From b3f65549b8a03795c6119989a449c423e01004fe Mon Sep 17 00:00:00 2001
From: VLG17 <41186174+VLG17@users.noreply.github.com>
Date: Fri, 27 Dec 2019 15:41:37 +0200
Subject: [PATCH 01/51] add note about Office requirement

https://github.com/MicrosoftDocs/windows-itpro-docs/issues/5632
---
 .../threat-protection/microsoft-defender-atp/evaluation-lab.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
index c7ae3aac79..c57aaa4f25 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
@@ -130,6 +130,9 @@ You can also use [Advanced hunting](advanced-hunting-query-language.md) to query
 >[!NOTE]
 >The connection to the test machines is done using RDP. Make sure that your firewall settings allow RDP connections.
 
+>[!NOTE]
+>Microsoft Office needs to be installed on the test machines for all the simulations to work.
+
 1. Connect to your machine and run an attack simulation by selecting **Connect**. 
 
     ![Image of the connect button for test machines](images/test-machine-table.png)

From 99465074cfc870e6c68d49a01359dfb10a5889e7 Mon Sep 17 00:00:00 2001
From: VLG17 <41186174+VLG17@users.noreply.github.com>
Date: Tue, 31 Dec 2019 10:29:56 +0200
Subject: [PATCH 02/51] Update
 windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md

Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
 .../threat-protection/microsoft-defender-atp/evaluation-lab.md | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
index c57aaa4f25..7c12abf5ca 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
@@ -127,7 +127,7 @@ If you are looking for a pre-made simulation, you can use our ["Do It Yourself"
 
 You can also use [Advanced hunting](advanced-hunting-query-language.md) to query data and [Threat analytics](threat-analytics.md) to view reports about emerging threats.
 
->[!NOTE]
+> [!NOTE]
 >The connection to the test machines is done using RDP. Make sure that your firewall settings allow RDP connections.
 
 >[!NOTE]
@@ -182,4 +182,3 @@ Your feedback helps us get better in protecting your environment from advanced a
 Let us know what you think, by selecting **Provide feedback**.
 
 ![Image of provide feedback](images/send-us-feedback-eval-lab.png)
-

From 8223224f467e69c9af6f4c362535f29c6faabe07 Mon Sep 17 00:00:00 2001
From: VLG17 <41186174+VLG17@users.noreply.github.com>
Date: Tue, 31 Dec 2019 10:30:02 +0200
Subject: [PATCH 03/51] Update
 windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md

Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
 .../threat-protection/microsoft-defender-atp/evaluation-lab.md  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
index 7c12abf5ca..e72267221c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
@@ -128,7 +128,7 @@ If you are looking for a pre-made simulation, you can use our ["Do It Yourself"
 You can also use [Advanced hunting](advanced-hunting-query-language.md) to query data and [Threat analytics](threat-analytics.md) to view reports about emerging threats.
 
 > [!NOTE]
->The connection to the test machines is done using RDP. Make sure that your firewall settings allow RDP connections.
+> The connection to the test machines is done using RDP. Make sure that your firewall settings allow RDP connections.
 
 >[!NOTE]
 >Microsoft Office needs to be installed on the test machines for all the simulations to work.

From 26c6318fe1c01bf7a2e9f849990e89b38d410f5c Mon Sep 17 00:00:00 2001
From: VLG17 <41186174+VLG17@users.noreply.github.com>
Date: Tue, 31 Dec 2019 10:30:07 +0200
Subject: [PATCH 04/51] Update
 windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md

Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
 .../threat-protection/microsoft-defender-atp/evaluation-lab.md  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
index e72267221c..243b2fe6a5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
@@ -130,7 +130,7 @@ You can also use [Advanced hunting](advanced-hunting-query-language.md) to query
 > [!NOTE]
 > The connection to the test machines is done using RDP. Make sure that your firewall settings allow RDP connections.
 
->[!NOTE]
+> [!NOTE]
 >Microsoft Office needs to be installed on the test machines for all the simulations to work.
 
 1. Connect to your machine and run an attack simulation by selecting **Connect**. 

From 3468922d71fa68b13657fb729a2c37e4866fecf1 Mon Sep 17 00:00:00 2001
From: VLG17 <41186174+VLG17@users.noreply.github.com>
Date: Tue, 31 Dec 2019 10:30:13 +0200
Subject: [PATCH 05/51] Update
 windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md

Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
 .../threat-protection/microsoft-defender-atp/evaluation-lab.md  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
index 243b2fe6a5..925e7e0ce3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
@@ -131,7 +131,7 @@ You can also use [Advanced hunting](advanced-hunting-query-language.md) to query
 > The connection to the test machines is done using RDP. Make sure that your firewall settings allow RDP connections.
 
 > [!NOTE]
->Microsoft Office needs to be installed on the test machines for all the simulations to work.
+> Microsoft Office needs to be installed on the test machines for all the simulations to work.
 
 1. Connect to your machine and run an attack simulation by selecting **Connect**. 
 

From c6d57cb3d14babe7249af004bec1af419728d7d5 Mon Sep 17 00:00:00 2001
From: isbrahm <43386070+isbrahm@users.noreply.github.com>
Date: Tue, 7 Jan 2020 15:21:52 -0800
Subject: [PATCH 06/51] Update recommended block list to explain not blocking
 1903 files

msxml3.dll, msxml6.dll, and jscript9.dll do not have to be blocked if using 1903, as the previous issue was fixed in this release
---
 .../microsoft-recommended-block-rules.md                     | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
index fc2d28a1c6..044f402da2 100644
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
@@ -160,9 +160,8 @@ Pick the correct version of each .dll for the Windows release you plan to suppor
   <Deny ID="ID_DENY_MS_BUILD" FriendlyName="Microsoft.Build.dll" FileName="Microsoft.Build.dll" MinimumFileVersion="65535.65535.65535.65535" /> 
   <Deny ID="ID_DENY_MS_BUILD_FMWK" FriendlyName="Microsoft.Build.Framework.dll" FileName="Microsoft.Build.Framework.dll" MinimumFileVersion="65535.65535.65535.65535" /> 
 
-  <!-- msxml3.dll pick correct version based on release you are supporting -->
-  <!-- msxml6.dll pick correct version based on release you are supporting -->     
-  <!-- jscript9.dll pick correct version based on release you are supporting -->
+  <!-- pick correct version of msxml3.dll, msxml6.dll, and jscript9.dll based on release you are supporting -->
+  <!-- the versions of these files in the 1903 release have this issue fixed, so they don’t need to be blocked -->
   <!-- RS1 Windows 1607
   <Deny  ID="ID_DENY_MSXML3"        FriendlyName="msxml3.dll"         FileName="msxml3.dll" MinimumFileVersion ="8.110.14393.2550"/>
   <Deny  ID="ID_DENY_MSXML6"        FriendlyName="msxml6.dll"         FileName="msxml6.dll" MinimumFileVersion ="6.30.14393.2550"/>

From 70e91d02b028f0cc9036acc3353609b34aa1f131 Mon Sep 17 00:00:00 2001
From: illfated <illfated@users.noreply.github.com>
Date: Wed, 15 Jan 2020 01:46:45 +0100
Subject: [PATCH 07/51] WDAC policy/Rule option 18: clarify ambiguity

Description:

According to the latest feedback from Air-Git in issue ticket #5462
(Option 18 is ambiguous), in the last part of the Rule option
Description, the wording is now precise, but not accurate.

An accurate statement is as follows:
"[...] for any FileRule that allows a file based on FilePath."

Thanks to Air-Git for the continued valuable feedback to MS Docs
articles in need of improvement and suggested solutions.

Proposed change:
- Adjust the end part of the sentence to be accurate.

issue ticket closure or reference:

Closes #5462
---
 .../select-types-of-rules-to-create.md                          | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
index 26bd6f527f..21ccdcbb4e 100644
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
@@ -67,7 +67,7 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru
 | **15 Enabled:Invalidate EAs on Reboot** | When the Intelligent Security Graph option (14) is used, WDAC sets an extended file attribute that indicates that the file was authorized to run. This option will cause WDAC to periodically re-validate the reputation for files that were authorized by the ISG.| 
 | **16 Enabled:Update Policy No Reboot** | Use this option to allow future WDAC policy updates to apply without requiring a system reboot. |
 | **17 Enabled:Allow Supplemental Policies** | Use this option on a base policy to allow supplemental policies to expand it. |
-| **18 Disabled:Runtime FilePath Rule Protection** | Disable default FilePath rule protection (apps and executables allowed based on file path rules must come from a file path that’s only writable by an administrator) for the path specified in the FilePathRule parameter of the New-CIPolicyRule cmdlet. |
+| **18 Disabled:Runtime FilePath Rule Protection** | Disable default FilePath rule protection (apps and executables allowed based on file path rules must come from a file path that’s only writable by an administrator) for any FileRule that allows a file based on FilePath. |
 | **19 Enabled:Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically-loaded libraries. |
 
 ## Windows Defender Application Control file rule levels

From d22bebd30ac19e93a2344853112e39f16c790367 Mon Sep 17 00:00:00 2001
From: illfated <illfated@users.noreply.github.com>
Date: Wed, 15 Jan 2020 04:14:58 +0100
Subject: [PATCH 08/51] Windows/Deployment: VAMT System Requirements

Description:

As per user feedback in issue ticket #5818 (Operating System
Requirements), it is desirable to allow for later versions of Windows
Server to be shown in the list of Operating Systems under "Minimum
system requirement".

There is also a visible defect in last row of the table, breaking the
last one and a half sentence over to the first column of the next row.

Thanks to laolive382 for posting this request and making me notice the
(ever so slightly) broken table.

Changes proposed:
- change "2008 R2, or Windows Server 2012" to
  "2008 R2, Windows Server 2012, or later"
- remove line break in the last row to restore the row structure
- add MarkDown spacing in the table for readability/editing

issue ticket closure or reference:

Closes #5818
---
 .../volume-activation/vamt-requirements.md    | 21 +++++++++----------
 1 file changed, 10 insertions(+), 11 deletions(-)

diff --git a/windows/deployment/volume-activation/vamt-requirements.md b/windows/deployment/volume-activation/vamt-requirements.md
index 264ebca94c..7cd74fcf79 100644
--- a/windows/deployment/volume-activation/vamt-requirements.md
+++ b/windows/deployment/volume-activation/vamt-requirements.md
@@ -31,17 +31,16 @@ The Volume Activation Management Tool (VAMT) can be used to perform activations
 
 The following table lists the system requirements for the VAMT host computer.
 
