fix conflicts

2025-05-12 13:27:23 +00:00 · 2021-03-05 12:30:36 -08:00 · 2021-03-05 12:30:36 -08:00 · 588f28fc36
commit 588f28fc36
parent f97a0c33f9 793b19e2c7
10 changed files with 521 additions and 282 deletions
--- a/windows/client-management/mandatory-user-profile.md
+++ b/windows/client-management/mandatory-user-profile.md
@ -16,7 +16,6 @@ ms.topic: article
 # Create mandatory user profiles
 **Applies to**
 - Windows 10
 A mandatory user profile is a roaming user profile that has been pre-configured by an administrator to specify settings for users. Settings commonly defined in a mandatory profile include (but are not limited to): icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more. Configuration changes made during a user's session that are normally saved to a roaming user profile are not saved when a mandatory user profile is assigned.
@ -76,7 +75,7 @@ First, you create a default user profile with the customizations that you want,
   > [!TIP]
   > If you receive an error message that says "Sysprep was not able to validate your Windows installation", open %WINDIR%\\System32\\Sysprep\\Panther\\setupact.log and look for an entry like the following:
   >
-   > ![Microsoft Bing Translator package](images/sysprep-error.png)
+   > ![Microsoft Bing Translator package error](images/sysprep-error.png)
   >
   > Use the [Remove-AppxProvisionedPackage](https://docs.microsoft.com/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps) and [Remove-AppxPackage -AllUsers](https://docs.microsoft.com/powershell/module/appx/remove-appxpackage?view=win10-ps) cmdlet in Windows PowerShell to uninstall the app that is listed in the log.
@ -86,20 +85,24 @@ First, you create a default user profile with the customizations that you want,
 1. In **User Profiles**, click **Default Profile**, and then click **Copy To**.
-   ![Example of UI](images/copy-to.png)
+
   ![Example of User Profiles UI](images/copy-to.png)
 1. In **Copy To**, under **Permitted to use**, click **Change**.
-   ![Example of UI](images/copy-to-change.png)
+   ![Example of Copy To UI](images/copy-to-change.png)
 1. In **Select User or Group**, in the **Enter the object name to select** field, type `everyone`, click **Check Names**, and then click **OK**.
 1. In **Copy To**, in the **Copy profile to** field, enter the path and folder name where you want to store the mandatory profile. The folder name must use the correct [extension](#profile-extension-for-each-windows-version) for the operating system version. For example, the folder name must end with ".v6" to identify it as a user profile folder for Windows 10, version 1607.
   - If the device is joined to the domain and you are signed in with an account that has permissions to write to a shared folder on the network, you can enter the shared folder path.
   ![Example of Copy profile to](images/copy-to-path.png)
   - If the device is not joined to the domain, you can save the profile locally and then copy it to the shared folder location.
-   ![Example of UI](images/copy-to-path.png)
+   ![Example of Copy To UI with UNC path](images/copy-to-path.png)
 1. Click **OK** to copy the default user profile.
--- a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md
+++ b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md
@ -23,10 +23,10 @@ To help diagnose enrollment or device management issues in Windows 10 devices m
   ![Access work or school page in Settings](images/diagnose-mdm-failures15.png)
 1. At the bottom of the **Settings** page, click **Create report**.  
-   ![Access work or school page in Settings](images/diagnose-mdm-failures16.png)
+   ![Access work or school page and then Create report](images/diagnose-mdm-failures16.png)
 1. A window opens that shows the path to the log files. Click **Export**.
-   ![Access work or school page in Settings](images/diagnose-mdm-failures17.png)
+   ![Access work or school log files](images/diagnose-mdm-failures17.png)
 1. In File Explorer, navigate to c:\Users\Public\Documents\MDMDiagnostics to see the report.
@ -294,21 +294,21 @@ For best results, ensure that the PC or VM on which you are viewing logs matches
 3.  Navigate to the etl file that you got from the device and then open the file.
 4.  Click **Yes** when prompted to save it to the new log format.
-    ![prompt](images/diagnose-mdm-failures10.png)
+    ![event viewer prompt](images/diagnose-mdm-failures10.png)
    ![diagnose mdm failures](images/diagnose-mdm-failures11.png)
 5.  The new view contains traces from the channel. Click on **Filter Current Log** from the **Actions** menu.
-    ![event viewer](images/diagnose-mdm-failures12.png)
+    ![event viewer actions](images/diagnose-mdm-failures12.png)
 6.  Add a filter to Event sources by selecting **DeviceManagement-EnterpriseDiagnostics-Provider** and click **OK**.
-    ![event filter](images/diagnose-mdm-failures13.png)
+    ![event filter for Device Management](images/diagnose-mdm-failures13.png)
 7.  Now you are ready to start reviewing the logs.
-    ![event viewer](images/diagnose-mdm-failures14.png)
+    ![event viewer review logs](images/diagnose-mdm-failures14.png)
 ## Collect device state data
@ -336,9 +336,3 @@ Here's an example of how to collect current MDM device state data using the [Dia
 ```
--- a/windows/configuration/set-up-shared-or-guest-pc.md
+++ b/windows/configuration/set-up-shared-or-guest-pc.md
@ -85,21 +85,30 @@ You can configure Windows to be in shared PC mode in a couple different ways:
 - Mobile device management (MDM): Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/sharedpc-csp). To setup a shared device policy for Windows 10 in Intune, complete the following steps:
-  1. Go to the [Microsoft Endpoint Manager portal](https://endpoint.microsoft.com/#home).
+  1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
  2. Select **Devices** from the navigation. 
  3. Under **Policy**, select **Configuration profiles**.
  4. Select **Create profile**.
  5. From the **Platform** menu, select **Windows 10 and later**.
  6. From the **Profile** menu, select **Shared multi-user device**.
-     ![custom OMA-URI policy in Intune](images/shared_pc_1.jpg) 
+  2. Select **Devices** > **Windows** > **Configuration profiles** > **Create profile**.
-  7. Select **Create**.
+  3. Enter the following properties:
  8. Enter a name for the policy (e.g. My Win10 Shared devices policy). You can optionally add a description should you wish to do so.
  9. Select **Next**.
  10. On the **Configuration settings** page, set the ‘Shared PC Mode’ value to **Enabled**.
-     ![Shared PC settings in ICD](images/shared_pc_3.png) 
+     - **Platform**: Select **Windows 10 and later**.
     - **Profile**: Select **Templates** > **Shared multi-user device**.
  4. Select **Create**.
  5. In **Basics**, enter the following properties:
     - **Name**: Enter a descriptive name for the new profile.
     - **Description**: Enter a description for the profile. This setting is optional, but recommended.
  6. Select **Next**.
  7. In **Configuration settings**, depending on the platform you chose, the settings you can configure are different. Choose your platform for detailed settings:
  8. On the **Configuration settings** page, set the ‘Shared PC Mode’ value to **Enabled**.
     > [!div class="mx-imgBorder"]
     > ![Shared PC mode in the Configuration settings page](images/shared_pc_3.png) 
  11. From this point on, you can configure any additional settings you’d like to be part of this policy, and then follow the rest of the set-up flow to its completion by selecting **Create** after **Step 6**.
@ -109,26 +118,26 @@ You can configure Windows to be in shared PC mode in a couple different ways:
 - WMI bridge: Environments that use Group Policy can use the [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/desktop/dn905224.aspx) to configure the [MDM_SharedPC class](https://msdn.microsoft.com/library/windows/desktop/mt779129.aspx). For all device settings, the WMI Bridge client must be executed under local system user; for more information, see [Using PowerShell scripting with the WMI Bridge Provider](https://docs.microsoft.com/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider). For example, open PowerShell as an administrator and enter the following:
-```
+  ```powershell
-$sharedPC = Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName "MDM_SharedPC"
+  $sharedPC = Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName "MDM_SharedPC"
-$sharedPC.EnableSharedPCMode = $True
+  $sharedPC.EnableSharedPCMode = $True
-$sharedPC.SetEduPolicies = $True
+  $sharedPC.SetEduPolicies = $True
-$sharedPC.SetPowerPolicies = $True
+  $sharedPC.SetPowerPolicies = $True
-$sharedPC.MaintenanceStartTime = 0
+  $sharedPC.MaintenanceStartTime = 0
-$sharedPC.SignInOnResume = $True
+  $sharedPC.SignInOnResume = $True
-$sharedPC.SleepTimeout = 0
+  $sharedPC.SleepTimeout = 0
-$sharedPC.EnableAccountManager = $True
+  $sharedPC.EnableAccountManager = $True
-$sharedPC.AccountModel = 2
+  $sharedPC.AccountModel = 2
-$sharedPC.DeletionPolicy = 1
+  $sharedPC.DeletionPolicy = 1
-$sharedPC.DiskLevelDeletion = 25
+  $sharedPC.DiskLevelDeletion = 25
-$sharedPC.DiskLevelCaching = 50
+  $sharedPC.DiskLevelCaching = 50
-$sharedPC.RestrictLocalStorage = $False
+  $sharedPC.RestrictLocalStorage = $False
-$sharedPC.KioskModeAUMID = ""
+  $sharedPC.KioskModeAUMID = ""
-$sharedPC.KioskModeUserTileDisplayText = ""
+  $sharedPC.KioskModeUserTileDisplayText = ""
-$sharedPC.InactiveThreshold = 0
+  $sharedPC.InactiveThreshold = 0
-Set-CimInstance -CimInstance $sharedPC
+  Set-CimInstance -CimInstance $sharedPC
-Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName MDM_SharedPC
+  Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName MDM_SharedPC
-```
+  ```
 ### Create a provisioning package for shared use
@ -205,19 +214,24 @@ On a desktop computer, navigate to **Settings** &gt; **Accounts** &gt; **Work ac
 ## Guidance for accounts on shared PCs
 * We recommend no local admin accounts on the PC to improve the reliability and security of the PC.
 * When a PC is set up in shared PC mode with the default deletion policy, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account management happens automatically. Both Azure AD and Active Directory domain accounts are managed in this way. Any accounts created through **Guest** and **Kiosk** will be deleted automatically at sign out.
 * On a Windows PC joined to Azure Active Directory:
    * By default, the account that joined the PC to Azure AD will have an admin account on that PC. Global administrators for the Azure AD domain will also have admin accounts on the PC.
    * With Azure AD Premium, you can specify which accounts have admin accounts on a PC using the **Additional administrators on Azure AD Joined devices** setting on the Azure portal.
 * Local accounts that already exist on a PC won’t be deleted when turning on shared PC mode. New local accounts that are created using **Settings > Accounts > Other people > Add someone else to this PC** after shared PC mode is turned on won't be deleted. However, any new local accounts created by the **Guest** and **Kiosk** options on the sign-in screen (if enabled) will automatically be deleted at sign-out.
 * If admin accounts are necessary on the PC
    * Ensure the PC is joined to a domain that enables accounts to be signed on as admin, or
    * Create admin accounts before setting up shared PC mode, or 
    * Create exempt accounts before signing out when turning shared pc mode on.
