**Figure 13** - Windows 10 Pro Education in Settings
+
+<img src="images/win-10-pro-edu-activated-subscription-active.png" alt="Windows 10 activated and subscription active" />
+
+If there are any problems with the Windows 10 Pro Education license or the activation of the license, the **Activation** panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process.
+
+## Troubleshoot the user experience
+
+In some instances, users may experience problems with the Windows 10 Pro Education upgrade. The most common problems that users may experience are as follows:
+
+-   The existing Windows 10 Pro, version 1607 operating system is not activated.
+
+-   The Windows 10 Pro Education upgrade has lapsed or has been removed.
+
+Use the following figures to help you troubleshoot when users experience these common problems:
+
+<span id="win-10-activated-subscription-active"/>
+
+**Figure 13** - Illustrates a device in a healthy state, where Windows 10 Pro, version 1607 is activated and the Windows 10 Pro Education upgrade is active.
+
+<img src="images/win-10-pro-edu-activated-subscription-active.png" alt="Windows 10 activated and subscription active" />
+
+<span id="win-10-not-activated"/>
+
+**Figure 14** - Illustrates a device on which Windows 10 Pro, version 1607 is not activated, but the Windows 10 Pro Education upgrade is active.
+
+<img src="images/win-10-pro-edu-not-activated-subscription-active.png" alt="Windows 10 not activated and subscription active" /><br><br>
+
+
+### Review requirements on devices
+
+Devices must be running Windows 10 Pro, version 1607, and be Azure Active Directory joined, or domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. You can use the following procedures to review whether a particular device meets requirements.
+
+**To determine if a device is Azure Active Directory joined**
+
+1.  Open a command prompt and type **dsregcmd /status**.
+
+2.  Review the output under Device State. If the **AzureAdJoined** status is YES, the device is Azure Active Directory joined.
+
+**To determine the version of Windows 10**
+
+-   At a command prompt, type:
+    **winver**
+
+    A popup window will display the Windows 10 version number and detailed OS build information.
+
+    If a device is running a previous version of Windows 10 Pro (for example, version 1511), it will not be upgraded to Windows 10 Pro Education when a user signs in, even if the user has been assigned a license.
+
+## Roll back Windows 10 Pro Education to Windows 10 Pro
+
+If your organization has the Windows 10 Pro to Windows 10 Pro Education upgrade enabled, and you decide to roll back to Windows 10 Pro or to cancel the upgrade, you can do this by:
+- Logging into Windows Store for Business page and turning off the automatic upgrade.
+- Selecting the link to turn off the automatic upgrade from the notification email sent to all global administrators.
+
+Once the automatic upgrade to Windows 10 Pro Education is turned off, the change is effective immediately. Devices that were upgraded will revert to Windows 10 Pro only after the license has been refreshed (every 30 days) and the next time the user signs in. This means that a user whose device was upgraded may not immediately see Windows 10 Pro Education rolled back to Windows 10 Pro for up to 30 days. However, users who haven't signed in during the time that an upgrade was enabled and then turned off will never see their device change from Windows 10 Pro.
+
+**To roll back Windows 10 Pro Education to Windows 10 Pro**
+1. Log in to [Windows Store for Business](https://businessstore.microsoft.com/en-us/Store/Apps) with your school or work account, or follow the link from the notification email to turn off the automatic upgrade.
+2. Select **Manage > Account information** and locate the section **Automatic Windows 10 Pro Education upgrade** and follow the link.
+3. In the **Upgrade Windows 10 Pro to Windows 10 Pro Education** page, select **Turn off the automatic upgrade to Windows 10 Pro Education**.
+
+  ![Turn off automatic upgrade to Windows 10 Pro Education](images/wsfb_win10_pro_to proedu_upgrade_disable.png)
+
+  **Figure 15** - Link to turn off the automatic upgrade
+
+4. You will be asked if you're sure that you want to turn off automatic upgrades to Windows 10 Pro Education. Click **Yes**.
+5. Click **Close** in the **Success** page.
+6. In the **Upgrade Windows 10 Pro to Windows 10 Pro Education** page, you will see information on when the upgrade was disabled.
+
+  If you decide later that you want to turn on automatic upgrades again, you can do this from the **Upgrade Windows 10 Pro to Windows 10 Pro Education**.
+
+## Preparing for deployment of Windows 10 Pro Education licenses
+
+If you have on-premises Active Directory Domain Services (AD DS) domains, users will use their domain-based credentials to sign in to the AD DS domain. Before you start deploying Windows 10 Pro Education to users, you need to synchronize the identities in the on-premises AD DS domain with Azure AD.
+
+You need to synchronize these identities so that users will have a *single identity* that they can use to access their on-premises apps and cloud services that use Azure AD (such as Windows 10 Pro Education). This means that users can use their existing credentials to sign in to Azure AD and access the cloud services that you provide and manage for them.
+
+**Figure 16** illustrates the integration between the on-premises AD DS domain with Azure AD. [Microsoft Azure Active Directory Connect](http://www.microsoft.com/en-us/download/details.aspx?id=47594) (Azure AD Connect) is responsible for synchronization of identities between the on-premises AD DS domain and Azure AD. Azure AD Connect is a service that you can install on-premises or in a virtual machine in Azure.
+
+![Illustration of Azure Active Directory Connect](images/windows-ad-connect.png)
+
+**Figure 16** - On-premises AD DS integrated with Azure AD
+
+For more information about integrating on-premises AD DS domains with Azure AD, see these resources:
+-   [Integrating your on-premises identities with Azure Active Directory](http://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/)
+-   [Azure AD + Domain Join + Windows 10](https://blogs.technet.microsoft.com/enterprisemobility/2016/02/17/azure-ad-domain-join-windows-10/)
+
+## Related topics
+
+[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
+
+[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)
+
+[Compare Windows 10 editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare)

windows/deploy/upgrade-analytics-get-started.md

@@ -115,7 +115,9 @@ To ensure that user computers are receiving the most up to date data from Micros
 
 ## Run the Upgrade Analytics deployment script
 
-To automate many of the steps outlined above and to troubleshoot data sharing issues, you can run the Upgrade Analytics deployment script, developed by Microsoft.
+To automate many of the steps outlined above and to troubleshoot data sharing issues, you can run the [Upgrade Analytics deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409), developed by Microsoft.
+
+> The following guidance applies to version 11.11.16 or later of the Upgrade Analytics deployment script. If you are using an older version, please download the latest from [Download Center](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409).
 
 The Upgrade Analytics deployment script does the following:
 
@@ -125,7 +127,7 @@ The Upgrade Analytics deployment script does the following:
 
 3.  Checks whether the computer has a pending restart.  
 
-4.  Verifies that the latest version of KB package 10.0.x is installed (requires 10.0.14348 or subsequent releases).
+4.  Verifies that the latest version of KB package 10.0.x is installed (version 10.0.14348 or later is required, but version 10.0.14913 or later is recommended).
 
 5.  If enabled, turns on verbose mode for troubleshooting.
 
@@ -135,17 +137,15 @@ The Upgrade Analytics deployment script does the following:
 
 To run the Upgrade Analytics deployment script:
 
-1.  Download the [Upgrade Analytics deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and extract UpgradeAnalytics.zip. The files in the Diagnostics folder are necessary only if you plan to run the script in troubleshooting mode.
+1.  Download the [Upgrade Analytics deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and extract UpgradeAnalytics.zip. Inside, there are two folders: Pilot and Deployment. The Pilot folder contains advanced logging that can help troubleshoot issues and is inteded to be run from an elevated command prompt. The Deployment folder offers a lightweight script intended for broad deployment through ConfigMgr or other software deployment system. We recommend manually running the Pilot version of the script on 5-10 machines to verify that everything is configured correctly.  Once you have confirmed that data is flowing successfully, proceed to run the Deployment version throughout your organization.
 
 2.  Edit the following parameters in RunConfig.bat:
 
-    1.  Provide a storage location for log information. Example: %SystemDrive%\\UADiagnostics
+    1.  Provide a storage location for log information. You can store log information on a remote file share or a local directory. If the script is blocked from creating the log file for the given path, it creates the log files in the drive with the Windows directory. Example: %SystemDrive%\\UADiagnostics
 
-    2.  You can store log information on a remote file share or a local directory. If the script is blocked from creating the log file for the given path, it creates the log files in the drive with the Windows directory.
+    2.  Input your commercial ID key. This can be found in your OMS workspace under Settings -> Connected Sources -> Windows Telemetry.
 