-|Item |Minimum system requirement |
-|-----|---------------------------|
-|Computer and Processor |1 GHz x86 or x64 processor |
-|Memory |1 GB RAM for x86 or 2 GB RAM for x64 |
-|Hard Disk |16 GB available hard disk space for x86 or 20 GB for x64 |
-|External Drive|Removable media (Optional) |
-|Display |1024x768 or higher resolution monitor |
-|Network |Connectivity to remote computers via Windows® Management Instrumentation (TCP/IP) and Microsoft® Activation Web Service on the Internet via HTTPS |
-|Operating System |Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008 R2, or Windows Server 2012. |
-|Additional Requirements |<ul><li>Connection to a SQL Server database. For more info, see [Install VAMT](install-vamt.md).</li><li>PowerShell 3.0: For Windows 8, Windows 8.1, Windows 10, and Windows Server® 2012, PowerShell is included in the installation. For previous versions of Windows and 
-Windows Server, you must download PowerShell 3.0. To download PowerShell, go to [Download Windows PowerShell 3.0](https://go.microsoft.com/fwlink/p/?LinkId=218356).</li><li>If installing on Windows Server 2008 R2, you must also install .NET Framework 3.51.</li></ul> |
+| Item | Minimum system requirement |
+| ---- | ---------------------------|
+| Computer and Processor | 1 GHz x86 or x64 processor |
+| Memory | 1 GB RAM for x86 or 2 GB RAM for x64 |
+| Hard Disk | 16 GB available hard disk space for x86 or 20 GB for x64 |
+| External Drive | Removable media (Optional) |
+| Display | 1024x768 or higher resolution monitor |
+| Network |Connectivity to remote computers via Windows® Management Instrumentation (TCP/IP) and Microsoft® Activation Web Service on the Internet via HTTPS |
+| Operating System | Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008 R2, Windows Server 2012, or later. |
+| Additional Requirements | <ul><li>Connection to a SQL Server database. For more info, see [Install VAMT](install-vamt.md).</li><li>PowerShell 3.0: For Windows 8, Windows 8.1, Windows 10, and Windows Server® 2012, PowerShell is included in the installation. For previous versions of Windows and Windows Server, you must download PowerShell 3.0. To download PowerShell, go to [Download Windows PowerShell 3.0](https://go.microsoft.com/fwlink/p/?LinkId=218356).</li><li>If installing on Windows Server 2008 R2, you must also install .NET Framework 3.51.</li></ul> |
 
 ## Related topics
 - [Install and Configure VAMT](install-configure-vamt.md)

From 9655ddbe762e84e22442f3b6c7fc362c8bce26fd Mon Sep 17 00:00:00 2001
From: illfated <illfated@users.noreply.github.com>
Date: Wed, 15 Jan 2020 18:32:41 +0100
Subject: [PATCH 09/51] =?UTF-8?q?Remove=20registered=20=C2=AE=20trade=20ma?=
 =?UTF-8?q?rk=20symbol?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

From @JohanFreelancer9:
> Copy Review - copy looks good. Although not really part of the PR,
> please remove trademark symbols.
---
 windows/deployment/volume-activation/vamt-requirements.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/windows/deployment/volume-activation/vamt-requirements.md b/windows/deployment/volume-activation/vamt-requirements.md
index 7cd74fcf79..e9c0da934f 100644
--- a/windows/deployment/volume-activation/vamt-requirements.md
+++ b/windows/deployment/volume-activation/vamt-requirements.md
@@ -38,9 +38,9 @@ The following table lists the system requirements for the VAMT host computer.
 | Hard Disk | 16 GB available hard disk space for x86 or 20 GB for x64 |
 | External Drive | Removable media (Optional) |
 | Display | 1024x768 or higher resolution monitor |
-| Network |Connectivity to remote computers via Windows® Management Instrumentation (TCP/IP) and Microsoft® Activation Web Service on the Internet via HTTPS |
+| Network | Connectivity to remote computers via Windows Management Instrumentation (TCP/IP) and Microsoft Activation Web Service on the Internet via HTTPS |
 | Operating System | Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008 R2, Windows Server 2012, or later. |
-| Additional Requirements | <ul><li>Connection to a SQL Server database. For more info, see [Install VAMT](install-vamt.md).</li><li>PowerShell 3.0: For Windows 8, Windows 8.1, Windows 10, and Windows Server® 2012, PowerShell is included in the installation. For previous versions of Windows and Windows Server, you must download PowerShell 3.0. To download PowerShell, go to [Download Windows PowerShell 3.0](https://go.microsoft.com/fwlink/p/?LinkId=218356).</li><li>If installing on Windows Server 2008 R2, you must also install .NET Framework 3.51.</li></ul> |
+| Additional Requirements | <ul><li>Connection to a SQL Server database. For more info, see [Install VAMT](install-vamt.md).</li><li>PowerShell 3.0: For Windows 8, Windows 8.1, Windows 10, and Windows Server 2012, PowerShell is included in the installation. For previous versions of Windows and Windows Server, you must download PowerShell 3.0. To download PowerShell, go to [Download Windows PowerShell 3.0](https://go.microsoft.com/fwlink/p/?LinkId=218356).</li><li>If installing on Windows Server 2008 R2, you must also install .NET Framework 3.51.</li></ul> |
 
 ## Related topics
 - [Install and Configure VAMT](install-configure-vamt.md)

From 8673500b224a773e04e401b643587a8cc2f041bd Mon Sep 17 00:00:00 2001
From: isbrahm <43386070+isbrahm@users.noreply.github.com>
Date: Wed, 15 Jan 2020 14:43:04 -0800
Subject: [PATCH 10/51] Update LOB Win32 apps on s mode

Add brief testing information, correct spelling mistakes, add errata section
---
 .../LOB-win32-apps-on-s.md                        | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
index 4095a6a122..edd54678bf 100644
--- a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
+++ b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
@@ -32,7 +32,8 @@ Refer to the below video for an overview and brief demo.
 
 ## Policy Authorization Process
 ![Policy Authorization](images/wdac-intune-policy-authorization.png)
-The general steps for expanding the S mode base policy on your devices are to generate a supplemental policy, sign that policy, and then upload the signed policy to Intune and assign it to user or device groups.
+The general steps for expanding the S mode base policy on your Intune-managed devices are to generate a supplemental policy, sign that policy, and then upload the signed policy to Intune and assign it to user or device groups. Because you need access to WDAC PowerShell cmdlets to generate your supplemental policy, you should create and manage your policies on a non-S mode device. Once the policy has been uploaded to Intune, we recommend assigning it to a single test S-mode device to verify expected functioning before deploying the policy more broadly.
+
 1. Generate a supplemental policy with WDAC tooling
 
     This policy will expand the S mode base policy to authorize additional applications. Anything authorized by either the S mode base policy or your supplemental policy will be allowed to run. Your supplemental policies can specify filepath rules, trusted publishers, and more. 
@@ -60,7 +61,7 @@ The general steps for expanding the S mode base policy on your devices are to ge
     -  Since you'll be signing your policy, you must authorize the signing certificate you will use to sign the policy and optionally one or more additional signers that can be used to sign updates to the policy in the future. For more information, refer to Section 2, Sign policy. Use Add-SignerRule to add the signing certificate to the WDAC policy: 
        
         ```powershell
-        Add-SignerRule -FilePath <policypath> -CertificatePath <certpath> -User -Update`
+        Add-SignerRule -FilePath <policypath> -CertificatePath <certpath> -User -Update
         ```
     - Convert to .bin using [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy?view=win10-ps)
 
@@ -91,7 +92,7 @@ Your supplemental policy can be used to significantly relax the S mode base poli
 
 Instead of authorizing signers external to your organization, Intune has added new functionality to make it easier to authorize existing applications (without requiring repackaging or access to the source code) through the use of signed catalogs. This works for apps which may be unsigned or even signed apps when you don’t want to trust all apps that may share the same signing certificate.
 
-The basic process is to generate a catalog file for each app using Package Inspector, then sign the catalog files using the DGSS or a custom PKI. After that, IT Pros can use the standard Intune app deployment process outlined above. Refer to [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-windows-defender-application-control.md) for more in-depth guidance on generating catalogs. 
+The basic process is to generate a catalog file for each app using Package Inspector, then sign the catalog files using the DGSS or a custom PKI. Use the Add-SignerRule PowerShell cmdlet as shown above to authorize the catalog signing certificate in the supplemental policy. After that, IT Pros can use the standard Intune app deployment process outlined above. Refer to [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-windows-defender-application-control.md) for more in-depth guidance on generating catalogs. 
 
 > [!Note] 
 > Every time an app updates, you will need to deploy an updated catalog. Because of this, IT Pros should try to avoid using catalog files for applications that auto-update and direct users not to update applications on their own.
@@ -180,8 +181,11 @@ Below is a sample policy that allows kernel debuggers, PowerShell ISE, and Regis
 </SiPolicy>
 ```
 ## Policy removal
+In order to revert users to an unmodified S mode policy, an IT Pro can remove a user or users from the targeted Intune group which received the policy, which will trigger a removal of both the policy and the authorization token from the device.
+
+IT Pros also have the choice of deleting a supplemental policy through Intune.
 > [!Note]
-> This feature currently has a known a policy deletion bug, with a fix expected in the 2D update in late February 2020. Devices of users who are unenrolled will still have their WDAC policies removed. In the mentime, IT Pros are recommended to update their policy with the below 'empty' policy which makes no changes to S mode.
+> This feature currently has a known bug which occurs when an S mode supplemental policy is deleted through Intune, in which the policy is not immediately removed from the devices to which it was deployed. A fix is expected in the 2D update in late February 2020. In the meantime, IT Pros are recommended to update their policy with the below 'empty' policy which makes no changes to S mode.
 