 * The account management service supports accounts that are exempt from deletion.
-    * An account can be marked exempt from deletion by adding the account SID to the `HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\` registry key.
+    * An account can be marked exempt from deletion by adding the account SID to the registry key: `HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\`.
-    * To add the account SID to the registry key using PowerShell:<br/>
+    * To add the account SID to the registry key using PowerShell:
-        ```
+
        ```powershell
        $adminName = "LocalAdmin"
        $adminPass = 'Pa$$word123'
        iex "net user /add $adminName $adminPass"
@ -228,8 +242,6 @@ On a desktop computer, navigate to **Settings** &gt; **Accounts** &gt; **Work ac
        ``` 
 ## Policies set by shared PC mode
 Shared PC mode sets local group policies to configure the device. Some of these are configurable using the shared pc mode options.
--- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
@ -45,8 +45,9 @@ These steps will show you how to configure an Active Directory account with the
 On **DC01**:
-1. Download the [Set-OUPermissions.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619362) and copy it to the **C:\\Setup\\Scripts** directory on DC01.  This script configures permissions to allow the MDT_JD account to manage computer accounts in the contoso > Computers organizational unit.
+1. Download the [Set-OUPermissions.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619362) and copy it to the **C:\\Setup\\Scripts** directory on **DC01**.  This script configures permissions to allow the **MDT_JD** account to manage computer accounts in the contoso > Computers organizational unit.
-2. Create the MDT_JD service account by running the following command from an elevated Windows PowerShell prompt:
+
 2. Create the **MDT_JD** service account by running the following command from an elevated **Windows PowerShell prompt**:
   ```powershell
   New-ADUser -Name MDT_JD -UserPrincipalName MDT_JD -path "OU=Service Accounts,OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM" -Description "MDT join domain account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -PasswordNeverExpires $true -Enabled $true 
@ -60,19 +61,20 @@ On **DC01**:
   .\Set-OUPermissions.ps1 -Account MDT_JD -TargetOU "OU=Workstations,OU=Computers,OU=Contoso"
   ```
-The following is a list of the permissions being granted:
+   The following is a list of the permissions being granted:
-    a.  Scope: This object and all descendant objects
+
-    b.  Create Computer objects
+   - Scope: This object and all descendant objects
-    c.  Delete Computer objects
+   - Create Computer objects
-    d.  Scope: Descendant Computer objects
+   - Delete Computer objects
-    e.  Read All Properties
+   - Scope: Descendant Computer objects
-    f.  Write All Properties
+   - Read All Properties
-    g.  Read Permissions
+   - Write All Properties
-    h.  Modify Permissions
+   - Read Permissions
-    i.  Change Password
+   - Modify Permissions
-    j.  Reset Password
+   - Change Password
-    k.  Validated write to DNS host name
+   - Reset Password
-    l.  Validated write to service principal name
+   - Validated write to DNS host name
   - Validated write to service principal name
 ## Step 2: Set up the MDT production deployment share
@ -87,8 +89,11 @@ The steps for creating the deployment share for production are the same as when
 1. Ensure you are signed on as: contoso\administrator.
 2. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**.
 3. On the **Path** page, in the **Deployment share path** text box, type **D:\\MDTProduction** and click **Next**.
 4. On the **Share** page, in the **Share name** text box, type **MDTProduction$** and click **Next**.
 5. On the **Descriptive Name** page, in the **Deployment share description** text box, type **MDT Production** and click **Next**.
 6. On the **Options** page, accept the default settings and click **Next** twice, and then click **Finish**.
 7. Using File Explorer, verify that you can access the **\\\\MDT01\\MDTProduction$** share.
@ -116,9 +121,13 @@ In these steps, we assume that you have completed the steps in the [Create a Win
 1.  Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Production**; select the **Operating Systems** node, and create a folder named **Windows 10**.
 2.  Right-click the **Windows 10** folder and select **Import Operating System**.
 3.  On the **OS Type** page, select **Custom image file** and click **Next**.
 4.  On the **Image** page, in the **Source file** text box, browse to **D:\\MDTBuildLab\\Captures\\REFW10X64-001.wim** and click **Next**.
 5.  On the **Setup** page, select the **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path** option; in the **Setup source directory** text box, browse to **D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM** and click **Next**.
 6.  On the **Destination** page, in the **Destination directory name** text box, type **W10EX64RTM**, click **Next** twice, and then click **Finish**.
 7.  After adding the operating system, double-click the added operating system name in the **Operating Systems / Windows 10** node and change the name to **Windows 10 Enterprise x64 RTM Custom Image**.
@ -140,16 +149,22 @@ On **MDT01**:
 2. Extract the .exe file that you downloaded to an .msi (ex: .\AcroRdrDC1902120058_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne).
 3. In the Deployment Workbench, expand the **MDT Production** node and navigate to the **Applications** node.
 4. Right-click the **Applications** node, and create a new folder named **Adobe**.
 5. In the **Applications** node, right-click the **Adobe** folder and select **New Application**.
 6. On the **Application Type** page, select the **Application with source files** option and click **Next**.
 7. On the **Details** page, in the **Application Name** text box, type **Install - Adobe Reader** and click *Next**.
 8. On the **Source** page, in the **Source Directory** text box, browse to **D:\\setup\\adobe\\install** and click **Next**.
 9. On the **Destination** page, in the **Specify the name of the directory that should be created** text box, type **Install - Adobe Reader** and click **Next**.
 10. On the **Command Details** page, in the **Command Line** text box, type **msiexec /i AcroRead.msi /q**, click **Next** twice, and then click **Finish**.
-![acroread image](../images/acroread.png)
+    ![acroread image](../images/acroread.png)
-The Adobe Reader application added to the Deployment Workbench.
+    The Adobe Reader application added to the Deployment Workbench.
 ## Step 5: Prepare the drivers repository
@ -211,16 +226,17 @@ When you import drivers to the MDT driver repository, MDT creates a single insta
 The preceding folder names should match the actual make and model values that MDT reads from devices during deployment. You can find out the model values for your machines by using the following command in Windows PowerShell:
-``` powershell
+```powershell
 Get-WmiObject -Class:Win32_ComputerSystem
 ```
 Or, you can use this command in a normal command prompt:
-``` 
+```console
 wmic csproduct get name
 ```
-If you want a more standardized naming convention, try the ModelAliasExit.vbs script from the Deployment Guys blog post entitled [Using and Extending Model Aliases for Hardware Specific Application Installation](https://go.microsoft.com/fwlink/p/?LinkId=619536).
+If you want a more standardized naming convention, try the **ModelAliasExit.vbs script** from the Deployment Guys blog post, entitled [Using and Extending Model Aliases for Hardware Specific Application Installation](https://go.microsoft.com/fwlink/p/?LinkId=619536).
 ![drivers](../images/fig4-oob-drivers.png)
@ -244,9 +260,9 @@ On **MDT01**:
    2.  Folders: Select the WinPE x64 folder in Out-of-Box Drivers.
    3.  Click **Next**, **Next** and **Finish**.
-![figure 5](../images/fig5-selectprofile.png)
+    ![figure 5](../images/fig5-selectprofile.png)
-Creating the WinPE x64 selection profile.
+    Creating the WinPE x64 selection profile.
 ### Extract and import drivers for the x64 boot image
@ -267,7 +283,8 @@ On **MDT01**:
 For the ThinkStation P500 model, you use the Lenovo ThinkVantage Update Retriever software to download the drivers. With Update Retriever, you need to specify the correct Lenovo Machine Type for the actual hardware (the first four characters of the model name). As an example, the Lenovo ThinkStation P500 model has the 30A6003TUS model name, meaning the Machine Type is 30A6.
-![ThinkStation image](../images/thinkstation.png)
+> [!div class="mx-imgBorder"]
 > ![ThinkStation image](../images/thinkstation.png)
 To get the updates, download the drivers from the Lenovo ThinkVantage Update Retriever using its export function. You can also download the drivers by searching PC Support on the [Lenovo website](https://go.microsoft.com/fwlink/p/?LinkId=619543).
@ -276,9 +293,12 @@ In this example, we assume you have downloaded and extracted the drivers using T
 On **MDT01**:
 1. In the Deployment Workbench, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Lenovo** node.
 2.  Right-click the **30A6003TUS** folder and select **Import Drivers** and use the following Driver source directory to import drivers: **D:\\Drivers\\Windows 10 x64\\Lenovo\\ThinkStation P500 (30A6003TUS)**
-The folder you select and all sub-folders will be checked for drivers, expanding any .cab files that are present and searching for drivers.
+2.  Right-click the **30A6003TUS** folder and select **Import Drivers** and use the following Driver source directory to import drivers: 
    **D:\\Drivers\\Windows 10 x64\\Lenovo\\ThinkStation P500 (30A6003TUS)**
    The folder you select and all sub-folders will be checked for drivers, expanding any .cab files that are present and searching for drivers.
 ### For the Latitude E7450
@ -289,7 +309,10 @@ In these steps, we assume you have downloaded and extracted the CAB file for the
 On **MDT01**:
 1. In the **Deployment Workbench**, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Dell Inc** node.
-2.  Right-click the **Latitude E7450** folder and select **Import Drivers** and use the following Driver source directory to import drivers: **D:\\Drivers\\Windows 10 x64\\Dell Inc\\Latitude E7450**
+
 2.  Right-click the **Latitude E7450** folder and select **Import Drivers** and use the following Driver source directory to import drivers: 
    **D:\\Drivers\\Windows 10 x64\\Dell Inc\\Latitude E7450**
 ### For the HP EliteBook 8560w
@ -300,7 +323,10 @@ In these steps, we assume you have downloaded and extracted the drivers for the
 On **MDT01**:
 1.  In the **Deployment Workbench**, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Hewlett-Packard** node.
-2.  Right-click the **HP EliteBook 8560w** folder and select **Import Drivers** and use the following Driver source directory to import drivers: **D:\\Drivers\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w**
+
 2.  Right-click the **HP EliteBook 8560w** folder and select **Import Drivers** and use the following Driver source directory to import drivers: 
    **D:\\Drivers\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w**
 ### For the Microsoft Surface Laptop
@ -309,7 +335,10 @@ For the Microsoft Surface Laptop model, you find the drivers on the Microsoft we
 On **MDT01**:
 1.  In the Deployment Workbench, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Microsoft** node.
-2.  Right-click the **Surface Laptop** folder and select **Import Drivers**; and use the following Driver source directory to import drivers: **D:\\Drivers\\Windows 10 x64\\Microsoft\\Surface Laptop**
+
 2.  Right-click the **Surface Laptop** folder and select **Import Drivers**; and use the following Driver source directory to import drivers: 
    **D:\\Drivers\\Windows 10 x64\\Microsoft\\Surface Laptop**
 ## Step 6: Create the deployment task sequence
@ -320,40 +349,46 @@ This section will show you how to create the task sequence used to deploy your p
 On **MDT01**:
 1. In the Deployment Workbench, under the **MDT Production** node, right-click **Task Sequences**, and create a folder named **Windows 10**.