-    3.  Input your commercial ID key.
-
-    4.  By default, the script sends log information to both the console and the log file. To change the default behavior, use one of the following options:
+    3.  By default, the script sends log information to both the console and the log file. To change the default behavior, use one of the following options:
 
         > *logMode = 0 log to console only*
 >
@@ -153,9 +153,7 @@ To run the Upgrade Analytics deployment script:
 >
         > *logMode = 2 log to file only*
 
-3.  For troubleshooting, set isVerboseLogging to $true to generate log information that can help with diagnosing issues. By default, isVerboseLogging is set to $false. Ensure the Diagnostics folder is installed in the same directory as the script to use this mode.
-
-4.  To enable Internet Explorer data collection, set AllowIEData to IEDataOptIn. By default, AllowIEData is set to Disable. Then use one of the following options to determine what Internet Explorer data can be collected:
+3.  To enable Internet Explorer data collection, set AllowIEData to IEDataOptIn. By default, AllowIEData is set to Disable. Then use one of the following options to determine what Internet Explorer data can be collected:
 
     > *IEOptInLevel = 0 Internet Explorer data collection is disabled*
     >
@@ -165,9 +163,7 @@ To run the Upgrade Analytics deployment script:
     >
     > *IEOptInLevel = 3 Data collection is enabled for all sites*
 
-5.  Notify users if they need to restart their computers. By default, this is set to off.
-
-6.  After you finish editing the parameters in RunConfig.bat, run the script as an administrator.
+4.  After you finish editing the parameters in RunConfig.bat, you are ready to run the script.  If you are using the Pilot version, run RunConfig.bat from an elevated command prompt. If you are using the Deployment version, use ConfigMgr or other software deployment service to run RunConfig.bat as system.
 
 The deployment script displays the following exit codes to let you know if it was successful, or if an error was encountered. 
 
@@ -197,8 +193,13 @@ The deployment script displays the following exit codes to let you know if it wa
 <TR><TD>19<TD>This machine doesn’t have the proper KBs installed. Make sure you have recent compatibility update KB downloaded.
 <TR><TD>20<TD>Error writing RequestAllAppraiserVersions registry key.
 <TR><TD>21<TD>Function – SetRequestAllAppraiserVersions: Unexpected failure.
-<TR><TD>22<TD>Error when running inventory scan.
+<TR><TD>22<TD>RunAppraiser failed with unexpected exception.
 <TR><TD>23<TD>Error finding system variable %WINDIR%.
+<TR><TD>24<TD>SetIEDataOptIn failed when writing IEDataOptIn to registry.
+<TR><TD>25<TD>SetIEDataOptIn failed with unexpected exception.
+<TR><TD>26<TD>The operating system is Server or LTSB SKU. The script does not support Server or LTSB SKUs.
+<TR><TD>27<TD>The script is not running under System account.  The Upgrade Analytics configuration script must be run as system.
+<TR><TD>28<TD>Could not create log file at the specified logPath.
 </TABLE>
 
 </div>

windows/keep-secure/TOC.md

@@ -32,14 +32,12 @@
 ##### [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md)
 #### [Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md)
 #### [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md)
+### [Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](mandatory-settings-for-wip.md)
+### [Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md)
+### [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md)
 ### [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md)
-#### [Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](mandatory-settings-for-wip.md)
 #### [Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md)
 #### [Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](app-behavior-with-wip.md)
-#### [Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md)
-#### [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md)
-## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md)
-## [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md)
 ## [VPN technical guide](vpn-guide.md)
 ### [VPN connection types](vpn-connection-type.md)
 ### [VPN routing decisions](vpn-routing.md)
@@ -741,10 +739,12 @@
 ##### [Investigate a domain](investigate-domain-windows-defender-advanced-threat-protection.md)
 ##### [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
 #### [Windows Defender ATP settings](settings-windows-defender-advanced-threat-protection.md)
+#### [Windows Defender ATP service status](service-status-windows-defender-advanced-threat-protection.md)
 #### [Configure SIEM tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md)
 ##### [Configure an Azure Active Directory application for SIEM integration](configure-aad-windows-defender-advanced-threat-protection.md)
 ##### [Configure Splunk to consume Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
 ##### [Configure HP ArcSight to consume Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
+#### [Configure email notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md)
 #### [Troubleshoot Windows Defender ATP](troubleshoot-windows-defender-advanced-threat-protection.md)
 #### [Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md)
 #### [Windows Defender compatibility](defender-compatibility-windows-defender-advanced-threat-protection.md)

windows/keep-secure/access-this-computer-from-the-network.md

@@ -1,5 +1,5 @@
 ---
-title: Access this computer from the network (Windows 10)
+title: Access this computer from the network - security policy setting (Windows 10)
 description: Describes the best practices, location, values, policy management, and security considerations for the Access this computer from the network security policy setting.
 ms.assetid: f6767bc2-83d1-45f1-847c-54f5362db022
 ms.prod: w10
@@ -9,7 +9,7 @@ ms.pagetype: security
 author: brianlic-msft
 ---
 
-# Access this computer from the network
+# Access this computer from the network - security policy setting
 
 **Applies to**
 -   Windows 10

windows/keep-secure/accounts-guest-account-status.md

@@ -1,5 +1,5 @@
 ---
-title: Accounts Guest account status (Windows 10)
+title: Accounts Guest account status - security policy setting (Windows 10)
 description: Describes the best practices, location, values, and security considerations for the Accounts Guest account status security policy setting.
 ms.assetid: 07e53fc5-b495-4d02-ab42-5b245d10d0ce
 ms.prod: w10
@@ -9,7 +9,7 @@ ms.pagetype: security
 author: brianlic-msft
 ---
 
-# Accounts: Guest account status
+# Accounts: Guest account status - security policy setting
 
 **Applies to**
 -   Windows 10

windows/keep-secure/accounts-rename-guest-account.md

@@ -1,5 +1,5 @@
 ---
-title: Accounts Rename guest account (Windows 10)
+title: Accounts Rename guest account - security policy setting (Windows 10)
 description: Describes the best practices, location, values, and security considerations for the Accounts Rename guest account security policy setting.
 ms.assetid: 9b8052b4-bbb9-4cc1-bfee-ce25390db707
 ms.prod: w10
@@ -9,7 +9,7 @@ ms.pagetype: security
 author: brianlic-msft
 ---
 
-# Accounts: Rename guest account
+# Accounts: Rename guest account - security policy setting
 
 **Applies to**
 -   Windows 10

windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md

@@ -19,8 +19,8 @@ localizationpriority: high
 
 You can add apps to your Windows Information Protection (WIP) protected app list using the Microsoft Intune custom URI functionality and AppLocker. For more info about how to create a custom URI using Intune, [Windows 10 custom policy settings in Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkID=691330).
 
->**Important**<br>
-Results can be unpredictable if you configure your policy using both the UI and the Custom URI method together. We recommend using a single method for each policy.
+>[!IMPORTANT]
+>Results can be unpredictable if you configure your policy using both the UI and the Custom URI method together. We recommend using a single method for each policy.
 
 ## Add Store apps
 1.  Go to the AppLocker UI by opening a command line window and running secpol.msc. The local security policy MMC snap-in opens showing the **Security Settings**.
@@ -39,13 +39,15 @@ Results can be unpredictable if you configure your policy using both the UI and
 
 5.  In the **Rules Preferences** screen, keep the default settings, and then click **Next** to start generating the rules.
 
-    >**Note**<br>We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.<p>If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.
+    >[!NOTE]
+    >We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.<p>If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.
 
 6.  In the **Review Rules** screen, look over your rules to make sure they’re right, and then click **Create** to add them to your collection of rules.
 
 7.  In the left pane, right-click **AppLocker**, click **Export Policies**, go to where you want to save the XML file and type a file name, click **Save**, and then clear your AppLocker rules.
 
-    >**Important**<br>Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy.
+    >[!IMPORTANT]
+    >Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy.
 
 8.  Open the Intune administration console, and go to the **Policy** node, click **Add Policy** from the **Tasks** area, go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)** policy, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.
 
@@ -85,16 +87,18 @@ After saving the policy, you’ll need to deploy it to your employee’s devices
 
 5.  In the **Rules Preferences** screen, keep the default settings, and then click **Next** to start generating the rules.
 
-    >**Important**<br>You can also use **Path** rules instead of the **File hash** if you have concerns about unsigned files potentially changing the hash value if they're updated in the future.
+    >[!IMPORTANT]
+    >You can also use **Path** rules instead of the **File hash** if you have concerns about unsigned files potentially changing the hash value if they're updated in the future.
     
-    <p>
-    >**Note**<br>We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.<p>If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.<p>Finally, there's **Path** rules. **Path** rules are easier to set up and maintain, but can let apps bypass Windows Information Protection (WIP) by simply renaming and moving an unallowed file to match one of the apps on the **Protected App** list. For example, if your **Path** rule says to allow `%PROGRAMFILES%/NOTEPAD.EXE`, it becomes possible to rename DisallowedApp.exe to Notepad.exe, move it into the specified path above, and have it suddenly be allowed.
+    >[!NOTE]
+    >We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.<p>If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.<p>Finally, there's **Path** rules. **Path** rules are easier to set up and maintain, but can let apps bypass Windows Information Protection (WIP) by simply renaming and moving an unallowed file to match one of the apps on the **Protected App** list. For example, if your **Path** rule says to allow `%PROGRAMFILES%/NOTEPAD.EXE`, it becomes possible to rename DisallowedApp.exe to Notepad.exe, move it into the specified path above, and have it suddenly be allowed.
 
 6.  In the **Review Rules** screen, look over your rules to make sure they’re right, and then click **Create** to add them to your collection of rules.
 
 7.  In the left pane, right-click **AppLocker**, click **Export Policies**, go to where you want to save the XML file and type a file name, click **Save**, and then clear your AppLocker rules.
 
-    >**Important**<br>Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy.
+    >[!IMPORTANT]
+    >Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy.
 
 8.  Open the Intune administration console, and go to the **Policy** node, click **Add Policy** from the **Tasks** area, go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)** policy, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.
 