 ```xml
 <?xml version="1.0" encoding="utf-8"?>
@@ -233,3 +237,6 @@ Below is a sample policy that allows kernel debuggers, PowerShell ISE, and Regis
   </Settings>
 </SiPolicy>
 ```
+
+## Errata
+If an S-mode device with a policy authorization token and supplemental policy is rolled back from the 1909 update to the 1903 build, it will not revert to locked-down S mode until the next policy refresh. To achieve an immediate change to a locked-down S mode state, IT Pros should delete any tokens in %SystemRoot%\System32\CI\Tokens\Active.

From 8b0e9983d011cca6eb7ea90a910a46a1039e1c6b Mon Sep 17 00:00:00 2001
From: Rick Munck <33725928+jmunck@users.noreply.github.com>
Date: Wed, 15 Jan 2020 21:10:37 -0800
Subject: [PATCH 11/51] Update security-compliance-toolkit-10.md

---
 .../threat-protection/security-compliance-toolkit-10.md      | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/windows/security/threat-protection/security-compliance-toolkit-10.md b/windows/security/threat-protection/security-compliance-toolkit-10.md
index 8d134aaa46..4c475c71c0 100644
--- a/windows/security/threat-protection/security-compliance-toolkit-10.md
+++ b/windows/security/threat-protection/security-compliance-toolkit-10.md
@@ -41,7 +41,10 @@ The Security Compliance Toolkit consists of:
     -   Windows Server 2012 R2
 
 -   Microsoft Office security baseline
-    -   Office365 ProPlus (Sept 2019)
+    -   Office 365 ProPlus (Sept 2019)
+
+-   Microsoft Edge security baseline
+    -   Version 79
 
 -   Tools
     -   Policy Analyzer tool

From ff8ffa82791ab6b9e8fd0b793d150405d60fcda4 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT <deniseb@microsoft.com>
Date: Thu, 16 Jan 2020 16:54:52 -0800
Subject: [PATCH 12/51] Update
 prevent-changes-to-security-settings-with-tamper-protection.md

---
 ...event-changes-to-security-settings-with-tamper-protection.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
index 21736ff5a6..a787ce0cd1 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
@@ -121,7 +121,7 @@ Here's what you see in the Windows Security app:
 
 If you are using Windows OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), or [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019), you won't see **Tamper Protection** in the Windows Security app. In this case, you can use PowerShell to determine whether tamper protection is enabled.
 
-#### Use PowerShell to determine whether tamper protection is turned
+#### Use PowerShell to determine whether tamper protection is turned on
 
 1. Open the Windows PowerShell app.
 

From 4f796e885ca5adb9cf17d9033844de6fcbc8725c Mon Sep 17 00:00:00 2001
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com>
Date: Sat, 18 Jan 2020 19:18:21 +0500
Subject: [PATCH 13/51] Update
 upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md

---
 ...de-to-windows-10-with-the-microsoft-deployment-toolkit.md | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
index 2a7e01c1d8..ee85dd816a 100644
--- a/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
+++ b/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
@@ -11,7 +11,8 @@ ms.mktglfcycl: deploy
 ms.localizationpriority: medium
 ms.sitesec: library
 ms.pagetype: mdt
-audience: itpro
author: greg-lindsay
+audience: itpro
+author: greg-lindsay
 ms.topic: article
 ---
 
@@ -24,7 +25,7 @@ The simplest path to upgrade PCs that are currently running Windows 7, Windows
 
 ## Proof-of-concept environment
 
-For the purposes of this topic, we will use four machines: DC01, MDT01, and PC0001. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 standard machine, fully patched with the latest security updates, and configured as a member server in the fictional contoso.com domain. PC0001 is a machine with Windows 7 SP1, targeted for the Windows 10 upgrade. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
+For the purposes of this topic, we will use three machines: DC01, MDT01, and PC0001. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 standard machine, fully patched with the latest security updates, and configured as a member server in the fictional contoso.com domain. PC0001 is a machine with Windows 7 SP1, targeted for the Windows 10 upgrade. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
 
 ![fig 1](../images/upgrademdt-fig1-machines.png)
 

From f4966d1cd3111aae1c8739a0da3430836c3703ef Mon Sep 17 00:00:00 2001
From: ImranHabib <47118050+joinimran@users.noreply.github.com>
Date: Sat, 18 Jan 2020 21:12:20 +0500
Subject: [PATCH 14/51] Removed the link

As the link is not pointing to a proper source and there is no other information is available on Microsoft docs so I have removed this link. The link provided was pointing to the LinkedIn course intro video and doesn't fit with the context of the article.

Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/5854
---
 .../credential-guard/credential-guard-requirements.md          | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
index 68102f6e49..d0124ff8cf 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
@@ -78,9 +78,6 @@ Applications may cause performance issues when they attempt to hook the isolated
 
 Services or protocols that rely on Kerberos, such as file shares, remote desktop, or BranchCache, continue to work and are not affected by Windows Defender Credential Guard.
 
-See this video: [Credentials Protected by Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474)
-
-
 ## Security considerations
 
 All computers that meet baseline protections for hardware, firmware, and software can use Windows Defender Credential Guard.

From aac0c2b8d7e67c6f8dbae166045e046a049c9a05 Mon Sep 17 00:00:00 2001
From: ImranHabib <47118050+joinimran@users.noreply.github.com>
Date: Sat, 18 Jan 2020 21:42:40 +0500
Subject: [PATCH 15/51] Correction in RegKey

Verified and made a correction in the Reg Key.

Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/5550
---
 .../configure-server-exclusions-windows-defender-antivirus.md   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
index 85b7b015a3..6c817499da 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
@@ -266,7 +266,7 @@ This section lists the exclusions that are delivered automatically when you inst
 
   - %windir%\Ntds\ntds.pat
 
-- The AD DS transaction log files. The transaction log files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files`
+- The AD DS transaction log files. The transaction log files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files Path`
 
   - %windir%\Ntds\EDB*.log
 

From 2ea2afc8df9c45c3ecc0ebc2ec71f0ef7574f8dc Mon Sep 17 00:00:00 2001
From: ImranHabib <47118050+joinimran@users.noreply.github.com>
Date: Sat, 18 Jan 2020 21:59:42 +0500
Subject: [PATCH 16/51] Removed the note

As mentioned in the document https://docs.microsoft.com/en-us/surface/surface-pro-arm-app-management PXE boot is supported in Surface Pro X

Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/5856
---
 .../surface/ethernet-adapters-and-surface-device-deployment.md | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/devices/surface/ethernet-adapters-and-surface-device-deployment.md b/devices/surface/ethernet-adapters-and-surface-device-deployment.md
index 1b1216cd8d..d04ad089fc 100644
--- a/devices/surface/ethernet-adapters-and-surface-device-deployment.md
+++ b/devices/surface/ethernet-adapters-and-surface-device-deployment.md
@@ -33,9 +33,6 @@ The primary concern when selecting an Ethernet adapter is how that adapter will
 
 Booting from the network (PXE boot) is only supported when you use an Ethernet adapter or docking station from Microsoft. To boot from the network, the chipset in the Ethernet adapter or dock must be detected and configured as a boot device in the firmware of the Surface device. Microsoft Ethernet adapters, such as the Surface Ethernet Adapter and the [Surface Dock](https://www.microsoft.com/surface/accessories/surface-dock) use a chipset that is compatible with the Surface firmware.
 
-> [!NOTE]
->  PXE boot is not supported on Surface Pro X. For more information, refer to [Deploying, managing, and servicing Surface Pro X](surface-pro-arm-app-management.md)
-
 The following Ethernet devices are supported for network boot with Surface devices:
 
 -   Surface USB-C to Ethernet and USB 3.0 Adapter

From 0d1a9197d67d6e3373b8113906821c20aa092332 Mon Sep 17 00:00:00 2001
From: Carol Bailey <carol.bailey@microsoft.com>
Date: Sun, 19 Jan 2020 18:48:18 -0800
Subject: [PATCH 17/51] Add link to new how-to article (create label)

---
 .../windows-information-protection/how-wip-works-with-labels.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md b/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md
index 5b2d65942a..116ddd8e14 100644
--- a/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md
+++ b/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md
@@ -47,7 +47,7 @@ Microsoft information protection technologies include:
 ## How WIP protects sensitivity labels with endpoint data loss prevention
 
 You can create and manage [sensitivity labels](https://docs.microsoft.com/office365/securitycompliance/labels) in the Microsoft 365 compliance center. 
-When you create a sensitivity label, you can specify that endpoint data loss prevention applies to content with that label. 
+When you [create a sensitivity label](https://docs.microsoft.com/microsoft-365/compliance/create-sensitivity-labels), you can specify that endpoint data loss prevention applies to content with that label. 
 
 ![Endpoint data loss prevention](images/sensitivity-label-endpoint-dlp.png)
 

From d2cd44e10988ca98dec5259560c1f341be298527 Mon Sep 17 00:00:00 2001
From: Bill Mcilhargey <19168174+computeronix@users.noreply.github.com>
Date: Tue, 21 Jan 2020 11:20:52 -0500
Subject: [PATCH 18/51] Added keyword - third party av

Added keyword third party av for easier finding this document
---
 .../windows-defender-antivirus/why-use-microsoft-antivirus.md   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md
index 392bc3f8e3..57b00a8aa0 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md
@@ -1,7 +1,7 @@
 ---
 title: Why you should use Windows Defender Antivirus together with Microsoft Defender Advanced Threat Protection
 description: For best results, use Windows Defender Antivirus together with your other Microsoft offerings.
-keywords: windows defender, antivirus
+keywords: windows defender, antivirus, third party av
 search.product: eADQiWindows 10XVcnh
 ms.pagetype: security
 ms.prod: w10

From d034371f9b6bee8cfb6393a258a8b399dd0fcdb9 Mon Sep 17 00:00:00 2001
From: isbrahm <43386070+isbrahm@users.noreply.github.com>
Date: Tue, 21 Jan 2020 09:34:51 -0800
Subject: [PATCH 19/51] Minor edits for readability

---
 .../microsoft-recommended-block-rules.md                      | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
index 044f402da2..465dfec3fb 100644
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
@@ -160,7 +160,7 @@ Pick the correct version of each .dll for the Windows release you plan to suppor
   <Deny ID="ID_DENY_MS_BUILD" FriendlyName="Microsoft.Build.dll" FileName="Microsoft.Build.dll" MinimumFileVersion="65535.65535.65535.65535" /> 
   <Deny ID="ID_DENY_MS_BUILD_FMWK" FriendlyName="Microsoft.Build.Framework.dll" FileName="Microsoft.Build.Framework.dll" MinimumFileVersion="65535.65535.65535.65535" /> 
 
-  <!-- pick correct version of msxml3.dll, msxml6.dll, and jscript9.dll based on release you are supporting -->
+  <!-- pick the correct version of msxml3.dll, msxml6.dll, and jscript9.dll based on the release you are supporting -->
   <!-- the versions of these files in the 1903 release have this issue fixed, so they don’t need to be blocked -->
   <!-- RS1 Windows 1607
   <Deny  ID="ID_DENY_MSXML3"        FriendlyName="msxml3.dll"         FileName="msxml3.dll" MinimumFileVersion ="8.110.14393.2550"/>
@@ -892,7 +892,7 @@ Pick the correct version of each .dll for the Windows release you plan to suppor
   <FileRuleRef RuleID="ID_DENY_WMIC"/>
   <FileRuleRef RuleID="ID_DENY_MWFC" /> 
   <FileRuleRef RuleID="ID_DENY_WFC" /> 
-  <!-- Uncomment the relevant line(s) below if you have uncommented them in the rule definitions above.
+  <!-- uncomment the relevant line(s) below if you have uncommented them in the rule definitions above
   <FileRuleRef RuleID="ID_DENY_MSXML3" /> 
   <FileRuleRef RuleID="ID_DENY_MSXML6" /> 
   <FileRuleRef RuleID="ID_DENY_JSCRIPT9" />

From 7dadcefbe0a03fc62c32932337ca438c3ecbe693 Mon Sep 17 00:00:00 2001
From: isbrahm <43386070+isbrahm@users.noreply.github.com>
Date: Wed, 22 Jan 2020 11:20:42 -0800
Subject: [PATCH 20/51] Add abbreviation for DGSS

---
 .../windows-defender-application-control/LOB-win32-apps-on-s.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
index edd54678bf..4ead268500 100644
--- a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
+++ b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
@@ -71,7 +71,7 @@ The general steps for expanding the S mode base policy on your Intune-managed de
 
 2. Sign policy
     
-    Supplemental S mode policies must be digitally signed. To sign your policy, you can choose to use the Device Guard Signing Service or your organization's custom Public Key Infrastructure (PKI). Refer to [Use the Device Guard Signing Portal in the Microsoft Store for Business](use-device-guard-signing-portal-in-microsoft-store-for-business.md) for guidance on using DGSS and [Create a code signing cert for WDAC](create-code-signing-cert-for-windows-defender-application-control.md) for guidance on signing using an internal CA.
+    Supplemental S mode policies must be digitally signed. To sign your policy, you can choose to use the Device Guard Signing Service (DGSS) or your organization's custom Public Key Infrastructure (PKI). Refer to [Use the Device Guard Signing Portal in the Microsoft Store for Business](use-device-guard-signing-portal-in-microsoft-store-for-business.md) for guidance on using DGSS and [Create a code signing cert for WDAC](create-code-signing-cert-for-windows-defender-application-control.md) for guidance on signing using an internal CA.
 
     Rename your policy to "{PolicyID}.p7b" after you've signed it. PolicyID can be found by inspecting the Supplemental Policy XML.
 

From 4faec041f396c1d20d25af1e1304e9db5d76ff42 Mon Sep 17 00:00:00 2001
From: isbrahm <43386070+isbrahm@users.noreply.github.com>