 2. Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
-   1. Task sequence ID: W10-X64-001
+   - Task sequence ID: W10-X64-001
-   2. Task sequence name: Windows 10 Enterprise x64 RTM Custom Image
+   - Task sequence name: Windows 10 Enterprise x64 RTM Custom Image
-   3. Task sequence comments: Production Image
+   - Task sequence comments: Production Image
-   4. Template: Standard Client Task Sequence
+   - Template: Standard Client Task Sequence
-   5. Select OS: Windows 10 Enterprise x64 RTM Custom Image
+   - Select OS: Windows 10 Enterprise x64 RTM Custom Image
-   6. Specify Product Key: Do not specify a product key at this time
+   - Specify Product Key: Do not specify a product key at this time
-   7. Full Name: Contoso
+   - Full Name: Contoso
-   8. Organization: Contoso
+   - Organization: Contoso
-   9. Internet Explorer home page: https://www.contoso.com
+   - Internet Explorer home page: https://www.contoso.com
-   10. Admin Password: Do not specify an Administrator Password at this time
+   - Admin Password: Do not specify an Administrator Password at this time
 ### Edit the Windows 10 task sequence
 1. Continuing from the previous procedure, right-click the **Windows 10 Enterprise x64 RTM Custom Image** task sequence, and select **Properties**.
 2. On the **Task Sequence** tab, configure the **Windows 10 Enterprise x64 RTM Custom Image** task sequence with the following settings:
   1.  Preinstall: After the **Enable BitLocker (Offline)** action, add a **Set Task Sequence Variable** action with the following settings:
       1.  Name: Set DriverGroup001
       2.  Task Sequence Variable: DriverGroup001
       3.  Value: Windows 10 x64\\%Make%\\%Model%
   2.  Configure the **Inject Drivers** action with the following settings:
       1.  Choose a selection profile: Nothing
       2.  Install all drivers from the selection profile
-           >[!NOTE]
+2. On the **Task Sequence** tab, configure the **Windows 10 Enterprise x64 RTM Custom Image** task sequence with the following settings:
-           >The configuration above indicates that MDT should only use drivers from the folder specified by the DriverGroup001 property, which is defined by the "Choose a selection profile: Nothing" setting, and that MDT should not use plug and play to determine which drivers to copy, which is defined by the "Install all drivers from the selection profile" setting.
+
   1.  Preinstall: After the **Enable BitLocker (Offline)** action, add a **Set Task Sequence Variable** action with the following settings:
       - Name: Set DriverGroup001
       - Task Sequence Variable: DriverGroup001
       - Value: Windows 10 x64\\%Make%\\%Model%
   2.  Configure the **Inject Drivers** action with the following settings:
       - Choose a selection profile: Nothing
       - Install all drivers from the selection profile
       > [!NOTE]
       > The configuration above indicates that MDT should only use drivers from the folder specified by the DriverGroup001 property, which is defined by the "Choose a selection profile: Nothing" setting, and that MDT should not use plug and play to determine which drivers to copy, which is defined by the "Install all drivers from the selection profile" setting.
   3.  State Restore. Enable the **Windows Update (Pre-Application Installation)** action.
   4.  State Restore. Enable the **Windows Update (Post-Application Installation)** action.
 3. Click **OK**.
-![drivergroup](../images/fig6-taskseq.png)
+   ![drivergroup](../images/fig6-taskseq.png)
-The task sequence for production deployment.
+   The task sequence for production deployment.
 ## Step 7: Configure the MDT production deployment share
@ -408,56 +443,65 @@ On **MDT01**:
 3. Click **Edit Bootstrap.ini** and modify using the following information:
-``` 
+   ``` 
-[Settings]
+   [Settings]
-Priority=Default
+   Priority=Default
-[Default]
+   [Default]
-DeployRoot=\\MDT01\MDTProduction$
+   DeployRoot=\\MDT01\MDTProduction$
-UserDomain=CONTOSO
+   UserDomain=CONTOSO
-UserID=MDT_BA
+   UserID=MDT_BA
-UserPassword=pass@word1
+   UserPassword=pass@word1
-SkipBDDWelcome=YES
+   SkipBDDWelcome=YES
-```
+   ```
 4. On the **Windows PE** tab, in the **Platform** drop-down list, make sure **x86** is selected.
 5. On the **General** sub tab (still under the main Windows PE tab), configure the following settings:
-   - In the **Lite Touch Boot Image Settings** area:
+
-     1.  Image description: MDT Production x86
+   In the **Lite Touch Boot Image Settings** area:
-     2.  ISO file name: MDT Production x86.iso
+
   - Image description: MDT Production x86
   - ISO file name: MDT Production x86.iso
   > [!NOTE]
   > 
-     >Because you are going to use Pre-Boot Execution Environment (PXE) later to deploy the machines, you do not need the ISO file; however, we recommend creating ISO files because they are useful when troubleshooting deployments and for quick tests.
+   > Because you are going to use Pre-Boot Execution Environment (PXE) later to deploy the machines, you do not need the ISO file; however, we recommend creating ISO files because they are useful when troubleshooting deployments and for quick tests.
 6. On the **Drivers and Patches** sub tab, select the **WinPE x86** selection profile and select the **Include all drivers from the selection profile** option.
 7. On the **Windows PE** tab, in the **Platform** drop-down list, select **x64**.
 8. On the **General** sub tab, configure the following settings:
-   -   In the **Lite Touch Boot Image Settings** area:
+
-       1.  Image description: MDT Production x64
+   In the **Lite Touch Boot Image Settings** area:
-       2.  ISO file name: MDT Production x64.iso
+
   - Image description: MDT Production x64
   - ISO file name: MDT Production x64.iso
 9. In the **Drivers and Patches** sub tab, select the **WinPE x64** selection profile and select the **Include all drivers from the selection profile** option.
 10. In the **Monitoring** tab, select the **Enable monitoring for this deployment share** check box.
 11. Click **OK**.
->[!NOTE]
+    >[!NOTE]
->It will take a while for the Deployment Workbench to create the monitoring database and web service.
+    >It will take a while for the Deployment Workbench to create the monitoring database and web service.
    ![figure 8](../images/mdt-07-fig08.png)
-![figure 8](../images/mdt-07-fig08.png)
+    The Windows PE tab for the x64 boot image.
 The Windows PE tab for the x64 boot image.
 ### The rules explained
 The rules for the MDT Production deployment share are somewhat different from those for the MDT Build Lab deployment share. The biggest differences are that you deploy the machines into a domain instead of a workgroup.
->
+You can optionally remove the **UserID** and **UserPassword** entries from Bootstrap.ini so that users performing PXE boot are prompted to provide credentials with permission to connect to the deployment share. Setting **SkipBDDWelcome=NO** enables the welcome screen that displays options to run the deployment wizard, run DaRT tools (if installed), exit to a Windows PE command prompt, set the keyboard layout, or configure a static IP address.  In this example we are skipping the welcome screen and providing credentials.
 >You can optionally remove the **UserID** and **UserPassword** entries from Bootstrap.ini so that users performing PXE boot are prompted to provide credentials with permission to connect to the deployment share. Setting **SkipBDDWelcome=NO** enables the welcome screen that displays options to run the deployment wizard, run DaRT tools (if installed), exit to a Windows PE command prompt, set the keyboard layout, or configure a static IP address.  In this example we are skipping the welcome screen and providing credentials.
 ### The Bootstrap.ini file
 This is the MDT Production Bootstrap.ini:
 ``` 
 [Settings]
 Priority=Default
@ -473,6 +517,7 @@ SkipBDDWelcome=YES
 ### The CustomSettings.ini file
 This is the CustomSettings.ini file with the new join domain information:
 ``` 
 [Settings]
 Priority=Default
@ -529,18 +574,26 @@ If your organization has a Microsoft Software Assurance agreement, you also can
 If you have licensing for MDOP and DaRT, you can add DaRT to the boot images using the steps in this section. If you do not have DaRT licensing, or don't want to use it, simply skip to the next section, [Update the Deployment Share](#update-the-deployment-share). To enable the remote connection feature in MDT, you need to do the following:
->DaRT 10 is part of [MDOP 2015](https://docs.microsoft.com/microsoft-desktop-optimization-pack/#how-to-get-mdop). Note: MDOP might be available as a download from your [Visual Studio subscription](https://my.visualstudio.com/Downloads). When searching, be sure to look for **Desktop Optimization Pack**.
+
 > [!NOTE]
 > DaRT 10 is part of [MDOP 2015](https://docs.microsoft.com/microsoft-desktop-optimization-pack/#how-to-get-mdop).
 >
 > MDOP might be available as a download from your [Visual Studio subscription](https://my.visualstudio.com/Downloads). When searching, be sure to look for **Desktop Optimization Pack**.
 On **MDT01**:
 1. Download MDOP 2015 and copy the DaRT 10 installer file to the D:\\Setup\\DaRT 10 folder on MDT01 (DaRT\\DaRT 10\\Installers\\\<lang\>\\x64\\MSDaRT100.msi).
 2. Install DaRT 10 (MSDaRT10.msi) using the default settings.
   ![DaRT image](../images/dart.png)
 2. Copy the two tools CAB files from **C:\\Program Files\\Microsoft DaRT\\v10** (**Toolsx86.cab** and **Toolsx64.cab**) to the production deployment share at **D:\\MDTProduction\\Tools\\x86** and **D:\\MDTProduction\\Tools\\x64**, respectively.
 3. In the Deployment Workbench, right-click the **MDT Production** deployment share and select **Properties**.
 4. On the **Windows PE** tab, in the **Platform** drop-down list, make sure **x86** is selected.
 5. On the **Features** sub tab, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** checkbox.
   ![DaRT selection](../images/mdt-07-fig09.png)
@ -548,13 +601,17 @@ On **MDT01**:
   Selecting the DaRT 10 feature in the deployment share.
 8. In the **Windows PE** tab, in the **Platform** drop-down list, select **x64**.
 9. In the **Features** sub tab, in addition to the default selected feature pack, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** check box.
 10. Click **OK**.
 ### Update the deployment share
 Like the MDT Build Lab deployment share, the MDT Production deployment share needs to be updated after it has been configured. This is the process during which the Windows PE boot images are created.
 1.  Right-click the **MDT Production** deployment share and select **Update Deployment Share**.
 2.  Use the default options for the Update Deployment Share Wizard.
 >[!NOTE]
@ -571,12 +628,14 @@ You need to add the MDT Production Lite Touch x64 Boot image to WDS in preparati
 On **MDT01**:
 1. Open the Windows Deployment Services console, expand the **Servers** node and then expand **MDT01.contoso.com**.
 2. Right-click **Boot Images** and select **Add Boot Image**.
 3. Browse to the **D:\\MDTProduction\\Boot\\LiteTouchPE\_x64.wim** file and add the image with the default settings.
-![figure 9](../images/mdt-07-fig10.png)
+   ![figure 9](../images/mdt-07-fig10.png)
-The boot image added to the WDS console.