@@ -118,7 +122,10 @@ After saving the policy, you’ll need to deploy it to your employee’s devices
 
     After saving the policy, you’ll need to deploy it to your employee’s devices. For more info, see the [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md) topic.
 
-##Related topics
+>[!NOTE]
+>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
+
+## Related topics
 - [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md)
 - [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md)
 - [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md)

windows/keep-secure/allow-log-on-locally.md

@@ -1,5 +1,5 @@
 ---
-title: Allow log on locally (Windows 10)
+title: Allow log on locally - security policy setting (Windows 10)
 description: Describes the best practices, location, values, policy management, and security considerations for the Allow log on locally security policy setting.
 ms.assetid: d9e5e1f3-3bff-4da7-a9a2-4bb3e0c79055
 ms.prod: w10
@@ -9,7 +9,7 @@ ms.pagetype: security
 author: brianlic-msft
 ---
 
-# Allow log on locally
+# Allow log on locally - security policy setting
 
 **Applies to**
 -   Windows 10

windows/keep-secure/app-behavior-with-wip.md

@@ -129,3 +129,6 @@ This table includes info about how enlightened apps might behave, based on your
         </td>
     </tr>
 </table>
+
+>[!NOTE]
+>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).

windows/keep-secure/back-up-files-and-directories.md

@@ -1,5 +1,5 @@
 ---
-title: Back up files and directories (Windows 10)
+title: Back up files and directories - security policy setting (Windows 10)
 description: Describes the best practices, location, values, policy management, and security considerations for the Back up files and directories security policy setting.
 ms.assetid: 1cd6bdd5-1501-41f4-98b9-acf29ac173ae
 ms.prod: w10
@@ -9,7 +9,7 @@ ms.pagetype: security
 author: brianlic-msft
 ---
 
-# Back up files and directories
+# Back up files and directories - security policy setting
 
 **Applies to**
 -   Windows 10

windows/keep-secure/bitlocker-basic-deployment.md

@@ -40,7 +40,7 @@ BitLocker encryption can be done using the following methods:
 
 ### Encrypting volumes using the BitLocker control panel
 
-Encrypting volumes with the BitLocker control panel is how many users will utilize BitLocker. The name of the BitLocker control panel is BitLocker Drive Encryption. The BitLocker control panel supports encrypting operating system, fixed data and removable data volumes. The BitLocker control panel will organize available drives in the appropriate category based on how the device reports itself to Windows. Only formatted volumes with assigned drive letters will appear properly in the BitLocker control panel applet.
+Encrypting volumes with the BitLocker control panel (click **Start**, type **bitlocker**, click **Manage BitLocker**) is how many users will utilize BitLocker. The name of the BitLocker control panel is BitLocker Drive Encryption. The BitLocker control panel supports encrypting operating system, fixed data and removable data volumes. The BitLocker control panel will organize available drives in the appropriate category based on how the device reports itself to Windows. Only formatted volumes with assigned drive letters will appear properly in the BitLocker control panel applet.
 To start encryption for a volume, select **Turn on BitLocker** for the appropriate drive to initialize the BitLocker Drive Encryption Wizard. BitLocker Drive Encryption Wizard options vary based on volume type (operating system volume or data volume).
 
 ### Operating system volume

windows/keep-secure/bitlocker-frequently-asked-questions.md

@@ -47,6 +47,8 @@ Yes, BitLocker supports multifactor authentication for operating system drives.
 
 ### <a href="" id="bkmk-hsrequirements"></a>What are the BitLocker hardware and software requirements?
 
+For requirements, see [System requirements](https://technet.microsoft.com/itpro/windows/keep-secure/bitlocker-overview#system-requirements).
+
 > **Note:**  Dynamic disks are not supported by BitLocker. Dynamic data volumes will not be displayed in the Control Panel. Although the operating system volume will always be displayed in the Control Panel, regardless of whether it is a Dynamic disk, if it is a dynamic disk it is cannot be protected by BitLocker.
  
 ### <a href="" id="bkmk-partitions"></a>Why are two partitions required? Why does the system drive have to be so large?
@@ -198,9 +200,9 @@ Any number of internal, fixed data drives can be protected with BitLocker. On so
 
 ## <a href="" id="bkmk-keymanagement"></a>Key management
 
-### <a href="" id="bkmk-key"></a>What is the difference between a TPM owner password, recovery password, recovery key, password, PIN, enhanced PIN, and startup key?
+### <a href="" id="bkmk-key"></a>What is the difference between a recovery password, recovery key, PIN, enhanced PIN, and startup key?
 
-There are multiple keys that can be generated and used by BitLocker. Some keys are required and some are optional protectors you can choose to use depending on the level of security you require.
+For tables that list and describe elements such as a recovery password, recovery key, and PIN, see [BitLocker key protectors](prepare-your-organization-for-bitlocker-planning-and-policies.md#bitlocker-key-protectors) and [BitLocker authentication methods](prepare-your-organization-for-bitlocker-planning-and-policies.md#bitlocker-authentication-methods). 
 
 ### <a href="" id="bkmk-recoverypass"></a>How can the recovery password and recovery key be stored?
 

windows/keep-secure/bitlocker-how-to-deploy-on-windows-server.md

@@ -14,7 +14,7 @@ author: brianlic-msft
 **Applies to**
 -   Windows 10
 
-This topic for the IT professional explains how to deploy BitLocker and Windows Server 2012 and later.
+This topic for the IT professional explains how to deploy BitLocker on Windows Server 2012 and later.
 
 For all Windows Server editions, BitLocker must be installed using Server Manager. However, you can still provision BitLocker before the server operating system is installed as part of your deployment.
 

windows/keep-secure/bitlocker-overview.md

@@ -79,4 +79,4 @@ When installing the BitLocker optional component on a server you will also need
 | [Protect BitLocker from pre-boot attacks](protect-bitlocker-from-pre-boot-attacks.md)| This detailed guide will help you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a device’s configuration. |
 | [Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)| This topic for IT pros describes how to protect CSVs and SANs with BitLocker.| 
 
-If you're looking for info on how to use it with Windows 10 IoT Core, see [Enabling Secure Boot and BitLocker Device Encryption on Windows 10 IoT Core](https://developer.microsoft.com/windows/iot/win10/SB_BL.htm).
+If you're looking for info on how to use it with Windows 10 IoT Core, see [Enabling Secure Boot and BitLocker Device Encryption on Windows 10 IoT Core](https://developer.microsoft.com/windows/iot/docs/securebootandbitlocker).

windows/keep-secure/change-the-system-time.md

@@ -1,5 +1,5 @@
 ---
-title: Change the system time (Windows 10)
+title: Change the system time - security policy setting (Windows 10)
 description: Describes the best practices, location, values, policy management, and security considerations for the Change the system time security policy setting.
 ms.assetid: f2f6637d-acbc-4352-8ca3-ec563f918e65
 ms.prod: w10
@@ -9,7 +9,7 @@ ms.pagetype: security
 author: brianlic-msft
 ---
 
-# Change the system time
+# Change the system time - security policy setting
 
 **Applies to**
 -   Windows 10

windows/keep-secure/change-the-time-zone.md

@@ -1,5 +1,5 @@
 ---
-title: Change the time zone (Windows 10)
+title: Change the time zone - security policy setting (Windows 10)
 description: Describes the best practices, location, values, policy management, and security considerations for the Change the time zone security policy setting.
 ms.assetid: 3b1afae4-68bb-472f-a43e-49e300d73e50
 ms.prod: w10
@@ -9,7 +9,7 @@ ms.pagetype: security
 author: brianlic-msft
 ---
 
-# Change the time zone
+# Change the time zone - security policy setting
 
 **Applies to**
 -   Windows 10

windows/keep-secure/configure-email-notifications-windows-defender-advanced-threat-protection.md

@@ -0,0 +1,63 @@
+---
+title: Configure email notifications in Windows Defender ATP
+description: Send email notifications to specified recipients to receive new alerts based on severity with Windows Defender ATP on Windows 10 Enterprise, Pro, and Education editions.
+keywords: email notifications, configure alert notifications, windows defender atp notifications, windows defender atp alerts, windows 10 enterprise, windows 10 education
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+localizationpriority: high
+---
+
+# Configure email notifications
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+You can configure Windows Defender ATP to send email notifications to specified recipients for new alerts. This feature enables you to identify a group of individuals who will immediately be informed and can act on alerts based on their severity.
+
+> [!NOTE]
+> Only users with full access can configure email notifications.
+
+You can set the alert severity levels that trigger notifications. When you turn enable the email notifications feature, it’s set to high and medium alerts by default.
+
+You can also add or remove recipients of the email notification. New recipients get notified about alerts encountered after they are added. For more information about alerts, see [View and organize the Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md).
+
+The email notification includes basic information about the alert and a link to the portal where you can do further investigation.
+
+## Set up email notifications for alerts
+The email notifications feature is turned off by default. Turn it on to start receiving email notifications.
+
+1. On the navigation pane, select **Preferences Setup** > **Email Notifications**.
+2. Toggle the setting between **On** and **Off**.
+3.	Select the alert severity level that you’d like your recipients to receive:
+  - **High** – Select this level to send notifications for high-severity alerts.
+  - **Medium** – Select this level to send notifications for medium-severity alerts.
+  - **Low** - Select this level to send notifications for low-severity alerts.
+4.	In **Email recipients to notify on new alerts**, type the email address then select the + sign.
+5.	Click **Save preferences** when you’ve completed adding all the recipients.
+
+Check that email recipients are able to receive the email notifications by selecting **Send test email**. All recipients in the list will receive the test email.
+
+## Remove email recipients
+
+1. Select the trash bin icon beside the email address you’d like to remove.
+2. Click **Save preferences**.
+
+## Troubleshoot email notifications for alerts
+This section lists various issues that you may encounter when using email notifications for alerts.
+
+**Problem:** Intended recipients report they are not getting the notifications.
+
+**Solution:** Make sure that the notifications are not blocked by email filters:
+
+1.	Check that the Windows Defender ATP email notifications are not sent to the Junk Email folder. Mark them as Not junk.
+2.	Check that your email security product is not blocking the email notifications from Windows Defender ATP.
+3.	Check your email application rules that might be catching and moving your Windows Defender ATP email notifications.

windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md

@@ -51,6 +51,10 @@ You can use System Center Configuration Manager’s existing functionality to cr
 
     a. Choose a predefined device collection to deploy the package to.
 