Date: Wed, 22 Jan 2020 12:07:14 -0800
Subject: [PATCH 21/51] Document WDAC signer key restrictions

---
 .../select-types-of-rules-to-create.md                    | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
index 26bd6f527f..feb46cf416 100644
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
@@ -83,11 +83,6 @@ Each file rule level has its benefit and disadvantage. Use Table 2 to select the
 | **Hash** | Specifies individual hash values for each discovered binary. Although this level is specific, it can cause additional administrative overhead to maintain the current product versions’ hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. |
 | **FileName** | Specifies individual binary file names. Although the hash values for an application are modified when updated, the file names are typically not. This offers less specific security than the hash level but does not typically require a policy update when any binary is modified. |
 | **FilePath** | Beginning with Windows 10 version 1903, this specifies rules that allow execution of binaries contained under specific file path locations. Additional information about FilePath level rules can be found below. |
-> [!NOTE]
-> Due to an existing bug, you can not combine Path-based ALLOW rules with any DENY rules in a single policy. Instead, either separate DENY rules into a separate Base policy or move the Path-based ALLOW rules into a supplemental policy as described in [Deploy multiple WDAC policies.](deploy-multiple-windows-defender-application-control-policies.md) 
-
-| Rule level | Description |
-|----------- | ----------- |
 | **SignedVersion** | This combines the publisher rule with a version number. This option allows anything from the specified publisher, with a version at or above the specified version number, to run. |
 | **Publisher** | This is a combination of the PcaCertificate level (typically one certificate below the root) and the common name (CN) of the leaf certificate. This rule level allows organizations to trust a certificate from a major CA (such as Symantec), but only if the leaf certificate is from a specific company (such as Intel, for device drivers). |
 | **FilePublisher** | This is a combination of the “FileName” attribute of the signed file, plus “Publisher” (PCA certificate with CN of leaf), plus a minimum version number. This option trusts specific files from the specified publisher, with a version at or above the specified version number. |
@@ -101,6 +96,9 @@ Each file rule level has its benefit and disadvantage. Use Table 2 to select the
 > [!NOTE]
 > When you create WDAC policies with [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy), you can specify a primary file rule level by including the **-Level** parameter. For discovered binaries that cannot be trusted based on the primary file rule criteria, use the **-Fallback** parameter. For example, if the primary file rule level is PCACertificate but you would like to trust the unsigned applications as well, using the Hash rule level as a fallback adds the hash values of binaries that did not have a signing certificate.
 
+> [!NOTE]
+> WDAC only supports signer rules for RSA certificate signing keys with a maximum of 4096 bits.
+
 ## Example of file rule levels in use
 
 For example, consider some IT professionals in a department that runs many servers. They decide they want their servers to run only software signed by the providers of their software and drivers, that is, the companies that provide their hardware, operating system, antivirus, and other important software. They know that their servers also run an internally written application that is unsigned but is rarely updated. They want to allow this application to run.

From 031fbe2588a6aa2769fe54d3af7d1fb92a3a0484 Mon Sep 17 00:00:00 2001
From: Lucas Gabriel Schneider <casdpa@gmail.com>
Date: Wed, 22 Jan 2020 20:44:01 +0000
Subject: [PATCH 22/51] fixed typo at surface hub file

---
 .../use-surface-hub-diagnostic-test-device-account.md           | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/devices/surface-hub/use-surface-hub-diagnostic-test-device-account.md b/devices/surface-hub/use-surface-hub-diagnostic-test-device-account.md
index 40a5768d27..0e5600c12c 100644
--- a/devices/surface-hub/use-surface-hub-diagnostic-test-device-account.md
+++ b/devices/surface-hub/use-surface-hub-diagnostic-test-device-account.md
@@ -93,7 +93,7 @@ Internet Connectivity |Device does have Internet connectivity |Device does not h
 HTTP Version |1.1 |1.0 |If HTTP 1.0 found, it will cause issue with WU and Store |
 Direct Internet Connectivity |Device has a Proxy configured Device has no Proxy configured |N/A |Informational. Is your device behind a proxy? |
 Proxy Address | | |If configured, returns proxy address. |
-Proxy Authentication |Proxy does not require Authentication |Proxy requires Proxy Auth |Result may be a false positive if a user already has an open session in Edge and has authenticated thru the proxy. |[Configuring a proxy for your Surface Hub](https://blogs.technet.microsoft.com/y0av/2017/12/03/7/)
+Proxy Authentication |Proxy does not require Authentication |Proxy requires Proxy Auth |Result may be a false positive if a user already has an open session in Edge and has authenticated through the proxy. |[Configuring a proxy for your Surface Hub](https://blogs.technet.microsoft.com/y0av/2017/12/03/7/)
 Proxy Auth Types | | |If proxy authentication is used, return the Authentication methods advertised by the proxy.  |
 
 #### Environment

From 73d0184517f272a65390e12530c3ea1c5b902b8b Mon Sep 17 00:00:00 2001
From: Lucas Gabriel Schneider <casdpa@gmail.com>
Date: Wed, 22 Jan 2020 20:45:10 +0000
Subject: [PATCH 23/51] Update
 considerations-for-surface-and-system-center-configuration-manager.md

---
 ...tions-for-surface-and-system-center-configuration-manager.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md b/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md
index 2513abc0f9..87ae58a8b0 100644
--- a/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md
+++ b/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md
@@ -30,7 +30,7 @@ Although the deployment and management of Surface devices is fundamentally the s
 ## Updating Surface device drivers and firmware
 
 
-For devices that recieve updates through Windows Update, drivers for Surface components (and even firmware updates) are applied automatically as part of the Windows Update process. For devices with managed updates, such as those updated through Windows Server Update Services (WSUS) or System Center Configuration Manager, see [Manage Surface driver and firmware updates](https://docs.microsoft.com/surface/manage-surface-driver-and-firmware-updates/).
+For devices that receive updates through Windows Update, drivers for Surface components (and even firmware updates) are applied automatically as part of the Windows Update process. For devices with managed updates, such as those updated through Windows Server Update Services (WSUS) or System Center Configuration Manager, see [Manage Surface driver and firmware updates](https://docs.microsoft.com/surface/manage-surface-driver-and-firmware-updates/).
 
 
 > [!NOTE]

From 0f27965a1f67d5971d172bde8cfccf2f9bfe4ae9 Mon Sep 17 00:00:00 2001
From: Lucas Gabriel Schneider <casdpa@gmail.com>
Date: Wed, 22 Jan 2020 20:46:44 +0000
Subject: [PATCH 24/51] Update troubleshooting-mbam-installation.md

---
 mdop/mbam-v25/troubleshooting-mbam-installation.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/mdop/mbam-v25/troubleshooting-mbam-installation.md b/mdop/mbam-v25/troubleshooting-mbam-installation.md
index d8e8d0fc89..f2d0494b7f 100644
--- a/mdop/mbam-v25/troubleshooting-mbam-installation.md
+++ b/mdop/mbam-v25/troubleshooting-mbam-installation.md
@@ -335,7 +335,7 @@ The MBAM agent will be unable to post any updates to the database if connectivit
     User:          SYSTEM
     Computer:      TESTLABS.CONTOSO.COM
     Description:
-    An error occured while applying MBAM policies.
+    An error occurred while applying MBAM policies.
     Volume ID:\\?\Volume{871c5858-2467-4d0b-8c83-d68af8ce10e5}\ 
     Error code:
     0x803D0010 
@@ -352,7 +352,7 @@ The MBAM agent will be unable to post any updates to the database if connectivit
     User:          SYSTEM
     Computer:      TESTLABS.CONTOSO.COM
     Description:
-    An error occured while applying MBAM policies.
+    An error occurred while applying MBAM policies.
     Volume ID:\\?\Volume{871c5858-2467-4d0b-8c83-d68af8ce10e5}\ 
     Error code:
     0x803D0006 
@@ -420,7 +420,7 @@ The MBAM services may be unable to connect to the database server because of a n
     Computer:      MBAM2-Admin.contoso.com
     Description:
     Event code: 100001
-    Event message: SQL error occured
+    Event message: SQL error occurred
     Event time: 7/11/2013 6:16:34 PM
     Event time (UTC): 7/11/2013 12:46:34 PM
     Event ID: 6615fb8eb9d54e778b933d5bb7ca91ed
@@ -552,7 +552,7 @@ Review the activity in the service trace log for any error or warning entries. B
     <Channel />
     <Computer>XXXXXXXXXXX</Computer>
     </System>
-    <ApplicationData>AddUpdateVolume: While executing sql transaction for add volume to store exception occured Key Recovery Data Store processing error: Violation of UNIQUE KEY constraint 'UniqueRecoveryKeyId'. Cannot insert duplicate key in object 'RecoveryAndHardwareCore.Keys'. The duplicate key value is (8637036e-b379-4798-bd9e-5a0b36296de3).
+    <ApplicationData>AddUpdateVolume: While executing sql transaction for add volume to store exception occurred Key Recovery Data Store processing error: Violation of UNIQUE KEY constraint 'UniqueRecoveryKeyId'. Cannot insert duplicate key in object 'RecoveryAndHardwareCore.Keys'. The duplicate key value is (8637036e-b379-4798-bd9e-5a0b36296de3).
     </ApplicationData>
     </E2ETraceEvent>
 

From c073d4990727945210dba52a32c7533403e91b0b Mon Sep 17 00:00:00 2001
From: Herbert Mauerer <41573578+HerbertMauerer@users.noreply.github.com>
Date: Thu, 23 Jan 2020 10:14:23 +0100
Subject: [PATCH 25/51] Update active-directory-accounts.md

wrong event ID is mentioned. it's really 9:
          <event
              keywords="win:EventlogClassic"
              message="$(string.event_KDCEVENT_KRBTGT_PASSWORD_CHANGED)"
              symbol="KDCEVENT_KRBTGT_PASSWORD_CHANGED"
              value="0x00000009"
              />
---
 .../access-control/active-directory-accounts.md                 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/identity-protection/access-control/active-directory-accounts.md b/windows/security/identity-protection/access-control/active-directory-accounts.md
index 50958f0314..c712073a39 100644
--- a/windows/security/identity-protection/access-control/active-directory-accounts.md
+++ b/windows/security/identity-protection/access-control/active-directory-accounts.md
@@ -334,7 +334,7 @@ A strong password is assigned to the KRBTGT and trust accounts automatically. Li
 
 Resetting the password requires you either to be a member of the Domain Admins group, or to have been delegated with the appropriate authority. In addition, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.
 
-After you reset the KRBTGT password, ensure that event ID 6 in the (Kerberos) Key-Distribution-Center event source is written to the System event log.
+After you reset the KRBTGT password, ensure that event ID 9 in the (Kerberos) Key-Distribution-Center event source is written to the System event log.
 
 ### Security considerations
 

From 054f4a556b039adda7831fca48d69eb09bdad514 Mon Sep 17 00:00:00 2001
From: Lucas Gabriel Schneider <casdpa@gmail.com>
Date: Thu, 23 Jan 2020 18:11:08 +0000
Subject: [PATCH 26/51] MED-V fix typo

---
 mdop/medv-v2/creating-a-windows-virtual-pc-image-for-med-v.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mdop/medv-v2/creating-a-windows-virtual-pc-image-for-med-v.md b/mdop/medv-v2/creating-a-windows-virtual-pc-image-for-med-v.md
index 665b8f08a0..d501b3826f 100644
--- a/mdop/medv-v2/creating-a-windows-virtual-pc-image-for-med-v.md
+++ b/mdop/medv-v2/creating-a-windows-virtual-pc-image-for-med-v.md
@@ -81,7 +81,7 @@ When you install updates to Windows XP, make sure that you remain on the version
 Although it is optional, we recommend that you install the following update for [hotfix KB972435](https://go.microsoft.com/fwlink/?LinkId=201077) (https://go.microsoft.com/fwlink/?LinkId=201077). This update increases the performance of shared folders in a Terminal Services session:
 
 **Note**  
-The update is publically available. However, you might be prompted to accept an agreement for Microsoft Services. Follow the prompts on the successive webpages to retrieve this hotfix.
+The update is publicly available. However, you might be prompted to accept an agreement for Microsoft Services. Follow the prompts on the successive webpages to retrieve this hotfix.
 
  
 

From aa97638ed80682353628e9d0c1b7e2a7ebdec0ff Mon Sep 17 00:00:00 2001
From: Lucas Gabriel Schneider <casdpa@gmail.com>
Date: Thu, 23 Jan 2020 18:12:19 +0000
Subject: [PATCH 27/51] Update
 how-to-deploy-a-med-v-workspace-through-an-electronic-software-distribution-system.md

---
 ...kspace-through-an-electronic-software-distribution-system.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mdop/medv-v2/how-to-deploy-a-med-v-workspace-through-an-electronic-software-distribution-system.md b/mdop/medv-v2/how-to-deploy-a-med-v-workspace-through-an-electronic-software-distribution-system.md
index 06b7cfbe45..e2ebe0a01f 100644
--- a/mdop/medv-v2/how-to-deploy-a-med-v-workspace-through-an-electronic-software-distribution-system.md
+++ b/mdop/medv-v2/how-to-deploy-a-med-v-workspace-through-an-electronic-software-distribution-system.md
@@ -29,7 +29,7 @@ If you are using System Center Configuration Manager 2007 SP2 and your MED-V wor
 
 The [hotfix to improve the functionality for VMs that are managed by MED-V](https://go.microsoft.com/fwlink/?LinkId=201088) (https://go.microsoft.com/fwlink/?LinkId=201088) adds new functionality to virtual machines that are managed by MED-V and that are configured to operate in **NAT** mode. The new functionality lets virtual machines access the closest distribution points. Therefore, the administrator can manage the virtual machine and the host computer in the same manner. This hotfix must be installed first on the site server and then on the client.
 