+   The boot image added to the WDS console.
 ### Deploy the Windows 10 client
@ -585,13 +644,15 @@ At this point, you should have a solution ready for deploying the Windows 10 cl
 On **HV01**:
 1. Create a virtual machine with the following settings:
-    1. Name: PC0005
+
-    2. Store the virtual machine in a different location: C:\VM
+   - Name: PC0005
-    3. Generation: 2
+   - Store the virtual machine in a different location: C:\VM
-    4. Memory: 2048 MB
+   - Generation: 2
-    5. Network: Must be able to connect to \\MDT01\MDTProduction$
+   - Memory: 2048 MB
-    6. Hard disk: 60 GB (dynamic disk)
+   - Network: Must be able to connect to \\MDT01\MDTProduction$
-    7. Installation Options: Install an operating system from a network-based installation server
+   - Hard disk: 60 GB (dynamic disk)
   - Installation Options: Install an operating system from a network-based installation server
 2.  Start the PC0005 virtual machine, and press **Enter** to start the PXE boot. The VM will now load the Windows PE boot image from the WDS server.
    ![figure 10](../images/mdt-07-fig11.png)
@ -599,15 +660,18 @@ On **HV01**:
    The initial PXE boot process of PC0005.
 3.  After Windows PE has booted, complete the Windows Deployment Wizard using the following setting:
    1.  Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Custom Image
    2.  Computer Name: **PC0005**
    3.  Applications: Select the **Install - Adobe Reader** checkbox.
 4.  Setup now begins and does the following:
    1.  Installs the Windows 10 Enterprise operating system.
    2.  Installs the added application.
    3.  Updates the operating system via your local Windows Server Update Services (WSUS) server.
-![pc0005 image1](../images/pc0005-vm.png)
+    - Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Custom Image
    - Computer Name: **PC0005**
    - Applications: Select the **Install - Adobe Reader** checkbox.
 4.  Setup now begins and does the following:
    - Installs the Windows 10 Enterprise operating system.
    - Installs the added application.
    - Updates the operating system via your local Windows Server Update Services (WSUS) server.
    ![pc0005 image1](../images/pc0005-vm.png)
 ### Application installation
@ -622,12 +686,14 @@ Since you have enabled the monitoring on the MDT Production deployment share, yo
 On **MDT01**:
 1.  In the Deployment Workbench, expand the **MDT Production** deployment share folder.
 2.  Select the **Monitoring** node, and wait until you see PC0005.
 3.  Double-click PC0005, and review the information.
-![figure 11](../images/mdt-07-fig13.png)
+    ![figure 11](../images/mdt-07-fig13.png)
-The Monitoring node, showing the deployment progress of PC0005.
+    The Monitoring node, showing the deployment progress of PC0005.
 ### Use information in the Event Viewer
@ -657,9 +723,9 @@ On **MDT01**:
 3.  Right-click the **MDT Production** deployment share folder and select **Update Deployment Share**.
 4.  After updating the deployment share, use the Windows Deployment Services console to, verify that the multicast namespace was created.
-![figure 13](../images/mdt-07-fig15.png)
+    ![figure 13](../images/mdt-07-fig15.png)
-The newly created multicast namespace.
+    The newly created multicast namespace.
 ## Use offline media to deploy Windows 10
@ -674,15 +740,18 @@ To filter what is being added to the media, you create a selection profile. When
 On **MDT01**:
 1.  In the Deployment Workbench, under the **MDT Production / Advanced Configuration** node, right-click **Selection Profiles**, and select **New Selection Profile**.
 2.  Use the following settings for the New Selection Profile Wizard:
-    1.  General Settings
+
    - General Settings
      -   Selection profile name: Windows 10 Offline Media
-    2.  Folders
+
-        1.  Applications / Adobe
+    - Folders
-        2.  Operating Systems / Windows 10
+      - Applications / Adobe
-        3.  Out-Of-Box Drivers / WinPE x64
+      - Operating Systems / Windows 10
-        4.  Out-Of-Box Drivers / Windows 10 x64
+      - Out-Of-Box Drivers / WinPE x64
-        5.  Task Sequences / Windows 10
+      - Out-Of-Box Drivers / Windows 10 x64
      - Task Sequences / Windows 10
      ![offline media](../images/mdt-offline-media.png)
@ -696,10 +765,11 @@ In these steps, you generate offline media from the MDT Production deployment sh
     >When creating offline media, you need to create the target folder first. It is crucial that you do not create a subfolder inside the deployment share folder because it will break the offline media.
 2.  In the Deployment Workbench, under the **MDT Production / Advanced Configuration** node, right-click the **Media** node, and select **New Media**.
 3.  Use the following settings for the New Media Wizard:
    -   General Settings
-        1.  Media path: **D:\\MDTOfflineMedia**
+        - Media path: **D:\\MDTOfflineMedia**
-        2.  Selection profile: **Windows 10 Offline Media**
+        - Selection profile: **Windows 10 Offline Media**
 ### Configure the offline media
@ -708,16 +778,22 @@ Offline media has its own rules, its own Bootstrap.ini and CustomSettings.ini fi
 On **MDT01**:
 1.  Copy the CustomSettings.ini file from the **D:\MDTProduction\Control** folder to **D:\\MDTOfflineMedia\\Content\\Deploy\\Control**. Overwrite the existing files.
 2.  In the Deployment Workbench, under the **MDT Production / Advanced Configuration / Media** node, right-click the **MEDIA001** media, and select **Properties**.
 3.  In the **General** tab, configure the following:
-    1.  Clear the Generate x86 boot image check box.
+    - Clear the Generate x86 boot image check box.
-    2.  ISO file name: Windows 10 Offline Media.iso
+    - ISO file name: Windows 10 Offline Media.iso
 4.  On the **Windows PE** tab, in the **Platform** drop-down list, select **x64**.
 5.  On the **General** sub tab, configure the following settings:
-    1.  In the **Lite Touch Boot Image Settings** area:
+    - In the **Lite Touch Boot Image Settings** area:
      -  Image description: MDT Production x64
-    2.  In the **Windows PE Customizations** area, set the Scratch space size to 128.
+    - In the **Windows PE Customizations** area, set the Scratch space size to 128.
 6.  On the **Drivers and Patches** sub tab, select the **WinPE x64** selection profile and select the **Include all drivers from the selection profile** option.
 7.  Click **OK**.
 ### Generate the offline media
@ -727,6 +803,7 @@ You have now configured the offline media deployment share, however the share ha
 On **MDT01**:
 1.  In the Deployment Workbench, navigate to the **MDT Production / Advanced Configuration / Media** node.
 2.  Right-click the **MEDIA001** media, and select **Update Media Content**. The Update Media Content process now generates the offline media in the **D:\\MDTOfflineMedia\\Content** folder. The process might require several minutes.
 ### Create a bootable USB stick
@ -734,15 +811,20 @@ On **MDT01**:
 The ISO that you got when updating the offline media item can be burned to a DVD and used directly (it will be bootable), but it is often more efficient to use USB sticks instead since they are faster and can hold more data. (A dual-layer DVD is limited to 8.5 GB.)
 >[!TIP] 
->In this example, the .wim file is 5.5 GB in size. However, bootable USB sticks are formatted with the FAT32 file system which limits file size to 4.0 GB. You can place the image on a different drive (ex: E:\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.swm) and then modify E:\Deploy\Control\OperatingSystems.xml to point to it. Alternatively to keep using the USB you must split the .wim file, which can be done using DISM: <br>&nbsp;<br>Dism /Split-Image /ImageFile:D:\MDTOfflinemedia\Content\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.wim /SWMFile:E:\sources\install.swm /FileSize:3800. <br>&nbsp;<br>Windows Setup automatically installs from this file, provided you name it install.swm. The file names for the next files include numbers, for example: install2.swm, install3.swm. <br>&nbsp;<br>To enable split image in MDT, the Settings.xml file in your deployment share (ex: D:\MDTProduction\Control\Settings.xml) must have the **SkipWimSplit** value set to **False**. By default this value is set to True (\<SkipWimSplit\>True\</SkipWimSplit\>), so this must be changed and the offline media content updated.
+>In this example, the .wim file is 5.5 GB in size. However, bootable USB sticks are formatted with the FAT32 file system which limits file size to 4.0 GB. You can place the image on a different drive (ex: E:\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.swm) and then modify E:\Deploy\Control\OperatingSystems.xml to point to it. Alternatively to keep using the USB you must split the .wim file, which can be done using DISM: <br>&nbsp;<br>Dism /Split-Image /ImageFile:D:\MDTOfflinemedia\Content\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.wim /SWMFile:E:\sources\install.swm /FileSize:3800. <br>&nbsp;<br>Windows Setup automatically installs from this file, provided you name it install.swm. The file names for the next files include numbers, for example: install2.swm, install3.swm. <br>&nbsp;<br>To enable split image in MDT, the Settings.xml file in your deployment share (ex: D:\MDTProduction\Control\Settings.xml) must have the **SkipWimSplit** value set to **False**. By default this value is set to True (`<SkipWimSplit>True</SkipWimSplit>`), so this must be changed and the offline media content updated.
 Follow these steps to create a bootable USB stick from the offline media content:
 1.  On a physical machine running Windows 7 or later, insert the USB stick you want to use.
 2.  Copy the content of the **MDTOfflineMedia\\Content** folder to the root of the USB stick.
 3.  Start an elevated command prompt (run as Administrator), and start the Diskpart utility by typing **Diskpart** and pressing **Enter**.
 4.  In the Diskpart utility, you can type **list volume** (or the shorter **list vol**) to list the volumes, but you really only need to remember the drive letter of the USB stick to which you copied the content. In our example, the USB stick had the drive letter F.
 5.  In the Diskpart utility, type **select volume F** (replace F with your USB stick drive letter).
 6.  In the Diskpart utility, type **active**, and then type **exit**.
 ## Unified Extensible Firmware Interface (UEFI)-based deployments
--- a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
+++ b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
@ -46,10 +46,13 @@ The process proceeds as follows:
 1. Perform one of the following tasks:
   - Install the Volume Activation Services server role on a domain controller and add a KMS host key by using the Volume Activation Tools Wizard.
   - Extend the domain to the Windows Server 2012 R2 or higher schema level, and add a KMS host key by using the VAMT.
 1. Microsoft verifies the KMS host key, and an activation object is created.
 1. Client computers are activated by receiving the activation object from a domain controller during startup.
-    ![Active Directory-based activation flow](../images/volumeactivationforwindows81-10.jpg)
+    > [!div class="mx-imgBorder"]
    > ![Active Directory-based activation flow](../images/volumeactivationforwindows81-10.jpg)
    **Figure 10**. The Active Directory-based activation flow
@ -69,7 +72,9 @@ When a reactivation event occurs, the client queries AD DS for the activation o
 **To configure Active Directory-based activation on Windows Server 2012 R2 or higher, complete the following steps:**
 1. Use an account with Domain Administrator and Enterprise Administrator credentials to sign in to a domain controller.
 1. Launch Server Manager.
 1. Add the Volume Activation Services role, as shown in Figure 11.
    ![Adding the Volume Activation Services role](../images/volumeactivationforwindows81-11.jpg)
@ -100,6 +105,16 @@ When a reactivation event occurs, the client queries AD DS for the activation o
    **Figure 15**. Choosing how to activate your product
    > [!NOTE]
    > To activate a KMS Host Key (CSVLK) for Microsoft Office, you need to install the version-specific Office Volume License Pack on the server where the Volume Activation Server Role is installed.