+> [!NOTE]
+> Onboarding couldn't be completed during Out-Of-Box Experience (OOBE). Make sure users pass OOBE after running Windows installation or upgrading.
+
+
 ### Configure sample collection settings
 For each endpoint, you can set a configuration value to state whether samples can be collected from the endpoint when a request is made through the Windows Defender ATP portal to submit a file for deep analysis.
 

windows/keep-secure/create-a-pagefile.md

@@ -1,5 +1,5 @@
 ---
-title: Create a pagefile (Windows 10)
+title: Create a pagefile - security policy setting (Windows 10)
 description: Describes the best practices, location, values, policy management, and security considerations for the Create a pagefile security policy setting.
 ms.assetid: dc087897-459d-414b-abe0-cd86c8dccdea
 ms.prod: w10
@@ -9,7 +9,7 @@ ms.pagetype: security
 author: brianlic-msft
 ---
 
-# Create a pagefile
+# Create a pagefile - security policy setting
 
 **Applies to**
 -   Windows 10

windows/keep-secure/create-and-verify-an-efs-dra-certificate.md

@@ -19,8 +19,8 @@ If you don’t already have an EFS DRA certificate, you’ll need to create and
 
 The recovery process included in this topic only works for desktop devices. WIP deletes the data on Windows 10 Mobile devices.   
 
->**Important**<br>
-If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. For more info about when to use a PKI and the general strategy you should use to deploy DRA certificates, see the [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/magazine/2007.02.securitywatch.aspx) article on TechNet. For more general info about EFS protection, see [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/library/cc875821.aspx).<p>If your DRA certificate has expired, you won’t be able to encrypt your files with it. To fix this, you'll need to create a new certificate, using the steps in this topic, and then deploy it through policy.
+>[!IMPORTANT]
+>If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. For more info about when to use a PKI and the general strategy you should use to deploy DRA certificates, see the [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/magazine/2007.02.securitywatch.aspx) article on TechNet. For more general info about EFS protection, see [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/library/cc875821.aspx).<p>If your DRA certificate has expired, you won’t be able to encrypt your files with it. To fix this, you'll need to create a new certificate, using the steps in this topic, and then deploy it through policy.
 
 **To manually create an EFS DRA certificate**
 
@@ -36,13 +36,13 @@ If you already have an EFS DRA certificate for your organization, you can skip c
 
     The EFSDRA.cer and EFSDRA.pfx files are created in the location you specified in Step 1.
 
-    >**Important**<br> 
-    Because the private keys in your DRA .pfx files can be used to decrypt any WIP file, you must protect them accordingly. We highly recommend storing these files offline, keeping copies on a smart card with strong protection for normal use and master copies in a secured physical location.
+    >[!IMPORTANT]
+    >Because the private keys in your DRA .pfx files can be used to decrypt any WIP file, you must protect them accordingly. We highly recommend storing these files offline, keeping copies on a smart card with strong protection for normal use and master copies in a secured physical location.
 
 4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as Microsoft Intune or System Center Configuration Manager. 
 
-    >**Note**<br>
-    To add your EFS DRA certificate to your policy by using Microsoft Intune, see the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) topic. To add your EFS DRA certificate to your policy by using System Center Configuration Manager, see the [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) topic.
+    >[!NOTE]
+    >To add your EFS DRA certificate to your policy by using Microsoft Intune, see the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) topic. To add your EFS DRA certificate to your policy by using System Center Configuration Manager, see the [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) topic.
 
 **To verify your data recovery certificate is correctly set up on a WIP client computer**
 
@@ -73,7 +73,8 @@ If you already have an EFS DRA certificate for your organization, you can skip c
 **To quickly recover WIP-protected desktop data after unenrollment**<br>
 It's possible that you might revoke data from an unenrolled device only to later want to restore it all. This can happen in the case of a missing device being returned or if an unenrolled employee enrolls again. If the employee enrolls again using the original user profile, and the revoked key store is still on the device, all of the revoked data can be restored at once, by following these steps.
 
->**Important**<br>To maintain control over your enterprise data, and to be able to revoke again in the future, you must only perform this process after the employee has re-enrolled the device. 
+>[!IMPORTANT]
+>To maintain control over your enterprise data, and to be able to revoke again in the future, you must only perform this process after the employee has re-enrolled the device. 
 
 1. Have your employee sign in to the unenrolled device, open a command prompt, and type:
     
@@ -93,6 +94,9 @@ It's possible that you might revoke data from an unenrolled device only to later
 
     The Windows Credential service automatically recovers the employee’s previously revoked keys from the `Recovery\Input` location.
 
+>[!NOTE]
+>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
+
 ## Related topics
 - [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/magazine/2007.02.securitywatch.aspx)
 

windows/keep-secure/create-applocker-default-rules.md

@@ -27,3 +27,7 @@ You can perform this task by using the Group Policy Management Console for an Ap
 1.  Open the AppLocker console.
 2.  Right-click the appropriate rule type for which you want to automatically generate default rules. You can automatically generate rules for executable, Windows Installer, script rules and Packaged app rules.
 3.  Click **Create Default Rules**.
+
+## Related topics
+
+- [Understanding AppLocker default rules](understanding-applocker-default-rules.md)

windows/keep-secure/create-vpn-and-wip-policy-using-intune.md

@@ -111,6 +111,10 @@ The final step to making your VPN configuration work with WIP, is to link your t
 3.  After you've picked all of the employees and groups that should get the policy, click **OK**. The policy is deployed to the selected users' devices.
 
 
+>[!NOTE]
+>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
+
+
 
 
 

windows/keep-secure/create-wip-policy-using-intune.md

@@ -44,10 +44,11 @@ During the policy-creation process in Intune, you can choose the apps you want t
 
 The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed Windows desktop app, or an AppLocker policy file.
 
->**Important**<br>WIP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.<p>Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App Rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
+>[!IMPORTANT]
+>WIP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.<p>Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App Rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
 
->**Note**<br>
-If you want to use **File hash** or **Path** rules, instead of **Publisher** rules, you must follow the steps in the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic.
+>[!NOTE]
+>If you want to use **File hash** or **Path** rules, instead of **Publisher** rules, you must follow the steps in the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic.
 
 #### Add a store app rule to your policy
 For this example, we’re going to add Microsoft OneNote, a store app, to the **App Rules** list.
@@ -76,8 +77,8 @@ If you don't know the publisher or product name, you can find them for both desk
 **To find the Publisher and Product Name values for Store apps without installing them**
 1.	Go to the [Windows Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Microsoft OneNote*.
 
-    >**Note**<br>
-    If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic.
+    >[!NOTE]
+    >If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic.
 
 2.	Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`.
 
@@ -94,8 +95,10 @@ If you don't know the publisher or product name, you can find them for both desk
 
 4. Copy the `publisherCertificateName` value into the **Publisher Name** box and copy the `packageIdentityName` value into the **Product Name** box of Intune.
 
-    >**Important**<br>
-    The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.<p>For example:
+    >[!IMPORTANT]
+    >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.
+    
+    For example:
         
     ```json
         {
@@ -106,7 +109,8 @@ If you don't know the publisher or product name, you can find them for both desk
 **To find the Publisher and Product Name values for apps installed on Windows 10 mobile phones**
 1.	If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature.
 
-    >**Note**<br>Your PC and phone must be on the same wireless network.
+    >[!NOTE]
+    >Your PC and phone must be on the same wireless network.
 
 2.	On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**.
 
@@ -122,8 +126,10 @@ If you don't know the publisher or product name, you can find them for both desk
 
 8.	Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune.
 
-    >**Important**<br>
-    The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.<p>For example:<br>
+    >[!IMPORTANT]
+    >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.
+    
+    For example:
     
     ``` json
         {
@@ -348,9 +354,9 @@ After you've added a protection mode to your apps, you'll need to decide where t
 
 There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise’s range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT).
 
->**Important**
-- Every WIP policy should include policy that defines your enterprise network locations.
-- Classless Inter-Domain Routing (CIDR) notation isn’t supported for WIP configurations.
+>[!IMPORTANT]
+>Every WIP policy should include policy that defines your enterprise network locations.<br>
+>Classless Inter-Domain Routing (CIDR) notation isn’t supported for WIP configurations.
 
