diff --git a/windows/configuration/provisioning-packages/provisioning-multivariant.md b/windows/configuration/provisioning-packages/provisioning-multivariant.md
index e3479458a2..77755fdf5a 100644
--- a/windows/configuration/provisioning-packages/provisioning-multivariant.md
+++ b/windows/configuration/provisioning-packages/provisioning-multivariant.md
@@ -19,7 +19,7 @@ localizationpriority: high
 
 In your organization, you might have different configuration requirements for devices that you manage. You can create separate provisioning packages for each group of devices in your organization that have different requirements. Or, you can create a multivariant provisioning package, a single provisioning package that can work for multiple conditions. For example, in a single provisioning package, you can define one set of customization settings that will apply to devices set up for French and a different set of customization settings for devices set up for Japanese. 
 
-To provision multivariant settings, you use Windows Imaging and Configuration Designer (ICD) to create a provisioning package that contains all of the customization settings that you want to apply to any of your devices. Next, you manually edit the .XML file for that project to define each set of devices (a **Target**). For each **Target**, you specify at least one **Condition** with a value, which identifies the devices to receive the configuration. Finally, for each **Target**, you provide the customization settings to be applied to those devices.
+To provision multivariant settings, you use Windows Configuration Designer to create a provisioning package that contains all of the customization settings that you want to apply to any of your devices. Next, you manually edit the .XML file for that project to define each set of devices (a **Target**). For each **Target**, you specify at least one **Condition** with a value, which identifies the devices to receive the configuration. Finally, for each **Target**, you provide the customization settings to be applied to those devices.
 
 Let's begin by learning how to define a **Target**.
 
@@ -258,7 +258,7 @@ Follow these steps to create a provisioning package with multivariant capabiliti
 6. Save the updated customizations.xml file and note the path to this updated file. You will need the path as one of the values for the next step.
 
 
-7. Use the [Windows ICD command-line interface](provisioning-command-line.md) to create a provisioning package using the updated customizations.xml. 
+7. Use the [Windows Configuration Designer command-line interface](provisioning-command-line.md) to create a provisioning package using the updated customizations.xml. 
 
     For example:
 
