diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 78c7959ac0..18e4f74620 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -1,6 +1,56 @@
 { 
 "redirections": [
 {
+"source_path": "windows/keep-secure/configure-windows-defender-in-windows-10.md",
+"redirect_url": "/itpro/windows/keep-secure/deploy-manage-report-windows-defender-antivirus",
+"redirect_document_id": true 
+},
+{
+"source_path": "windows/keep-secure/enable-pua-windows-defender-for-windows-10.md",
+"redirect_url": "/itpro/windows/keep-secure/detect-block-potentially-unwanted-apps-windows-defender-antivirus",
+"redirect_document_id": true 
+},
+{
+"source_path": "windows/keep-secure/get-started-with-windows-defender-for-windows-10.md",
+"redirect_url": "/itpro/windows/keep-secure/deploy-manage-report-windows-defender-antivirus",
+"redirect_document_id": false 
+},
+{
+"source_path": "windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md",
+"redirect_url": "/itpro/windows/keep-secure/command-line-arguments-windows-defender-antivirus",
+"redirect_document_id": true 
+},
+{
+"source_path": "windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md",
+"redirect_url": "/itpro/windows/keep-secure/troubleshoot-windows-defender-antivirus",
+"redirect_document_id": true 
+},
+{
+"source_path": "windows/keep-secure/use-powershell-cmdlets-windows-defender-for-windows-10.md",
+"redirect_url": "/itpro/windows/keep-secure/use-powershell-cmdlets-windows-defender-antivirus",
+"redirect_document_id": true 
+},
+{
+"source_path": "windows/keep-secure/windows-defender-block-at-first-sight.md",
+"redirect_url": "/itpro/windows/keep-secure/configure-block-at-first-sight-windows-defender-antivirus",
+"redirect_document_id": true 
+},
+{
+"source_path": "windows/keep-secure/windows-defender-in-windows-10.md",
+"redirect_url": "/itpro/windows/keep-secure/windows-defender-antivirus-in-windows-10",
+"redirect_document_id": true 
+},
+{
+"source_path": "windows/keep-secure/windows-defender-enhanced-notifications.md",
+"redirect_url": "/itpro/windows/keep-secure/configure-notifications-windows-defender-antivirus",
+"redirect_document_id": true 
+},
+{
+"source_path": "windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md",
+"redirect_url": "/itpro/windows/keep-secure/enable-siem-integration-windows-defender-advanced-threat-protection",
+"redirect_document_id": true
+},
+{
 "source_path": "windows/manage/cortana-at-work-scenario-7.md",
 "redirect_url": "/itpro/windows/configure/cortana-at-work-scenario-7",
 "redirect_document_id": true
diff --git a/devices/surface-hub/images/end-session.png b/devices/surface-hub/images/end-session.png
new file mode 100644
index 0000000000..4b28583af4
Binary files /dev/null and b/devices/surface-hub/images/end-session.png differ
diff --git a/devices/surface-hub/images/wcd-wizard.PNG b/devices/surface-hub/images/wcd-wizard.PNG
new file mode 100644
index 0000000000..706771f756
Binary files /dev/null and b/devices/surface-hub/images/wcd-wizard.PNG differ
diff --git a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md
index c1913c01cc..1954027d43 100644
--- a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md
+++ b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md
@@ -65,22 +65,22 @@ For more information, see [SurfaceHub configuration service provider](https://ms
 | Automatically turn on the screen using motion sensors | InBoxApps/Welcome/AutoWakeScreen | Yes | Yes | Yes |
 | Require a pin for wireless projection | InBoxApps/WirelessProjection/PINRequired | Yes | Yes | Yes |
 | Enable wireless projection | InBoxApps/WirelessProjection/Enabled | Yes | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
-| Miracast channel to use for wireless projection | InBoxApps/WirelessProjection/Channel | Yes | Yes.<br> Use a custom setting. | Yes |
+| Miracast channel to use for wireless projection | InBoxApps/WirelessProjection/Channel | Yes | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
 | Connect to your Operations Management Suite workspace | MOMAgent/WorkspaceID <br> MOMAgent/WorkspaceKey | Yes | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
 | Welcome screen background image | InBoxApps/Welcome/CurrentBackgroundPath | Yes | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
 | Meeting information displayed on the welcome screen | InBoxApps/Welcome/MeetingInfoOption | Yes | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
-| Friendly name for wireless projection | Properties/FriendlyName | Yes <br> [Use a custom policy.](#example-intune)) | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
+| Friendly name for wireless projection | Properties/FriendlyName | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
 | Device account, including password rotation | DeviceAccount/*`<name_of_policy>`* <br> See [SurfaceHub CSP](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx). | No | No | Yes |
-| Specify Skype domain | InBoxApps/SkypeForBusiness/DomainName | Yes </br> [Use a custom policy.](#example-intune)) | Yes<br> [Use a custom setting.] Yes |
-| Auto launch Connect App when projection is initiated | InBoxApps/Connect/AutoLaunch | Yes </br> [Use a custom policy.](#example-intune)) | Yes<br> [Use a custom setting.] Yes |
-| Set default volume | Properties/DefaultVolume | Yes </br> [Use a custom policy.](#example-intune)) | Yes<br> [Use a custom setting.] Yes |
-| Set screen timeout | Properties/ScreenTimeout | Yes </br> [Use a custom policy.](#example-intune)) | Yes<br> [Use a custom setting.] Yes |
-| Set session timeout | Properties/SessionTimeout | Yes </br> [Use a custom policy.](#example-intune)) | Yes<br> [Use a custom setting.] Yes |
-| Set sleep timeout | Properties/SleepTimeout | Yes </br> [Use a custom policy.](#example-intune)) | Yes<br> [Use a custom setting.] Yes |
-| Allow session to resume after screen is idle | Properties/AllowSessionResume | Yes </br> [Use a custom policy.](#example-intune)) | Yes<br> [Use a custom setting.] Yes |
-| Allow device account to be used for proxy authentication | Properties/AllowAutoProxyAuth | Yes </br> [Use a custom policy.](#example-intune)) | Yes<br> [Use a custom setting.] Yes |
-| Disable auto-populating the sign-in dialog with invitees from scheduled meetings | Properties/DisableSignInSuggestions | Yes </br> [Use a custom policy.](#example-intune)) | Yes<br> [Use a custom setting.] Yes |
-| Disable "My meetings and files" feature in Start menu | Properties/DoNotShowMyMeetingsAndFiles | Yes </br> [Use a custom policy.](#example-intune)) | Yes<br> [Use a custom setting.] Yes |
+| Specify Skype domain | InBoxApps/SkypeForBusiness/DomainName | Yes </br>  | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
+| Auto launch Connect App when projection is initiated | InBoxApps/Connect/AutoLaunch | Yes </br>  | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
+| Set default volume | Properties/DefaultVolume | Yes </br>  | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
+| Set screen timeout | Properties/ScreenTimeout | Yes </br>  | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
+| Set session timeout | Properties/SessionTimeout | Yes </br>  | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
+| Set sleep timeout | Properties/SleepTimeout | Yes </br>  | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
+| Allow session to resume after screen is idle | Properties/AllowSessionResume | Yes </br>  | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
+| Allow device account to be used for proxy authentication | Properties/AllowAutoProxyAuth | Yes </br>  | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
+| Disable auto-populating the sign-in dialog with invitees from scheduled meetings | Properties/DisableSignInSuggestions | Yes </br>  | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
+| Disable "My meetings and files" feature in Start menu | Properties/DoNotShowMyMeetingsAndFiles | Yes </br>  | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
 \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. 
 
 ### Supported Windows 10 settings
@@ -92,46 +92,46 @@ The following tables include info on Windows 10 settings that have been validate
 #### Security settings
 | Setting  | Details  | CSP reference | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML\*? |
 | -------- | -------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- |
-| Allow Bluetooth | Keep this enabled to support Bluetooth peripherals. | [Connectivity/AllowBluetooth](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Connectivity_AllowBluetooth) | Yes. <br> Use a custom policy. | Yes.<br> Use a custom setting. | Yes |
-| Bluetooth policies | Use to set the Bluetooth device name, and block advertising, discovery, and automatic pairing. | Bluetooth/*`<name of policy>`* <br> See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes. <br> Use a custom policy. | Yes.<br> Use a custom setting. | Yes |
-| Allow camera | Keep this enabled for Skype for Business. | [Camera/AllowCamera](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Camera_AllowCamera) | Yes. <br> Use a custom policy. | Yes.<br> Use a custom setting. | Yes |
-| Allow location | Keep this enabled to support apps such as Maps. | [System/AllowLocation](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowLocation) | Yes. <br> Use a custom policy. | Yes.<br> Use a custom setting. | Yes |
-| Allow telemetry | Keep this enabled to help Microsoft improve Surface Hub. | [System/AllowTelemetry](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowTelemetry) | Yes. <br> Use a custom policy. | Yes.<br> Use a custom setting. | Yes |
+| Allow Bluetooth | Keep this enabled to support Bluetooth peripherals. | [Connectivity/AllowBluetooth](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Connectivity_AllowBluetooth) | Yes. <br>  |  Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
+| Bluetooth policies | Use to set the Bluetooth device name, and block advertising, discovery, and automatic pairing. | Bluetooth/*`<name of policy>`* <br> See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes. <br>  |  Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
+| Allow camera | Keep this enabled for Skype for Business. | [Camera/AllowCamera](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Camera_AllowCamera) | Yes. <br>  |  Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
+| Allow location | Keep this enabled to support apps such as Maps. | [System/AllowLocation](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowLocation) | Yes. <br> . |  Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
+| Allow telemetry | Keep this enabled to help Microsoft improve Surface Hub. | [System/AllowTelemetry](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowTelemetry) | Yes. <br>  |  Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
 \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
 
 #### Browser settings
 
 | Setting  | Details          | CSP reference | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML\*? |
 | -------- | ---------------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- |
-| Homepages | Use to configure the default homepages in Microsoft Edge. | [Browser/Homepages](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_Homepages)  | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
-| Allow cookies | Surface Hub automatically deletes cookies at the end of a session. Use this to block cookies within a session. | [Browser/AllowCookies](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowCookies) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
-| Allow developer tools  | Use to stop users from using F12 Developer Tools. | [Browser/AllowDeveloperTools](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDeveloperTools) | Yes. <br>  Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
-| Allow Do Not Track | Use to enable Do Not Track headers. | [Browser/AllowDoNotTrack](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDoNotTrack) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
-| Allow pop-ups | Use to block pop-up browser windows. | [Browser/AllowPopups](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowPopups) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
-| Allow search suggestions | Use to block search suggestions in the address bar. | [Browser/AllowSearchSuggestionsinAddressBar](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSearchSuggestionsinAddressBar) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
-| Allow SmartScreen | Keep this enabled to turn on SmartScreen. | [Browser/AllowSmartScreen](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSmartScreen) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
-| Prevent ignoring SmartScreen Filter warnings for websites | For extra security, use to stop users from ignoring SmartScreen Filter warnings and block them from accessing potentially malicious websites. | [Browser/PreventSmartScreenPromptOverride](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverride) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
-| Prevent ignoring SmartScreen Filter warnings for files | For extra security, use to stop users from ignoring SmartScreen Filter warnings and block them from downloading unverified files from Microsoft Edge. | [Browser/PreventSmartScreenPromptOverrideForFiles](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverrideForFiles) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
+| Homepages | Use to configure the default homepages in Microsoft Edge. | [Browser/Homepages](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_Homepages)  |  Yes <br> [Use a custom policy.](#example-intune)  |  Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
+| Allow cookies | Surface Hub automatically deletes cookies at the end of a session. Use this to block cookies within a session. | [Browser/AllowCookies](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowCookies) |  Yes <br> [Use a custom policy.](#example-intune)  |  Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
+| Allow developer tools  | Use to stop users from using F12 Developer Tools. | [Browser/AllowDeveloperTools](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDeveloperTools) | Yes <br> [Use a custom policy.](#example-intune) |  Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
+| Allow Do Not Track | Use to enable Do Not Track headers. | [Browser/AllowDoNotTrack](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDoNotTrack) |  Yes <br> [Use a custom policy.](#example-intune)  |  Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
+| Allow pop-ups | Use to block pop-up browser windows. | [Browser/AllowPopups](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowPopups) |  Yes <br> [Use a custom policy.](#example-intune)  |  Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
+| Allow search suggestions | Use to block search suggestions in the address bar. | [Browser/AllowSearchSuggestionsinAddressBar](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSearchSuggestionsinAddressBar) |  Yes <br> [Use a custom policy.](#example-intune)  |  Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
+| Allow SmartScreen | Keep this enabled to turn on SmartScreen. | [Browser/AllowSmartScreen](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSmartScreen) |  Yes <br> [Use a custom policy.](#example-intune)  |  Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
+| Prevent ignoring SmartScreen Filter warnings for websites | For extra security, use to stop users from ignoring SmartScreen Filter warnings and block them from accessing potentially malicious websites. | [Browser/PreventSmartScreenPromptOverride](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverride) |  Yes <br> [Use a custom policy.](#example-intune)  |  Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
+| Prevent ignoring SmartScreen Filter warnings for files | For extra security, use to stop users from ignoring SmartScreen Filter warnings and block them from downloading unverified files from Microsoft Edge. | [Browser/PreventSmartScreenPromptOverrideForFiles](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverrideForFiles) |  Yes <br> [Use a custom policy.](#example-intune)  |  Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
 \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
 
 #### Windows Update settings
 
 | Setting     | Details          | CSP reference | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML*? |
 | ----------- | ---------------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- |
-| Use Current Branch or Current Branch for Business | Use to configure Windows Update for Business – see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/BranchReadinessLevel](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_BranchReadinessLevel) | Yes. Use a custom policy. | Yes. Use a custom setting. | Yes |
-| Defer feature updates| See above. | [Update/ DeferFeatureUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferFeatureUpdatesPeriodInDays) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
-| Defer quality updates | See above. | [Update/DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferQualityUpdatesPeriodInDays) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
-| Pause feature updates | See above. | [Update/PauseFeatureUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseFeatureUpdates) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
-| Pause quality updates | See above. | [Update/PauseQualityUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseQualityUpdates) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes|
-| Configure device to use WSUS| Use to connect your Surface Hub to WSUS instead of Windows Update – see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/UpdateServiceUrl](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_UpdateServiceUrl) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
-| Delivery optimization | Use peer-to-peer content sharing to reduce bandwidth issues during updates. See [Configure Delivery Optimization for Windows 10](https://technet.microsoft.com/itpro/windows/manage/waas-delivery-optimization) for details. | DeliveryOptimization/*`<name of policy>`* <br> See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
+| Use Current Branch or Current Branch for Business | Use to configure Windows Update for Business – see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/BranchReadinessLevel](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_BranchReadinessLevel) | Yes <br> [Use a custom policy.](#example-intune)  |  Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
+| Defer feature updates| See above. | [Update/ DeferFeatureUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferFeatureUpdatesPeriodInDays) |  Yes <br> [Use a custom policy.](#example-intune)  |  Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
+| Defer quality updates | See above. | [Update/DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferQualityUpdatesPeriodInDays) |  Yes <br> [Use a custom policy.](#example-intune)  |  Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
+| Pause feature updates | See above. | [Update/PauseFeatureUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseFeatureUpdates) |  Yes <br> [Use a custom policy.](#example-intune)  |  Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
+| Pause quality updates | See above. | [Update/PauseQualityUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseQualityUpdates) |  Yes <br> [Use a custom policy.](#example-intune)  | Yes.<br> [Use a custom setting.](#example-sccm) | Yes|
+| Configure device to use WSUS| Use to connect your Surface Hub to WSUS instead of Windows Update – see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/UpdateServiceUrl](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_UpdateServiceUrl) |  Yes <br> [Use a custom policy.](#example-intune)  |  Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
+| Delivery optimization | Use peer-to-peer content sharing to reduce bandwidth issues during updates. See [Configure Delivery Optimization for Windows 10](https://technet.microsoft.com/itpro/windows/manage/waas-delivery-optimization) for details. | DeliveryOptimization/*`<name of policy>`* <br> See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) |  Yes <br> [Use a custom policy.](#example-intune)  |  Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
 \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
 
 #### Windows Defender settings
 
 | Setting     | Details          | CSP reference | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML\*? |
 | ----------- | ---------------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- |
-| Defender policies | Use to configure various Defender settings, including a scheduled scan time. | Defender/*`<name of policy>`* <br> See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes. <br>  Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
+| Defender policies | Use to configure various Defender settings, including a scheduled scan time. | Defender/*`<name of policy>`* <br> See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes <br> [Use a custom policy.](#example-intune)  |  Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
 | Defender status | Use to initiate a Defender scan, force a signature update, query any threats detected. | [Defender CSP](https://msdn.microsoft.com/library/windows/hardware/mt187856.aspx) | No. | No. | Yes |
 \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
 
@@ -140,8 +140,8 @@ The following tables include info on Windows 10 settings that have been validate
 | Setting     | Details          | CSP reference | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML\*? |
 | ----------- | ---------------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- |
 | Reboot the device immediately | Use in conjunction with OMS to minimize support costs – see [Monitor your Microsoft Surface Hub](monitor-surface-hub.md). | ./Vendor/MSFT/Reboot/RebootNow <br> See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | No | No | Yes |
-| Reboot the device at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/Single <br> See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
-| Reboot the device daily at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/DailyRecurrent <br> See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
+| Reboot the device at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/Single <br> See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) |  Yes <br> [Use a custom policy.](#example-intune)  |  Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
+| Reboot the device daily at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/DailyRecurrent <br> See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) |  Yes <br> [Use a custom policy.](#example-intune)  |  Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
 \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
 
 #### Install certificates
diff --git a/devices/surface-hub/prepare-your-environment-for-surface-hub.md b/devices/surface-hub/prepare-your-environment-for-surface-hub.md
index e11e0e6e42..9ae8f829c5 100644
--- a/devices/surface-hub/prepare-your-environment-for-surface-hub.md
+++ b/devices/surface-hub/prepare-your-environment-for-surface-hub.md
@@ -42,6 +42,20 @@ Microsoft collects telemetry to help improve your Surface Hub experience. Add th
 - Telemetry client endpoint: `https://vortex.data.microsoft.com/`
 - Telemetry settings endpoint: `https://settings.data.microsoft.com/`
 
+### Proxy configuration
+
+If your organization restricts computers on your network from connecting to the Internet, there is a set of URLs that need to be available for devices to use Store for Business. Some of the Store for Business features use Windows Store app and Windows Store services. Devices using Store for Business – either to acquire, install, or update apps – will need access to these URLs. If you use a proxy server to block traffic, your configuration needs to allow these URLs:
+
+- login.live.com
+- login.windows.net
+- account.live.com
+- clientconfig.passport.net
+- windowsphone.com
+- *.wns.windows.com
+- *.microsoft.com
+- www.msftncsi.com (prior to Windows 10, version 1607)
+- www.msftconnecttest.com/connecttest.txt (replaces www.msftncsi.com starting with Windows 10, version 1607)
+
 
 ## Work with other admins
 
diff --git a/devices/surface-hub/surfacehub-whats-new-1703.md b/devices/surface-hub/surfacehub-whats-new-1703.md
index 537d6c55a9..d05ed24b2a 100644
--- a/devices/surface-hub/surfacehub-whats-new-1703.md
+++ b/devices/surface-hub/surfacehub-whats-new-1703.md
@@ -13,16 +13,42 @@ localizationpriority: medium
 
 Windows 10, version 1703 (also called the Creators Update), introduces the following changes for Microsoft Surface Hub:
 
+## New settings
 
-- Settings have been added to mobile device management (MDM) and configuration service providers (CSPs) to expand the Surface Hub management capabilities. [Learn more about the new settings.](manage-settings-with-mdm-for-surface-hub.md)
+Settings have been added to mobile device management (MDM) and configuration service providers (CSPs) to expand the Surface Hub management capabilities. [New settings include](manage-settings-with-mdm-for-surface-hub.md):
 
-- An easy-to-use wizard helps you quickly create provisioning packages that you can apply to multiple Surface Hub devices. [Learn how to create a provisioning package for Surface Hub.](provisioning-packages-for-certificates-surface-hub.md)
+- InBoxApps/SkypeForBusiness/DomainName
+- InBoxApps/Connect/AutoLaunch
+- Properties/DefaultVolume
+- Properties/ScreenTimeout
+- Properties/SessionTimeout
+- Properties/SleepTimeout
+- Properties/AllowSessionResume
+- Properties/AllowAutoProxyAuth
+- Properties/DisableSigninSuggestions
+- Properties/DoNotShowMyMeetingsAndFiles
+</br>
 
-- When you reset a Surface Hub device, you now have the ability to download and install a factory build of the operating system from the cloud. [Learn more about cloud recovery.](device-reset-surface-hub.md#cloud-recovery)
-    >[!NOTE]
-    >Cloud recovery doesn't work if you use proxy servers.
+## Provizioning wizard
+
+An easy-to-use wizard helps you quickly create provisioning packages that you can apply to multiple Surface Hub devices, and includes bulk join to Azure Active Directory. [Learn how to create a provisioning package for Surface Hub.](provisioning-packages-for-certificates-surface-hub.md)
+
+![steps in the provision Surface Hub devices wizard](images/wcd-wizard.png)
     
-- **I'm done** is now **End session**. [Learn how to use End session.](i-am-done-finishing-your-surface-hub-meeting.md) 
+## Cloud recovery
+
+When you reset a Surface Hub device, you now have the ability to download and install a factory build of the operating system from the cloud. [Learn more about cloud recovery.](device-reset-surface-hub.md#cloud-recovery)
+
+>[!NOTE]
+>Cloud recovery doesn't work if you use proxy servers.
+    
+![Reinstall](images/reinstall.png)
+    
+## End session
+
+**I'm done** is now **End session**. [Learn how to use End session.](i-am-done-finishing-your-surface-hub-meeting.md) 
+
+![end session](images/end-session.png)
 
 
 
diff --git a/devices/surface-hub/troubleshoot-surface-hub.md b/devices/surface-hub/troubleshoot-surface-hub.md
index ff05c19f62..678d06e664 100644
--- a/devices/surface-hub/troubleshoot-surface-hub.md
+++ b/devices/surface-hub/troubleshoot-surface-hub.md
@@ -622,7 +622,9 @@ This section lists status codes, mapping, user messages, and actions an admin ca
  
 
  
+## Related content
 
+- [Troubleshooting Miracast connection to the Surface Hub](https://blogs.msdn.microsoft.com/surfacehub/2017/01/30/troubleshooting-miracast-connection-to-the-surface-hub/)
  
 
 
diff --git a/mdop/mbam-v25/mbam-25-supported-configurations.md b/mdop/mbam-v25/mbam-25-supported-configurations.md
index 888cd863a1..99a8d735a8 100644
--- a/mdop/mbam-v25/mbam-25-supported-configurations.md
+++ b/mdop/mbam-v25/mbam-25-supported-configurations.md
@@ -283,7 +283,12 @@ MBAM supports the following versions of Configuration Manager.
 </thead>
 <tbody>
 <tr class="odd">
-<td align="left"><p>Microsoft System Center Configuration Manager (Current Branch), version 1606</p></td>
+<td align="left"><p>Microsoft System Center Configuration Manager (Current Branch), version 1610</p></td>
+<td align="left"><p></p></td>
+<td align="left"><p>64-bit</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p>Microsoft System Center Configuration Manager (LTSB - version 1606)</p></td>
 <td align="left"><p></p></td>
 <td align="left"><p>64-bit</p></td>
 </tr>
@@ -294,7 +299,7 @@ MBAM supports the following versions of Configuration Manager.
 </tr>
 <tr class="even">
 <td align="left"><p>Microsoft System Center Configuration Manager 2007 R2 or later</p></td>
-<td align="left"><p>SP1 or later</p></td>
+<td align="left"><p></p></td>
 <td align="left"><p>64-bit</p>
 
 >**Note** Although Configuration Manager 2007 R2 is 32 bit, you must install it and SQL Server on a 64-bit operating system in order to match the 64-bit MBAM software.
@@ -330,22 +335,21 @@ You must install SQL Server with the **SQL\_Latin1\_General\_CP1\_CI\_AS** coll
 </thead>
 <tbody>
 <tr class="even">
-<td align="left"><p>Microsoft SQL Server 2014</p></td>
-<td align="left"><p>Standard, Enterprise, or Datacenter</p></td>
-<td align="left"><p>SP2</p></td>
-<td align="left"><p>64-bit</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>Microsoft SQL Server 2014</p></td>
+<td align="left"><p>Microsoft SQL Server 2016</p></td>
 <td align="left"><p>Standard, Enterprise, or Datacenter</p></td>
 <td align="left"><p>SP1</p></td>
 <td align="left"><p>64-bit</p></td>
-<tr class="even">
+<tr class="odd">
+<td align="left"><p>Microsoft SQL Server 2014</p></td>
+<td align="left"><p>Standard, Enterprise, or Datacenter</p></td>
+<td align="left"><p>SP1, SP2</p></td>
+<td align="left"><p>64-bit</p></td>
+<tr class="odd">
 <td align="left"><p>Microsoft SQL Server 2012</p></td>
 <td align="left"><p>Standard, Enterprise, or Datacenter</p></td>
 <td align="left"><p>SP3</p></td>
 <td align="left"><p>64-bit</p></td>
-<tr class="odd">
+<tr class="even">
 <td align="left"><p>Microsoft SQL Server 2008 R2</p></td>
 <td align="left"><p>Standard or Enterprise</p></td>
 <td align="left"><p>SP3</p></td>
diff --git a/mdop/uev-v2/microsoft-user-experience-virtualization--ue-v--21-sp1-release-notes.md b/mdop/uev-v2/microsoft-user-experience-virtualization--ue-v--21-sp1-release-notes.md
index b4759fe68c..061e95a56a 100644
--- a/mdop/uev-v2/microsoft-user-experience-virtualization--ue-v--21-sp1-release-notes.md
+++ b/mdop/uev-v2/microsoft-user-experience-virtualization--ue-v--21-sp1-release-notes.md
@@ -130,6 +130,17 @@ If a UE-V 2 settings location template is distributed to a computer installed wi
 
 WORKAROUND: When migrating from UE-V 1 to UE-V 2 and it is likely you’ll have computers running the previous version of the agent, create a separate UE-V 2.x catalog to support the UE-V 2.x Agent and templates.
 
+### UE-V logoff delay
+
+Occassionally on logoff, UE-V takes a long time to sync settings. Typically, this is due to a high latency network or incorrect use of Distrubuted File System (DFS).
+For DFS support, see [Microsoft’s Support Statement Around Replicated User Profile Data](https://support.microsoft.com/en-us/kb/2533009) for further details.
+
+WORKAROUND: Starting with HF03, a new registry key has been introduced  
+The following registry key provides a mechanism by which the maximum logoff delay can be specified   
+\\Software\\Microsoft\\UEV\\Agent\\Configuration\\LogOffWaitInterval
+
+See [UE-V registry settings](https://support.microsoft.com/en-us/kb/2770042) for further details
+
 ## Hotfixes and Knowledge Base articles for UE-V 2.1 SP1
 
 
diff --git a/windows/configure/how-it-pros-can-use-configuration-service-providers.md b/windows/configure/how-it-pros-can-use-configuration-service-providers.md
index 98152602d5..4a4fc4883a 100644
--- a/windows/configure/how-it-pros-can-use-configuration-service-providers.md
+++ b/windows/configure/how-it-pros-can-use-configuration-service-providers.md
@@ -21,8 +21,8 @@ Configuration service providers (CSPs) expose device configuration settings in W
 
 The CSPs are documented on the [Hardware Dev Center](https://go.microsoft.com/fwlink/p/?LinkId=717390) because CSPs are used by mobile device management (MDM) service providers. This topic explains how IT pros and system administrators can take advantage of many settings available through CSPs to configure devices running Windows 10 and Windows 10 Mobile in their organizations.
 
-**Note**  
-The explanation of CSPs and CSP documentation also apply to Windows Mobile 5, Windows Mobile 6, Windows Phone 7, and Windows Phone 8, but links to current CSPs are for Windows 10 and Windows 10 Mobile.
+>[!NOTE]  
+>The explanation of CSPs and CSP documentation also apply to Windows Mobile 5, Windows Mobile 6, Windows Phone 7, and Windows Phone 8, but links to current CSPs are for Windows 10 and Windows 10 Mobile.
 
  [See what's new for CSPs in Windows 10, version 1607.](https://msdn.microsoft.com/library/windows/hardware/mt299056.aspx#whatsnew_1607)
 
@@ -60,15 +60,15 @@ In addition, you may have unmanaged devices, or a large number of devices that y
 
 In addition, some of the topics in the [Windows 10 and Windows 10 Mobile](../index.md) library on Technet include links to applicable CSP reference topics, such as [Cortana integration in your business or enterprise](cortana-at-work-overview.md) which links to the [Policy CSP](https://go.microsoft.com/fwlink/p/?LinkID=623244). In the CSP topics, you can learn about all of the available configuration settings.
 
-### CSPs in Windows Imaging and Configuration Designer (ICD)
+### CSPs in Windows Configuration Designer 
 
-You can use Windows Imaging and Configuration Designer (ICD) to create [provisioning packages](https://go.microsoft.com/fwlink/p/?LinkId=717466) to apply settings to devices during the out-of-box-experience (OOBE) and after devices are set up. You can use provisioning packages to configure a device's connectivity and enroll the device in MDM. Many of the runtime settings in Windows ICD are based on CSPs.
+You can use Windows Configuration Designer to create [provisioning packages](https://go.microsoft.com/fwlink/p/?LinkId=717466) to apply settings to devices during the out-of-box-experience (OOBE) and after devices are set up. You can use provisioning packages to configure a device's connectivity and enroll the device in MDM. Many of the runtime settings in Windows Configuration Designer are based on CSPs.
 
-Many settings in Windows ICD will display documentation for that setting in the center pane, and will include a reference to the CSP if the setting uses one, as shown in the following image.
+Many settings in Windows Configuration Designer will display documentation for that setting in the center pane, and will include a reference to the CSP if the setting uses one, as shown in the following image.
 
 ![how help content appears in icd](images/cspinicd.png)
 
-[Configure devices without MDM](../manage/configure-devices-without-mdm.md) explains how to use the Windows ICD tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a runtime provisioning package.
+[Provisioning packages in Windows 10](provisioning-packages.md) explains how to use the Windows Configuration Designer tool to create a runtime provisioning package.
 
 ### CSPs in MDM
 
@@ -78,7 +78,7 @@ When a CSP is available but is not explicitly included in your MDM solution, you
 
 ### CSPs in Lockdown XML
 
-Lockdown XML can be used to configure devices running Windows 10 Mobile. You can manually author a [Lockdown XML file](lockdown-xml.md) to make use of the configuration settings available through the [EnterpriseAssignedAccess configuration service provider (CSP)](https://go.microsoft.com/fwlink/p/?LinkID=618601).
+Lockdown XML can be used to configure devices running Windows 10 Mobile. You can manually author a [Lockdown XML file](lockdown-xml.md) to make use of the configuration settings available through the [EnterpriseAssignedAccess configuration service provider (CSP)](https://go.microsoft.com/fwlink/p/?LinkID=618601). In Windows 10, version 1703, you can also use the new [Lockdown Designer app](mobile-lockdown-designer.md) to configure your Lockdown XML.
 
 ## <a href="" id="bkmk-csp-doc"></a>How do you use the CSP documentation?
 
diff --git a/windows/configure/images/show-more-tiles.png b/windows/configure/images/show-more-tiles.png
new file mode 100644
index 0000000000..6922edeb4c
Binary files /dev/null and b/windows/configure/images/show-more-tiles.png differ
diff --git a/windows/configure/images/start-screen-size.png b/windows/configure/images/start-screen-size.png
new file mode 100644
index 0000000000..6c09d960ef
Binary files /dev/null and b/windows/configure/images/start-screen-size.png differ
diff --git a/windows/configure/images/wcd-app-commands.PNG b/windows/configure/images/wcd-app-commands.PNG
new file mode 100644
index 0000000000..e52908960f
Binary files /dev/null and b/windows/configure/images/wcd-app-commands.PNG differ
diff --git a/windows/configure/images/wcd-app-name.PNG b/windows/configure/images/wcd-app-name.PNG
new file mode 100644
index 0000000000..23ff06eada
Binary files /dev/null and b/windows/configure/images/wcd-app-name.PNG differ
diff --git a/windows/configure/lockdown-xml.md b/windows/configure/lockdown-xml.md
index 9398934ee7..36fa6806f7 100644
--- a/windows/configure/lockdown-xml.md
+++ b/windows/configure/lockdown-xml.md
@@ -91,7 +91,7 @@ The following example is a complete lockdown XML file that disables Action Cente
 
 The Apps setting serves as an allow list and specifies the applications that will be available in the All apps list. Apps that are not included in this setting are hidden from the user and blocked from running. 
 
-You provide the product ID for each app in your file. The product ID identifies an app package, and an app package can contain multiple apps, so you should also provide the App User Model ID (AUMID) to differentiate the app. Optionally, you can set an app to run automatically. [Get product ID and AUMID for apps in Windows 10 Mobile.](product-ids-in-windows-10-mobile.md)
+You provide the App User Model ID (AUMID) and product ID for each app in your file. The product ID identifies an app package, and an app package can contain multiple apps, so you also provide the ADUMID to differentiate the app. Optionally, you can set an app to run automatically. [Get product ID and AUMID for apps in Windows 10 Mobile.](product-ids-in-windows-10-mobile.md)
 
 The following example makes Outlook Calendar available on the device.
 
diff --git a/windows/configure/mobile-lockdown-designer.md b/windows/configure/mobile-lockdown-designer.md
index ee7d0aa8b6..bc580504e6 100644
--- a/windows/configure/mobile-lockdown-designer.md
+++ b/windows/configure/mobile-lockdown-designer.md
@@ -47,6 +47,11 @@ Perform these steps on the device running Windows 10 Mobile that you will use to
 
 4. Enable **Device discovery**, and then turn on **Device Portal**. 
 
+>[!IMPORTANT]
+>Check **Settings > Personalization > Start > Show more tiles** on the test mobile device. If **Show more tiles** is **On**, you must select **Large** on the [**Start screen** page](#start) in Lockdown Designer. If you want to apply a **Small** layout, set **Show more tiles** on the test mobile device to **Off**.
+>
+>![turn off show more tiles for small start screen size](images/show-more-tiles.png) 
+
 ## Prepare the PC
 
 [Install Lockdown Designer](https://www.microsoft.com/store/r/9nblggh40753) on the PC. 
@@ -130,7 +135,7 @@ The apps and settings available in the pages of Lockdown Designer should now be
 | ![Quick actions](images/ld-quick.png)  |  On this page, you select the settings that you want visible to users. |
 | ![Buttons](images/ld-buttons.png)  |  Each hardware button on a mobile device has different actions that can be disabled. In addition, the behavior for **Search** button can be changed to open an app other than **Search**.</br></br>Some devices may have additional hardware buttons provided by the OEM. These are listed as Custom1, Custom2, and Custom3. If your device has custom hardware buttons, contact your equipment provider to identify how their custom buttons are defined. |
 | ![Other settings](images/ld-other.png)  | This page contains several settings that you can configure:</br></br>- The context menu is displayed when a user presses and holds an application in the All Apps list. You can enable or disable the context menu.</br></br>- Tile manipulation allows users to pin, unpin, move, and resize tiles on the Start screen. You can enable or disable tile manipulation.</br></br>- The Action Center setting controls whether the user can open the Action Center on the device. When the Action Center is disabled, notifications on the lockscreen and toasts are also disabled. You can use optional attributes with the Action Center element to change that behavior for either notifications, toasts, or both.  |
-| ![Start screen](images/ld-start.png)  | On this page, you can start a remote simulation session with the test mobile device. Click **Start remote simulation**. You will see a **Start screen remote simulation in progress** message on the PC. (If the **Start remote simulation** button is not active, [pair the mobile device with the PC again](#pair).)</br></br>On the test mobile device, tiles for the apps that you allowed on the **Applications** page are displayed on the screen. You can move, resize, or unpin these tiles to achieve the desired layout.</br></br>When you are done changing the layout on the test mobile device, click **Accept** on the PC. |
+| <span id="start" />![Start screen](images/ld-start.png)  | On this page, you can start a remote simulation session with the test mobile device. Click **Start remote simulation**. You will see a **Start screen remote simulation in progress** message on the PC. (If the **Start remote simulation** button is not active, [pair the mobile device with the PC again](#pair).)</br></br>On the test mobile device, tiles for the apps that you allowed on the **Applications** page are displayed on the screen. You can move, resize, or unpin these tiles to achieve the desired layout.</br></br>When you are done changing the layout on the test mobile device, click **Accept** on the PC. |
 
 
 ## Validate and export
diff --git a/windows/configure/product-ids-in-windows-10-mobile.md b/windows/configure/product-ids-in-windows-10-mobile.md
index 6fd085952b..f2a3295ba9 100644
--- a/windows/configure/product-ids-in-windows-10-mobile.md
+++ b/windows/configure/product-ids-in-windows-10-mobile.md
@@ -230,21 +230,8 @@ The following table lists the product ID and AUMID for each app that is included
 
  
 
-## Get product ID and AUMID for other apps
 
 
-To get the product ID and AUMID for apps that are installed from Windows Store or installed locally ([side-loaded](https://go.microsoft.com/fwlink/p/?LinkID=623433)), use the following steps.
-
-**Prerequisites**: a device with an SD card inserted and all apps installed that you want to get IDs for
-
-1.  On Start ![start](images/starticon.png), swipe over to the App list, then tap **Settings** ![settings](images/settingsicon.png) &gt; **Accounts** &gt; **Apps Corner**.
-
-2.  Tap **Apps**, tap to select the app that you want to get IDs for, and then tap done ![done button](images/doneicon.png)
-
-3.  Tap **advanced**, and then **tap export to SD card**.
-
-4.  Connect the device to a PC using USB, and then open the WEHLockdown.xml file on the SD card of the device to view the product ID and AUMID for each app.
-
 ## Related topics
 
 
diff --git a/windows/configure/provision-pcs-with-apps.md b/windows/configure/provision-pcs-with-apps.md
index 2314c30c16..26703f40c9 100644
--- a/windows/configure/provision-pcs-with-apps.md
+++ b/windows/configure/provision-pcs-with-apps.md
@@ -40,7 +40,7 @@ When you add an app in a Windows Configuration Designer wizard, the appropriate
 
 - **Restart required**: Optionally, specify if you want to initiate a reboot after a successful install of this app 
 
-- **Required win32 app dependencies**: Optionally, specify additional files that are required for the installation of the app. 
+- **Required win32 app dependencies**: Optionally, specify additional files that are required for the installation of the app. For installers that have multiple file dependencies or have directory structures, [create a cab file of the assets](provisioning-script-to-install-app.md#cab). The installation script should [include expansion of the .cab file](provisioning-script-to-install-app.md#cab-extract).
 
 ### Exe or other installer
 
@@ -52,22 +52,22 @@ When you add an app in a Windows Configuration Designer wizard, the appropriate
 
 - **Restart required**: Optionally, specify if you want to initiate a reboot after a successful install of this app 
 
-- **Required win32 app dependencies**: Optionally, specify additional files that are required for the installation of the app. 
+- **Required win32 app dependencies**: Optionally, specify additional files that are required for the installation of the app. For installers that have multiple file dependencies or have directory structures, [create a cab file of the assets](provisioning-script-to-install-app.md#cab). The installation script should [include expansion of the .cab file](provisioning-script-to-install-app.md#cab-extract).
 
 
 <span id="adv" />
-## Add an app using advanced editor in Windows Configuration Designer
+## Add a Classic Windows app using advanced editor in Windows Configuration Designer
 
 
-1. In the **Available customizations** pane, go to **Runtime settings** > **ProvisioningCommands** > **DeviceContext** > **CommandFiles**. 
+1. In the **Available customizations** pane, go to **Runtime settings** > **ProvisioningCommands** > **PrimaryContext** > **Command**. 
 
-2. Add all the files required for the app install, including the data files and the installer.
+2. Enter a name for the first app, and then click **Add**.
 
-3. Go to **Runtime settings** > **ProvisioningCommands** > **DeviceContext** > **CommandLine** and specify the command line that needs to be executed to install the app. This is a single command line (such as a script, executable, or msi) that triggers a silent install of your CommandFiles. Note that the install must execute silently (without displaying any UI). For MSI installers use, the `msiexec /quiet` option. 
+    ![enter name for first app](images/wcd-app-name.png)
 
-> [!NOTE]
-> If you are installing more than one app, then use `CommandLine` to invoke the script or batch file that orchestrates installation of the files. For more information, see [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md). 
+3. [Configure the settings for the appropriate installer type.](#settings-for-classic-windows-apps)
 
+    ![enter settings for first app](images/wcd-app-commands.png)
 
 ### Add a universal app to your package
 
@@ -87,7 +87,7 @@ Universal apps that you can distribute in the provisioning package can be line-o
 
 5. For **DeviceContextAppLicense**, enter the **LicenseProductID**. 
 
-    - In Windows Store for Business, generate the unencoded license for the app on the app's download page, and change the extension of the license file from **.xml** to **.ms-windows-store-license**.
+    - In Windows Store for Business, generate the unencoded license for the app on the app's download page. 
 
         ![generate license for offline app](images/uwp-license.png)
         
diff --git a/windows/configure/provisioning-apply-package.md b/windows/configure/provisioning-apply-package.md
index 2fa9efb09a..2725bb140c 100644
--- a/windows/configure/provisioning-apply-package.md
+++ b/windows/configure/provisioning-apply-package.md
@@ -46,7 +46,7 @@ Provisioning packages can be applied to a device during the first-run experience
     
 ### After setup, from a USB drive, network folder, or SharePoint site
 
-On a desktop computer, navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install. 
+Insert the USB drive to a desktop computer, navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install. For a provisioning package stored on a network forlder or on a SharePoint site, navigate to the provisioning package and double-click it to begin installation.
 