    > 
    > 
    > - [Office 2013 VL pack](https://www.microsoft.com/download/details.aspx?id=35584)
    > 
    > - [Office 2016 VL pack](https://www.microsoft.com/download/details.aspx?id=49164)
    >
    > - [Office 2019 VL pack](https://www.microsoft.com/download/details.aspx?id=57342)
 1. After activating the key, click **Commit**, and then click **Close**.
 ## Verifying the configuration of Active Directory-based activation
@ -107,14 +122,22 @@ When a reactivation event occurs, the client queries AD DS for the activation o
 To verify your Active Directory-based activation configuration, complete the following steps:
 1. After you configure Active Directory-based activation, start a computer that is running an edition of Windows that is configured by volume licensing.
 1. If the computer has been previously configured with a MAK key, replace the MAK key with the GVLK by running the **slmgr.vbs /ipk** command and specifying the GLVK as the new product key.
 1. If the computer is not joined to your domain, join it to the domain.
 1. Sign in to the computer.
 1. Open Windows Explorer, right-click **Computer**, and then click **Properties**.
 1. Scroll down to the **Windows activation** section, and verify that this client has been activated.
    > [!NOTE]
    > If you are using both KMS and Active Directory-based activation, it may be difficult to see whether a client has been activated by KMS or by Active Directory-based activation. Consider disabling KMS during the test, or make sure that you are using a client computer that has not already been activated by KMS. The **slmgr.vbs /dlv** command also indicates whether KMS has been used.
    > 
    > To manage individual activations or apply multiple (mass) activations, please consider using the [VAMT](https://docs.microsoft.com/windows/deployment/volume-activation/volume-activation-management-tool).
 ## See also
--- a/windows/deployment/windows-10-subscription-activation.md
+++ b/windows/deployment/windows-10-subscription-activation.md
@ -21,7 +21,7 @@ ms.topic: article
 Starting with Windows 10, version 1703 Windows 10 Pro supports the Subscription Activation feature, enabling users to “step-up” from Windows 10 Pro to **Windows 10 Enterprise** automatically if they are subscribed to Windows 10 Enterprise E3 or E5.
-With Windows 10, version 1903 the Subscription Activation feature also supports the ability to step-up from Windows 10 Pro Education to the Enterprise grade edition for educational institutions – **Windows 10 Education**.
+With Windows 10, version 1903 the Subscription Activation feature also supports the ability to step-up from Windows 10 Pro Education to the Enterprise grade edition for educational institutions—**Windows 10 Education**.
 The Subscription Activation feature eliminates the need to manually deploy Windows 10 Enterprise or Education images on each target device, then later standing up on-prem key management services such as KMS or MAK based activation, entering GVLKs, and subsequently rebooting client devices.
@ -68,12 +68,19 @@ The following figure illustrates how deploying Windows 10 has evolved with each
 ![Illustration of how Windows 10 deployment has evolved](images/sa-evolution.png)
 - **Windows 7** required you to redeploy the operating system using a full wipe-and-load process if you wanted to change from Windows 7 Professional to Windows 10 Enterprise.<br>
 - **Windows 8.1** added support for a Windows 8.1 Pro to Windows 8.1 Enterprise in-place upgrade (considered a “repair upgrade” because the OS version was the same before and after).  This was a lot easier than wipe-and-load, but it was still time-consuming.<br>
 - **Windows 10, version 1507** added the ability to install a new product key using a provisioning package or using MDM to change the SKU.  This required a reboot, which would install the new OS components, and took several minutes to complete. However, it was a lot quicker than in-place upgrade.<br>
 - **Windows 10, version 1607** made a big leap forward. Now you can just change the product key and the SKU instantly changes from Windows 10 Pro to Windows 10 Enterprise.  In addition to provisioning packages and MDM, you can just inject a key using SLMGR.VBS (which injects the key into WMI), so it became trivial to do this using a command line.<br>
 - **Windows 10, version 1703** made this “step-up” from Windows 10 Pro to Windows 10 Enterprise automatic for those that subscribed to Windows 10 Enterprise E3 or E5 via the CSP program.<br>
 - **Windows 10, version 1709** adds support for Windows 10 Subscription Activation, very similar to the CSP support but for large enterprises, enabling the use of Azure AD for assigning licenses to users. When those users sign in on an AD or Azure AD-joined machine, it automatically steps up from Windows 10 Pro to Windows 10 Enterprise.<br>
 - **Windows 10, version 1803** updates Windows 10 Subscription Activation to enable pulling activation keys directly from firmware for devices that support firmware-embedded keys. It is no longer necessary to run a script to perform the activation step on Windows 10 Pro prior to activating Enterprise. For virtual machines and hosts running Windows 10, version 1803 [Inherited Activation](#inherited-activation) is also enabled.<br>
 - **Windows 10, version 1903** updates Windows 10 Subscription Activation to enable step up from Windows 10 Pro Education to Windows 10 Education for those with a qualifying Windows 10 or Microsoft 365 subscription.
 ## Requirements
@ -105,21 +112,29 @@ To resolve this issue:
 If the device is running Windows 10, version 1703, 1709, or 1803, the user must either sign in with an Azure AD account, or you must disable MFA for this user during the 30-day polling period and renewal.
 If the device is running Windows 10, version 1809 or later:
 1. Windows 10, version 1809 must be updated with [KB4497934](https://support.microsoft.com/help/4497934/windows-10-update-kb4497934). Later versions of Windows 10 automatically include this patch.
 2. When the user signs in on a Hybrid Azure AD joined device with MFA enabled, a notification will indicate that there is a problem. Click the notification and then click **Fix now** to step through the subscription activation process. See the example below:
-![Subscription Activation with MFA example 1](images/sa-mfa1.png)<br>
+- Windows 10, version 1809 must be updated with [KB4497934](https://support.microsoft.com/help/4497934/windows-10-update-kb4497934). Later versions of Windows 10 automatically include this patch.
-![Subscription Activation with MFA example 2](images/sa-mfa2.png)<br>
+
-![Subscription Activation with MFA example 3](images/sa-mfa3.png)
+- When the user signs in on a Hybrid Azure AD joined device with MFA enabled, a notification will indicate that there is a problem. Click the notification and then click **Fix now** to step through the subscription activation process. See the example below:
   ![Subscription Activation with MFA example 1](images/sa-mfa1.png)<br>
   ![Subscription Activation with MFA example 2](images/sa-mfa2.png)<br>
   ![Subscription Activation with MFA example 3](images/sa-mfa3.png)
 ### Windows 10 Education requirements
-1. Windows 10 Pro Education, version 1903 or later installed on the devices to be upgraded.
+- Windows 10 Pro Education, version 1903 or later installed on the devices to be upgraded.
 2. A device with a Windows 10 Pro Education digital license. You can confirm this information in Settings > Update & Security > Activation.
 3. The Education tenant must have an active subscription to Microsoft 365 with a Windows 10 Enterprise license or a Windows 10 Enterprise or Education subscription.
 4. Devices must be Azure AD-joined or Hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices are not supported.
-> If Windows 10 Pro is converted to Windows 10 Pro Education [using benefits available in Store for Education](https://docs.microsoft.com/education/windows/change-to-pro-education#change-using-microsoft-store-for-education), then the feature will not work. You will need to re-image the device using a Windows 10 Pro Education edition.
+- A device with a Windows 10 Pro Education digital license. You can confirm this information in **Settings > Update & Security > Activation**.
 - The Education tenant must have an active subscription to Microsoft 365 with a Windows 10 Enterprise license or a Windows 10 Enterprise or Education subscription.
 - Devices must be Azure AD-joined or Hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices are not supported.
 > [!IMPORTANT]
 > If Windows 10 Pro is converted to Windows 10 Pro Education by [using benefits available in Store for Education](https://docs.microsoft.com/education/windows/change-to-pro-education#change-using-microsoft-store-for-education), then the feature will not work. You will need to re-image the device using a Windows 10 Pro Education edition.
 ## Benefits
@ -131,15 +146,19 @@ With Windows 10 Enterprise or Windows 10 Education, businesses and institutions
 You can benefit by moving to Windows as an online service in the following ways:
-1. Licenses for Windows 10 Enterprise and Education are checked based on Azure Active Directory (Azure AD) credentials, so now businesses have a systematic way to assign licenses to end users and groups in their organization.
+- Licenses for Windows 10 Enterprise and Education are checked based on Azure Active Directory (Azure AD) credentials, so now businesses have a systematic way to assign licenses to end users and groups in their organization.
-2. User logon triggers a silent edition upgrade, with no reboot required
+
-3. Support for mobile worker/BYOD activation; transition away from on-prem KMS and MAK keys.
+- User logon triggers a silent edition upgrade, with no reboot required.
-4. Compliance support via seat assignment.
+
-5. Licenses can be updated to different users dynamically, enabling you to optimize your licensing investment against changing needs.
+- Support for mobile worker/BYOD activation; transition away from on-prem KMS and MAK keys.
 - Compliance support via seat assignment.
 - Licenses can be updated to different users dynamically, enabling you to optimize your licensing investment against changing needs.
 ## How it works
-The device is AAD joined from Settings > Accounts > Access work or school.
+The device is AAD joined from **Settings > Accounts > Access work or school**.
 The IT administrator assigns Windows 10 Enterprise to a user. See the following figure.
@ -157,26 +176,35 @@ Before Windows 10, version 1903:<br>
 After Windows 10, version 1903:<br>
 ![1903](images/after.png)
-Note:
+> [!NOTE]
-1. A Windows 10 Pro Education device will only step up to Windows 10 Education edition when “Windows 10 Enterprise” license is assigned from M365 Admin center (as of May 2019).
+> 
-2. A Windows 10 Pro device will only step up to Windows 10 Enterprise edition when “Windows 10 Enterprise” license is assigned from M365 Admin center (as of May 2019).
+> - A Windows 10 Pro Education device will only step up to Windows 10 Education edition when “Windows 10 Enterprise” license is assigned from M365 Admin center (as of May 2019).
 > 
 > - A Windows 10 Pro device will only step up to Windows 10 Enterprise edition when “Windows 10 Enterprise” license is assigned from M365 Admin center (as of May 2019).
 ### Scenarios
-**Scenario #1**:  You are using Windows 10, version 1803 or above, and just purchased Windows 10 Enterprise E3 or E5 subscriptions (or have had an E3 or E5 subscription for a while but haven’t yet deployed Windows 10 Enterprise).