diff --git a/windows/device-security/TOC.md b/windows/device-security/TOC.md
index ec0aee811a..b5b1477df9 100644
--- a/windows/device-security/TOC.md
+++ b/windows/device-security/TOC.md
@@ -561,6 +561,7 @@
 ##### [Network access: Remotely accessible registry paths](security-policy-settings/network-access-remotely-accessible-registry-paths.md)
 ##### [Network access: Remotely accessible registry paths and subpaths](security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md)
 ##### [Network access: Restrict anonymous access to Named Pipes and Shares](security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md)
+#####  [Network access: Restrict clients allowed to make remote calls to SAM](security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md)
 ##### [Network access: Shares that can be accessed anonymously](security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md)
 ##### [Network access: Sharing and security model for local accounts](security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md)
 ##### [Network security: Allow Local System to use computer identity for NTLM](security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md)
diff --git a/windows/device-security/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md b/windows/device-security/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
new file mode 100644
index 0000000000..f28eab1191
--- /dev/null
+++ b/windows/device-security/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
@@ -0,0 +1,154 @@
+---
+title: Network access - Restrict clients allowed to make remote calls to SAM
+description: Security policy setting that controls which users can enumerate users and groups in the local Security Accounts Manager (SAM) database.
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: brianlic-msft
+---
+
+# Network access: Restrict clients allowed to make remote calls to SAM
+
+**Applies to**
+-   Windows 10, version 1607 and later
+-   Windows 10, version 1511 with [KB 4103198](https://support.microsoft.com/en-us/help/4013198) installed
+-   Windows 10, version 1507 with [KB 4012606](https://support.microsoft.com/en-us/help/4012606) installed 
+-   Windows 8.1 with [KB 4102219](https://support.microsoft.com/en-us/help/4012219/march-2017-preview-of-monthly-quality-rollup-for-windows-8-1-and-windows-server-2012-r2) installed 
+-   Windows 7 with [KB 4012218](https://support.microsoft.com/en-us/help/4012218/march-2017-preview-of-monthly-quality-rollup-for-windows-7-sp1-and-windows-server-2008-r2-sp1) installed 
+-   Windows Server 2016
+-   Windows Server 2012 R2 with[KB 4012219](https://support.microsoft.com/en-us/help/4012219/march-2017-preview-of-monthly-quality-rollup-for-windows-8-1-and-windows-server-2012-r2) installed
+-   Windows Server 2012 with [KB 4012220](https://support.microsoft.com/en-us/help/4012220/march-2017-preview-of-monthly-quality-rollup-for-windows-server-2012) installed 
+-   Windows Server 2008 R2 with [KB 4012218](https://support.microsoft.com/en-us/help/4012218/march-2017-preview-of-monthly-quality-rollup-for-windows-7-sp1-and-windows-server-2008-r2-sp1) installed
+
+
+The **Network access: Restrict clients allowed to make remote calls to SAM** security policy setting controls which users can enumerate users and groups in the local Security Accounts Manager (SAM) database. The setting was first supported by Windows 10 version 1607 and Windows Server 2016 (RTM) and can be configured on earlier Windows client and server operating systems by installing updates from the the KB articles listed in **Applies to** section of this topic. 
+
+This topic describes the default values for this security policy setting in different versions of Windows, related events, and how to enable audit mode before constraining the security principals that are allowed to remotely enumerate users and groups in the SAM so that your environment remains secure without adversely impacting application compatibility. 
+
+## Reference
+
+The SAMRPC protocol makes it possible for a low privileged user to query a machine on a network for data. For example, a user can use SAMRPC to enumerate users, including privileged accounts such as local or domain administrators, or to enumerate groups and group memberships from the local SAM and Active Directory. This information can provide important context and serve as a starting point for an attacker to compromise a domain or networking environment. 
+
+To mitigate this risk, you can configure the **Network access: Restrict clients allowed to make remote calls to SAM** security policy setting to force the security accounts manager (SAM) to do an access check against remote calls. The access check allows or denies remote RPC connections to SAM and Active Directory for users and groups that you define. 
+
+By default, the **Network access: Restrict clients allowed to make remote calls to SAM** security policy setting is not defined. If you define it, you can edit the default Security Descriptor Definition Language (SDDL) string to explicitly allow or deny users and groups to make remote calls to the SAM. If the policy setting is left blank after the policy is defined, the policy is not enforced.   
+
+The default security descriptor on computers beginning with Windows 10 version 1607 and Windows Server 2016 allows only the local (built-in) Administrators group remote access to SAM on non-domain controllers, and allows Everyone access on domain controllers. You can edit the default security descriptor to allow or deny other users and groups, including the built-in Administrators.