-The update is publically available. However, you might be prompted to accept an agreement for Microsoft Services. Follow the prompts on the successive webpages to retrieve this hotfix.
+The update is publicly available. However, you might be prompted to accept an agreement for Microsoft Services. Follow the prompts on the successive webpages to retrieve this hotfix.
 
 
 

From fbce8b8f6865b6180592a497d4959d50a1040154 Mon Sep 17 00:00:00 2001
From: Lucas Gabriel Schneider <casdpa@gmail.com>
Date: Thu, 23 Jan 2020 18:14:13 +0000
Subject: [PATCH 28/51] Update
 how-to-deploy-the-med-v-components-through-an-electronic-software-distribution-system.md

---
 ...onents-through-an-electronic-software-distribution-system.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mdop/medv-v2/how-to-deploy-the-med-v-components-through-an-electronic-software-distribution-system.md b/mdop/medv-v2/how-to-deploy-the-med-v-components-through-an-electronic-software-distribution-system.md
index 0ec14a0a96..5dfe7451d7 100644
--- a/mdop/medv-v2/how-to-deploy-the-med-v-components-through-an-electronic-software-distribution-system.md
+++ b/mdop/medv-v2/how-to-deploy-the-med-v-components-through-an-electronic-software-distribution-system.md
@@ -29,7 +29,7 @@ If you are using System Center Configuration Manager 2007 SP2 and your MED-V wor
 
 The [hotfix to improve the functionality for VMs that are managed by MED-V](https://go.microsoft.com/fwlink/?LinkId=201088) (https://go.microsoft.com/fwlink/?LinkId=201088) adds new functionality to virtual machines that are managed by MED-V and that are configured to operate in **NAT** mode. The new functionality lets virtual machines access the closest distribution points. Therefore, the administrator can manage the virtual machine and the host computer in the same manner. This hotfix must be installed first on the site server and then on the client.
 
-The update is publically available. However, you might be prompted to accept an agreement for Microsoft Services. Follow the prompts on the successive webpages to retrieve this hotfix.
+The update is publicly available. However, you might be prompted to accept an agreement for Microsoft Services. Follow the prompts on the successive webpages to retrieve this hotfix.
 
 
 

From 4a5cea61dcd75cbf1c209167de0cbf3738161420 Mon Sep 17 00:00:00 2001
From: Lucas Gabriel Schneider <casdpa@gmail.com>
Date: Thu, 23 Jan 2020 18:15:08 +0000
Subject: [PATCH 29/51] Update diagnosticlog-ddf.md

---
 windows/client-management/mdm/diagnosticlog-ddf.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/client-management/mdm/diagnosticlog-ddf.md b/windows/client-management/mdm/diagnosticlog-ddf.md
index c4591652a5..8bedac1205 100644
--- a/windows/client-management/mdm/diagnosticlog-ddf.md
+++ b/windows/client-management/mdm/diagnosticlog-ddf.md
@@ -1806,7 +1806,7 @@ The content below are the latest versions of the DDF files:
                     <Replace />
                   </AccessType>
                   <DefaultValue>4</DefaultValue>
-                  <Description>This node is used for setting or getting the block size (in Kilobytes) for the download of assoicated log file. The value range is 1~16. Default value is 4.</Description>
+                  <Description>This node is used for setting or getting the block size (in Kilobytes) for the download of associated log file. The value range is 1~16. Default value is 4.</Description>
                   <DFFormat>
                     <int />
                   </DFFormat>

From efa355c521c09e59fbbfd12ec1e96ac7a4924f9d Mon Sep 17 00:00:00 2001
From: Lucas Gabriel Schneider <casdpa@gmail.com>
Date: Thu, 23 Jan 2020 18:16:17 +0000
Subject: [PATCH 30/51] Update dmclient-ddf-file.md

---
 windows/client-management/mdm/dmclient-ddf-file.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/client-management/mdm/dmclient-ddf-file.md b/windows/client-management/mdm/dmclient-ddf-file.md
index c93fe4da96..15b21d0197 100644
--- a/windows/client-management/mdm/dmclient-ddf-file.md
+++ b/windows/client-management/mdm/dmclient-ddf-file.md
@@ -957,7 +957,7 @@ The XML below is for Windows 10, version 1803.
                   <Get />
                   <Replace />
                 </AccessType>
-                <Description>Number of days after last sucessful sync to unenroll</Description>
+                <Description>Number of days after last successful sync to unenroll</Description>
                 <DFFormat>
                   <int />
                 </DFFormat>

From 2f1a4c16d4ab418d00c75eeca0706b0cedd84111 Mon Sep 17 00:00:00 2001
From: Lucas Gabriel Schneider <casdpa@gmail.com>
Date: Thu, 23 Jan 2020 18:17:24 +0000
Subject: [PATCH 31/51] Update enterpriseappvmanagement-csp.md

---
 windows/client-management/mdm/enterpriseappvmanagement-csp.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/client-management/mdm/enterpriseappvmanagement-csp.md b/windows/client-management/mdm/enterpriseappvmanagement-csp.md
index 1fe417dd0f..ab13935f66 100644
--- a/windows/client-management/mdm/enterpriseappvmanagement-csp.md
+++ b/windows/client-management/mdm/enterpriseappvmanagement-csp.md
@@ -89,7 +89,7 @@ The following diagram shows the EnterpriseAppVManagement configuration service p
 - SYNC\_ERR\_PUBLISH\_GROUP_PACKAGES (3) - Publish group packages failed during publish.
 - SYNC\_ERR\_UNPUBLISH_PACKAGES (4) - Unpublish packages failed during publish.
 - SYNC\_ERR\_NEW_POLICY_WRITE (5) - New policy write failed during publish.
-- SYNC\_ERR\_MULTIPLE\_DURING_PUBLISH (6) - Multiple non-fatal errors occured during publish.
+- SYNC\_ERR\_MULTIPLE\_DURING_PUBLISH (6) - Multiple non-fatal errors occurred during publish.
 
 <p style="margin-left: 20px">Value type is string. Supported operation is Get.</p>
 

From 58186fc354d35c7a308d9b5d8362203bbc8cadb9 Mon Sep 17 00:00:00 2001
From: Lucas Gabriel Schneider <casdpa@gmail.com>
Date: Thu, 23 Jan 2020 18:19:12 +0000
Subject: [PATCH 32/51] Update wcd-calling.md

---
 windows/configuration/wcd/wcd-calling.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/windows/configuration/wcd/wcd-calling.md b/windows/configuration/wcd/wcd-calling.md
index 186d34e8ec..ea77470ed5 100644
--- a/windows/configuration/wcd/wcd-calling.md
+++ b/windows/configuration/wcd/wcd-calling.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: dansimp
-ms.localizationpriority: medium
+ms.localizationpriority: medium 
 ms.author: dansimp
 ms.topic: article
 ms.date: 04/30/2018
@@ -57,7 +57,7 @@ See [Dialer codes to launch diagnostic applications](https://docs.microsoft.com/
 
 ## PerSimSettings
 
-Use to configure settings for each subscriber identification module (SIM) card. Enter the Integrated Circuit Card Identifier (ICCID) for the SIM card, select **Add**, and then configure the folowing settings. 
+Use to configure settings for each subscriber identification module (SIM) card. Enter the Integrated Circuit Card Identifier (ICCID) for the SIM card, select **Add**, and then configure the following settings. 
 
 ### Critical
 

From afb846aa4aa5c438e99d0260a4abb4f4a87f7b47 Mon Sep 17 00:00:00 2001
From: Lucas Gabriel Schneider <casdpa@gmail.com>
Date: Thu, 23 Jan 2020 20:46:10 +0000
Subject: [PATCH 33/51] Update wcd-messaging.md

---
 windows/configuration/wcd/wcd-messaging.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/configuration/wcd/wcd-messaging.md b/windows/configuration/wcd/wcd-messaging.md
index 67158a5f0c..f556155dc7 100644
--- a/windows/configuration/wcd/wcd-messaging.md
+++ b/windows/configuration/wcd/wcd-messaging.md
@@ -81,7 +81,7 @@ SyncSender | Specify a value for SyncSender that is greater than 3 characters bu
 
 ## PerSimSettings 
 
-Use to configure settings for each subscriber identification module (SIM) card. Enter the Integrated Circuit Card Identifier (ICCID) for the SIM card, click **Add**, and then configure the folowing settings.
+Use to configure settings for each subscriber identification module (SIM) card. Enter the Integrated Circuit Card Identifier (ICCID) for the SIM card, click **Add**, and then configure the following settings.
 
 ### AllowMmsIfDataIsOff
 

From 6c987c8179e5ec9bee1c1130695180b0fc99ff84 Mon Sep 17 00:00:00 2001
From: Lucas Gabriel Schneider <casdpa@gmail.com>
Date: Thu, 23 Jan 2020 20:47:45 +0000
Subject: [PATCH 34/51] Update waas-manage-updates-wsus.md

---
 windows/deployment/update/waas-manage-updates-wsus.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md
index e24cc6ff0b..08c96719aa 100644
--- a/windows/deployment/update/waas-manage-updates-wsus.md
+++ b/windows/deployment/update/waas-manage-updates-wsus.md
@@ -272,7 +272,7 @@ For clients that should have their feature updates approved as soon as they’re
 Now, whenever Windows 10 feature updates are published to WSUS, they will automatically be approved for the **Ring 3 Broad IT** deployment ring with an installation deadline of 1 week.
 
 > [!WARNING]
-> The auto approval rule runs after synchronization occurs. This means that the *next* upgrade for each Windows 10 version will be approved. If you select **Run Rule**, all possible updates that meet the criteria will be approved, potentially including older updates that you don't actualy want--which can be a problem when the download sizes are very large.
+> The auto approval rule runs after synchronization occurs. This means that the *next* upgrade for each Windows 10 version will be approved. If you select **Run Rule**, all possible updates that meet the criteria will be approved, potentially including older updates that you don't actually want--which can be a problem when the download sizes are very large.
 
 ## Manually approve and deploy feature updates
 

From 12e224150dd13b0885b1305ff9461dece4c37b60 Mon Sep 17 00:00:00 2001
From: Lucas Gabriel Schneider <casdpa@gmail.com>
Date: Thu, 23 Jan 2020 20:51:38 +0000
Subject: [PATCH 35/51] Update live-response.md

---
 .../threat-protection/microsoft-defender-atp/live-response.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/windows/security/threat-protection/microsoft-defender-atp/live-response.md b/windows/security/threat-protection/microsoft-defender-atp/live-response.md
index 3003c707b4..ddd34985a3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/live-response.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/live-response.md
@@ -119,11 +119,11 @@ The following commands are available for user roles that's been granted the abil
 Command | Description 
 :---|:---
 analyze | Analyses the entity with various incrimination engines to reach a verdict.
-getfile | Gets a file from the machine. <br> NOTE: This command has a prerequisite command. You can use the `-auto` command in conjuction with `getfile` to automatically run the prerequisite command. 
+getfile | Gets a file from the machine. <br> NOTE: This command has a prerequisite command. You can use the `-auto` command in conjunction with `getfile` to automatically run the prerequisite command. 
 run | Runs a PowerShell script from the library on the machine.
 library | Lists files that were uploaded to the live response library.
 putfile | Puts a file from the library to the machine. Files are saved in a working folder and are deleted when the machine restarts by default.
-remediate | Remediates an entity on the machine. The remediation action will vary depending on the entity type:<br>- File: delete<br>- Process: stop, delete image file<br>- Service: stop, delete image file<br>- Registry entry: delete<br>- Scheduled task: remove<br>- Startup folder item: delete file <br> NOTE: This command has a prerequisite command. You can use the `-auto` command in conjuction with `remediate` to automatically run the prerequisite command. 
+remediate | Remediates an entity on the machine. The remediation action will vary depending on the entity type:<br>- File: delete<br>- Process: stop, delete image file<br>- Service: stop, delete image file<br>- Registry entry: delete<br>- Scheduled task: remove<br>- Startup folder item: delete file <br> NOTE: This command has a prerequisite command. You can use the `-auto` command in conjunction with `remediate` to automatically run the prerequisite command. 
 undo | Restores an entity that was remediated. 
 
 

From 45b93f0dcaaecdf19e0bfae7ceef83e16a44b124 Mon Sep 17 00:00:00 2001
From: Michael Niehaus <niehaus@live.com>
Date: Fri, 24 Jan 2020 10:50:06 +0000
Subject: [PATCH 36/51] Update existing-devices.md

Edited the note about USMT to indicate that there isn't a good way to do state migration, while maintaining the comment about USMT not supporting AAD Join.
---
 windows/deployment/windows-autopilot/existing-devices.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/deployment/windows-autopilot/existing-devices.md b/windows/deployment/windows-autopilot/existing-devices.md
index a5c02be0ef..60c7ebc084 100644
--- a/windows/deployment/windows-autopilot/existing-devices.md
+++ b/windows/deployment/windows-autopilot/existing-devices.md
@@ -215,7 +215,7 @@ See the following examples.
    - Click **Next**.
 
      >[!NOTE]
-     >The Autopilot for existing devices task sequence will result in an Azure Active Directory Domain (AAD) joined device. The User State Migration Toolkit (USMT) does not support AAD joined or hybrid AAD joined devices.
+     >Because the Autopilot for existing devices task sequence completes while in Windows PE, User State Migration Toolkit (USMT) data migration is not supported as there is no way to restore the user state into the new OS.  Also, the User State Migration Toolkit (USMT) does not support Azure AD-joined devices.
 
 7. On the Include Updates page, choose one of the three available options. This selection is optional.
 8. On the Install applications page, add applications if desired. This is optional.

From 97411f280dcebd685f58ab900f79b27ca03494f7 Mon Sep 17 00:00:00 2001
From: Evan Miller <v-evmill@microsoft.com>
Date: Fri, 24 Jan 2020 13:00:26 -0800
Subject: [PATCH 37/51] Updating Bloom to Start Gesture on Kiosk page

@scooley @yannisle
Updated the terms at top of doc to include new terms for HL2.
Doc also seems suspect of need of overhaul of instruction on need for XML files with Intune but I want to confirm before making those edits.
---