 ![add a package option](images/package.png)
     
diff --git a/windows/configure/provisioning-script-to-install-app.md b/windows/configure/provisioning-script-to-install-app.md
index 20ada61de8..639ca1ea2f 100644
--- a/windows/configure/provisioning-script-to-install-app.md
+++ b/windows/configure/provisioning-script-to-install-app.md
@@ -29,6 +29,7 @@ This walkthrough describes how to leverage the ability to include scripts in a W
 
 2. If you need to include a directory structure of files, you will need to cab the assets for easy inclusion in the provisioning packages.
 
+<span id="cab" />
 ## Cab the application assets
 
 1. Create a .DDF file as below, replacing *file1* and *file2* with the files you want to package, and adding the name of file/directory.
@@ -89,7 +90,9 @@ This walkthrough describes how to leverage the ability to include scripts in a W
 
 ## Create the script to install the application
 
-Create a script to perform whatever work is needed to install the application(s). The following examples are provided to help get started authoring the orchestrator script that will execute the required installers. In practice, the orchestrator script may reference many more assets than those in these examples.
+In Windows 10, version 1607 and earlier, create a script to perform whatever work is needed to install the application(s). The following examples are provided to help get started authoring the orchestrator script that will execute the required installers. In practice, the orchestrator script may reference many more assets than those in these examples.
+
+In Windows 10, version 1703, you don’t need to create an orchestrator script. You can have one command line per app. If necessary, you can create a script that logs the output per app, as mentioned below (rather than one orchestrator script for the entire provisioning package). 
 