+
+The default security descriptor on computers that run earlier versions of Windows does not restrict any remote calls to SAM, but an administrator can edit the security descriptor to enforce restrictions. This less restrictive default allows for testing the impact of enabling restrictions on existing applications.
+
+This means that if you have a mix of computers, such as servers that run both Windows Server 2016 and Windows Server 2012 R2, the servers that run Windows Server 2016 may fail to enumerate accounts by default where the servers that run Windows Server 2012 R2 succeed.
+
+## Possible values
+-  Not defined
+-  Defined, along with the security descriptor for users and groups who are allowed or denied remote access to local SAM and Active directory using SAMRPC. 
+
+## Location
+
+Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
+
+This policy setting controls a string that will contain the SDDL of the security descriptor to be deployed to the following registry setting:
+
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\RestrictRemoteSam
+
+> [!NOTE] 
+This policy is implemented similarly to other Network access policies in that there is a single policy element at the registry path listed. There is no notion of a local policy versus an enterprise policy; there is just one policy setting and whichever writes last wins. For example, suppose a local administrator configures this setting as part of a local policy using the Local Security Policy snap-in (Secpol.msc), which edits that same registry path. If an enterprise administrator configures this setting as part of an enterprise GPO, that enterprise GPO will overwrite the same registry path. 
+
+## Default values
+Beginning with Windows 10, version 1607 and Windows Server 2016, computers have hard-coded and more restrictive default values than earlier versions of Windows. The different default values help strike a balance where recent Windows versions are more secure by default and older versions don’t undergo any disruptive behavior changes. Computers that run earlier versions of Windows do not perform any access check by default. That includes domain controllers and non-domain controllers. This allows administrators to test whether applying the same restriction (that is, granting READ_CONTROL access only to members of the local Administrators group) will cause compatibility problems for existing applications before implementing this security policy setting in a production environment. 
+
+In other words, the hotfix in each KB article provides the necessary code and functionality, but you need to configure the restriction after you install the hotfix—no restrictions are enabled by default after the hotfix is installed on earlier versions of Windows.
+
+### Default values beginning with Windows 10 version 1607 and Windows Server 2016 
+The following default values apply to computers beginning with Windows Server 2016 and Windows 10, version 1607. The default security descriptor for non-domain controllers grants RC access (READ_CONTROL, also known as STANDARD_RIGHTS_READ) only to members of the local (built-in) Administrators group.
+
+
+| |Default SDDL	|Translated SDDL| Comments
+|---|---|---|---|
+|Domain controller (reading Active Directory|“”|-|Everyone has read permissions to preserve compatibility.
+|Non-domain controller|(O:SYG:SYD:(A;;RC;;;BA)| Owner: NTAUTHORITY/SYSTEM (WellKnownGroup) (S-1-5-18) <br>Primary group: NTAUTHORITY/SYSTEM (WellKnownGroup) (S-1-5-18) <br>DACL: <br>•	Revision: 0x02 <br>•	Size: 0x0020 <br>•	Ace Count: 0x001 <br>•	Ace[00]------------------------- AceType:0x00 <br> (ACCESS_ALLOWED_ACE_TYPE)<br> AceSize:0x0018 <br> InheritFlags:0x00 <br> Access Mask:0x00020000 <br> AceSid: BUILTIN\Administrators (Alias) (S-1-5-32-544) <br><br> SACL: Not present |Only members of the local (built-in) Administrators group get access.|
+
+### Default values for earlier versions of Windows
+
+The following sections explain how to enable audit only mode to test the restriction while using applications you plan to run. 
+
+## Policy management
+
+This section explains how to configure audit-only mode, how to analyze related events that are logged when the Network access: Restrict clients allowed to make remote calls to SAM security policy setting is enabled, and how to configure event throttling to prevent flooding the event log.
+
+### Audit only mode
+
+Audit only mode configures the SAM interface to do the access check against the currently configured security descriptor but will not fail the call if the access check fails. Instead, the call will be allowed, but the SAM interface will log an event describing what would have happened if the feature had been enabled. This provides administrators a way to test their applications before enabling the policy in production. Audit only mode is not configured by default. To configure it, add the following registry setting.
+
+|Registry|Details|
+|---|---|
+|Path|HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa|
+|Setting|RestrictRemoteSamAuditOnlyMode|
+|Data Type|REG_DWORD|
+|Value|1|