+#### Scenario #1
 You are using Windows 10, version 1803 or above, and just purchased Windows 10 Enterprise E3 or E5 subscriptions (or have had an E3 or E5 subscription for a while but haven’t yet deployed Windows 10 Enterprise).
 All of your Windows 10 Pro devices will step-up to Windows 10 Enterprise, and devices that are already running Windows 10 Enterprise will migrate from KMS or MAK activated Enterprise edition to Subscription activated Enterprise edition when a Subscription Activation-enabled user signs in to the device.
-**Scenario #2**:  You are using Windows 10, version 1607, 1703, or 1709 with KMS for activation, and just purchased Windows 10 Enterprise E3 or E5 subscriptions (or have had an E3 or E5 subscription for a while but haven’t yet deployed Windows 10 Enterprise).
+#### Scenario #2 
 You are using Windows 10, version 1607, 1703, or 1709 with KMS for activation, and just purchased Windows 10 Enterprise E3 or E5 subscriptions (or have had an E3 or E5 subscription for a while but haven’t yet deployed Windows 10 Enterprise).
 To change all of your Windows 10 Pro devices to Windows 10 Enterprise, run the following command on each computer:
-<pre style="overflow-y: visible">
+```console
 cscript.exe c:\windows\system32\slmgr.vbs /ipk NPPR9-FWDCX-D2C8J-H872K-2YT43</pre>
 ```
 The command causes the OS to change to Windows 10 Enterprise and then seek out the KMS server to reactivate.  This key comes from [Appendix A: KMS Client Setup Keys](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj612867(v=ws.11)) in the Volume Activation guide.  It is also possible to inject the Windows 10 Pro key from this article if you wish to step back down from Enterprise to Pro.
-**Scenario #3**:  Using Azure AD-joined devices or Active Directory-joined devices running Windows 10 1709 or later, and with Azure AD synchronization configured, just follow the steps in [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md) to acquire a $0 SKU and get a new Windows 10 Enterprise E3 or E5 license in Azure AD. Then, assign that license to all of your Azure AD users. These can be AD-synced accounts.  The device will automatically change from Windows 10 Pro to Windows 10 Enterprise when that user signs in.
+#### Scenario #3
 Using Azure AD-joined devices or Active Directory-joined devices running Windows 10 1709 or later, and with Azure AD synchronization configured, just follow the steps in [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md) to acquire a $0 SKU and get a new Windows 10 Enterprise E3 or E5 license in Azure AD. Then, assign that license to all of your Azure AD users. These can be AD-synced accounts.  The device will automatically change from Windows 10 Pro to Windows 10 Enterprise when that user signs in.
 In summary, if you have a Windows 10 Enterprise E3 or E5 subscription, but are still running Windows 10 Pro, it’s really simple (and quick) to move to Windows 10 Enterprise using one of the scenarios above.
@ -204,7 +232,7 @@ If you are using Windows 10, version 1607, 1703, or 1709 and have already deploy
 If the computer has never been activated with a Pro key, run the following script. Copy the text below into a .cmd file and run the file from an elevated command prompt:
-<pre style="overflow-y: visible">
+```console
@echo off
 FOR /F "skip=1" %%A IN ('wmic path SoftwareLicensingService get OA3xOriginalProductKey') DO  (
 SET "ProductKey=%%A"
@ -218,18 +246,24 @@ echo No key present
 echo Installing %ProductKey%
 changepk.exe /ProductKey %ProductKey%
 )
-</pre>
+```
 ### Obtaining an Azure AD license
 Enterprise Agreement/Software Assurance (EA/SA):
 - Organizations with a traditional EA must order a $0 SKU, process e-mails sent to the license administrator for the company, and assign licenses using Azure AD (ideally to groups using the new Azure AD Premium feature for group assignment). For more information, see [Enabling Subscription Activation with an existing EA](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses#enabling-subscription-activation-with-an-existing-ea).
 - The license administrator can assign seats to Azure AD users with the same process that is used for O365.
 - New EA/SA Windows Enterprise customers can acquire both an SA subscription and an associated $0 cloud subscription.
 Microsoft Products & Services Agreements (MPSA):
 - Organizations with MPSA are automatically emailed the details of the new service. They must take steps to process the instructions.
 - Existing MPSA customers will receive service activation emails that allow their customer administrator to assign users to the service.
 - New MPSA customers who purchase the Software Subscription Windows Enterprise E3 and E5 will be enabled for both the traditional key-based and new subscriptions activation method.
 ### Deploying licenses
--- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
@ -44,42 +44,58 @@ Before you can remotely reset PINs, you must on-board the Microsoft PIN reset se
 ### Connect Azure Active Directory with the PIN reset service
 1. Go to the [Microsoft PIN Reset Service Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent), and sign in using the Global administrator account you use to manage your Azure Active Directory tenant.
 2. After you have logged in, choose **Accept** to give consent for the PIN reset service to access your account.
   ![PIN reset service application in Azure](images/pinreset/pin-reset-service-prompt.png)
 3. Go to the [Microsoft PIN Reset Client Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent), and sign in using the Global administrator account you use to manage your Azure Active Directory tenant.
 4. After you have logged in, choose **Accept** to give consent for the PIN reset client to access your account.
 ![PIN reset client application in Azure](images/pinreset/pin-reset-client-prompt.png)
 > [!NOTE]
 > After you have accepted the PIN reset service and client requests, you will land on a page that states "You do not have permission to view this directory or page." This behavior is expected. Be sure to confirm that the two PIN reset applications are listed for your tenant.
 5. In the [Azure portal](https://portal.azure.com), verify that the Microsoft PIN Reset Service and Microsoft PIN Reset Client are integrated from the **Enterprise applications** blade. Filter to application status "Enabled" and both Microsoft Pin Reset Service Production and Microsoft Pin Reset Client Production will show up in your tenant.
- ![PIN reset service permissions page](images/pinreset/pin-reset-applications.png)
+
   > [!div class="mx-imgBorder"]
   > ![PIN reset service permissions page](images/pinreset/pin-reset-applications.png)
 ### Configure Windows devices to use PIN reset using Group Policy
 You configure Windows 10 to use the Microsoft PIN Reset service using the computer configuration portion of a Group Policy object.
 1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer accounts in Active Directory.
 2. Edit the Group Policy object from Step 1.
 3. Enable the **Use PIN Recovery** policy setting located under **Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business**.
 4. Close the Group Policy Management Editor to save the Group Policy object.  Close the GPMC.
 #### Create a PIN Reset Device configuration profile using Microsoft Intune
 1. Sign-in to [Endpoint Manager admin center](https://endpoint.microsoft.com/) using a Global administrator account.
 2. Click **Endpoint Security** > **Account Protection** > **Properties**.
 3. Set **Enable PIN recovery** to **Yes**.
 > [!NOTE]
 > You can also setup PIN recovery using configuration profiles.
 > 1. Sign in to Endpoint Manager.
 >
 > 2. Click **Devices** > **Configuration Profiles** > Create a new profile or edit an existing profile using the Identity Protection profile type.
 > 
 > 3. Set **Enable PIN recovery** to **Yes**.
 #### Assign the PIN Reset Device configuration profile using Microsoft Intune
-1. Sign in to the [Azure Portal](https://portal.azure.com) using a Global administrator account. 
+1. Sign in to the [Azure portal](https://portal.azure.com) using a Global administrator account. 
 2. Navigate to the Microsoft Intune blade. Choose **Device configuration** > **Profiles**. From the list of device configuration profiles, choose the profile that contains the PIN reset configuration.
 3. In the device configuration profile, select **Assignments**.
 4. Use the **Include** and/or **Exclude** tabs to target the device configuration profile to select groups.
 ## On-premises Deployments
@ -104,15 +120,15 @@ On-premises deployments provide users with the ability to reset forgotten PINs e
 #### Reset PIN above the Lock Screen
- 1. On Windows 10, version 1709, click **I forgot my PIN** from the Windows Sign-in
+1. On Windows 10, version 1709, click **I forgot my PIN** from the Windows Sign-in
- 2. Enter your password and press enter.
+2. Enter your password and press enter.
- 3. Follow the instructions provided by the provisioning process
+3. Follow the instructions provided by the provisioning process
- 4. When finished, unlock your desktop using your newly created PIN.
+4. When finished, unlock your desktop using your newly created PIN.
 You may find that PIN reset from settings only works post login, and that the "lock screen" PIN reset function will not work if you have any matching limitation of SSPR password reset from the lock screen. For more information, see [Enable Azure Active Directory self-service password reset at the Windows sign-in screen - **General limitations**](https://docs.microsoft.com/azure/active-directory/authentication/howto-sspr-windows#general-limitations).
 > [!NOTE]
-> Visit the [Windows Hello for Business Videos](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos.md) page and watch the [Windows Hello for Business forgotten PIN user experience](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience) video.
+> Visit the [Windows Hello for Business Videos](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos.md) page and watch [Windows Hello for Business forgotten PIN user experience](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience).
 ## Related topics
--- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
@ -13,7 +13,7 @@ ms.author: deniseb
 ms.custom: nextgen
 ms.reviewer: pahuijbr
 manager: dansimp
-ms.date: 02/12/2021
+ms.date: 03/05/2021
 ms.technology: mde
 ---
@ -408,6 +408,20 @@ We recommend updating your Windows 10 (Enterprise, Pro, and Home editions), Wind
 For more information, see [Microsoft Defender update for Windows operating system installation images](https://support.microsoft.com/help/4568292/defender-update-for-windows-operating-system-installation-images).
 <details>
 <summary>1.1.2103.01</summary>
 &ensp;Package version: **1.1.2103.01**    
 &ensp;Platform version: **4.18.2101.9**   
 &ensp;Engine version: **1.17800.5**  
 &ensp;Signature version: **1.331.2302.0**    
 ### Fixes
 - None
 ### Additional information
 - None  
 <br/>
 </details><details>
 <summary>1.1.2102.03</summary>
 &ensp;Package version: **1.1.2102.03**    
--- a/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md
@ -45,7 +45,7 @@ Microsoft recommends onboarding Windows Virtual Desktop as a single entry per vi
 Microsoft recommends adding the Microsoft Defender for Endpoint onboarding script to the WVD image. This way, you can be sure that this onboarding script runs immediately at first boot. It is executed as a startup script at first boot on all the WVD machines that are provisioned from the WVD golden image. However, if you are using one of the gallery images without modification, place the script in a shared location and call it from either local or domain group policy. 
 > [!NOTE]
-> The placement and configuration of the VDI onboarding startup script on the WVD golden image configures it as a startup script that runs when the WVD starts. It is NOT recommended to onboard the actual WVD golden image. Another consideration is the method used to run the script. It should run as early in the startup/provisioning process as possible to reduce the time between the machine being available to receive sessions and the device onboarding to the service. Below scenarios 1 & 2 take this into account.
+> The placement and configuration of the VDI onboarding startup script on the WVD golden image configures it as a startup script that runs when the WVD starts. It is _not_ recommended to onboard the actual WVD golden image. Another consideration is the method used to run the script. It should run as early in the startup/provisioning process as possible to reduce the time between the machine being available to receive sessions and the device onboarding to the service. Below scenarios 1 & 2 take this into account.