 devices/hololens/hololens-kiosk.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/devices/hololens/hololens-kiosk.md b/devices/hololens/hololens-kiosk.md
index 1ca366ecf5..d0dbb126b7 100644
--- a/devices/hololens/hololens-kiosk.md
+++ b/devices/hololens/hololens-kiosk.md
@@ -20,7 +20,7 @@ In Windows 10, version 1803, you can configure your HoloLens devices to run as m
 
 When HoloLens is configured as a multi-app kiosk, only the allowed apps are available to the user. The benefit of a multi-app kiosk, or fixed-purpose device, is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don’t need to access. 
 
-Single-app kiosk mode starts the specified app when the user signs in, and restricts the user's ability to launch new apps or change the running app. When single-app kiosk mode is enabled for HoloLens, the bloom gesture and Cortana are disabled, and placed apps aren't shown in the user's surroundings. 
+Single-app kiosk mode starts the specified app when the user signs in, and restricts the user's ability to launch new apps or change the running app. When single-app kiosk mode is enabled for HoloLens, the [start gestures](https://docs.microsoft.com/hololens/hololens2-basic-usage#start-gesture) (including [Bloom](https://docs.microsoft.com/hololens/hololens1-basic-usage) on HoloLens (1st Gen)) and Cortana are disabled, and placed apps aren't shown in the user's surroundings. 
 
 The following table lists the device capabilities in the different kiosk modes.
 

From ba45d82ba8f7bdd7c55edb0927a202a10956b19b Mon Sep 17 00:00:00 2001
From: Yannis Lempidakis <51840946+yannisle@users.noreply.github.com>
Date: Fri, 24 Jan 2020 15:46:46 -0800
Subject: [PATCH 38/51] Changes for proxy URLs

---
 devices/hololens/hololens-offline.md | 129 +++++++++++++++++++++++++--
 1 file changed, 122 insertions(+), 7 deletions(-)

diff --git a/devices/hololens/hololens-offline.md b/devices/hololens/hololens-offline.md
index 6ee4fb35c1..d14743559b 100644
--- a/devices/hololens/hololens-offline.md
+++ b/devices/hololens/hololens-offline.md
@@ -17,13 +17,11 @@ appliesto:
 - HoloLens 2
 ---
 
-# Use HoloLens offline
+Some HoloLens components, apps, and related services transfer data to Microsoft network endpoints. This article lists different endpoints and URLs that need to be whitelisted in your network configuratiion (e.g. proxy or firewall) for those components to be functional.    
 
-HoloLens support a limited set of offline experiences for connectivity conscious customers and for customers who have environmental limits on connectivity.
+# Near-offline setup
 
-## Near-offline setup
-
-HoloLens need a network connection to go through initial device set up.  If your corporate network has network restrictions, the following URLs will need to be available:
+HoloLens supports a limited set of offline experiences for customers who have network environment restrictions. However, HoloLens needs network connection to go through initial device set up and the following URLs have to be enabled:
 
 | Purpose | URL |
 |------|------|
@@ -35,9 +33,126 @@ HoloLens need a network connection to go through initial device set up.  If your
 | MSA | https://login.live.com/ppsecure/inlineconnect.srf?id=80600 |
 | MSA Pin | https://account.live.com/msangc?fl=enroll |
 
-Additional references:
+# Use HoloLens online 
+
+To take full advantage of HoloLens functionality, the following endpoints need to be enabled in your network configuration.
+
+
+| Purpose | URL |
+|------|------|
+| Azure                                               | wd-prod-fe.cloudapp.azure.com                                       |   |   |   
+|                                                     | ris-prod-atm.trafficmanager.net                                     |   |   |   |
+|                                                     | validation-v2.sls.trafficmanager.net                                |   |   |   |
+| Azure AD Multi-Factor Authentication                | https://secure.aadcdn.microsoftonline-p.com                         |   |   |   |
+| Intune and MDM Configurations                       | activation-v2.sls.microsoft.com/*                                   |   |   |   |
+|                                                     | cdn.onenote.net                                                     |   |   |   |
+|                                                     | client.wns.windows.com                                              |   |   |   |
+|                                                     | crl.microsoft.com/pki/crl/*                                         |   |   |   |
+|                                                     | ctldl.windowsupdate.com                                             |   |   |   |
+|                                                     | *displaycatalog.mp.microsoft.com                                    |   |   |   |
+|                                                     | dm3p.wns.windows.com                                                |   |   |   |
+|                                                     | *microsoft.com/pkiops/*                                             |   |   |   |
+|                                                     | ocsp.digicert.com/*                                                 |   |   |   |
+|                                                     | r.manage.microsoft.com                                              |   |   |   |
+|                                                     | tile-service.weather.microsoft.com                                  |   |   |   |
+|                                                     | settings-win.data.microsoft.com                                     |   |   |   |
+| Certificates                                        | activation-v2.sls.microsoft.com/*                                   |   |   |   |
+|                                                     | crl.microsoft.com/pki/crl/*                                         |   |   |   |
+|                                                     | ocsp.digicert.com/*                                                 |   |   |   |
+|                                                     | www.microsoft.com/pkiops/*                                          |   |   |   |
+| Cortana and Search                                  | store-images.*microsoft.com                                         |   |   |   |
+|                                                     | www.bing.com/client                                                 |   |   |   |
+|                                                     | www.bing.com                                                        |   |   |   |
+|                                                     | www.bing.com/proactive                                              |   |   |   |
+|                                                     | www.bing.com/threshold/xls.aspx                                     |   |   |   |
+|                                                     | exo-ring.msedge.net                                                 |   |   |   |
+|                                                     | fp.msedge.net                                                       |   |   |   |
+|                                                     | fp-vp.azureedge.net                                                 |   |   |   |
+|                                                     | odinvzc.azureedge.net                                               |   |   |   |
+|                                                     | spo-ring.msedge.net                                                 |   |   |   |
+| Device Authentication                               | login.live.com*                                                     |   |   |   |
+| Device metadata                                     | dmd.metaservices.microsoft.com                                      |   |   |   |
+| Location                                            | inference.location.live.net                                         |   |   |   |
+|                                                     | location-inference-westus.cloudapp.net                              |   |   |   |
+| Diagnostic Data                                     | v10.events.data.microsoft.com                                       |   |   |   |
+|                                                     | v10.vortex-win.data.microsoft.com/collect/v1                        |   |   |   |
+|                                                     | www.microsoft.com                                                   |   |   |   |
+|                                                     | co4.telecommand.telemetry.microsoft.com                             |   |   |   |
+|                                                     | cs11.wpc.v0cdn.net                                                  |   |   |   |
+|                                                     | cs1137.wpc.gammacdn.net                                             |   |   |   |
+|                                                     | modern.watson.data.microsoft.com*                                   |   |   |   |
+|                                                     | watson.telemetry.microsoft.com                                      |   |   |   |
+| Licensing                                           | licensing.mp.microsoft.com                                          |   |   |   |
+| Microsoft Account                                   | login.msa.akadns6.net                                               |   |   |   |
+|                                                     | us.configsvc1.live.com.akadns.net                                   |   |   |   |
+| Microsoft Edge                                      | iecvlist.microsoft.com                                              |   |   |   |
+| Microsoft forward link redirection service (FWLink) | go.microsoft.com                                                    |   |   |   |
+| Microsoft Store                                     | *.wns.windows.com                                                   |   |   |   |
+|                                                     | storecatalogrevocation.storequality.microsoft.com                   |   |   |   |
+|                                                     | img-prod-cms-rt-microsoft-com*                                      |   |   |   |
+|                                                     | store-images.microsoft.com                                          |   |   |   |
+|                                                     | .md.mp.microsoft.com -- @Ezeugo Anukem this is TLS v1.2 not HTTP(S) |   |   |   |
+|                                                     | *displaycatalog.mp.microsoft.com                                    |   |   |   |
+|                                                     | pti.store.microsoft.com                                             |   |   |   |
+|                                                     | storeedgefd.dsx.mp.microsoft.com                                    |   |   |   |
+|                                                     | markets.books.microsoft.com                                         |   |   |   |
+|                                                     | share.microsoft.com                                                 |   |   |   |
+| Network Connection Status Indicator (NCSI)          | www.msftconnecttest.com*                                            |   |   |   |
+| Office                                              | *.c-msedge.net                                                      |   |   |   |
+|                                                     | *.e-msedge.net                                                      |   |   |   |
+|                                                     | *.s-msedge.net                                                      |   |   |   |
+|                                                     | nexusrules.officeapps.live.com                                      |   |   |   |
+|                                                     | ocos-office365-s2s.msedge.net                                       |   |   |   |
+|                                                     | officeclient.microsoft.com                                          |   |   |   |
+|                                                     | outlook.office365.com                                               |   |   |   |
+|                                                     | client-office365-tas.msedge.net                                     |   |   |   |
+|                                                     | www.office.com                                                      |   |   |   |
+|                                                     | onecollector.cloudapp.aria                                          |   |   |   |
+|                                                     | v10.events.data.microsoft.com/onecollector/1.0/                     |   |   |   |
+|                                                     | self.events.data.microsoft.com                                      |   |   |   |
+|                                                     | to-do.microsoft.com                                                 |   |   |   |
+| OneDrive                                            | g.live.com/1rewlive5skydrive/*                                      |   |   |   |
+|                                                     | msagfx.live.com                                                     |   |   |   |
+|                                                     | oneclient.sfx.ms                                                    |   |   |   |
+| Photos App                                          | evoke-windowsservices-tas.msedge.net                                |   |   |   |
+| Settings                                            | cy2.settings.data.microsoft.com.akadns.net                          |   |   |   |
+|                                                     | settings.data.microsoft.com                                         |   |   |   |
+|                                                     | settings-win.data.microsoft.com                                     |   |   |   |
+| Windows Defender                                    | wdcp.microsoft.com                                                  |   |   |   |
+|                                                     | definitionupdates.microsoft.com                                     |   |   |   |
+|                                                     | go.microsoft.com                                                    |   |   |   |
+|                                                     | *smartscreen.microsoft.com                                          |   |   |   |
+|                                                     | smartscreen-sn3p.smartscreen.microsoft.com                          |   |   |   |
+|                                                     | unitedstates.smartscreen-prod.microsoft.com                         |   |   |   |
+| Windows Spotlight                                   | *.search.msn.com                                                    |   |   |   |
+|                                                     | arc.msn.com                                                         |   |   |   |
+|                                                     | g.msn.com*                                                          |   |   |   |
+|                                                     | query.prod.cms.rt.microsoft.com                                     |   |   |   |
+|                                                     | ris.api.iris.microsoft.com                                          |   |   |   |
+| Windows Update                                      | *.prod.do.dsp.mp.microsoft.com                                      |   |   |   |
+|                                                     | cs9.wac.phicdn.net                                                  |   |   |   |
+|                                                     | emdl.ws.microsoft.com                                               |   |   |   |
+|                                                     | *.dl.delivery.mp.microsoft.com                                      |   |   |   |
+|                                                     | *.windowsupdate.com                                                 |   |   |   |
+|                                                     | *.delivery.mp.microsoft.com                                         |   |   |   |
+|                                                     | *.update.microsoft.com                                              |   |   |   |
+
+
+
+## References
+
+>[!NOTE]
+> If you are deploying D365 Remote Assist, you will have to enable the endpoints on this [list] (https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges#skype-for-business-online-and-microsoft-teams) 
+
+- [Configure Windows diagnostic data in your organization] (https://docs.microsoft.com/en-us/windows/privacy/configure-windows-diagnostic-data-in-your-organization)
+- [Manage connection endpoints for Windows 10 Enterprise, version 1903] (https://docs.microsoft.com/en-us/windows/privacy/manage-windows-1903-endpoints)
+- [Manage connections from Windows 10 operating system components to Microsoft services] (https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services)
+- [Manage connections from Windows 10 operating system components to Microsoft services using Microsoft Intune MDM Server] (https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm)
+- [Intune network configuration requirements and bandwidth] (https://docs.microsoft.com/en-us/intune/fundamentals/network-bandwidth-use#network-communication-requirements)
+- [Network endpoints for Microsoft Intune] (https://docs.microsoft.com/en-us/intune/fundamentals/intune-endpoints)
+- [Office 365 URLs and IP address ranges] (https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges)
+- [Prerequisites for Azure AD Connect] (https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-prerequisites)
 
-- [Technical reference for AAD related IP ranges and URLs](https://docs.microsoft.com/office365/enterprise/urls-and-ip-address-ranges)
 
 ## HoloLens limitations
 

From 1863700420456cae08eb6807125901b29225a795 Mon Sep 17 00:00:00 2001
From: Yannis Lempidakis <51840946+yannisle@users.noreply.github.com>
Date: Fri, 24 Jan 2020 15:52:57 -0800
Subject: [PATCH 39/51] Update devices/hololens/hololens-offline.md

Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com>
---
 devices/hololens/hololens-offline.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/devices/hololens/hololens-offline.md b/devices/hololens/hololens-offline.md
index d14743559b..de65b98837 100644
--- a/devices/hololens/hololens-offline.md
+++ b/devices/hololens/hololens-offline.md
@@ -141,7 +141,7 @@ To take full advantage of HoloLens functionality, the following endpoints need t
 
 ## References
 
->[!NOTE]
+> [!NOTE]
 > If you are deploying D365 Remote Assist, you will have to enable the endpoints on this [list] (https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges#skype-for-business-online-and-microsoft-teams) 
 
 - [Configure Windows diagnostic data in your organization] (https://docs.microsoft.com/en-us/windows/privacy/configure-windows-diagnostic-data-in-your-organization)

From 6db34b9d0ee4f57cb73709a001bb666a9043b373 Mon Sep 17 00:00:00 2001
From: ImranHabib <47118050+joinimran@users.noreply.github.com>
Date: Mon, 27 Jan 2020 12:30:13 +0500
Subject: [PATCH 40/51] Details updation

Updated the note and details to reflect the correct information

Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/5867
---
 .../microsoft-defender-atp/enable-controlled-folders.md       | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md
index 40cbdce038..1d64f68ed0 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md
@@ -101,11 +101,13 @@ Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](htt
     * **Enable** - Malicious and suspicious apps will not be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log
     * **Disable (Default)** - The Controlled folder access feature will not work. All apps can make changes to files in protected folders.
     * **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization.
+    * **Block disk modification only** - Attempts by untrusted apps to write to disk sectors. The Windows event log will record these attempts under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1123.
+    * **Audit disk modification only** - Only attempts to write to protected disk sectors will be recorded in the Windows event log (under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1124). Attempts to modify or delete files in protected folders will not be recorded.
 
       ![Screenshot of group policy option with Enabled and then Enable selected in the drop-down](../images/cfa-gp-enable.png)
 
 > [!IMPORTANT]
-> To fully enable controlled folder access, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu.
+> To fully enable controlled folder access, you must set the Group Policy option to **Enabled** and select **Block** in the options drop-down menu.
 
 ## PowerShell
 

From b72de47773f741fafe41df5852e239115c65ded3 Mon Sep 17 00:00:00 2001
From: VLG17 <41186174+VLG17@users.noreply.github.com>
Date: Mon, 27 Jan 2020 12:00:04 +0200
Subject: [PATCH 41/51] Add note about firewall and RDP (exclude note about
 Office on VMs)

https://github.com/MicrosoftDocs/windows-itpro-docs/issues/5632
---
 .../threat-protection/microsoft-defender-atp/evaluation-lab.md | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
index 925e7e0ce3..8db207b179 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
@@ -130,9 +130,6 @@ You can also use [Advanced hunting](advanced-hunting-query-language.md) to query
 > [!NOTE]
 > The connection to the test machines is done using RDP. Make sure that your firewall settings allow RDP connections.
 
-> [!NOTE]
-> Microsoft Office needs to be installed on the test machines for all the simulations to work.
-
 1. Connect to your machine and run an attack simulation by selecting **Connect**. 
 
     ![Image of the connect button for test machines](images/test-machine-table.png)

From c15ddfcac2e27a4f9367aff01357646de01faae4 Mon Sep 17 00:00:00 2001
From: ImranHabib <47118050+joinimran@users.noreply.github.com>
Date: Mon, 27 Jan 2020 16:46:08 +0500
Subject: [PATCH 42/51] Update
 windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md

Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com>
---
 .../microsoft-defender-atp/enable-controlled-folders.md         | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md
index 1d64f68ed0..5874f3b38e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md
@@ -104,7 +104,7 @@ Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](htt
     * **Block disk modification only** - Attempts by untrusted apps to write to disk sectors. The Windows event log will record these attempts under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1123.
     * **Audit disk modification only** - Only attempts to write to protected disk sectors will be recorded in the Windows event log (under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1124). Attempts to modify or delete files in protected folders will not be recorded.
 
-      ![Screenshot of group policy option with Enabled and then Enable selected in the drop-down](../images/cfa-gp-enable.png)
+      ![Screenshot of the group policy option Enabled and Audit Mode selected in the drop-down](../images/cfa-gp-enable.png)
 
 > [!IMPORTANT]
 > To fully enable controlled folder access, you must set the Group Policy option to **Enabled** and select **Block** in the options drop-down menu.

From ecf43e471fcdb4f2bbf8cb71ca5ae1598f50ad3e Mon Sep 17 00:00:00 2001
From: Yannis Lempidakis <51840946+yannisle@users.noreply.github.com>
Date: Mon, 27 Jan 2020 15:57:38 -0800
Subject: [PATCH 43/51] Update hololens-offline.md

---
 devices/hololens/hololens-offline.md | 27 +++++++++++++--------------
 1 file changed, 13 insertions(+), 14 deletions(-)

diff --git a/devices/hololens/hololens-offline.md b/devices/hololens/hololens-offline.md
index de65b98837..aecf36fd16 100644
--- a/devices/hololens/hololens-offline.md
+++ b/devices/hololens/hololens-offline.md
@@ -1,5 +1,5 @@
 ---
-title: Use HoloLens offline
+title: Manage connection endpoints for HoloLens 
 description: To set up HoloLens, you'll need to connect to a Wi-Fi network
 keywords: hololens, offline, OOBE
 audience: ITPro
@@ -19,7 +19,7 @@ appliesto:
 
 Some HoloLens components, apps, and related services transfer data to Microsoft network endpoints. This article lists different endpoints and URLs that need to be whitelisted in your network configuratiion (e.g. proxy or firewall) for those components to be functional.    
 
-# Near-offline setup
+## Near-offline setup
 
 HoloLens supports a limited set of offline experiences for customers who have network environment restrictions. However, HoloLens needs network connection to go through initial device set up and the following URLs have to be enabled:
 
@@ -33,7 +33,7 @@ HoloLens supports a limited set of offline experiences for customers who have ne
 | MSA | https://login.live.com/ppsecure/inlineconnect.srf?id=80600 |
 | MSA Pin | https://account.live.com/msangc?fl=enroll |
 
-# Use HoloLens online 
+## Use HoloLens online 
 
 To take full advantage of HoloLens functionality, the following endpoints need to be enabled in your network configuration.
 
@@ -91,7 +91,7 @@ To take full advantage of HoloLens functionality, the following endpoints need t
 |                                                     | storecatalogrevocation.storequality.microsoft.com                   |   |   |   |
 |                                                     | img-prod-cms-rt-microsoft-com*                                      |   |   |   |
 |                                                     | store-images.microsoft.com                                          |   |   |   |
-|                                                     | .md.mp.microsoft.com -- @Ezeugo Anukem this is TLS v1.2 not HTTP(S) |   |   |   |
+|                                                     | .md.mp.microsoft.com                                                |   |   |
 |                                                     | *displaycatalog.mp.microsoft.com                                    |   |   |   |
 |                                                     | pti.store.microsoft.com                                             |   |   |   |
 |                                                     | storeedgefd.dsx.mp.microsoft.com                                    |   |   |   |
@@ -142,16 +142,15 @@ To take full advantage of HoloLens functionality, the following endpoints need t
 ## References
 
 > [!NOTE]
-> If you are deploying D365 Remote Assist, you will have to enable the endpoints on this [list] (https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges#skype-for-business-online-and-microsoft-teams) 
-
-- [Configure Windows diagnostic data in your organization] (https://docs.microsoft.com/en-us/windows/privacy/configure-windows-diagnostic-data-in-your-organization)
-- [Manage connection endpoints for Windows 10 Enterprise, version 1903] (https://docs.microsoft.com/en-us/windows/privacy/manage-windows-1903-endpoints)
-- [Manage connections from Windows 10 operating system components to Microsoft services] (https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services)
-- [Manage connections from Windows 10 operating system components to Microsoft services using Microsoft Intune MDM Server] (https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm)
-- [Intune network configuration requirements and bandwidth] (https://docs.microsoft.com/en-us/intune/fundamentals/network-bandwidth-use#network-communication-requirements)
-- [Network endpoints for Microsoft Intune] (https://docs.microsoft.com/en-us/intune/fundamentals/intune-endpoints)
-- [Office 365 URLs and IP address ranges] (https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges)
-- [Prerequisites for Azure AD Connect] (https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-prerequisites)
+> If you are deploying D365 Remote Assist, you will have to enable the endpoints on this [list](https://docs.microsoft.com/office365/enterprise/urls-and-ip-address-ranges#skype-for-business-online-and-microsoft-teams) 
