diff --git a/browsers/edge/docfx.json b/browsers/edge/docfx.json
index c0761e7192..58807f7d8a 100644
--- a/browsers/edge/docfx.json
+++ b/browsers/edge/docfx.json
@@ -19,9 +19,7 @@
"ROBOTS": "INDEX, FOLLOW",
"ms.technology": "microsoft-edge",
"ms.topic": "article",
- "ms.author": "shortpatti",
- "ms.date": "04/05/2017",
- "feedback_system": "GitHub",
+ "feedback_system": "GitHub",
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
"feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app",
"_op_documentIdPathDepotMapping": {
diff --git a/browsers/edge/microsoft-edge-faq.md b/browsers/edge/microsoft-edge-faq.md
index f989f0e5c8..e3a128b0ac 100644
--- a/browsers/edge/microsoft-edge-faq.md
+++ b/browsers/edge/microsoft-edge-faq.md
@@ -1,96 +1,52 @@
---
title: Microsoft Edge - Frequently Asked Questions (FAQs) for IT Pros
description: Answers to frequently asked questions about Microsoft Edge features, integration, support, and potential problems.
-author: shortpatti
-ms.author: pashort
+author: lizap
+ms.author: elizapo
ms.prod: edge
-ms.topic: reference
+ms.topic: article
ms.mktglfcycl: general
ms.sitesec: library
ms.localizationpriority: medium
-ms.date: 11/05/2018
---
# Frequently Asked Questions (FAQs) for IT Pros
>Applies to: Microsoft Edge on Windows 10 and Windows 10 Mobile
-**Q: Why is the Sync settings option under Settings \> Accounts \> Sync your settings permanently disabled?
+## How can I get the next major version of Microsoft Edge, based on Chromium?
+In December 2018, Microsoft [announced](https://blogs.windows.com/windowsexperience/2018/12/06/microsoft-edge-making-the-web-better-through-more-open-source-collaboration/#8jv53blDvL6TIKuS.97) our intention to adopt the Chromium open source project in the development of Microsoft Edge on the desktop, to create better web compatibility for our customers and less fragmentation of the web for all web developers. You can get more information at the [Microsoft Edge Insiders site](https://www.microsoftedgeinsider.com/).
-**A:** In the Windows 10 Anniversary Update, domain-joined users who connected their Microsoft Account (MSA) could roam settings and data between Windows devices. A group policy to prevent users from connecting their MSAs exists, but this setting also prevents users from easily accessing their personal Microsoft services. Enterprises can still enable Enterprise State Roaming with Azure Active Directory.
+## What’s the difference between Microsoft Edge and Internet Explorer 11? How do I know which one to use?
+Microsoft Edge is the default browser for all Windows 10 devices. It’s built to be highly compatible with the modern web. For some enterprise web apps and a small set of sites that were built to work with older technologies like ActiveX, [you can use Enterprise Mode](emie-to-improve-compatibility.md) to automatically send users to Internet Explorer 11.
->In a nutshell, any fresh install of Windows 10 Creators Update or higher does not support funtionality if it's under an Active Directory, but works for Azure Active Directory.
+For more information on how Internet Explorer and Microsoft Edge work together to support your legacy web apps, while still defaulting to the higher security and modern experiences enabled by Microsoft Edge, see [Legacy apps in the enterprise](https://blogs.windows.com/msedgedev/2017/04/07/legacy-web-apps-enterprise/#RAbtRvJSYFaKu2BI.97).
-**Q: What is the size of the local storage for Microsoft Edge overall and per domain?**
+## Does Microsoft Edge work with Enterprise Mode?
+[Enterprise Mode](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11) helps you run many legacy web applications with better backward compatibility. You can configure both Microsoft Edge and Internet Explorer to use the same Enterprise Mode Site List, switching seamlessly between browsers to support both modern and legacy web apps.
-**A:** The limits are 5MB per subdomain, 10MB per domain, and 50MB total.
+## How do I customize Microsoft Edge and related settings for my organization?
+You can use Group Policy or Microsoft Intune to manage settings related to Microsoft Edge, such as security settings, folder redirection, and preferences. See [Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](/group-policies/index.md) for a list of policies currently available for Microsoft Edge and configuration information. Note that the preview release of Chromium-based Microsoft Edge might not include management policies or other enterprise functionality; our focus during the preview is modern browser fundamentals.
-**Q: What is the difference between Microsoft Edge and Internet Explorer 11? How do I know which one to use?**
+## Is Adobe Flash supported in Microsoft Edge?
+Adobe Flash is currently supported as a built-in feature of Microsoft Edge on PCs running Windows 10. In July 2017, Adobe announced that Flash support will end after 2020. With this change to Adobe support, we’ve started to phase Flash out of Microsoft Edge by adding the [Configure the Adobe Flash Click-to-Run setting group policy](/available-policies.md#configure-the-adobe-flash-click-to-run-setting) - this lets you control which websites can run Adobe Flash content.
-**A:** Microsoft Edge is the default browser for all Windows 10 devices. It is built to be highly compatible with the modern web. For some enterprise web apps and a small set of sites on the web that were built to work with older technologies like ActiveX, [you can use Enterprise Mode](https://docs.microsoft.com/microsoft-edge/deploy/emie-to-improve-compatibility) to automatically send users to Internet Explorer 11 for those sites.
+To learn more about Microsoft’s plan for phasing Flash out of Microsoft Edge and Internet Explorer, see [The End of an Era — Next Steps for Adobe Flash](https://blogs.windows.com/msedgedev/2017/07/25/flash-on-windows-timeline/#3Bcc3QjRw0l7XsZ4.97) (blog article).
-For more information on how Internet Explorer and Microsoft Edge can work together to support your legacy web apps, while still defaulting to the higher bar for security and modern experiences enabled by Microsoft Edge, see [Legacy apps in the enterprise](https://blogs.windows.com/msedgedev/2017/04/07/legacy-web-apps-enterprise/#RAbtRvJSYFaKu2BI.97).
+## Does Microsoft Edge support ActiveX controls or BHOs like Silverlight or Java?
+No. Microsoft Edge doesn’t support ActiveX controls and BHOs like Silverlight or Java. If you’re running web apps that use ActiveX controls, x-ua-compatible headers, or legacy document modes, you need to keep running them in IE11. IE11 offers additional security, manageability, performance, backward compatibility, and standards support.
-**Q: Does Microsoft Edge work with Enterprise Mode?**
+## How often will Microsoft Edge be updated?
+In Windows 10, we’re delivering Windows as a service, updated on a cadence driven by quality and the availability of new features. Microsoft Edge security updates are released every two to four weeks, while bigger feature updates are included in the Windows 10 releases on a semi-annual cadence.
-**A:** [Enterprise Mode](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11) offers better backward compatibility and enables customers to run many legacy web applications. Microsoft Edge and Internet Explorer can be configured to use the same Enterprise Mode Site List, switching seamlessly between browsers to support both modern and legacy web apps.
+## How can I provide feedback on Microsoft Edge?
+Microsoft Edge is an evergreen browser - we’ll continue to evolve both the web platform and the user interface with regular updates. To send feedback on user experience, or on broken or malicious sites, use the **Send Feedback** option under the ellipses icon (**...**) in the Microsoft Edge toolbar.
+## Will Internet Explorer 11 continue to receive updates?
+We’re committed to keeping Internet Explorer a supported, reliable, and safe browser. Internet Explorer is still a component of Windows and follows the support lifecycle of the OS on which it’s installed. For details, see [Lifecycle FAQ - Internet Explorer](https://support.microsoft.com/help/17454/). While we continue to support and update Internet Explorer, the latest features and platform updates will only be available in Microsoft Edge.
-**Q: I have Windows 10, but I don’t seem to have Microsoft Edge. Why?**
-
-**A:** Long-Term Servicing Branch (LTSB) versions of Windows, including Windows Server 2016 and Windows Server 2019, don't include Microsoft Edge or many other Universal Windows Platform (UWP) apps. These apps and their services are frequently updated with new functionality and can't be supported on systems running LTSB operating systems. For customers who require the LTSB for specialized devices, we recommend using Internet Explorer 11.
-
-**Q: How do I get the latest Canary/Beta/Preview version of Microsoft Edge?**
-
-**A:** You can access the latest preview version of Microsoft Edge by updating to the latest Windows 10 preview via the [Windows Insider Program](https://insider.windows.com/). To run the preview version of Microsoft Edge on a stable version of Windows 10 (or any other OS), you can download a [Virtual Machine](https://developer.microsoft.com/microsoft-edge/tools/vms/windows/) that we provide or use the upcoming RemoteEdge service.
-
-**Q: How do I customize Microsoft Edge and related settings for my organization?**
-
-**A:** You can use Group Policy or Microsoft Intune to manage settings related to Microsoft Edge, such as security settings, folder redirection, and preferences. See [Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/group-policies/index) for a list of available policies for Microsoft Edge and configuration combinations.
-
-**Q: Is Adobe Flash supported in Microsoft Edge?**
-
-**A:** Currently, Adobe Flash is supported as a built-in feature of Microsoft Edge on devices running the desktop version of Windows 10. In July 2017, Adobe announced that Flash will no longer be supported after 2020. With Adobe no longer supporting Flash after 2020, Microsoft has started to phase out Flash from Microsoft Edge by adding the [Configure the Adobe Flash Click-to-Run setting](available-policies.md#configure-the-adobe-flash-click-to-run-setting) group policy giving you a way to control the list of websites that have permission to run Adobe Flash content.
-
-
-
-To learn more about Microsoft’s plan for phasing out Flash from Microsoft Edge and Internet Explorer, see [The End of an Era — Next Steps for Adobe Flash]( https://blogs.windows.com/msedgedev/2017/07/25/flash-on-windows-timeline/#3Bcc3QjRw0l7XsZ4.97) (blog article).
-
-
-**Q: Does Microsoft Edge support ActiveX controls or BHOs like Silverlight or Java?**
-
-**A:** No. Microsoft Edge does not support ActiveX controls and BHOs such as Silverlight or Java. If you are running web apps that continue to use ActiveX controls, x-ua-compatible headers, or legacy document modes, you need to keep running them in IE11. IE11 offers additional security, manageability, performance, backward compatibility, and modern standards support.
-
-
-**Q: How often will Microsoft Edge be updated?**
-
-**A:** In Windows 10, we are delivering Windows as a service, updated on a cadence driven by quality and the availability of new features. Microsoft Edge security updates are released every two to four weeks, and the bigger feature updates are currently pushed out with the Windows 10 releases on a semi-annual cadence.
-
-**Q: How can I provide feedback on Microsoft Edge?**
-
-**A:** Microsoft Edge is an evergreen browser and we will continue to evolve both the web platform and the user interface with regular updates. To send feedback on user experience, or on broken or malicious sites, you can use the **Send Feedback** option under the ellipses icon (**...**) in the Microsoft Edge toolbar. You can also provide feedback through the [Microsoft Edge Dev Twitter](https://twitter.com/MSEdgeDev) account.
-
-**Q: Will Internet Explorer 11 continue to receive updates?**
-
-**A:** We will continue to deliver security updates to Internet Explorer 11 through its supported lifespan. To ensure consistent behavior across Windows versions, we will evaluate Internet Explorer 11 bugs for servicing on a case by case basis. The latest features and platform updates will only be available in Microsoft Edge.
-
-**Q: I loaded a web page and Microsoft Edge sent me to Internet Explorer - what happened?**
-
-**A:** In some cases, Internet Explorer loads automatically for sites that still rely on legacy technologies such as ActiveX. For more information, read [Legacy web apps in the enterprise](https://blogs.windows.com/msedgedev/2017/04/07/legacy-web-apps-enterprise/#uHpbs94kAaVsU1qB.97).
-
-**Q: Why is Do Not Track (DNT) off by default in Microsoft Edge?**
-
-**A:** When Microsoft first set the Do Not Track setting to “On” by default in Internet Explorer 10, industry standards had not yet been established. We are now making this default change as the World Wide Web Consortium (W3C) formalizes industry standards to recommend that default settings allow customers to actively indicate whether they want to enable DNT. As a result, DNT will not be enabled by default in upcoming versions of Microsoft’s browsers, but we will provide customers with clear information on how to turn this feature on in the browser settings should you wish to do so.
-
-**Q: How do I find out what version of Microsoft Edge I have?**
-
-**A:** Open Microsoft Edge. In the upper right corner click the ellipses icon (**…**), and then click **Settings**. Look in the **About this app** section to find your version.
-
-**Q: What is Microsoft EdgeHTML?**
-
-**A:** Microsoft EdgeHTML is the new web rendering engine that powers the Microsoft Edge web browser and Windows 10 web app platform, and that helps web developers build and maintain a consistent site across all modern browsers. The Microsoft EdgeHTML engine also helps to defend against hacking through support for the W3C standard for [Content Security Policy (CSP)](https://developer.microsoft.com/microsoft-edge/platform/documentation/dev-guide/security/content-Security-Policy), which can help web developers defend their sites against cross-site scripting attacks, and support for the [HTTP Strict Transport Security (HSTS)](https://developer.microsoft.com/microsoft-edge/platform/documentation/dev-guide/security/HSTS/) security feature (IETF-standard compliant), which helps ensure that connections to important sites, such as to your bank, are always secured.
-
-**Q: Will Windows 7 or Windows 8.1 users get Microsoft Edge or the new Microsoft EdgeHTML rendering engine?**
-
-**A:** No. Microsoft Edge has been designed and built to showcase Windows 10 features like Cortana, and is built on top of the Universal Windows Platform.
+## How do I find out what version of Microsoft Edge I have?
+In the upper right corner of Microsoft Edge, click the ellipses icon (**...**), and then click **Settings**. Look in the **About Microsoft Edge** section to find your version.
+## What is Microsoft EdgeHTML?
+Microsoft EdgeHTML is the web rendering engine that powers the current Microsoft Edge web browser and Windows 10 web app platform. (As opposed to *Microsoft Edge, based on Chromium*.)
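Review bot: the two policy links in the added answers use root-relative paths, `/group-policies/index.md` and `/available-policies.md#configure-the-adobe-flash-click-to-run-setting`, while the removed text linked `available-policies.md#configure-the-adobe-flash-click-to-run-setting` relative to this folder and the new Enterprise Mode link uses `emie-to-improve-compatibility.md`. Use the same folder-relative form for all three so the links resolve from this file. Separately, the rewritten EdgeHTML answer no longer mentions Content Security Policy or HSTS support, and the Do Not Track and LTSB answers are removed outright; if that is intentional, state it in the change description so readers who relied on that guidance know it was dropped on purpose.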
diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md
index b314f85b52..01c64d22e8 100644
--- a/devices/hololens/TOC.md
+++ b/devices/hololens/TOC.md
@@ -12,5 +12,6 @@
## [Configure HoloLens using a provisioning package](hololens-provisioning.md)
## [Install apps on HoloLens](hololens-install-apps.md)
## [Enable Bitlocker device encryption for HoloLens](hololens-encryption.md)
+## [Restart, reset, or recover HoloLens 2](hololens-recovery.md)
## [How HoloLens stores data for spaces](hololens-spaces.md)
## [Change history for Microsoft HoloLens documentation](change-history-hololens.md)
\ No newline at end of file
diff --git a/devices/hololens/change-history-hololens.md b/devices/hololens/change-history-hololens.md
index 1fc820a243..92bb653843 100644
--- a/devices/hololens/change-history-hololens.md
+++ b/devices/hololens/change-history-hololens.md
@@ -9,16 +9,17 @@ author: jdeckerms
ms.author: jdecker
ms.topic: article
ms.localizationpriority: medium
-ms.date: 11/05/2018
---
# Change history for Microsoft HoloLens documentation
This topic lists new and updated topics in the [Microsoft HoloLens documentation](index.md).
-## Windows 10 Holographic for Business, version 1809
+## April 2019
-The topics in this library have been updated for Windows 10 Holographic for Business, version 1809.
+New or changed topic | Description
+--- | ---
+[Restart, reset, or recover HoloLens 2](hololens-recovery.md) | New
## November 2018
@@ -26,6 +27,10 @@ New or changed topic | Description
--- | ---
[How HoloLens stores data for spaces](hololens-spaces.md) | New
+## Windows 10 Holographic for Business, version 1809
+
+The topics in this library have been updated for Windows 10 Holographic for Business, version 1809.
+
## October 2018
diff --git a/devices/hololens/hololens-recovery.md b/devices/hololens/hololens-recovery.md
new file mode 100644
index 0000000000..e4f20a30d6
--- /dev/null
+++ b/devices/hololens/hololens-recovery.md
@@ -0,0 +1,60 @@
+---
+title: Restart, reset, or recover HoloLens 2
+description: How to use Advanced Recovery Companion to flash an image to HoloLens 2.
+ms.prod: hololens
+ms.sitesec: library
+author: jdeckerms
+ms.author: jdecker
+ms.topic: article
+ms.localizationpriority: medium
+---
+
+# Restart, reset, or recover HoloLens 2
+
+>[!TIP]
+>If you're having issues with HoloLens (the first device released), see [Restart, reset, or recover HoloLens](https://support.microsoft.com/help/13452/hololens-restart-reset-or-recover-hololens). Advanced Recovery Companion is only supported for HoloLens 2.
+
+>[!WARNING]
+>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The Advanced Recovery Companion is a new app in Microsoft Store that you can use to restore the operating system image to your HoloLens device.
+
+When your HoloLens 2 is unresponsive, not running properly, or is experiencing software or update problems, try these things in order:
+
+1. [Restart](#restart-hololens-2) the HoloLens 2.
+2. [Reset](#reset-hololens-2) the HoloLens 2.
+3. [Recover](#recover-hololens-2) the HoloLens 2.
+
+>[!IMPORTANT]
+>Resetting or recovering your HoloLens will erase all of your personal data, including apps, games, photos, and settings. You won’t be able to restore a backup once the reset is complete.
+
+## Restart HoloLens 2
+
+A device restart can often "fix" a computer issue. First, say "Hey Cortana, restart the device."
+
+If you’re still having problems, press the power button for 4 seconds, until all of the battery indicators fade out. Wait 1 minute, then press the power button again to turn on the device.
+
+If neither of those things works, force restart the device. Hold down the power button for 10 seconds. Release it and wait 30 seconds, then press the power button again to turn on the device.
+
+## Reset HoloLens 2
+
+If the device is still having a problem after restart, use reset to return the HoloLens 2 to factory settings.
+
+To reset your HoloLens 2, go to **Settings > Update > Reset** and select **Reset device**.
+
+>[!NOTE]
+>The battery needs at least 40 percent charge to reset.
+
+## Recover HoloLens 2
+
+If the device is still having a problem after reset, you can use Advanced Recovery Companion to flash the device with a new image.
+
+1. On your computer, get [Advanced Recovery Companion](need store link) from Microsoft Store.
+2. Connect HoloLens 2 to your computer.
+3. Start Advanced Recovery Companion.
+4. On the **Welcome** page, select your device.
+5. On the **Device info** page, select **Install software** to install the default package. (If you have a Full Flash Update (FFU) image that you want to install instead, select **Manual package selection**.)
+6. Software installation will begin. Do not use the device or disconnect the cable during installation. When you see the **Installation finished** page, you can disconnect and use your device.
+
+>[!NOTE]
+>[Learn about FFU image file formats.](https://docs.microsoft.com/windows-hardware/manufacture/desktop/wim-vs-ffu-image-file-formats)
\ No newline at end of file
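Review bot: step 1 of the Recover procedure links to `(need store link)`, which is a placeholder rather than a URL, so the published page would carry a broken link for the one download the procedure depends on. Replace it with the real Microsoft Store link before merging, or hold the topic until the link exists. Step 5 offers **Manual package selection** for an FFU image but the page only points to a format overview; a sentence on where an admin should obtain that image would close the gap.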
diff --git a/devices/surface-hub/TOC.md b/devices/surface-hub/TOC.md
index d24333f170..a264981b50 100644
--- a/devices/surface-hub/TOC.md
+++ b/devices/surface-hub/TOC.md
@@ -2,6 +2,7 @@
## [What's new in Windows 10, version 1703 for Surface Hub?](surfacehub-whats-new-1703.md)
## [Differences between Surface Hub and Windows 10 Enterprise](differences-between-surface-hub-and-windows-10-enterprise.md)
## [Prepare your environment for Microsoft Surface Hub](prepare-your-environment-for-surface-hub.md)
+### [Surface Hub Site Readiness Guide](surface-hub-site-readiness-guide.md)
### [Physically install Microsoft Surface Hub](physically-install-your-surface-hub-device.md)
### [Create and test a device account](create-and-test-a-device-account-surface-hub.md)
#### [Online deployment](online-deployment-surface-hub-device-accounts.md)
@@ -41,10 +42,13 @@
### [Enable 802.1x wired authentication](enable-8021x-wired-authentication.md)
### [Using a room control system](use-room-control-system-with-surface-hub.md)
### [Using the Surface Hub Recovery Tool](surface-hub-recovery-tool.md)
+### [Surface Hub SSD replacement](surface-hub-ssd-replacement.md)
## [PowerShell for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md)
## [How Surface Hub addresses Wi-Fi Direct security issues](surface-hub-wifi-direct.md)
## [Top support solutions for Surface Hub](support-solutions-surface-hub.md)
## [Troubleshoot Microsoft Surface Hub](troubleshoot-surface-hub.md)
## [Troubleshoot Miracast on Surface Hub](miracast-troubleshooting.md)
## [Useful downloads for Surface Hub administrators](surface-hub-downloads.md)
+## [Technical information for 55” Microsoft Surface Hub](surface-hub-technical-55.md)
+## [Technical information for 84” Microsoft Surface Hub ](surface-hub-technical-84.md)
## [Change history for Surface Hub](change-history-surface-hub.md)
\ No newline at end of file
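Review bot: the added 84” entry has a trailing space inside the link text, `[Technical information for 84” Microsoft Surface Hub ](surface-hub-technical-84.md)`, which the 55” entry above it does not. Remove the space so the two titles render consistently; the same link text is repeated in the April 2019 table in `change-history-surface-hub.md` and should be fixed there too.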
diff --git a/devices/surface-hub/change-history-surface-hub.md b/devices/surface-hub/change-history-surface-hub.md
index 836ff19136..10ae4ecd42 100644
--- a/devices/surface-hub/change-history-surface-hub.md
+++ b/devices/surface-hub/change-history-surface-hub.md
@@ -7,7 +7,6 @@ ms.sitesec: library
author: jdeckerms
ms.author: jdecker
ms.topic: article
-ms.date: 07/12/2018
ms.localizationpriority: medium
---
@@ -15,6 +14,15 @@ ms.localizationpriority: medium
This topic lists new and updated topics in the [Surface Hub Admin Guide]( surface-hub-administrators-guide.md).
+## April 2019
+
+New or changed topic | Description
+--- | ---
+[Surface Hub Site Readiness Guide](surface-hub-site-readiness-guide.md) | New; previously available for download only
+[Technical information for 55” Microsoft Surface Hub](surface-hub-technical-55.md) | New; previously available for download and on [Surface Hub Tech Spec](https://support.microsoft.com/help/4483539/surface-hub-tech-spec)
+[Technical information for 84” Microsoft Surface Hub ](surface-hub-technical-84.md) | New; previously available for download and on [Surface Hub Tech Spec](https://support.microsoft.com/help/4483539/surface-hub-tech-spec)
+[Surface Hub SSD replacement](surface-hub-ssd-replacement.md) | New; previously available for download only
+
## July 2018
New or changed topic | Description
diff --git a/devices/surface-hub/device-reset-surface-hub.md b/devices/surface-hub/device-reset-surface-hub.md
index 7fce01ab55..f562b84288 100644
--- a/devices/surface-hub/device-reset-surface-hub.md
+++ b/devices/surface-hub/device-reset-surface-hub.md
@@ -76,7 +76,7 @@ If the device account gets into an unstable state or the Admin account is runnin
On rare occasions, a Surface Hub may encounter an error while cleaning up user and app data at the end of a session. When this happens, the device will automatically reboot and try again. But if this operation fails repeatedly, the device will be automatically locked to protect user data. To unlock it, you must reset or recover the device from [Windows RE](https://technet.microsoft.com/library/cc765966.aspx).
-1. From the welcome screen, toggle the Surface Hub's power switch 3 times. Wait a few seconds between each toggle. See the [Surface Hub Site Readiness Guide (PDF)](https://download.microsoft.com/download/3/8/8/3883E991-DFDB-4E70-8D28-20B26045FC5B/Surface-Hub-Site-Readiness-Guide_EN.pdf) for help with locating the power switch.
+1. From the welcome screen, toggle the Surface Hub's power switch 3 times. Wait a few seconds between each toggle. See the [Surface Hub Site Readiness Guide (PDF)](surface-hub-site-readiness-guide.md) for help with locating the power switch.
2. The device should automatically boot into Windows RE.
3. After the Surface Hub enters Windows RE, select **Recover from the cloud**. (Optionally, you can choose **Reset**, however **Recover from the cloud** is the recommended approach.)
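Review bot: in step 1 the link text still reads `Surface Hub Site Readiness Guide (PDF)` although the target is now the in-repo topic `surface-hub-site-readiness-guide.md` instead of the download URL. Drop the `(PDF)` suffix so the label matches what the reader actually opens.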
diff --git a/devices/surface-hub/images/35mm.png b/devices/surface-hub/images/35mm.png
new file mode 100644
index 0000000000..7a414337b6
Binary files /dev/null and b/devices/surface-hub/images/35mm.png differ
diff --git a/devices/surface-hub/images/analog.png b/devices/surface-hub/images/analog.png
new file mode 100644
index 0000000000..1f1666903b
Binary files /dev/null and b/devices/surface-hub/images/analog.png differ
diff --git a/devices/surface-hub/images/caution.PNG b/devices/surface-hub/images/caution.PNG
new file mode 100644
index 0000000000..0f87b07c0f
Binary files /dev/null and b/devices/surface-hub/images/caution.PNG differ
diff --git a/devices/surface-hub/images/dport.png b/devices/surface-hub/images/dport.png
new file mode 100644
index 0000000000..2842f96ad4
Binary files /dev/null and b/devices/surface-hub/images/dport.png differ
diff --git a/devices/surface-hub/images/dportio.png b/devices/surface-hub/images/dportio.png
new file mode 100644
index 0000000000..02bf145d60
Binary files /dev/null and b/devices/surface-hub/images/dportio.png differ
diff --git a/devices/surface-hub/images/dportout.png b/devices/surface-hub/images/dportout.png
new file mode 100644
index 0000000000..4b6bb87663
Binary files /dev/null and b/devices/surface-hub/images/dportout.png differ
diff --git a/devices/surface-hub/images/hdmi.png b/devices/surface-hub/images/hdmi.png
new file mode 100644
index 0000000000..a2c69ace45
Binary files /dev/null and b/devices/surface-hub/images/hdmi.png differ
diff --git a/devices/surface-hub/images/iec.png b/devices/surface-hub/images/iec.png
new file mode 100644
index 0000000000..7ca6e9237b
Binary files /dev/null and b/devices/surface-hub/images/iec.png differ
diff --git a/devices/surface-hub/images/key-55.png b/devices/surface-hub/images/key-55.png
new file mode 100644
index 0000000000..d0ee9a5d13
Binary files /dev/null and b/devices/surface-hub/images/key-55.png differ
diff --git a/devices/surface-hub/images/replacement-port-55.PNG b/devices/surface-hub/images/replacement-port-55.PNG
new file mode 100644
index 0000000000..5bf0b51b02
Binary files /dev/null and b/devices/surface-hub/images/replacement-port-55.PNG differ
diff --git a/devices/surface-hub/images/replacement-port-84.PNG b/devices/surface-hub/images/replacement-port-84.PNG
new file mode 100644
index 0000000000..45284b4ab9
Binary files /dev/null and b/devices/surface-hub/images/replacement-port-84.PNG differ
diff --git a/devices/surface-hub/images/rj11.png b/devices/surface-hub/images/rj11.png
new file mode 100644
index 0000000000..f044354caa
Binary files /dev/null and b/devices/surface-hub/images/rj11.png differ
diff --git a/devices/surface-hub/images/rj45.png b/devices/surface-hub/images/rj45.png
new file mode 100644
index 0000000000..ca88423217
Binary files /dev/null and b/devices/surface-hub/images/rj45.png differ
diff --git a/devices/surface-hub/images/sh-55-bottom.png b/devices/surface-hub/images/sh-55-bottom.png
new file mode 100644
index 0000000000..3d718d1226
Binary files /dev/null and b/devices/surface-hub/images/sh-55-bottom.png differ
diff --git a/devices/surface-hub/images/sh-55-clearance.png b/devices/surface-hub/images/sh-55-clearance.png
new file mode 100644
index 0000000000..12fc35ec49
Binary files /dev/null and b/devices/surface-hub/images/sh-55-clearance.png differ
diff --git a/devices/surface-hub/images/sh-55-front.png b/devices/surface-hub/images/sh-55-front.png
new file mode 100644
index 0000000000..e1268ee328
Binary files /dev/null and b/devices/surface-hub/images/sh-55-front.png differ
diff --git a/devices/surface-hub/images/sh-55-hand-rear.png b/devices/surface-hub/images/sh-55-hand-rear.png
new file mode 100644
index 0000000000..b1ff007ec2
Binary files /dev/null and b/devices/surface-hub/images/sh-55-hand-rear.png differ
diff --git a/devices/surface-hub/images/sh-55-hand.png b/devices/surface-hub/images/sh-55-hand.png
new file mode 100644
index 0000000000..6f8d96ba8e
Binary files /dev/null and b/devices/surface-hub/images/sh-55-hand.png differ
diff --git a/devices/surface-hub/images/sh-55-rear.png b/devices/surface-hub/images/sh-55-rear.png
new file mode 100644
index 0000000000..840b941e03
Binary files /dev/null and b/devices/surface-hub/images/sh-55-rear.png differ
diff --git a/devices/surface-hub/images/sh-55-top.png b/devices/surface-hub/images/sh-55-top.png
new file mode 100644
index 0000000000..f8c93f5d1b
Binary files /dev/null and b/devices/surface-hub/images/sh-55-top.png differ
diff --git a/devices/surface-hub/images/sh-84-bottom.png b/devices/surface-hub/images/sh-84-bottom.png
new file mode 100644
index 0000000000..d7252537e4
Binary files /dev/null and b/devices/surface-hub/images/sh-84-bottom.png differ
diff --git a/devices/surface-hub/images/sh-84-clearance.png b/devices/surface-hub/images/sh-84-clearance.png
new file mode 100644
index 0000000000..8fd0cd2c32
Binary files /dev/null and b/devices/surface-hub/images/sh-84-clearance.png differ
diff --git a/devices/surface-hub/images/sh-84-front.png b/devices/surface-hub/images/sh-84-front.png
new file mode 100644
index 0000000000..8afa0de18b
Binary files /dev/null and b/devices/surface-hub/images/sh-84-front.png differ
diff --git a/devices/surface-hub/images/sh-84-hand-top.png b/devices/surface-hub/images/sh-84-hand-top.png
new file mode 100644
index 0000000000..1e52446eb0
Binary files /dev/null and b/devices/surface-hub/images/sh-84-hand-top.png differ
diff --git a/devices/surface-hub/images/sh-84-hand.png b/devices/surface-hub/images/sh-84-hand.png
new file mode 100644
index 0000000000..3e84a8a434
Binary files /dev/null and b/devices/surface-hub/images/sh-84-hand.png differ
diff --git a/devices/surface-hub/images/sh-84-rear.png b/devices/surface-hub/images/sh-84-rear.png
new file mode 100644
index 0000000000..5837d4e185
Binary files /dev/null and b/devices/surface-hub/images/sh-84-rear.png differ
diff --git a/devices/surface-hub/images/sh-84-side.png b/devices/surface-hub/images/sh-84-side.png
new file mode 100644
index 0000000000..6b1ad8385b
Binary files /dev/null and b/devices/surface-hub/images/sh-84-side.png differ
diff --git a/devices/surface-hub/images/sh-84-top.png b/devices/surface-hub/images/sh-84-top.png
new file mode 100644
index 0000000000..badc94af0b
Binary files /dev/null and b/devices/surface-hub/images/sh-84-top.png differ
diff --git a/devices/surface-hub/images/sh-84-wall.png b/devices/surface-hub/images/sh-84-wall.png
new file mode 100644
index 0000000000..15d2e5a848
Binary files /dev/null and b/devices/surface-hub/images/sh-84-wall.png differ
diff --git a/devices/surface-hub/images/ssd-click.PNG b/devices/surface-hub/images/ssd-click.PNG
new file mode 100644
index 0000000000..5dfcc57c42
Binary files /dev/null and b/devices/surface-hub/images/ssd-click.PNG differ
diff --git a/devices/surface-hub/images/ssd-lift-door.PNG b/devices/surface-hub/images/ssd-lift-door.PNG
new file mode 100644
index 0000000000..d395ce91aa
Binary files /dev/null and b/devices/surface-hub/images/ssd-lift-door.PNG differ
diff --git a/devices/surface-hub/images/ssd-location.PNG b/devices/surface-hub/images/ssd-location.PNG
new file mode 100644
index 0000000000..9b774456b1
Binary files /dev/null and b/devices/surface-hub/images/ssd-location.PNG differ
diff --git a/devices/surface-hub/images/ssd-lock-tab.PNG b/devices/surface-hub/images/ssd-lock-tab.PNG
new file mode 100644
index 0000000000..17c11dc7a2
Binary files /dev/null and b/devices/surface-hub/images/ssd-lock-tab.PNG differ
diff --git a/devices/surface-hub/images/ssd-pull-tab.PNG b/devices/surface-hub/images/ssd-pull-tab.PNG
new file mode 100644
index 0000000000..a306f08a13
Binary files /dev/null and b/devices/surface-hub/images/ssd-pull-tab.PNG differ
diff --git a/devices/surface-hub/images/switch.png b/devices/surface-hub/images/switch.png
new file mode 100644
index 0000000000..5ea0d21909
Binary files /dev/null and b/devices/surface-hub/images/switch.png differ
diff --git a/devices/surface-hub/images/usb.png b/devices/surface-hub/images/usb.png
new file mode 100644
index 0000000000..a743c6b634
Binary files /dev/null and b/devices/surface-hub/images/usb.png differ
diff --git a/devices/surface-hub/images/vga.png b/devices/surface-hub/images/vga.png
new file mode 100644
index 0000000000..016b42d1f4
Binary files /dev/null and b/devices/surface-hub/images/vga.png differ
diff --git a/devices/surface-hub/images/~$rface-hub-site-readiness-guide-en-us.docx b/devices/surface-hub/images/~$rface-hub-site-readiness-guide-en-us.docx
new file mode 100644
index 0000000000..1d44312447
Binary files /dev/null and b/devices/surface-hub/images/~$rface-hub-site-readiness-guide-en-us.docx differ
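Review bot: `~$rface-hub-site-readiness-guide-en-us.docx` is a Microsoft Word owner (lock) file, created while the .docx was open in Word, and it should not be committed, least of all under `images/`. Owner files record the name of the user who had the document open, so dropping it from this commit also keeps that out of a public repository. Consider adding `~$*` to `.gitignore` so it does not come back.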
diff --git a/devices/surface-hub/index.md b/devices/surface-hub/index.md
index f91b3e81bf..82f19b1a90 100644
--- a/devices/surface-hub/index.md
+++ b/devices/surface-hub/index.md
@@ -46,7 +46,7 @@ In some ways, adding your new Surface Hub is just like adding any other Microsof
| [Top support solutions for Surface Hub](support-solutions-surface-hub.md) | These are the top Microsoft Support solutions for common issues experienced using Surface Hub. |
| [Troubleshoot Microsoft Surface Hub](troubleshoot-surface-hub.md) | Troubleshoot common problems, including setup issues, Exchange ActiveSync errors. |
| [Troubleshoot Miracast on Surface Hub](miracast-troubleshooting.md) | Learn how to resolve Miracast issues. |
-| [Useful downloads for Surface Hub administrators](surface-hub-downloads.md) | This topic provides links to useful Surface Hub documents, such as product datasheets, the site readiness guide, and user's guide. |
+| [Useful downloads for Surface Hub administrators](surface-hub-downloads.md) | This topic provides links to useful Surface Hub documents. |
| [Change history for Surface Hub](change-history-surface-hub.md) | This topic lists new and updated topics in the Surface Hub documentation library. |
diff --git a/devices/surface-hub/manage-surface-hub.md b/devices/surface-hub/manage-surface-hub.md
index da29b06c9d..3761627ee5 100644
--- a/devices/surface-hub/manage-surface-hub.md
+++ b/devices/surface-hub/manage-surface-hub.md
@@ -41,6 +41,7 @@ Learn about managing and updating Surface Hub.
[Enable 802.1x wired authentication](enable-8021x-wired-authentication.md) | 802.1x Wired Authentication MDM policies have been enabled on Surface Hub devices.
| [Using a room control system](https://technet.microsoft.com/itpro/surface-hub/use-room-control-system-with-surface-hub) | Room control systems can be used with your Microsoft Surface Hub.|
[Using the Surface Hub Recovery Tool](surface-hub-recovery-tool.md) | Use the Surface Hub Recovery Tool to re-image the Surface Hub SSD.
+[Surface Hub SSD replacement](surface-hub-ssd-replacement.md) | Learn how to remove and replace the solid state drive in your Surface Hub.
## Related topics
diff --git a/devices/surface-hub/physically-install-your-surface-hub-device.md b/devices/surface-hub/physically-install-your-surface-hub-device.md
index f750d07a4f..9c22a5b744 100644
--- a/devices/surface-hub/physically-install-your-surface-hub-device.md
+++ b/devices/surface-hub/physically-install-your-surface-hub-device.md
@@ -15,7 +15,7 @@ ms.localizationpriority: medium
# Physically install Microsoft Surface Hub
-The Microsoft Surface Hub Readiness Guide will help make sure that your site is ready for the installation. You can download the Guide from the [Microsoft Download Center](https://go.microsoft.com/fwlink/?LinkId=718144). It includes planning information for both the 55" and 84" devices, as well as info on moving the Surface Hub from receiving to the installation location, mounting options, and a list of what's in the box.
+The [Microsoft Surface Hub Readiness Guide](surface-hub-site-readiness-guide.md) will help make sure that your site is ready for the installation. It includes planning information for both the 55" and 84" devices, as well as info on moving the Surface Hub from receiving to the installation location, mounting options, and a list of what's in the box.
You may also want to check out the Unpacking Guide. It will show you how to unpack the devices efficiently and safely. There are two guides, one for the 55" and one for the 84". A printed version of the Unpacking Guide is attached to the outside front of each unit's shipping crate.
diff --git a/devices/surface-hub/surface-hub-downloads.md b/devices/surface-hub/surface-hub-downloads.md
index 689358891c..fd4d2c9332 100644
--- a/devices/surface-hub/surface-hub-downloads.md
+++ b/devices/surface-hub/surface-hub-downloads.md
@@ -12,16 +12,14 @@ ms.localizationpriority: medium
# Useful downloads for Microsoft Surface Hub
-This topic provides links to useful Surface Hub documents, such as product datasheets, the site readiness guide, and user's guide.
+This topic provides links to useful Surface Hub documents, such as product datasheets and user's guide.
| Link | Description |
| --- | --- |
-| [Surface Hub Site Readiness Guide (PDF)](https://download.microsoft.com/download/3/8/8/3883E991-DFDB-4E70-8D28-20B26045FC5B/Surface-Hub-Site-Readiness-Guide_EN.pdf) | Make sure your site is ready for Surface Hub, including structural and power requirements, and get technical specs for Surface Hub. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/27/aa/27aa7dd7-7cb7-40ea-9bd6-c7de0795f68c.mov?n=04.07.16_installation_video_01_site_readiness.mov) |
| [Surface Hub Setup Guide (English, French, Spanish) (PDF)](https://download.microsoft.com/download/0/1/6/016363A4-8602-4F01-8281-9BE5C814DC78/Setup-Guide_EN-FR-SP.pdf) | Get a quick overview of how to set up the environment for your new Surface Hub. |
| [Surface Hub Quick Reference Guide (PDF)](https://download.microsoft.com/download/9/E/E/9EE660F8-3FC6-4909-969E-89EA648F06DB/Surface%20Hub%20Quick%20Reference%20Guide_en-us.pdf) | Use this quick reference guide to get information about key features and functions of the Surface Hub. |
| [Surface Hub User Guide (PDF)](https://download.microsoft.com/download/3/6/B/36B6331E-0C63-4E71-A05D-EE88D05081F8/surface-hub-user-guide-en-us.pdf) | Learn how to use Surface Hub in scheduled or ad-hoc meetings. Invite remote participants, use the built-in tools, save data from your meeting, and more. |
| [Surface Hub Replacement PC Drivers](https://www.microsoft.com/download/details.aspx?id=52210) | The Surface Hub Replacement PC driver set is available for those customers who have chosen to disable the Surface Hub’s internal PC and use an external computer with their 84” or 55” Surface Hub. This download is meant to be used with the Surface Hub Admin Guide , which contains further details on configuring a Surface Hub Replacement PC. |
-| [Surface Hub SSD Replacement Guide (PDF)](https://download.microsoft.com/download/1/F/2/1F202254-7156-459F-ABD2-39CF903A25DE/surface-hub-ssd-replacement-guide_en-us.pdf) | Learn how to replace the solid state drive (SSD) for the 55- and 84-inch Surface Hub. |
| [Microsoft Surface Hub Rollout and Adoption Success Kit (ZIP)](https://download.microsoft.com/download/F/A/3/FA3ADEA4-4966-456B-8BDE-0A594FD52C6C/Surface_Hub_Adoption_Kit_Final_0519.pdf) | Best practices for generating awareness and implementing change management to maximize adoption, usage, and benefits of Microsoft Surface Hub. The Rollout and Adoption Success Kit zip file includes the Rollout and Adoption Success Kit detailed document, Surface Hub presentation, demo guidance, awareness graphics, and more. |
| [Unpacking Guide for 84-inch Surface Hub (PDF)](https://download.microsoft.com/download/5/2/B/52B4007E-D8C8-4EED-ACA9-FEEF93F6055C/84_Unpacking_Guide_English_French-Spanish.pdf) | Learn how to unpack your 84-inch Surface Hub efficiently and safely. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/75/2b/752b73dc-6e9d-4692-8ba1-0f9fc03bff6b.mov?n=04.07.16_installation_video_03_unpacking_84.mov) |
| [Unpacking Guide for 55-inch Surface Hub (PDF)](https://download.microsoft.com/download/2/E/7/2E7616A2-F936-4512-8052-1E2D92DFD070/55_Unpacking_Guide_English-French-Spanish.PDF) | Learn how to unpack your 55-inch Surface Hub efficiently and safely. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/a9/d6/a9d6b4d7-d33f-4e8b-be92-28f7fc2c06d7.mov?n=04.07.16_installation_video_02_unpacking_55.mov) |
diff --git a/devices/surface-hub/surface-hub-recovery-tool.md b/devices/surface-hub/surface-hub-recovery-tool.md
index e6e0eeb5c1..866a2de12f 100644
--- a/devices/surface-hub/surface-hub-recovery-tool.md
+++ b/devices/surface-hub/surface-hub-recovery-tool.md
@@ -16,7 +16,7 @@ ms.localizationpriority: medium
The [Microsoft Surface Hub Recovery Tool](https://www.microsoft.com/download/details.aspx?id=52210) helps you re-image your Surface Hub Solid State Drive (SSD) using a Windows 10 desktop device, without calling support or replacing the SSD. With this tool, you can reimage an SSD that has an unknown Administrator password, boot errors, was unable to complete a cloud recovery, or for a device that has an older version of the operating system. The tool will not fix physically damaged SSDs.
-To re-image the Surface Hub SSD using the Recovery Tool, you'll need to remove the SSD from the Surface Hub, connect the drive to the USB-to-SATA cable, and then connect the cable to the desktop PC on which the Recovery Tool is installed. For more information on how to remove the existing drive from your Surface Hub, please refer to the [Surface Hub SSD Replacement Guide (PDF)](https://download.microsoft.com/download/1/F/2/1F202254-7156-459F-ABD2-39CF903A25DE/surface-hub-ssd-replacement-guide_en-us.pdf).
+To re-image the Surface Hub SSD using the Recovery Tool, you'll need to remove the SSD from the Surface Hub, connect the drive to the USB-to-SATA cable, and then connect the cable to the desktop PC on which the Recovery Tool is installed. For more information on how to remove the existing drive from your Surface Hub, see [Surface Hub SSD replacement](surface-hub-ssd-replacement.md).
>[!IMPORTANT]
>Do not let the device go to sleep or interrupt the download of the image file.
@@ -73,7 +73,8 @@ Install Surface Hub Recovery Tool on the host PC.

-5. When the download is complete, the tool instructs you to connect an SSD drive. If the tool is unable to locate the attached drive, there is a good chance that the cable being used is not reporting the name of the SSD to Windows. The imaging tool must find the name of the drive as "LITEON L CH-128V2S USB Device" before it can continue. For more information on how to remove the existing drive from your Surface Hub, please refer to the [Surface Hub SSD Replacement Guide (PDF)](https://download.microsoft.com/download/1/F/2/1F202254-7156-459F-ABD2-39CF903A25DE/surface-hub-ssd-replacement-guide_en-us.pdf).
+5. When the download is complete, the tool instructs you to connect an SSD drive. If the tool is unable to locate the attached drive, there is a good chance that the cable being used is not reporting the name of the SSD to Windows. The imaging tool must find the name of the drive as "LITEON L CH-128V2S USB Device" before it can continue. For more information on how to remove the existing drive from your Surface Hub, see [Surface Hub SSD replacement](surface-hub-ssd-replacement.md).
+

diff --git a/devices/surface-hub/surface-hub-site-readiness-guide.md b/devices/surface-hub/surface-hub-site-readiness-guide.md
new file mode 100644
index 0000000000..2d6c5d82de
--- /dev/null
+++ b/devices/surface-hub/surface-hub-site-readiness-guide.md
@@ -0,0 +1,135 @@
+---
+title: Surface Hub Site Readiness Guide
+description: Use this Site Readiness Guide to help plan your Surface Hub installation.
+ms.prod: surface-hub
+ms.sitesec: library
+author: jdeckerms
+ms.author: jdecker
+ms.topic: article
+ms.localizationpriority: medium
+---
+
+# Surface Hub Site Readiness Guide
+
+Use this Site Readiness Guide to help plan your Surface Hub installation. In this guide, you’ll find:
+- Site readiness topics
+- Detailed hardware specifications on power, ports, and cables
+- Recommendations for moving and storage
+- Links to guidance on unpacking and mounting
+
+## Site readiness planning
+
+The room needs to be large enough to provide good viewing angles, but small enough for the microphones to pick up clear signals from the people in the room. Most rooms that are about 22 feet (seven meters) long will provide a good meeting experience. In the conference area, mount Surface Hub where:
+
+- Everyone in the room can see it.
+- People can reach all four edges of the touchscreen.
+- The screen is not in direct sunlight, which could affect viewing or damage the screen.
+- Ventilation openings are not blocked.
+- Microphones are not affected by noise sources, such as fans or vents.
+You can find more details in the [55” Microsoft Surface Hub technical information](surface-hub-technical-55.md) or [84” Microsoft Surface Hub technical information](surface-hub-technical-84.md) sections. For cleaning, care, and safety information, see the mounting guides and user guide at http://www.microsoft.com/surface/support/surface-hub.
+
+### Hardware considerations
+
+Surface Hub arrives with:
+- Two Microsoft Surface Hub pens
+- A Microsoft wireless keyboard, customized for Surface Hub
+- A 9-foot NEMA 5-15P (US Standard) to C13 power cable
+
+You’ll need to provide:
+- Cat-5e or Cat-6 network cables
+- Display cables (optional)
+- Audio cable (optional)
+- Type A to B USB cable (optional)
+
+For details about cable ports, see the [55” Microsoft Surface Hub technical information](surface-hub-technical-55.md) or [84” Microsoft Surface Hub technical information](surface-hub-technical-84.md) sections. For details about cables, see [Wired Connect](#wired).
+
+Microsoft Surface Hub has an internal PC and does not require an external computer system.
+
+For power recommendations, see [55” Microsoft Surface Hub technical information](surface-hub-technical-55.md) or [84” Microsoft Surface Hub technical information](surface-hub-technical-84.md). For power cable safety warnings, see the mounting guides at http://www.microsoft.com/surface/support/surface-hub.
+
+### Data and other connections
+
+To use Surface Hub, you need an active Ethernet port and a standard power outlet. In addition, you may want to:
+
+- Equip the conference table for Wired Connect.
+- Expand the wall outlet configuration to include:
+ - Additional AC outlets
+ - Ethernetports
+ - Audio ports
+ - Video ports (DisplayPort, HDMI, VGA, etc.)
+
+
+## When Surface Hub arrives
+
+Surface Hub is large and heavy, so let Receiving know when it will arrive and what they should do to handle it safely. For details on the packing weights and other specifications, see [55” Microsoft Surface Hub technical information](surface-hub-technical-55.md) or [84” Microsoft Surface Hub technical information](surface-hub-technical-84.md).
+
+Consider the following:
+- Wait to unpack Surface Hub from the shipping container until you’ve moved it to the conference area where you plan to install it.
+- Make sure your loading dock can accept a shipment on a pallet and hold it securely until it can be installed.
+- Check for local labor union rules that would require you to use union labor to unload or move Surface Hub.
+- Do not leave Surface Hub in a hot or humid environment. As with any computer-based or display equipment, heat and humidity can damage Surface Hub. The recommended storage temperatures are 32°F to 95°F with a relative humidity of less than 70 percent.
+
+### Moving Surface Hub
+
+Before you move Surface Hub, make sure that all the doorways, thresholds, hallways, and elevators are big enough to accommodate it. For information on the dimensions and weight of your Surface Hub in its shipping container, see [55” Microsoft Surface Hub technical information](surface-hub-technical-55.md) or [84” Microsoft Surface Hub technical information](surface-hub-technical-84.md).
+
+### Unpacking Surface Hub
+
+For unpacking information, refer to the unpacking guide included in the shipping container. You can open the unpacking instructions before you open the shipping container. These instructions can also be found here: http://www.microsoft.com/surface/support/surface-hub
+
+>[!IMPORTANT]
+>Retain and store all Surface Hub shipping materials—including the pallet, container, and screws—in case you need to ship Surface Hub to a new location or send it
+for repairs. For the 84” Surface Hub, retain the lifting handles.
+
+### Lifting Surface Hub
+
+The 55” Surface Hub requires two people to safely lift and mount. The 84” Surface Hub requires four people to safely lift and mount. Those assisting must be able to lift 70 pounds to waist height. Review the unpacking and mounting guide for details on lifting Surface Hub. You can find it at http://www.microsoft.com/surface/support/surface-hub.
+
+## Mounting and setup
+
+See the [Technical information]() section, or your mounting guide at http://www.microsoft.com/surface/support/surface-hub, for detailed instructions.
+
+There are three ways to mount your Surface Hub:
+
+- **Wall mount**: Lets you permanently hang Surface Hub on a conference space wall.
+- **Floor support mount**: Supports Surface Hub on the floor while it is permanently anchored to a conference space wall.
+- **Rolling stand**: Supports Surface Hub and lets you move it to other conference locations. For links to guides that provide details about each mounting method, including building requirements, see http://www.microsoft.com/surface/support/surface-hub.
+
+
+## The Connect experience
+
+Connect lets people project their laptop, tablet, or phone to the Surface Hub screen. Connect allows wireless or wired connection types.
+
+#### Wireless connect
+
+Since wireless connect is based on Miracast, you don’t need cables or additional setup planning to use it. Your users can load Miracast on most Miracast-enabled Windows 8.1 and Windows 10 devices. Then they can project their display from their computer or phone to the Surface Hub screen.
+
+
+#### Wired connect
+
+With wired connect, a cable transmits information from computers, tablets, or phones to Surface Hub. There are three video cable options, and they all use the same USB 2.0 cable. The cable bundle can include one or all of these connection options.
+
+- DisplayPort (DisplayPort cable + USB 2.0 cable)
+- HDMI (HDMI cable + USB 2.0 cable)
+- VGA (VGA cable + 3.5mm audio cable + USB 2.0 cable)
+
+For example, to provide audio, video, and touchback capability to all three video options, your Wired Connect cable bundle must include:
+
+- A DisplayPort cable
+- An HDMI cable
+- A VGA cable
+- A USB 2.0 cable
+- A 3.5mm cable
+
+When you create your wired connect cable bundles, check the [55” Microsoft Surface Hub technical information](surface-hub-technical-55.md) or [84” Microsoft Surface Hub technical information](surface-hub-technical-84.md) sections for specific technical and physical details and port locations for each type of Surface Hub. Make the cables long enough to reach from Surface Hub to where the presenter will sit or stand.
+
+For details on Touchback and Inkback, see the user guide at http://www.microsoft.com/surface/support/surface-hub.
+
+
+
+## See also
+
+[Watch the video (opens in a pop-up media player)][http://compass.xbox.com/assets/27/aa/27aa7dd7-7cb7-40ea-9bd6-c7de0795f68c.mov?n=04.07.16_installation_video_01_site_readiness.mov)
+
+
+
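Review bot: Several links in the new surface-hub-site-readiness-guide.md will not resolve. Under "See also", `[Watch the video (opens in a pop-up media player)][http://compass.xbox.com/...` uses `][` where `](` is needed. Under "Mounting and setup", `[Technical information]()` has an empty target. `[Wired Connect](#wired)` points at an anchor that is not defined anywhere in the file (the heading is "Wired connect"). The support and video links are also all plain `http://`; use `https://` where the host supports it. Smaller points: "Ethernetports" needs a space, the paragraph starting "You can find more details" needs a blank line after the bullet list so it is not folded into the last item, and the second line of the `>[!IMPORTANT]` note ("for repairs. For the 84” Surface Hub...") is missing its leading `>`.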
diff --git a/devices/surface-hub/surface-hub-ssd-replacement.md b/devices/surface-hub/surface-hub-ssd-replacement.md
new file mode 100644
index 0000000000..277ceef816
--- /dev/null
+++ b/devices/surface-hub/surface-hub-ssd-replacement.md
@@ -0,0 +1,52 @@
+---
+title: Surface Hub SSD replacement
+description: Learn how to replace the solid state drive in a Surface Hub.
+ms.prod: surface-hub
+ms.sitesec: library
+author: jdeckerms
+ms.author: jdecker
+ms.topic: article
+ms.localizationpriority: medium
+---
+
+# Surface Hub SSD replacement
+
+You might need to remove the solid state drive (SSD) from your Surface Hub so that you can reimage it using the [Surface Hub Recovery Tool](surface-hub-recovery-tool.md) or because you've been sent a replacement drive. You would reimage your SSD when the operating system is no longer bootable, such as from a Windows update failure, BitLocker issues, reset failure, or hardware failure.
+
+
+>[!WARNING]
+>Make sure the Surface Hub is turned off at the AC switch.
+
+1. Locate the SSD compartment door on the rear, upper portion of the Surface Hub in the locations illustrated below. The door is identifiable as it doesn't have open ventilation slots.
+
+ 
+
+ *Surface Hub hard drive locations*
+
+2. Locate the locking tab on the hard drive compartment door. On the Surface Hub 55, the locking tab will be located on the left-hand side of the door. On the Surface Hub 84, it will be on the right-hand side as shown in the illustration.
+
+ 
+
+ *Locking tab on hard drive compartment door*
+
+3. Lift open the compartment door to access the hard drive.
+
+ 
+
+ *Lift compartment door*
+
+4. Locate the pull tab, which may be partially hidden under the rear cover. Pull on the tab to eject the hard drive from the compartment.
+
+ 
+
+ *Pull tab*
+
+5. Slide the replacement drive into place until you hear it click.
+
+ 
+
+ *Slide replacement drive into place*
+
+6. Close the compartment door.
+
+7. Apply power to the Surface Hub.
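Review bot: Step 2 only tells the reader to locate the locking tab, and step 3 goes straight to lifting the door, so no step says to release the tab. State the action explicitly (which way to slide or press it) in step 2 or as its own step. The text also alternates between "SSD" and "hard drive" for the same part, including in the captions, so pick one. Since the intro names BitLocker issues and replacement drives as reasons for the swap, a closing line on what to do with the removed drive (return it, reimage it, or wipe it) would complete the procedure.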
diff --git a/devices/surface-hub/surface-hub-technical-55.md b/devices/surface-hub/surface-hub-technical-55.md
new file mode 100644
index 0000000000..bfcca2c16f
--- /dev/null
+++ b/devices/surface-hub/surface-hub-technical-55.md
@@ -0,0 +1,151 @@
+---
+title: Technical information for 55" Surface Hub
+description: Specifications for the 55" Surface Hub
+ms.prod: surface-hub
+ms.sitesec: library
+author: jdeckerms
+ms.author: jdecker
+ms.topic: article
+ms.localizationpriority: medium
+---
+
+# Technical information for 55" Surface Hub
+
+## Measurements
+
+|
+--- | ---
+Pricing | Starting at $8,999
+Size | 31.75” x 59.62” x 3.38” (806.4mm x 1514.3mm x 85.8mm)
+Storage/RAM | SSD 128GB with 8GB RAM
+Processor | 4th Generation Intel® Core™ i5
+Graphics | Intel® HD 4600
+Ports | **Internal PC**
• (1) USB 3.0 (bottom) + (1) USB 3.0 (side access)
• (2) USB 2.0
• Ethernet 1000 Base-T
• DisplayPort
• Video Output
• 3.5mm Stereo Out
• RJ11 Connector for system-level control
**Alternate PC**
• (2) USB 2.0 type B output
• Connection for Camera, Sensors, Microphone, Speakers
• (1) DisplayPort Video Input
**Guest PC**
• DisplayPort Video Input
• HDMI Video Input
• VGA Video Input
• 3.5mm Stereo Input
• (1) USB 2.0 type B Touchback™ Output
+Sensors | (2) Passive Infrared Presence Sensors, Ambient Light Sensors
+Speakers | (2) Front-facing stereo speakers
+Microphone | High-Performance, 4-Element Array
+Camera | (2) Wide angle HD cameras 1080p @ 30fps
+Pen | (2) Powered, active, subpixel accuracy
+Physical side buttons | Power, Input Select, Volume, Brightness
+Software | Windows 10 + Office (Word, PowerPoint, Excel)
+What’s in the box | • Surface Hub 55”
• (2) Surface Hub Pens
• Power Cable
• Setup Guide
• Start Guide
• Safety and Warranty documents
• Wireless All-in-One Keyboard
+Mounting features | 4X VESA standard, 400mm x 400mm plus 1150mm x 400mm pattern, 8X M6 X 1.0 threaded mounting locations
+Display height from floor | Recommended height of 55 inches (139.7 cm) to center of screen
+Product weight | Approx. 105 lb. (47.6 kg) without accessories
+Product shipping weight | Approx. 150 lb. (68 kg)
+Product dimensions HxWxD | 31.63 x 59.62 x 3.2 inches (80.34 x 151.44 x 8.14 cm)
+Product shipping dimensions HxWxD | 43 x 65 x 20 inches (109 x 165 x 51 cm)
+Product thickness | Touch surface to mounting surface: ≤ 2.4 inches (6 cm)
+Orientation | Landscape only. Display cannot be used in a portrait orientation.
+BTU | 1706 BTU/h
+Image resolution | 1920 x 1080
+Frame rate | 120Hz
+EDID preferred timing, replacement PC | 1920 x 1080, 120Hz vertical refresh
+EDID preferred timing, wired connect | 1920 x 1080, 60Hz vertical refresh
+Input voltage | (50/60Hz) 110/230v nominal, 90-265v max
+Input power, operating | 500W max
+Input power, standby | 5W nominal
+
+
+## Replacement PC connections
+
+Connector and location | Label | Description
+--- | --- | ---
+Switch, bottom I/O |  | Switches the function between using internal PC or external PC.
+Display port, bottom I/O |  | Provides input for replacement PC.
+USB type B, bottom I/O |  | Provides USB connection for replacement PC to internal peripherals.
+USB type B, bottom I/O |  | Provides USB connection for integrated hub.
+
+
+## Wired connect connections
+
+Connector and location | Label | Description
+--- | --- | ---
+Display port, bottom I/O |  | Provides input for wired connect PC.
+HDMI, bottom I/O |  | Provides HDMI input for wired connect PC.
+VGA, bottom I/O |  | Provides VGA input for wired connect PC.
+3.5mm, bottom I/O |  | Provides analog audio input.
+USB type B, bottom I/O |  | Provides USB connection for video ingest touchback.
+
+## Additional connections
+
+Connector and location | Label | Description
+--- | --- | ---
+USB type A, side I/O |  | Provides 1 USB 3.0 connection for USB devices. Wake-on USB capable.
+USB type A, bottom I/O with blue insulator |  | Provides USB 3.0 connection.
+3.5mm, bottom I/O |  | Provides analog audio out.
+Display port, bottom I/O |  | Provides mirrored video out function to another display.
+IEC/EN60320-C13 receptable with hard switch |  | Provides AC input and compliance with EU power requirements.
+RJ45, bottom I/O |  | Connects to Ethernet.
+RJ11, bottom I/O |  | Connects to room control systems.
+
+
+
+
+
+
+
+## Diagrams of ports and clearances
+
+***Top view of 55" Surface Hub***
+
+
+
+---
+
+
+***Front view of 55" Surface Hub***
+
+
+
+
+---
+
+***Bottom view of 55" Surface Hub***
+
+
+
+
+---
+
+***Replacement PC ports on 55" Surface Hub***
+
+
+
+
+---
+
+***Keypad on right side of 55" Surface Hub***
+
+
+
+
+---
+
+***Rear view of 55" Surface Hub***
+
+
+
+
+---
+
+***Clearances for 55" Surface Hub***
+
+
+
+---
+
+
+***Front and bottom handholds and clearances for 55" Surface Hub***
+
+
+
+
+---
+
+
+***Rear handholds and clearances for 55" Surface Hub***
+
+
+
+
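Review bot: The Measurements table gives two different sets of dimensions for the same device: the "Size" row has 31.75” x 59.62” x 3.38” (806.4mm x 1514.3mm x 85.8mm) while "Product dimensions HxWxD" has 31.63 x 59.62 x 3.2 inches (80.34 x 151.44 x 8.14 cm). Reconcile them or say what each row measures. The table header is also a lone `|` above `--- | ---`, which may not render as a table, so give it an explicit two-column header row. In the Ports cell, "DisplayPort" and "Video Output" are separate bullets where the 84" file has the single item "DisplayPort Video Output". In "Additional connections", "receptable" should be "receptacle".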
diff --git a/devices/surface-hub/surface-hub-technical-84.md b/devices/surface-hub/surface-hub-technical-84.md
new file mode 100644
index 0000000000..b4c17e178c
--- /dev/null
+++ b/devices/surface-hub/surface-hub-technical-84.md
@@ -0,0 +1,157 @@
+---
+title: Technical information for 84" Surface Hub
+description: Specifications for the 84" Surface Hub
+ms.prod: surface-hub
+ms.sitesec: library
+author: jdeckerms
+ms.author: jdecker
+ms.topic: article
+ms.localizationpriority: medium
+---
+
+# Technical information for 84" Surface Hub
+
+## Measurements
+
+|
+--- | ---
+Pricing | Starting at $21,999
+Size | 46.12” x 86.7” x 4.15” (1171.5mm x 2202.9mm x 105.4mm)
+Storage/RAM | SSD 128GB with 8GB RAM
+Processor | 4th Generation Intel® Core™ i7
+Graphics | NVIDIA Quadro K2200
+Ports | **Internal PC**
• (1) USB 3.0 (bottom) + (1) USB 3.0 (side access)
• (4) USB 2.0
• Ethernet 1000 Base-T
• DisplayPort Video Output
• 3.5mm Stereo Out
• RJ11 Connector for system-level control
**Alternate PC**
• (2) USB 2.0 type B output
• connection for Camera, Sensors, Microphone, Speakers
• (2) DisplayPort Video Input
**Guest PC**
• DisplayPort Video Input
• HDMI Video Input
• VGA Video Input
• 3.5mm Stereo Input
• (1) USB 2.0 type B Touchback™ Output
+Sensors | (2) Passive Infrared Presence Sensors, Ambient Light Sensors
+Speakers | (2) Front-facing stereo speakers
+Microphone | High-Performance, 4-Element Array
+Camera | (2) Wide angle HD cameras 1080p @ 30fps
+Pen | (2) Powered, active, subpixel accuracy
+Physical side buttons | Power, Input Select, Volume, Brightness
+Software | Windows 10 + Office (Word, PowerPoint, Excel)
+What’s in the box | • Surface Hub 84”
• (2) Surface Hub Pens
• Power Cable
• Setup Guide
• Safety and Warranty documents
• Wireless All-in-One Keyboard
+Mounting features | 4X VESA standard, 1200mm x 600mm pattern, 8X M8 X 1.25 threaded mounting locations
+Display height from floor | Recommended height of 54 inches (139.7 cm) to center of screen
+Product weight | Approx. 280 lb. (127 kg.)
+Product shipping weight | Approx. 580 lb. (263 kg.)
+Product dimensions HxWxD | 46 x 86.9 x 4.1 inches (116.8 x 220.6 x 10.4 cm)
+Product shipping dimensions HxWxD | 66.14 x 88.19 x 24.4 inches (168 x 224 x 62 cm)
+Product thickness | Touch surface to mounting surface: ≤ 3.1 inches (7.8 cm)
+Orientation | Landscape only. Display cannot be used in a portrait orientation.
+BTU | 3070.8 BTU/h
+Image resolution | 3840 x 2160
+Frame rate | 120Hz
+Contrast Ratio | 1400:1
+EDID preferred timing, replacement PC | 3840 x 2140, 120Hz vertical refresh
+EDID preferred timing, wired connect | 1920 x 1080, 60Hz vertical refresh
+Input voltage | 110/230v nominal, 90-265v max
+Input power, operating | 900W max
+Input power, standby | 5W nominal, 1-10W max
+
+
+## Replacement PC connections
+
+Connector and location | Label | Description
+--- | --- | ---
+Switch, bottom I/O |  | Switches the function between using internal PC or external PC.
+Display port, bottom I/O |  | Provides input for replacement PC.
+Display port, bottom I/O |  | Provides second input for replacement PC.
+USB type B, bottom I/O |  | Provides USB connection for replacement PC to internal peripherals.
+USB type B, bottom I/O |  | Provides USB connection for integrated hub.
+
+
+## Wired connect connections
+
+Connector and location | Label | Description
+--- | --- | ---
+Display port, bottom I/O |  | Provides input for wired connect PC.
+HDMI, bottom I/O |  | Provides HDMI input for wired connect PC.
+VGA, bottom I/O |  | Provides VGA input for wired connect PC.
+3.5mm, bottom I/O |  | Provides analog audio input.
+USB type B, bottom I/O |  | Provides USB connection for video ingest touchback.
+
+## Additional connections
+
+Connector and location | Label | Description
+--- | --- | ---
+USB type A, side I/O |  | Provides 1 USB 3.0 connection for USB devices. Wake-on USB capable.
+USB type A, bottom I/O with blue insulator |  | Provides USB 3.0 connection.
+3.5mm, bottom I/O |  | Provides analog audio out.
+Display port, bottom I/O |  | Provides mirrored video out function to another display.
+IEC/EN60320-C13 receptable with hard switch |  | Provides AC input and compliance with EU power requirements.
+RJ45, bottom I/O |  | Connects to Ethernet.
+RJ11, bottom I/O |  | Connects to room control systems.
+
+
+
+
+
+
+
+## Diagrams of ports and clearances
+
+***Top view of 84" Surface Hub***
+
+
+
+---
+
+
+***Front view of 84" Surface Hub***
+
+
+
+
+---
+
+***Bottom view of 84" Surface Hub***
+
+
+
+
+---
+
+***Replacement PC ports on 84" Surface Hub***
+
+
+
+
+
+---
+
+***Rear view of 84" Surface Hub***
+
+
+
+
+---
+
+***Clearances for 84" Surface Hub***
+
+
+
+---
+
+
+***Removable lifting handles on 84” Surface Hub ***
+
+
+
+
+---
+
+
+***Wall mount threads on back of 84” Surface Hub ***
+
+
+
+---
+***Lifting handles in top view of 84” Surface Hub***
+
+
+
+---
+***Side view of 84” Surface Hub***
+
+
+
+
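Review bot: the EDID preferred timing for the replacement PC is given as 3840 x 2140, while the Image resolution row in the same table says 3840 x 2160; one of the two is probably a typo and should be checked against the hardware spec. Also in this file: "receptable" in the IEC/EN60320-C13 row should read "receptacle", the diagram captions mix straight (84") and curly (84”) quotes, and two captions have a space before the closing asterisks ("Surface Hub ***"), which stops the bold-italic from rendering.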
diff --git a/devices/surface-hub/surface-hub.yml b/devices/surface-hub/surface-hub.yml
index 0a9e948ca5..dac70e8f37 100644
--- a/devices/surface-hub/surface-hub.yml
+++ b/devices/surface-hub/surface-hub.yml
@@ -34,7 +34,7 @@ sections:
- type: markdown
text: "
Prepare to deploy Surface Hub in your organization. Explore site readiness, assembly, configuration, and Exchange and ActiveSync policies.
-
 **Get ready for Surface Hub** Explore the steps you'll need to take to set up Surface Hub. Surface Hub Site Readiness Guide (PDF, 1.48 MB) Unpacking guides |  **Assembly for Surface Hub** Learn how to assemble your Surface Hub. Surface Hub Setup Guide (PDF, 1.43 MB) Mounting and assembling guides |  **Prepare your environment** Learn about setup dependencies and account requirements. Prepare your environment Create and test a device account |
+
"
- title: Deploy
diff --git a/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md b/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md
index 7c9ec9ded2..703010dfa2 100644
--- a/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md
+++ b/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md
@@ -14,7 +14,7 @@ ms.date: 04/23/2017
# How to Enable BitLocker by Using MBAM as Part of a Windows Deployment
-This topic explains how to enable BitLocker on an end user's computer by using MBAM as part of your Windows imaging and deployment process. If you see a black screen at restart (after Install phase concludes) indicating that the drive cannot be unlocked, see [Windows versions prior Windows 10 build 1511 fail to start after "Setup Windows and Configuration Manager" step when Pre-Provision BitLocker is used with Windows PE 10.0.586.0 (1511)](https://blogs.technet.microsoft.com/system_center_configuration_manager_operating_system_deployment_support_blog/2016/03/30/windows-versions-prior-windows-10-build-1511-fail-to-start-after-setup-windows-and-configuration-manager-step-when-pre-provision-bitlocker-is-used-with-windows-pe-10-0-586-0-1511/).
+This topic explains how to enable BitLocker on an end user's computer by using MBAM as part of your Windows imaging and deployment process. If you see a black screen at restart (after Install phase concludes) indicating that the drive cannot be unlocked, see [Earlier Windows versions don't start after "Setup Windows and Configuration Manager" step if Pre-Provision BitLocker is used with Windows 10, version 1511](https://support.microsoft.com/en-us/help/4494799/earlier-windows-versions-don-t-start-after-you-use-pre-provision-bitlo).
**Prerequisites:**
@@ -330,4 +330,4 @@ Here are a list of common error messages:
## Got a suggestion for MBAM?
- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring).
-- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
\ No newline at end of file
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
diff --git a/store-for-business/microsoft-store-for-business-overview.md b/store-for-business/microsoft-store-for-business-overview.md
index 276c980fae..0bf1fdc2d4 100644
--- a/store-for-business/microsoft-store-for-business-overview.md
+++ b/store-for-business/microsoft-store-for-business-overview.md
@@ -360,7 +360,7 @@ Customers in these markets can use Microsoft Store for Business and Education to
- Ukraine
### Support to only manage products
-Customers in these markets can use Microsoft Store for Business and Education only to manage products that they've purchased from other channels. For example, they might have purchased products through Volume Licensing Service Center. However, they can't purhcase apps directly from Microsoft Store for Business and Education.
+Customers in these markets can use Microsoft Store for Business and Education only to manage products that they've purchased from other channels. For example, they might have purchased products through Volume Licensing Service Center. However, they can't purchase apps directly from Microsoft Store for Business and Education.
- Puerto Rico
This table summarize what customers can purchase, depending on which Microsoft Store they are using.
diff --git a/store-for-business/roles-and-permissions-microsoft-store-for-business.md b/store-for-business/roles-and-permissions-microsoft-store-for-business.md
index 2b6e890314..48a7bcf332 100644
--- a/store-for-business/roles-and-permissions-microsoft-store-for-business.md
+++ b/store-for-business/roles-and-permissions-microsoft-store-for-business.md
@@ -81,6 +81,6 @@ This table lists the roles and their permissions.
>You need to be a Global Administrator, or have the Billing account owner role to access **Permissions**.
2. Select **Manage**, and then select **Permissions**.
-3. On **Roles**, or **Purchasing roles**, select **Assing roles**.
+3. On **Roles**, or **Purchasing roles**, select **Assign roles**.
4. Enter a name, choose the role you want to assign, and select **Save**.
- If you don't find the name you want, you might need to add people to your Azure AD directory. For more information, see [Manage user accounts](manage-users-and-groups-microsoft-store-for-business.md).
\ No newline at end of file
+ If you don't find the name you want, you might need to add people to your Azure AD directory. For more information, see [Manage user accounts](manage-users-and-groups-microsoft-store-for-business.md).
diff --git a/store-for-business/settings-reference-microsoft-store-for-business.md b/store-for-business/settings-reference-microsoft-store-for-business.md
index fa03ac4ff7..8109fc1389 100644
--- a/store-for-business/settings-reference-microsoft-store-for-business.md
+++ b/store-for-business/settings-reference-microsoft-store-for-business.md
@@ -24,8 +24,8 @@ The Microsoft Store for Business and Education has a group of settings that admi
| Private store | Update the name for your private store. The new name will be displayed on a tab in the Store. For more information, see [Manage private store settings](manage-private-store-settings.md). | **Settings - Distribute** |
| Offline licensing | Configure whether or not to make offline-licensed apps available in the Microsoft Store for Business and Education. For more information, see [Distribute offline apps](distribute-offline-apps.md). | **Settings - Shop** |
| Allow users to shop | Configure whether or not people in your organization or school can see and use the shop function in Store for Business or Store for Education. For more information, see [Allow users to shop](acquire-apps-microsoft-store-for-business.md#allow-users-to-shop). | **Settings - Shop** |
-| Make everyone a Basic Purchaser | Allow everyone in your organization to automatically become a Basic Purchaser. This allows them to purchase apps and manage them. For more information, see [Make everyone a Basic Purchaser](https://docs.microsoft.com/education/windows/education-scenarios-store-for-business#basic-purchaser-role). **Make everyone a Basic Purchaser** is only available in Microsoft Store for Education. | **Settings - Shop** |
-| App request | Configure whether or not people in your organization can request apps for admins to purchase. For more information, see [Distribute offline apps](acquire-apps-microsoft-store-for-business.md). | **Settings - Distribute** |
+| Make everyone a Basic Purchaser | Allow everyone in your organization to automatically become a Basic Purchaser. This allows them to purchase apps and manage them. For more information, see [Make everyone a Basic Purchaser](https://docs.microsoft.com/education/windows/education-scenarios-store-for-business#basic-purchaser-role). | **Settings - Shop** |
+| App request | Configure whether or not people in your organization can request apps for admins to purchase. For more information, see [Distribute offline apps](acquire-apps-microsoft-store-for-business.md). | **Settings - Shop** |
| Management tools | Management tools that are synced with Azure AD are listed on this page. You can choose one to use for managing app updates and distribution. For more information, see [Configure MDM provider](configure-mdm-provider-microsoft-store-for-business.md). | **Settings - Distribute** |
| Device Guard signing | Use the Device Guard signing portal to add unsigned apps to a code integrity policy, or to sign code integrity policies. For more information, see [Device Guard signing portal](device-guard-signing-portal.md). | **Settings - Devices** |
| Permissions | Manage permissions for your employees. For more information, see [Roles and permissions in the Microsoft Store for Business and Education](roles-and-permissions-microsoft-store-for-business.md). | **Permissions - Roles**, **Permissions - Purchasing roles**, and **Permissions - Blocked basic purchasers** |
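Review bot: in the App request row the location changes to Settings - Shop, but the link text still reads "Distribute offline apps" while its target is acquire-apps-microsoft-store-for-business.md; the label should match the page it opens. The Basic Purchaser row drops the sentence saying the setting is only available in Microsoft Store for Education, yet its remaining link still goes to the education docs, so confirm the setting now exists in Store for Business before removing that restriction.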
diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md
index 8eed696dd9..637e02d729 100644
--- a/windows/application-management/apps-in-windows-10.md
+++ b/windows/application-management/apps-in-windows-10.md
@@ -61,7 +61,7 @@ Here are the provisioned Windows apps in Windows 10 versions 1703, 1709, 1803 an
| Microsoft.OneConnect | [Paid Wi-Fi & Cellular](ms-windows-store://pdp/?PFN=Microsoft.OneConnect_8wekyb3d8bbwe) | x | x | x | x | No |
| Microsoft.People | [Microsoft People](ms-windows-store://pdp/?PFN=Microsoft.People_8wekyb3d8bbwe) | x | x | x | x | No |
| Microsoft.Print3D | [Print 3D](ms-windows-store://pdp/?PFN=Microsoft.Print3D_8wekyb3d8bbwe) | | x | x | x | No |
-| Microsoft.SkreenSketch | [Snip & Sketch](ms-windows-store://pdp/?PFN=Microsoft.ScreenSketch_8wekyb3d8bbwe) | | | | x | No |
+| Microsoft.ScreenSketch | [Snip & Sketch](ms-windows-store://pdp/?PFN=Microsoft.ScreenSketch_8wekyb3d8bbwe) | | | | x | No |
| Microsoft.SkypeApp | [Skype](ms-windows-store://pdp/?PFN=Microsoft.SkypeApp_kzf8qxf38zg5c) | x | x | x | x | No |
| Microsoft.StorePurchaseApp | [Store Purchase App](ms-windows-store://pdp/?PFN=Microsoft.StorePurchaseApp_8wekyb3d8bbwe) | x | x | x | x | No |
| Microsoft.VP9VideoExtensions | | | | | x | No |
@@ -181,4 +181,4 @@ Here are the typical installed Windows apps in Windows 10 versions 1709, 1803, a
| | Microsoft.VCLibs.140.00 | x | x | x | Yes |
| | Microsoft.VCLibs.120.00.Universal | x | | | Yes |
| | Microsoft.VCLibs.140.00.UWPDesktop | | x | | Yes |
----
\ No newline at end of file
+---
diff --git a/windows/application-management/remove-provisioned-apps-during-update.md b/windows/application-management/remove-provisioned-apps-during-update.md
index 489c97927a..b41972de75 100644
--- a/windows/application-management/remove-provisioned-apps-during-update.md
+++ b/windows/application-management/remove-provisioned-apps-during-update.md
@@ -17,17 +17,20 @@ When you update a computer running Windows 10, version 1703 or 1709, you might s
>[!NOTE]
>* This issue only occurs after a feature update (from one version to the next), not monthly updates or security-related updates.
>* This only applies to first-party apps that shipped with Windows 10. This doesn't apply to third-party apps, Microsoft Store apps, or LOB apps.
+>* This issue can occur whether you removed the app using `Remove-appxprovisionedpackage` or `Get-AppxPackage -allusers | Remove-AppxPackage -Allusers`.
-To remove a provisioned app, you need to remove the provisioning package. The apps might reappear if you removed the packages in one of the following ways:
+To remove a provisioned app, you need to remove the provisioning package. The apps might reappear if you [removed the packages](https://docs.microsoft.com/powershell/module/dism/remove-appxprovisionedpackage) in one of the following ways:
* If you removed the packages while the wim file was mounted when the device was offline.
* If you removed the packages by running a PowerShell cmdlet on the device while Windows was online. Although the apps won't appear for new users, you'll still see the apps for the user account you signed in as.
-When you remove a provisioned app, we create a registry key that tells Windows not to reinstall or update that app the next time Windows is updated. If the computer isn't online when you deprovision the app, then we don't create that registry key. (This behavior is fixed in Windows 10, version 1803. If you're running Windows 10, version 1709, apply the latest security update to fix it.)
+When you [remove a provisioned app](https://docs.microsoft.com/powershell/module/dism/remove-appxprovisionedpackage), we create a registry key that tells Windows not to reinstall or update that app the next time Windows is updated. If the computer isn't online when you deprovision the app, then we don't create that registry key. (This behavior is fixed in Windows 10, version 1803. If you're running Windows 10, version 1709, apply the latest security update to fix it.)
+
>[!NOTE]
>If you remove a provisioned app while Windows is online, it's only removed for *new users*—the user that you signed in as will still have that provisioned app. That's because the registry key created when you deprovision the app only applies to new users created *after* the key is created. This doesn't happen if you remove the provisioned app while Windows is offline.
+
To prevent these apps from reappearing at the next update, manually create a registry key for each app, then update the computer.
## Create registry keys for deprovisioned apps
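Review bot: the cmdlet names in the added NOTE bullet are cased inconsistently (`Remove-appxprovisionedpackage`, `-allusers` next to `-Allusers`); write them as `Remove-AppxProvisionedPackage` and `-AllUsers` so they match the linked reference pages. The same remove-appxprovisionedpackage link is also added to two paragraphs a few lines apart; one is enough.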
@@ -38,7 +41,7 @@ Use the following steps to create a registry key:
2. Create a .reg file to generate a registry key for each app. Use [this list of Windows 10, version 1709 registry keys](#registry-keys-for-provisioned-apps) as your starting point.
1. Paste the list of registry keys into Notepad (or a text editor).
2. Remove the registry keys belonging to the apps you want to keep. For example, if you want to keep the Bing Weather app, delete this registry key:
- ```
+ ```yaml
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\A ppxAllUserStore\Deprovisioned\Microsoft.BingWeather_8wekyb3d8bbwe]
```
3. Save the file with a .txt extension, then right-click the file and change the extension to .reg.
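Review bot: the fence tag changes to `yaml`, but the block holds a registry key path, not YAML, so the highlighter will mis-colour it; leave the fence untagged or use a tag the build supports for .reg content. While touching this block, fix the key itself: it reads "Appx\A ppxAllUserStore" with a stray space and ends in "]" with no opening "[", unlike the Microsoft.ZuneVideo entry later in the file, so a reader who searches for or pastes this line will not match the real key.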
@@ -158,3 +161,9 @@ Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.ZuneVideo_8wekyb3d8bbwe]
```
+
+
+
+[Get-AppxPackage](https://docs.microsoft.com/powershell/module/appx/get-appxpackage)
+[Get-AppxPackage -allusers](https://docs.microsoft.com/powershell/module/appx/get-appxpackage)
+[Remove-AppxPackage](https://docs.microsoft.com/powershell/module/appx/remove-appxpackage)
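Review bot: the three links appended at the end of the file have no heading or list markers, so they will render run together as a single paragraph, and the first two point at the same get-appxpackage page. Put them under a heading as list items and drop the duplicate.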
diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md
index 3042e56449..7812898ee3 100644
--- a/windows/client-management/connect-to-remote-aadj-pc.md
+++ b/windows/client-management/connect-to-remote-aadj-pc.md
@@ -41,7 +41,7 @@ From its release, Windows 10 has supported remote connections to PCs that are jo
>[!NOTE]
>You can specify individual Azure AD accounts for remote connections by having the user sign in to the remote device at least once and then running the following PowerShell cmdlet:
>
- >`net localgroup "Remote Desktop Users" /add "AzureAD\FirstnameLastname"`, where *FirstnameLastname* is the name of the user profile in C:\Users\, which is created based on DisplayName attribute in Azure AD.
+ >`net localgroup "Remote Desktop Users" /add "AzureAD\the-UPN-attribute-of-your-user"`, where *FirstnameLastname* is the name of the user profile in C:\Users\, which is created based on DisplayName attribute in Azure AD.
>
>In Windows 10, version 1709, the user does not have to sign in to the remote device first.
>
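Review bot: the command now takes "AzureAD\the-UPN-attribute-of-your-user", but the rest of the sentence still explains *FirstnameLastname* as the profile folder name derived from DisplayName, a placeholder that no longer appears in the command. Rewrite the trailing clause to describe the UPN, and since this line decides who is added to Remote Desktop Users, give the placeholder an unambiguous form. The context line above also calls `net localgroup` a PowerShell cmdlet, which it is not.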
@@ -50,7 +50,7 @@ From its release, Windows 10 has supported remote connections to PCs that are jo
4. Enter **Authenticated Users**, then click **Check Names**. If the **Name Not Found** window opens, click **Locations** and select this PC.
>[!TIP]
- >When you connect to the remote PC, enter your account name in this format: `AzureADName\YourAccountName`.
+ >When you connect to the remote PC, enter your account name in this format: `AzureAD UPN`. The local PC must either be domain-joined or Azure AD-joined. The local PC and remote PC must be in the same Azure AD tenant.
## Supported configurations
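Review bot: the sign-in format is now shown as the literal `AzureAD UPN` in code formatting, which reads as text to type, space included, and does not say whether the AzureAD\ prefix used in the net localgroup example is still required. State the format explicitly with a placeholder. The two added requirements (local PC domain-joined or Azure AD-joined, same tenant) look like they belong under Supported configurations just below rather than in this tip.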
diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md
index e6004a22a5..13f0987eca 100644
--- a/windows/client-management/mdm/assignedaccess-csp.md
+++ b/windows/client-management/mdm/assignedaccess-csp.md
@@ -895,6 +895,7 @@ Status Get
+
diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md
index 271a9a0054..9b75fbd479 100644
--- a/windows/client-management/mdm/policy-csp-restrictedgroups.md
+++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md
@@ -50,6 +50,12 @@ ms.date: 03/15/2018
|
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+- 4 - Added in Windows 10, version 1803.
@@ -132,15 +138,7 @@ Here is an example:
Take note:
-* You must include the local administrator in the administrators group or the policy will fail
+* You should include the local administrator while modifying the administrators group to prevent accidental loss of access
* Include the entire UPN after AzureAD
-Footnote:
-
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-
-
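Review bot: the first bullet under "Take note" goes from "must include ... or the policy will fail" to "should include ... to prevent accidental loss of access", which changes the documented behaviour from a hard failure to a recommendation. Confirm which is correct, and if the policy now applies without the local administrator listed, say plainly what happens to existing members of the administrators group, because that is what determines whether an admin can lock themselves out of the device.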
diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md
index bbbecfc8b2..ee31dd0aa6 100644
--- a/windows/client-management/mdm/policy-csp-start.md
+++ b/windows/client-management/mdm/policy-csp-start.md
@@ -666,6 +666,13 @@ The following list shows the supported values:
Enabling this policy prevents context menus from being invoked in the Start Menu.
+
+The following list shows the supported values:
+
+- 0 (default) – False (Do not disable).
+- 1 - True (disable).
+
+
ADMX Info:
- GP English name: *Disable context menus in the Start Menu*
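Review bot: the added supported-values list mixes an en dash ("0 (default) – False") with a hyphen ("1 - True") and capitalises "Do not disable" but not "disable"; use one separator and one casing. The same applies to the list added for the People Bar policy in the next hunk of this file.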
@@ -1091,6 +1098,13 @@ Added in Windows 10, version 1709. Enabling this policy removes the people icon
Value type is integer.
+
+The following list shows the supported values:
+
+- 0 (default) – False (do not hide).
+- 1 - True (hide).
+
+
ADMX Info:
- GP English name: *Remove the People Bar from the taskbar*
diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md
index 42dc77dd56..101a8715e5 100644
--- a/windows/client-management/mdm/policy-csp-storage.md
+++ b/windows/client-management/mdm/policy-csp-storage.md
@@ -33,6 +33,9 @@ ms.date: 01/14/2019
Storage/ConfigStorageSenseCloudContentDehydrationThreshold
+
+ Storage/ConfigStorageSenseDownloadsCleanupThreshold
+
Storage/ConfigStorageSenseGlobalCadence
@@ -160,7 +163,7 @@ If you do not configure this policy setting, Storage Sense is turned off by defa
ADMX Info:
- GP English name: *Allow Storage Sense*
- GP name: *SS_AllowStorageSenseGlobal*
-- GP path: *SOFTWARE/Policies/Microsoft/Windows/StorageSense*
+- GP path: *System/Storage Sense*
- GP ADMX file name: *StorageSense.admx*
@@ -228,7 +231,7 @@ If you do not configure this policy setting, Storage Sense will delete the user
ADMX Info:
- GP English name: *Allow Storage Sense Temporary Files cleanup*
- GP name: *SS_AllowStorageSenseTemporaryFilesCleanup*
-- GP path: *System/StorageSense*
+- GP path: *System/Storage Sense*
- GP ADMX file name: *StorageSense.admx*
@@ -285,7 +288,7 @@ When Storage Sense runs, it can dehydrate cloud-backed content that hasn’t bee
If the Storage/AllowStorageSenseGlobal policy is disabled, then this policy does not have any effect.
-If you enable this policy setting, you must provide the number of days since a cloud-backed file has been opened before Storage Sense will dehydrate it. Supported values are: 0–365.
+If you enable this policy setting, you must provide the minimum number of days a cloud-backed file can remain unopened before Storage Sense dehydrates it. Supported values are: 0–365.
If you set this value to zero, Storage Sense will not dehydrate any cloud-backed content. The default value is 0, which never dehydrates cloud-backed content.
@@ -296,7 +299,7 @@ If you disable or do not configure this policy setting, then Storage Sense will
ADMX Info:
- GP English name: *Configure Storage Sense Cloud Content dehydration threshold*
- GP name: *SS_ConfigStorageSenseCloudContentDehydrationThreshold*
-- GP path: *System/StorageSense*
+- GP path: *System/Storage Sense*
- GP ADMX file name: *StorageSense.admx*
@@ -350,11 +353,11 @@ ADMX Info:
-When Storage Sense runs, it can delete files in the user’s Downloads folder if they have been there for over a certain amount of days.
+When Storage Sense runs, it can delete files in the user’s Downloads folder if they haven’t been opened for more than a certain number of days.
If the Storage/AllowStorageSenseGlobal policy is disabled, then this policy does not have any effect.
-If you enable this policy setting, you must provide the minimum age threshold (in days) of a file in the Downloads folder before Storage Sense will delete it. Supported values are: 0–365.
+If you enable this policy setting, you must provide the minimum number of days a file can remain unopened before Storage Sense deletes it from the Downloads folder. Supported values are: 0-365.
If you set this value to zero, Storage Sense will not delete files in the user’s Downloads folder. The default is 0, or never deleting files in the Downloads folder.
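Review bot: the new wording changes the deletion criterion from how long a file has been in the Downloads folder to how long it has gone unopened. These are different triggers for an automatic delete, so confirm against the actual Storage Sense behaviour before merging, and if the change is right check that the ADMX explain text matches. The range is also written "0-365" with a hyphen here, while the dehydration threshold above uses "0–365".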
@@ -365,7 +368,7 @@ If you disable or do not configure this policy setting, then Storage Sense will
ADMX Info:
- GP English name: *Configure Storage Storage Downloads cleanup threshold*
- GP name: *SS_ConfigStorageSenseDownloadsCleanupThreshold*
-- GP path: *System/StorageSense*
+- GP path: *System/Storage Sense*
- GP ADMX file name: *StorageSense.admx*
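Review bot: the context line directly above this change gives the GP English name as "Configure Storage Storage Downloads cleanup threshold"; the doubled "Storage" looks like a typo for "Storage Sense" and is worth checking against StorageSense.admx while the GP path lines are being corrected.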
@@ -438,8 +441,8 @@ If you do not configure this policy setting, then the Storage Sense cadence is s
ADMX Info:
- GP English name: *Configure Storage Sense cadence*
-- GP name: *RemovableDisks_DenyWrite_Access_2*
-- GP path: *SOFTWARE/Policies/Microsoft/Windows/StorageSense*
+- GP name: *SS_ConfigStorageSenseGlobalCadence*
+- GP path: *System/Storage Sense*
- GP ADMX file name: *StorageSense.admx*
@@ -507,7 +510,7 @@ If you disable or do not configure this policy setting, Storage Sense will delet
ADMX Info:
- GP English name: *Configure Storage Sense Recycle Bin cleanup threshold*
- GP name: *SS_ConfigStorageSenseRecycleBinCleanupThreshold*
-- GP path: *System/StorageSense*
+- GP path: *System/Storage Sense*
- GP ADMX file name: *StorageSense.admx*
diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md
index e1751117bd..16bfa23ec7 100644
--- a/windows/client-management/mdm/policy-csp-system.md
+++ b/windows/client-management/mdm/policy-csp-system.md
@@ -681,11 +681,13 @@ ADMX Info:
-Specifies whether to allow the user to factory reset the phone by using control panel and hardware key combination.
+Specifies whether to allow the user to factory reset the device by using control panel and hardware key combination.
Most restricted value is 0.
+> [!TIP]
+> This policy is also applicable to Windows 10 and not exclusive to phone.
The following list shows the supported values:
orted values:
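Review bot: the added TIP says the policy is "also applicable to Windows 10 and not exclusive to phone" without naming editions, and the description still refers to "control panel and hardware key combination", which is phone wording. Since this setting controls whether a user can factory reset a managed device, state which editions honour it and describe the reset paths it blocks on those editions.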
diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md
index 4142e8244f..b57e6e3f98 100644
--- a/windows/client-management/mdm/vpnv2-csp.md
+++ b/windows/client-management/mdm/vpnv2-csp.md
@@ -151,7 +151,7 @@ If set to True, this DomainName rule will trigger the VPN
By default, this value is false.
-Value type is bool. Persistent
+Value type is bool.
**VPNv2/***ProfileName***/DomainNameInformationList/***dniRowId***/Persistent**
Added in Windows 10, version 1607. A boolean value that specifies if the rule being added should persist even when the VPN is not connected. Value values:
@@ -624,10 +624,10 @@ Profile example
SplitTunnel
-
+
.contoso.com
10.5.5.5
-
+
%ProgramFiles%\Internet Explorer\iexplore.exe
diff --git a/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md b/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md
index eb942f3643..543252e8f2 100644
--- a/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md
+++ b/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md
@@ -47,6 +47,9 @@ When the ADMX policies are imported, the registry keys to which each policy is w
- software\policies\microsoft\vba\security\
- software\microsoft\onedrive
+> [!Warning]
+> Some operating system components have built in functionality to check devices for domain membership. MDM enforces the configured policy values only if the devices are domain joined, otherwise it does not. However, you can still import ADMX files and set ADMX-backed policies regardless of whether the device is domain joined or non-domain joined.
+
## Ingesting an app ADMX file
The following ADMX file example shows how to ingest a Win32 or Desktop Bridge app ADMX file and set policies from the file. The ADMX file defines eight policies.
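Review bot: the added warning opens with "Some operating system components" but then states without qualification that MDM enforces configured values only on domain-joined devices, so it is unclear whether the limit applies to every ADMX-backed policy or only to those components. Name the affected components or policies, and if the intended meaning is that a policy can be set successfully on a non-domain-joined device yet have no effect, say so directly, since an admin could otherwise assume a security setting is enforced when it is not.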
diff --git a/windows/client-management/mdm/windowssecurityauditing-csp.md b/windows/client-management/mdm/windowssecurityauditing-csp.md
index c7ebdf2171..74aa8f8b40 100644
--- a/windows/client-management/mdm/windowssecurityauditing-csp.md
+++ b/windows/client-management/mdm/windowssecurityauditing-csp.md
@@ -13,7 +13,7 @@ ms.date: 06/26/2017
# WindowsSecurityAuditing CSP
-The WindowsSecurityAuditing configuration service provider (CSP) is used to enable logging of security audit events. This CSP was added in Windows 10, version 1511.
+The WindowsSecurityAuditing configuration service provider (CSP) is used to enable logging of security audit events. This CSP was added in Windows 10, version 1511 for Mobile and Mobile Enterprise. Make sure to consult the [Configuration service provider reference](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference) to see if this CSP and others are supported on your Windows installation.
The following diagram shows the WindowsSecurityAuditing configuration service provider in tree format.
diff --git a/windows/configuration/change-history-for-configure-windows-10.md b/windows/configuration/change-history-for-configure-windows-10.md
index 52fa2a92d0..6004911395 100644
--- a/windows/configuration/change-history-for-configure-windows-10.md
+++ b/windows/configuration/change-history-for-configure-windows-10.md
@@ -10,13 +10,18 @@ ms.localizationpriority: medium
author: jdeckerms
ms.author: jdecker
ms.topic: article
-ms.date: 11/07/2018
---
# Change history for Configure Windows 10
This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile.
+## April 2019
+
+New or changed topic | Description
+--- | ---
+[Prepare a device for kiosk configuration](kiosk-prepare.md) | Added new recommendations for policies to manage updates.
+
## February 2019
New or changed topic | Description
diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md
index 06a64d0755..fdbc8f522a 100644
--- a/windows/configuration/guidelines-for-assigned-access-app.md
+++ b/windows/configuration/guidelines-for-assigned-access-app.md
@@ -49,6 +49,8 @@ In Windows 10, version 1803 and later, you can install the **Kiosk Browser** app
>[!NOTE]
>Kiosk Browser supports a single tab. If a website has links that open a new tab, those links will not work with Kiosk Browser. Kiosk Browser does not support .pdfs.
+>
+>Kiosk Browser cannot access intranet websites.
**Kiosk Browser** must be downloaded for offline licensing using Microsoft Store For Business. You can deploy **Kiosk Browser** to devices running Windows 10, version 1803 (Pro, Business, Enterprise, and Education).
diff --git a/windows/configuration/kiosk-prepare.md b/windows/configuration/kiosk-prepare.md
index f484267983..436a96f0a8 100644
--- a/windows/configuration/kiosk-prepare.md
+++ b/windows/configuration/kiosk-prepare.md
@@ -8,7 +8,6 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerms
ms.localizationpriority: medium
-ms.date: 01/09/2019
ms.topic: article
---
@@ -31,12 +30,14 @@ ms.topic: article
## Configuration recommendations
-For a more secure kiosk experience, we recommend that you make the following configuration changes to the device before you configure it as a kiosk:
+For a more secure kiosk experience, we recommend that you make the following configuration changes to the device before you configure it as a kiosk:
Recommendation | How to
--- | ---
-Hide update notifications
(New in Windows 10, version 1809) | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\Windows Components\\Windows Update\\Display options for update notifications**
-or-
Use the MDM setting **Update/UpdateNotificationLevel** from the [**Policy/Update** configuration service provider](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel)
-or-
Add the following registry keys as DWORD (32-bit) type:`HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\SetUpdateNotificationLevel` with a value of `1`, and `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\UpdateNotificationLevel` with a value of `1` to hide all notifications except restart warnings, or value of `2` to hide all notifications, including restart warnings.
-Replace "blue screen" with blank screen for OS errors | Add the following registry key as DWORD (32-bit) type with a value of `1`:`HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\DisplayDisabled`
+Hide update notifications
(New in Windows 10, version 1809) | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\Windows Components\\Windows Update\\Display options for update notifications**
-or-
Use the MDM setting **Update/UpdateNotificationLevel** from the [**Policy/Update** configuration service provider](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel)
-or-
Add the following registry keys as type DWORD (32-bit) in the path of **HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate**:
**\SetUpdateNotificationLevel** with a value of `1`, and **\UpdateNotificationLevel** with a value of `1` to hide all notifications except restart warnings, or value of `2` to hide all notifications, including restart warnings.
+Enable and schedule automatic updates | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates**, and select `option 4 (Auto download and schedule the install)`
-or-
Use the MDM setting **Update/AllowAutoUpdate** from the [**Policy/Update** configuration service provider](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate), and select `option 3 (Auto install and restart at a specified time)`
**Note:** Installations can take from between 30 minutes and 2 hours, depending on the device, so you should schedule updates to occur when a block of 3-4 hours is available.
To schedule the automatic update, configure **Schedule Install Day**, **Schedule Install Time**, and **Schedule Install Week**.
+Enable automatic restart at the scheduled time | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\Windows Components\\Windows Update\\Always automatically restart at the scheduled time**
+Replace "blue screen" with blank screen for OS errors | Add the following registry key as DWORD (32-bit) type with a value of `1`:**HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\DisplayDisabled**
Put device in **Tablet mode**. | If you want users to be able to use the touch (on screen) keyboard, go to **Settings** > **System** > **Tablet mode** and choose **On.** Do not turn on this setting if users will not interact with the kiosk, such as for a digital sign.
Hide **Ease of access** feature on the sign-in screen. | See [how to disable the Ease of Access button in the registry.](https://docs.microsoft.com/windows-hardware/customize/enterprise/complementary-features-to-custom-logon#welcome-screen)
Disable the hardware power button. | Go to **Power Options** > **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**.
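Review bot: the added rows switch registry paths from inline code to bold (the WindowsUpdate path, `**\SetUpdateNotificationLevel**`, `**\UpdateNotificationLevel**`), while the values `1` and `2` stay in code formatting. The "blue screen" row also ends up with no space between the colon and the bold path. Keep the paths in backticks as the removed lines had them, so they copy cleanly, and write the value names without the leading backslash. In the automatic-updates note, "can take from between 30 minutes and 2 hours" should read "can take between 30 minutes and 2 hours".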
@@ -67,7 +68,7 @@ In addition to the settings in the table, you may want to set up **automatic log
>[!NOTE]
>If you are not familiar with Registry Editor, [learn how to modify the Windows registry](https://go.microsoft.com/fwlink/p/?LinkId=615002).
-
+
2. Go to
**HKEY\_LOCAL\_MACHINE\SOFTWARE\\Microsoft\WindowsNT\CurrentVersion\Winlogon**
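Review bot: the path in step 2 still reads `WindowsNT` with no space, and this whitespace-only edit leaves it that way. The Winlogon key sits under `Windows NT\CurrentVersion`, so a reader who pastes the path as written will not find it. Fix the path while this step is being touched, and drop the doubled backslash after SOFTWARE so the separators are consistent.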
diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk-single-app.md
index 439acaa52b..fa82263c0a 100644
--- a/windows/configuration/kiosk-single-app.md
+++ b/windows/configuration/kiosk-single-app.md
@@ -42,6 +42,8 @@ Method | Description
>[!TIP]
>You can also configure a kiosk account and app for single-app kiosk within [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) by using a [kiosk profile](lock-down-windows-10-to-specific-apps.md#profile).
+>
+>Be sure to check the [configuration recommendations](kiosk-prepare.md) before you set up your kiosk.
diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md
index c38433c752..29a60bc3f3 100644
--- a/windows/configuration/lock-down-windows-10-to-specific-apps.md
+++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md
@@ -39,7 +39,8 @@ New features and improvements | In update
You can configure multi-app kiosks using [Microsoft Intune](#intune) or a [provisioning package](#provision).
-
+>[!TIP]
+>Be sure to check the [configuration recommendations](kiosk-prepare.md) before you set up your kiosk.
@@ -516,8 +517,6 @@ Provisioning packages can be applied to a device during the first-run experience
-
-
### Use MDM to deploy the multi-app configuration
diff --git a/windows/configuration/setup-digital-signage.md b/windows/configuration/setup-digital-signage.md
index 3e25afe52b..61d63683e0 100644
--- a/windows/configuration/setup-digital-signage.md
+++ b/windows/configuration/setup-digital-signage.md
@@ -25,6 +25,8 @@ For digital signage, simply select a digital sign player as your kiosk app. You
>[!TIP]
>Kiosk Browser can also be used in [single-app kiosks](kiosk-single-app.md) and [multi-app kiosk](lock-down-windows-10-to-specific-apps.md) as a web browser. For more information, see [Guidelines for web browsers](guidelines-for-assigned-access-app.md#guidelines-for-web-browsers).
+>
+>Be sure to check the [configuration recommendations](kiosk-prepare.md) before you set up your kiosk.
Kiosk Browser must be downloaded for offline licensing using Microsoft Store for Business. You can deploy Kiosk Browser to devices running Windows 10, version 1803.
diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md
index a184ef28cb..dea2ca7516 100644
--- a/windows/deployment/TOC.md
+++ b/windows/deployment/TOC.md
@@ -73,7 +73,6 @@
###### [Using the Sdbinst.exe Command-Line Tool](planning/using-the-sdbinstexe-command-line-tool.md)
##### [Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md)
-#### [Change history for Plan for Windows 10 deployment](planning/change-history-for-plan-for-windows-10-deployment.md)
### [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
#### [Get started with the Microsoft Deployment Toolkit (MDT)](deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md)
@@ -211,7 +210,6 @@
####### [XML Elements Library](usmt/usmt-xml-elements-library.md)
###### [Offline Migration Reference](usmt/offline-migration-reference.md)
### [Install fonts in Windows 10](windows-10-missing-fonts.md)
-### [Change history for deploy Windows 10](change-history-for-deploy-windows-10.md)
## [Update Windows 10](update/index.md)
### [Windows as a service](update/windows-as-a-service.md)
@@ -250,7 +248,6 @@
### [Manage device restarts after updates](update/waas-restart.md)
### [Manage additional Windows Update settings](update/waas-wu-settings.md)
### [Determine the source of Windows updates](update/windows-update-sources.md)
-### [Change history for Update Windows 10](update/change-history-for-update-windows-10.md)
## [Windows Analytics](update/windows-analytics-overview.md)
### [Windows Analytics in the Azure Portal](update/windows-analytics-azure-portal.md)
diff --git a/windows/deployment/deploy-m365.md b/windows/deployment/deploy-m365.md
index 9803bd8551..67561a162b 100644
--- a/windows/deployment/deploy-m365.md
+++ b/windows/deployment/deploy-m365.md
@@ -34,10 +34,10 @@ For Windows 10 deployment, Microsoft 365 includes a fantastic deployment advisor
You can check out the Microsoft 365 deployment advisor and other resources for free! Just follow the steps below.
-1. Obtain a free EMS 90-day trial by visiting the following link. Provide your email address and answer a few simple questions.
-
- [Free Trial - Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security-trial)
+>[!NOTE]
+>If you have not run a setup guide before, you will see the **Prepare your environment** guide first. This is to make sure you have basics covered like domain verification and a method for adding users. At the end of the "Prepare your environment" guide, there will be a **Ready to continue** button that sends you to the original guide that was selected.
+1. [Obtain a free M365 trial](https://docs.microsoft.com/office365/admin/try-or-buy-microsoft-365).
2. Check out the [Microsoft 365 deployment advisor](https://portal.office.com/onboarding/Microsoft365DeploymentAdvisor#/).
3. Also check out the [Windows Analytics deployment advisor](https://portal.office.com/onboarding/WindowsAnalyticsDeploymentAdvisor#/). This advisor will walk you through deploying [Upgrade Readiness](https://docs.microsoft.com/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness), [Update Compliance](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor), and [Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor).
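Review bot: the new note sits above step 1 and talks about a "setup guide" and "the original guide that was selected" before the reader has been told to open anything, while the steps and the rest of the page call these "deployment advisors". Move the note below step 3, or under the step that opens the advisor, and use one term throughout. Step 1 also loses the sentence saying what the reader must provide to get the trial; if the linked page covers that, a short phrase saying so would help.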
@@ -52,7 +52,7 @@ Examples of these two deployment advisors are shown below.

## Windows Analytics deployment advisor example
-
+
## M365 Enterprise poster
diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
index c75048f117..1750d67101 100644
--- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
@@ -488,7 +488,7 @@ Like the MDT Build Lab deployment share, the MDT Production deployment share nee
## Step 8: Deploy the Windows 10 client image
-These steps will walk you throug the process of using task sequences to deploy Windows 10 images through a fully automated process. First, you need to add the boot image to Windows Deployment Services (WDS) and then start the deployment. In contrast with deploying images from the MDT Build Lab deployment share, we recommend using the Pre-Installation Execution Environment (PXE) to start the full deployments in the datacenter, even though you technically can use an ISO/CD or USB to start the process.
+These steps will walk you through the process of using task sequences to deploy Windows 10 images through a fully automated process. First, you need to add the boot image to Windows Deployment Services (WDS) and then start the deployment. In contrast with deploying images from the MDT Build Lab deployment share, we recommend using the Pre-Installation Execution Environment (PXE) to start the full deployments in the datacenter, even though you technically can use an ISO/CD or USB to start the process.
### Configure Windows Deployment Services
diff --git a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
index c96216fab7..de0cd33bf5 100644
--- a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
@@ -48,7 +48,7 @@ These steps assume that you have the MDT01 member server installed and configure
3. User State Migration Tool (USMT)
>[!IMPORTANT]
- >Starting with Windows 10, version 1809, Windows PE is released separately from the AFK. See [Download and install the Windows ADK](https://docs.microsoft.com/windows-hardware/get-started/adk-install) for more information.
+ >Starting with Windows 10, version 1809, Windows PE is released separately from the ADK. See [Download and install the Windows ADK](https://docs.microsoft.com/windows-hardware/get-started/adk-install) for more information.
## Install MDT
diff --git a/windows/deployment/images/m365da.PNG b/windows/deployment/images/m365da.png
similarity index 100%
rename from windows/deployment/images/m365da.PNG
rename to windows/deployment/images/m365da.png
diff --git a/windows/deployment/images/wada.PNG b/windows/deployment/images/wada.PNG
new file mode 100644
index 0000000000..1c715e8f0e
Binary files /dev/null and b/windows/deployment/images/wada.PNG differ
diff --git a/windows/deployment/images/wada.png b/windows/deployment/images/wada.png
new file mode 100644
index 0000000000..1c715e8f0e
Binary files /dev/null and b/windows/deployment/images/wada.png differ
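Review bot: this change adds the same blob (1c715e8f0e) twice, as `images/wada.PNG` and `images/wada.png`, in the same commit that renames `m365da.PNG` to lowercase. The two names collide on a case-insensitive checkout, and only `images/wada.png` is referenced by deploy-m365.md. Drop the upper-case copy.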
diff --git a/windows/deployment/planning/TOC.md b/windows/deployment/planning/TOC.md
index cf1fef543a..0e2810b1b7 100644
--- a/windows/deployment/planning/TOC.md
+++ b/windows/deployment/planning/TOC.md
@@ -3,17 +3,13 @@
## [Windows 10 deployment considerations](windows-10-deployment-considerations.md)
## [Windows 10 compatibility](windows-10-compatibility.md)
## [Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md)
-## [Windows 10, version 1809 - Features removed or planned for replacement](windows-10-1809-removed-features.md)
-## [Windows 10, version 1803 - Features removed or planned for replacement](windows-10-1803-removed-features.md)
-## [Fall Creators update (version 1709) - deprecated features](windows-10-fall-creators-deprecation.md)
-## [Creators update (version 1703) - deprecated features](windows-10-creators-update-deprecation.md)
-## [Windows To Go: feature overview](windows-to-go-overview.md)
-### [Best practice recommendations for Windows To Go](best-practice-recommendations-for-windows-to-go.md)
-### [Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md)
-### [Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md)
-### [Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md)
-### [Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.md)
+## Features removed or planned for replacement
+### [Windows 10, version 1809](windows-10-1809-removed-features.md)
+### [Windows 10, version 1803](windows-10-1803-removed-features.md)
+### [Windows 10, version 1709](windows-10-fall-creators-deprecation.md)
+### [Windows 10, version 1703](windows-10-creators-update-deprecation.md)
+
## [Application Compatibility Toolkit (ACT) Technical Reference](act-technical-reference.md)
### [SUA User's Guide](sua-users-guide.md)
#### [Using the SUA Wizard](using-the-sua-wizard.md)
@@ -39,4 +35,10 @@
##### [Testing Your Application Mitigation Packages](testing-your-application-mitigation-packages.md)
#### [Using the Sdbinst.exe Command-Line Tool](using-the-sdbinstexe-command-line-tool.md)
### [Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md)
-## [Change history for Plan for Windows 10 deployment](change-history-for-plan-for-windows-10-deployment.md)
\ No newline at end of file
+
+## [Windows To Go: feature overview](windows-to-go-overview.md)
+### [Best practice recommendations for Windows To Go](best-practice-recommendations-for-windows-to-go.md)
+### [Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md)
+### [Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md)
+### [Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md)
+### [Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.md)
\ No newline at end of file
diff --git a/windows/deployment/planning/windows-10-enterprise-faq-itpro.md b/windows/deployment/planning/windows-10-enterprise-faq-itpro.md
index bebac9fa94..cd611c67ef 100644
--- a/windows/deployment/planning/windows-10-enterprise-faq-itpro.md
+++ b/windows/deployment/planning/windows-10-enterprise-faq-itpro.md
@@ -109,7 +109,7 @@ To find out which version of Windows 10 is right for your organization, you can
### How will people in my organization adjust to using Windows 10 Enterprise after upgrading from Windows 7 or Windows 8.1?
-Windows 10 combines the best aspects of the user experience from Windows 8.1 and Windows 7 to make using Windows simple and straightforward. Users of Windows 7 will find the Start menu in the same location as they always have. In the same place, users of Windows 8.1 will find the live tiles from their Start screen, accessible by the Start button in the same way as they were accessed in Windows 8.1. To help you make the transition a seamless one, download the [Windows 10 for Business Onboarding Kit](https://blogs.technet.microsoft.com/windowsitpro/2016/06/28/windows-10-for-business-onboarding-kit/) and see our [end user readiness](https://technet.microsoft.com/windows/dn621092) resources.
+Windows 10 combines the best aspects of the user experience from Windows 8.1 and Windows 7 to make using Windows simple and straightforward. Users of Windows 7 will find the Start menu in the same location as they always have. In the same place, users of Windows 8.1 will find the live tiles from their Start screen, accessible by the Start button in the same way as they were accessed in Windows 8.1. To help you make the transition a seamless one, download the [Windows 10 Adoption Planning Kit](https://info.microsoft.com/Windows10AdoptionPlanningKit) and see our [end user readiness](https://technet.microsoft.com/windows/dn621092) resources.
### How does Windows 10 help people work with applications and data across a variety of devices?
@@ -127,4 +127,4 @@ Use the following resources for additional information about Windows 10.
- If you are an IT professional or if you have a question about administering, managing, or deploying Windows 10 in your organization or business, visit the [Windows 10 IT Professional forums](https://social.technet.microsoft.com/forums/home?category=windows10itpro) on TechNet.
- If you are an end user or if you have a question about using Windows 10, visit the [Windows 10 forums on Microsoft Community](https://answers.microsoft.com/windows/forum/windows_10).
- If you are a developer or if you have a question about making apps for Windows 10, visit the [Windows Desktop Development forums](https://social.msdn.microsoft.com/forums/en-us/home?category=windowsdesktopdev) or [Windows and Windows phone apps forums](https://social.msdn.microsoft.com/forums/en-us/home?category=windowsapps) on MSDN.
-- If you have a question about Internet Explorer, visit the [Internet Explorer forums](https://social.technet.microsoft.com/forums/ie/en-us/home) on TechNet.
\ No newline at end of file
+- If you have a question about Internet Explorer, visit the [Internet Explorer forums](https://social.technet.microsoft.com/forums/ie/en-us/home) on TechNet.
diff --git a/windows/deployment/update/device-health-get-started.md b/windows/deployment/update/device-health-get-started.md
index 5cab04e4ba..e520727586 100644
--- a/windows/deployment/update/device-health-get-started.md
+++ b/windows/deployment/update/device-health-get-started.md
@@ -46,7 +46,7 @@ Device Health is offered as a *solution* which you link to a new or existing [Az
- Choose a workspace name which reflects the scope of planned usage in your organization, for example *PC-Analytics*.
- For the resource group setting select **Create new** and use the same name you chose for your new workspace.
- For the location setting, choose the Azure region where you would prefer the data to be stored.
- - For the pricing tier select **Free**.
+ - For the pricing tier select **per GB**.
4. Now that you have selected a workspace, you can go back to the Device Health blade and select **Create**.

5. Watch for a Notification (in the Azure portal) that "Deployment 'Microsoft.DeviceHealth' to resource group 'YourResourceGroupName' was successful." and then select **Go to resource** This might take several minutes to appear.
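Review bot: the pricing-tier bullet now tells the reader to pick **per GB** instead of **Free** with no word on what, if anything, they will be billed for. Add a sentence or a link stating the cost expectation for this solution's data, since an admin following the steps needs that before creating the workspace. The same one-word edit appears in update-compliance-get-started.md and upgrade-readiness-get-started.md and needs the same addition.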
diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md
index 4de6b50ffd..8c901a3962 100644
--- a/windows/deployment/update/update-compliance-get-started.md
+++ b/windows/deployment/update/update-compliance-get-started.md
@@ -53,7 +53,7 @@ Update Compliance is offered as a solution which is linked to a new or existing
- Choose a workspace name which reflects the scope of planned usage in your organization, for example *PC-Analytics*.
- For the resource group setting select **Create new** and use the same name you chose for your new workspace.
- For the location setting, choose the Azure region where you would prefer the data to be stored.
- - For the pricing tier select **Free**.
+ - For the pricing tier select **per GB**.

diff --git a/windows/deployment/update/waas-delivery-optimization-setup.md b/windows/deployment/update/waas-delivery-optimization-setup.md
index f9b506d216..e846ff795e 100644
--- a/windows/deployment/update/waas-delivery-optimization-setup.md
+++ b/windows/deployment/update/waas-delivery-optimization-setup.md
@@ -48,7 +48,7 @@ Quick-reference table:
For this scenario, grouping devices by domain allows devices to be included in peer downloads and uploads across VLANs. **Set Download Mode to 2 - Group**. The default group is the authenticated domain or Active Directory site. If your domain-based group is too wide, or your Active Directory sites aren’t aligned with your site network topology, then you should consider additional options for dynamically creating groups, for example by using the GroupIDSrc parameter.
-[//]: # is there a topic on GroupIDSrc we can link to?
+[//]: # (is there a topic on GroupIDSrc we can link to?)
To do this in Group Policy go to **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization** and set **Download mode** to **2**.
@@ -77,7 +77,7 @@ To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/**
Many devices now come with large internal drives. You can set Delivery Optimization to take better advantage of this space (especially if you have large numbers of devices) by changing the minimum file size to cache. If you have more than 30 devices in your local network or group, change it from the default 50 MB to 10 MB. If you have more than 100 devices (and are running Windows 10, version 1803 or later), set this value to 1 MB.
-[//]: # default of 50 aimed at consumer
+[//]: # (default of 50 aimed at consumer)
To do this in Group Policy, go to **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization** and set **Minimum Peer Caching Content File Size** to 100 (if you have more than 30 devices) or 1 (if you have more than 100 devices).
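Review bot: the text around the fixed comment disagrees with itself. The paragraph says to change the minimum file size "from the default 50 MB to 10 MB" for more than 30 devices, but the Group Policy instruction says to set **Minimum Peer Caching Content File Size** to 100 for the same case. One of the two numbers is wrong. Since this hunk is already editing the section, reconcile them here.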
@@ -91,11 +91,11 @@ To do this in Group Policy, go to **Configuration\Policies\Administrative Templa
To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set DOMaxCacheAge to 7 or more (up to 30 days).
-[//]: # material about "preferred" devices; remove MinQos/MaxCacheAge; table format?
+[//]: # (material about "preferred" devices; remove MinQos/MaxCacheAge; table format?)
## Monitor Delivery Optimization
-[//]: # How to tell if it’s working? What values are reasonable; which are not? If not, which way to adjust and how? -- check PercentPeerCaching for files > minimum >= 50%
+[//]: # (How to tell if it’s working? What values are reasonable; which are not? If not, which way to adjust and how? -- check PercentPeerCaching for files > minimum >= 50%)
### Windows PowerShell cmdlets for analyzing usage
**Starting in Windows 10, version 1703**, you can use two new PowerShell cmdlets to check the performance of Delivery Optimization:
diff --git a/windows/deployment/update/waas-morenews.md b/windows/deployment/update/waas-morenews.md
index 60c1580556..59ac096f8d 100644
--- a/windows/deployment/update/waas-morenews.md
+++ b/windows/deployment/update/waas-morenews.md
@@ -14,7 +14,28 @@ ms.topic: article
Here's more news about [Windows as a service](windows-as-a-service.md):
-
+- Driver quality in the Windows ecosystem - December 19, 2018
+- Modern Desktop Podcast - Episode 001 – Windows 10 Monthly Quality Updates - December 18, 2018
+- Measuring Delivery Optimization and its impact to your network - December 13, 2018
+- LTSC: What is it, and when should it be used? - November 29, 2018
+- Local Experience Packs: What are they and when should you use them? - November 14, 2018
+- Resuming the Rollout of the Windows 10 October 2018 Update - November 13, 2018
+- Windows 10 Quality Approach for a Complex Ecosystem - November 13, 2018
+- Delivery Optimization: Scenarios and Configuration Options - October 30, 2018
+- Language Pack Acquisition and Retention for Enterprise Devices - October 18, 2018
+- Updated Version of Windows 10 October 2018 Update Released to Windows Insiders - October 9, 2018
+- How to get the Windows 10 October 2018 Update - October 2, 2018
+- Reducing Windows 10 Package Size Downloads for x64 Systems - September 26, 2018
+- Windows 7 Servicing Stack Updates: Managing Change and Appreciating Cumulative Updates - September 21, 2018
+- Helping customers shift to a modern desktop - September 6, 2018
+- Windows Update for Business & Windows Analytics: a real-world experience - September 5, 2018
+- What's next for Windows 10 and Windows Server quality updates - August 16, 2018
+- Windows 10 monthly updates - August 1, 2018 (**video**)
+- Windows 10 update servicing cadence - August 1, 2018
+- Windows 10 quality updates explained and the end of delta updates - July 11, 2018
+- AI Powers Windows 10 April 2018 Update Rollout - June 14, 2018
+- Windows Server 2008 SP2 Servicing Changes - June 12, 2018
+- Windows Update for Business - Enhancements, diagnostics, configuration - June 7, 2018
- Windows 10 and the disappearing SAC-T - May 31, 2018
- Manage update download size using Windows as a service - March 30, 2018
-
\ No newline at end of file
+
diff --git a/windows/deployment/update/waas-servicing-differences.md b/windows/deployment/update/waas-servicing-differences.md
index 5db6f96bc8..20a86bd384 100644
--- a/windows/deployment/update/waas-servicing-differences.md
+++ b/windows/deployment/update/waas-servicing-differences.md
@@ -53,7 +53,7 @@ This cumulative update model for Windows 10 has helped provide the Windows ecosy
- [Updates for the .NET Framework](https://blogs.msdn.microsoft.com/dotnet/2016/10/11/net-framework-monthly-rollups-explained/) are NOT included in the Windows 10 LCU. They are separate packages with different behaviors depending on the version of .NET Framework being updated, and on which OS. As of October 2018, .NET Framework updates for Windows 10 will be separate and have their own cumulative update model.
- For Windows 10, available update types vary by publishing channel:
- For customers using Windows Server Update Services (WSUS) and for the Update Catalog, several different updates types for Windows 10 are rolled together for the core OS in a single LCU package, with exception of Servicing Stack Updates.
- - Servicing Stack Updates (SSU) are available for download from the Update Catalog and can be imported through WSUS, but will not be automatically synced. (See this example for Windows 10, version 1709) For more information on Servicing Stack Updates, please see this blog.
+ - Servicing Stack Updates (SSU) are available for download from the Update Catalog and can be imported through WSUS. Servicing Stack Updates (SSU) will be synced automatically (See this example for Windows 10, version 1709). Learn more about [Servicing Stack Updates](https://docs.microsoft.com/windows/deployment/update/servicing-stack-updates).
- For customers connecting to Windows Update, the new cloud update architecture uses a database of updates which break out all the different update types, including Servicing Stack Updates (SSU) and Dynamic Updates (DU). The update scanning in the Windows 10 servicing stack on the client automatically takes only the updates that are needed by the device to be completely up to date.
- Windows 7 and other legacy operating systems have cumulative updates that operate differently than in Windows 10 (see next section).
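Review bot: the rewritten SSU bullet reverses "will not be automatically synced" to "will be synced automatically" but keeps "can be imported through WSUS" in the sentence before it, and the parent bullet still says the LCU rolls everything together "with exception of Servicing Stack Updates". Say once how SSUs reach WSUS and make the parent bullet agree with it. The bullet also repeats "Servicing Stack Updates (SSU)" in consecutive sentences, and "(See this example ...)" has lost its link target and should be lower-case inside the sentence.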
diff --git a/windows/deployment/update/windows-analytics-get-started.md b/windows/deployment/update/windows-analytics-get-started.md
index e5432caaa9..f0ee52dd38 100644
--- a/windows/deployment/update/windows-analytics-get-started.md
+++ b/windows/deployment/update/windows-analytics-get-started.md
@@ -151,7 +151,7 @@ When you run the deployment script, it initiates a full scan. The daily schedule
### Distribute the deployment script at scale
-Use a software distribution system such as System Center Configuration Manager to distribute the Upgrade Readiness deployment script at scale. For more information, see [New version of the Upgrade Analytics Deployment Script available](https://blogs.technet.microsoft.com/upgradeanalytics/2016/09/20/new-version-of-the-upgrade-analytics-deployment-script-available/) on the Upgrade Readiness blog. For information on how to deploy PowerShell scripts by using Windows Intune, see [Manage PowerShell scripts in Intune for Windows 10 devices](https://docs.microsoft.com/intune/intune-management-extension).
+Use a software distribution system such as System Center Configuration Manager to distribute the Upgrade Readiness deployment script at scale. For more information, see [Upgrade Readiness deployment script](https://docs.microsoft.com/windows/deployment/upgrade/upgrade-readiness-deployment-script). For information on how to deploy PowerShell scripts by using Windows Intune, see [Manage PowerShell scripts in Intune for Windows 10 devices](https://docs.microsoft.com/intune/intune-management-extension).
### Distributing policies at scale
There are a number of policies that can be centrally managed to control Windows Analytics device configuration. All of these policies have *preference* registry key equivalents that can be set by using the deployment script. Policy settings override preference settings if both are set.
diff --git a/windows/deployment/update/windows-as-a-service.md b/windows/deployment/update/windows-as-a-service.md
index f49645a75a..0b1327b761 100644
--- a/windows/deployment/update/windows-as-a-service.md
+++ b/windows/deployment/update/windows-as-a-service.md
@@ -25,34 +25,13 @@ Everyone wins when transparency is a top priority. We want you to know when upda
The latest news:
+- Improving the Windows 10 update experience with control, quality and transparency - April 4, 2019
+- Windows 10, version 1809 designated for broad deployment - March 28, 2019
- Data, insights and listening to improve the customer experience - March 6, 2019
- Getting to know the Windows update history pages - February 21, 2019
- Windows Update for Business and the retirement of SAC-T - February 14, 2019
- Application compatibility in the Windows ecosystem - January 15, 2019
- Windows monthly security and quality updates overview - January 10, 2019
-- Driver quality in the Windows ecosystem - December 19, 2018
-- Modern Desktop Podcast - Episode 001 – Windows 10 Monthly Quality Updates - December 18, 2018
-- Measuring Delivery Optimization and its impact to your network - December 13, 2018
-- LTSC: What is it, and when should it be used? - November 29, 2018
-- Local Experience Packs: What are they and when should you use them? - November 14, 2018
-- Resuming the Rollout of the Windows 10 October 2018 Update - November 13, 2018
-- Windows 10 Quality Approach for a Complex Ecosystem - November 13, 2018
-- Delivery Optimization: Scenarios and Configuration Options - October 30, 2018
-- Language Pack Acquisition and Retention for Enterprise Devices - October 18, 2018
-- Updated Version of Windows 10 October 2018 Update Released to Windows Insiders - October 9, 2018
-- How to get the Windows 10 October 2018 Update - October 2, 2018
-- Reducing Windows 10 Package Size Downloads for x64 Systems - September 26, 2018
-- Windows 7 Servicing Stack Updates: Managing Change and Appreciating Cumulative Updates - September 21, 2018
-- Helping customers shift to a modern desktop - September 6, 2018
-- Windows Update for Business & Windows Analytics: a real-world experience - September 5, 2018
-- What's next for Windows 10 and Windows Server quality updates - August 16, 2018
-- Windows 10 monthly updates - August 1, 2018 (**video**)
-- Windows 10 update servicing cadence - August 1, 2018
-- Windows 10 quality updates explained and the end of delta updates - July 11, 2018
-- AI Powers Windows 10 April 2018 Update Rollout - June 14, 2018
-- Windows Server 2008 SP2 Servicing Changes - June 12, 2018
-- Windows Update for Business - Enhancements, diagnostics, configuration - June 7, 2018
-- Windows 10 and the “disappearing” SAC-T - May 31, 2018
[See more news](waas-morenews.md). You can also check out the [Windows 10 blog](https://techcommunity.microsoft.com/t5/Windows-10-Blog/bg-p/Windows10Blog).
diff --git a/windows/deployment/upgrade/log-files.md b/windows/deployment/upgrade/log-files.md
index 1e62227e0d..a966f7ad8e 100644
--- a/windows/deployment/upgrade/log-files.md
+++ b/windows/deployment/upgrade/log-files.md
@@ -55,7 +55,7 @@ Event logs: Generic rollbacks (0xC1900101) or unexpected reboots.
## Log entry structure
-A setupact.log or setuperr.log entry includes the following elements:
+A setupact.log or setuperr.log entry (files are located at C:\Windows) includes the following elements:
- The date and time - 2016-09-08 09:20:05.
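Review bot: The added parenthetical in the "A setupact.log or setuperr.log entry" sentence hard-codes C:\Windows as the location of both logs. Write it as %windir%, the form limitations-with-wip.md uses in this same change set, so the statement holds when Windows is not installed on C:. If the earlier part of this topic already gives a location for each log file, check that this sentence agrees with it.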
diff --git a/windows/deployment/upgrade/upgrade-readiness-get-started.md b/windows/deployment/upgrade/upgrade-readiness-get-started.md
index 58c217bda4..a796d396d4 100644
--- a/windows/deployment/upgrade/upgrade-readiness-get-started.md
+++ b/windows/deployment/upgrade/upgrade-readiness-get-started.md
@@ -59,7 +59,7 @@ Upgrade Readiness is offered as a *solution* which you link to a new or existing
- Choose a workspace name which reflects the scope of planned usage in your organization, for example *PC-Analytics*.
- For the resource group setting select **Create new** and use the same name you chose for your new workspace.
- For the location setting, choose the Azure region where you would prefer the data to be stored.
- - For the pricing tier select **Free**.
+ - For the pricing tier select **per GB**.
4. Now that you have selected a workspace, you can go back to the Upgrade Readiness blade and select **Create**.

5. Watch for a Notification (in the Azure portal) that "Deployment 'Microsoft.CompatibilityAssessmentOMS' to resource group 'YourResourceGroupName' was successful." and then select **Go to resource** This might take several minutes to appear.
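Review bot: In the pricing tier sub-step, **per GB** is bolded as a UI label but written in lower case, unlike the other labels in this list (**Create new**, **Create**); confirm the exact string shown in the Azure portal. Switching the instruction from **Free** to a metered tier also needs a sentence on whether Upgrade Readiness data incurs charges, because the step now gives no cost guidance at all.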
diff --git a/windows/deployment/windows-autopilot/enrollment-status.md b/windows/deployment/windows-autopilot/enrollment-status.md
index 89e9a585ba..d2e6471454 100644
--- a/windows/deployment/windows-autopilot/enrollment-status.md
+++ b/windows/deployment/windows-autopilot/enrollment-status.md
@@ -62,7 +62,7 @@ The following types of policies and installations are not tracked:
## More information
For more information on configuring the Enrollment Status page, see the [Microsoft Intune documentation](https://docs.microsoft.com/intune/windows-enrollment-status).
-For details about the underlying implementation, see the [FirstSyncStatus details in the DMClient CSP docuementation](https://docs.microsoft.com/windows/client-management/mdm/dmclient-csp).
+For details about the underlying implementation, see the [FirstSyncStatus details in the DMClient CSP documentation](https://docs.microsoft.com/windows/client-management/mdm/dmclient-csp).
For more information about blocking for app installation:
- [Blocking for app installation using Enrollment Status Page](https://blogs.technet.microsoft.com/mniehaus/2018/12/06/blocking-for-app-installation-using-enrollment-status-page/).
-- [Support Tip: Office C2R installation is now tracked during ESP](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Office-C2R-installation-is-now-tracked-during-ESP/ba-p/295514).
\ No newline at end of file
+- [Support Tip: Office C2R installation is now tracked during ESP](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Office-C2R-installation-is-now-tracked-during-ESP/ba-p/295514).
diff --git a/windows/deployment/windows-autopilot/existing-devices.md b/windows/deployment/windows-autopilot/existing-devices.md
index 643cfeb6bd..0996810392 100644
--- a/windows/deployment/windows-autopilot/existing-devices.md
+++ b/windows/deployment/windows-autopilot/existing-devices.md
@@ -20,7 +20,7 @@ ms.topic: article
Modern desktop management with Windows Autopilot enables you to easily deploy the latest version of Windows 10 to your existing devices. The apps you need for work can be automatically installed. Your work profile is synchronized, so you can resume working right away.
-This topic describes how to convert Windows 7 domain-joined computers to Azure Active Directory-joined computers running Windows 10 by using Windows Autopilot.
+This topic describes how to convert Windows 7 or Windows 8.1 domain-joined computers to Azure Active Directory-joined computers running Windows 10 by using Windows Autopilot.
## Prerequisites
@@ -278,7 +278,7 @@ Next, ensure that all content required for the task sequence is deployed to dist
### Complete the client installation process
-1. Open the Software Center on the target Windows 7 client computer. You can do this by clicking Start and then typing **software** in the search box, or by typing the following at a Windows PowerShell or command prompt:
+1. Open the Software Center on the target Windows 7 or Windows 8.1 client computer. You can do this by clicking Start and then typing **software** in the search box, or by typing the following at a Windows PowerShell or command prompt:
```
C:\Windows\CCM\SCClient.exe
diff --git a/windows/deployment/windows-autopilot/troubleshooting.md b/windows/deployment/windows-autopilot/troubleshooting.md
index 70fa92e2a5..0d365a9cac 100644
--- a/windows/deployment/windows-autopilot/troubleshooting.md
+++ b/windows/deployment/windows-autopilot/troubleshooting.md
@@ -85,10 +85,12 @@ On Windows 10 version 1703 and above, ETW tracing can be used to capture detaile
The most common issue joining a device to Azure AD is related to Azure AD permissions. Ensure [the correct configuration is in place](windows-autopilot-requirements-configuration.md) to allow users to join devices to Azure AD. Errors can also happen if the user has exceeded the number of devices that they are allowed to join, as configured in Azure AD.
-Error code 801C0003 will typically be reported on an error page titled "Something went wrong." This error means that the Azure AD join failed.
+Error code 801C0003 will typically be reported on an error page titled "Something went wrong". This error means that the Azure AD join failed.
### Troubleshooting Intune enrollment issues
See [this knowledge base article](https://support.microsoft.com/help/4089533/troubleshooting-windows-device-enrollment-problems-in-microsoft-intune) for assistance with Intune enrollment issues. Common issues include incorrect or missing licenses assigned to the user or too many devices enrolled for the user.
-Error code 80180018 will typiclaly be reported on an error page titled "Something went wrong." This error means that the MDM enrollment failed.
+Error code 80180018 will typically be reported on an error page titled "Something went wrong". This error means that the MDM enrollment failed.
+
+If Autopilot Reset fails immediately with an error "Ran into trouble. Please sign in with an administrator account to see why and reset manually," see [Troubleshoot Autopilot Reset](https://docs.microsoft.com/education/windows/autopilot-reset#troubleshoot-autopilot-reset) for more help.
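Review bot: The new Autopilot Reset sentence keeps the comma inside the closing quotation mark ("... reset manually," see), while the two lines edited above move the period outside it ("Something went wrong".). Use one convention throughout the file. Placing the comma inside also makes it look like part of the error text, which matters for readers who search on the exact message.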
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements-network.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements-network.md
index dc3de62a1b..f2b2c19fb8 100644
--- a/windows/deployment/windows-autopilot/windows-autopilot-requirements-network.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements-network.md
@@ -26,7 +26,12 @@ Windows Autopilot depends on a variety of internet-based services; access to the
In environments that have more restrictive internet access, or for those that require authentication before internet access can be obtained, additional configuration may be required to whitelist access to the needed services. For additional details about each of these services and their specific requirements, review the following details:
-- **Windows Autopilot Deployment Service (and Windows Activation).** After a network connection is in place, each Windows 10 device will contact the Windows Autopilot Deployment Service using the same services used for Windows Activation. See the following link for details:
+- **Windows Autopilot Deployment Service (and Windows Activation).** After a network connection is in place, each Windows 10 device will contact the Windows Autopilot Deployment Service. With Windows 10 builds 18204 and above, the following URLs are used:
+
+ - https://ztd.dds.microsoft.com
+ - https://cs.dds.microsoft.com
+
+ For all supported Windows 10 releases, Windows Autopilot also uses Windows Activation services. See the following link for details:
-
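Review bot: The added sentence identifies the release by build number ("builds 18204 and above"), while windows-autopilot-requirements.md in this change set uses version numbers ("version 1703"); give the version, or say that this is an Insider build, so administrators can tell which devices need the two new URLs. Because this paragraph is about whitelisting on restricted networks, also state that both hosts are reached over HTTPS so that firewall and proxy rules can be scoped to those two host names on port 443 rather than to the whole dds.microsoft.com domain.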
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md
index fc304b4020..358e9fefd8 100644
--- a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md
@@ -22,16 +22,26 @@ Windows Autopilot depends on specific capabilities available in Windows 10, Azur
- Windows 10 version 1703 (semi-annual channel) or higher is required.
- The following editions are supported:
- - Pro
- - Pro Education
- - Pro for Workstations
- - Enterprise
- - Education
+ - Windows 10 Pro
+ - Windows 10 Pro Education
+ - Windows 10 Pro for Workstations
+ - Windows 10 Enterprise
+ - Windows 10 Education
+ - Windows 10 Enterprise 2019 LTSC
+
+ - If you're using Autopilot for Surface devices, note that only the following Surface devices support Autopilot:
+ - Surface Go
+ - Surface Go with LTE Advanced
+ - Surface Pro (5th gen)
+ - Surface Pro with LTE Advanced (5th gen)
+ - Surface Pro 6
+ - Surface Laptop (1st gen)
+ - Surface Laptop 2
+ - Surface Studio (1st gen)
+ - Surface Studio 2
+ - Surface Book 2
-- Windows 10 Enterprise 2019 LTSC is also supported.
-
-See the following topics for details on licensing, network, and configuration requirements:
-- [Licensing requirements](windows-autopilot-requirements-licensing.md)
+See the following topics for details on network and configuration requirements:
- [Networking requirements](windows-autopilot-requirements-network.md)
- [Configuration requirements](windows-autopilot-requirements-configuration.md)
- For details about specific configuration requirements to enable user-driven Hybrid Azure Active Directory join for Windows Autopilot, see [Intune Connector (preview) language requirements](intune-connector.md). This requirement is a temporary workaround, and will be removed in the next release of Intune Connector.
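Review bot: The closing list drops the "Licensing requirements" link and the word "licensing" from its lead-in sentence, but nothing in this diff shows windows-autopilot-requirements-licensing.md being removed or redirected. If the topic still exists, keep the link; if it has been retired, remove the file and its TOC entry in the same change so it is not left orphaned. The hard-coded Surface model list added above will go stale with each new device, so consider linking to a Surface-owned page instead.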
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
index d46ed8851c..0edce00395 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
@@ -177,6 +177,9 @@ To disable Windows Defender Credential Guard, you can use the following set of p
> [!NOTE]
> The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Windows Defender Credential Guard and virtualization-based security, run the following bcdedit command after turning off all virtualization-based security Group Policy and registry settings: bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
+> [!NOTE]
+> Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs. These options will be made available with future Gen 2 VMs.
+
For more info on virtualization-based security and Windows Defender Device Guard, see [Windows Defender Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide).
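Review bot: The added "> [!NOTE]" line appears to follow the last ">" line of the existing note with no blank line between them, so both will be parsed as one blockquote and the second alert may not render as its own note; add an empty line before it. "These options will be made available with future Gen 2 VMs" is a forward-looking statement with no date or link, so state only what is supported today. This limitation is also a better fit for credential-guard-requirements.md, where readers check platform support before deploying, than for the section on disabling Credential Guard.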
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
index 68c7ae9ccb..01d5a2d5a7 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
@@ -39,7 +39,7 @@ To provide basic protections against OS level attempts to read Credential Manage
The Virtualization-based security requires:
- 64-bit CPU
- CPU virtualization extensions plus extended page tables
-- Windows hypervisor
+- Windows hypervisor (does not require Hyper-V Windows Feature to be installed)
### Windows Defender Credential Guard deployment in virtual machines
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
index c7fd156e98..5ea3bbbae9 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
@@ -131,9 +131,9 @@ Sign-in a domain controller or management workstations with _Domain Admin_ equiv
5. In the content pane, right-click the **NDES Service Rights** Group Policy object and click **Edit**.
6. In the navigation pane, expand **Policies** under **Computer Configuration**.
7. Expand **Windows Settings > Security Settings > Local Policies**. Select **User Rights Assignments**.
-8. In the content pane, double-click **Allow log on locally**. Select **Define these policy settings**. and click **OK**. Click **Add User or Group...**. In the **Add User or Group** dialog box, click **Browse**. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **Administrators;Backup Operators;DOMAINNAME\NDESSvc;Users** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**. Click **OK** twice.
-9. In the content pane, double-click **Log on as a batch job**. Select **Define these policy settings**. and click **OK**. Click **Add User or Group...**. In the **Add User or Group** dialog box, click **Browse**. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **Administrators;Backup Operators;DOMAINNAME\NDESSvc;Performance Log Users** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**. Click **OK** twice.
-10. In the content pane, double-click **Log on as a batch job**. Select **Define these policy settings**. and click **OK**. Click **Add User or Group...**. In the **Add User or Group** dialog box, click **Browse**. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **NT SERVICE\ALL SERVICES;DOMAINNAME\NDESSvc** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**. Click **OK** three times.
+8. In the content pane, double-click **Allow log on locally**. Select **Define these policy settings** and click **OK**. Click **Add User or Group...**. In the **Add User or Group** dialog box, click **Browse**. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **Administrators;Backup Operators;DOMAINNAME\NDESSvc;Users** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**. Click **OK** twice.
+9. In the content pane, double-click **Log on as a batch job**. Select **Define these policy settings** and click **OK**. Click **Add User or Group...**. In the **Add User or Group** dialog box, click **Browse**. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **Administrators;Backup Operators;DOMAINNAME\NDESSvc;Performance Log Users** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**. Click **OK** twice.
+10. In the content pane, double-click **Log on as a service**. Select **Define these policy settings** and click **OK**. Click **Add User or Group...**. In the **Add User or Group** dialog box, click **Browse**. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **NT SERVICE\ALL SERVICES;DOMAINNAME\NDESSvc** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**. Click **OK** three times.
11. Close the **Group Policy Management Editor**.
### Configure security for the NDES Service User Rights Group Policy object
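Review bot: Step 10 now names **Log on as a service**, which fixes the duplicated **Log on as a batch job** step, but it still ends with "Click **OK** three times" while steps 8 and 9 walk through the same dialogs and end with "Click **OK** twice"; confirm the count. In all three steps, "Select **Define these policy settings** and click **OK**" comes before "Click **Add User or Group...**"; verify that order against the dialog, since OK would normally close it before the accounts can be added. "NetBios" should be "NetBIOS" in the three lines being edited.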
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
index ed400300f7..2bfa7ac0bd 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
@@ -30,7 +30,7 @@ Enterprises can use either a key or a certificate to provide single-sign on for
When using a key, the on-premises environment needs an adequate distribution of Windows Server 2016 domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
-When using a certificate, the on-premises environment can use Windows Server 2008 R2 and later domain controllers, which removes the Windows Server 2016 domain controller requirement. However, single-sign on using a key requires additional infrastructure to issue a certificate when the user enrolls for Windows Hello for Business. Azure AD joined devices enroll certificates using Microsoft Intune or a compatible Mobile Device Management (MDM). Microsoft Intune and Windows Hello for Business use the Network Device Enrollment Services (NDES) role and support Microsoft Intune connector.
+When using a certificate, the on-premises environment can use Windows Server 2008 R2 and later domain controllers, which removes the Windows Server 2016 domain controller requirement. However, single-sign on using a certificate requires additional infrastructure to issue a certificate when the user enrolls for Windows Hello for Business. Azure AD joined devices enroll certificates using Microsoft Intune or a compatible Mobile Device Management (MDM). Microsoft Intune and Windows Hello for Business use the Network Device Enrollment Services (NDES) role and support Microsoft Intune connector.
To deploy single sign-on for Azure AD joined devices using keys, read and follow [Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business](hello-hybrid-aadj-sso-base.md).
To deploy single sign-on for Azure AD joined devices using certificates, read and follow [Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business](hello-hybrid-aadj-sso-base.md) and then [Using Certificates for AADJ On-premises Single-sign On](hello-hybrid-aadj-sso-cert.md).
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
index 461d86ca82..5350a7e35a 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
@@ -59,7 +59,7 @@ The remainder of the provisioning includes Windows Hello for Business requesting
> Read [Azure AD Connect sync: Scheduler](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler) to view and adjust the **synchronization cycle** for your organization.
> [!NOTE]
-> Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889) provides synchronous certificate enrollment during hybrid certificate trust provisioning. With this update, users no longer need to wait for Azure AD Connect to sync their public key on-premises. Users enroll their certificate during provisioning and can use the certificate for sign-in immediately after completeling the provisioning.
+> Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889) provides synchronous certificate enrollment during hybrid certificate trust provisioning. With this update, users no longer need to wait for Azure AD Connect to sync their public key on-premises. Users enroll their certificate during provisioning and can use the certificate for sign-in immediately after completeling the provisioning. The update needs to be installed on the federation servers.
After a successful key registration, Windows creates a certificate request using the same key pair to request a certificate. Windows send the certificate request to the AD FS server for certificate enrollment.
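Review bot: The edited note line still contains the typo "completeling" ("immediately after completeling the provisioning"); fix it to "completing" while the line is being changed. The appended sentence says the update must be installed on "the federation servers"; call them the AD FS servers, as the next paragraph does, and say whether every server in the farm needs the update.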
diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
index b95f3a6b88..04dc168342 100644
--- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
@@ -75,9 +75,9 @@ It’s fundamentally important to understand which deployment model to use for a
A deployment's trust type defines how each Windows Hello for Business client authenticates to the on-premises Active Directory. There are two trust types: key trust and certificate trust.
-The key trust type does not require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during an in-box provisioning experience, which requires an adequate distribution of Windows Server 2016 domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
+The key trust type does not require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
-The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the in-box provisioning experience. Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers. Users can authenticate using their certificate to any Windows Server 2008 R2 or later domain controller.
+The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience. Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers. Users can authenticate using their certificate to any Windows Server 2008 R2 or later domain controller.
#### Device registration
@@ -85,11 +85,11 @@ All devices included in the Windows Hello for Business deployment must go throug
#### Key registration
-The in-box Windows Hello for Business provisioning experience creates a hardware bound asymmetric key pair as their user’s credentials. The private key is protected by the device’s security modules; however, the credential is a user key (not a device key). The provisioning experience registers the user’s public key with the identity provider. For cloud only and hybrid deployments, the identity provider is Azure Active Directory. For on-premises deployments, the identity provider is the on-premises server running Windows Server 2016 Active Directory Federation Services (AD FS) role.
+The built-in Windows Hello for Business provisioning experience creates a hardware bound asymmetric key pair as their user’s credentials. The private key is protected by the device’s security modules; however, the credential is a user key (not a device key). The provisioning experience registers the user’s public key with the identity provider. For cloud only and hybrid deployments, the identity provider is Azure Active Directory. For on-premises deployments, the identity provider is the on-premises server running Windows Server 2016 Active Directory Federation Services (AD FS) role.
#### Multifactor authentication
-The goal of Windows Hello for Business is to move organizations away from passwords by providing them a strong credential that provides easy two-factor authentication. The in-box provisioning experience accepts the user’s weak credentials (username and password) as the first factor authentication; however, the user must provide a second factor of authentication before Windows provisions a strong credential.
+The goal of Windows Hello for Business is to move organizations away from passwords by providing them a strong credential that provides easy two-factor authentication. The built-in provisioning experience accepts the user’s weak credentials (username and password) as the first factor authentication; however, the user must provide a second factor of authentication before Windows provisions a strong credential.
Cloud only and hybrid deployments provide many choices for multi-factor authentication. On-premises deployments must use a multi-factor authentication that provides an AD FS multi-factor adapter to be used in conjunction with the on-premises Windows Server 2016 AD FS server role. Organizations can use the on-premises Azure Multi-factor Authentication server, or choose from several third parties (Read [Microsoft and third-party additional authentication methods](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods) for more information).
>[!NOTE]
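Review bot: The rewritten Key registration sentence still reads "hardware bound asymmetric key pair as their user's credentials"; the first hunk of this file hyphenates "hardware-bound", and "their" has no antecedent here. Since the line is already being edited for "in-box", change it to "a hardware-bound asymmetric key pair as the user's credentials".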
@@ -105,7 +105,7 @@ Cloud only and hybrid deployments provide many choices for multi-factor authenti
#### Directory synchronization
-Hybrid and on-premises deployments use directory synchronization, however, each for a different purpose. Hybrid deployments use Azure Active Directory Connect to synchronize Active Directory identities or credentials between itself and Azure Active Directory. This helps enable single sign-on to Azure Active Directory and its federated components.
+Hybrid and on-premises deployments use directory synchronization, however, each for a different purpose. Hybrid deployments use Azure Active Directory Connect to synchronize Active Directory identities or credentials between itself and Azure Active Directory. This helps enable single sign-on to Azure Active Directory and its federated components. On-premises deployments use directory synchronization to import users from Active Directory to the Azure MFA Server, which sends data to the Azure MFA cloud service to perform the verification.
### Management
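Review bot: The added sentence says the Azure MFA Server "sends data to the Azure MFA cloud service" without saying which data leaves the on-premises environment. In a planning guide, name the attributes or link to the Azure MFA Server documentation that lists them, because that is the detail a security review of an on-premises deployment will ask for. The unchanged opening clause "use directory synchronization, however, each for a different purpose" is a comma splice and could be fixed in the same edit.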
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md
index 2783e1edb2..101b9976ad 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md
@@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 02/26/2019
+ms.date: 04/05/2019
---
# Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager
@@ -95,7 +95,7 @@ If you don't know the publisher or product name, you can find them for both desk
**To find the Publisher and Product Name values for Store apps without installing them**
-1. Go to the [Microsoft Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, Microsoft OneNote.
+1. Go to the [Microsoft Store for Business](https://businessstore.microsoft.com/store) website, and find your app. For example, Microsoft OneNote.
>[!NOTE]
@@ -505,16 +505,11 @@ After you've finished configuring your policy, you can review all of your info o
After you’ve created your WIP policy, you'll need to deploy it to your organization's devices. For info about your deployment options, see these topics:
- [Operations and Maintenance for Compliance Settings in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=708224)
-- [How to Create Configuration Baselines for Compliance Settings in Configuration Manager]( https://go.microsoft.com/fwlink/p/?LinkId=708225)
+- [How to Create Configuration Baselines for Compliance Settings in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=708225)
-- [How to Deploy Configuration Baselines in Configuration Manager]( https://go.microsoft.com/fwlink/p/?LinkId=708226)
+- [How to Deploy Configuration Baselines in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=708226)
## Related topics
-- [System Center Configuration Manager and Endpoint Protection (Version 1606)](https://go.microsoft.com/fwlink/p/?LinkId=717372)
-
-- [TechNet documentation for Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=691623)
-
-- [Manage mobile devices with Configuration Manager and Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=691624)
- [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md)
diff --git a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md
index 1e633ed77d..f3d8fb9489 100644
--- a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md
+++ b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md
@@ -12,7 +12,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 03/06/2019
+ms.date: 04/05/2019
ms.localizationpriority: medium
---
@@ -124,7 +124,16 @@ This table provides info about the most common problems you might encounter whil
If all apps need to be managed, enroll the device for MDM.
|
+
+ By design, files in the Windows directory (%windir% or C:/Windows) cannot be encrypted because they need to be accessed by any user. If a file in the Windows directory gets encypted by one user, other users can't access it.
+ |
+ Any attempt to encrypt a file in the Windows directory will return a file access denied error. But if you copy or drag and drop an encrypted file to the Windows directory, it will retain encryption to honor the intent of the owner.
+ |
+ If you need to save an encrypted file in the Windows directory, create and encrypt the file in a different directory and copy it.
+ |
+
>[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to our content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
+
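Review bot: The new table row has a typo, "encypted", in its first cell and writes the path as C:/Windows with a forward slash; use "encrypted" and %windir% or C:\Windows. The first cell says files in the Windows directory "cannot be encrypted" while the second says a copied encrypted file "will retain encryption" there; reword the first to say that files cannot be encrypted in place so the two cells do not contradict each other. The workaround cell should also repeat the row's own caveat that other users will not be able to open a file saved this way.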
diff --git a/windows/security/threat-protection/auditing/event-4716.md b/windows/security/threat-protection/auditing/event-4716.md
index 651817d90c..1bd7c641e8 100644
--- a/windows/security/threat-protection/auditing/event-4716.md
+++ b/windows/security/threat-protection/auditing/event-4716.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: Mir0sh
-ms.date: 04/19/2017
+ms.date: 04/04/2019
---
# 4716(S): Trusted domain information was modified.
@@ -132,7 +132,7 @@ This event is generated only on domain controllers.
| 0x8 | TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE | If this bit is set, the trust link is a [cross-forest trust](https://msdn.microsoft.com/library/cc223126.aspx#gt_86f3dbf2-338f-462e-8c5b-3c8e05798dbc) [\[MS-KILE\]](https://msdn.microsoft.com/library/cc233855.aspx) between the root domains of two [forests](https://msdn.microsoft.com/library/cc223126.aspx#gt_fd104241-4fb3-457c-b2c4-e0c18bb20b62), both of which are running in a [forest functional level](https://msdn.microsoft.com/library/cc223126.aspx#gt_b3240417-ca43-4901-90ec-fde55b32b3b8) of DS\_BEHAVIOR\_WIN2003 or greater.
Only evaluated on Windows Server 2003 operating system, Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, Windows Server 2012 R2 operating system, and Windows Server 2016 operating system.
Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
| 0x10 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION | If this bit is set, then the trust is to a domain or forest that is not part of the [organization](https://msdn.microsoft.com/library/cc223126.aspx#gt_6fae7775-5232-4206-b452-f298546ab54f). The behavior controlled by this bit is explained in [\[MS-KILE\]](https://msdn.microsoft.com/library/cc233855.aspx) section [3.3.5.7.5](https://msdn.microsoft.com/library/cc233949.aspx) and [\[MS-APDS\]](https://msdn.microsoft.com/library/cc223948.aspx) section [3.1.5](https://msdn.microsoft.com/library/cc223991.aspx).
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.
Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
| 0x20 | TRUST\_ATTRIBUTE\_WITHIN\_FOREST | If this bit is set, then the trusted domain is within the same forest.
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. |
-| 0x40 | TRUST\_ATTRIBUTE\_TREAT\_AS\_EXTERNAL | If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are more stringently [filtered](https://msdn.microsoft.com/library/cc223126.aspx#gt_ffbe7b55-8e84-4f41-a18d-fc29191a4cda) than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/library/cc237917.aspx) section 4.1.2.2.
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.
Only evaluated if SID Filtering is used.
Only evaluated on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
+| 0x40 | TRUST\_ATTRIBUTE\_TREAT\_AS\_EXTERNAL | If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are [more stringently filtered](https://docs.microsoft.com/openspecs/windows_protocols/ms-adts/e9a2d23c-c31e-4a6f-88a0-6646fdb51a3c) than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/library/cc237917.aspx) section 4.1.2.2.
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.
Only evaluated if SID Filtering is used.
Only evaluated on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
| 0x80 | TRUST\_ATTRIBUTE\_USES\_RC4\_ENCRYPTION | This bit is set on trusts with the [trustType](https://msdn.microsoft.com/library/cc220955.aspx) set to TRUST\_TYPE\_MIT, which are capable of using RC4 keys. Historically, MIT Kerberos distributions supported only DES and 3DES keys ([\[RFC4120\]](https://go.microsoft.com/fwlink/?LinkId=90458), [\[RFC3961\]](https://go.microsoft.com/fwlink/?LinkId=90450)). MIT 1.4.1 adopted the RC4HMAC encryption type common to Windows 2000 [\[MS-KILE\]](https://msdn.microsoft.com/library/cc233855.aspx), so trusted domains deploying later versions of the MIT distribution required this bit. For more information, see "Keys and Trusts", section [6.1.6.9.1](https://msdn.microsoft.com/library/cc223782.aspx).
Only evaluated on TRUST\_TYPE\_MIT |
| 0x200 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION\_NO\_TGT\_DELEGATION | If this bit is set, tickets granted under this trust MUST NOT be trusted for delegation. The behavior controlled by this bit is as specified in [\[MS-KILE\]](https://msdn.microsoft.com/library/cc233855.aspx) section 3.3.5.7.5.
Only supported on Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. |
| 0x400 | TRUST\_ATTRIBUTE\_PIM\_TRUST | If this bit and the TATE bit are set, then a cross-forest trust to a domain is to be treated as Privileged Identity Management trust for the purposes of SID Filtering. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/library/cc237917.aspx) section 4.1.2.2.
Evaluated only on Windows Server 2016
Evaluated only if SID Filtering is used.
Evaluated only on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
Can be set only if the forest and the trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WINTHRESHOLD or greater. |
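Review bot: the replaced link in the 0x40 row now points at `docs.microsoft.com/openspecs/windows_protocols/ms-adts/...`, while the [MS-PAC] link in the same row and every other reference in the surrounding rows still use `msdn.microsoft.com/library/...`. Either migrate the neighbouring links in the same change or say in the commit message why only this one moved. The link also changed from a glossary anchor on the word "filtered" to a section link on "more stringently filtered", so confirm that the new target actually describes the filtering difference between cross-forest and external trusts and not just the attribute table.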
diff --git a/windows/security/threat-protection/intelligence/phishing.md b/windows/security/threat-protection/intelligence/phishing.md
index dfc09b4fc9..8e7744a439 100644
--- a/windows/security/threat-protection/intelligence/phishing.md
+++ b/windows/security/threat-protection/intelligence/phishing.md
@@ -84,6 +84,7 @@ Enterprises should educate and train their employees to be wary of any communica
Here are several telltale signs of a phishing scam:
* The links or URLs provided in emails are **not pointing to the correct location** or are attempting to have you access a third-party site that is not affiliated with the sender of the email. For example, in the image below the URL provided does not match the URL that you will be taken to.
+

* There is a **request for personal information** such as social security numbers or bank or financial information. Official communications won't generally request personal information from you in the form of an email.
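Review bot: the added blank line before `![example of how exploit kits work](images/URLhover.png)` leaves the image unindented, so it is no longer part of the first bullet and the next `*` item starts a new list. If the intent is to fix rendering of the image, indent the image line to the bullet's content column as well so it stays attached to the item that refers to "the image below".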
diff --git a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md
index f8d9e40a73..c035c41d1f 100644
--- a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md
+++ b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md
@@ -41,7 +41,7 @@ Windows Defender Antivirus is part of the [next generation](https://www.youtub
The AV-TEST Product Review and Certification Report tests on three categories: protection, performance, and usability. The scores listed below are for the Protection category which has two scores: Real-World Testing and the AV-TEST reference set (known as "Prevalent Malware").
-- January - February 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/december-2018/microsoft-windows-defender-antivirus-4.18-185074/) **Latest**
+- January - February 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/february-2019/microsoft-windows-defender-antivirus-4.18-190611/) **Latest**
Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, with 19,956 malware samples used. This is the fifth consecutive cycle that Windows Defender Antivirus achieved a perfect score.
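Review bot: the link target moves from the `december-2018` report to `february-2019`, but the unchanged sentence under it ("19,956 malware samples used", "fifth consecutive cycle") was written while the bullet pointed at the older report. Confirm both figures against the February 2019 page now linked, and update them in this change if they differ.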
diff --git a/windows/security/threat-protection/security-policy-settings/profile-system-performance.md b/windows/security/threat-protection/security-policy-settings/profile-system-performance.md
index a7425d8dc2..06d22fc8d2 100644
--- a/windows/security/threat-protection/security-policy-settings/profile-system-performance.md
+++ b/windows/security/threat-protection/security-policy-settings/profile-system-performance.md
@@ -44,7 +44,7 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Use
### Default values
-By default this setting is Administrators on domain controllers and on stand-alone servers.
+By default, this setting is Administrators and NT SERVICE\WdiServiceHost on domain controllers and on stand-alone servers.
The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page.
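Review bot: `NT SERVICE\WdiServiceHost` in the added line uses a bare backslash, while the policy path quoted in the hunk header escapes them (`Computer Configuration\\Windows Settings\\...`). Escape it the same way or put the account name in backticks so it renders consistently. The next sentence says the table lists the default values, so check that the table rows for domain controllers and stand-alone servers also show NT SERVICE\WdiServiceHost; otherwise the paragraph and the table disagree.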
diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md
index 9b5f2b9057..15865ca9fa 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md
@@ -34,37 +34,34 @@ You should also have access to Windows Defender Security Center.
Microsoft Defender ATP for Mac system requirements:
- macOS version: 10.14 (Mojave), 10.13 (High Sierra), 10.12 (Sierra)
- Disk space during preview: 1GB
-- The following URLs must be accessible from the Mac device:
- - ```https://cdn.x.cp.wd.microsoft.com/ ```
- - ```https://eu-cdn.x.cp.wd.microsoft.com/ ```
- - ```https://wu-cdn.x.cp.wd.microsoft.com/ ```
- - ```https://x.cp.wd.microsoft.com/ ```
- - ```https://asia.x.cp.wd.microsoft.com/ ```
- - ```https://australia.x.cp.wd.microsoft.com/ ```
- - ```https://europe.x.cp.wd.microsoft.com/ ```
- - ```https://unitedkingdom.x.cp.wd.microsoft.com/ ```
- - ```https://unitedstates.x.cp.wd.microsoft.com/ ```
+
+After you've enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints.
+
+The following table lists the services and their associated URLs that your network must be able to connect to. You should ensure there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an **allow** rule specifically for them:
+
+| Service | Description | URL |
+| -------------- |:------------------------------------:| --------------------------------------------------------------------:|
+| ATP | Advanced threat protection service | `https://x.cp.wd.microsoft.com/`, `https://*.x.cp.wd.microsoft.com/` |
+
+To test that a connection is not blocked, open `https://x.cp.wd.microsoft.com/api/report` and `https://wu-cdn.x.cp.wd.microsoft.com/` in a browser, or run the following command in Terminal:
+
+```
+ mavel-mojave:~ testuser$ curl 'https://x.cp.wd.microsoft.com/api/report'
+ OK
+```
+
+We recommend to keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) ([Wiki](https://en.wikipedia.org/wiki/System_Integrity_Protection)) enabled (default setting) on client machines.
+SIP is a built-in macOS security feature that prevents low-level tampering with the OS.
## Installation and configuration overview
There are various methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac.
In general you'll need to take the following steps:
-- [Register macOS devices](#register-macos-devices) with Windows Defender ATP
-- Deploy Microsoft Defender ATP for Mac using any of the following deployment methods and tools:
+ - [Register macOS devices](#register-macos-devices) with Windows Defender ATP
+ - Deploy Microsoft Defender ATP for Mac using any of the following deployment methods and tools:
- [Microsoft Intune based deployment](#microsoft-intune-based-deployment)
- [JAMF based deployment](#jamf-based-deployment)
- [Manual deployment](#manual-deployment)
-## Register macOS devices
-To onboard your devices for Microsoft Defender ATP for Mac, you must register the devices with Windows Defender ATP and provide consent to submit telemetry.
-
-Use the following URL to give consent to submit telemetry: ```https://login.microsoftonline.com/common/oauth2/authorize?prompt=consent&client_id=f9eb614c-7a8e-422a-947d-2059e657d855&response_type=code&sso_reload=true```
-
-> [!NOTE]
-> You may get an error that a page on ```https://ppe.fresno.wd.microsoft.com``` cannot be opened. Disregard the error as it does not affect the onboarding process.
-
-
-
-
## Deploy Microsoft Defender ATP for Mac
Use any of the supported methods to deploy Microsoft Defender ATP for Mac
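Review bot: the "## Register macOS devices" section is deleted, but the overview list a few lines above still contains `[Register macOS devices](#register-macos-devices)`, which now links to an anchor that no longer exists. Drop that bullet or point it at the onboarding steps that replace it. Two smaller points in the same hunk: "We recommend to keep" should read "We recommend that you keep", and the SIP paragraph runs straight into "## Installation and configuration overview" with no blank line before the heading.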
@@ -72,11 +69,11 @@ Use any of the supported methods to deploy Microsoft Defender ATP for Mac
### Download installation and onboarding packages
Download the installation and onboarding packages from Windows Defender Security Center:
-1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**.
-2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**.
-3. In Section 2 of the page, click **Download installation package**. Save it as wdav.pkg to a local directory.
-4. In Section 2 of the page, click **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory.
-5. Download IntuneAppUtil from https://docs.microsoft.com/en-us/intune/lob-apps-macos.
+1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**.
+2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**.
+3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory.
+4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory.
+5. Download IntuneAppUtil from https://docs.microsoft.com/en-us/intune/lob-apps-macos.

@@ -97,7 +94,7 @@ Download the installation and onboarding packages from Windows Defender Security
inflating: jamf/WindowsDefenderATPOnboarding.plist
mavel-macmini:Downloads test$
```
-7. Make IntuneAppUtil an executable:
+7. Make IntuneAppUtil an executable:
```mavel-macmini:Downloads test$ chmod +x IntuneAppUtil```
@@ -124,10 +121,12 @@ You need no special provisioning for a Mac machine beyond a standard [Company Po

-2. Click the **Continue** button, and your Management Profile is displayed as verified:
+Select Open System Preferences, locate Management Profile on the list and select the **Approve...** button. Your Management Profile would be displayed as **Verified**:

+2. Select the **Continue** button and complete the enrollment.
+
You can enroll additional machines. Optionally, you can do it later, after system configuration and application package are provisioned.
3. In Intune, open the **Manage > Devices > All devices** blade. You'll see your machine:
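Review bot: the added sentence "Select Open System Preferences, locate Management Profile on the list..." sits unnumbered and unindented between step 1's image and the new step 2, so it breaks the ordered list and the steps after it restart. Make it part of step 1 (indented) or give it its own number. For consistency with the rest of the page, bold the UI labels (**Open System Preferences**, **Management Profile**) and use "is displayed as **Verified**" instead of "would be displayed".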
@@ -135,17 +134,17 @@ You can enroll additional machines. Optionally, you can do it later, after syste

### Create System Configuration profiles
-1. In Intune open the **Manage > Device configuration** blade. Click **Manage > Profiles > Create Profile**.
-2. Choose a name for the profile. Change **Platform=macOS**, **Profile type=Custom**. Click **Configure**.
-3. Open the configuration profile and upload intune/kext.xml. This file was created during the Generate settings step above.
-4. Click **OK**.
+1. In Intune open the **Manage > Device configuration** blade. Select **Manage > Profiles > Create Profile**.
+2. Choose a name for the profile. Change **Platform=macOS**, **Profile type=Custom**. Select **Configure**.
+3. Open the configuration profile and upload intune/kext.xml. This file was created during the Generate settings step above.
+4. Select **OK**.

-5. **Click Manage > Assignments**. In the **Include** tab, click **Assign to All Users & All devices**.
-7. Repeat these steps with the second profile.
-8. Create Profile one more time, give it a name, upload the intune/WindowsDefenderATPOnboarding.xml file.
-9. Click **Manage > Assignments**. In the Include tab, click **Assign to All Users & All devices**.
+5. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**.
+7. Repeat these steps with the second profile.
+8. Create Profile one more time, give it a name, upload the intune/WindowsDefenderATPOnboarding.xml file.
+9. Select **Manage > Assignments**. In the Include tab, select **Assign to All Users & All devices**.
After Intune changes are propagated to the enrolled machines, you'll see it on the **Monitor > Device status** blade:
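Review bot: the renumbered list in this hunk still goes 5, 7, 8, 9 with no step 6. Since every one of these lines is being touched anyway, fix the numbering here. Steps 7 and 8 also overlap ("Repeat these steps with the second profile" followed by "Create Profile one more time"); it would be clearer to say which file each repeat uploads.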
@@ -153,24 +152,24 @@ After Intune changes are propagated to the enrolled machines, you'll see it on t
### Publish application
-1. In Intune, open the **Manage > Client apps** blade. Click **Apps > Add**.
-2. Select **App type=Other/Line-of-business app**.
-3. Select **file=wdav.pkg.intunemac**. Click **OK** to upload.
-4. Click **Configure** and add the required information.
-5. Use **macOS Sierra 10.12** as the minimum OS. Other settings can be any other value.
+1. In Intune, open the **Manage > Client apps** blade. Select **Apps > Add**.
+2. Select **App type=Other/Line-of-business app**.
+3. Select **file=wdav.pkg.intunemac**. Select **OK** to upload.
+4. Select **Configure** and add the required information.
+5. Use **macOS Sierra 10.12** as the minimum OS. Other settings can be any other value.

-6. Click **OK** and **Add**.
+6. Select **OK** and **Add**.

-7. It will take a while to upload the package. After it's done, click the name and then go to **Assignments** and **Add group**.
+7. It will take a while to upload the package. After it's done, select the name and then go to **Assignments** and **Add group**.

8. Change **Assignment type=Required**.
-9. Click **Included Groups**. Select **Make this app required for all devices=Yes**. Click **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**.
+9. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Select **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**.

@@ -179,7 +178,7 @@ After Intune changes are propagated to the enrolled machines, you'll see it on t

### Verify client machine state
-1. After the configuration profiles are deployed to your machines, on your Mac device, open **System Preferences > Profiles**.
+1. After the configuration profiles are deployed to your machines, on your Mac device, open **System Preferences > Profiles**.


@@ -187,9 +186,9 @@ After Intune changes are propagated to the enrolled machines, you'll see it on t
2. Verify the three profiles listed there:

-3. The **Management Profile** should be the Intune system profile.
-4. wdav-config and wdav-kext are system configuration profiles that we added in Intune.
-5. You should also see the Microsoft Defender icon in the top-right corner:
+3. The **Management Profile** should be the Intune system profile.
+4. wdav-config and wdav-kext are system configuration profiles that we added in Intune.
+5. You should also see the Microsoft Defender icon in the top-right corner:

@@ -200,10 +199,10 @@ You need to be familiar with JAMF administration tasks, have a JAMF tenant, and
### Download installation and onboarding packages
Download the installation and onboarding packages from Windows Defender Security Center:
-1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**.
-2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**.
-3. In Section 2 of the page, click **Download installation package**. Save it as wdav.pkg to a local directory.
-4. In Section 2 of the page, click **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory.
+1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**.
+2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**.
+3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory.
+4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory.

@@ -244,15 +243,15 @@ The configuration profile contains one custom settings payload that includes:
#### Approved Kernel Extension
To approve the kernel extension:
-1. In **Computers > Configuration Profiles** click **Options > Approved Kernel Extensions**.
-2. Use **UBF8T346G9** for Team Id.
+1. In **Computers > Configuration Profiles** select **Options > Approved Kernel Extensions**.
+2. Use **UBF8T346G9** for Team Id.

#### Configuration Profile's Scope
Configure the appropriate scope to specify the machines that will receive this configuration profile.
-In the Configuration Profiles, click **Scope > Targets**. Select the appropriate Target computers.
+Open Computers -> Configuration Profiles, select **Scope > Targets**. Select the appropriate Target computers.

@@ -283,7 +282,7 @@ You need no special provisioning for a macOS computer beyond the standard JAMF E
> [!NOTE]
> After a computer is enrolled, it will show up in the Computers inventory (All Computers).
-1. Open the machine details, from **General** tab, and make sure that **User Approved MDM** is set to **Yes**. If it's set to No, the user needs to open **System Preferences > Profiles** and click **Approve** on the MDM Profile.
+1. Open the machine details, from **General** tab, and make sure that **User Approved MDM** is set to **Yes**. If it's set to No, the user needs to open **System Preferences > Profiles** and select **Approve** on the MDM Profile.


@@ -384,10 +383,10 @@ This script returns 0 if Microsoft Defender ATP is registered with the Windows D
### Download installation and onboarding packages
Download the installation and onboarding packages from Windows Defender Security Center:
-1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**.
-2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**.
-3. In Section 2 of the page, click **Download installation package**. Save it as wdav.pkg to a local directory.
-4. In Section 2 of the page, click **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory.
+1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**.
+2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Local script**.
+3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory.
+4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory.

@@ -407,13 +406,11 @@ Download the installation and onboarding packages from Windows Defender Security
### Application installation
To complete this process, you must have admin privileges on the machine.
-1. Download the wdav.pkg from: https://fresno.blob.core.windows.net/preview/macos/wdav.pkg.
-
-2. Navigate to the downloaded wdav.pkg in Finder and open it.
+1. Navigate to the downloaded wdav.pkg in Finder and open it.

-3. Click **Continue**, agree with the License terms, and enter the password when prompted.
+2. Select **Continue**, agree with the License terms, and enter the password when prompted.

@@ -422,7 +419,7 @@ To complete this process, you must have admin privileges on the machine.

-4. Click **Open Security Preferences** or **Open System Preferences > Security & Privacy**. Click **Allow**:
+3. Select **Open Security Preferences** or **Open System Preferences > Security & Privacy**. Select **Allow**:

@@ -430,10 +427,10 @@ To complete this process, you must have admin privileges on the machine.
The installation will proceed.
> [!NOTE]
-> If you don't click **Allow**, the installation will fail after 5 minutes. You can restart it again at any time.
+> If you don't select **Allow**, the installation will fail after 5 minutes. You can restart it again at any time.
### Client configuration
-1. Copy wdav.pkg and WindowsDefenderATPOnboarding.py to the machine where you deploy Microsoft Defender ATP for Mac.
+1. Copy wdav.pkg and WindowsDefenderATPOnboarding.py to the machine where you deploy Microsoft Defender ATP for Mac.
The client machine is not associated with orgId. Note that the orgid is blank.
@@ -442,14 +439,14 @@ The installation will proceed.
uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6
orgid :
```
-2. Install the configuration file on a client machine:
+2. Install the configuration file on a client machine:
```
mavel-mojave:wdavconfig testuser$ python WindowsDefenderATPOnboarding.py
Generating /Library/Application Support/Microsoft/Defender/com.microsoft.wdav.atp.plist ... (You may be required to enter sudos password)
```
-3. Verify that the machine is now associated with orgId:
+3. Verify that the machine is now associated with orgId:
```
mavel-mojave:wdavconfig testuser$ /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py
@@ -472,17 +469,45 @@ Or, from a command line:
## Known issues
- Microsoft Defender ATP is not yet optimized for performance or disk space.
-- Centrally managed uninstall using Intune/JAMF is still in development. To uninstall (as a workaround) an uninstall action has to be completed on each client device).
+- Centrally managed uninstall using Intune is still in development. To uninstall (as a workaround) a manual uninstall action has to be completed on each client device).
- Geo preference for telemetry traffic is not yet supported. Cloud traffic (definition updates) routed to US only.
- Full Windows Defender ATP integration is not yet available
- Not localized yet
- There might be accessibility issues
+## Collecting diagnostic information
+If you can reproduce a problem, please increase the logging level, run the system for some time, and restore the logging level to the default.
+
+1) Increase logging level:
+```
+ mavel-mojave:~ testuser$ mdatp log-level --verbose
+ Creating connection to daemon
+ Connection established
+ Operation succeeded
+```
+
+2) Reproduce the problem
+
+3) Run `mdatp --diagnostic` to backup Defender ATP's logs. The command will print out location with generated zip file.
+
+ ```
+ mavel-mojave:~ testuser$ mdatp --diagnostic
+ Creating connection to daemon
+ Connection established
+ "/Library/Application Support/Microsoft/Defender/wdavdiag/d85e7032-adf8-434a-95aa-ad1d450b9a2f.zip"
+ ```
+
+4) Restore logging level:
+```
+ mavel-mojave:~ testuser$ mdatp log-level --info
+ Creating connection to daemon
+ Connection established
+ Operation succeeded
+```
+
+
### Installation issues
If an error occurs during installation, the installer will only report a general failure. The detailed log is saved to /Library/Logs/Microsoft/wdav.install.log. If you experience issues during installation, send us this file so we can help diagnose the cause. You can also contact _**xplatpreviewsupport@microsoft.com**_ for support on onboarding issues.
For feedback on the preview, contact: _**mdatpfeedback@microsoft.com**_.
-
-
-
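Review bot: "## Collecting diagnostic information" is added as an H2 between "## Known issues" and "### Installation issues", so the installation subsection is now nested under diagnostics instead of under known issues. Move the new section after "### Installation issues" or make it an H3. Within the new section, the steps use `1)` where the rest of the page uses `1.`, and the fences for steps 1 and 4 start at column 0 while step 3's fence is indented, so they will not render uniformly. The edited Known issues bullet also keeps the unmatched ")" after "each client device".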
diff --git a/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md
index b22dc34733..9a451f585c 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md
@@ -75,7 +75,7 @@ Location | Setting | Description | Default setting (if not configured)
Scan | Specify the scan type to use for a scheduled scan | Quick scan
Scan | Specify the day of the week to run a scheduled scan | Specify the day (or never) to run a scan. | Never
Scan | Specify the time of day to run a scheduled scan | Specify the number of minutes after midnight (for example, enter **60** for 1 am). | 2 am
-Root | Randomize scheduled task times | Randomize the start time of the scan to any interval from 0 to 4 hours, or to any interval plus or minus 30 minutes for non-Windows Defender Antivirus scans. This can be useful in VM or VDI deployments. | Enabled
+Root | Randomize scheduled task times |In Windows Defender Antivirus: Randomize the start time of the scan to any interval from 0 to 4 hours.
In FEP/SCEP: randomize to any interval plus or minus 30 minutes. This can be useful in VM or VDI deployments. | Enabled
**Use PowerShell cmdlets to schedule scans:**
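Review bot: the replacement row for "Randomize scheduled task times" continues onto a second line starting "In FEP/SCEP:", and a table row split across source lines will not render as one cell; keep it on one line with an inline break. The row also drops the space after the second pipe ("|In Windows Defender Antivirus"), capitalizes "Randomize" in one clause and not the other, and introduces FEP/SCEP without expanding them, where the old text said "non-Windows Defender Antivirus scans".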
diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
index 8522325f19..8b6d1d2ef7 100644
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
@@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
author: jsuther1974
-ms.date: 08/31/2018
+ms.date: 04/09/2019
---
# Microsoft recommended block rules
@@ -76,7 +76,13 @@ These modules cannot be blocked by name or version, and therefore must be blocke
For October 2017, we are announcing an update to system.management.automation.dll in which we are revoking older versions by hash values, instead of version rules.
-Microsoft recommends that you block the following Microsoft-signed applications and PowerShell files by merging the following policy into your existing policy to add these deny rules using the Merge-CIPolicy cmdlet:
+Microsoft recommends that you block the following Microsoft-signed applications and PowerShell files by merging the following policy into your existing policy to add these deny rules using the Merge-CIPolicy cmdlet. Beginning with the March 2019 quality update, each version of Windows requires blocking a specific version of the following files:
+
+- msxml3.dll
+- msxml6.dll
+- jscript9.dll
+
+Pick the correct version of each .dll for the Windows release you plan to support, and remove the other versions.
```xml
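Review bot: the added paragraph tells readers to "pick the correct version of each .dll for the Windows release you plan to support" but does not say where the version-to-release mapping is. If it lives in comments inside the policy XML, say so explicitly; otherwise add a short table here. The sentence "merging the following policy into your existing policy" is now separated from the policy by the new sentence and bullet list, so consider moving the msxml3.dll / msxml6.dll / jscript9.dll guidance above it or after the XML block.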
@@ -137,7 +143,35 @@ Microsoft recommends that you block the following Microsoft-signed applications
-
+
+
+
+
+
+
+
+ -->
+
+
+
+ -->
+
+
+
+ -->
+
+
+
+ -->
+
+
+
+ -->
@@ -842,8 +876,11 @@ Microsoft recommends that you block the following Microsoft-signed applications
-
-
+
+
+
+
+
diff --git a/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md
index 2f08cd9670..fc2f274410 100644
--- a/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md
+++ b/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md
@@ -36,6 +36,6 @@ Your environment needs the following software to run Windows Defender Applicatio
|Software|Description|
|--------|-----------|
-|Operating system|Windows 10 Enterprise edition, version 1709 or higher
Windows 10 Professional edition, version 1803|
+|Operating system|Windows 10 Enterprise edition, version 1709 or higher
Windows 10 Professional edition, version 1803 or higher
Windows 10 Education edition, version 1709 or higher
Windows 10 Pro Education edition, version 1803 or higher|
|Browser|Microsoft Edge and Internet Explorer|
|Management system
(only for managed devices)|[Microsoft Intune](https://docs.microsoft.com/intune/)
**-OR-**
[System Center Configuration Manager](https://docs.microsoft.com/sccm/)
**-OR-**
[Group Policy](https://technet.microsoft.com/library/cc753298(v=ws.11).aspx)
**-OR-**
Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.|
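Review bot: In the Operating system row, the edition names are inconsistent: "Windows 10 Professional edition" sits next to the newly added "Windows 10 Pro Education edition". Pick one form for the Pro SKU across the cell. Since this change adds "or higher" to the Professional line and two new editions, it would also help to confirm that the "Applies to" text at the top of the article covers Education and Pro Education, so the table and the header do not disagree.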
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md
index 0964bd2cdc..03df5ce551 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md
@@ -1,238 +1,238 @@
----
-title: Onboard servers to the Windows Defender ATP service
-description: Onboard servers so that they can send sensor data to the Windows Defender ATP sensor.
-keywords: onboard server, server, 2012r2, 2016, 2019, server onboarding, machine management, configure Windows ATP servers, onboard Windows Defender Advanced Threat Protection servers
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Onboard servers to the Windows Defender ATP service
-
-**Applies to:**
-
-- Windows Server 2012 R2
-- Windows Server 2016
-- Windows Server, version 1803
-- Windows Server, 2019
-- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](prerelease.md)]
-
->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configserver-abovefoldlink)
-
-
-Windows Defender ATP extends support to also include the Windows Server operating system, providing advanced attack detection and investigation capabilities, seamlessly through the Windows Defender Security Center console.
-
-The service supports the onboarding of the following servers:
-- Windows Server 2012 R2
-- Windows Server 2016
-- Windows Server, version 1803
-- Windows Server 2019
-
-
-For a practical guidance on what needs to be in place for licensing and infrastructure, see [Protecting Windows Servers with Windows Defender ATP](https://techcommunity.microsoft.com/t5/What-s-New/Protecting-Windows-Server-with-Windows-Defender-ATP/m-p/267114#M128).
-
-## Windows Server 2012 R2 and Windows Server 2016
-
-There are two options to onboard Windows Server 2012 R2 and Windows Server 2016 to Windows Defender ATP:
-
-- **Option 1**: Onboard through Azure Security Center
-- **Option 2**: Onboard through Windows Defender Security Center
-
-### Option 1: Onboard servers through Azure Security Center
-1. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**.
-
-2. Select Windows Server 2012 R2 and 2016 as the operating system.
-
-3. Click **Onboard Servers in Azure Security Center**.
-
-4. Follow the onboarding instructions in [Windows Defender Advanced Threat Protection with Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp).
-
-### Option 2: Onboard servers through Windows Defender Security Center
-You'll need to tak the following steps if you choose to onboard servers through Windows Defender Security Center.
-
-- For Windows Server 2012 R2: Configure and update System Center Endpoint Protection clients.
-
- >[!NOTE]
- >This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2012 R2.
-
-- Turn on server monitoring from Windows Defender Security Center.
-- If you're already leveraging System Center Operations Manager (SCOM) or Operations Management Suite (OMS), simply attach the Microsoft Monitoring Agent (MMA) to report to your Windows Defender ATP workspace through Multi Homing support. Otherwise, install and configure MMA to report sensor data to Windows Defender ATP as instructed below.
-
->[!TIP]
-> After onboarding the machine, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md).
-
-### Configure and update System Center Endpoint Protection clients
->[!IMPORTANT]
->This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2012 R2.
-
-Windows Defender ATP integrates with System Center Endpoint Protection to provide visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware.
-
-The following steps are required to enable this integration:
-- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie)
-- Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting
-
-
-### Turn on Server monitoring from the Windows Defender Security Center portal
-
-1. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**.
-
-2. Select Windows Server 2012 R2 and 2016 as the operating system.
-
-3. Click **Turn on server monitoring** and confirm that you'd like to proceed with the environment set up. When the set up completes, the **Workspace ID** and **Workspace key** fields are populated with unique values. You'll need to use these values to configure the MMA agent.
-
-
-### Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Windows Defender ATP
-
-1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603).
-
-2. Using the Workspace ID and Workspace key provided in the previous procedure, choose any of the following installation methods to install the agent on the server:
- - [Manually install the agent using setup](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-setup)
- On the **Agent Setup Options** page, choose **Connect the agent to Azure Log Analytics (OMS)**.
- - [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#add-a-workspace-using-a-script).
-
-3. You'll need to configure proxy settings for the Microsoft Monitoring Agent. For more information, see [Configure proxy settings](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#configure-proxy-settings).
-
-Once completed, you should see onboarded servers in the portal within an hour.
-
-
-### Configure server proxy and Internet connectivity settings
-
-- Each Windows server must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the [OMS Gateway](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-gateway).
-- If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service:
-
-Agent Resource | Ports
-:---|:---
-| *.oms.opinsights.azure.com | 443 |
-| *.blob.core.windows.net | 443 |
-| *.azure-automation.net | 443 |
-| *.ods.opinsights.azure.com | 443 |
-| winatp-gw-cus.microsoft.com | 443 |
-| winatp-gw-eus.microsoft.com | 443 |
-| winatp-gw-neu.microsoft.com | 443 |
-| winatp-gw-weu.microsoft.com | 443 |
-|winatp-gw-uks.microsoft.com | 443 |
-|winatp-gw-ukw.microsoft.com | 443 |
-| winatp-gw-aus.microsoft.com | 443|
-| winatp-gw-aue.microsoft.com |443 |
-
-## Windows Server, version 1803 and Windows Server 2019
-To onboard Windows Server, version 1803 or Windows Server 2019, use the same method used when onboarding Windows 10 machines.
-
-Supported tools include:
-- Local script
-- Group Policy
-- System Center Configuration Manager 2012 / 2012 R2 1511 / 1602
-- VDI onboarding scripts for non-persistent machines
-
- For more information, see [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md). Support for Windows Server, version 1803 and Windows 2019 provides deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well.
-
-1. Configure Windows Defender ATP onboarding settings on the server. For more information, see [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md).
-
-2. If you’re running a third party antimalware solution, you'll need to apply the following Windows Defender AV passive mode settings and verify it was configured correctly:
-
- a. Set the following registry entry:
- - Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`
- - Name: ForceDefenderPassiveMode
- - Value: 1
-
- b. Run the following PowerShell command to verify that the passive mode was configured:
-
- ```Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Sense" ;ID=84}```
-
- c. Confirm that a recent event containing the passive mode event is found:
-
- 
-
-3. Run the following command to check if Windows Defender AV is installed:
-
- ```sc query Windefend```
-
- If the result is ‘The specified service does not exist as an installed service’, then you'll need to install Windows Defender AV. For more information, see [Windows Defender Antivirus in Windows 10](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10).
-
-
-## Integration with Azure Security Center
-Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers.
-
->[!NOTE]
->You'll need to have the appropriate license to enable this feature.
-
-The following capabilities are included in this integration:
-- Automated onboarding - Windows Defender ATP sensor is automatically enabled on Windows Servers that are onboarded to Azure Security Center. For more information on Azure Security Center onboarding, see [Onboarding to Azure Security Center Standard for enhanced security](https://docs.microsoft.com/azure/security-center/security-center-onboarding).
-
- >[!NOTE]
- > Automated onboarding is only applicable for Windows Server 2012 R2 and Windows Server 2016.
-
-- Servers monitored by Azure Security Center will also be available in Windows Defender ATP - Azure Security Center seamlessly connects to the Windows Defender ATP tenant, providing a single view across clients and servers. In addition, Windows Defender ATP alerts will be available in the Azure Security Center console.
-- Server investigation - Azure Security Center customers can access Windows Defender Security Center to perform detailed investigation to uncover the scope of a potential breach
-
->[!IMPORTANT]
->- When you use Azure Security Center to monitor servers, a Windows Defender ATP tenant is automatically created. The Windows Defender ATP data is stored in Europe by default.
->- If you use Windows Defender ATP before using Azure Security Center, your data will be stored in the location you specified when you created your tenant even if you integrate with Azure Security Center at a later time.
-
-
-
-## Offboard servers
-You can offboard Windows Server, version 1803 and Windows 2019 in the same method available for Windows 10 client machines.
-
-For other server versions, you have two options to offboard servers from the service:
-- Uninstall the MMA agent
-- Remove the Windows Defender ATP workspace configuration
-
->[!NOTE]
->Offboarding causes the server to stop sending sensor data to the portal but data from the server, including reference to any alerts it has had will be retained for up to 6 months.
-
-### Uninstall servers by uinstalling the MMA agent
-To offboard the server, you can uninstall the MMA agent from the server or detach it from reporting to your Windows Defender ATP workspace. After offboarding the agent, the server will no longer send sensor data to Windows Defender ATP.
-For more information, see [To disable an agent](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#to-disable-an-agent).
-
-### Remove the Windows Defender ATP workspace configuration
-To offboard the server, you can use either of the following methods:
-
-- Remove the Windows Defender ATP workspace configuration from the MMA agent
-- Run a PowerShell command to remove the configuration
-
-#### Remove the Windows Defender ATP workspace configuration from the MMA agent
-
-1. In the **Microsoft Monitoring Agent Properties**, select the **Azure Log Analytics (OMS)** tab.
-
-2. Select the Windows Defender ATP workspace, and click **Remove**.
-
- 
-
-#### Run a PowerShell command to remove the configuration
-
-1. Get your Workspace ID:
- a. In the navigation pane, select **Settings** > **Onboarding**.
-
- b. Select **Windows Server 2012 R2 and 2016** as the operating system and get your Workspace ID:
-
- 
-
-2. Open an elevated PowerShell and run the following command. Use the Workspace ID you obtained and replacing `WorkspaceID`:
-
- ```
- # Load agent scripting object
- $AgentCfg = New-Object -ComObject AgentConfigManager.MgmtSvcCfg
- # Remove OMS Workspace
- $AgentCfg.RemoveCloudWorkspace($WorkspaceID)
- # Reload the configuration and apply changes
- $AgentCfg.ReloadConfiguration()
- ```
-
-## Related topics
-- [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md)
-- [Onboard non-Windows machines](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md)
-- [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
-- [Run a detection test on a newly onboarded Windows Defender ATP machine](run-detection-test-windows-defender-advanced-threat-protection.md)
-- [Troubleshooting Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
+---
+title: Onboard servers to the Windows Defender ATP service
+description: Onboard servers so that they can send sensor data to the Windows Defender ATP sensor.
+keywords: onboard server, server, 2012r2, 2016, 2019, server onboarding, machine management, configure Windows ATP servers, onboard Windows Defender Advanced Threat Protection servers
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Onboard servers to the Windows Defender ATP service
+
+**Applies to:**
+
+- Windows Server 2012 R2
+- Windows Server 2016
+- Windows Server, version 1803
+- Windows Server, 2019
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](prerelease.md)]
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configserver-abovefoldlink)
+
+
+Windows Defender ATP extends support to also include the Windows Server operating system, providing advanced attack detection and investigation capabilities, seamlessly through the Windows Defender Security Center console.
+
+The service supports the onboarding of the following servers:
+- Windows Server 2012 R2
+- Windows Server 2016
+- Windows Server, version 1803
+- Windows Server 2019
+
+
+For a practical guidance on what needs to be in place for licensing and infrastructure, see [Protecting Windows Servers with Windows Defender ATP](https://techcommunity.microsoft.com/t5/What-s-New/Protecting-Windows-Server-with-Windows-Defender-ATP/m-p/267114#M128).
+
+## Windows Server 2012 R2 and Windows Server 2016
+
+There are two options to onboard Windows Server 2012 R2 and Windows Server 2016 to Windows Defender ATP:
+
+- **Option 1**: Onboard through Azure Security Center
+- **Option 2**: Onboard through Windows Defender Security Center
+
+### Option 1: Onboard servers through Azure Security Center
+1. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**.
+
+2. Select Windows Server 2012 R2 and 2016 as the operating system.
+
+3. Click **Onboard Servers in Azure Security Center**.
+
+4. Follow the onboarding instructions in [Windows Defender Advanced Threat Protection with Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp).
+
+### Option 2: Onboard servers through Windows Defender Security Center
+You'll need to tak the following steps if you choose to onboard servers through Windows Defender Security Center.
+
+- For Windows Server 2012 R2: Configure and update System Center Endpoint Protection clients.
+
+ >[!NOTE]
+ >This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2012 R2.
+
+- Turn on server monitoring from Windows Defender Security Center.
+- If you're already leveraging System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), simply attach the Microsoft Monitoring Agent (MMA) to report to your Windows Defender ATP workspace through Multi Homing support. Otherwise, install and configure MMA to report sensor data to Windows Defender ATP as instructed below. For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent).
+
+>[!TIP]
+> After onboarding the machine, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md).
+
+### Configure and update System Center Endpoint Protection clients
+>[!IMPORTANT]
+>This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2012 R2.
+
+Windows Defender ATP integrates with System Center Endpoint Protection to provide visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware.
+
+The following steps are required to enable this integration:
+- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie)
+- Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting
+
+
+### Turn on Server monitoring from the Windows Defender Security Center portal
+
+1. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**.
+
+2. Select Windows Server 2012 R2 and 2016 as the operating system.
+
+3. Click **Turn on server monitoring** and confirm that you'd like to proceed with the environment set up. When the set up completes, the **Workspace ID** and **Workspace key** fields are populated with unique values. You'll need to use these values to configure the MMA agent.
+
+
+### Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Windows Defender ATP
+
+1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603).
+
+2. Using the Workspace ID and Workspace key provided in the previous procedure, choose any of the following installation methods to install the agent on the server:
+ - [Manually install the agent using setup](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-setup)
+ On the **Agent Setup Options** page, choose **Connect the agent to Azure Log Analytics (OMS)**.
+ - [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#add-a-workspace-using-a-script).
+
+3. You'll need to configure proxy settings for the Microsoft Monitoring Agent. For more information, see [Configure proxy settings](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#configure-proxy-settings).
+
+Once completed, you should see onboarded servers in the portal within an hour.
+
+
+### Configure server proxy and Internet connectivity settings
+
+- Each Windows server must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the [OMS Gateway](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-gateway).
+- If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service:
+
+Agent Resource | Ports
+:---|:---
+| *.oms.opinsights.azure.com | 443 |
+| *.blob.core.windows.net | 443 |
+| *.azure-automation.net | 443 |
+| *.ods.opinsights.azure.com | 443 |
+| winatp-gw-cus.microsoft.com | 443 |
+| winatp-gw-eus.microsoft.com | 443 |
+| winatp-gw-neu.microsoft.com | 443 |
+| winatp-gw-weu.microsoft.com | 443 |
+|winatp-gw-uks.microsoft.com | 443 |
+|winatp-gw-ukw.microsoft.com | 443 |
+| winatp-gw-aus.microsoft.com | 443|
+| winatp-gw-aue.microsoft.com |443 |
+
+## Windows Server, version 1803 and Windows Server 2019
+To onboard Windows Server, version 1803 or Windows Server 2019, use the same method used when onboarding Windows 10 machines.
+
+Supported tools include:
+- Local script
+- Group Policy
+- System Center Configuration Manager 2012 / 2012 R2 1511 / 1602
+- VDI onboarding scripts for non-persistent machines
+
+ For more information, see [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md). Support for Windows Server, version 1803 and Windows 2019 provides deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well.
+
+1. Configure Windows Defender ATP onboarding settings on the server. For more information, see [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md).
+
+2. If you’re running a third party antimalware solution, you'll need to apply the following Windows Defender AV passive mode settings and verify it was configured correctly:
+
+ a. Set the following registry entry:
+ - Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`
+ - Name: ForceDefenderPassiveMode
+ - Value: 1
+
+ b. Run the following PowerShell command to verify that the passive mode was configured:
+
+ ```Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Sense" ;ID=84}```
+
+ c. Confirm that a recent event containing the passive mode event is found:
+
+ 
+
+3. Run the following command to check if Windows Defender AV is installed:
+
+ ```sc query Windefend```
+
+ If the result is ‘The specified service does not exist as an installed service’, then you'll need to install Windows Defender AV. For more information, see [Windows Defender Antivirus in Windows 10](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10).
+
+
+## Integration with Azure Security Center
+Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers.
+
+>[!NOTE]
+>You'll need to have the appropriate license to enable this feature.
+
+The following capabilities are included in this integration:
+- Automated onboarding - Windows Defender ATP sensor is automatically enabled on Windows Servers that are onboarded to Azure Security Center. For more information on Azure Security Center onboarding, see [Onboarding to Azure Security Center Standard for enhanced security](https://docs.microsoft.com/azure/security-center/security-center-onboarding).
+
+ >[!NOTE]
+ > Automated onboarding is only applicable for Windows Server 2012 R2 and Windows Server 2016.
+
+- Servers monitored by Azure Security Center will also be available in Windows Defender ATP - Azure Security Center seamlessly connects to the Windows Defender ATP tenant, providing a single view across clients and servers. In addition, Windows Defender ATP alerts will be available in the Azure Security Center console.
+- Server investigation - Azure Security Center customers can access Windows Defender Security Center to perform detailed investigation to uncover the scope of a potential breach
+
+>[!IMPORTANT]
+>- When you use Azure Security Center to monitor servers, a Windows Defender ATP tenant is automatically created. The Windows Defender ATP data is stored in Europe by default.
+>- If you use Windows Defender ATP before using Azure Security Center, your data will be stored in the location you specified when you created your tenant even if you integrate with Azure Security Center at a later time.
+
+
+
+## Offboard servers
+You can offboard Windows Server, version 1803 and Windows 2019 in the same method available for Windows 10 client machines.
+
+For other server versions, you have two options to offboard servers from the service:
+- Uninstall the MMA agent
+- Remove the Windows Defender ATP workspace configuration
+
+>[!NOTE]
+>Offboarding causes the server to stop sending sensor data to the portal but data from the server, including reference to any alerts it has had will be retained for up to 6 months.
+
+### Uninstall servers by uinstalling the MMA agent
+To offboard the server, you can uninstall the MMA agent from the server or detach it from reporting to your Windows Defender ATP workspace. After offboarding the agent, the server will no longer send sensor data to Windows Defender ATP.
+For more information, see [To disable an agent](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#to-disable-an-agent).
+
+### Remove the Windows Defender ATP workspace configuration
+To offboard the server, you can use either of the following methods:
+
+- Remove the Windows Defender ATP workspace configuration from the MMA agent
+- Run a PowerShell command to remove the configuration
+
+#### Remove the Windows Defender ATP workspace configuration from the MMA agent
+
+1. In the **Microsoft Monitoring Agent Properties**, select the **Azure Log Analytics (OMS)** tab.
+
+2. Select the Windows Defender ATP workspace, and click **Remove**.
+
+ 
+
+#### Run a PowerShell command to remove the configuration
+
+1. Get your Workspace ID:
+ a. In the navigation pane, select **Settings** > **Onboarding**.
+
+ b. Select **Windows Server 2012 R2 and 2016** as the operating system and get your Workspace ID:
+
+ 
+
+2. Open an elevated PowerShell and run the following command. Use the Workspace ID you obtained and replacing `WorkspaceID`:
+
+ ```
+ # Load agent scripting object
+ $AgentCfg = New-Object -ComObject AgentConfigManager.MgmtSvcCfg
+ # Remove OMS Workspace
+ $AgentCfg.RemoveCloudWorkspace($WorkspaceID)
+ # Reload the configuration and apply changes
+ $AgentCfg.ReloadConfiguration()
+ ```
+
+## Related topics
+- [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md)
+- [Onboard non-Windows machines](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md)
+- [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
+- [Run a detection test on a newly onboarded Windows Defender ATP machine](run-detection-test-windows-defender-advanced-threat-protection.md)
+- [Troubleshooting Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
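Review bot: This hunk replaces all 238 lines, but the only visible content change is the SCOM bullet under "Option 2" ("Azure Monitor (formerly known as Operations Management Suite (OMS))" plus the new Log Analytics agent link). The rest is removed and re-added unchanged, which points to a line-ending or encoding change; please normalize that in a separate commit so this one shows the single edit. Since every line is touched anyway, fix the carried-over typos "You'll need to tak the following steps" and "Uninstall servers by uinstalling the MMA agent", make "Windows Server, 2019" in the Applies to list match "Windows Server 2019" used below it, and align the offboarding step that says to replace `WorkspaceID` with the snippet's `$WorkspaceID` variable. Also confirm that the remaining "OMS Gateway" and "Azure Log Analytics (OMS)" references are intentionally left on the old name.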
diff --git a/windows/security/threat-protection/windows-defender-atp/machine-reports-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/machine-reports-windows-defender-advanced-threat-protection.md
index b92bef3db5..86bf166722 100644
--- a/windows/security/threat-protection/windows-defender-atp/machine-reports-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/machine-reports-windows-defender-advanced-threat-protection.md
@@ -80,3 +80,5 @@ For example, to show data about Windows 10 machines with Active sensor health st
3. Select **Apply**.
+## Related topic
+- [Threat protection report ](threat-protection-reports-windows-defender-advanced-threat-protection.md)
\ No newline at end of file
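Review bot: The new link text has a trailing space inside the brackets, "[Threat protection report ]"; remove it so the rendered link does not include the space. The heading "## Related topic" is singular while the server onboarding article in this same change uses "## Related topics"; use the plural form for consistency. Please also end the file with a newline.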
diff --git a/windows/security/threat-protection/windows-defender-atp/manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md
index c11ff2b24d..150cd87e78 100644
--- a/windows/security/threat-protection/windows-defender-atp/manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md
@@ -57,7 +57,9 @@ On the top navigation you can:
>[!NOTE]
->Blocking IPs, domains, or URLs is currently available on limited preview only. This requires sending your custom list to [network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection) to be enforeced. While the option is not yet generally available, it will only be used when identified during an investigation.
+>Blocking IPs, domains, or URLs is currently available on limited preview only.
+>This requires sending your custom list to [network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection) to be enforced which is an option that will be generally available soon.
+>As it is not yet generally available, when Automated investigations finds this indicator during an investigation it will use the allowed/block list as the basis of its decision to automatically remediate (blocked list) or skip (allowed list) the entity.
## Manage indicators
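Review bot: The rewritten note is hard to follow in its third line: "As it is not yet generally available, when Automated investigations finds this indicator..." does not make clear why limited availability leads to the allowed/blocked list being used for remediation. State the behavior directly, for example that until network protection enforcement is generally available, the list is only consulted by automated investigations to remediate (blocked) or skip (allowed) an entity. Also use one term throughout ("allowed/block list" versus "blocked list" and "allowed list"), fix the agreement in "Automated investigations finds", and add a comma before "which" in the second line.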
diff --git a/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
index 5334c052ed..e5f643f908 100644
--- a/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
@@ -15,7 +15,6 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
-ms.date: 04/24/2018
---
# Take response actions on a file
@@ -109,13 +108,17 @@ You can roll back and remove a file from quarantine if you’ve determined that
You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on machines in your organization.
>[!IMPORTANT]
->- This feature is available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md).
+>- This feature is available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md).
+>- The Antimalware client version must be 4.18.1901.x or later.
>- This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time.
>- This response action is available for machines on Windows 10, version 1703 or later.
+>- The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the allow or block action.
+
+
>[!NOTE]
> The PE file needs to be in the machine timeline for you to be able to take this action.
-
+>- There may be a couple of minutes of latency between the time the action is taken and the actual file being blocked.
### Enable the block file feature
Before you can block files, you'll need to enable the feature.
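Review bot: The added bullet under [!IMPORTANT] about a classification that already "exists on the device's cache" names a case where the block silently does not apply, but gives the admin nothing to act on: it does not say how long the cached classification persists or how to tell that a block has not taken effect. Please state the expected behaviour or link to where it is documented. In the [!NOTE] block, the new latency line is written as a list item (">- There may be ...") while the existing line above it is plain text, and the blank line that separated the note from "### Enable the block file feature" is removed, so the heading now follows the blockquote directly. Make both note lines the same form and keep the blank line. The first bullet's replacement also introduces a double space in "and  Cloud–based", and two blank "+" lines are added between the two callouts where one is enough.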
@@ -149,6 +152,9 @@ Before you can block files, you'll need to enable the feature.
When the file is blocked, there will be a new event in the machine timeline.
+>[!NOTE]
+>-If a file was scanned before the action was taken, it may take longer to be effective on the device.
+
**Notification on machine user**:
When a file is being blocked on the machine, the following notification is displayed to inform the user that the file was blocked:
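Review bot: The added note line starts with ">-If" with no space after the hyphen, so it will not render as a list item; since the note has a single sentence, drop the hyphen and write "> If a file was scanned ...". "It may take longer" is also left open: longer than what, and for roughly how long. This file now carries three separate statements about delayed enforcement (cached classification, a couple of minutes of latency, and this one), so consider merging them into one note so the reader sees the full picture in one place.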
diff --git a/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md
index 6e0c39fbf7..bc0073bf43 100644
--- a/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md
@@ -31,7 +31,7 @@ ms.date: 11/12/2017
You can take response actions on machines and files to quickly respond to detected attacks so that you can contain or reduce and prevent further damage caused by malicious attackers in your organization.
>[!NOTE]
-> These response actions are only available for machines on Windows 10, version 1703 or higher.
+> The machine related response actions are only available for machines on Windows 10 (version 1703 or higher), Windows Server, version 1803 and Windows Server 2019.
## In this section
Topic | Description
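Review bot: The rewritten note now covers only "machine related response actions", which leaves the supported versions for file response actions unstated on a page that introduces both machine and file actions. Either add the file-action requirement or say where it is documented. The version list is also hard to parse as punctuated: "Windows Server, version 1803 and Windows Server 2019" can be read as one item or two. A form such as "Windows 10, version 1703 or later; Windows Server, version 1803; and Windows Server 2019" removes the ambiguity, and "machine related" should be hyphenated.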
diff --git a/windows/security/threat-protection/windows-defender-atp/threat-protection-reports-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/threat-protection-reports-windows-defender-advanced-threat-protection.md
index 5819c64883..c95bd47a62 100644
--- a/windows/security/threat-protection/windows-defender-atp/threat-protection-reports-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/threat-protection-reports-windows-defender-advanced-threat-protection.md
@@ -76,4 +76,7 @@ For example, to show data about high-severity alerts only:
1. Under **Filters > Severity**, select **High**
2. Ensure that all other options under **Severity** are deselected.
-3. Select **Apply**.
\ No newline at end of file
+3. Select **Apply**.
+
+## Related topic
+- [Machine health and compliance report](machine-reports-windows-defender-advanced-threat-protection.md)
\ No newline at end of file
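Review bot: The new last line of the file (the "Machine health and compliance report" link) still ends without a newline, as the "\ No newline at end of file" marker shows. Since the patch already rewrites the end of the file, add the trailing newline here so later appends do not show the link line as changed.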
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
index a799cf3c7d..e16b905b59 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
@@ -36,6 +36,29 @@ Triggered rules display a notification on the device. You can [customize the not
For information about configuring attack surface reduction rules, see [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
+## Review attack surface reduction events in Windows Event Viewer
+
+You can review the Windows event log to view events that are created when attack surface reduction rules fire:
+
+1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the machine.
+
+2. Type **Event Viewer** in the Start menu to open the Windows Event Viewer.
+
+3. Click **Import custom view...** on the left panel, under **Actions**.
+
+4. Select the file *cfa-events.xml* from where it was extracted. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
+
+5. Click **OK**.
+
+This will create a custom view that filters to only show the following events related to controlled folder access:
+
+Event ID | Description
+-|-
+5007 | Event when settings are changed
+1121 | Event when rule fires in Block-mode
+1122 | Event when rule fires in Audit-mode
+
+
## Attack surface reduction rules
The following sections describe each of the 15 attack surface reduction rules. This table shows their corresponding GUIDs, which you use if you're configuring the rules with Group Policy or PowerShell. If you use System Center Configuration Manager or Microsoft Intune, you do not need the GUIDs:
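Review bot: The new section is headed "Review attack surface reduction events in Windows Event Viewer", yet steps 1 and 4 tell the reader to extract and import *cfa-events.xml*, and the sentence before the table says the view shows "events related to controlled folder access". This reads as text carried over from the controlled folder access page. Point the steps at the attack surface reduction view from the evaluation package and change the sentence to refer to attack surface reduction, so that the imported view matches the 1121 and 1122 "rule fires" events listed in the table. There are also two blank "+" lines before "## Attack surface reduction rules" where one is enough.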
@@ -152,7 +175,12 @@ This rule blocks the following file types from launching unless they either meet
>[!NOTE]
>You must [enable cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule.
-Intune name: Executables that don't meet a prevalence, age, or trusted list criteria
+>[!IMPORTANT]
+>The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. It uses cloud-delivered protection to update its trusted list regularly.
+>
+>You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules or exclusions apply to.
+
+Intune name: Executables that don't meet a prevalence, age, or trusted list criteria.
SCCM name: Block executable files from running unless they meet a prevalence, age, or trusted list criteria
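Review bot: The second paragraph of the added [!IMPORTANT] block ends in a broken sentence: "but you can't specify which rules or exclusions apply to." The same sentence appears in enable-attack-surface-reduction.md as "you can't specify which rules the exclusions apply to", which is presumably what is meant here. In the first paragraph, "is owned by Microsoft and is not specified by admins" does not tell the reader what they cannot configure; say whether it is the trusted list or the rule itself that admins cannot set. The new callout also starts on the line immediately after the existing [!NOTE] with no blank line between them, so the two will run together as one blockquote. Finally, the "Intune name" line gains a trailing period while the "SCCM name" line below it has none.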
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
index c89bbdc0fa..c5d238cf59 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
@@ -36,6 +36,9 @@ You can exclude files and folders from being evaluated by most attack surface re
You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules the exclusions apply to.
+>[!IMPORTANT]
+>The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. It uses cloud-delivered protection to update its trusted list regularly.
+
ASR rules support environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
The following procedures for enabling ASR rules include instructions for how to exclude files and folders.
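Review bot: The added [!IMPORTANT] note sits in the exclusions discussion but never mentions exclusions, so the reader has to guess why it is here. "Is owned by Microsoft and is not specified by admins" should say what an admin cannot do for this rule in this context, for example whether the file and folder exclusions described in the preceding paragraph apply to it or not. If the point is only that the trusted list is maintained through cloud-delivered protection, state that and link to the "Enable cloud-delivered protection" topic that this patch adds to the related links.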
@@ -176,3 +179,4 @@ Value: c:\path|e:\path|c:\Whitelisted.exe
- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md)
- [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md)
+- [Enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus)
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md
index 3f018f31f7..8ffcfaf3cd 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md
@@ -53,17 +53,11 @@ You can query Windows Defender ATP data by using [Advanced hunting](https://docs
You can review the Windows event log to see events that are created when network protection blocks (or audits) access to a malicious IP or domain:
-1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *np-events.xml* to an easily accessible location on the machine.
+1. [Copy the XML directly](event-views-exploit-guard.md).
-1. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
+2. Click **OK**.
-2. On the left panel, under **Actions**, click **Import custom view...**
-
-3. Navigate to the Exploit Guard Evaluation Package, and select the file *np-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
-
-4. Click **OK**.
-
-5. This will create a custom view that filters to only show the following events related to network protection:
+3. This will create a custom view that filters to only show the following events related to network protection:
Event ID | Description
-|-
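Review bot: After this change the procedure no longer works as written: step 1 is "Copy the XML directly" and step 2 is "Click OK", with the steps that open Event Viewer and import the custom view removed, so there is no dialog for "OK" to refer to and no instruction on where the copied XML goes. If the evaluation package download is being retired, keep the Event Viewer step and add a step that explains where the copied XML is applied. Step 3 is a result, not an action, and should be a plain sentence after the list, as it is in the new section added to attack-surface-reduction-exploit-guard.md.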
diff --git a/windows/whats-new/whats-new-windows-10-version-1809.md b/windows/whats-new/whats-new-windows-10-version-1809.md
index 8e77afeb8f..f50ed452fa 100644
--- a/windows/whats-new/whats-new-windows-10-version-1809.md
+++ b/windows/whats-new/whats-new-windows-10-version-1809.md
@@ -36,7 +36,7 @@ To learn more about Autopilot self-deploying mode and to see step-by-step instru
### SetupDiag
-[SetupDiag](/windows/deployment/upgrade/setupdiag.md) version 1.4 is released. SetupDiag is a standalone diagnostic tool that can be used to troubleshoot issues when a Windows 10 upgrade is unsuccessful.
+[SetupDiag](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag) version 1.4 is released. SetupDiag is a standalone diagnostic tool that can be used to troubleshoot issues when a Windows 10 upgrade is unsuccessful.
## Security
@@ -202,6 +202,9 @@ Do you have shared devices deployed in your work place? **Fast sign-in** enables

+>[!NOTE]
+>This is a preview feature and therefore not meant or recommended for production purposes.
+
## Web sign-in to Windows 10
Until now, Windows logon only supported the use of identities federated to ADFS or other providers that support the WS-Fed protocol. We are introducing “web sign-in,” a new way of signing into your Windows PC. Web Sign-in enables Windows logon support for non-ADFS federated providers (e.g.SAML).
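Review bot: The preview caveat is added as the last lines of the Fast sign-in section, directly before "## Web sign-in to Windows 10", so a reader who follows the section from the top will have read the enablement instructions before learning that the feature is not recommended for production. Move the [!NOTE] to directly under the section's opening paragraph.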
@@ -214,6 +217,9 @@ Until now, Windows logon only supported the use of identities federated to ADFS

+>[!NOTE]
+>This is a preview feature and therefore not meant or recommended for production purposes.
+
## Your Phone app
Android phone users, you can finally stop emailing yourself photos. With Your Phone you get instant access to your Android’s most recent photos on your PC. Drag and drop a photo from your phone onto your PC, then you can copy, edit, or ink on the photo. Try it out by opening the **Your Phone** app. You’ll receive a text with a link to download an app from Microsoft to your phone. Android 7.0+ devices with ethernet or Wi-Fi on unmetered networks are compatible with the **Your Phone** app. For PCs tied to the China region, **Your Phone** app services will be enabled in the future.
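Review bot: "This is a preview feature" in the added [!NOTE] has no antecedent; the same sentence is added verbatim to the section above, and here it sits directly before "## Your Phone app", where it can be read as applying to the wrong feature. Name the feature, for example "Web sign-in is a preview feature ...", and tighten "not meant or recommended for production purposes" to "not recommended for production use".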