 **To define where your protected apps can find and send enterprise data on you network**
 
@@ -465,6 +471,9 @@ After you've decided where your protected apps can access enterprise data on you
 
 2. Click **Save Policy**.
 
+>[!NOTE]
+>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
+
 ## Related topics
 - [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md)
 - [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md)

windows/keep-secure/create-wip-policy-using-sccm.md

@@ -20,8 +20,8 @@ localizationpriority: high
 
 System Center Configuration Manager helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network.
 
->**Important**<br>
-If you previously created a WIP policy using System Center Configuration Manager version 1511 or 1602, you’ll need to recreate it using version 1606 or later. Editing a WIP policy created in version 1511 or 1602 is not supported in later versions and there is no migration path between older and newer WIP policies.
+>[!IMPORTANT]
+>If you previously created a WIP policy using System Center Configuration Manager version 1511 or 1602, you’ll need to recreate it using version 1606 or later. Editing a WIP policy created in version 1511 or 1602 is not supported in later versions and there is no migration path between older and newer WIP policies.
 
 ## Add a WIP policy
 After you’ve installed and set up System Center Configuration Manager for your organization, you must create a configuration item for WIP, which in turn becomes your WIP policy.
@@ -62,8 +62,8 @@ During the policy-creation process in System Center Configuration Manager, you c
 
 The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed Windows desktop app, or an AppLocker policy file.
 
->**Important**<br>
-WIP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process. <p>Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
+>[!IMPORTANT]
+>WIP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process. <p>Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
 
 #### Add a store app rule to your policy
 For this example, we’re going to add Microsoft OneNote, a store app, to the **App Rules** list.
@@ -94,8 +94,8 @@ If you don't know the publisher or product name, you can find them for both desk
 
 1.	Go to the [Windows Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, Microsoft OneNote.
 
-    >**Note**<br>
-    If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the steps in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section.
+    >[!NOTE]
+    >If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the steps in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section.
 
 2.	Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`.
 
@@ -112,8 +112,9 @@ If you don't know the publisher or product name, you can find them for both desk
 
 4.  Copy the `publisherCertificateName` value and paste them into the **Publisher Name** box, copy the `packageIdentityName` value into the **Product Name** box of Intune.
 
-    >**Important**<br>
-    The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.<p>For example:<p>
+    >[!IMPORTANT]
+    >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.
+    >For example:<p>
     
     ```json
         {
@@ -124,8 +125,8 @@ If you don't know the publisher or product name, you can find them for both desk
 **To find the Publisher and Product Name values for apps installed on Windows 10 mobile phones**
 1.	If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature.
 
-    >**Note**<br>
-    Your PC and phone must be on the same wireless network.
+    >[!NOTE]
+    >Your PC and phone must be on the same wireless network.
 
 2.	On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**.
 
@@ -141,8 +142,9 @@ If you don't know the publisher or product name, you can find them for both desk
 
 8.	Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune.
 
-    >**Important**<br>
-    The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.<p>For example:<p>
+    >[!IMPORTANT]
+    >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.
+    >For example:<p>
 
     ```json
         {
@@ -369,9 +371,9 @@ After you've added a protection mode to your apps, you'll need to decide where t
 
 There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise’s range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT).
 
->**Important**<br>
-- Every WIP policy should include policy that defines your enterprise network locations.
-- Classless Inter-Domain Routing (CIDR) notation isn’t supported for WIP configurations.
+>[!IMPORTANT]
+>Every WIP policy should include policy that defines your enterprise network locations.<br>
+>Classless Inter-Domain Routing (CIDR) notation isn’t supported for WIP configurations.
 
 **To define where your protected apps can find and send enterprise data on you network**
 
@@ -492,13 +494,15 @@ After you've finished configuring your policy, you can review all of your info o
  
     A progress bar appears, showing you progress for your policy. After it's done, click **Close** to return to the **Configuration Items** page.
 
-
 ## Deploy the WIP policy
 After you’ve created your WIP policy, you'll need to deploy it to your organization's devices. For info about your deployment options, see these topics:
 - [Operations and Maintenance for Compliance Settings in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=708224)
 - [How to Create Configuration Baselines for Compliance Settings in Configuration Manager]( https://go.microsoft.com/fwlink/p/?LinkId=708225)
 - [How to Deploy Configuration Baselines in Configuration Manager]( https://go.microsoft.com/fwlink/p/?LinkId=708226)
 
+>[!NOTE]
+>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
+
 ## Related topics
 - [System Center Configuration Manager and Endpoint Protection (Version 1606)](https://go.microsoft.com/fwlink/p/?LinkId=717372)
 - [TechNet documentation for Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=691623)

windows/keep-secure/create-wmi-filters-for-the-gpo.md

@@ -51,7 +51,7 @@ First, create the WMI filter and configure it to look for a specified version (o
     select * from Win32_OperatingSystem where Version like "6.%"
     ```
 
-    This query will return **true** for devices running at least Windows Vista and Windows Server 2008. To set a filter for just Windows 8 and Windows Server 2012, use "6.2%". To specify multiple versions, combine them with or, as shown in the following:
+    This query will return **true** for devices running at least Windows Vista and Windows Server 2008. To set a filter for just Windows 8 and Windows Server 2012, use "6.2%". For Windows 10 and Windows Server 2016, use "10.%". To specify multiple versions, combine them with or, as shown in the following:
 
     ``` syntax
     ... where Version like "6.1%" or Version like "6.2%"
@@ -65,16 +65,16 @@ First, create the WMI filter and configure it to look for a specified version (o
     ... where ProductType="1" or ProductType="3"
     ```
 
-    The following complete query returns **true** for all devices running Windows 8, and returns **false** for any server operating system or any other client operating system.
+    The following complete query returns **true** for all devices running Windows 10, and returns **false** for any server operating system or any other client operating system.
 
     ``` syntax
-    select * from Win32_OperatingSystem where Version like "6.2%" and ProductType="1"
+    select * from Win32_OperatingSystem where Version like "10.%" and ProductType="1"
     ```
 
-    The following query returns **true** for any device running Windows Server 2012, except domain controllers:
+    The following query returns **true** for any device running Windows Server 2016, except domain controllers:
 
     ``` syntax
-    select * from Win32_OperatingSystem where Version like "6.2%" and ProductType="3"
+    select * from Win32_OperatingSystem where Version like "10.%" and ProductType="3"
     ```
 
 9.  Click **OK** to save the query to the filter.

windows/keep-secure/credential-guard.md

@@ -123,7 +123,7 @@ To enforce processing of the group policy, you can run ```gpupdate /force```.
 
 If you don't use Group Policy, you can enable Credential Guard by using the registry. Credential Guard uses virtualization-based security features which have to be enabled first on some operating systems.
 
-##### Add the virtualization-based security features
+#### Add the virtualization-based security features
 
 Starting with Windows 10, version 1607 and Windows Server 2016, enabling Windows features to use virtualization-based security is not necessary and this step can be skipped.
 
@@ -156,7 +156,7 @@ You can do this by using either the Control Panel or the Deployment Image Servic
 > [!NOTE]  
 > You can also add these features to an online image by using either DISM or Configuration Manager.
 
-##### Enable virtualization-based security and Credential Guard
+#### Enable virtualization-based security and Credential Guard
 
 1.  Open Registry Editor.
 2.  Enable virtualization-based security:
@@ -195,10 +195,9 @@ Requirements for running Credential Guard in Hyper-V virtual machines
 - The Hyper-V host must have an IOMMU, and run at least Windows Server 2016 or Windows 10 version 1607.
 - The Hyper-V virtual machine must be Generation 2, have an enabled virtual TPM, and running at least Windows Server 2016 or Windows 10. 
 
-
 ### Remove Credential Guard
 
-If you have to remove Credential Guard on a PC, you need to do the following:
+If you have to remove Credential Guard on a PC, you can use the following set of procedures, or you can [use the Device Guard and Credential Guard hardware readiness tool](#turn-off-with-hardware-readiness-tool).
 
 1.  If you used Group Policy, disable the Group Policy setting that you used to enable Credential Guard (**Computer Configuration** -> **Administrative Templates** -> **System** -> **Device Guard** -> **Turn on Virtualization Based Security**).
 2.  Delete the following registry settings:
@@ -242,9 +241,10 @@ If you have to remove Credential Guard on a PC, you need to do the following:
 
 For more info on virtualization-based security and Device Guard, see [Device Guard deployment guide](device-guard-deployment-guide.md).
 
