Merge branch 'master' of https://cpubwin.visualstudio.com/_git/it-client

devices/hololens/hololens-encryption.md

@@ -8,12 +8,12 @@ author: jdeckerms
 ms.author: jdecker
 ms.topic: article
 ms.localizationpriority: medium
-ms.date: 12/20/2017
+ms.date: 01/26/2019
 ---
 
 # Enable encryption for HoloLens
 
-You can enable [Bitlocker device encryption](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-overview) to protect files and information stored on the HoloLens. Device encryption helps protect your data by encrypting it using AES-CBC 128 encryption method, which is equivalent to [EncryptionMethodByDriveType method 3](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp#encryptionmethodbydrivetype) in the BitLocker configuration service provider (CSP). Only someone with the right encryption key (such as a password) can decrypt it or perform a data recovery.
+You can enable [BitLocker device encryption](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) to protect files and information stored on the HoloLens. Device encryption helps protect your data by encrypting it using AES-CBC 128 encryption method, which is equivalent to [EncryptionMethodByDriveType method 3](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp#encryptionmethodbydrivetype) in the BitLocker configuration service provider (CSP). Only someone with the right encryption key (such as a password) can decrypt it or perform a data recovery.
 
 
 
@@ -100,6 +100,6 @@ Provisioning packages are files created by the Windows Configuration Designer to
 
 Encryption is silent on HoloLens. To verify the device encryption status:
  
--	On HoloLens, go to **Settings** > **System** > **About**. **Bitlocker** is **enabled** if the device is encrypted. 
+-	On HoloLens, go to **Settings** > **System** > **About**. **BitLocker** is **enabled** if the device is encrypted. 
 
-![About screen showing Bitlocker enabled](images/about-encryption.png)
+![About screen showing BitLocker enabled](images/about-encryption.png)

devices/hololens/hololens-provisioning.md

@@ -72,7 +72,7 @@ Use the Windows Configuration Designer tool to create a provisioning package.
 
 
 <table>
-<tr><td style="width:45%" valign="top"><a id="one"></a>![step one](images/one.png)![set up device](images/set-up-device.png)</br></br>Browse to and select the enterprise license file to upgrade the HoloLens edition.</br></br>You can also toggle **Yes** or **No** to hide parts of the first experience.</br></br>To setup the device without the need to connect to a Wi-Fi network, toggle **Skip Wi-Fi setup** to **On**.</br></br>Select a region and timezone in which the device will be used. </td><td>![Select enterprise licence file and configure OOBE](images/set-up-device-details.png)</td></tr>
+<tr><td style="width:45%" valign="top"><a id="one"></a>![step one](images/one.png)![set up device](images/set-up-device.png)</br></br>Browse to and select the enterprise license file to upgrade the HoloLens edition.</br></br>You can also toggle **Yes** or **No** to hide parts of the first experience.</br></br>To set up the device without the need to connect to a Wi-Fi network, toggle **Skip Wi-Fi setup** to **On**.</br></br>Select a region and timezone in which the device will be used. </td><td>![Select enterprise licence file and configure OOBE](images/set-up-device-details.png)</td></tr>
 <tr><td style="width:45%" valign="top"><a id="two"></a>![step two](images/two.png)  ![set up network](images/set-up-network.png)</br></br>In this section, you can enter the details of the Wi-Fi wireless network that the device should connect to automatically. To do this, select **On**, enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.</td><td>![Enter network SSID and type](images/set-up-network-details-desktop.png)</td></tr>
 <tr><td style="width:45%" valign="top"><a id="three"></a>![step three](images/three.png)  ![account management](images/account-management.png)</br></br>You can enroll the device in Azure Active Directory, or create a local account on the device</br></br>Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions. </br></br>To create a local account, select that option and enter a user name and password. </br></br>**Important:** (For Windows 10, version 1607 only) If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in.  </td><td>![join  Azure AD or create a local  account](images/account-management-details.png)</td></tr>
 <tr><td style="width:45%" valign="top"><a id="four"></a>![step four](images/four.png) ![add certificates](images/add-certificates.png)</br></br>To provision the device with a certificate, click **Add a certificate**. Enter a name for the certificate, and then browse to and select the certificate to be used.</td><td>![add a certificate](images/add-certificates-details.png)</td></tr> 

devices/surface/microsoft-surface-brightness-control.md

@@ -49,12 +49,12 @@ documentation](https://docs.microsoft.com/windows/desktop/sysinfo/registry).
 
 | Registry Setting | Data| Description  
 |-----------|------------|---------------
-| Brightness Control Enabled  |  Default: 01  <br> Option: 01, 00 |  This setting allows you to turn Surface Brightness Control on or off. To disable Surface Brightness Control, set the value to 00. If you do not configure this setting, Surface Brightness Control is on. |
-| Brightness Control On Power Enabled| Default: 01 <br> Options: 01, 00 | This setting allows you to turn off Surface Brightness Control when the device is directly connected to power. To disable Surface Brightness Control when power is plugged in, set the value to 00. If you do not configure this setting, Surface Brightness Control is on. |
-| Dimmed Brightness   | Default: 20  <br>Option: Range of 0-100 percent of screen brightness <br> Data Type: Positive integer | This setting allows you to manage brightness range during periods of inactivity. If you do not configure this setting, the brightness level will drop to 20 percent of full brightness after 30 seconds of inactivity. |
-Full Brightness   | Default: 100  <br>Option: Range of 0-100 percent of screen brightness <br> Data Type: Positive integer | This setting allows you to manage the maximum brightness range for the device. If you do not configure this setting, the maximum brightness range is 100 percent.|  
-| Inactivity Timeout| Default: 30 seconds <br>Option: Any numeric value  <br>Data Type: Integer  | This setting allows you to manage the period of inactivity before dimming the device. If you do not configure this setting, the inactivity timeout is 30 seconds.|
-| Telemetry  Enabled | Default: 01 <br>Option: 01, 00  | This setting allows you to manage the sharing of app usage information to improve software and provide better user experience. To disable telemetry, set the value to 00. If you do not configure this setting, telemetry information is shared with Microsoft in accordance with the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement). |
+| Brightness Control Enabled  |  Default: 01  <br> Option: 01, 00 <br> Type: REG_BINARY |  This setting allows you to turn Surface Brightness Control on or off. To disable Surface Brightness Control, set the value to 00. If you do not configure this setting, Surface Brightness Control is on. |
+| Brightness Control On Power Enabled| Default: 01 <br> Options: 01, 00 <br> Type: REG_BINARY | This setting allows you to turn off Surface Brightness Control when the device is directly connected to power. To disable Surface Brightness Control when power is plugged in, set the value to 00. If you do not configure this setting, Surface Brightness Control is on. |
+| Dimmed Brightness   | Default: 20  <br>Option: Range of 0-100 percent of screen brightness <br> Data Type: Positive integer <br> Type: REG_DWORD | This setting allows you to manage brightness range during periods of inactivity. If you do not configure this setting, the brightness level will drop to 20 percent of full brightness after 30 seconds of inactivity. |
+Full Brightness   | Default: 100  <br>Option: Range of 0-100 percent of screen brightness <br> Data Type: Positive integer <br> Type: REG_DWORD  | This setting allows you to manage the maximum brightness range for the device. If you do not configure this setting, the maximum brightness range is 100 percent.|  
+| Inactivity Timeout| Default: 30 seconds <br>Option: Any numeric value  <br>Data Type: Integer  <br> Type: REG_DWORD | This setting allows you to manage the period of inactivity before dimming the device. If you do not configure this setting, the inactivity timeout is 30 seconds.|
+| Telemetry  Enabled | Default: 01 <br>Option: 01, 00 <br> Type: REG_BINARY  | This setting allows you to manage the sharing of app usage information to improve software and provide better user experience. To disable telemetry, set the value to 00. If you do not configure this setting, telemetry information is shared with Microsoft in accordance with the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement). |
 
 
 

mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md

@@ -14,7 +14,7 @@ ms.date: 07/25/2017
 # Deploying Microsoft Office 2016 by Using App-V
 
 
-Use the information in this article to use Microsoft Application Virtualization 5.0, or later versions, to deliver Microsoft Office 2016 as a virtualized application to computers in your organization. For information about using App-V to deliver Office 2010, see [Deploying Microsoft Office 2013 by Using App-V](deploying-microsoft-office-2013-by-using-app-v.md). For information about using App-V to deliver Office 2010, see [Deploying Microsoft Office 2010 by Using App-V](deploying-microsoft-office-2010-by-using-app-v.md).
+Use the information in this article to use Microsoft Application Virtualization 5.0, or later versions, to deliver Microsoft Office 2016 as a virtualized application to computers in your organization. For information about using App-V to deliver Office 2013, see [Deploying Microsoft Office 2013 by Using App-V](deploying-microsoft-office-2013-by-using-app-v.md). For information about using App-V to deliver Office 2010, see [Deploying Microsoft Office 2010 by Using App-V](deploying-microsoft-office-2010-by-using-app-v.md).
 
 This topic contains the following sections:
 

windows/application-management/app-v/appv-application-publishing-and-client-interaction.md

@@ -309,7 +309,7 @@ The following table shows local and roaming locations when folder redirection ha
 The current App-V Client VFS driver can't write to network locations, so the App-V Client detects the presence of folder redirection and copies the data on the local drive during publishing and when the virtual environment starts. After the user closes the App-V application and the App-V Client closes the virtual environment, the local storage of the VFS AppData is copied back to the network, enabling roaming to additional machines, where the process will be repeated. Here's what happens during the process:
 
 1. During publishing or virtual environment startup, the App-V Client detects the location of the AppData directory.
-2. If the roaming AppData path is local or ino AppData\\Roaming location is mapped, nothing happens.
+2. If the roaming AppData path is local or no AppData\\Roaming location is mapped, nothing happens.
 3. If the roaming AppData path is not local, the VFS AppData directory is mapped to the local AppData directory.
 
 This process solves the problem of a non-local %AppData% that is not supported by the App-V Client VFS driver. However, the data stored in this new location is not roamed with folder redirection. All changes during the running of the application happen to the local AppData location and must be copied to the redirected location. The process does the following things:
@@ -399,7 +399,7 @@ The process then configures the client for package or connection group additions
 
     7. Create the **Registry.dat** file from the package store to **%ProgramData%\\Microsoft\\AppV\\Client\\VReg\\{VersionGUID}.dat**.
 
-    8. Register the package with the App-V Kernal Mode Driver at **HKLM\\Microsoft\\Software\\AppV\\MAV**.
+    8. Register the package with the App-V Kernel Mode Driver at **HKLM\\Microsoft\\Software\\AppV\\MAV**.
 
     9. Invoke scripting from the **AppxManifest.xml** or **DeploymentConfig.xml** file for Package Add timing.
 

windows/application-management/app-v/appv-auto-batch-updating.md

@@ -80,7 +80,7 @@ Updating multiple apps at the same time requires that you create a **ConfigFile*
 
 ## Update multiple apps with the App-V Sequencer interface
 
-Updating multipe apps at the same time requires that you create a **ConfigFile** to collect all of the info related to each round of updating. This file is then used by the App-V Sequencer interface after creating a "clean" checkpoint on your VM.
+Updating multiple apps at the same time requires that you create a **ConfigFile** to collect all of the info related to each round of updating. This file is then used by the App-V Sequencer interface after creating a "clean" checkpoint on your VM.
 
 ### Create your ConfigFile for use by the App-V Sequencer interface
 
@@ -93,7 +93,7 @@ Updating multipe apps at the same time requires that you create a **ConfigFile**
     - ```<Installer>```. The file name for the app executable. This will typically be an .exe or .msi file.
     - ```<Package>```. The file path to the location of your App-V packages. These packages were created when you sequenced your apps.
     - ```<TimeoutInMinutes>```. The maximum amount of time, in minutes, the cmdlet should wait for updating to complete. You can enter a different value for each app, based on the size and complexity of the app itself.
-    - ```<Cmdlet>```. Determines whether the sequencer uses the cmdlet or the App-V Sequencer interface. **True** tells the sequencer to usea cmdlet-based updating, while **False** tells the sequencer to use the App-V Sequencer interface. You can use both the cmdlet and the interface together in the same ConfigFile, for different apps.
+    - ```<Cmdlet>```. Determines whether the sequencer uses the cmdlet or the App-V Sequencer interface. **True** tells the sequencer to use cmdlet-based updating, while **False** tells the sequencer to use the App-V Sequencer interface. You can use both the cmdlet and the interface together in the same ConfigFile, for different apps.
     - ```<Enabled>```. Indicates whether the app should be sequenced. **True** includes the app, while **False** ignores it. You can include as many apps as you want in the batch file, but optionally enable only a few of them.
 
         **Example:**

windows/application-management/app-v/appv-capacity-planning.md

@@ -182,7 +182,7 @@ Discounting scaling and fault-tolerance requirements, the minimum number of serv
 
 Ignoring scaling requirements, the minimum number of servers that a fault-tolerant implementation needs to function is four. The management server and Microsoft SQL Server roles support placement in fault-tolerant configurations. The management server service can be combined with any of the roles, but remains a single point of failure.
 
-Although there are many fault-tolerance strategies and technologies you can use, not all are applicable to a given service. Additionally, if App-V roles are combined, the resulting incompatabilities could cause certain fault-tolerance options to stop working.
+Although there are many fault-tolerance strategies and technologies you can use, not all are applicable to a given service. Additionally, if App-V roles are combined, the resulting incompatibilities could cause certain fault-tolerance options to stop working.
 
 ## Have a suggestion for App-V?
 

windows/application-management/app-v/appv-client-configuration-settings.md

@@ -14,7 +14,7 @@ ms.date: 04/18/2018
 
 The Microsoft Application Virtualization (App-V) client stores its configuration in the registry. Understanding how the register's format for data works can help you better understand the client, as you can configure many client actions by changing registry entries. This topic lists the App-V client configuration settings and explains their uses. You can use Windows PowerShell to modify the client configuration settings. For more information about using Windows PowerShell and App-V see [Administering App-V by using Windows PowerShell](appv-administering-appv-with-powershell.md).
 
-You can use Group Policy to configure App-V client settings by navigating to the **Group Policy managment console** at **Computer Configuration** > **Administrative Templates** > **System** > **App-V**.
+You can use Group Policy to configure App-V client settings by navigating to the **Group Policy management console** at **Computer Configuration** > **Administrative Templates** > **System** > **App-V**.
 
 ## App-V Client Configuration Settings: Windows PowerShell
 

windows/application-management/app-v/appv-connection-group-file.md

@@ -95,7 +95,7 @@ You can use the connection group file to configure each connection group by usin
 
 The priority field is required when a running virtual application initiates from a native application request, such as Microsoft Windows Explorer. The App-V client uses the priority to determine which connection group virtual environment the application should run in. This situation occurs if a virtual application is part of multiple connection groups.
 
-If a virtual application is opened using another virtual application, the client will use the orignal virtual application's virtual environment. The priority field is not used in this case.
+If a virtual application is opened using another virtual application, the client will use the original virtual application's virtual environment. The priority field is not used in this case.
 
 The following is an example of priority configuration:
 

windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md

@@ -24,7 +24,7 @@ Here are some important things to know before you get started:
 - If you add user-published packages in globally entitled connection groups, the connection group will fail.
 - Track the connection groups where you've used a non-optional package before removing it with the **Unpublish-AppvClientPackage <</span>package> -global** cmdlet.
       
-    In situations where you have a gobally published package that's listed as non-optional in a user-published connection group that also appears in other packages, running **Unpublish-AppvClientPackage <</span>package> -global** cmdlet can unpublish the package from every connection group containing that package. Tracking connection groups can help you avoid unintentionally unpublishing non-optional packages.
+    In situations where you have a globally published package that's listed as non-optional in a user-published connection group that also appears in other packages, running **Unpublish-AppvClientPackage <</span>package> -global** cmdlet can unpublish the package from every connection group containing that package. Tracking connection groups can help you avoid unintentionally unpublishing non-optional packages.
 
 ## How to use Windows PowerShell cmdlets to create user-entitled connection groups
 

windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md

@@ -413,12 +413,11 @@ To use a custom instance of Microsoft SQL Server, use these parameters:
 ### Example for using a custom instance of Microsoft SQL Server for installing the Reporting database on a different computer than the Reporting server
 
 ```SQL
-Using a custom instance of Microsoft SQL Server example:<br>
-/appv_server_setup.exe /QUIET<br>
-/DB_PREDEPLOY_REPORTING<br>
-/REPORTING_DB_CUSTOM_SQLINSTANCE="SqlInstanceName"<br>
-/REPORTING_DB_NAME="AppVReporting"<br>
-/REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT="Domain\MachineAccount"<br>
+/appv_server_setup.exe /QUIET
+/DB_PREDEPLOY_REPORTING
+/REPORTING_DB_CUSTOM_SQLINSTANCE="SqlInstanceName"
+/REPORTING_DB_NAME="AppVReporting"
+/REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT="Domain\MachineAccount"
 /REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT="Domain\InstallAdminAccount"
 ```
 

windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md

@@ -255,7 +255,7 @@ Deploy the App-V package for Office 2013 by using the same methods you use for a
 
 ### How to publish an Office package
 
-Run the following command to publish an Office package globally, wtih the bracketed value replaced by the path to the App-V package:
+Run the following command to publish an Office package globally, with the bracketed value replaced by the path to the App-V package:
 
 ```PowerShell
 Add-AppvClientPackage <Path_to_AppV_Package> | Publish-AppvClientPackage –global

windows/application-management/app-v/appv-deployment-checklist.md

@@ -12,7 +12,7 @@ ms.date: 04/18/2018
 
 >Applies to: Windows 10, version 1607
 
-This checklist outlines the recommended steps and items to consider when deploying App-V features. Use it to organize your priorites while you deploy App-V. You can copy this checklist into a spreadsheet program and customize it for your use.
+This checklist outlines the recommended steps and items to consider when deploying App-V features. Use it to organize your priorities while you deploy App-V. You can copy this checklist into a spreadsheet program and customize it for your use.
 
 |Status|Task|References|Notes|
 |---|---|---|---|

windows/application-management/app-v/appv-dynamic-configuration.md

@@ -186,7 +186,7 @@ All shortcuts in the manifest will be ignored and no shortcuts will be integrate
     </Shortcuts>
 ```
 
-**File Type Associations**: Associates file types with programs to open by default as well as setup the context menu. (MIME types can also be set up with this susbsystem). The following is an example of a FileType association:
+**File Type Associations**: Associates file types with programs to open by default as well as setup the context menu. (MIME types can also be set up with this subsystem). The following is an example of a FileType association:
 
 ```xml
     <FileTypeAssociations Enabled="true">
@@ -252,7 +252,7 @@ All shortcuts in the manifest will be ignored and no shortcuts will be integrate
       </FileTypeAssociations>
 ```
 
