Merge branch 'master' into kwekua-cortana

Kweku Ako-Adjei 2020-05-15 11:15:42 -07:00
commit 5c29b6ab7e
63 changed files with 257 additions and 174 deletions

View File

@ -32,7 +32,7 @@ HoloLens supports several kinds of user identities. You can use one or more user
| Identity type | Accounts per device | Authentication options |
| --- | --- | --- |
| [Azure Active Directory (AAD)](https://docs.microsoft.com/azure/active-directory/) | 32 (see details) | <ul><li>Azure web credential provider</li><li>Azure Authenticator App</li><li>Biometric (Iris) &ndash; HoloLens 2 only</li><li>PIN &ndash; Optional for HoloLens (1st gen), required for HoloLens 2</li><li>Password</li></ul> |
| [Azure Active Directory (AAD)](https://docs.microsoft.com/azure/active-directory/) | 64 | <ul><li>Azure web credential provider</li><li>Azure Authenticator App</li><li>Biometric (Iris) &ndash; HoloLens 2 only</li><li>PIN &ndash; Optional for HoloLens (1st gen), required for HoloLens 2</li><li>Password</li></ul> |
| [Microsoft Account (MSA)](https://docs.microsoft.com/windows/security/identity-protection/access-control/microsoft-accounts) | 1 | <ul><li>Biometric (Iris) &ndash; HoloLens 2 only</li><li>PIN &ndash; Optional for HoloLens (1st gen), required for HoloLens 2</li><li>Password</li></ul> |
| [Local account](https://docs.microsoft.com/windows/security/identity-protection/access-control/local-accounts) | 1 | Password |
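Review bot: the AAD row changes the accounts-per-device limit from 32 to 64 and at the same time drops the "(see details)" pointer; if the 64 figure depends on conditions that the old details text explained (device generation, OS build), keep a link to that explanation, otherwise a reader has no way to tell why the number doubled or whether it applies to HoloLens (1st gen) as well as HoloLens 2. It would also help to state whether the single MSA and local accounts in the rows below count against the 64.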

View File

@ -133,7 +133,11 @@ In order to maintain/advance Internal Battery Charge Percentage while the device
### Safety
HoloLens 2 has been tested and conforms to the basic impact protection requirements of ANSI Z87.1, CSA Z94.3 and EN 166.
[Product Safety](https://support.microsoft.com/en-us/help/4023454/safety-information)
Eye safety: HoloLens 2 has been tested and conforms to the basic impact protection requirements of ANSI Z87.1, CSA Z94.3 and EN 166.
### Regulatory Information
[HoloLens Regulatory](https://support.microsoft.com/en-us/help/13761/hololens-regulatory-information)
## Next step
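Review bot: the new "[Product Safety]" link hard-codes the `en-us` locale in its URL while the HoloLens Regulatory link in the same hunk does not; drop the `/en-us/` segment so the link follows the reader's locale. The "Eye safety:" line restates the ANSI Z87.1 / CSA Z94.3 / EN 166 sentence that is removed just above it, so the net change is a label plus a link; fine, but make the link a sentence ("For product safety information, see [Product Safety](...).") rather than a bare link line between two paragraphs.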

View File

@ -60,16 +60,6 @@ Using Surface Hub 2S, you can reinstall the device by using a recovery image. By
When the first-time setup screen appears,remove the USB drive.
## Recover a locked Surface Hub
At the end of a session, Surface Hub 2S may occasionally encounter an error during the cleanup of user and app data at the end of a session. If this occurs, the device automatically reboots and resumes the data cleanup. However, if this operation repeatedly fails, the device automatically locks to protect user data.
**To unlock a Surface Hub 2S:** <br>
- Reset or recover the device from the Windows Recovery Environment. For more information, see [What is Windows RE?](https://technet.microsoft.com/library/cc765966.aspx)
> [!NOTE]
> To enter recovery mode, unplug the power cord and plug it in again three times.
## Contact Support
If you have questions or need help, you can [create a support request](https://support.microsoft.com/supportforbusiness/productselection).
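Review bot: this hunk deletes the whole "Recover a locked Surface Hub" section, which was the only place explaining the auto-lock that protects user data when end-of-session cleanup repeatedly fails, and the only place giving the recovery-mode instruction (unplug and replug the power cord three times). If the behaviour no longer applies, the change should say so or point to where the guidance moved; if it still applies, removing it leaves an admin with a locked device and no documented way out. At minimum keep a one-line pointer under "Contact Support" or in the reinstall section above.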

View File

@ -28,7 +28,7 @@ Network deployment to Surface devices can pose some unique challenges for system
Before you can address the concerns of how you will boot to your deployment environment or how devices will be recognized by your deployment solution, you have to use a wired network adapter.
The primary concern when selecting an Ethernet adapter is how that adapter will boot your Surface device from the network. If you are pre-staging clients with Windows Deployment Services (WDS) or if you are using Microsoft Endpoint Configuration Manager, you may also want to consider whether the removable Ethernet adapters will be dedicated to a specific Surface device or shared among multiple devices. See the [Manage MAC addresses with removable Ethernet adapters](#manage-mac-addresses) section of this article for more information on potential conflicts with shared adapters.
The primary concern when selecting an Ethernet adapter is how that adapter will boot your Surface device from the network. If you are pre-staging clients with Windows Deployment Services (WDS) or if you are using Microsoft Endpoint Configuration Manager, you may also want to consider whether the removable Ethernet adapters will be dedicated to a specific Surface device or shared among multiple devices. For more information on potential conflicts with shared adapters, see [Manage MAC addresses with removable Ethernet adapters](#manage-mac-addresses) later in this article.
Booting from the network (PXE boot) is only supported when you use an Ethernet adapter or docking station from Microsoft. To boot from the network, the chipset in the Ethernet adapter or dock must be detected and configured as a boot device in the firmware of the Surface device. Microsoft Ethernet adapters, such as the Surface Ethernet Adapter and the [Surface Dock](https://www.microsoft.com/surface/accessories/surface-dock) use a chipset that is compatible with the Surface firmware.
@ -67,7 +67,6 @@ For Windows 10, version 1511 and later including the Windows Assessment and
## <a href="" id="manage-mac-addresses"></a>Manage MAC addresses with removable Ethernet adapters
Another consideration for administrators performing Windows deployment over the network is how you will identify computers when you use the same Ethernet adapter to deploy to more than one computer. A common identifier used by deployment technologies is the Media Access Control (MAC) address that is associated with each Ethernet adapter. However, when you use the same Ethernet adapter to deploy to multiple computers, you cannot use a deployment technology that inspects MAC addresses because there is no way to differentiate the MAC address of the removable adapter when used on the different computers.
The simplest solution to avoid MAC address conflicts is to provide a dedicated removable Ethernet adapter for each Surface device. This can make sense in many scenarios where the Ethernet adapter or the additional functionality of the docking station will be used regularly. However, not all scenarios call for the additional connectivity of a docking station or support for wired networks.
@ -85,7 +84,7 @@ To access the firmware of a Surface device, follow these steps:
When deploying with WDS, the MAC address is only used to identify a computer when the deployment server is configured to respond only to known, pre-staged clients. When pre-staging a client, an administrator creates a computer account in Active Directory and defines that computer by the MAC address or the System UUID. To avoid the identity conflicts caused by shared Ethernet adapters, you should use [System UUID to define pre-staged clients](https://technet.microsoft.com/library/cc742034). Alternatively, you can configure WDS to respond to unknown clients that do not require definition by either MAC address or System UUID by selecting the **Respond to all client computers (known and unknown)** option on the [**PXE Response** tab](https://technet.microsoft.com/library/cc732360) in **Windows Deployment Server Properties**.
The potential for conflicts with shared Ethernet adapters is much higher with Configuration Manager. Where WDS only uses MAC addresses to define individual systems when configured to do so, Configuration Manager uses the MAC address to define individual systems whenever performing a deployment to new or unknown computers. This can result in improperly configured devices or even the inability to deploy more than one system with a shared Ethernet adapter. There are several potential solutions for this situation that are described in detail in the [How to Use The Same External Ethernet Adapter For Multiple SCCM OSD](https://blogs.technet.microsoft.com/askpfeplat/2014/07/27/how-to-use-the-same-external-ethernet-adapter-for-multiple-sccm-osd/) blog post on the Ask Premier Field Engineering (PFE) Platforms TechNet blog.
The potential for conflicts with shared Ethernet adapters is much higher with Configuration Manager. Where WDS only uses MAC addresses to define individual systems when configured to do so, Configuration Manager uses the MAC address to define individual systems whenever performing a deployment to new or unknown computers. This can result in improperly configured devices or even the inability to deploy more than one system with a shared Ethernet adapter. There are several potential solutions for this situation that are described in detail in [How to Use The Same External Ethernet Adapter For Multiple SCCM OSD](https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/how-to-use-the-same-external-ethernet-adapter-for-multiple-sccm/ba-p/257374), a blog post on the Core Infrastructure and Security Blog.
 

View File

@ -28,20 +28,9 @@ landingContent:
url: https://www.microsoft.com/surface/business/surface-go-2
- text: Surface Book 3 for Business
url: https://www.microsoft.com/surface/business/surface-book-3
- text: Surface Pro 7 for Business
url: https://www.microsoft.com/surface/business/surface-pro-7
- text: Surface Pro X for Business
url: https://www.microsoft.com/surface/business/surface-pro-x
- text: Surface Laptop 3 for Business
url: https://www.microsoft.com/surface/business/surface-laptop-3
- text: Surface Studio 2 for Business
url: https://www.microsoft.com/surface/business/surface-studio-2
- linkListType: video
links:
- text: Microsoft Mechanics Surface videos
url: https://www.youtube.com/watch?v=Uk2kJ5FUZxY&list=PLXtHYVsvn_b__1Baibdu4elN4SoF3JTBZ
- text: Explore all Surface family products
url: https://www.microsoft.com/surface/business
# Card (optional)
- title: Get started
linkLists:
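Review bot: the Explore card loses the Surface Pro 7, Pro X, Laptop 3 and Studio 2 entries together with the whole video link list. The Microsoft Mechanics video link reappears under "Participate in Surface Community" later in this file, but the four product pages do not reappear anywhere in the diff. If the intent is to list only the newest devices (Go 2, Book 3) and rely on "Explore all Surface family products" for the rest, that is fine; otherwise this is a silent drop and should be called out in the commit.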
@ -52,38 +41,34 @@ landingContent:
- text: Surface Book 3 Quadro RTX 3000 technical overview
url: surface-book-quadro.md
- text: Whats new in Surface Dock 2
url: surface-dock-whats-new.md
- text: Surface and Endpoint Configuration Manager considerations
url: considerations-for-surface-and-system-center-configuration-manager.md
- text: Wake On LAN for Surface devices
url: wake-on-lan-for-surface-devices.md
url: surface-dock-whats-new.md
# Card
- title: Deploy Surface devices
linkLists:
- linkListType: deploy
links:
- text: Manage and deploy Surface driver and firmware updates
url: manage-surface-driver-and-firmware-updates.md
- text: Surface Deployment Accelerator tool
url: microsoft-surface-deployment-accelerator.md
- text: Autopilot and Surface devices
url: windows-autopilot-and-surface-devices.md
- text: Deploying, managing, and servicing Surface Pro X
url: surface-pro-arm-app-management.md
# Card
# Card
- title: Manage Surface devices
linkLists:
- linkListType: how-to-guide
links:
- text: Optimize Wi-Fi connectivity for Surface devices
url: surface-wireless-connect.md
- text: Manage and deploy Surface driver and firmware updates
url: manage-surface-driver-and-firmware-updates.md
- text: Best practice power settings for Surface devices
url: maintain-optimal-power-settings-on-Surface-devices.md
- text: Manage battery limit with UEFI
url: battery-limit.md
- text: Optimize Wi-Fi connectivity for Surface devices
url: surface-wireless-connect.md
# Card
- title: Secure Surface devices
- title: Explore security guidance
linkLists:
- linkListType: how-to-guide
links:
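Review bot: "Whats new in Surface Dock 2" is missing its apostrophe ("What's"); it is an unchanged context line, but the hunk rearranges the lines around it, so fix it here. `url: surface-dock-whats-new.md` appears twice in this hunk (once in the removed block, once re-added after the Wake On LAN entry); make sure the resulting YAML has exactly one `url:` under that `text:` entry, since a dangling `url:` without its `text:` breaks the card. The "Surface and Endpoint Configuration Manager considerations" and "Wake On LAN for Surface devices" links are removed from Get started and not re-added in any other card in this diff; Wake On LAN is a deployment and management topic admins look for, so move it to the Manage card rather than dropping it.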
@ -93,37 +78,39 @@ landingContent:
url: surface-enterprise-management-mode.md
- text: Surface Data Eraser tool
url: microsoft-surface-data-eraser.md
# Card
# Card
- title: Discover Surface tools
linkLists:
- linkListType: how-to-guide
links:
- text: Surface Dock Firmware Update
url: surface-dock-firmware-update.md
- text: Surface Diagnostic Toolkit for Business
url: surface-diagnostic-toolkit-for-business-intro.md
- text: SEMM and UEFI
url: surface-enterprise-management-mode.md
- text: Surface Brightness Control
url: microsoft-surface-brightness-control.md
- text: Battery Limit setting
url: battery-limit.md
# Card
- title: Support and community
# Card
- title: Browse support solutions
linkLists:
- linkListType: learn
links:
- text: Top support solutions
url: support-solutions-surface.md
- text: Maximize your Surface battery life
url: https://support.microsoft.com/help/4483194/maximize-surface-battery-life
- text: Protecting your data during Surface repair or service
url: https://support.microsoft.com/help/4023508/surface-faq-protecting-your-data-service
- text: Troubleshoot Surface Dock and docking stations
url: https://support.microsoft.com/help/4023468/surface-troubleshoot-surface-dock-and-docking-stations
- linkListType: reference
# Card
- title: Participate in Surface Community
linkLists:
- linkListType: learn
links:
- text: Surface IT Pro blog
url: https://techcommunity.microsoft.com/t5/Surface-IT-Pro-Blog/bg-p/SurfaceITPro
- text: Surface Devices Tech Community
url: https://techcommunity.microsoft.com/t5/Surface-Devices/ct-p/SurfaceDevices
- text: Microsoft Mechanics Surface videos
url: https://www.youtube.com/watch?v=Uk2kJ5FUZxY&list=PLXtHYVsvn_b__1Baibdu4elN4SoF3JTBZ
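Review bot: the new "Discover Surface tools" card links surface-enterprise-management-mode.md ("SEMM and UEFI") and battery-limit.md ("Battery Limit setting"), both of which already appear on this page (SEMM under the security card at the top of this hunk, battery-limit under "Manage Surface devices" in the previous hunk) under different link text, which makes them look like two different pages. Keep each target in one card, or use identical link text. The split of "Support and community" into "Browse support solutions" and "Participate in Surface Community" reads well; note that "Protecting your data during Surface repair or service" is a security topic and would also fit under "Explore security guidance".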

View File

@ -168,7 +168,9 @@ After you create a Microsoft Surface Data Eraser USB stick, you can boot a suppo
Microsoft Surface Data Eraser is periodically updated by Microsoft. For information about the changes provided in each new version, see the following:
### 3.30.139
This version of Surface Data Eraser to be released May 11, 2020 adds support for:
*Release Date: 11 May 2020*
This version of Surface Data Eraser adds support for:
- Surface Book 3
- Surface Go 2
- New SSD in Surface Go
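Review bot: the date line reads "*Release Date: 11 May 2020*" while the Surface Diagnostic Toolkit page in this same commit uses "*Release date: May 11, 2020*<br>" and the SEMM page writes "released May 11, 2020"; pick one capitalization, date format and line-break convention for the three release notes. "New SSD in Surface Go" should say what the support means (which SSD, or that the eraser now recognises it), since a data-eraser changelog is exactly where an admin checks whether a wipe is actually supported on their hardware.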

View File

@ -176,8 +176,8 @@ You can select to run a wide range of logs across applications, drivers, hardwar
## Changes and updates
### Version 2.94.139.0
This version of Surface Diagnostic Toolkit for Business to be released May 11, 2020 adds support for the following:
*Release date: May 11, 2020*<br>
This version of Surface Diagnostic Toolkit for Business adds support for the following:
- Ability to skip Windows Update to perform hardware check.
- Ability to receive notifications for about the latest version update
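Review bot: "Ability to receive notifications for about the latest version update" has a stray "for"; it is context, but this hunk rewrites the two lines directly above it, so fix it here ("Ability to receive notifications about the latest version update"). The "*Release date: May 11, 2020*<br>" line uses an explicit `<br>` where the Data Eraser page in this commit relies on a separate line; align the two.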

View File

@ -228,7 +228,7 @@ create a reset package using PowerShell to reset SEMM.
## Version History
The latest version of SEMM to be released May 11, 2020 includes:
The latest version of SEMM released May 11, 2020 includes:
- Support for Surface Go 2
- Support for Surface Book 3
- Bug fixes
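Review bot: the Version History entry identifies the release only by date ("released May 11, 2020"), whereas the Data Eraser (3.30.139) and Surface Diagnostic Toolkit (2.94.139.0) notes in this commit give version numbers. Add the SEMM version so an admin can match the installed build against this changelog; "Bug fixes" also deserves a line on whether any of them are security-relevant, since SEMM is what controls UEFI settings on these devices.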

View File

@ -2,6 +2,7 @@
title: Microsoft Store for Business and Education (Windows 10)
description: Welcome to the Microsoft Store for Business and Education. You can use Microsoft Store, to find, acquire, distribute, and manage apps for your organization or school.
ms.assetid: 527E611E-4D47-44F0-9422-DCC2D1ACBAB8
manager: dansimp
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
@ -10,7 +11,7 @@ author: TrudyHa
ms.author: TrudyHa
ms.topic: conceptual
ms.localizationpriority: high
ms.date: 10/17/2017
ms.date: 05/14/2020
---
# Microsoft Store for Business and Education

View File

@ -2,7 +2,7 @@
title: Advanced Troubleshooting 802.1X Authentication
ms.reviewer:
manager: dansimp
description: Learn how 802.1X Authentication works
description: Troubleshoot authentication flow by learning how 802.1X Authentication works for wired and wireless clients.
keywords: advanced troubleshooting, 802.1X authentication, troubleshooting, authentication, Wi-Fi
ms.prod: w10
ms.mktglfcycl:
@ -73,7 +73,7 @@ The following article explains how to analyze CAPI2 event logs:
When troubleshooting complex 802.1X authentication issues, it is important to understand the 802.1X authentication process. The following figure is an example of wireless connection process with 802.1X authentication:
![authenticatior flow chart](images/authenticator_flow_chart.png)
![authenticator flow chart](images/authenticator_flow_chart.png)
If you [collect a network packet capture](troubleshoot-tcpip-netmon.md) on both the client and the server (NPS) side, you can see a flow like the one below. Type **EAPOL** in the Display Filter in for a client side capture, and **EAP** for an NPS side capture. See the following examples:
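Review bot: the alt-text fix ("authenticatior" to "authenticator") is correct. The context sentence that follows has a doubled preposition, "in the Display Filter in for a client side capture"; drop the second "in" and hyphenate "client-side" and "NPS-side" while touching this hunk.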

View File

@ -1,6 +1,6 @@
---
title: Client management (Windows 10)
description: Windows 10 client management
description: Learn about the administrative tools, tasks and best practices for managing Windows 10 and Windows 10 Mobile clients across your enterprise.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library

View File

@ -1,6 +1,6 @@
---
title: AppLocker DDF file
description: AppLocker DDF file
description: See the OMA DM device description framework (DDF) for the AppLocker DDF file configuration service provider.
ms.assetid: 79E199E0-5454-413A-A57A-B536BDA22496
ms.reviewer:
manager: dansimp
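Review bot: the new description says "the AppLocker DDF file configuration service provider", which names the DDF file as if it were the CSP. The CSP is AppLocker; the DDF is its device description framework document. Suggest: "See the OMA DM device description framework (DDF) for the AppLocker configuration service provider." The same wording appears in the WindowsDefenderApplicationGuard DDF description later in this commit.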

View File

@ -1,6 +1,6 @@
---
title: CertificateStore CSP
description: CertificateStore CSP
description: Use the The CertificateStore configuration service provider (CSP) to add secure socket layers (SSL), intermediate, and self-signed certificates.
ms.assetid: 0fe28629-3cc3-42a0-91b3-3624c8462fd3
ms.reviewer:
manager: dansimp
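Review bot: "Use the The CertificateStore" doubles the article, and "secure socket layers (SSL)" should be "Secure Sockets Layer (SSL)". Suggest: "Use the CertificateStore configuration service provider (CSP) to add SSL, intermediate, and self-signed certificates." Because this CSP installs certificates into device trust stores, say which store the certificates land in (root, intermediate) if the page covers that; "SSL certificates" on its own does not tell an admin what trust they are granting.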

View File

@ -1,6 +1,6 @@
---
title: CMPolicy CSP
description: CMPolicy CSP
description: Learn how the CMPolicy configuration service provider (CSP) is used to define rules that the Connection Manager uses to identify correct connections.
ms.assetid: 62623915-9747-4eb1-8027-449827b85e6b
ms.reviewer:
manager: dansimp

View File

@ -1,6 +1,6 @@
---
title: Enable ADMX-backed policies in MDM
description: Guide to configuring ADMX-backed policies in MDM
description: Use this is a step-by-step guide to configuring ADMX-backed policies in MDM.
ms.author: dansimp
ms.topic: article
ms.prod: w10
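Review bot: "Use this is a step-by-step guide to configuring ADMX-backed policies in MDM." mixes two sentences; use either "Use this step-by-step guide to configure ADMX-backed policies in MDM." or "This is a step-by-step guide to configuring ADMX-backed policies in MDM."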

View File

@ -313,7 +313,7 @@ The deep link used for connecting your device to work will always use the follow
> **Note** Deep links only work with Internet Explorer or Edge browsers.
When connecting to MDM using a deep link, the URI you should use is
**ms-device-enrollment:?mode=mdm**
**ms-device-enrollment:?mode=mdm**
**ms-device-enrollment:?mode=mdm&username=someone@example.com&servername=<https://example.server.com>**
The following procedure describes how users can connect their devices to MDM using deep links.

View File

@ -1,6 +1,6 @@
---
title: Mobile device enrollment
description: Mobile device enrollment is the first phase of enterprise management.
description: Learn how mobile device enrollment verifies that only authenticated and authorized devices can be managed by their enterprise.
ms.assetid: 08C8B3DB-3263-414B-A368-F47B94F47A11
ms.reviewer:
manager: dansimp

View File

@ -429,6 +429,7 @@ Policy, Policy/Channels, Policy/Channels/ChannelName, Policy/Channels/ChannelNam
<li>TextInput/TouchKeyboardSplitModeAvailability</li>
<li>TextInput/TouchKeyboardWideModeAvailability</li>
<li>Update/ConfigureFeatureUpdateUninstallPeriod</li>
<li>Update/TargetReleaseVersion</li>
<li>UserRights/AccessCredentialManagerAsTrustedCaller</li>
<li>UserRights/AccessFromNetwork</li>
<li>UserRights/ActAsPartOfTheOperatingSystem</li>
@ -2563,6 +2564,7 @@ How do I turn if off? | The service can be stopped from the "Services" console o
<li>LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM</li>
<li>LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange</li>
<li>LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel</li>
<li>LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients</li>
<li>LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers</li>
<li>LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile</li>
<li>LocalPoliciesSecurityOptions/SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems</li>
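Review bot: the added LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients entry (like the Update/TargetReleaseVersion entry in the previous hunk) is a list item only; the policy tree page later in this commit links it to `policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedclients`, but no hunk in this commit touches policy-csp-localpoliciessecurityoptions.md. Verify that the section and anchor exist there, otherwise both the list entry and the tree link point at nothing. The clients and servers NTLM session-security policies are a pair and are normally documented together, so check that the clients section was not left out when the servers section was written.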

View File

@ -1,6 +1,6 @@
---
title: OMA DM protocol support
description: OMA DM protocol support
description: See how the OMA DM client communicates with the server over HTTPS and uses DM Sync (OMA DM v1.2) as the message payload.
ms.assetid: e882aaae-447e-4bd4-9275-463824da4fa0
ms.reviewer:
manager: dansimp

View File

@ -2399,6 +2399,9 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-lanmanagerauthenticationlevel" id="localpoliciessecurityoptions-networksecurity-lanmanagerauthenticationlevel">LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedclients" id="localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedclients">LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedservers" id="localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedservers">LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers</a>
</dd>
@ -3747,6 +3750,10 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-update.md#update-setedurestart" id="update-setedurestart">Update/SetEDURestart</a>
</dd>
<dd>
<a href="./policy-csp-update.md#update-targetreleaseversion"id="update-targetreleaseversion">Update/TargetReleaseVersion</a>
</dd>
<dd>
<dd>
<a href="./policy-csp-update.md#update-updatenotificationlevel" id="update-updatenotificationlevel">Update/UpdateNotificationLevel</a>
</dd>
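Review bot: two markup defects in this hunk. The added `<a href="./policy-csp-update.md#update-targetreleaseversion"id="update-targetreleaseversion">` has no space between the `href` and `id` attributes, so `id` will not parse as an attribute and in-page links to `#update-targetreleaseversion` will not resolve; insert the space. Below it, `<dd>` is opened twice in a row (the added `<dd>` directly before the existing `<dd>` for Update/UpdateNotificationLevel) with no closing `</dd>` for the first, leaving an unbalanced element in the definition list; delete the extra `<dd>`. The `<a>` block for MinimumSessionSecurityForNTLMSSPBasedClients in the previous hunk is well formed.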

View File

@ -1,6 +1,6 @@
---
title: Policy CSP - ActiveXControls
description: Policy CSP - ActiveXControls
description: Learn the ins and outs of various Policy CSP - ActiveXControls settings, including SyncML, for Windows 10.
ms.author: dansimp
ms.localizationpriority: medium
ms.topic: article
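Review bot: "Learn the ins and outs of various Policy CSP - ActiveXControls settings, including SyncML, for Windows 10." is informal for a metadata description, and the identical template is reused for Policy CSP - Power later in this commit; a description should say what the policy area controls. Suggest: "Learn about the Policy CSP - ActiveXControls settings for Windows 10, with SyncML examples." and the equivalent for Power.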

View File

@ -1,6 +1,6 @@
---
title: Policy CSP - Bitlocker
description: Policy CSP - Bitlocker
description: Use the Policy configuration service provider (CSP) - Bitlocker to manage encryption of PCs and devices.
ms.author: dansimp
ms.topic: article
ms.prod: w10
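Review bot: the product name is BitLocker (capital L); the title line keeps the policy area's spelling "Bitlocker", but the description is free text, so write "Use the Policy configuration service provider (CSP) - BitLocker settings to manage drive encryption on PCs and devices." "Manage encryption" on its own is vague; "manage BitLocker drive encryption settings" says what the policies actually control.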

View File

@ -1,6 +1,6 @@
---
title: Policy CSP - Power
description: Policy CSP - Power
description: Learn the ins and outs of various Policy CSP - Power settings, including SyncML, for Windows 10.
ms.author: dansimp
ms.topic: article
ms.prod: w10

View File

@ -7,13 +7,16 @@ ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.localizationpriority: medium
ms.date: 10/04/2019
ms.date: 02/10/2020
ms.reviewer:
manager: dansimp
---
# Policy CSP - Update
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
> [!NOTE]
> If the MSA service is disabled, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See [Feature updates are not being offered while other updates are](https://docs.microsoft.com/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are).
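Review bot: the added page-level warning says "Some information relates to prereleased products", but the only policy this commit adds to the page, Update/TargetReleaseVersion, is documented as "Available in Windows 10, version 1803 and later", that is, shipped. Either scope the warning to the specific entries that are prerelease, or drop it; a blanket warning on the whole Update policy page makes every released setting look provisional. The ms.date change from 10/04/2019 to 02/10/2020 also predates this commit (2020-05-15) by three months; set it to the date of the edit that adds the new policy.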
@ -194,6 +197,9 @@ manager: dansimp
<dd>
<a href="#update-setedurestart">Update/SetEDURestart</a>
</dd>
<dd>
<a href="#update-targetreleaseversion">Update/TargetReleaseVersion</a>
</dd>
<dd>
<a href="#update-updatenotificationlevel">Update/UpdateNotificationLevel</a>
</dd>
@ -4130,6 +4136,74 @@ The following list shows the supported values:
<hr/>
<!--Policy-->
<a href="" id="update-targetreleaseversion"></a>**Update/TargetReleaseVersion**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Available in Windows 10, version 1803 and later. Enables IT administrators to specify which version they would like their device(s) to move to and/or stay on until they reach end of service or reconfigure the policy. For details about different Windows 10 versions, see [Windows 10 release information](https://docs.microsoft.com/windows/release-information/).
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Select the target Feature Update version*
- GP name: *TargetReleaseVersion*
- GP element: *TargetReleaseVersionId*
- GP path: *Windows Components/Windows Update/Windows Update for Business*
- GP ADMX file name: *WindowsUpdate.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
Value type is a string containing Windows 10 version number. For example, 1809, 1903.
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="update-updatenotificationlevel"></a>**Update/UpdateNotificationLevel**
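Review bot: the TargetReleaseVersion entry is missing the pieces other policies on this page carry: the `<!--Example-->` and `<!--Validation-->` sections are empty, and the supported-values text ("a string containing Windows 10 version number. For example, 1809, 1903.") does not say what an unset or empty value means, nor what happens when the pinned version reaches end of service (the description says devices stay on the version "until they reach end of service or reconfigure the policy", but not whether they are then offered the next feature update automatically). Add a SyncML example with a concrete value and state the end-of-service behaviour explicitly: this policy is the control that keeps a device on a serviced build, and a misreading here leaves devices on a build that no longer receives security updates. The "version 1803 and later" text and the SKU table's footnote 4 (1803) agree, good. Minor: "their device(s)" reads better as "devices".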
@ -4371,11 +4445,13 @@ ADMX Info:
Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.
- 1 - Available in Windows 10, version 1607.
- 2 - Available in Windows 10, version 1703.
- 3 - Available in Windows 10, version 1709.
- 4 - Available in Windows 10, version 1803.
- 5 - Available in Windows 10, version 1809.
- 6 - Available in Windows 10, version 1903.
- 7 - Available in Windows 10, version 1909.
<!--/Policies-->

View File

@ -1260,6 +1260,11 @@ GP Info:
- GP English name: *Increase scheduling priority*
- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
> [!Warning]
> If you remove **Window Manager\Window Manager Group** from the **Increase scheduling priority** user right, certain applications and computers do not function correctly. In particular, the INK workspace does not function correctly on unified memory architecture (UMA) laptop and desktop computers that run Windows 10, version 1903 (or later) and that use the Intel GFX driver.
>
> On affected computers, the display blinks when users draw on INK workspaces such as those that are used by Microsoft Edge, Microsoft PowerPoint, or Microsoft OneNote. The blinking occurs because the inking-related processes repeatedly try to use the Real-Time priority, but are denied permission.
<!--/DbMapped-->
<!--/Policy-->
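Review bot: the added warning is useful; two wording points. "INK workspace" should be "Windows Ink Workspace" (the feature name), and "Intel GFX driver" should read "Intel graphics driver". The warning explains the symptom (display blinking because inking processes are repeatedly denied Real-Time priority) but not the mitigation; say outright that Window Manager\Window Manager Group must stay in the Increase scheduling priority assignment on affected computers, rather than only describing what breaks when it is removed.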

View File

@ -1,6 +1,6 @@
---
title: PXLOGICAL configuration service provider
description: PXLOGICAL configuration service provider
description: The PXLOGICAL configuration service provider is used to add, remove, or modify WAP logical and physical proxies by using WAP or the standard Windows techniques.
ms.assetid: b5fc84d4-aa32-4edd-95f1-a6a9c0feb459
ms.reviewer:
manager: dansimp

View File

@ -1,6 +1,6 @@
---
title: SharedPC CSP
description: SharedPC CSP
description: Learn how the SharedPC configuration service provider is used to configure settings for Shared PC usage.
ms.assetid: 31273166-1A1E-4F96-B176-CB42ECB80957
ms.reviewer:
manager: dansimp

View File

@ -1,6 +1,6 @@
---
title: WindowsDefenderApplicationGuard DDF file
description: WindowsDefenderApplicationGuard DDF file
description: See the OMA DM device description framework (DDF) for the WindowsDefenderApplicationGuard DDF file configuration service provider.
ms.author: dansimp
ms.topic: article
ms.prod: w10
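Review bot: same wording issue as the AppLocker DDF description in this commit: "the WindowsDefenderApplicationGuard DDF file configuration service provider" names the DDF file as the CSP. Suggest: "See the OMA DM device description framework (DDF) for the WindowsDefenderApplicationGuard configuration service provider."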

View File

@ -2,7 +2,7 @@
title: Advanced troubleshooting for Windows-based computer freeze issues
ms.reviewer:
manager: dansimp
description: Learn how to troubleshoot computer freeze issues.
description: Learn how to troubleshoot computer freeze issues on Windows-based computers and servers.
ms.prod: w10
ms.mktglfcycl:
ms.sitesec: library

View File

@ -46,7 +46,7 @@ Application compatibility testing has historically been a burden when approachin
Most Windows 7compatible desktop applications will be compatible with Windows 10 straight out of the box. Windows 10 achieved such high compatibility because the changes in the existing Win32 application programming interfaces were minimal. Combined with valuable feedback via the Windows Insider Program and diagnostic data, this level of compatibility can be maintained through each feature update. As for websites, Windows 10 includes Internet Explorer 11 and its backward-compatibility modes for legacy websites. Finally, UWP apps follow a compatibility story similar to desktop applications, so most of them will be compatible with Windows 10.
For the most important business-critical applications, organizations should still perform testing on a regular basis to validate compatibility with new builds. For remaining applications, consider validating them as part of a pilot deployment process to reduce the time spent on compatibility testing. If its unclear whether an application is compatible with Windows 10, IT pros can either consult with the ISV or check the supported software directory at [http://www.readyforwindows.com](http://www.readyforwindows.com).
For the most important business-critical applications, organizations should still perform testing on a regular basis to validate compatibility with new builds. For remaining applications, consider validating them as part of a pilot deployment process to reduce the time spent on compatibility testing. Desktop Analytics s a cloud-based service that integrates with Configuration Manager. The service provides insight and intelligence for you to make more informed decisions about the update readiness of your Windows endpoints, including assessment of your existing applications. For more, see [Ready for modern desktop retirement FAQ](https://docs.microsoft.com/mem/configmgr/desktop-analytics/ready-for-windows).
### Device compatibility
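Review bot: "Desktop Analytics s a cloud-based service" is missing its verb ("is"), and "For more, see" should be "For more information, see". The link text "Ready for modern desktop retirement FAQ" does not match the sentence leading into it, which is about Desktop Analytics and application readiness; the removed sentence pointed at readyforwindows.com, so if the FAQ is linked because that directory is retired, say so in the sentence, otherwise link the Desktop Analytics overview instead. The context line above still reads "Windows 7compatible" with a lost hyphen; fix "Windows 7-compatible" while here.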

View File

@ -28,17 +28,17 @@ In the past, traditional Windows deployments tended to be large, lengthy, and ex
Windows 10 spreads the traditional deployment effort of a Windows upgrade, which typically occurred every few years, over smaller, continuous updates. With this change, you must approach the ongoing deployment and servicing of Windows differently. A strong Windows 10 deployment strategy begins with establishing a simple, repeatable process for testing and deploying each feature update. Heres an example of what this process might look like:
- **Configure test devices.** Configure test devices in the Windows Insider Program so that Insiders can test feature updates before theyre available to the Semi-Annual Channel. Typically, this would be a small number of test devices that IT staff members use to evaluate pre-releas builds of Windows. Microsoft provides current development builds to Windows Insider members approximately every week so that interested users can see the functionality Microsoft is adding. See the section Windows Insider for details on how to enroll in the Windows Insider Program on a Windows 10 device.
- **Configure test devices.** Configure test devices in the Windows Insider Program so that Insiders can test feature updates before theyre available to the Semi-Annual Channel. Typically, this would be a small number of test devices that IT staff members use to evaluate pre-release builds of Windows. Microsoft provides current development builds to Windows Insider members approximately every week so that interested users can see the functionality Microsoft is adding. See the section Windows Insider for details on how to enroll in the Windows Insider Program on a Windows 10 device.
- **Identify excluded devices.** For some organizations, special-purpose devices such as those used to control factory or medical equipment or run ATMs require a stricter, less frequent feature update cycle than the Semi-annual Channel can offer. For those machines, you must install Windows 10 Enterprise LTSB to avoid feature updates for up to 10 years. Identify these devices, and separate them from the phased deployment and servicing cycles to help remove confusion for your administrators and ensure that devices are handled correctly.
- **Recruit volunteers.** The purpose of testing a deployment is to receive feedback. One effective way to recruit pilot users is to request volunteers. When doing so, clearly state that youre looking for feedback rather than people to just “try it out” and that there could be occasional issues involved with accepting feature updates right away. With Windows as a service, the expectation is that there should be few issues, but if an issue does arise, you want testers to let you know as soon as possible. When considering whom to recruit for pilot groups, be sure to include members who provide the broadest set of applications and devices to validate the largest number of apps and devices possible.
- **Update Group Policy.** Each feature update includes new group policies to manage new features. If you use Group Policy to manage devices, the Group Policy Admin for the Active Directory domain will need to download a .admx package and copy it to their [Central Store](https://support.microsoft.com/help/929841/how-to-create-the-central-store-for-group-policy-administrative-templa) (or to the [PolicyDefinitions](https://msdn.microsoft.com/library/bb530196.aspx) directory in the SYSVOL of a domain controller if not using a Central Store). Always manage new group polices from the version of Windows 10 they shipped with by using the Remote Server Administration Tools. The ADMX download package is created at the end of each development cycle and then posted for download. To find the ADMX download package for a given Windows build, search for “ADMX download for Windows build xxxx”. For details about Group Policy management, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra)
- **Choose a servicing tool.** Decide which product youll use to manage the Windows updates in your environment. If youre currently using Windows Server Update Services (WSUS) or Microsoft Endpoint Configuration Manager to manage your Windows updates, you can continue using those products to manage Windows 10 updates. Alternatively, you can use Windows Update for Business. In addition to which product youll use, consider how youll deliver the updates. With Windows 10, multiple peer-to-peer options are available to make update distribution faster. For a comparison of tools, see [Servicing tools](waas-overview.md#servicing-tools).
- **Prioritize applications.** First, create an application portfolio. This list should include everything installed in your organization and any webpages your organization hosts. Next, prioritize this list to identify those that are the most business critical. Because the expectation is that application compatibility with Windows 10 will be high, only the most business critical applications should be tested before the pilot phase; everything else can be tested afterwards. For more information about identifying compatibility issues withe applications, see [Manage Windows upgrades with Upgrade Analytics](../upgrade/manage-windows-upgrades-with-upgrade-readiness.md).
>[!NOTE]
>This strategy is applicable to approaching an environment in which Windows 10 already exists. For information about how to deploy or upgrade to Windows 10 where another version of Windows exists, see [Plan for Windows 10 deployment](../planning/index.md).
> [!NOTE]
> This strategy is applicable to approaching an environment in which Windows 10 already exists. For information about how to deploy or upgrade to Windows 10 where another version of Windows exists, see [Plan for Windows 10 deployment](../planning/index.md).
>
>>Windows 10 Enterprise LTSB is a separate Long Term Servicing Channel version.
> Windows 10 Enterprise LTSB is a separate Long Term Servicing Channel version.
Each time Microsoft releases a Windows 10 feature update, the IT department should use the following high-level process to help ensure that the broad deployment is successful:
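Review bot: the typo fix in the Configure test devices bullet is good, but two more typos in the same list survive this hunk: "manage new group polices" in the Update Group Policy bullet should read "group policies", and "compatibility issues withe applications" in the Prioritize applications bullet should read "with applications". Also, the rewritten NOTE now puts the LTSB sentence in the same blockquote as the deployment-planning link; the two statements are unrelated, so consider keeping the LTSB line as its own note rather than a second paragraph of the first.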

View File

@ -9,12 +9,12 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.localizationpriority: high
audience: ITPro
author: medgarmedgar
ms.author: robsize
author: linque1
ms.author: obezeajo
manager: robsize
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 3/25/2020
ms.date: 5/14/2020
---
# Manage connections from Windows 10 operating system components to Microsoft services
@ -36,9 +36,6 @@ Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline]
> - It is recommended that you restart a device after making configuration changes to it.
> - The **Get Help** and **Give us Feedback** links no longer work after the Windows Restricted Traffic Limited Functionality Baseline is applied.
>[!Note]
>Regarding the Windows Restricted Traffic Limited Functionality Baseline, the 1903 settings (folder) are applicable to 1909 Windows >Enterprise devices. There were no additional settings required for the 1909 release.
> [!Warning]
> If a user executes the **Reset this PC** command (Settings -> Update & Security -> Recovery) with the **Keep my files option** (or the **Remove Everything** option) the Windows Restricted Traffic Limited Functionality Baseline settings will need to be re-applied in order to re-restrict the device. Egress traffic may occur prior to the re-application of the Restricted Traffic Limited Functionality Baseline settings.
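Review bot: deleting the Note drops the only statement that the 1903 settings folder of the baseline also applies to 1909 devices, and the hunk adds nothing in its place. If the removal was meant to fix the stray `>` inside the old line ("1909 Windows >Enterprise devices"), keep the note and fix that character instead; if the 1909 mapping is now documented elsewhere, say where, otherwise 1909 administrators are left without guidance on which folder to apply.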

View File

@ -18,7 +18,7 @@ ms.reviewer:
# Additional mitigations
Windows Defender Credential Guard can provide mitigation against attacks on derived credentials and prevent the use of stolen credentials elsewhere. However, PCs can still be vulnerable to certain attacks, even if the derived credentials are protected by Windows Defender Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, re-using previously stolen credentials prior to Hypervisor-Protected Code Integrity, and abuse of management tools and weak application configurations. Because of this, additional mitigation also must be deployed to make the domain environment more robust.
Windows Defender Credential Guard can provide mitigation against attacks on derived credentials and prevent the use of stolen credentials elsewhere. However, PCs can still be vulnerable to certain attacks, even if the derived credentials are protected by Windows Defender Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, re-using previously stolen credentials prior to Windows Defender Credential Guard, and abuse of management tools and weak application configurations. Because of this, additional mitigation also must be deployed to make the domain environment more robust.
## Restricting domain users to specific domain-joined devices

View File

@ -24,7 +24,7 @@ ms.reviewer:
## Enable Windows Defender Credential Guard
Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-windows-defender-credential-guard-by-using-group-policy), the [registry](#enable-windows-defender-credential-guard-by-using-the-registry), or the Hypervisor-Protected Code Integrity and Windows Defender Credential Guard [hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine.
Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-windows-defender-credential-guard-by-using-group-policy), the [registry](#enable-windows-defender-credential-guard-by-using-the-registry), or the Hypervisor-Protected Code Integrity (HVCI) and Windows Defender Credential Guard [hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine.
The same set of procedures used to enable Windows Defender Credential Guard on physical machines applies also to virtual machines.
@ -113,15 +113,15 @@ You can do this by using either the Control Panel or the Deployment Image Servic
<span id="hardware-readiness-tool"/>
### Enable Windows Defender Credential Guard by using the Hypervisor-Protected Code Integrity and Windows Defender Credential Guard hardware readiness tool
### Enable Windows Defender Credential Guard by using the HVCI and Windows Defender Credential Guard hardware readiness tool
You can also enable Windows Defender Credential Guard by using the [Hypervisor-Protected Code Integrity and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md).
You can also enable Windows Defender Credential Guard by using the [HVCI and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md).
```
DG_Readiness_Tool.ps1 -Enable -AutoReboot
```
> [!IMPORTANT]
> When running the Hypervisor-Protected Code Integrity and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work.
> When running the HVCI and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work.
> This is a known issue.
### Review Windows Defender Credential Guard performance
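Review bot: the script name in this hunk's code block (`DG_Readiness_Tool.ps1 -Enable -AutoReboot`) does not match the `DG_Readiness_Tool_v3.6.ps1` used by the -Ready and -Disable examples later in the same file; since this hunk is already touching the surrounding lines, make the three invocations consistent. The fenced block also has no language tag; `powershell` would give it syntax highlighting like the rest of the docs.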
@ -138,13 +138,13 @@ You can view System Information to check that Windows Defender Credential Guard
![System Information](images/credguard-msinfo32.png)
You can also check that Windows Defender Credential Guard is running by using the [Hypervisor-Protected Code Integrity and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md).
You can also check that Windows Defender Credential Guard is running by using the [HVCI and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md).
```
DG_Readiness_Tool_v3.6.ps1 -Ready
```
> [!IMPORTANT]
> When running the Hypervisor-Protected Code Integrity and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work.
> When running the HVCI and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work.
> This is a known issue.
> [!NOTE]
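Review bot: the rewritten IMPORTANT line carries over a stray asterisk in the "before" expression, `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture`. The same instruction in the enable section above has no asterisk, and the line readers are told to find in the script does not start with one, so drop it while the line is being rewritten anyway.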
@ -209,20 +209,20 @@ To disable Windows Defender Credential Guard, you can use the following set of p
> [!NOTE]
> Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs. These options will be made available with future Gen 2 VMs.
For more info on virtualization-based security and Hypervisor-Protected Code Integrity, see [Enable virtualization-based protection of code integrity](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity
For more info on virtualization-based security and HVCI, see [Enable virtualization-based protection of code integrity](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity
).
<span id="turn-off-with-hardware-readiness-tool"/>
#### Disable Windows Defender Credential Guard by using the Hypervisor-Protected Code Integrity and Windows Defender Credential Guard hardware readiness tool
#### Disable Windows Defender Credential Guard by using the HVCI and Windows Defender Credential Guard hardware readiness tool
You can also disable Windows Defender Credential Guard by using the [Hypervisor-Protected Code Integrity and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md).
You can also disable Windows Defender Credential Guard by using the [HVCI and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md).
```
DG_Readiness_Tool_v3.6.ps1 -Disable -AutoReboot
```
> [!IMPORTANT]
> When running the Hypervisor-Protected Code Integrity and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work.
> When running the HVCI and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work.
> This is a known issue.
#### Disable Windows Defender Credential Guard for a virtual machine
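Review bot: the rewritten "For more info on virtualization-based security and HVCI" line keeps the markdown link split across two lines, with the closing `).` on its own line; join them so the link renders. The IMPORTANT block in this hunk repeats the stray-asterisk problem from the previous hunk (`*$OSArch = $(gwmi ...)`), and the asterisk should go here too.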

View File

@ -71,7 +71,7 @@ Microsoft has made a concerted effort to enlighten several of our more popular a
- Microsoft Messaging
- Microsoft Remote Desktop
- Microsoft Remote Desktop
> [!NOTE]
> Microsoft Visio, Microsoft Office Access and Microsoft Project are not enlightended apps and need to be exempted from WIP policy. If they are allowed, there is a risk of data loss. For example, if a device is workplace-joined and managed and the user leaves the company, metadata files that the apps rely on remain encrypted and the apps stop functioining.
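Review bot: the two "Microsoft Remote Desktop" list items in this hunk look identical, so this is presumably a whitespace-only change; if so, it is worth also fixing the two typos in the NOTE immediately below, "enlightended" (enlightened) and "functioining" (functioning), since the file is being edited anyway.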
@ -81,6 +81,8 @@ Microsoft still has apps that are unenlightened, but which have been tested and
- Skype for Business
- Microsoft Teams (build 1.3.00.12058 and later)
## Adding enlightened Microsoft apps to the allowed apps list
> [!NOTE]

View File

@ -62,9 +62,8 @@
#### [Device control]()
##### [Code integrity](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
##### [Control USB devices](device-control/control-usb-devices-using-intune.md)
###### [Code integrity](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
#### [Exploit protection]()
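Review bot: moving "Code integrity" from five hashes to six places it under "Control USB devices" in the TOC, which makes code integrity look like a sub-topic of USB device control. Code integrity (virtualization-based security and WDAC) is a sibling topic of USB control under "Device control", so it should stay at the five-hash level, just reordered after the USB entry if that was the intent.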

View File

@ -44,6 +44,9 @@ ms.topic: conceptual
<a name="tvm"></a>
>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4obJq]
**[Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)**<br>
This built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.

View File

@ -38,7 +38,7 @@ Behavioral blocking and containment capabilities include the following:
- **Feedback-loop blocking** (also referred to as rapid protection). Threat detections that are assumed to be false negatives are observed through behavioral intelligence. Threats are stopped and prevented from running on other endpoints. (Feedback-loop blocking is enabled by default.)
- **[Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md)**. Malicious artifacts or behaviors that are observed through post-breach protection are blocked and contained. EDR in block mode works even if Windows Defender Antivirus is not the primary antivirus solution. (EDR in block mode, currently in [limited private preview](edr-in-block-mode.md#can-i-participate-in-the-preview-of-edr-in-block-mode), is not enabled by default; you turn it on in the Microsoft Defender Security Center.)
- **[Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md)**. Malicious artifacts or behaviors that are observed through post-breach protection are blocked and contained. EDR in block mode works even if Windows Defender Antivirus is not the primary antivirus solution. (EDR in block mode, currently in preview, is not enabled by default; you turn it on in the Microsoft Defender Security Center.)
As Microsoft continues to improve threat protection features and capabilities, you can expect more to come in the area of behavioral blocking and containment. Visit the [Microsoft 365 roadmap](https://www.microsoft.com/microsoft-365/roadmap) to see what's rolling out now and what's in development.

View File

@ -1,6 +1,6 @@
---
title: Configure attack surface reduction
description: Configure attack surface reduction
description: Use Microsoft Intune, Microsoft Endpoint Configuration Manager, Powershell cmdlets, and Group Policy to configure attack surface reduction.
keywords: asr, attack surface reduction, windows defender, microsoft defender, antivirus, av
search.product: eADQiWindows 10XVcnh
search.appverid: met150
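Review bot: the new description spells the product name "Powershell"; the correct casing is "PowerShell", which matters for metadata that feeds search and page previews.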

View File

@ -52,6 +52,9 @@ From the **Onboarding** card, select **Onboard more machines** to create and ass
>[!TIP]
>Alternatively, you can navigate to the Microsoft Defender ATP onboarding compliance page in the [Microsoft Azure portal](https://portal.azure.com/) from **All services > Intune > Device compliance > Microsoft Defender ATP**.
>[!NOTE]
> If you want to view the most up-to-date device data, click on **List of devices without ATP sensor**.
From the device compliance page, create a configuration profile specifically for the deployment of the Microsoft Defender ATP sensor and assign that profile to the machines you want to onboard. To do this, you can either:
- Select **Create a device configuration profile to configure ATP sensor** to start with a predefined device configuration profile.

View File

@ -29,7 +29,7 @@ ms.collection:
When [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) in block mode is enabled, Microsoft Defender ATP leverages behavioral blocking and containment capabilities by blocking malicious artifacts or behaviors that are observed through post-breach protection. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
> [!NOTE]
> EDR in block mode is currently in **[limited private preview](#can-i-participate-in-the-preview-of-edr-in-block-mode)**. To get the best protection, make sure to **[deploy Microsoft Defender ATP baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline)**.
> EDR in block mode is currently in preview. To get the best protection, make sure to **[deploy Microsoft Defender ATP baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline)**.
## What happens when something is detected?
@ -83,10 +83,6 @@ Because Windows Defender Antivirus detects and remediates malicious items, it's
Cloud protection is needed to turn on the feature on the device. Cloud protection allows [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) to deliver the latest and greatest protection based on our breadth and depth of security intelligence, along with behavioral and machine learning models.
### Can I participate in the preview of EDR in block mode?
EDR in block mode is currently in limited private preview. If you would like to participate in this private preview program, send email to `shwjha@microsoft.com`.
## Related articles
[Behavioral blocking and containment](behavioral-blocking-containment.md)
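Review bot: removing the "Can I participate in the preview of EDR in block mode?" section also removes the `#can-i-participate-in-the-preview-of-edr-in-block-mode` anchor. The behavioral-blocking page in this same commit already drops its link to that anchor, which is good; check that no other page in the repo still links to it, or the link will silently land at the top of this page. Removing the personal email address from a public doc is the right call.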

View File

@ -1,6 +1,6 @@
---
title: Get alert related files information
description: Retrieves all files related to a specific alert.
description: Retrieve all files related to a specific alert using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
keywords: apis, graph api, supported apis, get alert information, alert information, related files
search.product: eADQiWindows 10XVcnh
ms.prod: w10
@ -97,7 +97,7 @@ Content-type: application/json
"fileType": null,
"isPeFile": true,
"filePublisher": "Microsoft Corporation",
"fileProductName": "Microsoft® Windows® Operating System",
"fileProductName": "Microsoft<EFBFBD> Windows<77> Operating System",
"signer": "Microsoft Corporation",
"issuer": "Microsoft Code Signing PCA",
"signerHash": "9dc17888b5cfad98b3cb35c1994e96227f061675",

View File

@ -1,6 +1,6 @@
---
title: Get IP related alerts API
description: Retrieves a collection of alerts related to a given IP address.
description: Retrieve a collection of alerts related to a given IP address using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
keywords: apis, graph api, supported apis, get, ip, related, alerts
search.product: eADQiWindows 10XVcnh
ms.prod: w10

View File

@ -1,6 +1,6 @@
---
title: List machineActions API
description: Use this API to create calls related to get machineactions collection
description: Use the Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) API to create calls related to get machineactions collection.
keywords: apis, graph api, supported apis, machineaction collection
search.product: eADQiWindows 10XVcnh
ms.prod: w10
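Review bot: the new description is still ungrammatical: "create calls related to get machineactions collection". Since the title is "List machineActions API", something like "Use the Microsoft Defender ATP API to retrieve the collection of machine actions." states what the page does more clearly.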

View File

@ -1,6 +1,6 @@
---
title: Get user related alerts API
description: Retrieves a collection of alerts related to a given user ID.
description: Retrieve a collection of alerts related to a given user ID using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
keywords: apis, graph api, supported apis, get, user, related, alerts
search.product: eADQiWindows 10XVcnh
ms.prod: w10

View File

@ -72,7 +72,7 @@ You can also delete tags from this view.
>- Windows 7 SP1
> [!NOTE]
> The maximum number of characters in a tag is 30.
> The maximum number of characters that can be set in a tag from the registry is 30.
Machines with similar tags can be handy when you need to apply contextual action on a specific list of machines.

View File

@ -26,7 +26,7 @@ ms.topic: conceptual
Microsoft Defender Advanced Threat Protection is a platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.
<p></p>
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4obJq]
>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4wDob]
Microsoft Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service:
@ -67,6 +67,9 @@ Microsoft Defender ATP uses the following combination of technology built into W
</table>
<br>
<p></p>
>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4vnC4?rel=0]
> [!TIP]
> - Learn about the latest enhancements in Microsoft Defender ATP: [What's new in Microsoft Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).

View File

@ -27,6 +27,10 @@ ms.topic: conceptual
Help reduce your attack surfaces, by minimizing the places where your organization is vulnerable to cyberthreats and attacks. Use the following resources to configure protection for the devices and applications in your organization.
<p></p>
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4woug]
Article | Description
-|-
[Attack surface reduction](./attack-surface-reduction.md) | Reduce vulnerabilities (attack surfaces) in your applications with intelligent rules that help stop malware. (Requires Windows Defender Antivirus).

View File

@ -1,6 +1,6 @@
---
title: What's new in Microsoft Defender ATP
description: Lists the new features and functionality in Microsoft Defender ATP
description: See what features are generally available (GA) in the latest release of Microsoft Defender ATP, as well as security features in Windows 10 and Windows Server.
keywords: what's new in microsoft defender atp, ga, generally available, capabilities, available, new
search.product: eADQiWindows 10XVcnh
search.appverid: met150

View File

@ -37,7 +37,7 @@ This policy setting determines when users are warned that their passwords are ab
- Configure user passwords to expire periodically. Users need warning that their password is going to expire, or they might get locked out of the system.
- Set **Interactive logon: Prompt user to change password before expiration** to five days. When their password expiration date is five or fewer days away, users will see a dialog box each time that they log on to the domain.
- Don't set the value to zero, which displays the password expiration warning every time the user logs on.
- When you set the policy to zero, there is no password expiration warning when the user logs on. During a long-running logon session, you would get the warning on the day the password expires or when it already has expired.
### Location
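Review bot: the old and new bullets contradict each other about what a value of zero does. The removed line says zero shows the expiration warning at every logon; the added line says zero shows no warning at logon. Only one can be right, so confirm the behaviour against the policy reference before merging. Also, this bullet sits in a best-practices list, and the new wording no longer reads as a recommendation; if zero is discouraged, keep a "Don't set the value to zero" lead and then explain why.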

View File

@ -40,7 +40,7 @@ This policy isn't configured by default on domain-joined devices. This would dis
- **Enabled**: This setting allows authentication to successfully complete between the two (or more) computers that have established a peer relationship through the use of online IDs. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer devices. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation. It associates the user's certificate to a security token, and then the logon process completes.
> [!NOTE]
> KU2U is disabled by default on Windows Server. Remote Desktop connections from a hybrid Azure AD-joined server to an Azure AD-joined Windows 10 device or a Hybrid Azure AD-joined domain member Windows 10 device fail. To resolve this, enable PKU2U on the server.
> KU2U is disabled by default on Windows Server. Remote Desktop connections from a hybrid Azure AD-joined server to an Azure AD-joined Windows 10 device or a Hybrid Azure AD-joined domain member Windows 10 device fail. To resolve this, enable PKU2U on the server and the client.
- **Disabled**: This setting prevents online IDs from being used to authenticate the user to another computer in a peer-to-peer relationship.
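Review bot: the rewritten NOTE still begins with "KU2U is disabled by default", which should be "PKU2U" (the rest of the sentence and the page use the full name). Adding "and the client" to the fix is a useful correction, since a peer relationship needs the provider enabled on both ends.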

View File

@ -1,7 +1,7 @@
---
title: Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection
description: Next-gen technologies in cloud-delivered protection provide an advanced level of fast, robust antivirus detection.
keywords: windows defender antivirus, next-gen technologies, next-gen av, machine learning, antimalware, security, defender, cloud, cloud-delivered protection
title: Use next-generation technologies in Windows Defender Antivirus through cloud-delivered protection
description: next-generation technologies in cloud-delivered protection provide an advanced level of fast, robust antivirus detection.
keywords: windows defender antivirus, next-generation technologies, next-generation av, machine learning, antimalware, security, defender, cloud, cloud-delivered protection
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
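Review bot: the new description starts with a lowercase word, "next-generation technologies in cloud-delivered protection ..."; capitalize it ("Next-generation technologies ..."), since this text is shown as the page summary in search results.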
@ -11,12 +11,12 @@ ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.reviewer:
ms.reviewer: shwjha
manager: dansimp
ms.custom: nextgen
---
# Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection
# Use next-generation technologies in Windows Defender Antivirus through cloud-delivered protection
**Applies to:**
@ -27,17 +27,17 @@ Microsoft next-generation technologies in Windows Defender Antivirus provide nea
Windows Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
![List of Windows Defender AV engines](images/microsoft-defender-atp-next-generation-protection-engines.png)
To take advantage of the power and speed of these next-gen technologies, Windows Defender Antivirus works seamlessly with Microsoft cloud services. These cloud protection services, also referred to as Microsoft Advanced Protection Service (MAPS), enhances standard real-time protection, providing arguably the best antivirus defense.
To take advantage of the power and speed of these next-generation technologies, Windows Defender Antivirus works seamlessly with Microsoft cloud services. These cloud protection services, also referred to as Microsoft Advanced Protection Service (MAPS), enhances standard real-time protection, providing arguably the best antivirus defense.
>[!NOTE]
>The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates.
With cloud-delivered protection, next-gen technologies provide rapid identification of new threats, sometimes even before a single machine is infected. Watch the following video about Microsoft AI and Windows Defender Antivirus in action:
With cloud-delivered protection, next-generation technologies provide rapid identification of new threats, sometimes even before a single machine is infected. Watch the following video about Microsoft AI and Windows Defender Antivirus in action:
<iframe
src="https://www.microsoft.com/videoplayer/embed/RE1Yu4B" width="768" height="432" allowFullScreen="true" frameBorder="0" scrolling="no"></iframe>
To understand how next-gen technologies shorten protection delivery time through the cloud, watch the following video:
To understand how next-generation technologies shorten protection delivery time through the cloud, watch the following video:
<iframe
src="https://videoplayercdn.osi.office.net/embed/c2f20f59-ca56-4a7b-ba23-44c60bc62c59" width="768" height="432" allowFullScreen="true" frameBorder="0" scrolling="no"></iframe>
@ -54,28 +54,33 @@ Read the following blog posts for detailed protection stories involving cloud-pr
Cloud-delivered protection is enabled by default. However, you may need to re-enable it if it has been disabled as part of previous organizational policies.
Organizations running Windows 10 E5, version 1803 can also take advantage of emergency dynamic intelligence updates, which provide near real-time protection from emerging threats. When you turn cloud-delivered protection on, we can deliver a fix for a malware issue via the cloud within minutes instead of waiting for the next update.
Organizations running Windows 10 E5 can also take advantage of emergency dynamic intelligence updates, which provide near real-time protection from emerging threats. When you turn on cloud-delivered protection, fixes for malware issues can be delivered via the cloud within minutes, instead of waiting for the next update.
>[!TIP]
>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
The following table describes the differences in cloud-delivered protection between recent versions of Windows and Configuration Manager.
Feature | Windows 8.1 (Group Policy) | Windows 10, version 1607 (Group Policy) | Windows 10, version 1703 (Group Policy) | System Center 2012 Configuration Manager | Microsoft Endpoint Configuration Manager (Current Branch) | Microsoft Intune
---|---|---|---|---|---|---
Cloud-protection service label | Microsoft Advanced Protection Service | Microsoft Advanced Protection Service | Cloud-based Protection | NA | Cloud protection service | Microsoft Advanced Protection Service
Reporting level (MAPS membership level) | Basic, Advanced | Advanced | Advanced | Dependent on Windows version | Dependent on Windows version | Dependent on Windows version
Cloud block timeout period | No | No | Configurable | Not configurable | Configurable | Configurable
You can also [configure Windows Defender AV to automatically receive new protection updates based on reports from our cloud service](manage-event-based-updates-windows-defender-antivirus.md#cloud-report-updates).
|OS version or service application |Cloud-protection service label |Reporting level (MAPS membership level) |Cloud block timeout period |
|---------|---------|---------|---------|
|Windows 8.1 (Group Policy) |Microsoft Advanced Protection Service |Basic, Advanced |No |
|Windows 10, version 1607 (Group Policy) |Microsoft Advanced Protection Service |Advanced |No |
|Windows 10, version 1703 or greater (Group Policy) |Cloud-based Protection |Advanced |Configurable |
|System Center 2012 Configuration Manager | N/A |Dependent on Windows version |Not configurable |
|Microsoft Endpoint Configuration Manager (Current Branch) |Cloud protection service |Dependent on Windows version |Configurable |
|Microsoft Intune |Microsoft Advanced Protection Service |Dependent on Windows version |Configurable |
You can also [configure Windows Defender Antivirus to automatically receive new protection updates based on reports from our cloud service](manage-event-based-updates-windows-defender-antivirus.md#cloud-report-updates).
## In this section
## Tasks
Topic | Description
---|---
[Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) | You can enable cloud-delivered protection with Microsoft Endpoint Configuration Manager, Group Policy, Microsoft Intune, and PowerShell cmdlets.
[Specify the cloud-delivered protection level](specify-cloud-protection-level-windows-defender-antivirus.md) | You can specify the level of protection offered by the cloud with Group Policy and Microsoft Endpoint Configuration Manager. The protection level will affect the amount of information shared with the cloud and how aggressively new files are blocked.
[Configure and validate network connections for Windows Defender Antivirus](configure-network-connections-windows-defender-antivirus.md) | There are certain Microsoft URLs that your network and endpoints must be able to connect to for cloud-delivered protection to work effectively. This topic lists the URLs that should be allowed via firewall or network filtering rules, and instructions for confirming your network is properly enrolled in cloud-delivered protection.
[Configure the block at first sight feature](configure-block-at-first-sight-windows-defender-antivirus.md) | The Block at First Sight feature can block new malware within seconds, without having to wait hours for traditional Security intelligence. You can enable and configure it with Microsoft Endpoint Configuration Manager and Group Policy.
[Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md) | Windows Defender Antivirus can block suspicious files from running while it queries our cloud-delivered protection service. You can configure the amount of time the file will be prevented from running with Microsoft Endpoint Configuration Manager and Group Policy.
- [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md). You can enable cloud-delivered protection with Microsoft Endpoint Configuration Manager, Group Policy, Microsoft Intune, and PowerShell cmdlets.
- [Specify the cloud-delivered protection level](specify-cloud-protection-level-windows-defender-antivirus.md). You can specify the level of protection offered by the cloud with Group Policy and Microsoft Endpoint Configuration Manager. The protection level will affect the amount of information shared with the cloud and how aggressively new files are blocked.
- [Configure and validate network connections for Windows Defender Antivirus](configure-network-connections-windows-defender-antivirus.md). There are certain Microsoft URLs that your network and endpoints must be able to connect to for cloud-delivered protection to work effectively. This article lists the URLs that should be allowed via firewall or network filtering rules, and instructions for confirming your network is properly enrolled in cloud-delivered protection.
- [Configure the block at first sight feature](configure-block-at-first-sight-windows-defender-antivirus.md). The "block at first sight" feature can block new malware within seconds, without having to wait hours for traditional Security intelligence. You can enable and configure it with Microsoft Endpoint Configuration Manager and Group Policy.
- [Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md). Windows Defender Antivirus can block suspicious files from running while it queries our cloud-delivered protection service. You can configure the amount of time the file will be prevented from running with Microsoft Endpoint Configuration Manager and Group Policy.
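Review bot: dropping ", version 1803" from the Windows 10 E5 sentence (the replaced line "Organizations running Windows 10 E5, version 1803 can also take advantage of emergency dynamic intelligence updates…") silently widens the claim to every Windows 10 E5 build; if emergency dynamic intelligence updates still require version 1803 or later, keep the qualifier, e.g. "Organizations running Windows 10 E5, version 1803 or later, can also…". Likewise the rebuilt table adds "or greater" to the "Windows 10, version 1703" row, which is new information rather than a reformat of the old "Windows 10, version 1703 (Group Policy)" column; confirm both against the feature's documented requirements. Minor: in the "Configure the block at first sight feature" bullet, "traditional Security intelligence" should be lowercase "security intelligence" mid-sentence.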

View File

@ -85,21 +85,19 @@ Application Guard functionality is turned off by default. However, you can quick
> [!IMPORTANT]
> Make sure your organization's devices meet [requirements](reqs-wd-app-guard.md) and are [enrolled in Intune](https://docs.microsoft.com/mem/intune/enrollment/device-enrollment).
:::image type="complex" source="images/MDAG-EndpointMgr-newprofile.jpg" alt-text="Endpoint protection profile":::
:::image-end:::
:::image type="content" source="images/MDAG-EndpointMgr-newprofile.jpg" alt-text="Enroll devices in Intune":::
1. Go to [https://endpoint.microsoft.com](https://endpoint.microsoft.com) and sign in.
2. Choose **Devices** > **Configuration profiles** > **+ Create profile**, and do the following: <br/>
1. Choose **Devices** > **Configuration profiles** > **+ Create profile**, and do the following: <br/>
a. In the **Platform** list, select **Windows 10 and later**.
1. In the **Platform** list, select **Windows 10 and later**.
b. In the **Profile** list, select **Endpoint protection**.
1. In the **Profile** list, select **Endpoint protection**.
c. Choose **Create**.
1. Choose **Create**.
4. Specify the following settings for the profile:
1. Specify the following settings for the profile:
- **Name** and **Description**
@ -109,17 +107,17 @@ Application Guard functionality is turned off by default. However, you can quick
- Choose your preferences for **Clipboard behavior**, **External content**, and the remaining settings.
5. Choose **OK**, and then choose **OK** again.
1. Choose **OK**, and then choose **OK** again.
6. Review your settings, and then choose **Create**.
1. Review your settings, and then choose **Create**.
7. Choose **Assignments**, and then do the following:
1. Choose **Assignments**, and then do the following:
a. On the **Include** tab, in the **Assign to** list, choose an option.
1. On the **Include** tab, in the **Assign to** list, choose an option.
b. If you have any devices or users you want to exclude from this endpoint protection profile, specify those on the **Exclude** tab.
1. If you have any devices or users you want to exclude from this endpoint protection profile, specify those on the **Exclude** tab.
c. Click **Save**.
1. Click **Save**.
After the profile is created, any devices to which the policy should apply will have Windows Defender Application Guard enabled. Users might have to restart their devices in order for protection to be in place.
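Review bot: the new alt-text "Enroll devices in Intune" on `:::image type="content" source="images/MDAG-EndpointMgr-newprofile.jpg" alt-text="Enroll devices in Intune":::` does not describe the image, which by its file name (newprofile) and its position directly above the "+ Create profile" steps shows creating a new endpoint protection profile; the replaced alt-text "Endpoint protection profile" was accurate, so keep that wording or use "Create a new endpoint protection profile". Also, with every step now written as `1.`, the sub-steps under "Choose **Devices** > **Configuration profiles** > **+ Create profile**, and do the following:" and under "Choose **Assignments**, and then do the following:" must be indented beneath their parent item, otherwise Markdown renders them as a separate top-level list and restarts the outer numbering; the trailing `<br/>` on the first parent line is then unnecessary.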

View File

@ -1,6 +1,6 @@
---
title: Basic Firewall Policy Design (Windows 10)
description: Basic Firewall Policy Design
description: Protect the devices in your organization from unwanted network traffic that gets through the perimeter defenses by using basic firewall policy design.
ms.assetid: 6f7af99e-6850-4522-b7f5-db98e6941418
ms.reviewer:
ms.author: dansimp

View File

@ -1,6 +1,6 @@
---
title: Certificate-based Isolation Policy Design (Windows 10)
description: Certificate-based Isolation Policy Design
description: Explore the methodology behind Certificate-based Isolation Policy Design and how it defers from Domain Isolation and Server Isolation Policy Design.
ms.assetid: 63e01a60-9daa-4701-9472-096c85e0f862
ms.reviewer:
ms.author: dansimp
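Review bot: typo in the new description line: "how it defers from Domain Isolation" should read "how it differs from Domain Isolation and Server Isolation Policy Design".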

View File

@ -1,6 +1,6 @@
---
title: Change Rules from Request to Require Mode (Windows 10)
description: Change Rules from Request to Require Mode
description: Learn how to convert a rule from request to require mode and apply the modified GPOs to the client devices.
ms.assetid: ad969eda-c681-48cb-a2c4-0b6cae5f4cff
ms.reviewer:
ms.author: dansimp

View File

@ -1,6 +1,6 @@
---
title: Checklist Implementing a Basic Firewall Policy Design (Windows 10)
description: Checklist Implementing a Basic Firewall Policy Design
description: Follow this parent checklist for implementing a basic firewall policy design to ensure successful implementation.
ms.assetid: 6caf0c1e-ac72-4f9d-a986-978b77fbbaa3
ms.reviewer:
ms.author: dansimp
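Review bot: the new description repeats itself ("checklist for implementing … to ensure successful implementation"); consider "Follow this parent checklist to implement a basic firewall policy design successfully."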

View File

@ -1,6 +1,6 @@
---
title: Designing a Windows Defender Firewall Strategy (Windows 10)
description: Designing a Windows Defender Firewall with Advanced Security Strategy
description: Answer the question in this article to design an effective Windows Defender Firewall with Advanced Security Strategy.
ms.assetid: 6d98b184-33d6-43a5-9418-4f24905cfd71
ms.reviewer:
ms.author: dansimp
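Review bot: the new description "Answer the question in this article to design an effective Windows Defender Firewall with Advanced Security Strategy." reads as if the article poses a single question; if it walks through several design questions, as a strategy design article normally does, use "Answer the questions in this article". Also "Strategy" is capitalized as though it were part of the product name; "Windows Defender Firewall with Advanced Security strategy" matches the title's own casing in the replaced line.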

View File

@ -1,6 +1,6 @@
---
title: Gathering Info about Your Network Infrastructure (Windows 10)
description: Gathering Information about Your Current Network Infrastructure
description: Learn how to gather info about your network infrastructure so that you can effectively plan for Windows Defender Firewall with Advanced Security deployment.
ms.assetid: f98d2b17-e71d-4ffc-b076-118b4d4782f9
ms.reviewer:
ms.author: dansimp

View File

@ -1,6 +1,6 @@
---
title: GPO\_DOMISO\_IsolatedDomain\_Clients (Windows 10)
description: GPO\_DOMISO\_IsolatedDomain\_Clients
description: Author this GPO by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools.
ms.assetid: 73cd9e25-f2f1-4ef6-b0d1-d36209518cd9
ms.reviewer:
ms.author: dansimp

View File

@ -1,6 +1,6 @@
---
title: GPO\_DOMISO\_IsolatedDomain\_Servers (Windows 10)
description: GPO\_DOMISO\_IsolatedDomain\_Servers
description: Author this GPO by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools.
ms.assetid: 33aed8f3-fdc3-4f96-985c-e9d2720015d3
ms.reviewer:
ms.author: dansimp
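Review bot: this description is identical to the one given to GPO\_DOMISO\_IsolatedDomain\_Clients in the previous file ("Author this GPO by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools."), so search results and link previews cannot distinguish the two pages; state what each GPO targets, e.g. "…for the servers in the isolated domain" here and "…for the client devices in the isolated domain" in the Clients file.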

View File

@ -1,6 +1,6 @@
---
title: Restrict Access to Only Specified Users or Devices (Windows 10)
description: Restrict Access to Only Specified Users or Devices
description: Restrict access to devices and users that are members of domain groups authorized to access that device using Windows Defender Firewall with Advanced Security.
ms.assetid: a6106a07-f9e5-430f-8dbd-06d3bf7406df
ms.reviewer:
ms.author: dansimp
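Review bot: the new description "Restrict access to devices and users that are members of domain groups authorized to access that device using Windows Defender Firewall with Advanced Security." is ambiguous: it reads as restricting access *to* the devices and users, whereas the article is about restricting access to a device so that only members of authorized domain groups can reach it. Suggest "Use Windows Defender Firewall with Advanced Security to restrict access to a device to only those users and devices that are members of authorized domain groups."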

View File

@ -78,7 +78,7 @@ Windows Virtual Desktop is a comprehensive desktop and app virtualization servic
#### Microsoft Endpoint Manager
Configuration Manager, Intune, Desktop Analytics, Co-Management, and Device Management Admin Console are now are [Microsoft Endpoint Manager](https://docs.microsoft.com/configmgr/). See the Nov. 4 2019 [announcement](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/). Also see [Modern management and security principles driving our Microsoft Endpoint Manager vision](https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Modern-management-and-security-principles-driving-our-Microsoft/ba-p/946797).
Configuration Manager, Intune, Desktop Analytics, Co-Management, and Device Management Admin Console are now [Microsoft Endpoint Manager](https://docs.microsoft.com/configmgr/). See the Nov. 4 2019 [announcement](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/). Also see [Modern management and security principles driving our Microsoft Endpoint Manager vision](https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Modern-management-and-security-principles-driving-our-Microsoft/ba-p/946797).
### Windows 10 Pro and Enterprise in S mode
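Review bot: "Nov. 4 2019" in the rewritten sentence is missing the comma after the day; write "Nov. 4, 2019" (or spell it out as "November 4, 2019"). The "now are" to "now" correction itself is right.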