-**Turn off Credential Guard by using the Device Guard and Credential Guard hardware readiness tool**
+<span id="turn-off-with-hardware-readiness-tool" />
+#### Turn off Credential Guard by using the Device Guard and Credential Guard hardware readiness tool
 
-You can also enable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
+You can also disable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
 
 ```
 DG_Readiness_Tool_v2.0.ps1 -Disable -AutoReboot

windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md

@@ -56,10 +56,12 @@ Click the name of the machine to see details about that machine. For more inform
 You can also click **Machines view** at the top of the tile to go directly to the **Machines view**, sorted by the number of active alerts. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines view](investigate-machines-windows-defender-advanced-threat-protection.md).
 
 ## Status
-The **Status** tile informs you if the service is active and running and the unique number of machines (endpoints) reporting over the past 30 days.
+The **Status** tile informs you if the service is active or if there are issues and the unique number of machines (endpoints) reporting to the service over the past 30 days.
 
 ![The Status tile shows an overall indicator of the service and the total number of machines reporting to the service](images/status-tile.png)
 
+For more information on the service status, see [Check the Windows Defender ATP service status](service-status-windows-defender-advanced-threat-protection.md).
+
 ## Machines reporting
 The **Machines reporting** tile shows a bar graph that represents the number of machines reporting alerts daily. Hover over individual bars on the graph to see the exact number of machines reporting in each day.
 

windows/keep-secure/deploy-wip-policy-using-intune.md

@@ -33,6 +33,9 @@ The added people move to the **Selected Groups** list on the right-hand pane.
 3.  After you've picked all of the employees and groups that should get the policy, click **OK**.<p>
 The policy is deployed to the selected users' devices.
 
+>[!NOTE]
+>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
+
 ## Related topics
 - [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md)
 - [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md)

windows/keep-secure/enlightened-microsoft-apps-and-wip.md

@@ -78,4 +78,7 @@ You can add any or all of the enlightened Microsoft apps to your allowed apps li
 |Microsoft OneDrive |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Binary Name:** onedrive.exe<br>**App Type:** Desktop app|
 |Notepad |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Binary Name:** notepad.exe<br>**App Type:** Desktop app |
 |Microsoft Paint |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Binary Name:** mspaint.exe<br>**App Type:** Desktop app |
-|Microsoft Remote Desktop |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Binary Name:** mstsc.exe<br>**App Type:** Desktop app |
+|Microsoft Remote Desktop |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Binary Name:** mstsc.exe<br>**App Type:** Desktop app |
+
+>[!NOTE]
+>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).

windows/keep-secure/guidance-and-best-practices-wip.md

@@ -26,4 +26,7 @@ This section includes info about the enlightened Microsoft apps, including how t
 |[Mandatory settings for Windows Information Protection (WIP)](mandatory-settings-for-wip.md) |A list of all of the tasks and settings that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your enterprise. |
 |[Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md) |Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list. |
 |[Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md) |We've come up with a list of suggested testing scenarios that you can use to test WIP in your company. |
-|[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) |The most common problems you might encounter while using Windows Information Protection (WIP). |
+|[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) |The most common problems you might encounter while using Windows Information Protection (WIP). |
+
+>[!NOTE]
+>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).

windows/keep-secure/implement-microsoft-passport-in-your-organization.md

@@ -20,9 +20,9 @@ redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hell
 You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello on devices running Windows 10.
 
 >[!IMPORTANT]
->The Group Policy setting **Turn on PIN sign-in** does not apply to Windows Hello for Business. It still prevents or enables the creation of a convenience PIN for Windows 10, version 1507 and 1511. 
+>The Group Policy setting **Turn on PIN sign-in** does not apply to Windows Hello for Business. Use the **Turn on PIN sign-in** setting to allow or deny the use of a convenience PIN for Windows 10, version 1607. 
 >
->Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN for Windows 10, version 1607, enable the Group Policy setting **Turn on convenience PIN sign-in**. 
+>Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN for Windows 10, version 1607, enable the Group Policy setting **Turn on convenience PIN sign-in**. Learn more in the blog post [Changes to Convenience PIN/Windows Hello Behavior in Windows 10, version 1607](https://blogs.technet.microsoft.com/ash/2016/08/13/changes-to-convenience-pin-and-thus-windows-hello-behaviour-in-windows-10-version-1607/).
 >
 >Use **Windows Hello for Business** policy settings to manage PINs for Windows Hello for Business.
  
@@ -378,4 +378,4 @@ The PIN is managed using the same Windows Hello for Business policies that you c
 [Event ID 300 - Windows Hello successfully created](passport-event-300.md)
 
 [Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md)
- 
+ 

windows/keep-secure/interactive-logon-require-smart-card.md

@@ -1,5 +1,5 @@
 ---
-title: Interactive logon Require smart card (Windows 10)
+title: Interactive logon Require smart card - security policy setting (Windows 10)
 description: Describes the best practices, location, values, policy management and security considerations for the Interactive logon Require smart card security policy setting.
 ms.assetid: c6a8c040-cbc7-472d-8bc5-579ddf3cbd6c
 ms.prod: w10
@@ -9,7 +9,7 @@ ms.pagetype: security
 author: brianlic-msft
 ---
 
-# Interactive logon: Require smart card
+# Interactive logon: Require smart card - security policy setting
 
 **Applies to**
 -   Windows 10

windows/keep-secure/limitations-with-wip.md

@@ -79,4 +79,7 @@ This table provides info about the most common problems you might encounter whil
         <td>Webpages that use ActiveX controls can potentially communicate with other outside processes that aren’t protected by using WIP.</td>
         <td>We recommend that you switch to using Microsoft Edge, the more secure and safer browser that prevents the use of ActiveX controls. We also recommend that you limit the usage of Internet Explorer 11 to only those line-of-business apps that require legacy technology.<p>For more info, see [Out-of-date ActiveX control blocking](https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking).</td>
     </tr>
-</table>                 
+</table>
+
+>[!NOTE]
+>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).       

windows/keep-secure/mandatory-settings-for-wip.md

@@ -17,8 +17,8 @@ localizationpriority: high
 
 This list provides all of the tasks and settings that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your enterprise.
 
->**Important**<br>
-All sections provided for more info appear in either the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) or [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md), based on the tool you're using in your enterprise.
+>[!IMPORTANT]
+>All sections provided for more info appear in either the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) or [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md), based on the tool you're using in your enterprise.
 
 
 |Task                                |Description               |
@@ -28,4 +28,7 @@ All sections provided for more info appear in either the [Create a Windows Infor
 |Specify your corporate identity. |You must specify your corporate identity, usually expressed as your primary Internet domain (for example, contoso.com). For more info about where this area is and what it means, see the **Define your enterprise-managed corporate identity** section of the policy creation topics. |
 |Specify your Enterprise Network Domain Names. |You must specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. For more info about where this area is and how to add your suffixes, see the table that appears in the **Choose where apps can access enterprise data** section of the policy creation topics. |
 |Specify your Enterprise IPv4 or IPv6 Ranges. |Specify the addresses for a valid IPv4 or IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries. For more info about where this area is and what it means, see the table that appears in the **Define your enterprise-managed corporate identity** section of the policy creation topics. |
-|Include your Data Recovery Agent (DRA) certificate. |This certificate makes sure that any of your WIP-encrypted data can be decrypted, even if the security keys are lost. For more info about where this area is and what it means, see the **Create and verify an Encrypting File System (EFS) DRA certificate** section of the policy creation topics. |
+|Include your Data Recovery Agent (DRA) certificate. |This certificate makes sure that any of your WIP-encrypted data can be decrypted, even if the security keys are lost. For more info about where this area is and what it means, see the **Create and verify an Encrypting File System (EFS) DRA certificate** section of the policy creation topics. |
+
+>[!NOTE]
+>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).

windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md

@@ -113,4 +113,4 @@ When Windows Defender is not the active antimalware in your organization and you
 ## Windows Defender Early Launch Antimalware (ELAM) driver is enabled
 If you're running Windows Defender as the primary antimalware product on your endpoints, the Windows Defender ATP agent will successfully onboard.
 
-If you're running a third-party antimalware client and use Mobile Device Management solutions or System Center Configuration Manager (current branch) version 1606, you'll need to ensure that the Windows Defender ELAM driver is enabled. For more information on how to validate and enable the Windows Defender ELAM driver see, [Ensure the Windows Defender ELAM driver is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-windows-defender-elam-driver-is-enabled).
+If you're running a third-party antimalware client and use Mobile Device Management solutions or System Center Configuration Manager (current branch) version 1606, you'll need to ensure that the Windows Defender ELAM driver is enabled. For more information, see [Ensure that Windows Defender is not disabled by policy](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-windows-defender-is-not-disabled-by-a-policy).

windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md

@@ -23,6 +23,7 @@ localizationpriority: high
 
 You need to onboard to Windows Defender ATP before you can use the service.
 
+For more information, see [Onboard your Windows 10 endpoints to Windows Defender ATP](https://www.youtube.com/watch?v=JT7VGYfeRlA&feature=youtu.be). 
 
 ## In this section
 Topic | Description

windows/keep-secure/overview-create-wip-policy.md

@@ -23,4 +23,7 @@ Microsoft Intune and System Center Configuration Manager helps you create and de
 |------|------------|
 |[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Intune helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
 |[Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) |System Center Configuration Manager helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
-|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) |Steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. |