+- [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/privacy/configure-windows-diagnostic-data-in-your-organization)
+- [Manage connection endpoints for Windows 10 Enterprise, version 1903](https://docs.microsoft.com/windows/privacy/manage-windows-1903-endpoints)
+- [Manage connections from Windows 10 operating system components to Microsoft services](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services)
+- [Manage connections from Windows 10 operating system components to Microsoft services using Microsoft Intune MDM Server](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm)
+- [Intune network configuration requirements and bandwidth](https://docs.microsoft.com/intune/fundamentals/network-bandwidth-use#network-communication-requirements)
+- [Network endpoints for Microsoft Intune](https://docs.microsoft.com/intune/fundamentals/intune-endpoints)
+- [Office 365 URLs and IP address ranges](https://docs.microsoft.com/office365/enterprise/urls-and-ip-address-ranges)
+- [Prerequisites for Azure AD Connect](https://docs.microsoft.com/azure/active-directory/hybrid/how-to-connect-install-prerequisites)
 
 
 ## HoloLens limitations

From 76d875391e2e243a0e9071897fa2586b3cc4a371 Mon Sep 17 00:00:00 2001
From: ImranHabib <47118050+joinimran@users.noreply.github.com>
Date: Tue, 28 Jan 2020 05:45:34 +0500
Subject: [PATCH 44/51] Update
 windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md

Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com>
---
 .../microsoft-defender-atp/enable-controlled-folders.md         | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md
index 5874f3b38e..b112db0822 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md
@@ -101,7 +101,7 @@ Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](htt
     * **Enable** - Malicious and suspicious apps will not be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log
     * **Disable (Default)** - The Controlled folder access feature will not work. All apps can make changes to files in protected folders.
     * **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization.
-    * **Block disk modification only** - Attempts by untrusted apps to write to disk sectors. The Windows event log will record these attempts under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1123.
+    * **Block disk modification only** - Attempts by untrusted apps to write to disk sectors will be logged in Windows Event log. These logs can be found in **Applications and Services Logs** > Microsoft > Windows > Windows Defender > Operational > ID 1123.
     * **Audit disk modification only** - Only attempts to write to protected disk sectors will be recorded in the Windows event log (under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1124). Attempts to modify or delete files in protected folders will not be recorded.
 
       ![Screenshot of the group policy option Enabled and Audit Mode selected in the drop-down](../images/cfa-gp-enable.png)

From a30b298dc381238f74efbf932975bf183aef240d Mon Sep 17 00:00:00 2001
From: ImranHabib <47118050+joinimran@users.noreply.github.com>
Date: Tue, 28 Jan 2020 05:45:56 +0500
Subject: [PATCH 45/51] Update
 windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md

Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
 .../microsoft-defender-atp/enable-controlled-folders.md         | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md
index b112db0822..b4ab6ff563 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md
@@ -102,7 +102,7 @@ Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](htt
     * **Disable (Default)** - The Controlled folder access feature will not work. All apps can make changes to files in protected folders.
     * **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization.
     * **Block disk modification only** - Attempts by untrusted apps to write to disk sectors will be logged in Windows Event log. These logs can be found in **Applications and Services Logs** > Microsoft > Windows > Windows Defender > Operational > ID 1123.
-    * **Audit disk modification only** - Only attempts to write to protected disk sectors will be recorded in the Windows event log (under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1124). Attempts to modify or delete files in protected folders will not be recorded.
+    * **Audit disk modification only** - Only attempts to write to protected disk sectors will be recorded in the Windows event log (under **Applications and Services Logs** > **Microsoft** > **Windows** > **Windows Defender** > **Operational** > **ID 1124**). Attempts to modify or delete files in protected folders will not be recorded.
 
       ![Screenshot of the group policy option Enabled and Audit Mode selected in the drop-down](../images/cfa-gp-enable.png)
 

From 6cd020755d20f5104d8e3f72b513babeb454f11f Mon Sep 17 00:00:00 2001
From: VLG17 <41186174+VLG17@users.noreply.github.com>
Date: Tue, 28 Jan 2020 12:09:34 +0200
Subject: [PATCH 46/51] Note about request hash vs certificate hash.

https://github.com/MicrosoftDocs/windows-itpro-docs/issues/5657
---
 .../hello-for-business/hello-hybrid-key-whfb-settings-pki.md   | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
index 41d11386b2..bbe8176263 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
@@ -55,6 +55,9 @@ Sign-in a certificate authority or management workstations with _Domain Admin_ e
 7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list.  Select **RSA** from the **Algorithm name** list.  Type **2048** in the **Minimum key size** text box.  Select **SHA256** from the **Request hash** list.  Click **OK**. 
 8. Close the console.
 
+>[!NOTE]
+>Don't confuse the **Request hash** algorithm with the hash argorithm of the certificate.
+
 #### Configure Certificate Superseding for the Domain Controller Authentication (Kerberos) Certificate Template
 
 Many domain controllers may have an existing domain controller certificate.  The Active Directory Certificate Services provides a default certificate template for domain controllers--the domain controller certificate template.  Later releases provided a new certificate template--the domain controller authentication certificate template.  These certificate templates were provided prior to update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the **KDC Authentication** extension.  

From ef9954826439bfe4c4bb2959d357cb27b8a8ee83 Mon Sep 17 00:00:00 2001
From: VLG17 <41186174+VLG17@users.noreply.github.com>
Date: Tue, 28 Jan 2020 13:00:02 +0200
Subject: [PATCH 47/51] add info about newer Operating Systems

https://github.com/MicrosoftDocs/windows-itpro-docs/issues/5672
---
 ...onfigure-encryption-types-allowed-for-kerberos.md | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md
index 1ada850d3b..37700da3a6 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md
@@ -20,7 +20,7 @@ ms.date: 04/19/2017
 # Network security: Configure encryption types allowed for Kerberos
 
 **Applies to**
--   Windows 10
+-   Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2
 
 Describes the best practices, location, values and security considerations for the **Network security: Configure encryption types allowed for Kerberos** security policy setting.
 
@@ -35,11 +35,11 @@ The following table lists and explains the allowed encryption types.
  
 | Encryption type | Description and version support |
 | - | - |
-| DES_CBC_CRC | Data Encryption Standard with Cipher Block Chaining using the Cyclic Redundancy Check function<br/>Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7, Windows 10 and Windows Server 2008 R2 operating systems do not support DES by default. |
-| DES_CBC_MD5| Data Encryption Standard with Cipher Block Chaining using the Message-Digest algorithm 5 checksum function<br/>Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7, Windows 10 and Windows Server 2008 R2 operating systems do not support DES by default. |
-| RC4_HMAC_MD5| Rivest Cipher 4 with Hashed Message Authentication Code using the Message-Digest algorithm 5 checksum function<br/>Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows 10 and Windows Server 2008 R2.|
-| AES128_HMAC_SHA1| Advanced Encryption Standard in 128 bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).<br/>Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, Windows 10 and Windows Server 2008 R2. |
-| AES256_HMAC_SHA1| Advanced Encryption Standard in 256 bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).<br/>Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, Windows 10 and Windows Server 2008 R2. |
+| DES_CBC_CRC | Data Encryption Standard with Cipher Block Chaining using the Cyclic Redundancy Check function<br/>Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7, Windows 10, Windows Server 2008 R2 and later operating systems do not support DES by default. |
+| DES_CBC_MD5| Data Encryption Standard with Cipher Block Chaining using the Message-Digest algorithm 5 checksum function<br/>Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7, Windows 10, Windows Server 2008 R2 and later operating systems do not support DES by default. |
+| RC4_HMAC_MD5| Rivest Cipher 4 with Hashed Message Authentication Code using the Message-Digest algorithm 5 checksum function<br/>Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows 10, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2.|
+| AES128_HMAC_SHA1| Advanced Encryption Standard in 128 bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).<br/>Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, Windows 10, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2. |
+| AES256_HMAC_SHA1| Advanced Encryption Standard in 256 bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).<br/>Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, Windows 10, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2. |
 | Future encryption types| Reserved by Microsoft for additional encryption types that might be implemented.|
 
 ### Possible values

From 66f1092f83b2c64a3337fb646fe14e48ef17e8bc Mon Sep 17 00:00:00 2001
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com>
Date: Tue, 28 Jan 2020 18:04:47 +0530
Subject: [PATCH 48/51] removed invalid link and replaced by new link

as per user report #5870.So  i removed invalid link  and replaced  new link

removed link
*https://go.microsoft.com/fwlink/?LinkID=158931*

added new link
*https://www.microsoft.com/en-us/download/details.aspx?id=13975*
---
 mdop/agpm/resources-for-agpm.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mdop/agpm/resources-for-agpm.md b/mdop/agpm/resources-for-agpm.md
index 3ebc42e3e4..36935b703f 100644
--- a/mdop/agpm/resources-for-agpm.md
+++ b/mdop/agpm/resources-for-agpm.md
@@ -19,7 +19,7 @@ ms.date: 08/30/2016
 
 ### Documents for download
 
--   [Advanced Group Policy Management 4.0 documents](https://go.microsoft.com/fwlink/?LinkID=158931)
+-   [Advanced Group Policy Management 4.0 documents](https://www.microsoft.com/en-us/download/details.aspx?id=139751)
 
 ### Microsoft Desktop Optimization Pack resources
 

From 9d47e5e81da88ee8f5cd5d10665eef1e68b0d977 Mon Sep 17 00:00:00 2001
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com>
Date: Tue, 28 Jan 2020 20:09:55 +0530
Subject: [PATCH 49/51] removed the video configuration file, added new link

its my own issue ,  i added below link

*https://www.youtube.com/embed/KYVptkpsOqs*
---
 .../windows-autopilot/windows-autopilot-requirements.md    | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md
index b93eba2709..338d548271 100644
--- a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md
@@ -121,8 +121,11 @@ Specific scenarios will then have additional requirements.  Generally, there are
 See [Windows Autopilot Scenarios](windows-autopilot-scenarios.md) for additional details.
 
 For a walkthrough for some of these and related steps, see this video:
-<br>&nbsp;<br>
-<iframe width="560" height="315" src="https://www.youtube-nocookie.com/embed/KYVptkpsOqs" frameborder="0" allow="autoplay; encrypted-media" allowfullscreen></iframe> 
+
+</br>
+
+<iframe width="560" height="315" src="https://www.youtube.com/embed/KYVptkpsOqs" frameborder="0" allow="accelerometer; autoplay; encrypted-media" gyroscope; picture-in-picture" allowfullscreen></iframe>
+
 
 There are no additional hardware requirements to use Windows 10 Autopilot, beyond the [requirements to run Windows 10](https://www.microsoft.com/windows/windows-10-specifications).
 

From ecdd8296eb7e69e0efb8c9cf5e14814fa7897ca7 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT <deniseb@microsoft.com>
Date: Tue, 28 Jan 2020 10:51:58 -0800
Subject: [PATCH 50/51] Update resources-for-agpm.md

---
 mdop/agpm/resources-for-agpm.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mdop/agpm/resources-for-agpm.md b/mdop/agpm/resources-for-agpm.md
index 36935b703f..bd2fe5372b 100644
--- a/mdop/agpm/resources-for-agpm.md
+++ b/mdop/agpm/resources-for-agpm.md
@@ -19,7 +19,7 @@ ms.date: 08/30/2016
 
 ### Documents for download
 
--   [Advanced Group Policy Management 4.0 documents](https://www.microsoft.com/en-us/download/details.aspx?id=139751)
+-   [Advanced Group Policy Management 4.0 documents](https://www.microsoft.com/download/details.aspx?id=13975)
 
 ### Microsoft Desktop Optimization Pack resources
 

From 5c9a9a1bb5a0d7aea1ca5c86c0060b59e9c70364 Mon Sep 17 00:00:00 2001
From: Yannis Lempidakis <51840946+yannisle@users.noreply.github.com>
Date: Tue, 28 Jan 2020 11:08:38 -0800
Subject: [PATCH 51/51] Update hololens-offline.md

---
 devices/hololens/hololens-offline.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/devices/hololens/hololens-offline.md b/devices/hololens/hololens-offline.md
index aecf36fd16..4c468667f9 100644
--- a/devices/hololens/hololens-offline.md
+++ b/devices/hololens/hololens-offline.md
@@ -33,9 +33,9 @@ HoloLens supports a limited set of offline experiences for customers who have ne
 | MSA | https://login.live.com/ppsecure/inlineconnect.srf?id=80600 |
 | MSA Pin | https://account.live.com/msangc?fl=enroll |
 
-## Use HoloLens online 
+## Endpoint configuration
 
-To take full advantage of HoloLens functionality, the following endpoints need to be enabled in your network configuration.
+In addition to the list above, to take full advantage of HoloLens functionality, the following endpoints need to be enabled in your network configuration.
 
 
 | Purpose | URL |