 >[!NOTE]
 >All actions performed by the script must happen silently, showing no UI and requiring no user interaction.
@@ -138,6 +141,7 @@ PsExec.exe -accepteula -i -s cmd.exe /c powershell.exe my_powershell_script.ps1'
 echo result: %ERRORLEVEL% >> %LOGFILE%
 ```
 
+<span id="cab-extract" />
 ### Extract from a .CAB example
 
 This example script shows expansion of a .cab from the provisioning commands script, as well as installation of the expanded setup.exe
@@ -154,7 +158,9 @@ echo result: %ERRORLEVEL% >> %LOGFILE%
 
 ### Calling multiple scripts in the package
 
-You are currently allowed one CommandLine per PPKG. The batch files shown above are orchestrator scripts that manage the installation and calls any other scripts included in the PPKG. The orchestrator script is what should be invoked from the CommandLine specified in the package. 
+In Windows 10, version 1703, your provisioning package can include multiple CommandLines.
+
+In Windows 10, version 1607 and earlier, you are allowed one CommandLine per provisioning package. The batch files shown above are orchestrator scripts that manage the installation and call any other scripts included in the provisioning package. The orchestrator script is what should be invoked from the CommandLine specified in the package. 
 
 Here’s a table describing this relationship, using the PowerShell example from above:
 
@@ -166,7 +172,7 @@ Here’s a table describing this relationship, using the PowerShell example from
 | ProvisioningCommands/DeviceContext/CommandFiles | my_powershell_script.ps1 | Other assets referenced by the orchestrator script. In this example there is only one, but there could be many assets referenced here. One common use case is using the orchestrator to call a series of install.exe or setup.exe installers to install several applications. Each of those installers must be included as an asset here. |
 
  
-### Add script to provisioning package 
+### Add script to provisioning package (Windows 10, version 1607)
  
 When you have the batch file written and the referenced assets ready to include, you can add them to a provisioning package in the Window Configuration Designer. 
 
@@ -197,10 +203,15 @@ When you are done, [build the package](provisioning-create-package.md#build-pack
 2. When applied at first boot, provisioning runs early in the boot sequence and before a user context has been established; care must be taken to only include installers that can run at this time. Other installers can be provisioned via a management tool.
 3. If the device is put into an unrecoverable state because of a bad script, you can reset it using [recovery options in Windows 10](https://support.microsoft.com/help/12415/windows-10-recovery-options).
 4. The CommandFile assets are deployed on the device to a temporary folder unique to each package.
-    a. For packages added during the out of box experience, this is usually in `%WINDIR%\system32\config\systemprofile\appdata\local\Temp\ProvisioningPkgTmp\<{PackageIdGuid}>\Commands`
-    b. For packages added by double-clicking on an already deployed device, this will be in the temp folder for the user executing the PPKG: `%TMP%\ProvisioningPkgTmp\<{PackageIdGuid}>\Commands`
+    - For Windows 10, version 1607 and earlier:
+        a. For packages added during the out of box experience, this is usually in `%WINDIR%\system32\config\systemprofile\appdata\local\Temp\ProvisioningPkgTmp\<{PackageIdGuid}>\Commands`
+        b. For packages added by double-clicking on an already deployed device, this will be in the temp folder for the user executing the PPKG: `%TMP%\ProvisioningPkgTmp\<{PackageIdGuid}>\Commands`
+    - For Windows 10, version 1703:
+        a. For packages added during the out of box experience, this is usually in `%WINDIR%\system32\config\systemprofile\appdata\local\Temp\ProvisioningPkgTmp\<{PackageIdGuid}>\Commands\0`
+        The `0` after `Commands\` refers to the installation order and indicates the first app to be installed. The number will increment for each app in the package.
+        b. For packages added by double-clicking on an already deployed device, this will be in the temp folder for the user executing the provisioning package: `%TMP%\ProvisioningPkgTmp\<{PackageIdGuid}>\Commands\0`
 5. The command line will be executed with the directory the CommandFiles were deployed to as the working directory. This means you do not need to specific the full path to assets in the command line or from within any script.
-6. The runtime provisioning component will attempt to run the scripts from the PPKG at the earliest point possible, depending on the stage when the PPKG was added. For example, if the package was added during the Out-of-Box Experience, it will be run immediately after the package is applied, while the Out-of-Box Experience is still happening. This is before the user account configuration options are presented to the user. A spinning progress dialog will appear and “please wait” will be displayed on the screen. 
+6. The runtime provisioning component will attempt to run the scripts from the provisioning package at the earliest point possible, depending on the stage when the PPKG was added. For example, if the package was added during the Out-of-Box Experience, it will be run immediately after the package is applied, while the out of box experience is still happening. This is before the user account configuration options are presented to the user. A spinning progress dialog will appear and “please wait” will be displayed on the screen. 
 
     >[!NOTE]
     >There is a timeout of 30 minutes for the provisioning process at this point. All scripts and installs need to complete within this time. 
diff --git a/windows/deploy/upgrade-readiness-deployment-script.md b/windows/deploy/upgrade-readiness-deployment-script.md
index 0206b5764e..f8d311cd6b 100644
--- a/windows/deploy/upgrade-readiness-deployment-script.md
+++ b/windows/deploy/upgrade-readiness-deployment-script.md
@@ -42,9 +42,9 @@ To run the Upgrade Readiness deployment script:
     3.  By default, the script sends log information to both the console and the log file. To change the default behavior, use one of the following options:
 
         > *logMode = 0 log to console only*
->
+        >
         > *logMode = 1 log to file and console*
->
+        >
         > *logMode = 2 log to file only*
 
 3.  To enable Internet Explorer data collection, set AllowIEData to IEDataOptIn. By default, AllowIEData is set to Disable. Then use one of the following options to determine what Internet Explorer data can be collected:
@@ -57,7 +57,16 @@ To run the Upgrade Readiness deployment script:
     >
     > *IEOptInLevel = 3 Data collection is enabled for all sites*
 
-4.  After you finish editing the parameters in RunConfig.bat, you are ready to run the script.  If you are using the Pilot version, run RunConfig.bat from an elevated command prompt. If you are using the Deployment version, use ConfigMgr or other software deployment service to run RunConfig.bat as system.
+4. The latest version (03.02.17) of the deployment script is configured to collect and send diagnostic and debugging data to Microsoft. If you wish to disable sending diagnostic and debugging data to Microsoft, set **AppInsightsOptIn = false**. By default, **AppInsightsOptIn** is set to **true**.
+
+    The data that is sent is the same data that is collected in the text log file that captures the events and error codes while running the script. This file is named in the following format: **UA_yyyy_mm_dd_hh_mm_ss_machineID.txt**. Log files are created in the drive that is specified in the RunConfig.bat file. By default this is set to: **%SystemDrive%\UADiagnostics**.
+
+    This data gives us the ability to determine the status of your machines and to help troubleshoot issues. If you choose to opt-in to and send this data to Microsoft, you must also allow https traffic to be sent to the following wildcard endpoints:
+
+    \*vortex\*.data.microsoft.com<BR>
+    \*settings\*.data.microsoft.com
+
+5.  After you finish editing the parameters in RunConfig.bat, you are ready to run the script.  If you are using the Pilot version, run RunConfig.bat from an elevated command prompt. If you are using the Deployment version, use ConfigMgr or other software deployment service to run RunConfig.bat as system.
 
 The deployment script displays the following exit codes to let you know if it was successful, or if an error was encountered.
 
diff --git a/windows/deploy/upgrade-readiness-get-started.md b/windows/deploy/upgrade-readiness-get-started.md
index 4829baa632..7cb98c4cf2 100644
--- a/windows/deploy/upgrade-readiness-get-started.md
+++ b/windows/deploy/upgrade-readiness-get-started.md
@@ -79,7 +79,7 @@ For Upgrade Readiness to receive and display upgrade readiness data from Microso
 
 To enable data sharing, whitelist the following endpoints. Note that you may need to get approval from your security group to do this.
 
-Note: The compatibility update KB runs under the computer’s system account. If you are using user authenticated proxies, read [this blog post](https://go.microsoft.com/fwlink/?linkid=838688) to learn what you need to do to run it under the logged on user account.
+Note: The compatibility update KB runs under the computer’s system account. If you are using user authenticated proxies, read [this blog post](https://blogs.technet.microsoft.com/upgradeanalytics/2017/03/10/understanding-connectivity-scenarios-and-the-deployment-script/) to learn what you need to do to run it under the logged on user account.
 
 | **Endpoint**  | **Function**  |
 |---------------------------------------------------------|-----------|
diff --git a/windows/deploy/upgrade-readiness-requirements.md b/windows/deploy/upgrade-readiness-requirements.md
index 5f706bab59..5593a4eb72 100644
--- a/windows/deploy/upgrade-readiness-requirements.md
+++ b/windows/deploy/upgrade-readiness-requirements.md
@@ -78,8 +78,6 @@ See [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields
 
 Before you get started configuring Upgrade Anatlyics, review the following tips and limitations about this release.
 
-**User authenticated proxies are not supported in this release.** User computers communicate with Microsoft through Windows telemetry. The Windows telemetry client runs in System context and requires a connection to various Microsoft telemetry endpoints. User authenticated proxies are not supported at this time. Work with your Network Administrator to ensure that user computers can communicate with telemetry endpoints.
-
 **Upgrade Readiness does not support on-premises Windows deployments.** Upgrade Readiness is built as a cloud service, which allows Upgrade Readiness to provide you with insights based on the data from user computers and other Microsoft compatibility services. Cloud services are easy to get up and running and are cost-effective because there is no requirement to physically implement and maintain services on-premises.
 
 **In-region data storage requirements.** Windows telemetry data from user computers is encrypted, sent to, and processed at Microsoft-managed secure data centers located in the US. Our analysis of the upgrade readiness-related data is then provided to you through the Upgrade Readiness solution in the Microsoft Operations Management Suite (OMS) portal. At the time this topic is being published, only OMS workspaces created in the East US and West Europe are supported. We’re adding support for additional regions and we’ll update this information when new international regions are supported.
diff --git a/windows/images/w10-evaluation.png b/windows/images/w10-evaluation.png
new file mode 100644
index 0000000000..19d690b694
Binary files /dev/null and b/windows/images/w10-evaluation.png differ
diff --git a/windows/images/w10-whatsnew-highlight.png b/windows/images/w10-whatsnew-highlight.png
new file mode 100644
index 0000000000..b8534ef41d
Binary files /dev/null and b/windows/images/w10-whatsnew-highlight.png differ
diff --git a/windows/index.md b/windows/index.md
index 8d86b31add..dad59e644a 100644
--- a/windows/index.md
+++ b/windows/index.md
@@ -8,18 +8,17 @@ author: brianlic-msft
 ---
 
 # Windows 10 and Windows 10 Mobile
-
+
 This library provides the core content that IT pros need to evaluate, plan, deploy, secure and manage devices running Windows 10 or Windows 10 Mobile.
 
 <center><iframe src="https://channel9.msdn.com/Events/Ignite/Australia-2017/WIN212/player" width="960" height="540" allowFullScreen frameBorder="0"></iframe></center>
-
-<br/>
+
 <table border="0" width="100%" align='center'>
 </tr>
   <tr style="text-align:center;">
     <td style="width:25%; border:0;">
       <a href="https://technet.microsoft.com/en-us/itpro/windows/whats-new/index">
-        <img src="images/w10-whatsnew.png" alt="Read what's new in Windows 10" title="What's new in Windows 10?" />
+        <img src="images/w10-whatsnew-highlight.png" alt="Read what's new in Windows 10" title="What's new in Windows 10?" />
       </a>
       <br/>What's New?
     </td>
@@ -45,14 +44,14 @@ This library provides the core content that IT pros need to evaluate, plan, depl
   <tr style="text-align:center;">
     <td style="width:25%; border:0;">
     <br/>
-      <a href="https://technet.microsoft.com/en-us/itpro/windows/deploy/index">
+      <a href="https://technet.microsoft.com/en-us/itpro/windows/keep-secure/index">
         <img src="images/w10-secure.png" alt="Keep Windows 10 secure" title="Keep Windows 10 secure" />
       </a>
       <br/>Keep Secure
     </td>
-    <td style="width:25%; border:0;">
+    <td style="width:25%; border:0;">
       <br/>
-      <a href="https://technet.microsoft.com/en-us/itpro/windows/configure/index">
+      <a href="https://technet.microsoft.com/en-us/itpro/windows/configure/index">
         <img src="images/W10-configure.png" alt="Configure Windows 10 in your enterprise" title="Configure Windows 10" />
       </a>
       <br/>Configure
@@ -67,32 +66,28 @@ This library provides the core content that IT pros need to evaluate, plan, depl
     <td style="width:25%; border:0;">
       <br/>
       <a href="">
-        <img src="images/w10-plan.png" alt="Get your " title="What's new in Windows 10" />
+        <img src="images/w10-evaluation.png" alt="Try Windows 10" title="Try Windows 10" />
       </a>
       <br/>Try it
     </td>
   </tr>
-</table>
+</table>
 
-<br/>
-
-# Get to know Windows as a Service (WaaS)
+## Get to know Windows as a Service (WaaS)
 <table border="0" width="100%" align='center'>
 <tr>
-  <td valign=top width=60%>The Windows 10 operating system introduces a new way to build, deploy, and service Windows: Windows as a service. Microsoft has reimagined each part of the process, to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers.
-
-  These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time.
-
+  <td valign=top width:40%; border:0;>The Windows 10 operating system introduces a new way to build, deploy, and service Windows: Windows as a service. Microsoft has reimagined each part of the process, to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers.
 
-  * [Read more about Windows as a Service]()
-  * [Download the WaaS infographic]()
+  These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time.
+  - <a href='https://technet.microsoft.com/en-us/itpro/windows/manage/waas-overview'>Read more about Windows as a Service</a>
+
+  - <a href=''>Download the WaaS infographic</a>
 
   </td>
-  <td width=40%><center><img style='border:thin silver solid' src="images/w10-WaaS-poster.png" alt="Get to know Windows as a Service (WaaS) " title="Get to know Windows as a Service (WaaS)" /></center></td>
+  <td valign=top width:60%; border:0;><center><img style='border:thin silver solid' src="images/w10-WaaS-poster.png" alt="Get to know Windows as a Service (WaaS) " title="Get to know Windows as a Service (WaaS)" /></center></td>
 </tr>
 <table>
 
-
 ## Related topics
 [Windows 10 TechCenter](https://go.microsoft.com/fwlink/?LinkId=620009)
 
diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md
index f2339f5940..20ab6d7c93 100644
--- a/windows/keep-secure/TOC.md
+++ b/windows/keep-secure/TOC.md
@@ -578,6 +578,7 @@
 ###### [Domain member: Require strong (Windows 2000 or later) session key](domain-member-require-strong-windows-2000-or-later-session-key.md)
 ###### [Interactive logon: Display user information when the session is locked](interactive-logon-display-user-information-when-the-session-is-locked.md)
 ###### [Interactive logon: Don't display last signed-in](interactive-logon-do-not-display-last-user-name.md)
+###### [Interactive logon: Don't display username at sign-in](interactive-logon-dont-display-username-at-sign-in.md)
 ###### [Interactive logon: Do not require CTRL+ALT+DEL](interactive-logon-do-not-require-ctrl-alt-del.md)
 ###### [Interactive logon: Machine account lockout threshold](interactive-logon-machine-account-lockout-threshold.md)
 ###### [Interactive logon: Machine inactivity limit](interactive-logon-machine-inactivity-limit.md)
@@ -800,9 +801,13 @@
 #### [Windows Defender ATP service status](service-status-windows-defender-advanced-threat-protection.md)
 #### [Troubleshoot Windows Defender ATP](troubleshoot-windows-defender-advanced-threat-protection.md)
 #### [Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md)
-#### [Windows Defender compatibility](defender-compatibility-windows-defender-advanced-threat-protection.md)
+#### [Windows Defender Antivirus compatibility](defender-compatibility-windows-defender-advanced-threat-protection.md)
+
+
 ###	[Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
 #### [Windows Defender AV in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md)
+#### [Windows Defender Antivirus on Windows Server](windows-defender-antivirus-on-windows-server-2016.md)
+#### [Windows Defender Antivirus and Advanced Threat Protection: Better together](windows-defender-antivirus-compatibility.md)
 #### [Evaluate Windows Defender Antivirus protection](evaluate-windows-defender-antivirus.md)
 #### [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
 ##### [Deploy and enable Windows Defender Antivirus](deploy-windows-defender-antivirus.md)
@@ -829,8 +834,11 @@
 ###### [Prevent users from seeing or interacting with the user interface](prevent-end-user-interaction-windows-defender-antivirus.md)
 ###### [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
 #### [Customize, initiate, and review the results of scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
-##### [Exclude files and processes from scans](configure-exclusions-windows-defender-antivirus.md)
-##### [Configure email, removable storage, network, reparse point, and archive scanning](configure-advanced-scan-types-windows-defender-antivirus.md)
+##### [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md)
+###### [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md)
+###### [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md)
+###### [Configure exclusions in Windows Defender AV on Windows Server 2016](configure-server-exclusions-windows-defender-antivirus.md)
+##### [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
 ##### [Configure remediation for scans](configure-remediation-windows-defender-antivirus.md)
 ##### [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
 ##### [Configure and run scans](run-scan-windows-defender-antivirus.md)
diff --git a/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md b/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md
index 9176b41ff8..b0396cdfd0 100644
--- a/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md
+++ b/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md
@@ -39,15 +39,14 @@ You can add apps to your Windows Information Protection (WIP) protected app list
 
 5.  In the **Rules Preferences** screen, keep the default settings, and then click **Next** to start generating the rules.
 
-    >[!NOTE]
+    
     >We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.<p>If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.
 
 6.  In the **Review Rules** screen, look over your rules to make sure they’re right, and then click **Create** to add them to your collection of rules.
 
 7.  In the left pane, right-click **AppLocker**, click **Export Policies**, go to where you want to save the XML file and type a file name, click **Save**, and then clear your AppLocker rules.
 
-    >[!IMPORTANT]
-    >Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy.
+    >**Important**<br>Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy.
 
 8.  Open the Intune administration console, and go to the **Policy** node, click **Add Policy** from the **Tasks** area, go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)** policy, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.
 
@@ -87,18 +86,15 @@ After saving the policy, you’ll need to deploy it to your employee’s devices
 
 5.  In the **Rules Preferences** screen, keep the default settings, and then click **Next** to start generating the rules.
 
-    >[!IMPORTANT]
-    >You can also use **Path** rules instead of the **File hash** if you have concerns about unsigned files potentially changing the hash value if they're updated in the future.
+    >**Important**<br>You can also use **Path** rules instead of the **File hash** if you have concerns about unsigned files potentially changing the hash value if they're updated in the future.
     
-    >[!NOTE]
-    >We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.<p>If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.<p>Finally, there's **Path** rules. **Path** rules are easier to set up and maintain, but can let apps bypass Windows Information Protection (WIP) by simply renaming and moving an unallowed file to match one of the apps on the **Protected App** list. For example, if your **Path** rule says to allow `%PROGRAMFILES%/NOTEPAD.EXE`, it becomes possible to rename DisallowedApp.exe to Notepad.exe, move it into the specified path above, and have it suddenly be allowed.
+    >**Note**<br>We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.<p>If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.<p>Finally, there's **Path** rules. **Path** rules are easier to set up and maintain, but can let apps bypass Windows Information Protection (WIP) by simply renaming and moving an unallowed file to match one of the apps on the **Protected App** list. For example, if your **Path** rule says to allow `%PROGRAMFILES%/NOTEPAD.EXE`, it becomes possible to rename DisallowedApp.exe to Notepad.exe, move it into the specified path above, and have it suddenly be allowed.
 
 6.  In the **Review Rules** screen, look over your rules to make sure they’re right, and then click **Create** to add them to your collection of rules.
 
 7.  In the left pane, right-click **AppLocker**, click **Export Policies**, go to where you want to save the XML file and type a file name, click **Save**, and then clear your AppLocker rules.
 
-    >[!IMPORTANT]
-    >Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy.
+    >**Important**<br>Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy.
 
 8.  Open the Intune administration console, and go to the **Policy** node, click **Add Policy** from the **Tasks** area, go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)** policy, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.
 
diff --git a/windows/keep-secure/advanced-features-windows-defender-advanced-threat-protection.md b/windows/keep-secure/advanced-features-windows-defender-advanced-threat-protection.md
index d7678c4832..1bcbb15c46 100644
--- a/windows/keep-secure/advanced-features-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/advanced-features-windows-defender-advanced-threat-protection.md
@@ -1,5 +1,5 @@
 ---
-title: Turn on advanced features in Windows Defender Advanced Threat Protection
+title: Turn on advanced features in Windows Defender ATP
 description: Turn on advanced features such as block file in Windows Defender Advanced Threat Protection.
 keywords: advanced features, preferences setup, block file
 search.product: eADQiWindows 10XVcnh
diff --git a/windows/keep-secure/api-portal-mapping-windows-defender-advanced-threat-protection.md b/windows/keep-secure/api-portal-mapping-windows-defender-advanced-threat-protection.md
index d551629b2e..580f3684c9 100644
--- a/windows/keep-secure/api-portal-mapping-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/api-portal-mapping-windows-defender-advanced-threat-protection.md
@@ -24,7 +24,7 @@ localizationpriority: high
 Understand what data fields are exposed as part of the alerts API and how they map to the Windows Defender ATP portal.
 
 
-#	Alert API fields and portal mapping
+##	Alert API fields and portal mapping
 Field numbers match the numbers in the images below.
 
 Portal label  | SIEM field name | Description
@@ -75,6 +75,6 @@ Portal label  | SIEM field name | Description
 
 ## Related topics
 - [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
-- [Configure Splunk](configure-splunk-windows-defender-advanced-threat-protection.md)
-- [Configure ArcSight](configure-arcsight-windows-defender-advanced-threat-protection.md)
+- [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
+- [Configure ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
 - [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/assign-portal-access-windows-defender-advanced-threat-protection.md b/windows/keep-secure/assign-portal-access-windows-defender-advanced-threat-protection.md
index 95c54414fa..429ac0c65b 100644
--- a/windows/keep-secure/assign-portal-access-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/assign-portal-access-windows-defender-advanced-threat-protection.md
@@ -22,10 +22,23 @@ localizationpriority: high
 - Office 365
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 
-Windows Defender ATP users and access permissions are managed in Azure Active Directory (AAD). You can assign users with one of the following levels of permissions:
+Windows Defender ATP users and access permissions are managed in Azure Active Directory (AAD). Use the following methods to assign security roles.
+
+## Assign user access using Azure PowerShell
+You can assign users with one of the following levels of permissions:
 - Full access (Read and Write)
 - Read only access
 
+### Before you begin
+- Install Azure PowerShell. For more information see, [How to install and configure Azure PowerShell](https://azure.microsoft.com/documentation/articles/powershell-install-configure/).<br>
+
+    > [!NOTE]
+    > You need to run the PowerShell cmdlets in an elevated command-line.
+
+- Connect to your Azure Active Directory. For more information see, [Connect-MsolService](https://msdn.microsoft.com/library/dn194123.aspx).
+
+
+
 **Full access** <br>
 Users with full access can log in, view all system information and resolve alerts, submit files for deep analysis, and download the onboarding package.
 Assigning full access rights requires adding the users to the “Security Administrator” or “Global Administrator” AAD built-in roles.
@@ -36,13 +49,7 @@ They will not be able to change alert states, submit files for deep analysis or
 Assigning read only access rights requires adding the users to the “Security Reader” AAD built-in role.
 
 Use the following steps to assign security roles:
-- Preparations:
-    - Install Azure PowerShell. For more information see, [How to install and configure Azure PowerShell](https://azure.microsoft.com/documentation/articles/powershell-install-configure/).<br>
 
-        > [!NOTE]
-        > You need to run the PowerShell cmdlets in an elevated command-line.
-
-- Connect to your Azure Active Directory. For more information see, [Connect-MsolService](https://msdn.microsoft.com/library/dn194123.aspx).
 - For **read and write** access, assign users to the security administrator role by using the following command:
 ```text
 Add-MsolRoleMember -RoleName "Security Administrator" -RoleMemberEmailAddress "secadmin@Contoso.onmicrosoft.com"
@@ -53,3 +60,21 @@ Add-MsolRoleMember -RoleName "Security Reader" -RoleMemberEmailAddress “reader
 ```
 
 For more information see, [Manage Azure AD group and role membership](https://technet.microsoft.com/library/321d532e-407d-4e29-a00a-8afbe23008dd#BKMK_ManageGroups).
+
+## Assign user access using the Azure portal
+
+1.	Go to the [Azure portal](https://portal.azure.com).
+
+2.	Select **Azure Active Directory**.
+
+3.  Select **Manage** > **Users and groups**.
+
+4.  Select **Manage** > **All users**.
+
+5.	Search or select the user you want to assign the role to.
+
+6.	Select **Manage** > **Directory role**.
+
+7.	Under **Directory role**, select **Limited administrator**, then **Security Reader** or **Security Administrator**.
+
+![Image of Microsoft Azure portal](images/atp-azure-ui-user-access.png)
diff --git a/windows/keep-secure/bitlocker-group-policy-settings.md b/windows/keep-secure/bitlocker-group-policy-settings.md
index c0112dcf47..c16db3871b 100644
--- a/windows/keep-secure/bitlocker-group-policy-settings.md
+++ b/windows/keep-secure/bitlocker-group-policy-settings.md
@@ -32,7 +32,7 @@ The following sections provide a comprehensive list of BitLocker Group Policy se
 
 The following policy settings can be used to determine how a BitLocker-protected drive can be unlocked.
 
--   [Allow devices with Secure Boot and protect DMS ports to opt out of preboot PIN](#bkmk-hstioptout)
+-   [Allow devices with Secure Boot and protect DMA ports to opt out of preboot PIN](#bkmk-hstioptout)
 -   [Allow network unlock at startup](#bkmk-netunlock)
 -   [Require additional authentication at startup](#bkmk-unlockpol1)
 -   [Allow enhanced PINs for startup](#bkmk-unlockpol2)
@@ -86,7 +86,7 @@ The following policies are used to support customized deployment scenarios in yo
 -   [Allow access to BitLocker-protected fixed data drives from earlier versions of Windows](#bkmk-depopt4)
 -   [Allow access to BitLocker-protected removable data drives from earlier versions of Windows](#bkmk-depopt5)
 
-### <a href="" id="bkmk-hstioptout"></a>Allow devices with Secure Boot and protect DMS ports to opt out of preboot PIN
+### <a href="" id="bkmk-hstioptout"></a>Allow devices with Secure Boot and protect DMA ports to opt out of preboot PIN
 
 This policy setting allows users on devices that are compliant with InstantGo or the Microsoft Hardware Security Test Interface (HSTI) to not have a PIN for preboot authentication.
  
@@ -137,7 +137,8 @@ This setting enables an exception to the PIN-required policy on secure hardware.
 
 ### <a href="" id="bkmk-netunlock"></a>Allow network unlock at startup
 
-This policy controls a portion of the behavior of the Network Unlock feature in BitLocker. This policy is required to enable BitLocker Network Unlock on a network because it allows clients running BitLocker to create the necessary network key protector during encryption. This policy is used in addition to the BitLocker Drive Encryption Network Unlock Certificate security policy (located in the **Public Key Policies** folder of Local Computer Policy) to allow systems that are connected to a trusted network to properly utilize the Network Unlock feature.
+This policy controls a portion of the behavior of the Network Unlock feature in BitLocker. This policy is required to enable BitLocker Network Unlock on a network because it allows clients running BitLocker to create the necessary network key protector during encryption. 
+This policy is used in addition to the BitLocker Drive Encryption Network Unlock Certificate security policy (located in the **Public Key Policies** folder of Local Computer Policy) to allow systems that are connected to a trusted network to properly utilize the Network Unlock feature.
  
 <table>
 <colgroup>
diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md
index 6cd59dffcb..18f2048095 100644
--- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md
+++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md
@@ -16,6 +16,10 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md
 ## March 2017
 |New or changed topic |Description |
 |---------------------|------------|
+|[Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](mandatory-settings-for-wip.md) |Updated based on Windows 10, version 1703. |
+|[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Added new content about Azure Rights Management. |
+|[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) |Added additional limitations for Windows 10, version 1703. |
+|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md)|Added content about recovering data from a cloud environment.|
 |[Protect derived domain credentials with Credential Guard](credential-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.|
 |[Requirements and deployment planning guidelines for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.|
 |[Windows Defender SmartScreen overview](windows-defender-smartscreen-overview.md)|New |
@@ -30,7 +34,6 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md
 |[Overview of threat mitigations in Windows 10](overview-of-threat-mitigations-in-windows-10.md) | Reorganized from existing content, to provide a better overview of threat mitigations. Added information that maps the Enhanced Mitigation Experience Toolkit (EMET) to Windows 10 features. |
 
 
-
 ## January 2017
 |New or changed topic |Description |
 |---------------------|------------|
diff --git a/windows/keep-secure/check-sensor-status-windows-defender-advanced-threat-protection.md b/windows/keep-secure/check-sensor-status-windows-defender-advanced-threat-protection.md
index f00f86053f..22861fbaa2 100644
--- a/windows/keep-secure/check-sensor-status-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/check-sensor-status-windows-defender-advanced-threat-protection.md
@@ -1,6 +1,6 @@
 ---
-title: Check sensor health state in Windows Defender ATP
-description: Check sensor health on machines to see if they are misconfigured or inactive.
+title: Check the health state of the sensor in Windows Defender ATP
+description: Check the sensor health on machines to identify which ones are misconfigured, inactive, or are not reporting sensor data.
 keywords: sensor, sensor health, misconfigured, inactive, no sensor data, sensor data, impaired communication, communication
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
diff --git a/windows/keep-secure/choose-the-right-bitlocker-countermeasure.md b/windows/keep-secure/choose-the-right-bitlocker-countermeasure.md
index 241eadd7f7..f00f1b4e23 100644
--- a/windows/keep-secure/choose-the-right-bitlocker-countermeasure.md
+++ b/windows/keep-secure/choose-the-right-bitlocker-countermeasure.md
@@ -117,9 +117,10 @@ Tables 1 and 2 summarize the recommended mitigations for different types of atta
 
 **Table 2.**&nbsp;&nbsp;How to choose the best countermeasures for Windows 10
 
-The latest InstantGo devices, primarily tablets, are designed to be secure by default against all attacks that might compromise the BitLocker encryption key. Other Windows devices can be, too. DMA port–based attacks, which represent the attack vector of choice, are not possible on InstantGo devices, because these port types are prohibited. The inclusion of DMA ports on even non-InstantGo devices is extremely rare on recent devices, particularly on mobile ones. This could change if Thunderbolt is broadly adopted, so IT should consider this when purchasing new devices. In any case DMA ports can be disabled entirely, which is an increasingly popular option because the use of 
-DMA ports is infrequent in the non-developer space.
+The latest InstantGo devices, primarily tablets, are designed to be secure by default against all attacks that might compromise the BitLocker encryption key. Other Windows devices can be secure by default too. DMA port–based attacks, which represent the attack vector of choice, are not possible on InstantGo devices because these port types are prohibited. The inclusion of DMA ports on even non-InstantGo devices is extremely rare on recent devices, particularly on mobile ones. This could change if Thunderbolt is broadly adopted, so IT should consider this when purchasing new devices. In any case, DMA ports can be disabled entirely, which is an increasingly popular option because the use of DMA ports is infrequent in the non-developer space. To prevent DMA port usage unless an authorized user is signed in, you can set the DataProtection/AllowDirectMemoryAccess policy by using Mobile Device Management (MDM) or the Group Policy setting **Disable new DMA devices when this computer is locked** (beginning with Windows 10, version 1703). This setting is **Not configured** by default. The path to the Group Policy setting is:
 
+**Computer Configuration|Administrative Templates|Windows Components|BitLocker Drive Encryption**
+    
 Memory remanence attacks can be mitigated with proper configuration; in cases where the system memory is fixed and non-removable, they are not possible using published techniques. Even in cases where system memory can be removed and loaded into another device, attackers will find the attack vector extremely unreliable, as has been shown in the DRDC Valcartier group’s analysis (see [An In-depth Analysis of the Cold Boot Attack](http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA545078)).
 
 Windows 7 PCs share the same security risks as newer devices but are far more vulnerable to DMA and memory remanence attacks, because Windows 7 devices are more likely to include DMA ports, lack support for UEFI-based Secure Boot, and rarely have fixed memory. To eliminate the need for pre-boot authentication on Windows 7 devices, disable the ability to boot to external media, password-protect the BIOS configuration, and disable the DMA ports. If you believe that your devices may be a target of a memory remanence attack, where the system memory may be removed and put into another computer to gain access to its contents, consider testing your devices to determine whether they are susceptible to this type of attack.
diff --git a/windows/keep-secure/command-line-arguments-windows-defender-antivirus.md b/windows/keep-secure/command-line-arguments-windows-defender-antivirus.md
index ea9f0e7d05..90098f1ce1 100644
--- a/windows/keep-secure/command-line-arguments-windows-defender-antivirus.md
+++ b/windows/keep-secure/command-line-arguments-windows-defender-antivirus.md
@@ -19,10 +19,14 @@ author: iaanw
 
 - Windows 10
 
+**Audience**
+
+- Enterprise security administrators
+
 
 You can use a dedicated command-line tool to perform various functions in Windows Defender Antivirus. 
 
-This utility can be handy when you want to automate the use of Windows Defender Antivirus. 
+This utility can be useful when you want to automate the use of Windows Defender Antivirus. 
 
 The utility is available in _%Program Files%\Windows Defender\MpCmdRun.exe_ and must be run from a command prompt.
 
diff --git a/windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md
deleted file mode 100644
index 7f3ba226aa..0000000000
--- a/windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md
+++ /dev/null
@@ -1,116 +0,0 @@
----
-title: Configure an Azure Active Directory application for SIEM integration
-description: Configure an Azure Active Directory application so that it can communicate with supported SIEM tools.
-keywords: configure aad for siem integration, siem integration, application, oauth 2
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: mjcaparas
-localizationpriority: high
----
-
-# Configure an Azure Active Directory application for SIEM integration
-
-**Applies to:**
-
-- Azure Active Directory
-- Windows 10 Enterprise
-- Windows 10 Education
-- Windows 10 Pro
-- Windows 10 Pro Education
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
-You need to add an application in your Azure Active Directory (AAD) tenant then authorize the Windows Defender ATP Alerts Export application  to communicate with it so that your security information and events management (SIEM) tool can pull alerts from Windows Defender ATP portal.
-
-1. Login to the [Azure management portal](https://ms.portal.azure.com).
-
-2. Select **Active Directory**.
-
-3. Select your tenant.
-
-4. Click **Applications**, then select **Add** to create a new application.
-
-5. Click **Add an application my organization is developing**.
-
-6. Choose a client name for the application, for example, *Alert Export Client*.
-
-7. Select **WEB APPLICATION AND/OR WEB API** in the Type section.
-
-8. Assign a sign-on URL and app ID URI to the application, for example, `https://alertexportclient`.
-
-9. Confirm the request details and verify that you have successfully added the app.
-
-10. Select the application you've just created from the directory application list and click the **Configure** tab.
-
-11. Scroll down to the **keys** section and select a duration for the application key.
-
-12. Type the following URLs in the **Reply URL** field:
-
-  - `https://DataAccess-PRD.trafficmanager.net:444/api/FetchAccessTokenFromAuthCode`
-  - `https://localhost:44300/WDATPconnector`
-
-13. Click **Save** and copy the key in a safe place. You'll need this key to authenticate the client application on Azure Active Directory.
-
-14. Open a web browser and connect to the following URL: `https://DataAccess-PRD.trafficmanager.net:444/api/FetchToken?clientId=f7c1acd8-0458-48a0-a662-dba6de049d1c&tenantId=<tenant ID>&clientSecret=1234`<br>
-
-  An Azure login page appears.
-  > [!NOTE]
-  > - Replace *tenant ID* with your actual tenant ID.  
-  > - Keep the *clientSecret* as is. This is a dummy value, but the parameter must appear.
-
-15. Sign in with the credentials of a user from your tenant.
-
-16. Click **Accept** to provide consent. Ignore the error.
-
-17. Click **Application configuration** under your tenant.
-
-18. Click **Permissions to other applications**, then select **Add application**.
-
-19. Click **All apps** from the **SHOW** field and submit.
-
-20. Click **WDATPAlertExport**, then select **+** to add the application. You should see it on the **SELECTED** panel.
-
-21. Submit your changes.
-
-22. On the **WDATPAlertExport** record, in the **Delegated Permissions** field, select **Access WDATPAlertExport**.
-
-23. Save the application changes.
-
-After configuring the application in AAD, you'll need to obtain a refresh token. You'll need to use the token when you configure the connector for your SIEM tool in the next steps. The token lets the connector access Windows Defender ATP events to be pulled by your SIEM.
-
-## Obtain a refresh token using an events URL
-Obtain a refresh token used to retrieve the Windows Defender Advanced Threat Protection events to your SIEM. This section provides information on how you can use an events URL to obtain the required refresh token.
->[!NOTE]
->For HP ArcSight, you can obtain a refresh token using the restutil tool. For more information, see [Configure HP ArcSight to pull alerts](configure-arcsight-windows-defender-advanced-threat-protection.md).
-
-### Before you begin
-Get the following information from your Azure Active Directory (AAD) application by selecting the **View Endpoint** on the application configuration page:
-
-    - OAuth 2 Client ID
-    - OAuth 2 Client secret
-
-You'll use these values to obtain a refresh token.
-
->[!IMPORTANT]
->Before using the OAuth 2 Client secret described in the next steps, you **must** encode it. Use a URL encoder to transform the OAuth 2 client secret.
-
-### Obtain a refresh token
-1. Open a web browser and connect to the following URL: `https://DataAccess-PRD.trafficmanager.net:444/api/FetchToken?clientId=<client ID>&tenantId=<tenant ID>&clientSecret=<client secret>`
-
-  >[!NOTE]
-  >- Replace the *client ID* value with the one you got from your AAD application.
-  >- Replace *tenant ID* with your actual tenant ID.
-  >- Replace *client secret* with your encoded client secret. The client secret **must** be pasted encoded.
-
-2. Click **Accept**. When you authenticate, a web page opens with your refresh token.
-
-3.  Save the refresh token which you'll find it the `<RefreshToken></RefreshToken>`value. You'll need this value when configuring your SIEM tool.
-
-After configuring your AAD application and generating a refresh token, you can proceed to configure your SIEM tool.
-
-## Related topics
-- [Configure security information and events management (SIEM) tools to pull alerts](configure-siem-windows-defender-advanced-threat-protection.md)
-- [Configure Splunk to pull alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
-- [Configure HP ArcSight to pull alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/configure-advanced-scan-types-windows-defender-antivirus.md b/windows/keep-secure/configure-advanced-scan-types-windows-defender-antivirus.md
index cd5a3e9874..1f2fa78b86 100644
--- a/windows/keep-secure/configure-advanced-scan-types-windows-defender-antivirus.md
+++ b/windows/keep-secure/configure-advanced-scan-types-windows-defender-antivirus.md
@@ -1,5 +1,5 @@
 ---
-title: Configure advanced scanning types for Windows Defender AV
+title: Configure scanning options for Windows Defender AV
 description: You can configure Windows Defender AV to scan email storage files, back-up or reparse points, network files, and archived files (such as .zip files).
 keywords: advanced scans, scanning, email, archive, zip, rar, archive, reparse scanning
 search.product: eADQiWindows 10XVcnh
@@ -12,147 +12,92 @@ localizationpriority: medium
 author: iaanw
 ---
 
-# Configure email, removable storage, network, reparse point, and archive scanning in Windows Defender AV
+# Configure scanning options in Windows Defender AV
 
 
 **Applies to**
 -   Windows 10
 
+**Audience**
+
+- Enterprise security administrators
+
+**Manageability available with**
+
+- Group Policy
+- PowerShell
+- Windows Management Instrumentation (WMI)
+- System Center Configuration Manager
+- Microsoft Intune
+
+
+To configure the Group Policy settings described in the following table:
+
+1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3.  In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4.  Click **Policies** then **Administrative templates**.
+
+5.  Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below.
+
+6. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings.
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+For using WMI classes, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx).
+
+Description | Location and setting | Default setting (if not configured) | PowerShell `Set-MpPreference` parameter or WMI property for `MSFT_MpPreference` class
+---|---|---|---
+See [Email scanning limitations](#ref1)) below | Scan > Turn on e-mail scanning | Disabled | `-DisableEmailScanning`
+Scan [reparse points](https://msdn.microsoft.com/library/windows/desktop/aa365503.aspx) | Scan > Turn on reparse point scanning | Disabled | `-DisableRestorePoint`
+Scan mapped network drives | Scan > Run full scan on mapped network drives | Disabled | `-DisableScanningMappedNetworkDrivesForFullScan`
+ Scan archive files (such as .zip or .rar files). The [extensions exclusion list](configure-extension-file-exclusions-windows-defender-antivirus.md) will take precendence over this setting. | Scan > Scan archive files | Enabled | `-DisableArchiveScanning`
+Scan files on the network | Scan > Scan network files | Disabled | `-DisableScanningNetworkFiles`
+Scan packed executables | Scan > Scan packed executables | Enabled | Not available
+Scan removable drives during full scans only | Scan > Scan removable drives | Disabled | `-DisableRemovableDriveScanning`
+Specify the level of subfolders within an archive folder to scan | Scan > Specify the maximum depth to scan archive files | 0 | Not available
+ Specify the maximum CPU load (as a percentage) during a scan. This a theoretical maximum - scans will not always use the maximum load defined here, but they will never exceed it | Scan > Specify the maximum percentage of CPU utilization during a scan | 50 |  `-ScanAvgCPULoadFactor`
+ Specify the maximum size (in kilobytes) of archive files that should be scanned. The default, **0**, applies not limit | Scan > Specify the maximum size of archive files to be scanned | No limit | Not available
+
+**Use Configuration Manager to configure scanning options:**
+
+See [How to create and deploy antimalware policies: Scan settings]( https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#scan-settings) for details on configuring System Center Configuration Manager (current branch).
+
+
+**Use Microsoft Intune to configure scanning options**
 
 
 
-
-
-
-## Manage email scans in Windows Defender
-
-You can use Windows Defender to scan email files. Malware can install itself and hide in email files, and although real-time protection offers you the best protection from email malware, you can also scan emails stored on your PC or server with Windows Defender.
-> **Important:**  Mail scanning only applies to on-demand and scheduled scans, not on-access scans.
+See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune: Scan options](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#specify-scan-options-settings) and [Windows Defender policy settings in Windows 10](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune#windows-defender-1) for more details.
  
-Windows Defender scans Microsoft Office Outlook 2003 and older email files. We identify the file type at run-time based on the content of the file, not on location or extension.
-> **Note: **  Scanning email files might increase the time required to complete a scan.
- 
-Windows Defender can extract embedded objects within a file (attachments and archived files, for example) and scan internally.
-> **Note:**  While Windows Defender can be configured to scan email files, it can only remediate threats detected inside certain files, for example:
--   DBX
--   MBX
--   MIME
- 
-You can configure Windows Defender to scan PST files used by Outlook 2003 or older versions (where the archive type is set to non-uni-code), but Windows Defender cannot remediate threats detected inside PST files. We recommend using real-time protection to protect against email malware.
+
+
+<a id="ref1"></a>
+### Email scanning limitations
+We recommend using [always-on real-time protection](configure-real-time-protection-windows-defender-antivirus.md) to protect against email-based malware.
+
+Always-on protection scans emails as they arrive and as they are manipulated, just like normal files in the operating system. This provides the strongest form of protection and is the recommended method for scanning emails.
+
+You can use this Group Policy to also enable scanning of older email files used by Outlook 2003 and older during on-demand and scheduled scans. Embedded objects within an email file (such as attachments and archived files) are also scanned. The following file format types can be scanned and remediated:
+- DBX
+- MBX
+- MIME
+
+PST files used by Outlook 2003 or older (where the archive type is set to non-uni-code) can also be scanned, but Windows Defender cannot remediate threats detected inside PST files. This is another reason why we recommend using [always-on real-time protection](configure-real-time-protection-windows-defender-antivirus.md) to protect against email-based malware.
 
 If Windows Defender detects a threat inside an email, it will show you the following information to assist you in identifying the compromised email, so you can remediate the threat:
 -   Email subject
 -   Attachment name
-Email scanning in Windows Defender is turned off by default. There are three ways you can manage scans through Windows Defender:
--   *Group Policy* settings
--   WMI
--   PowerShell
-> **Important:**  There are some risks associated with scanning some Microsoft Outlook files and email messages. You can read about tips and risks associated with scanning Outlook files and email messages in the following articles:
+
+>[!WARNING]
+>There are some risks associated with scanning some Microsoft Outlook files and email messages. You can read about tips and risks associated with scanning Outlook files and email messages in the following articles:
 -   [Scanning Outlook files in Outlook 2013](https://technet.microsoft.com/library/dn769141.aspx#bkmk-1)
 -   [Scanning email messages in Outlook 2013](https://technet.microsoft.com/library/dn769141.aspx#bkmk-2)
- 
-## Use *Group Policy* settings to enable email scans
 
-This policy setting allows you to turn on email scanning. When email scanning is enabled, the engine will parse the mailbox and mail files to analyze the mail bodies and attachments.
+## Related topics
 
-Turn on email scanning with the following *Group Policy* settings:
-1.  Open the **Group Policy Editor**.
-2.  In the **Local Computer Policy** tree, expand **Computer Configuration**, then **Administrative Templates**, then **Windows Components**, then **Windows Defender**.
-3.  Click **Scan**.
-4.  Double-click **Turn on e-mail scanning**.
-
-    This will open the **Turn on e-mail scanning** window:
-    
-    ![turn on e-mail scanning window](images/defender-scanemailfiles.png)
-    
-5.  Select **Enabled**.
-6.  Click **OK** to apply changes.
-
-## Use WMI to disable email scans
-
-You can write a WMI script or application to disable email scanning. Read more about [WMI in this article](https://msdn.microsoft.com/library/windows/desktop/dn439477.aspx), and read about [Windows Preference classes in this article](https://msdn.microsoft.com/library/windows/desktop/dn455323.aspx).
-
-Use the **DisableEmailScanning** property of the **MSFT\_MpPreference** class (part of the Windows DefenderWMI provider) to enable or disable this setting:
-**DisableEmailScanning**
-Data type: **boolean**
-Access type: Read-only
-Disable email scanning.
-
-## Use PowerShell to enable email scans
-
-You can also enable email scanning using the following PowerShell parameter:
-1.  Open PowerShell or PowerShellIntegrated Scripting Environment (ISE).
-2.  Type **Set-MpPreference -DisableEmailScanning $false**.
-
-Read more about this in:
--   [Scripting with Windows PowerShell](https://technet.microsoft.com/library/bb978526.aspx)
--   [Defender Cmdlets](https://technet.microsoft.com/library/dn433280.aspx)
-
-## Manage archive scans in Windows Defender
-
-You can use Windows Defender to scan archive files. Malware can install itself and hide in archive files, and although real-time protection offers you the best protection from malware, you can also scan archives stored on your PC or server with Windows Defender.
-> **Important:**  Archive scanning only applies to on-demand and scheduled scans, not on-access scans.
- 
-Archive scanning in Windows Defender is turned on by default. There are four ways you can manage scans through Windows Defender:
--   *Group Policy* settings
--   WMI
--   PowerShell
--   Endpoint Protection
-> **Note:**  Scanning archive files might increase the time required to complete a scan.
- 
-If you exclude an archive file type by using the **Extensions** box, Windows Defender will not scan files with that extension (no matter what the content is), even when you have selected the **Scan archive files** check box. For example, if you exclude .rar files but there�s a .r00 file that�s actually .rar content, it will still be scanned if archive scanning is enabled.
-
-## Use *Group Policy* settings to enable archive scans
-
-This policy setting allows you to turn on archive scanning.
-
-Turn on email scanning with the following *Group Policy* settings:
-1.  Open the **Group Policy Editor**.
-2.  In the **Local Computer Policy** tree, expand **Computer Configuration**, then **Administrative Templates**, then **Windows Components**, then **Windows Defender**.
-3.  Click **Scan**.
-4.  Double-click **Scan archive files**.
-
-    This will open the **Scan archive files** window:
-    
-    ![scan archive files window](images/defender-scanarchivefiles.png)
-    
-5.  Select **Enabled**.
-6.  Click **OK** to apply changes.
-
-There are a number of archive scan settings in the **Scan** repository you can configure through *Group Policy*, for example:
--   Maximum directory depth level into which archive files are unpacked during scanning
-
-    ![specify the maximum depth to scan archive files window](images/defender-scanarchivedepth.png)
-    
--   Maximum size of archive files that will be scanned
-
-    ![specify the maximum size of archive files to be scanned window](images/defender-scanarchivesize.png)
-    
--   Maximum percentage CPU utilization permitted during a scan
-
-    ![specify the maximum percentage od cpu utilization during a scan window](images/defender-scanarchivecpu.png)
-
-## Use WMI to disable archive scans
-
-You can write a WMI script or application to disable archive scanning. Read more about [WMI in this article](https://msdn.microsoft.com/library/windows/desktop/dn439477.aspx), and read about [Windows Preference classes in this article](https://msdn.microsoft.com/library/windows/desktop/dn455323.aspx).
-
-Use the **DisableArchiveScanning** property of the **MSFT\_MpPreference** class (part of the Windows DefenderWMI provider) to enable or disable this setting:
-**DisableArchiveScanning**
-Data type: **boolean**
-Access type: Read-only
-Disable archive scanning.
-
-## Use PowerShell to enable archive scans
-
-You can also enable archive scanning using the following PowerShell parameter:
-1.  Open PowerShell or PowerShellISE.
-2.  Type **Set-MpPreference -DisableArchiveScanning $false**.
-
-Read more about this in:
--   [Scripting with Windows PowerShell](https://technet.microsoft.com/library/bb978526.aspx)
--   [Defender Cmdlets](https://technet.microsoft.com/library/dn433280.aspx)
-
-## Use Endpoint Protection to configure archive scans
-
-In Endpoint Protection, you can use the advanced scanning options to configure archive scanning. For more information, see [What are advanced scanning options?](https://technet.microsoft.com/library/ff823807.aspx)
- 
+- [Customize, initiate, and review the results of Windows Defender AV scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
+- [Configure and run on-demand Windows Defender AV scans](run-scan-windows-defender-antivirus.md)
+- [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
\ No newline at end of file
diff --git a/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md
index 21b8b172ec..636c697802 100644
--- a/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md
@@ -180,6 +180,5 @@ Windows Defender ATP alerts will appear as discrete events, with "Microsoft” a
 
 ## Related topics
 - [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
-- [Configure Splunk](configure-splunk-windows-defender-advanced-threat-protection.md)
-- [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md)
+- [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
 - [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/configure-block-at-first-sight-windows-defender-antivirus.md b/windows/keep-secure/configure-block-at-first-sight-windows-defender-antivirus.md
index 7bd0777196..0321537068 100644
--- a/windows/keep-secure/configure-block-at-first-sight-windows-defender-antivirus.md
+++ b/windows/keep-secure/configure-block-at-first-sight-windows-defender-antivirus.md
@@ -135,7 +135,7 @@ You may choose to disable the Block at First Sight feature if you want to retain
 
 5.  Expand the tree through **Windows components > Windows Defender Antivirus > MAPS**.
 
-1.  Double-click the **Configure the �Block at First Sight� feature** setting and set the option to **Disabled**.
+1.  Double-click the **Configure the 'Block at First Sight' feature** setting and set the option to **Disabled**.
 
     > [!NOTE]
     > Disabling the Block at First Sight feature will not disable or alter the pre-requisite group policies.
@@ -143,7 +143,7 @@ You may choose to disable the Block at First Sight feature if you want to retain
 
 ## Related topics
 
-- [Windows Defender in Windows 10](windows-defender-in-windows-10.md)
+- [Windows Defender in Windows 10](windows-defender-antivirus-in-windows-10.md)
 - [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
 
 
diff --git a/windows/keep-secure/configure-cloud-block-timeout-period-windows-defender-antivirus.md b/windows/keep-secure/configure-cloud-block-timeout-period-windows-defender-antivirus.md
index 8846515965..ab5f73d845 100644
--- a/windows/keep-secure/configure-cloud-block-timeout-period-windows-defender-antivirus.md
+++ b/windows/keep-secure/configure-cloud-block-timeout-period-windows-defender-antivirus.md
@@ -57,14 +57,14 @@ You can use Group Policy to specify an extended timeout for cloud checks.
 
 4.  Expand the tree to **Windows components > Windows Defender Antivirus > MpEngine**
     
-5.  Double-click the **Configure extended cloud check** setting and ensure the option is enabled. Specify the additional amount of time to prevent the file from running while waiting for a cloud determination.  You can specify the additional time, in seconds, from 1 second to 50 seconds. This time will be added to the default 10 seconds.
+5.  Double-click the **Configure extended cloud check** setting and ensure the option is enabled. Specify the additional amount of time to prevent the file from running while waiting for a cloud determination. You can specify the additional time, in seconds, from 1 second to 50 seconds. This time will be added to the default 10 seconds.
     
 6. Click **OK**.
 
 
 ## Related topics
 
-- [Windows Defender in Windows 10](windows-defender-in-windows-10.md)
+- [Windows Defender in Windows 10](windows-defender-antivirus-in-windows-10.md)
 - [Utilize Microsoft cloud-delivered protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
 - [Configure the Block at First Sight feature](configure-block-at-first-sight-windows-defender-antivirus.md)
 - [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
diff --git a/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
index 59f309b4ab..c6e02becaf 100644
--- a/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
@@ -84,7 +84,9 @@ For security reasons, the package used to offboard endpoints will expire 30 days
 
     a. Click **Endpoint Management** on the **Navigation pane**.
 
-    b. Under **Endpoint offboarding** section, select **Group Policy**, click **Download package** and save the .zip file.
+    b. Click the **Endpoint offboarding** section.
+
+    c. Select **Group Policy**, click **Download package** and save the .zip file.
 
 2.	Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
 
diff --git a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
index d5fb36ac0b..058966943e 100644
--- a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
@@ -108,7 +108,9 @@ For security reasons, the package used to offboard endpoints will expire 30 days
 
     a. Click **Endpoint Management** on the **Navigation pane**.
 
-    b. Under **Endpoint offboarding** section, select **Mobile Device Management /Microsoft Intune**, click **Download package** and save the .zip file.
+    b. Click the **Endpoint offboarding** section.
+
+    c. Select **Mobile Device Management /Microsoft Intune**, click **Download package** and save the .zip file.
 
 2.	Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP_valid_until_YYYY-MM-DD.offboarding*.
 
diff --git a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
index 49e9d275ab..89f4c7887d 100644
--- a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
@@ -88,7 +88,9 @@ For security reasons, the package used to offboard endpoints will expire 30 days
 
     a. Click **Endpoint Management** on the **Navigation pane**.
 
-    b. Under **Endpoint offboarding** section, select **System Center Configuration Manager System Center Configuration Manager 2012/2012 R2/1511/1602**, click **Download package**, and save the .zip file.
+    b. Click the **Endpoint offboarding** section.
+
+    c. Select **System Center Configuration Manager System Center Configuration Manager 2012/2012 R2/1511/1602**, click **Download package**, and save the .zip file.
 
 2.	Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
 
diff --git a/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md
index 50903ddc26..31b9b673c4 100644
--- a/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md
@@ -78,7 +78,9 @@ For security reasons, the package used to offboard endpoints will expire 30 days
 
     a. Click **Endpoint Management** on the **Navigation pane**.
 
-    b. Under **Endpoint offboarding** section, select **Group Policy**, click **Download package** and save the .zip file.
+    b. Click the **Endpoint offboarding** section.
+
+    c. Select **Group Policy**, click **Download package** and save the .zip file.
 
 2.	Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
 
diff --git a/windows/keep-secure/configure-exclusions-windows-defender-antivirus.md b/windows/keep-secure/configure-exclusions-windows-defender-antivirus.md
index 11e86abb86..874d94951f 100644
--- a/windows/keep-secure/configure-exclusions-windows-defender-antivirus.md
+++ b/windows/keep-secure/configure-exclusions-windows-defender-antivirus.md
@@ -1,6 +1,6 @@
 ---
 title: Set up exclusions for Windows Defender AV scans
-description: You can exclude files (including files modified by specified processes) and folders from being scanned by Windows Defender AV
+description: You can exclude files (including files modified by specified processes) and folders from being scanned by Windows Defender AV. Validate your exclusions with PowerShell.
 keywords: 
 search.product: eADQiWindows 10XVcnh
 ms.pagetype: security
@@ -12,7 +12,7 @@ localizationpriority: medium
 author: iaanw
 ---
 
-# Exclude files and processes from Windows Defender AV scans
+# Configure and validate file, folder, and process-opened file exclusions in Windows Defender AV scans
 
 
 **Applies to:**
@@ -27,115 +27,26 @@ author: iaanw
 **Manageability available with**
 
 - Group Policy
-- System Center Configuration Manager 
 - PowerShell
 - Windows Management Instrumentation (WMI)
+- System Center Configuration Manager
 - Microsoft Intune
 - Windows Defender Security Center
 
-You can exclude certain files, folders, and process-modified files from being scanned by Windows Defender AV. The exclusions apply to both [scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md) and [always-on real-time protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md).
+You can exclude certain files, folders, processes, and process-opened files from being scanned by Windows Defender Antivirus. 
 
-Changes made via Group Policy to the exclusion lists will show in the lists in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions).
+The exclusions apply to [scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md), [on-demand scans](run-scan-windows-defender-antivirus.md), and [always-on real-time protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md). Exclusions for process-opened files only aply to real-time protection.
 
-However, changes made in the Windows Defender Security Center app will not show in the lists in the Group Policy settings.
+Exclusions can be useful to avoid incorrect detections on files or software that are unique or customized to your organization.
 
+>[!WARNING]
+>Defining exclusions lowers the protection offered by Windows Defender AV. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious.
 
-## Exclude file extensions from Windows Defender AV scans
+## In this section
 
-You can exclude certain file extenstions from being scanned by Windows Defender AV.
+Topic | Description 
+---|---
+[Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md) | Exclude files from Windows Defender AV scans based on their file extension, file name, or location
+[Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md) | You can exclude files from scans that have been opened by a specific process
+[Configure exclusions in Windows Defender AV on Windows Server](configure-server-exclusions-windows-defender-antivirus.md) | Windows Server 2016 includes automatic exclusions, based on the defined Server Role. You can also add custom exclusions
 
-**Use Group Policy to exclude specified file extensions from scans:**
-
-1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
-
-3.  In the **Group Policy Management Editor** go to **Computer configuration**.
-
-4.  Click **Policies** then **Administrative templates**.
-
-5.  Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**. 
-
-
-6. Double-click the **Extension Exclusions** setting and add the exclusions:
-
-    1. Set the option to **Enabled**. 
-    2. Under the **Options** section, click **Show...**
-    3. Enter each file extension on its own line under the **Value name** column.  Enter **0** in the **Value** column for all processes.
-
-7. Click **OK**. 
-
-![The Group Policy setting for file exclusions](images/defender/wdav-extension-exclusions.png)
-
-
-
-
-## Exclude paths and files from Windows Defender AV scans
-
-**Use Group Policy to exclude specified paths or folders from scans:**
-
-1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
-
-3.  In the **Group Policy Management Editor** go to **Computer configuration**.
-
-4.  Click **Policies** then **Administrative templates**.
-
-5.  Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**. 
-
-
-6. Double-click the **Path Exclusions** setting and add the exclusions:
-
-    1. Set the option to **Enabled**. 
-    2. Under the **Options** section, click **Show...**
-    3. Enter each path or file on its own line under the **Value name** column. If you are entering a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extesnsion. Enter **0** in the **Value** column for all processes.
-
-7. Click **OK**. 
-
-![The Group Policy setting for folder exclusions](images/defender/wdav-path-exclusions.png)
-
-
-## Exclude files opened by processes from Windows Defender AV scns
-
-You can exclude files that are opened by specified processes from being scanned. The specified process won't be excluded - but any files that are opened by that process will be.
-
-You can only exclude executable files.
-