+|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) |Steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. |
+
+>[!NOTE]
+>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).

windows/keep-secure/prepare-your-organization-for-bitlocker-planning-and-policies.md

@@ -48,13 +48,13 @@ BitLocker helps prevent unauthorized access to data on lost or stolen computers
 -   Encrypting the entire Windows operating system volume on the hard disk.
 -   Verifying the boot process integrity.
 
-The trusted platform module (TPM)is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline.
+The trusted platform module (TPM) is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline.
 
 In addition, BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable USB device, such as a flash drive, that contains a startup key. These additional security measures provide multifactor authentication and assurance that the computer will not start or resume from hibernation until the correct PIN or startup key is presented.
 
 On computers that do not have a TPM version 1.2 or higher, you can still use BitLocker to encrypt the Windows operating system volume. However, this implementation will require the user to insert a USB startup key to start the computer or resume from hibernation, and does not provide the pre-startup system integrity verification offered by BitLocker working with a TPM.
 
-**BitLocker key protectors**
+### BitLocker key protectors
 
 | Key protector | Description |
 | - | - |
@@ -65,7 +65,7 @@ On computers that do not have a TPM version 1.2 or higher, you can still use Bi
 | Recovery password | A 48-digit number used to unlock a volume when it is in recovery mode. Numbers can often be typed on a regular keyboard, if the numbers on the normal keyboard are not responding you can always use the function keys (F1-F10) to input the numbers.| 
 | Recovery key| An encryption key stored on removable media that can be used for recovering data encrypted on a BitLocker volume.| 
  
-**BitLocker authentication methods**
+### BitLocker authentication methods
 
 | Authentication method | Requires user interaction | Description |
 | - | - | - |

windows/keep-secure/protect-enterprise-data-using-wip.md

@@ -93,7 +93,8 @@ WIP gives you a new way to manage data policy enforcement for apps and documents
     -   **Helping prevent accidental data disclosure to removable media.** WIP helps prevent enterprise data from leaking when it's copied or transferred to removable media. For example, if an employee puts enterprise data on a Universal Serial Bus (USB) drive that also has personal data, the enterprise data remains encrypted while the personal data doesn’t.
 
 -   **Remove access to enterprise data from enterprise-protected devices.** WIP gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can use Microsoft Intune to unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable.
-    > **Note**<br>System Center Configuration Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device.
+    >[!NOTE] 
+    >For management of Surface devices it is recommended that you use the Current Branch of System Center Configuration Manager.<br>System Center Configuration Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device.
 
 ## How WIP works
 WIP helps address your everyday challenges in the enterprise. Including:
@@ -137,3 +138,7 @@ You can turn off all Windows Information Protection and restrictions, decrypting
 After deciding to use WIP in your enterprise, you need to:
 
 -   [Create a Windows Information Protection (WIP) policy](overview-create-wip-policy.md)
+
+
+>[!NOTE]
+>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).

windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md

@@ -93,7 +93,7 @@ This section is an overview that describes different parts of the end-to-end sec
 
 | Number | Part of the solution | Description |
 | - | - | - |
-| **1** | Windows 10-based device | The first time a Windows 10-based device is powered on, the out-of-box experience (OOBE) screen is displayed. During setup, the device can be automatically registered into Azure Active Directory (AD) and enrolled in MDM.<br/>A Windows 10-based device with TPM 2.0 can report health status at any time by using the Health Attestation Service available with all editions of Windows 10.|
+| **1** | Windows 10-based device | The first time a Windows 10-based device is powered on, the out-of-box experience (OOBE) screen is displayed. During setup, the device can be automatically registered into Azure Active Directory (AD) and enrolled in MDM.<br/>A Windows 10-based device with TPM can report health status at any time by using the Health Attestation Service available with all editions of Windows 10.|
 | **2** | Identity provider | Azure AD contains users, registered devices, and registered application of organization’s tenant. A device always belongs to a user and a user can have multiple devices. A device is represented as an object with different attributes like the compliance status of the device. A trusted MDM can update the compliance status.<br/>Azure AD is more than a repository. Azure AD is able to authenticate users and devices and can also authorize access to managed resources. Azure AD has a conditional access control engine that leverages the identity of the user, the location of the device and also the compliance status of the device when making a trusted access decision.|
 | **3**|Mobile device management| Windows 10 has MDM support that enables the device to be managed out-of-box without deploying any agent.<br/>MDM can be Microsoft Intune or any third-party MDM solution that is compatible with Windows 10.|
 | **4** | Remote health attestation | The Health Attestation Service is a trusted cloud service operated by Microsoft that performs a series of health checks and reports to MDM what Windows 10 security features are enabled on the device.<br/>Security verification includes boot state (WinPE, Safe Mode, Debug/test modes) and components that manage security and integrity of runtime operations (BitLocker, Device Guard).|
@@ -125,7 +125,7 @@ Windows 10 supports features to help prevent sophisticated low-level malware li
 
     Windows 10 uses the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=733948).
 
-    Windows 10 recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent and modern security features, Windows 10 supports only TPM 2.0. TPM 2.0 is required for device health attestation.
+    Windows 10 recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent and modern security features, Windows 10 supports only TPM 2.0. 
 
     TPM 2.0 provides a major revision to the capabilities over TPM 1.2:
 
@@ -202,8 +202,6 @@ Windows 10 supports features to help prevent sophisticated low-level malware li
 
     During each subsequent boot, the same components are measured, which allows comparison of the measurements against an expected baseline. For additional security, the values measured by the TPM can be signed and transmitted to a remote server, which can then perform the comparison. This process, called *remote device health attestation*, allows the server to verify health status of the Windows device.
 
-    Health attestation requires the presence of TPM 2.0. On Windows 10, TPM 2.0 also requires UEFI firmware.
-
     Although Secure Boot is a proactive form of protection, health attestation is a reactive form of boot protection. Health attestation ships disabled in Windows and is enabled by an antimalware or an MDM vendor. Unlike Secure Boot, health attestation will not stop the boot process and enter remediation when a measurement does not work. But with conditional access control, health attestation will help to prevent access to high-value assets.
 
 ### <a href="" id="virtual"></a>Virtualization-based security
@@ -317,7 +315,7 @@ MDM solutions are becoming prevalent as a light-weight device management technol
 
 ### Device health attestation
 
-Device health attestation leverages the TPM 2.0 to provide cryptographically strong and verifiable measurements of the chain of software used to boot the device.
+Device health attestation leverages the TPM to provide cryptographically strong and verifiable measurements of the chain of software used to boot the device.
 
 For Windows 10-based devices, Microsoft introduces a new public API that will allow MDM software to access a remote attestation service called Windows Health Attestation Service. A health attestation result, in addition with other elements, can be used to allow or deny access to networks, apps, or services, based on whether devices prove to be healthy.
 
@@ -366,7 +364,7 @@ The following table details the hardware requirements for both virtualization-ba
 <td align="left"><p>Support for the IOMMU in Windows 10 enhances system resiliency against DMA attacks.</p></td>
 </tr>
 <tr class="odd">
-<td align="left"><p>Trusted Platform Module (TPM) 2.0</p></td>
+<td align="left"><p>Trusted Platform Module (TPM) </p></td>
 <td align="left"><p>Required to support health attestation and necessary for additional key protections for virtualization-based security.</p></td>
 </tr>
 </tbody>
@@ -380,7 +378,7 @@ As of today, many organizations only consider devices to be compliant with compa
 
 The biggest challenge with rootkits is that they can be undetectable to the client. Because they start before antimalware, and they have system-level privileges, they can completely disguise themselves while continuing to access system resources. As a result, traditional computers infected with rootkits appear to be healthy, even with antimalware running.
 
-As previously discussed, the health attestation feature of Windows 10 uses the TPM 2.0 hardware component to securely record a measurement of every boot-related component, including firmware, Windows 10 kernel, and even early boot drivers. Because, health attestation leverages the hardware-based security capabilities of TPM, the log of all boot measured components remains out of the reach of any malware.
+As previously discussed, the health attestation feature of Windows 10 uses the TPM hardware component to securely record a measurement of every boot-related component, including firmware, Windows 10 kernel, and even early boot drivers. Because, health attestation leverages the hardware-based security capabilities of TPM, the log of all boot measured components remains out of the reach of any malware.
 
 By attesting a trusted boot state, devices can prove that they are not running low-level malware that could spoof later compliance checks. TPM-based health attestation provides a reliable anchor of trust for assets that contain high-value data.
 
@@ -404,7 +402,7 @@ This is the most secure approach available for Windows 10-based devices to dete
 
 A relying party like an MDM can inspect the report generated by the remote health attestation service.
 
->**Note:**  To use the health attestation feature of Windows 10, the device must be equipped with a discrete or firmware TPM 2.0. There is no restriction on any particular edition of Windows 10.
+>**Note:**  To use the health attestation feature of Windows 10, the device must be equipped with a discrete or firmware TPM. There is no restriction on any particular edition of Windows 10.
  
 Windows 10 supports health attestation scenarios by allowing applications access to the underlying health attestation configuration service provider (CSP) so that applications can request a health attestation token. The measurement of the boot sequence can be checked at any time locally by an antimalware or an MDM agent.
 
@@ -418,7 +416,7 @@ Health attestation logs the measurements in various TPM Platform Configuration R
 
 ![figure 6](images/hva-fig6-logs.png)
 
-When starting a device equipped with a TPM, a measurement of different components is performed. This includes firmware, UEFI drivers, CPU microcode, and also all the Windows 10 drivers whose type is Boot Start. The raw measurements are stored in the TPM PCR registers while the details of all events (executable path, authority certification, and so on) are available in the TCG log.