+|Notes|This setting cannot be added or removed by using predefined Group Policy settings. <br> Administrators may create a custom policy to set the registry value if needed. <br>                               SAM responds dynamically to changes in this registry value without a reboot. <br> You can use the [Events 16962 - 16969 Reader](https://gallery.technet.microsoft.com/Events-16962-16969-Reader-2eae5f1d) script to parse the event logs, as explained in the next section.|
+
+### Related events
+
+There are corresponding events that indicate when remote calls to the SAM are restricted, what accounts attempted to read from the SAM database, and more. The following workflow is recommended to identify applications that may be affected by restricting remote calls to SAM:
+1.	Dump event logs to a common share. 
+2.	Parse them with the [Events 16962 - 16969 Reader](https://gallery.technet.microsoft.com/Events-16962-16969-Reader-2eae5f1d) script. 
+3.	Look for the following events: <br>
+•	For domain controllers, events are logged in the Directory Services log in Event Viewer with event source Directory-Service-SAM (from Event ID 16962 to 16969, as listed in the following table). <br>
+•	For non-domain controllers, the same event IDs are logged in the System log with event source Directory-Service-SAM. 
+4.	Identify which security contexts are enumerating users or groups in the SAM database. 
+5.	Prioritize the callers, determine if they should be allowed or not, then include the allowed callers in the SDDL string.
+
+|Event ID|Event Message Text|Explanation |
+|---|---|---|
+|16962|"Remote calls to the SAM database are being restricted using the default security descriptor: %1.%n "<br><br> %2-  "Default SD String:" |Emit event when registry SDDL is absent, causing fallback to default hard-coded SDDL (event should include a copy of the default SDDL).|
+|16963|Message Text: "Remote calls to the SAM database are being restricted using the configured registry security descriptor: %1.%n" <br><br> %1 - "Registry SD String:" |Emit event when a new SDDL is read from the registry (either on startup or change) and is considered valid. The event includes the source and a copy of the queried SDDL.
+|16964|"The registry security descriptor is malformed: %1.%n Remote calls to the SAM database are being restricted using the default security descriptor: %2.%n" <br><br>%1- "Malformed SD String:"<br> %2- "Default SD String:"|Emit event when registry SDDL is mal-formed, causing fallback to default hard-coded SDDL (event should include a copy of the default SDDL).
+|16965|Message Text: "A remote call to the SAM database has been denied.%nClient SID: %1%n Network address: %2%n"<br><br> %1- "Client SID:" %2- "Client Network Address | Emit event when access is denied to a remote client. Event should include identity and network address of the client.
+|16966|Audit Mode is enabled- <br><br>Message Text: "Audit only mode is now enabled for remote calls to the SAM database. SAM will log an event for clients who would have been denied access in normal mode. %n"|Emit event whenever training mode (see 16968) is enabled or disabled. 
+|16967|Audit Mode is disabled- <br><br>Message Text: "Audit only mode is now disabled for remote calls to the SAM database.%n For more information"|Emit event whenever training mode (see 16968) is enabled or disabled.
+|16968| Message Text: "Audit only mode is currently enabled for remote calls to the SAM database.%n The following client would have been normally denied access:%nClient SID: %1 from network address: %2. %n" <br>%1- "Client SID:" <br>%2- "Client Network Address:"|Emit event when access would have been denied to a remote client, but was allowed through due to training mode being enabled. Event should include identity and network address of the client.|
+|16969|Message Text: "%2 remote calls to the SAM database have been denied in the past %1 seconds throttling window.%n <br>"%1- "Throttle window:" <br>%2- "Suppressed Message Count:"| Throttling may be necessary for some events due to expected high volume on some servers causing the event log to wrap. <br><br>Note: There is no throttling of events when audit mode is enabled. Environments with a large number of low-privilege and anonymous querying of the remote database may see large numbers of events logged to the System log. For more info, see the [Event Throttling](#event-throttling) section.
+
+Compare the security context attempting to remotely enumerate accounts with the default security descriptor. Then edit the security descriptor to add accounts that require remote access. 
+
+### Event Throttling
+A busy server can flood event logs with events related to the remote enumeration access check. To prevent this, access-denied events are logged once every 15 minutes by default. The length of this period is controlled by the following registry value.
+
+|Registry Path|System\CurrentControlSet\Control\Lsa\ 
+|---|---|
+Setting |RestrictRemoteSamEventThrottlingWindow|
+Data Type |DWORD|
+|Value|seconds|
+|Reboot Required?|No|
+|Notes|**Default** is 900 seconds – 15mins. <br>The throttling uses a suppressed events counter which starts at 0 and gets incremented during the throttling window. <br> For example, X events were suppressed in the last 15 minutes. <br>The counter is restarted after the event 16969 is logged.
+
+### Restart requirement
+
+Restarts are not required to enable, disable or modify the **Network access: Restrict clients allowed to make remote calls to SAM security** policy setting, including audit only mode. Changes become effective without a device restart when they are saved locally or distributed through Group Policy.