-**Use Group Policy to exclude files that have been used or modified by specified processes from scans:**
-
-1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
-
-3.  In the **Group Policy Management Editor** go to **Computer configuration**.
-
-4.  Click **Policies** then **Administrative templates**.
-
-5.  Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**. 
-
-
-6. Double-click the **Process Exclusions** setting and add the exclusions:
-
-    1. Set the option to **Enabled**. 
-    2. Under the **Options** section, click **Show...**
-    3. Enter each process on its own line under the **Value name** column. Ensure you enter a fully qualified path to the process, including the drive letter, folder path, filename, and extesnsion. Enter **0** in the **Value** column for all processes.
-
-7. Click **OK**. 
-
-![The Group Policy setting for specifying process exclusions](images/defender/wdav-process-exclusions.png)
-
-
- ## Configure auto exclusions lists for Windows Server deployments
-
-If you are using Windows Defender AV to protect Windows Server endpoints or machines, you are [automatically enrolled in certain exclusions](https://technet.microsoft.com/en-us/windows-server-docs/security/windows-defender/automatic-exclusions-for-windows-defender), as defined by your specified Server role.
-
-These exclusions will not appear in the standard exclusion lists shown in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions).
-
-You can also [add custom exclusions to the auto exclusions with PowerShell](https://technet.microsoft.com/en-us/windows-server-docs/security/windows-defender/windows-defender-overview-windows-server#BKMK_DefExclusions).
-Exclusions | Turn off Auto Exclusions | 
-
-
-
-
-
-
-
-## Related topics
-
-- [Customize, initiate, and review the results of Windows Defender AV scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
\ No newline at end of file
diff --git a/windows/keep-secure/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/keep-secure/configure-extension-file-exclusions-windows-defender-antivirus.md
new file mode 100644
index 0000000000..3d78deccde
--- /dev/null
+++ b/windows/keep-secure/configure-extension-file-exclusions-windows-defender-antivirus.md
@@ -0,0 +1,281 @@
+---
+title: Configure and validate exclusions based on extension, name, or location
+description: Exclude files from Windows Defender AV scans based on their file extension, file name, or location.
+keywords: exclusions, files, extension, file type, folder name, file name, scans
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Configure and validate exclusions based on file extension and folder location
+
+
+**Applies to:**
+
+- Windows 10
+
+**Audience**
+
+- Enterprise security administrators
+
+
+**Manageability available with**
+
+- Group Policy
+- PowerShell
+- Windows Management Instrumentation (WMI)
+- System Center Configuration Manager
+- Microsoft Intune
+- Windows Defender Security Center
+
+You can exclude certain files from being scanned by Windows Defender AV by modifying exclusion lists. 
+
+This topic describes how to configure exclusion lists for the following:
+
+Exclusion | Examples | Exclusion list
+---|---|---
+Any file with a specific extension | All files with the .test extension, anywhere on the machine | Extension exclusions
+Any file under a specific folder | All files under the c:\test\sample folder | File and folder exclusions
+A specific file in a specific folder | The file c:\sample\sample.test only | File and folder exclusions
+A specific process | The executable file c:\test\process.exe | File and folder exclusions
+
+This means the exclusion lists have the following characteristics:
+- Folder exclusions will apply to all files and folders under that folder.
+- File extensions will apply to any file name with the defined extension, regardless of where the file is located.
+
+
+To exclude files opened by a specific process, see the [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md) topic.
+
+
+The exclusions apply to [scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md), [on-demand scans](run-scan-windows-defender-antivirus.md), and [always-on real-time protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md).
+
+Changes made via Group Policy to the exclusion lists **will show** in the lists in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions). However, changes made in the Windows Defender Security Center app **will not show** in the Group Policy lists.
+
+You can add, remove, and review the lists for exclusions in [Group Policy](#gp), [System Center Configuration Manager, Microsoft Intune, and with the Windows Defender Security Center app](#man-tools), and you can [use wildcards](#wildcards) to further customize the lists.
+
+You can also [use PowerShell cmdlets and WMI to configure the exclusion lists](#ps), including [reviewing](#review) and [validating](#validate) your lists. 
+
+
+By default, local changes made to the lists (by users with administrator privileges; this includes changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts. 
+
+You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-windows-defender-antivirus.md#merge-lists) to allow local changes to override managed deployment settings.
+
+ 
+
+
+
+
+## Configure the list of exclusions based on folder name or file extension
+
+<a id="gp"></a>
+**Use Group Policy to configure folder or file extension exclusions:**
+
+>[!NOTE]
+>If you include a fully qualified path to a file, then only that file will be excluded. If a folder is defined in the exclusion, then all files and subdirectories under that folder will be excluded.
+
+1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3.  In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4.  Click **Policies** then **Administrative templates**.
+
+5.  Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**. 
+
+
+6. Double-click the **Path Exclusions** setting and add the exclusions:
+
+    1. Set the option to **Enabled**. 
+    2. Under the **Options** section, click **Show...**
+    3. Enter each folder on its own line under the **Value name** column. If you are entering a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column for all processes.
+
+7. Click **OK**. 
+
+![The Group Policy setting for file and folder exclusions](images/defender/wdav-path-exclusions.png)
+
+8. Double-click the **Extension Exclusions** setting and add the exclusions:
+
+    1. Set the option to **Enabled**. 
+    2. Under the **Options** section, click **Show...**
+    3. Enter each file extension on its own line under the **Value name** column.  Enter **0** in the **Value** column for all processes.
+
+
+9. Click **OK**. 
+
+![The Group Policy setting for extension exclusions](images/defender/wdav-extension-exclusions.png)
+
+
+<a id="ps"></a>
+**Use PowerShell cmdlets to configure file name, folder, or file extension exclusions:**
+
+Using PowerShell to add or remove exclusions for files based on the extension, location, or file name requires using a combination of three cmdlets and the appropriate exclusion list parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/defender).
+
+The format for the cmdlets is:
+
+```PowerShell
+<cmdlet> -<exclusion list> "<item>"
+```
+
+The following are allowed as the \<cmdlet>:
+
+Configuration action | PowerShell cmdlet
+---|---
+Create or overwrite the list | `Set-MpPreference` 
+Add to the list | `Add-MpPreference` 
+Remove item from the list | `Remove-MpPreference` 
+
+The following are allowed as the \<exclusion list>:
+
+Exclusion type | PowerShell parameter
+---|---
+All files with a specified file extension | `-ExclusionExtension`
+All files under a folder (including files in subdirectories), or a specific file | `-ExclusionPath`
+
+
+>[!IMPORTANT]
+>If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list. 
+
+
+For example, the following code snippet would cause Windows Defender AV scans to exclude any file with the **.test** file extension:
+
+```PowerShell
+Add-MpPreference -ExclusionExtension ".test"
+```
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+
+**Use Windows Management Instruction (WMI) to configure file name, folder, or file extension exclusions:**
+
+Use the [ **Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties:
+
+```WMI
+ExclusionExtension
+ExclusionPath
+```
+
+The use of **Set**, **Add**, and **Remove** is analogous to their counterparts in PowerShell: `Set-MpPreference`, `Add-MpPreference`, and `Remove-MpPreference`.
+
+See the following for more information and allowed parameters:
+- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
+
+<a id="man-tools"></a>
+**Use Configuration Manager to configure file name, folder, or file extension exclusions:**
+
+See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring System Center Configuration Manager (current branch).
+
+
+**Use Microsoft Intune to configure file name, folder, or file extension exclusions:**
+
+
+See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune) and [Windows Defender policy settings in Windows 10](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune#windows-defender-1) for more details.
+
+
+**Use the Windows Defender Security Center app to configure file name, folder, or file extension exclusions:**
+
+See [Add exclusions in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions) for instructions.
+
+
+
+<a id="wildcards"></a>
+## Use wildcards in the file name and folder path or extension exclusion lists
+
+You can use the asterisk \*, question mark ?, or environment variables (such as %ALLUSERSPROFILE%) as wildcards when defining items in the file name or folder path exclusion list.
+
+>[!IMPORTANT]
+>Environment variable usage is limited to machine variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account.
+
+You cannot use a wildcard in place of a drive letter.
+
+
+The following table describes how the wildcards can be used and provides some examples.
+
+Wildcard | Use | Example use | Example matches
+---|---|---|---
+\* (asterisk) | Replaces any number of characters | <ul><li>C:\MyData\my\*.zip</li><li>C:\somepath\\\*\Data</li></ul> | <ul><li>C:\MyData\my-archived-files-43.zip</li><li>Any file in C:\somepath\folder1\folder2\Data</li></ul>
+? (question mark) | Replaces a single character | <ul><li>C:\MyData\my\?.zip</li><li>C:\somepath\\\?\Data</li></ul> | <ul><li>C:\MyData\my1.zip</li><li>Any file in C:\somepath\P\Data</li></ul>
+Environment variables | The defined variable will be populated as a path when the exclusion is evaluated |  <ul><li>%ALLUSERSPROFILE%\CustomLogFiles</li></ul> | <ul><li>C:\ProgramData\CustomLogFiles\Folder1\file1.txt</li></ul>
+
+
+
+
+<a id="review"></a>
+## Review the list of exclusions
+
+You can retrieve the items in the exclusion list with PowerShell, [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), [Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune), or the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions).
+
+If you use PowerShell, you can retrieve the list in two ways:
+
+- Retrieve the status of all Windows Defender AV preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line.
+- Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line.
+
+**Review the list of exclusions alongside all other Windows Defender AV preferences:**
+
+Use the following cmdlet:
+
+```PowerShell
+Get-MpPreference
+```
+
+In the following example, the items contained in the `ExclusionExtension` list are highlighted:
+  
+
+![PowerShell output for Get-MpPreference showing the exclusion list alongside other preferences](images/defender/wdav-powershell-get-exclusions-all.png)
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+
+**Retrieve a specific exclusions list:**
+
+Use the following code snippet (enter each line as a separate command); replace **WDAVprefs** with whatever label you want to name the variable:
+
+```PowerShell
+$WDAVprefs = Get-MpPreference
+$WDAVprefs.ExclusionExtension
+$WDAVprefs.ExclusionPath
+```
+
+In the following example, the list is split into new lines for each use of the `Add-MpPreference` cmdlet:
+
+![PowerShell output showing only the entries in the exclusion list](images/defender/wdav-powershell-get-exclusions-variable.png)
+
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+
+
+ 
+
+<a id="validate"></a>
+## Validate exclusions lists with the EICAR test file
+
+You can validate that your exclusion lists are working by using PowerShell with either the `Invoke-WebRequest` cmdlet or the .NET WebClient class to download a test file.
+
+In the following PowerShell snippet, replace *test.txt* with a file that conforms to your exclusion rules. For example, if you have excluded the .testing extension, replace *test.txt* with *test.testing*. If you are testing a path, ensure you run the cmdlet within that path.
+
+```PowerShell
+Invoke-WebRequest "http://www.eicar.org/download/eicar.com.txt" -OutFile "test.txt"
+```
+
+If Windows Defender AV reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm the contents are the same as what is described on the [EICAR testfile website](http://www.eicar.org/86-0-Intended-use.html).
+
+You can also use the following PowerShell code, which calls the .NET WebClient class to download the testfile - as with the `Invoke-WebRequest` cmdlet; replace *c:\test.txt* with a file that conforms to the rule you are validating:
+
+```PowerShell 
+$client = new-object System.Net.WebClient
+$client.DownloadFile("http://www.eicar.org/download/eicar.com.txt","c:\test.txt")
+```
+
+
+
+## Related topics
+
+- [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md)
+- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md)
+- [Configure exclusions in Windows Defender AV on Windows Server](configure-server-exclusions-windows-defender-antivirus.md)
+- [Customize, initiate, and review the results of Windows Defender AV scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
diff --git a/windows/keep-secure/configure-local-policy-overrides-windows-defender-antivirus.md b/windows/keep-secure/configure-local-policy-overrides-windows-defender-antivirus.md
index fb1993e2a1..58d8075e0c 100644
--- a/windows/keep-secure/configure-local-policy-overrides-windows-defender-antivirus.md
+++ b/windows/keep-secure/configure-local-policy-overrides-windows-defender-antivirus.md
@@ -53,27 +53,27 @@ To configure these settings:
 
 7. Deploy the Group Policy Object as usual.
 
-Location | Setting | Impact if **Enabled** | Configuration topic
+Location | Setting | Configuration topic
 ---|---|---|---
-MAPS | Configure local setting override for reporting to Microsoft MAPS | User can disable cloud protection | [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
-Quarantine | Configure local setting override for the removal of items from Quarantine folder | User can change the number of days threats are kept in the quarantine folder before being removed |[Configure remediation for scans](configure-remediation-windows-defender-antivirus.md)
-Real-time protection | Configure local setting override for monitoring file and program activity on your computer | User can disable real-time protection | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
-Real-time protection | Configure local setting override for monitoring for incoming and outgoing file activity | User can change direction for file activity monitoring | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
-Real-time protection | Configure local setting override for scanning all downloaded files and attachments | Allow user to disable scans of downloaded files and attachments | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
-Real-time protection | Configure local setting override for turn on behavior monitoring | User  | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
-Real-time protection | Configure local setting override to turn on real-time protection | xxx | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
-Remediation | Configure local setting override for the time of day to run a scheduled full scan to complete remediation | xxx | [Configure remediation for scans](configure-remediation-windows-defender-antivirus.md)
-Scan | Configure local setting override for maximum percentage of CPU utilization | xxx | [Configure and run scans](run-scan-windows-defender-antivirus.md)
-Scan | Configure local setting override for schedule scan day | xxx | [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
-Scan | Configure local setting override for scheduled quick scan time | xxx | [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
-Scan | Configure local setting override for scheduled scan time | xxx | [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
-Scan | Configure local setting override for the scan type to use for a scheduled scan | xxx | [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
-
+MAPS | Configure local setting override for reporting to Microsoft MAPS | [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
+Quarantine | Configure local setting override for the removal of items from Quarantine folder | [Configure remediation for scans](configure-remediation-windows-defender-antivirus.md)
+Real-time protection | Configure local setting override for monitoring file and program activity on your computer | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Real-time protection | Configure local setting override for monitoring for incoming and outgoing file activity | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Real-time protection | Configure local setting override for scanning all downloaded files and attachments | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Real-time protection | Configure local setting override for turn on behavior monitoring | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Real-time protection | Configure local setting override to turn on real-time protection | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Remediation | Configure local setting override for the time of day to run a scheduled full scan to complete remediation | [Configure remediation for scans](configure-remediation-windows-defender-antivirus.md)
+Scan | Configure local setting override for maximum percentage of CPU utilization | [Configure and run scans](run-scan-windows-defender-antivirus.md)
+Scan | Configure local setting override for schedule scan day | [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
+Scan | Configure local setting override for scheduled quick scan time | [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
+Scan | Configure local setting override for scheduled scan time | [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
+Scan | Configure local setting override for the scan type to use for a scheduled scan | [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
 
 
 
 
 
+<a id="merge-lists"></a>
 ## Configure how locally and globally defined threat remediation and exclusions lists are merged
 
 You can also configure how locally defined lists are combined or merged with globally defined lists. This setting applies to [exclusion lists](configure-exclusions-windows-defender-antivirus.md) and [specified remediation lists](configure-remediation-windows-defender-antivirus.md).
diff --git a/windows/keep-secure/configure-network-connections-windows-defender-antivirus.md b/windows/keep-secure/configure-network-connections-windows-defender-antivirus.md
index 4bba9f4ec2..21303b1d7c 100644
--- a/windows/keep-secure/configure-network-connections-windows-defender-antivirus.md
+++ b/windows/keep-secure/configure-network-connections-windows-defender-antivirus.md
@@ -191,9 +191,7 @@ The Windows event log will also show [Windows Defender client event ID 2050](tro
 
 ## Related topics
 
-- [Windows Defender Antivirus in Windows 10](windows-defender-in-windows-10.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
 - [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
 - [Run a Windows Defender scan from the command line](command-line-arguments-windows-defender-antivirus.md) and [Command line arguments](command-line-arguments-windows-defender-antivirus.md)
 - [Important changes to Microsoft Active Protection Services endpoint](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/important-changes-to-microsoft-active-protection-service-maps-endpoint/) 
-
-
diff --git a/windows/keep-secure/configure-process-opened-file-exclusions-windows-defender-antivirus.md b/windows/keep-secure/configure-process-opened-file-exclusions-windows-defender-antivirus.md
new file mode 100644
index 0000000000..48dcf3df40
--- /dev/null
+++ b/windows/keep-secure/configure-process-opened-file-exclusions-windows-defender-antivirus.md
@@ -0,0 +1,217 @@
+---
+title: Configure exclusions for files opened by specific processes
+description: You can exclude files from scans if they have been opened by a specific process.
+keywords: process, exclusion, files, scans
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Configure exclusions for files opened by processes
+
+**Applies to:**
+
+- Windows 10
+
+**Audience**
+
+- Enterprise security administrators
+
+
+**Manageability available with**
+
+- Group Policy
+- PowerShell
+- Windows Management Instrumentation (WMI)
+- System Center Configuration Manager
+- Microsoft Intune
+- Windows Defender Security Center
+
+You can exclude files that have been opened by specific processes from being scanned by Windows Defender AV. 
+
+This topic describes how to configure exclusion lists for the following:
+
+<a id="examples"></a>
+
+Exclusion | Example 
+---|---
+Any file on the machine that is opened by any process with a specific file name | Specifying "*test.exe*" would exclude files opened by: <ul><li>*c:\sample\test.exe*</li><li>*d:\internal\files\test.exe*</li></ul>  
+Any file on the machine that is opened by any process under a specific folder | Specifying "*c:\test\sample\\**" would exclude files opened by:<ul><li>*c:\test\sample\test.exe*</li><li>*c:\test\sample\test2.exe*</li><li>*c:\test\sample\utility.exe*</li></ul> 
+Any file on the machine that is opened by a specific process in a specific folder | Specifying "*c:\test\process.exe*" would exclude files only opened by *c:\test\process.exe*
+
+When you add a process to the process exclusion list, Windows Defender AV will not scan files opened by that process, no matter where the files are located. The process itself, however, will be scanned unless it has also been added to the [file exclusion list](configure-extension-file-exclusions-windows-defender-antivirus.md).
+
+The exclusions only apply to [always-on real-time protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md). They do not apply to scheduled or on-demand scans.
+
+Changes made via Group Policy to the exclusion lists **will show** in the lists in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions). However, changes made in the Windows Defender Security Center app **will not show** in the Group Policy lists.
+
+You can add, remove, and review the lists for exclusions in [Group Policy](#gp), [System Center Configuration Manager, Microsoft Intune, and with the Windows Defender Security Center app](#man-tools), and you can [use wildcards](#wildcards) to further customize the lists.
+
+You can also [use PowerShell cmdlets and WMI to configure the exclusion lists](#ps), including [reviewing](#review) your lists. 
+
+
+By default, local changes made to the lists (by users with administrator privileges; this includes changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts. 
+
+You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-windows-defender-antivirus.md#merge-lists) to allow local changes to override managed deployment settings.
+
+
+## Configure the list of exclusions for files opened by specified processes
+
+
+<a id="gp"></a>
+**Use Group Policy to exclude files that have been opened by specified processes from scans:**
+
+1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3.  In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4.  Click **Policies** then **Administrative templates**.
+
+5.  Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**. 
+
+
+6. Double-click the **Process Exclusions** setting and add the exclusions:
+
+    1. Set the option to **Enabled**. 
+    2. Under the **Options** section, click **Show...**
+    3. Enter each process on its own line under the **Value name** column. See the [example table](#examples) for the different types of process exclusions.  Enter **0** in the **Value** column for all processes.
+
+7. Click **OK**. 
+
+![The Group Policy setting for specifying process exclusions](images/defender/wdav-process-exclusions.png)
+
+
+<a id="ps"></a>
+**Use PowerShell cmdlets to exclude files that have been opened by specified processes from scans:**
+
+Using PowerShell to add or remove exclusions for files that have been opened by processes requires using a combination of three cmdlets with the `-ExclusionProcess' parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/defender).
+
+The format for the cmdlets is:
+
+```PowerShell
+<cmdlet> -ExclusionProcess "<item>"
+```
+
+The following are allowed as the \<cmdlet>:
+
+Configuration action | PowerShell cmdlet
+---|---
+Create or overwrite the list | `Set-MpPreference` 
+Add to the list | `Add-MpPreference` 
+Remove items from the list | `Remove-MpPreference` 
+
+
+>[!IMPORTANT]
+>If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list. 
+
+
+For example, the following code snippet would cause Windows Defender AV scans to exclude any file that is opened by the specified process:
+
+```PowerShell
+Add-MpPreference -ExclusionProcess "c:\internal\test.exe"
+```
+
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+
+**Use Windows Management Instruction (WMI) to exclude files that have been opened by specified processes from scans:**
+
+Use the [ **Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties:
+
+```WMI
+ExclusionProcess
+```
+
+The use of **Set**, **Add**, and **Remove** is analogous to their counterparts in PowerShell: `Set-MpPreference`, `Add-MpPreference`, and `Remove-MpPreference`.
+
+See the following for more information and allowed parameters:
+- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
+
+<a id="man-tools"></a>
+**Use Configuration Manager to exclude files that have been opened by specified processes from scans:**
+
+See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring System Center Configuration Manager (current branch).
+
+
+**Use Microsoft Intune to exclude files that have been opened by specified processes from scans:**
+
+
+See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune) and [Windows Defender policy settings in Windows 10](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune#windows-defender-1) for more details.
+
+
+**Use the Windows Defender Security Center app to exclude files that have been opened by specified processes from scans:**
+
+See [Add exclusions in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions) for instructions.
+
+
+
+<a id="wildcards"></a>
+## Use wildcards in the process exclusion list
+
+The use of wildcards in the process exclusion list is different from their use in other exclusion lists.
+
+In particular, you cannot use the question mark ? wildcard, and the asterisk \* wildcard can only be used at the end of a complete path. You can still use environment variables (such as %ALLUSERSPROFILE%) as wildcards when defining items in the process exclusion list.
+
+The following table describes how the wildcards can be used in the process exclusion list:
+
+Wildcard | Use | Example use | Example matches
+---|---|---|---
+\* (asterisk) | Replaces any number of characters | <ul><li>C:\MyData\\*</li></ul> | <ul><li>Any file opened by *C:\MyData\file.exe*</li></ul>
+? (question mark) | Not available | \- | \-
+Environment variables | The defined variable will be populated as a path when the exclusion is evaluated |  <ul><li>%ALLUSERSPROFILE%\CustomLogFiles\file.exe</li></ul> | <ul><li>Any file opened by C:\ProgramData\CustomLogFiles\file.exe</li></ul>
+
+
+
+
+<a id="review"></a>
+## Review the list of exclusions
+
+You can retrieve the items in the exclusion list with PowerShell, [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), [Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune), or the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions).
+
+If you use PowerShell, you can retrieve the list in two ways:
+
+- Retrieve the status of all Windows Defender AV preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line.
+- Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line.
+
+**Review the list of exclusions alongside all other Windows Defender AV preferences:**
+
+Use the following cmdlet:
+
+```PowerShell
+Get-MpPreference
+```
+
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+
+**Retrieve a specific exclusions list:**
+
+Use the following code snippet (enter each line as a separate command); replace **WDAVprefs** with whatever label you want to name the variable:
+
+```PowerShell
+$WDAVprefs = Get-MpPreference
+$WDAVprefs.ExclusionProcess
+```
+
+
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+
+
+
+
+## Related topics
+
+- [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md)
+- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md)
+- [Configure exclusions in Windows Defender AV on Windows Server](configure-server-exclusions-windows-defender-antivirus.md)
+- [Customize, initiate, and review the results of Windows Defender AV scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
\ No newline at end of file
diff --git a/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md
index 5e69d804c4..8ef29a6be5 100644
--- a/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md
@@ -37,8 +37,8 @@ The WinHTTP configuration setting is independent of the Windows Internet (WinINe
 
 
  - Manual static proxy configuration:
-    - WinHTTP configured using netsh command
     - Registry based configuration
+    - WinHTTP configured using netsh command – Suitable only for desktops in a stable topology (for example: a desktop in a corporate network behind the same proxy)
 
 ## Configure the proxy server manually using a registry-based static proxy
 Configure a registry-based static proxy to allow only Windows Defender ATP sensor to report telemetry and communicate with Windows Defender ATP services if a computer is not be permitted to connect to the Internet.
@@ -61,7 +61,8 @@ The registry value `DisableEnterpriseAuthProxy` should be set to 1.
 Use netsh to configure a system-wide static proxy.
 
 > [!NOTE]
-> This will affect all applications including Windows services which use WinHTTP with default proxy.
+> - This will affect all applications including Windows services which use WinHTTP with default proxy.</br>
+> - Laptops that are changing topology (for example: from office to home) will malfunction with netsh. Use the registry-based static proxy configuration.
 
 1. Open an elevated command-line:
 
diff --git a/windows/keep-secure/configure-real-time-protection-windows-defender-antivirus.md b/windows/keep-secure/configure-real-time-protection-windows-defender-antivirus.md
index ad4ca873ec..6b0d0a8a25 100644
--- a/windows/keep-secure/configure-real-time-protection-windows-defender-antivirus.md
+++ b/windows/keep-secure/configure-real-time-protection-windows-defender-antivirus.md
@@ -42,7 +42,7 @@ These activities include events such as processes making unusual changes to exis
 
 ## Configure and enable always-on protection
 
-You can configure how always-on protection works with the following Group Policy settings described in this section.
+You can configure how always-on protection works with the Group Policy settings described in this section.
 
 To configure these settings:
 
@@ -67,8 +67,10 @@ Real-time protection | Turn on process scanning whenever real-time protection is
 Real-time protection | Turn on behavior monitoring | The AV engine will monitor file processes, file and registry changes, and other events on your endpoints for suspicious and known malicious activity | Enabled
 Real-time protection | Turn on raw volume write notifications | Information about raw volume writes will be analysed by behavior monitoring | Enabled
 Real-time protection | Define the maximum size of downloaded files and attachments to be scanned | You can define the size in kilobytes | Enabled 
-Real-time protection | Configure monitoring for incoming and outgoing file and program activity | Specify whether monitoring should occur on incoming, outgoing, both, or neither direction. This is relevant for Windows Server installations where you have defined specific servers or server roles that see large amounts of file changes in only one direction and you want to improve network performance. Note that fully updated endpoints (and servers) on a network will see little performance impact irrespective of the number or direction of file changes. 
+Real-time protection | Configure monitoring for incoming and outgoing file and program activity | Specify whether monitoring should occur on incoming, outgoing, both, or neither direction. This is relevant for Windows Server installations where you have defined specific servers or Server Roles that see large amounts of file changes in only one direction and you want to improve network performance. Note that fully updated endpoints (and servers) on a network will see little performance impact irrespective of the number or direction of file changes. 
 Scan	| Turn on heuristics | Heuristic protection will disable or block suspicious activity immediately before the AV engine is asked to detect the activity | Enabled (both directions)
+Root | Allow antimalware service to startup with normal priority | You can lower the priority of the AV engine, which may be useful in lightweight deployments where you want to have as lean a startup process as possible. This may impact protection on the endpoint. | Enabled
+Root | Allow antimalware service to remain running always | If protection updates have been disabled, you can set Windows Defender AV to still run. This lowers the protection on the endpoint. | Disabled
 
 
 
diff --git a/windows/keep-secure/configure-remediation-windows-defender-antivirus.md b/windows/keep-secure/configure-remediation-windows-defender-antivirus.md
index bfc941c20c..ea6dd93746 100644
--- a/windows/keep-secure/configure-remediation-windows-defender-antivirus.md
+++ b/windows/keep-secure/configure-remediation-windows-defender-antivirus.md
@@ -1,7 +1,7 @@
 ---
 title: Remediate and resolve infections detected by Windows Defender AV
 description: Configure what Windows Defender AV should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder
-keywords: 
+keywords: remediation, fix, remove, threats, quarantine, scan, restore
 search.product: eADQiWindows 10XVcnh
 ms.pagetype: security
 ms.prod: w10
@@ -14,4 +14,64 @@ author: iaanw
 
 
 
-# Configure remediation for Windows Defender AV scans
\ No newline at end of file
+# Configure remediation for Windows Defender AV scans
+
+**Applies to**
+-   Windows 10
+
+**Audience**
+
+- Enterprise security administrators
+
+**Manageability available with**
+
+- Group Policy
+- System Center Configuration Manager 
+- PowerShell
+- Windows Management Instrumentation (WMI)
+- Microsoft Intune
+
+When Windows Defender Antivirus runs a scan, it will attempt to remediate or remove threats that it finds. You can configure how Windows Defender AV should react to certain threats, whether it should create a restore point before remediating, and when it should remove remediated threats.
+
+This topic describes how to configure these settings with Group Policy, but you can also use [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#threat-overrides-settings) and [Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#choose-default-actions-settings).
+
+You can also use the [`Set-MpPreference` PowerShell cmdlet](https://technet.microsoft.com/itpro/powershell/windows/defender/set-mppreference) or [`MSFT_MpPreference` WMI class](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) to configure these settings.
+
+## Configure remediation options
+
+You can configure how remediation with the Group Policy settings described in this section.
+
+To configure these settings:
+
+1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3.  In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4.  Click **Policies** then **Administrative templates**.
+
+5.  Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below.
+
+6. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings.
+
+
+Location | Setting | Description | Default setting (if not configured)
+---|---|---|---
+Scan | Create a system restore point | A system restore point will be created each day before cleaning or scanning is attempted | Disabled
+Scan | Turn on removal of items from scan history folder | Specify how many days items should be kept in the scan history | 30 days
+Root | Turn off routine remediation | You can specify whether Windows Defender AV automatically remediates threats, or if it should ask the endpoint user what to do. | Disabled (threats are remediated automatically)
+Quarantine | Configure removal of items from Quarantine folder | Specify how many days items should be kept in quarantine before being removed | Never removed
+Threats | Specify threat alert levels at which default action should not be taken when detected | Every threat that is detected by Windows Defender AV is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored) | Not applicable
+Threats | Specify threats upon which default action should not be taken when detected | Specify how specific threats (using their threat ID) should be remediated. You can specify whether the specific threat should be quarantined, removed, or ignored | Not applicable
+
+
+Also see the [Configure remediation-required scheduled full scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md#remed) topic for more remediation-related settings.
+
+## Related topics
+
+- [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
+- [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
+- [Configure and run on-demand Windows Defender AV scans](run-scan-windows-defender-antivirus.md)
+- [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
+- [Configure end-user interaction with Windows Defender AV](configure-end-user-interaction-windows-defender-antivirus.md)
+- [Customize, initiate, and review the results of Windows Defender AV scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
\ No newline at end of file
diff --git a/windows/keep-secure/configure-server-exclusions-windows-defender-antivirus.md b/windows/keep-secure/configure-server-exclusions-windows-defender-antivirus.md
new file mode 100644
index 0000000000..c293dd3358
--- /dev/null
+++ b/windows/keep-secure/configure-server-exclusions-windows-defender-antivirus.md
@@ -0,0 +1,84 @@
+---
+title: Automatic and customized exclusions for Windows Defender AV on Windows Server 2016
+description: Windows Server 2016 includes automatic exclusions, based on Server Role. You can also add custom exclusions.
+keywords: exclusions, server, auto-exclusions, automatic, custom, scans
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Configure exclusions in Windows Defender AV on Windows Server 2016
+
+
+**Applies to:**
+
+- Windows Server 2016
+
+**Audience**
+
+- Enterprise security administrators
+
+
+**Manageability available with**
+
+- Group Policy
+- PowerShell
+- Windows Management Instrumentation (WMI)
+
+If you are using Windows Defender Antivirus to protect Windows Server 2016 machines, you are [automatically enrolled in certain exclusions](https://technet.microsoft.com/en-us/windows-server-docs/security/windows-defender/automatic-exclusions-for-windows-defender), as defined by your specified Windows Server Role.
+
+These exclusions will not appear in the standard exclusion lists shown in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions).
+
+You can still add or remove custom exclusions (in addition to the Server Role-defined auto exclusions) as described in the other exclusion-related topics:
+- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md)
+- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md)
+
+
+You can disable the auto-exclusions lists with Group Policy, PowerShell cmdlets, and WMI.
+
+**Use Group Policy to disable the auto-exclusions list on Windows Server 2016:**
+
+1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3.  In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4.  Click **Policies** then **Administrative templates**.
+
+5.  Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**.
+
+6. Double-click the **Turn off Auto Exclusions** setting and set the option to **Enabled**. Click **OK**. 
+
+**Use PowerShell cmdlets to disable the auto-exclusions list on Windows Server 2016:**
+
+Use the following cmdlets:
+
+```PowerShell
+Set-MpPreference -DisableAutoExclusions
+```
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+**Use Windows Management Instruction (WMI) to disable the auto-exclusions list on Windows Server 2016:**
+
+Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties:
+
+```WMI
+DisableAutoExclusions
+```
+
+See the following for more information and allowed parameters:
+- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
+
+
+## Related topics
+
+- [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md)
+- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md)
+- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md)
+- [Customize, initiate, and review the results of Windows Defender AV scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
\ No newline at end of file
diff --git a/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md
index f40c7d579d..708ddc8854 100644
--- a/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md
@@ -135,6 +135,6 @@ Use the solution explorer to view alerts in Splunk.
 
 ## Related topics
 - [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
-- [Configure ArcSight](configure-arcsight-windows-defender-advanced-threat-protection.md)
+- [Configure ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
 - [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md)
 - [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/configure-windows-defender-in-windows-10.md b/windows/keep-secure/configure-windows-defender-in-windows-10.md
deleted file mode 100644
index 32dc5bdf7d..0000000000
--- a/windows/keep-secure/configure-windows-defender-in-windows-10.md
+++ /dev/null
@@ -1,16 +0,0 @@
----
-title: Configure and use Windows Defender in Windows 10
-description: IT professionals can configure definition updates and cloud-based protection in Windows Defender in Windows 10 through Microsoft Active Directory and Windows Server Update Services (WSUS).
-ms.assetid: 22649663-AC7A-40D8-B1F7-5CAD9E49653D
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-localizationpriority: medium
-author: jasesso
-redirect_url: /itpro/windows/keep-secure/deploy-manage-report-windows-defender-antivirus/
----
-
-# Configure Windows Defender in Windows 10
-
-This page has been redirected to *Windows Defender Antivirus in Windows 10*.
diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md
index 079086758f..36c57e9ecf 100644
--- a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md
+++ b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md
@@ -13,7 +13,7 @@ localizationpriority: high
 # Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate
 **Applies to:**
 
--   Windows 10, version 1607
+-   Windows 10, version 1703
 -   Windows 10 Mobile
 
 If you don’t already have an EFS DRA certificate, you’ll need to create and extract one from your system before you can use Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your organization. For the purposes of this section, we’ll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you.
@@ -29,20 +29,20 @@ The recovery process included in this topic only works for desktop devices. WIP
 
 2.	Run this command:
     
-    `cipher /r:<EFSRA>`
+    <code>cipher /r:<i>EFSRA</i></code>
     
-    Where *&lt;EFSRA&gt;* is the name of the .cer and .pfx files that you want to create.
+    Where *EFSRA* is the name of the .cer and .pfx files that you want to create.
 
 3.	When prompted, type and confirm a password to help protect your new Personal Information Exchange (.pfx) file.
 
     The EFSDRA.cer and EFSDRA.pfx files are created in the location you specified in Step 1.
 
-    >[!IMPORTANT]
+    >[!Important]
     >Because the private keys in your DRA .pfx files can be used to decrypt any WIP file, you must protect them accordingly. We highly recommend storing these files offline, keeping copies on a smart card with strong protection for normal use and master copies in a secured physical location.
 
-4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as Microsoft Intune or System Center Configuration Manager. 
+4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as Microsoft Intune or System Center Configuration Manager.
 
-    >[!NOTE]
+    >[!Note]
     >To add your EFS DRA certificate to your policy by using Microsoft Intune, see the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) topic. To add your EFS DRA certificate to your policy by using System Center Configuration Manager, see the [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) topic.
 
 **To verify your data recovery certificate is correctly set up on a WIP client computer**
@@ -53,9 +53,9 @@ The recovery process included in this topic only works for desktop devices. WIP
 
 3.	Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command:
 
-    `cipher /c <filename>`
+    <code>cipher /c <i>file_name</i></code>
 
-    Where *&lt;filename&gt;* is the name of the file you created in Step 1.
+    Where *file_name* is the name of the file you created in Step 1.
 
 4.	Make sure that your data recovery certificate is listed in the **Recovery Certificates** list.
 
@@ -67,9 +67,9 @@ The recovery process included in this topic only works for desktop devices. WIP
 
 3.	Open a command prompt with elevated rights, navigate to the encrypted file, and then run this command:
 
-    `cipher /d <encryptedfile.extension>`
+    <code>cipher /d <i>encryptedfile.extension</i>></code>
     
-    Where *&lt;encryptedfile.extension&gt;* is the name of your encrypted file. For example, corporatedata.docx.
+    Where *encryptedfile.extension* is the name of your encrypted file. For example, corporatedata.docx.
 
 **To quickly recover WIP-protected desktop data after unenrollment**<br>
 It's possible that you might revoke data from an unenrolled device only to later want to restore it all. This can happen in the case of a missing device being returned or if an unenrolled employee enrolls again. If the employee enrolls again using the original user profile, and the revoked key store is still on the device, all of the revoked data can be restored at once, by following these steps.
@@ -79,24 +79,50 @@ It's possible that you might revoke data from an unenrolled device only to later
 
 1. Have your employee sign in to the unenrolled device, open a command prompt, and type:
     
-    `Robocopy “%localappdata%\Microsoft\EDP\Recovery” <“new_location”> /EFSRAW`
+    <code>Robocopy “%localappdata%\Microsoft\EDP\Recovery” “<i>new_location</i>” /EFSRAW</code>
 
-    Where *&lt;”new_location”&gt;* is in a different directory. This can be on the employee’s device or on a Windows 8 or Windows Server 2012 or newer server file share that can be accessed while you're logged in as a data recovery agent.
+    Where ”*new_location*" is in a different directory. This can be on the employee’s device or on a Windows 8 or Windows Server 2012 or newer server file share that can be accessed while you're logged in as a data recovery agent.
 
 2. Sign in to a different device with administrator credentials that have access to your organization's DRA certificate, and perform the file decryption and recovery by typing:
 
-    `cipher.exe /D <“new_location”>`
+    <code>cipher.exe /D "<i>new_location</i>"</code>
 
 3. Have your employee sign in to the unenrolled device, and type:
 
-    `Robocopy <”new_location”> “%localappdata%\Microsoft\EDP\Recovery\Input”`
+    <code>Robocopy "<i>new_location</i>" “%localappdata%\Microsoft\EDP\Recovery\Input”</code>
 
 4. Ask the employee to lock and unlock the device.
 
-    The Windows Credential service automatically recovers the employee’s previously revoked keys from the `Recovery\Input` location.
+    The Windows Credential service automatically recovers the employee’s previously revoked keys from the <code>Recovery\Input</code> location.
 
->[!NOTE]
->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
+**To quickly recover WIP-protected desktop data in a cloud-based environment**<br>
+If you use a cloud environment in your organization, you may still want to restore an employee's data after revocation. While much of the process is the same as when you're not in a cloud environment, there are a couple of differences.
+
+>[!IMPORTANT]
+>To maintain control over your enterprise data, and to be able to revoke again in the future, you must only perform this process after the employee has re-enrolled the device. 
+
+1. Have your employee sign in to the device that has revoked data for you to restore, open the **Run** command (Windows logo key + R), and type one of the following commands:
+
+    - If the keys are still stored within the employee's profile, type: <code>Robocopy “%localappdata%\Microsoft\EDP\Recovery” “<i>new_location</i>” * /EFSRAW</code>
+
+    -or-
+
+    - If the employee performed a clean installation over the operating system and you need to recover the keys from the System Volume folder, type: <code>Robocopy “<i>drive_letter:</i>\System Volume Information\EDP\Recovery\” "<i>new_location</i>” * /EFSRAW></code>
+
+    >[!Important]
+    >The “*new_location*” must be in a different directory, either on the employee’s device or on a Windows 8 or Windows Server 2012 or newer server file share, which can be accessed while you're logged in as a data recovery agent.
+
+2. Sign in to a different device with administrator credentials that have access to your organization's DRA certificate private key, and perform the file decryption and recovery by typing:
+
+    <code>cipher.exe /D “<i>new_location</i>”</code>
+
+3. Have your employee sign in to the device again, open the **Run** command, and type:
+
+    <code>Robocopy “<i>new_location</i>” “%localappdata%\Microsoft\EDP\Recovery\Input”</code>
+
+4. Ask the employee to lock and unlock the device.
+
+    The Windows Credential service automatically recovers the employee’s previously revoked keys from the <code>Recovery\Input</code> location. All your company’s previously revoked files should be accessible to the employee again.
 
 ## Related topics
 - [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/magazine/2007.02.securitywatch.aspx)
@@ -109,5 +135,5 @@ It's possible that you might revoke data from an unenrolled device only to later
 
 - [Creating a Domain-Based Recovery Agent](https://msdn.microsoft.com/library/cc875821.aspx#EJAA)
 
-
+<p>**Note**<br>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
 
diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md
index f0c94d6dba..76ded492c6 100644
--- a/windows/keep-secure/create-wip-policy-using-intune.md
+++ b/windows/keep-secure/create-wip-policy-using-intune.md
@@ -11,20 +11,14 @@ localizationpriority: high
 ---
 
 # Create a Windows Information Protection (WIP) policy using Microsoft Intune
+
 **Applies to:**
 
--   Windows 10, version 1607
--   Windows 10 Mobile
+-   Windows 10, version 1703
+-   Windows 10 Mobile (except Microsoft Azure Rights Management, which is only available on the desktop)
 
 Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network.
 
-## Important note about the June service update for Insider Preview
-We've received some great feedback from you, our Windows 10 Insider Preview customers, about our Windows Information Protection experiences and processes. Because of that feedback, we're delighted to deliver an enhanced apps policy experience with the June service update. This means that when you open an existing Windows Information Protection policy after we release the June service update in your test environment, your existing Windows 10 Windows Information Protection app rules (formerly in the **Protected Apps** area) will be removed.<p>To prepare for this change, we recommend that you make an immediate backup of your current app rules as they are today, so you can use them to help reconfigure your app rules with the enhanced experience. When you open an existing Windows Information Protection policy after we release the June service update, you'll get a dialog box telling you about this change. Click the **OK** button to close the box and to begin reconfiguring your app rules.
-
-![Microsoft Intune: Reconfigure app rules list dialog box](images/wip-intune-app-reconfig-warning.png)
-
-Note that if you exit the **Policy** page before you've saved your new policy, your existing deployments won't be affected. However, if you save the policy without reconfiguring your apps, an updated policy will be deployed to your employees with an empty app rules list.
- 
 ## Add a WIP policy
 After you’ve set up Intune for your organization, you must create a WIP-specific policy.
 
@@ -44,10 +38,11 @@ During the policy-creation process in Intune, you can choose the apps you want t
 
 The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed Windows desktop app, or an AppLocker policy file.
 
->[!IMPORTANT]
+>[!Important]
 >WIP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.<p>Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App Rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
 
->[!NOTE]
+
+>[!Note]
 >If you want to use **File hash** or **Path** rules, instead of **Publisher** rules, you must follow the steps in the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic.
 
 #### Add a store app rule to your policy
@@ -77,8 +72,7 @@ If you don't know the publisher or product name, you can find them for both desk
 **To find the Publisher and Product Name values for Store apps without installing them**
 1.	Go to the [Windows Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Microsoft OneNote*.
 
-    >[!NOTE]
-    >If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic.
+    >**Note**<br>If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic.
 
 2.	Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`.
 
@@ -95,11 +89,8 @@ If you don't know the publisher or product name, you can find them for both desk
 
 4. Copy the `publisherCertificateName` value into the **Publisher Name** box and copy the `packageIdentityName` value into the **Product Name** box of Intune.
 
-    >[!IMPORTANT]
-    >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.
-    
-    For example:
-        
+    >[!Important]
+    >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.<p>For example:<br>
     ```json
         {
             "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
@@ -109,8 +100,7 @@ If you don't know the publisher or product name, you can find them for both desk
 **To find the Publisher and Product Name values for apps installed on Windows 10 mobile phones**
 1.	If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature.
 
-    >[!NOTE]
-    >Your PC and phone must be on the same wireless network.
+    >**Note**<br>Your PC and phone must be on the same wireless network.
 
 2.	On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**.
 
@@ -126,15 +116,12 @@ If you don't know the publisher or product name, you can find them for both desk
 
 8.	Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune.
 
-    >[!IMPORTANT]
-    >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.
-    
-    For example:
-    
-    ``` json
+    >[!Important]
+    >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.<p>For example:<br>
+    ```json
         {
-	       "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
-	    }
+            "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
+        }
     ```
 
 #### Add a desktop app rule to your policy
@@ -367,49 +354,49 @@ There are no default locations included with WIP, you must add each of your netw
 2.	Type a name for your corporate network element into the **Name** box, and then pick what type of network element it is, from the **Network element** drop-down box. This can include any of the options in the following table.
 
     ![Microsoft Intune, Add your corporate network definitions](images/intune-networklocation.png)
-<p>
+    <p>
     <table>
-            <tr>
-                <th>Network location type</th>
-                <th>Format</th>
-                <th>Description</th>
-            </tr>
-            <tr>
-                <td>Enterprise Cloud Resources</td>
-                <td><strong>With proxy:</strong> contoso.sharepoint.com,contoso.internalproxy1.com|<br>contoso.visualstudio.com,contoso.internalproxy2.com<p><strong>Without proxy:</strong> contoso.sharepoint.com|contoso.visualstudio.com</td>
-                <td>Specify the cloud resources to be treated as corporate and protected by WIP.<p>For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.<p>If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;</code>.<p>If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the <code>/*AppCompat*/</code> string to this setting. For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;|/*AppCompat*/</code></td>
-            </tr>
-            <tr>
-                <td>Enterprise Network Domain Names (Required)</td>
-                <td>corp.contoso.com,region.contoso.com</td>
-                <td>Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.<p>This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks.<p>If you have multiple resources, you must separate them using the "," delimiter.</td>                
-            </tr>
-            <tr>
-                <td>Enterprise Proxy Servers</td>
-                <td>proxy.contoso.com:80;proxy2.contoso.com:443</td>
-                <td>Specify your externally-facing proxy server addresses, along with the port through which traffic accesses the Internet.<p>This list must not include any servers listed in the Enterprise Internal Proxy Servers list, because they’re used for WIP-protected traffic.<p>This setting is also required if there’s a chance you could end up behind a proxy server on another network. In this situation, if you don't have a proxy server pre-defined, you might find that enterprise resources are unavailable to your client device, such as when you’re visiting another company and not on the guest network. To make sure this doesn’t happen, the client device also needs to be able to reach the pre-defined proxy server through the VPN network.<p>If you have multiple resources, you must separate them using the ";" delimiter.</td>
-            </tr>
-            <tr>
-                <td>Enterprise Internal Proxy Servers</td>
-                <td>contoso.internalproxy1.com;contoso.internalproxy2.com</td>
-                <td>Specify the proxy servers your devices will go through to reach your cloud resources.<p>Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.<p>This list shouldn’t include any servers listed in the Enterprise Proxy Servers list, which are used for non-WIP-protected traffic.<p>If you have multiple resources, you must separate them using the ";" delimiter.</td>                
-            </tr>
-            <tr>
-                <td>Enterprise IPv4 Range (Required, if not using IPv6)</td>
-                <td>**Starting IPv4 Address:** 3.4.0.1<br>**Ending IPv4 Address:** 3.4.255.254<br>**Custom URI:** 3.4.0.1-3.4.255.254,<br>10.0.0.1-10.255.255.254</td>
-                <td>Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.<p>If you have multiple ranges, you must separate them using the "," delimiter.</td>
-            </tr>
-            <tr>
-                <td>Enterprise IPv6 Range (Required, if not using IPv4)</td>
-                <td>**Starting IPv6 Address:** 2a01:110::<br>**Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff<br>**Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,<br>fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff</td>
-                <td>Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.<p>If you have multiple ranges, you must separate them using the "," delimiter.</td>
-            </tr>
-            <tr>
-                <td>Neutral Resources</td>
-                <td>sts.contoso.com,sts.contoso2.com</td>
-                <td>Specify your authentication redirection endpoints for your company.<p>These locations are considered enterprise or personal, based on the context of the connection before the redirection.<p>If you have multiple resources, you must separate them using the "," delimiter.</td>
-            </tr>           
-        </table>
+        <tr>
+            <th>Network location type</th>
+            <th>Format</th>
+            <th>Description</th>
+        </tr>
+        <tr>
+            <td>Enterprise Cloud Resources</td>
+            <td><strong>With proxy:</strong> contoso.sharepoint.com,contoso.internalproxy1.com|<br>contoso.visualstudio.com,contoso.internalproxy2.com<p><strong>Without proxy:</strong> contoso.sharepoint.com|contoso.visualstudio.com</td>
+            <td>Specify the cloud resources to be treated as corporate and protected by WIP.<p>For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.<p>If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;</code>.<p><strong>Important</strong><br>In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the <code>/&#42;AppCompat&#42;/</code> string to the setting. For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;|/&#42;AppCompat&#42;/</code>.<p>When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access), using the <strong>Domain joined or marked as compliant</strong> option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access.</td>
+        </tr>
+        <tr>
+            <td>Enterprise Network Domain Names (Required)</td>
+            <td>corp.contoso.com,region.contoso.com</td>
+            <td>Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.<p>This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks.<p>If you have multiple resources, you must separate them using the "," delimiter.</td>
+        </tr>
+        <tr>
+            <td>Enterprise Proxy Servers</td>
+            <td>proxy.contoso.com:80;proxy2.contoso.com:443</td>
+            <td>Specify your externally-facing proxy server addresses, along with the port through which traffic accesses the Internet.<p>This list must not include any servers listed in the Enterprise Internal Proxy Servers list, because they’re used for WIP-protected traffic.<p>This setting is also required if there’s a chance you could end up behind a proxy server on another network. In this situation, if you don't have a proxy server pre-defined, you might find that enterprise resources are unavailable to your client device, such as when you’re visiting another company and not on the guest network. To make sure this doesn’t happen, the client device also needs to be able to reach the pre-defined proxy server through the VPN network.<p>If you have multiple resources, you must separate them using the ";" delimiter.</td>
+        </tr>
+        <tr>
+            <td>Enterprise Internal Proxy Servers</td>
+            <td>contoso.internalproxy1.com;contoso.internalproxy2.com</td>
+            <td>Specify the proxy servers your devices will go through to reach your cloud resources.<p>Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.<p>This list shouldn’t include any servers listed in the Enterprise Proxy Servers list, which are used for non-WIP-protected traffic.<p>If you have multiple resources, you must separate them using the ";" delimiter.</td>
+        </tr>
+        <tr>
+            <td>Enterprise IPv4 Range (Required, if not using IPv6)</td>
+            <td>**Starting IPv4 Address:** 3.4.0.1<br>**Ending IPv4 Address:** 3.4.255.254<br>**Custom URI:** 3.4.0.1-3.4.255.254,<br>10.0.0.1-10.255.255.254</td>
+            <td>Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.<p>If you have multiple ranges, you must separate them using the "," delimiter.</td>
+        </tr>
+        <tr>
+            <td>Enterprise IPv6 Range (Required, if not using IPv4)</td>
+            <td>**Starting IPv6 Address:** 2a01:110::<br>**Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff<br>**Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,<br>fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff</td>
+            <td>Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.<p>If you have multiple ranges, you must separate them using the "," delimiter.</td>
+        </tr>
+        <tr>
+            <td>Neutral Resources</td>
+            <td>sts.contoso.com,sts.contoso2.com</td>
+            <td>Specify your authentication redirection endpoints for your company.<p>These locations are considered enterprise or personal, based on the context of the connection before the redirection.<p>If you have multiple resources, you must separate them using the "," delimiter.</td>
+        </tr>
+    </table>
 
 3.	Add as many locations as you need, and then click **OK**.
 
@@ -431,6 +418,16 @@ There are no default locations included with WIP, you must add each of your netw
 
     For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md).
 
+### Choose to set up Azure Rights Management with WIP
+WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files via removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/en-us/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up.
+
+To configure WIP to use Azure Rights Management, you must set the **AllowAzureRMSForEDP** MDM setting to **1** in Microsoft Intune. This setting tells WIP to encrypt files copied to removable drives with Azure Rights Management, so they can be shared amongst your employees on computers running at least Windows 10, version 1703.
+
+Optionally, if you don’t want everyone in your organization to be able to share your enterprise data, you can set the **RMSTemplateIDForEDP** MDM setting to the **TemplateID** of the Azure Rights Management template used to encrypt the data. You must make sure to mark the template with the **EditRightsData** option. 
+
+>[!NOTE]
+>For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-custom-templates) topic.
+
 ### Choose your optional WIP-related settings
 After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional WIP settings.
 
@@ -471,11 +468,13 @@ After you've decided where your protected apps can access enterprise data on you
 
 2. Click **Save Policy**.
 
->[!NOTE]
->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
-
 ## Related topics
 - [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md)
 - [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md)
 - [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md)
-- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md)
\ No newline at end of file
+- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md)
+- [Azure RMS Documentation Update for May 2016](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/azure-rms-documentation-update-for-may-2016/)
+- [What is Azure Rights Management?]( https://docs.microsoft.com/en-us/information-protection/understand-explore/what-is-azure-rms)
+
+>[!NOTE]
+>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
\ No newline at end of file
diff --git a/windows/keep-secure/create-wip-policy-using-sccm.md b/windows/keep-secure/create-wip-policy-using-sccm.md
index 49801ae337..5a51f50d60 100644
--- a/windows/keep-secure/create-wip-policy-using-sccm.md
+++ b/windows/keep-secure/create-wip-policy-using-sccm.md
@@ -94,8 +94,7 @@ If you don't know the publisher or product name, you can find them for both desk
 
 1.	Go to the [Windows Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, Microsoft OneNote.
 
-    >[!NOTE]
-    >If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the steps in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section.
+    >**Note**<br>If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the steps in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section.
 
 2.	Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`.
 
@@ -112,10 +111,7 @@ If you don't know the publisher or product name, you can find them for both desk
 
 4.  Copy the `publisherCertificateName` value and paste them into the **Publisher Name** box, copy the `packageIdentityName` value into the **Product Name** box of Intune.
 
-    >[!IMPORTANT]
-    >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.
-    >For example:<p>
-    
+    >**Important**<br>The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.<p>For example:<p>
     ```json
         {
             "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
@@ -125,8 +121,7 @@ If you don't know the publisher or product name, you can find them for both desk
 **To find the Publisher and Product Name values for apps installed on Windows 10 mobile phones**
 1.	If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature.
 
-    >[!NOTE]
-    >Your PC and phone must be on the same wireless network.
+    >**Note**<br>Your PC and phone must be on the same wireless network.
 
 2.	On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**.
 
@@ -142,10 +137,8 @@ If you don't know the publisher or product name, you can find them for both desk
 
 8.	Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune.
 
-    >[!IMPORTANT]
-    >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.
+    >**Important**<br>The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.
     >For example:<p>
-
     ```json
         {
             "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md
index dab9e6eabd..f36732aa45 100644
--- a/windows/keep-secure/credential-guard.md
+++ b/windows/keep-secure/credential-guard.md
@@ -126,9 +126,9 @@ The following tables describe baseline protections, plus protections for improve
 