+When starting a device equipped with TPM, a measurement of different components is performed. This includes firmware, UEFI drivers, CPU microcode, and also all the Windows 10 drivers whose type is Boot Start. The raw measurements are stored in the TPM PCR registers while the details of all events (executable path, authority certification, and so on) are available in the TCG log.
 
 ![figure 7](images/hva-fig7-measurement.png)
 
@@ -438,7 +436,7 @@ The number of retained logs may be set with the registry **REG\_DWORD** value **
  
 The following process describes how health boot measurements are sent to the health attestation service:
 
-1.  The client (a Windows 10-based device with a TPM 2.0) initiates the request with the remote device health attestation service. Because the health attestation server is expected to be a Microsoft cloud service, the URI is already pre-provisioned in the client.
+1.  The client (a Windows 10-based device with TPM) initiates the request with the remote device health attestation service. Because the health attestation server is expected to be a Microsoft cloud service, the URI is already pre-provisioned in the client.
 2.  The client then sends the TCG log, the AIK signed data (PCR values, boot counter) and the AIK certificate information.
 3.  The remote device heath attestation service then:
 
@@ -457,7 +455,7 @@ The device health attestation solution involves different components that are TP
 
 ### <a href="" id="trusted-platform-module-"></a>Trusted Platform Module
 
-*It’s all about TPM 2.0 and endorsement certificates.* This section describes how PCRs (that contain system configuration data), endorsement key (EK) (that act as an identity card for TPM), SRK (that protect keys) and AIKs (that can report platform state) are used for health attestation reporting.
+This section describes how PCRs (that contain system configuration data), endorsement key (EK) (that act as an identity card for TPM), SRK (that protect keys) and AIKs (that can report platform state) are used for health attestation reporting.
 
 In a simplified manner, the TPM is a passive component with limited resources. It can calculate random numbers, RSA keys, decrypt short data, store hashes taken when booting the device.
 
@@ -492,7 +490,7 @@ For certain devices that use firmware-based TPM produced by Intel or Qualcomm, t
 
 Because the endorsement certificate is unique for each device and does not change, the usage of it may present privacy concerns because it's theoretically possible to track a specific device. To avoid this privacy problem, Windows 10 issues a derived attestation anchor based on the endorsement certificate. This intermediate key, which can be attested to an endorsement key, is the Attestation Identity Key (AIK) and the corresponding certificate is called the AIK certificate. This AIK certificate is issued by a Microsoft cloud service.
 
->**Note:**  Before the device can report its health using the TPM 2.0 attestation functions, an AIK certificate must be provisioned in conjunction with a third-party service like the Microsoft Cloud CA service. After it is provisioned, the AIK private key can be used to report platform configuration. Windows 10 creates a signature over the platform log state (and a monotonic counter value) at each boot by using the AIK.
+>**Note:**  Before the device can report its health using the TPM attestation functions, an AIK certificate must be provisioned in conjunction with a third-party service like the Microsoft Cloud CA service. After it is provisioned, the AIK private key can be used to report platform configuration. Windows 10 creates a signature over the platform log state (and a monotonic counter value) at each boot by using the AIK.
  
 The AIK is an asymmetric (public/private) key pair that is used as a substitute for the EK as an identity for the TPM for privacy purposes. The private portion of an AIK is never revealed or used outside the TPM and can only be used inside the TPM for a limited set of operations. Furthermore, it can only be used for signing, and only for limited, TPM-defined operations.
 

windows/keep-secure/remove-computer-from-docking-station.md

@@ -1,5 +1,5 @@
 ---
-title: Remove computer from docking station (Windows 10)
+title: Remove computer from docking station - security policy setting (Windows 10)
 description: Describes the best practices, location, values, policy management, and security considerations for the Remove computer from docking station security policy setting.
 ms.assetid: 229a385a-a862-4973-899a-413b1b5b6c30
 ms.prod: w10
@@ -9,7 +9,7 @@ ms.pagetype: security
 author: brianlic-msft
 ---
 
-# Remove computer from docking station
+# Remove computer from docking station - security policy setting
 
 **Applies to**
 -   Windows 10

windows/keep-secure/requirements-for-deploying-applocker-policies.md

@@ -24,7 +24,7 @@ The following requirements must be met or addressed before you deploy your AppLo
 
 ### <a href="" id="bkmk-reqdepplan"></a>Deployment plan
 
-An AppLocker policy deployment plan is the result of investigating which applications are required and necessary in your organization, which apps are optional, and which apps are forbidden. To develop this plan, see [AppLocker Design Guide](applocker-policies-design-guide.md). The following table is an example of the data you need to collect and the decisions you need to make to successfully deploy AppLocker policies on the supported operating systems (as listed in [Requirements to use AppLocker](requirements-to-use-applocker.md).
+An AppLocker policy deployment plan is the result of investigating which applications are required and necessary in your organization, which apps are optional, and which apps are forbidden. To develop this plan, see [AppLocker Design Guide](applocker-policies-design-guide.md). The following table is an example of the data you need to collect and the decisions you need to make to successfully deploy AppLocker policies on the supported operating systems (as listed in [Requirements to use AppLocker](requirements-to-use-applocker.md)).
 
 <table style="width:100%;">
 <colgroup>

windows/keep-secure/restore-files-and-directories.md

@@ -1,5 +1,5 @@
 ---
-title: Restore files and directories (Windows 10)
+title: Restore files and directories - security policy setting (Windows 10)
 description: Describes the best practices, location, values, policy management, and security considerations for the Restore files and directories security policy setting.
 ms.assetid: c673c0fa-6f49-4edd-8c1f-c5e8513f701d
 ms.prod: w10
@@ -9,7 +9,7 @@ ms.pagetype: security
 author: brianlic-msft
 ---
 
-# Restore files and directories
+# Restore files and directories - security policy setting
 
 **Applies to**
 -   Windows 10

windows/keep-secure/select-types-of-rules-to-create.md

@@ -55,7 +55,7 @@ In the Woodgrove Bank example, the line-of-business app for the Bank Tellers bus
 
 ### Determine how to allow system files to run
 
-Because AppLocker rules build a list of allowed apps, a rule or rules must be created to allow all Windows files to run. AppLocker provides a means to ensure system files are properly considered in your rule collection by generating the default rules for each rule collection. You can use the default rules as a template when creating your own rules. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules so that the system files in the Windows folders will be allowed to run. When a default rule is created, it is denoted with "(Default rule)" in its name as it appears in the rule collection.
+Because AppLocker rules build a list of allowed apps, a rule or rules must be created to allow all Windows files to run. AppLocker provides a means to ensure system files are properly considered in your rule collection by generating the default rules for each rule collection. You can use the default rules (listed in [AppLocker default rules](working-with-applocker-rules.md#applocker-default-rules)) as a template when creating your own rules. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules so that the system files in the Windows folders will be allowed to run. When a default rule is created, it is denoted with "(Default rule)" in its name as it appears in the rule collection.
 
 You can also create a rule for the system files based on the path condition. In the preceding example, for the Bank Tellers group, all Windows files reside under C:\\Windows and can be defined with the path rule condition type. This will permit access to these files whenever updates are applied and the files change. If you require additional application security, you might need to modify the rules created from the built-in default rule collection. For example, the default rule to allow all users to run .exe files in the Windows folder is based on a path condition that allows all files within the Windows folder to run. The Windows folder contains a Temp subfolder to which the Users group is given the following permissions:
 

windows/keep-secure/service-status-windows-defender-advanced-threat-protection.md

@@ -0,0 +1,54 @@
+---
+title: Check the Windows Defender ATP service status
+description: Check Windows Defender ATP service status, see if the service is experiencing issues and review previous issues that have been resolved.
+keywords: dashboard, service, issues, service status, current issues, status history, summary of impact, preliminary root cause, resolution, resolution time, expected resolution time
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+localizationpriority: high
+---
+
+# Check the Windows Defender Advanced Threat Protection service status
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+The **Service health** provides information on the current status of the Window Defender ATP service. You'll be able to verify that the service status is healthy or if there are current issues. If there are issues, you'll see details related to the issue such as when the issue was detected, what the preliminary root cause is, and the expected resolution time.
+
+You'll also see information on historical issues that have been resolved and details such as the date and time when the issue was resolved. When there are no issues on the service, you'll see a healthy status.
+
+You can view details on the service status by clicking the tile from the **Dashboard** or selecting the **Service health** menu from the navigation pane.
+
+The **Service health** details page has the following tabs:
+
+- **Current issues**
+- **Status History**
+
+## Current issues
+The **Current issues** tab shows the current state of the Windows Defender ATP service. When the service is running smoothly a healthy service status is shown. If there are issues seen, the following service details are shown to help you gain better insight about the issue:
+
+- Date and time for when the issue was detected
+- A short description of the issue
+- Update time
+- Summary of impact
+- Preliminary root cause
+- Next steps
+- Expected resolution time
+
+Updates on the progress of an issue is reflected on the page as the issue gets resolved. You'll see updates on information such as an updated estimate resolution time or next steps.
+
+When an issue is resolved, it gets recorded in the **Status history** tab.
+
+## Status history
+The **Status history** tab reflects all the historical issues that were seen and resolved. You'll see details of the resolved issues along with the other information that were included while it was being resolved.
+
+### Related topic
+- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)

windows/keep-secure/shut-down-the-system.md

@@ -1,5 +1,5 @@
 ---
-title: Shut down the system (Windows 10)
+title: Shut down the system - security policy setting (Windows 10)
 description: Describes the best practices, location, values, policy management, and security considerations for the Shut down the system security policy setting.
 ms.assetid: c8e8f890-153a-401e-a957-ba6a130304bf
 ms.prod: w10
@@ -9,7 +9,7 @@ ms.pagetype: security
 author: brianlic-msft
 ---
 
-# Shut down the system
+# Shut down the system - security policy setting
 
 **Applies to**
 -   Windows 10