+
+## Security considerations
+
+This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
+
+### Vulnerability	
+The SAMRPC protocol has a default security posture that makes it possible for low-privileged attackers to query a machine on the network for data that is critical to their further hacking and penetration plans. <br><br>
+The following example illustrates how an attacker might exploit remote SAM enumeration:
+1.	A low-privileged attacker gains a foothold on a network.
+2.	The attacker then queries all machines on the network to determine which ones have a highly privileged domain user configured as a local administrator on that machine. 
+3.	If the attacker can then find any other vulnerability on that machine that allows taking it over, the attacker can then squat on the machine waiting for the high-privileged user to logon and then steal or impersonate those credentials.
+
+### Countermeasure
+You can mitigate this vulnerability by enabling the **Network access: Restrict clients allowed to make remote calls** to SAM security policy setting and configuring the SDDL for only those accounts that are explicitly allowed access.
+
+### Potential impact
+If the policy is defined, admin tools, scripts and software that formerly enumerated users, groups and group membership may fail. To identify accounts that may be affected, test this setting in [audit only mode](#audit-only-mode).  
+
+## Related Topics
+[Security Options](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/security-options)
+
+[SAMRi10 - Hardening SAM Remote Access in Windows 10/Server 2016](https://gallery.technet.microsoft.com/SAMRi10-Hardening-Remote-48d94b5b)
+
+<br>
\ No newline at end of file
diff --git a/windows/device-security/security-policy-settings/security-options.md b/windows/device-security/security-policy-settings/security-options.md
index 2d25a87621..b4896738f7 100644
--- a/windows/device-security/security-policy-settings/security-options.md
+++ b/windows/device-security/security-policy-settings/security-options.md
@@ -82,6 +82,7 @@ For info about setting security policies, see [Configure security policy setting
 | [Network access: Remotely accessible registry paths](network-access-remotely-accessible-registry-paths.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Remotely accessible registry paths** security policy setting.| 
 | [Network access: Remotely accessible registry paths and subpaths](network-access-remotely-accessible-registry-paths-and-subpaths.md)| Describes the best practices, location, values, and security considerations for the **Network access: Remotely accessible registry paths and subpaths** security policy setting. |
 | [Network access: Restrict anonymous access to Named Pipes and Shares](network-access-restrict-anonymous-access-to-named-pipes-and-shares.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Restrict anonymous access to Named Pipes and Shares** security policy setting. |
+| [Network access: Restrict clients allowed to make remote calls to SAM](network-access-restrict-clients-allowed-to-make-remote-sam-calls.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Restrict clients allowed to make remote calls to SAM** security policy setting. |
 | [Network access: Shares that can be accessed anonymously](network-access-shares-that-can-be-accessed-anonymously.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Shares that can be accessed anonymously** security policy setting. |
 | [Network access: Sharing and security model for local accounts](network-access-sharing-and-security-model-for-local-accounts.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Sharing and security model for local accounts** security policy setting. |
 | [Network security: Allow Local System to use computer identity for NTLM](network-security-allow-local-system-to-use-computer-identity-for-ntlm.md)| Describes the location, values, policy management, and security considerations for the **Network security: Allow Local System to use computer identity for NTLM** security policy setting. |
diff --git a/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md
index 921bf48bbb..b720246c1e 100644
--- a/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md
@@ -1,6 +1,6 @@
 ---
 title: View and organize the Windows Defender ATP Alerts queue
-description: Learn about how the Windows Defender ATP alerts queue work, and how to sort and filter lists of alerts.
+description: Learn about how the Windows Defender ATP alerts queues work, and how to sort and filter lists of alerts.
 keywords: alerts, queues, alerts queue, sort, order, filter, manage alerts, new, in progress, resolved, newest, time in queue, severity, time period
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
@@ -21,7 +21,7 @@ localizationpriority: high
 - Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 
-The **Alerts queue** shows a list of alerts that were flagged from endpoints in your network. Alerts are displayed in queues according to their current status. In any of the queues, you'll see details such as the severity of alerts and the number of machines where the alerts were seen.
+The **Alerts queue** shows a list of alerts that were flagged from endpoints in your network. Alerts are displayed in queues according to their current status. In each queue, you'll see details such as the severity of alerts and the number of machines the alerts were raised on.
 
 Alerts are organized in queues by their workflow status or assignment:
 
@@ -33,17 +33,17 @@ Alerts are organized in queues by their workflow status or assignment:
 To see a list of alerts, click any of the queues under the **Alerts queue** option in the navigation pane.
 
 > [!NOTE]
-> By default, the queues are sorted from newest to oldest.
+> By default, alerts in the queues are sorted from newest to oldest.
 
 ## Sort and filter the alerts
-You can sort and filter the alerts by using the available filters or clicking columns that allows you to sort the view in ascending or descending order.
+You can sort and filter the alerts using the available filters or clicking on a column's header that will sort the view in ascending or descending order.
 
 ![Alerts queue with numbers](images/alerts-queue-numbered.png)
 
 Highlighted area|Area name|Description
 :---|:---|:---
 1 | Alert filters | Filter the list of alerts by severity, detection source, time period, or change the view from flat to grouped.
-2 | Alert selected | Select an alert to bring up the **Alert management** to manage and see details about the alert.
+2 | Alert selected | Select an alert to bring up the **Alert management** pane to manage and see details about the alert.
 3 | Alert management pane | View and manage alerts without leaving the alerts queue view.
 
 ### Sort, filter, and group the alerts list
@@ -76,9 +76,9 @@ Reviewing the various alerts and their severity can help you decide on the appro
 
 **View**</br>
 - **Flat view** - Lists alerts individually with alerts having the latest activity displayed at the top.
-- **Grouped view** - Groups alerts by alert ID, file hash, malware family, or other attribute to enable more efficient alert triage and management. Alert grouping reduces the number of rows in the queue by aggregating alerts together.
+- **Grouped view** - Groups alerts by alert ID, file hash, malware family, or other attribute to enable more efficient alert triage and management. Alert grouping reduces the number of rows in the queue by aggregating similar alerts together.
 
-The group view allows for efficient alert triage and management.
+The grouped view allows efficient alert triage and management.
 
 ### Use the Alert management pane
 Selecting an alert brings up the **Alert management** pane where you can manage and see details about the alert.
diff --git a/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md
index 073acf1b34..a74dd4b020 100644
--- a/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md
@@ -134,7 +134,7 @@ This step will guide you in simulating an event in connection to a malicious IP
 ## Step 4: Explore the custom alert in the portal
 This step will guide you in exploring the custom alert in the portal.
 
-1.	Open the [Windows Defender ATP portal](http: /securitycenter.windows.com/) on a browser.
+1.	Open the [Windows Defender ATP portal](http://securitycenter.windows.com/) on a browser.
 
 2.	Log in with your Windows Defender ATP credentials.
 
diff --git a/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md b/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md
index 5bcc8e1a05..3b756a14c7 100644
--- a/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md
+++ b/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md
@@ -342,6 +342,9 @@ After you've added the apps you want to protect with WIP, you'll need to apply a
 
 We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Hide Overrides**.
 
+>[!NOTE]
+>For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
+
 **To add your protection mode**
 
 1.	From the **App policy** blade, click the name of your policy, and then click **Required settings** from the menu that appears.
@@ -353,7 +356,7 @@ We recommend that you start with **Silent** or **Allow Overrides** while verifyi
     |Mode |Description |
     |-----|------------|
     |Hide Overrides |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
-    |Allow Overrides |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](https://go.microsoft.com/fwlink/p/?LinkID=746459).|
+    |Allow Overrides |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).|
     |Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Allow Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.|
     |Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.<br><br>After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.|
 
diff --git a/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md b/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md
index 59a4720f61..4dbf46f1e8 100644
--- a/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md
+++ b/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md
@@ -339,10 +339,13 @@ After you've added the apps you want to protect with WIP, you'll need to apply a
 
 We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Override** or **Block**.
 
+>[!NOTE]
+>For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
+
 |Mode |Description |
 |-----|------------|
 |Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
-|Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](https://go.microsoft.com/fwlink/p/?LinkID=746459). |
+|Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log. |
 |Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.|
 |Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.<p>After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.|
 
diff --git a/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md b/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md
index d00786a7cf..19071542aa 100644
--- a/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md
+++ b/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md
@@ -82,7 +82,8 @@ WIP gives you a new way to manage data policy enforcement for apps and documents
     
         You don’t have to modify line-of-business apps that never touch personal data to list them as allowed apps; just include them in the allowed apps list.
 
-    -   **Deciding your level of data access.** WIP lets you hide overrides, allow overrides, or audit employees' data sharing actions. Hiding overrides stops the action immediately. Allowing overrides lets the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without stopping anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your allowed apps list.
+    -   **Deciding your level of data access.** WIP lets you hide overrides, allow overrides, or audit employees' data sharing actions. Hiding overrides stops the action immediately. Allowing overrides lets the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without stopping anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your allowed apps list. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
+
 
     -   **Data encryption at rest.** WIP helps protect enterprise data on local files and on removable media.
     
@@ -123,18 +124,18 @@ Enterprise data is automatically encrypted after it’s loaded on a device from
 
 Your WIP policy includes a list of trusted apps that are allowed to access and process corporate data. This list of apps is implemented through the [AppLocker](/windows/device-security/applocker/applocker-overview) functionality, controlling what apps are allowed to run and letting the Windows operating system know that the apps can edit corporate data. Apps included on this list don’t have to be modified to open corporate data because their presence on the list allows Windows to determine whether to grant them access. However, new for Windows 10, app developers can use a new set of application programming interfaces (APIs) to create *enlightened* apps that can use and edit both enterprise and personal data. A huge benefit to working with enlightened apps is that dual-use apps, like Microsoft Word, can be used with less concern about encrypting personal data by mistake because the APIs allow the app to determine whether data is owned by the enterprise or if it’s personally owned.
 
+>[!NOTE]
+>For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
+
 You can set your WIP policy to use 1 of 4 protection and management modes:
 
 |Mode|Description|
 |----|-----------|
 |Hide overrides |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organization’s network.|
-|Allow overrides |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](https://go.microsoft.com/fwlink/p/?LinkID=746459). |
+|Allow overrides |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log.|
 |Silent |WIP runs silently, logging inappropriate data sharing, without stopping anything that would’ve been prompted for employee interaction while in Allow overrides mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.|
 |Off |WIP is turned off and doesn't help to protect or audit your data.<p>After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.<p>**Note**<br>For more info about setting your WIP-protection modes, see either [Create a Windows Information Protection (WIP) policy using Intune](create-wip-policy-using-intune.md) or [Create and deploy a Windows Information Protection (WIP) policy using Configuration Manager](create-wip-policy-using-sccm.md), depending on your management solution. |
 
->[!NOTE]
->For info about how to collect your audit logs, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
-
 ## Turn off WIP
 You can turn off all Windows Information Protection and restrictions, decrypting all devices managed by WIP and reverting to where you were pre-WIP, with no data loss. However, this isn’t recommended. If you choose to turn WIP off, you can always turn it back on, but your decryption and policy info won’t be automatically reapplied.