 <br>
 
-#### 2017 Additional security qualifications starting with Windows 10, version 1703 
+#### 2017 Additional security qualifications starting in 2017 
 
-The following table lists qualifications for Windows 10, version 1703, which are in addition to all preceding qualifications. 
+The following table lists qualifications for 2017, which are in addition to all preceding qualifications. 
 
 | Protection for Improved Security          | Description                                        |
 |---------------------------------------------|----------------------------------------------------|
diff --git a/windows/keep-secure/custom-ti-api-windows-defender-advanced-threat-protection.md b/windows/keep-secure/custom-ti-api-windows-defender-advanced-threat-protection.md
index 18a8804998..3f71267756 100644
--- a/windows/keep-secure/custom-ti-api-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/custom-ti-api-windows-defender-advanced-threat-protection.md
@@ -1,5 +1,5 @@
 ---
-title: Create threat intelligence using REST API in Windows Defender ATP
+title: Create custom alerts using the threat intelligence API
 description: Create your custom alert definitions and indicators of compromise in Windows Defender ATP using the available APIs in Windows Enterprise, Education, and Pro editions.
 keywords: alert definitions, indicators of compromise, threat intelligence, custom threat intelligence, rest api, api
 search.product: eADQiWindows 10XVcnh
@@ -389,7 +389,8 @@ The following articles provide detailed code examples that demonstrate how to us
 
 ## Related topics
 - [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
-- [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md)
-- [PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md)
-- [Python code examples](python-example-code-windows-defender-advanced-threat-protection.md)
+- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
+- [PowerShell code examples for the custom threat intelligence API](powershell-example-code-windows-defender-advanced-threat-protection.md)
+- [Python code examples for the custom threat intelligence API](python-example-code-windows-defender-advanced-threat-protection.md)
+- [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md)
 - [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/defender-compatibility-windows-defender-advanced-threat-protection.md b/windows/keep-secure/defender-compatibility-windows-defender-advanced-threat-protection.md
index de668b5c69..314ccc9c79 100644
--- a/windows/keep-secure/defender-compatibility-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/defender-compatibility-windows-defender-advanced-threat-protection.md
@@ -30,4 +30,4 @@ Windows Defender Antivirus will continue to receive updates, and the *mspeng.exe
 
 The Windows Defender Antivirus interface will be disabled, and users on the endpoint will not be able to use Windows Defender Antivirus to perform on-demand scans or configure most options.
 
-For more information, see the **Compatibility** section in the [Windows Defender Antivirus in Windows 10 topic](windows-defender-in-windows-10.md).
+For more information, see the [Windows Defender Antivirus and Windows Defender ATP compatibility topic](windows-defender-antivirus-compatibility.md).
diff --git a/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md b/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md
index b03c8c1332..68ae726ace 100644
--- a/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md
+++ b/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md
@@ -144,7 +144,7 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualiza
 reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
 ```
 
-> To enable **VBS with Secure Boot and DMA (value 2)**, in the preceding command, change **/d 1** to **/d 2**.
+> To enable **VBS with Secure Boot and DMA (value 3)**, in the preceding command, change **/d 1** to **/d 3**.
 
 **To enable VBS without UEFI lock (value 0)**
 
@@ -196,7 +196,7 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualiza
 reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
 ```
 
-> To enable **VBS with Secure Boot and DMA (value 2)**, in the preceding command, change **/d 1** to **/d 2**.
+> To enable **VBS with Secure Boot and DMA (value 3)**, in the preceding command, change **/d 1** to **/d 3**.
 
 **To enable virtualization-based protection of Code Integrity policies (with the default, UEFI lock)**
 
diff --git a/windows/keep-secure/deploy-manage-report-windows-defender-antivirus.md b/windows/keep-secure/deploy-manage-report-windows-defender-antivirus.md
index 18cfd5e134..56578ebbbb 100644
--- a/windows/keep-secure/deploy-manage-report-windows-defender-antivirus.md
+++ b/windows/keep-secure/deploy-manage-report-windows-defender-antivirus.md
@@ -26,7 +26,7 @@ You can deploy, manage, and report on Windows Defender Antivirus in a number of
 
 As the Windows Defender AV client is installed as a core part of Windows 10, traditional deployment of a client to your endpoints does not apply.
 
-However, in most cases you will still need to enable the protection service on your endpoints with System Center Configuration Manager, Microsoft Intune, Azure Secrutiy Center, or Group Policy Objects, which is described in the following table.
+However, in most cases you will still need to enable the protection service on your endpoints with System Center Configuration Manager, Microsoft Intune, Azure Security Center, or Group Policy Objects, which is described in the following table.
 
 You'll also see additional links for:
 - Managing Windows Defender Antivirus protection, including managing product and protection updates
@@ -45,11 +45,11 @@ PowerShell|Deploy with Group Policy, System Center Configuration Manager, or man
 Group Policy and Active Directory (domain-joined)|Use a Group Policy Object to deploy configuration changes and ensure Windows Defender Antivirus is enabled.|Use Group Policy Objects (GPOs) to [Configure update options for Windows Defender Antivirus][] and [Configure Windows Defender features][]|Endpoint reporting is not available with Group Policy. You can generate a list of [Group Policies to determine if any settings or policies are not applied][]
 Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by using Visual Studio virtual machine configuration, or using Azure PowerShell cmdlets](https://docs.microsoft.com/en-us/azure/security/azure-security-antimalware#antimalware-deployment-scenarios). You can also [Install Endpoint protection in Azure Security Center](https://docs.microsoft.com/en-us/azure/security-center/security-center-install-endpoint-protection)|Configure [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/en-us/powershell/servicemanagement/azure.antimalware/v3.4.0/azure.antimalware) or [use code samples](https://gallery.technet.microsoft.com/Antimalware-For-Azure-5ce70efe)|Use [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/en-us/powershell/servicemanagement/azure.antimalware/v3.4.0/azure.antimalware) to enable monitoring. You can also review usage reports in Azure Active Directory to determine suspicious activity, including the [Possibly infected devices][] report and configure an SIEM tool to report on [Windows Defender Antivirus events][] and add that tool as an app in AAD.
 
-1. <span id="fn1" />The availability of some functions and features, especially related to cloud-delivered protection, differ between System Center Configuration Manager, current branch (for example, System Center Configuration Manager 2016) and System Center Configuration Manager 2012. In this library, we've focused on Windows 10, Windows Server 2016, and System Center Configuration Manager, current branch (2016). See the [Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) topic for a table that describes the major differences.  [(Return to table)](#ref1)
+1. <span id="fn1" />The availability of some functions and features, especially related to cloud-delivered protection, differ between System Center Configuration Manager, current branch (for example, System Center Configuration Manager 2016) and System Center Configuration Manager 2012. In this library, we've focused on Windows 10, Windows Server 2016, and System Center Configuration Manager, current branch (2016). See the [Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) topic for a table that describes the major differences. [(Return to table)](#ref1)
 
-1. <span id="fn2" />Configuration of features and protection, including configuring product and protection updates, are further described in the [Configure Windows Defender Antivirus features](configure-notifications-windows-defender-antivirus.md) section in this library.  [(Return to table)](#ref2)
+1. <span id="fn2" />Configuration of features and protection, including configuring product and protection updates, are further described in the [Configure Windows Defender Antivirus features](configure-notifications-windows-defender-antivirus.md) section in this library. [(Return to table)](#ref2)
   
-1.	<span id="fn3" />In Windows 10, Windows Defender Antivirus is a component available without installation or deployment of an additional client or service. It will automatically be enabled when third-party antivirus products are either uninstalled or out of date. Traditional deployment therefore is not required. Deployment here refers to ensuring the Windows Defender Antivirus component is available and enabled on endpoints or servers.  [(Return to table)](#ref3)
+1.	<span id="fn3" />In Windows 10, Windows Defender Antivirus is a component available without installation or deployment of an additional client or service. It will automatically be enabled when third-party antivirus products are either uninstalled or out of date ([except on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md). Traditional deployment therefore is not required. Deployment here refers to ensuring the Windows Defender Antivirus component is available and enabled on endpoints or servers. [(Return to table)](#ref3)
 
 
 
@@ -88,7 +88,4 @@ Topic | Description
 [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) | There are two parts to updating Windows Defender Antivirus: updating the client on endpoints (product updates), and updating definitions (protection updates). You can update definitions in a number of ways, using System Center Configuration Manager, Group Policy, PowerShell, and WMI.
 [Monitor and report on Windows Defender Antivirus protection](report-monitor-windows-defender-antivirus.md) | You can use System Center Configuration Manager, a third-party SIEM product (by consuming Windows event logs), or Microsoft Intune to monitor protection status and create reports about endpoint protection
 
-## Related topics
 
-- [Windows Defender Antivirus in Windows 10](windows-defender-in-windows-10.md)
-- [Configure Windows Defender Antivirus features](configure-windows-defender-antivirus-features.md)
diff --git a/windows/keep-secure/deploy-windows-defender-antivirus.md b/windows/keep-secure/deploy-windows-defender-antivirus.md
index 6f98f62d52..f81ce50c65 100644
--- a/windows/keep-secure/deploy-windows-defender-antivirus.md
+++ b/windows/keep-secure/deploy-windows-defender-antivirus.md
@@ -35,6 +35,6 @@ The remaining topic in this section provides end-to-end advice and best practice
 
 ## Related topics
 
-- [Windows Defender Antivirus in Windows 10](windows-defender-in-windows-10.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
 - [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
 - [Deployment guide for Windows Defender Antivirus in a virtual desktop infrasructure (VDI) environment](deployment-vdi-windows-defender-antivirus.md)
\ No newline at end of file
diff --git a/windows/keep-secure/deployment-vdi-windows-defender-antivirus.md b/windows/keep-secure/deployment-vdi-windows-defender-antivirus.md
index 50d37bfe9d..54535d3ef1 100644
--- a/windows/keep-secure/deployment-vdi-windows-defender-antivirus.md
+++ b/windows/keep-secure/deployment-vdi-windows-defender-antivirus.md
@@ -20,7 +20,7 @@ author: iaanw
 
 **Audience**
 
-- IT professionals
+- Enterprise security administrators
 
 **Manageability available with**
 
@@ -31,7 +31,20 @@ author: iaanw
 
 In addition to standard on-premises or hardware configurations, you can also use Windows Defender Antivirus (Windows Defender AV) in a remote desktop (RDS) or virtual desktop infrastructure (VDI) environment. 
 
-Boot storms can be a problem in large-scale VDIs; this guide will help reduce the overall network bandwidth and performance impact on your hardware. For more details on the best configuration options to ensure a good balance between performance and protection, see the [Configure endpoints for optimal performance](#configure-endpoints-for-optimal-performance) section.
+Boot storms can be a problem in large-scale VDIs; this guide will help reduce the overall network bandwidth and performance impact on your hardware. 
+
+We recommend setting the following when deploying Windows Defender AV in a VDI environment:
+
+Location | Setting | Suggested configuration
+---|---|---
+Client interface | Enable headless UI mode | Enabled
+Client interface | Suppress all notifications | Enabled
+Scan | Specify the scan type to use for a scheduled scan | Enabled - Quick
+Root | Randomize scheduled task times | Enabled
+Signature updates | Turn on scan after signature update | Enabled
+Scan | Turn on catch up quick scan | Enabled
+
+For more details on the best configuration options to ensure a good balance between performance and protection, including detailed instructions for Group Policy and System Center Configuration Manager, see the [Configure endpoints for optimal performance](#configure-endpoints-for-optimal-performance) section.
 
 See the [Microsoft Desktop virtualization site](https://www.microsoft.com/en-us/server-cloud/products/virtual-desktop-infrastructure/) for more details on Microsoft Remote Desktop Services and VDI support.
 
@@ -54,8 +67,6 @@ There are three main steps in this guide to help roll out Windows Defender AV pr
 >[!NOTE] 
 >When you manage Windows with System Center Configuration Manager, Windows Defender AV protection will be referred to as Endpoint Protection or System Center Endpoint Protection. See the [Endpoint Protection section at the Configuration Manager library]( https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-protection) for more information.
 
-The following table lists the configuration settings that we recommend when deploying Windows Defender AV in a VDI environment:
-
 
 
 ## Create and deploy the base image 
@@ -75,7 +86,9 @@ After creating the image, you should ensure it is fully updated. See [Configure
 ### Seal the base image
 When the base image is fully updated, you should run a quick scan on the image. This “sealing” or “locking” of the image helps Windows Defender AV build a cache of known-good files and avoid scanning them again on your VMs. In turn, this can help ensure performance on the VM is not impacted.
 
+<!--
 You can run a quick scan [from the command line](command-line-arguments-windows-defender-antivirus.md) or via [System Center Configuration Manager](run-scan-windows-defender-antivirus.md).
+-->
 
 >[!NOTE] 
 ><b>Quick scan versus full scan</b>
@@ -85,7 +98,7 @@ You can run a quick scan [from the command line](command-line-arguments-windows-
 
 
 ### Deploy the base image  
-You’ll then need to deploy the base image across your VDI. For example, you can create or clone a VHD from your base image, and then use that VHD when you create or start your VMs. 
+You'll then need to deploy the base image across your VDI. For example, you can create or clone a VHD from your base image, and then use that VHD when you create or start your VMs. 
 
 The following references provide ways you can create and deploy the base image across your VDI:
 
@@ -102,7 +115,7 @@ The following references provide ways you can create and deploy the base image a
 ## Manage your VMs and base image
 How you manage your VDI will affect the performance impact of Windows Defender AV on your VMs and infrastructure.
 
-Because Windows Defender AV downloads protection updates every day, [or based on your protection update settings](manage-protection-updates-windows-defender-antivirus.md), network bandwidth can be a problem if multiple VMs attempt to download updates at the same time.  
+Because Windows Defender AV downloads protection updates every day, or based on your protection update settings,<!-- (manage-protection-updates-windows-defender-antivirus.md) --> network bandwidth can be a problem if multiple VMs attempt to download updates at the same time.  
 
 Following the guidelines in this means the VMs will only need to download “delta” updates, which are the differences between an existing definition set and the next one. Delta updates are typically much smaller (a few kilobytes) than a full definition download (which can average around 150 mb).
 
@@ -112,9 +125,9 @@ Following the guidelines in this means the VMs will only need to download “del
 If you are using a persistent VDI, you should update the base image monthly, and set up protection updates to be delivered daily via a file share, as follows:  
 1. Create a dedicated file share location on your network that can be accessed by your VMs and your VM host (or other, persistent machine, such as a dedicated admin console that you use to manage your VMs).
 2. Set up a scheduled task on your VM host to automatically download updates from the MMPC website or Microsoft Update and save them to the file share (the [SignatureDownloadCustomTask PowerShell script](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4/DisplayScript) can help with this).
-3. [Configure the VMs to pull protection updates from the file share](manage-protection-updates-windows-defender-antivirus.md).
+3. Configure the VMs to pull protection updates from the file share<!-- (manage-protection-updates-windows-defender-antivirus.md) -->.
 4. Disable or delay automatic Microsoft updates on your VMs. See [Update Windows 10 in the enterprise](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-update-windows-10) for information on managing operating system updates with WSUS, SCCM, and others.
-5. On or just after each Patch Tuesday (the second Tuesday of each month), update your base image with [the latest protection updates from the MMPC website, WSUS, or Microsoft Update](manage-protection-updates-windows-defender-antivirus.md). Also apply all other Windows patches and fixes that were delivered on the Patch Tuesday. You can automate this by following the instructions in [Orchestrated offline VM Patching using Service Management Automation](https://blogs.technet.microsoft.com/privatecloud/2013/12/06/orchestrated-offline-vm-patching-using-service-management-automation/).
+5. On or just after each Patch Tuesday (the second Tuesday of each month), update your base image with the latest protection updates from the MMPC website, WSUS, or Microsoft Update<!-- (manage-protection-updates-windows-defender-antivirus.md)-->. Also apply all other Windows patches and fixes that were delivered on the Patch Tuesday. You can automate this by following the instructions in [Orchestrated offline VM Patching using Service Management Automation](https://blogs.technet.microsoft.com/privatecloud/2013/12/06/orchestrated-offline-vm-patching-using-service-management-automation/).
 5. [Run a quick scan](run-scan-windows-defender-antivirus.md) on your base image before deploying it to your VMs.
 
 A benefit to aligning your image update to the monthly Microsoft Update is that you ensure your VMs will have the latest Windows security patches and other important Microsoft updates without each VM needing to individually download them. 
@@ -125,8 +138,8 @@ A benefit to aligning your image update to the monthly Microsoft Update is that
 If you are using a non-persistent VDI, you can update the base image daily (or nightly) and directly apply the latest updates to the image.
 
 An example:  
-1. Every night or other time when you can safely take your VMs offline, update your base image with t[the latest protection updates from the MMPC website, WSUS, or Microsoft Update](manage-protection-updates-windows-defender-antivirus.md).
-2. [Run a quick scan](run-scan-windows-defender-antivirus.md) on your base image before deploying it to your VMs.
+1. Every night or other time when you can safely take your VMs offline, update your base image with the latest protection updates from the MMPC website, WSUS, or Microsoft Update<!--(manage-protection-updates-windows-defender-antivirus.md)-->.
+2. Run a quick scan<!--(run-scan-windows-defender-antivirus.md)--> on your base image before deploying it to your VMs.
 
 
 
@@ -148,11 +161,11 @@ These settings can be configured as part of creating your base image, or as a da
 
 Windows Defender AV supports the randomization of scheduled scans and signature updates. This can be extremely helpful in reducing boot storms (especially when used in conjuction with [Disable scans from occuring after every update](#disable-scans-after-an-update) and [Scan out-of-date machines or machines that have been offline for a while](#scan-vms-that-have-been-offline).
 
-Scheduled scans run in addition to [real-time protection and scanning](configure-real-time-protection-windows-defender-antivirus.md).
+Scheduled scans run in addition to real-time protection and scanning<!--(configure-real-time-protection-windows-defender-antivirus.md)-->.
 
 The start time of the scan itself is still based on the scheduled scan policy – ScheduleDay, ScheduleTime, ScheduleQuickScanTime.  
  
-<!-- individual instructions will be removed and linked to RS2 content when it’s live, for now I’ll put them inline-->
+<!-- individual instructions will be removed and linked to RS2 content when it's live, for now I'll put them inline-->
 
 **Use Group Policy to randomize scheduled scan start times:**
 
@@ -170,7 +183,7 @@ The start time of the scan itself is still based on the scheduled scan policy 
 
 See [How to create and deploy antimalware policies: Advanced settings]( https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#advanced-settings) for details on configuring System Center Configuration Manager (current branch).
 
-See [Schedule scans](scheduled-catch-up-scans-windows-defender-antivirus.md) for other configuration options available for scheduled scans.
+<!--See [Schedule scans](scheduled-catch-up-scans-windows-defender-antivirus.md) for other configuration options available for scheduled scans.-->
 
 ### Use quick scans
 
@@ -229,7 +242,7 @@ Sometimes, Windows Defender AV notifications may be sent to or persist across mu
 
 ### Disable scans after an update
 
-This setting will prevent a scan from occurring after receiving an update. You can apply this when creating the base image if you have also run a quick scan. This prevents the newly updated VM from performing a scan again (as you’ve already scanned it when you created the base image).
+This setting will prevent a scan from occurring after receiving an update. You can apply this when creating the base image if you have also run a quick scan. This prevents the newly updated VM from performing a scan again (as you've already scanned it when you created the base image).
 
 >[!IMPORTANT]
 >Running scans after an update will help ensure your VMs are protected with the latest definition updates. Disabling this option will reduce the protection level of your VMs and should only be used when first creating or deploying the base image.
@@ -267,9 +280,6 @@ This setting will prevent a scan from occurring after receiving an update. You c
 
 This setting will help ensure protection for a VM that has been offline for some time or has otherwise missed a scheduled scan. 
 
-DisableCatchupQuickScan, is the setting that I use (set to OFF) to ensure that a quick scan is performed on a VM which has been offline and has missed a schedule scan. 
-
-
 **Use Group Policy to enable a catch-up scan:**
 
 1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
@@ -283,6 +293,8 @@ DisableCatchupQuickScan, is the setting that I use (set to OFF) to ensure that a
 1.  Double-click the **Turn on catch-up quick scan** setting and set the option to **Enabled**. Click **OK**. This forces a scan if the VM has missed two or more consecutive scheduled scans.
 
 
+
+
 **Use Configuration Manager to disable scans after an update:**
 
 1.  On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
diff --git a/windows/keep-secure/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/keep-secure/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
index 30d7011a23..296bbd7013 100644
--- a/windows/keep-secure/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
+++ b/windows/keep-secure/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
@@ -46,7 +46,7 @@ PUAs are blocked when a user attempts to download or install the detected file,
 - The file is in the %downloads% folder
 - The file is in the %temp% folder
 
-The file is placed in the quarantine section so it won’t run. 
+The file is placed in the quarantine section so it won't run. 
 
 When a PUA is detected on an endpoint, the endpoint will present a notification to the user ([unless notifications have been disabled](configure-notifications-windows-defender-antivirus.md)) in the same format as normal threat detections (prefaced with "PUA:"). 
 
@@ -66,7 +66,7 @@ You can enable the PUA protection feature with System Center Configuration Manag
 
 You can also use the PUA audit mode to detect PUA without blocking them. The detections will be captured in the Windows event log. 
 
-This feature is useful if your company is conducting an internal software security compliance check and you’d like to avoid any false positives.
+This feature is useful if your company is conducting an internal software security compliance check and you'd like to avoid any false positives.
 
 
 **Use Configuration Manager to configure the PUA protection feature:**
diff --git a/windows/keep-secure/enable-cloud-protection-windows-defender-antivirus.md b/windows/keep-secure/enable-cloud-protection-windows-defender-antivirus.md
index ddb0ce57ac..abdb360aef 100644
--- a/windows/keep-secure/enable-cloud-protection-windows-defender-antivirus.md
+++ b/windows/keep-secure/enable-cloud-protection-windows-defender-antivirus.md
@@ -127,7 +127,7 @@ See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](http
 
 **Enable cloud-delivered protection on individual clients with the Windows Defender Security Center app**
 > [!NOTE]
-> If the **Configure local setting override for reporting Microsoft MAPS** GP setting is set to **Disabled**, then the **Cloud-based protection** setting in Windows Settings will be greyed-out and unavailable. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings.
+> If the **Configure local setting override for reporting Microsoft MAPS** Group Policy setting is set to **Disabled**, then the **Cloud-based protection** setting in Windows Settings will be greyed-out and unavailable. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings.
 
 
 1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
@@ -139,15 +139,15 @@ See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](http
 3.	Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**.
 
 >[!NOTE]
->If automatic sample submission has been configured with GP then the setting will be greyed-out and unavailble.
+>If automatic sample submission has been configured with Group Policy then the setting will be greyed-out and unavailble.
 
 ## Related topics
 
-- [Windows Defender Antivirus in Windows 10](windows-defender-in-windows-10.md)
 - [Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md)
 - [Configure the block at first sight feature](configure-block-at-first-sight-windows-defender-antivirus.md)
 - [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md)
 - [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune)]
 - [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx)
 - [Utilize Microsoft cloud-delivered protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
-- [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service)
\ No newline at end of file
+- [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service)
+- - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
\ No newline at end of file
diff --git a/windows/keep-secure/enable-custom-ti-windows-defender-advanced-threat-protection.md b/windows/keep-secure/enable-custom-ti-windows-defender-advanced-threat-protection.md
index dd97cca65e..da53066333 100644
--- a/windows/keep-secure/enable-custom-ti-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/enable-custom-ti-windows-defender-advanced-threat-protection.md
@@ -41,7 +41,8 @@ You’ll need to use the access token in the Authorization header when doing RES
 
 ## Related topics
 - [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
-- [Create custom threat intelligence alerts](custom-ti-api-windows-defender-advanced-threat-protection.md)
-- [PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md)
-- [Python code examples](python-example-code-windows-defender-advanced-threat-protection.md)
+- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
+- [PowerShell code examples for the custom threat intelligence API](powershell-example-code-windows-defender-advanced-threat-protection.md)
+- [Python code examples for the custom threat intelligence API](python-example-code-windows-defender-advanced-threat-protection.md)
+- [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md)
 - [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/enable-pua-windows-defender-for-windows-10.md b/windows/keep-secure/enable-pua-windows-defender-for-windows-10.md
deleted file mode 100644
index 0feb3a91f8..0000000000
--- a/windows/keep-secure/enable-pua-windows-defender-for-windows-10.md
+++ /dev/null
@@ -1,18 +0,0 @@
----
-title: Detect and block Potentially Unwanted Application with Windows Defender
-description: In Windows 10, you can enable the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time.
-keywords: pua, enable, detect pua, block pua, windows defender and pua
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: detect
-ms.sitesec: library
-ms.pagetype: security
-localizationpriority: medium
-author: dulcemv
-redirect_url: /detect-block-potentially-unwanted-apps-windows-defender-antivirus/
----
-
-# Detect and block Potentially Unwanted Application in Windows 10
-
-This page has been redirected to *Detect and block unwanted applications*.
\ No newline at end of file
diff --git a/windows/keep-secure/enable-siem-integration-windows-defender-advanced-threat-protection.md b/windows/keep-secure/enable-siem-integration-windows-defender-advanced-threat-protection.md
index a645f8ccad..9c83ea0f99 100644
--- a/windows/keep-secure/enable-siem-integration-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/enable-siem-integration-windows-defender-advanced-threat-protection.md
@@ -1,5 +1,5 @@
 ---
-title: Enable SIEM integration in Windows Defender Advanced Threat Protection
+title: Enable SIEM integration in Windows Defender ATP
 description: Enable SIEM integration to receive alerts in your security information and event management (SIEM) solution.
 keywords: enable siem connector, siem, connector, security information and events
 search.product: eADQiWindows 10XVcnh
@@ -49,7 +49,7 @@ Enable security information and event management (SIEM) integration so you can p
 You can now proceed with configuring your SIEM solution or connecting to the alerts REST API through programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive alerts from the Windows Defender ATP portal.
 
 ## Related topics
-- [Configure Splunk](configure-splunk-windows-defender-advanced-threat-protection.md)
-- [Configure ArcSight](configure-arcsight-windows-defender-advanced-threat-protection.md)
+- [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
+- [Configure ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
 - [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md)
 - [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/evaluate-windows-defender-antivirus.md b/windows/keep-secure/evaluate-windows-defender-antivirus.md
index af84e29eb5..4f51b16a7a 100644
--- a/windows/keep-secure/evaluate-windows-defender-antivirus.md
+++ b/windows/keep-secure/evaluate-windows-defender-antivirus.md
@@ -24,7 +24,7 @@ author: iaanw
 - Enterprise security administrators
 
 
-If you�re an enterprise security administrator, and you want to determine how well Windows Defender Antivirus protects you from viruses, malware, and potentially unwanted applications, then you can use this guide to help you evaluate Microsoft protection.
+If you're an enterprise security administrator, and you want to determine how well Windows Defender Antivirus protects you from viruses, malware, and potentially unwanted applications, then you can use this guide to help you evaluate Microsoft protection.
 
 It explains the important features available for both small and large enterprises in Windows Defender, and how they will increase malware detection and protection across your network.
 
@@ -44,7 +44,7 @@ You can also download a PowerShell that will enable all the settings described i
 
 ## Related topics
 
-- [Windows Defender Antivirus](windows-defender-in-windows-10.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
 - [Deploy, manage, and report](deploy-manage-report-windows-defender-antivirus.md)
 
 
diff --git a/windows/keep-secure/experiment-custom-ti-windows-defender-advanced-threat-protection.md b/windows/keep-secure/experiment-custom-ti-windows-defender-advanced-threat-protection.md
index 670b72a6d5..b7f9bce85f 100644
--- a/windows/keep-secure/experiment-custom-ti-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/experiment-custom-ti-windows-defender-advanced-threat-protection.md
@@ -82,3 +82,11 @@ This step will guide you in exploring the custom alert in the portal.
 
 > [!NOTE]
 > It can take up to 15 minutes for the alert to appear in the portal.
+
+## Related topics
+- [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
+- [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md)
+- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
+- [PowerShell code examples for the custom threat intelligence API](powershell-example-code-windows-defender-advanced-threat-protection.md)
+- [Python code examples for the custom threat intelligence API](python-example-code-windows-defender-advanced-threat-protection.md)
+- [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md b/windows/keep-secure/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
index 0e7e6fa111..a301137ca4 100644
--- a/windows/keep-secure/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
@@ -1,6 +1,6 @@
 ---
 title: Fix unhealthy sensors in Windows Defender ATP
-description: Fix machine sensors that are reporting as misconfigured or inactive.
+description: Fix machine sensors that are reporting as misconfigured or inactive so that the service receives data from the machine.
 keywords: misconfigured, inactive, fix sensor, sensor health,  no sensor data, sensor data, impaired communication, communication
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
diff --git a/windows/keep-secure/general-settings-windows-defender-advanced-threat-protection.md b/windows/keep-secure/general-settings-windows-defender-advanced-threat-protection.md
index d53c76fc27..aca26a9b12 100644
--- a/windows/keep-secure/general-settings-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/general-settings-windows-defender-advanced-threat-protection.md
@@ -1,6 +1,6 @@
 ---
 title: Update general Windows Defender Advanced Threat Protection settings
-description: Update your general Windows Defender Advanced Threat Protection settings after onboarding.
+description: Update your general Windows Defender Advanced Threat Protection settings such as data retention or industry after onboarding.
 keywords: general settings, settings, update settings
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
diff --git a/windows/keep-secure/get-started-with-windows-defender-for-windows-10.md b/windows/keep-secure/get-started-with-windows-defender-for-windows-10.md
deleted file mode 100644
index e9c2b82470..0000000000
--- a/windows/keep-secure/get-started-with-windows-defender-for-windows-10.md
+++ /dev/null
@@ -1,16 +0,0 @@
----
-title: Update and manage Windows Defender in Windows 10 (Windows 10)
-description: IT professionals can manage Windows Defender on Windows 10 endpoints in their organization using Microsoft Active Directory or Windows Server Update Services (WSUS), apply updates to endpoints, and manage scans using Group Policy SettingsWindows Management Instrumentation (WMI)PowerShell.
-ms.assetid: 045F5BF2-87D7-4522-97E1-C1D508E063A7
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-localizationpriority: medium
-author: jasesso
-redirect_url: /deploy-manage-report-windows-defender-antivirus/
----
-
-# Update and manage Windows Defender in Windows 10
-
-This page has been redirected to *Windows Defender Antivirus in Windows 10*.
diff --git a/windows/keep-secure/images/atp-azure-ui-user-access.png b/windows/keep-secure/images/atp-azure-ui-user-access.png
new file mode 100644
index 0000000000..dd7fe7dc4d
Binary files /dev/null and b/windows/keep-secure/images/atp-azure-ui-user-access.png differ
diff --git a/windows/keep-secure/images/atp-disableantispyware-regkey.png b/windows/keep-secure/images/atp-disableantispyware-regkey.png
index ae3d800c69..ed34f9dc65 100644
Binary files a/windows/keep-secure/images/atp-disableantispyware-regkey.png and b/windows/keep-secure/images/atp-disableantispyware-regkey.png differ
diff --git a/windows/keep-secure/images/atp-users-at-risk.png b/windows/keep-secure/images/atp-users-at-risk.png
index 4e86dbb2f5..cd43cdf607 100644
Binary files a/windows/keep-secure/images/atp-users-at-risk.png and b/windows/keep-secure/images/atp-users-at-risk.png differ
diff --git a/windows/keep-secure/images/defender/wdav-get-mpthreat.png b/windows/keep-secure/images/defender/wdav-get-mpthreat.png
new file mode 100644
index 0000000000..e1671237a6
Binary files /dev/null and b/windows/keep-secure/images/defender/wdav-get-mpthreat.png differ
diff --git a/windows/keep-secure/images/defender/wdav-get-mpthreatdetection.png b/windows/keep-secure/images/defender/wdav-get-mpthreatdetection.png
new file mode 100644
index 0000000000..3e5de6552f
Binary files /dev/null and b/windows/keep-secure/images/defender/wdav-get-mpthreatdetection.png differ
diff --git a/windows/keep-secure/images/defender/wdav-powershell-get-exclusions-all.png b/windows/keep-secure/images/defender/wdav-powershell-get-exclusions-all.png
new file mode 100644
index 0000000000..099c1a4a48
Binary files /dev/null and b/windows/keep-secure/images/defender/wdav-powershell-get-exclusions-all.png differ
diff --git a/windows/keep-secure/images/defender/wdav-powershell-get-exclusions-variable.png b/windows/keep-secure/images/defender/wdav-powershell-get-exclusions-variable.png
new file mode 100644
index 0000000000..68b455b5a3
Binary files /dev/null and b/windows/keep-secure/images/defender/wdav-powershell-get-exclusions-variable.png differ
diff --git a/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md b/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md
index 813dde388c..152eec4793 100644
--- a/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md
+++ b/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md
@@ -112,7 +112,7 @@ Membership in the local Administrators group, or equivalent, is the minimum requ
 
 5.  After the PC restarts, your TPM will be automatically prepared for use by Windows 10.
 
-## <a href="" id="turn-on-or-turn-off"></a>Turn on or turn off the TPM (TPM 1.2 with Windows 10, version 1507 or 1511)
+## <a href="" id="turn-on-or-turn-off"></a>Turn on or turn off the TPM (available only with TPM 1.2 with Windows 10, version 1507 or 1511)
 
 Normally, the TPM is turned on as part of the TPM initialization process. You do not normally need to turn the TPM on or off. However, if necessary you can do so by using the TPM MMC.
 
@@ -147,6 +147,20 @@ If you want to stop using the services that are provided by the TPM, you can use
   -   If you do not have the removable storage device with your saved TPM owner password, click **I want to enter the password**. In the **Type your TPM owner password** dialog box, type your password (including hyphens), and then click **Turn TPM Off**.
 
   -   If you did not save your TPM owner password or no longer know it, click **I do not have the TPM owner password**, and follow the instructions that are provided in the dialog box and subsequent UEFI screens to turn off the TPM without entering the password.
+  
+### Change the TPM Owner Password (available only with Windows 10, version 1607 and earlier versions)
+
+If you have the [owner password](https://technet.microsoft.com/itpro/windows/keep-secure/change-the-tpm-owner-password) available, you can use TPM.msc to change the TPM Owner Password.
+
+1.  Open the TPM MMC (tpm.msc).
+
+2. In the **Action** pane, click **Change the Owner Password**
+
+  -   If you saved your TPM owner password on a removable storage device, insert it, and then click **I have the owner password file**. In the **Select backup file with the TPM owner password** dialog box, click **Browse** to locate the .tpm file that is saved on your removable storage device, click **Open**, and then click **Turn TPM Off**.
+
+  -   If you do not have the removable storage device with your saved TPM owner password, click **I want to enter the password**. In the **Type your TPM owner password** dialog box, type your password (including hyphens), and then click **Turn TPM Off**.
+
+This capability was fully removed from TPM.msc in later versions of Windows.
 
 ## Use the TPM cmdlets
 
diff --git a/windows/keep-secure/interactive-logon-dont-display-username-at-sign-in.md b/windows/keep-secure/interactive-logon-dont-display-username-at-sign-in.md
new file mode 100644
index 0000000000..db24fb9fca
--- /dev/null
+++ b/windows/keep-secure/interactive-logon-dont-display-username-at-sign-in.md
@@ -0,0 +1,86 @@
+---
+title: Interactive logon Don't display username at sign-in (Windows 10)
+description: Describes the best practices, location, values, and security considerations for the Interactive logon Don't display username at sign-in security policy setting.
+ms.assetid: 98b24b03-95fe-4edc-8e97-cbdaa8e314fd
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Interactive logon: Don't display username at sign-in
+
+**Applies to**
+-   Windows Server 2003, Windows Vista, Windows XP, Windows Server 2008, Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2012, Windows 8, Windows 10
+
+Describes the best practices, location, values, and security considerations for the **Interactive logon: Don't display username at sign-in** security policy setting. 
+
+## Reference
+
+A new policy setting has been introduced in Windows 10 starting with Windows 10 version 1703. This security policy setting determines whether the username is displayed during sign in. This setting only affects the **Other user** tile.
+
+If the policy is enabled and a user signs in as **Other user**, the full name of the user is not displayed during sign-in. In the same context, if users type their email address and password at the sign in screen and press **Enter**, the displayed text “Other user” remains unchanged, and is no longer replaced by the user’s first and last name, as in previous versions of Windows 10. Additionally,if users enter their domain user name and password and click **Submit**, their full name is not shown until the Start screen displays.
+
+If the policy is disabled and a user signs in as **Other user**, the “Other user” text is replaced by the user’s first and last name during sign-in.
+
+### Possible values
+
+-   Enabled
+-   Disabled
+-   Not defined
+
+### Best practices
+
+Your implementation of this policy depends on your security requirements for displayed logon information. If you have devices that store sensitive data, with monitors displayed in unsecured locations, or if you have devices with sensitive data that are remotely accessed, revealing logged on user’s full names or domain account names might contradict your overall security policy.
+
+### Location
+
+Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
+
+### Default values
+
+| Server type or Group Policy object (GPO) | Default value|
+| - | - |
+| Default domain policy| Not defined|
+| Default domain controller policy| Not defined|
+| Stand-alone server default settings | Not defined|
+| Domain controller effective default settings | Not defined|
+| Member server effective default settings | Not defined|
+| Effective GPO default settings on client computers | Not defined|
+ 
+## Policy management
+
+This section describes features and tools that are available to help you manage this policy.
+
+### Restart requirement
+
+None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
+
+### Policy conflict considerations
+
+None.
+
+### Group Policy
+
+This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in.
+
+## Security considerations
+
+This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
+
+### Vulnerability
+
+An attacker with access to the console (for example, someone with physical access or someone who can connect to the device through Remote Desktop Session Host) could view the name of the last user who logged on. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try to log on.
+
+### Countermeasure
+
+Enable the **Interactive logon: Don't display user name at sign-in** setting.
+
+### Potential impact
+
+Users must always type their usernames and passwords when they log on locally or to the domain. The logon tiles of all logged on users are not displayed.
+
+## Related topics
+
+- [Security Options](security-options.md)
diff --git a/windows/keep-secure/investigate-user-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-user-windows-defender-advanced-threat-protection.md
index 276cb49632..e0b1346b9e 100644
--- a/windows/keep-secure/investigate-user-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/investigate-user-windows-defender-advanced-threat-protection.md
@@ -1,6 +1,6 @@
 ---
-title: Investigate user account in Windows Defender Advanced Threat Protection
-description: Investigate a user account in Windows Defender Advanced Threat Protection for potential compromised credentials or pivot on the associated user account during an investigation.
+title: Investigate a user account in Windows Defender ATP
+description: Investigate a user account for potential compromised credentials or pivot on the associated user account during an investigation.
 keywords: investigate, account, user, user entity, alert, windows defender atp
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
diff --git a/windows/keep-secure/limitations-with-wip.md b/windows/keep-secure/limitations-with-wip.md
index 39aaeb8dc5..0ab1a6ae4b 100644
--- a/windows/keep-secure/limitations-with-wip.md
+++ b/windows/keep-secure/limitations-with-wip.md
@@ -13,7 +13,7 @@ localizationpriority: high
 # Limitations while using Windows Information Protection (WIP)
 **Applies to:**
 
--   Windows 10, version 1607
+-   Windows 10, version 1703
 -   Windows 10 Mobile
 
 This table provides info about the most common problems you might encounter while running WIP in your organization.
@@ -26,7 +26,7 @@ This table provides info about the most common problems you might encounter whil
     </tr>
     <tr>
         <td>Your enterprise data on USB drives might be tied to the device it was protected on, based on your Azure RMS configuration.</td>
-        <td><strong>If you’re using Azure RMS:</strong> Authenticated users can open enterprise data on USB drives, on computers running the latest build from the Windows Insider Program.<p><strong>If you’re not using Azure RMS:</strong> Data in the new location remains encrypted, but becomes inaccessible on other devices and for other users. For example, the file won't open or the file opens, but doesn't contain readable text.</td>
+        <td><strong>If you’re using Azure RMS:</strong> Authenticated users can open enterprise data on USB drives, on computers running Windows 10, version 1703.<p><strong>If you’re not using Azure RMS:</strong> Data in the new location remains encrypted, but becomes inaccessible on other devices and for other users. For example, the file won't open or the file opens, but doesn't contain readable text.</td>
         <td>Share files with fellow employees through enterprise file servers or enterprise cloud locations. If data must be shared via USB, employees can decrypt protected files, but it will be audited.<p>We strongly recommend educating employees about how to limit or eliminate the need for this decryption.</td>
     </tr>
     <tr>
@@ -79,6 +79,27 @@ This table provides info about the most common problems you might encounter whil
         <td>Webpages that use ActiveX controls can potentially communicate with other outside processes that aren’t protected by using WIP.</td>
         <td>We recommend that you switch to using Microsoft Edge, the more secure and safer browser that prevents the use of ActiveX controls. We also recommend that you limit the usage of Internet Explorer 11 to only those line-of-business apps that require legacy technology.<p>For more info, see [Out-of-date ActiveX control blocking](https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking).</td>
     </tr>
+    <tr>
+        <td>WIP isn’t turned on if any of the following folders have the <strong>MakeFolderAvailableOfflineDisabled</strong> option set to <strong>False</strong>:
+            <ul>
+                <li>AppDataRoaming</li>
+                <li>Desktop</li>
+                <li>StartMenu</li>
+                <li>Documents</li>
+                <li>Pictures</li>
+                <li>Music</li>
+                <li>Videos</li>
+                <li>Favorites</li>
+                <li>Contacts</li>
+                <li>Downloads</li>
+                <li>Links</li>
+                <li>Searches</li>
+                <li>SavedGames</li>
+            </ul>
+        </td>
+        <td>WIP isn’t turned on for employees in your organization.</td>
+        <td>Don’t set the <strong>MakeFolderAvailableOfflineDisabled</strong> option to <strong>False</strong> for any of the specified folders.<p>If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/en-us/help/3187045/can-t-open-files-offline-when-you-use-offline-files-and-windows-information-protection).</td>
+    </tr>
 </table>
 
 >[!NOTE]
diff --git a/windows/keep-secure/machines-view-overview-windows-defender-advanced-threat-protection.md b/windows/keep-secure/machines-view-overview-windows-defender-advanced-threat-protection.md
index 73f0e86007..4537784b7b 100644
--- a/windows/keep-secure/machines-view-overview-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/machines-view-overview-windows-defender-advanced-threat-protection.md
@@ -1,6 +1,6 @@
 ---
 title: View and organize the Windows Defender ATP machines list
-description: Learn about the available features that you can use from the Machines list such as sorting, filtering, and exporting the machine list which can enhance investigations.
+description: Learn about the available features that you can use from the Machines list such as sorting, filtering, and exporting the list to enhance investigations.
 keywords: sort, filter, export, csv, machine name, domain, last seen, internal IP, health state, active alerts, active malware detections, threat category, review alerts, network, connection, malware, type, password stealer, ransomware, exploit, threat, general malware, unwanted software
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
diff --git a/windows/keep-secure/manage-event-based-updates-windows-defender-antivirus.md b/windows/keep-secure/manage-event-based-updates-windows-defender-antivirus.md
index 39ecd14409..e1142eb8e3 100644
--- a/windows/keep-secure/manage-event-based-updates-windows-defender-antivirus.md
+++ b/windows/keep-secure/manage-event-based-updates-windows-defender-antivirus.md
@@ -124,7 +124,7 @@ You can also use Group Policy, PowerShell, or WMI to configure Windows Defender
 
 **Use PowerShell cmdlets to download updates when Windows Defender AV is not present:**
 
-Use the following cmdlets to enable cloud-delivered protection:
+Use the following cmdlets:
 
 ```PowerShell
 Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine
@@ -171,9 +171,13 @@ If you have enabled cloud-delivered protection, Windows Defender AV will send fi
 
 ## Related topics
 
+- [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
 - [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
-- [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)
-- [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)
+- [Manage Windows Defender Antivirus protection and definition updates](manage-protection-updates-windows-defender-antivirus.md)
+- [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
+- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
+- [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
 
 
 
diff --git a/windows/keep-secure/manage-outdated-endpoints-windows-defender-antivirus.md b/windows/keep-secure/manage-outdated-endpoints-windows-defender-antivirus.md
index 87b9ad4cbd..7228604795 100644
--- a/windows/keep-secure/manage-outdated-endpoints-windows-defender-antivirus.md
+++ b/windows/keep-secure/manage-outdated-endpoints-windows-defender-antivirus.md
@@ -56,7 +56,7 @@ If Windows Defender AV did not download protection updates for a specified perio
 
 **Use PowerShell cmdlets to configure catch-up protection updates:**
 
-Use the following cmdlets to enable cloud-delivered protection:
+Use the following cmdlets:
 
 ```PowerShell
 Set-MpPreference -SignatureUpdateCatchupInterval
@@ -145,11 +145,11 @@ This feature can be enabled for both full and quick scans.
     4. Enter the number of scans that can be missed before a scan will be automatically run when the user next logs on to the PC. The type of scan that is run is determined by the **Specify the scan type to use for a scheduled scan** (see the [Schedule scans](scheduled-catch-up-scans-windows-defender-antivirus.md) topic). Click **OK**.
 
 > [!NOTE]
-> The GP setting title refers to the number of days. The setting, however, is applied to the number of scans (not days) before the catch-up scan will be run.
+> The Group Policy setting title refers to the number of days. The setting, however, is applied to the number of scans (not days) before the catch-up scan will be run.
 
-**Use PowerShell cmdlets to XX:**
+**Use PowerShell cmdlets to configure catch-up scans:**
 
-Use the following cmdlets to enable cloud-delivered protection:
+Use the following cmdlets:
 
 ```PowerShell
 Set-MpPreference -DisableCatchupFullScan
@@ -185,6 +185,10 @@ See the following for more information and allowed parameters:
 
 ## Related topics
 
+- [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
 - [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
-- [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)
-- [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)
+- [Manage Windows Defender Antivirus protection and definition updates](manage-protection-updates-windows-defender-antivirus.md)
+- [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
+- [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
+- [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
\ No newline at end of file
diff --git a/windows/keep-secure/manage-protection-update-schedule-windows-defender-antivirus.md b/windows/keep-secure/manage-protection-update-schedule-windows-defender-antivirus.md
index 8112758cdd..28197fc0c6 100644
--- a/windows/keep-secure/manage-protection-update-schedule-windows-defender-antivirus.md
+++ b/windows/keep-secure/manage-protection-update-schedule-windows-defender-antivirus.md
@@ -74,7 +74,7 @@ You can also randomize the times when each endpoint checks and downloads protect
 
 **Use PowerShell cmdlets to schedule protection updates:**
 
-Use the following cmdlets to enable cloud-delivered protection:
+Use the following cmdlets:
 
 ```PowerShell
 Set-MpPreference -SignatureScheduleDay
@@ -100,9 +100,13 @@ See the following for more information and allowed parameters:
 
 ## Related topics
 
+- [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
 - [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
-- [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)
-- [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)
+- [Manage Windows Defender Antivirus protection and definition updates](manage-protection-updates-windows-defender-antivirus.md)
+- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
+- [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
+- [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
 
 
 
diff --git a/windows/keep-secure/manage-protection-updates-windows-defender-antivirus.md b/windows/keep-secure/manage-protection-updates-windows-defender-antivirus.md
index 00e332bca1..a9cc36fc65 100644
--- a/windows/keep-secure/manage-protection-updates-windows-defender-antivirus.md
+++ b/windows/keep-secure/manage-protection-updates-windows-defender-antivirus.md
@@ -131,6 +131,11 @@ See the following for more information:
 
 
 ## Related topics
+- [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
+- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
+- [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
+- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
+- [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
+- [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
 
-- [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)
-- [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)
diff --git a/windows/keep-secure/mandatory-settings-for-wip.md b/windows/keep-secure/mandatory-settings-for-wip.md
index f92c5cee6a..8ab1cccc68 100644
--- a/windows/keep-secure/mandatory-settings-for-wip.md
+++ b/windows/keep-secure/mandatory-settings-for-wip.md
@@ -13,13 +13,13 @@ localizationpriority: high
 # Mandatory tasks and settings required to turn on Windows Information Protection (WIP)
 **Applies to:**
 
--   Windows 10, version 1607
+-   Windows 10, version 1703
 -   Windows 10 Mobile
 
 This list provides all of the tasks and settings that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your enterprise.
 
 >[!IMPORTANT]
->All sections provided for more info appear in either the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) or [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md), based on the tool you're using in your enterprise.
+>All sections provided for more info appear in either the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) or [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md), based on the tool you're using in your organization.
 
 
 |Task                                |Description               |
diff --git a/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md
index b8c5694f12..5498802fbb 100644
--- a/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md
@@ -53,10 +53,7 @@ The hardware requirements for Windows Defender ATP on endpoints is the same as t
 #### Internet connectivity
 Internet connectivity on endpoints is required.
 
-SENSE can utilize up to 5MB daily of bandwidth  to communicate with the Windows Defender ATP cloud service and report cyber data.
-
-> [!NOTE]
-> SENSE is the internal name used to refer to the behavioral sensor that powers Windows Defender ATP.
+The Windows Defender ATP sensor can utilize up to 5MB daily of bandwidth  to communicate with the Windows Defender ATP cloud service and report cyber data.
 
 For more information on additional proxy configuration settings see, [Configure Windows Defender ATP endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) .
 
diff --git a/windows/keep-secure/overview-of-threat-mitigations-in-windows-10.md b/windows/keep-secure/overview-of-threat-mitigations-in-windows-10.md
index 2e7af88cf4..718ca488fb 100644
--- a/windows/keep-secure/overview-of-threat-mitigations-in-windows-10.md
+++ b/windows/keep-secure/overview-of-threat-mitigations-in-windows-10.md
@@ -365,17 +365,33 @@ to Windows 10 features</strong></th>
 
 ### Converting an EMET XML settings file into Windows 10 mitigation policies
 
-One of EMET’s strengths is that it allows you to import and export configuration settings for EMET mitigations as an XML settings file, thus enabling a straightforward deployment workflow. To aid with security configuration and deployment of Windows 10 devices, you can download a set of EMET Policy Converter cmdlets. With these cmdlets, you can use an EMET XML settings file to generate mitigation policies for Windows 10.
+One of EMET’s strengths is that it allows you to import and export configuration settings for EMET mitigations as an XML settings file for straightforward deployment. To generate mitigation policies for Windows 10 from an EMET XML settings file, you can install the ProcessMitigations PowerShell module. In an elevated PowerShell session, run this cmdlet:
 
-The Converter feature is currently available as a Windows PowerShell cmdlet, **Set-ProcessMitigations -c** (instead of **-c**, you can also type **-Convert**). This cmdlet, and the Process Mitigation Management Tool collection of cmdlets, provides the following capabilities:
+```powershell
+Install-Module -Name ProcessMitigations
+```
 
--   **Converting EMET settings to Windows 10 settings**: You can run **Set-ProcessMitigations -Convert** and provide an EMET XML settings file as input, which will generate an output file of Windows 10 mitigation settings.
+The ConvertTo-ProcessMitigationPolicy cmdlet can:
 
--   **Auditing and modifying the converted settings (the output file)**: After you create the output file, you can apply and manually audit the mitigation settings by running cmdlets, through which you can Apply, Enumerate, Enable, Disable, and Save settings (see the Process Mitigation Management Tool documentation).
+-   **Convert EMET settings to Windows 10 settings**: You can run ConvertTo-ProcessMitigationPolicy and provide an EMET XML settings file as input, which will generate an output file of Windows 10 mitigation settings. For example:
+    
+    ```powershell
+    ConvertTo-ProcessMitigationPolicy -EMETfile emetpolicy.xml -output newconfiguration.xml
+    ```
 
--   **Converting Attack Surface Reduction (ASR) settings to a Code Integrity policy file**: If the input file contains any settings for EMET’s Attack Surface Reduction (ASR) mitigation, the converter will also create a Code Integrity policy file. In this case, you can complete the merging, auditing, and deployment process for the Code Integrity policy, as described in [Deploy Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md). This will enable protections on Windows 10 equivalent to EMET’s ASR protections.
+-   **Audit and modify the converted settings (the output file)**: Additional cmdlets let you apply, enumerate, enable, disable, and save settings in the output file. For example, this cmdlet enables SEHOP and disables MandatoryASLR and DEPATL registry settings for Notepad:
 
--   **Converting Certificate Trust settings to enterprise certificate pinning rules**: If you have an EMET “Certificate Trust” XML file (pinning rules file), you can also use **Set-ProcessMitigations -Convert** to convert the pinning rules file into an enterprise certificate pinning rules file. Then you can finish enabling that file as described in [Enterprise Certificate Pinning](enterprise-certificate-pinning.md).
+    ```powershell
+    Set-ProcessMitigation -Name notepad.exe -Enable SEHOP -Disable MandatoryASLR,DEPATL
+    ```
+
+-   **Convert Attack Surface Reduction (ASR) settings to a Code Integrity policy file**: If the input file contains any settings for EMET’s Attack Surface Reduction (ASR) mitigation, the converter will also create a Code Integrity policy file. In this case, you can complete the merging, auditing, and deployment process for the Code Integrity policy, as described in [Deploy Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md). This will enable protections on Windows 10 equivalent to EMET’s ASR protections.
+
+-   **Convert Certificate Trust settings to enterprise certificate pinning rules**: If you have an EMET “Certificate Trust” XML file (pinning rules file), you can also use ConvertTo-ProcessMitigationPolicy to convert the pinning rules file into an enterprise certificate pinning rules file. Then you can finish enabling that file as described in [Enterprise Certificate Pinning](enterprise-certificate-pinning.md). For example:
+
+    ```powershell
+    ConvertTo-ProcessMitigationPolicy -EMETfile certtrustrules.xml -output enterprisecertpinningrules.xml
+    ```
 
 #### EMET-related products
 
diff --git a/windows/keep-secure/powershell-example-code-windows-defender-advanced-threat-protection.md b/windows/keep-secure/powershell-example-code-windows-defender-advanced-threat-protection.md
index 1e062c51a0..b41b8bdaae 100644
--- a/windows/keep-secure/powershell-example-code-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/powershell-example-code-windows-defender-advanced-threat-protection.md
@@ -71,7 +71,8 @@ You can use the complete code to create calls to the API.
 
 ## Related topics
 - [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
-- [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md)
-- [Create custom threat intelligence alerts](custom-ti-api-windows-defender-advanced-threat-protection.md)
-- [Python code examples](python-example-code-windows-defender-advanced-threat-protection.md)
+- [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md)
+- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
+- [Python code examples for the custom threat intelligence API](python-example-code-windows-defender-advanced-threat-protection.md)
+- [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md)
 - [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/preferences-setup-windows-defender-advanced-threat-protection.md b/windows/keep-secure/preferences-setup-windows-defender-advanced-threat-protection.md
index 1523930b5c..dab6725222 100644
--- a/windows/keep-secure/preferences-setup-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/preferences-setup-windows-defender-advanced-threat-protection.md
@@ -1,5 +1,5 @@
 ---
-title: Configure Windows Defender Advanced Threat Protection preferences settings
+title: Configure Windows Defender ATP preferences settings
 description: Use the preferences setup to configure and update your preferences settings such as enabling advanced features, preview experience, email notifications, or custom threat intelligence.
 keywords: preferences settings, settings, advanced features, preview experience, email notifications, custom threat intelligence
 search.product: eADQiWindows 10XVcnh
diff --git a/windows/keep-secure/preview-settings-windows-defender-advanced-threat-protection.md b/windows/keep-secure/preview-settings-windows-defender-advanced-threat-protection.md
index f1e4b41964..8ae02a81bb 100644
--- a/windows/keep-secure/preview-settings-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/preview-settings-windows-defender-advanced-threat-protection.md
@@ -1,5 +1,5 @@
 ---
-title: Turn on the preview experience in Windows Defender Advanced Threat Protection
+title: Turn on the preview experience in Windows Defender ATP
 description: Turn on the preview experience in Windows Defender Advanced Threat Protection to try upcoming features.
 keywords: advanced features, preferences setup, block file
 search.product: eADQiWindows 10XVcnh
diff --git a/windows/keep-secure/protect-enterprise-data-using-wip.md b/windows/keep-secure/protect-enterprise-data-using-wip.md
index a37553eb2c..7f5e04babd 100644
--- a/windows/keep-secure/protect-enterprise-data-using-wip.md
+++ b/windows/keep-secure/protect-enterprise-data-using-wip.md
@@ -93,8 +93,8 @@ WIP gives you a new way to manage data policy enforcement for apps and documents
     -   **Helping prevent accidental data disclosure to removable media.** WIP helps prevent enterprise data from leaking when it's copied or transferred to removable media. For example, if an employee puts enterprise data on a Universal Serial Bus (USB) drive that also has personal data, the enterprise data remains encrypted while the personal data doesn’t.
 
 -   **Remove access to enterprise data from enterprise-protected devices.** WIP gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can use Microsoft Intune to unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable.
-    >[!NOTE] 
-    >For management of Surface devices it is recommended that you use the Current Branch of System Center Configuration Manager.<br>System Center Configuration Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device.
+    
+    >**Note**<br>For management of Surface devices it is recommended that you use the Current Branch of System Center Configuration Manager.<br>System Center Configuration Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device.
 
 ## How WIP works
 WIP helps address your everyday challenges in the enterprise. Including:
diff --git a/windows/keep-secure/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md b/windows/keep-secure/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md
index 670143cd10..5e04c5302d 100644
--- a/windows/keep-secure/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md
@@ -190,6 +190,6 @@ HTTP error code | Description
 
 ## Related topics
 - [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
-- [Configure Splunk](configure-splunk-windows-defender-advanced-threat-protection.md)
-- [Configure ArcSight](configure-arcsight-windows-defender-advanced-threat-protection.md)
+- [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
+- [Configure ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
 - [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md b/windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md
index fb4e54687b..a67b250923 100644
--- a/windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md
@@ -73,8 +73,9 @@ You can use the complete code to create calls to the API.
 [!code[CustomTIAPI](./code/example.py#L1-L53)]
 
 ## Related topics
-- [Understand threat intelligence](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
-- [Create custom threat intelligence alerts](custom-ti-api-windows-defender-advanced-threat-protection.md)
-- [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md)
-- [PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md)
+- [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
+- [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md)
+- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
+- [PowerShell code examples for the custom threat intelligence API](powershell-example-code-windows-defender-advanced-threat-protection.md)
+- [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md)
 - [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md
index 0bba05e0b7..35cd55629e 100644
--- a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md
+++ b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md
@@ -62,7 +62,9 @@ The following tables provide more information about the hardware, firmware, and
 
 The following tables describes additional hardware and firmware requirements, and the improved security that is available when those requirements are met.
 
-### Additional Qualification Requirements starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4
+
+### Additional security qualifications starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4
+
 
 | Protections for Improved Security - requirement         | Description                                        |
 |---------------------------------------------|----------------------------------------------------|
diff --git a/windows/keep-secure/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/keep-secure/respond-file-alerts-windows-defender-advanced-threat-protection.md
index b7812a0ba4..e9d223c9d6 100644
--- a/windows/keep-secure/respond-file-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/respond-file-alerts-windows-defender-advanced-threat-protection.md
@@ -1,5 +1,5 @@
 ---
-title: Take response actions on a file in Windows Defender Advanced Threat Protection
+title: Take response actions on a file in Windows Defender ATP
 description: Take response actions on file related alerts by stopping and quarantining a file or blocking a file and checking activity details.
 keywords: respond, stop and quarantine, block file, deep analysis
 search.product: eADQiWindows 10XVcnh
@@ -85,7 +85,7 @@ You can roll back and remove a file from quarantine if you’ve determined that
   ```
   “%ProgramFiles%\Windows Defender\MpCmdRun.exe” –Restore –Name EUS:Win32/CustomEnterpriseBlock –All
   ```
-  
+
 > [!NOTE]
 > Windows Defender ATP will remove all files that were quarantined on this machine in the last 30 days.
 
diff --git a/windows/keep-secure/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/keep-secure/respond-machine-alerts-windows-defender-advanced-threat-protection.md
index 0e2b10168f..d0c899983f 100644
--- a/windows/keep-secure/respond-machine-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/respond-machine-alerts-windows-defender-advanced-threat-protection.md
@@ -1,5 +1,5 @@
 ---
-title: Take response actions on a machine in Windows Defender Advanced Threat Protection
+title: Take response actions on a machine in Windows Defender ATP
 description: Take response actions on a machine by isolating machines, collecting an investigation package, and checking activity details.
 keywords: respond, isolate, isolate machine, collect investigation package, action center
 search.product: eADQiWindows 10XVcnh
diff --git a/windows/keep-secure/response-actions-windows-defender-advanced-threat-protection.md b/windows/keep-secure/response-actions-windows-defender-advanced-threat-protection.md
index 22b507a210..a22e882c62 100644
--- a/windows/keep-secure/response-actions-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/response-actions-windows-defender-advanced-threat-protection.md
@@ -1,5 +1,5 @@
 ---
-title: Take response actions on files and machines in Windows Defender Advanced Threat Protection
+title: Take response actions on files and machines in Windows Defender ATP
 description: Take response actions on files and machines by stopping and quarantining files, blocking a file, isolating machines, or collecting an investigation package.
 keywords: respond, stop and quarantine, block file, deep analysis, isolate machine, collect investigation package, action center
 search.product: eADQiWindows 10XVcnh
diff --git a/windows/keep-secure/review-scan-results-windows-defender-antivirus.md b/windows/keep-secure/review-scan-results-windows-defender-antivirus.md
index 7147c968b9..aa7ec15eef 100644
--- a/windows/keep-secure/review-scan-results-windows-defender-antivirus.md
+++ b/windows/keep-secure/review-scan-results-windows-defender-antivirus.md
@@ -1,7 +1,7 @@
 ---
 title: Review the results of Windows Defender AV scans 
 description: Review the results of scans using System Center Configuration Manager, Microsoft Intune, or the Windows Defender Security Center app
-keywords: 
+keywords: scan results, remediation, full scan, quick scan
 search.product: eADQiWindows 10XVcnh
 ms.pagetype: security
 ms.prod: w10
@@ -13,3 +13,79 @@ author: iaanw
 ---
 
 # Review Windows Defender AV scan results
+
+
+**Applies to:**
+
+- Windows 10
+
+**Audience**
+
+- Enterprise security administrators
+
+**Manageability available with**
+
+- PowerShell
+- Windows Management Instrumentation (WMI)
+- System Center Configuration Manager 
+- Microsoft Intune
+- Windows Defender Security Center app
+
+
+After Windows Defender Antivirus has completed a scan, whether it is an [on-demand](run-scan-windows-defender-antivirus.md) or [scheduled scan](scheduled-catch-up-scans-windows-defender-antivirus.md), the results are recorded and you can view the results. You can also define
+
+
+**Use Configuration Manager to review Windows Defender AV scan results:**
+
+See [How to monitor Endpoint Protection status](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/monitor-endpoint-protection).
+
+
+**Use the Windows Defender Security Center app to review Windows Defender AV scan results:**
+
+1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+
+2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Scan history** label.
+
+    - Click **See full history** for any of the sections to see previous detections and the action taken. You can also clear the list.
+    - Information about the last scan is displayed at the bottom of the page.
+
+
+
+
+**Use PowerShell cmdlets to review Windows Defender AV scan results:**
+
+The following cmdlet will return each detection on the endpoint. If there are multiple detection of the same threat, each detection will be listed separately, based on the time of each detection:
+
+```PowerShell
+Get-MpThreatDetection
+```
+
+![IMAGEALT](images/defender/wdav-get-mpthreatdetection.png)
+
+You can specify `-ThreatID` to limit the output to only show the detections for a specific threat.
+
+If you want to list threat detections, but combine detections of the same threat into a single item, you can use the following cmdlet:
+
+```PowerShell
+Get-MpThreat
+```
+
+![IMAGEALT](images/defender/wdav-get-mpthreat.png)
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+**Use Windows Management Instruction (WMI) to review Windows Defender AV scan results:**
+
+Use the [**Get** method of the **MSFT_MpThreat** and **MSFT_MpThreatDetection**](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) classes.
+
+
+**Use Microsoft Intune to review Windows Defender AV scan results:**
+
+See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune: Monitor Endpoint Protection](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#monitor-endpoint-protection).
+
+
+
+## Related topics
+
+- [Customize, initiate, and review the results of Windows Defender AV scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
\ No newline at end of file
diff --git a/windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md b/windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md
deleted file mode 100644
index f8f3682a5d..0000000000
--- a/windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md
+++ /dev/null
@@ -1,18 +0,0 @@
----
-title: Learn how to run a scan from command line in Windows Defender (Windows 10)
-description: Windows Defender utility enables IT professionals to use command line to run antivirus scans.
-keywords: run windows defender scan, run antivirus scan from command line, run windows defender scan from command line, mpcmdrun, defender
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-localizationpriority: medium
-author: mjcaparas
-redirect_url: /command-line-arguments-windows-defender-antivirus/
----
-
-# Run a Windows Defender scan from the command line
-
-This page has been redirected to *Use�the�mpcmdrun.exe�commandline�tool�to�configure�and�manage�Windows�Defender�Antivirus*.
\ No newline at end of file
diff --git a/windows/keep-secure/run-scan-windows-defender-antivirus.md b/windows/keep-secure/run-scan-windows-defender-antivirus.md
index 2c09909c04..f494c10f93 100644
--- a/windows/keep-secure/run-scan-windows-defender-antivirus.md
+++ b/windows/keep-secure/run-scan-windows-defender-antivirus.md
@@ -1,7 +1,7 @@
 ---
 title: Run and customize on-demand scans in Windows Defender AV
 description: Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Defender Security Center app
-keywords: 
+keywords: scan, on-demand, dos, intune, instant scan
 search.product: eADQiWindows 10XVcnh
 ms.pagetype: security
 ms.prod: w10
@@ -16,44 +16,93 @@ author: iaanw
 
 
 
-# Configure and run Windows Defender AV scans
+# Configure and run on-demand Windows Defender AV scans
 
 **Applies to:**
 
 - Windows 10
 
-IT professionals can use a command-line utility to run a Windows Defender scan. 
+**Audience**
 
-The utility is available in _%Program Files%\Windows Defender\MpCmdRun.exe_.
+- Enterprise security administrators
 
-This utility can be handy when you want to automate the use of Windows Defender. 
+**Manageability available with**
 
-**To run a quick scan from the command line**
+- Windows Defender AV mpcmdrun utility
+- PowerShell
+- Windows Management Instrumentation (WMI)
+- System Center Configuration Manager 
+- Microsoft Intune
+- Windows Defender Security Center app
 
-1. Click **Start**, type **cmd**, and press **Enter**.
-2. Navigate to _%ProgramFiles%\Windows Defender_ and enter the following command, and press **Enter**:
-
-```
-C:\Program Files\Windows Defender\mpcmdrun.exe -scan -scantype 1
-```
-The quick scan will start. When the scan completes, you'll see a message indicating that the scan is finished. 
+You can run an on-demand scan on individual endpoints. These scans will start immediately, and you can define parameters for the scan, such as the location or type.
 
 
-The utility also provides other commands that you can run:
+## Quick scan versus full scan
 
-```
-MpCmdRun.exe [command] [-options]
+Quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders. 
+
+Combined with [always-on real-time protection capability](configure-real-time-protection-windows-defender-antivirus.md) - which reviews files when they are opened and closed, and whenever a user navigates to a folder - a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware.  
+
+In most instances, this means a quick scan is adequate to find malware that wasn't picked up by real-time protection.
+
+A full scan can be useful on endpoints that have encountered a malware threat to identify if there are any inactive components that require a more thorough clean-up, and can be ideal when running on-demand scans.
+
+
+**Use the mpcmdrum.exe command-line utility to run a scan:**
+
+Use the following `-scan` parameter:
+
+```DOS
+mpcmdrun.exe -scan -scantype 1
 ```
 
-Command | Description 
-:---|:---
-\- ? / -h | Displays all available options for the tool
-\-Scan [-ScanType #] [-File <path> [-DisableRemediation] [-BootSectorScan]][-Timeout <days>] | Scans for malicious software
-\-Trace  [-Grouping #] [-Level #]| Starts diagnostic tracing
-\-GetFiles | Collects support information
-\-RemoveDefinitions [-All] | Restores the installed signature definitions to a previous backup copy or to the original default set of signatures
-\-AddDynamicSignature [-Path] | Loads a dynamic signature
-\-ListAllDynamicSignature [-Path] | Lists the loaded dynamic signatures
-\-RemoveDynamicSignature [-SignatureSetID] | Removes a dynamic signature
-<br>
-The command-line utility provides detailed information on the other commands supported by the tool. 
+
+
+See [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender Antivirus](command-line-arguments-windows-defender-antivirus.md) for more information on how to use the tool and additional parameters, including starting a full scan or defining paths.
+
+
+
+**Use Configuration Manager to run a scan:**
+
+See [Antimalware and firewall tasks: How to perform an on-demance scan](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-firewall#how-to-perform-an-on-demand-scan-of-computers) for details on using System Center Configuration Manager (current branch) to run a scan.
+
+
+
+**Use the Windows Defender Security Center app to run a scan:**
+
+See [Run a scan in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md#scan) for instructions on running a scan on individual endpoints.
+
+
+
+**Use PowerShell cmdlets to run a scan:**
+
+Use the following cmdlet:
+
+```PowerShell
+Start-MpScan
+```
+
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+**Use Windows Management Instruction (WMI) to run a scan:**
+
+Use the [**Start** method of the **MSFT_MpScan**](https://msdn.microsoft.com/en-us/library/dn455324(v=vs.85).aspx#methods) class.
+
+See the following for more information and allowed parameters:
+- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
+
+
+**Use Microsoft Intune to run a scan:**
+
+
+See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune: Run a malware scan](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#run-a-malware-scan-or-update-malware-definitions-on-a-computer) and [Windows Defender policy settings in Windows 10](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune#windows-defender-1) for more details.
+
+
+## Related topics
+
+
+- [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
+- [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
\ No newline at end of file
diff --git a/windows/keep-secure/scheduled-catch-up-scans-windows-defender-antivirus.md b/windows/keep-secure/scheduled-catch-up-scans-windows-defender-antivirus.md
index 0c16327c23..50ca1d5359 100644
--- a/windows/keep-secure/scheduled-catch-up-scans-windows-defender-antivirus.md
+++ b/windows/keep-secure/scheduled-catch-up-scans-windows-defender-antivirus.md
@@ -1,7 +1,7 @@
 ---
 title: Schedule regular scans with Windows Defender AV
 description: Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans
-keywords: 
+keywords: schedule scan, daily, weekly, time, scheduled, recurring, regular
 search.product: eADQiWindows 10XVcnh
 ms.pagetype: security
 ms.prod: w10
@@ -22,7 +22,7 @@ author: iaanw
 
 **Audience**
 
-- Network administrators
+- Enterprise security administrators
 
 **Manageability available with**
 
@@ -37,7 +37,197 @@ author: iaanw
 > By default, Windows Defender AV will check for an update 15 minutes before the time of any scheduled scans. You can [Manage the schedule for when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) to override this default. 
 
 
-RANDOMIZE
+In addition to always-on real-time protection and [on-demand](run-scan-windows-defender-antivirus.md) scans, you can set up regular, scheduled scans. 
+
+You can configure the type of scan, when the scan should occur, and if the scan should occur after a [protection update](manage-protection-updates-windows-defender-antivirus.md) or if the endpoint is being used. You can also specify when special scans to complete remediation should occur.
+
+This topic describes how to configure scheduled scans with Group Policy, PowerShell cmdlets, and WMI. You can also configure schedules scans with [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) or [Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intunespecify-scan-schedule-settings).
+
+To configure the Group Policy settings described in this topic:
+
+1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3.  In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4.  Click **Policies** then **Administrative templates**.
+
+5.  Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below.
+
+6. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings.
+
+
+Also see the [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) and [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) topics.
+
+## Quick scan versus full scan
+
+When you set up scheduled scans, you can set up whether the scan should be a full or quick scan.
+
+Quick scans look at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders. 
+
+Combined with [always-on real-time protection capability](configure-real-time-protection-windows-defender-antivirus.md) - which reviews files when they are opened and closed, and whenever a user navigates to a folder - a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware.  
+
+In most instances, this means a quick scan is adequate to find malware that wasn't picked up by real-time protection.
+
+A full scan can be useful on endpoints that have encountered a malware threat to identify if there are any inactive components that require a more thorough clean-up. In this instance, you may want to use a full scan when running an [on-demand scan](run-scan-windows-defender-antivirus.md).
+
+## Set up scheduled scans
+
+Scheduled scans will run at the day and time you specify. You can use Group Policy, PowerShell, and WMI to configure scheduled scans.
+
+
+**Use Group Policy to schedule scans:**
+
+Location | Setting | Description | Default setting (if not configured)
+---|---|---|---
+Scan | Specify the scan type to use for a scheduled scan | Quick scan
+Scan | Specify the day of the week to run a scheduled scan | Specify the day (or never) to run a scan. | Never
+Scan | Specify the time of day to run a scheduled scan | Specify the number of minutes after midnight (for example, enter **60** for 1 am) | 2 am
+Root | Randomize scheduled task times | Randomize the start time of the scan to any interval plus or minus 30 minutes. This can be useful in VM or VDI deployments | Enabled
+
+**Use PowerShell cmdlets to schedule scans:**
+
+Use the following cmdlets:
+
+```PowerShell
+Set-MpPreference -ScanParameters
+Set-MpPreference -ScanScheduleDay
+Set-MpPreference -ScanScheduleTime
+Set-MpPreference -RandomizeScheduleTaskTimes
+
+```
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+**Use Windows Management Instruction (WMI) to schedule scans:**
+
+Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties:
+
+```WMI
+SignatureFallbackOrder
+SignatureDefinitionUpdateFileSharesSouce
+```
+
+See the following for more information and allowed parameters:
+- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
+
+
+
+
+## Start scheduled scans only when the endpoint is not in use
+
+You can set the scheduled scan to only occur when the endpoint is turned on but not in use with Group Policy, PowerShell, or WMI.
+
+**Use Group Policy to schedule scans**
+
+Location | Setting | Description | Default setting (if not configured)
+---|---|---|---
+Scan | Start the scheduled scan only when computer is on but not in use | Scheduled scans will not run, unless the computer is on but not in use | Enabled
+
+**Use PowerShell cmdlets:**
+
+Use the following cmdlets:
+
+```PowerShell
+Set-MpPreference -ScanOnlyIfIdleEnabled
+```
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+**Use Windows Management Instruction (WMI):**
+
+Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties:
+
+```WMI
+SignatureFallbackOrder
+SignatureDefinitionUpdateFileSharesSouce
+```
+
+See the following for more information and allowed parameters:
+- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
+
+<a id="remed"></a>
+## Configure when full scans should be run to complete remediation
+
+Some threats may require a full scan to complete their removal and remediation. You can schedule when these scans should occur with Group Policy, PowerShell, or WMI.
+
+
+**Use Group Policy to schedule remediation-required scans**
+
+Location | Setting | Description | Default setting (if not configured)
+---|---|---|---
+Remediation | Specify the day of the week to run a scheduled full scan to complete remediation | Specify the day (or never) to run a scan. | Never
+Remediation | Specify the time of day to run a scheduled full scan to complete remediation | Specify the number of minutes after midnight (for example, enter **60** for 1 am) | 2 am
+
+**Use PowerShell cmdlets:**
+
+Use the following cmdlets:
+
+```PowerShell
+Set-MpPreference -RemediationScheduleDay
+Set-MpPreference -RemediationScheduleTime
+```
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+**Use Windows Management Instruction (WMI):**
+
+Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties:
+
+```WMI
+SignatureFallbackOrder
+SignatureDefinitionUpdateFileSharesSouce
+```
+
+See the following for more information and allowed parameters:
+- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
+
+
+
+
+## Set up daily quick scans
+
+You can enable a daily quick scan that can be run in addition to your other scheduled scans with Group Policy, PowerShell, or WMI.
+
+
+**Use Group Policy to schedule daily scans:**
+
+Location | Setting | Description | Default setting (if not configured)
+---|---|---|---
+Scan | Specify the interval to run quick scans per day | Specify how many hours should elapse before the next quick scan. For example, to run every two hours, enter **2**, for once a day, enter **24**. Enter **0** to never run a daily quick scan. | Never
+Scan | Specify the time for a daily quick scan | Specify the number of minutes after midnight (for example, enter **60** for 1 am) | 2 am
+
+**Use PowerShell cmdlets to schedule daily scans:**
+
+Use the following cmdlets:
+
+```PowerShell
+Set-MpPreference Set-MpPreference -ScanScheduleQuickTime
+```
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+**Use Windows Management Instruction (WMI) to schedule daily scans:**
+
+Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties:
+
+```WMI
+SignatureFallbackOrder
+SignatureDefinitionUpdateFileSharesSouce
+```
+
+See the following for more information and allowed parameters:
+- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
+
+
+## Enable scans after protection updates
+
+You can force a scan to occur after every [protection update](manage-protection-updates-windows-defender-antivirus.md) with Group Policy.
+
+**Use Group Policy to schedule scans after protection updates**
+
+Location | Setting | Description | Default setting (if not configured)
+---|---|---|---
+Signature updates | Turn on scan after signature update | A scan will occur immediately after a new protection update is downloaded | Enabled
 
 
 
@@ -45,6 +235,10 @@ RANDOMIZE
 
 ## Related topics
 
+
+- [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
+- [Configure and run on-demand Windows Defender AV scans](run-scan-windows-defender-antivirus.md)
+- [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
 - [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
-- [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)
-- [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)
+- [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) 
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
diff --git a/windows/keep-secure/specify-cloud-protection-level-windows-defender-antivirus.md b/windows/keep-secure/specify-cloud-protection-level-windows-defender-antivirus.md
index 923b49d30a..321924a398 100644
--- a/windows/keep-secure/specify-cloud-protection-level-windows-defender-antivirus.md
+++ b/windows/keep-secure/specify-cloud-protection-level-windows-defender-antivirus.md
@@ -40,7 +40,7 @@ You can specify the level of cloud-protection offered by Windows Defender Antivi
 
 1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
 
-3.  In the **Group Policy Management Editor** go to **Computer configuration**.  
+3.  In the **Group Policy Management Editor** go to **Computer configuration**. 
 
 4.  Click **Policies** then **Administrative templates**.
 
@@ -48,7 +48,7 @@ You can specify the level of cloud-protection offered by Windows Defender Antivi
 
 1.  Double-click the **Select cloud protection level** setting and set it to **Enabled**. Select the level of protection:  
     1.  Setting to **Default Windows Defender Antivirus blocking level** will provide strong detection without increasing the risk of detecting legitimate files.  
-    2.  Setting to **High blocking level** will apply a strong level of detection. While unlikely, some legitimate files may be detected (although you will have the option to unblock or dispute that detection).  
+    2.  Setting to **High blocking level** will apply a strong level of detection. While unlikely, some legitimate files may be detected (although you will have the option to unblock or dispute that detection). 
  
 1. Click **OK**.
 
@@ -62,7 +62,7 @@ You can specify the level of cloud-protection offered by Windows Defender Antivi
 
 ## Related topics
 
-- [Windows Defender Antivirus in Windows 10](windows-defender-in-windows-10.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
 - [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
 - [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service)
 
diff --git a/windows/keep-secure/threat-indicator-concepts-windows-defender-advanced-threat-protection.md b/windows/keep-secure/threat-indicator-concepts-windows-defender-advanced-threat-protection.md
index 96e53b49bd..d1968d5761 100644
--- a/windows/keep-secure/threat-indicator-concepts-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/threat-indicator-concepts-windows-defender-advanced-threat-protection.md
@@ -46,8 +46,9 @@ Here is an example of an IOC:
 IOCs have a many-to-one relationship with alert definitions such that an alert definition can have many IOCs that correspond to it.
 
 ## Related topics
-- [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md)
-- [Create custom threat intelligence alerts](custom-ti-api-windows-defender-advanced-threat-protection.md)
-- [PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md)
-- [Python code examples](python-example-code-windows-defender-advanced-threat-protection.md)
+- [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md)
+- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
+- [PowerShell code examples for the custom threat intelligence API](powershell-example-code-windows-defender-advanced-threat-protection.md)
+- [Python code examples for the custom threat intelligence API](python-example-code-windows-defender-advanced-threat-protection.md)
+- [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md)
 - [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md
index d1a50e1df1..40fc971abf 100644
--- a/windows/keep-secure/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md
@@ -46,8 +46,9 @@ If your client secret expires or if you've misplaced the copy provided when you
 
 
 ## Related topics
-- [Understand threat intelligence](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
-- [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md)
-- [Create custom threat intelligence](custom-ti-api-windows-defender-advanced-threat-protection.md)
-- [PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md)
-- [Python code examples](python-example-code-windows-defender-advanced-threat-protection.md)
+- [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
+- [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md)
+- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
+- [PowerShell code examples for the custom threat intelligence API](powershell-example-code-windows-defender-advanced-threat-protection.md)
+- [Python code examples for the custom threat intelligence API](python-example-code-windows-defender-advanced-threat-protection.md)
+- [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
index 3a2b9f8868..f05e878db5 100644
--- a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
@@ -229,22 +229,21 @@ If the verification fails and your environment is using a proxy to connect to th
 
 **Solution**: If your endpoints are running a third-party antimalware client, the Windows Defender ATP agent needs the Windows Defender Early Launch Antimalware (ELAM) driver to be enabled. You must ensure that it's not disabled in system policy.
 
-- Depending on the tool that you use to implement policies, you'll need to verify that the following Windows Defender policies are set to ```0``` or that the settings are cleared:
+- Depending on the tool that you use to implement policies, you'll need to verify that the following Windows Defender policies are cleared:
 
-  - ```DisableAntiSpyware```
-  - ```DisableAntiVirus```
+  - DisableAntiSpyware
+  - DisableAntiVirus
 
-  For example, in Group Policy:
+  For example, in Group Policy there should be no entries such as the following values:
 
-  ```<Key Path="SOFTWARE\Policies\Microsoft\Windows Defender"><KeyValue Value="0" ValueKind="DWord" Name="DisableAntiSpyware"/></Key>
-  ```
+  - ```<Key Path="SOFTWARE\Policies\Microsoft\Windows Defender"><KeyValue Value="0" ValueKind="DWord" Name="DisableAntiSpyware"/></Key>```
+  - ```<Key Path="SOFTWARE\Policies\Microsoft\Windows Defender"><KeyValue Value="0" ValueKind="DWord" Name="DisableAntiSpyware"/></Key>```
 -  After clearing the policy, run the onboarding steps again on the endpoint.
 
 - You can also check the following registry key values to verify that the policy is disabled:
 
-  1. Open the registry ```key HKEY_LOCAL_MACHINE\ SOFTWARE\Policies\Microsoft\Windows Defender```.
-  2. Find the value ```DisableAntiSpyware```.
-  3. Ensure that the value is set to 0.
+  1. Open the registry ```key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender```.
+  2. Ensure that the value ```DisableAntiSpyware``` is not present.
 
     ![Image of registry key for Windows Defender](images/atp-disableantispyware-regkey.png)
 
diff --git a/windows/keep-secure/troubleshoot-windows-defender-antivirus.md b/windows/keep-secure/troubleshoot-windows-defender-antivirus.md
index 0006cde7b3..ebca8b01c8 100644
--- a/windows/keep-secure/troubleshoot-windows-defender-antivirus.md
+++ b/windows/keep-secure/troubleshoot-windows-defender-antivirus.md
@@ -2,7 +2,8 @@
 title: Windows Defender AV event IDs and error codes
 description: Look up the causes and solutions for Windows Defender Antivirus event IDs and errors
 keywords: event, error code, siem, logging, troubleshooting, wef, windows event forwarding
-ms.assetid: EE488CC1-E340-4D47-B50B-35BD23CB4D70
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
@@ -2283,9 +2284,9 @@ Description of the error. </dt>
 <p>User action:</p>
 </td>
 <td colspan="2">
-<p>You should restart the system then run a full scan because it’s possible the system was not protected for some time.
+<p>You should restart the system then run a full scan because it's possible the system was not protected for some time.
 </p>
-<p>The Windows Defender client’s real-time protection feature encountered an error because one of the services failed to start. 
+<p>The Windows Defender client's real-time protection feature encountered an error because one of the services failed to start. 
 </p>
 <p>If it is followed by a 3007 event ID, the failure was temporary and the antimalware client recovered from the failure. 
 </p>
diff --git a/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md b/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md
deleted file mode 100644
index 2c5e7c8ce8..0000000000
--- a/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md
+++ /dev/null
@@ -1,16 +0,0 @@
----
-title: Troubleshoot Windows Defender in Windows 10 (Windows 10)
-description: IT professionals can review information about event IDs in Windows Defender for Windows 10 and see any relevant action they can take.
-ms.assetid: EE488CC1-E340-4D47-B50B-35BD23CB4D70
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-localizationpriority: medium
-author: jasesso
-redirect_url: /troubleshoot-windows-defender-antivirus/
----
-
-# Troubleshoot Windows Defender in Windows 10
-
-This page has been redirected to *Troubleshoot Windows Defender Antivirus*. 
\ No newline at end of file
diff --git a/windows/keep-secure/use-custom-ti-windows-defender-advanced-threat-protection.md b/windows/keep-secure/use-custom-ti-windows-defender-advanced-threat-protection.md
index c155873b90..ba2be9225a 100644
--- a/windows/keep-secure/use-custom-ti-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/use-custom-ti-windows-defender-advanced-threat-protection.md
@@ -1,5 +1,5 @@
 ---
-title: Use the custom threat intelligence API to create custom alerts for your organization
+title: Use the custom threat intelligence API to create custom alerts
 description: Use the threat intelligence API in Windows Defender Advanced Threat Protection to create custom alerts
 keywords: threat intelligence, alert definitions, indicators of compromise
 search.product: eADQiWindows 10XVcnh
diff --git a/windows/keep-secure/use-group-policy-windows-defender-antivirus.md b/windows/keep-secure/use-group-policy-windows-defender-antivirus.md
index 07133adfb1..b9a28ec92a 100644
--- a/windows/keep-secure/use-group-policy-windows-defender-antivirus.md
+++ b/windows/keep-secure/use-group-policy-windows-defender-antivirus.md
@@ -12,4 +12,139 @@ localizationpriority: medium
 author: iaanw
 ---
 
-# Use Group Policy settings to configure and manage Windows Defender AV
\ No newline at end of file
+# Use Group Policy settings to configure and manage Windows Defender AV
+
+**Applies to:**
+
+- Windows 10, version 1703
+
+You can use [Group Policy](https://msdn.microsoft.com/en-us/library/ee663280(v=vs.85).aspx) to configure and manage Windows Defender Antivirus on your endpoints.
+
+In general, you can use the following procedure to configure or change Windows Defender AV group policy settings:
+
+1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
+
+3.  In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4.  Click **Policies** then **Administrative templates**.
+
+5.  Expand the tree to **Windows components > Windows Defender Antivirus**.
+
+6. Expand the section (referred to as **Location** in the table in this topic) that contains the setting you want to configure, double-click the setting to open it, and make configuration changes.
+
+7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/en-us/library/ee663280(v=vs.85).aspx). 
+
+The following table in this topic lists the Group Policy settings available in Windows 10, version 1703, and provides links to the appropriate topic in this documentation library (where applicable).
+
+
+Location | Setting | Documented in topic
+---|---|---
+Client interface | Enable headless UI mode | [Prevent users from seeing or interacting with the Windows Defender AV user interface](prevent-end-user-interaction-windows-defender-antivirus.md)
+Client interface | Display additional text to clients when they need to perform an action | [Configure�the�notifications�that�appear�on�endpoints](configure-notifications-windows-defender-antivirus.md)
+Client interface | Suppress all notifications | [Configure�the�notifications�that�appear�on�endpoints](configure-notifications-windows-defender-antivirus.md)
+Client interface | Suppresses reboot notifications | [Configure�the�notifications�that�appear�on�endpoints](configure-notifications-windows-defender-antivirus.md)
+Exclusions | Extension Exclusions | [Configure�and�validate�exclusions�in�Windows�Defender�AV�scans](configure-exclusions-windows-defender-antivirus.md)
+Exclusions | Path Exclusions | [Configure�and�validate�exclusions�in�Windows�Defender�AV�scans](configure-exclusions-windows-defender-antivirus.md)
+Exclusions | Process Exclusions | [Configure�and�validate�exclusions�in�Windows�Defender�AV�scans](configure-exclusions-windows-defender-antivirus.md)
+Exclusions | Turn off Auto Exclusions | [Configure�and�validate�exclusions�in�Windows�Defender�AV�scans](configure-exclusions-windows-defender-antivirus.md)
+MAPS | Configure the 'Block at First Sight' feature | [Enable the Block at First Sight feature](configure-block-at-first-sight-windows-defender-antivirus.md)
+MAPS | Join Microsoft MAPS | [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
+MAPS | Send file samples when further analysis is required | [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
+MAPS | Configure local setting override for reporting to Microsoft MAPS | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
+MpEngine | Configure extended cloud check | [Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md)
+MpEngine | Select cloud protection level | [Specify the cloud-delivered protection level](specify-cloud-protection-level-windows-defender-antivirus.md)
+Network inspection system | Specify additional definition sets for network traffic inspection | Not used
+Network inspection system | Turn on definition retirement | Not used
+Network inspection system | Turn on protocol recognition | Not used
+Quarantine | Configure local setting override for the removal of items from Quarantine folder | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
+Quarantine | Configure removal of items from Quarantine folder | [Configure remediation for Windows Defender AV scans](configure-remediation-windows-defender-antivirus.md)
+Real-time protection | Configure local setting override for monitoring file and program activity on your computer | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
+Real-time protection | Configure local setting override for monitoring for incoming and outgoing file activity | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
+Real-time protection | Configure local setting override for scanning all downloaded files and attachments | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
+Real-time protection | Configure local setting override for turn on behavior monitoring | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
+Real-time protection | Configure local setting override to turn on real-time protection | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
+Real-time protection | Define the maximum size of downloaded files and attachments to be scanned | [Enable�and�configure�Windows�Defender�AV�always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Real-time protection | Monitor file and program activity on your computer | [Enable�and�configure�Windows�Defender�AV�always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Real-time protection | Scan all downloaded files and attachments | [Enable�and�configure�Windows�Defender�AV�always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Real-time protection | Turn off real-time protection | [Enable�and�configure�Windows�Defender�AV�always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Real-time protection | Turn on behavior monitoring | [Enable�and�configure�Windows�Defender�AV�always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Real-time protection | Turn on process scanning whenever real-time protection is enabled | [Enable�and�configure�Windows�Defender�AV�always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Real-time protection | Turn on raw volume write notifications | [Enable�and�configure�Windows�Defender�AV�always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Real-time protection | Configure monitoring for incoming and outgoing file and program activity | [Enable�and�configure�Windows�Defender�AV�always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Remediation | Configure local setting override for the time of day to run a scheduled full scan to complete remediation | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
+Remediation | Specify the day of the week to run a scheduled full scan to complete remediation | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
+Remediation | Specify the time of day to run a scheduled full scan to complete remediation | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
+Reporting | Configure Watson events | Not used
+Reporting | Configure Windows software trace preprocessor components | Not used
+Reporting | Configure WPP tracing level | Not used
+Reporting | Configure time out for detections in critically failed state | Not used
+Reporting | Configure time out for detections in non-critical failed state | Not used
+Reporting | Configure time out for detections in recently remediated state | Not used
+Reporting | Configure time out for detections requiring additional action | Not used
+Reporting | Turn off enhanced notifications | [Configure�the�notifications�that�appear�on�endpoints](configure-notifications-windows-defender-antivirus.md)
+Root | Turn off Windows Defender Antivirus | Not used
+Root | Define addresses to bypass proxy server | Not used
+Root | Define proxy auto-config (.pac) for connecting to the network | Not used
+Root | Define proxy server for connecting to the network | Not used
+Root | Configure local administrator merge behavior for lists | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
+Root | Allow antimalware service to startup with normal priority | [Configure remediation for Windows Defender AV scans](configure-remediation-windows-defender-antivirus.md)
+Root | Allow antimalware service to remain running always | [Configure remediation for Windows Defender AV scans](configure-remediation-windows-defender-antivirus.md)
+Root | Turn off routine remediation | [Configure remediation for Windows Defender AV scans](configure-remediation-windows-defender-antivirus.md)
+Root | Randomize scheduled task times | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
+Scan | Allow users to pause scan | [Prevent users from seeing or interacting with the Windows Defender AV user interface](prevent-end-user-interaction-windows-defender-antivirus.md)
+Scan | Check for the latest virus and spyware definitions before running a scheduled scan | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
+Scan | Define the number of days after which a catch-up scan is forced | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
+Scan | Turn on catch up full scan | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
+Scan | Turn on catch up quick scan | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
+Scan | Configure local setting override for maximum percentage of CPU utilization | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
+Scan | Configure local setting override for schedule scan day | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
+Scan | Configure local setting override for scheduled quick scan time | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
+Scan | Configure local setting override for scheduled scan time | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
+Scan | Configure local setting override for the scan type to use for a scheduled scan | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
+Scan | Create a system restore point | [Configure remediation for Windows Defender AV scans](configure-remediation-windows-defender-antivirus.md)
+Scan | Turn on removal of items from scan history folder | [Configure remediation for Windows Defender AV scans](configure-remediation-windows-defender-antivirus.md)
+Scan | Turn on heuristics | [Enable�and�configure�Windows�Defender�AV�always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Scan | Turn on e-mail scanning | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
+Scan | Turn on reparse point scanning | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
+Scan | Run full scan on mapped network drives | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
+Scan | Scan archive files | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
+Scan | Scan network files | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
+Scan | Scan packed executables | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
+Scan | Scan removable drives | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
+Scan | Specify the maximum depth to scan archive files | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
+Scan | Specify the maximum percentage of CPU utilization during a scan | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
+Scan | Specify the maximum size of archive files to be scanned | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
+Scan | Specify the day of the week to run a scheduled scan | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
+Scan | Specify the interval to run quick scans per day | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
+Scan | Specify the scan type to use for a scheduled scan | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
+Scan | Specify the time for a daily quick scan | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
+Scan | Specify the time of day to run a scheduled scan | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
+Scan | Start the scheduled scan only when computer is on but not in use | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
+Signature updates | Allow definition updates from Microsoft Update | [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
+Signature updates | Allow definition updates when running on battery power | [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
+Signature updates | Allow notifications to disable definitions based repots to Microsoft MAPS | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
+Signature updates | Allow real-time definition updates based on reports to Microsoft MAPS | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
+Signature updates | Check for the latest virus and spyware definitions on startup | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
+Signature updates | Define file shares for downloading definition updates | [Manage Windows Defender Antivirus protection and definition updates](manage-protection-updates-windows-defender-antivirus.md)
+Signature updates | Define the number of days after which a catch up definition update is required | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
+Signature updates | Define the number of days before spyware definitions are considered out of date | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
+Signature updates | Define the number of days before virus definitions are considered out of date | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
+Signature updates | Define the order of sources for downloading definition updates | [Manage Windows Defender Antivirus protection and definition updates](manage-protection-updates-windows-defender-antivirus.md)
+Signature updates | Initiate definition update on startup | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
+Signature updates | Specify the day of the week to check for definition updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
+Signature updates | Specify the interval to check for definition updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
+Signature updates | Specify the time to check for definition updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
+Signature updates | Turn on scan after signature update | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
+Threats | Specify threat alert levels at which default action should not be taken when detected | [Configure remediation for Windows Defender AV scans](configure-remediation-windows-defender-antivirus.md)
+Threats | Specify threats upon which default action should not be taken when detected | [Configure remediation for Windows Defender AV scans](configure-remediation-windows-defender-antivirus.md)
+
+
+
+
+
+
+
+## Related topics
+
+- [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
\ No newline at end of file
diff --git a/windows/keep-secure/use-intune-config-manager-windows-defender-antivirus.md b/windows/keep-secure/use-intune-config-manager-windows-defender-antivirus.md
index 9f6c3a09b5..2cf071feeb 100644
--- a/windows/keep-secure/use-intune-config-manager-windows-defender-antivirus.md
+++ b/windows/keep-secure/use-intune-config-manager-windows-defender-antivirus.md
@@ -12,4 +12,18 @@ localizationpriority: medium
 author: iaanw
 ---
 
-# Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV
\ No newline at end of file
+# Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV
+
+If you are using System Center Configuration Manager or Microsoft Intune to manage the endpoints on your network, you can also use them to manage Windows Defender AV.
+
+In both cases, the protection will be labelled as Endpoint Protection, although the engine is the same as that used by Windows Defender AV.
+
+See the [Endpoint Protection](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-protection) library on docs.microsoft.com for information on using Configuration Manager.
+
+For Microsoft Intune, consult the [Help secure Windows PCs with Endpoint Protection for Microsoft Intune library](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune).
+
+
+## Related topics
+
+- [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
\ No newline at end of file
diff --git a/windows/keep-secure/use-powershell-cmdlets-windows-defender-antivirus.md b/windows/keep-secure/use-powershell-cmdlets-windows-defender-antivirus.md
index 7d975adcd1..d3d65aa3ad 100644
--- a/windows/keep-secure/use-powershell-cmdlets-windows-defender-antivirus.md
+++ b/windows/keep-secure/use-powershell-cmdlets-windows-defender-antivirus.md
@@ -27,10 +27,14 @@ PowerShell cmdlets are most useful in Windows Server environments that don't rel
 > [!NOTE]
 > PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [System Center Configuration Manager](https://technet.microsoft.com/en-us/library/gg682129.aspx), [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx), or [Windows Defender Group Policy ADMX templates](https://support.microsoft.com/en-us/kb/927367).
 
+Changes made with PowerShell will affect local settings on the endpoint where the changes are deployed or made. This means that dployments of policy with Group Policy, System Center Configuration Manager, or Microsoft Intune can overwrite changes made with PowerShell. 
+
+You can [configure which settings can be overriden locally  with local policy overrides](configure-local-policy-overrides-windows-defender-antivirus.md).
+
 PowerShell is typically installed under the folder _%SystemRoot%\system32\WindowsPowerShell_.
 
 
-**Use Windows Defender PowerShell cmdlets**
+**Use Windows Defender AV PowerShell cmdlets:**
 
 1. Click **Start**, type **powershell**, and press **Enter**.
 2. Click **Windows PowerShell** to open the interface. 
diff --git a/windows/keep-secure/use-powershell-cmdlets-windows-defender-for-windows-10.md b/windows/keep-secure/use-powershell-cmdlets-windows-defender-for-windows-10.md
deleted file mode 100644
index dec540347e..0000000000
--- a/windows/keep-secure/use-powershell-cmdlets-windows-defender-for-windows-10.md
+++ /dev/null
@@ -1,18 +0,0 @@
----
-title: Use PowerShell cmdlets to configure and run Windows Defender in Windows 10
-description: In Windows 10, you can use PowerShell cmdlets to run scans, update definitions, and change settings in Windows Defender.
-keywords: scan, command line, mpcmdrun, defender
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-localizationpriority: medium
-author: iaanw
-redirect_url: /use-powershell-cmdlets-windows-defender-antivirus/
----
-
-# Use PowerShell cmdlets to configure and run Windows Defender
-
-This page has been redirected to *Use PowerShell cmdlets to configure and run Windows Defender Antivirus*.
\ No newline at end of file
diff --git a/windows/keep-secure/use-wmi-windows-defender-antivirus.md b/windows/keep-secure/use-wmi-windows-defender-antivirus.md
index e369e90bd8..cc74e07307 100644
--- a/windows/keep-secure/use-wmi-windows-defender-antivirus.md
+++ b/windows/keep-secure/use-wmi-windows-defender-antivirus.md
@@ -1,6 +1,6 @@
 ---
 title: Configure Windows Defender AV with WMI
-description: Use WMI scripts to configure Windows Defender AV
+description: Use WMI scripts to configure Windows Defender AV.
 keywords: wmi, scripts, windows management instrumentation, configuration
 search.product: eADQiWindows 10XVcnh
 ms.pagetype: security
@@ -12,4 +12,25 @@ localizationpriority: medium
 author: iaanw
 ---
 
-# Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV
\ No newline at end of file
+# Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV
+
+**Applies to:**
+
+- Windows 10
+
+Windows Management Instrumentation (WMI) is a scripting interface that allows you to retrieve, modify, and update settings.
+
+Read more about WMI at the [Microsoft Develop Network System Administration library](https://msdn.microsoft.com/en-us/library/aa394582(v=vs.85).aspx).
+
+Windows Defender AV has a number of specific WMI classes that can be used to perform most of the same functions as Group Policy and other management tools. Many of the classes are analogous to [Defender PowerShell cmdlets](use-powershell-cmdlets-windows-defender-antivirus.md).
+
+The [MSDN Windows Defender WMIv2 Provider reference library](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) lists the available WMI classes for Windows Defender AV, and includes example scripts.
+
+Changes made with WMI will affect local settings on the endpoint where the changes are deployed or made. This means that dployments of policy with Group Policy, System Center Configuration Manager, or Microsoft Intune can overwrite changes made with WMI. 
+
+You can [configure which settings can be overriden locally  with local policy overrides](configure-local-policy-overrides-windows-defender-antivirus.md).
+
+## Related topics
+
+- [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
\ No newline at end of file
diff --git a/windows/keep-secure/windows-defender-antivirus-compatibility.md b/windows/keep-secure/windows-defender-antivirus-compatibility.md
new file mode 100644
index 0000000000..23e1a82978
--- /dev/null
+++ b/windows/keep-secure/windows-defender-antivirus-compatibility.md
@@ -0,0 +1,43 @@
+---
+title: Windows Defender Antivirus and Windows Defender ATP
+description: Windows Defender AV and Windows Defender ATP work together to provide threat detection, remediation, and investigation.
+keywords: windows defender, atp, advanced threat protection, compatibility, passive mode
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+
+# Windows Defender Antivirus and Advanced Threat Protection: Better together
+
+
+**Applies to:**
+
+- Windows 10
+
+**Audience**
+
+- Enterprise security administrators
+
+
+
+Windows Defender Advanced Threat Protection (ATP) is an additional service beyond Windows Defender Antivirus that helps enterprises detect, investigate, and respond to advanced persistent threats on their network. 
+See the [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) topics for more information about the service.
+
+If you are enrolled in Windows Defender ATP, and you are not using Windows Defender AV as your real-time protection service on your endpoints, Windows Defender will automatically enter into a passive mode. On Windows Server 2016 SKUs, Windows Defender AV will not enter into the passive mode and will run alongisde your other antivirus product.
+
+In passive mode, Windows Defender will continue to run (using the *msmpeng.exe* process), and will continue to be updated, however there will be no Windows Defender user interface, scheduled scans won't run, and Windows Defender will not provide real-time protection from malware.
+
+You can still [manage updates for Windows Defender](manage-updates-baselines-windows-defender-antivirus.md), however you can't move Windows Defender into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
+
+If you uninstall the other product, and choose to use Windows Defender to provide protection to your endpoints, Windows Defender will automatically return to its normal active mode.
+
+
+## Related topics
+
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
\ No newline at end of file
diff --git a/windows/keep-secure/windows-defender-antivirus-in-windows-10.md b/windows/keep-secure/windows-defender-antivirus-in-windows-10.md
index 350b93809e..a9cdcf6735 100644
--- a/windows/keep-secure/windows-defender-antivirus-in-windows-10.md
+++ b/windows/keep-secure/windows-defender-antivirus-in-windows-10.md
@@ -2,7 +2,8 @@
 title: Windows Defender Antivirus
 description: Learn how to manage, configure, and use Windows Defender AV, the built-in antimalware and antivirus product available in Windows 10.
 keywords: windows defender antivirus, windows defender, antimalware, scep, system center endpoint protection, system center configuration manager, virus, malware, threat, detection, protection, security
-ms.assetid: 6A9EB85E-1F3A-40AC-9A47-F44C4A2B55E2
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
@@ -22,6 +23,22 @@ This library of documentation is aimed for enterprise security administrators wh
 
 For more important information about running Windows Defender on a server platform, see [Windows Defender Overview for Windows Server](https://technet.microsoft.com/library/dn765478.aspx).
 
+Windows Defender AV can be managed with:
+- System Center Configuration Manager (as System Center Endpoint Protection, or SCEP) 
+- Microsoft Intune
+
+It can be configured with:
+- System Center Configuration Manager (as System Center Endpoint Protection, or SCEP) 
+- Microsoft Intune
+- PowerShell
+- Windows Management Instrumentation (WMI)
+- Group Policy
+
+Some of the highlights of Windows Defender AV include:
+- [Cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for near-instant detection and blocking of new and emerging threats
+- [Always-on scanning](configure-real-time-protection-windows-defender-antivirus.md), using advanced file and process behavior monitoring and other heuristics (also known as "real-time protection")
+- [Dedicated protection updates](manage-updates-baselines-windows-defender-antivirus.md) based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research
+
 ## What's new in Windows 10, version 1703
 
 New features for Windows Defender AV in Windows 10, version 1703 include:
@@ -36,6 +53,8 @@ We've expanded this documentation library to cover end-to-end deployment, manage
 See the [In this library](#in-this-library) list at the end of this topic for links to each of the updated sections in this library.
 
 
+
+<a id="sysreq"></a>
 ## Minimum system requirements
 
 Windows Defender has the same hardware requirements as Windows 10. For more information, see:
@@ -45,19 +64,9 @@ Windows Defender has the same hardware requirements as Windows 10. For more info
 
 Some features require a certain version of Windows 10 - the minimum version required is specified at the top of each topic.
 
-## Compatibility with Windows Defender Advanced Threat Protection
+Functionality, configuration, and management is largely the same when using Windows Defender Antivirus on Windows Server 2016, however [there are some differences](windows-defender-antivirus-on-windows-server-2016.md).
 
-Windows Defender Advanced Threat Protection (ATP) is an additional service that helps enterprises to detect, investigate, and respond to advanced persistent threats on their network. 
-
-See the [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) topics for more information about the service.
-
-If you are enrolled in Windows Defender ATP, and you are not using Windows Defender as your real-time protection service on your endpoints, Windows Defender will automatically enter into a passive mode. 
-
-In passive mode, Windows Defender will continue to run (using the *msmpeng.exe* process), and will continue to be updated, however there will be no Windows Defender user interface, scheduled scans won’t run, and Windows Defender will not provide real-time protection from malware.
-
-You can still [manage updates for Windows Defender](manage-updates-baselines-windows-defender-antivirus.md), however you can't move Windows Defender into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
-
-If you uninstall the other product, and choose to use Windows Defender to provide protection to your endpoints, Windows Defender will automatically return to its normal active mode.
+#
 
 
  
@@ -65,10 +74,10 @@ If you uninstall the other product, and choose to use Windows Defender to provid
 
 Topic | Description
 :---|:---
-[Evaluate Windows Defender Antivirus protection](evaluate-windows-defender-antivirus.md) | Evaluate the protection capabilities of Windows Defender Antivirus with a specialized evaluation guide and powershell script.
-[Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) | While traditional client deployment is not required for Windows Defender AV, you will need to enable the service. You can also manage how protection and product updates are applies, and receive reports from Configuration Manager, Intune, and with some security information and event monitoring (SIEM) tools.
-[Configure Windows Defender features](configure-windows-defender-antivirus-features.md) | Windows Defender AV has a large set of configurable features and options. You can use a number of management tools, including Group Policy, System Center Configuration Manager, Microsoft Intune, PowerShell cmdlets, and Windows Management Instrumentation (WMI). You can configure options such as cloud-delivered protection, always-on monitoring and scanning, and how end-users can interact or override global policy settings.
-[Customize, initiate, and review the results of scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) | You can set up scheduled scans, run on-demand scans, and configure how remediation works when threats are detected.
-[Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-antivirus.md)|Review event IDs in Windows Defender Antivirus and take the appropriate actions.
-[Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)|The management and configuration tools that you can use with Windows Defender AV are listed and described here.
+[Evaluate Windows Defender Antivirus protection](evaluate-windows-defender-antivirus.md) | Evaluate the protection capabilities of Windows Defender Antivirus with a specialized evaluation guide and powershell script
+[Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) | While traditional client deployment is not required for Windows Defender AV, you will need to enable the service. You can also manage how protection and product updates are applies, and receive reports from Configuration Manager, Intune, and with some security information and event monitoring (SIEM) tools
+[Configure Windows Defender features](configure-windows-defender-antivirus-features.md) | Windows Defender AV has a large set of configurable features and options. You can configure options such as cloud-delivered protection, always-on monitoring and scanning, and how end-users can interact or override global policy settings
+[Customize, initiate, and review the results of scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) | You can set up scheduled scans, run on-demand scans, and configure how remediation works when threats are detected
+[Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-antivirus.md)|Review event IDs and error codes in Windows Defender Antivirus to determine causes of problems and troubleshoot issues
+[Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)|The management and configuration tools that you can use with Windows Defender AV are listed and described here
 
diff --git a/windows/keep-secure/windows-defender-antivirus-on-windows-server-2016.md b/windows/keep-secure/windows-defender-antivirus-on-windows-server-2016.md
new file mode 100644
index 0000000000..3510bcb390
--- /dev/null
+++ b/windows/keep-secure/windows-defender-antivirus-on-windows-server-2016.md
@@ -0,0 +1,50 @@
+---
+title: Windows Defender Antivirus on Windows Server 2016
+description: Compare the differences when Windows Defender AV is on a Windows Server SKU versus a Windows 10 endpoint
+keywords: windows defender, server, scep, system center endpoint protection, server 2016, current branch, server 2012
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+
+# Windows Defender Antivirus on Windows Server
+
+
+**Applies to:**
+
+- Windows Server 2016
+
+**Audience**
+
+- Enterprise security administrators
+- Network administrators
+
+
+**Manageability available with**
+
+- Group Policy
+- System Center Configuration Manager 
+- PowerShell
+- Windows Management Instrumentation (WMI)
+
+
+Windows Defender Antivirus is available on Windows Server 2016. In some instances it is referred to as Endpoint Protection - however, the protection engine is the same.
+
+See [Windows Defender Overview for Windows Server](https://technet.microsoft.com/windows-server-docs/security/windows-defender/windows-defender-overview-windows-server) for more information on enabling the client interface and configuring roles and specific server features.
+
+While the functionality, configuration, and management is largely the same for Windows Defender AV either on Windows 10 or Windows Server 2016, there are a few key differences:
+
+- In Windows Server 2016, [automatic exclusions](configure-server-exclusions-windows-defender-antivirus.md) are applied based on your defined Server Role.
+- In Windows Server 2016, [Windows Defender AV will not disable itself if you are running another antivirus product](windows-defender-antivirus-on-windows-server-2016.md#sysreq).
+
+
+## Related topics
+
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+- [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
\ No newline at end of file
diff --git a/windows/keep-secure/windows-defender-block-at-first-sight.md b/windows/keep-secure/windows-defender-block-at-first-sight.md
deleted file mode 100644
index 4c9af5e903..0000000000
--- a/windows/keep-secure/windows-defender-block-at-first-sight.md
+++ /dev/null
@@ -1,19 +0,0 @@
----
-title: Enable the Block at First Sight feature to detect malware within seconds
-description: In Windows 10 the Block at First Sight feature determines and blocks new malware variants in seconds. You can enable the feature with Group Policy.
-keywords: scan, BAFS, malware, first seen, first sight, cloud, MAPS, defender
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-localizationpriority: medium
-author: iaanw
-redirect_url: /configure-block-at-first-sight-windows-defender-antivirus/
-
----
-
-# Block at First Sight
-
-This page has been redirected to *Configure the Block at First Sight feature*.
\ No newline at end of file
diff --git a/windows/keep-secure/windows-defender-enhanced-notifications.md b/windows/keep-secure/windows-defender-enhanced-notifications.md
deleted file mode 100644
index b63c67e65f..0000000000
--- a/windows/keep-secure/windows-defender-enhanced-notifications.md
+++ /dev/null
@@ -1,18 +0,0 @@
----
-title: Configure enhanced notifications for Windows Defender
-description: In Windows 10, you can enable advanced notifications for endpoints throughout your enterprise network.
-keywords: notifications, defender, endpoint, management, admin
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-localizationpriority: medium
-author: iaanw
-redirect_url: /configure-notifications-windows-defender-antivirus/
----
-
-# Configure enhanced notifications for Windows Defender in Windows 10
-
-This page has been redirected to *Configure notifications*.
\ No newline at end of file
diff --git a/windows/keep-secure/windows-defender-in-windows-10.md b/windows/keep-secure/windows-defender-in-windows-10.md
deleted file mode 100644
index 4eb81e6c4e..0000000000
--- a/windows/keep-secure/windows-defender-in-windows-10.md
+++ /dev/null
@@ -1,16 +0,0 @@
----
-title: Windows Defender in Windows 10 (Windows 10)
-description: This topic provides an overview of Windows Defender, including a list of system requirements and new features.
-ms.assetid: 6A9EB85E-1F3A-40AC-9A47-F44C4A2B55E2
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-localizationpriority: medium
-author: jasesso
-redirect_url: /windows-defender-antivirus-in-windows-10/
----
-
-# Windows Defender in Windows 10
-
-This page has been redirected to *Windows Defender Antivirus in Windows 10*.
\ No newline at end of file
diff --git a/windows/keep-secure/windows-defender-security-center-antivirus.md b/windows/keep-secure/windows-defender-security-center-antivirus.md
index 3eba103bd0..dec5bc9ff3 100644
--- a/windows/keep-secure/windows-defender-security-center-antivirus.md
+++ b/windows/keep-secure/windows-defender-security-center-antivirus.md
@@ -42,6 +42,9 @@ The app also includes the settings and status of:
 - Windows Defender SmartScreen Filter
 - Parental and Family Controls
 
+>[!NOTE]
+>The Windows Defender Security Center app is a client interface on Windows 10, version 1703. It is not the Windows Defender Advanced Security Center, which is the web portal used to review and manage [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md).
+
 **Review virus and threat protection settings in the Windows Defender Security Center app:**
 
 1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
@@ -52,7 +55,7 @@ The app also includes the settings and status of:
     
 ## Comparison of settings and functions of the old app and the new app
 
-All of the previous functions and settings from the Windows Defender app (in versions of Windows 10 before version 1703) are now found in the new Windows Defender Security app. Settings that were previously located in Windows Settings under **Update & security** > **Windows Defender** are also now in the new app. 
+All of the previous functions and settings from the Windows Defender app (in versions of Windows 10 before version 1703) are now found in the new Windows Defender Security Center app. Settings that were previously located in Windows Settings under **Update & security** > **Windows Defender** are also now in the new app. 
 
 The following diagrams compare the location of settings and functions between the old and new apps:
 
@@ -71,11 +74,12 @@ Item | Windows 10, before version 1703 | Windows 10, version 1703 | Description
 
 ## Common tasks
 
-This section describes how to perform some of the most common tasks when reviewing or interacting with the threat protection provided by Windows Defender Antivirus in the new Windows Defender Security app.
+This section describes how to perform some of the most common tasks when reviewing or interacting with the threat protection provided by Windows Defender Antivirus in the new Windows Defender Security Center app.
 
 > [!NOTE]
 > If these settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. The [Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-windows-defender-antivirus.md) topic describes how local policy override settings can be configured.
 
+<a id="scan"></a>
 **Run a scan with the Windows Defender Security Center app**
 1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
 
@@ -105,12 +109,11 @@ This section describes how to perform some of the most common tasks when reviewi
 
 3. Click **Virus & threat protection settings**.
 
-4. Toggle the switches to **On** for the following settings:
-    1.  **Real-time protection**
-    2.  **Cloud-based protection**
-    3.  **Automatic sample submission**
-
+4. Toggle the **Real-time protection** switch to **On**.
 
+>[!NOTE]
+>If you switch **Real-time protection** off, it will automatically turn back on after a short delay. This is to ensure you are protected from malware and threats.  
+>If you install another antivirus product, Windows Defender AV will automatically disable itself and will indicate this in the Windows Defender Security Center app. A setting will appear that will allow you to enable limited periodic scanning.
 
 
 <a id="exclusions"></a>
diff --git a/windows/keep-secure/wip-app-enterprise-context.md b/windows/keep-secure/wip-app-enterprise-context.md
index 98ee046b77..e8d03a3768 100644
--- a/windows/keep-secure/wip-app-enterprise-context.md
+++ b/windows/keep-secure/wip-app-enterprise-context.md
@@ -46,8 +46,7 @@ The **Enterprise Context** column shows you what each app can do with your enter
 
 - **Exempt.** Shows the text, *Exempt*. WIP policies don't apply to these apps (such as, system components).
 
-    >[!IMPORTANT]
-    >Enlightened apps can change between Work and Personal, depending on the data being touched. For example, Microsoft Word 2016 shows as **Personal** when an employee opens a personal letter, but changes to **Work** when that same employee opens the company financials.
+    >**Important**<br>Enlightened apps can change between Work and Personal, depending on the data being touched. For example, Microsoft Word 2016 shows as **Personal** when an employee opens a personal letter, but changes to **Work** when that same employee opens the company financials.
 
 
 
diff --git a/windows/manage/new-policies-for-windows-10.md b/windows/manage/new-policies-for-windows-10.md
index 873c393efd..311f3f125f 100644
--- a/windows/manage/new-policies-for-windows-10.md
+++ b/windows/manage/new-policies-for-windows-10.md
@@ -74,6 +74,8 @@ Mobile device management (MDM) for Windows 10 Pro, Windows 10 Enterprise, Wind
 
 -   Consumer experiences, such as suggested apps in Start and app tiles from Microsoft dynamically inserted in the default Start menu
 
+Windows 10, version 1703, adds a number of [ADMX-backed policies to MDM](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-admx-backed).
+
 If you use Microsoft Intune for MDM, you can [configure custom policies](https://go.microsoft.com/fwlink/p/?LinkId=616316) to deploy Open Mobile Alliance Uniform Resource Identifier (OMA-URI) settings that can be used to control features on Windows 10. For a list of OMA-URI settings, see [Custom URI settings for Windows 10 devices](https://go.microsoft.com/fwlink/p/?LinkId=616317).
 
 No new [Exchange ActiveSync policies](https://go.microsoft.com/fwlink/p/?LinkId=613264). For more information, see the [ActiveSync configuration service provider](https://go.microsoft.com/fwlink/p/?LinkId=618944) technical reference.
diff --git a/windows/manage/roles-and-permissions-windows-store-for-business.md b/windows/manage/roles-and-permissions-windows-store-for-business.md
index 9542529fbe..8985c21e1c 100644
--- a/windows/manage/roles-and-permissions-windows-store-for-business.md
+++ b/windows/manage/roles-and-permissions-windows-store-for-business.md
@@ -26,72 +26,15 @@ Store for Business has a set of roles that help admins and employees manage acce
 
 This table lists the global user accounts and the permissions they have in the Store for Business.
 
-<table>
-<colgroup>
-<col width="25%" />
-<col width="25%" />
-<col width="25%" />
-<col width="25%" />
-</colgroup>
-<thead>
-<tr class="header">
-<th align="left"></th>
-<th align="left">Global Administrator</th>
-<th align="left">User Administrator</th>
-<th align="left">Billing Administrator</th>
-</tr>
-</thead>
-<tbody>
-<tr class="odd">
-<td align="left"><p>Sign up for Store for Business</p></td>
-<td align="left"><p>X</p></td>
-<td align="left"></td>
-<td align="left"></td>
-</tr>
-<tr class="even">
-<td align="left"><p>Assign roles</p></td>
-<td align="left"><p>X</p></td>
-<td align="left"><p>X</p></td>
-<td align="left"></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>Modify company profile settings</p></td>
-<td align="left"><p>X</p></td>
-<td align="left"></td>
-<td align="left"></td>
-</tr>
-<tr class="even">
-<td align="left"><p>Manage Store for Business settings</p></td>
-<td align="left"><p>X</p></td>
-<td align="left"></td>
-<td align="left"></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>Acquire apps</p></td>
-<td align="left"><p>X</p></td>
-<td align="left"></td>
-<td align="left"><p>X</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>Distribute apps</p></td>
-<td align="left"><p>X</p></td>
-<td align="left"></td>
-<td align="left"><p>X</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>Sign policies and catalogs</p></td>
-<td align="left"><p>X</p></td>
-<td align="left"></td>
-<td align="left"></td>
-</tr>
-</tbody>
-</table>
-
+|                                |  Global Administrator | Billing Administrator |
+| ------------------------------ | --------------------- | --------------------- |
+| Sign up for Store for Business |  X                    |                       |
+| Modify company profile settings | X                    |                       |
+| Acquire apps                   |  X                    | X                     |
+| Distribute apps                |  X                    | X                     |
  
 
--   **Global Administrator** - IT Pros with this account have full access to Store for Business. They can do everything allowed in the Store for Business Admin role, plus they can sign up for the Store for Business, and assign Store for Business roles to other employees.
-
--   **User Administrator** - IT Pros with this account can assign Store for Business roles to other employees, as long as the User Administrator also has the Store for Business Admin role.
+-   **Global Administrator** - IT Pros with this account have full access to Store for Business. They can do everything allowed in the Store for Business Admin role, plus they can sign up for the Store for Business.
 
 -   **Billing Administrator** - IT Pros with this account have the same permissions as the Store for Business Purchaser role.
 
@@ -101,74 +44,15 @@ Store for Business has a set of roles that help IT admins and employees manage a
 
 This table lists the roles and their permissions.
 
-<table>
-<colgroup>
-<col width="25%" />
-<col width="25%" />
-<col width="25%" />
-<col width="25%" />
-</colgroup>
-<thead>
-<tr class="header">
-<th align="left"></th>
-<th align="left">Admin</th>
-<th align="left">Purchaser</th>
-<th align="left">Device Guard signer</th>
-</tr>
-</thead>
-<tbody>
-<tr class="odd">
-<td align="left"><p>Sign up for Store for Business</p></td>
-<td align="left"></td>
-<td align="left"></td>
-<td align="left"></td>
-</tr>
-<tr class="even">
-<td align="left"><p>Assign roles</p></td>
-<td align="left"></td>
-<td align="left"></td>
-<td align="left"></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>Modify company profile settings</p></td>
-<td align="left"></td>
-<td align="left"></td>
-<td align="left"></td>
-</tr>
-<tr class="even">
-<td align="left"><p>Manage Store for Business settings</p></td>
-<td align="left"><p>X</p></td>
-<td align="left"></td>
-<td align="left"></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>Acquire apps</p></td>
-<td align="left"><p>X</p></td>
-<td align="left"><p>X</p></td>
-<td align="left"></td>
-</tr>
-<tr class="even">
-<td align="left"><p>Distribute apps</p></td>
-<td align="left"><p>X</p></td>
-<td align="left"><p>X</p></td>
-<td align="left"></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>Sign policies and catalogs</p></td>
-<td align="left"><p>X</p></td>
-<td align="left"></td>
-<td align="left"></td>
-</tr>
-<tr class="even">
-<td align="left"><p>Sign Device Guard changes</p></td>
-<td align="left"></td>
-<td align="left"></td>
-<td align="left"><p>X</p></td>
-</tr>
-</tbody>
-</table>
+|                                |  Admin | Purchaser | Device Guard signer |
+| ------------------------------ | ------ | --------  | ------------------- |
+| Assign roles                   | X      |           |                     |
+| Manage Store for Business settings |  X |           |                     |
+| Acquire apps                   | X      | X         |                     |
+| Distribute apps                | X      | X         |                     |
+| Sign policies and catalogs     | X      |           |                     |
+| Sign Device Guard changes      | X      |           |  X                   |
 
- 
 
 These permissions allow people to:
 
@@ -184,7 +68,7 @@ These permissions allow people to:
 
     -   Offline licensing
 
-    -   Permissions (view only)
+    -   Permissions
 
     -   Private store
 
@@ -196,12 +80,10 @@ These permissions allow people to:
 
 1.  Sign in to Store for Business.
 
-    **Note**  
-    You need to be a Global Administrator, or have the Store for Business Admin role to access the **Permissions** page.
-
-    To assign roles, you need to be a Global Administrator or a Store Administrator that is also a User Administrator.
-
-     
+    >[!Note]
+    >You need to be a Global Administrator, or have the Store for Business Admin role to access the **Permissions** page. 
+    
+    To assign roles, you need to be a Global Administrator or a Store Administrator.
 
 2.  Click **Settings**, and then choose **Permissions**.
 
@@ -211,9 +93,7 @@ These permissions allow people to:
 
     ![Image showing Assign roles to people box in Windows Store for Business.](images/wsfb-permissions-assignrole.png)
 
-4.  
-
-    If you are not finding the name you want, you might need to add people to your Azure AD directory. For more information, see [Manage user accounts in the Windows Store for Business.](manage-users-and-groups-windows-store-for-business.md)
+4.  If you are not finding the name you want, you might need to add people to your        Azure AD directory. For more information, see [Manage user accounts in the     Windows Store for Business.](manage-users-and-groups-windows-store-for-business.md)
 
  
 
diff --git a/windows/plan/windows-10-enterprise-faq-itpro.md b/windows/plan/windows-10-enterprise-faq-itpro.md
index 192d0910c6..60a48fef2f 100644
--- a/windows/plan/windows-10-enterprise-faq-itpro.md
+++ b/windows/plan/windows-10-enterprise-faq-itpro.md
@@ -49,7 +49,7 @@ Many existing Win32 and Win64 applications already run reliably on Windows 10 wi
 
 ### Is there an easy way to assess if my organization’s devices are ready to upgrade to Windows 10?
 
-[Windows Upgrade Readiness](https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics) (formerly known as Upgrade Analytics) provides powerful insights and recommendations about the computers, applications, and drivers in your organization, at no extra cost and without additional infrastructure requirements. This new service guides you through your upgrade and feature update projects using a workflow based on Microsoft recommended practices. Up-to-date inventory data allows you to balance cost and risk in your upgrade projects.
+[Windows Analytics Upgrade Readiness](https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics) (formerly known as Upgrade Analytics) provides powerful insights and recommendations about the computers, applications, and drivers in your organization, at no extra cost and without additional infrastructure requirements. This new service guides you through your upgrade and feature update projects using a workflow based on Microsoft recommended practices. Up-to-date inventory data allows you to balance cost and risk in your upgrade projects. You can find additional product information at [Windows Analytics](https://www.microsoft.com/en-us/WindowsForBusiness/Windows-Analytics).
 
 ## Administration and deployment
 
@@ -64,15 +64,9 @@ Updated versions of Microsoft deployment tools, including MDT, Configuration Man
 
 Computers running Windows 7 or Windows 8.1 can be upgraded directly to Windows 10 through the in-place upgrade process without a need to reimage the device using MDT and/or Configuration Manager. For more information, see [Upgrade to Windows 10 with System Center Configuration Manager](https://technet.microsoft.com/itpro/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager) or [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](https://technet.microsoft.com/itpro/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit).
 
-### Are there any deployment tools available to support Windows 10?
-
-Updated versions of Microsoft deployment tools, including Configuration Manager, MDT, and the Windows Assessment and Deployment Kit (Windows ADK) have been released adding support for Windows 10. For most organizations currently using MDT or Configuration Manager to deploy Windows, deployment of Windows 10 will change very little. 
-
-For more information on deployment methods for Windows 10, see [Windows 10 deployment tools](https://technet.microsoft.com/library/mt297512.aspx) and [Windows 10 deployment scenarios](https://technet.microsoft.com/library/mt282208.aspx).
-
 ### Can I upgrade from Windows 7 Enterprise or Windows 8.1 Enterprise to Windows 10 Enterprise for free?
 
-If you have Windows 7 Enterprise or Windows 8.1 Enterprise and current Software Assurance, you are entitled to the upgrade to Windows 10 Enterprise through the rights of Software Assurance. You can find your product keys and installation media at the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx).
+If you have Windows 7 Enterprise or Windows 8.1 Enterprise and current Windows 10 Enterprise E3 or E5 subscription, you are entitled to the upgrade to Windows 10 Enterprise through the rights of Software Assurance. You can find your product keys and installation media at the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx).
 
 For devices that are licensed under a volume license agreement for Windows that does not include Software Assurance, new licenses will be required to upgrade these devices to Windows 10.
 
@@ -104,12 +98,7 @@ For more information on pros and cons for these tools, see [Servicing Tools](htt
 
 ### Where can I find information about new features and changes in Windows 10 Enterprise?
 
-For an overview of the new enterprise features in Windows 10 Enterprise, see [What's new in Windows 10](https://technet.microsoft.com/itpro/windows/whats-new/index) and [What's new in Windows 10, version 1703](https://tnstage.redmond.corp.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1703?branch=rs2) in the TechNet library. You can find information You'll find info on features like these:
--  Modern deployment - Zero-touch deployment, bulk AD enrollment with provisioning, UEFI conversion tooland 
-- Windows Analytics -  Upgrade Readiness, and Update Compliance
-- Windows as a service enhancements -  Differential feature update support, express update support for System Center Configuration Manager and third-party management software
-- Mobile application management (MAM) and  enhanced MDM
-- Advanced security with Windows Defender - App Guard, Credential Guard, App Control, ATP) and Windows Hello
+For an overview of the new enterprise features in Windows 10 Enterprise, see [What's new in Windows 10](https://technet.microsoft.com/itpro/windows/whats-new/index) and [What's new in Windows 10, version 1703](https://tnstage.redmond.corp.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1703?branch=rs2) in the TechNet library. 
 
 Another place to track the latest information about new features of interest to IT professionals is the [Windows for IT Pros blog](https://blogs.technet.microsoft.com/windowsitpro/). Here you’ll find announcements of new features, information on updates to the Windows servicing model, and details about the latest resources to help you more easily deploy and manage Windows 10. 
 
diff --git a/windows/update/TOC.md b/windows/update/TOC.md
index cb2e9787f8..b16ed8c89e 100644
--- a/windows/update/TOC.md
+++ b/windows/update/TOC.md
@@ -19,5 +19,8 @@
 ## [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
 ## [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
 ## [Manage device restarts after updates](waas-restart.md)
+## [Windows Insider Program for Business](waas-windows-insider-for-business.md)
+### [Windows Insider Program for Business using Azure Active Directory](waas-windows-insider-for-business-aad.md)
+### [Windows Insider Program for Business Frequently Asked Questions](waas-windows-insider-for-business-faq.md)
 ## [Change history for Update Windows 10](change-history-for-update-windows-10.md)
 
diff --git a/windows/update/images/waas-wipfb-accounts.png b/windows/update/images/waas-wipfb-accounts.png
new file mode 100644
index 0000000000..27387e3e7b
Binary files /dev/null and b/windows/update/images/waas-wipfb-accounts.png differ
diff --git a/windows/update/images/waas-wipfb-change-user.png b/windows/update/images/waas-wipfb-change-user.png
new file mode 100644
index 0000000000..bf6fe39beb
Binary files /dev/null and b/windows/update/images/waas-wipfb-change-user.png differ
diff --git a/windows/update/images/waas-wipfb-work-account.jpg b/windows/update/images/waas-wipfb-work-account.jpg
new file mode 100644
index 0000000000..4b34385b18
Binary files /dev/null and b/windows/update/images/waas-wipfb-work-account.jpg differ
diff --git a/windows/update/waas-restart.md b/windows/update/waas-restart.md
index 0577ff709a..8eb41f55fc 100644
--- a/windows/update/waas-restart.md
+++ b/windows/update/waas-restart.md
@@ -49,6 +49,8 @@ For a detailed description of these regsitry keys, see [Registry keys used to ma
 
 By default, active hours are from 8 AM to 5 PM on PCs and from 5 AM to 11 PM on phones. Users can change the active hours manually. 
 
+Starting with Windows 10, version 1703, you can also specify the max active hours range. The specified range will be counted from the active hours start time.
+
 Administrators can use multiple ways to set active hours for managed devices:
 
 - You can use Group Policy, as described in the procedure that follows.
@@ -61,9 +63,11 @@ To configure active hours using Group Policy, go to **Computer Configuration\Adm
 
 ![Use Group Policy to configure active hours](images/waas-active-hours-policy.png)
 
+To configure max active hours range, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and open the **Specify active hours range for auto-restarts**. This is only available from Windows 10, version 1703.
+
 ### Configuring active hours with MDM
 
-MDM uses the [Update/ActiveHoursStart and Update/ActiveHoursEnd](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_ActiveHoursEnd) settings in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to configure active hours.
+MDM uses the [Update/ActiveHoursStart and Update/ActiveHoursEnd](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_ActiveHoursEnd)  and [Update/ActiveHoursMaxRange](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-activehoursmaxrange) settings in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to configure active hours.
 
 ### Configuring active hours through Registry
 
diff --git a/windows/update/waas-windows-insider-for-business-aad.md b/windows/update/waas-windows-insider-for-business-aad.md
new file mode 100644
index 0000000000..f749ef1c36
--- /dev/null
+++ b/windows/update/waas-windows-insider-for-business-aad.md
@@ -0,0 +1,72 @@
+---
+title: Windows Insider Program for Business using Azure Active Directory
+description: Benefits and configuration of corporate accounts in the Windows Insider Program
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: DaniHalfin
+localizationpriority: high
+---
+
+# Windows Insider Program for Business using Azure Active Directory
+
+
+**Applies to**
+
+- Windows 10
+
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+
+We recently added features and benefits to better support the IT Professionals and business users in our Insider community. This includes the option to download Windows 10 Insider Preview builds using your corporate credentials in Azure Active Directory (AAD). By enrolling devices in AAD, you increase the visibility of feedback submitted by users in your organization – especially on features that support your specific business needs. 
+
+>[!NOTE]
+>At this point, the Windows Insider Program for Business only supports Azure Active Directory (and not Active Directory on premises) as a corporate authentication method.
+
+>[!TIP]
+>New to Azure Active Directory? Go here for [an introduction to AAD](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect), including guidance for [adding users](https://docs.microsoft.com/azure/active-directory/active-directory-users-create-azure-portal), [device registration](https://docs.microsoft.com/azure/active-directory/active-directory-device-registration-overview) and [integrating your on-premises directories with Azure AD](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect).
+>
+>If your company is currently not using AAD – but has a paid subscription to  Office 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services – you have a free subscription to Microsoft Azure Active Directory. This subscription  can be used to create users for enrollment in the Windows Insider Program for Business.
+
+In order to get the most benefit out of the Windows Insider Program for Business, organizations should not use a test tenant of AAD. There will be no modifications to the AAD tenant to support the Windows Insider Program as it will only be used as an authentication method.
+
+## Check if a device is connected to your company’s Azure Active Directory subscription
+Simply go to **Settings > Accounts > Access work or school**. If a corporate account is on Azure Active Directory and it is connected to the device, you will see the account listed as highlighted in the image below.
+
+![Device connected to Work Account](images/waas-wipfb-work-account.jpg)
+
+## Enroll a device with an Azure Active Directory account
+1. Visit [insider.windows.com](https://insider.windows.com). Sign-in with your corporate account in AAD and follow the on-screen registration directions. 
+2. On your Windows 10 device, go to **Settings > Updates & Security >  Windows Insider Program**. 
+
+>[!NOTE]
+>Make sure that you have administrator rights to the machine and that it has latest Windows updates. 
+
+3. Enter the AAD account that you used to register and follow the on-screen directions. 
+
+## Switch device enrollment from your Microsoft account to your AAD account 
+1. Visit [insider.windows.com](https://insider.windows.com) to register your AAD account. If you are signed in with your Microsoft account, sign out, then sign back in with your corporate AAD account. 
+2. Click **Get started**, read and accept the privacy statement and program terms and click **Submit**. 
+3. On your Windows 10 PC, go to **Settings > Updates & Security >  Windows Insider Program**. 
+4. Under Windows Insider account, click your Microsoft account, then **Change** to open a Sign In box. 
+5. Select your corporate account and click Continue to change your account. 
+
+![Change Windows Insider account](images/waas-wipfb-change-user.png)
+
+>[!NOTE]
+>Your device must be connected to your corporate account in AAD for the account to appear in the account list.
+
+## Frequently Asked Questions
+
+### Will my test machines be affected by automatic registration?
+All devices enrolled in the Windows Insider Program (physical or virtual) will receive Windows 10 Insider Preview builds (regardless of registration with MSA or AAD).
+
+### Once I register with my corporate account in AAD, do I need to keep my Microsoft account for the Windows Insider Program?
+No, once you set up your device using AAD credentials – all feedback and flighting on that machine will be under your AAD account. You may need MSA for other machines that aren’t being used on your corporate network or to get Windows store app updates.
+
+### How do I stop receiving updates? 
+You can simply “unlink” your account by going to **Settings > Updates & Security > Windows Insider Program**, select Windows Insider Account and click **Unlink**.
+
+
+## Related Topics
+- [Windows Insider Program for Business](waas-windows-insider-for-business.md)
+- [Windows Insider Program for Business Frequently Asked Questions](waas-windows-insider-for-business-faq.md)
diff --git a/windows/update/waas-windows-insider-for-business-faq.md b/windows/update/waas-windows-insider-for-business-faq.md
new file mode 100644
index 0000000000..653d6d5c93
--- /dev/null
+++ b/windows/update/waas-windows-insider-for-business-faq.md
@@ -0,0 +1,90 @@
+---
+title: Windows Insider Program for Business Frequently Asked Questions
+description: Frequently Asked Questions and answers about the Windows Insider Program
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: DaniHalfin
+localizationpriority: high
+---
+
+# Windows Insider Program for Business Frequently Asked Questions
+
+
+**Applies to**
+
+- Windows 10
+
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+
+### Are the Windows Insider Program and Windows Insider Program for Business separate programs?
+No, in fact just the opposite. The Windows Insider Program was created in 2014 to help Microsoft engage with Windows Fans worldwide. Windows Insiders are the first to be able to try new Windows features that we introduce through Windows 10 Insider Preview Builds. At the same time, they can provide feedback through the Feedback Hub App which helps create even better versions of Windows for all users. The Windows Insider Program for Business enables you to incorporate Insider Preview builds into your deployment plans using your corporate credentials, deepen connections with the IT Pro community, collect feedback within your organization, and increase the visibility of your organization’s feedback – especially on features that support productivity and business needs. Together we can resolve blocking or critical issues to better support your organization’s needs sooner. Incorporating the Windows Insider Program for Business into your deployment plans enables you to prepare your organization for the next update of Windows 10, to deploy new services and tools more quickly, to help secure your applications, and to increase productivity and confidence in the stability of your environment. Windows Insider Program for Business participants collaborate with the Windows team to build and document features, infuse innovation, and plan for what’s around the bend. We’ve architected some great features together, received amazing feedback, and we’re not done.
+
+### What Languages are available? 
+Insider Preview builds are available in the following languages: English (United States), English (United Kingdom), Chinese (Simplified), Chinese (Traditional), Portuguese (Brazilian), Japanese,Russian, German, French, French (Canada), Korean, Italian, Spanish, Spanish (Latin America), Swedish, Finnish, Turkish, Arabic, Dutch, Czech, Polish, Thai, Catalan, Hindi, and Vietnamese.
+
+If your Windows build is not in one of the available base languages, you will not receive Insider Preview builds.
+
+Hindi, Catalan, and Vietnamese can only be installed as a language pack over [supported base languages](https://support.microsoft.com/help/14236/language-packs).
+
+>[!NOTE]
+> To learn how to install a language pack, see [How to add an input language to your PC Additional](https://support.microsoft.com/instantanswers/60f32ff8-8697-4452-af7d-647439c38433/how-to-add-and-switch-input-languages-on-your-pc).
+
+### How do I register for  the Windows Insider Program for Business? 
+To register for the Windows Insider Program for Business, follow the steps below using your corporate account in Azure Active Directory (AAD). This account is the same account  \that you use for Office 365 and other Microsoft services. 
+
+1. Visit https://insider.windows.com and click **Get Started**. 
+2. Sign-in with your corporate account in AAD (username/password) and follow the on-screen registration directions. 
+3. Enroll your Windows 10 PC to get the latest Windows 10 Insider Preview builds. Go to **Settings > Updates & Security > Windows Insider Program**. Click **Get Started**, enter your corporate credentials that you used to register, then follow the on-screen directions. 
+>[!NOTE]
+>Make sure that you have administrator rights to your machine and that it has latest Windows updates.
+
+### How can I find out if my corporate account is on Azure Active Directory? 
+On your PC, go to **Settings > Accounts > Access work or school**. If your organization has set up your corporate account in Azure Active Directory and it is connected to your PC, you will see the account listed.  
+
+### I have more than one Azure Active Directory account. Which should I use? 
+Register for Windows Insider Program for Business with the same active account that you use to access your corporate email in Office 365 and other Microsoft services. To ensure you get the most benefit out of the Windows Insider Program for Business and that your company is fully represented, do not set up a separate tenant for testing activities. There will be no modifications to the AAD tenant to support Windows Insider Program for Business, and it will only be used as an authentication method. 
+
+### My account is listed in Active Directory but not Azure Active Directory. Can I still register using my Active Directory credentials?
+No. At this point, we are only supporting Azure Active Directory as a corporate authentication method. If you’d like to suggest or upvote another authentication method, please visit this [forum](https://answers.microsoft.com/en-us/insider/forum/insider_wintp).
+
+### I just want to participate as a Windows Insider. Do I still need to register with my corporate account in Azure Active Directory? 
+No. You can join using your Microsoft account (MSA) by following the steps below. However, please note that if you want to access the benefits of the Windows Insider Program for Business, you will need to sign-up using your corporate account in Azure Active Directory. 
+
+1. Visit https://insider.windows.com and click Get Started. 
+2. Register with your Microsoft account and follow the on-screen registration directions. 
+3. Enroll your Windows 10 PC to get the latest Windows 10 Insider Preview builds by going to **Settings > Updates & Security > Windows Insider Program** and entering your Microsoft account that you used to register. Now follow the on-screen directions. 
+
+>[!NOTE]
+>Make sure that you have administrator rights to your machine and that it has latest Windows updates. 
+
+### I am already a Windows Insider. I want to switch my account from my Microsoft account to my corporate account in Azure Active Directory. How do I do this?
+In just a few steps, you can switch your existing program registration from your Microsoft account to your corporate account in Azure Active Directory. 
+
+1. Visit https://insider.windows.com. If you are signed in with your Microsoft account, sign out then sign back in to register with your corporate account in AAD. 
+2. On your Windows 10 PC, go to **Settings > Updates & Security > Windows Insider Program**. 
+3. In your account Under Windows Insider account, click **Change** to open a pop-up box. 
+4. Select your corporate account and click Continue to change your account. 
+
+>[!NOTE]
+>Your corporate account must be connected to the device for it to appear in the account list.
+
+### How do I sign into the Feedback Hub with my corporate credentials? 
+Sign in to the Feedback Hub using the same AAD account you are using to flight builds.
+
+### Am I going to lose all the feedback I submitted and badges I earned with my MSA?
+No. However, your feedback will not be transferred from your MSA to your AAD account. You can switch back to your MSA account in the Feedback Hub to access feedback you’ve submitted and badge you’ve earned.
+
+### How is licensing handled for Windows 10 Insider builds? 
+All PCs need to have a valid Windows 10 license. This requirement applies whether the device is joined to the Windows Insider Program using a Microsoft account or an Azure Active Directory account. 
+
+### Can I use the Software in a live operating environment? 
+The software is a pre-release version, and we do not recommend that organizations run Windows Insider Preview builds outside of their test environments. This software may not work the way a final version of the software will. We may change it for the final, commercial version. We also may not release a commercial version.
+
+### Can a single MSA or AAD account be used to register more than one PC in the program? 
+Yes. If each PC has a valid Windows 10 or Windows 10 Mobile license you can use your MSA on as many devices as you’d like. However, the main concern would be that within the feedback it all looks like it comes from a single user. If multiple devices are experiencing problems with a build, you’d want the ability to submit the same feedback from multiple people (or upvote the same piece of feedback). 
+
+
+## Related Topics
+- [Windows Insider Program for Business](waas-windows-insider-for-business.md)
+- [Windows Insider Program for Business using Azure Active Directory](waas-windows-insider-for-business-aad.md)
\ No newline at end of file
diff --git a/windows/update/waas-windows-insider-for-business.md b/windows/update/waas-windows-insider-for-business.md
new file mode 100644
index 0000000000..b25fa5f18b
--- /dev/null
+++ b/windows/update/waas-windows-insider-for-business.md
@@ -0,0 +1,166 @@
+---
+title: Windows Insider Program for Business
+description: Overview of the Windows Insider Program for Business
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: DaniHalfin
+localizationpriority: high
+---
+
+# Windows Insider Program for Business
+
+
+**Applies to**
+
+- Windows 10
+
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+
+For many IT pros, gaining visibility into feature updates early—before they’re available to the CB servicing branch—can be both intriguing and valuable for future end user communications as well as provide additional prestaging for CB machines. With Windows 10, feature flighting enables Windows Insiders to consume and deploy preproduction code to their test machines, gaining early visibility into the next build. Testing the early builds of Windows 10 helps both Microsoft and its customers because they have the opportunity to discover possible issues before the update is ever publicly available and can report it to Microsoft. Also, as flighted builds get closer to their release to CB, organizations can test their deployment on test devices for compatibility validation.
+
+The Windows Insider Program for Business gives you the opportunity to: 
+* Get early access to Windows Insider Preview Builds 
+* Provide feedback to Microsoft in real-time via the Feedback Hub app.
+* Sign-in with coproate credentials (Azure Active Directory) and increase the visibility of your organization's feedback with Microsoft – especially on features that support your productivity and business needs.
+
+
+Microsoft recommends that all organizations have at least a few PCs enrolled in the Windows Insider Program, to include the Windows Insider Program in their deployment plans and to provide feedback on any issues they encounter to Microsoft via our Feedback Hub app. 
+
+The Windows Insider Program isn’t intended to replace CB deployments in an organization. Rather, it provides IT pros and other interested parties with pre-release Windows builds that they can test and ultimately provide feedback on to Microsoft. 
+
+## Getting started with Windows Insider Program for Business
+
+To get started with the Windows Insider Program for Business, you will need to follow a few simple steps:
+
+1. Navigate to [insider.windows.com](https://insider.windows.com) and go to **Get Started**.
+2. Sign-in with you desired account. It can be either a Microsoft Account or your organizational Azure Active Directory Account.
+
+![Account Types](images/waas-wipfb-accounts.png)
+
+3. Enroll your device by going to **Start > Settings > Update & security > Windows Insider Program** and selecting **Get Started**. Sign-in using the account you used to register for the Windows Insider Program.
+4. After reading the privacy statement and clicking **Next**, **Confirm** and schedule a restart.
+
+## Install your first preview build from the Windows Insider Program
+
+After enrolling your devices, you are ready to install your first preview build. To do so, go to **Start** > **Settings** > **Update & security** > **Windows Insider Program** to select your Insider level. The device receives the most recent Windows Insider build for the Insider level you select. 
+
+>[!TIP]
+>Flighting rings are used to evaluate the quality of our software as it is released to progressively larger audiences. We will flight a Feature Update, application, etc. to the first ring if it passes all required automated testing in the lab. The flight will continue to be evaluated against a set of criteria to ensure it is ready to progress to the next ring.
+
+The options for Insider level are:
+
+### Release Preview
+
+Best for Insiders who enjoy getting early access to updates for the Current Branch, Microsoft applications, and drivers, with minimal risk to their devices, and still want to provide feedback to make Windows devices great.
+
+Insiders on this level receive builds of Windows just before Microsoft releases them for CB. Although these builds aren’t final, they are the most complete and stable builds available to Windows Insider Program participants. This level provides the best testing platform for organizations that conduct early application compatibility testing on Windows Insider PCs.
+
+* The Release Preview Ring will only be visible when your Windows build version is the same as the Current Branch  
+* The easiest way to go between the Development Branch to the Current Branch is to use the [Media Creation Tool](http://go.microsoft.com/fwlink/?LinkId=691209) (for PC) or [Windows Device Recovery Tool](http://go.microsoft.com/fwlink/p/?LinkId=522381) (for Mobile) to reinstall Windows  
+Ring 
+
+### Slow
+
+The Slow Windows Insider level is for users who enjoy seeing new builds of Windows with minimal risk to their devices but still want to provide feedback to Microsoft about their experience with the new build.
+
+* Builds are sent to the Slow Ring after feedback has been received from Insiders within the Fast Ring and analyzed by our Engineering teams.  
+* These builds will include updates to fix key issues that would prevent many Windows Insiders from being able to use the build on a daily basis.  
+* These builds are still may have issues that would be addressed in a future flight.
+
+### Fast
+
+Best for Insiders who enjoy being the first to get access to builds and feature upgrades, with some risk to their devices in order to identify issues, and provide suggestions and ideas to make Windows software and devices great 
+
+* Windows Insiders with devices in the Fast Ring should be prepared for more issues that may block key activities that are important to you or may require significant workarounds. 
+* Because we are also validating a build on a smaller set of devices before going to Fast, there is also a chance that some features may work on some devices but may fail in other device configurations. 
+* Windows Insiders should be ready to reinstall Windows using the [Media Creation Tool](http://go.microsoft.com/fwlink/?LinkId=691209) or [Windows Device Recovery Tool](http://go.microsoft.com/fwlink/p/?LinkId=522381) when you are significantly blocked. • Please remember to report any issue to us through the Windows Insider Feedback Hub or the Windows Insider community Forum 
+
+>[!NOTE]
+>Once your machine is updated to Windows 10 and you select your desired flight ring, the process known as "Compatibility check" will need to run in the background. There is no manual way to force this process to run. This process allows for the discovery of your OS type (32-bit, 64-bit), build edition (Home, Pro, Enterprise), country and language settings, and other required information. Once this process is complete, your machine will be auto-targeted for the next available flight for your selected ring. For the first build on any given machine, this may take up to 24 hours to complete.
+
+## How to switch between flight rings
+
+During your time in the Windows Insider Program, you may want to change between flight rings for any number of reasons. Changing rings is a simple process that requires only a few clicks:
+
+1. Go to **Settings > Updates & Security >  Windows Insider Program**
+2. Under **Choose your level**, select between the following rings -
+    * [Windows Insider Fast](#fast)
+    * [Windows Insider Slow](#slow)
+    * [Release Preview](#release-preview)
+
+## How to switch between you MSA and your Corporate AAD account
+
+The Windows Insider Program for Business now gives users the option to register and enroll devices using a corporate account in [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) (AAD) as well as their Microsoft Account (MSA).
+
+To switch between accounts, go to **Settings > Updates & Security >  Windows Insider Program**, and under **Windows Insider account** select **Change**.
+![Change Windows Insider account](images/waas-wipfb-change-user.png)
+
+>[!NOTE]
+>If you would like to use your corporate account, your device must be connected to your corporate account in AAD for the account to appear in the account list.
+
+## Sharing Feedback Via the Feedback Hub
+As you know a key benefit to being a Windows Insider is Feedback. It’s definitely a benefit to us, and we hope it’s a benefit to you. Feedback is vital for making changes and improvements in Windows 10. Receiving quality and actionable feedback is key in achieving these goals.
+
+When providing feedback, please consider the following: 
+1. Please use the **Feedback Hub** app to submit your feedback to Microsoft.  
+2. Check for existing feedback on the topic you are preparing to log. Another user may have already shared the same feedback. If they have, please “upvote” the existing feedback to help prevent duplicate submissions. Adding additional comments to existing feedback can help others by providing clarity to existing information or additional scenarios to review. 
+3. Provide as much information to us as possible: include reproduction steps, screenshots, any detail you think would help us experience the issue as you have, so that we can work on a fix and get it into a new build as soon as possible.
+
+### How to use your corporate AAD account for additional Feedback Hub benefits 
+Get even more out of the Feedback Hub by signing in to the Feedback Hub using the same corporate account in AAD that are using to flight builds. One of the benefits of submitting feedback using your AAD account is the addition of a page to the Feedback Hub for your organization. Simply click the **My Company** page in the feedback hub to see and upvote all feedback submitted by other Insiders in your organization.
+
+>[!NOTE]
+>If you signed into the Feedback Hub previously with your MSA, your feedback and badges will not be transferred to your AAD sing-in. However, you can switch back to your MSA account in the Feedback Hub to access feedback you’ve submitted and badges you’ve earned.
+
+## Not receiving Windows 10 Insider Preview build updates?
+
+In some cases, your PC may not update to the latest Insider Preview build as expected. Here are items that you can review to troubleshoot this issue:
+
+### Perform a manual check for updates 
+Go to **Settings > Updates & Security**. Review available updates or select **Check for updates**.
+
+>[!NOTE]
+>If you have set Active Hours, ensure your device is left turned on and signed in during the off-hours so the install process can complete.
+
+### Make sure Windows is activated 
+Go to **Settings > Updates & Security > Activation** to verify Windows is activated.
+
+### Make sure your coporate account in AAD is connected to your device
+Open **Settings \ Accounts \ Access work or school**. If your PC is not listed as connected to your account in AAD, click Connect and enter your AAD account.
+
+### Make sure you have selected a flight ring
+Open **Settings > Update & Security > Windows Insider Program** and select your flight ring.
+
+### Have you recently done a roll-back? 
+If so, please double-check your flight settings under **Settings > Update & Security > Windows Insider Program**.
+
+### Did you do a clean install? 
+After a clean-install and initial setup of a Microsoft or coporate account (even one that has been used previously for flighting) the appropriate targeting needs to take place for your PC. This background process is known as Compatibility Checker and will run during idle time on your PC. This process may take up to 24 hours. Please leave your PC turned on to ensure this occurs in timely manner. 
+
+### Are there known issues for your current build?
+On rare occasion, there may be an issue with a build that could lead to issues with updates being received. Please check the most recent Blog Post or reach out to the Windows Insider team on Twitter for verification (*@WindowsInsider*). You can also check the **Feedback Hub** for announcments and known issues.
+
+## Exiting flighting
+
+After you’ve tried the latest Insider Preview builds, you may want to opt out. In order to do that, go to  **Settings > Update & Security > Windows Insider Program** and select **Stop Insider Preview Builds**. Follow the on-screen instructions to stop flighting to your device.
+
+## Additional help resources
+
+* [**Windows Blog**](https://blogs.windows.com/blog/tag/windows-insider-program/) - With each new build release we publish a Windows Blog post that outlines key feature changes as well as known issues that Insiders may encounter while using the build.
+* [**Windows Insider Preview community forum**](https://answers.microsoft.com/en-us/insider/forum/insider_wintp) - Answers is Microsoft’s forum platform and there is an entire area dedicated to the Windows Insider Program. Insiders can filter between PC, Office, Edge, and many others.
+
+## Learn More
+- [Windows Insider Program for Business using Azure Active Directory](waas-windows-insider-for-business-aad.md)
+- [Windows Insider Program for Business Frequently Asked Questions](waas-windows-insider-for-business-faq.md)
+
+
+## Related Topics
+- [Overview of Windows as a service](waas-overview.md)
+- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
+- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
+- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
+- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
+- [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
+- [Manage Windows 10 updates using Windows Server Update Services (WSUS)](waas-manage-updates-wsus.md)
+- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
\ No newline at end of file
diff --git a/windows/whats-new/images/wcd-cleanpc.PNG b/windows/whats-new/images/wcd-cleanpc.PNG
new file mode 100644
index 0000000000..434eb55cb0
Binary files /dev/null and b/windows/whats-new/images/wcd-cleanpc.PNG differ
diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md
index 8b68fc3f56..ed03eaead1 100644
--- a/windows/whats-new/whats-new-windows-10-version-1703.md
+++ b/windows/whats-new/whats-new-windows-10-version-1703.md
@@ -1,6 +1,6 @@
 ---
 title: What's in Windows 10, version 1703
-description: New and updated IT Pro content about new features in Windows 10, version 1703 (also known as the Creators Updated).
+description: New and updated IT pro content about new features in Windows 10, version 1703 (also known as the Creators Updated).
 keywords: ["What's new in Windows 10", "Windows 10", "creators update"]
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -10,14 +10,14 @@ localizationpriority: high
 ms.assetid: dca7c655-c4f6-45f8-aa02-64187b202617
 ---
 
-# What's new in Windows 10, version 1703 IT Pro content
+# What's new in Windows 10, version 1703 IT pro content
 
-Below is a list of some of the new and updated content that discusses Information Technology (IT) Pro features in Windows 10, version 1703 (also known as the Creators Update).
+Below is a list of some of the new and updated content that discusses Information Technology (IT) pro features in Windows 10, version 1703 (also known as the Creators Update).
 
 For more general info about Windows 10 features, see [Features available only on Windows 10](https://www.microsoft.com/windows/features). For info about previous versions of Windows 10, see [What's New in Windows 10](index.md).
 
 >[!NOTE]
->For release dates and servicing options for each version, see [Windows 10 release information](https://technet.microsoft.com/en-us/windows/release-info). For a list of removed features, see [Features that are removed or deprecated in Windows 10 Creators Update](https://support.microsoft.com/help/4014193/features-that-are-removed-or-deprecated-in-windows-10-creators-update).
+>Windows 10, version 1703 contains all fixes included in previous cumulative updates to Windows 10, version 1607. For info about each version, see [Windows 10 release information](https://technet.microsoft.com/en-us/windows/release-info). For a list of removed features, see [Features that are removed or deprecated in Windows 10 Creators Update](https://support.microsoft.com/help/4014193/features-that-are-removed-or-deprecated-in-windows-10-creators-update). 
  
 ## Configuration
 
@@ -27,7 +27,11 @@ Previously known as *Windows Imaging and Configuration Designer (ICD)*, the tool
 
 Windows Configuration Designer in Windows 10, version 1703, includes several new wizards to make it easier to create provisioning packages.
 
-![wizards for desktop, mobile, kiosk, HoloLens, Surface Hub](images/wcd-options.png)
+![wizards for desktop, mobile, kiosk, Surface Hub](images/wcd-options.png)
+
+Both the desktop and kiosk wizards include an option to remove pre-installed software, based on the new [CleanPC configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/cleanpc-csp).
+
+![remove pre-installed software option](images/wcd-cleanpc.png)
 
 [Learn more about Windows Configuration Designer.](../configure/provisioning-packages.md)
 
@@ -36,7 +40,7 @@ Windows Configuration Designer in Windows 10, version 1703, includes several new
 
 Using the new wizards in Windows Configuration Designer, you can [create provisioning packages to enroll devices in Azure Active Directory](../configure/provisioning-packages.md#configuration-designer-wizards). Bulk enrollment in Azure AD is available in the desktop, mobile, kiosk, and Surface Hub wizards.
 
-![get bulk token action in wizard](images/bulk-token.png) 
+![get bulk token action in wizard](images/bulk-token.png)
 
 
 ### Windows Spotlight
@@ -52,19 +56,18 @@ The following new Group Policy and mobile device management (MDM) settings are a
 
 ### Start and taskbar layout
 
-Enterprises have been able to apply customized Start and taskbar layouts to devices running Windows 10 Enterprise and Education. In Windows 10, version 1703, customized Start and taskbar layout can also be applied to Windows 10 Pro. 
-
-Additional MDM policy settings are available for Start and taskbar layout. For details, see [Manage Windows 10 Start and taskbar layout](../configure/windows-10-start-layout-options-and-policies.md).
+Enterprises have been able to apply customized Start and taskbar layouts to devices running Windows 10 Enterprise and Education. In Windows 10, version 1703, customized Start and taskbar layout can also be applied to Windows 10 Pro.
 
 Previously, the customized taskbar could only be deployed using Group Policy or provisioning packages. Windows 10, version 1703, adds support for customized taskbars to [MDM](../configure/customize-windows-10-start-screens-by-using-mobile-device-management.md).
 
-### Lockdown Designer for Windows 10 Mobile lockdown files
+[Additional MDM policy settings are available for Start and taskbar layout](../configure/windows-10-start-layout-options-and-policies.md). New MDM policy settings include:
+
+- Settings for the User tile: [**Start/HideUserTile**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideusertile), [**Start/HideSwitchAccount**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideswitchaccount), [**Start/HideSignOut**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidesignout), [**Start/HideLock**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidelock), and [**Start/HideChangeAccountSettings**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidechangeaccountsettings)
+- Settings for Power: [**Start/HidePowerButton**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidepowerbutton), [**Start/HideHibernate**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidehibernate), [**Start/HideRestart**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderestart), [**Start/HideShutDown**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideshutdown), and [**Start/HideSleep**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidesleep)
+- Additional new settings: [**Start/HideFrequentlyUsedApps**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps), [**Start/HideRecentlyAddedApps**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps), **AllowPinnedFolder**, **ImportEdgeAssets**, [**Start/HideRecentJumplists**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentjumplists), [**Start/NoPinningToTaskbar**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-nopinningtotaskbar), [**Settings/PageVisibilityList**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-pagevisibilitylist), and [**Start/HideAppsList**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideapplist).
 
-The Lockdown Designer app helps you configure and create a lockdown XML file to apply to devices running Windows 10 Mobile, and includes a remote simulation to help you determine the layout for tiles on the Start screen. Using Lockdown Designer is easier than [manually creating a lockdown XML file](../configure/lockdown-xml.md).
 
-![Lockdown Designer app in Store](images/ldstore.png)
 
-[Learn more about the Lockdown Designer app.](../configure/mobile-lockdown-designer.md)
 
 ### Cortana at work
 
@@ -79,7 +82,7 @@ Using Azure AD also means that you can remove an employee’s profile (for examp
 
 MBR2GPT.EXE is a new command-line tool available in Windows 10 version 1703 and later versions. MBR2GPT converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS).
 
-The GPT partition format is newer and enables the use of larger and more disk partitions. It also provides added data reliability, supports additional partition types, and enables faster boot and shutdown speeds. If you convert the system disk on a computer from MBR to GPT, you must also configure the computer to boot in UEFI mode, so make sure that your device supports UEFI before attempting to convert the system disk. 
+The GPT partition format is newer and enables the use of larger and more disk partitions. It also provides added data reliability, supports additional partition types, and enables faster boot and shutdown speeds. If you convert the system disk on a computer from MBR to GPT, you must also configure the computer to boot in UEFI mode, so make sure that your device supports UEFI before attempting to convert the system disk.
 
 Additional security features of Windows 10 that are enabled when you boot in UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock.
 
@@ -87,7 +90,7 @@ For details, see [MBR2GPT.EXE](../deploy/mbr-to-gpt.md).
 
 ## Security
 
-### Windows Defender Advanced Threat Protection 
+### Windows Defender Advanced Threat Protection
 
 New features in Windows Defender Advanced Threat Protection (ATP) for Windows 10, version 1703 include:
 - **Detection**<br>
@@ -95,7 +98,7 @@ New features in Windows Defender Advanced Threat Protection (ATP) for Windows 10
   - [Use the threat intelligence API to create custom alerts](../keep-secure/use-custom-ti-windows-defender-advanced-threat-protection.md) - Understand threat intelligence concepts, enable the threat intel application, and create custom threat intelligence alerts for your organization.
   - Improvements on OS memory and kernel sensors to enable detection of attackers who are using in-memory and kernel-level attacks
   - Upgraded detections of ransomware and other advanced attacks
-  - Historical detection capability ensures new detection rules apply to up to six months of stored data to detect attacks that previously went unnoticed
+  - Historical detection capability ensures new detection rules apply to up to six months of stored data to detect previous attacks that might not have been noticed
 
 - **Investigation**<br>
   Enterprise customers can now take advantage of the entire Windows security stack with Windows Defender Antivirus detections and Device Guard blocks being surfaced in the Windows Defender ATP portal. Other capabilities have been added to help you gain a holistic view on investigations.
@@ -114,16 +117,10 @@ New features in Windows Defender Advanced Threat Protection (ATP) for Windows 10
 - **Other features**
   - [Check sensor health state](../keep-secure/check-sensor-status-windows-defender-advanced-threat-protection.md) - Check an endpoint's ability to provide sensor data and communicate with the Windows Defender ATP service and fix known issues.
 
- 
+You can read more about ransomware mitigations and detection capability in Windows Defender Advanced Threat Protection in the blog: [Averting ransomware epidemics in corporate networks with Windows Defender ATP](https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/).
 
 ### Windows Defender Antivirus
-New features for Windows Defender Antivirus (AV) in Windows 10, version 1703 include:
-
-- [Updates to how the Block at First Sight feature can be configured](../keep-secure/configure-block-at-first-sight-windows-defender-antivirus.md)
-- [The ability to specify the level of cloud-protection](../keep-secure/specify-cloud-protection-level-windows-defender-antivirus.md)
-- [Windows Defender Antivirus protection in the Windows Defender Security Center app](../keep-secure/windows-defender-security-center-antivirus.md)
-
-Windows Defender is now called Windows Defender Antivirus, and we've [increased the breadth of the documentation library for enterprise security admins](../keep-secure/windows-defender-antivirus-in-windows-10.md). 
+Windows Defender is now called Windows Defender Antivirus, and we've [increased the breadth of the documentation library for enterprise security admins](../keep-secure/windows-defender-antivirus-in-windows-10.md).
 
 The new library includes information on:
 - [Deploying and enabling AV protection](../keep-secure/deploy-windows-defender-antivirus.md)
@@ -136,15 +133,28 @@ Some of the highlights of the new library include:
 - [Evaluation guide for Windows Defender AV](../keep-secure/evaluate-windows-defender-antivirus.md)
 - [Deployment guide for Windows Defender AV in a virtual desktop infrastructure environment](../keep-secure/deployment-vdi-windows-defender-antivirus.md)
 
+New features for Windows Defender AV in Windows 10, version 1703 include:
+
+- [Updates to how the Block at First Sight feature can be configured](../keep-secure/configure-block-at-first-sight-windows-defender-antivirus.md)
+- [The ability to specify the level of cloud-protection](../keep-secure/specify-cloud-protection-level-windows-defender-antivirus.md)
+- [Windows Defender Antivirus protection in the Windows Defender Security Center app](../keep-secure/windows-defender-security-center-antivirus.md)
+
+In Windows 10, version 1607, we [invested heavily in helping to protect against ransomware](https://blogs.windows.com/business/2016/11/11/defending-against-ransomware-with-windows-10-anniversary-update/#UJlHc6SZ2Zm44jCt.97), and we continue that investment in version 1703 with [updated beahvior monitoring and always-on real-time protection](../keep-secure/configure-real-time-protection-windows-defender-antivirus.md).
+
+
+You can read more about ransomware mitigations and detection capability in Windows Defender AV in the [Ransomware Protection in Windows 10 Anniversary Update whitepaper (PDF)](http://wincom.blob.core.windows.net/documents/Ransomware_protection_in_Windows_10_Anniversary_Update.pdf) and at the [Microsoft Malware Protection Center blog](https://blogs.technet.microsoft.com/mmpc/category/research/ransomware/).
 
 ### Device Guard and Credential Guard
 
-Additional security qualifications for Device Guard and Credential Guard help protect vulnerabilities in UEFI runtime. 
+Additional security qualifications for Device Guard and Credential Guard help protect vulnerabilities in UEFI runtime.
 For more information, see [Device Guard Requirements](../keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md#device-guard-requirements-for-improved-security) and [Credential Guard Security Considerations](../keep-secure/credential-guard.md#security-considerations).
 
 ### Group Policy Security Options
 
-The security setting [**Interactive logon: Display user information when the session is locked**](../keep-secure/interactive-logon-display-user-information-when-the-session-is-locked.md) has been updated to work in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. 
+The security setting [**Interactive logon: Display user information when the session is locked**](../keep-secure/interactive-logon-display-user-information-when-the-session-is-locked.md) has been updated to work in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**.
+
+A new security policy setting
+[**Interactive logon: Don't display username at sign-in**](../keep-secure/interactive-logon-dont-display-username-at-sign-in.md) has been introduced in Windows 10 version 1703. This security policy setting determines whether the username is displayed during sign in. It works in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. The setting only affects the **Other user** tile.
 
 ## Update
 
@@ -152,13 +162,17 @@ The security setting [**Interactive logon: Display user information when the ses
 
 The pause feature has been changed, and now requires a start date to set up. Users are now able to pause through **Settings > Update & security > Windows Update > Advanced options** in case a policy has not been configured. We have also increased the pause limit on quality updates to 35 days. You can find more information on pause in [Pause Feature Updates](../update/waas-configure-wufb.md#pause-feature-updates) and [Pause Quality Updates](../update/waas-configure-wufb.md#pause-quality-updates).
 
-You are now able to defer feature update installation by up to 365 days. In settings, users are able to select their branch readiness level and update deferal periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](../update/waas-configure-wufb.md#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](../update/waas-configure-wufb.md#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](../update/waas-configure-wufb.md#configure-when-devices-receive-quality-updates) for details.
+Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferal periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](../update/waas-configure-wufb.md#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](../update/waas-configure-wufb.md#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](../update/waas-configure-wufb.md#configure-when-devices-receive-quality-updates) for details.
+
+### Windows Insider for Business
+
+We recently the option to download Windows 10 Insider Preview builds using your corporate credentials in Azure Active Directory (AAD). By enrolling devices in AAD, you increase the visibility of feedback submitted by users in your organization – especially on features that support your specific business needs. For details, see [Windows Insider Program for Business](waas-windows-insider-for-business.md).
 
 ### Optimize update delivery
 
 [Express updates](../update/waas-optimize-windows-10-updates.md#express-update-delivery) are now supported on System Center Configuration Manager, starting with version 1702 of Configuration Manager, in addition to current Express support on Windows Update, Windows Update for Business and WSUS.
 
-Delivery Optimization policies now enable you to configure additional restrictions to have more control in various scenarios. 
+Delivery Optimization policies now enable you to configure additional restrictions to have more control in various scenarios.
 
 Added policies include:
 - [Allow uploads while the device is on battery while under set Battery level](../update/waas-delivery-optimization.md#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level)
@@ -169,13 +183,17 @@ Added policies include:
 
 To check out all the details, see [Configure Delivery Optimization for Windows 10 updates](../update/waas-delivery-optimization.md)
 
+### Uninstalled in-box apps no longer automatically reinstall
+
+When upgrading to Windows 10, version 1703, in-box apps that were uninstalled by the user won't automatically reinstall as part of the feature update installation process.  (Apps de-provisioned by IT administrators will still be reinstalled.)
+
 ## Management
 
 ### New MDM capabilities
 
-Windows 10, version 1703 adds several new configuration service providers (CSPs) that provide new capabilities for managing Windows 10 devices using MDM. Some of the new CSPs are:
+Windows 10, version 1703 adds several new [configuration service providers (CSPs)](../configure/how-it-pros-can-use-configuration-service-providers.md) that provide new capabilities for managing Windows 10 devices using MDM or provisioning packages. Some of the new CSPs are:
 
-- The [DynamicManagement CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/dynamicmanagement-csp) allows you to manage devices differently depending on location, network, or time. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country to avoid roaming charges, or the wireless network can be disabled when the device is not within the corporate building or campus. Once configured, these settings will be enforced even if the device can’t reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs. 
+- The [DynamicManagement CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/dynamicmanagement-csp) allows you to manage devices differently depending on location, network, or time. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country to avoid roaming charges, or the wireless network can be disabled when the device is not within the corporate building or campus. Once configured, these settings will be enforced even if the device can’t reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs.
 
 - The [CleanPC CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/cleanpc-csp) allows removal of user-installed and pre-installed applications, with the option to persist user data.
 
@@ -183,8 +201,18 @@ Windows 10, version 1703 adds several new configuration service providers (CSPs)
 
 - The [NetworkProxy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkproxy-csp) is used to configure a proxy server for ethernet and Wi-Fi connections.
 
+- The [Office CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/office-csp) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool. For more information, see [Configuration options for the Office Deployment Tool](https://technet.microsoft.com/library/jj219426.aspx).
+
+- The [EnterpriseAppVManagement CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterpriseappvmanagement-csp) is used to manage virtual applications in Windows 10 PCs (Enterprise and Education editions) and enables App-V sequenced apps to be streamed to PCs even when managed by MDM. 
+
 [Learn more about new MDM capabilities.](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/new-in-windows-mdm-enrollment-management#whatsnew10)
 
+### Mobile application management support for Windows 10
+
+The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. MAM support is built into Windows on top of Windows Information Protection (WIP), starting in Windows 10, version 1703.
+
+For more info, see [Implement server-side support for mobile application management on Windows](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/implement-server-side-mobile-application-management).
+
 
 
 ### Application Virtualization for Windows (App-V)
@@ -196,12 +224,38 @@ For more info, see the following topics:
 - [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](../manage/appv-auto-batch-updating.md)
 - [Automatically cleanup unpublished packages on the App-V client](../manage/appv-auto-clean-unpublished-packages.md)
 
+## Windows 10 Mobile enhancements
+
+### Lockdown Designer
+
+The Lockdown Designer app helps you configure and create a lockdown XML file to apply to devices running Windows 10 Mobile, and includes a remote simulation to help you determine the layout for tiles on the Start screen. Using Lockdown Designer is easier than [manually creating a lockdown XML file](../configure/lockdown-xml.md).
+
+![Lockdown Designer app in Store](images/ldstore.png)
+
+[Learn more about the Lockdown Designer app.](../configure/mobile-lockdown-designer.md)
+
+### Other enhancements
+
+Windows 10 Mobile, version 1703 also includes the following enhancements:
+
+- SD card encryption
+- Remote PIN resets for Azure Active Directory accounts
+- SMS text message archiving
+- WiFi Direct management
+- OTC update tool
+- Continuum display management
+   - Individually turn off the monitor or phone screen when not in use
+   - Indivudally adjust screen time-out settings
+- Continuum docking solutions
+   - Set Ethernet port properties
+   - Set proxy properties for the Ethernet port
+
 ## New features in related products
 The following new features aren't part of Windows 10, but help you make the most of it.
 
 ### Upgrade Readiness
 
-Upgrade Readiness helps you ensure that applications and drivers are ready for a Windows 10 upgrade. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details. The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017. 
+Upgrade Readiness helps you ensure that applications and drivers are ready for a Windows 10 upgrade. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details. The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017.
 
 The development of Upgrade Readiness has been heavily influenced by input from the community the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled.  
 
@@ -215,10 +269,6 @@ For more information about Upgrade Readiness, see the following topics:
 
 Update Compliance helps you to keep Windows 10 devices in your organization secure and up-to-date.
 
-Update Compliance is a solution built using OMS Logs and Analytics that provides information about installation status of monthly quality and feature updates. Details are provided about the deployment progress of existing updates and the status of future updates. Information is also provided about devices that might need attention to resolve issues.
+Update Compliance is a solution built using OMS Log Analytics that provides information about installation status of monthly quality and feature updates. Details are provided about the deployment progress of existing updates and the status of future updates. Information is also provided about devices that might need attention to resolve issues.
 
 For more information about Update Compliance, see [Monitor Windows Updates with Update Compliance](../manage/update-compliance-monitor.md).
-
-### Enhanced Mobile Device Management (MDM) support
-
-Mobile device management (MDM) has new configuration service providers (CSPs) that can be called from code to manage Windows 10 devices. For more info, see [What's new in MDM in Windows 10, version 1703](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/new-in-windows-mdm-enrollment-management#whatsnew10).