Merge branch 'master' into av-test
@ -1,17 +1,24 @@
|
|||||||
# [Microsoft HoloLens](index.md)
|
# [Microsoft HoloLens](index.md)
|
||||||
## [What's new in Microsoft HoloLens](hololens-whats-new.md)
|
# [What's new in HoloLens](hololens-whats-new.md)
|
||||||
## [HoloLens in the enterprise: requirements and FAQ](hololens-requirements.md)
|
# [HoloLens in the enterprise: requirements and FAQ](hololens-requirements.md)
|
||||||
## [Insider preview for Microsoft HoloLens](hololens-insider.md)
|
# [Set up HoloLens](hololens-setup.md)
|
||||||
## [Set up HoloLens](hololens-setup.md)
|
|
||||||
## [Install localized version of HoloLens](hololens-install-localized.md)
|
# Device Management
|
||||||
## [Unlock Windows Holographic for Business features](hololens-upgrade-enterprise.md)
|
## [Unlock Windows Holographic for Business features](hololens-upgrade-enterprise.md)
|
||||||
|
## [Install localized version of HoloLens](hololens-install-localized.md)
|
||||||
|
## [Configure HoloLens using a provisioning package](hololens-provisioning.md)
|
||||||
## [Enroll HoloLens in MDM](hololens-enroll-mdm.md)
|
## [Enroll HoloLens in MDM](hololens-enroll-mdm.md)
|
||||||
## [Manage updates to HoloLens](hololens-updates.md)
|
## [Manage updates to HoloLens](hololens-updates.md)
|
||||||
## [Set up HoloLens in kiosk mode](hololens-kiosk.md)
|
|
||||||
## [Share HoloLens with multiple people](hololens-multiple-users.md)
|
|
||||||
## [Configure HoloLens using a provisioning package](hololens-provisioning.md)
|
|
||||||
## [Install apps on HoloLens](hololens-install-apps.md)
|
|
||||||
## [Enable Bitlocker device encryption for HoloLens](hololens-encryption.md)
|
|
||||||
## [Restore HoloLens 2 using Advanced Recovery Companion](hololens-recovery.md)
|
## [Restore HoloLens 2 using Advanced Recovery Companion](hololens-recovery.md)
|
||||||
|
|
||||||
|
# Application Management
|
||||||
|
## [Install apps on HoloLens](hololens-install-apps.md)
|
||||||
|
## [Share HoloLens with multiple people](hololens-multiple-users.md)
|
||||||
|
|
||||||
|
# User/Access Management
|
||||||
|
## [Set up single application access](hololens-kiosk.md)
|
||||||
|
## [Enable Bitlocker device encryption for HoloLens](hololens-encryption.md)
|
||||||
## [How HoloLens stores data for spaces](hololens-spaces.md)
|
## [How HoloLens stores data for spaces](hololens-spaces.md)
|
||||||
## [Change history for Microsoft HoloLens documentation](change-history-hololens.md)
|
|
||||||
|
# [Insider preview for Microsoft HoloLens](hololens-insider.md)
|
||||||
|
# [Change history for Microsoft HoloLens documentation](change-history-hololens.md)
|
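Review bot: The heading levels in the new TOC are inconsistent. "What's new in HoloLens", "HoloLens in the enterprise: requirements and FAQ" and "Set up HoloLens" are promoted from `##` to `#`, which puts them at the same level as the root `# [Microsoft HoloLens](index.md)` and as the new unlinked group headings `# Device Management`, `# Application Management` and `# User/Access Management`; decide whether the root entry is a parent (then those three stay `##`) or whether the file is a flat list, and apply one rule throughout. Two smaller points in the same hunk: "Enable Bitlocker device encryption for HoloLens" should read "BitLocker", and renaming the kiosk entry to "Set up single application access" while keeping `hololens-kiosk.md` is fine, but keep the word "kiosk" in the title so readers scanning the TOC for kiosk mode still find it.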
@ -217,6 +217,8 @@ In order to enable Skype for Business, your environment will need to meet the fo
|
|||||||
|
|
||||||
## <a href="" id="create-device-acct-eac"></a>Create a device account using the Exchange Admin Center
|
## <a href="" id="create-device-acct-eac"></a>Create a device account using the Exchange Admin Center
|
||||||
|
|
||||||
|
>[!NOTE]
|
||||||
|
>This method will only work if you are syncing from an on-premises Active Directory.
|
||||||
|
|
||||||
You can use the Exchange Admin Center to create a device account:
|
You can use the Exchange Admin Center to create a device account:
|
||||||
|
|
||||||
|
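Review bot: The note added under "Create a device account using the Exchange Admin Center" tells cloud-only tenants that this method will not work for them but not what to do instead; add a pointer to the alternative procedure on the page so the note is actionable. The wording would also be more precise as "This method works only if your directory is synchronized from on-premises Active Directory" rather than "if you are syncing".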
@ -385,6 +385,6 @@ If the dump file shows an error that is related to a driver (for example, window
|
|||||||
|
|
||||||
1. Start WinRE, and open a Command Prompt window.
|
1. Start WinRE, and open a Command Prompt window.
|
||||||
2. Start a text editor, such as Notepad.
|
2. Start a text editor, such as Notepad.
|
||||||
3. Navigate to C\Windows\System32\Config\.
|
3. Navigate to C:\Windows\System32\Config\.
|
||||||
4. Rename the all five hives by appending ".old" to the name.
|
4. Rename the all five hives by appending ".old" to the name.
|
||||||
5. Copy all the hives from the Regback folder, paste them in the Config folder, and then try to start the computer in Normal mode.
|
5. Copy all the hives from the Regback folder, paste them in the Config folder, and then try to start the computer in Normal mode.
|
||||||
|
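Review bot: Step 3 now has the correct `C:\Windows\System32\Config\` path, but step 4 in the same hunk still reads "Rename the all five hives"; drop "the" while this list is being touched. Step 5 should also spell out the `RegBack` location (`C:\Windows\System32\Config\RegBack`) with the same capitalization Windows uses, so the reader is not left to guess where it sits relative to `Config`.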
@ -245,6 +245,7 @@
|
|||||||
#### [RestrictedGroups](policy-csp-restrictedgroups.md)
|
#### [RestrictedGroups](policy-csp-restrictedgroups.md)
|
||||||
#### [Search](policy-csp-search.md)
|
#### [Search](policy-csp-search.md)
|
||||||
#### [Security](policy-csp-security.md)
|
#### [Security](policy-csp-security.md)
|
||||||
|
#### [ServiceControlManager](policy-csp-servicecontrolmanager.md)
|
||||||
#### [Settings](policy-csp-settings.md)
|
#### [Settings](policy-csp-settings.md)
|
||||||
#### [SmartScreen](policy-csp-smartscreen.md)
|
#### [SmartScreen](policy-csp-smartscreen.md)
|
||||||
#### [Speech](policy-csp-speech.md)
|
#### [Speech](policy-csp-speech.md)
|
||||||
|
@ -35,7 +35,7 @@ The auto-enrollment relies of the presence of an MDM service and the Azure Activ
|
|||||||
|
|
||||||
When the auto-enrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task will use the existing MDM service configuration from the Azure Active Directory information of the user. If multi-factor authentication is required, the user will get a prompt to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page.
|
When the auto-enrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task will use the existing MDM service configuration from the Azure Active Directory information of the user. If multi-factor authentication is required, the user will get a prompt to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page.
|
||||||
|
|
||||||
In Windows 10, version 1709, when the same policy is configured in GP and MDM, the GP policy wins (GP policy is take precedence over MDM). In the future release of Windows 10, we are considering a feature that allows the admin to control which policy takes precedence.
|
In Windows 10, version 1709, when the same policy is configured in GP and MDM, the GP policy wins (GP policy takes precedence over MDM). Since Windows 10, version 1803, a new setting allows you to change the policy conflict winner to MDM. See [Windows 10 Group Policy vs. Intune MDM Policy who wins?](https://blogs.technet.microsoft.com/cbernier/2018/04/02/windows-10-group-policy-vs-intune-mdm-policy-who-wins/) to learn more.
|
||||||
|
|
||||||
For this policy to work, you must verify that the MDM service provider allows the GP triggered MDM enrollment for domain joined devices.
|
For this policy to work, you must verify that the MDM service provider allows the GP triggered MDM enrollment for domain joined devices.
|
||||||
|
|
||||||
|
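Review bot: The rewritten paragraph says that since Windows 10, version 1803 "a new setting" lets the admin make MDM the conflict winner, but never names the setting, and the only reference is a personal TechNet blog post; name the policy node and link to its Policy CSP reference page so the statement survives the blog moving or being retired. Separately, the unchanged context line in this hunk's header still reads "relies of the presence of an MDM service"; fix it to "relies on".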
@ -115,6 +115,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
|
|||||||
<li>[Power/UnattendedSleepTimeoutOnBattery](policy-csp-power.md#power-unattendedsleeptimeoutonbattery)</li>
|
<li>[Power/UnattendedSleepTimeoutOnBattery](policy-csp-power.md#power-unattendedsleeptimeoutonbattery)</li>
|
||||||
<li>[Power/UnattendedSleepTimeoutPluggedIn](policy-csp-power.md#power-unattendedsleeptimeoutpluggedin)</li>
|
<li>[Power/UnattendedSleepTimeoutPluggedIn](policy-csp-power.md#power-unattendedsleeptimeoutpluggedin)</li>
|
||||||
<li>[Search/AllowFindMyFiles](policy-csp-search.md#search-allowfindmyfiles)</li>
|
<li>[Search/AllowFindMyFiles](policy-csp-search.md#search-allowfindmyfiles)</li>
|
||||||
|
<li>[ServiceControlManager/SvchostProcessMitigation](policy-csp-servicecontrolmanager.md#servicecontrolmanager-svchostprocessmitigation)</li>
|
||||||
<li>[System/AllowCommercialDataPipeline](policy-csp-system.md#system-allowcommercialdatapipeline)</li>
|
<li>[System/AllowCommercialDataPipeline](policy-csp-system.md#system-allowcommercialdatapipeline)</li>
|
||||||
<li>[System/TurnOffFileHistory](policy-csp-system.md#system-turnofffilehistory)</li>
|
<li>[System/TurnOffFileHistory](policy-csp-system.md#system-turnofffilehistory)</li>
|
||||||
<li>[Update/AutomaticMaintenanceWakeUp](policy-csp-update.md#update-automaticmaintenancewakeup)</li>
|
<li>[Update/AutomaticMaintenanceWakeUp](policy-csp-update.md#update-automaticmaintenancewakeup)</li>
|
||||||
@ -1868,16 +1869,17 @@ How do I turn if off? | The service can be stopped from the "Services" console o
|
|||||||
|
|
||||||
|New or updated topic | Description|
|
|New or updated topic | Description|
|
||||||
|--- | ---|
|
|--- | ---|
|
||||||
|
|[DeviceStatus CSP](devicestatus-csp.md)|Updated description of the following nodes:<br>DeviceStatus/Antivirus/SignatureStatus, DeviceStatus/Antispyware/SignatureStatus.|
|
||||||
|[EnrollmentStatusTracking CSP](enrollmentstatustracking-csp.md)|Added new CSP in Windows 10, version 1903.|
|
|[EnrollmentStatusTracking CSP](enrollmentstatustracking-csp.md)|Added new CSP in Windows 10, version 1903.|
|
||||||
|[Policy CSP - DeliveryOptimization](policy-csp-deliveryoptimization.md)|Added the following new policies:<br> DODelayCacheServerFallbackBackground, DODelayCacheServerFallbackForeground.<br><br>Updated description of the following policies:<br>DOMinRAMAllowedToPeer, DOMinFileSizeToCache, DOMinDiskSizeAllowedToPeer.|
|
|[Policy CSP - DeliveryOptimization](policy-csp-deliveryoptimization.md)|Added the following new policies:<br> DODelayCacheServerFallbackBackground, DODelayCacheServerFallbackForeground.<br><br>Updated description of the following policies:<br>DOMinRAMAllowedToPeer, DOMinFileSizeToCache, DOMinDiskSizeAllowedToPeer.|
|
||||||
|[Policy CSP - Experience](policy-csp-experience.md)|Added the following new policy:<br>ShowLockOnUserTile.|
|
|[Policy CSP - Experience](policy-csp-experience.md)|Added the following new policy:<br>ShowLockOnUserTile.|
|
||||||
|[Policy CSP - InternetExplorer](policy-csp-internetexplorer.md)|Added the following new policies:<br>AllowEnhancedSuggestionsInAddressBar, DisableActiveXVersionListAutoDownload, DisableCompatView, DisableFeedsBackgroundSync, DisableGeolocation, DisableWebAddressAutoComplete, NewTabDefaultPage.|
|
|[Policy CSP - InternetExplorer](policy-csp-internetexplorer.md)|Added the following new policies:<br>AllowEnhancedSuggestionsInAddressBar, DisableActiveXVersionListAutoDownload, DisableCompatView, DisableFeedsBackgroundSync, DisableGeolocation, DisableWebAddressAutoComplete, NewTabDefaultPage.|
|
||||||
|[Policy CSP - Power](policy-csp-power.md)|Added the following new policies:<br>EnergySaverBatteryThresholdOnBattery, EnergySaverBatteryThresholdPluggedIn, SelectLidCloseActionOnBattery, SelectLidCloseActionPluggedIn, SelectPowerButtonActionOnBattery, SelectPowerButtonActionPluggedIn, SelectSleepButtonActionOnBattery, SelectSleepButtonActionPluggedIn, TurnOffHybridSleepOnBattery, TurnOffHybridSleepPluggedIn, UnattendedSleepTimeoutOnBattery, UnattendedSleepTimeoutPluggedIn.|
|
|[Policy CSP - Power](policy-csp-power.md)|Added the following new policies:<br>EnergySaverBatteryThresholdOnBattery, EnergySaverBatteryThresholdPluggedIn, SelectLidCloseActionOnBattery, SelectLidCloseActionPluggedIn, SelectPowerButtonActionOnBattery, SelectPowerButtonActionPluggedIn, SelectSleepButtonActionOnBattery, SelectSleepButtonActionPluggedIn, TurnOffHybridSleepOnBattery, TurnOffHybridSleepPluggedIn, UnattendedSleepTimeoutOnBattery, UnattendedSleepTimeoutPluggedIn.|
|
||||||
|[Policy CSP - Search](policy-csp-search.md)|Added the following new policy:<br>AllowFindMyFiles.|
|
|[Policy CSP - Search](policy-csp-search.md)|Added the following new policy:<br>AllowFindMyFiles.|
|
||||||
|
|[Policy CSP - ServiceControlManager](policy-csp-servicecontrolmanager.md)|Added the following new policy:<br>SvchostProcessMitigation.|
|
||||||
|[Policy CSP - System](policy-csp-system.md)|Added the following new policies:<br>AllowCommercialDataPipeline, TurnOffFileHistory.|
|
|[Policy CSP - System](policy-csp-system.md)|Added the following new policies:<br>AllowCommercialDataPipeline, TurnOffFileHistory.|
|
||||||
|[Policy CSP - Update](policy-csp-update.md)|Added the following new policies:<br>AutomaticMaintenanceWakeUp, ConfigureDeadlineForFeatureUpdates, ConfigureDeadlineForQualityUpdates, ConfigureDeadlineGracePeriod, ConfigureDeadlineNoAutoReboot.|
|
|[Policy CSP - Update](policy-csp-update.md)|Added the following new policies:<br>AutomaticMaintenanceWakeUp, ConfigureDeadlineForFeatureUpdates, ConfigureDeadlineForQualityUpdates, ConfigureDeadlineGracePeriod, ConfigureDeadlineNoAutoReboot.|
|
||||||
|[Policy CSP - WindowsLogon](policy-csp-windowslogon.md)|Added the following new policies:<br>AllowAutomaticRestartSignOn, ConfigAutomaticRestartSignOn, EnableFirstLogonAnimation.|
|
|[Policy CSP - WindowsLogon](policy-csp-windowslogon.md)|Added the following new policies:<br>AllowAutomaticRestartSignOn, ConfigAutomaticRestartSignOn, EnableFirstLogonAnimation.|
|
||||||
|[DeviceStatus CSP](devicestatus-csp.md)|Updated description of the following nodes:<br>DeviceStatus/Antivirus/SignatureStatus, DeviceStatus/Antispyware/SignatureStatus.|
|
|
||||||
|
|
||||||
### April 2019
|
### April 2019
|
||||||
|
|
||||||
|
@ -36,7 +36,7 @@ The following diagram shows the PassportForWork configuration service provider i
|
|||||||
Root node for PassportForWork configuration service provider.
|
Root node for PassportForWork configuration service provider.
|
||||||
|
|
||||||
<a href="" id="tenantid"></a>***TenantId***
|
<a href="" id="tenantid"></a>***TenantId***
|
||||||
A globally unique identifier (GUID), without curly braces ( { , } ), that is used as part of Windows Hello for Business provisioning and management.
|
A globally unique identifier (GUID), without curly braces ( { , } ), that is used as part of Windows Hello for Business provisioning and management. To get a GUID, use the PowerShell cmdlet [Get-AzureAccount](https://docs.microsoft.com/powershell/module/servicemanagement/azure/get-azureaccount). For more information see [Get Windows Azure Active Directory Tenant ID in Windows PowerShell](https://devblogs.microsoft.com/scripting/get-windows-azure-active-directory-tenant-id-in-windows-powershell).
|
||||||
|
|
||||||
<a href="" id="tenantid-policies"></a>***TenantId*/Policies**
|
<a href="" id="tenantid-policies"></a>***TenantId*/Policies**
|
||||||
Node for defining the Windows Hello for Business policy settings.
|
Node for defining the Windows Hello for Business policy settings.
|
||||||
|
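Review bot: The guidance added to ***TenantId*** points readers at `Get-AzureAccount`, which the link itself shows is from the classic Service Management module (`servicemanagement/azure`); that cmdlet reports the signed-in account, so confirm it actually surfaces the Azure AD tenant GUID this node requires, and prefer a current cmdlet such as `Get-AzureADTenantDetail` (AzureAD module) or `Get-AzTenant` (Az module), whose `ObjectId`/`Id` output is already a bare GUID without curly braces, which is exactly the format the sentence asks for.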
@ -3000,6 +3000,13 @@ The following diagram shows the Policy configuration service provider in tree fo
|
|||||||
</dd>
|
</dd>
|
||||||
</dl>
|
</dl>
|
||||||
|
|
||||||
|
### ServiceControlManager policies
|
||||||
|
<dl>
|
||||||
|
<dd>
|
||||||
|
<a href="./policy-csp-servicecontrolmanager.md#servicecontrolmanager-svchostprocessmitigation" id="servicecontrolmanager-svchostprocessmitigation">ServiceControlManager/SvchostProcessMitigation</a>
|
||||||
|
</dd>
|
||||||
|
</dl>
|
||||||
|
|
||||||
### Settings policies
|
### Settings policies
|
||||||
|
|
||||||
<dl>
|
<dl>
|
||||||
@ -4219,6 +4226,7 @@ The following diagram shows the Policy configuration service provider in tree fo
|
|||||||
- [RemoteShell/SpecifyMaxProcesses](./policy-csp-remoteshell.md#remoteshell-specifymaxprocesses)
|
- [RemoteShell/SpecifyMaxProcesses](./policy-csp-remoteshell.md#remoteshell-specifymaxprocesses)
|
||||||
- [RemoteShell/SpecifyMaxRemoteShells](./policy-csp-remoteshell.md#remoteshell-specifymaxremoteshells)
|
- [RemoteShell/SpecifyMaxRemoteShells](./policy-csp-remoteshell.md#remoteshell-specifymaxremoteshells)
|
||||||
- [RemoteShell/SpecifyShellTimeout](./policy-csp-remoteshell.md#remoteshell-specifyshelltimeout)
|
- [RemoteShell/SpecifyShellTimeout](./policy-csp-remoteshell.md#remoteshell-specifyshelltimeout)
|
||||||
|
- [ServiceControlManager/SvchostProcessMitigation](./policy-csp-servicecontrolmanager.md#servicecontrolmanager-svchostprocessmitigation)
|
||||||
- [Storage/EnhancedStorageDevices](./policy-csp-storage.md#storage-enhancedstoragedevices)
|
- [Storage/EnhancedStorageDevices](./policy-csp-storage.md#storage-enhancedstoragedevices)
|
||||||
- [System/BootStartDriverInitialization](./policy-csp-system.md#system-bootstartdriverinitialization)
|
- [System/BootStartDriverInitialization](./policy-csp-system.md#system-bootstartdriverinitialization)
|
||||||
- [System/DisableSystemRestore](./policy-csp-system.md#system-disablesystemrestore)
|
- [System/DisableSystemRestore](./policy-csp-system.md#system-disablesystemrestore)
|
||||||
@ -4963,6 +4971,7 @@ The following diagram shows the Policy configuration service provider in tree fo
|
|||||||
- [Search/PreventIndexingLowDiskSpaceMB](./policy-csp-search.md#search-preventindexinglowdiskspacemb)
|
- [Search/PreventIndexingLowDiskSpaceMB](./policy-csp-search.md#search-preventindexinglowdiskspacemb)
|
||||||
- [Search/PreventRemoteQueries](./policy-csp-search.md#search-preventremotequeries)
|
- [Search/PreventRemoteQueries](./policy-csp-search.md#search-preventremotequeries)
|
||||||
- [Security/ClearTPMIfNotReady](./policy-csp-security.md#security-cleartpmifnotready)
|
- [Security/ClearTPMIfNotReady](./policy-csp-security.md#security-cleartpmifnotready)
|
||||||
|
- [ServiceControlManager/SvchostProcessMitigation](./policy-csp-servicecontrolmanager.md#servicecontrolmanager-svchostprocessmitigation)
|
||||||
- [Settings/AllowOnlineTips](./policy-csp-settings.md#settings-allowonlinetips)
|
- [Settings/AllowOnlineTips](./policy-csp-settings.md#settings-allowonlinetips)
|
||||||
- [Settings/ConfigureTaskbarCalendar](./policy-csp-settings.md#settings-configuretaskbarcalendar)
|
- [Settings/ConfigureTaskbarCalendar](./policy-csp-settings.md#settings-configuretaskbarcalendar)
|
||||||
- [Settings/PageVisibilityList](./policy-csp-settings.md#settings-pagevisibilitylist)
|
- [Settings/PageVisibilityList](./policy-csp-settings.md#settings-pagevisibilitylist)
|
||||||
|
@ -0,0 +1,112 @@
|
|||||||
|
---
|
||||||
|
title: Policy CSP - ServiceControlManager
|
||||||
|
description: Policy CSP - ServiceControlManager
|
||||||
|
ms.author: Heidi.Lohr
|
||||||
|
ms.topic: article
|
||||||
|
ms.prod: w10
|
||||||
|
ms.technology: windows
|
||||||
|
author: Heidilohr
|
||||||
|
ms.date: 05/21/2019
|
||||||
|
---
|
||||||
|
|
||||||
|
# Policy CSP - ServiceControlManager
|
||||||
|
|
||||||
|
|
||||||
|
<hr/>
|
||||||
|
|
||||||
|
<!--Policies-->
|
||||||
|
## ServiceControlManager policies
|
||||||
|
|
||||||
|
<dl>
|
||||||
|
<dd>
|
||||||
|
<a href="#servicecontrolmanager-svchostprocessmitigation">ServiceControlManager/SvchostProcessMitigation</a>
|
||||||
|
</dd>
|
||||||
|
</dl>
|
||||||
|
|
||||||
|
<hr/>
|
||||||
|
|
||||||
|
<!--Policy-->
|
||||||
|
<a href="" id="servicecontrolmanager-svchostprocessmitigation"></a>**ServiceControlManager/SvchostProcessMitigation**
|
||||||
|
|
||||||
|
<!--SupportedSKUs-->
|
||||||
|
<table>
|
||||||
|
<tr>
|
||||||
|
<th>Home</th>
|
||||||
|
<th>Pro</th>
|
||||||
|
<th>Business</th>
|
||||||
|
<th>Enterprise</th>
|
||||||
|
<th>Education</th>
|
||||||
|
<th>Mobile</th>
|
||||||
|
<th>Mobile Enterprise</th>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td><img src="images/crossmark.png" alt="cross mark" /></td>
|
||||||
|
<td><img src="images/crossmark.png" alt="cross mark" /></td>
|
||||||
|
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
|
||||||
|
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
|
||||||
|
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
|
||||||
|
<td></td>
|
||||||
|
<td></td>
|
||||||
|
</tr>
|
||||||
|
</table>
|
||||||
|
|
||||||
|
<!--/SupportedSKUs-->
|
||||||
|
<!--Scope-->
|
||||||
|
[Scope](./policy-configuration-service-provider.md#policy-scope):
|
||||||
|
|
||||||
|
> [!div class = "checklist"]
|
||||||
|
> * Device
|
||||||
|
|
||||||
|
<hr/>
|
||||||
|
|
||||||
|
<!--/Scope-->
|
||||||
|
<!--Description-->
|
||||||
|
This policy setting enables process mitigation options on svchost.exe processes.
|
||||||
|
|
||||||
|
If you enable this policy setting, built-in system services hosted in svchost.exe processes will have stricter security policies enabled on them.
|
||||||
|
|
||||||
|
This includes a policy requiring all binaries loaded in these processes to be signed by Microsoft, as well as a policy disallowing dynamically-generated code.
|
||||||
|
|
||||||
|
If you disable or do not configure this policy setting, the stricter security settings will not be applied.
|
||||||
|
|
||||||
|
<!--/Description-->
|
||||||
|
> [!TIP]
|
||||||
|
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
|
||||||
|
|
||||||
|
> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
|
||||||
|
|
||||||
|
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
|
||||||
|
|
||||||
|
<!--ADMXBacked-->
|
||||||
|
ADMX Info:
|
||||||
|
- GP English name: *Enable svchost.exe mitigation options*
|
||||||
|
- GP name: *SvchostProcessMitigationEnable*
|
||||||
|
- GP path: *System/Service Control Manager Settings/Security Settings*
|
||||||
|
- GP ADMX file name: *ServiceControlManager.admx*
|
||||||
|
|
||||||
|
<!--/ADMXBacked-->
|
||||||
|
<!--SupportedValues-->
|
||||||
|
Supported values:
|
||||||
|
- disabled - Do not add ACG/CIG enforcement and other process mitigation/code integrity policies to SVCHOST processes.
|
||||||
|
- enabled - Add ACG/CIG enforcement and other process mitigation/code integrity policies to SVCHOST processes.
|
||||||
|
<!--/SupportedValues-->
|
||||||
|
<!--Example-->
|
||||||
|
|
||||||
|
<!--/Example-->
|
||||||
|
<!--Validation-->
|
||||||
|
|
||||||
|
<!--/Validation-->
|
||||||
|
<!--/Policy-->
|
||||||
|
|
||||||
|
<!--/Policies-->
|
||||||
|
|
||||||
|
<hr/>
|
||||||
|
|
||||||
|
Footnotes:
|
||||||
|
|
||||||
|
- 1 - Added in Windows 10, version 1607.
|
||||||
|
- 2 - Added in Windows 10, version 1703.
|
||||||
|
- 3 - Added in Windows 10, version 1709.
|
||||||
|
- 4 - Added in Windows 10, version 1803.
|
||||||
|
- 5 - Added in Windows 10, version 1809.
|
||||||
|
- 6 - Added in Windows 10, version 1903.
|
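Review bot: The Description of the new ServiceControlManager/SvchostProcessMitigation page should state the compatibility consequence of what it already says. Because the policy requires every binary loaded into svchost.exe processes to be Microsoft-signed and disallows dynamically generated code (the ACG/CIG enforcement named under Supported values), any non-Microsoft-signed DLL that is loaded into a service host, such as a third-party service plug-in or an injected security agent, will be blocked once the policy is enabled, so readers should be told to pilot the setting and watch for service start failures before a broad rollout. Three further points: the `<!--Example-->` and `<!--Validation-->` sections are empty even though the TIP says this ADMX-backed policy needs a special SyncML format, so add the SyncML for enabling it; the SKU table leaves the Mobile and Mobile Enterprise cells blank instead of showing a cross mark as Home and Pro do; and footnotes 1 to 5 are unused on this page, only footnote 6 is referenced.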
@ -254,6 +254,7 @@ No new [Exchange ActiveSync policies](https://go.microsoft.com/fwlink/p/?LinkId=
|
|||||||
|
|
||||||
## Related topics
|
## Related topics
|
||||||
|
|
||||||
|
[Group Policy Settings Reference Spreadsheet Windows 1803](https://www.microsoft.com/download/details.aspx?id=56946)
|
||||||
|
|
||||||
[Manage corporate devices](manage-corporate-devices.md)
|
[Manage corporate devices](manage-corporate-devices.md)
|
||||||
|
|
||||||
|
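Review bot: The new Related topics entry is pinned to the Windows 10, version 1803 Group Policy settings reference spreadsheet, so it will age quickly as the page picks up later releases; either link to the download page that carries the current spreadsheet or make the version explicit in the surrounding text so readers know it does not cover newer policies.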
@ -83,7 +83,7 @@ To prepare a Start layout for export, you simply customize the Start layout on a
|
|||||||
## Export the Start layout
|
## Export the Start layout
|
||||||
|
|
||||||
|
|
||||||
When you have the Start layout that you want your users to see, use the [Export-StartLayout](https://docs.microsoft.com/powershell/module/startlayout/export-startlayout?view=win10-ps) cmdlet in Windows PowerShell to export the Start layout to an .xml file.
|
When you have the Start layout that you want your users to see, use the [Export-StartLayout](https://docs.microsoft.com/powershell/module/startlayout/export-startlayout?view=win10-ps) cmdlet in Windows PowerShell to export the Start layout to an .xml file. Start layout is located by default at C:\Users\username\AppData\Local\Microsoft\Windows\Shell\
|
||||||
|
|
||||||
>[!IMPORTANT]
|
>[!IMPORTANT]
|
||||||
>If you include secondary Microsoft Edge tiles (tiles that link to specific websites in Microsoft Edge), see [Add custom images to Microsoft Edge secondary tiles](start-secondary-tiles.md) for instructions.
|
>If you include secondary Microsoft Edge tiles (tiles that link to specific websites in Microsoft Edge), see [Add custom images to Microsoft Edge secondary tiles](start-secondary-tiles.md) for instructions.
|
||||||
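Review bot: The sentence appended to the Export-StartLayout paragraph is ambiguous and unpunctuated: "Start layout is located by default at C:\Users\username\AppData\Local\Microsoft\Windows\Shell\" reads as if the exported .xml lands there, whereas `Export-StartLayout` writes to whatever `-Path` you give it. Say what is stored in that folder and why the reader cares, write it as `%LOCALAPPDATA%\Microsoft\Windows\Shell\` rather than a literal `username`, and end the sentence with a period.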
@ -155,6 +155,8 @@ When you have the Start layout that you want your users to see, use the [Export-
|
|||||||
>* If you place executable files or scripts in the \ProgramData\Microsoft\Windows\Start Menu\Programs folder, they will not pin to Start.
|
>* If you place executable files or scripts in the \ProgramData\Microsoft\Windows\Start Menu\Programs folder, they will not pin to Start.
|
||||||
>
|
>
|
||||||
>* Start on Windows 10 does not support subfolders. We only support one folder. For example, \ProgramData\Microsoft\Windows\Start Menu\Programs\Folder. If you go any deeper than one folder, Start will compress the contents of all the subfolder to the top level.
|
>* Start on Windows 10 does not support subfolders. We only support one folder. For example, \ProgramData\Microsoft\Windows\Start Menu\Programs\Folder. If you go any deeper than one folder, Start will compress the contents of all the subfolder to the top level.
|
||||||
|
>
|
||||||
|
>* Three additional shortcuts are pinned to the start menu after the export. These are shortcuts to %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs, %APPDATA%\Microsoft\Windows\Start Menu\Programs, and %APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\.
|
||||||
|
|
||||||
|
|
||||||
## Configure a partial Start layout
|
## Configure a partial Start layout
|
||||||
|
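Review bot: The new bullet "Three additional shortcuts are pinned to the start menu after the export" does not say where or when this happens (in the exported .xml, or on the target device once the layout is applied), nor whether the shortcuts can be removed; state the trigger, and use "Start" to match the rest of the page. The unchanged bullet above it still says "all the subfolder", which should be "all the subfolders".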
@ -74,7 +74,7 @@ You can use Group Policy or an MDM solution like Intune to configure Delivery Op
|
|||||||
You will find the Delivery Optimization settings in Group Policy under **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization**.
|
You will find the Delivery Optimization settings in Group Policy under **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization**.
|
||||||
In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimization/**.
|
In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimization/**.
|
||||||
|
|
||||||
Starting with Windows Intune version 1902, you can set many Delivery Optimization policies as a profile which you can then apply to groups of devices. For more information, see [Delivery Optimization settings in Microsoft Intune](https://docs.microsoft.com/intune/delivery-optimization-windows))
|
Starting with Microsoft Intune version 1902, you can set many Delivery Optimization policies as a profile which you can then apply to groups of devices. For more information, see [Delivery Optimization settings in Microsoft Intune](https://docs.microsoft.com/intune/delivery-optimization-windows))
|
||||||
|
|
||||||
**Starting with Windows 10, version 1903,** you can use the Azure Active Directory (AAD) Tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5.
|
**Starting with Windows 10, version 1903,** you can use the Azure Active Directory (AAD) Tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5.
|
||||||
|
|
||||||
|
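Review bot: The Intune rename is correct, but the same line still ends with a doubled closing parenthesis after the link, `(https://docs.microsoft.com/intune/delivery-optimization-windows))`; remove the extra `)` so the link renders cleanly and give the sentence its period.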
@ -45,7 +45,7 @@ Semi-Annual Channel is the default servicing channel for all Windows 10 devices
|
|||||||
>The LTSB edition of Windows 10 is only available through the [Microsoft Volume Licensing Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx).
|
>The LTSB edition of Windows 10 is only available through the [Microsoft Volume Licensing Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx).
|
||||||
|
|
||||||
>[!NOTE]
|
>[!NOTE]
|
||||||
>Semi-Annual Channel (Targeted) should be used only by the customers that are using [Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb). For those, who don't use Windows Update for Business, Semi-Annual Channel (Targeted) would be the same as Semi-Annual Channel.
|
>Semi-Annual Channel (Targeted) should be used only by the customers that are using [Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb). For those who don't use Windows Update for Business, Semi-Annual Channel (Targeted) would be the same as Semi-Annual Channel.
|
||||||
|
|
||||||
## Assign devices to Semi-Annual Channel
|
## Assign devices to Semi-Annual Channel
|
||||||
|
|
||||||
|
@ -84,11 +84,13 @@ If you have devices that appear in other solutions, but not Device Health (the D
|
|||||||
1. Using the Azure portal, remove the Device Health (appears as DeviceHealthProd on some pages) solution from your Log Analytics workspace. After completing this, add the Device Health solution to you workspace again.
|
1. Using the Azure portal, remove the Device Health (appears as DeviceHealthProd on some pages) solution from your Log Analytics workspace. After completing this, add the Device Health solution to you workspace again.
|
||||||
2. Confirm that the devices are running Windows 10.
|
2. Confirm that the devices are running Windows 10.
|
||||||
3. Verify that the Commercial ID is present in the device's registry. For details see [https://gpsearch.azurewebsites.net/#13551](https://gpsearch.azurewebsites.net/#13551).
|
3. Verify that the Commercial ID is present in the device's registry. For details see [https://gpsearch.azurewebsites.net/#13551](https://gpsearch.azurewebsites.net/#13551).
|
||||||
4. Confirm that devices have opted in to provide diagnostic data by checking in the registry that **AllowTelemetry** is set to 2 (Enhanced) or 3 (Full) in **HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection** (or **HKLM\Software\Policies\Microsoft\Windows\DataCollection**, which takes precedence if set).
|
4. Confirm that devices are opted in to send diagnostic data by checking in the registry that **AllowTelemetry** is set to either 2 (Enhanced) or 3 (Full).
|
||||||
|
- **AllowTelemetry** under **HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection** is the location set by Group Policy or MDM
|
||||||
|
- **AllowTelemetry** under **HKLM\Software\Policies\Microsoft\Windows\DataCollection** is the location set by local tools such as the Settings app.
|
||||||
|
- By convention the Group Policy location would take precedence if both are set. Starting with Windows 10, version 1803, the default precedence is modified to enable a device user to lower the diagnostic data level from that set by IT. For organizations which have no requirement to allow the user to override IT, the conventional (IT wins) behavior can be re-enabled using **DisableTelemetryOptInSettingsUx**. This policy can be set via Group Policy as **Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds\Configure telemetry opt-in setting user interface**.
|
||||||
5. Verify that devices can reach the endpoints specified in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). Also check settings for SSL inspection and proxy authentication; see [Configuring endpoint access with SSL inspection](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started#configuring-endpoint-access-with-ssl-inspection) for more information.
|
5. Verify that devices can reach the endpoints specified in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). Also check settings for SSL inspection and proxy authentication; see [Configuring endpoint access with SSL inspection](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started#configuring-endpoint-access-with-ssl-inspection) for more information.
|
||||||
6. Add the Device Health solution back to your Log Analytics workspace.
|
6. Wait 48 hours for activity to appear in the reports.
|
||||||
7. Wait 48 hours for activity to appear in the reports.
|
7. If you need additional troubleshooting, contact Microsoft Support.
|
||||||
8. If you need additional troubleshooting, contact Microsoft Support.
|
### Device crashes not appearing in Device Health Device Reliability
|
### Device crashes not appearing in Device Health Device Reliability
|
||||||
|
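Review bot: The two registry paths in step 4 look swapped. Group Policy and MDM write AllowTelemetry under HKLM\Software\Policies\Microsoft\Windows\DataCollection (the same Policies key that the DisableEnterpriseAuthProxy bullet in the next hunk uses), while the Settings app writes under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection; please verify against the data collection policy reference before merging, because an admin checking the wrong key will conclude a device is opted in when it is not. The new step 6 ("Add the Device Health solution back to your Log Analytics workspace") also appears without any lead-in saying when the solution was removed; suggest "If you removed the Device Health solution while troubleshooting, add it back to your Log Analytics workspace."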
@ -45,4 +45,10 @@ In order to enable this scenario, you need:
|
|||||||
- Set the reg key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection\DisableEnterpriseAuthProxy to 0. If the value does not exist, create a new DWORD, name it DisableEnterpriseAuthProxy and set the value to 0. The deployment script will check this is configured correctly.
|
- Set the reg key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection\DisableEnterpriseAuthProxy to 0. If the value does not exist, create a new DWORD, name it DisableEnterpriseAuthProxy and set the value to 0. The deployment script will check this is configured correctly.
|
||||||
- Set ClientProxy=User in bat.
|
- Set ClientProxy=User in bat.
|
||||||
|
|
||||||
|
>[!IMPORTANT]
|
||||||
|
> Using **Logged-in user's internet connection** with **DisableEnterpriseAuthProxy = 0** scenario is incompatible with ATP where the required value of that attribute is 1.(Read more here)[https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection]
|
||||||
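Review bot: The link in the new IMPORTANT callout has its markdown inverted, `(Read more here)[https://...]`, so it renders as literal text, and it runs straight into the preceding sentence. Suggest `... the required value of that attribute is 1. [Read more here](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection).` Also spell out ATP on first use (Windows Defender Advanced Threat Protection) and name the key explicitly, so readers see that the conflict is over the same DisableEnterpriseAuthProxy value the bullet above tells them to set to 0.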
@ -15,13 +15,13 @@ ms.topic: article
|
|||||||
|
|
||||||
# Windows Autopilot for white glove deployment
|
# Windows Autopilot for white glove deployment
|
||||||
|
|
||||||
**Applies to: Windows 10, version 1903**
|
**Applies to: Windows 10, version 1903** (preview)
|
||||||
|
|
||||||
Windows Autopilot enables organizations to easily provision new devices - leveraging the preinstalled OEM image and drivers with a simple process that can be performed by the end user to help get their device business-ready.
|
Windows Autopilot enables organizations to easily provision new devices - leveraging the preinstalled OEM image and drivers with a simple process that can be performed by the end user to help get their device business-ready.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
Windows Autopilot can also provide a <I>white glove</I> service that enables partners or IT staff to pre-provision a Windows 10 PC so that it is fully configured and business-ready. From the end user’s perspective, the Windows Autopilot user-driven experience is unchanged, but getting their device to a fully provisioned state is faster.
|
Windows Autopilot can also provide a <I>white glove</I> service that enables partners or IT staff to pre-provision a Windows 10 PC so that it is fully configured and business-ready. From the end user’s perspective, the Windows Autopilot user-driven experience is unchanged, but getting their device to a fully provisioned state is faster.
|
||||||
|
|
||||||
With **Windows Autopilot for white glove deployment**, the provisioning process is split. The time-consuming portions are performed by IT, partners, or OEMs. The end user simply completes a few neceesary settings and polices and then they can begin using their device.
|
With **Windows Autopilot for white glove deployment**, the provisioning process is split. The time-consuming portions are performed by IT, partners, or OEMs. The end user simply completes a few neceesary settings and polices and then they can begin using their device.
|
||||||
|
|
||||||
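Review bot: Two typos in the unchanged context line "The end user simply completes a few neceesary settings and polices" should be fixed while this file is being touched: "necessary settings and policies". The added "(preview)" sits outside the bold and reads as though the OS version is in preview; suggest "**Applies to: Windows 10, version 1903** (feature in preview)" or a separate note line. The `<I>white glove</I>` HTML italics can be plain markdown `*white glove*` to match the rest of the page.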
@ -34,7 +34,7 @@ Enabled with Microsoft Intune in Windows 10, version 1903 and later, white glove
|
|||||||
In addition to [Windows Autopilot requirements](windows-autopilot-requirements.md), Windows Autopilot for white glove deployment adds the following:
|
In addition to [Windows Autopilot requirements](windows-autopilot-requirements.md), Windows Autopilot for white glove deployment adds the following:
|
||||||
|
|
||||||
- Windows 10, version 1903 or later is required.
|
- Windows 10, version 1903 or later is required.
|
||||||
- An Intune subscription with additional flighted features that are not yet available publicly is currently required. Note: This feature will change soon from flighted to preview. Prior to this feature switching to preview status, attempts to perform white glove deployment without t flighted features will fail with an Intune enrollment error.
|
- An Intune subscription.
|
||||||
- Physical devices that support TPM 2.0 and device attestation; virtual machines are not supported. The white glove provisioning process leverages Windows Autopilot self-deploying capabilities, hence the TPM 2.0 requirements.
|
- Physical devices that support TPM 2.0 and device attestation; virtual machines are not supported. The white glove provisioning process leverages Windows Autopilot self-deploying capabilities, hence the TPM 2.0 requirements.
|
||||||
- Physical devices with Ethernet connectivity; Wi-fi connectivity is not supported due to the requirement to choose a language, locale, and keyboard to make that Wi-fi connection; doing that in a pre-provisioning process could prevent the user from choosing their own language, locale, and keyboard when they receive the device.
|
- Physical devices with Ethernet connectivity; Wi-fi connectivity is not supported due to the requirement to choose a language, locale, and keyboard to make that Wi-fi connection; doing that in a pre-provisioning process could prevent the user from choosing their own language, locale, and keyboard when they receive the device.
|
||||||
|
|
||||||
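Review bot: Collapsing the requirement to "An Intune subscription." drops the only statement of what happens on a tenant where the feature is not enabled (previously: the attempt fails with an Intune enrollment error). Since the title hunk now marks the feature as preview, keep one sentence, for example "White glove deployment is currently in preview; on tenants where it is not enabled, the pre-provisioning attempt fails with an Intune enrollment error." In the TPM 2.0 bullet, consider stating that virtual machines are excluded because they cannot satisfy the device attestation that self-deploying mode relies on, which the second sentence only implies.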
@ -49,12 +49,12 @@ If these scenarios cannot be completed, Windows Autopilot for white glove deploy
|
|||||||
|
|
||||||
To enable white glove deployment, an additional Autopilot profile setting must be configured:
|
To enable white glove deployment, an additional Autopilot profile setting must be configured:
|
||||||
|
|
||||||
>[!TIP]
|
|
||||||
>To see the white glove deployment Autopilot profile setting, use this URL to access the Intune portal: https://portal.azure.com/?microsoft_intune_enrollment_enableWhiteGlove=true. This is a temporary requirement.
|
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
The Windows Autopilot for white glove deployment pre-provisioning process will apply all device-targeted policies from Intune. That includes certificates, security templates, settings, apps, and more – anything targeting the device. Additionally, any apps (Win32 or LOB) that are configured to install in the device context and targeted to the user that has been pre-assigned to the Autopilot device will also be installed. **Note**: other user-targeted policies will not apply until the user signs into the device. To verify these behaviors, be sure to create appropriate apps and policies targeted to devices and users.
|
The Windows Autopilot for white glove deployment pre-provisioning process will apply all device-targeted policies from Intune. That includes certificates, security templates, settings, apps, and more – anything targeting the device. Additionally, any apps (Win32 or LOB) that are configured to install in the device context and targeted to the user that has been pre-assigned to the Autopilot device will also be installed.
|
||||||
|
|
||||||
|
>[!NOTE]
|
||||||
|
>Other user-targeted policies will not apply until the user signs into the device. To verify these behaviors, be sure to create appropriate apps and policies targeted to devices and users.
|
||||||
|
|
||||||
## Scenarios
|
## Scenarios
|
||||||
|
|
||||||
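Review bot: Moving the inline **Note** into a `>[!NOTE]` callout leaves "To verify these behaviors" without its antecedent, since the paragraph that described the behaviors is now a separate block; suggest "To verify that device-targeted and user-targeted content apply as described, create test apps and policies targeted to devices and to users." Removing the TIP with the `microsoft_intune_enrollment_enableWhiteGlove=true` portal URL is consistent with dropping the flighted-features requirement in the previous hunk; confirm the profile setting is now visible in the Intune portal without it.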
@ -82,16 +82,16 @@ Regardless of the scenario, the process to be performed by the technician is the
|
|||||||

|

|
||||||
|
|
||||||
- Click **Provision** to begin the provisioning process.
|
- Click **Provision** to begin the provisioning process.
|
||||||
|
|
||||||
If the pre-provisioning process completes successfully:
|
If the pre-provisioning process completes successfully:
|
||||||
- A green status screen will be displayed with information about the device, including the same details presented previously (e.g. Autopilot profile, organization name, assigned user, QR code), as well as the elapsed time for the pre-provisioning steps.
|
- A green status screen will be displayed with information about the device, including the same details presented previously (e.g. Autopilot profile, organization name, assigned user, QR code), as well as the elapsed time for the pre-provisioning steps.
|
||||||
|

|
||||||
- Click **Reseal** to shut the device down. At that point, the device can be shipped to the end user.
|
- Click **Reseal** to shut the device down. At that point, the device can be shipped to the end user.
|
||||||
|
|
||||||
If the pre-provisioning process fails:
|
If the pre-provisioning process fails:
|
||||||
- A red status screen will be displayed with information about the device, including the same details presented previously (e.g. Autopilot profile, organization name, assigned user, QR code), as well as the elapsed time for the pre-provisioning steps.
|
- A red status screen will be displayed with information about the device, including the same details presented previously (e.g. Autopilot profile, organization name, assigned user, QR code), as well as the elapsed time for the pre-provisioning steps.
|
||||||
- Diagnostic logs can be gathered from the device, and then it can be reset to start the process over again.
|
- Diagnostic logs can be gathered from the device, and then it can be reset to start the process over again.
|
||||||
|
|
||||||

|
|
||||||
|
|
||||||
### User flow
|
### User flow
|
||||||
|
|
||||||
If the pre-provisioning process completed successfully and the device was resealed, it can be delivered to the end user to complete the normal Windows Autopilot user-driven process. They will perform a standard set of steps:
|
If the pre-provisioning process completed successfully and the device was resealed, it can be delivered to the end user to complete the normal Windows Autopilot user-driven process. They will perform a standard set of steps:
|
||||||
|
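Review bot: The image references in this hunk all have empty alt text (`![](images/...)`); give each a short description, for example "Green status screen showing the Autopilot profile, organization name, assigned user, QR code and elapsed time", so the status screens are meaningful to screen-reader users and when images fail to load. Also confirm that images/white-glove-3.png is committed on this branch, since the hunk adds that reference and removes the white-glove-4.png one that previously sat below the failure bullets.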
@ -666,7 +666,7 @@ To remove the News app:
|
|||||||
|
|
||||||
-or-
|
-or-
|
||||||
>[!IMPORTANT]
|
>[!IMPORTANT]
|
||||||
> If you have any issues with these commands, do a system reboot and try the scripts again.
|
> If you have any issues with these commands, restart the system and try the scripts again.
|
||||||
>
|
>
|
||||||
- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingNews"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
|
- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingNews"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
|
||||||
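Review bot: The filter in the provisioned-package command, `Where-Object {$_.PackageName -Like "Microsoft.BingNews"}`, has no wildcard, so `-Like` behaves as an exact match, and PackageName on Get-AppxProvisionedPackage output is the full package identity (name, version, architecture, publisher hash), so nothing matches and the command silently removes nothing. Suggest `$_.DisplayName -eq "Microsoft.BingNews"` or `$_.PackageName -Like "Microsoft.BingNews*"`. The command should also move out of bold into a fenced powershell block so `$_` no longer needs the `$\_` escaping. The wording change from "do a system reboot" to "restart the system" is fine.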
@ -70,7 +70,6 @@ sections:
|
|||||||
<tr><td><div id='423msg'></div><b>Unable to access some gov.uk websites</b><br>gov.uk websites that don’t support “HSTS” may not be accessible<br><br><a href = '#423msgdesc'>See details ></a></td><td>OS Build 14393.2969<br><br>May 14, 2019<br><a href ='https://support.microsoft.com/help/4494440' target='_blank'>KB4494440</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4505052' target='_blank'>KB4505052</a></td><td>May 19, 2019 <br>02:00 PM PT</td></tr>
|
<tr><td><div id='423msg'></div><b>Unable to access some gov.uk websites</b><br>gov.uk websites that don’t support “HSTS” may not be accessible<br><br><a href = '#423msgdesc'>See details ></a></td><td>OS Build 14393.2969<br><br>May 14, 2019<br><a href ='https://support.microsoft.com/help/4494440' target='_blank'>KB4494440</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4505052' target='_blank'>KB4505052</a></td><td>May 19, 2019 <br>02:00 PM PT</td></tr>
|
||||||
<tr><td><div id='379msg'></div><b>Layout and cell size of Excel sheets may change when using MS UI Gothic </b><br>When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. <br><br><a href = '#379msgdesc'>See details ></a></td><td>OS Build 14393.2941<br><br>April 25, 2019<br><a href ='https://support.microsoft.com/help/4493473' target='_blank'>KB4493473</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4494440' target='_blank'>KB4494440</a></td><td>May 14, 2019 <br>10:00 AM PT</td></tr>
|
<tr><td><div id='379msg'></div><b>Layout and cell size of Excel sheets may change when using MS UI Gothic </b><br>When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. <br><br><a href = '#379msgdesc'>See details ></a></td><td>OS Build 14393.2941<br><br>April 25, 2019<br><a href ='https://support.microsoft.com/help/4493473' target='_blank'>KB4493473</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4494440' target='_blank'>KB4494440</a></td><td>May 14, 2019 <br>10:00 AM PT</td></tr>
|
||||||
<tr><td><div id='360msg'></div><b>Zone transfers over TCP may fail</b><br>Zone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail.<br><br><a href = '#360msgdesc'>See details ></a></td><td>OS Build 14393.2941<br><br>April 25, 2019<br><a href ='https://support.microsoft.com/help/4493473' target='_blank'>KB4493473</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4494440' target='_blank'>KB4494440</a></td><td>May 14, 2019 <br>10:00 AM PT</td></tr>
|
<tr><td><div id='360msg'></div><b>Zone transfers over TCP may fail</b><br>Zone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail.<br><br><a href = '#360msgdesc'>See details ></a></td><td>OS Build 14393.2941<br><br>April 25, 2019<br><a href ='https://support.microsoft.com/help/4493473' target='_blank'>KB4493473</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4494440' target='_blank'>KB4494440</a></td><td>May 14, 2019 <br>10:00 AM PT</td></tr>
|
||||||
<tr><td><div id='191msg'></div><b>Custom URI schemes may not start corresponding application</b><br>Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.<br><br><a href = '#191msgdesc'>See details ></a></td><td>OS Build 14393.2848<br><br>March 12, 2019<br><a href ='https://support.microsoft.com/help/4489882' target='_blank'>KB4489882</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4493473' target='_blank'>KB4493473</a></td><td>April 25, 2019 <br>02:00 PM PT</td></tr>
|
|
||||||
</table>
|
</table>
|
||||||
"
|
"
|
||||||
|
|
||||||
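Review bot: Dropping the 191msg summary row is only safe together with its '#191msgdesc' details row; the @ -109 hunk below does remove that row, so the 'See details' and 'Back to top' anchors stay paired. While here, the HSTS row description is the one entry without a terminal period and puts "HSTS" in quotes; suggest `gov.uk websites that don't support HTTP Strict Transport Security (HSTS) may not be accessible.`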
@ -109,7 +108,6 @@ sections:
|
|||||||
<table border ='0'><tr><td width='65%'>Details</td><td width='15%'>Originating update</td><td width='10%'>Status</td><td width='10%'>History</td></tr>
|
<table border ='0'><tr><td width='65%'>Details</td><td width='15%'>Originating update</td><td width='10%'>Status</td><td width='10%'>History</td></tr>
|
||||||
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='238msgdesc'></div><b>Issue using PXE to start a device from WDS</b><div>After installing <a href=\"https://support.microsoft.com/help/4489882\" target=\"_blank\">KB4489882</a>, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.</div><div><br></div><div><strong>Affected platforms:</strong></div><ul><li>Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1</li><li>Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012</li></ul><div></div><div><strong>Workaround:</strong> To mitigate the issue, disable the Variable Window Extension on WDS server using one of the following options:</div><div><br></div><div><strong>Option 1:</strong></div><div>Open an Administrator Command prompt and type the following:</div><pre class=\"ql-syntax\" spellcheck=\"false\">Wdsutil /Set-TransportServer /EnableTftpVariableWindowExtension:No
|
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='238msgdesc'></div><b>Issue using PXE to start a device from WDS</b><div>After installing <a href=\"https://support.microsoft.com/help/4489882\" target=\"_blank\">KB4489882</a>, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.</div><div><br></div><div><strong>Affected platforms:</strong></div><ul><li>Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1</li><li>Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012</li></ul><div></div><div><strong>Workaround:</strong> To mitigate the issue, disable the Variable Window Extension on WDS server using one of the following options:</div><div><br></div><div><strong>Option 1:</strong></div><div>Open an Administrator Command prompt and type the following:</div><pre class=\"ql-syntax\" spellcheck=\"false\">Wdsutil /Set-TransportServer /EnableTftpVariableWindowExtension:No
|
||||||
</pre><div><br></div><div><strong>Option 2:</strong></div><div>Use the Windows Deployment Services UI to make the following adjustment:</div><ol><li>Open Windows Deployment Services from Windows Administrative Tools.</li><li>Expand Servers and right-click a WDS server.</li><li>Open its properties and clear the <strong>Enable Variable Window Extension</strong> box on the TFTP tab.</li></ol><div><strong>Option 3:</strong></div><div>Set the following registry value to 0:</div><div>HKLM\\System\\CurrentControlSet\\Services\\WDSServer\\Providers\\WDSTFTP\\EnableVariableWindowExtension</div><div><br></div><div>Restart the WDSServer service after disabling the Variable Window Extension.</div><div><br></div><div><strong>Next steps:</strong> Microsoft is working on a resolution and will provide an update in an upcoming release.</div><br><a href ='#238msg'>Back to top</a></td><td>OS Build 14393.2848<br><br>March 12, 2019<br><a href ='https://support.microsoft.com/help/4489882' target='_blank'>KB4489882</a></td><td>Mitigated<br><a href = '' target='_blank'></a></td><td>Last updated:<br>April 25, 2019 <br>02:00 PM PT<br><br>Opened:<br>March 12, 2019 <br>10:00 AM PT</td></tr>
|
</pre><div><br></div><div><strong>Option 2:</strong></div><div>Use the Windows Deployment Services UI to make the following adjustment:</div><ol><li>Open Windows Deployment Services from Windows Administrative Tools.</li><li>Expand Servers and right-click a WDS server.</li><li>Open its properties and clear the <strong>Enable Variable Window Extension</strong> box on the TFTP tab.</li></ol><div><strong>Option 3:</strong></div><div>Set the following registry value to 0:</div><div>HKLM\\System\\CurrentControlSet\\Services\\WDSServer\\Providers\\WDSTFTP\\EnableVariableWindowExtension</div><div><br></div><div>Restart the WDSServer service after disabling the Variable Window Extension.</div><div><br></div><div><strong>Next steps:</strong> Microsoft is working on a resolution and will provide an update in an upcoming release.</div><br><a href ='#238msg'>Back to top</a></td><td>OS Build 14393.2848<br><br>March 12, 2019<br><a href ='https://support.microsoft.com/help/4489882' target='_blank'>KB4489882</a></td><td>Mitigated<br><a href = '' target='_blank'></a></td><td>Last updated:<br>April 25, 2019 <br>02:00 PM PT<br><br>Opened:<br>March 12, 2019 <br>10:00 AM PT</td></tr>
|
||||||
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='191msgdesc'></div><b>Custom URI schemes may not start corresponding application</b><div>After installing <a href=\"https://support.microsoft.com/help/4489882\" target=\"_blank\">KB4489882</a>, Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites security zones on Internet Explorer.</div><div><br></div><div><strong>Affected platforms: </strong></div><ul><li>Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 </li><li>Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2008 R2 SP1</li></ul><div></div><div><strong>Resolution:</strong> This issue is resolved in <a href=\"https://support.microsoft.com/help/4493473\" target=\"_blank\">KB4493473</a>. </div><br><a href ='#191msg'>Back to top</a></td><td>OS Build 14393.2848<br><br>March 12, 2019<br><a href ='https://support.microsoft.com/help/4489882' target='_blank'>KB4489882</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4493473' target='_blank'>KB4493473</a></td><td>Resolved:<br>April 25, 2019 <br>02:00 PM PT<br><br>Opened:<br>March 12, 2019 <br>10:00 AM PT</td></tr>
|
|
||||||
</table>
|
</table>
|
||||||
"
|
"
|
||||||
|
|
||||||
|
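Review bot: Option 3 in the WDS workaround says "Set the following registry value to 0" without giving the value type; the DisableEnterpriseAuthProxy hunk earlier spells out "create a new DWORD", and the same should be done here (`EnableVariableWindowExtension`, REG_DWORD, 0) so admins do not create a value of the wrong type and then wonder why the service restart changed nothing. The Mitigated status cell carries an empty link, `<a href = '' target='_blank'></a>`, which renders as an empty anchor; drop it until there is a resolving KB to point at.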
@ -63,7 +63,6 @@ sections:
|
|||||||
<tr><td><div id='321msg'></div><b>Certain operations performed on a Cluster Shared Volume may fail</b><br>Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".<br><br><a href = '#321msgdesc'>See details ></a></td><td>OS Build 15063.1563<br><br>January 08, 2019<br><a href ='https://support.microsoft.com/help/4480973' target='_blank'>KB4480973</a></td><td>Mitigated<br><a href = '' target='_blank'></a></td><td>April 25, 2019 <br>02:00 PM PT</td></tr>
|
<tr><td><div id='321msg'></div><b>Certain operations performed on a Cluster Shared Volume may fail</b><br>Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".<br><br><a href = '#321msgdesc'>See details ></a></td><td>OS Build 15063.1563<br><br>January 08, 2019<br><a href ='https://support.microsoft.com/help/4480973' target='_blank'>KB4480973</a></td><td>Mitigated<br><a href = '' target='_blank'></a></td><td>April 25, 2019 <br>02:00 PM PT</td></tr>
|
||||||
<tr><td><div id='423msg'></div><b>Unable to access some gov.uk websites</b><br>gov.uk websites that don’t support “HSTS” may not be accessible<br><br><a href = '#423msgdesc'>See details ></a></td><td>OS Build 15063.1805<br><br>May 14, 2019<br><a href ='https://support.microsoft.com/help/4499181' target='_blank'>KB4499181</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4505055' target='_blank'>KB4505055</a></td><td>May 19, 2019 <br>02:00 PM PT</td></tr>
|
<tr><td><div id='423msg'></div><b>Unable to access some gov.uk websites</b><br>gov.uk websites that don’t support “HSTS” may not be accessible<br><br><a href = '#423msgdesc'>See details ></a></td><td>OS Build 15063.1805<br><br>May 14, 2019<br><a href ='https://support.microsoft.com/help/4499181' target='_blank'>KB4499181</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4505055' target='_blank'>KB4505055</a></td><td>May 19, 2019 <br>02:00 PM PT</td></tr>
|
||||||
<tr><td><div id='379msg'></div><b>Layout and cell size of Excel sheets may change when using MS UI Gothic </b><br>When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. <br><br><a href = '#379msgdesc'>See details ></a></td><td>OS Build 15063.1784<br><br>April 25, 2019<br><a href ='https://support.microsoft.com/help/4493436' target='_blank'>KB4493436</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4499181' target='_blank'>KB4499181</a></td><td>May 14, 2019 <br>10:00 AM PT</td></tr>
|
<tr><td><div id='379msg'></div><b>Layout and cell size of Excel sheets may change when using MS UI Gothic </b><br>When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. <br><br><a href = '#379msgdesc'>See details ></a></td><td>OS Build 15063.1784<br><br>April 25, 2019<br><a href ='https://support.microsoft.com/help/4493436' target='_blank'>KB4493436</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4499181' target='_blank'>KB4499181</a></td><td>May 14, 2019 <br>10:00 AM PT</td></tr>
|
||||||
<tr><td><div id='190msg'></div><b>Custom URI schemes may not start corresponding application</b><br>Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.<br><br><a href = '#190msgdesc'>See details ></a></td><td>OS Build 15063.1689<br><br>March 12, 2019<br><a href ='https://support.microsoft.com/help/4489871' target='_blank'>KB4489871</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4493436' target='_blank'>KB4493436</a></td><td>April 25, 2019 <br>02:00 PM PT</td></tr>
|
|
||||||
</table>
|
</table>
|
||||||
"
|
"
|
||||||
|
|
||||||
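Review bot: Removing the 190msg summary row pairs with the removal of the March 2019 section (190msgdesc) in the @ -84 hunk below, so the anchors stay consistent. The 321msg row (Cluster Shared Volume rename failing with STATUS_BAD_IMPERSONATION_LEVEL) has been "Mitigated" since January with an empty `<a href = ''>` in its Status cell; either link the mitigation text or drop the empty anchor, and consider saying in the summary that the mitigation is described under 'See details'.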
@ -84,15 +83,6 @@ sections:
|
|||||||
</table>
|
</table>
|
||||||
"
|
"
|
||||||
|
|
||||||
- title: March 2019
|
|
||||||
- items:
|
|
||||||
- type: markdown
|
|
||||||
text: "
|
|
||||||
<table border ='0'><tr><td width='65%'>Details</td><td width='15%'>Originating update</td><td width='10%'>Status</td><td width='10%'>History</td></tr>
|
|
||||||
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='190msgdesc'></div><b>Custom URI schemes may not start corresponding application</b><div>After installing <a href=\"https://support.microsoft.com/help/4489871\" target=\"_blank\">KB4489871</a>, custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites security zones on Internet Explorer.</div><div><br></div><div><strong>Affected platforms:</strong></div><ul><li>Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 </li><li>Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2008 R2 SP1</li></ul><div></div><div><strong>Resolution:</strong> This issue is resolved in <a href=\"https://support.microsoft.com/help/4493436\" target=\"_blank\">KB4493436</a>. </div><br><a href ='#190msg'>Back to top</a></td><td>OS Build 15063.1689<br><br>March 12, 2019<br><a href ='https://support.microsoft.com/help/4489871' target='_blank'>KB4489871</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4493436' target='_blank'>KB4493436</a></td><td>Resolved:<br>April 25, 2019 <br>02:00 PM PT<br><br>Opened:<br>March 12, 2019 <br>10:00 AM PT</td></tr>
|
|
||||||
</table>
|
|
||||||
"
|
|
||||||
|
|
||||||
- title: January 2019
|
- title: January 2019
|
||||||
- items:
|
- items:
|
||||||
- type: markdown
|
- type: markdown
|
||||||
|
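Review bot: This hunk deletes the whole March 2019 item (title, items, type, text and its table) rather than just the 190msgdesc row, so the 1703 page loses every March 2019 entry; confirm that is the intent (the issue was resolved April 25, 2019 in KB4493436 and is presumably being aged out) and that no other March issues belonged in that section. Because the `text: "` value is a multi-line YAML string, check that the closing `"` and the `</table>` go with it (they do, at the end of the hunk) and that the indentation of the surviving `- title: January 2019` block is unchanged.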
@ -64,7 +64,6 @@ sections:
|
|||||||
<tr><td><div id='422msg'></div><b>Unable to access some gov.uk websites</b><br>gov.uk websites that don’t support “HSTS” may not be accessible<br><br><a href = '#422msgdesc'>See details ></a></td><td>OS Build 16299.1143<br><br>May 14, 2019<br><a href ='https://support.microsoft.com/help/4498946' target='_blank'>KB4498946</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4505062' target='_blank'>KB4505062</a></td><td>May 19, 2019 <br>02:00 PM PT</td></tr>
|
<tr><td><div id='422msg'></div><b>Unable to access some gov.uk websites</b><br>gov.uk websites that don’t support “HSTS” may not be accessible<br><br><a href = '#422msgdesc'>See details ></a></td><td>OS Build 16299.1143<br><br>May 14, 2019<br><a href ='https://support.microsoft.com/help/4498946' target='_blank'>KB4498946</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4505062' target='_blank'>KB4505062</a></td><td>May 19, 2019 <br>02:00 PM PT</td></tr>
|
||||||
<tr><td><div id='379msg'></div><b>Layout and cell size of Excel sheets may change when using MS UI Gothic </b><br>When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. <br><br><a href = '#379msgdesc'>See details ></a></td><td>OS Build 16299.1127<br><br>April 25, 2019<br><a href ='https://support.microsoft.com/help/4493440' target='_blank'>KB4493440</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4499179' target='_blank'>KB4499179</a></td><td>May 14, 2019 <br>10:00 AM PT</td></tr>
|
<tr><td><div id='379msg'></div><b>Layout and cell size of Excel sheets may change when using MS UI Gothic </b><br>When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. <br><br><a href = '#379msgdesc'>See details ></a></td><td>OS Build 16299.1127<br><br>April 25, 2019<br><a href ='https://support.microsoft.com/help/4493440' target='_blank'>KB4493440</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4499179' target='_blank'>KB4499179</a></td><td>May 14, 2019 <br>10:00 AM PT</td></tr>
|
||||||
<tr><td><div id='361msg'></div><b>Zone transfers over TCP may fail</b><br>Zone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail.<br><br><a href = '#361msgdesc'>See details ></a></td><td>OS Build 16299.1127<br><br>April 25, 2019<br><a href ='https://support.microsoft.com/help/4493440' target='_blank'>KB4493440</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4499179' target='_blank'>KB4499179</a></td><td>May 14, 2019 <br>10:00 AM PT</td></tr>
|
<tr><td><div id='361msg'></div><b>Zone transfers over TCP may fail</b><br>Zone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail.<br><br><a href = '#361msgdesc'>See details ></a></td><td>OS Build 16299.1127<br><br>April 25, 2019<br><a href ='https://support.microsoft.com/help/4493440' target='_blank'>KB4493440</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4499179' target='_blank'>KB4499179</a></td><td>May 14, 2019 <br>10:00 AM PT</td></tr>
|
||||||
<tr><td><div id='347msg'></div><b>Custom URI schemes may not start corresponding application</b><br>Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.<br><br><a href = '#347msgdesc'>See details ></a></td><td>OS Build 16299.1029<br><br>March 12, 2019<br><a href ='https://support.microsoft.com/help/4489886' target='_blank'>KB4489886</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4493440' target='_blank'>KB4493440</a></td><td>April 25, 2019 <br>02:00 PM PT</td></tr>
|
|
||||||
</table>
|
</table>
|
||||||
"
|
"
|
||||||
|
|
||||||
@ -94,15 +93,6 @@ sections:
|
|||||||
</table>
|
</table>
|
||||||
"
|
"
|
||||||
|
|
||||||
- title: March 2019
|
|
||||||
- items:
|
|
||||||
- type: markdown
|
|
||||||
text: "
|
|
||||||
<table border ='0'><tr><td width='65%'>Details</td><td width='15%'>Originating update</td><td width='10%'>Status</td><td width='10%'>History</td></tr>
|
|
||||||
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='347msgdesc'></div><b>Custom URI schemes may not start corresponding application</b><div>After installing <a href=\"https://support.microsoft.com/help/4489886\" target=\"_blank\">KB4489886</a>, custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites security zones on Internet Explorer.</div><div><br></div><div><strong>Affected platforms:</strong></div><ul><li>Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 </li><li>Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2008 R2 SP1</li></ul><div></div><div><strong>Resolution:</strong> This issue is resolved in <a href=\"https://support.microsoft.com/help/4493440\" target=\"_blank\">KB4493440</a>. </div><br><a href ='#347msg'>Back to top</a></td><td>OS Build 16299.1029<br><br>March 12, 2019<br><a href ='https://support.microsoft.com/help/4489886' target='_blank'>KB4489886</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4493440' target='_blank'>KB4493440</a></td><td>Resolved:<br>April 25, 2019 <br>02:00 PM PT<br><br>Opened:<br>March 12, 2019 <br>10:00 AM PT</td></tr>
|
|
||||||
</table>
|
|
||||||
"
|
|
||||||
|
|
||||||
- title: January 2019
|
- title: January 2019
|
||||||
- items:
|
- items:
|
||||||
- type: markdown
|
- type: markdown
|
||||||
|
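Review bot: Removing the whole March 2019 section (title, items and the '347msgdesc' detail row) has to land together with the removal of the '347msg' summary row from the 16299 summary table above, otherwise the summary row's 'See details >' link (`<a href = '#347msgdesc'>`) and the detail row's 'Back to top' link (`<a href ='#347msg'>`) point at missing anchors; this diff does both, so the only remaining check is that no row left in the January 2019 section below still references '#347msgdesc'.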
@ -65,7 +65,6 @@ sections:
|
|||||||
<tr><td><div id='422msg'></div><b>Unable to access some gov.uk websites</b><br>gov.uk websites that don’t support “HSTS” may not be accessible<br><br><a href = '#422msgdesc'>See details ></a></td><td>OS Build 17134.765<br><br>May 14, 2019<br><a href ='https://support.microsoft.com/help/4499167' target='_blank'>KB4499167</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4505064' target='_blank'>KB4505064</a></td><td>May 19, 2019 <br>02:00 PM PT</td></tr>
|
<tr><td><div id='422msg'></div><b>Unable to access some gov.uk websites</b><br>gov.uk websites that don’t support “HSTS” may not be accessible<br><br><a href = '#422msgdesc'>See details ></a></td><td>OS Build 17134.765<br><br>May 14, 2019<br><a href ='https://support.microsoft.com/help/4499167' target='_blank'>KB4499167</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4505064' target='_blank'>KB4505064</a></td><td>May 19, 2019 <br>02:00 PM PT</td></tr>
|
||||||
<tr><td><div id='379msg'></div><b>Layout and cell size of Excel sheets may change when using MS UI Gothic </b><br>When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. <br><br><a href = '#379msgdesc'>See details ></a></td><td>OS Build 17134.753<br><br>April 25, 2019<br><a href ='https://support.microsoft.com/help/4493437' target='_blank'>KB4493437</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4499167' target='_blank'>KB4499167</a></td><td>May 14, 2019 <br>10:00 AM PT</td></tr>
|
<tr><td><div id='379msg'></div><b>Layout and cell size of Excel sheets may change when using MS UI Gothic </b><br>When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. <br><br><a href = '#379msgdesc'>See details ></a></td><td>OS Build 17134.753<br><br>April 25, 2019<br><a href ='https://support.microsoft.com/help/4493437' target='_blank'>KB4493437</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4499167' target='_blank'>KB4499167</a></td><td>May 14, 2019 <br>10:00 AM PT</td></tr>
|
||||||
<tr><td><div id='362msg'></div><b>Zone transfers over TCP may fail</b><br>Zone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail.<br><br><a href = '#362msgdesc'>See details ></a></td><td>OS Build 17134.753<br><br>April 25, 2019<br><a href ='https://support.microsoft.com/help/4493437' target='_blank'>KB4493437</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4499167' target='_blank'>KB4499167</a></td><td>May 14, 2019 <br>10:00 AM PT</td></tr>
|
<tr><td><div id='362msg'></div><b>Zone transfers over TCP may fail</b><br>Zone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail.<br><br><a href = '#362msgdesc'>See details ></a></td><td>OS Build 17134.753<br><br>April 25, 2019<br><a href ='https://support.microsoft.com/help/4493437' target='_blank'>KB4493437</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4499167' target='_blank'>KB4499167</a></td><td>May 14, 2019 <br>10:00 AM PT</td></tr>
|
||||||
<tr><td><div id='188msg'></div><b>Custom URI schemes may not start corresponding application</b><br>Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.<br><br><a href = '#188msgdesc'>See details ></a></td><td>OS Build 17134.648<br><br>March 12, 2019<br><a href ='https://support.microsoft.com/help/4489868' target='_blank'>KB4489868</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4493437' target='_blank'>KB4493437</a></td><td>April 25, 2019 <br>02:00 PM PT</td></tr>
|
|
||||||
</table>
|
</table>
|
||||||
"
|
"
|
||||||
|
|
||||||
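Review bot: Dropping the '188msg' summary row here leaves its 'See details >' target `<a href = '#188msgdesc'>` without a source row until the matching detail row in the 17134 details table is removed as well; the following hunk does remove '188msgdesc', so keep both hunks in the same commit rather than splitting them, or the 'Back to top' link in the detail row would briefly point at a missing anchor. The three rows above it ('422msg', '379msg', '362msg') are unchanged context and still match their detail anchors.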
@ -102,7 +101,6 @@ sections:
|
|||||||
<table border ='0'><tr><td width='65%'>Details</td><td width='15%'>Originating update</td><td width='10%'>Status</td><td width='10%'>History</td></tr>
|
<table border ='0'><tr><td width='65%'>Details</td><td width='15%'>Originating update</td><td width='10%'>Status</td><td width='10%'>History</td></tr>
|
||||||
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='237msgdesc'></div><b>Issue using PXE to start a device from WDS</b><div>After installing <a href=\"https://support.microsoft.com/help/4489868\" target=\"_blank\">KB4489868</a>, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension. </div><div><br></div><div><strong>Affected platforms:</strong></div><ul><li>Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1</li><li>Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012</li></ul><div></div><div><strong>Workaround:</strong> To mitigate the issue, disable the Variable Window Extension on WDS server using one of the following options:</div><div><br></div><div><strong>Option 1:</strong> </div><div>Open an Administrator Command prompt and type the following: </div><pre class=\"ql-syntax\" spellcheck=\"false\">Wdsutil /Set-TransportServer /EnableTftpVariableWindowExtension:No
|
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='237msgdesc'></div><b>Issue using PXE to start a device from WDS</b><div>After installing <a href=\"https://support.microsoft.com/help/4489868\" target=\"_blank\">KB4489868</a>, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension. </div><div><br></div><div><strong>Affected platforms:</strong></div><ul><li>Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1</li><li>Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012</li></ul><div></div><div><strong>Workaround:</strong> To mitigate the issue, disable the Variable Window Extension on WDS server using one of the following options:</div><div><br></div><div><strong>Option 1:</strong> </div><div>Open an Administrator Command prompt and type the following: </div><pre class=\"ql-syntax\" spellcheck=\"false\">Wdsutil /Set-TransportServer /EnableTftpVariableWindowExtension:No
|
||||||
</pre><div><br></div><div> <strong>Option 2:</strong> </div><div>Use the Windows Deployment Services UI to make the following adjustment: </div><ol><li>Open Windows Deployment Services from Windows Administrative Tools. </li><li>Expand Servers and right-click a WDS server. </li><li>Open its properties and clear the <strong>Enable Variable Window Extension </strong>box on the TFTP tab. </li></ol><div><strong>Option 3:</strong> </div><div>Set the following registry value to 0:</div><div>HKLM\\System\\CurrentControlSet\\Services\\WDSServer\\Providers\\WDSTFTP\\EnableVariableWindowExtension </div><div><br></div><div>Restart the WDSServer service after disabling the Variable Window Extension. </div><div> </div><div><strong>Next steps:</strong> Microsoft is working on a resolution and will provide an update in an upcoming release. </div><br><a href ='#237msg'>Back to top</a></td><td>OS Build 17134.648<br><br>March 12, 2019<br><a href ='https://support.microsoft.com/help/4489868' target='_blank'>KB4489868</a></td><td>Mitigated<br><a href = '' target='_blank'></a></td><td>Last updated:<br>April 25, 2019 <br>02:00 PM PT<br><br>Opened:<br>March 12, 2019 <br>10:00 AM PT</td></tr>
|
</pre><div><br></div><div> <strong>Option 2:</strong> </div><div>Use the Windows Deployment Services UI to make the following adjustment: </div><ol><li>Open Windows Deployment Services from Windows Administrative Tools. </li><li>Expand Servers and right-click a WDS server. </li><li>Open its properties and clear the <strong>Enable Variable Window Extension </strong>box on the TFTP tab. </li></ol><div><strong>Option 3:</strong> </div><div>Set the following registry value to 0:</div><div>HKLM\\System\\CurrentControlSet\\Services\\WDSServer\\Providers\\WDSTFTP\\EnableVariableWindowExtension </div><div><br></div><div>Restart the WDSServer service after disabling the Variable Window Extension. </div><div> </div><div><strong>Next steps:</strong> Microsoft is working on a resolution and will provide an update in an upcoming release. </div><br><a href ='#237msg'>Back to top</a></td><td>OS Build 17134.648<br><br>March 12, 2019<br><a href ='https://support.microsoft.com/help/4489868' target='_blank'>KB4489868</a></td><td>Mitigated<br><a href = '' target='_blank'></a></td><td>Last updated:<br>April 25, 2019 <br>02:00 PM PT<br><br>Opened:<br>March 12, 2019 <br>10:00 AM PT</td></tr>
|
||||||
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='188msgdesc'></div><b>Custom URI schemes may not start corresponding application</b><div>After installing <a href=\"https://support.microsoft.com/help/4489868\" target=\"_blank\">KB4489868</a>, custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites security zones on Internet Explorer. </div><div><br></div><div><strong>Affected platforms:</strong></div><ul><li>Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 </li><li>Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2008 R2 SP1</li></ul><div></div><div><strong>Resolution:</strong> This issue is resolved in <a href=\"https://support.microsoft.com/help/4493437\" target=\"_blank\">KB4493437</a>. </div><br><a href ='#188msg'>Back to top</a></td><td>OS Build 17134.648<br><br>March 12, 2019<br><a href ='https://support.microsoft.com/help/4489868' target='_blank'>KB4489868</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4493437' target='_blank'>KB4493437</a></td><td>Resolved:<br>April 25, 2019 <br>02:00 PM PT<br><br>Opened:<br>March 12, 2019 <br>10:00 AM PT</td></tr>
|
|
||||||
</table>
|
</table>
|
||||||
"
|
"
|
||||||
|
|
||||||
|
@ -65,8 +65,8 @@ sections:
|
|||||||
- type: markdown
|
- type: markdown
|
||||||
text: "<div>This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.</div><br>
|
text: "<div>This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.</div><br>
|
||||||
<table border ='0'><tr><td width='65%'>Summary</td><td width='15%'>Originating update</td><td width='10%'>Status</td><td width='10%'>Last updated</td></tr>
|
<table border ='0'><tr><td width='65%'>Summary</td><td width='15%'>Originating update</td><td width='10%'>Status</td><td width='10%'>Last updated</td></tr>
|
||||||
<tr><td><div id='456msg'></div><b>Windows Sandbox may fail to start with error code “0x80070002”</b><br>Windows Sandbox may fail to start with \"ERROR_FILE_NOT_FOUND (0x80070002)\" on devices in which the operating system language was changed between updates<br><br><a href = '#456msgdesc'>See details ></a></td><td>OS Build 18362.113<br><br>May 14, 2019<br><a href ='https://support.microsoft.com/help/4497936' target='_blank'>KB4497936</a></td><td>Acknowledged<br><a href = '' target='_blank'></a></td><td>May 24, 2019 <br>04:20 PM PT</td></tr>
|
<tr><td><div id='456msg'></div><b>Windows Sandbox may fail to start with error code “0x80070002”</b><br>Windows Sandbox may fail to start with \"ERROR_FILE_NOT_FOUND (0x80070002)\" on devices in which the operating system language was changed between updates<br><br><a href = '#456msgdesc'>See details ></a></td><td>OS Build 18362.116<br><br>May 20, 2019<br><a href ='https://support.microsoft.com/help/4505057' target='_blank'>KB4505057</a></td><td>Acknowledged<br><a href = '' target='_blank'></a></td><td>May 24, 2019 <br>04:20 PM PT</td></tr>
|
||||||
<tr><td><div id='455msg'></div><b>Loss of functionality in Dynabook Smartphone Link app</b><br>After updating to Windows 10, version 1903, you may experience a loss of functionality when using the Dynabook Smartphone Link application.<br><br><a href = '#455msgdesc'>See details ></a></td><td>OS Build 18362.113<br><br>May 14, 2019<br><a href ='https://support.microsoft.com/help/4497936' target='_blank'>KB4497936</a></td><td>Investigating<br><a href = '' target='_blank'></a></td><td>May 24, 2019 <br>03:10 PM PT</td></tr>
|
<tr><td><div id='455msg'></div><b>Loss of functionality in Dynabook Smartphone Link app</b><br>After updating to Windows 10, version 1903, you may experience a loss of functionality when using the Dynabook Smartphone Link application.<br><br><a href = '#455msgdesc'>See details ></a></td><td>OS Build 18362.116<br><br>May 20, 2019<br><a href ='https://support.microsoft.com/help/4505057' target='_blank'>KB4505057</a></td><td>Investigating<br><a href = '' target='_blank'></a></td><td>May 24, 2019 <br>03:10 PM PT</td></tr>
|
||||||
<tr><td><div id='448msg'></div><b>Display brightness may not respond to adjustments</b><br>Microsoft and Intel have identified a driver compatibility issue on devices configured with certain Intel display drivers.<br><br><a href = '#448msgdesc'>See details ></a></td><td>OS Build 18362.116<br><br>May 21, 2019<br><a href ='https://support.microsoft.com/help/4505057' target='_blank'>KB4505057</a></td><td>Investigating<br><a href = '' target='_blank'></a></td><td>May 21, 2019 <br>04:47 PM PT</td></tr>
|
<tr><td><div id='448msg'></div><b>Display brightness may not respond to adjustments</b><br>Microsoft and Intel have identified a driver compatibility issue on devices configured with certain Intel display drivers.<br><br><a href = '#448msgdesc'>See details ></a></td><td>OS Build 18362.116<br><br>May 21, 2019<br><a href ='https://support.microsoft.com/help/4505057' target='_blank'>KB4505057</a></td><td>Investigating<br><a href = '' target='_blank'></a></td><td>May 21, 2019 <br>04:47 PM PT</td></tr>
|
||||||
<tr><td><div id='433msg'></div><b>Audio not working with Dolby Atmos headphones and home theater </b><br>Users may experience audio loss with Dolby Atmos headphones or Dolby Atmos home theater.<br><br><a href = '#433msgdesc'>See details ></a></td><td>OS Build 18362.116<br><br>May 21, 2019<br><a href ='https://support.microsoft.com/help/4505057' target='_blank'>KB4505057</a></td><td>Investigating<br><a href = '' target='_blank'></a></td><td>May 21, 2019 <br>07:17 AM PT</td></tr>
|
<tr><td><div id='433msg'></div><b>Audio not working with Dolby Atmos headphones and home theater </b><br>Users may experience audio loss with Dolby Atmos headphones or Dolby Atmos home theater.<br><br><a href = '#433msgdesc'>See details ></a></td><td>OS Build 18362.116<br><br>May 21, 2019<br><a href ='https://support.microsoft.com/help/4505057' target='_blank'>KB4505057</a></td><td>Investigating<br><a href = '' target='_blank'></a></td><td>May 21, 2019 <br>07:17 AM PT</td></tr>
|
||||||
<tr><td><div id='426msg'></div><b>Duplicate folders and documents showing in user profile directory</b><br>If known folders (e.g. Desktop, Documents, or Pictures folders) are redirected, an empty folder with that same name may be created.<br><br><a href = '#426msgdesc'>See details ></a></td><td>OS Build 18362.116<br><br>May 21, 2019<br><a href ='https://support.microsoft.com/help/4505057' target='_blank'>KB4505057</a></td><td>Investigating<br><a href = '' target='_blank'></a></td><td>May 21, 2019 <br>07:16 AM PT</td></tr>
|
<tr><td><div id='426msg'></div><b>Duplicate folders and documents showing in user profile directory</b><br>If known folders (e.g. Desktop, Documents, or Pictures folders) are redirected, an empty folder with that same name may be created.<br><br><a href = '#426msgdesc'>See details ></a></td><td>OS Build 18362.116<br><br>May 21, 2019<br><a href ='https://support.microsoft.com/help/4505057' target='_blank'>KB4505057</a></td><td>Investigating<br><a href = '' target='_blank'></a></td><td>May 21, 2019 <br>07:16 AM PT</td></tr>
|
||||||
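Review bot: The originating update for '456msg' and '455msg' is changed from OS Build 18362.113 / KB4497936 (May 14, 2019) to OS Build 18362.116 / KB4505057 dated May 20, 2019, but the unchanged '448msg', '433msg' and '426msg' rows in the same table date the same build and KB as May 21, 2019; pick one release date for KB4505057 so the Originating update column is self-consistent. The 'Last updated' stamps for the two edited rows (May 24, 2019 04:20 PM PT and 03:10 PM PT) are left untouched even though their attribution changed; consider bumping them if readers rely on that column to spot revised entries.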
@ -94,8 +94,8 @@ sections:
|
|||||||
- type: markdown
|
- type: markdown
|
||||||
text: "
|
text: "
|
||||||
<table border ='0'><tr><td width='65%'>Details</td><td width='15%'>Originating update</td><td width='10%'>Status</td><td width='10%'>History</td></tr>
|
<table border ='0'><tr><td width='65%'>Details</td><td width='15%'>Originating update</td><td width='10%'>Status</td><td width='10%'>History</td></tr>
|
||||||
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='456msgdesc'></div><b>Windows Sandbox may fail to start with error code “0x80070002”</b><div>Windows Sandbox may fail to start with \"ERROR_FILE_NOT_FOUND (0x80070002)\" on devices in which the operating system language is changed during the update process when installing Windows 10, version 1903.</div><div><br></div><div><strong>Affected platforms:</strong></div><ul><li>Client: Windows 10, version 1903</li></ul><div></div><div><strong>Next steps: </strong>We are working on a resolution and estimate a solution will be available in late June.</div><br><a href ='#456msg'>Back to top</a></td><td>OS Build 18362.113<br><br>May 14, 2019<br><a href ='https://support.microsoft.com/help/4497936' target='_blank'>KB4497936</a></td><td>Acknowledged<br><a href = '' target='_blank'></a></td><td>Last updated:<br>May 24, 2019 <br>04:20 PM PT<br><br>Opened:<br>May 24, 2019 <br>04:20 PM PT</td></tr>
|
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='456msgdesc'></div><b>Windows Sandbox may fail to start with error code “0x80070002”</b><div>Windows Sandbox may fail to start with \"ERROR_FILE_NOT_FOUND (0x80070002)\" on devices in which the operating system language is changed during the update process when installing Windows 10, version 1903.</div><div><br></div><div><strong>Affected platforms:</strong></div><ul><li>Client: Windows 10, version 1903</li></ul><div></div><div><strong>Next steps: </strong>We are working on a resolution and estimate a solution will be available in late June.</div><br><a href ='#456msg'>Back to top</a></td><td>OS Build 18362.116<br><br>May 20, 2019<br><a href ='https://support.microsoft.com/help/4505057' target='_blank'>KB4505057</a></td><td>Acknowledged<br><a href = '' target='_blank'></a></td><td>Last updated:<br>May 24, 2019 <br>04:20 PM PT<br><br>Opened:<br>May 24, 2019 <br>04:20 PM PT</td></tr>
|
||||||
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='455msgdesc'></div><b>Loss of functionality in Dynabook Smartphone Link app</b><div>Some users may experience a loss of functionality after updating to Windows 10, version 1903 when using the Dynabook Smartphone Link application on Windows devices. Loss of functionality may affect the display of phone numbers in the Call menu and the ability to answer phone calls on the Windows PC.</div><div><br></div><div>To safeguard your update experience, we have applied a compatibility hold on devices with Dynabook Smartphone Link from being offered Windows 10, version 1903, until this issue is resolved.</div><div><br></div><div><strong>Affected platforms:</strong></div><ul><li>Client: Windows 10, version 1903</li></ul><div></div><div><strong>Next steps: </strong>Microsoft and Dynabook are working on a resolution; the Dynabook Smartphone Link application may have a loss of functionality until this issue is resolved.</div><div><br></div><div><strong>Note </strong>We recommend that you do not attempt to manually update using the <strong>Update now</strong> button or the Media Creation Tool until this issue has been resolved.</div><br><a href ='#455msg'>Back to top</a></td><td>OS Build 18362.113<br><br>May 14, 2019<br><a href ='https://support.microsoft.com/help/4497936' target='_blank'>KB4497936</a></td><td>Investigating<br><a href = '' target='_blank'></a></td><td>Last updated:<br>May 24, 2019 <br>03:10 PM PT<br><br>Opened:<br>May 24, 2019 <br>03:10 PM PT</td></tr>
|
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='455msgdesc'></div><b>Loss of functionality in Dynabook Smartphone Link app</b><div>Some users may experience a loss of functionality after updating to Windows 10, version 1903 when using the Dynabook Smartphone Link application on Windows devices. Loss of functionality may affect the display of phone numbers in the Call menu and the ability to answer phone calls on the Windows PC.</div><div><br></div><div>To safeguard your update experience, we have applied a compatibility hold on devices with Dynabook Smartphone Link from being offered Windows 10, version 1903, until this issue is resolved.</div><div><br></div><div><strong>Affected platforms:</strong></div><ul><li>Client: Windows 10, version 1903</li></ul><div></div><div><strong>Next steps: </strong>Microsoft and Dynabook are working on a resolution; the Dynabook Smartphone Link application may have a loss of functionality until this issue is resolved.</div><div><br></div><div><strong>Note </strong>We recommend that you do not attempt to manually update using the <strong>Update now</strong> button or the Media Creation Tool until this issue has been resolved.</div><br><a href ='#455msg'>Back to top</a></td><td>OS Build 18362.116<br><br>May 20, 2019<br><a href ='https://support.microsoft.com/help/4505057' target='_blank'>KB4505057</a></td><td>Investigating<br><a href = '' target='_blank'></a></td><td>Last updated:<br>May 24, 2019 <br>03:10 PM PT<br><br>Opened:<br>May 24, 2019 <br>03:10 PM PT</td></tr>
|
||||||
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='448msgdesc'></div><b>Display brightness may not respond to adjustments</b><div>Microsoft and Intel have identified a driver compatibility issue on devices configured with certain Intel display drivers. After updating to Window 10, version 1903, brightness settings may sometime appear as if changes applied took effect, yet the actual display brightness doesn't change.</div><div><br></div><div>To safeguard your update experience, we have applied a compatibility hold on devices with certain Intel drivers from being offered Windows 10, version 1903, until this issue is resolved.</div><div><br></div><div><strong>Affected platforms:</strong></div><ul><li>Client: Windows 10, version 1903</li></ul><div></div><div><strong>Workaround: </strong>Restart your device to apply changes to brightness.</div><div><br></div><div><strong>Note</strong> We recommend that you do not attempt to manually update using the <strong>Update now</strong> button or the Media Creation Tool until this issue has been resolved.</div><div><br></div><div><strong>Next steps: </strong>We are working on a resolution that will be made available in upcoming release.</div><br><a href ='#448msg'>Back to top</a></td><td>OS Build 18362.116<br><br>May 21, 2019<br><a href ='https://support.microsoft.com/help/4505057' target='_blank'>KB4505057</a></td><td>Investigating<br><a href = '' target='_blank'></a></td><td>Last updated:<br>May 21, 2019 <br>04:47 PM PT<br><br>Opened:<br>May 21, 2019 <br>07:56 AM PT</td></tr>
|
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='448msgdesc'></div><b>Display brightness may not respond to adjustments</b><div>Microsoft and Intel have identified a driver compatibility issue on devices configured with certain Intel display drivers. After updating to Window 10, version 1903, brightness settings may sometime appear as if changes applied took effect, yet the actual display brightness doesn't change.</div><div><br></div><div>To safeguard your update experience, we have applied a compatibility hold on devices with certain Intel drivers from being offered Windows 10, version 1903, until this issue is resolved.</div><div><br></div><div><strong>Affected platforms:</strong></div><ul><li>Client: Windows 10, version 1903</li></ul><div></div><div><strong>Workaround: </strong>Restart your device to apply changes to brightness.</div><div><br></div><div><strong>Note</strong> We recommend that you do not attempt to manually update using the <strong>Update now</strong> button or the Media Creation Tool until this issue has been resolved.</div><div><br></div><div><strong>Next steps: </strong>We are working on a resolution that will be made available in upcoming release.</div><br><a href ='#448msg'>Back to top</a></td><td>OS Build 18362.116<br><br>May 21, 2019<br><a href ='https://support.microsoft.com/help/4505057' target='_blank'>KB4505057</a></td><td>Investigating<br><a href = '' target='_blank'></a></td><td>Last updated:<br>May 21, 2019 <br>04:47 PM PT<br><br>Opened:<br>May 21, 2019 <br>07:56 AM PT</td></tr>
|
||||||
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='433msgdesc'></div><b>Audio not working with Dolby Atmos headphones and home theater </b><div>After updating to Windows 10, version 1903, you may experience loss of audio with Dolby Atmos for home theater (free extension) or Dolby Atmos for headphones (paid extension) acquired through the Microsoft Store due to a licensing configuration error.</div><div> </div><div>This occurs due to an issue with a Microsoft Store licensing component, where license holders are not able to connect to the Dolby Access app and enable Dolby Atmos extensions.</div><div> </div><div>To safeguard your update experience, we have applied protective hold on devices from being offered Windows 10, version 1903 until this issue is resolved. This configuration error will not result in loss of access for the acquired license once the problem is resolved.</div><div><br></div><div><strong>Affected platforms:</strong></div><ul><li>Client: Windows 10, version 1903</li></ul><div></div><div><strong>Next steps: </strong>We are working on a resolution for Microsoft Store and estimate a solution will be available in mid-June.</div><div><strong>Note</strong> We recommend you do not attempt to manually update using the <strong>Update now</strong> button or the Media Creation Tool until this issue has been resolved. </div><br><a href ='#433msg'>Back to top</a></td><td>OS Build 18362.116<br><br>May 21, 2019<br><a href ='https://support.microsoft.com/help/4505057' target='_blank'>KB4505057</a></td><td>Investigating<br><a href = '' target='_blank'></a></td><td>Last updated:<br>May 21, 2019 <br>07:17 AM PT<br><br>Opened:<br>May 21, 2019 <br>07:16 AM PT</td></tr>
|
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='433msgdesc'></div><b>Audio not working with Dolby Atmos headphones and home theater </b><div>After updating to Windows 10, version 1903, you may experience loss of audio with Dolby Atmos for home theater (free extension) or Dolby Atmos for headphones (paid extension) acquired through the Microsoft Store due to a licensing configuration error.</div><div> </div><div>This occurs due to an issue with a Microsoft Store licensing component, where license holders are not able to connect to the Dolby Access app and enable Dolby Atmos extensions.</div><div> </div><div>To safeguard your update experience, we have applied protective hold on devices from being offered Windows 10, version 1903 until this issue is resolved. This configuration error will not result in loss of access for the acquired license once the problem is resolved.</div><div><br></div><div><strong>Affected platforms:</strong></div><ul><li>Client: Windows 10, version 1903</li></ul><div></div><div><strong>Next steps: </strong>We are working on a resolution for Microsoft Store and estimate a solution will be available in mid-June.</div><div><strong>Note</strong> We recommend you do not attempt to manually update using the <strong>Update now</strong> button or the Media Creation Tool until this issue has been resolved. </div><br><a href ='#433msg'>Back to top</a></td><td>OS Build 18362.116<br><br>May 21, 2019<br><a href ='https://support.microsoft.com/help/4505057' target='_blank'>KB4505057</a></td><td>Investigating<br><a href = '' target='_blank'></a></td><td>Last updated:<br>May 21, 2019 <br>07:17 AM PT<br><br>Opened:<br>May 21, 2019 <br>07:16 AM PT</td></tr>
|
||||||
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='426msgdesc'></div><b>Duplicate folders and documents showing in user profile directory</b><div>If you have redirected known folders (e.g. Desktop, Documents, or Pictures folders) you may see an empty folder with the same name in your %userprofile% directories after updating to Windows 10, version 1903. This may occur if known folders were redirected when you chose to back up your content to OneDrive using the OneDrive wizard, or if you chose to back up your content during the Windows Out-of-Box-Experience (OOBE). This may also occur if you redirected your known folders manually through the Properties dialog box in File Explorer. This issue does not cause any user files to be deleted and a solution is in progress.</div><div><br></div><div>To safeguard your update experience, we have applied a quality hold on devices with redirected known folders from being offered Windows 10, version 1903, until this issue is resolved.</div><div><br></div><div><strong>Affected platforms:</strong></div><ul><li>Client: Windows 10, version 1903</li></ul><div></div><div><strong>Next steps: </strong>Microsoft is working on a resolution and estimates a solution will be available in late May.</div><div><strong>Note </strong>We recommend that you do not attempt to manually update to Windows 10, version 1903 using the <strong>Update now</strong> button or the Media Creation Tool until this issue has been resolved.</div><br><a href ='#426msg'>Back to top</a></td><td>OS Build 18362.116<br><br>May 21, 2019<br><a href ='https://support.microsoft.com/help/4505057' target='_blank'>KB4505057</a></td><td>Investigating<br><a href = '' target='_blank'></a></td><td>Last updated:<br>May 21, 2019 <br>07:16 AM PT<br><br>Opened:<br>May 21, 2019 <br>07:16 AM PT</td></tr>
|
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='426msgdesc'></div><b>Duplicate folders and documents showing in user profile directory</b><div>If you have redirected known folders (e.g. Desktop, Documents, or Pictures folders) you may see an empty folder with the same name in your %userprofile% directories after updating to Windows 10, version 1903. This may occur if known folders were redirected when you chose to back up your content to OneDrive using the OneDrive wizard, or if you chose to back up your content during the Windows Out-of-Box-Experience (OOBE). This may also occur if you redirected your known folders manually through the Properties dialog box in File Explorer. This issue does not cause any user files to be deleted and a solution is in progress.</div><div><br></div><div>To safeguard your update experience, we have applied a quality hold on devices with redirected known folders from being offered Windows 10, version 1903, until this issue is resolved.</div><div><br></div><div><strong>Affected platforms:</strong></div><ul><li>Client: Windows 10, version 1903</li></ul><div></div><div><strong>Next steps: </strong>Microsoft is working on a resolution and estimates a solution will be available in late May.</div><div><strong>Note </strong>We recommend that you do not attempt to manually update to Windows 10, version 1903 using the <strong>Update now</strong> button or the Media Creation Tool until this issue has been resolved.</div><br><a href ='#426msg'>Back to top</a></td><td>OS Build 18362.116<br><br>May 21, 2019<br><a href ='https://support.microsoft.com/help/4505057' target='_blank'>KB4505057</a></td><td>Investigating<br><a href = '' target='_blank'></a></td><td>Last updated:<br>May 21, 2019 <br>07:16 AM PT<br><br>Opened:<br>May 21, 2019 <br>07:16 AM PT</td></tr>
|
||||||
|
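Review bot: the status cell of both rows in this hunk carries an empty anchor, `<a href = '' target='_blank'></a>`, which renders as a link with no text and no target; drop the element when there is no KB to link and only emit it in the populated form used elsewhere in the file (`<a href = 'https://support.microsoft.com/help/4499164' target='_blank'>KB4499164</a>`). While here, the two rows mix `href ='#433msg'` and `href = '#426msg'` spacing and use "protective hold" in one row and "quality hold" in the other for the same safeguard; pick one spelling of each.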
@ -66,7 +66,6 @@ sections:
|
|||||||
<tr><td><div id='370msg'></div><b>System unresponsive after restart if Sophos Endpoint Protection installed</b><br>Devices with Sophos Endpoint Protection installed and managed by Sophos Central or Sophos Enterprise Console (SEC) may become unresponsive upon restart.<br><br><a href = '#370msgdesc'>See details ></a></td><td>April 09, 2019<br><a href ='https://support.microsoft.com/help/4493472' target='_blank'>KB4493472</a></td><td>Resolved<br><a href = '' target='_blank'></a></td><td>May 14, 2019 <br>01:22 PM PT</td></tr>
|
<tr><td><div id='370msg'></div><b>System unresponsive after restart if Sophos Endpoint Protection installed</b><br>Devices with Sophos Endpoint Protection installed and managed by Sophos Central or Sophos Enterprise Console (SEC) may become unresponsive upon restart.<br><br><a href = '#370msgdesc'>See details ></a></td><td>April 09, 2019<br><a href ='https://support.microsoft.com/help/4493472' target='_blank'>KB4493472</a></td><td>Resolved<br><a href = '' target='_blank'></a></td><td>May 14, 2019 <br>01:22 PM PT</td></tr>
|
||||||
<tr><td><div id='366msg'></div><b>System may be unresponsive after restart if Avira antivirus software installed</b><br>Devices with Avira antivirus software installed may become unresponsive upon restart.<br><br><a href = '#366msgdesc'>See details ></a></td><td>April 09, 2019<br><a href ='https://support.microsoft.com/help/4493472' target='_blank'>KB4493472</a></td><td>Resolved<br><a href = '' target='_blank'></a></td><td>May 14, 2019 <br>01:21 PM PT</td></tr>
|
<tr><td><div id='366msg'></div><b>System may be unresponsive after restart if Avira antivirus software installed</b><br>Devices with Avira antivirus software installed may become unresponsive upon restart.<br><br><a href = '#366msgdesc'>See details ></a></td><td>April 09, 2019<br><a href ='https://support.microsoft.com/help/4493472' target='_blank'>KB4493472</a></td><td>Resolved<br><a href = '' target='_blank'></a></td><td>May 14, 2019 <br>01:21 PM PT</td></tr>
|
||||||
<tr><td><div id='357msg'></div><b>Authentication may fail for services after the Kerberos ticket expires</b><br>Authentication may fail for services that require unconstrained delegation after the Kerberos ticket expires.<br><br><a href = '#357msgdesc'>See details ></a></td><td>March 12, 2019<br><a href ='https://support.microsoft.com/help/4489878' target='_blank'>KB4489878</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4499164' target='_blank'>KB4499164</a></td><td>May 14, 2019 <br>10:00 AM PT</td></tr>
|
<tr><td><div id='357msg'></div><b>Authentication may fail for services after the Kerberos ticket expires</b><br>Authentication may fail for services that require unconstrained delegation after the Kerberos ticket expires.<br><br><a href = '#357msgdesc'>See details ></a></td><td>March 12, 2019<br><a href ='https://support.microsoft.com/help/4489878' target='_blank'>KB4489878</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4499164' target='_blank'>KB4499164</a></td><td>May 14, 2019 <br>10:00 AM PT</td></tr>
|
||||||
<tr><td><div id='268msg'></div><b>Devices may not respond at login or Welcome screen if running certain Avast software</b><br>Devices running Avast for Business, Avast CloudCare, and AVG Business Edition antivirus software may become unresponsive after restart.<br><br><a href = '#268msgdesc'>See details ></a></td><td>April 09, 2019<br><a href ='https://support.microsoft.com/help/4493472' target='_blank'>KB4493472</a></td><td>Resolved<br><a href = '' target='_blank'></a></td><td>April 25, 2019 <br>02:00 PM PT</td></tr>
|
|
||||||
</table>
|
</table>
|
||||||
"
|
"
|
||||||
|
|
||||||
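Review bot: the only change in this hunk is the removal of the Avast summary row (`<div id='268msg'>`, Resolved April 25, 2019) from the KB4493472 table, while the Sophos, Avira and Kerberos rows resolved May 14 are kept; if the criterion is age since resolution, state it, because nothing on the row itself marks it as stale. The removed row's `See details >` link targets `#268msgdesc`, so this hunk is only safe together with the removal of that details row lower in the same file; verify both land in the merged result or the summary table is left pointing at a missing anchor.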
@ -95,7 +94,6 @@ sections:
|
|||||||
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='372msgdesc'></div><b>System may be unresponsive after restart if ArcaBit antivirus software installed</b><div>Microsoft and ArcaBit have identified an issue on devices with ArcaBit antivirus software installed that may cause the system to become unresponsive upon restart after installing <a href=\"https://support.microsoft.com/help/4493472\" target=\"_blank\">KB4493472</a>.</div><div><br></div><div><strong>Affected platforms:</strong></div><ul><li>Client: Windows 8.1; Windows 7 SP1</li><li>Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1</li></ul><div></div><div><strong>Resolution:</strong> This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. ArcaBit has released an update to address this issue. For more information, see the <a href=\"https://www.arcabit.pl/wsparcie-techniczne.html\" target=\"_blank\">Arcabit support article</a>.</div><br><a href ='#372msg'>Back to top</a></td><td>April 09, 2019<br><a href ='https://support.microsoft.com/help/4493472' target='_blank'>KB4493472</a></td><td>Resolved<br><a href = '' target='_blank'></a></td><td>Resolved:<br>May 14, 2019 <br>01:23 PM PT<br><br>Opened:<br>April 09, 2019 <br>10:00 AM PT</td></tr>
|
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='372msgdesc'></div><b>System may be unresponsive after restart if ArcaBit antivirus software installed</b><div>Microsoft and ArcaBit have identified an issue on devices with ArcaBit antivirus software installed that may cause the system to become unresponsive upon restart after installing <a href=\"https://support.microsoft.com/help/4493472\" target=\"_blank\">KB4493472</a>.</div><div><br></div><div><strong>Affected platforms:</strong></div><ul><li>Client: Windows 8.1; Windows 7 SP1</li><li>Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1</li></ul><div></div><div><strong>Resolution:</strong> This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. ArcaBit has released an update to address this issue. For more information, see the <a href=\"https://www.arcabit.pl/wsparcie-techniczne.html\" target=\"_blank\">Arcabit support article</a>.</div><br><a href ='#372msg'>Back to top</a></td><td>April 09, 2019<br><a href ='https://support.microsoft.com/help/4493472' target='_blank'>KB4493472</a></td><td>Resolved<br><a href = '' target='_blank'></a></td><td>Resolved:<br>May 14, 2019 <br>01:23 PM PT<br><br>Opened:<br>April 09, 2019 <br>10:00 AM PT</td></tr>
|
||||||
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='370msgdesc'></div><b>System unresponsive after restart if Sophos Endpoint Protection installed</b><div>Microsoft and Sophos have identified an issue on devices with Sophos Endpoint Protection installed and managed by either Sophos Central or Sophos Enterprise Console (SEC) that may cause the system to become unresponsive upon restart after installing <a href=\"https://support.microsoft.com/help/4493472\" target=\"_blank\">KB4493472</a>.</div><div><br></div><div><strong>Affected platforms:</strong> </div><ul><li>Client: Windows 8.1; Windows 7 SP1</li><li>Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2</li></ul><div></div><div><strong>Resolution:</strong> This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. Sophos has released an update to address this issue. Guidance for Sophos Endpoint and Sophos Enterprise Console customers can be found in the <a href=\"https://community.sophos.com/kb/133945\" target=\"_blank\">Sophos support article</a>.</div><br><a href ='#370msg'>Back to top</a></td><td>April 09, 2019<br><a href ='https://support.microsoft.com/help/4493472' target='_blank'>KB4493472</a></td><td>Resolved<br><a href = '' target='_blank'></a></td><td>Resolved:<br>May 14, 2019 <br>01:22 PM PT<br><br>Opened:<br>April 09, 2019 <br>10:00 AM PT</td></tr>
|
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='370msgdesc'></div><b>System unresponsive after restart if Sophos Endpoint Protection installed</b><div>Microsoft and Sophos have identified an issue on devices with Sophos Endpoint Protection installed and managed by either Sophos Central or Sophos Enterprise Console (SEC) that may cause the system to become unresponsive upon restart after installing <a href=\"https://support.microsoft.com/help/4493472\" target=\"_blank\">KB4493472</a>.</div><div><br></div><div><strong>Affected platforms:</strong> </div><ul><li>Client: Windows 8.1; Windows 7 SP1</li><li>Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2</li></ul><div></div><div><strong>Resolution:</strong> This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. Sophos has released an update to address this issue. Guidance for Sophos Endpoint and Sophos Enterprise Console customers can be found in the <a href=\"https://community.sophos.com/kb/133945\" target=\"_blank\">Sophos support article</a>.</div><br><a href ='#370msg'>Back to top</a></td><td>April 09, 2019<br><a href ='https://support.microsoft.com/help/4493472' target='_blank'>KB4493472</a></td><td>Resolved<br><a href = '' target='_blank'></a></td><td>Resolved:<br>May 14, 2019 <br>01:22 PM PT<br><br>Opened:<br>April 09, 2019 <br>10:00 AM PT</td></tr>
|
||||||
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='366msgdesc'></div><b>System may be unresponsive after restart if Avira antivirus software installed</b><div>Microsoft and Avira have identified an issue on devices with Avira antivirus software installed that may cause the system to become unresponsive upon restart after installing <a href=\"https://support.microsoft.com/help/4493472\" target=\"_blank\">KB4493472</a>.</div><div><br></div><div><strong>Affected platforms:</strong> </div><ul><li>Client: Windows 8.1; Windows 7 SP1 </li><li>Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2</li></ul><div></div><div><strong>Resolution:</strong> This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. Avira has released an automatic update to address this issue. Guidance for Avira customers can be found in the <a href=\"https://www.avira.com/en/support-for-home-knowledgebase-detail/kbid/1976\" target=\"_blank\">Avira support article</a>.</div><br><a href ='#366msg'>Back to top</a></td><td>April 09, 2019<br><a href ='https://support.microsoft.com/help/4493472' target='_blank'>KB4493472</a></td><td>Resolved<br><a href = '' target='_blank'></a></td><td>Resolved:<br>May 14, 2019 <br>01:21 PM PT<br><br>Opened:<br>April 09, 2019 <br>10:00 AM PT</td></tr>
|
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='366msgdesc'></div><b>System may be unresponsive after restart if Avira antivirus software installed</b><div>Microsoft and Avira have identified an issue on devices with Avira antivirus software installed that may cause the system to become unresponsive upon restart after installing <a href=\"https://support.microsoft.com/help/4493472\" target=\"_blank\">KB4493472</a>.</div><div><br></div><div><strong>Affected platforms:</strong> </div><ul><li>Client: Windows 8.1; Windows 7 SP1 </li><li>Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2</li></ul><div></div><div><strong>Resolution:</strong> This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. Avira has released an automatic update to address this issue. Guidance for Avira customers can be found in the <a href=\"https://www.avira.com/en/support-for-home-knowledgebase-detail/kbid/1976\" target=\"_blank\">Avira support article</a>.</div><br><a href ='#366msg'>Back to top</a></td><td>April 09, 2019<br><a href ='https://support.microsoft.com/help/4493472' target='_blank'>KB4493472</a></td><td>Resolved<br><a href = '' target='_blank'></a></td><td>Resolved:<br>May 14, 2019 <br>01:21 PM PT<br><br>Opened:<br>April 09, 2019 <br>10:00 AM PT</td></tr>
|
||||||
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='268msgdesc'></div><b>Devices may not respond at login or Welcome screen if running certain Avast software</b><div>Microsoft and Avast have identified an issue on devices running Avast for Business, Avast CloudCare, and AVG Business Edition antivirus software after you install <a href=\"https://support.microsoft.com/help/4493472\" target=\"_blank\">KB4493472</a> and restart. Devices may become unresponsive at the login or Welcome screen. Additionally, you may be unable to log in or log in after an extended period of time.</div><div><br></div><div><strong>Affected platforms:</strong> </div><ul><li>Client: Windows 8.1; Windows 7 SP1 </li><li>Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1 </li></ul><div></div><div><strong>Resolution:</strong> Avast has released emergency updates to address this issue. For more information and AV update schedule, see the <a href=\"https://kb.support.business.avast.com/GetPublicArticle?title=Windows-machines-running-Avast-for-Business-and-Cloud-Care-Freezing-on-Start-up\" target=\"_blank\">Avast support KB article</a>.</div><br><a href ='#268msg'>Back to top</a></td><td>April 09, 2019<br><a href ='https://support.microsoft.com/help/4493472' target='_blank'>KB4493472</a></td><td>Resolved<br><a href = '' target='_blank'></a></td><td>Resolved:<br>April 25, 2019 <br>02:00 PM PT<br><br>Opened:<br>April 09, 2019 <br>10:00 AM PT</td></tr>
|
|
||||||
</table>
|
</table>
|
||||||
"
|
"
|
||||||
|
|
||||||
|
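Review bot: dropping the `268msgdesc` details row removes the only link to the Avast support KB and the one Resolution text in this table that never states the temporary update block was lifted (the retained ArcaBit, Sophos and Avira rows each say "Microsoft has removed the temporary block for all affected Windows updates"). Before removing it, confirm that the hold for Avast for Business, Avast CloudCare and AVG Business Edition on Windows 7 SP1 / Server 2008 R2 SP1 is actually cleared; otherwise the page silently loses an active warning. Minor: the removed row's `<a href = '' target='_blank'></a>` in the status cell is the same empty-anchor pattern as the remaining rows and should be cleaned up there too.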
@ -69,7 +69,6 @@ sections:
|
|||||||
<tr><td><div id='371msg'></div><b>System may be unresponsive after restart if ArcaBit antivirus software installed</b><br>Devices with ArcaBit antivirus software installed may become unresponsive upon restart.<br><br><a href = '#371msgdesc'>See details ></a></td><td>April 09, 2019<br><a href ='https://support.microsoft.com/help/4493446' target='_blank'>KB4493446</a></td><td>Resolved<br><a href = '' target='_blank'></a></td><td>May 14, 2019 <br>01:22 PM PT</td></tr>
|
<tr><td><div id='371msg'></div><b>System may be unresponsive after restart if ArcaBit antivirus software installed</b><br>Devices with ArcaBit antivirus software installed may become unresponsive upon restart.<br><br><a href = '#371msgdesc'>See details ></a></td><td>April 09, 2019<br><a href ='https://support.microsoft.com/help/4493446' target='_blank'>KB4493446</a></td><td>Resolved<br><a href = '' target='_blank'></a></td><td>May 14, 2019 <br>01:22 PM PT</td></tr>
|
||||||
<tr><td><div id='369msg'></div><b>System unresponsive after restart if Sophos Endpoint Protection installed</b><br>Devices with Sophos Endpoint Protection installed and managed by Sophos Central or Sophos Enterprise Console (SEC) may become unresponsive upon restart.<br><br><a href = '#369msgdesc'>See details ></a></td><td>April 09, 2019<br><a href ='https://support.microsoft.com/help/4493446' target='_blank'>KB4493446</a></td><td>Resolved<br><a href = '' target='_blank'></a></td><td>May 14, 2019 <br>01:22 PM PT</td></tr>
|
<tr><td><div id='369msg'></div><b>System unresponsive after restart if Sophos Endpoint Protection installed</b><br>Devices with Sophos Endpoint Protection installed and managed by Sophos Central or Sophos Enterprise Console (SEC) may become unresponsive upon restart.<br><br><a href = '#369msgdesc'>See details ></a></td><td>April 09, 2019<br><a href ='https://support.microsoft.com/help/4493446' target='_blank'>KB4493446</a></td><td>Resolved<br><a href = '' target='_blank'></a></td><td>May 14, 2019 <br>01:22 PM PT</td></tr>
|
||||||
<tr><td><div id='365msg'></div><b>System may be unresponsive after restart if Avira antivirus software installed</b><br>Devices with Avira antivirus software installed may become unresponsive upon restart.<br><br><a href = '#365msgdesc'>See details ></a></td><td>April 09, 2019<br><a href ='https://support.microsoft.com/help/4493446' target='_blank'>KB4493446</a></td><td>Resolved<br><a href = '' target='_blank'></a></td><td>May 14, 2019 <br>01:21 PM PT</td></tr>
|
<tr><td><div id='365msg'></div><b>System may be unresponsive after restart if Avira antivirus software installed</b><br>Devices with Avira antivirus software installed may become unresponsive upon restart.<br><br><a href = '#365msgdesc'>See details ></a></td><td>April 09, 2019<br><a href ='https://support.microsoft.com/help/4493446' target='_blank'>KB4493446</a></td><td>Resolved<br><a href = '' target='_blank'></a></td><td>May 14, 2019 <br>01:21 PM PT</td></tr>
|
||||||
<tr><td><div id='284msg'></div><b>Devices may not respond at login or Welcome screen if running certain Avast software</b><br>Devices running Avast for Business, Avast CloudCare, and AVG Business Edition antivirus software may become unresponsive after restart.<br><br><a href = '#284msgdesc'>See details ></a></td><td>April 09, 2019<br><a href ='https://support.microsoft.com/help/4493446' target='_blank'>KB4493446</a></td><td>Resolved<br><a href = '' target='_blank'></a></td><td>April 25, 2019 <br>02:00 PM PT</td></tr>
|
|
||||||
</table>
|
</table>
|
||||||
"
|
"
|
||||||
|
|
||||||
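Review bot: same shape as the KB4493472 hunk above: only the Avast summary row (`<div id='284msg'>`, Resolved April 25, 2019) is removed from the KB4493446 table and the ArcaBit, Sophos and Avira rows stay. Its `See details >` link targets `#284msgdesc`, so this change must ship together with the removal of that details row below; check the merged file for any surviving `href = '#284msgdesc'` before this is taken.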
@ -100,7 +99,6 @@ sections:
|
|||||||
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='371msgdesc'></div><b>System may be unresponsive after restart if ArcaBit antivirus software installed</b><div>Microsoft and ArcaBit have identified an issue on devices with ArcaBit antivirus software installed that may cause the system to become unresponsive upon restart after installing <a href=\"https://support.microsoft.com/help/4493446\" target=\"_blank\">KB4493446</a>.</div><div><br></div><div><strong>Affected platforms:</strong></div><ul><li>Client: Windows 8.1; Windows 7 SP1</li><li>Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1</li></ul><div></div><div><strong>Resolution:</strong> This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. ArcaBit has released an update to address this issue. For more information, see the <a href=\"https://www.arcabit.pl/wsparcie-techniczne.html\" target=\"_blank\">Arcabit support article</a>.</div><br><a href ='#371msg'>Back to top</a></td><td>April 09, 2019<br><a href ='https://support.microsoft.com/help/4493446' target='_blank'>KB4493446</a></td><td>Resolved<br><a href = '' target='_blank'></a></td><td>Resolved:<br>May 14, 2019 <br>01:22 PM PT<br><br>Opened:<br>April 09, 2019 <br>10:00 AM PT</td></tr>
|
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='371msgdesc'></div><b>System may be unresponsive after restart if ArcaBit antivirus software installed</b><div>Microsoft and ArcaBit have identified an issue on devices with ArcaBit antivirus software installed that may cause the system to become unresponsive upon restart after installing <a href=\"https://support.microsoft.com/help/4493446\" target=\"_blank\">KB4493446</a>.</div><div><br></div><div><strong>Affected platforms:</strong></div><ul><li>Client: Windows 8.1; Windows 7 SP1</li><li>Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1</li></ul><div></div><div><strong>Resolution:</strong> This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. ArcaBit has released an update to address this issue. For more information, see the <a href=\"https://www.arcabit.pl/wsparcie-techniczne.html\" target=\"_blank\">Arcabit support article</a>.</div><br><a href ='#371msg'>Back to top</a></td><td>April 09, 2019<br><a href ='https://support.microsoft.com/help/4493446' target='_blank'>KB4493446</a></td><td>Resolved<br><a href = '' target='_blank'></a></td><td>Resolved:<br>May 14, 2019 <br>01:22 PM PT<br><br>Opened:<br>April 09, 2019 <br>10:00 AM PT</td></tr>
|
||||||
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='369msgdesc'></div><b>System unresponsive after restart if Sophos Endpoint Protection installed</b><div>Microsoft and Sophos have identified an issue on devices with Sophos Endpoint Protection installed and managed by either Sophos Central or Sophos Enterprise Console (SEC) that may cause the system to become unresponsive upon restart after installing <a href=\"https://support.microsoft.com/help/4493446\" target=\"_blank\">KB4493446</a>.</div><div><br></div><div><strong>Affected platforms:</strong> </div><ul><li>Client: Windows 8.1; Windows 7 SP1</li><li>Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2</li></ul><div></div><div><strong>Resolution:</strong> This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. Sophos has released an update to address this issue. Guidance for Sophos Endpoint and Sophos Enterprise Console customers can be found in the <a href=\"https://community.sophos.com/kb/133945\" target=\"_blank\">Sophos support article</a>.</div><br><a href ='#369msg'>Back to top</a></td><td>April 09, 2019<br><a href ='https://support.microsoft.com/help/4493446' target='_blank'>KB4493446</a></td><td>Resolved<br><a href = '' target='_blank'></a></td><td>Resolved:<br>May 14, 2019 <br>01:22 PM PT<br><br>Opened:<br>April 09, 2019 <br>10:00 AM PT</td></tr>
|
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='369msgdesc'></div><b>System unresponsive after restart if Sophos Endpoint Protection installed</b><div>Microsoft and Sophos have identified an issue on devices with Sophos Endpoint Protection installed and managed by either Sophos Central or Sophos Enterprise Console (SEC) that may cause the system to become unresponsive upon restart after installing <a href=\"https://support.microsoft.com/help/4493446\" target=\"_blank\">KB4493446</a>.</div><div><br></div><div><strong>Affected platforms:</strong> </div><ul><li>Client: Windows 8.1; Windows 7 SP1</li><li>Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2</li></ul><div></div><div><strong>Resolution:</strong> This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. Sophos has released an update to address this issue. Guidance for Sophos Endpoint and Sophos Enterprise Console customers can be found in the <a href=\"https://community.sophos.com/kb/133945\" target=\"_blank\">Sophos support article</a>.</div><br><a href ='#369msg'>Back to top</a></td><td>April 09, 2019<br><a href ='https://support.microsoft.com/help/4493446' target='_blank'>KB4493446</a></td><td>Resolved<br><a href = '' target='_blank'></a></td><td>Resolved:<br>May 14, 2019 <br>01:22 PM PT<br><br>Opened:<br>April 09, 2019 <br>10:00 AM PT</td></tr>
|
||||||
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='365msgdesc'></div><b>System may be unresponsive after restart if Avira antivirus software installed</b><div>Microsoft and Avira have identified an issue on devices with Avira antivirus software installed that may cause the system to become unresponsive upon restart after installing <a href=\"https://support.microsoft.com/help/4493446\" target=\"_blank\">KB4493446</a>.</div><div><br></div><div><strong>Affected platforms:</strong> </div><ul><li>Client: Windows 8.1; Windows 7 SP1 </li><li>Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 </li></ul><div></div><div><strong>Resolution:</strong> This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. Avira has released an automatic update to address this issue. Guidance for Avira customers can be found in the <a href=\"https://www.avira.com/en/support-for-home-knowledgebase-detail/kbid/1976\" target=\"_blank\">Avira support article</a>.</div><br><a href ='#365msg'>Back to top</a></td><td>April 09, 2019<br><a href ='https://support.microsoft.com/help/4493446' target='_blank'>KB4493446</a></td><td>Resolved<br><a href = '' target='_blank'></a></td><td>Resolved:<br>May 14, 2019 <br>01:21 PM PT<br><br>Opened:<br>April 09, 2019 <br>10:00 AM PT</td></tr>
|
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='365msgdesc'></div><b>System may be unresponsive after restart if Avira antivirus software installed</b><div>Microsoft and Avira have identified an issue on devices with Avira antivirus software installed that may cause the system to become unresponsive upon restart after installing <a href=\"https://support.microsoft.com/help/4493446\" target=\"_blank\">KB4493446</a>.</div><div><br></div><div><strong>Affected platforms:</strong> </div><ul><li>Client: Windows 8.1; Windows 7 SP1 </li><li>Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 </li></ul><div></div><div><strong>Resolution:</strong> This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. Avira has released an automatic update to address this issue. Guidance for Avira customers can be found in the <a href=\"https://www.avira.com/en/support-for-home-knowledgebase-detail/kbid/1976\" target=\"_blank\">Avira support article</a>.</div><br><a href ='#365msg'>Back to top</a></td><td>April 09, 2019<br><a href ='https://support.microsoft.com/help/4493446' target='_blank'>KB4493446</a></td><td>Resolved<br><a href = '' target='_blank'></a></td><td>Resolved:<br>May 14, 2019 <br>01:21 PM PT<br><br>Opened:<br>April 09, 2019 <br>10:00 AM PT</td></tr>
|
||||||
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='284msgdesc'></div><b>Devices may not respond at login or Welcome screen if running certain Avast software</b><div>Microsoft and Avast have identified an issue on devices running Avast for Business, Avast CloudCare, and AVG Business Edition antivirus software after you install <a href=\"https://support.microsoft.com/help/4493446\" target=\"_blank\">KB4493446 </a>and restart. Devices may become unresponsive at the login or Welcome screen. Additionally, you may be unable to log in or log in after an extended period of time.</div><div><br></div><div><strong>Affected platforms:</strong> </div><ul><li>Client: Windows 8.1; Windows 7 SP1 </li><li>Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1 </li></ul><div></div><div><strong>Resolution</strong>: Avast has released emergency updates to address this issue. For more information and AV update schedule, see the <a href=\"https://kb.support.business.avast.com/GetPublicArticle?title=Windows-machines-running-Avast-for-Business-and-Cloud-Care-Freezing-on-Start-up\" target=\"_blank\">Avast support KB article</a>.</div><br><a href ='#284msg'>Back to top</a></td><td>April 09, 2019<br><a href ='https://support.microsoft.com/help/4493446' target='_blank'>KB4493446</a></td><td>Resolved<br><a href = '' target='_blank'></a></td><td>Resolved:<br>April 25, 2019 <br>02:00 PM PT<br><br>Opened:<br>April 09, 2019 <br>10:00 AM PT</td></tr>
|
|
||||||
</table>
|
</table>
|
||||||
"
|
"
|
||||||
|
|
||||||
|
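Review bot: the removed `284msgdesc` row is the Windows 8.1 / Server 2012 R2 counterpart of the `268msgdesc` row, and its Resolution text likewise never says the temporary block was lifted, unlike the three retained rows; apply the same check as for the KB4493472 table (confirm the Avast hold is cleared before dropping the warning). Note that this row also contained two markup slips the retained rows do not have (`KB4493446 </a>and restart`, with the space inside the anchor, and `<strong>Resolution</strong>:` with the colon outside the tag), which suggests it was hand-edited; worth a scan of the surviving rows for the same.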
@ -64,7 +64,7 @@ By default, the Active Directory Certificate Authority provides and publishes th
|
|||||||
Sign-in to a certificate authority or management workstations with _Domain Admin_ equivalent credentials.
|
Sign-in to a certificate authority or management workstations with _Domain Admin_ equivalent credentials.
|
||||||
1. Open the **Certificate Authority** management console.
|
1. Open the **Certificate Authority** management console.
|
||||||
2. Right-click **Certificate Templates** and click **Manage**.
|
2. Right-click **Certificate Templates** and click **Manage**.
|
||||||
3. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and click **Duplicate Template**.
|
3. In the **Certificate Templates Console**, right-click the **Kerberos Authentication** template in the details pane and click **Duplicate Template**.
|
||||||
4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2008 R2** from the **Certification Authority** list. Select **Windows 7.Server 2008 R2** from the **Certification Recipient** list.
|
4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2008 R2** from the **Certification Authority** list. Select **Windows 7.Server 2008 R2** from the **Certification Recipient** list.
|
||||||
5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprise’s needs.
|
5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprise’s needs.
|
||||||
**Note**If you use different template names, you’ll need to remember and substitute these names in different portions of the lab.
|
**Note**If you use different template names, you’ll need to remember and substitute these names in different portions of the lab.
|
||||||
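Review bot: the rename to **Certificate Templates Console** in step 3 is correct (that is the title of the MMC snap-in), but the same naming pass should cover the rest of this hunk: the console opened in step 1 is **Certification Authority** (certsrv.msc), not **Certificate Authority**, and the second list on the Compatibility tab in step 4 is labelled **Certificate recipient**, not **Certification Recipient**. Two typos in the unchanged context of this hunk also belong in the fix: step 4's `**Windows 7.Server 2008 R2**` (the entry is Windows 7 / Windows Server 2008 R2) and `**Note**If` (missing space after the bold label).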
@ -81,7 +81,7 @@ The Kerberos Authentication certificate template is the most current certificate
|
|||||||
Sign-in to a certificate authority or management workstations with _Enterprise Admin_ equivalent credentials.
|
Sign-in to a certificate authority or management workstations with _Enterprise Admin_ equivalent credentials.
|
||||||
1. Open the **Certificate Authority** management console.
|
1. Open the **Certificate Authority** management console.
|
||||||
2. Right-click **Certificate Templates** and click **Manage**.
|
2. Right-click **Certificate Templates** and click **Manage**.
|
||||||
3. In the **Certificate Template Console**, right-click the **Domain Controller Authentication (Kerberos)** (or the name of the certificate template you created in the previous section) template in the details pane and click **Properties**.
|
3. In the **Certificate Templates Console**, right-click the **Domain Controller Authentication (Kerberos)** (or the name of the certificate template you created in the previous section) template in the details pane and click **Properties**.
|
||||||
4. Click the **Superseded Templates** tab. Click **Add**.
|
4. Click the **Superseded Templates** tab. Click **Add**.
|
||||||
5. From the **Add Superseded Template** dialog, select the **Domain Controller** certificate template and click **OK**. Click **Add**.
|
5. From the **Add Superseded Template** dialog, select the **Domain Controller** certificate template and click **OK**. Click **Add**.
|
||||||
6. From the **Add Superseded Template** dialog, select the **Domain Controller Authentication** certificate template and click **OK**.
|
6. From the **Add Superseded Template** dialog, select the **Domain Controller Authentication** certificate template and click **OK**.
|
||||||
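Review bot: the rename to "Certificate Templates Console" matches the console's actual title and the earlier step in this file; while here, the context line "Sign-in to a certificate authority or management workstations" uses the noun form as a verb and should read "Sign in to" (the same phrasing recurs in the Web Server section of this change).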
@ -98,7 +98,7 @@ Windows 10 clients use the https protocol when communicating with Active Directo
|
|||||||
Sign-in to a certificate authority or management workstations with _Domain Admin_ equivalent credentials.
|
Sign-in to a certificate authority or management workstations with _Domain Admin_ equivalent credentials.
|
||||||
1. Open the **Certificate Authority** management console.
|
1. Open the **Certificate Authority** management console.
|
||||||
2. Right-click **Certificate Templates** and click **Manage**.
|
2. Right-click **Certificate Templates** and click **Manage**.
|
||||||
3. In the **Certificate Template Console**, right-click the **Web Server** template in the details pane and click **Duplicate Template**.
|
3. In the **Certificate Templates Console**, right-click the **Web Server** template in the details pane and click **Duplicate Template**.
|
||||||
4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list.
|
4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list.
|
||||||
5. On the **General** tab, type **Internal Web Server** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs.
|
5. On the **General** tab, type **Internal Web Server** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs.
|
||||||
**Note:** If you use different template names, you’ll need to remember and substitute these names in different portions of the lab.
|
**Note:** If you use different template names, you’ll need to remember and substitute these names in different portions of the lab.
|
||||||
@ -168,11 +168,11 @@ You want to confirm your domain controllers enroll the correct certificates and
|
|||||||
|
|
||||||
#### Use the Event Logs
|
#### Use the Event Logs
|
||||||
|
|
||||||
Windows Server 2012 and later include Certificate Lifecycle events to determine the lifecycles of certificates for both users and computers. Using the Event Viewer, navigate to the **CertificateServices-Lifecycles-System** event log under **Application and Services/Microsoft/Windows**.
|
Windows Server 2012 and later include Certificate Lifecycle events to determine the lifecycles of certificates for both users and computers. Using the Event Viewer, navigate to the **CertificateServicesClient-Lifecycle-System** event log under **Application and Services/Microsoft/Windows**.
|
||||||
|
|
||||||
Look for an event indicating a new certificate enrollment (autoenrollment). The details of the event include the certificate template on which the certificate was issued. The name of the certificate template used to issue the certificate should match the certificate template name included in the event. The certificate thumbprint and EKUs for the certificate are also included in the event. The EKU needed for proper Windows Hello for Business authentication is Kerberos Authentication, in addition to other EKUs provide by the certificate template.
|
Look for an event indicating a new certificate enrollment (autoenrollment). The details of the event include the certificate template on which the certificate was issued. The name of the certificate template used to issue the certificate should match the certificate template name included in the event. The certificate thumbprint and EKUs for the certificate are also included in the event. The EKU needed for proper Windows Hello for Business authentication is Kerberos Authentication, in addition to other EKUs provide by the certificate template.
|
||||||
|
|
||||||
Certificates superseded by your new domain controller certificate generate an archive event in the CertificateServices-Lifecycles-System event. The archive event contains the certificate template name and thumbprint of the certificate that was superseded by the new certificate.
|
Certificates superseded by your new domain controller certificate generate an archive event in the CertificateServicesClient-Lifecycle-System event. The archive event contains the certificate template name and thumbprint of the certificate that was superseded by the new certificate.
|
||||||
|
|
||||||
|
|
||||||
#### Certificate Manager
|
#### Certificate Manager
|
||||||
|
@ -34,8 +34,8 @@ ms.date: 10/08/2018
|
|||||||
- [Key Trust](#key-trust)
|
- [Key Trust](#key-trust)
|
||||||
- [Managed Environment](#managed-environment)
|
- [Managed Environment](#managed-environment)
|
||||||
- [On-premises Deployment](#on-premises-deployment)
|
- [On-premises Deployment](#on-premises-deployment)
|
||||||
- [Pass-through Authentication](#passthrough-authentication)
|
- [Pass-through Authentication](#pass-through-authentication)
|
||||||
- [Password Hash Synchronization](#password-hash-synchronization)
|
- [Password Hash Synchronization](#password-hash-sync)
|
||||||
- [Primary Refresh Token](#primary-refresh-token)
|
- [Primary Refresh Token](#primary-refresh-token)
|
||||||
- [Storage Root Key](#storage-root-key)
|
- [Storage Root Key](#storage-root-key)
|
||||||
- [Trust Type](#trust-type)
|
- [Trust Type](#trust-type)
|
||||||
@ -212,9 +212,9 @@ The key trust model uses the user's Windows Hello for Business identity to authe
|
|||||||
Managed environments are for non-federated environments where Azure Active Directory manages the authentication using technologies such as Password Hash Synchronization and Pass-through Authentication rather than a federation service such as Active Directory Federation Services.
|
Managed environments are for non-federated environments where Azure Active Directory manages the authentication using technologies such as Password Hash Synchronization and Pass-through Authentication rather than a federation service such as Active Directory Federation Services.
|
||||||
|
|
||||||
### Related topics
|
### Related topics
|
||||||
[Federated Environment](#federated-environment), [Pass-through authentication](#pass-through-authentication), [Password Hash Synchronization](#password-hash-synchronization)
|
[Federated Environment](#federated-environment), [Pass-through authentication](#pass-through-authentication), [Password Hash Synchronization](#password-hash-sync)
|
||||||
|
|
||||||
[Return to Top](#Technology-and-Terms)
|
[Return to Top](#technology-and-terms)
|
||||||
## On-premises Deployment
|
## On-premises Deployment
|
||||||
The Windows Hello for Business on-premises deployment is for organizations that exclusively have on-premises resources that are accessed using Active Directory identities. On-premises deployments support domain joined devices. The on-premises deployment model supports two authentication trust types, key trust and certificate trust.
|
The Windows Hello for Business on-premises deployment is for organizations that exclusively have on-premises resources that are accessed using Active Directory identities. On-premises deployments support domain joined devices. The on-premises deployment model supports two authentication trust types, key trust and certificate trust.
|
||||||
|
|
||||||
@ -229,13 +229,13 @@ The Windows Hello for Business on-premises deployment is for organizations that
|
|||||||
Provides a simple password validation for Azure AD authentication services using a software agent running on one or more on-premises servers to validate the users directly with your on-premises Active Directory. With pass-through authentication (PTA), you synchronize on-premises Active Directory user account objects with Office 365 and manage your users on-premises. Allows your users to sign in to both on-premises and Office 365 resources and applications using their on-premises account and password. This configuration validates users' passwords directly against your on-premises Active Directory without sending password hashes to Office 365. Companies with a security requirement to immediately enforce on-premises user account states, password policies, and logon hours would use this authentication method. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network.
|
Provides a simple password validation for Azure AD authentication services using a software agent running on one or more on-premises servers to validate the users directly with your on-premises Active Directory. With pass-through authentication (PTA), you synchronize on-premises Active Directory user account objects with Office 365 and manage your users on-premises. Allows your users to sign in to both on-premises and Office 365 resources and applications using their on-premises account and password. This configuration validates users' passwords directly against your on-premises Active Directory without sending password hashes to Office 365. Companies with a security requirement to immediately enforce on-premises user account states, password policies, and logon hours would use this authentication method. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network.
|
||||||
|
|
||||||
### Related topics
|
### Related topics
|
||||||
[Federated Environment](#federated-environment), [Managed Environment](#managed-environment), [Password Hash Synchronization](#password-hash-synchronization)
|
[Federated Environment](#federated-environment), [Managed Environment](#managed-environment), [Password Hash Synchronization](#password-hash-sync)
|
||||||
|
|
||||||
|
|
||||||
### More information
|
### More information
|
||||||
- [Choosing the right authentication method for your Azure Active Directory hybrid identity solution](https://docs.microsoft.com/azure/security/azure-ad-choose-authn)
|
- [Choosing the right authentication method for your Azure Active Directory hybrid identity solution](https://docs.microsoft.com/azure/security/azure-ad-choose-authn)
|
||||||
|
|
||||||
[Return to Top](#hello-how-it-works-technology.md)
|
[Return to Top](hello-how-it-works-technology.md)
|
||||||
## Password Hash Sync
|
## Password Hash Sync
|
||||||
The simplest way to enable authentication for on-premises directory objects in Azure AD. With password hash sync (PHS), you synchronize your on-premises Active Directory user account objects with Office 365 and manage your users on-premises. Hashes of user passwords are synchronized from your on-premises Active Directory to Azure AD so that the users have the same password on-premises and in the cloud. When passwords are changed or reset on-premises, the new password hashes are synchronized to Azure AD so that your users can always use the same password for cloud resources and on-premises resources. The passwords are never sent to Azure AD or stored in Azure AD in clear text. Some premium features of Azure AD, such as Identity Protection, require PHS regardless of which authentication method is selected. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network.
|
The simplest way to enable authentication for on-premises directory objects in Azure AD. With password hash sync (PHS), you synchronize your on-premises Active Directory user account objects with Office 365 and manage your users on-premises. Hashes of user passwords are synchronized from your on-premises Active Directory to Azure AD so that the users have the same password on-premises and in the cloud. When passwords are changed or reset on-premises, the new password hashes are synchronized to Azure AD so that your users can always use the same password for cloud resources and on-premises resources. The passwords are never sent to Azure AD or stored in Azure AD in clear text. Some premium features of Azure AD, such as Identity Protection, require PHS regardless of which authentication method is selected. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network.
|
||||||
|
|
||||||
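Review bot: the "Return to Top" link at the end of this hunk now targets the file itself (`hello-how-it-works-technology.md`), while the other "Return to Top" links corrected in this same change point to the in-page anchor `#technology-and-terms`. Linking to the file reloads the page rather than jumping to the anchor; suggest `[Return to Top](#technology-and-terms)` here for consistency with the other occurrences.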
@ -253,7 +253,7 @@ The PRT is initially obtained during Windows Logon (user sign-in/unlock) in a si
|
|||||||
|
|
||||||
The PRT is needed for SSO. Without it, the user will be prompted for credentials when accessing applications every time. Please also note that the PRT contains information about the device. This means that if you have any [device-based conditional access](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-policy-connected-applications) policy set on an application, without the PRT, access will be denied.
|
The PRT is needed for SSO. Without it, the user will be prompted for credentials when accessing applications every time. Please also note that the PRT contains information about the device. This means that if you have any [device-based conditional access](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-policy-connected-applications) policy set on an application, without the PRT, access will be denied.
|
||||||
|
|
||||||
[Return to Top](#Technology-and-Terms)
|
[Return to Top](#technology-and-terms)
|
||||||
## Storage Root Key
|
## Storage Root Key
|
||||||
The storage root key (SRK) is also an asymmetric key pair (RSA with a minimum of 2048 bits length). The SRK has a major role and is used to protect TPM keys, so that these keys cannot be used without the TPM. The SRK key is created when the ownership of the TPM is taken.
|
The storage root key (SRK) is also an asymmetric key pair (RSA with a minimum of 2048 bits length). The SRK has a major role and is used to protect TPM keys, so that these keys cannot be used without the TPM. The SRK key is created when the ownership of the TPM is taken.
|
||||||
|
|
||||||
@ -284,9 +284,9 @@ A TPM implements controls that meet the specification described by the Trusted C
|
|||||||
- The first TPM specification, version 1.2, was published in February 2005 by the TCG and standardized under ISO / IEC 11889 standard.
|
- The first TPM specification, version 1.2, was published in February 2005 by the TCG and standardized under ISO / IEC 11889 standard.
|
||||||
- The latest TPM specification, referred to as TPM 2.0, was released in April 2014 and has been approved by the ISO/IEC Joint Technical Committee (JTC) as ISO/IEC 11889:2015.
|
- The latest TPM specification, referred to as TPM 2.0, was released in April 2014 and has been approved by the ISO/IEC Joint Technical Committee (JTC) as ISO/IEC 11889:2015.
|
||||||
|
|
||||||
Windows<EFBFBD>10 uses the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=733948).
|
Windows 10 uses the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=733948).
|
||||||
|
|
||||||
Windows<EFBFBD>10 recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent and modern security features, Windows<EFBFBD>10 supports only TPM 2.0.
|
Windows 10 recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent and modern security features, Windows 10 supports only TPM 2.0.
|
||||||
|
|
||||||
TPM 2.0 provides a major revision to the capabilities over TPM 1.2:
|
TPM 2.0 provides a major revision to the capabilities over TPM 1.2:
|
||||||
|
|
||||||
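Review bot: replacing the mis-encoded character in "Windows<EFBFBD>10" with a plain space is the right fix; please grep the rest of this file for the same byte sequence, since it typically comes from a non-breaking space pasted throughout a document rather than in one paragraph. Unrelated but adjacent, the context bullet writes "ISO / IEC 11889" with spaces while the next bullet writes "ISO/IEC 11889:2015"; pick one form.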
@ -316,16 +316,3 @@ In a simplified manner, the TPM is a passive component with limited resources. I
|
|||||||
|
|
||||||
[Return to Top](hello-how-it-works-technology.md)
|
[Return to Top](hello-how-it-works-technology.md)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -58,7 +58,18 @@ The Windows Hello for Business deployment depends on an enterprise public key in
|
|||||||
|
|
||||||
Key trust deployments do not need client issued certificates for on-premises authentication. Active Directory user accounts are automatically configured for public key mapping by Azure AD Connect synchronizing the public key of the registered Windows Hello for Business credential to an attribute on the user's Active Directory object.
|
Key trust deployments do not need client issued certificates for on-premises authentication. Active Directory user accounts are automatically configured for public key mapping by Azure AD Connect synchronizing the public key of the registered Windows Hello for Business credential to an attribute on the user's Active Directory object.
|
||||||
|
|
||||||
The minimum required enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012.
|
The minimum required enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012, but you can also use a third-party enterprise certification authority. The detailed requirements for the Domain Controller certificate are shown below.
|
||||||
|
|
||||||
|
* The certificate must have a Certificate Revocation List (CRL) distribution point extension that points to a valid CRL.
|
||||||
|
* Optionally, the certificate Subject section should contain the directory path of the server object (the distinguished name).
|
||||||
|
* The certificate Key Usage section must contain Digital Signature and Key Encipherment.
|
||||||
|
* Optionally, the certificate Basic Constraints section should contain: [Subject Type=End Entity, Path Length Constraint=None].
|
||||||
|
* The certificate Enhanced Key Usage section must contain Client Authentication (1.3.6.1.5.5.7.3.2) and Server Authentication (1.3.6.1.5.5.7.3.1).
|
||||||
|
* The certificate Subject Alternative Name section must contain the Domain Name System (DNS) name.
|
||||||
|
* The certificate template must have an extension that has the BMP data value "DomainController".
|
||||||
|
* The domain controller certificate must be installed in the local computer's certificate store.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
> [!IMPORTANT]
|
> [!IMPORTANT]
|
||||||
> For Azure AD joined device to authenticate to and use on-premises resources, ensure you:
|
> For Azure AD joined device to authenticate to and use on-premises resources, ensure you:
|
||||||
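Review bot: the new domain controller certificate requirements list has an internal contradiction and one gap. Two bullets say "Optionally, the certificate ... should contain", which reads as both optional and recommended; state which it is ("may contain" if optional). More importantly, the Enhanced Key Usage bullet only lists Client Authentication (1.3.6.1.5.5.7.3.2) and Server Authentication (1.3.6.1.5.5.7.3.1), whereas the validation section elsewhere in this change says "The EKU needed for proper Windows Hello for Business authentication is Kerberos Authentication"; if the Kerberos Authentication EKU is required for key trust, it belongs in this list, and if not, the two sections should explain why they differ. The bullet "must have an extension that has the BMP data value \"DomainController\"" should also name the extension so a reader of a third-party CA can locate it.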
@ -85,7 +96,7 @@ Organizations using older directory synchronization technology, such as DirSync
|
|||||||
<br>
|
<br>
|
||||||
|
|
||||||
## Federation with Azure ##
|
## Federation with Azure ##
|
||||||
You can deploy Windows Hello for Business key trust in non-federated and federated environments. For non-federated environments, key trust deployments work in environments that have deployed [Password Synchronization with Azure AD Connect](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-implement-password-synchronization) and [Azure Active Directory Pass-through-Authentication](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication). For federated environments, you can deploy Windows Hello for Business key trust using Active Directory Federation Services (AD FS) beginning with Windows Server 2012 R2.
|
You can deploy Windows Hello for Business key trust in non-federated and federated environments. For non-federated environments, key trust deployments work in environments that have deployed [Password Synchronization with Azure AD Connect](https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-phs) and [Azure Active Directory Pass-through-Authentication](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication). For federated environments, you can deploy Windows Hello for Business key trust using Active Directory Federation Services (AD FS) beginning with Windows Server 2012 R2.
|
||||||
|
|
||||||
### Section Review ###
|
### Section Review ###
|
||||||
> [!div class="checklist"]
|
> [!div class="checklist"]
|
||||||
|
@ -97,7 +97,7 @@ Windows Hello for Business can use either keys (hardware or software) or certifi
|
|||||||
|
|
||||||
## Learn more
|
## Learn more
|
||||||
|
|
||||||
[Implementing Windows Hello for Business at Microsoft](https://www.microsoft.com/itshowcase/Article/Content/830/Implementing-Windows-Hello-for-Business-at-Microsoft)
|
[Implementing Windows Hello for Business at Microsoft](https://www.microsoft.com/en-us/itshowcase/implementing-windows-hello-for-business-at-microsoft)
|
||||||
|
|
||||||
[Introduction to Windows Hello](https://go.microsoft.com/fwlink/p/?LinkId=786649), video presentation on Microsoft Virtual Academy
|
[Introduction to Windows Hello](https://go.microsoft.com/fwlink/p/?LinkId=786649), video presentation on Microsoft Virtual Academy
|
||||||
|
|
||||||
|
@ -117,7 +117,7 @@ You will want to balance testing in a lab with providing results to management q
|
|||||||
|
|
||||||
## The Process
|
## The Process
|
||||||
|
|
||||||
The journey to password-less is to take each work persona through each password-less step. In the begging, we encourage working with one persona at a time to ensure team members and stakeholders are familiar with the process. Once comfortable with the process, you can cover as many work personas in parallel as resources allow. The process looks something like
|
The journey to password-less is to take each work persona through each password-less step. In the beginning, we encourage working with one persona at a time to ensure team members and stakeholders are familiar with the process. Once comfortable with the process, you can cover as many work personas in parallel as resources allow. The process looks something like
|
||||||
|
|
||||||
1. Password-less replacement offering (Step 1)
|
1. Password-less replacement offering (Step 1)
|
||||||
1. Identify test users that represent the targeted work persona.
|
1. Identify test users that represent the targeted work persona.
|
||||||
|
@ -163,16 +163,41 @@ Use Windows Event Forwarding to collect and aggregate your WIP audit events. You
|
|||||||
|
|
||||||
2. In the console tree under **Application and Services Logs\Microsoft\Windows**, click **EDP-Audit-Regular** and **EDP-Audit-TCB**.
|
2. In the console tree under **Application and Services Logs\Microsoft\Windows**, click **EDP-Audit-Regular** and **EDP-Audit-TCB**.
|
||||||
|
|
||||||
|
## Collect WIP audit logs using Azure Monitor
|
||||||
|
You can collect audit logs using Azure Monitor. See [Windows event log data sources in Azure Monitor.](https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs)
|
||||||
|
|
||||||
|
**To view the WIP events in Azure Monitor**
|
||||||
|
1. Use an existing or create a new Log Analytics workspace.
|
||||||
|
|
||||||
|
2. In **Log Analytics** > **Advanced Settings**, select **Data**. In Windows Event Logs, add logs to receive:
|
||||||
|
|
||||||
|
```
|
||||||
|
Microsoft-Windows-EDP-Application-Learning/Admin
|
||||||
|
Microsoft-Windows-EDP-Audit-TCB/Admin
|
||||||
|
```
|
||||||
|
>[!NOTE]
|
||||||
|
>If using Windows Events Logs, the event log names can be found under Properties of the event in the Events folder (Application and Services Logs\Microsoft\Windows, click EDP-Audit-Regular and EDP-Audit-TCB).
|
||||||
|
|
||||||
|
3. Download Microsoft [Monitoring Agent](https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agent-windows#install-the-agent-using-dsc-in-azure-automation).
|
||||||
|
|
||||||
|
4. To get MSI for Intune installation as stated in the Azure Monitor article, extract: MMASetup-.exe /c /t:
|
||||||
|
Install Microsoft Monitoring Agent to WIP devices using Workspace ID and Primary key. More information on Workspace ID and Primary key can be found in **Log Analytics** > **Advanced Settings**.
|
||||||
|
|
||||||
|
5. To deploy MSI via Intune, in installation parameters add: /q /norestart NOAPM=1 ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0 OPINSIGHTS_WORKSPACE_ID=<WORKSPACE_ID> OPINSIGHTS_WORKSPACE_KEY=<WORKSPACE_KEY> AcceptEndUserLicenseAgreement=1
|
||||||
|
|
||||||
|
>[!NOTE]
|
||||||
|
>Replace <WORKSPACE_ID> & <WORKSPACE_KEY> received from step 5. In installation parameters, don't place <WORKSPACE_ID> & <WORKSPACE_KEY> in quotes ("" or '').
|
||||||
|
|
||||||
|
6. After the agent is deployed, data will be received within approximately 10 minutes.
|
||||||
|
|
||||||
|
7. To search for logs, go to **Log Analytics workspace** > **Logs**, and type **Event** in search.
|
||||||
|
|
||||||
|
***Example***
|
||||||
|
```
|
||||||
|
Event | where EventLog == "Microsoft-Windows-EDP-Audit-TCB/Admin"
|
||||||
|
```
|
||||||
|
|
||||||
|
## Additional resources
|
||||||
|
- [How to deploy app via Intune](https://docs.microsoft.com/intune/apps-add)
|
||||||
|
- [How to create Log workspace](https://docs.microsoft.com/azure/azure-monitor/learn/quick-create-workspace)
|
||||||
|
- [How to use Microsoft Monitoring Agents for Windows](https://docs.microsoft.com/azure/azure-monitor/platform/agents-overview)
|
||||||
|
@ -95,6 +95,7 @@
|
|||||||
##### [Protect users, data, and devices with conditional access](microsoft-defender-atp/conditional-access.md)
|
##### [Protect users, data, and devices with conditional access](microsoft-defender-atp/conditional-access.md)
|
||||||
##### [Microsoft Cloud App Security integration overview](microsoft-defender-atp/microsoft-cloud-app-security-integration.md)
|
##### [Microsoft Cloud App Security integration overview](microsoft-defender-atp/microsoft-cloud-app-security-integration.md)
|
||||||
##### [Information protection in Windows overview](microsoft-defender-atp/information-protection-in-windows-overview.md)
|
##### [Information protection in Windows overview](microsoft-defender-atp/information-protection-in-windows-overview.md)
|
||||||
|
###### [Use sensitivity labels to prioritize incident response](microsoft-defender-atp/information-protection-investigation.md)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -62,7 +62,7 @@ Detailed Tracking security policy settings and audit events can be used to monit
|
|||||||
- [Audit Process Creation](audit-process-creation.md)
|
- [Audit Process Creation](audit-process-creation.md)
|
||||||
- [Audit Process Termination](audit-process-termination.md)
|
- [Audit Process Termination](audit-process-termination.md)
|
||||||
- [Audit RPC Events](audit-rpc-events.md)
|
- [Audit RPC Events](audit-rpc-events.md)
|
||||||
|
- [Audit Credential Validation](https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-credential-validation)
|
||||||
> **Note:** For more information, see [Security Monitoring](https://blogs.technet.microsoft.com/nathangau/2018/01/25/security-monitoring-a-possible-new-way-to-detect-privilege-escalation/)
|
> **Note:** For more information, see [Security Monitoring](https://blogs.technet.microsoft.com/nathangau/2018/01/25/security-monitoring-a-possible-new-way-to-detect-privilege-escalation/)
|
||||||
|
|
||||||
## DS Access
|
## DS Access
|
||||||
|
@ -83,7 +83,7 @@ The rules that govern how Group Policy settings are applied propagate to the sub
|
|||||||
| - | - | - | -|
|
| - | - | - | -|
|
||||||
| Detailed File Share Auditing | Success | Failure | Success |
|
| Detailed File Share Auditing | Success | Failure | Success |
|
||||||
| Process Creation Auditing | Disabled | Success | Disabled |
|
| Process Creation Auditing | Disabled | Success | Disabled |
|
||||||
| Logon Auditing | Success | Failure | Failure |
|
| Logon Auditing | Failure | Success | Failure |
|
||||||
|
|
||||||
## <a href="" id="bkmk-14"></a>What is the difference between an object DACL and an object SACL?
|
## <a href="" id="bkmk-14"></a>What is the difference between an object DACL and an object SACL?
|
||||||
|
|
||||||
|
@ -98,9 +98,10 @@
|
|||||||
#### [Managed security service provider support](mssp-support.md)
|
#### [Managed security service provider support](mssp-support.md)
|
||||||
|
|
||||||
### [Microsoft Threat Protection](threat-protection-integration.md)
|
### [Microsoft Threat Protection](threat-protection-integration.md)
|
||||||
#### [Protect users, data, and devices with conditional access](conditional-access.md)
|
#### [Protect users, data, and devices with Conditional Access](conditional-access.md)
|
||||||
#### [Microsoft Cloud App Security in Windows overview](microsoft-cloud-app-security-integration.md)
|
#### [Microsoft Cloud App Security in Windows overview](microsoft-cloud-app-security-integration.md)
|
||||||
#### [Information protection in Windows overview](information-protection-in-windows-overview.md)
|
#### [Information protection in Windows overview](information-protection-in-windows-overview.md)
|
||||||
|
##### [Use sensitivity labels to prioritize incident response ](information-protection-investigation.md)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
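Review bot: the new TOC entry has a trailing space inside the link text ("[Use sensitivity labels to prioritize incident response ]"), which the matching entry added to the other TOC in this change does not; remove it so both entries render identically. The "Conditional Access" capitalization change is fine and matches the title change in conditional-access.md.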
@ -360,7 +361,7 @@
|
|||||||
#### [Configure managed security service provider (MSSP) support](configure-mssp-support.md)
|
#### [Configure managed security service provider (MSSP) support](configure-mssp-support.md)
|
||||||
|
|
||||||
### Configure Microsoft Threat Protection integration
|
### Configure Microsoft Threat Protection integration
|
||||||
#### [Configure conditional access](configure-conditional-access.md)
|
#### [Configure Conditional Access](configure-conditional-access.md)
|
||||||
#### [Configure Microsoft Cloud App Security in Windows](microsoft-cloud-app-security-config.md)
|
#### [Configure Microsoft Cloud App Security in Windows](microsoft-cloud-app-security-config.md)
|
||||||
####[Configure information protection in Windows](information-protection-in-windows-config.md)
|
####[Configure information protection in Windows](information-protection-in-windows-config.md)
|
||||||
|
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
---
|
---
|
||||||
title: Enable conditional access to better protect users, devices, and data
|
title: Enable Conditional Access to better protect users, devices, and data
|
||||||
description: Enable conditional access to prevent applications from running if a device is considered at risk and an application is determined to be non-compliant.
|
description: Enable Conditional Access to prevent applications from running if a device is considered at risk and an application is determined to be non-compliant.
|
||||||
keywords: conditional access, block applications, security level, intune,
|
keywords: conditional access, block applications, security level, intune,
|
||||||
search.product: eADQiWindows 10XVcnh
|
search.product: eADQiWindows 10XVcnh
|
||||||
search.appverid: met150
|
search.appverid: met150
|
||||||
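Review bot: `keywords: conditional access, block applications, security level, intune,` still ends with a trailing comma, which leaves an empty trailing keyword; remove it or add the missing term. Leaving `conditional access` lowercase in `keywords` while `title` and `description` now use `Conditional Access` is acceptable for search terms, but confirm the recapitalization was meant for only those two fields.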
@ -17,7 +17,7 @@ ms.collection: M365-security-compliance
|
|||||||
ms.topic: article
|
ms.topic: article
|
||||||
---
|
---
|
||||||
|
|
||||||
# Enable conditional access to better protect users, devices, and data
|
# Enable Conditional Access to better protect users, devices, and data
|
||||||
|
|
||||||
**Applies to:**
|
**Applies to:**
|
||||||
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
||||||
@ -26,26 +26,26 @@ ms.topic: article
|
|||||||
|
|
||||||
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-conditionalaccess-abovefoldlink)
|
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-conditionalaccess-abovefoldlink)
|
||||||
|
|
||||||
Conditional access is a capability that helps you better protect your users and enterprise information by making sure that only secure devices have access to applications.
|
Conditional Access is a capability that helps you better protect your users and enterprise information by making sure that only secure devices have access to applications.
|
||||||
|
|
||||||
With conditional access, you can control access to enterprise information based on the risk level of a device. This helps keep trusted users on trusted devices using trusted applications.
|
With Conditional Access, you can control access to enterprise information based on the risk level of a device. This helps keep trusted users on trusted devices using trusted applications.
|
||||||
|
|
||||||
You can define security conditions under which devices and applications can run and access information from your network by enforcing policies to stop applications from running until a device returns to a compliant state.
|
You can define security conditions under which devices and applications can run and access information from your network by enforcing policies to stop applications from running until a device returns to a compliant state.
|
||||||
|
|
||||||
The implementation of conditional access in Microsoft Defender ATP is based on Microsoft Intune (Intune) device compliance policies and Azure Active Directory (Azure AD) conditional access policies.
|
The implementation of Conditional Access in Microsoft Defender ATP is based on Microsoft Intune (Intune) device compliance policies and Azure Active Directory (Azure AD) conditional access policies.
|
||||||
|
|
||||||
The compliance policy is used with conditional access to allow only devices that fulfill one or more device compliance policy rules to access applications.
|
The compliance policy is used with Conditional Access to allow only devices that fulfill one or more device compliance policy rules to access applications.
|
||||||
|
|
||||||
## Understand the conditional access flow
|
## Understand the Conditional Access flow
|
||||||
Conditional access is put in place so that when a threat is seen on a device, access to sensitive content is blocked until the threat is remediated.
|
Conditional Access is put in place so that when a threat is seen on a device, access to sensitive content is blocked until the threat is remediated.
|
||||||
|
|
||||||
The flow begins with machines being seen to have a low, medium, or high risk. These risk determinations are then sent to Intune.
|
The flow begins with machines being seen to have a low, medium, or high risk. These risk determinations are then sent to Intune.
|
||||||
|
|
||||||
Depending on how you configure policies in Intune, conditional access can be set up so that when certain conditions are met, the policy is applied.
|
Depending on how you configure policies in Intune, Conditional Access can be set up so that when certain conditions are met, the policy is applied.
|
||||||
|
|
||||||
For example, you can configure Intune to apply conditional access on devices that have a high risk.
|
For example, you can configure Intune to apply Conditional Access on devices that have a high risk.
|
||||||
|
|
||||||
In Intune, a device compliance policy is used in conjunction with Azure AD conditional access to block access to applications. In parallel, an automated investigation and remediation process is launched.
|
In Intune, a device compliance policy is used in conjunction with Azure AD Conditional Access to block access to applications. In parallel, an automated investigation and remediation process is launched.
|
||||||
|
|
||||||
A user can still use the device while the automated investigation and remediation is taking place, but access to enterprise data is blocked until the threat is fully remediated.
|
A user can still use the device while the automated investigation and remediation is taking place, but access to enterprise data is blocked until the threat is fully remediated.
|
||||||
|
|
||||||
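Review bot: the line `The implementation of Conditional Access in Microsoft Defender ATP is based on Microsoft Intune (Intune) device compliance policies and Azure Active Directory (Azure AD) conditional access policies.` still has lowercase `conditional access` at the end while every other occurrence in this hunk was changed to `Conditional Access`; capitalize it too, especially as the later hunk already uses `Azure AD Conditional Access policy` for the same thing.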
@ -54,23 +54,23 @@ To resolve the risk found on a device, you'll need to return the device to a com
|
|||||||
There are three ways to address a risk:
|
There are three ways to address a risk:
|
||||||
1. Use Manual or automated remediation.
|
1. Use Manual or automated remediation.
|
||||||
2. Resolve active alerts on the machine. This will remove the risk from the machine.
|
2. Resolve active alerts on the machine. This will remove the risk from the machine.
|
||||||
3. You can remove the machine from the active policies and consequently, conditional access will not be applied on the machine.
|
3. You can remove the machine from the active policies and consequently, Conditional Access will not be applied on the machine.
|
||||||
|
|
||||||
Manual remediation requires a secops admin to investigate an alert and address the risk seen on the device. The automated remediation is configured through configuration settings provided in the following section, [Configure conditional access](configure-conditional-access.md).
|
Manual remediation requires a secops admin to investigate an alert and address the risk seen on the device. The automated remediation is configured through configuration settings provided in the following section, [Configure Conditional Access](configure-conditional-access.md).
|
||||||
|
|
||||||
When the risk is removed either through manual or automated remediation, the device returns to a compliant state and access to applications is granted.
|
When the risk is removed either through manual or automated remediation, the device returns to a compliant state and access to applications is granted.
|
||||||
|
|
||||||
The following example sequence of events explains conditional access in action:
|
The following example sequence of events explains Conditional Access in action:
|
||||||
|
|
||||||
1. A user opens a malicious file and Microsoft Defender ATP flags the device as high risk.
|
1. A user opens a malicious file and Microsoft Defender ATP flags the device as high risk.
|
||||||
2. The high risk assessment is passed along to Intune. In parallel, an automated investigation is initiated to remediate the identified threat. A manual remediation can also be done to remediate the identified threat.
|
2. The high risk assessment is passed along to Intune. In parallel, an automated investigation is initiated to remediate the identified threat. A manual remediation can also be done to remediate the identified threat.
|
||||||
3. Based on the policy created in Intune, the device is marked as not compliant. The assessment is then communicated to Azure AD by the Intune conditional access policy. In Azure AD, the corresponding policy is applied to block access to applications.
|
3. Based on the policy created in Intune, the device is marked as not compliant. The assessment is then communicated to Azure AD by the Intune Conditional Access policy. In Azure AD, the corresponding policy is applied to block access to applications.
|
||||||
4. The manual or automated investigation and remediation is completed and the threat is removed. Microsoft Defender ATP sees that there is no risk on the device and Intune assesses the device to be in a compliant state. Azure AD applies the policy which allows access to applications.
|
4. The manual or automated investigation and remediation is completed and the threat is removed. Microsoft Defender ATP sees that there is no risk on the device and Intune assesses the device to be in a compliant state. Azure AD applies the policy which allows access to applications.
|
||||||
5. Users can now access applications.
|
5. Users can now access applications.
|
||||||
|
|
||||||
|
|
||||||
## Related topic
|
## Related topic
|
||||||
- [Configure conditional access in Microsoft Defender ATP](configure-conditional-access.md)
|
- [Configure Conditional Access in Microsoft Defender ATP](configure-conditional-access.md)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
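Review bot: step 1, `Use Manual or automated remediation.`, has a stray capital M mid-sentence; make it `Use manual or automated remediation.` The sentence `The automated remediation is configured through configuration settings provided in the following section, [Configure Conditional Access](configure-conditional-access.md)` points at a separate article, not a section of this page, so `the following section` should be `the following article`. Step 3, removing the machine from the active policies, is presented as an equivalent alternative to the first two, yet only manual or automated remediation actually removes the risk (as the next paragraph says); add a caution that option 3 lifts the access block without the threat having been remediated.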
@ -1,5 +1,5 @@
|
|||||||
---
|
---
|
||||||
title: Configure conditional access in Microsoft Defender ATP
|
title: Configure Conditional Access in Microsoft Defender ATP
|
||||||
description:
|
description:
|
||||||
keywords:
|
keywords:
|
||||||
search.product: eADQiWindows 10XVcnh
|
search.product: eADQiWindows 10XVcnh
|
||||||
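Review bot: `description:` and `keywords:` are left empty in this front matter while only `title:` was recapitalized; the companion conditional-access.md carries both fields, so fill these in here (a one-sentence description of the Intune and Azure AD steps, and keywords such as `conditional access, intune, compliance policy`). Empty metadata hurts search and the page summary shown in listings.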
@ -18,11 +18,11 @@ ms.topic: article
|
|||||||
ms.date: 09/03/2018
|
ms.date: 09/03/2018
|
||||||
---
|
---
|
||||||
|
|
||||||
# Configure conditional access in Microsoft Defender ATP
|
# Configure Conditional Access in Microsoft Defender ATP
|
||||||
**Applies to:**
|
**Applies to:**
|
||||||
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
||||||
|
|
||||||
This section guides you through all the steps you need to take to properly implement conditional access.
|
This section guides you through all the steps you need to take to properly implement Conditional Access.
|
||||||
|
|
||||||
### Before you begin
|
### Before you begin
|
||||||
>[!WARNING]
|
>[!WARNING]
|
||||||
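Review bot: `ms.date: 09/03/2018` is unchanged although the title, H1 and body text are edited in this commit; bump it to the change date. Also `### Before you begin` sits directly under the H1 with no H2 between them, and the step headings later in the file (`### Step 1: ...`) follow the same pattern, so consider promoting these to `##` for a consistent outline.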
@ -43,12 +43,12 @@ There are steps you'll need to take in Microsoft Defender Security Center, the I
|
|||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> You'll need a Microsoft Intune environment, with Intune managed and Azure AD joined Windows 10 devices.
|
> You'll need a Microsoft Intune environment, with Intune managed and Azure AD joined Windows 10 devices.
|
||||||
|
|
||||||
Take the following steps to enable conditional access:
|
Take the following steps to enable Conditional Access:
|
||||||
- Step 1: Turn on the Microsoft Intune connection from Microsoft Defender Security Center
|
- Step 1: Turn on the Microsoft Intune connection from Microsoft Defender Security Center
|
||||||
- Step 2: Turn on the Microsoft Defender ATP integration in Intune
|
- Step 2: Turn on the Microsoft Defender ATP integration in Intune
|
||||||
- Step 3: Create the compliance policy in Intune
|
- Step 3: Create the compliance policy in Intune
|
||||||
- Step 4: Assign the policy
|
- Step 4: Assign the policy
|
||||||
- Step 5: Create an Azure AD conditional access policy
|
- Step 5: Create an Azure AD Conditional Access policy
|
||||||
|
|
||||||
|
|
||||||
### Step 1: Turn on the Microsoft Intune connection
|
### Step 1: Turn on the Microsoft Intune connection
|
||||||
@ -85,17 +85,17 @@ Take the following steps to enable conditional access:
|
|||||||
4. Include or exclude your Azure AD groups to assign them the policy.
|
4. Include or exclude your Azure AD groups to assign them the policy.
|
||||||
5. To deploy the policy to the groups, select **Save**. The user devices targeted by the policy are evaluated for compliance.
|
5. To deploy the policy to the groups, select **Save**. The user devices targeted by the policy are evaluated for compliance.
|
||||||
|
|
||||||
### Step 5: Create an Azure AD conditional access policy
|
### Step 5: Create an Azure AD Conditional Access policy
|
||||||
1. In the [Azure portal](https://portal.azure.com), open **Azure Active Directory** > **Conditional access** > **New policy**.
|
1. In the [Azure portal](https://portal.azure.com), open **Azure Active Directory** > **Conditional Access** > **New policy**.
|
||||||
2. Enter a policy **Name**, and select **Users and groups**. Use the Include or Exclude options to add your groups for the policy, and select **Done**.
|
2. Enter a policy **Name**, and select **Users and groups**. Use the Include or Exclude options to add your groups for the policy, and select **Done**.
|
||||||
3. Select **Cloud apps**, and choose which apps to protect. For example, choose **Select apps**, and select **Office 365 SharePoint Online** and **Office 365 Exchange Online**. Select **Done** to save your changes.
|
3. Select **Cloud apps**, and choose which apps to protect. For example, choose **Select apps**, and select **Office 365 SharePoint Online** and **Office 365 Exchange Online**. Select **Done** to save your changes.
|
||||||
|
|
||||||
4. Select **Conditions** > **Client apps** to apply the policy to apps and browsers. For example, select **Yes**, and then enable **Browser** and **Mobile apps and desktop clients**. Select **Done** to save your changes.
|
4. Select **Conditions** > **Client apps** to apply the policy to apps and browsers. For example, select **Yes**, and then enable **Browser** and **Mobile apps and desktop clients**. Select **Done** to save your changes.
|
||||||
|
|
||||||
5. Select **Grant** to apply conditional access based on device compliance. For example, select **Grant access** > **Require device to be marked as compliant**. Choose **Select** to save your changes.
|
5. Select **Grant** to apply Conditional Access based on device compliance. For example, select **Grant access** > **Require device to be marked as compliant**. Choose **Select** to save your changes.
|
||||||
|
|
||||||
6. Select **Enable policy**, and then **Create** to save your changes.
|
6. Select **Enable policy**, and then **Create** to save your changes.
|
||||||
|
|
||||||
For more information, see [Enable Microsoft Defender ATP with conditional access in Intune](https://docs.microsoft.com/intune/advanced-threat-protection).
|
For more information, see [Enable Microsoft Defender ATP with Conditional Access in Intune](https://docs.microsoft.com/intune/advanced-threat-protection).
|
||||||
|
|
||||||
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-conditionalaccess-belowfoldlink)
|
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-conditionalaccess-belowfoldlink)
|
||||||
|
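Review bot: step 3 of the Azure AD policy only includes the two apps given as the example (`Office 365 SharePoint Online` and `Office 365 Exchange Online`), and nothing in the step says that cloud apps left out of the policy are not gated by device compliance at all; add a sentence making that explicit so a reader does not assume the policy covers every application after following the example. Otherwise the recapitalized `**Conditional Access**` blade name in step 1 now matches the portal UI.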
After Width: | Height: | Size: 32 KiB |
After Width: | Height: | Size: 9.6 KiB |
After Width: | Height: | Size: 20 KiB |
After Width: | Height: | Size: 30 KiB |
After Width: | Height: | Size: 15 KiB |
After Width: | Height: | Size: 35 KiB |
After Width: | Height: | Size: 90 KiB |
@ -14,7 +14,6 @@ manager: dansimp
|
|||||||
audience: ITPro
|
audience: ITPro
|
||||||
ms.collection: M365-security-compliance
|
ms.collection: M365-security-compliance
|
||||||
ms.topic: article
|
ms.topic: article
|
||||||
ms.date: 12/05/2018
|
|
||||||
---
|
---
|
||||||
|
|
||||||
# Configure information protection in Windows
|
# Configure information protection in Windows
|
||||||
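Review bot: `ms.date: 12/05/2018` is removed outright rather than updated; this commit adds new sections to the file (`Configure endpoint data loss prevention`, `Configure auto labeling`), so set the date to the change date instead of dropping it, otherwise the page loses its last-updated stamp entirely.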
@ -23,18 +22,22 @@ ms.date: 12/05/2018
|
|||||||
|
|
||||||
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
||||||
|
|
||||||
Learn how you can use Microsoft Defender ATP to expand the coverage of Microsoft Information Protection (WIP) to protect files based on their label, regardless of their origin.
|
Learn how you can use Microsoft Defender ATP to expand the coverage of Windows Information Protection (WIP) to protect files based on their label, regardless of their origin.
|
||||||
|
|
||||||
>[!TIP]
|
>[!TIP]
|
||||||
> Read our blog post about how [Microsoft Defender ATP integrates with Microsoft Information Protection to discover, protect, and monitor sensitive data on Windows devices](https://cloudblogs.microsoft.com/microsoftsecure/2019/01/17/windows-defender-atp-integrates-with-microsoft-information-protection-to-discover-protect-and-monitor-sensitive-data-on-windows-devices/).
|
> Read our blog post about how [Microsoft Defender ATP integrates with Microsoft Information Protection to discover, protect, and monitor sensitive data on Windows devices](https://cloudblogs.microsoft.com/microsoftsecure/2019/01/17/windows-defender-atp-integrates-with-microsoft-information-protection-to-discover-protect-and-monitor-sensitive-data-on-windows-devices/).
|
||||||
|
|
||||||
|
If a file meets the criteria set in the policy settings and endpoint data loss prevention setting is also configured, WIP will be enabled for that file.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
## Prerequisites
|
## Prerequisites
|
||||||
- Endpoints need to be on Windows 10, version 1809 or later
|
- Endpoints need to be on Windows 10, version 1809 or later
|
||||||
- You'll need the appropriate license to leverage the Microsoft Defender ATP and Azure Information Protection integration
|
- You'll need the appropriate license to leverage the Microsoft Defender ATP and Azure Information Protection integration
|
||||||
- Your tenant needs to be onboarded to Azure Information Protection analytics, for more information see, [Configure a Log Analytics workspace for the reports](https://docs.microsoft.com/azure/information-protection/reports-aip#configure-a-log-analytics-workspace-for-the-reports)
|
- Your tenant needs to be onboarded to Azure Information Protection analytics, for more information see, [Configure a Log Analytics workspace for the reports](https://docs.microsoft.com/azure/information-protection/reports-aip#configure-a-log-analytics-workspace-for-the-reports)
|
||||||
|
|
||||||
|
|
||||||
## Configuration steps
|
## Configure endpoint data loss prevention
|
||||||
1. Define a WIP policy and assign it to the relevant devices. For more information, see [Protect your enterprise data using Windows Information Protection (WIP)](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip). If WIP is already configured on the relevant devices, skip this step.
|
1. Define a WIP policy and assign it to the relevant devices. For more information, see [Protect your enterprise data using Windows Information Protection (WIP)](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip). If WIP is already configured on the relevant devices, skip this step.
|
||||||
2. Define which labels need to get WIP protection in Office 365 Security and Compliance.
|
2. Define which labels need to get WIP protection in Office 365 Security and Compliance.
|
||||||
|
|
||||||
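Review bot: the new sentence `If a file meets the criteria set in the policy settings and endpoint data loss prevention setting is also configured, WIP will be enabled for that file.` needs an article (`and the endpoint data loss prevention setting`) and a more precise verb: WIP is enabled on a device by policy, and what happens to a matching file is that WIP protection is applied to it. Suggest: `If a file meets the criteria set in the label's policy settings and the endpoint data loss prevention setting is also configured, WIP protection is applied to that file.` The paragraph also floats between the TIP callout and `## Prerequisites`; it reads better directly after the `Learn how you can use Microsoft Defender ATP...` intro. The correction from `Microsoft Information Protection (WIP)` to `Windows Information Protection (WIP)` is right.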
@ -42,7 +45,7 @@ Learn how you can use Microsoft Defender ATP to expand the coverage of Microsoft
|
|||||||
2. Create a new label or edit an existing one.
|
2. Create a new label or edit an existing one.
|
||||||
3. In the configuration wizard, go to 'Data loss prevention' tab and enable WIP.
|
3. In the configuration wizard, go to 'Data loss prevention' tab and enable WIP.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
4. Repeat for every label that you want to get WIP applied to in Windows.
|
4. Repeat for every label that you want to get WIP applied to in Windows.
|
||||||
|
|
||||||
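Review bot: step 3 quotes the UI element with single quotes (`go to 'Data loss prevention' tab and enable WIP`) while the rest of this file bolds UI paths (`**Classifications > Labels**` in the auto labeling section added below); use bold here as well and add the article: `go to the **Data loss prevention** tab and enable WIP`.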
@ -52,5 +55,36 @@ After completing these steps Microsoft Defender ATP will automatically identify
|
|||||||
>- The Microsoft Defender ATP configuration is pulled every 15 minutes. Allow up to 30 minutes for the new policy to take effect and ensure that the endpoint is online. Otherwise, it will not receive the policy.
|
>- The Microsoft Defender ATP configuration is pulled every 15 minutes. Allow up to 30 minutes for the new policy to take effect and ensure that the endpoint is online. Otherwise, it will not receive the policy.
|
||||||
>- Data forwarded to Azure Information Protection is stored in the same location as your other Azure Information Protection data.
|
>- Data forwarded to Azure Information Protection is stored in the same location as your other Azure Information Protection data.
|
||||||
|
|
||||||
|
|
||||||
|
## Configure auto labeling
|
||||||
|
|
||||||
|
Windows automatically detects when an Office file, PDF, CSV or TXT files are being created on a device and inspects it based on context to identify sensitive information types.
|
||||||
|
|
||||||
|
Those information types are evaluated against the auto-labeling policy. If a match is found, it is processed in the same way as if the file was labeled; the file is protected with Endpoint data loss prevention.
|
||||||
|
|
||||||
|
>[!NOTE]
|
||||||
|
> Auto-labeling requires Windows 10, version 1903.
|
||||||
|
|
||||||
|
|
||||||
|
1. In Office 365 Security & Compliance, go to **Classifications > Labels**.
|
||||||
|
|
||||||
|
2. Create a new label or edit an existing one.
|
||||||
|
|
||||||
|
|
||||||
|
3. Set a policy for Data classification:
|
||||||
|
|
||||||
|
1. Go through the label creation wizard.
|
||||||
|
2. When you reach the Auto labeling page, turn on auto labeling toggle on.
|
||||||
|
3. Add a new auto-labeling rule with the conditions that you require.
|
||||||
|
|
||||||
|

|
||||||
|
|
||||||
|
4. Validate that "When content matches these conditions" setting is set to "Automatically apply the label".
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
## Related topic
|
## Related topic
|
||||||
- [Information protection in Windows overview](information-protection-in-windows-overview.md)
|
- [Information protection in Windows overview](information-protection-in-windows-overview.md)
|
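Review bot: the NOTE `Auto-labeling requires Windows 10, version 1903.` contradicts the `## Prerequisites` list earlier in this file, which still says `Endpoints need to be on Windows 10, version 1809 or later`; add the 1903 requirement to Prerequisites (and say `or later` if that is what is meant), otherwise readers will enable auto labeling on 1809 endpoints and see nothing happen. Grammar in the new text: `when an Office file, PDF, CSV or TXT files are being created on a device and inspects it` mixes singular and plural (suggest `when an Office, PDF, CSV, or TXT file is created on a device and inspects it`); `turn on auto labeling toggle on` repeats `on`; and step 4 should bold the UI strings like the other steps do. The sub-steps under `3. Set a policy for Data classification:` restart numbering at 1 at the same indent, so make sure they are indented in the source so Markdown renders them as a nested list rather than a second list.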
@ -31,22 +31,36 @@ Microsoft Defender ATP is seamlessly integrated in Microsoft Threat Protection t
|
|||||||
> Read our blog post about how [Microsoft Defender ATP integrates with Microsoft Information Protection to discover, protect, and monitor sensitive data on Windows devices](https://cloudblogs.microsoft.com/microsoftsecure/2019/01/17/windows-defender-atp-integrates-with-microsoft-information-protection-to-discover-protect-and-monitor-sensitive-data-on-windows-devices/).
|
> Read our blog post about how [Microsoft Defender ATP integrates with Microsoft Information Protection to discover, protect, and monitor sensitive data on Windows devices](https://cloudblogs.microsoft.com/microsoftsecure/2019/01/17/windows-defender-atp-integrates-with-microsoft-information-protection-to-discover-protect-and-monitor-sensitive-data-on-windows-devices/).
|
||||||
|
|
||||||
|
|
||||||
Microsoft Defender ATP applies two methods to discover and protect data:
|
Microsoft Defender ATP applies the following methods to discover, classify, and protect data:
|
||||||
- **Data discovery** - Identify sensitive data on Windows devices at risk
|
- **Data discovery** - Identify sensitive data on Windows devices at risk
|
||||||
|
- **Data classification** - Automatically classify data based on common Microsoft Information Protection (MIP) policies managed in Office 365 Security & Compliance Center. Auto-classification allows you to protect sensitive data even if the end user hasn’t manually classified it.
|
||||||
- **Data protection** - Windows Information Protection (WIP) as outcome of Azure Information Protection label
|
- **Data protection** - Windows Information Protection (WIP) as outcome of Azure Information Protection label
|
||||||
|
|
||||||
|
|
||||||
## Data discovery
|
## Data discovery and data classification
|
||||||
Microsoft Defender ATP automatically discovers files with sensitivity labels on Windows devices when the feature is enabled. You can enable the Azure Information Protection integration feature from Microsoft Defender Security Center. For more information, see [Configure advanced features](advanced-features.md#azure-information-protection).
|
Microsoft Defender ATP automatically discovers files with sensitivity labels and files that contain sensitive information types.
|
||||||
|
|
||||||
|
Sensitivity labels classify and help protect sensitive content.
|
||||||
|
|
||||||
|
|
||||||
|
Sensitive information types in the Office 365 data loss prevention (DLP) implementation fall under two categories:
|
||||||
|
- Default
|
||||||
|
- Custom
|
||||||
|
|
||||||
|
Default sensitive information types include information such as bank account numbers, social security numbers, or national IDs. For more information, see [What the sensitive information type look for](https://docs.microsoft.com/office365/securitycompliance/what-the-sensitive-information-types-look-for).
|
||||||
|
|
||||||
|
Custom types are ones that you define and is designed to protect a different type of sensitive information (for example, employee IDs or project numbers). For more information see, [Create a custom sensitive information type](https://docs.microsoft.com/en-us/office365/securitycompliance/create-a-custom-sensitive-information-type).
|
||||||
|
|
||||||
|
|
||||||
|
When a file is created or edited on a Windows device, Windows Defender ATP scans the content to evaluate if it contains sensitive information.
|
||||||
|
|
||||||
|
Turn on the Azure Information Protection integration so that when a file that contains sensitive information is discovered by Microsoft Defender ATP though labels or information types, it is automatically forwarded to Azure Information Protection from the device.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
After enabling the Azure Information Protection integration, data discovery signals are immediately forwarded to Azure Information Protection from the device. When a labeled file is created or modified on a Windows device, Microsoft Defender ATP automatically reports the signal to Azure Information Protection.
|
The reported signals can be viewed on the Azure Information Protection – Data discovery dashboard.
|
||||||
|
|
||||||
The reported signals can be viewed on the Azure Information Protection - Data discovery dashboard.
|
## Azure Information Protection - Data discovery dashboard
|
||||||
|
|
||||||
### Azure Information Protection - Data discovery dashboard
|
|
||||||
This dashboard presents a summarized discovery information of data discovered by bothMicrosoft Defender ATP and Azure Information Protection. Data from Microsoft Defender ATP is marked with Location Type - Endpoint.
|
This dashboard presents a summarized discovery information of data discovered by bothMicrosoft Defender ATP and Azure Information Protection. Data from Microsoft Defender ATP is marked with Location Type - Endpoint.
|
||||||
|
|
||||||

|

|
||||||
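Review bot: the removed sentence `You can enable the Azure Information Protection integration feature from Microsoft Defender Security Center. For more information, see [Configure advanced features](advanced-features.md#azure-information-protection).` was the only pointer to where the integration is switched on; the replacement `Turn on the Azure Information Protection integration so that ...` no longer says where, so restore that link. Text fixes needed in the new lines: `Custom types are ones that you define and is designed` should be `are designed`; `though labels or information types` should be `through`; `Windows Defender ATP scans the content` should be `Microsoft Defender ATP` like the rest of the page; the link text `What the sensitive information type look for` should be `types look for`; `bothMicrosoft Defender ATP` in the unchanged context line is missing a space and is worth fixing while you are here; and the dashboard name uses an en dash in `Azure Information Protection – Data discovery dashboard` but a hyphen in the new `## Azure Information Protection - Data discovery dashboard` heading.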
@ -54,13 +68,15 @@ This dashboard presents a summarized discovery information of data discovered by
|
|||||||
|
|
||||||
Notice the Device Risk column on the right, this device risk is derived directly from Microsoft Defender ATP, indicating the risk level of the security device where the file was discovered, based on the active security threats detected by Microsoft Defender ATP.
|
Notice the Device Risk column on the right, this device risk is derived directly from Microsoft Defender ATP, indicating the risk level of the security device where the file was discovered, based on the active security threats detected by Microsoft Defender ATP.
|
||||||
|
|
||||||
Clicking the device risk level will redirect you to the device page in Microsoft Defender ATP, where you can get a comprehensive view of the device security status and its active alerts.
|
Click on a device to view a list of files observed on this device, with their sensitivity labels and information types.
|
||||||
|
|
||||||
|
|
||||||
>[!NOTE]
|
>[!NOTE]
|
||||||
>Microsoft Defender ATP does not currently report the Information Types.
|
>Please allow approximately 15-20 minutes for the Azure Information Protection Dashboard Discovery to reflect discovered files.
|
||||||
|
|
||||||
### Log Analytics
|
|
||||||
|
|
||||||
|
|
||||||
|
## Log Analytics
|
||||||
Data discovery based on Microsoft Defender ATP is also available in [Azure Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-overview), where you can perform complex queries over the raw data.
|
Data discovery based on Microsoft Defender ATP is also available in [Azure Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-overview), where you can perform complex queries over the raw data.
|
||||||
|
|
||||||
For more information on Azure Information Protection analytics, see [Central reporting for Azure Information Protection](https://docs.microsoft.com/azure/information-protection/reports-aip).
|
For more information on Azure Information Protection analytics, see [Central reporting for Azure Information Protection](https://docs.microsoft.com/azure/information-protection/reports-aip).
|
||||||
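Review bot: the replaced sentence `Clicking the device risk level will redirect you to the device page in Microsoft Defender ATP, where you can get a comprehensive view of the device security status and its active alerts.` described the pivot from a discovered sensitive file to the device's alerts, which is exactly what an analyst needs when triaging; if that pivot still exists, keep it alongside the new `Click on a device to view a list of files observed on this device...` sentence rather than dropping it. The unchanged line `Notice the Device Risk column on the right, this device risk is derived directly from Microsoft Defender ATP, indicating the risk level of the security device where the file was discovered` is a comma splice and `security device` should be `device`. The new NOTE's `15-20 minutes` for discovered files to appear in the dashboard is a different latency from the `15 minutes` pull and `30 minutes` allowance given for policy delivery in the config article; stating both is fine, but say which one this is (dashboard reflection, not policy delivery).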
@ -82,10 +98,15 @@ InformationProtectionLogs_CL
|
|||||||
|
|
||||||
|
|
||||||
## Data protection
|
## Data protection
|
||||||
For data to be protected, they must first be identified through labels. Sensitivity labels are created in Office Security and Compliance (SCC). Microsoft Defender ATP then uses the labels to identify endpoints that need Windows Information Protection (WIP) applied on them.
|
|
||||||
|
|
||||||
|
### Endpoint data loss prevention
|
||||||
|
For data to be protected, they must first be identified through labels.
|
||||||
|
|
||||||
When you create sensitivity labels, you can set the information protection functionalities that will be applied on the file. The setting that applies to Microsoft Defender ATP is the Data loss prevention. You'll need to turn on the Data loss prevention and select Enable Windows end point protection (DLP for devices).
|
Sensitivity labels are created in Office 365 Security & Compliance Center. Microsoft Defender ATP then uses the labels to identify endpoints that need Windows Information Protection (WIP) applied on them.
|
||||||
|
|
||||||
|
When you create sensitivity labels, you can set the information protection functionalities that will be applied on the file. The setting that applies to Microsoft Defender ATP is the Endpoint data loss prevention.
|
||||||
|
|
||||||
|
For the endpoint data loss prevention, you'll need to turn on the Endpoint Data loss prevention and select Enable Windows end point protection (DLP for devices).
|
||||||
|
|
||||||
|
|
||||||

|

|
||||||
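Review bot: `For data to be protected, they must first be identified through labels.` should be `it must first be identified`, since data is treated as singular elsewhere on the page. The new line `turn on the Endpoint Data loss prevention and select Enable Windows end point protection (DLP for devices)` mixes `Endpoint`, `Data loss` and `end point` capitalization and spelling; write the UI labels exactly as they appear in the wizard and bold them, for example `turn on **Endpoint data loss prevention** and select **Enable Windows endpoint protection (DLP for devices)**`, if that is the exact UI string. Also `Office 365 Security & Compliance Center` here versus `Office 365 Security and Compliance` in the config article; pick one name for the portal.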
@ -94,6 +115,19 @@ Once, the policy is set and published, Microsoft Defender ATP automatically enab
This functionality expands the coverage of WIP to protect files based on their label, regardless of their origin.
This functionality expands the coverage of WIP to protect files based on their label, regardless of their origin.
For more information, see [Configure information protection in Windows](information-protection-in-windows-config.md).
## Auto labeling
Auto labeling is another way to protect data and can also be configured in Office 365 Security & Compliance Center. Windows automatically detects when an Office file, PDF, CSV or TXT files are being created on a device and inspects it based on context to identify sensitive information types.
Those information types are evaluated against the auto-labeling policy. If a match is found, it is processed in the same way as if the file was labeled; the file is protected with Endpoint data loss prevention.
> [!NOTE]
> Auto-labeling is supported in Office apps only when the Azure Information Protection unified labeling client is installed. When sensitive content is detected in email or documents matching the conditions you choose, a label can automatically be applied or a message can be shown to users recommending they apply it themselves.
For more information, see [Configure information protection in Windows](information-protection-in-windows-config.md).
For more information, see [Configure information protection in Windows](information-protection-in-windows-config.md).
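Review bot: Number agreement in the Auto labeling paragraph: "detects when an Office file, PDF, CSV or TXT files are being created on a device and inspects it" mixes singular and plural; suggest "detects when an Office, PDF, CSV or TXT file is being created on a device and inspects it". The spelling also alternates between "Auto labeling" (heading and first sentence) and "auto-labeling" (policy and NOTE); pick one. Finally, the paragraph says Windows detects the file creation, while the NOTE limits auto-labeling to Office apps with the Azure Information Protection unified labeling client installed; say which component does the detection so readers do not expect PDF, CSV or TXT files to be labeled without the client.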
@ -0,0 +1,65 @@
---
title: Use sensitivity labels to prioritize incident response
description: Learn how to use sensitivity labels to prioritize and investigate incidents
keywords: information, protection, data, loss, prevention,labels, dlp, incident, investigate, investigation
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Use sensitivity labels to prioritize incident response
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
A typical advanced persistent threat lifecycle involves data exfiltration. In a security incident, it's important to have the ability to prioritize investigations where sensitive files may be jeopardy so that corporate data and information are protected.
Microsoft Defender ATP helps to make the prioritization of security incidents much simpler with the use of sensitivity labels. Sensitivity labels quickly identify incidents that may involve machines with sensitive information such as confidential information.
## Investigate incidents that involve sensitive data
Learn how to use data sensitivity labels to prioritize incident investigation.
>[!NOTE]
>Labels are detected for Windows 10, version 1809 or later.
1. In Microsoft Defender Security Center, select **Incidents**.
2. Scroll to the right to see the **Data sensitivity** column. This column reflects sensitivity labels that have been observed on machines related to the incidents providing an indication of whether sensitive files may be impacted by the incident.

You can also filter based on **Data sensitivity**

3. Open the incident page to further investigate.

4. Select the **Machines** tab to identify machines storing files with sensitivity labels.

5. Select the machines that store sensitive data and search through the timeline to identify which files may be impacted then take appropriate action to ensure that data is protected.
You can narrow down the events shown on the machine timeline by searching for data sensitivity labels. Doing this will show only events associated with files that have said label name.

>[!NOTE]
> The event side pane now provides additional insight to the WIP and AIP protection status.
>[!TIP]
>These data points are also exposed through the ‘FileCreationEvents’ in advanced hunting, allowing advanced queries and schedule detection to take into account sensitivity labels and file protection status.
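Review bot: Missing word in the introduction of this new file: "where sensitive files may be jeopardy" should be "may be in jeopardy". Smaller items in the same file: "prevention,labels" in the keywords line lacks a space; "You can also filter based on **Data sensitivity**" has no terminating period; "sensitive information such as confidential information" is circular and could simply end at "sensitive information"; and the TIP wraps ‘FileCreationEvents’ in curly quotes where backticks are used for identifiers elsewhere, and "schedule detection" should be "scheduled detections".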
@ -107,7 +107,7 @@ help | Provides help information for live response commands.
persistence | Shows all known persistence methods on the machine.
persistence | Shows all known persistence methods on the machine.
processes | Shows all processes running on the machine.
processes | Shows all processes running on the machine.
registry | Shows registry values.
registry | Shows registry values.
sheduledtasks| Shows all scheduled tasks on the machine.
scheduledtasks| Shows all scheduled tasks on the machine.
services | Shows all services on the machine.
services | Shows all services on the machine.
trace | Sets the terminal's logging mode to debug.
trace | Sets the terminal's logging mode to debug.
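Review bot: The typo fix is correct; while on this row, `scheduledtasks| Shows` is still missing the space before `|` that every other row of the command table has.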
@ -17,7 +17,7 @@ ms.collection: M365-security-compliance
ms.topic: conceptual
ms.topic: conceptual
---
---
# Microsoft Defender Advanced Threat Protection portal overview
# Microsoft Defender Security Center portal overview
**Applies to:**
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
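Review bot: Only the H1 is renamed here; the front-matter `title:` and `description:` fields sit above this hunk (it starts at line 17, just below `ms.topic: conceptual`) and are not shown, so check that they and any TOC entry are updated to "Microsoft Defender Security Center portal overview" in the same change, otherwise the browser title and the page heading will disagree.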
@ -40,8 +40,8 @@ Microsoft Defender ATP provides a comprehensive server protection solution, incl
## Azure Information Protection
## Azure Information Protection
Keep sensitive data secure while enabling productivity in the workplace through data data discovery and data protection.
Keep sensitive data secure while enabling productivity in the workplace through data data discovery and data protection.
## Conditional access
## Conditional Access
Microsoft Defender ATP's dynamic machine risk score is integrated into the conditional access evaluation, ensuring that only secure devices have access to resources.
Microsoft Defender ATP's dynamic machine risk score is integrated into the Conditional Access evaluation, ensuring that only secure devices have access to resources.
## Microsoft Cloud App Security
## Microsoft Cloud App Security
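Review bot: The duplicated word in "through data data discovery and data protection" (Azure Information Protection paragraph, unchanged context two lines above the edited heading) should be fixed while this file is open; the capitalisation change to "Conditional Access" itself is fine.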
@ -56,7 +56,7 @@ The Skype for Business integration provides s a way for analysts to communicate
## Related topic
## Related topic
- [Protect users, data, and devices with conditional access](conditional-access.md)
- [Protect users, data, and devices with Conditional Access](conditional-access.md)
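Review bot: The hunk header's context text reads "The Skype for Business integration provides s a way for analysts to communicate" (stray "s" after "provides"); since this file is already being touched for the capitalisation change, fix that typo too.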
@ -100,7 +100,7 @@ Query data using Advanced hunting in Microsoft Defender ATP.
>[!NOTE]
>[!NOTE]
>Available from Windows 10, version 1803 or later.
>Available from Windows 10, version 1803 or later.
- [Conditional access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection) <br> Enable conditional access to better protect users, devices, and data.
- [Conditional Access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection) <br> Enable conditional access to better protect users, devices, and data.
- [Microsoft Defender ATP Community center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection)<BR>
- [Microsoft Defender ATP Community center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection)<BR>
The Microsoft Defender ATP Community Center is a place where community members can learn, collaborate, and share experiences about the product.
The Microsoft Defender ATP Community Center is a place where community members can learn, collaborate, and share experiences about the product.
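Review bot: Inconsistent capitalisation within the edited line: the link text becomes "Conditional Access" but the description after `<br>` still says "Enable conditional access". The neighbouring entry has the same problem ("Community center" in the link text, "Community Center" in the sentence below it), and the line-break tags differ in case (`<br>` vs `<BR>`).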
@ -26,6 +26,7 @@ The SCT enables administrators to effectively manage their enterprise’s Group
The Security Compliance Toolkit consists of:
The Security Compliance Toolkit consists of:
- Windows 10 security baselines
- Windows 10 security baselines
- Windows 10 Version 1903 (May 2019 Update)
- Windows 10 Version 1809 (October 2018 Update)
- Windows 10 Version 1809 (October 2018 Update)
- Windows 10 Version 1803 (April 2018 Update)
- Windows 10 Version 1803 (April 2018 Update)
- Windows 10 Version 1709 (Fall Creators Update)
- Windows 10 Version 1709 (Fall Creators Update)
@ -69,6 +69,9 @@ Enabling this policy setting allows the operating system to store passwords in a
Disable the **Store password using reversible encryption** policy setting.
Disable the **Store password using reversible encryption** policy setting.
>[!Note]
> When policy settings are disabled, only new passwords will be stored using one-way encryption by default. Existing passwords will be stored using reversible encryption until they are changed.
### Potential impact
### Potential impact
If your organization uses CHAP through remote access or IAS, or Digest Authentication in IIS, you must configure this policy setting to Enabled. This presents a security risk when you apply the setting through Group Policy on a user-by-user basis because it requires the appropriate user account object to be opened in Active Directory Users and Computers.
If your organization uses CHAP through remote access or IAS, or Digest Authentication in IIS, you must configure this policy setting to Enabled. This presents a security risk when you apply the setting through Group Policy on a user-by-user basis because it requires the appropriate user account object to be opened in Active Directory Users and Computers.
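Review bot: The new note says "When policy settings are disabled" although the line above refers to a single setting; use "When this policy setting is disabled". "Stored using one-way encryption" is imprecise for the non-reversible storage the setting restores; "stored in a non-reversible form" avoids implying the stored value can be decrypted. The operational point is the valuable part and deserves to be explicit: because existing passwords stay reversibly encrypted until changed, the remediation is not complete until affected users have changed their passwords. Also, `[!Note]` differs in case from the `[!NOTE]` form used in the other files of this commit.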
@ -26,7 +26,7 @@ You can manage and configure Windows Defender Antivirus with the following tools
- System Center Configuration Manager
- System Center Configuration Manager
- Group Policy
- Group Policy
- PowerShell cmdlets
- PowerShell cmdlets
- Windows Management Instruction (WMI)
- Windows Management Instrumentation (WMI)
- The mpcmdrun.exe utility
- The mpcmdrun.exe utility
The topics in this section provide further information, links, and resources for using these tools to manage and configure Windows Defender Antivirus.
The topics in this section provide further information, links, and resources for using these tools to manage and configure Windows Defender Antivirus.
@ -95,7 +95,16 @@ Security intelligence and product updates
Upload location for files submitted to Microsoft via the <a href="https://www.microsoft.com/en-us/security/portal/submission/submit.aspx">Submission form</a> or automatic sample submission
Upload location for files submitted to Microsoft via the <a href="https://www.microsoft.com/en-us/security/portal/submission/submit.aspx">Submission form</a> or automatic sample submission
</td>
</td>
<td>
<td>
*.blob.core.windows.net
ussus1eastprod.blob.core.windows.net<br />
ussus1westprod.blob.core.windows.net<br />
usseu1northprod.blob.core.windows.net<br />
usseu1westprod.blob.core.windows.net<br />
ussuk1southprod.blob.core.windows.net<br />
ussuk1westprod.blob.core.windows.net<br />
ussas1eastprod.blob.core.windows.net<br />
ussas1southeastprod.blob.core.windows.net<br />
ussau1eastprod.blob.core.windows.net<br />
ussau1southeastprod.blob.core.windows.net<br />
</td>
</td>
</tr>
</tr>
<tr style="vertical-align:top">
<tr style="vertical-align:top">
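Review bot: Replacing the `*.blob.core.windows.net` wildcard with ten named storage hosts tightens the egress allow-list, which is the right direction, but the cell gives no hint that the hosts are region-specific or that the list may grow; a sentence saying that all of them should be allowed (or which host serves which region) would stop readers from allowing only the one they recognise, and a host missing from this list would silently break sample submission for that region. The last entry also carries a trailing `<br />` before `</td>` that is not needed.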
@ -73,7 +73,7 @@ Hiding notifications can be useful in situations where you can't hide the entire
> [!NOTE]
> [!NOTE]
> Hiding notifications will only occur on endpoints to which the policy has been deployed. Notifications related to actions that must be taken (such as a reboot) will still appear on the [System Center Configuration Manager Endpoint Protection monitoring dashboard and reports](https://docs.microsoft.com/sccm/protect/deploy-use/monitor-endpoint-protection).
> Hiding notifications will only occur on endpoints to which the policy has been deployed. Notifications related to actions that must be taken (such as a reboot) will still appear on the [System Center Configuration Manager Endpoint Protection monitoring dashboard and reports](https://docs.microsoft.com/sccm/protect/deploy-use/monitor-endpoint-protection).
See [Customize the Windows Security app for your organization](/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md) for instructions to add custom contact information to the notifications that users see on their machines.
See [Customize the Windows Security app for your organization](../windows-defender-security-center/windows-defender-security-center.md) for instructions to add custom contact information to the notifications that users see on their machines.
**Use Group Policy to hide notifications:**
**Use Group Policy to hide notifications:**
@ -40,7 +40,7 @@ Download the installation and onboarding packages from Microsoft Defender Securi
4. In Section 2 of the page, select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory.
4. In Section 2 of the page, select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory.
5. Download **IntuneAppUtil** from [https://docs.microsoft.com/en-us/intune/lob-apps-macos](https://docs.microsoft.com/en-us/intune/lob-apps-macos).
5. Download **IntuneAppUtil** from [https://docs.microsoft.com/en-us/intune/lob-apps-macos](https://docs.microsoft.com/en-us/intune/lob-apps-macos).


6. From a command prompt, verify that you have the three files.
6. From a command prompt, verify that you have the three files.
Extract the contents of the .zip files:
Extract the contents of the .zip files:
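Review bot: No textual change is visible in this hunk even though the header reports one line modified, so the edit is probably whitespace or line-ending only; confirm it is intentional, since such changes make the diff harder to review without adding anything for the reader.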
@ -41,7 +41,7 @@ Download the installation and onboarding packages from Windows Defender Security
3. In Section 2 of the page, select **Download installation package**. Save it as _wdav.pkg_ to a local directory.
3. In Section 2 of the page, select **Download installation package**. Save it as _wdav.pkg_ to a local directory.
4. In Section 2 of the page, select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory.
4. In Section 2 of the page, select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory.


5. From the command prompt, verify that you have the two files. Extract the contents of the .zip files like so:
5. From the command prompt, verify that you have the two files. Extract the contents of the .zip files like so:
@ -70,7 +70,7 @@ The configuration profile contains a custom settings payload that includes:
- Microsoft Defender ATP for Mac onboarding information
- Microsoft Defender ATP for Mac onboarding information
- Approved Kernel Extensions payload, to enable running the Microsoft kernel driver
- Approved Kernel Extensions payload, to enable running the Microsoft kernel driver
To set the onboarding information, upload a property list file with the name, _jamf/WindowsDefenderATPOnboarding.plist_.
To set the onboarding information, add a property list file with the name, _jamf/WindowsDefenderATPOnboarding.plist_, as a custom setting. You can do this by navigating to **Computers**>**Configuration Profiles**, selecting **New**, then choosing **Custom Settings**>**Configure**. From there, you can upload the property list.
>[!IMPORTANT]
>[!IMPORTANT]
> You must set the the Preference Domain as "com.microsoft.wdav.atp"
> You must set the the Preference Domain as "com.microsoft.wdav.atp"
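Review bot: The IMPORTANT note directly below the edited sentence still reads "set the the Preference Domain" (doubled "the") and has no terminating period; fix it in the same change. In the new navigation path, `**Computers**>**Configuration Profiles**` and `**Custom Settings**>**Configure**` have no spaces around `>`, unlike the `**System Preferences** > **Profiles**` form used elsewhere in this commit.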
@ -104,8 +104,8 @@ Use the **Logs** tab to monitor deployment status for each enrolled device.


2. Upload wdav.pkg to the Distribution Point.
2. Upload the package to the Distribution Point.
3. In the **filename** field, enter the name of the package. For example, wdav.pkg.
3. In the **filename** field, enter the name of the package. For example, _wdav.pkg_.
### Policy
### Policy
@ -133,7 +133,7 @@ After a moment, the device's User Approved MDM status will change to **Yes**.


You may now enroll additional devices. You can also enroll them later, after you have finished provisioning system configuration and application packages.
You may now enroll additional devices. You may also enroll them later, after you have finished provisioning system configuration and application packages.
## Deployment
## Deployment
@ -150,11 +150,11 @@ You can monitor deployment status in the **Logs** tab:
### Status on client device
### Status on client device
After the Configuration Profile is deployed, you'll see the profile on the device in **System Preferences > Profiles >**, under the name of the configuration profile.
After the Configuration Profile is deployed, you'll see the profile for the device in **System Preferences** > **Profiles >**.


After the policy is applied, you'll see the Microsoft Defender ATP icon in the macOS status bar in the top-right corner.
Once the policy is applied, you'll see the Microsoft Defender ATP icon in the macOS status bar in the top-right corner.


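Review bot: The rewritten sentence leaves a stray `>` inside the bold: `**Profiles >**` should be `**Profiles**`. It also changes "on the device" to "for the device"; the section is "Status on client device" and the profile is viewed in System Preferences on that device, so "on" was the right preposition.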
@ -204,4 +204,33 @@ See [Logging installation issues](microsoft-defender-atp-mac-resources.md#loggin
## Uninstallation
## Uninstallation
See [Uninstalling](microsoft-defender-atp-mac-resources.md#uninstalling) for details on how to remove Microsoft Defender ATP for Mac from client devices.
This method is based on the script described in [Uninstalling](microsoft-defender-atp-mac-resources.md#uninstalling).
### Script
Create a script in **Settings > Computer Management > Scripts**.
This script removes Microsoft Defender ATP from the /Applications directory:
```bash
echo "Is WDAV installed?"
ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null

echo "Uninstalling WDAV..."
rm -rf '/Applications/Microsoft Defender ATP.app'

echo "Is WDAV still installed?"
ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null

echo "Done!"
```

### Policy
Your policy should contain a single script:

Configure the appropriate scope in the **Scope** tab to specify the machines that will receive this policy.
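Review bot: "This method is based on the script described in [Uninstalling](microsoft-defender-atp-mac-resources.md#uninstalling)" now points at a section from which this same commit removes the script (see the `@ -77,35 +77,6` hunk for that file), so the link no longer leads to the script it refers to; either keep the script there or reword this to say the script is defined here. In the script itself, `rm -rf` runs unconditionally and `echo "Done!"` prints whether or not the removal succeeded, while the two `ls -ld` lines only display output; adding `set -e` and a test that the bundle is gone after `rm -rf` would make a failed uninstall exit non-zero and show up as a failed policy run instead of a "Done!" log line.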
@ -77,35 +77,6 @@ There are several ways to uninstall Microsoft Defender ATP for Mac. Please note
- ```sudo rm -rf '/Applications/Microsoft Defender ATP'```
- ```sudo rm -rf '/Applications/Microsoft Defender ATP'```
### With a script
Create a script in **Settings > Computer Management > Scripts**.

For example, this script removes Microsoft Defender ATP from the /Applications directory:
```bash
echo "Is WDAV installed?"
ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null

echo "Uninstalling WDAV..."
rm -rf '/Applications/Microsoft Defender ATP.app'

echo "Is WDAV still installed?"
ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null

echo "Done!"
```
### With a JAMF policy
If you are running JAMF, your policy should contain a single script:

Configure the appropriate scope in the **Scope** tab to specify the machines that will receive this policy.
## Configuring from the command line
## Configuring from the command line
Important tasks, such as controlling product settings and triggering on-demand scans, can be done from the command line:
Important tasks, such as controlling product settings and triggering on-demand scans, can be done from the command line:
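Review bot: The manual removal command kept here, `sudo rm -rf '/Applications/Microsoft Defender ATP'`, omits the `.app` suffix that the removed script uses in `'/Applications/Microsoft Defender ATP.app'`; the two name different paths, so one of them is wrong and they should be aligned. That bullet also wraps the command in triple backticks inside a list item, where single backticks are the inline form. After this deletion the `#uninstalling` section no longer contains a script, yet the Jamf page added in this commit says its method "is based on the script described in" this section.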
@ -20,9 +20,9 @@ ms.topic: conceptual
# Microsoft Defender Advanced Threat Protection for Mac
# Microsoft Defender Advanced Threat Protection for Mac
>[!IMPORTANT]
>[!IMPORTANT]
>This topic relates to the pre-release version of Microsoft Defender Advanced Threat Protection (ATP) for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here.
>This topic relates to the pre-release version of Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic describes how to install and use Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac.
This topic describes how to install and use Microsoft Defender ATP for Mac.
## What’s new in the public preview
## What’s new in the public preview
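Review bot: The IMPORTANT note, as rewritten, still says the product "is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program", while the heading two lines below is "What's new in the public preview"; the two statements conflict, so either update the note to describe the public preview or do not call the preview public in the heading.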
@ -40,6 +40,7 @@ Since opening the limited preview, we've been working non-stop to enhance the pr
## Installing and configuring
## Installing and configuring
There are several methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac.
There are several methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac.
In general you'll need to take the following steps:
In general you'll need to take the following steps:
- Ensure you have a Microsoft Defender ATP subscription and have access to the Microsoft Defender ATP Portal
- Ensure you have a Microsoft Defender ATP subscription and have access to the Microsoft Defender ATP Portal
@ -67,7 +68,7 @@ You should also have access to Microsoft Defender Security Center.
Beta versions of macOS are not supported.
Beta versions of macOS are not supported.
> [!CAUTION]
> [!CAUTION]
> Running other third-party endpoint protection along with Microsoft Defender ATP for Mac may lead to performance problems and unpredictable side effects.
> Running other third-party endpoint protection alongside Microsoft Defender ATP for Mac may lead to performance problems and unpredictable side effects.
After you've enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints.
After you've enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints.
@ -75,16 +76,23 @@ The following table lists the services and their associated URLs that your netwo
| Service | Description | URL |
| Service | Description | URL |
| -------------- | ------------------------------------ | -------------------------------------------------------------------- |
| -------------- | ------------------------------------ | -------------------------------------------------------------------- |
| ATP | Advanced threat protection service | `https://x.cp.wd.microsoft.com`, `https://cdn.x.cp.wd.microsoft.com` |
| ATP | Advanced threat protection service | [https://x.cp.wd.microsoft.com](https://x.cp.wd.microsoft.com), [https://cdn.x.cp.wd.microsoft.com](https://cdn.x.cp.wd.microsoft.com) |
To test that a connection is not blocked, open `https://x.cp.wd.microsoft.com/api/report` and `https://cdn.x.cp.wd.microsoft.com/ping` in a browser, or run the following command in Terminal:
To test that a connection is not blocked, open [https://x.cp.wd.microsoft.com/api/report](https://x.cp.wd.microsoft.com/api/report) and [https://cdn.x.cp.wd.microsoft.com/ping]([https://cdn.x.cp.wd.microsoft.com/ping) in a browser.
If you prefer the command line, you can also check the connection by running the following command in Terminal:
```bash
```bash
mavel-mojave:~ testuser$ curl -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'
testuser$ curl -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'
OK https://x.cp.wd.microsoft.com/api/report
OK https://cdn.x.cp.wd.microsoft.com/ping
```
```
The output from this command should look like this:
> `OK https://x.cp.wd.microsoft.com/api/report`
>
> `OK https://cdn.x.cp.wd.microsoft.com/ping`
We recommend that you keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) (SIP) enabled on client machines. SIP is a built-in macOS security feature that prevents low-level tampering with the OS, and is enabled by default.
We recommend that you keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) (SIP) enabled on client machines. SIP is a built-in macOS security feature that prevents low-level tampering with the OS, and is enabled by default.
## Resources
## Resources
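Review bot: Broken link in the rewritten test sentence: `[https://cdn.x.cp.wd.microsoft.com/ping]([https://cdn.x.cp.wd.microsoft.com/ping)` has a stray `[` inside the URL parentheses, so the link target becomes `[https://cdn...`; remove it. The code block keeps a `testuser$` prompt in front of `curl`, which is copied along with the command when readers paste it; the bare `curl ...` line is preferable, and the `%{url_effective}` format string is the useful part to keep since it labels which of the two endpoints each `OK` belongs to.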
@ -0,0 +1,86 @@
---
title: Create and manage roles for role-based access control
description: Create roles and define the permissions assigned to the role as part of the role-based access control implementation
keywords: user roles, roles, access rbac
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Create and manage roles for role-based access control
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-roles-abovefoldlink)
## Create roles and assign the role to an Azure Active Directory group
The following steps guide you on how to create roles in Windows Defender Security Center. It assumes that you have already created Azure Active Directory user groups.
1. In the navigation pane, select **Settings > Roles**.
2. Click **Add role**.
3. Enter the role name, description, and permissions you'd like to assign to the role.
- **Role name**
- **Description**
- **Permissions**
- **View data** - Users can view information in the portal.
- **Alerts investigation** - Users can manage alerts, initiate automated investigations, collect investigation packages, manage machine tags, and export machine timeline.
- **Active remediation actions** - Users can take response actions and approve or dismiss pending remediation actions.
- **Manage portal system settings** - Users can configure storage settings, SIEM and threat intel API settings (applies globally), advanced settings, automated file uploads, roles and machine groups.
>[!NOTE]
>This setting is only available in the Windows Defender ATP administrator (default) role.
- **Manage security settings** - Users can configure alert suppression settings, manage allowed/blocked lists for automation, manage folder exclusions for automation, onboard and offboard machines, and manage email notifications.
4. Click **Next** to assign the role to an Azure AD group.
5. Use the filter to select the Azure AD group that you'd like to add to this role.
6. Click **Save and close**.
7. Apply the configuration settings.
After creating roles, you'll need to create a machine group and provide access to the machine group by assigning it to a role that you just created.
>[!NOTE]
>The Windows Defender ATP administrator (default) role has administrator permissions with exclusive access to all machine groups. Administrator permissions cannot be assigned to any other role.
## Edit roles
1. Select the role you'd like to edit.
2. Click **Edit**.
3. Modify the details or the groups that are assigned to the role.
4. Click **Save and close**.
## Delete roles
1. Select the role you'd like to delete.
2. Click the drop-down button and select **Delete role**.
## Related topics
- [User basic permissions to access the portal](../microsoft-defender-atp/basic-permissions.md)
- [Create and manage machine groups](../microsoft-defender-atp/machine-groups.md)
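Review bot: This new file uses "Windows Defender ATP" and "Windows Defender Security Center" throughout, while the other files in this commit rename those to "Microsoft Defender ATP" and "Microsoft Defender Security Center" (portal overview and incident response hunks); the "Applies to" link text, the free-trial line and both NOTEs should use the same product name. Structurally, the sub-bullets under step 3 and the NOTE that sits between the "Manage portal system settings" and "Manage security settings" bullets show no indentation here; if that reflects the file, the NOTE breaks the list and steps 4 to 7 restart numbering. Also, the NOTE "This setting is only available in the Windows Defender ATP administrator (default) role" refers to the permission above it, but placed between two bullets its antecedent is ambiguous; naming the permission in the note removes the doubt.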
@ -57,12 +57,15 @@ This section covers requirements for each feature in Windows Defender EG.
|
|||||||
|  | Supported |
|
|  | Supported |
|
||||||
|  | Recommended. Includes full, automated reporting into the Microsoft Defender ATP console. Provides additional cloud-powered capabilities, including the Network protection ability to block apps from accessing low-reputation websites and an attack surface reduction rule that blocks executable files that meet age or prevalence criteria.|
|  | Recommended. Includes full, automated reporting into the Microsoft Defender ATP console. Provides additional cloud-powered capabilities, including the Network protection ability to block apps from accessing low-reputation websites and an attack surface reduction rule that blocks executable files that meet age or prevalence criteria.|
| Feature | Windows 10 Home | Windows 10 Professional | Windows 10 E3 | Windows 10 E5 |
| Feature | Windows 10 Home | Windows 10 Professional | Windows 10 Enterprise | Windows 10 with Enterprise E3 subscription | Windows 10 with Enterprise E5 subscription |
| ----------------- | :------------------------------------: | :---------------------------: | :-------------------------: | :--------------------------------------: |
| ----------------- | :------------------------------------: | :---------------------------: | :-------------------------: | :--------------------------------------: | :--------------------------------------: |
| Exploit protection |  |  |  |  |
| Exploit protection |  |  |  |  |  |
| Attack surface reduction rules |  |  |  |  |
| Attack surface reduction rules |  |  |  |  |  |
| Network protection |  |  |  |  |
| Network protection |  |  |  |  |  |
| Controlled folder access |  |  |  |  |
| Controlled folder access |  |  |  |  |  |
>[!NOTE]
> The [Identity & Threat Protection package](https://www.microsoft.com/microsoft-365/blog/2019/01/02/introducing-new-advanced-security-and-compliance-offerings-for-microsoft-365/), available for Microsoft 365 E3 customers, provides the same Windows Defender ATP capabilities as the Enterprise E5 subscription.
The following table lists which features in Windows Defender EG require enabling [real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) from Windows Defender Antivirus.
The following table lists which features in Windows Defender EG require enabling [real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) from Windows Defender Antivirus.
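Review bot: the new header row adds a `Windows 10 Enterprise` column beside `Windows 10 with Enterprise E3 subscription` and `Windows 10 with Enterprise E5 subscription`, but nothing in the hunk says how a plain Enterprise edition differs from an Enterprise E3 subscription for these four features, so a reader on volume-licensed Enterprise cannot tell which column applies; add a footnote under the table (or rename the column to the licensing channel it means). Also, the fifth cell added to each feature row holds only an icon, so confirm its alt text names the new column; the surrounding NOTE about the Identity & Threat Protection package still refers only to the E5 subscription and should say which column that maps to once a separate Enterprise column exists.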
@ -72,7 +72,8 @@ Any machine with System Guard enabled will automatically meet the following low-
|SMM Page Tables| Must NOT contain any mappings to EfiConventionalMemory (e.g. no OS/VMM owned memory). <br/>Must NOT contain any mappings to code sections within EfiRuntimeServicesCode. <br/>Must NOT have execute and write permissions for the same page <br/>Must allow ONLY that TSEG pages can be marked executable and the memory map must report TSEG EfiReservedMemoryType. <br/>BIOS SMI handler must be implemented such that SMM page tables are locked on every SMM entry. |
|SMM Page Tables| Must NOT contain any mappings to EfiConventionalMemory (e.g. no OS/VMM owned memory). <br/>Must NOT contain any mappings to code sections within EfiRuntimeServicesCode. <br/>Must NOT have execute and write permissions for the same page <br/>Must allow ONLY that TSEG pages can be marked executable and the memory map must report TSEG EfiReservedMemoryType. <br/>BIOS SMI handler must be implemented such that SMM page tables are locked on every SMM entry. |
|Modern/Connected Standby|Platforms must support Modern/Connected Standby.|
|Modern/Connected Standby|Platforms must support Modern/Connected Standby.|
|TPM AUX Index|Platform must set up a AUX index with index, attributes, and policy that exactly corresponds to the AUX index specified in the TXT DG with a data size of exactly 104 bytes (for SHA256 AUX data). (NameAlg = SHA256) <br/> Platforms must set up a PS (Platform Supplier) index with: <ul><li> Exactly the "TXT PS2" style Attributes on creation as follows: <ul><li>AuthWrite</li><li>PolicyDelete</li><li>WriteLocked</li><li>WriteDefine</li><li>AuthRead</li><li>WriteDefine</li><li>NoDa</li><li>Written</li><li>PlatformCreate</li></ul> <li>A policy of exactly PolicyCommandCode(CC = TPM2_CC_UndefineSpaceSpecial) (SHA256 NameAlg and Policy)</li><li> Size of exactly 70 bytes </li><li> NameAlg = SHA256 </li><li> In addition, it must have been initialized and locked (TPMA_NV_WRITTEN = 1, TPMA_NV_WRITELOCKED = 1) at time of OS launch. </li></ul> PS index data DataRevocationCounters, SINITMinVersion, and PolicyControl must all be 0x00 |
|TPM AUX Index|Platform must set up a AUX index with index, attributes, and policy that exactly corresponds to the AUX index specified in the TXT DG with a data size of exactly 104 bytes (for SHA256 AUX data). (NameAlg = SHA256) <br/> Platforms must set up a PS (Platform Supplier) index with: <ul><li> Exactly the "TXT PS2" style Attributes on creation as follows: <ul><li>AuthWrite</li><li>PolicyDelete</li><li>WriteLocked</li><li>WriteDefine</li><li>AuthRead</li><li>WriteDefine</li><li>NoDa</li><li>Written</li><li>PlatformCreate</li></ul> <li>A policy of exactly PolicyCommandCode(CC = TPM2_CC_UndefineSpaceSpecial) (SHA256 NameAlg and Policy)</li><li> Size of exactly 70 bytes </li><li> NameAlg = SHA256 </li><li> In addition, it must have been initialized and locked (TPMA_NV_WRITTEN = 1, TPMA_NV_WRITELOCKED = 1) at time of OS launch. </li></ul> PS index data DataRevocationCounters, SINITMinVersion, and PolicyControl must all be 0x00 |
|AUX Policy|The required AUX policy must be as follows: <ul><li> A = TPM2_PolicyLocality (Locality 3 & Locality 4) </li><li>B = TPM2_PolicyCommandCode (TPM_CC_NV_UndefineSpecial)</li><li>authPolicy = {A} OR {{A} AND {B}}</li><li>authPolicy digest = 0xef, 0x9a, 0x26, 0xfc, 0x22, 0xd1, 0xae, 0x8c, 0xec, 0xff, 0x59, 0xe9, 0x48, 0x1a, 0xc1, 0xec, 0x53, 0x3d, 0xbe, 0x22, 0x8b, 0xec, 0x6d, 0x17, 0x93, 0x0f, 0x4c, 0xb2, 0xcc, 0x5b, 0x97, 0x24</li></ul>|
|AUX Policy|The required AUX policy must be as follows: <ul><li> A = TPM2_PolicyLocality (Locality 3 & Locality 4) </li><li>B = TPM2_PolicyCommandCode (TPM_CC_NV_UndefineSpecial)</li><li>authPolicy = \{A} OR {{A} AND \{B}}</li><li>authPolicy digest = 0xef, 0x9a, 0x26, 0xfc, 0x22, 0xd1, 0xae, 0x8c, 0xec, 0xff, 0x59, 0xe9, 0x48, 0x1a, 0xc1, 0xec, 0x53, 0x3d, 0xbe, 0x22, 0x8b, 0xec, 0x6d, 0x17, 0x93, 0x0f, 0x4c, 0xb2, 0xcc, 0x5b, 0x97, 0x24</li></ul>|
|TPM NV Index|Platform firmware must set up a TPM NV index for use by the OS with: <ul><li>Handle: 0x01C101C0 </li><li>Attributes: <ul><li>TPMA_NV_POLICYWRITE</li><li>TPMA_NV_PPREAD </li><li>TPMA_NV_OWNERREAD</li><li>TPMA_NV_AUTHREAD</li><li>TPMA_NV_POLICYREAD</li><li>TPMA_NV_NO_DA</li><li>TPMA_NV_PLATFORMCREATE</li><li>TPMA_NV_POLICY_DELETE</li></ul> <li>A policy of: </li><ul><li>A = TPM2_PolicyAuthorize(MSFT_DRTM_AUTH_BLOB_SigningKey)</li><li>B = TPM2_PolicyCommandCode(TPM_CC_NV_UndefineSpaceSpecial) </li><li> authPolicy = \{A} OR {{A} AND \{B}} </li><li> Digest value of 0xcb, 0x45, 0xc8, 0x1f, 0xf3, 0x4b, 0xcf, 0x0a, 0xfb, 0x9e, 0x1a, 0x80, 0x29, 0xfa, 0x23, 0x1c,0x87, 0x27, 0x30, 0x3c, 0x09, 0x22, 0xdc, 0xce, 0x68, 0x4b, 0xe3, 0xdb, 0x81, 0x7c, 0x20, 0xe1 </li></ul></ul> |
|Platform firmware|Platform firmware must carry all code required to execute an Intel® Trusted Execution Technology secure launch: <ul><li>Intel® SINIT ACM must be carried in the OEM BIOS</li><li>Platforms must ship with a production ACM signed by the correct production Intel® ACM signer for the platform</li></ul>|
|Platform firmware|Platform firmware must carry all code required to execute an Intel® Trusted Execution Technology secure launch: <ul><li>Intel® SINIT ACM must be carried in the OEM BIOS</li><li>Platforms must ship with a production ACM signed by the correct production Intel® ACM signer for the platform</li></ul>|
|Platform firmware update|System firmware is recommended to be updated via UpdateCapsule in Windows Update. |
|Platform firmware update|System firmware is recommended to be updated via UpdateCapsule in Windows Update. |
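Review bot: the escaping on the changed AUX Policy line is inconsistent: `authPolicy = \{A} OR {{A} AND \{B}}` escapes `{A}` and `{B}` but leaves `{{A}` alone, so if the backslash is needed to stop `{A}` being read as a template placeholder, the nested one needs it too (`\{A} OR \{\{A} AND \{B}}`); the unchanged TPM NV Index row uses the identical half-escaped form and should get the same treatment. Separately, the same command code is spelled three ways in adjacent rows: `TPM2_CC_UndefineSpaceSpecial` (TPM AUX Index), `TPM_CC_NV_UndefineSpecial` (AUX Policy) and `TPM_CC_NV_UndefineSpaceSpecial` (TPM NV Index). The TPM 2.0 library name is `TPM_CC_NV_UndefineSpaceSpecial`; since the AUX Policy row is being touched anyway, this is the place to fix its spelling and align the other row.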
@ -22,11 +22,8 @@ This article lists new and updated features and content that are of interest to
The following 3-minute video summarizes some of the new features that are available for IT Pros in this release.
The following 3-minute video summarizes some of the new features that are available for IT Pros in this release.
> [!video https://www.microsoft.com/en-us/videoplayer/embed/RE21ada?autoplay=false]
> [!video https://www.microsoft.com/en-us/videoplayer/embed/RE21ada?autoplay=false]
## Deployment
## Deployment
### Windows Autopilot
### Windows Autopilot
@ -135,7 +132,7 @@ Portions of the work done during the offline phases of a Windows update have bee
### Co-management
### Co-management
Intune and System Center Configuration Manager policies have been added to enable hybrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management.
**Intune** and **System Center Configuration Manager** policies have been added to enable hybrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management.
For more information, see [What's New in MDM enrollment and management](https://docs.microsoft.com/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1803)
For more information, see [What's New in MDM enrollment and management](https://docs.microsoft.com/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1803)
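Review bot: bolding **Intune** and **System Center Configuration Manager** introduces emphasis that the surrounding text does not use for product names (`Mobile Device Management (MDM)` in the same sentence stays plain, as does the `Windows Defender Application Guard` link in the next hunk's context), so either drop the bold or apply it consistently across the page. The sentence also leaves unsaid which policies "enable hybrid Azure AD-joined authentication"; a link to the relevant policy documentation, as is already done for `MDMWinsOverGP`, would make the claim actionable.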
@ -231,8 +228,8 @@ Support in [Windows Defender Application Guard](#windows-defender-application-gu
## See Also
## See Also
[Windows 10 Features](https://www.microsoft.com/windows/features): Review general information about Windows 10 features.<br>
- [Windows 10 Features](https://www.microsoft.com/windows/features): Review general information about Windows 10 features.
[What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.<br>
- [What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
[What's new in Windows 10, version 1709](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-windows): See what’s new in Windows 10 hardware.<br>
- [What's new in Windows 10, version 1709](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-windows): See what’s new in Windows 10 hardware.
[Windows 10 Fall Creators Update Next Generation Security](https://www.youtube.com/watch?v=JDGMNFwyUg8): YouTube video about Windows Defender ATP in Windows 10, version 1709.
- [Windows 10 Fall Creators Update Next Generation Security](https://www.youtube.com/watch?v=JDGMNFwyUg8): YouTube video about Windows Defender ATP in Windows 10, version 1709.
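Review bot: replacing the `<br>`-separated lines with a bullet list is the right fix, but the third item's link text, `What's new in Windows 10, version 1709`, matches neither its description (`See what's new in Windows 10 hardware`) nor its target (`windows-hardware/get-started/what-s-new-in-windows`); rename it to the hardware page's title so text and destination agree. The fourth item is likewise a video about Windows 10, version 1709, on a what's-new page for a later release (the MDM link earlier in the diff anchors to `#whatsnew1803`); if it is kept, the description should say why it is still relevant here.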
@ -120,7 +120,7 @@ The draft release of the [security configuration baseline settings](https://blog
- [Windows Hello FIDO2 certification](https://fidoalliance.org/microsoft-achieves-fido2-certification-for-windows-hello/): Windows Hello is now a FIDO2 Certified authenticator and enables password-less login for websites supporting FIDO2 authentication, such as Microsoft account and Azure AD.
- [Windows Hello FIDO2 certification](https://fidoalliance.org/microsoft-achieves-fido2-certification-for-windows-hello/): Windows Hello is now a FIDO2 Certified authenticator and enables password-less login for websites supporting FIDO2 authentication, such as Microsoft account and Azure AD.
- [Streamlined Windows Hello PIN reset experience](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience): Microsoft account users have a revamped Windows Hello PIN reset experience with the same look and feel as signing in on the web.
- [Streamlined Windows Hello PIN reset experience](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience): Microsoft account users have a revamped Windows Hello PIN reset experience with the same look and feel as signing in on the web.
- Sign-in with [Password-less](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/passwordless-strategy) Microsoft accounts: Sign in to Windows 10 with a phone number account. Then use Windows Hello for an even easier sign-in experience! i
- Sign-in with [Password-less](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/passwordless-strategy) Microsoft accounts: Sign in to Windows 10 with a phone number account. Then use Windows Hello for an even easier sign-in experience!
- [Remote Desktop with Biometrics](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-features#remote-desktop-with-biometrics): Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session.
- [Remote Desktop with Biometrics](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-features#remote-desktop-with-biometrics): Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session.
### Security management
### Security management
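Review bot: dropping the stray ` i` at the end of the Password-less bullet is correct, but the bullet still reads `Sign-in with [Password-less] Microsoft accounts` while the FIDO2 bullet above says `password-less login` and the link target is `passwordless-strategy`; pick one spelling (`passwordless` matches the URL) and use it in all three places. `Sign-in` as a verb should also be `Sign in`, as in `Sign in to Windows 10` later in the same bullet.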