 ## Scenarios
 There are several ways to onboard a WVD host machine:
@ -64,24 +64,36 @@ Follow the instructions for a single entry for each device.
 This scenario uses a centrally located script and runs it using a domain-based group policy. You can also place the script in the golden image and run it in the same way.
 #### Download the WindowsDefenderATPOnboardingPackage.zip file from the Windows Defender Security Center
-1. Open the VDI configuration package .zip file (WindowsDefenderATPOnboardingPackage.zip)  
+
-    - In the Microsoft Defender Security Center navigation pane, select **Settings** > **Onboarding**. 
+1. Open the VDI configuration package .zip file (WindowsDefenderATPOnboardingPackage.zip).
-    - Select Windows 10 as the operating system. 
+
-    - In the **Deployment method** field, select VDI onboarding scripts for non-persistent endpoints. 
+   1. In the Microsoft Defender Security Center navigation pane, select **Settings** > **Onboarding**. 
-    - Click **Download package** and save the .zip file. 
+   1. Select Windows 10 as the operating system. 
   1. In the **Deployment method** field, select VDI onboarding scripts for non-persistent endpoints. 
   1. Click **Download package** and save the .zip file. 
 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the device. You should have a folder called **OptionalParamsPolicy** and the files **WindowsDefenderATPOnboardingScript.cmd** and **Onboard-NonPersistentMachine.ps1**.
 #### Use Group Policy management console to run the script when the virtual machine starts
 1. Open the Group Policy Management Console (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
 2. In the Group Policy Management Editor, go to **Computer configuration** > **Preferences** > **Control panel settings**. 
 3. Right-click **Scheduled tasks**, click **New**, and then select **Immediate Task** (At least Windows 7). 
 4. In the Task window that opens, go to the **General** tab. Under **Security options** click **Change User or Group** and type SYSTEM. Click **Check Names** and then click OK. `NT AUTHORITY\SYSTEM` appears as the user account under which the task will run. 
 5. Select **Run whether user is logged on or not** and select the **Run with highest privileges** option. 
 6. Go to the **Actions** tab and select **New**. Confirm that **Start a program** is selected in the **Action** field.
 7. Specify the following: <br/> 
   - Action = **Start a program**
   - Program/Script = `C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe` 
   - Add Arguments (optional) = `-ExecutionPolicy Bypass -command "& \\Path\To\Onboard-NonPersistentMachine.ps1"`
 8. Select **OK** and close any open GPMC windows.
 ### Scenario 3: Onboarding using management tools
--- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
@ -36,7 +36,7 @@ The Windows 10 Enterprise LTSC 2019 release is an important release for LTSC use
 ## Microsoft Intune
->Microsoft Intune supports Windows 10 Enterprise LTSC 2019 and later.  This includes support for features such as [Windows Autopilot](#windows-autopilot). However, note that Windows Update for Business (WUfB) does not currently support any LTSC releases, therefore you should use WSUS or Configuration Manager for patching.
+Microsoft Intune supports Windows 10 Enterprise LTSC 2019 and later.  This includes support for features such as [Windows Autopilot](#windows-autopilot). However, note that Windows Update for Business (WUfB) does not currently support any LTSC releases, therefore you should use WSUS or Configuration Manager for patching.
 ## Security
@ -100,24 +100,37 @@ Endpoint detection and response is improved. Enterprise customers can now take a
  - Historical detection capability ensures new detection rules apply to up to six months of stored data to detect previous attacks that might not have been noticed.
  **Threat response** is improved when an attack is detected, enabling immediate action by security teams to contain a breach:
- [Take response actions on a machine](/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by isolating machines or collecting an investigation package.
+  - [Take response actions on a machine](/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by isolating machines or collecting an investigation package.
  - [Take response actions on a file](/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by stopping and quarantining files or blocking a file.
 Additional capabilities have been added to help you gain a holistic view on **investigations** include:
 - [Threat analytics](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-analytics) - Threat Analytics is a set of interactive reports published by the Microsoft Defender for Endpoint research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats.
 - [Query data using Advanced hunting in Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection)
 - [Use Automated investigations to investigate and remediate threats](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection)
 - [Investigate a user account](/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection) - Identify user accounts with the most active alerts and investigate cases of potential compromised credentials.
 - [Alert process tree](/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection#alert-process-tree) - Aggregates multiple detections and related events into a single view to reduce case resolution time.
 - [Pull alerts using REST API](/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection) - Use REST API to pull alerts from Microsoft Defender for Endpoint.
 Other enhanced security features include:
 - [Check sensor health state](/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection) - Check an endpoint's ability to provide sensor data and communicate with the Microsoft Defender for Endpoint service and fix known issues.
 - [Managed security service provider (MSSP) support](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection) - Microsoft Defender for Endpoint adds support for this scenario by providing MSSP integration. The integration will allow MSSPs to take the following actions: Get access to MSSP customer's Windows Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools.
 - [Integration with Azure Defender](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center) - Microsoft Defender for Endpoint integrates with Azure Defender to provide a comprehensive server protection solution. With this integration Azure Defender can leverage the power of Defender for Endpoint to provide improved threat detection for Windows Servers.
 - [Integration with Microsoft Cloud App Security](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration) - Microsoft Cloud App Security leverages Microsoft Defender for Endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Defender for Endpoint monitored machines.
 - [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#windows-server-version-1803-and-windows-server-2019) - Microsoft Defender for Endpoint now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines. 
 - [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection) - Onboard supported versions of Windows machines so that they can send sensor data to the Microsoft Defender for Endpoint sensor.
 - [Enable conditional access to better protect users, devices, and data](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection)
 We've also added a new assessment for the Windows time service to the **Device performance & health** section. If we detect that your device’s time is not properly synced with our time servers and the time-syncing service is disabled, we’ll provide the option for you to turn it back on.
@ -172,10 +185,16 @@ For example, you can choose the XTS-AES 256 encryption algorithm, and have it ap
 To achieve this:
 1. Configure the [encryption method settings](https://docs.microsoft.com/intune/endpoint-protection-windows-10#windows-encryption) in the Windows 10 Endpoint Protection profile to the desired encryption algorithm. 
 2. [Assign the policy](https://docs.microsoft.com/intune/device-profile-assign) to your Autopilot device group. 
-    - **IMPORTANT**: The encryption policy must be assigned to **devices** in the group, not users.
+
   > [!IMPORTANT]
   > The encryption policy must be assigned to **devices** in the group, not users.
 3. Enable the Autopilot [Enrollment Status Page](https://docs.microsoft.com/windows/deployment/windows-autopilot/enrollment-status) (ESP) for these devices. 
-    - **IMPORTANT**: If the ESP is not enabled, the policy will not apply before encryption starts.
+
   > [!IMPORTANT]
   > If the ESP is not enabled, the policy will not apply before encryption starts.
 ### Identity protection
@ -186,16 +205,25 @@ Improvements have been added are to Windows Hello for Business and Credential Gu
 New features in Windows Hello enable a better device lock experience, using multifactor unlock with new location and user proximity signals. Using Bluetooth signals, you can configure your Windows 10 device to automatically lock when you walk away from it, or to prevent others from accessing the device when  you are not present.
 New features in [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification.md) include: 
 - You can now reset a forgotten PIN without deleting company managed data or apps on devices managed by [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune).
 - For Windows Phone devices, an administrator is able to initiate a remote PIN reset through the Intune portal.
 - For Windows desktops, users are able to reset a forgotten PIN through **Settings > Accounts > Sign-in options**. For more details, check out [What if I forget my PIN?](/windows/security/identity-protection/hello-for-business/hello-features#pin-reset).
-[Windows Hello](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-features) now supports FIDO 2.0 authentication for Azure AD Joined Windows 10 devices and has enhanced support for shared devices, as described in the [Kiosk configuration](#kiosk-configuration) section. 
+[Windows Hello](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-features) now supports FIDO 2.0 authentication for Azure AD Joined Windows 10 devices and has enhanced support for shared devices, as described in [Kiosk configuration](#kiosk-configuration). 
 - Windows Hello is now [password-less on S-mode](https://www.windowslatest.com/2018/02/12/microsoft-make-windows-10-password-less-platform/).
 - Support for S/MIME with Windows Hello for Business and APIs for non-Microsoft identity lifecycle management solutions.
 - Windows Hello is part of the account protection pillar in Windows Defender Security Center. Account Protection will encourage password users to set up Windows Hello Face, Fingerprint or PIN for faster sign in, and will notify Dynamic lock users if Dynamic lock has stopped working because their phone or device Bluetooth is off.
 - You can set up Windows Hello from lock screen for MSA accounts. We’ve made it easier for Microsoft account users to set up Windows Hello on their devices for faster and more secure sign-in. Previously, you had to navigate deep into Settings to find Windows Hello. Now, you can set up Windows Hello Face, Fingerprint or PIN straight from your lock screen by clicking the Windows Hello tile under Sign-in options.
 - New [public API](https://docs.microsoft.com/uwp/api/windows.security.authentication.web.core.webauthenticationcoremanager.findallaccountsasync#Windows_Security_Authentication_Web_Core_WebAuthenticationCoreManager_FindAllAccountsAsync_Windows_Security_Credentials_WebAccountProvider_) for secondary account SSO for a particular identity provider.
 - It is easier to set up Dynamic lock, and WD SC actionable alerts have been added when Dynamic lock stops working (ex: phone Bluetooth is off).
 For more information, see: [Windows Hello and FIDO2 Security Keys enable secure and easy authentication for shared devices](https://blogs.windows.com/business/2018/04/17/windows-hello-fido2-security-keys/#OdKBg3pwJQcEKCbJ.97)
@ -204,7 +232,10 @@ For more information, see: [Windows Hello and FIDO2 Security Keys enable secure
 Windows Defender Credential Guard is a security service in Windows 10 built to protect Active Directory (AD) domain credentials so that they can't be stolen or misused by malware on a user's machine. It is designed to protect against well-known threats such as Pass-the-Hash and credential harvesting.
-Windows Defender Credential Guard has always been an optional feature, but Windows 10 in S mode turns this functionality on by default when the machine has been Azure Active Directory joined. This provides an added level of security when connecting to domain resources not normally present on devices running Windows 10 in S mode. Please note that Windows Defender Credential Guard is available only to S mode devices or Enterprise and Education Editions. 
+Windows Defender Credential Guard has always been an optional feature, but Windows 10 in S mode turns this functionality on by default when the machine has been Azure Active Directory joined. This provides an added level of security when connecting to domain resources not normally present on devices running Windows 10 in S mode. 
 > [!NOTE]
 > Windows Defender Credential Guard is available only to S mode devices or Enterprise and Education Editions. 
 For more information, see [Credential Guard Security Considerations](/windows/access-protection/credential-guard/credential-guard-requirements#security-considerations).
