From 9dfedafced656a65e13e646fb6ae4e2f7c0f9d2b Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Wed, 12 Feb 2020 14:17:41 -0800 Subject: [PATCH 01/49] Added 20H1 Update policy --- .../policy-configuration-service-provider.md | 4 + .../mdm/policy-csp-update.md | 77 ++++++++++++++++++- 2 files changed, 80 insertions(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 6e8652ff9c..0bd0a890e1 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -3725,6 +3725,10 @@ The following diagram shows the Policy configuration service provider in tree fo
Update/SetEDURestart
+
+ Update/TargetReleaseVersion +
+
Update/UpdateNotificationLevel
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 9d98a92f10..58e4f4e255 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -7,13 +7,16 @@ ms.prod: w10 ms.technology: windows author: manikadhiman ms.localizationpriority: medium -ms.date: 10/04/2019 +ms.date: 02/10/2020 ms.reviewer: manager: dansimp --- # Policy CSP - Update +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + > [!NOTE] > If the MSA service is disabled, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See [Feature updates are not being offered while other updates are](https://docs.microsoft.com/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are). @@ -194,6 +197,9 @@ manager: dansimp
Update/SetEDURestart
+
+ Update/TargetReleaseVersion +
Update/UpdateNotificationLevel
@@ -4126,6 +4132,74 @@ The following list shows the supported values:
+ +**Update/TargetReleaseVersion** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark7
Businesscheck mark7
Enterprisecheck mark7
Educationcheck mark7
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Enables IT administrators to specify which version they would like their device(s) to move to and/or stay on until they reach end of service or reconfigure the policy. For details about different Windows 10 versions, see [Windows 10 release information](https://docs.microsoft.com/windows/release-information/). + + +ADMX Info: +- GP English name: *Select the target Feature Update version* +- GP name: *TargetReleaseVersion* +- GP element: *TargetReleaseVersionId* +- GP path: *Windows Components/Windows Update/Windows Update for Business* +- GP ADMX file name: *WindowsUpdate.admx* + + + +Value type is a string containing Windows 10 version number. For example, 1809, 1903. + + + + + + + + + +
+ **Update/UpdateNotificationLevel** @@ -4373,5 +4447,6 @@ Footnotes: - 4 - Added in Windows 10, version 1803. - 5 - Added in Windows 10, version 1809. - 6 - Added in Windows 10, version 1903. +- 7 - Added in the next major release of Windows 10. From 0c75da031f6532d37b5370ca7c12769416d44d5a Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Thu, 16 Apr 2020 14:14:30 -0700 Subject: [PATCH 02/49] added backporting info to TargetReleaseVersion --- windows/client-management/mdm/policy-csp-update.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 6f29611528..c0774fbced 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -4151,19 +4151,19 @@ The following list shows the supported values: Pro - check mark7 + check mark Business - check mark7 + check mark Enterprise - check mark7 + check mark Education - check mark7 + check mark @@ -4180,7 +4180,7 @@ The following list shows the supported values: -Enables IT administrators to specify which version they would like their device(s) to move to and/or stay on until they reach end of service or reconfigure the policy. For details about different Windows 10 versions, see [Windows 10 release information](https://docs.microsoft.com/windows/release-information/). +Added in the next major release of Windows 10. Also available in Windows 10, version 1803 and later. Enables IT administrators to specify which version they would like their device(s) to move to and/or stay on until they reach end of service or reconfigure the policy. For details about different Windows 10 versions, see [Windows 10 release information](https://docs.microsoft.com/windows/release-information/). ADMX Info: From de1e07ad50f8b9376ad427e73c53fd05be7cd4b2 Mon Sep 17 00:00:00 2001 
From: rogersoMS <44718379+rogersoMS@users.noreply.github.com> Date: Sat, 2 May 2020 01:55:20 +1000 Subject: [PATCH 03/49] Deep Link examples are wrong (text wrapped) The following examples are technically accurate, but unlike the preview here where they display correctly as two separate line items: **ms-device-enrollment:?mode=mdm** **ms-device-enrollment:?mode=mdm&username=someone@example.com&servername=** When viewing the page externally they are 'appended' to each other and wrapped, which is misleading as it makes them appear to be one long command as follows: **ms-device-enrollment:?mode=mdm ms-device-enrollment:?mode=mdm&username=someone@example.com&servername=** Can we please fix the layout to ensure they appear as follows: (also, perhaps we can change the mode=mdm in the first line to mode=awa just to provide some variety in the examples please) **ms-device-enrollment:?mode=mdm** **ms-device-enrollment:?mode=mdm&username=someone@example.com&servername=** --- .../client-management/mdm/mdm-enrollment-of-windows-devices.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md index 87c13cbc3e..ffcc4f3baa 100644 --- a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md +++ b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md @@ -313,7 +313,7 @@ The deep link used for connecting your device to work will always use the follow > **Note** Deep links only work with Internet Explorer or Edge browsers. When connecting to MDM using a deep link, the URI you should use is -**ms-device-enrollment:?mode=mdm** +**ms-device-enrollment:?mode=mdm** **ms-device-enrollment:?mode=mdm&username=someone@example.com&servername=** The following procedure describes how users can connect their devices to MDM using deep links. From 4f477b059f7d55ee7ee7b8d847c4990b20130da6 Mon Sep 17 00:00:00 2001
From: Sergii Cherkashyn Date: Mon, 11 May 2020 12:21:20 -0400 Subject: [PATCH 04/49] Update network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md Per multiple cases with AAD Auth support, the PKU2U policy has to be enabled on the client as well. Proposing to update the mentioned Note and add "and the client" > [!NOTE] > KU2U is disabled by default on Windows Server. Remote Desktop connections from a hybrid Azure AD-joined server to an Azure AD-joined Windows 10 device or a Hybrid Azure AD-joined domain member Windows 10 device fail. To resolve this, enable PKU2U on the server and the client. --- ...cation-requests-to-this-computer-to-use-online-identities.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md index 4870151b22..9fef84e4b2 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md 
@@ -40,7 +40,7 @@ This policy isn't configured by default on domain-joined devices. This would dis - **Enabled**: This setting allows authentication to successfully complete between the two (or more) computers that have established a peer relationship through the use of online IDs. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer devices. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation. It associates the user's certificate to a security token, and then the logon process completes. > [!NOTE] - > KU2U is disabled by default on Windows Server. Remote Desktop connections from a hybrid Azure AD-joined server to an Azure AD-joined Windows 10 device or a Hybrid Azure AD-joined domain member Windows 10 device fail. To resolve this, enable PKU2U on the server. + > KU2U is disabled by default on Windows Server. Remote Desktop connections from a hybrid Azure AD-joined server to an Azure AD-joined Windows 10 device or a Hybrid Azure AD-joined domain member Windows 10 device fail. To resolve this, enable PKU2U on the server and the client. - **Disabled**: This setting prevents online IDs from being used to authenticate the user to another computer in a peer-to-peer relationship. From a1c6a026055cbb99394aa091c6c6ecdbdadc403c Mon Sep 17 00:00:00 2001 From: sairashariff <57646455+sairashariff@users.noreply.github.com> Date: Mon, 11 May 2020 14:50:18 -0700 Subject: [PATCH 05/49] Update hololens2-hardware.md --- devices/hololens/hololens2-hardware.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/devices/hololens/hololens2-hardware.md b/devices/hololens/hololens2-hardware.md index 6b8175e59d..048dd790da 100644 --- a/devices/hololens/hololens2-hardware.md +++ b/devices/hololens/hololens2-hardware.md 
@@ -133,7 +133,11 @@ In order to maintain/advance Internal Battery Charge Percentage while the device ### Safety -HoloLens 2 has been tested and conforms to the basic impact protection requirements of ANSI Z87.1, CSA Z94.3 and EN 166. +[Product Safety](https://support.microsoft.com/en-us/help/4023454/safety-information) +Eye safety: HoloLens 2 has been tested and conforms to the basic impact protection requirements of ANSI Z87.1, CSA Z94.3 and EN 166. + +### Regulatory Information +[HoloLens Regulatory](https://support.microsoft.com/en-us/help/13761/hololens-regulatory-information) ## Next step From 2495d870fe59fddeb64e9dbc4d8459911219206e Mon Sep 17 00:00:00 2001 From: John Kaiser <35939694+CoveMiner@users.noreply.github.com> Date: Tue, 12 May 2020 10:14:01 -0700 Subject: [PATCH 06/49] Updates to landing & tools pages --- devices/surface/get-started.yml | 54 ++++++++----------- .../surface/microsoft-surface-data-eraser.md | 4 +- .../surface-diagnostic-toolkit-business.md | 4 +- .../surface-enterprise-management-mode.md | 2 +- 4 files changed, 27 insertions(+), 37 deletions(-) diff --git a/devices/surface/get-started.yml b/devices/surface/get-started.yml index 9b0bd74d7e..86beba22d0 100644 --- a/devices/surface/get-started.yml +++ b/devices/surface/get-started.yml 
@@ -28,20 +28,9 @@ landingContent: url: https://www.microsoft.com/surface/business/surface-go-2 - text: Surface Book 3 for Business url: https://www.microsoft.com/surface/business/surface-book-3 - - text: Surface Pro 7 for Business - url: https://www.microsoft.com/surface/business/surface-pro-7 - - text: Surface Pro X for Business - url: https://www.microsoft.com/surface/business/surface-pro-x - - text: Surface Laptop 3 for Business - url: https://www.microsoft.com/surface/business/surface-laptop-3 - - text: Surface Studio 2 for Business - url: https://www.microsoft.com/surface/business/surface-studio-2 + - text: Explore all Surface family products + url: https://www.microsoft.com/surface/business - - linkListType: video - links: - - text: Microsoft Mechanics Surface videos - url: https://www.youtube.com/watch?v=Uk2kJ5FUZxY&list=PLXtHYVsvn_b__1Baibdu4elN4SoF3JTBZ - # Card (optional) - title: Get started linkLists: @@ -53,18 +42,14 @@ landingContent: url: surface-book-quadro.md - text: What’s new in Surface Dock 2 url: surface-dock-whats-new.md - - text: Surface and Endpoint Configuration Manager considerations - url: considerations-for-surface-and-system-center-configuration-manager.md - - text: Wake On LAN for Surface devices - url: wake-on-lan-for-surface-devices.md - + # Card - title: Deploy Surface devices linkLists: - linkListType: deploy links: - - text: Manage and deploy Surface driver and firmware updates - url: manage-surface-driver-and-firmware-updates.md + - text: Surface Deployment Accelerator tool + url: microsoft-surface-deployment-accelerator.md - text: Autopilot and Surface devices url: windows-autopilot-and-surface-devices.md - text: Deploying, managing, and servicing Surface Pro X 
@@ -75,15 +60,15 @@ landingContent: linkLists: - linkListType: how-to-guide links: - - text: Optimize Wi-Fi connectivity for Surface devices - url: surface-wireless-connect.md + text: Manage and deploy Surface driver and firmware updates + url: manage-surface-driver-and-firmware-updates.md - text: Best practice power settings for Surface devices url: maintain-optimal-power-settings-on-Surface-devices.md - - text: Manage battery limit with UEFI - url: battery-limit.md + - text: Optimize Wi-Fi connectivity for Surface devices + url: surface-wireless-connect.md # Card - - title: Secure Surface devices + - title: Explore security topics linkLists: - linkListType: how-to-guide links: 
@@ -99,31 +84,34 @@ landingContent: linkLists: - linkListType: how-to-guide links: - - text: Surface Dock Firmware Update - url: surface-dock-firmware-update.md - text: Surface Diagnostic Toolkit for Business url: surface-diagnostic-toolkit-for-business-intro.md - text: SEMM and UEFI url: surface-enterprise-management-mode.md - - text: Surface Brightness Control - url: microsoft-surface-brightness-control.md - text: Battery Limit setting url: battery-limit.md # Card - - title: Support and community + - title: Browse Support topics linkLists: - linkListType: learn links: - text: Top support solutions url: support-solutions-surface.md - - text: Maximize your Surface battery life - url: https://support.microsoft.com/help/4483194/maximize-surface-battery-life + - text: Protecting your data during Surface repair or service + url: https://support.microsoft.com/en-us/help/4023508/surface-faq-protecting-your-data-service - text: Troubleshoot Surface Dock and docking stations url: https://support.microsoft.com/help/4023468/surface-troubleshoot-surface-dock-and-docking-stations - - linkListType: reference + +# Card + - title: Participate in Surface Community + linkLists: + - linkListType: learn links: + links: - text: Surface IT Pro blog url: https://techcommunity.microsoft.com/t5/Surface-IT-Pro-Blog/bg-p/SurfaceITPro - text: Surface Devices Tech Community url: https://techcommunity.microsoft.com/t5/Surface-Devices/ct-p/SurfaceDevices + - text: Microsoft Mechanics Surface videos + url: https://www.youtube.com/watch?v=Uk2kJ5FUZxY&list=PLXtHYVsvn_b__1Baibdu4elN4SoF3JTBZ \ No newline at end of file diff --git a/devices/surface/microsoft-surface-data-eraser.md b/devices/surface/microsoft-surface-data-eraser.md index ca46b58a8b..1ad32d8518 100644 --- a/devices/surface/microsoft-surface-data-eraser.md +++ b/devices/surface/microsoft-surface-data-eraser.md 
@@ -168,7 +168,9 @@ After you create a Microsoft Surface Data Eraser USB stick, you can boot a suppo Microsoft Surface Data Eraser is periodically updated by Microsoft. For information about the changes provided in each new version, see the following: ### 3.30.139 -This version of Surface Data Eraser to be released May 11, 2020 adds support for: +*Release Date: 11 May 2020* + +This version of Surface Data Eraser adds support for: - Surface Book 3 - Surface Go 2 - New SSD in Surface Go diff --git a/devices/surface/surface-diagnostic-toolkit-business.md b/devices/surface/surface-diagnostic-toolkit-business.md index d916f7d91b..f67a1290d0 100644 --- a/devices/surface/surface-diagnostic-toolkit-business.md +++ b/devices/surface/surface-diagnostic-toolkit-business.md @@ -175,8 +175,8 @@ You can select to run a wide range of logs across applications, drivers, hardwar ## Changes and updates ### Version 2.94.139.0 - -This version of Surface Diagnostic Toolkit for Business to be released May 11, 2020 adds support for the following: +*Release date: May 11, 2020*
+This version of Surface Diagnostic Toolkit for Business adds support for the following: - Ability to skip Windows Update to perform hardware check. - Ability to receive notifications for about the latest version update diff --git a/devices/surface/surface-enterprise-management-mode.md b/devices/surface/surface-enterprise-management-mode.md index 819ef39b6a..d8d1715907 100644 --- a/devices/surface/surface-enterprise-management-mode.md +++ b/devices/surface/surface-enterprise-management-mode.md @@ -228,7 +228,7 @@ create a reset package using PowerShell to reset SEMM. ## Version History -The latest version of SEMM to be released May 11, 2020 includes: +The latest version of SEMM released May 11, 2020 includes: - Support for Surface Go 2 - Support for Surface Book 3 - Bug fixes From 1b7e2385c4cda6682c3bab7d949baaf1b8baabd1 Mon Sep 17 00:00:00 2001 From: amirsc3 <42802974+amirsc3@users.noreply.github.com> Date: Tue, 12 May 2020 21:25:44 +0300 Subject: [PATCH 07/49] Update machine-tags.md Adjusting note to avoid any potential customer confusion. --- .../threat-protection/microsoft-defender-atp/machine-tags.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md b/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md index e54b496b2c..23a14e3ccd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md @@ -72,7 +72,7 @@ You can also delete tags from this view. >- Windows 7 SP1 > [!NOTE] -> The maximum number of characters in a tag is 30. +> The maximum number of characters that can be set in a tag from the registry is 30. Machines with similar tags can be handy when you need to apply contextual action on a specific list of machines. From b2f9665372c38b098dd2537853df2662e386bb35 Mon Sep 17 00:00:00 2001 
From: Zach Willson Date: Tue, 12 May 2020 11:32:16 -0700 Subject: [PATCH 08/49] Update policy-csp-userrights.md --- windows/client-management/mdm/policy-csp-userrights.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md index 09b30b65c0..719f00b4c6 100644 --- a/windows/client-management/mdm/policy-csp-userrights.md +++ b/windows/client-management/mdm/policy-csp-userrights.md @@ -1285,12 +1285,16 @@ GP Info: This user right determines which users and groups can run maintenance tasks on a volume, such as remote defragmentation. Use caution when assigning this user right. Users with this user right can explore disks and extend files in to memory that contains other data. When the extended files are opened, the user might be able to read and modify the acquired data. + GP Info: - GP English name: *Perform volume maintenance tasks* - GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* - +> [!Warning] +> If you remove **Window Manager\Window Manager Group** from the **Increase scheduling priority** user right, certain applications and computers do not function correctly. In particular, the INK workspace does not function correctly on unified memory architecture (UMA) laptop and desktop computers that run Windows 10, version 1903 (or later) and that use the Intel GFX driver. +> +> On affected computers, the display blinks when users draw on INK workspaces such as those that are used by Microsoft Edge, Microsoft PowerPoint, or Microsoft OneNote. The blinking occurs because the inking-related processes repeatedly try to use the Real-Time priority, but are denied permission. From 603e52a612199228890670198806e31b49e41b32 Mon Sep 17 00:00:00 2001 
From: Zach Willson Date: Tue, 12 May 2020 11:33:45 -0700 Subject: [PATCH 09/49] Update policy-csp-userrights.md --- windows/client-management/mdm/policy-csp-userrights.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md index 719f00b4c6..0278d07a34 100644 --- a/windows/client-management/mdm/policy-csp-userrights.md +++ b/windows/client-management/mdm/policy-csp-userrights.md @@ -1095,6 +1095,11 @@ GP Info: - GP English name: *Increase scheduling priority* - GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* +> [!Warning] +> If you remove **Window Manager\Window Manager Group** from the **Increase scheduling priority** user right, certain applications and computers do not function correctly. In particular, the INK workspace does not function correctly on unified memory architecture (UMA) laptop and desktop computers that run Windows 10, version 1903 (or later) and that use the Intel GFX driver. +> +> On affected computers, the display blinks when users draw on INK workspaces such as those that are used by Microsoft Edge, Microsoft PowerPoint, or Microsoft OneNote. The blinking occurs because the inking-related processes repeatedly try to use the Real-Time priority, but are denied permission. + 
@@ -1291,10 +1296,7 @@ This user right determines which users and groups can run maintenance tasks on a GP Info: - GP English name: *Perform volume maintenance tasks* - GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* -> [!Warning] -> If you remove **Window Manager\Window Manager Group** from the **Increase scheduling priority** user right, certain applications and computers do not function correctly. In particular, the INK workspace does not function correctly on unified memory architecture (UMA) laptop and desktop computers that run Windows 10, version 1903 (or later) and that use the Intel GFX driver. -> -> On affected computers, the display blinks when users draw on INK workspaces such as those that are used by Microsoft Edge, Microsoft PowerPoint, or Microsoft OneNote. The blinking occurs because the inking-related processes repeatedly try to use the Real-Time priority, but are denied permission. + From 1eab3da419c5874210a5ce3ac3101204d7f8fa5e Mon Sep 17 00:00:00 2001 From: Zach Willson Date: Tue, 12 May 2020 11:35:33 -0700 Subject: [PATCH 10/49] Update policy-csp-userrights.md --- windows/client-management/mdm/policy-csp-userrights.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md index 0278d07a34..cd9fa29f64 100644 --- a/windows/client-management/mdm/policy-csp-userrights.md +++ b/windows/client-management/mdm/policy-csp-userrights.md @@ -1290,7 +1290,6 @@ GP Info: This user right determines which users and groups can run maintenance tasks on a volume, such as remote defragmentation. Use caution when assigning this user right. Users with this user right can explore disks and extend files in to memory that contains other data. When the extended files are opened, the user might be able to read and modify the acquired data. - GP Info: From 891e5841ef30959d66187bb6e476e0ac58d8cd60 Mon Sep 17 00:00:00 2001 
From: John Kaiser <35939694+CoveMiner@users.noreply.github.com> Date: Tue, 12 May 2020 13:43:52 -0700 Subject: [PATCH 11/49] Update surface-hub-2s-recover-reset.md --- devices/surface-hub/surface-hub-2s-recover-reset.md | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/devices/surface-hub/surface-hub-2s-recover-reset.md b/devices/surface-hub/surface-hub-2s-recover-reset.md index 7493e10c3c..44912c169c 100644 --- a/devices/surface-hub/surface-hub-2s-recover-reset.md +++ b/devices/surface-hub/surface-hub-2s-recover-reset.md @@ -60,16 +60,6 @@ Using Surface Hub 2S, you can reinstall the device by using a recovery image. By When the first-time setup screen appears,remove the USB drive. -## Recover a locked Surface Hub - -At the end of a session, Surface Hub 2S may occasionally encounter an error during the cleanup of user and app data at the end of a session. If this occurs, the device automatically reboots and resumes the data cleanup. However, if this operation repeatedly fails, the device automatically locks to protect user data. - -**To unlock a Surface Hub 2S:**
-- Reset or recover the device from the Windows Recovery Environment. For more information, see [What is Windows RE?](https://technet.microsoft.com/library/cc765966.aspx) - -> [!NOTE] -> To enter recovery mode, unplug the power cord and plug it in again three times. - ## Contact Support If you have questions or need help, you can [create a support request](https://support.microsoft.com/supportforbusiness/productselection). From 0ba6a072fdb0e185bc417c43967edc0651c6dee7 Mon Sep 17 00:00:00 2001 From: John Kaiser <35939694+CoveMiner@users.noreply.github.com> Date: Tue, 12 May 2020 14:14:20 -0700 Subject: [PATCH 12/49] Update get-started.yml --- devices/surface/get-started.yml | 13 +++---------- 1 file changed, 3 insertions(+), 10 deletions(-) diff --git a/devices/surface/get-started.yml b/devices/surface/get-started.yml index 86beba22d0..d35baf3ac6 100644 --- a/devices/surface/get-started.yml +++ b/devices/surface/get-started.yml @@ -30,7 +30,6 @@ landingContent: url: https://www.microsoft.com/surface/business/surface-book-3 - text: Explore all Surface family products url: https://www.microsoft.com/surface/business - # Card (optional) - title: Get started linkLists: @@ -41,8 +40,7 @@ landingContent: - text: Surface Book 3 Quadro RTX 3000 technical overview url: surface-book-quadro.md - text: What’s new in Surface Dock 2 - url: surface-dock-whats-new.md - + url: surface-dock-whats-new.md # Card - title: Deploy Surface devices linkLists: 
@@ -54,19 +52,17 @@ landingContent: url: windows-autopilot-and-surface-devices.md - text: Deploying, managing, and servicing Surface Pro X url: surface-pro-arm-app-management.md - # Card - title: Manage Surface devices linkLists: - linkListType: how-to-guide links: - text: Manage and deploy Surface driver and firmware updates + - text: Manage and deploy Surface driver and firmware updates url: manage-surface-driver-and-firmware-updates.md - text: Best practice power settings for Surface devices url: maintain-optimal-power-settings-on-Surface-devices.md - text: Optimize Wi-Fi connectivity for Surface devices url: surface-wireless-connect.md - # Card - title: Explore security topics linkLists: @@ -78,7 +74,6 @@ landingContent: url: surface-enterprise-management-mode.md - text: Surface Data Eraser tool url: microsoft-surface-data-eraser.md - # Card - title: Discover Surface tools linkLists: @@ -90,8 +85,7 @@ landingContent: url: surface-enterprise-management-mode.md - text: Battery Limit setting url: battery-limit.md - - # Card +# Card - title: Browse Support topics linkLists: - linkListType: learn @@ -102,7 +96,6 @@ landingContent: url: https://support.microsoft.com/en-us/help/4023508/surface-faq-protecting-your-data-service - text: Troubleshoot Surface Dock and docking stations url: https://support.microsoft.com/help/4023468/surface-troubleshoot-surface-dock-and-docking-stations - # Card - title: Participate in Surface Community linkLists: From 1d90b8cb60ad81de4a98489863909051c86dda1d Mon Sep 17 00:00:00 2001 From: John Kaiser <35939694+CoveMiner@users.noreply.github.com> Date: Tue, 12 May 2020 14:58:52 -0700 Subject: [PATCH 13/49] Update get-started.yml --- devices/surface/get-started.yml | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/devices/surface/get-started.yml b/devices/surface/get-started.yml index d35baf3ac6..344d214bae 100644 --- a/devices/surface/get-started.yml +++ b/devices/surface/get-started.yml 
@@ -30,6 +30,7 @@ landingContent: url: https://www.microsoft.com/surface/business/surface-book-3 - text: Explore all Surface family products url: https://www.microsoft.com/surface/business + # Card (optional) - title: Get started linkLists: @@ -52,17 +53,19 @@ landingContent: url: windows-autopilot-and-surface-devices.md - text: Deploying, managing, and servicing Surface Pro X url: surface-pro-arm-app-management.md + # Card - title: Manage Surface devices linkLists: - linkListType: how-to-guide links: - - text: Manage and deploy Surface driver and firmware updates + - text: Manage and deploy Surface driver and firmware updates url: manage-surface-driver-and-firmware-updates.md - text: Best practice power settings for Surface devices url: maintain-optimal-power-settings-on-Surface-devices.md - text: Optimize Wi-Fi connectivity for Surface devices url: surface-wireless-connect.md + # Card - title: Explore security topics linkLists: @@ -74,7 +77,8 @@ landingContent: url: surface-enterprise-management-mode.md - text: Surface Data Eraser tool url: microsoft-surface-data-eraser.md - # Card + + # Card - title: Discover Surface tools linkLists: - linkListType: how-to-guide @@ -85,6 +89,7 @@ landingContent: url: surface-enterprise-management-mode.md - text: Battery Limit setting url: battery-limit.md + # Card - title: Browse Support topics linkLists: @@ -92,10 +97,11 @@ landingContent: links: - text: Top support solutions url: support-solutions-surface.md - - text: Protecting your data during Surface repair or service + - text: Protecting your data during Surface repair or service url: https://support.microsoft.com/en-us/help/4023508/surface-faq-protecting-your-data-service - text: Troubleshoot Surface Dock and docking stations url: https://support.microsoft.com/help/4023468/surface-troubleshoot-surface-dock-and-docking-stations + # Card - title: Participate in Surface Community linkLists: 
@@ -106,5 +112,5 @@ landingContent: url: https://techcommunity.microsoft.com/t5/Surface-IT-Pro-Blog/bg-p/SurfaceITPro - text: Surface Devices Tech Community url: https://techcommunity.microsoft.com/t5/Surface-Devices/ct-p/SurfaceDevices - - text: Microsoft Mechanics Surface videos + - text: Microsoft Mechanics Surface videos url: https://www.youtube.com/watch?v=Uk2kJ5FUZxY&list=PLXtHYVsvn_b__1Baibdu4elN4SoF3JTBZ \ No newline at end of file From 454e8cc273a2e4e14face0e0e9ed48493980a49f Mon Sep 17 00:00:00 2001 From: John Kaiser <35939694+CoveMiner@users.noreply.github.com> Date: Tue, 12 May 2020 15:33:52 -0700 Subject: [PATCH 14/49] Update get-started.yml --- devices/surface/get-started.yml | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/devices/surface/get-started.yml b/devices/surface/get-started.yml index 344d214bae..0a02e29fec 100644 --- a/devices/surface/get-started.yml +++ b/devices/surface/get-started.yml @@ -42,6 +42,7 @@ landingContent: url: surface-book-quadro.md - text: What’s new in Surface Dock 2 url: surface-dock-whats-new.md + # Card - title: Deploy Surface devices linkLists: @@ -54,18 +55,18 @@ landingContent: - text: Deploying, managing, and servicing Surface Pro X url: surface-pro-arm-app-management.md - # Card + # Card - title: Manage Surface devices linkLists: - linkListType: how-to-guide links: - - text: Manage and deploy Surface driver and firmware updates + - text: Manage and deploy Surface driver and firmware updates url: manage-surface-driver-and-firmware-updates.md - text: Best practice power settings for Surface devices url: maintain-optimal-power-settings-on-Surface-devices.md - text: Optimize Wi-Fi connectivity for Surface devices url: surface-wireless-connect.md - + # Card - title: Explore security topics linkLists: 
@@ -90,27 +91,24 @@ landingContent: - text: Battery Limit setting url: battery-limit.md -# Card + # Card - title: Browse Support topics linkLists: - linkListType: learn links: - text: Top support solutions url: support-solutions-surface.md - - text: Protecting your data during Surface repair or service - url: https://support.microsoft.com/en-us/help/4023508/surface-faq-protecting-your-data-service + - text: Protecting your data during Surface repair or service + url: https://support.microsoft.com/help/4023508/surface-faq-protecting-your-data-service - text: Troubleshoot Surface Dock and docking stations url: https://support.microsoft.com/help/4023468/surface-troubleshoot-surface-dock-and-docking-stations - + # Card - title: Participate in Surface Community linkLists: - linkListType: learn links: - links: - text: Surface IT Pro blog url: https://techcommunity.microsoft.com/t5/Surface-IT-Pro-Blog/bg-p/SurfaceITPro - text: Surface Devices Tech Community url: https://techcommunity.microsoft.com/t5/Surface-Devices/ct-p/SurfaceDevices - - text: Microsoft Mechanics Surface videos - url: https://www.youtube.com/watch?v=Uk2kJ5FUZxY&list=PLXtHYVsvn_b__1Baibdu4elN4SoF3JTBZ \ No newline at end of file From 8e1a5afb94dc468482224c4581c7fb465d645d02 Mon Sep 17 00:00:00 2001 From: rogersoMS <44718379+rogersoMS@users.noreply.github.com> Date: Wed, 13 May 2020 08:58:33 +1000 Subject: [PATCH 15/49] Added Teams as an enlightened app @DulceMontemayor & @Dansimp @derek adam & @way vadhanasin & @rick james (ENS) as tech reviewers Microsoft Teams desktop app from build 1.3.00.12058 (rolled out ~ 10th May 2020) now has full support for WIP. I believe it should be added to this list as an enlightened app. Please confirm with suggested tech reviewers before publishing --- .../enlightened-microsoft-apps-and-wip.md | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md index 48c612f49d..89f484d7e5 100644 --- a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md +++ b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md @@ -73,6 +73,8 @@ Microsoft has made a concerted effort to enlighten several of our more popular a - Microsoft Remote Desktop +- Microsoft Teams (build 1.3.00.12058 and later) + > [!NOTE] > Microsoft Visio, Microsoft Office Access and Microsoft Project are not enlightended apps and need to be exempted from WIP policy. If they are allowed, there is a risk of data loss. For example, if a device is workplace-joined and managed and the user leaves the company, metadata files that the apps rely on remain encrypted and the apps stop functioining. From cf8d4f39597f682ca895e05d82d8cd105ca5328b Mon Sep 17 00:00:00 2001 From: John Kaiser <35939694+CoveMiner@users.noreply.github.com> Date: Tue, 12 May 2020 16:25:59 -0700 Subject: [PATCH 16/49] Update get-started.yml --- devices/surface/get-started.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/devices/surface/get-started.yml b/devices/surface/get-started.yml index 0a02e29fec..9d70d7a59d 100644 --- a/devices/surface/get-started.yml +++ b/devices/surface/get-started.yml @@ -68,7 +68,7 @@ landingContent: url: surface-wireless-connect.md # Card - - title: Explore security topics + - title: Explore security guidance linkLists: - linkListType: how-to-guide links: @@ -92,7 +92,7 @@ landingContent: url: battery-limit.md # Card - - title: Browse Support topics + - title: Browse support solutions linkLists: - linkListType: learn links: 
@@ -112,3 +112,5 @@ landingContent: url: https://techcommunity.microsoft.com/t5/Surface-IT-Pro-Blog/bg-p/SurfaceITPro - text: Surface Devices Tech Community url: https://techcommunity.microsoft.com/t5/Surface-Devices/ct-p/SurfaceDevices + - text: Surface Devices Tech Community + url: https://techcommunity.microsoft.com/t5/Surface-Devices/ct-p/SurfaceDevices From 61554aeb8a2c3e23236552bfb2cef1e1fef0de23 Mon Sep 17 00:00:00 2001 From: rogersoMS <44718379+rogersoMS@users.noreply.github.com> Date: Wed, 13 May 2020 10:22:47 +1000 Subject: [PATCH 17/49] Corrected Teams 'WIP enlightened' to 'WIP work only' Verified technical changes with Narendra Acharya. No additional tech reviewers are required. Corrected Teams from WIP enlightened to WIP work aware --- .../enlightened-microsoft-apps-and-wip.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md index 89f484d7e5..85d9523c9b 100644 --- a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md +++ b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md @@ -71,9 +71,7 @@ Microsoft has made a concerted effort to enlighten several of our more popular a - Microsoft Messaging -- Microsoft Remote Desktop - -- Microsoft Teams (build 1.3.00.12058 and later) +- Microsoft Remote Desktop > [!NOTE] > Microsoft Visio, Microsoft Office Access and Microsoft Project are not enlightended apps and need to be exempted from WIP policy. If they are allowed, there is a risk of data loss. For example, if a device is workplace-joined and managed and the user leaves the company, metadata files that the apps rely on remain encrypted and the apps stop functioining. 
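Review bot: the [!NOTE] carried as context at the end of this hunk (enlightened-microsoft-apps-and-wip.md, @@ -71,9 +71,7 @@) still spells "enlightended" and "functioining"; since the commit edits the list immediately above it, correct both words in the same change. The removed and re-added "- Microsoft Remote Desktop" lines show no textual difference, so state in the commit message if that line is a whitespace-only fix.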
@@ -83,6 +81,8 @@ Microsoft still has apps that are unenlightened, but which have been tested and - Skype for Business +- Microsoft Teams (build 1.3.00.12058 and later) + ## Adding enlightened Microsoft apps to the allowed apps list > [!NOTE] From b832f0649f7e40ea71cbc8de9991223b7b3fb4fc Mon Sep 17 00:00:00 2001 From: Andre Della Monica Date: Tue, 12 May 2020 18:10:40 -0700 Subject: [PATCH 18/49] Box update to reflect live device data --- .../microsoft-defender-atp/configure-machines-onboarding.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md index 1f672b58a6..d3f378cce2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md @@ -52,6 +52,9 @@ From the **Onboarding** card, select **Onboard more machines** to create and ass >[!TIP] >Alternatively, you can navigate to the Microsoft Defender ATP onboarding compliance page in the [Microsoft Azure portal](https://portal.azure.com/) from **All services > Intune > Device compliance > Microsoft Defender ATP**. +>[!NOTE] +> If you want to view the most up-to-date device data, click on **List of devices without ATP sensor**. + From the device compliance page, create a configuration profile specifically for the deployment of the Microsoft Defender ATP sensor and assign that profile to the machines you want to onboard. To do this, you can either: - Select **Create a device configuration profile to configure ATP sensor** to start with a predefined device configuration profile. From 0691f6fbfcc3bc27c2331189c5cdfb1282febb25 Mon Sep 17 00:00:00 2001 
From: Herbert Mauerer <41573578+HerbertMauerer@users.noreply.github.com> Date: Wed, 13 May 2020 16:08:30 +0200 Subject: [PATCH 19/49] Update interactive-logon-prompt-user-to-change-password-before-expiration.md The description of the value at zero is incorrect. I verified in the source of Winlogon that you never get a reminder when the value is 0, only when the password expires the same day or when it has expired already. --- ...ve-logon-prompt-user-to-change-password-before-expiration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md index 300344160d..cbc2288db2 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md @@ -37,7 +37,7 @@ This policy setting determines when users are warned that their passwords are ab - Configure user passwords to expire periodically. Users need warning that their password is going to expire, or they might get locked out of the system. - Set **Interactive logon: Prompt user to change password before expiration** to five days. When their password expiration date is five or fewer days away, users will see a dialog box each time that they log on to the domain. -- Don't set the value to zero, which displays the password expiration warning every time the user logs on. +- When you set the policy to zero, there is no password expiration warning when the user logs on. During a long-running logon session, you would get the warning on the day the password expires or when it is already expired. ### Location 
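Review bot: the replaced bullet sits in a list of recommendations ("Configure user passwords to expire periodically", "Set ... to five days"), but the new text only describes what a value of zero does and no longer says whether to use it. The first bullet already warns that users who get no notice might be locked out, so say explicitly whether zero is still discouraged for that reason. The two new sentences also read as contradictory ("there is no password expiration warning" followed by "you would get the warning on the day the password expires"); state once that with zero the only warning appears on the day of expiry or after the password has expired, and keep to "users" rather than switching to "you".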
From e04a974e1f0c8daadc8205abe979ad51a142b17b Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Wed, 13 May 2020 19:46:50 +0300 Subject: [PATCH 20/49] add link https://github.com/MicrosoftDocs/windows-itpro-docs/issues/5904 --- .../surface/ethernet-adapters-and-surface-device-deployment.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/surface/ethernet-adapters-and-surface-device-deployment.md b/devices/surface/ethernet-adapters-and-surface-device-deployment.md index c35dbe0630..24cf375474 100644 --- a/devices/surface/ethernet-adapters-and-surface-device-deployment.md +++ b/devices/surface/ethernet-adapters-and-surface-device-deployment.md 
@@ -85,7 +85,7 @@ To access the firmware of a Surface device, follow these steps: When deploying with WDS, the MAC address is only used to identify a computer when the deployment server is configured to respond only to known, pre-staged clients. When pre-staging a client, an administrator creates a computer account in Active Directory and defines that computer by the MAC address or the System UUID. To avoid the identity conflicts caused by shared Ethernet adapters, you should use [System UUID to define pre-staged clients](https://technet.microsoft.com/library/cc742034). Alternatively, you can configure WDS to respond to unknown clients that do not require definition by either MAC address or System UUID by selecting the **Respond to all client computers (known and unknown)** option on the [**PXE Response** tab](https://technet.microsoft.com/library/cc732360) in **Windows Deployment Server Properties**. -The potential for conflicts with shared Ethernet adapters is much higher with Configuration Manager. Where WDS only uses MAC addresses to define individual systems when configured to do so, Configuration Manager uses the MAC address to define individual systems whenever performing a deployment to new or unknown computers. This can result in improperly configured devices or even the inability to deploy more than one system with a shared Ethernet adapter. There are several potential solutions for this situation that are described in detail in the [How to Use The Same External Ethernet Adapter For Multiple SCCM OSD](https://blogs.technet.microsoft.com/askpfeplat/2014/07/27/how-to-use-the-same-external-ethernet-adapter-for-multiple-sccm-osd/) blog post on the Ask Premier Field Engineering (PFE) Platforms TechNet blog. +The potential for conflicts with shared Ethernet adapters is much higher with Configuration Manager. 
Where WDS only uses MAC addresses to define individual systems when configured to do so, Configuration Manager uses the MAC address to define individual systems whenever performing a deployment to new or unknown computers. This can result in improperly configured devices or even the inability to deploy more than one system with a shared Ethernet adapter. There are several potential solutions for this situation that are described in detail in the [How to Use The Same External Ethernet Adapter For Multiple SCCM OSD](https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/how-to-use-the-same-external-ethernet-adapter-for-multiple-sccm/ba-p/257374) blog post on the Ask Premier Field Engineering (PFE) Platforms TechNet blog.   From dfa2880a69f48995d846056a7301f7d95b5cd8bf Mon Sep 17 00:00:00 2001 From: John Kaiser <35939694+CoveMiner@users.noreply.github.com> Date: Wed, 13 May 2020 10:06:44 -0700 Subject: [PATCH 21/49] Update get-started.yml --- devices/surface/get-started.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/devices/surface/get-started.yml b/devices/surface/get-started.yml index 9d70d7a59d..a11e35c584 100644 --- a/devices/surface/get-started.yml +++ b/devices/surface/get-started.yml @@ -112,5 +112,5 @@ landingContent: url: https://techcommunity.microsoft.com/t5/Surface-IT-Pro-Blog/bg-p/SurfaceITPro - text: Surface Devices Tech Community url: https://techcommunity.microsoft.com/t5/Surface-Devices/ct-p/SurfaceDevices - - text: Surface Devices Tech Community - url: https://techcommunity.microsoft.com/t5/Surface-Devices/ct-p/SurfaceDevices + - text: Microsoft Mechanics Surface videos + url: https://www.youtube.com/watch?v=Uk2kJ5FUZxY&list=PLXtHYVsvn_b__1Baibdu4elN4SoF3JTBZ From 84b4df63dc9a4fa5ca322c798f0a834dbd03a458 Mon Sep 17 00:00:00 2001 
From: John Kaiser <35939694+CoveMiner@users.noreply.github.com> Date: Wed, 13 May 2020 10:15:46 -0700 Subject: [PATCH 22/49] Create cloud-desktop-surface.md --- devices/surface/cloud-desktop-surface.md | 175 +++++++++++++++++++++++ 1 file changed, 175 insertions(+) create mode 100644 devices/surface/cloud-desktop-surface.md diff --git a/devices/surface/cloud-desktop-surface.md b/devices/surface/cloud-desktop-surface.md new file mode 100644 index 0000000000..14f3e92b65 --- /dev/null +++ b/devices/surface/cloud-desktop-surface.md 
@@ -0,0 +1,175 @@ +--- +title: Cloud Desktop on Surface +description: This article explains how Surface devices deliver an ideal end node for Windows Virtual Desktop solutions, providing customers with flexible form factors, Windows 10 modern device security and manageability, and support for persistent, on-demand & just-in-time work scenarios. +ms.prod: w10 +ms.mktglfcycl: manage +ms.localizationpriority: medium +ms.sitesec: library +author: coveminer +ms.author: greglin +ms.topic: article +ms.date: 5/15/2020 +ms.reviewer: rohenr +manager: laurawi +audience: itpro +--- +# Cloud Desktop on Surface + +## Introduction + +Cloud Desktop on Surface represents another milestone in the evolution of computing, combining Microsoft 365 -- virtualized in the Azure cloud -- with the advanced security protections, enterprise-level manageability, and enhanced productivity tools of Windows 10 on Surface. This fusion of premium form factor and Virtual Desktop Infrastructure (VDI) in Azure provides exceptional customer value that spans user experiences, portability, security, business continuity, and modern management. Surface blurs the lines between the local desktop experience and the virtual desktop where touch, pen and ink and biometric authentication span both physical and virtual environments. + +### Virtual Desktop Infrastructure on Azure + +Customers can take advantage of VDI on Azure with first party Microsoft solutions such as Windows Virtual Desktop (WVD) or third-party desktop as a service (DaaS) offerings from partners like Workspot and Rackspace. + +### Windows Virtual Desktop + +Windows Virtual Desktop (WVD) is a Platform as a Service (PaaS) solution providing a comprehensive desktop and app virtualization service running in the Azure cloud. It’s the only virtual desktop infrastructure that delivers simplified management, multi-session Windows 10, optimizations for Office 365 ProPlus, and support for Remote Desktop Services (RDS) environments. 
Deploy and scale Windows desktops and apps on Azure in minutes and get built-in security and compliance features. +This model of cloud desktop still requires customers to maintain and manage updates of Windows virtual machines. + +###Virtual Desktop as a Service + +Virtual Desktop as a Service (DaaS) frees customers from having to maintain their own virtual machines (VMs) by providing a fully managed, turnkey desktop and virtualization service. The ability to deliver customized desktops to users anywhere in the world enables companies to quickly adjust to changing market conditions by spinning up cloud desktops on-demand - when and where they’re needed. + + +## Microsoft Surface Devices + +Surface engineering has long set new standards for innovation by going beyond the keyboard and mouse to imagine more natural ways of interacting with devices, whether by touch, voice, ink, or Surface Dial. And with chip-to-cloud integration of Microsoft 365 and the security and manageability of Windows 10 Pro, we’ve seamlessly connected hardware, software, apps, and services the way they were intended. +Although you can run Windows Virtual Desktop on Windows 7, Windows Server 2012 R2, or virtual machines, or Windows OEM devices, running WVD on Microsoft Surface devices provides unique advantages including support for: + +- **Flexible form factors** - like 2-in-1 devices such as Surface Go 2, Surface Pro 7 and Surface Pro X with pen, touch and detachable keyboard. +- **Persistent, on-demand and just-in-time work scenarios** - with offline and on-device access for more productive experiences. +- **Windows 10 modern device security and manageability** - providing the flexibility to be productive anywhere. +- **Reducing your carbon footprint –** to support your efforts to cut carbon emissions and drive towards environmental sustainability. 
+ +### Flexible form factors and premium user experience + +The Microsoft Surface for Business family comprises a diverse portfolio of form factors including traditional laptops, all-in-one machines, and 2-in-1 devices. Surface devices deliver experiences people love with the choice and flexibility they need in order to work on their terms. + +#### Transforming the virtual desktop endpoint + +Surface 2-in-1 devices, including [Surface Go 2](https://www.microsoft.com/p/surface-go/ (10.5”), [Surface Pro 7](https://www.microsoft.com/surface/devices/surface-pro-7/) (12”) and [Surface Pro X](https://www.microsoft.com/p/surface-pro-x/) (13”), provide users with the ideal cloud desktop endpoint bringing together the optimal balance of portability, versatility, power, and all-day battery. From site engineers relying on Surface Go 2 in tablet mode to financial advisors attaching Surface Pro 7 to a dock and multiple monitors, 2-in-1 devices deliver the versatility that has come to define the modern workplace. + +Unlike traditional, fixed VDI “terminals”, Surface devices allow users to work from anywhere and enable companies to remain viable and operational during unforeseen events -- from severe weather to public health emergencies. With support for persistent, on-demand and just-in-time scenarios, Surface devices effectively help companies sustain ongoing operations and mitigate risk from disruptive events. + +Features designed to enhance productivity on Surface 2-in-1 devices include: + +- Vibrant, high resolution displays with 3:2 aspect ratio to get work done. +- Natural inking and multi-touch for more immersive experiences. +- With a wide variety of built-in and third-party accessibility features, Surface devices let you choose how to interact with your device, express ideas, and get work done. +- Far-field mics and high-performance speakers for improved virtual meetings. 
+- Biometric security including built-in, Windows Hello camera that comes standard on every Surface device. +- Longer battery life[[1]](#) and fast charging. +- LTE options[[2]](#), on modern devices like Surface Pro X and Surface Go 2 for hassle-free and secure connectivity. +- Support for a wide range of peripherals such as standard printers, 3D printers, cameras, credit card readers, barcode scanners, and many others. A large ecosystem of Designed for Surface partners provides licensed and certified Surface accessories. +- Broad range of Device Redirection support. + +#### VDI Device Redirection Support + +The Surface-centric productivity experiences listed above become even more compelling in VDI environments by taking advantage of device redirection capabilities with Windows 10. Surface provides a broad range of device redirection support, especially when compared to OEM thin clients and fixed terminals, Android, iOS/macOS and Web-based access. The Windows Inbox (MSTSC) and Windows Desktop (MSRDC) clients provide the most Device Redirection capabilities including Input Redirection (keyboard, mouse, pen and touch), Port Redirection (serial and USB) and Other Redirections (cameras, clipboard, local drive/storage, location, microphones, printers, scanners, smart cards and speakers). For a detailed comparison of Device Redirection support refer to the [Device Redirection documentation](https://docs.microsoft.com/windows-server/remote/remote-desktop-services/clients/remote-desktop-app-compare#redirection-support). + +#### Familiar Desktop Experience + +Not only does running the Windows Desktop Client on Surface devices provide users with the broadest set of Device Redirection capabilities but it also provides the additional capability to use the apps in the way that is familiar to the end users – by launching an app directly from the Start Menu or launch the apps by searching it in the search bar. 
+ +### Persistent, on-demand and just-in-time work scenarios + +Cloud Desktop on Surface helps customers meet increasingly complex business and security requirements across industries, employee roles, and work environments. These include: + +- Multi-layered security of access to data and organizational resources. +- Compliance with industry regulations. +- Support for an increasingly elastic workforce. +- Employee-specific needs across a variety of job functions. +- Ability to support specialized, processor-intensive workloads. +- Resilience for sustaining operations during disruptions. + + +**Table 1. Windows Virtual Desktop business conversations** + +| Security & regulation | Elastic workforce | Work Roles | Special workloads | Business continuity | +| ---------------------------------------------------- | ---------------------------------------------------------------------------- | ----------------------------------------------------------------- | ---------------------------------------------------------------------------- | ---------------------------------------------------- | +| - Financial Services
- Healthcare
- Government | - Merger & acquisition
- Short term employees
- Contractors & partners | - BYOD & mobile
- Customer support/service
- Branch workers | - Design & engineering
- Support for legacy apps
- Software dev & test | - On demand
- Just-in-Time (JIT)
- Work @ Home | + + + +### Offline and on-device access for more productive experiences + +Traditionally, VDI solutions only work when the endpoint is connected to the internet. But what happens when the internet or power is unavailable for any reason (due to mobility, being on a plane, or power outages, and so on)? + +To support business continuity and keep employees productive, Surface devices can easily augment the virtual desktop experience with offline access to files, Microsoft 365 and third-party applications. Traditional apps like Microsoft Office, available across .x86, x64, Universal Windows Platform, ARM platforms, enable users to stay productive in “offline mode”. Files from the virtual desktop cloud environment can be synced locally on Surface using OneDrive for Business for offline access as well. You can have the confidence that all locally “cached” information is up-to-date and secure. + +In addition to adding support for offline access to apps and files, Surface devices are designed to optimize collaborative experiences like Microsoft Teams “On-Device”. Although some VDI solutions support the use of Teams through a virtual session, users can benefit from the more optimized experience provided by a locally installed instance of Teams. Localizing communications and collaboration apps for multimedia channels like voice, video, live captioning allows organizations to take full advantage of Surface devices’ ability to provide optimized Microsoft 365 experiences. The emergence of Surface artificial intelligence (AI) or “AI-on-device” brings new capabilities to life, such as eye gaze technology that adjusts the appearance of your eyes so the audience sees you looking directly at the camera when communicating via video. + +An alternative to locally installing traditional applications is to take advantage of the Chromium version of Microsoft Edge, which comes with support for Progressive Web Apps (PWA). 
PWAs are just websites that are progressively enhanced to function like native apps on supporting platforms. The qualities of a PWA combine the best of the web and native apps by additional features, such as push notifications, background data refresh, offline support, and more. + +### Virtual GPUs + +GPUs are ideal for [AI] compute and graphics-intensive workloads, helping customers to fuel innovation through scenarios like high-end remote visualization, deep learning, and predictive analytics. However, this isn’t ideal for professionals who need to work remotely or while on the go because varying degrees of internal GPU horsepower are tied to the physical devices, limiting mobility and flexibility. + +To solve for this Azure offers the N-series family of Virtual Machines with NVIDIA GPU capabilities (vGPU). With vGPUs, IT can either share GPU performance across multiple virtual machines, or power demanding workloads by assigning multiple GPUs to a single virtual machine. For Surface this means that no matter what device you’re using, from the highly portable Surface Go 2 to the slim and stylish Surface Laptop 3, your device has access to powerful server-class graphics performance. Surface and vGPUs allow you to combine all the things you love about Surface, to include pen, touch, keyboard, trackpad and PixelSense displays, with graphics capability only available in high performance computing environments. + +Azure N-series brings these capabilities to life on your Surface device allowing you to work in any way you want, wherever you go. [Learn more about Azure N-Series and GPU optimized virtual machine sizes.](https://docs.microsoft.com/azure/virtual-machines/sizes-gpu) + +### Microsoft 365 and Surface + +Even in a virtualized desktop environment, Microsoft 365 and Surface deliver the experiences employees love, the protection organizations demand, and flexibility for teams to work their way. 
According to Forrester Research3: + +- Microsoft 365-powered Surface devices give users up to 5 hours in weekly productivity gains with up to 9 hours saved per week for highly mobile workers, providing organizations with 112 percent ROI on Microsoft 365 with Surface +- 75 percent agree Microsoft 365-powered Surface devices help improve employee satisfaction and retention +- agree that Microsoft 365- powered Surface devices have helped improve employee satisfaction and retention. + +#### Security and management + +From chip to cloud, Microsoft 365 and Surface helps organizations stay protected and up to date. +With both Surface hardware and software designed, built, and tested together by Microsoft, users can be confident they’re productive and protected by leading technologies from chip to cloud. With increased numbers of users working remotely, protecting corporate data and intellectual property becomes more paramount than ever. Cloud Desktop on Surface is designed around a zero-trust security model in which every access request is strongly authenticated, authorized within policy constraints, and inspected for anomalies before granting access. + +By maximizing efficiencies from cloud computing, modern management enables IT to better serve the needs of users, stakeholders and customers in an increasingly competitive business environment. For example, you can get Surface devices up-and-running with minimal interaction from your team. Setup is automatic and self-serviced. Updates are quick and painless for both your team and your users. You can manage devices regardless of their physical location. + +Security and management features delivered Cloud Desktop on Surface include: + +- **Windows Update.** Keeping Windows up to date helps you stay ahead of new security threats. Windows 10 has been engineered from the ground up to be more secure and utilize the latest hardware capabilities to improve security. 
With a purpose-built UEFI[[3]](#) and Windows Update for Business that responds to evolving threats, end-to-end protection is secure and simplified.4 + +- **Hardware encryption.** Device encryption lets you protect the data on your Surface so it can only be accessed by authorized individuals. All Surface for Business devices feature a discrete Trusted Platform Module (dTPM) that is hardware-protected against intrusion while software uses protected keys and measurements to verify software validity. +- **Windows Defender.** Windows Defender Antivirus brings together machine learning, big-data analysis, in-depth threat resistance research, and the Microsoft cloud infrastructure to protect devices. The tool is built in and needs no extra agents to be deployed on-devices or in the VDI environment, simplifying management and optimizing device start up. +- Windows Defender is built in and needs no extra agents to be deployed on-device or in the VDI environment, simplifying management and optimizing device start up. The true out-of-the-box experience. +- **Removable drives** - A subset of newer Surface devices[[4]](#) feature removable SSD drives5 providing greater control over data retention. +- **Modern authentication -** Microsoft 365 and Surface is a unified platform delivering every Windows security feature (subject to licensing and enablement). All Surface portfolio devices ship with a custom-built camera, designed for Windows Hello for Business providing biometric security that persists seamlessly from on-device to VDI-based experiences. +- **Modern firmware management** - IT administrators can disable hardware elements at a firmware level such as mics, USB ports, SD card slots, cameras, and Bluetooth which removes power to the peripheral. Device Firmware Configuration Interface (DFCI) enables IT managers to manage UEFI via Microsoft Intune, for simple remote management. 
Windows Defender Credential Guard uses virtualization-based security so that only privileged system software can access them. +- **Backward and forward compatibility** - Windows 10 devices provide backward and forward compatibility across hardware, software and services. Microsoft has a strong history of maintaining legacy support of hardware, peripherals, software and services while incorporating the latest technologies. Businesses can plan IT investments to have a long useful life. +- **Bridge for legacy Windows 7 workloads** - For solution scenarios dependent on legacy Windows OS environments, enterprises can use VDI instances of Windows 7 running in Azure. This enables support on modern devices like Surface without the risk of relying on older Windows 7 machines that no longer receive the latest security updates. In addition to these “future proofing” benefits, migration of any legacy workloads becomes greatly simplified when modern Windows 10 hardware is already deployed. +- **Zero-Touch Deployment** - Autopilot is the recommended modern management deployment option for Surface devices. Windows Autopilot on Surface is a cloud-based deployment technology in Windows 10. You can use Windows Autopilot on Surface to remotely deploy and configure devices in a zero-touch process right out of the box. Windows Autopilot-registered devices are identified over the Internet at first startup through a unique device signature that's called a hardware hash. They're automatically enrolled and configured by using modern management solutions such as Azure Active Directory (Azure AD) and mobile device management. + +### Reduce your carbon footprint with Surface + +At Microsoft Devices, sustainability is integral to our mission to build products that create magical experiences while empowering every person and organization to achieve more. 
From product design through sourcing, manufacturing, delivery, and product end-of-life, we are driven to make a difference with our products both in how our customers create with them and in the impact their development has on our environment. + +- **Surface Environmental Impact** – For each Surface product we produce an ECO profile which consist of data about the environmental impact for the product. In the profile you can find the Product Carbon Footprint as well as the EnergyStar value. Taking the average values from those reports and comparing them to the average values from in market VDI desktop and VDI mobile devices. We can see some big differences. 565 percent difference in kg Co2 and a 158 percent in the energy use. +- **Surface Packaging** - Integrating sustainability into our packaging designs and measuring results is a business priority. We focus on using less packaging and selecting the right materials for the environment. We are committed to designing and delivering packaging materials that achieve measurable sustainability gains. Wood-based fiber packaging materials contain an average of 65 percent post-consumer recycled content. Packaging is 93 percent recyclable. Packaging weight is minimized. + + ![Surface ECO profiles](images/surface-eco-data.png) + +To download profiles for each Surface device, see [ECO Profiles](https://www.microsoft.com/download/details.aspx?id=55974) on the Microsoft Download Center. + +## Summary + +Cloud Desktop on Surface provides organizations with greater flexibility and resilience in meeting the diverse needs of users, stakeholders, and customers. Running WVD and Azure-based virtual desktop solutions on Surface devices provides unique advantages over continued reliance on legacy devices. Flexible form factors like Surface Go 2 and Surface Pro 7 connected to the cloud (or offline), enable users to be productive from anywhere, at any time. 
Whether employees work in persistent, on-demand, or just-in-time scenarios, Cloud Desktop on Surface affords businesses with the versatility to sustain productivity throughout disruptions from public health emergencies or other unforeseen events. Using the built in, multi-layered security and modern manageability of Windows 10, companies can take advantage of an expanding ecosystem of cloud-based services to rapidly deploy and scale Windows desktops and apps. Simply put, Cloud Desktop on Surface delivers critically needed technology to organizations and businesses of all sizes + +## Learn more + +For more information, see the following resources: + +- [Windows Virtual Desktop](https://azure.microsoft.com/services/virtual-desktop/) +- [Surface for Business](https://www.microsoft.com/surface/business) +- [Zero-trust security model](https://www.microsoft.com/security/business/zero-trust) + + + + +---------- + +[[1]](#) Battery life varies significantly with settings, usage and other factors. +[[2]](#) Service availability and performance subject to service provider’s network. Contact your service provider for details, compatibility, pricing, SIM card, and activation. See all specs and frequencies at surface.com. +[[3]](#) Surface Go uses third party UEFI. +[[4]](#) Hard drive is not user removable. Hard drive is only removable a by skilled technician following Microsoft instructions. + From 5cd251c6f806de98ed1248def16ffbf23af13091 Mon Sep 17 00:00:00 2001 From: John Kaiser <35939694+CoveMiner@users.noreply.github.com> Date: Wed, 13 May 2020 10:25:43 -0700 Subject: [PATCH 23/49] Delete cloud-desktop-surface.md --- devices/surface/cloud-desktop-surface.md | 175 ----------------------- 1 file changed, 175 deletions(-) delete mode 100644 devices/surface/cloud-desktop-surface.md diff --git a/devices/surface/cloud-desktop-surface.md b/devices/surface/cloud-desktop-surface.md deleted file mode 100644 index 14f3e92b65..0000000000 
--- a/devices/surface/cloud-desktop-surface.md +++ /dev/null 
@@ -1,175 +0,0 @@ ---- -title: Cloud Desktop on Surface -description: This article explains how Surface devices deliver an ideal end node for Windows Virtual Desktop solutions, providing customers with flexible form factors, Windows 10 modern device security and manageability, and support for persistent, on-demand & just-in-time work scenarios. -ms.prod: w10 -ms.mktglfcycl: manage -ms.localizationpriority: medium -ms.sitesec: library -author: coveminer -ms.author: greglin -ms.topic: article -ms.date: 5/15/2020 -ms.reviewer: rohenr -manager: laurawi -audience: itpro ---- -# Cloud Desktop on Surface - -## Introduction - -Cloud Desktop on Surface represents another milestone in the evolution of computing, combining Microsoft 365 -- virtualized in the Azure cloud -- with the advanced security protections, enterprise-level manageability, and enhanced productivity tools of Windows 10 on Surface. This fusion of premium form factor and Virtual Desktop Infrastructure (VDI) in Azure provides exceptional customer value that spans user experiences, portability, security, business continuity, and modern management. Surface blurs the lines between the local desktop experience and the virtual desktop where touch, pen and ink and biometric authentication span both physical and virtual environments. - -### Virtual Desktop Infrastructure on Azure - -Customers can take advantage of VDI on Azure with first party Microsoft solutions such as Windows Virtual Desktop (WVD) or third-party desktop as a service (DaaS) offerings from partners like Workspot and Rackspace. - -### Windows Virtual Desktop - -Windows Virtual Desktop (WVD) is a Platform as a Service (PaaS) solution providing a comprehensive desktop and app virtualization service running in the Azure cloud. It’s the only virtual desktop infrastructure that delivers simplified management, multi-session Windows 10, optimizations for Office 365 ProPlus, and support for Remote Desktop Services (RDS) environments. 
Deploy and scale Windows desktops and apps on Azure in minutes and get built-in security and compliance features. -This model of cloud desktop still requires customers to maintain and manage updates of Windows virtual machines. - -###Virtual Desktop as a Service - -Virtual Desktop as a Service (DaaS) frees customers from having to maintain their own virtual machines (VMs) by providing a fully managed, turnkey desktop and virtualization service. The ability to deliver customized desktops to users anywhere in the world enables companies to quickly adjust to changing market conditions by spinning up cloud desktops on-demand - when and where they’re needed. - - -## Microsoft Surface Devices - -Surface engineering has long set new standards for innovation by going beyond the keyboard and mouse to imagine more natural ways of interacting with devices, whether by touch, voice, ink, or Surface Dial. And with chip-to-cloud integration of Microsoft 365 and the security and manageability of Windows 10 Pro, we’ve seamlessly connected hardware, software, apps, and services the way they were intended. -Although you can run Windows Virtual Desktop on Windows 7, Windows Server 2012 R2, or virtual machines, or Windows OEM devices, running WVD on Microsoft Surface devices provides unique advantages including support for: - -- **Flexible form factors** - like 2-in-1 devices such as Surface Go 2, Surface Pro 7 and Surface Pro X with pen, touch and detachable keyboard. -- **Persistent, on-demand and just-in-time work scenarios** - with offline and on-device access for more productive experiences. -- **Windows 10 modern device security and manageability** - providing the flexibility to be productive anywhere. -- **Reducing your carbon footprint –** to support your efforts to cut carbon emissions and drive towards environmental sustainability. 
- -### Flexible form factors and premium user experience - -The Microsoft Surface for Business family comprises a diverse portfolio of form factors including traditional laptops, all-in-one machines, and 2-in-1 devices. Surface devices deliver experiences people love with the choice and flexibility they need in order to work on their terms. - -#### Transforming the virtual desktop endpoint - -Surface 2-in-1 devices, including [Surface Go 2](https://www.microsoft.com/p/surface-go/ (10.5”), [Surface Pro 7](https://www.microsoft.com/surface/devices/surface-pro-7/) (12”) and [Surface Pro X](https://www.microsoft.com/p/surface-pro-x/) (13”), provide users with the ideal cloud desktop endpoint bringing together the optimal balance of portability, versatility, power, and all-day battery. From site engineers relying on Surface Go 2 in tablet mode to financial advisors attaching Surface Pro 7 to a dock and multiple monitors, 2-in-1 devices deliver the versatility that has come to define the modern workplace. - -Unlike traditional, fixed VDI “terminals”, Surface devices allow users to work from anywhere and enable companies to remain viable and operational during unforeseen events -- from severe weather to public health emergencies. With support for persistent, on-demand and just-in-time scenarios, Surface devices effectively help companies sustain ongoing operations and mitigate risk from disruptive events. - -Features designed to enhance productivity on Surface 2-in-1 devices include: - -- Vibrant, high resolution displays with 3:2 aspect ratio to get work done. -- Natural inking and multi-touch for more immersive experiences. -- With a wide variety of built-in and third-party accessibility features, Surface devices let you choose how to interact with your device, express ideas, and get work done. -- Far-field mics and high-performance speakers for improved virtual meetings. 
-- Biometric security including built-in, Windows Hello camera that comes standard on every Surface device. -- Longer battery life[[1]](#) and fast charging. -- LTE options[[2]](#), on modern devices like Surface Pro X and Surface Go 2 for hassle-free and secure connectivity. -- Support for a wide range of peripherals such as standard printers, 3D printers, cameras, credit card readers, barcode scanners, and many others. A large ecosystem of Designed for Surface partners provides licensed and certified Surface accessories. -- Broad range of Device Redirection support. - -#### VDI Device Redirection Support - -The Surface-centric productivity experiences listed above become even more compelling in VDI environments by taking advantage of device redirection capabilities with Windows 10. Surface provides a broad range of device redirection support, especially when compared to OEM thin clients and fixed terminals, Android, iOS/macOS and Web-based access. The Windows Inbox (MSTSC) and Windows Desktop (MSRDC) clients provide the most Device Redirection capabilities including Input Redirection (keyboard, mouse, pen and touch), Port Redirection (serial and USB) and Other Redirections (cameras, clipboard, local drive/storage, location, microphones, printers, scanners, smart cards and speakers). For a detailed comparison of Device Redirection support refer to the [Device Redirection documentation](https://docs.microsoft.com/windows-server/remote/remote-desktop-services/clients/remote-desktop-app-compare#redirection-support). - -#### Familiar Desktop Experience - -Not only does running the Windows Desktop Client on Surface devices provide users with the broadest set of Device Redirection capabilities but it also provides the additional capability to use the apps in the way that is familiar to the end users – by launching an app directly from the Start Menu or launch the apps by searching it in the search bar. 
- -### Persistent, on-demand and just-in-time work scenarios - -Cloud Desktop on Surface helps customers meet increasingly complex business and security requirements across industries, employee roles, and work environments. These include: - -- Multi-layered security of access to data and organizational resources. -- Compliance with industry regulations. -- Support for an increasingly elastic workforce. -- Employee-specific needs across a variety of job functions. -- Ability to support specialized, processor-intensive workloads. -- Resilience for sustaining operations during disruptions. - - -**Table 1. Windows Virtual Desktop business conversations** - -| Security & regulation | Elastic workforce | Work Roles | Special workloads | Business continuity | -| ---------------------------------------------------- | ---------------------------------------------------------------------------- | ----------------------------------------------------------------- | ---------------------------------------------------------------------------- | ---------------------------------------------------- | -| - Financial Services
- Healthcare
- Government | - Merger & acquisition
- Short term employees
- Contractors & partners | - BYOD & mobile
- Customer support/service
- Branch workers | - Design & engineering
- Support for legacy apps
- Software dev & test | - On demand
- Just-in-Time (JIT)
- Work @ Home | - - - -### Offline and on-device access for more productive experiences - -Traditionally, VDI solutions only work when the endpoint is connected to the internet. But what happens when the internet or power is unavailable for any reason (due to mobility, being on a plane, or power outages, and so on)? - -To support business continuity and keep employees productive, Surface devices can easily augment the virtual desktop experience with offline access to files, Microsoft 365 and third-party applications. Traditional apps like Microsoft Office, available across .x86, x64, Universal Windows Platform, ARM platforms, enable users to stay productive in “offline mode”. Files from the virtual desktop cloud environment can be synced locally on Surface using OneDrive for Business for offline access as well. You can have the confidence that all locally “cached” information is up-to-date and secure. - -In addition to adding support for offline access to apps and files, Surface devices are designed to optimize collaborative experiences like Microsoft Teams “On-Device”. Although some VDI solutions support the use of Teams through a virtual session, users can benefit from the more optimized experience provided by a locally installed instance of Teams. Localizing communications and collaboration apps for multimedia channels like voice, video, live captioning allows organizations to take full advantage of Surface devices’ ability to provide optimized Microsoft 365 experiences. The emergence of Surface artificial intelligence (AI) or “AI-on-device” brings new capabilities to life, such as eye gaze technology that adjusts the appearance of your eyes so the audience sees you looking directly at the camera when communicating via video. - -An alternative to locally installing traditional applications is to take advantage of the Chromium version of Microsoft Edge, which comes with support for Progressive Web Apps (PWA). 
PWAs are just websites that are progressively enhanced to function like native apps on supporting platforms. The qualities of a PWA combine the best of the web and native apps by additional features, such as push notifications, background data refresh, offline support, and more. - -### Virtual GPUs - -GPUs are ideal for [AI] compute and graphics-intensive workloads, helping customers to fuel innovation through scenarios like high-end remote visualization, deep learning, and predictive analytics. However, this isn’t ideal for professionals who need to work remotely or while on the go because varying degrees of internal GPU horsepower are tied to the physical devices, limiting mobility and flexibility. - -To solve for this Azure offers the N-series family of Virtual Machines with NVIDIA GPU capabilities (vGPU). With vGPUs, IT can either share GPU performance across multiple virtual machines, or power demanding workloads by assigning multiple GPUs to a single virtual machine. For Surface this means that no matter what device you’re using, from the highly portable Surface Go 2 to the slim and stylish Surface Laptop 3, your device has access to powerful server-class graphics performance. Surface and vGPUs allow you to combine all the things you love about Surface, to include pen, touch, keyboard, trackpad and PixelSense displays, with graphics capability only available in high performance computing environments. - -Azure N-series brings these capabilities to life on your Surface device allowing you to work in any way you want, wherever you go. [Learn more about Azure N-Series and GPU optimized virtual machine sizes.](https://docs.microsoft.com/azure/virtual-machines/sizes-gpu) - -### Microsoft 365 and Surface - -Even in a virtualized desktop environment, Microsoft 365 and Surface deliver the experiences employees love, the protection organizations demand, and flexibility for teams to work their way. 
According to Forrester Research3: - -- Microsoft 365-powered Surface devices give users up to 5 hours in weekly productivity gains with up to 9 hours saved per week for highly mobile workers, providing organizations with 112 percent ROI on Microsoft 365 with Surface -- 75 percent agree Microsoft 365-powered Surface devices help improve employee satisfaction and retention -- agree that Microsoft 365- powered Surface devices have helped improve employee satisfaction and retention. - -#### Security and management - -From chip to cloud, Microsoft 365 and Surface helps organizations stay protected and up to date. -With both Surface hardware and software designed, built, and tested together by Microsoft, users can be confident they’re productive and protected by leading technologies from chip to cloud. With increased numbers of users working remotely, protecting corporate data and intellectual property becomes more paramount than ever. Cloud Desktop on Surface is designed around a zero-trust security model in which every access request is strongly authenticated, authorized within policy constraints, and inspected for anomalies before granting access. - -By maximizing efficiencies from cloud computing, modern management enables IT to better serve the needs of users, stakeholders and customers in an increasingly competitive business environment. For example, you can get Surface devices up-and-running with minimal interaction from your team. Setup is automatic and self-serviced. Updates are quick and painless for both your team and your users. You can manage devices regardless of their physical location. - -Security and management features delivered Cloud Desktop on Surface include: - -- **Windows Update.** Keeping Windows up to date helps you stay ahead of new security threats. Windows 10 has been engineered from the ground up to be more secure and utilize the latest hardware capabilities to improve security. 
With a purpose-built UEFI[[3]](#) and Windows Update for Business that responds to evolving threats, end-to-end protection is secure and simplified.4 - -- **Hardware encryption.** Device encryption lets you protect the data on your Surface so it can only be accessed by authorized individuals. All Surface for Business devices feature a discrete Trusted Platform Module (dTPM) that is hardware-protected against intrusion while software uses protected keys and measurements to verify software validity. -- **Windows Defender.** Windows Defender Antivirus brings together machine learning, big-data analysis, in-depth threat resistance research, and the Microsoft cloud infrastructure to protect devices. The tool is built in and needs no extra agents to be deployed on-devices or in the VDI environment, simplifying management and optimizing device start up. -- Windows Defender is built in and needs no extra agents to be deployed on-device or in the VDI environment, simplifying management and optimizing device start up. The true out-of-the-box experience. -- **Removable drives** - A subset of newer Surface devices[[4]](#) feature removable SSD drives5 providing greater control over data retention. -- **Modern authentication -** Microsoft 365 and Surface is a unified platform delivering every Windows security feature (subject to licensing and enablement). All Surface portfolio devices ship with a custom-built camera, designed for Windows Hello for Business providing biometric security that persists seamlessly from on-device to VDI-based experiences. -- **Modern firmware management** - IT administrators can disable hardware elements at a firmware level such as mics, USB ports, SD card slots, cameras, and Bluetooth which removes power to the peripheral. Device Firmware Configuration Interface (DFCI) enables IT managers to manage UEFI via Microsoft Intune, for simple remote management. 
Windows Defender Credential Guard uses virtualization-based security so that only privileged system software can access them. -- **Backward and forward compatibility** - Windows 10 devices provide backward and forward compatibility across hardware, software and services. Microsoft has a strong history of maintaining legacy support of hardware, peripherals, software and services while incorporating the latest technologies. Businesses can plan IT investments to have a long useful life. -- **Bridge for legacy Windows 7 workloads** - For solution scenarios dependent on legacy Windows OS environments, enterprises can use VDI instances of Windows 7 running in Azure. This enables support on modern devices like Surface without the risk of relying on older Windows 7 machines that no longer receive the latest security updates. In addition to these “future proofing” benefits, migration of any legacy workloads becomes greatly simplified when modern Windows 10 hardware is already deployed. -- **Zero-Touch Deployment** - Autopilot is the recommended modern management deployment option for Surface devices. Windows Autopilot on Surface is a cloud-based deployment technology in Windows 10. You can use Windows Autopilot on Surface to remotely deploy and configure devices in a zero-touch process right out of the box. Windows Autopilot-registered devices are identified over the Internet at first startup through a unique device signature that's called a hardware hash. They're automatically enrolled and configured by using modern management solutions such as Azure Active Directory (Azure AD) and mobile device management. - -### Reduce your carbon footprint with Surface - -At Microsoft Devices, sustainability is integral to our mission to build products that create magical experiences while empowering every person and organization to achieve more. 
From product design through sourcing, manufacturing, delivery, and product end-of-life, we are driven to make a difference with our products both in how our customers create with them and in the impact their development has on our environment. - -- **Surface Environmental Impact** – For each Surface product we produce an ECO profile which consist of data about the environmental impact for the product. In the profile you can find the Product Carbon Footprint as well as the EnergyStar value. Taking the average values from those reports and comparing them to the average values from in market VDI desktop and VDI mobile devices. We can see some big differences. 565 percent difference in kg Co2 and a 158 percent in the energy use. -- **Surface Packaging** - Integrating sustainability into our packaging designs and measuring results is a business priority. We focus on using less packaging and selecting the right materials for the environment. We are committed to designing and delivering packaging materials that achieve measurable sustainability gains. Wood-based fiber packaging materials contain an average of 65 percent post-consumer recycled content. Packaging is 93 percent recyclable. Packaging weight is minimized. - - ![Surface ECO profiles](images/surface-eco-data.png) - -To download profiles for each Surface device, see [ECO Profiles](https://www.microsoft.com/download/details.aspx?id=55974) on the Microsoft Download Center. - -## Summary - -Cloud Desktop on Surface provides organizations with greater flexibility and resilience in meeting the diverse needs of users, stakeholders, and customers. Running WVD and Azure-based virtual desktop solutions on Surface devices provides unique advantages over continued reliance on legacy devices. Flexible form factors like Surface Go 2 and Surface Pro 7 connected to the cloud (or offline), enable users to be productive from anywhere, at any time. 
Whether employees work in persistent, on-demand, or just-in-time scenarios, Cloud Desktop on Surface affords businesses with the versatility to sustain productivity throughout disruptions from public health emergencies or other unforeseen events. Using the built in, multi-layered security and modern manageability of Windows 10, companies can take advantage of an expanding ecosystem of cloud-based services to rapidly deploy and scale Windows desktops and apps. Simply put, Cloud Desktop on Surface delivers critically needed technology to organizations and businesses of all sizes - -## Learn more - -For more information, see the following resources: - -- [Windows Virtual Desktop](https://azure.microsoft.com/services/virtual-desktop/) -- [Surface for Business](https://www.microsoft.com/surface/business) -- [Zero-trust security model](https://www.microsoft.com/security/business/zero-trust) - - - - ----------- - -[[1]](#) Battery life varies significantly with settings, usage and other factors. -[[2]](#) Service availability and performance subject to service provider’s network. Contact your service provider for details, compatibility, pricing, SIM card, and activation. See all specs and frequencies at surface.com. -[[3]](#) Surface Go uses third party UEFI. -[[4]](#) Hard drive is not user removable. Hard drive is only removable a by skilled technician following Microsoft instructions. - From 91896af97d29594b70aec0fc220a157a71f052cf Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Wed, 13 May 2020 11:44:35 -0700 Subject: [PATCH 24/49] Updated releease info --- ...ew-in-windows-mdm-enrollment-management.md | 1 + .../mdm/policy-csp-update.md | 25 ++++++++++--------- 2 files changed, 14 insertions(+), 12 deletions(-) diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index d9beadf585..e7f3dc7a8c 100644 
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -429,6 +429,7 @@ Policy, Policy/Channels, Policy/Channels/ChannelName, Policy/Channels/ChannelNam
  • TextInput/TouchKeyboardSplitModeAvailability
  • TextInput/TouchKeyboardWideModeAvailability
  • Update/ConfigureFeatureUpdateUninstallPeriod
  • +
  • Update/TargetReleaseVersion
  • UserRights/AccessCredentialManagerAsTrustedCaller
  • UserRights/AccessFromNetwork
  • UserRights/ActAsPartOfTheOperatingSystem
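Review bot: The added Update/TargetReleaseVersion entry, placed between Update/ConfigureFeatureUpdateUninstallPeriod and UserRights/AccessCredentialManagerAsTrustedCaller, goes into a list whose release heading is not visible in this hunk. Please confirm it is the Windows 10, version 1803 list, since the same patch marks the policy with footnote 4 and "Available in Windows 10, version 1803 and later" in policy-csp-update.md. The subject line says only "Updated releease info" (with a typo) and does not mention that a new list entry is added; the commit message should say so.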
  • diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index c0774fbced..9949285fca 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -4151,19 +4151,19 @@ The following list shows the supported values: Pro - check mark + check mark4 Business - check mark + check mark4 Enterprise - check mark + check mark4 Education - check mark + check mark4 @@ -4180,7 +4180,7 @@ The following list shows the supported values: -Added in the next major release of Windows 10. Also available in Windows 10, version 1803 and later. Enables IT administrators to specify which version they would like their device(s) to move to and/or stay on until they reach end of service or reconfigure the policy. For details about different Windows 10 versions, see [Windows 10 release information](https://docs.microsoft.com/windows/release-information/). +Available in Windows 10, version 1803 and later. Enables IT administrators to specify which version they would like their device(s) to move to and/or stay on until they reach end of service or reconfigure the policy. For details about different Windows 10 versions, see [Windows 10 release information](https://docs.microsoft.com/windows/release-information/). ADMX Info: 
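Review bot: In the @@ -4180 hunk the reworded description says "Available in Windows 10, version 1803 and later", but footnote 4, which the marker added after each check mark in the @@ -4151 hunk points to, is reworded in the footnotes hunk of this patch to "Available in Windows 10, version 1803" with no "and later". Use one wording for both so the footnote is not read as meaning that single version only. While this sentence is being edited, "until they reach end of service or reconfigure the policy" has an unclear subject: the devices reach end of service, but it is the administrator who reconfigures the policy.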
@@ -4445,12 +4445,13 @@ ADMX Info: Footnotes: -- 1 - Added in Windows 10, version 1607. -- 2 - Added in Windows 10, version 1703. -- 3 - Added in Windows 10, version 1709. -- 4 - Added in Windows 10, version 1803. -- 5 - Added in Windows 10, version 1809. -- 6 - Added in Windows 10, version 1903. -- 7 - Added in the next major release of Windows 10. +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. + From 3c20e5cf51fd43428cd7b8fa6f1b624753791493 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Wed, 13 May 2020 12:14:47 -0700 Subject: [PATCH 25/49] Added the new policy in the lists per PR#6651 --- .../mdm/new-in-windows-mdm-enrollment-management.md | 1 + .../mdm/policy-configuration-service-provider.md | 3 +++ 2 files changed, 4 insertions(+) diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index d9beadf585..b642ea835c 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -2563,6 +2563,7 @@ How do I turn if off? | The service can be stopped from the "Services" console o
  • LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM
  • LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange
  • LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel
  • +
  • LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients
  • LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers
  • LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile
  • LocalPoliciesSecurityOptions/SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems
  • diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 4f6316b7c7..752518c6f8 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -2399,6 +2399,9 @@ The following diagram shows the Policy configuration service provider in tree fo
    LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel
    +
    + LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients +
    LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers
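Review bot: The new index entry for LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients is added here and in the what's-new list, but the diffstat shows only those two list files changed, so nothing in this patch adds or touches the policy's own reference section. Please confirm that section already exists (the subject cites PR#6651) and that the new entry resolves to it; otherwise the index points at a missing anchor. The subject also does not name the policy or the Windows 10 version it applies to, which would help anyone reading the history later. Placement between the LANManagerAuthenticationLevel and MinimumSessionSecurityForNTLMSSPBasedServers entries keeps the list order.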
    From cf7e9be3391b67e19e1656ff37067bedf9755667 Mon Sep 17 00:00:00 2001 From: Yannis Lempidakis <51840946+yannisle@users.noreply.github.com> Date: Wed, 13 May 2020 12:29:39 -0700 Subject: [PATCH 26/49] Changing number of AAD accounts supported to 64 --- devices/hololens/hololens-identity.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/hololens/hololens-identity.md b/devices/hololens/hololens-identity.md index e1fab33818..08af92c386 100644 --- a/devices/hololens/hololens-identity.md +++ b/devices/hololens/hololens-identity.md @@ -32,7 +32,7 @@ HoloLens supports several kinds of user identities. You can use one or more user | Identity type | Accounts per device | Authentication options | | --- | --- | --- | -| [Azure Active Directory (AAD)](https://docs.microsoft.com/azure/active-directory/) | 32 (see details) |
    • Azure web credential provider
    • Azure Authenticator App
    • Biometric (Iris) – HoloLens 2 only
    • PIN – Optional for HoloLens (1st gen), required for HoloLens 2
    • Password
    | +| [Azure Active Directory (AAD)](https://docs.microsoft.com/azure/active-directory/) | 64 |
    • Azure web credential provider
    • Azure Authenticator App
    • Biometric (Iris) – HoloLens 2 only
    • PIN – Optional for HoloLens (1st gen), required for HoloLens 2
    • Password
    | | [Microsoft Account (MSA)](https://docs.microsoft.com/windows/security/identity-protection/access-control/microsoft-accounts) | 1 |
    • Biometric (Iris) – HoloLens 2 only
    • PIN – Optional for HoloLens (1st gen), required for HoloLens 2
    • Password
    | | [Local account](https://docs.microsoft.com/windows/security/identity-protection/access-control/local-accounts) | 1 | Password | From 00d2b4ba8c16aa7e7a75ffd16615663492e2386f Mon Sep 17 00:00:00 2001 From: Russ Rimmerman Date: Wed, 13 May 2020 15:11:18 -0500 Subject: [PATCH 27/49] Update waas-servicing-strategy-windows-10-updates.md Fixed minor typo --- .../update/waas-servicing-strategy-windows-10-updates.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md index e82f2eebde..eb2d701314 100644 --- a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md +++ b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md 
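Review bot: the changed AAD row in hololens-identity.md drops the "(see details)" pointer together with the change from 32 to 64, while the commit subject mentions only the account count. If the details that pointer led to still describe a 32-account limit or other caveats, update that text in the same change; if the pointer was removed on purpose, say so in the commit message.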
@@ -28,7 +28,7 @@ In the past, traditional Windows deployments tended to be large, lengthy, and ex Windows 10 spreads the traditional deployment effort of a Windows upgrade, which typically occurred every few years, over smaller, continuous updates. With this change, you must approach the ongoing deployment and servicing of Windows differently. A strong Windows 10 deployment strategy begins with establishing a simple, repeatable process for testing and deploying each feature update. Here’s an example of what this process might look like: -- **Configure test devices.** Configure test devices in the Windows Insider Program so that Insiders can test feature updates before they’re available to the Semi-Annual Channel. Typically, this would be a small number of test devices that IT staff members use to evaluate pre-releas builds of Windows. Microsoft provides current development builds to Windows Insider members approximately every week so that interested users can see the functionality Microsoft is adding. See the section Windows Insider for details on how to enroll in the Windows Insider Program on a Windows 10 device. +- **Configure test devices.** Configure test devices in the Windows Insider Program so that Insiders can test feature updates before they’re available to the Semi-Annual Channel. Typically, this would be a small number of test devices that IT staff members use to evaluate pre-release builds of Windows. Microsoft provides current development builds to Windows Insider members approximately every week so that interested users can see the functionality Microsoft is adding. See the section Windows Insider for details on how to enroll in the Windows Insider Program on a Windows 10 device. - **Identify excluded devices.** For some organizations, special-purpose devices such as those used to control factory or medical equipment or run ATMs require a stricter, less frequent feature update cycle than the Semi-annual Channel can offer. 
For those machines, you must install Windows 10 Enterprise LTSB to avoid feature updates for up to 10 years. Identify these devices, and separate them from the phased deployment and servicing cycles to help remove confusion for your administrators and ensure that devices are handled correctly. - **Recruit volunteers.** The purpose of testing a deployment is to receive feedback. One effective way to recruit pilot users is to request volunteers. When doing so, clearly state that you’re looking for feedback rather than people to just “try it out” and that there could be occasional issues involved with accepting feature updates right away. With Windows as a service, the expectation is that there should be few issues, but if an issue does arise, you want testers to let you know as soon as possible. When considering whom to recruit for pilot groups, be sure to include members who provide the broadest set of applications and devices to validate the largest number of apps and devices possible. - **Update Group Policy.** Each feature update includes new group policies to manage new features. If you use Group Policy to manage devices, the Group Policy Admin for the Active Directory domain will need to download a .admx package and copy it to their [Central Store](https://support.microsoft.com/help/929841/how-to-create-the-central-store-for-group-policy-administrative-templa) (or to the [PolicyDefinitions](https://msdn.microsoft.com/library/bb530196.aspx) directory in the SYSVOL of a domain controller if not using a Central Store). Always manage new group polices from the version of Windows 10 they shipped with by using the Remote Server Administration Tools. The ADMX download package is created at the end of each development cycle and then posted for download. To find the ADMX download package for a given Windows build, search for “ADMX download for Windows build xxxx”. 
For details about Group Policy management, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) From b4daee35004c411a642403530be8b06ecbd7704f Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Wed, 13 May 2020 14:44:43 -0700 Subject: [PATCH 28/49] Update windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- ...ve-logon-prompt-user-to-change-password-before-expiration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md index cbc2288db2..b98d74a6bb 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md 
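Review bot: in waas-servicing-strategy-windows-10-updates.md the fix covers only "pre-releas", while the unchanged context of the same hunk still reads "Always manage new group polices" in the **Update Group Policy** bullet, and "Semi-annual Channel" in **Identify excluded devices** against "Semi-Annual Channel" in the bullet being edited. Since this is a typo pass over this list, correct "polices" to "policies" and settle on one capitalization for the channel name.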
@@ -37,7 +37,7 @@ This policy setting determines when users are warned that their passwords are ab - Configure user passwords to expire periodically. Users need warning that their password is going to expire, or they might get locked out of the system. - Set **Interactive logon: Prompt user to change password before expiration** to five days. When their password expiration date is five or fewer days away, users will see a dialog box each time that they log on to the domain. -- When you set the policy to zero, there is no password expiration warning when the user logs on. During a long-running logon session, you would get the warning on the day the password expires or when it is already expired. +- When you set the policy to zero, there is no password expiration warning when the user logs on. During a long-running logon session, you would get the warning on the day the password expires or when it already has expired. ### Location From d09038af9608a3d24442c86231968f864397faa8 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Wed, 13 May 2020 16:19:51 -0700 Subject: [PATCH 29/49] Removed extraneous angle bracket --- .../update/waas-servicing-strategy-windows-10-updates.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md index eb2d701314..ae0773920a 100644 --- a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md +++ b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md 
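Review bot: the reworded bullet in interactive-logon-prompt-user-to-change-password-before-expiration.md still switches subject mid-bullet, from "when the user logs on" to "you would get the warning". Suggest "the user would get the warning on the day the password expires or after it has expired", which keeps one subject and avoids the awkward "when it already has expired".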
@@ -35,10 +35,10 @@ Windows 10 spreads the traditional deployment effort of a Windows upgrade, which - **Choose a servicing tool.** Decide which product you’ll use to manage the Windows updates in your environment. If you’re currently using Windows Server Update Services (WSUS) or Microsoft Endpoint Configuration Manager to manage your Windows updates, you can continue using those products to manage Windows 10 updates. Alternatively, you can use Windows Update for Business. In addition to which product you’ll use, consider how you’ll deliver the updates. With Windows 10, multiple peer-to-peer options are available to make update distribution faster. For a comparison of tools, see [Servicing tools](waas-overview.md#servicing-tools). - **Prioritize applications.** First, create an application portfolio. This list should include everything installed in your organization and any webpages your organization hosts. Next, prioritize this list to identify those that are the most business critical. Because the expectation is that application compatibility with Windows 10 will be high, only the most business critical applications should be tested before the pilot phase; everything else can be tested afterwards. For more information about identifying compatibility issues withe applications, see [Manage Windows upgrades with Upgrade Analytics](../upgrade/manage-windows-upgrades-with-upgrade-readiness.md). ->[!NOTE] ->This strategy is applicable to approaching an environment in which Windows 10 already exists. For information about how to deploy or upgrade to Windows 10 where another version of Windows exists, see [Plan for Windows 10 deployment](../planning/index.md). +> [!NOTE] +> This strategy is applicable to approaching an environment in which Windows 10 already exists. For information about how to deploy or upgrade to Windows 10 where another version of Windows exists, see [Plan for Windows 10 deployment](../planning/index.md). 
> ->>Windows 10 Enterprise LTSB is a separate Long Term Servicing Channel version. +> Windows 10 Enterprise LTSB is a separate Long Term Servicing Channel version. Each time Microsoft releases a Windows 10 feature update, the IT department should use the following high-level process to help ensure that the broad deployment is successful: From 693cc50f42db700bfe509ffbc243b365e3e879e5 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Wed, 13 May 2020 16:26:27 -0700 Subject: [PATCH 30/49] Tidied cross references --- .../ethernet-adapters-and-surface-device-deployment.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/devices/surface/ethernet-adapters-and-surface-device-deployment.md b/devices/surface/ethernet-adapters-and-surface-device-deployment.md index 24cf375474..abc4672793 100644 --- a/devices/surface/ethernet-adapters-and-surface-device-deployment.md +++ b/devices/surface/ethernet-adapters-and-surface-device-deployment.md 
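Review bot: the context line just above the reformatted note still has "compatibility issues withe applications" in the **Prioritize applications** bullet, and its link text says "Upgrade Analytics" while the target is manage-windows-upgrades-with-upgrade-readiness.md. Both sit outside the three changed lines but inside this hunk; fix "withe" to "with" and align the link text with its target in the same pass.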
@@ -28,7 +28,7 @@ Network deployment to Surface devices can pose some unique challenges for system Before you can address the concerns of how you will boot to your deployment environment or how devices will be recognized by your deployment solution, you have to use a wired network adapter. -The primary concern when selecting an Ethernet adapter is how that adapter will boot your Surface device from the network. If you are pre-staging clients with Windows Deployment Services (WDS) or if you are using Microsoft Endpoint Configuration Manager, you may also want to consider whether the removable Ethernet adapters will be dedicated to a specific Surface device or shared among multiple devices. See the [Manage MAC addresses with removable Ethernet adapters](#manage-mac-addresses) section of this article for more information on potential conflicts with shared adapters. +The primary concern when selecting an Ethernet adapter is how that adapter will boot your Surface device from the network. If you are pre-staging clients with Windows Deployment Services (WDS) or if you are using Microsoft Endpoint Configuration Manager, you may also want to consider whether the removable Ethernet adapters will be dedicated to a specific Surface device or shared among multiple devices. For more information on potential conflicts with shared adapters, see [Manage MAC addresses with removable Ethernet adapters](#manage-mac-addresses) later in this article. Booting from the network (PXE boot) is only supported when you use an Ethernet adapter or docking station from Microsoft. To boot from the network, the chipset in the Ethernet adapter or dock must be detected and configured as a boot device in the firmware of the Surface device. Microsoft Ethernet adapters, such as the Surface Ethernet Adapter and the [Surface Dock](https://www.microsoft.com/surface/accessories/surface-dock) use a chipset that is compatible with the Surface firmware. 
@@ -67,7 +67,6 @@ For Windows 10, version 1511 and later – including the Windows Assessment and ## Manage MAC addresses with removable Ethernet adapters - Another consideration for administrators performing Windows deployment over the network is how you will identify computers when you use the same Ethernet adapter to deploy to more than one computer. A common identifier used by deployment technologies is the Media Access Control (MAC) address that is associated with each Ethernet adapter. However, when you use the same Ethernet adapter to deploy to multiple computers, you cannot use a deployment technology that inspects MAC addresses because there is no way to differentiate the MAC address of the removable adapter when used on the different computers. The simplest solution to avoid MAC address conflicts is to provide a dedicated removable Ethernet adapter for each Surface device. This can make sense in many scenarios where the Ethernet adapter or the additional functionality of the docking station will be used regularly. However, not all scenarios call for the additional connectivity of a docking station or support for wired networks. 
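Review bot: this hunk deletes the line directly under the "## Manage MAC addresses with removable Ethernet adapters" heading, while the first hunk of this patch keeps linking to `#manage-mac-addresses`. The deleted line's content is not visible in this rendering; if it was the explicit anchor for that id, the cross reference no longer resolves, because the heading text alone would generate a longer id. Either keep the anchor or change the link to the heading's generated id.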
@@ -85,7 +84,7 @@ To access the firmware of a Surface device, follow these steps: When deploying with WDS, the MAC address is only used to identify a computer when the deployment server is configured to respond only to known, pre-staged clients. When pre-staging a client, an administrator creates a computer account in Active Directory and defines that computer by the MAC address or the System UUID. To avoid the identity conflicts caused by shared Ethernet adapters, you should use [System UUID to define pre-staged clients](https://technet.microsoft.com/library/cc742034). Alternatively, you can configure WDS to respond to unknown clients that do not require definition by either MAC address or System UUID by selecting the **Respond to all client computers (known and unknown)** option on the [**PXE Response** tab](https://technet.microsoft.com/library/cc732360) in **Windows Deployment Server Properties**. -The potential for conflicts with shared Ethernet adapters is much higher with Configuration Manager. Where WDS only uses MAC addresses to define individual systems when configured to do so, Configuration Manager uses the MAC address to define individual systems whenever performing a deployment to new or unknown computers. This can result in improperly configured devices or even the inability to deploy more than one system with a shared Ethernet adapter. There are several potential solutions for this situation that are described in detail in the [How to Use The Same External Ethernet Adapter For Multiple SCCM OSD](https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/how-to-use-the-same-external-ethernet-adapter-for-multiple-sccm/ba-p/257374) blog post on the Ask Premier Field Engineering (PFE) Platforms TechNet blog. +The potential for conflicts with shared Ethernet adapters is much higher with Configuration Manager. 
Where WDS only uses MAC addresses to define individual systems when configured to do so, Configuration Manager uses the MAC address to define individual systems whenever performing a deployment to new or unknown computers. This can result in improperly configured devices or even the inability to deploy more than one system with a shared Ethernet adapter. There are several potential solutions for this situation that are described in detail in [How to Use The Same External Ethernet Adapter For Multiple SCCM OSD](https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/how-to-use-the-same-external-ethernet-adapter-for-multiple-sccm/ba-p/257374), a blog post on the Core Infrastructure and Security Blog.   From ec8674b3c53ef89332e2dab4f09efb5e791e7cd7 Mon Sep 17 00:00:00 2001 
From: "Jeff Reeds (Aquent LLC)" Date: Wed, 13 May 2020 16:36:42 -0700 Subject: [PATCH 31/49] Updated meta descriptions Note: I did not look at flow, spelling, grammar, etc., as such was out of scope for this task. --- windows/client-management/index.md | 2 +- windows/client-management/mdm/applocker-ddf-file.md | 2 +- windows/client-management/mdm/certificatestore-csp.md | 2 +- windows/client-management/mdm/cmpolicy-csp.md | 2 +- .../mdm/enable-admx-backed-policies-in-mdm.md | 2 +- windows/client-management/mdm/mobile-device-enrollment.md | 2 +- windows/client-management/mdm/oma-dm-protocol-support.md | 2 +- windows/client-management/mdm/policy-csp-activexcontrols.md | 2 +- windows/client-management/mdm/policy-csp-bitlocker.md | 2 +- windows/client-management/mdm/policy-csp-power.md | 2 +- windows/client-management/mdm/pxlogical-csp.md | 2 +- windows/client-management/mdm/sharedpc-csp.md | 2 +- .../mdm/windowsdefenderapplicationguard-ddf-file.md | 2 +- .../configure-attack-surface-reduction.md | 2 +- .../microsoft-defender-atp/get-alert-related-files-info.md | 4 ++-- .../microsoft-defender-atp/get-ip-related-alerts.md | 2 +- .../microsoft-defender-atp/get-machineactions-collection.md | 2 +- .../microsoft-defender-atp/get-user-related-alerts.md | 2 +- .../whats-new-in-microsoft-defender-atp.md | 2 +- .../windows-firewall/basic-firewall-policy-design.md | 2 +- .../certificate-based-isolation-policy-design.md | 2 +- .../change-rules-from-request-to-require-mode.md | 2 +- .../checklist-implementing-a-basic-firewall-policy-design.md | 2 +- ...ning-a-windows-firewall-with-advanced-security-strategy.md | 2 +- ...g-information-about-your-current-network-infrastructure.md | 2 +- .../windows-firewall/gpo-domiso-isolateddomain-clients.md | 2 +- .../windows-firewall/gpo-domiso-isolateddomain-servers.md | 2 +- .../restrict-access-to-only-specified-users-or-devices.md | 2 +- 28 files changed, 29 insertions(+), 29 deletions(-) 
diff --git a/windows/client-management/index.md b/windows/client-management/index.md index 3838366e1a..477c88252a 100644 --- a/windows/client-management/index.md +++ b/windows/client-management/index.md @@ -1,6 +1,6 @@ --- title: Client management (Windows 10) -description: Windows 10 client management +description: Learn about the administrative tools, tasks and best practices for managing Windows 10 and Windows 10 Mobile clients across your enterprise. ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library diff --git a/windows/client-management/mdm/applocker-ddf-file.md b/windows/client-management/mdm/applocker-ddf-file.md index fde531cbc9..ffd93b2784 100644 --- a/windows/client-management/mdm/applocker-ddf-file.md +++ b/windows/client-management/mdm/applocker-ddf-file.md @@ -1,6 +1,6 @@ --- title: AppLocker DDF file -description: AppLocker DDF file +description: See the OMA DM device description framework (DDF) for the AppLocker DDF file configuration service provider. ms.assetid: 79E199E0-5454-413A-A57A-B536BDA22496 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/certificatestore-csp.md b/windows/client-management/mdm/certificatestore-csp.md index 1ed78230d4..6e878defd1 100644 --- a/windows/client-management/mdm/certificatestore-csp.md +++ b/windows/client-management/mdm/certificatestore-csp.md @@ -1,6 +1,6 @@ --- title: CertificateStore CSP -description: CertificateStore CSP +description: Use the The CertificateStore configuration service provider (CSP) to add secure socket layers (SSL), intermediate, and self-signed certificates. ms.assetid: 0fe28629-3cc3-42a0-91b3-3624c8462fd3 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/cmpolicy-csp.md b/windows/client-management/mdm/cmpolicy-csp.md index 1dfca8abb1..67872d03da 100644 --- a/windows/client-management/mdm/cmpolicy-csp.md +++ b/windows/client-management/mdm/cmpolicy-csp.md 
@@ -1,6 +1,6 @@ --- title: CMPolicy CSP -description: CMPolicy CSP +description: Learn how the CMPolicy configuration service provider (CSP) is used to define rules that the Connection Manager uses to identify correct connections. ms.assetid: 62623915-9747-4eb1-8027-449827b85e6b ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md index 3a054f1155..00caaaa35d 100644 --- a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md +++ b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md @@ -1,6 +1,6 @@ --- title: Enable ADMX-backed policies in MDM -description: Guide to configuring ADMX-backed policies in MDM +description: Use this is a step-by-step guide to configuring ADMX-backed policies in MDM. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/mobile-device-enrollment.md b/windows/client-management/mdm/mobile-device-enrollment.md index 38e128bd28..1d91d3ec3b 100644 --- a/windows/client-management/mdm/mobile-device-enrollment.md +++ b/windows/client-management/mdm/mobile-device-enrollment.md @@ -1,6 +1,6 @@ --- title: Mobile device enrollment -description: Mobile device enrollment is the first phase of enterprise management. +description: Learn how mobile device enrollment verifies that only authenticated and authorized devices can be managed by their enterprise. ms.assetid: 08C8B3DB-3263-414B-A368-F47B94F47A11 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/oma-dm-protocol-support.md b/windows/client-management/mdm/oma-dm-protocol-support.md index e852fe64e8..40757af748 100644 --- a/windows/client-management/mdm/oma-dm-protocol-support.md +++ b/windows/client-management/mdm/oma-dm-protocol-support.md 
@@ -1,6 +1,6 @@ --- title: OMA DM protocol support -description: OMA DM protocol support +description: See how the OMA DM client communicates with the server over HTTPS and uses DM Sync (OMA DM v1.2) as the message payload. ms.assetid: e882aaae-447e-4bd4-9275-463824da4fa0 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/policy-csp-activexcontrols.md b/windows/client-management/mdm/policy-csp-activexcontrols.md index 98588acfa2..d14be473a2 100644 --- a/windows/client-management/mdm/policy-csp-activexcontrols.md +++ b/windows/client-management/mdm/policy-csp-activexcontrols.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ActiveXControls -description: Policy CSP - ActiveXControls +description: Learn the ins and outs of various Policy CSP - ActiveXControls settings, including SyncML, for Windows 10. ms.author: dansimp ms.localizationpriority: medium ms.topic: article diff --git a/windows/client-management/mdm/policy-csp-bitlocker.md b/windows/client-management/mdm/policy-csp-bitlocker.md index 3ab3d8246b..7e84c5ac84 100644 --- a/windows/client-management/mdm/policy-csp-bitlocker.md +++ b/windows/client-management/mdm/policy-csp-bitlocker.md @@ -1,6 +1,6 @@ --- title: Policy CSP - Bitlocker -description: Policy CSP - Bitlocker +description: Use the Policy configuration service provider (CSP) - Bitlocker to manage encryption of PCs and devices. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md index e5adaec521..f0f51bdb9f 100644 --- a/windows/client-management/mdm/policy-csp-power.md +++ b/windows/client-management/mdm/policy-csp-power.md @@ -1,6 +1,6 @@ --- title: Policy CSP - Power -description: Policy CSP - Power +description: Learn the ins and outs of various Policy CSP - Power settings, including SyncML, for Windows 10. ms.author: dansimp ms.topic: article ms.prod: w10 
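Review bot: two of the new descriptions in this group of MDM files have grammar slips: certificatestore-csp.md reads "Use the The CertificateStore configuration service provider" (doubled article) and enable-admx-backed-policies-in-mdm.md reads "Use this is a step-by-step guide". Suggest "Use the CertificateStore configuration service provider (CSP) to add ..." and "Use this step-by-step guide to configure ADMX-backed policies in MDM." The policy-csp-bitlocker.md description also spells the product "Bitlocker" rather than "BitLocker".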
diff --git a/windows/client-management/mdm/pxlogical-csp.md b/windows/client-management/mdm/pxlogical-csp.md index 5e0bc0b2d9..48baff3fe8 100644 --- a/windows/client-management/mdm/pxlogical-csp.md +++ b/windows/client-management/mdm/pxlogical-csp.md @@ -1,6 +1,6 @@ --- title: PXLOGICAL configuration service provider -description: PXLOGICAL configuration service provider +description: The PXLOGICAL configuration service provider is used to add, remove, or modify WAP logical and physical proxies by using WAP or the standard Windows techniques. ms.assetid: b5fc84d4-aa32-4edd-95f1-a6a9c0feb459 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/sharedpc-csp.md b/windows/client-management/mdm/sharedpc-csp.md index eaae458518..cf00680823 100644 --- a/windows/client-management/mdm/sharedpc-csp.md +++ b/windows/client-management/mdm/sharedpc-csp.md @@ -1,6 +1,6 @@ --- title: SharedPC CSP -description: SharedPC CSP +description: Learn how the SharedPC configuration service provider is used to configure settings for Shared PC usage. ms.assetid: 31273166-1A1E-4F96-B176-CB42ECB80957 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md b/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md index 6b319f1404..e519d6dcd8 100644 --- a/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md +++ b/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md @@ -1,6 +1,6 @@ --- title: WindowsDefenderApplicationGuard DDF file -description: WindowsDefenderApplicationGuard DDF file +description: See the OMA DM device description framework (DDF) for the WindowsDefenderApplicationGuard DDF file configuration service provider. ms.author: dansimp ms.topic: article ms.prod: w10 
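Review bot: the new description in windowsdefenderapplicationguard-ddf-file.md says "See the OMA DM device description framework (DDF) for the WindowsDefenderApplicationGuard DDF file configuration service provider", which names the DDF twice and reads as if the DDF file were itself a CSP; applocker-ddf-file.md earlier in this patch has the same pattern. Suggest "... (DDF) for the WindowsDefenderApplicationGuard configuration service provider", and the equivalent for AppLocker.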
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md index 2cdb364929..e959cf1bbf 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md @@ -1,6 +1,6 @@ --- title: Configure attack surface reduction -description: Configure attack surface reduction +description: Use Microsoft Intune, Microsoft Endpoint Configuration Manager, Powershell cmdlets, and Group Policy to configure attack surface reduction. keywords: asr, attack surface reduction, windows defender, microsoft defender, antivirus, av search.product: eADQiWindows 10XVcnh search.appverid: met150 diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md index 89838eb90d..eb293e3f1c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md @@ -1,6 +1,6 @@ --- title: Get alert related files information -description: Retrieves all files related to a specific alert. +description: Retrieve all files related to a specific alert using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). keywords: apis, graph api, supported apis, get alert information, alert information, related files search.product: eADQiWindows 10XVcnh ms.prod: w10 
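Review bot: the new description in configure-attack-surface-reduction.md writes "Powershell cmdlets"; the product name is "PowerShell", so correct the casing in this user-facing text.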
@@ -97,7 +97,7 @@ Content-type: application/json "fileType": null, "isPeFile": true, "filePublisher": "Microsoft Corporation", - "fileProductName": "Microsoft Windows Operating System", + "fileProductName": "Microsoft� Windows� Operating System", "signer": "Microsoft Corporation", "issuer": "Microsoft Code Signing PCA", "signerHash": "9dc17888b5cfad98b3cb35c1994e96227f061675", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md index c0088b91f6..3313e63989 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md @@ -1,6 +1,6 @@ --- title: Get IP related alerts API -description: Retrieves a collection of alerts related to a given IP address. +description: Retrieve a collection of alerts related to a given IP address using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). keywords: apis, graph api, supported apis, get, ip, related, alerts search.product: eADQiWindows 10XVcnh ms.prod: w10 diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md index c9883c2e4a..08f5fff7d0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md 
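Review bot: the second hunk in get-alert-related-files-info.md (@@ -97,7 +97,7 @@) changes the sample response's "fileProductName" to a value containing replacement characters ("Microsoft� Windows� Operating System"), which is an encoding corruption and has nothing to do with a meta description update. Drop this hunk or restore the original line, and check that the file is still saved as UTF-8 so the rest of the sample JSON is not affected the same way.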
@@ -1,6 +1,6 @@ --- title: List machineActions API -description: Use this API to create calls related to get machineactions collection +description: Use the Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) API to create calls related to get machineactions collection. keywords: apis, graph api, supported apis, machineaction collection search.product: eADQiWindows 10XVcnh ms.prod: w10 diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md index 0eaec5311d..b2e2bce19f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md @@ -1,6 +1,6 @@ --- title: Get user related alerts API -description: Retrieves a collection of alerts related to a given user ID. +description: Retrieve a collection of alerts related to a given user ID using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). keywords: apis, graph api, supported apis, get, user, related, alerts search.product: eADQiWindows 10XVcnh ms.prod: w10 diff --git a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md index 2d474782f2..394a8eb887 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md 
@@ -1,6 +1,6 @@ --- title: What's new in Microsoft Defender ATP -description: Lists the new features and functionality in Microsoft Defender ATP +description: See what features are generally available (GA) in the latest release of Microsoft Defender ATP, as well as security features in Windows 10 and Windows Server. keywords: what's new in microsoft defender atp, ga, generally available, capabilities, available, new search.product: eADQiWindows 10XVcnh search.appverid: met150 diff --git a/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md b/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md index 2ddbd8ddd4..f8bce090ea 100644 --- a/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md @@ -1,6 +1,6 @@ --- title: Basic Firewall Policy Design (Windows 10) -description: Basic Firewall Policy Design +description: Protect the devices in your organization from unwanted network traffic that gets through the perimeter defenses by using basic firewall policy design. ms.assetid: 6f7af99e-6850-4522-b7f5-db98e6941418 ms.reviewer: ms.author: dansimp diff --git a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md index 1be717ce49..71775ab476 100644 --- a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md 
@@ -1,6 +1,6 @@ --- title: Certificate-based Isolation Policy Design (Windows 10) -description: Certificate-based Isolation Policy Design +description: Explore the methodology behind Certificate-based Isolation Policy Design and how it defers from Domain Isolation and Server Isolation Policy Design. ms.assetid: 63e01a60-9daa-4701-9472-096c85e0f862 ms.reviewer: ms.author: dansimp diff --git a/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md b/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md index 11af4131b4..d953de0a48 100644 --- a/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md +++ b/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md @@ -1,6 +1,6 @@ --- title: Change Rules from Request to Require Mode (Windows 10) -description: Change Rules from Request to Require Mode +description: Learn how to convert a rule from request to require mode and apply the modified GPOs to the client devices. ms.assetid: ad969eda-c681-48cb-a2c4-0b6cae5f4cff ms.reviewer: ms.author: dansimp diff --git a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md index 6d74ea9356..2fec691406 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md 
@@ -1,6 +1,6 @@ --- title: Checklist Implementing a Basic Firewall Policy Design (Windows 10) -description: Checklist Implementing a Basic Firewall Policy Design +description: Follow this parent checklist for implementing a basic firewall policy design to ensure successful implementation. ms.assetid: 6caf0c1e-ac72-4f9d-a986-978b77fbbaa3 ms.reviewer: ms.author: dansimp diff --git a/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md b/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md index d67461d012..95428bb9b0 100644 --- a/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md +++ b/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md @@ -1,6 +1,6 @@ --- title: Designing a Windows Defender Firewall Strategy (Windows 10) -description: Designing a Windows Defender Firewall with Advanced Security Strategy +description: Answer the question in this article to design an effective Windows Defender Firewall with Advanced Security Strategy. ms.assetid: 6d98b184-33d6-43a5-9418-4f24905cfd71 ms.reviewer: ms.author: dansimp diff --git a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md index 0c27975e1b..dc11219314 100644 --- a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md +++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md 
@@ -1,6 +1,6 @@ --- title: Gathering Info about Your Network Infrastructure (Windows 10) -description: Gathering Information about Your Current Network Infrastructure +description: Learn how to gather info about your network infrastructure so that you can effectively plan for Windows Defender Firewall with Advanced Security deployment. ms.assetid: f98d2b17-e71d-4ffc-b076-118b4d4782f9 ms.reviewer: ms.author: dansimp diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md index eda2c2ccc5..bc1c471475 100644 --- a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md +++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md @@ -1,6 +1,6 @@ --- title: GPO\_DOMISO\_IsolatedDomain\_Clients (Windows 10) -description: GPO\_DOMISO\_IsolatedDomain\_Clients +description: Author this GPO by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. ms.assetid: 73cd9e25-f2f1-4ef6-b0d1-d36209518cd9 ms.reviewer: ms.author: dansimp diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md index bfe618f15f..de34b9c3ad 100644 --- a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md +++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md @@ -1,6 +1,6 @@ --- title: GPO\_DOMISO\_IsolatedDomain\_Servers (Windows 10) -description: GPO\_DOMISO\_IsolatedDomain\_Servers +description: Author this GPO by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. ms.assetid: 33aed8f3-fdc3-4f96-985c-e9d2720015d3 ms.reviewer: ms.author: dansimp 
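Review bot: In the new `description:` line of certificate-based-isolation-policy-design.md, "how it defers from Domain Isolation and Server Isolation Policy Design" should read "how it differs from". "Defers" changes the meaning of the sentence, and the same hunk leaves the title untouched, so the typo is the only new text a reader of the front matter sees.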
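Review bot: gpo-domiso-isolateddomain-clients.md and gpo-domiso-isolateddomain-servers.md are given the identical `description:` value ("Author this GPO by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools."), so the two pages can no longer be told apart by their descriptions, which the old values (the GPO names) at least allowed. Suggest naming the GPO in each sentence, GPO\_DOMISO\_IsolatedDomain\_Clients in one and GPO\_DOMISO\_IsolatedDomain\_Servers in the other.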
diff --git a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md index b34c8d48ea..117070ef88 100644 --- a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md +++ b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md @@ -1,6 +1,6 @@ --- title: Restrict Access to Only Specified Users or Devices (Windows 10) -description: Restrict Access to Only Specified Users or Devices +description: Restrict access to devices and users that are members of domain groups authorized to access that device using Windows Defender Firewall with Advanced Security. ms.assetid: a6106a07-f9e5-430f-8dbd-06d3bf7406df ms.reviewer: ms.author: dansimp From f5596eef5c59da482ea9af49f4f542eae9228b4a Mon Sep 17 00:00:00 2001 From: Obi Eze Ajoku <62227226+linque1@users.noreply.github.com> Date: Thu, 14 May 2020 02:00:50 -0700 Subject: [PATCH 32/49] Removed 1909 note as folder is now added Removed 1909 note as folder is now added --- ...-operating-system-components-to-microsoft-services.md | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 2048fbf29b..4bbec23cef 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
@@ -9,12 +9,12 @@ ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: high audience: ITPro -author: medgarmedgar -ms.author: robsize +author: linque1 +ms.author: obezeajo manager: robsize ms.collection: M365-security-compliance ms.topic: article -ms.date: 3/25/2020 +ms.date: 5/14/2020 --- # Manage connections from Windows 10 operating system components to Microsoft services @@ -36,9 +36,6 @@ Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline] > - It is recommended that you restart a device after making configuration changes to it. > - The **Get Help** and **Give us Feedback** links no longer work after the Windows Restricted Traffic Limited Functionality Baseline is applied. ->[!Note] ->Regarding the Windows Restricted Traffic Limited Functionality Baseline, the 1903 settings (folder) are applicable to 1909 Windows >Enterprise devices. There were no additional settings required for the 1909 release. - > [!Warning] > If a user executes the **Reset this PC** command (Settings -> Update & Security -> Recovery) with the **Keep my files option** (or the **Remove Everything** option) the Windows Restricted Traffic Limited Functionality Baseline settings will need to be re-applied in order to re-restrict the device. Egress traffic may occur prior to the re-application of the Restricted Traffic Limited Functionality Baseline settings. From 80f3f3ae43be49cf66aeaa086129230ce2abaf6c Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 14 May 2020 12:03:28 -0700 Subject: [PATCH 33/49] Update edr-in-block-mode.md --- .../microsoft-defender-atp/edr-in-block-mode.md | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md index adcfad4d3e..942f37ced7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md @@ -29,7 +29,7 @@ ms.collection: When [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) in block mode is enabled, Microsoft Defender ATP leverages behavioral blocking and containment capabilities by blocking malicious artifacts or behaviors that are observed through post-breach protection. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach. > [!NOTE] -> EDR in block mode is currently in **[limited private preview](#can-i-participate-in-the-preview-of-edr-in-block-mode)**. To get the best protection, make sure to **[deploy Microsoft Defender ATP baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline)**. +> EDR in block mode is currently in preview. To get the best protection, make sure to **[deploy Microsoft Defender ATP baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline)**. ## What happens when something is detected? @@ -83,10 +83,6 @@ Because Windows Defender Antivirus detects and remediates malicious items, it's Cloud protection is needed to turn on the feature on the device. Cloud protection allows [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) to deliver the latest and greatest protection based on our breadth and depth of security intelligence, along with behavioral and machine learning models. -### Can I participate in the preview of EDR in block mode? - -EDR in block mode is currently in limited private preview. If you would like to participate in this private preview program, send email to `shwjha@microsoft.com`. - ## Related articles [Behavioral blocking and containment](behavioral-blocking-containment.md) 
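Review bot: Deleting the "### Can I participate in the preview of EDR in block mode?" section in the second hunk of edr-in-block-mode.md (PATCH 33/49) removes the `#can-i-participate-in-the-preview-of-edr-in-block-mode` anchor, but behavioral-blocking-containment.md still links to `edr-in-block-mode.md#can-i-participate-in-the-preview-of-edr-in-block-mode` until PATCH 38/49 drops that link. Suggest making both changes in the same commit so that no revision in the series carries a dead anchor. The first hunk already removes the in-page link to the same anchor, which is correct.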
From 029274fd76ead39bc4cca317821fd37d6ba03959 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 14 May 2020 12:04:27 -0700 Subject: [PATCH 34/49] Update utilize-microsoft-cloud-protection-windows-defender-antivirus.md --- ...ize-microsoft-cloud-protection-windows-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md index 68f8c4587a..71f811db7b 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.reviewer: +ms.reviewer: shwjha manager: dansimp ms.custom: nextgen --- From 846151c8f566341dfe945b077ebe5ee81bccfab6 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 14 May 2020 12:37:41 -0700 Subject: [PATCH 35/49] Update utilize-microsoft-cloud-protection-windows-defender-antivirus.md --- ...d-protection-windows-defender-antivirus.md | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md index 71f811db7b..54ff42f744 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md 
+++ b/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md 
@@ -54,20 +54,23 @@ Read the following blog posts for detailed protection stories involving cloud-pr Cloud-delivered protection is enabled by default. However, you may need to re-enable it if it has been disabled as part of previous organizational policies. -Organizations running Windows 10 E5, version 1803 can also take advantage of emergency dynamic intelligence updates, which provide near real-time protection from emerging threats. When you turn cloud-delivered protection on, we can deliver a fix for a malware issue via the cloud within minutes instead of waiting for the next update. +Organizations running Windows 10 E5 can also take advantage of emergency dynamic intelligence updates, which provide near real-time protection from emerging threats. When you turn cloud-delivered protection on, fixes for malware issues can be delivered via the cloud within minutes, instead of waiting for the next update. >[!TIP] >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. The following table describes the differences in cloud-delivered protection between recent versions of Windows and Configuration Manager. 
-Feature | Windows 8.1 (Group Policy) | Windows 10, version 1607 (Group Policy) | Windows 10, version 1703 (Group Policy) | System Center 2012 Configuration Manager | Microsoft Endpoint Configuration Manager (Current Branch) | Microsoft Intune ----|---|---|---|---|---|--- -Cloud-protection service label | Microsoft Advanced Protection Service | Microsoft Advanced Protection Service | Cloud-based Protection | NA | Cloud protection service | Microsoft Advanced Protection Service -Reporting level (MAPS membership level) | Basic, Advanced | Advanced | Advanced | Dependent on Windows version | Dependent on Windows version | Dependent on Windows version -Cloud block timeout period | No | No | Configurable | Not configurable | Configurable | Configurable - -You can also [configure Windows Defender AV to automatically receive new protection updates based on reports from our cloud service](manage-event-based-updates-windows-defender-antivirus.md#cloud-report-updates). +|OS or Service |Cloud-protection service label |Reporting level (MAPS membership level) |Cloud block timeout period | +|---------|---------|---------|---------| +|Windows 8.1 (Group Policy) |Microsoft Advanced Protection Service |Basic, Advanced |No | +|Windows 10, version 1607 (Group Policy) |Microsoft Advanced Protection Service |Advanced |No | +|Windows 10, version 1703 or greater (Group Policy) |Cloud-based Protection |Advanced |Configurable | +|System Center 2012 Configuration Manager | |N/A |Dependent on Windows version |Not configurable +|Microsoft Endpoint Configuration Manager (Current Branch) |Cloud protection service |Dependent on Windows version |Configurable | +|Microsoft Intune |Microsoft Advanced Protection Service |Dependent on Windows version |Configurable | + +You can also [configure Windows Defender Antivirus to automatically receive new protection updates based on reports from our cloud service](manage-event-based-updates-windows-defender-antivirus.md#cloud-report-updates). 
## In this section From bc8abc567adfd85648073d02b43343b4dda26df9 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 14 May 2020 12:40:44 -0700 Subject: [PATCH 36/49] Update utilize-microsoft-cloud-protection-windows-defender-antivirus.md --- ...d-protection-windows-defender-antivirus.md | 22 ++++++++++--------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md index 54ff42f744..3f5dfd4f74 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md 
@@ -61,24 +61,26 @@ Organizations running Windows 10 E5 can also take advantage of emergency dynamic The following table describes the differences in cloud-delivered protection between recent versions of Windows and Configuration Manager. -|OS or Service |Cloud-protection service label |Reporting level (MAPS membership level) |Cloud block timeout period | +|OS version or service application |Cloud-protection service label |Reporting level (MAPS membership level) |Cloud block timeout period | |---------|---------|---------|---------| |Windows 8.1 (Group Policy) |Microsoft Advanced Protection Service |Basic, Advanced |No | |Windows 10, version 1607 (Group Policy) |Microsoft Advanced Protection Service |Advanced |No | |Windows 10, version 1703 or greater (Group Policy) |Cloud-based Protection |Advanced |Configurable | -|System Center 2012 Configuration Manager | |N/A |Dependent on Windows version |Not configurable +|System Center 2012 Configuration Manager | N/A |Dependent on Windows version |Not configurable | |Microsoft Endpoint Configuration Manager (Current Branch) |Cloud protection service |Dependent on Windows version |Configurable | |Microsoft Intune |Microsoft Advanced Protection Service |Dependent on Windows version |Configurable | You can also [configure Windows Defender Antivirus to automatically receive new protection updates based on reports from our cloud service](manage-event-based-updates-windows-defender-antivirus.md#cloud-report-updates). -## In this section +## Tasks - Topic | Description ----|--- -[Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) | You can enable cloud-delivered protection with Microsoft Endpoint Configuration Manager, Group Policy, Microsoft Intune, and PowerShell cmdlets. 
-[Specify the cloud-delivered protection level](specify-cloud-protection-level-windows-defender-antivirus.md) | You can specify the level of protection offered by the cloud with Group Policy and Microsoft Endpoint Configuration Manager. The protection level will affect the amount of information shared with the cloud and how aggressively new files are blocked. -[Configure and validate network connections for Windows Defender Antivirus](configure-network-connections-windows-defender-antivirus.md) | There are certain Microsoft URLs that your network and endpoints must be able to connect to for cloud-delivered protection to work effectively. This topic lists the URLs that should be allowed via firewall or network filtering rules, and instructions for confirming your network is properly enrolled in cloud-delivered protection. -[Configure the block at first sight feature](configure-block-at-first-sight-windows-defender-antivirus.md) | The Block at First Sight feature can block new malware within seconds, without having to wait hours for traditional Security intelligence. You can enable and configure it with Microsoft Endpoint Configuration Manager and Group Policy. -[Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md) | Windows Defender Antivirus can block suspicious files from running while it queries our cloud-delivered protection service. You can configure the amount of time the file will be prevented from running with Microsoft Endpoint Configuration Manager and Group Policy. +- [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md). You can enable cloud-delivered protection with Microsoft Endpoint Configuration Manager, Group Policy, Microsoft Intune, and PowerShell cmdlets. + +- [Specify the cloud-delivered protection level](specify-cloud-protection-level-windows-defender-antivirus.md). 
You can specify the level of protection offered by the cloud with Group Policy and Microsoft Endpoint Configuration Manager. The protection level will affect the amount of information shared with the cloud and how aggressively new files are blocked. + +- [Configure and validate network connections for Windows Defender Antivirus](configure-network-connections-windows-defender-antivirus.md). There are certain Microsoft URLs that your network and endpoints must be able to connect to for cloud-delivered protection to work effectively. This topic lists the URLs that should be allowed via firewall or network filtering rules, and instructions for confirming your network is properly enrolled in cloud-delivered protection. + +- [Configure the block at first sight feature](configure-block-at-first-sight-windows-defender-antivirus.md). The "block at first sight" feature can block new malware within seconds, without having to wait hours for traditional Security intelligence. You can enable and configure it with Microsoft Endpoint Configuration Manager and Group Policy. + +- [Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md). Windows Defender Antivirus can block suspicious files from running while it queries our cloud-delivered protection service. You can configure the amount of time the file will be prevented from running with Microsoft Endpoint Configuration Manager and Group Policy. From 253c4c83d46a776459d1f8aed1743c76d614e5f0 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 14 May 2020 12:44:47 -0700 Subject: [PATCH 37/49] Update utilize-microsoft-cloud-protection-windows-defender-antivirus.md --- ...ud-protection-windows-defender-antivirus.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) 
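Review bot: In PATCH 35/49, the added table row `|System Center 2012 Configuration Manager | |N/A |Dependent on Windows version |Not configurable` has five cells under a four-column header and no closing pipe, so every value in that row sits one column to the right of where the removed table had it. PATCH 36/49 corrects the row, but the intermediate commit publishes a broken table; suggest folding the fix into PATCH 35/49. The same hunk also changes content while reformatting: "Windows 10 E5, version 1803" becomes "Windows 10 E5" and "Windows 10, version 1703" becomes "version 1703 or greater". Neither is mentioned in the commit message, so please confirm both are intended.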
diff --git a/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md index 3f5dfd4f74..4bf7025062 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md @@ -1,7 +1,7 @@ --- -title: Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection -description: Next-gen technologies in cloud-delivered protection provide an advanced level of fast, robust antivirus detection. -keywords: windows defender antivirus, next-gen technologies, next-gen av, machine learning, antimalware, security, defender, cloud, cloud-delivered protection +title: Use next-generation technologies in Windows Defender Antivirus through cloud-delivered protection +description: next-generation technologies in cloud-delivered protection provide an advanced level of fast, robust antivirus detection. +keywords: windows defender antivirus, next-generation technologies, next-generation av, machine learning, antimalware, security, defender, cloud, cloud-delivered protection search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 @@ -16,7 +16,7 @@ manager: dansimp ms.custom: nextgen --- -# Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection +# Use next-generation technologies in Windows Defender Antivirus through cloud-delivered protection **Applies to:** 
@@ -27,17 +27,17 @@ Microsoft next-generation technologies in Windows Defender Antivirus provide nea Windows Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/). ![List of Windows Defender AV engines](images/microsoft-defender-atp-next-generation-protection-engines.png) -To take advantage of the power and speed of these next-gen technologies, Windows Defender Antivirus works seamlessly with Microsoft cloud services. These cloud protection services, also referred to as Microsoft Advanced Protection Service (MAPS), enhances standard real-time protection, providing arguably the best antivirus defense. +To take advantage of the power and speed of these next-generation technologies, Windows Defender Antivirus works seamlessly with Microsoft cloud services. These cloud protection services, also referred to as Microsoft Advanced Protection Service (MAPS), enhances standard real-time protection, providing arguably the best antivirus defense. >[!NOTE] >The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates. -With cloud-delivered protection, next-gen technologies provide rapid identification of new threats, sometimes even before a single machine is infected. 
Watch the following video about Microsoft AI and Windows Defender Antivirus in action: +With cloud-delivered protection, next-generation technologies provide rapid identification of new threats, sometimes even before a single machine is infected. Watch the following video about Microsoft AI and Windows Defender Antivirus in action: -To understand how next-gen technologies shorten protection delivery time through the cloud, watch the following video: +To understand how next-generation technologies shorten protection delivery time through the cloud, watch the following video: @@ -54,7 +54,7 @@ Read the following blog posts for detailed protection stories involving cloud-pr Cloud-delivered protection is enabled by default. However, you may need to re-enable it if it has been disabled as part of previous organizational policies. -Organizations running Windows 10 E5 can also take advantage of emergency dynamic intelligence updates, which provide near real-time protection from emerging threats. When you turn cloud-delivered protection on, fixes for malware issues can be delivered via the cloud within minutes, instead of waiting for the next update. +Organizations running Windows 10 E5 can also take advantage of emergency dynamic intelligence updates, which provide near real-time protection from emerging threats. When you turn on cloud-delivered protection, fixes for malware issues can be delivered via the cloud within minutes, instead of waiting for the next update. >[!TIP] >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. 
@@ -79,7 +79,7 @@ You can also [configure Windows Defender Antivirus to automatically receive new - [Specify the cloud-delivered protection level](specify-cloud-protection-level-windows-defender-antivirus.md). You can specify the level of protection offered by the cloud with Group Policy and Microsoft Endpoint Configuration Manager. The protection level will affect the amount of information shared with the cloud and how aggressively new files are blocked. -- [Configure and validate network connections for Windows Defender Antivirus](configure-network-connections-windows-defender-antivirus.md). There are certain Microsoft URLs that your network and endpoints must be able to connect to for cloud-delivered protection to work effectively. This topic lists the URLs that should be allowed via firewall or network filtering rules, and instructions for confirming your network is properly enrolled in cloud-delivered protection. +- [Configure and validate network connections for Windows Defender Antivirus](configure-network-connections-windows-defender-antivirus.md). There are certain Microsoft URLs that your network and endpoints must be able to connect to for cloud-delivered protection to work effectively. This article lists the URLs that should be allowed via firewall or network filtering rules, and instructions for confirming your network is properly enrolled in cloud-delivered protection. - [Configure the block at first sight feature](configure-block-at-first-sight-windows-defender-antivirus.md). The "block at first sight" feature can block new malware within seconds, without having to wait hours for traditional Security intelligence. You can enable and configure it with Microsoft Endpoint Configuration Manager and Group Policy. From bd64fb1121dcba3e13246c1201804ce06403fdcc Mon Sep 17 00:00:00 2001 
From: Denise Vangel-MSFT Date: Thu, 14 May 2020 12:46:37 -0700 Subject: [PATCH 38/49] Update behavioral-blocking-containment.md --- .../microsoft-defender-atp/behavioral-blocking-containment.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md index db8a4231aa..4084d8b928 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md +++ b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md 
@@ -38,7 +38,7 @@ Behavioral blocking and containment capabilities include the following: - **Feedback-loop blocking** (also referred to as rapid protection). Threat detections that are assumed to be false negatives are observed through behavioral intelligence. Threats are stopped and prevented from running on other endpoints. (Feedback-loop blocking is enabled by default.) -- **[Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md)**. Malicious artifacts or behaviors that are observed through post-breach protection are blocked and contained. EDR in block mode works even if Windows Defender Antivirus is not the primary antivirus solution. (EDR in block mode, currently in [limited private preview](edr-in-block-mode.md#can-i-participate-in-the-preview-of-edr-in-block-mode), is not enabled by default; you turn it on in the Microsoft Defender Security Center.) +- **[Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md)**. Malicious artifacts or behaviors that are observed through post-breach protection are blocked and contained. EDR in block mode works even if Windows Defender Antivirus is not the primary antivirus solution. (EDR in block mode, currently in preview, is not enabled by default; you turn it on in the Microsoft Defender Security Center.) As Microsoft continues to improve threat protection features and capabilities, you can expect more to come in the area of behavioral blocking and containment. Visit the [Microsoft 365 roadmap](https://www.microsoft.com/microsoft-365/roadmap) to see what's rolling out now and what's in development. From f26a6e78e77c0af23738a1f9b5237d59c52d2b6c Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 14 May 2020 12:50:07 -0700 Subject: [PATCH 39/49] Update install-wd-app-guard.md --- .../install-wd-app-guard.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) 
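Review bot: In the front-matter hunk of PATCH 37/49, the replacement of "next-gen" left the new `description:` starting in lower case ("description: next-generation technologies in cloud-delivered protection provide ..."), where the removed line began with "Next-gen". Suggest "Next-generation technologies in cloud-delivered protection ...". In the following hunk, the rewritten sentence "These cloud protection services, also referred to as Microsoft Advanced Protection Service (MAPS), enhances standard real-time protection" keeps a subject-verb mismatch ("services ... enhances"); since the line is being touched anyway, "enhance" would fix it.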
diff --git a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md index cdf47d7a4a..69dbc2ae77 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md @@ -85,9 +85,7 @@ Application Guard functionality is turned off by default. However, you can quick > [!IMPORTANT] > Make sure your organization's devices meet [requirements](reqs-wd-app-guard.md) and are [enrolled in Intune](https://docs.microsoft.com/mem/intune/enrollment/device-enrollment). -:::image type="complex" source="images/MDAG-EndpointMgr-newprofile.jpg" alt-text="Endpoint protection profile"::: - -:::image-end::: +:::image type="content" source="images/MDAG-EndpointMgr-newprofile.jpg" alt-text="Enroll devices in Intune"::: 1. Go to [https://endpoint.microsoft.com](https://endpoint.microsoft.com) and sign in. From 8be0356447beae8280ab5bdc2daa2abee3cca529 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 14 May 2020 13:25:57 -0700 Subject: [PATCH 40/49] add videos --- windows/security/threat-protection/index.md | 3 +++ .../microsoft-defender-advanced-threat-protection.md | 5 ++++- .../overview-attack-surface-reduction.md | 3 +++ 3 files changed, 10 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md index f7ed889815..50eef5e7fc 100644 --- a/windows/security/threat-protection/index.md +++ b/windows/security/threat-protection/index.md @@ -44,6 +44,9 @@ ms.topic: conceptual + +
    [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4obJq]
    + **[Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)**
    This built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md index a4991649d4..7ed525627b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md @@ -26,7 +26,7 @@ ms.topic: conceptual Microsoft Defender Advanced Threat Protection is a platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.

    -> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4obJq] +
    [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4wDob]
    Microsoft Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service: @@ -67,6 +67,9 @@ Microsoft Defender ATP uses the following combination of technology built into W
    +

    + +
    [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4vnC4?rel=0]
    > [!TIP] > - Learn about the latest enhancements in Microsoft Defender ATP: [What's new in Microsoft Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/). diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md index 4fda24160f..283cc65805 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md @@ -27,6 +27,9 @@ ms.topic: conceptual Help reduce your attack surfaces, by minimizing the places where your organization is vulnerable to cyberthreats and attacks. Use the following resources to configure protection for the devices and applications in your organization. +

    +
    [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4woug]
    + Article | Description -|- [Attack surface reduction](./attack-surface-reduction.md) | Reduce vulnerabilities (attack surfaces) in your applications with intelligent rules that help stop malware. (Requires Windows Defender Antivirus). From a268da7b48a768b0051e874d3d729f179ab14460 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 14 May 2020 13:51:33 -0700 Subject: [PATCH 41/49] Fixed hanging indentation of second-level list items To get hanging indentation of second-level items (with a, b, c), we need to rely on automatic numbering (which means 1, 1, 1). --- .../install-wd-app-guard.md | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md index 69dbc2ae77..e5630f24a3 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md @@ -89,15 +89,15 @@ Application Guard functionality is turned off by default. However, you can quick 1. Go to [https://endpoint.microsoft.com](https://endpoint.microsoft.com) and sign in. -2. Choose **Devices** > **Configuration profiles** > **+ Create profile**, and do the following:
    +1. Choose **Devices** > **Configuration profiles** > **+ Create profile**, and do the following:
    - a. In the **Platform** list, select **Windows 10 and later**. + 1. In the **Platform** list, select **Windows 10 and later**. - b. In the **Profile** list, select **Endpoint protection**. + 1. In the **Profile** list, select **Endpoint protection**. - c. Choose **Create**. + 1. Choose **Create**. -4. Specify the following settings for the profile: +1. Specify the following settings for the profile: - **Name** and **Description** @@ -107,17 +107,17 @@ Application Guard functionality is turned off by default. However, you can quick - Choose your preferences for **Clipboard behavior**, **External content**, and the remaining settings. -5. Choose **OK**, and then choose **OK** again. +1. Choose **OK**, and then choose **OK** again. -6. Review your settings, and then choose **Create**. +1. Review your settings, and then choose **Create**. -7. Choose **Assignments**, and then do the following: +1. Choose **Assignments**, and then do the following: - a. On the **Include** tab, in the **Assign to** list, choose an option. + 1. On the **Include** tab, in the **Assign to** list, choose an option. - b. If you have any devices or users you want to exclude from this endpoint protection profile, specify those on the **Exclude** tab. + 1. If you have any devices or users you want to exclude from this endpoint protection profile, specify those on the **Exclude** tab. - c. Click **Save**. + 1. Click **Save**. After the profile is created, any devices to which the policy should apply will have Windows Defender Application Guard enabled. Users might have to restart their devices in order for protection to be in place. From eab69304df20c11699d735a42ad6f3cb1a178e7f Mon Sep 17 00:00:00 2001 From: "Jeff Reeds (Aquent LLC)" Date: Thu, 14 May 2020 13:55:03 -0700 Subject: [PATCH 42/49] changed Device guard mentions --- .../credential-guard-manage.md | 20 +++++++++---------- windows/security/threat-protection/TOC.md | 3 +-- 2 files changed, 11 insertions(+), 12 deletions(-) 
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index c0f08da439..7e98cba59b 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -24,7 +24,7 @@ ms.reviewer: ## Enable Windows Defender Credential Guard -Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-windows-defender-credential-guard-by-using-group-policy), the [registry](#enable-windows-defender-credential-guard-by-using-the-registry), or the Hypervisor-Protected Code Integrity and Windows Defender Credential Guard [hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. +Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-windows-defender-credential-guard-by-using-group-policy), the [registry](#enable-windows-defender-credential-guard-by-using-the-registry), or the Hypervisor-Protected Code Integrity (HVCI) and Windows Defender Credential Guard [hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. The same set of procedures used to enable Windows Defender Credential Guard on physical machines applies also to virtual machines. 
@@ -113,15 +113,15 @@ You can do this by using either the Control Panel or the Deployment Image Servic -### Enable Windows Defender Credential Guard by using the Hypervisor-Protected Code Integrity and Windows Defender Credential Guard hardware readiness tool +### Enable Windows Defender Credential Guard by using the HVCI and Windows Defender Credential Guard hardware readiness tool -You can also enable Windows Defender Credential Guard by using the [Hypervisor-Protected Code Integrity and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md). +You can also enable Windows Defender Credential Guard by using the [HVCI and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md). ``` DG_Readiness_Tool.ps1 -Enable -AutoReboot ``` > [!IMPORTANT] -> When running the Hypervisor-Protected Code Integrity and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work. +> When running the HVCI and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work. > This is a known issue. ### Review Windows Defender Credential Guard performance 
@@ -138,13 +138,13 @@ You can view System Information to check that Windows Defender Credential Guard ![System Information](images/credguard-msinfo32.png) -You can also check that Windows Defender Credential Guard is running by using the [Hypervisor-Protected Code Integrity and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md). +You can also check that Windows Defender Credential Guard is running by using the [HVCI and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md). ``` DG_Readiness_Tool_v3.6.ps1 -Ready ``` > [!IMPORTANT] -> When running the Hypervisor-Protected Code Integrity and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work. +> When running the HVCI and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work. > This is a known issue. > [!NOTE] 
@@ -209,20 +209,20 @@ To disable Windows Defender Credential Guard, you can use the following set of p > [!NOTE] > Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs. These options will be made available with future Gen 2 VMs. -For more info on virtualization-based security and Hypervisor-Protected Code Integrity, see [Enable virtualization-based protection of code integrity](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity +For more info on virtualization-based security and HVCI, see [Enable virtualization-based protection of code integrity](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity ). -#### Disable Windows Defender Credential Guard by using the Hypervisor-Protected Code Integrity and Windows Defender Credential Guard hardware readiness tool +#### Disable Windows Defender Credential Guard by using the HVCI and Windows Defender Credential Guard hardware readiness tool -You can also disable Windows Defender Credential Guard by using the [Hypervisor-Protected Code Integrity and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md). +You can also disable Windows Defender Credential Guard by using the [HVCI and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md). ``` DG_Readiness_Tool_v3.6.ps1 -Disable -AutoReboot ``` > [!IMPORTANT] -> When running the Hypervisor-Protected Code Integrity and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work. 
+> When running the HVCI and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work. > This is a known issue. #### Disable Windows Defender Credential Guard for a virtual machine diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index c85b7dc141..dac2499b3b 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -62,9 +62,8 @@ #### [Device control]() +##### [Code integrity](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md) ##### [Control USB devices](device-control/control-usb-devices-using-intune.md) -###### [Code integrity](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md) - #### [Exploit protection]() From 4571448c1a0932ef9cac4533262f54e946a359d2 Mon Sep 17 00:00:00 2001 From: "Jeff Reeds (Aquent LLC)" Date: Thu, 14 May 2020 13:57:50 -0700 Subject: [PATCH 43/49] Updated meta description --- .../advanced-troubleshooting-802-authentication.md | 2 +- windows/client-management/troubleshoot-windows-freeze.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/advanced-troubleshooting-802-authentication.md b/windows/client-management/advanced-troubleshooting-802-authentication.md index 124846eb32..6b594a81fd 100644 --- a/windows/client-management/advanced-troubleshooting-802-authentication.md +++ b/windows/client-management/advanced-troubleshooting-802-authentication.md 
@@ -2,7 +2,7 @@ title: Advanced Troubleshooting 802.1X Authentication ms.reviewer: manager: dansimp -description: Learn how 802.1X Authentication works +description: Troubleshoot authentication flow by learning how 802.1X Authentication works for wired and wireless clients. keywords: advanced troubleshooting, 802.1X authentication, troubleshooting, authentication, Wi-Fi ms.prod: w10 ms.mktglfcycl: diff --git a/windows/client-management/troubleshoot-windows-freeze.md b/windows/client-management/troubleshoot-windows-freeze.md index c9691539ef..3a584ddb8f 100644 --- a/windows/client-management/troubleshoot-windows-freeze.md +++ b/windows/client-management/troubleshoot-windows-freeze.md @@ -2,7 +2,7 @@ title: Advanced troubleshooting for Windows-based computer freeze issues ms.reviewer: manager: dansimp -description: Learn how to troubleshoot computer freeze issues. +description: Learn how to troubleshoot computer freeze issues on Windows-based computers and servers. ms.prod: w10 ms.mktglfcycl: ms.sitesec: library From 8254710c530437f47a56c8a1d0b3d1032a55ff6a Mon Sep 17 00:00:00 2001 From: "Jeff Reeds (Aquent LLC)" Date: Thu, 14 May 2020 14:10:10 -0700 Subject: [PATCH 44/49] Update index.md --- store-for-business/index.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/store-for-business/index.md b/store-for-business/index.md index 71a8c271d1..9ec42cc879 100644 --- a/store-for-business/index.md +++ b/store-for-business/index.md @@ -2,6 +2,7 @@ title: Microsoft Store for Business and Education (Windows 10) description: Welcome to the Microsoft Store for Business and Education. You can use Microsoft Store, to find, acquire, distribute, and manage apps for your organization or school. ms.assetid: 527E611E-4D47-44F0-9422-DCC2D1ACBAB8 +manager: dansimp ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library 
@@ -10,7 +11,7 @@ author: TrudyHa ms.author: TrudyHa ms.topic: conceptual ms.localizationpriority: high -ms.date: 10/17/2017 +ms.date: 05/14/2020 --- # Microsoft Store for Business and Education From fc8bc9effc758fc93825b1614f46a7ce6fb41dcb Mon Sep 17 00:00:00 2001 From: "Jeff Reeds (Aquent LLC)" Date: Thu, 14 May 2020 14:12:57 -0700 Subject: [PATCH 45/49] Update additional-mitigations.md --- .../credential-guard/additional-mitigations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/credential-guard/additional-mitigations.md b/windows/security/identity-protection/credential-guard/additional-mitigations.md index 03924d7205..5a88c7b645 100644 --- a/windows/security/identity-protection/credential-guard/additional-mitigations.md +++ b/windows/security/identity-protection/credential-guard/additional-mitigations.md 
@@ -18,7 +18,7 @@ ms.reviewer: # Additional mitigations -Windows Defender Credential Guard can provide mitigation against attacks on derived credentials and prevent the use of stolen credentials elsewhere. However, PCs can still be vulnerable to certain attacks, even if the derived credentials are protected by Windows Defender Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, re-using previously stolen credentials prior to Hypervisor-Protected Code Integrity, and abuse of management tools and weak application configurations. Because of this, additional mitigation also must be deployed to make the domain environment more robust. +Windows Defender Credential Guard can provide mitigation against attacks on derived credentials and prevent the use of stolen credentials elsewhere. However, PCs can still be vulnerable to certain attacks, even if the derived credentials are protected by Windows Defender Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, re-using previously stolen credentials prior to Windows Defender Credential Guard, and abuse of management tools and weak application configurations. Because of this, additional mitigation also must be deployed to make the domain environment more robust. ## Restricting domain users to specific domain-joined devices From 2ef3819c7bcb4eccb02820ba01ee4145da476134 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 14 May 2020 14:17:40 -0700 Subject: [PATCH 46/49] Acrolinx spelling: "authenticatior" --- .../advanced-troubleshooting-802-authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/advanced-troubleshooting-802-authentication.md b/windows/client-management/advanced-troubleshooting-802-authentication.md index 6b594a81fd..4af9868736 100644 
--- a/windows/client-management/advanced-troubleshooting-802-authentication.md +++ b/windows/client-management/advanced-troubleshooting-802-authentication.md @@ -73,7 +73,7 @@ The following article explains how to analyze CAPI2 event logs: When troubleshooting complex 802.1X authentication issues, it is important to understand the 802.1X authentication process. The following figure is an example of wireless connection process with 802.1X authentication: -![authenticatior flow chart](images/authenticator_flow_chart.png) +![authenticator flow chart](images/authenticator_flow_chart.png) If you [collect a network packet capture](troubleshoot-tcpip-netmon.md) on both the client and the server (NPS) side, you can see a flow like the one below. Type **EAPOL** in the Display Filter in for a client side capture, and **EAP** for an NPS side capture. See the following examples: From fe5c8369081c4132d3fafb439df998991a760829 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 14 May 2020 14:24:51 -0700 Subject: [PATCH 47/49] remove center --- windows/security/threat-protection/index.md | 2 +- .../microsoft-defender-advanced-threat-protection.md | 4 ++-- .../overview-attack-surface-reduction.md | 3 ++- 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md index 50eef5e7fc..71fca8b044 100644 --- a/windows/security/threat-protection/index.md +++ b/windows/security/threat-protection/index.md @@ -45,7 +45,7 @@ ms.topic: conceptual -
    [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4obJq]
    +>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4obJq] **[Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)**
    This built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md index 7ed525627b..8f19799fd0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md @@ -26,7 +26,7 @@ ms.topic: conceptual Microsoft Defender Advanced Threat Protection is a platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.

    -
    [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4wDob]
    +>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4wDob] Microsoft Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service: @@ -69,7 +69,7 @@ Microsoft Defender ATP uses the following combination of technology built into W

    -
    [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4vnC4?rel=0]
    +>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4vnC4?rel=0] > [!TIP] > - Learn about the latest enhancements in Microsoft Defender ATP: [What's new in Microsoft Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/). diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md index 283cc65805..967d14b25f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md @@ -28,7 +28,8 @@ ms.topic: conceptual Help reduce your attack surfaces, by minimizing the places where your organization is vulnerable to cyberthreats and attacks. Use the following resources to configure protection for the devices and applications in your organization.

    -
    [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4woug]
    +> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4woug] + Article | Description -|- From 57898931ff8a4182523d210b4b5ce144f432c63b Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Fri, 15 May 2020 08:36:03 -0700 Subject: [PATCH 48/49] typo --- windows/whats-new/whats-new-windows-10-version-1909.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/whats-new-windows-10-version-1909.md b/windows/whats-new/whats-new-windows-10-version-1909.md index 5d019f5d03..6d20ec5fa7 100644 --- a/windows/whats-new/whats-new-windows-10-version-1909.md +++ b/windows/whats-new/whats-new-windows-10-version-1909.md 
@@ -78,7 +78,7 @@ Windows Virtual Desktop is a comprehensive desktop and app virtualization servic #### Microsoft Endpoint Manager -Configuration Manager, Intune, Desktop Analytics, Co-Management, and Device Management Admin Console are now are [Microsoft Endpoint Manager](https://docs.microsoft.com/configmgr/). See the Nov. 4 2019 [announcement](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/). Also see [Modern management and security principles driving our Microsoft Endpoint Manager vision](https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Modern-management-and-security-principles-driving-our-Microsoft/ba-p/946797). +Configuration Manager, Intune, Desktop Analytics, Co-Management, and Device Management Admin Console are now [Microsoft Endpoint Manager](https://docs.microsoft.com/configmgr/). See the Nov. 4 2019 [announcement](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/). Also see [Modern management and security principles driving our Microsoft Endpoint Manager vision](https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Modern-management-and-security-principles-driving-our-Microsoft/ba-p/946797). ### Windows 10 Pro and Enterprise in S mode From a54a1f5800367c578437bd05efa1394e4a0770bf Mon Sep 17 00:00:00 2001 From: jaimeo Date: Fri, 15 May 2020 09:48:36 -0700 Subject: [PATCH 49/49] replaced readyforwindows with direct link to replacement article --- windows/deployment/update/waas-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md index cd447823e3..0f27e47a7e 100644 --- a/windows/deployment/update/waas-overview.md +++ b/windows/deployment/update/waas-overview.md 
@@ -46,7 +46,7 @@ Application compatibility testing has historically been a burden when approachin Most Windows 7–compatible desktop applications will be compatible with Windows 10 straight out of the box. Windows 10 achieved such high compatibility because the changes in the existing Win32 application programming interfaces were minimal. Combined with valuable feedback via the Windows Insider Program and diagnostic data, this level of compatibility can be maintained through each feature update. As for websites, Windows 10 includes Internet Explorer 11 and its backward-compatibility modes for legacy websites. Finally, UWP apps follow a compatibility story similar to desktop applications, so most of them will be compatible with Windows 10. -For the most important business-critical applications, organizations should still perform testing on a regular basis to validate compatibility with new builds. For remaining applications, consider validating them as part of a pilot deployment process to reduce the time spent on compatibility testing. If it’s unclear whether an application is compatible with Windows 10, IT pros can either consult with the ISV or check the supported software directory at [http://www.readyforwindows.com](http://www.readyforwindows.com). +For the most important business-critical applications, organizations should still perform testing on a regular basis to validate compatibility with new builds. For remaining applications, consider validating them as part of a pilot deployment process to reduce the time spent on compatibility testing. Desktop Analytics s a cloud-based service that integrates with Configuration Manager. The service provides insight and intelligence for you to make more informed decisions about the update readiness of your Windows endpoints, including assessment of your existing applications. For more, see [Ready for modern desktop retirement FAQ](https://docs.microsoft.com/mem/configmgr/desktop-analytics/ready-for-windows). 
### Device compatibility
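Review bot: In PATCH 39/49 (install-wd-app-guard.md), the new alt-text "Enroll devices in Intune" does not describe the image it is attached to. The source is images/MDAG-EndpointMgr-newprofile.jpg and the numbered steps that follow create a configuration profile, so the alt text should say what the screenshot shows, for example by expanding the previous "Endpoint protection profile" wording. The switch from type="complex" to type="content" and dropping the empty :::image-end::: block is fine.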
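Review bot: In PATCH 42/49 (credential-guard-manage.md), the two rewritten [!IMPORTANT] notes under the -Ready and -Disable examples still carry a stray asterisk inside the code span, `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture`, while the rewritten note under -Enable has `$OSArch` without it. Since these lines are being touched anyway, drop the `*` so the string readers are told to look for matches what is in the script. The surrounding examples also name the script `DG_Readiness_Tool.ps1` in one place and `DG_Readiness_Tool_v3.6.ps1` in the other two; it is worth aligning those in the same pass.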
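Review bot: In PATCH 47/49, the replacement video lines are formatted inconsistently: index.md and both lines in microsoft-defender-advanced-threat-protection.md use `>[!VIDEO ...]` with no space after `>`, while overview-attack-surface-reduction.md uses `> [!VIDEO ...]`. The `> [!TIP]` block visible in the same hunk uses the spaced form, so use `> [!VIDEO` in the three lines that lack the space.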
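Review bot: In PATCH 49/49 (waas-overview.md), the added sentence reads "Desktop Analytics s a cloud-based service"; "s" should be "is". The replacement also removes the advice to consult the ISV when it is unclear whether an application is compatible, which was independent of the retired readyforwindows.com link; if that guidance still holds, keep it next to the Desktop Analytics pointer. "For more, see" would read better as "For more information, see".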