-**URL Protocols**: This controls the URL Protocols integrated into the local registry of the client machine. The following example illustrates the “mailto:” ptrotocol.
+**URL Protocols**: This controls the URL Protocols integrated into the local registry of the client machine. The following example illustrates the “mailto:” protocol.
 
 ```xml
     <URLProtocols Enabled="true">

windows/application-management/app-v/appv-performance-guidance.md

@@ -587,7 +587,7 @@ If, during sequencer monitoring, an SxS Assembly (such as a VC++ Runtime) is ins
 
 **Client Side**:
 
-When publishing a virtual application package, the App-V Client will detect if a required SxS dependency is already installed. If the dependency is unavailable on the computer and it is included in the package, a traditional Windows Insataller (.**msi**) installation of the SxS assembly will be initiated. As previously documented, simply install the dependency on the computer running the client to ensure that the Windows Installer (.msi) installation will not occur.
+When publishing a virtual application package, the App-V Client will detect if a required SxS dependency is already installed. If the dependency is unavailable on the computer and it is included in the package, a traditional Windows Installer (.**msi**) installation of the SxS assembly will be initiated. As previously documented, simply install the dependency on the computer running the client to ensure that the Windows Installer (.msi) installation will not occur.
 
 <table>
 <colgroup>
@@ -618,7 +618,7 @@ When publishing a virtual application package, the App-V Client will detect if a
 
  
 
-### Disabling a Dynamic Configuration by using Windows Powershell
+### Disabling a Dynamic Configuration by using Windows PowerShell
 
 -   For already published packages, you can use `Set-AppVClientPackage –Name Myapp –Path c:\Packages\Apps\MyApp.appv` without
 
@@ -725,7 +725,7 @@ The following terms are used when describing concepts and actions related to App
 
     -   From the point that users initiate a log-in to when they are able to manipulate the desktop.
 
-    -   From the point where the desktop can be interacted with to the point a publishing refresh begins (in Windows PowerShell terms, sync) when using the App-V full server infrastructure. In standalone instances, it is when the **Add-AppVClientPackage** and **Publish-AppVClientPackage** Windows Powershell commands are initiated.
+    -   From the point where the desktop can be interacted with to the point a publishing refresh begins (in Windows PowerShell terms, sync) when using the App-V full server infrastructure. In standalone instances, it is when the **Add-AppVClientPackage** and **Publish-AppVClientPackage** Windows PowerShell commands are initiated.
 
     -   From start to completion of the publishing refresh. In standalone instances, this is the first to last virtual application published.
 

windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md

@@ -37,7 +37,7 @@ For more information, see [Application publishing and client interaction](appv-a
 
 ## Unsupported scenarios for App-V folder redirection
 
-The following scenatios aren't supported by App-V:
+The following scenarios aren't supported by App-V:
 
 * Configuring %LocalAppData% as a network drive.
 * Redirecting the Start menu to a single folder for multiple users.

windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md

@@ -77,7 +77,7 @@ The connection string on the management server can be modified to include ```fai
 Use the following steps to modify the connection string to include ```failover partner = <server2>```:
 
 >[!IMPORTANT]
->This process involves changing the Windows registry with Registry Editor. If you change the Windows registry incorrectly, you can cause serious problems that might require you to reinstall Windows. Always make a backup copy of the registry files (**System.dat** and **User.dat**) before chagning the registry. Microsoft can't guarantee that problems caused by changing the registry can be resolved, so change the registry at your own risk.
+>This process involves changing the Windows registry with Registry Editor. If you change the Windows registry incorrectly, you can cause serious problems that might require you to reinstall Windows. Always make a backup copy of the registry files (**System.dat** and **User.dat**) before changing the registry. Microsoft can't guarantee that problems caused by changing the registry can be resolved, so change the registry at your own risk.
 
 1. Log in to the management server and open **regedit**.
 2. Navigate to **HKEY\_LOCAL\_MACHINE** \\ **Software** \\ **Microsoft** \\ **AppV** \\ **Server** \\ **ManagementService**.

windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md

@@ -30,7 +30,7 @@ Ideally, you should install the sequencer on a computer running as a virtual mac
 3. Take a “snapshot” of the environment.
 
 >[!IMPORTANT]
->Your corporate security team should review and approve the sequencing process plan before implementing it. For security reasons, it's a good idea to keep sequencer operations in a lab separate from the production environment. The sequencing computers must be capapble of connecting to the corporate network to copy finished packages to the production servers. However, because the sequencing computers are typically operated without antivirus protection, they shouldn't remail on the corporate network unprotected. You can protect your sequencing computers by operating them on an isolated network, behind a firewall, or by using virtual machines on an isolated virtual network. Make sure your solution follows your company's corporate security policies.
+>Your corporate security team should review and approve the sequencing process plan before implementing it. For security reasons, it's a good idea to keep sequencer operations in a lab separate from the production environment. The sequencing computers must be capable of connecting to the corporate network to copy finished packages to the production servers. However, because the sequencing computers are typically operated without antivirus protection, they shouldn't remain on the corporate network unprotected. You can protect your sequencing computers by operating them on an isolated network, behind a firewall, or by using virtual machines on an isolated virtual network. Make sure your solution follows your company's corporate security policies.
 
 ## Planning for App-V client deployment
 

windows/application-management/app-v/appv-planning-for-using-appv-with-office.md

@@ -26,7 +26,7 @@ You can use the App-V Sequencer to create plug-in packages for language packs, l
 For a list of supported Office products, see [Microsoft Office Product IDs that App-V supports](https://support.microsoft.com/help/2842297/product-ids-that-are-supported-by-the-office-deployment-tool-for-click).
 
 >[!NOTE]
->You must use the Office Deployment Tool instead of the App-V Sequencer to create App-V packages for Office 365 ProPlus. App-V does not support package creation for volume-licensed versions of Office Professional Plus or Office Standard. Support for the [Office 2013 version of Office 365 ended in Februrary 2017](https://support.microsoft.com/kb/3199744).
+>You must use the Office Deployment Tool instead of the App-V Sequencer to create App-V packages for Office 365 ProPlus. App-V does not support package creation for volume-licensed versions of Office Professional Plus or Office Standard. Support for the [Office 2013 version of Office 365 ended in February 2017](https://support.microsoft.com/kb/3199744).
 
 ## Using App-V with coexisting versions of Office
 
@@ -90,7 +90,7 @@ To bypass the auto-registration operation for native Word 2010, follow these ste
 
     * In Windows 8.1 or Windows 10, enter **regedit**, select **Enter** on the Start page, then select the Enter key.
 
-    If you're prompted for an administrator password, enter the password. If you're propmted for a confirmation, select **Continue**.
+    If you're prompted for an administrator password, enter the password. If you're prompted for a confirmation, select **Continue**.
 3. Locate and then select the following registry subkey:
 
     ``` syntax

windows/application-management/app-v/appv-security-considerations.md

@@ -60,7 +60,7 @@ Consider the following additional information:
 
 The following will help you plan how to ensure that virtualized packages are secure.
 
-* If an application installer applies an access control list (ACL) to a file or directory, then that ACL is not persisted in the package. If thje file or directory is modified by a user when the package is deployed, the modified file or directory will either inherit the ACL in the **%userprofile%** or inherit the ACL of the target computer’s directory. The former occurs if the file or directory does not exist in a virtual file system location; the latter occurs if the file or directory exists in a virtual file system location, such as **%windir%**.
+* If an application installer applies an access control list (ACL) to a file or directory, then that ACL is not persisted in the package. If the file or directory is modified by a user when the package is deployed, the modified file or directory will either inherit the ACL in the **%userprofile%** or inherit the ACL of the target computer’s directory. The former occurs if the file or directory does not exist in a virtual file system location; the latter occurs if the file or directory exists in a virtual file system location, such as **%windir%**.
 
 ## App-V log files
 

windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md

@@ -84,7 +84,7 @@ In your publishing metadata query, enter the string values that correspond to th
 <tr class="header">
 <th align="left">Operating system</th>
 <th align="left">Architecture</th>
-<th align="left">Operating string string value</th>
+<th align="left">String value</th>
 </tr>
 </thead>
 <tbody>

windows/application-management/deploy-app-upgrades-windows-10-mobile.md

@@ -20,7 +20,7 @@ There are two steps to deploy an app upgrade:
 1. [Define the supersedence](#define-app-supersedence) - this lets Configuration Manager know that the old version should be replaced by the new version.
 2. [Deploy the upgrade](#deploy-the-app-upgrade) to your users.
 
-The following steps walk you through the upgrade deployment process - we have an upgraded version of the Walking Scorer app (moving from version 12.23.2.0 to 12.23.3.0). Becasuse we previously used Configuration Manager to deploy the existing version, we'll use it now to upgrade the app. 
+The following steps walk you through the upgrade deployment process - we have an upgraded version of the Walking Scorer app (moving from version 12.23.2.0 to 12.23.3.0). Because we previously used Configuration Manager to deploy the existing version, we'll use it now to upgrade the app. 
 
 Before you can deploy the upgrade, make sure you import the new version of the app and distribute it to your manage.microsoft.com distribution point.
 
@@ -42,7 +42,7 @@ Before you can deploy the upgrade, make sure you import the new version of the a
    > Do **NOT** select **Uninstall**. This tells Configuration Manager to uninstall the old version, but it does **NOT** then install the new version.
 
 6. Click **OK**.
-7. If you have other versions of the same app, repeate steps 4-6 for each version. Click **OK** when you're done.
+7. If you have other versions of the same app, repeat steps 4-6 for each version. Click **OK** when you're done.
 
 > [!NOTE]
 > Need to remove a supersedence? (Maybe the new version turned out to be flaky and you don't want users to get it yet.) On the **Supersedence** tab for the *new* version of the app, double-click the older version in the list of supersedence rules, and then change the **New Deployment Type** to **Do not replace**.

windows/application-management/msix-app-packaging-tool.md

@@ -15,7 +15,7 @@ ms.date: 12/03/2018
 
 MSIX is a packaging format built to be safe, secure and reliable, based on a combination of .msi, .appx, App-V and ClickOnce installation technologies. You can [use the MSIX packaging tool](https://docs.microsoft.com/windows/msix/packaging-tool/create-app-package-msi-vm) to repackage your existing Win32 applications to the MSIX format. 
 
-You can either run your installer interactivly (through the UI) or create a package from the command line. Either way, you can convert an application without having the source code. Then, you can make your app available through the Microsoft Store.
+You can either run your installer interactively (through the UI) or create a package from the command line. Either way, you can convert an application without having the source code. Then, you can make your app available through the Microsoft Store.
 
 - [Package your favorite application installer](https://docs.microsoft.com/windows/msix/packaging-tool/create-app-package-msi-vm) interactively (msi, exe, App-V 5.x and ClickOnce) in MSIX format. 
 - Create a [modification package](https://docs.microsoft.com/windows/msix/packaging-tool/package-editor) to update an existing MSIX package.

windows/application-management/svchost-service-refactoring.md

@@ -68,7 +68,7 @@ For example, this is the registry key configuration for BFE:
 
 ## Memory footprint
 
-Be aware that separating services increases the total number of SvcHost instances, which increases memory utlization. (Service grouping provided a modest reduction to the overall resource footprint of the services involved.) 
+Be aware that separating services increases the total number of SvcHost instances, which increases memory utilization. (Service grouping provided a modest reduction to the overall resource footprint of the services involved.) 
 
 Consider the following:
 

windows/client-management/data-collection-for-802-authentication.md

@@ -39,9 +39,10 @@ Use the following steps to collect wireless and wired logs on Windows and Window
    netsh trace start scenario=lan globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%_wired_cli.etl
    ```
  
-3. Run the following command to enable CAPI2 logging:
+3. Run the following command to enable CAPI2 logging and increase the size :
    ```
    wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true
+   wevtutil sl Microsoft-Windows-CAPI2/Operational /ms:104857600
    ```
  
 4. Create C:\MSLOG on the NPS to store captured logs.
@@ -66,9 +67,10 @@ Use the following steps to collect wireless and wired logs on Windows and Window
    netsh trace start scenario=lan globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%_wired_nps.etl
    ```
  
-6. Run the following command to enable CAPI2 logging:
+6. Run the following command to enable CAPI2 logging and increase the size :
    ```
     wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true
+    wevtutil sl Microsoft-Windows-CAPI2/Operational /ms:104857600
   ```
 7. Run the following command from the command prompt on the client machine and start PSR to capture screen images:
  
@@ -363,7 +365,7 @@ Use the following steps to collect wireless and wired logs on Windows and Window
    reg save HKLM\System\CurrentControlSet\Services\CertSvc c:\MSLOG\%COMPUTERNAME%_CertSvc.hiv
    reg export HKLM\System\CurrentControlSet\Services\CertSvc c:\MSLOG\%COMPUTERNAME%_CertSvc.txt
    reg save HKLM\SOFTWARE\Microsoft\Cryptography c:\MSLOG\%COMPUTERNAME%_Cryptography.hiv
-   reg export HKLM\SOFTWARE\Microsoft\Cryptography c:\MSLOG\%COMPUTERNAME%_Cryptography.tx
+   reg export HKLM\SOFTWARE\Microsoft\Cryptography c:\MSLOG\%COMPUTERNAME%_Cryptography.txt
    ```
 3. Copy the following files, if exist, to C:\MSLOG: %windir%\CAPolicy.inf
 4. Log on to a domain controller and create C:\MSLOG to store captured logs.

windows/client-management/mdm/index.md

@@ -10,7 +10,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: jdeckerms
-ms.date: 10/09/2018
+ms.date: 01/25/2019
 ---
 
 # Mobile device management

windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md

@@ -22,32 +22,50 @@ For details about Microsoft mobile device management protocols for Windows 10 s
 
 ## In this section
 
--   [What's new in Windows 10, version 1511](#whatsnew)
--   [What's new in Windows 10, version 1607](#whatsnew1607)
--   [What's new in Windows 10, version 1703](#whatsnew10)
--   [What's new in Windows 10, version 1709](#whatsnew1709)
--   [What's new in Windows 10, version 1803](#whatsnew1803)
--   [What's new in Windows 10, version 1809](#whatsnew1809)
--   [Change history in MDM documentation](#change-history-in-mdm-documentation)
--   [Breaking changes and known issues](#breaking-changes-and-known-issues)
-    -   [Get command inside an atomic command is not supported](#getcommand)
-    -   [Notification channel URI not preserved during upgrade from Windows 8.1 to Windows 10](#notification)
-    -   [Apps installed using WMI classes are not removed](#appsnotremoved)
-    -   [Passing CDATA in SyncML does not work](#cdata)
-    -   [SSL settings in IIS server for SCEP must be set to "Ignore"](#sslsettings)
-    -   [MDM enrollment fails on the mobile device when traffic is going through proxy](#enrollmentviaproxy)
-    -   [Server-initiated unenroll failure](#unenrollment)
-    -   [Certificates causing issues with Wi-Fi and VPN](#certissues)
-    -   [Version information for mobile devices](#versioninformation)
-    -   [Upgrading Windows Phone 8.1 devices with app whitelisting using ApplicationRestriction policy has issues](#whitelist)
-    -   [Apps dependent on Microsoft Frameworks may get blocked](#frameworks)
-    -   [Multiple certificates might cause Wi-Fi connection instabilities in Windows 10 Mobile](#wificertissue)
-    -   [Remote PIN reset not supported in Azure Active Directory joined mobile devices](#remote)
-    -   [MDM client will immediately check-in with the MDM server after client renews WNS channel URI](#renewwns)
-    -   [User provisioning failure in Azure Active Directory joined Windows 10 PC](#userprovisioning)
-    -   [Requirements to note for VPN certificates also used for Kerberos Authentication](#kerberos)
-    -   [Device management agent for the push-button reset is not working](#pushbuttonreset)
--   [FAQ](#faq)
+- [What's new in MDM enrollment and management](#whats-new-in-mdm-enrollment-and-management)
+  - [In this section](#in-this-section)
+  - [<a href="" id="whatsnew"></a>What's new in Windows 10, version 1511](#a-href%22%22-id%22whatsnew%22awhats-new-in-windows-10-version-1511)
+  - [<a href="" id="whatsnew1607"></a>What's new in Windows 10, version 1607](#a-href%22%22-id%22whatsnew1607%22awhats-new-in-windows-10-version-1607)
+  - [<a href="" id="whatsnew10"></a>What's new in Windows 10, version 1703](#a-href%22%22-id%22whatsnew10%22awhats-new-in-windows-10-version-1703)
+  - [<a href="" id="whatsnew1709"></a>What's new in Windows 10, version 1709](#a-href%22%22-id%22whatsnew1709%22awhats-new-in-windows-10-version-1709)
+  - [<a href="" id="whatsnew1803"></a>What's new in Windows 10, version 1803](#a-href%22%22-id%22whatsnew1803%22awhats-new-in-windows-10-version-1803)
+  - [<a href="" id="whatsnew1809"></a>What's new in Windows 10, version 1809](#a-href%22%22-id%22whatsnew1809%22awhats-new-in-windows-10-version-1809)
+  - [Breaking changes and known issues](#breaking-changes-and-known-issues)
+    - [<a href="" id="getcommand"></a>Get command inside an atomic command is not supported](#a-href%22%22-id%22getcommand%22aget-command-inside-an-atomic-command-is-not-supported)
+    - [<a href="" id="notification"></a>Notification channel URI not preserved during upgrade from Windows 8.1 to Windows 10](#a-href%22%22-id%22notification%22anotification-channel-uri-not-preserved-during-upgrade-from-windows-81-to-windows-10)
+    - [<a href="" id="appsnotremoved"></a>Apps installed using WMI classes are not removed](#a-href%22%22-id%22appsnotremoved%22aapps-installed-using-wmi-classes-are-not-removed)
+    - [<a href="" id="cdata"></a>Passing CDATA in SyncML does not work](#a-href%22%22-id%22cdata%22apassing-cdata-in-syncml-does-not-work)
+    - [<a href="" id="sslsettings"></a>SSL settings in IIS server for SCEP must be set to "Ignore"](#a-href%22%22-id%22sslsettings%22assl-settings-in-iis-server-for-scep-must-be-set-to-%22ignore%22)
+    - [<a href="" id="enrollmentviaproxy"></a>MDM enrollment fails on the mobile device when traffic is going through proxy](#a-href%22%22-id%22enrollmentviaproxy%22amdm-enrollment-fails-on-the-mobile-device-when-traffic-is-going-through-proxy)
+    - [<a href="" id="unenrollment"></a>Server-initiated unenrollment failure](#a-href%22%22-id%22unenrollment%22aserver-initiated-unenrollment-failure)
+    - [<a href="" id="certissues"></a>Certificates causing issues with Wi-Fi and VPN](#a-href%22%22-id%22certissues%22acertificates-causing-issues-with-wi-fi-and-vpn)
+    - [<a href="" id="versioninformation"></a>Version information for mobile devices](#a-href%22%22-id%22versioninformation%22aversion-information-for-mobile-devices)
+    - [<a href="" id="whitelist"></a>Upgrading Windows Phone 8.1 devices with app whitelisting using ApplicationRestriction policy has issues](#a-href%22%22-id%22whitelist%22aupgrading-windows-phone-81-devices-with-app-whitelisting-using-applicationrestriction-policy-has-issues)
+    - [<a href="" id="frameworks"></a>Apps dependent on Microsoft Frameworks may get blocked in phones prior to build 10586.218](#a-href%22%22-id%22frameworks%22aapps-dependent-on-microsoft-frameworks-may-get-blocked-in-phones-prior-to-build-10586218)
+    - [<a href="" id="wificertissue"></a>Multiple certificates might cause Wi-Fi connection instabilities in Windows 10 Mobile](#a-href%22%22-id%22wificertissue%22amultiple-certificates-might-cause-wi-fi-connection-instabilities-in-windows-10-mobile)
+    - [<a href="" id="remote"></a>Remote PIN reset not supported in Azure Active Directory joined mobile devices](#a-href%22%22-id%22remote%22aremote-pin-reset-not-supported-in-azure-active-directory-joined-mobile-devices)
+    - [<a href="" id="renewwns"></a>MDM client will immediately check-in with the MDM server after client renews WNS channel URI](#a-href%22%22-id%22renewwns%22amdm-client-will-immediately-check-in-with-the-mdm-server-after-client-renews-wns-channel-uri)
+    - [<a href="" id="userprovisioning"></a>User provisioning failure in Azure Active Directory joined Windows 10 PC](#a-href%22%22-id%22userprovisioning%22auser-provisioning-failure-in-azure-active-directory-joined-windows-10-pc)
+    - [<a href="" id="kerberos"></a>Requirements to note for VPN certificates also used for Kerberos Authentication](#a-href%22%22-id%22kerberos%22arequirements-to-note-for-vpn-certificates-also-used-for-kerberos-authentication)
+    - [<a href="" id="pushbuttonreset"></a>Device management agent for the push-button reset is not working](#a-href%22%22-id%22pushbuttonreset%22adevice-management-agent-for-the-push-button-reset-is-not-working)
+  - [Change history in MDM documentation](#change-history-in-mdm-documentation)
+    - [January 2019](#january-2019)
+    - [December 2018](#december-2018)
+    - [September 2018](#september-2018)
+    - [August 2018](#august-2018)
+    - [July 2018](#july-2018)
+    - [June 2018](#june-2018)
+    - [May 2018](#may-2018)
+    - [April 2018](#april-2018)
+    - [March 2018](#march-2018)
+    - [February 2018](#february-2018)
+    - [January 2018](#january-2018)
+    - [December 2017](#december-2017)
+    - [November 2017](#november-2017)
+    - [October 2017](#october-2017)
+    - [September 2017](#september-2017)
+    - [August 2017](#august-2017)
+  - [FAQ](#faq)
 
 ## <a href="" id="whatsnew"></a>What's new in Windows 10, version 1511
 
@@ -1766,6 +1784,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
 |--- | ---|
 |[Policy CSP - Storage](policy-csp-storage.md)|Added the following new policies: AllowStorageSenseGlobal, ConfigStorageSenseGlobalCadence, AllowStorageSenseTemporaryFilesCleanup, ConfigStorageSenseRecycleBinCleanupThreshold, ConfigStorageSenseDownloadsCleanupThreshold, and ConfigStorageSenseCloudContentCleanupThreshold.|
 |[SharedPC CSP](sharedpc-csp.md)|Updated values and supported operations.|
+|[Mobile device management](index.md)|Updated information about MDM Security Baseline.|
 
 ### December 2018
 

windows/client-management/mdm/policy-csp-dataprotection.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 05/14/2018
+ms.date: 01/26/2019
 ---
 
 # Policy CSP - DataProtection
@@ -66,7 +66,7 @@ ms.date: 05/14/2018
 
 <!--/Scope-->
 <!--Description-->
-This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows. Once a user logs in, Windows will enumerate the PCI devices connected to the host plug PCI ports. Every time the user locks the machine, DMA will be blocked on hot plug PCI ports with no children devices until the user logs in again. Devices which were already enumerated when the machine was unlocked will continue to function until unplugged. This policy setting is only enforced when BitLocker or device encryption is enabled.
+This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows. Once a user logs in, Windows will enumerate the PCI devices connected to the host plug PCI ports. Every time the user locks the machine, DMA will be blocked on hot plug PCI ports with no children devices until the user logs in again. Devices which were already enumerated when the machine was unlocked will continue to function until unplugged. This policy setting is only enforced when [BitLocker Device Encryption](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) is enabled.
 
 Most restricted value is 0.
 

windows/client-management/mdm/policy-csp-security.md

@@ -148,7 +148,7 @@ The following list shows the supported values:
 > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
 
 
-Specifies whether to allow automatic device encryption during OOBE when the device is Azure AD joined.
+Specifies whether to allow automatic [device encryption](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) during OOBE when the device is Azure AD joined.
 
 <!--/Description-->
 <!--SupportedValues-->
@@ -479,7 +479,7 @@ The following list shows the supported values:
 
 Added in Windows 10, version 1607 to replace the deprecated policy **Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices**.
 
-Specifies whether to allow automatic device encryption during OOBE when the device is Azure AD joined.
+Specifies whether to allow automatic [device encryption](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) during OOBE when the device is Azure AD joined.
 
 <!--/Description-->
 <!--SupportedValues-->

windows/client-management/mdm/policy-csp-settings.md

@@ -239,10 +239,10 @@ The following list shows the supported values:
 </tr>
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
 </tr>

windows/client-management/windows-10-mobile-and-mdm.md

@@ -9,7 +9,7 @@ ms.sitesec: library
 ms.pagetype: mobile, devices, security
 ms.localizationpriority: medium
 author: AMeeus
-ms.date: 09/21/2017
+ms.date: 01/26/2019
 ---
 
 # Windows 10 Mobile deployment and management guide
@@ -460,7 +460,7 @@ Some device-wide settings for managing VPN connections can help you manage VPNs
 
 *Applies to: Corporate and personal devices*
 
-Protecting the apps and data stored on a device is critical to device security. One method for helping protect your apps and data is to encrypt internal device storage. The device encryption in Windows 10 Mobile helps protect corporate data against unauthorized access, even when an unauthorized user has physical possession of the device.
+Protecting the apps and data stored on a device is critical to device security. One method for helping protect your apps and data is to encrypt internal device storage. The [device encryption](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) in Windows 10 Mobile helps protect corporate data against unauthorized access, even when an unauthorized user has physical possession of the device.
 
 Windows 10 Mobile also has the ability to install apps on a secure digital (SD) card. The operating system stores apps on a partition specifically designated for that purpose. This feature is always on so you don’t need to set a policy explicitly to enable it.
 

windows/deployment/deploy-whats-new.md

@@ -7,7 +7,6 @@ ms.localizationpriority: medium
 ms.prod: w10
 ms.sitesec: library
 ms.pagetype: deploy
-ms.date: 12/18/2018
 author: greg-lindsay
 ---
 

windows/deployment/update/windows-analytics-FAQ-troubleshooting.md

@@ -8,7 +8,6 @@ ms.sitesec: library
 ms.pagetype: deploy
 author: jaimeo
 ms.author: jaimeo
-ms.date: 10/29/2018
 ms.localizationpriority: medium
 ---
 
@@ -209,7 +208,8 @@ If you want to stop using Upgrade Readiness and stop sending diagnostic data to
 2.  Disable the Commercial Data Opt-in Key on computers running Windows 7 SP1 or 8.1. On computers running Windows 10, set the diagnostic data level to **Security**:
 
   **Windows 7 and Windows 8.1**: Delete CommercialDataOptIn registry property from *HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection*
-  **Windows 10**: Follow the instructions in the [Configure Windows diagnostic data in your organization](/configuration/configure-windows-diagnostic-data-in-your-organization.md) topic.
+
+  **Windows 10**: Follow the instructions in [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/privacy/configure-windows-diagnostic-data-in-your-organization).
 
 3.	If you enabled **Internet Explorer Site Discovery**, you can disable Internet Explorer data collection by setting the *IEDataOptIn* registry key to value "0".  The IEDataOptIn key can be found under: *HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection*.
 4.	**Optional step:** You can also remove the “CommercialId” key from: "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection". 

windows/deployment/windows-autopilot/TOC.md

@@ -24,6 +24,7 @@
 ### [Administering Autopilot via Microsoft 365 Business & Office 365 Admin portal](https://support.office.com/article/Create-and-edit-Autopilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa)
 ## Getting started
 ### [Demonstrate Autopilot deployment on a VM](demonstrate-deployment-on-vm.md)
+## [Customer consent](registration-auth.md)
 ## [Troubleshooting](troubleshooting.md)
 ## [FAQ](autopilot-faq.md)
-## [Support](autopilot-support.md)
+## [Support](autopilot-support.md)

windows/deployment/windows-autopilot/add-devices.md

@@ -9,7 +9,6 @@ ms.sitesec: library
 ms.pagetype: deploy
 author: greg-lindsay
 ms.author: greg-lindsay
-ms.date: 12/12/2018
 ---
 
 # Adding devices to Windows Autopilot

windows/deployment/windows-autopilot/autopilot-faq.md

@@ -9,7 +9,6 @@ ms.sitesec: library
 ms.pagetype: deploy
 author: greg-lindsay
 ms.author: greg-lindsay
-ms.date: 11/05/2018
 ---
 
 # Windows Autopilot FAQ
@@ -27,6 +26,7 @@ A [glossary](#glossary) of abbreviations used in this topic is provided at the e
 | --- | --- |
 | In the Partner Center, does the Tenant ID need to be provided with every device file upload? Is this needed to allow the business customer to access their devices in MSfB?     | No. Providing the Tenant ID is a one-time entry in the Partner Center that can be re-used with future device uploads. |
 | How does the customer or tenant know that their devices are ready to be claimed in MSfB?    |  After the device file upload is completed in the Partner Center, the tenant can see the devices available for Windows Autopilot setup in MSfB. The OEM would need to advise the tenant to access MSfB. Auto-notification from MSfB to the tenant is being developed.  |
+| How does a customer authorize an OEM or Channel Partner to register Autopilot devices on the customer’s behalf?   |  Before an OEM or Channel Partner can register a device for Autopilot on behalf of a customer, the customer must first give them consent.  The consent process begins with the OEM or Channel Partner sending a link to the customer, which directs the customer to a consent page in Microsoft Store for Business.  The steps explaining this process are [here](registration-auth.md).  |
 |  Are there any restrictions if a business customer has registered devices in MSfB and later wants those devices to be managed by a CSP via the Partner Center? | The devices will need to be deleted in MSfB by the business customer before the CSP can upload and manage them in the Partner Center. | 
 | Does Windows Autopilot support removing the option to enable a local administrator account?    |  Windows Autopilot doesn’t support removing the local admin account. However, it does support restricting the user performing AAD domain join in OOBE to a standard account (versus admin account by default).|
 | How can I test the Windows Autopilot CSV file in the Partner Center?    |  Only CSP Partners have access to the Partner Center portal. If you are a CSP, you can create a Sales agent user account which has access to “Devices” for testing the file. This can be done today in the Partner Center. <br><br>Go [here](https://msdn.microsoft.com/partner-center/createuseraccounts-and-set-permissions) for more information. |

windows/deployment/windows-autopilot/configure-autopilot.md

@@ -9,7 +9,6 @@ ms.sitesec: library
 ms.pagetype: deploy
 author: greg-lindsay
 ms.author: greg-lindsay
-ms.date: 10/02/2018
 ---
 
 # Configure Autopilot deployment
@@ -32,4 +31,4 @@ When deploying new devices using Windows Autopilot, a common set of steps are re
 
 ## Related topics
 
-[Windows Autopilot scenarios](windows-autopilot-scenarios.md)
+[Windows Autopilot scenarios](windows-autopilot-scenarios.md)

windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md

@@ -9,7 +9,6 @@ ms.sitesec: library
 ms.pagetype: deploy
 author: greg-lindsay
 ms.author: greg-lindsay
-ms.date: 10/02/2018
 ---
 
 # Demonstrate Autopilot deployment on a VM

windows/deployment/windows-autopilot/enrollment-status.md

@@ -10,7 +10,6 @@ ms.pagetype: deploy
 ms.localizationpriority: medium
 author: greg-lindsay
 ms.author: greg-lindsay
-ms.date: 12/13/2018
 ---
 
 # Windows Autopilot Enrollment Status page
@@ -63,6 +62,4 @@ For more information on configuring the Enrollment Status page, see the [Microso
 For details about the underlying implementation, see the [FirstSyncStatus details in the DMClient CSP docuementation](https://docs.microsoft.com/windows/client-management/mdm/dmclient-csp).<br>
 For more information about blocking for app installation:
 - [Blocking for app installation using Enrollment Status Page](https://blogs.technet.microsoft.com/mniehaus/2018/12/06/blocking-for-app-installation-using-enrollment-status-page/).
-- [Support Tip: Office C2R installation is now tracked during ESP](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Office-C2R-installation-is-now-tracked-during-ESP/ba-p/295514).
-
-
+- [Support Tip: Office C2R installation is now tracked during ESP](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Office-C2R-installation-is-now-tracked-during-ESP/ba-p/295514).

windows/deployment/windows-autopilot/profiles.md

@@ -9,7 +9,6 @@ ms.sitesec: library
 ms.pagetype: deploy
 author: greg-lindsay
 ms.author: greg-lindsay
-ms.date: 12/13/2018
 ---
 
 # Configure Autopilot profiles
@@ -58,4 +57,4 @@ The following profile settings are available:
 
 ## Related topics
 
-[Configure Autopilot deployment](configure-autopilot.md)
+[Configure Autopilot deployment](configure-autopilot.md)

windows/deployment/windows-autopilot/registration-auth.md

@@ -0,0 +1,75 @@
+---
+title: Windows Autopilot customer consent
+description: Support information for Windows Autopilot
+keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune, csp, OEM
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: low
+ms.sitesec: library
+ms.pagetype: deploy
+author: greg-lindsay
+ms.author: greg-lindsay
+---
+
+# Windows Autopilot customer consent
+
+**Applies to: Windows 10**
+
+This article describes how a cloud service provider (CSP) partner (direct bill, indirect provider, or indirect reseller) or an OEM can get customer authorization to register Windows Autopilot devices on the customer’s behalf.
+
+## CSP authorization
+
+CSP partners can get customer authorization to register Windows Autopilot devices on the customer’s behalf per the following restrictions:
+
+<table>
+<tr><td>Direct CSP<td>Gets direct authorization from the customer to register devices.
+<tr><td>Indirect CSP Provider<td>Gets implicit permission to register devices through the relationship their CSP Reseller partner has with the customer.  Indirect CSP Providers register devices through Microsoft Partner Center.
+<tr><td>Indirect CSP Reseller<td>Gets direct authorization from the customer to register devices.  At the same time, their indirect CSP Provider partner also gets authorization, which mean that either the Indirect Provider or the Indirect Reseller can register devices for the customer.  However, the Indirect CSP Reseller must register devices through the MPC UI (manually uploading CSV file), whereas the Indirect CSP Provider has the option to register devices using the MPC APIs.
+</table>
+
+### Steps
+
+For a CSP to register Windows Autopilot devices on behalf of a customer, the customer must first grant that CSP partner permission using the following process:
+
+1.	CSP sends link to customer requesting authorization/consent to register/manage devices on their behalf.  To do so:
+    - CSP logs into Microsoft Partner Center
+    - Click **Dashboard** on the top menu
+    - Click **Customer** on the side menu
+    - Click the **Request a reseller relationship** link:
+    ![Request a reseller relationship](images/csp1.png)
+    - Select the checkbox indicating whether or not you want delegated admin rights:
+    ![Delegated rights](images/csp2.png)
+    - Send the template above to the customer via email.
+2. Customer with global administrator privileges in Microsoft Store for Business (MSfB) clicks the link in the body of the email once they receive it from the CSP, which takes them directly to the following MSfB page:
+
+    ![Global admin](images/csp3.png)
+
+    NOTE: A user without global admin privileges who clicks the link will see a message similar to the following:
+
+    ![Not global admin](images/csp4.png)
+
+3.	Customer selects the **Yes** checkbox, followed by the **Accept** button. Authorization happens instantaneously.
+4.	The CSP will know that this consent/authorization request has been completed because the customer will show up in the CSP’s MPC account under their **customers** list, for example:
+
+![Customers](images/csp5.png)
+
+## OEM authorization
+
+Each OEM has a unique link to provide to their respective customers, which the OEM can request from Microsoft via msoemops@microsoft.com.
+
+1.	OEM emails link to their customer.
+2.	Customer with global administrator privileges in Microsoft Store for Business (MSfB) clicks the link once they receive it from the OEM, which takes them directly to the following MSfB page:
+
+    ![Global admin](images/csp6.png)
+
+    NOTE: A user without global admin privileges who clicks the link will see a message similar to the following:
+
+    ![Not global admin](images/csp7.png)
+3.	Customer selects the **Yes** checkbox, followed by the **Accept** button, and they’re done.  Authorization happens instantaneously.
+
+4.	The OEM can use the Validate Device Submission Data API to verify the consent has completed.  This API is discussed in the latest version of the API Whitepaper, p. 14ff [https://devicepartner.microsoft.com/assets/detail/windows-autopilot-integration-with-oem-api-design-whitepaper-docx](https://devicepartner.microsoft.com/assets/detail/windows-autopilot-integration-with-oem-api-design-whitepaper-docx). **Note**: this link is only accessible by Microsoft Device Partners. As discussed in this whitepaper, it’s a best practice recommendation for OEM partners to run the API check to confirm they’ve received customer consent before attempting to register devices, thus avoiding errors in the registration process.
+
+## Summary
+
+At this stage of the process, Microsoft is no longer involved; the consent exchange happens directly between the OEM and the customer.  And, it all happens instantaneously - as quickly as buttons are clicked.
+

windows/deployment/windows-autopilot/rip-and-replace.md

@@ -0,0 +1,19 @@
+---
+title: Rip and Replace
+description: Listing of Autopilot scenarios
+keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: high
+ms.sitesec: library
+ms.pagetype: deploy
+author: coreyp-at-msft
+ms.author: coreyp
+ms.date: 06/01/2018
+---
+
+# Rip and replace
+
+**Applies to: Windows 10**
+
+DO NOT PUBLISH.  Just a placeholder for now, coming with 1809.

windows/deployment/windows-autopilot/self-deploying.md

@@ -10,7 +10,6 @@ ms.pagetype:
 ms.localizationpriority: medium
 author: greg-lindsay
 ms.author: greg-lindsay
-ms.date: 10/02/2018
 ---
 
 # Windows Autopilot Self-Deploying mode (Preview)

windows/deployment/windows-autopilot/troubleshooting.md

@@ -9,7 +9,6 @@ ms.sitesec: library
 ms.pagetype: deploy
 author: greg-lindsay
 ms.author: greg-lindsay
-ms.date: 10/02/2018
 ---
 
 # Troubleshooting Windows Autopilot

windows/deployment/windows-autopilot/user-driven-aad.md

@@ -9,7 +9,6 @@ ms.sitesec: library
 ms.pagetype: deploy
 author: greg-lindsay
 ms.author: greg-lindsay
-ms.date: 11/07/2018
 ---
 
 # Windows Autopilot user-driven mode for Azure Active Directory join
@@ -32,4 +31,4 @@ For each device that will be deployed using user-driven deployment, these additi
     -   If using Intune and Azure Active Directory static device groups, manually add the device to the device group.
     -   If using other methods (e.g. Microsoft Store for Business or Partner Center), manually assign an Autopilot profile to the device.
 
-Also see the **Validation** section in the [Windows Autopilot user-driven mode](user-driven.md) topic. 
+Also see the **Validation** section in the [Windows Autopilot user-driven mode](user-driven.md) topic.

windows/deployment/windows-autopilot/user-driven-hybrid.md

@@ -9,7 +9,6 @@ ms.sitesec: library
 ms.pagetype: deploy
 author: greg-lindsay
 ms.author: greg-lindsay
-ms.date: 11/12/2018
 ---
 
 
@@ -37,4 +36,4 @@ To perform a user-driven hybrid AAD joined deployment using Windows Autopilot:
 
 See [Deploy hybrid Azure AD joined devices using Intune and Windows Autopilot](https://docs.microsoft.com/intune/windows-autopilot-hybrid).
 
-Also see the **Validation** section in the [Windows Autopilot user-driven mode](user-driven.md) topic. 
+Also see the **Validation** section in the [Windows Autopilot user-driven mode](user-driven.md) topic. 

windows/deployment/windows-autopilot/user-driven.md

@@ -10,7 +10,6 @@ ms.pagetype: deploy
 author: greg-lindsay
 ms.date: 11/07/2018
 ms.author: greg-lindsay
-ms.date: 11/07/2018
 ---
 
 # Windows Autopilot user-driven mode

windows/deployment/windows-autopilot/windows-autopilot-requirements-configuration.md

@@ -9,7 +9,6 @@ ms.sitesec: library
 ms.pagetype: deploy
 author: greg-lindsay
 ms.author: greg-lindsay
-ms.date: 10/02/2018
 ---
 
 # Windows Autopilot configuration requirements

windows/deployment/windows-autopilot/windows-autopilot-requirements-licensing.md

@@ -9,10 +9,8 @@ ms.sitesec: library
 ms.pagetype: deploy
 author: greg-lindsay
 ms.author: greg-lindsay
-ms.date: 10/02/2018
-ms.author: greg-lindsay
-ms.date: 10/02/2018
 ---
+
 # Windows Autopilot licensing requirements
 
 **Applies to: Windows 10**

windows/deployment/windows-autopilot/windows-autopilot-requirements-network.md

@@ -9,7 +9,6 @@ ms.sitesec: library
 ms.pagetype: deploy
 author: greg-lindsay
 ms.author: greg-lindsay
-ms.date: 10/02/2018
 ---
 
 # Windows Autopilot networking requirements

windows/deployment/windows-autopilot/windows-autopilot-requirements.md

@@ -9,7 +9,6 @@ ms.sitesec: library
 ms.pagetype: deploy
 author: greg-lindsay
 ms.author: greg-lindsay
-ms.date: 12/13/2018
 ---
 
 # Windows Autopilot requirements
@@ -28,4 +27,4 @@ There are no additional hardware requirements to use Windows 10 Autopilot, beyon
 
 ## Related topics
 
-[Configure Autopilot deployment](configure-autopilot.md)
+[Configure Autopilot deployment](configure-autopilot.md)

windows/deployment/windows-autopilot/windows-autopilot-reset-local.md

@@ -10,7 +10,6 @@ ms.pagetype:
 ms.localizationpriority: medium
 author: greg-lindsay
 ms.author: greg-lindsay
-ms.date: 10/02/2018
 ---
 
 # Reset devices with local Windows Autopilot Reset 

windows/deployment/windows-autopilot/windows-autopilot-reset-remote.md

@@ -10,7 +10,6 @@ ms.pagetype:
 ms.localizationpriority: medium
 author: greg-lindsay
 ms.author: greg-lindsay
-ms.date: 10/02/2018
 ---
 
 # Reset devices with remote Windows Autopilot Reset (Preview)

windows/deployment/windows-autopilot/windows-autopilot-reset.md

@@ -10,7 +10,6 @@ ms.pagetype:
 ms.localizationpriority: medium
 author: greg-lindsay
 ms.author: greg-lindsay
-ms.date: 10/02/2018
 ---
 
 # Windows Autopilot Reset

windows/deployment/windows-autopilot/windows-autopilot-scenarios.md

@@ -9,7 +9,6 @@ ms.sitesec: library
 ms.pagetype: deploy
 author: greg-lindsay
 ms.author: greg-lindsay
-ms.date: 12/13/2018
 ---
 
 # Windows Autopilot scenarios

windows/deployment/windows-autopilot/windows-autopilot.md

@@ -9,7 +9,6 @@ ms.sitesec: library
 ms.pagetype: deploy
 author: greg-lindsay
 ms.author: greg-lindsay
-ms.date: 01/03/2018
 ---
 
 # Overview of Windows Autopilot
@@ -71,4 +70,4 @@ See [Windows Autopilot scenarios](https://docs.microsoft.com/en-us/windows/deplo
 
 ## Related topics
 
-[Enroll Windows devices in Intune by using Windows Autopilot](https://docs.microsoft.com/en-us/intune/enrollment-autopilot)
+[Enroll Windows devices in Intune by using Windows Autopilot](https://docs.microsoft.com/en-us/intune/enrollment-autopilot)

windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md

@@ -1915,8 +1915,8 @@ If you're not running Windows 10, version 1607 or later, you can use the other o
 
   - **Personalization** > **Lock screen** > **Background** > **Windows spotlight**, select a different background, and turn off **Get fun facts, tips, tricks and more on your lock screen**.
 
-        > [!NOTE]
-        > In Windows 10, version 1507 and Windows 10, version 1511, this setting was named **Show me tips, tricks, and more on the lock screen**.
+    > [!NOTE]
+    > In Windows 10, version 1507 and Windows 10, version 1511, this setting was named **Show me tips, tricks, and more on the lock screen**.
 
   - **Personalization** > **Start** > **Occasionally show suggestions in Start**.
 

windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md

@@ -66,7 +66,7 @@ Sign-in using _Enterprise Admin_ equivalent credentials on Windows Server 2012 o
 
 3. Use the following command to configure the Certificate Authority using a basic certificate authority configuration.   
     ```PowerShell
-    Install-AdcsCertificateAuthority
+    Install-AdcsCertificationAuthority
     ```   
     
 ## Configure a Production Public Key Infrastructure

windows/security/identity-protection/vpn/vpn-conditional-access.md

@@ -10,7 +10,7 @@ ms.author: pashort
 manager: elizapo
 ms.reviewer: 
 ms.localizationpriority: medium
-ms.date: 04/20/2018
+ms.date: 01/26/2019
 ---
 
 # VPN and conditional access
@@ -30,9 +30,9 @@ Conditional Access Platform components used for Device Compliance include the fo
 
 - [Windows Health Attestation Service](https://technet.microsoft.com/itpro/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices#device-health-attestation) (optional)
 
-- Azure AD Certificate Authority - It is a requirement that the client certificate used for the cloud-based device compliance solution be issued by an Azure Active Directory-based Certificate Authority (CA).  An Azure AD CA is essentially a mini-CA cloud tenant in Azure. The Azure AD CA cannot be configured as part of an on-premises Enterprise CA. 
+- Azure AD Certificate Authority - It is a requirement that the client certificate used for the cloud-based device compliance solution be issued by an Azure Active Directory-based Certificate Authority (CA). An Azure AD CA is essentially a mini-CA cloud tenant in Azure. The Azure AD CA cannot be configured as part of an on-premises Enterprise CA. 
 
-- Azure AD-issued short-lived certificates - When a VPN connection attempt is made, the Azure AD Token Broker on the local device communicates with Azure Active Directory, which then checks for health based on compliance rules.  If compliant, Azure AD sends back a short-lived certificate that is used to authenticate the VPN.  Note that certificate authentication methods such as EAP-TLS can be used. 
+- Azure AD-issued short-lived certificates - When a VPN connection attempt is made, the Azure AD Token Broker on the local device communicates with Azure Active Directory, which then checks for health based on compliance rules. If compliant, Azure AD sends back a short-lived certificate that is used to authenticate the VPN. Note that certificate authentication methods such as EAP-TLS can be used. 
 
     Additional details regarding the Azure AD issued short-lived certificate: 
     - The default lifetime is 60 minutes and is configurable
@@ -52,15 +52,13 @@ The following client-side components are also required:
 - Trusted Platform Module (TPM)
 
 ## VPN device compliance 
-According to the VPNv2 CSP, these settings options are **Optional**.  If you want your users to access on-premises resources, such as files on a network share, based on the credential of a certificate that was issued by an on-premises CA, and not the Cloud CA certificate, you add these settings to the VPNv2 profile.  Alternatively, if you add the cloud root certificates to the NTAuth store in on-prem AD, your user's cloud certificate will chain and KDC will issue TGT and TGS tickets to them.
+At this time, the Azure AD certificates issued to users do not contain a CRL Distribution Point (CDP) and are not suitable for Key Distribution Centers (KDCs) to issue Kerberos tokens. For users to gain access to on-premises resources such as files on a network share, client authentication certificates must be deployed to the Windows profiles of the users, and their VPNv2 profiles must contain the <SSO> section.
 
 Server-side infrastructure requirements to support VPN device compliance include:
 
-- The VPN server should be configured for certificate authentication.
+- The VPN server should be configured for certificate authentication
 - The VPN server should trust the tenant-specific Azure AD CA
-- Either of the below should be true for Kerberos/NTLM SSO:
-   -	Domain servers trust Azure AD CA
-   -	A domain-trusted certificate is deployed to the client device and is configured to be used for single sign-on (SSO)
+- For client access using Kerberos/NTLM, a domain-trusted certificate is deployed to the client device and is configured to be used for single sign-on (SSO)
    
 After the server side is set up, VPN admins can add the policy settings for conditional access to the VPN profile using the VPNv2 DeviceCompliance node.
 
@@ -68,7 +66,7 @@ Two client-side configuration service providers are leveraged for VPN device com
 
 - VPNv2 CSP DeviceCompliance settings
    - **Enabled**: enables the Device Compliance flow from the client. If marked as **true**, the VPN client attempts to communicate with Azure AD to get a certificate to use for authentication. The VPN should be set up to use certificate authentication and the VPN server must trust the server returned by Azure AD.
-   - **Sso**: nodes under SSO can be used to choose a certificate different from the VPN authentication certificate for Kerberos authentication in the case of device compliance.
+   - **Sso**: entries under SSO should be used to direct the VPN client to use a certificate other than the VPN authentication certificate when accessing resources that require Kerberos authentication.
    - **Sso/Enabled**: if this field is set to **true**, the VPN client looks for a separate certificate for Kerberos authentication.
    - **Sso/IssuerHash**: hashes for the VPN client to look for the correct certificate for Kerberos authentication.
    - **Sso/Eku**: comma-separated list of Enhanced Key Usage (EKU) extensions for the VPN client to look for the correct certificate for Kerberos authentication.
@@ -79,8 +77,7 @@ Two client-side configuration service providers are leveraged for VPN device com
    - Upon request, forwards the Health Attestation Certificate (received from HAS) and related runtime information to the MDM server for verification
    
 >[!NOTE]
->Enabling SSO is not necessarily required unless you want VPN users to be issued Kerberos tickets to access on-premises resources using a certificate issued by the on-premises CA; not the cloud certificate issued by AAD.
-
+>Currently, it is required that certificates be issued from an on-premises CA, and that SSO be enabled in the user’s VPN profile. This will enable the user to obtain Kerberos tickets in order to access resources on-premises. Kerberos currently does not support the use of Azure AD certificates.
 
 ## Client connection flow
 The VPN client side connection flow works as follows:
@@ -89,7 +86,7 @@ The VPN client side connection flow works as follows:
  
 When a VPNv2 Profile is configured with \<DeviceCompliance> \<Enabled>true<\/Enabled> the VPN client uses this connection flow:
 
-1.	 The VPN client calls into Windows 10’s AAD Token Broker, identifying itself as a VPN client.
+1.	 The VPN client calls into Windows 10’s Azure AD Token Broker, identifying itself as a VPN client.
 2.	 The Azure AD Token Broker authenticates to Azure AD and provides it with information about the device trying to connect. The Azure AD Server checks if the device is in compliance with the policies.
 3.	 If compliant, Azure AD requests a short-lived certificate
 4.	 Azure AD pushes down a short-lived certificate to the Certificate Store via the Token Broker. The Token Broker then returns control back over to the VPN client for further connection  processing.

windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md

@@ -8,7 +8,7 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 author: brianlic-msft
-ms.date: 09/17/2018
+ms.date: 01/26/2019
 ---
 
 # BitLocker Management for Enterprises
@@ -25,11 +25,11 @@ Enterprises can use [Microsoft BitLocker Administration and Monitoring (MBAM)](h
 
 ## Managing devices joined to Azure Active Directory
 
-Devices joined to Azure AD are managed using Mobile Device Management (MDM) policy from an MDM solution such as [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune). BitLocker Device Encryption status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access) to services like Exchange Online and SharePoint Online.
+Devices joined to Azure AD are managed using Mobile Device Management (MDM) policy from an MDM solution such as Microsoft Intune. [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access) to services like Exchange Online and SharePoint Online.
 
 Starting with Windows 10 version 1703 (also known as the Windows Creators Update), the enablement of BitLocker can be triggered over MDM either by the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) or the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp). The BitLocker CSP adds policy options that go beyond ensuring that encryption has occurred, and is available on computers that run Windows 10 Business or Enterprise editions and on Windows Phones.
 
-For hardware that is compliant with Modern Standby and HSTI, when using either of these features, BitLocker Device Encryption is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if required. For older devices that are not yet encrypted, beginning with Windows 10 version 1703 (the Windows 10 Creators Update), admins can use the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp) to trigger encryption and store the recovery key in Azure AD.
+For hardware that is compliant with Modern Standby and HSTI, when using either of these features, [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if required. For older devices that are not yet encrypted, beginning with Windows 10 version 1703 (the Windows 10 Creators Update), admins can use the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp) to trigger encryption and store the recovery key in Azure AD.
 
 
 ## Managing workplace-joined PCs and phones

windows/security/information-protection/bitlocker/bitlocker-overview.md

@@ -8,7 +8,7 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 author: brianlic-msft
-ms.date: 10/16/2017
+ms.date: 01/26/2018
 ---
 
 # BitLocker
@@ -42,7 +42,7 @@ BitLocker control panel, and they are appropriate to use for automated deploymen
 
 ## <a href="" id="bkmk-new"></a>New and changed functionality
 
-To find out what's new in BitLocker for Windows 10, such as support for the XTS-AES encryption algorithm, see the [BitLocker](https://technet.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511#bitlocker) section in "What's new in Windows 10, versions 1507 and 1511."
+To find out what's new in BitLocker for Windows 10, such as support for the XTS-AES encryption algorithm, see the [BitLocker](https://technet.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511#bitlocker) section in "What's new in Windows 10."
  
 ## System requirements
 
@@ -71,7 +71,7 @@ When installing the BitLocker optional component on a server you will also need
 | [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md) | This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.| 
 | [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)| This topic for the IT professional explains how can you plan your BitLocker deployment. |
 | [BitLocker basic deployment](bitlocker-basic-deployment.md) | This topic for the IT professional explains how BitLocker features can be used to protect your data through drive encryption. |
-| [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker-how-to-deploy-on-windows-server.md)| This topic for the IT professional explains how to deploy BitLocker and Windows Server 2012 and later.| 
+| [BitLocker: How to deploy on Windows Server](bitlocker-how-to-deploy-on-windows-server.md)| This topic for the IT professional explains how to deploy BitLocker on Windows Server.| 
 | [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) | This topic for the IT professional describes how BitLocker Network Unlock works and how to configure it. |
 | [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md)| This topic for the IT professional describes how to use tools to manage BitLocker.| 
 | [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md) | This topic for the IT professional describes how to use the BitLocker Recovery Password Viewer. |

windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md

@@ -7,8 +7,6 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: brianlic-msft
-
-ms.date: 08/17/2017
 ---
 
 # BitLocker recovery guide
@@ -26,7 +24,7 @@ This article does not detail how to configure AD DS to store the BitLocker reco
 
 ## <a href="" id="bkmk-whatisrecovery"></a>What is BitLocker recovery?
 
-BitLocker recovery is the process by which you can restore access to a BitLocker-protected drive in the event that you cannot unlock the drive normally. In a recovery scenario you have the following options to restore access to the drive:
+BitLocker recovery is the process by which you can restore access to a BitLocker-protected drive in the event that you cannot unlock the drive normally. In a recovery scenario, you have the following options to restore access to the drive:
 
 -   The user can supply the recovery password. If your organization allows users to print or store recovery passwords, the user can type in the 48-digit recovery password that they printed or stored on a USB drive or with your Microsoft Account online. (Saving a recovery password with your Microsoft Account online is only allowed when BitLocker is used on a PC that is not a member of a domain).
 -   A data recovery agent can use their credentials to unlock the drive. If the drive is an operating system drive, the drive must be mounted as a data drive on another computer for the data recovery agent to unlock it.
@@ -36,7 +34,7 @@ BitLocker recovery is the process by which you can restore access to a BitLocker
 
 The following list provides examples of specific events that will cause BitLocker to enter recovery mode when attempting to start the operating system drive:
 
--   On PCs that use BitLocker, or on devices such as tablets or phones that use Device Encryption only, when an attack is detected, the device will immediately reboot and enter into BitLocker recovery mode. To take advantage of this functionality Administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** in the Local Group Policy Editor, or use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](https://technet.microsoft.com/library/aa998357.aspx) (also configurable through [Windows Intune](https://technet.microsoft.com/library/jj733621.aspx)), to limit the number of failed password attempts before the device goes into Device Lockout.
+-   On PCs that use BitLocker Drive Encryption, or on devices such as tablets or phones that use [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md) only, when an attack is detected, the device will immediately reboot and enter into BitLocker recovery mode. To take advantage of this functionality Administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** in the Local Group Policy Editor, or use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](https://technet.microsoft.com/library/aa998357.aspx) (also configurable through [Windows Intune](https://technet.microsoft.com/library/jj733621.aspx)), to limit the number of failed password attempts before the device goes into Device Lockout.
 -   On devices with TPM 1.2, changing the BIOS or firmware boot device order causes BitLocker recovery. However, devices with TPM 2.0 do not start BitLocker recovery in this case. TPM 2.0 does not consider a firmware change of boot device order as a security threat because the OS Boot Loader is not compromised.
 -   Having the CD or DVD drive before the hard drive in the BIOS boot order and then inserting or removing a CD or DVD.
 -   Failing to boot from a network drive before booting from the hard drive.
@@ -245,7 +243,7 @@ This error might occur if you updated the firmware. As a best practice you shoul
 
 ## Windows RE and BitLocker Device Encryption
 
-Windows Recovery Environment (RE) can be used to recover access to a drive protected by BitLocker Device Encryption. If a PC is unable to boot after two failures, Startup Repair will automatically start. When Startup Repair is launched automatically due to boot failures, it will only execute operating system and driver file repairs, provided that the boot logs or any available crash dump point to a specific corrupted file. In Windows 8.1 and later, devices that include firmware to support specific TPM measurements for PCR\[7\] the TPM can validate that Windows RE is a trusted operating environment and will unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example the TPM has been disabled, the drives will stay locked until the BitLocker recovery key is provided. If Startup Repair is not able to be run automatically from the PC and instead Windows RE is manually started from a repair disk, the BitLocker recovery key must be provided to unlock the BitLocker–protected drives.
+Windows Recovery Environment (RE) can be used to recover access to a drive protected by [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md). If a PC is unable to boot after two failures, Startup Repair will automatically start. When Startup Repair is launched automatically due to boot failures, it will only execute operating system and driver file repairs, provided that the boot logs or any available crash dump point to a specific corrupted file. In Windows 8.1 and later, devices that include firmware to support specific TPM measurements for PCR\[7\] the TPM can validate that Windows RE is a trusted operating environment and will unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example the TPM has been disabled, the drives will stay locked until the BitLocker recovery key is provided. If Startup Repair is not able to be run automatically from the PC and instead Windows RE is manually started from a repair disk, the BitLocker recovery key must be provided to unlock the BitLocker–protected drives.
 
 ## <a href="" id="bkmk-usingaddrecovery"></a>Using additional recovery information
 

windows/security/information-protection/tpm/tpm-recommendations.md

@@ -87,7 +87,7 @@ For end consumers, TPM is behind the scenes but is still very relevant. TPM is u
 
 ### Windows 10 for desktop editions (Home, Pro, Enterprise, and Education)
 
--   Since July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of a existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7 of the [Minimum hardware requirements](https://msdn.microsoft.com/library/windows/hardware/dn91508.aspx) page). The requirement to enable TPM 2.0 only applies to the manufacturing of new devices. For TPM recommendations for specific Windows features, see [TPM and Windows Features](#tpm-and-windows-features).
+-   Since July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of a existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7 of the [Minimum hardware requirements](https://docs.microsoft.com/windows-hardware/design/minimum/minimum-hardware-requirements-overview) page). The requirement to enable TPM 2.0 only applies to the manufacturing of new devices. For TPM recommendations for specific Windows features, see [TPM and Windows Features](#tpm-and-windows-features).
 
 ### IoT Core
 
@@ -104,7 +104,7 @@ The following table defines which Windows features require TPM support.
 | Windows Features        | TPM Required | Supports TPM 1.2   | Supports TPM 2.0   | Details  |
 |-------------------------|--------------|--------------------|--------------------|----------|
 | Measured Boot           | Yes          | Yes                | Yes                | Measured Boot requires TPM 1.2 or 2.0 and UEFI Secure Boot         |
-| BitLocker               | Yes           | Yes                | Yes                | TPM 1.2 or 2.0 is required  |
+| BitLocker               | Yes           | Yes                | Yes                | TPM 1.2 or 2.0 is required, but [Automatic Device Encryption requires Modern Standby](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) including TPM 2.0 support |
 | Device Encryption       | Yes          | N/A                | Yes                | Device Encryption requires Modern Standby/Connected Standby certification, which requires TPM 2.0. |
 | Windows Defender Application Control (Device Guard)            | No           | Yes                | Yes                |          |
 | Windows Defender Exploit Guard | No   | N/A                | N/A                |           |

windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md

@@ -36,9 +36,9 @@ Windows Defender Antivirus is  part of the  [next generation](https://www.youtub
 
 The AV-TEST Product Review and Certification Report tests on three categories: protection, performance, and usability. The scores listed below are for the Protection category which has two scores: Real-World Testing and the AV-TEST reference set (known as "Prevalent Malware").
 
-- September - October 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/october-2018/microsoft-windows-defender-antivirus-4.18-184174/) <sup>**Latest**</sup>
+- September - October 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/october-2018/microsoft-windows-defender-antivirus-4.18-184174/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWqOqD)  <sup>**Latest**</sup>
 
-    Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, with 21,568 malware samples tested.
+    Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, protecting against 21,566 of 21,568 tested malware samples.
 
 - July - August 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/august-2018/microsoft-windows-defender-antivirus-4.12--4.18-183212/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2IL3Y)
 

windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md

@@ -30,7 +30,7 @@ ms.localizationpriority: medium
 Windows Defender ATP extends support to include down-level operating systems, providing advanced attack detection and investigation capabilities on supported Windows versions.
 
 >[!IMPORTANT]
->This capability is currently in preview. You'll need to turn on the preview features to take advantage of this feature. For more information, see [Preview features](preview-windows-defender-advanced-threat-protection).
+>This capability is currently in preview. You'll need to turn on the preview features to take advantage of this feature. For more information, see [Preview features](preview-windows-defender-advanced-threat-protection.md).
 
 To onboard down-level Windows client endpoints to Windows Defender ATP, you'll need to:
 - Configure and update System Center Endpoint Protection clients.