@ -277,14 +308,17 @@ For details, see [MBR2GPT.EXE](/windows/deployment/mbr-to-gpt).
 The following new DISM commands have been added to manage feature updates:
-    DISM /Online /Initiate-OSUninstall 
+- **DISM /Online /Initiate-OSUninstall**
-        – Initiates a OS uninstall to take the computer back to the previous installation of windows.
+  - Initiates an OS uninstall to take the computer back to the previous installation of windows.
-    DISM /Online /Remove-OSUninstall 
+
-        – Removes the OS uninstall capability from the computer. 
+- **DISM /Online /Remove-OSUninstall**
-    DISM /Online /Get-OSUninstallWindow 
+  - Removes the OS uninstall capability from the computer.
-        – Displays the number of days after upgrade during which uninstall can be performed.
+
-    DISM /Online /Set-OSUninstallWindow 
+- **DISM /Online /Get-OSUninstallWindow**
-        – Sets the number of days after upgrade during which uninstall can be performed.
+  - Displays the number of days after upgrade during which uninstall can be performed.
 - **DISM /Online /Set-OSUninstallWindow**
  - Sets the number of days after upgrade during which uninstall can be performed.
 For more information, see [DISM operating system uninstall command-line options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/dism-uninstallos-command-line-options).
@ -300,20 +334,22 @@ For more information, see [Run custom actions during feature update](https://doc
 It is also now possible to run a script if the user rolls back their version of Windows using the PostRollback option.
-    /PostRollback<location> [\setuprollback.cmd] [/postrollback {system / admin}]
+`/PostRollback<location> [\setuprollback.cmd] [/postrollback {system / admin}]`
-For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options#21)
+For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options#21).
 New command-line switches are also available to control BitLocker:
-    Setup.exe /BitLocker AlwaysSuspend 
+- **Setup.exe /BitLocker AlwaysSuspend**
-        – Always suspend bitlocker during upgrade.
+  - Always suspend BitLocker during upgrade.
    Setup.exe /BitLocker TryKeepActive 
        – Enable upgrade without suspending bitlocker but if upgrade, does not work then suspend bitlocker and complete the upgrade.
    Setup.exe /BitLocker ForceKeepActive 
        – Enable upgrade without suspending bitlocker, but if upgrade does not work, fail the upgrade.
-For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options#33)
+- **Setup.exe /BitLocker TryKeepActive**
  - Enable upgrade without suspending BitLocker, but if upgrade does not work, then suspend BitLocker and complete the upgrade.
 - **Setup.exe /BitLocker ForceKeepActive**
  - Enable upgrade without suspending BitLocker, but if upgrade does not work, fail the upgrade.
 For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options#33).
 ### Feature update improvements
@ -332,8 +368,11 @@ SetupDiag works by searching Windows Setup log files. When searching log files,
 If you have shared devices deployed in your work place, **Fast sign-in** enables users to sign in to a [shared Windows 10 PC](https://docs.microsoft.com/windows/configuration/set-up-shared-or-guest-pc) in a flash!
 **To enable fast sign-in:**
 1. Set up a shared or guest device with Windows 10, version 1809 or Windows 10 Enterprise LTSC 2019.
 2. Set the Policy CSP, and the **Authentication** and **EnableFastFirstSignIn** policies to enable fast sign-in.
 3. Sign-in to a shared PC with your account. You'll notice the difference!
   ![fast sign-in](../images/fastsignin.png "fast sign-in")
@ -343,8 +382,11 @@ If you have shared devices deployed in your work place, **Fast sign-in** enables
 Until now, Windows logon only supported the use of identities federated to ADFS or other providers that support the WS-Fed protocol. We are introducing “web sign-in,” a new way of signing into your Windows PC. Web Sign-in enables Windows logon support for non-ADFS federated providers (e.g.SAML).
 **To try out web sign-in:**
 1. Azure AD Join your Windows 10 PC. (Web sign-in is only supported on Azure AD Joined PCs).
 2. Set the Policy CSP, and the Authentication and EnableWebSignIn polices to enable web sign-in. 
 3. On the lock screen, select web sign-in under sign-in options.
 4. Click the “Sign in” button to continue.
@ -386,7 +428,7 @@ Maintaining devices is made easier with Device Health, a new, premium analytic t
 ### Accessibility
-"Out of box" accessibility is enhanced with auto-generated picture descriptions. For more information about accessibility, see [Accessibility information for IT Professionals](https://docs.microsoft.com/windows/configuration/windows-10-accessibility-for-itpros). Also see the accessibility section in the [What’s new in the Windows 10 April 2018 Update](https://blogs.windows.com/windowsexperience/2018/04/30/whats-new-in-the-windows-10-april-2018-update/) blog post.
+"Out of box" accessibility is enhanced with auto-generated picture descriptions. For more information about accessibility, see [Accessibility information for IT Professionals](https://docs.microsoft.com/windows/configuration/windows-10-accessibility-for-itpros). Also see the accessibility section in [What’s new in the Windows 10 April 2018 Update](https://blogs.windows.com/windowsexperience/2018/04/30/whats-new-in-the-windows-10-april-2018-update/), a blog post.
 ### Privacy
@ -404,7 +446,7 @@ If you wish to take advantage of [Kiosk capabilities in Edge](https://docs.micro
 Intune and Microsoft Endpoint Manager policies have been added to enable hybrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management.
-For more information, see [What's New in MDM enrollment and management](https://docs.microsoft.com/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1803)
+For more information, see [What's New in MDM enrollment and management](https://docs.microsoft.com/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1803).
 ### OS uninstall period
@ -433,7 +475,9 @@ Previously, the customized taskbar could only be deployed using Group Policy or
 [Additional MDM policy settings are available for Start and taskbar layout](/windows/configuration/windows-10-start-layout-options-and-policies). New MDM policy settings include:
 - Settings for the User tile: [**Start/HideUserTile**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideusertile), [**Start/HideSwitchAccount**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideswitchaccount), [**Start/HideSignOut**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidesignout), [**Start/HideLock**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidelock), and [**Start/HideChangeAccountSettings**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidechangeaccountsettings)
 - Settings for Power: [**Start/HidePowerButton**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidepowerbutton), [**Start/HideHibernate**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidehibernate), [**Start/HideRestart**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderestart), [**Start/HideShutDown**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideshutdown), and [**Start/HideSleep**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidesleep)
 - Additional new settings: [**Start/HideFrequentlyUsedApps**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps), [**Start/HideRecentlyAddedApps**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps), **AllowPinnedFolder**, **ImportEdgeAssets**, [**Start/HideRecentJumplists**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentjumplists), [**Start/NoPinningToTaskbar**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-nopinningtotaskbar), [**Settings/PageVisibilityList**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-pagevisibilitylist), and [**Start/HideAppsList**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideapplist).
 ## Windows Update
@ -481,7 +525,7 @@ Added policies include:
 - [Minimum disk size allowed to use Peer Caching](/windows/deployment/update/waas-delivery-optimization#minimum-disk-size-allowed-to-use-peer-caching)
 - [Minimum Peer Caching Content File Size](/windows/deployment/update/waas-delivery-optimization#minimum-peer-caching-content-file-size)
-To check out all the details, see [Configure Delivery Optimization for Windows 10 updates](/windows/deployment/update/waas-delivery-optimization)
+To check out all the details, see [Configure Delivery Optimization for Windows 10 updates](/windows/deployment/update/waas-delivery-optimization).
 ### Uninstalled in-box apps no longer automatically reinstall
@ -564,11 +608,11 @@ Several network stack enhancements are available in this release. Some of these
 In this version of Windows 10, Microsoft has extended the ability to send a Miracast stream over a local network rather than over a direct wireless link. This functionality is based on the [Miracast over Infrastructure Connection Establishment Protocol (MS-MICE)](https://msdn.microsoft.com/library/mt796768.aspx).
-How it works:
+#### How it works
 Users attempt to connect to a Miracast receiver as they did previously. When the list of Miracast receivers is populated, Windows 10 will identify that the receiver is capable of supporting a connection over the infrastructure. When the user selects a Miracast receiver, Windows 10 will attempt to resolve the device's hostname via standard DNS, as well as via multicast DNS (mDNS). If the name is not resolvable via either DNS method, Windows 10 will fall back to establishing the Miracast session using the standard Wi-Fi direct connection.
-Miracast over Infrastructure offers a number of benefits:
+#### Miracast over Infrastructure offers a number of benefits
 - Windows automatically detects when sending the video stream over this path is applicable.
 - Windows will only choose this route if the connection is over Ethernet or a secure Wi-Fi network.
@ -577,18 +621,22 @@ Miracast over Infrastructure offers a number of benefits:
 - It works well with older wireless hardware that is not optimized for Miracast over Wi-Fi Direct.
 - It leverages an existing connection which both reduces the time to connect and provides a very stable stream.
-Enabling Miracast over Infrastructure:
+#### Enabling Miracast over Infrastructure
 If you have a device that has been updated to Windows 10 Enterprise LTSC 2019, then you automatically have this new feature. To take advantage of it in your environment, you need to ensure the following is true within your deployment:
 - The device (PC, phone, or Surface Hub) needs to be running Windows 10, version 1703, Windows 10 Enterprise LTSC 2019, or a later OS.
 - A Windows PC or Surface Hub can act as a Miracast over Infrastructure *receiver*. A Windows PC or phone can act as a Miracast over Infrastructure *source*.
    - As a Miracast receiver, the PC or Surface Hub must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection (e.g. using either WPA2-PSK or WPA2-Enterprise security). If the Hub is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself.
    - As a Miracast source, the  PC or phone must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection.
 - The DNS Hostname (device name) of the device needs to be resolvable via your DNS servers. You can achieve this by either allowing your device to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the device's hostname.
 - Windows 10 PCs must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection.
-It is important to note that Miracast over Infrastructure is not a replacement for standard Miracast. Instead, the functionality is complementary, and provides an advantage to users who are part of the enterprise network. Users who are guests to a particular location and don’t have access to the enterprise network will continue to connect using the Wi-Fi Direct connection method.
+> [!IMPORTANT]
 > Miracast over Infrastructure is not a replacement for standard Miracast. Instead, the functionality is complementary, and provides an advantage to users who are part of the enterprise network. Users who are guests to a particular location and don’t have access to the enterprise network will continue to connect using the Wi-Fi Direct connection method.
 ## Registry editor improvements
@ -603,6 +651,7 @@ Azure Active Directory and Active Directory users using Windows Hello for Busine
 To get started, sign into your device using Windows Hello for Business. Bring up **Remote Desktop Connection** (mstsc.exe), type the name of the computer you want to connect to, and click **Connect**.
 - Windows remembers that you signed using Windows Hello for Business, and automatically selects Windows Hello for Business to authenticate you to your RDP session. You can also click **More choices** to choose alternate credentials.
 - Windows uses facial recognition to authenticate the RDP session to the Windows Server 2016 Hyper-V server. You can continue to use Windows Hello for Business in the remote session, but you must use your PIN.
 See the following example: