Merge branch 'master' of https://cpubwin.visualstudio.com/_git/it-client into autopilot

2025-05-20 09:17:25 +00:00 · 2018-06-26 07:33:57 -07:00 · 2018-06-26 07:33:57 -07:00 · 79e4d2bdcc
commit 79e4d2bdcc
parent f71e0c4c5a af701c45e1
48 changed files with 238 additions and 418 deletions
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@ -6307,7 +6307,7 @@
 },
 {
 "source_path": "windows/whats-new/device-guard-overview.md",
-"redirect_url": "/windows/whats-new/whats-new-windows-10-version-1507-and-1511",
+"redirect_url": "/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control",
 "redirect_document_id": false
 },
 {
@ -9007,7 +9007,7 @@
 },
 {
 "source_path": "windows/keep-secure/device-guard-deployment-guide.md",
-"redirect_url": "/windows/device-security/device-guard/device-guard-deployment-guide",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide",
 "redirect_document_id": true
 },
 {
--- a/browsers/edge/available-policies.md
+++ b/browsers/edge/available-policies.md
@ -646,9 +646,9 @@ This policy setting specifies whether you see an additional page in Microsoft Ed
 **Microsoft Intune to manage your MDM settings** 
 |   |   |
 |---|---|
-|MDM name |[ShowMessageWhenOpeningInteretExplorerSites](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-showmessagewhenopeningsitesininternetexplorer) |
+|MDM name |[ShowMessageWhenOpeningSitesInInternetExplorer](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-showmessagewhenopeningsitesininternetexplorer) |
 |Supported devices |Desktop  |
-|URI full path |./Vendor/MSFT/Policy/Config/Browser/ShowMessageWhenOpeningSitesInInteretExplorer  |
+|URI full path |./Vendor/MSFT/Policy/Config/Browser/ShowMessageWhenOpeningSitesInInternetExplorer  |
 |Data type | Integer |
 |Allowed values |<ul><li>**0 (default)** - Doesn’t show an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.</li><li>**1** - Shows an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.</li></ul> |
--- a/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md
+++ b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md
@ -18,7 +18,7 @@ ms.localizationpriority: medium
 PowerShell scripts to help set up and manage your Microsoft Surface Hub.
 -   [PowerShell scripts for Surface Hub admins](#scripts-for-admins)
-    -   [Create an on-premise account](#create-on-premise-ps-scripts)
+    -   [Create an on-premises account](#create-on-premises-ps-scripts)
    -   [Create a device account using Office 365](#create-os356-ps-scripts)
    -   [Account verification script](#acct-verification-ps-scripts)
    -   [Enable Skype for Business (EnableSfb.ps1)](#enable-sfb-ps-scripts)
@ -185,7 +185,7 @@ These scripts will create a device account for you. You can use the [Account ver
 The account creation scripts cannot modify an already existing account, but can be used to help you understand which cmdlets need to be run to configure the existing account correctly.
-### <a href="" id="create-on-premise-ps-scripts"></a>Create an on-premise account
+### <a href="" id="create-on-premises-ps-scripts"></a>Create an on-premises account
 Creates an account as described in [On-premises deployment](on-premises-deployment-surface-hub-device-accounts.md).
--- a/devices/surface-hub/miracast-over-infrastructure.md
+++ b/devices/surface-hub/miracast-over-infrastructure.md
@ -35,10 +35,11 @@ If you have a Surface Hub or other Windows 10 device that has been updated to Wi
 - The Surface Hub or device (Windows PC or phone) needs to be running Windows 10, version 1703.
 - A Surface Hub or Windows PC can act as a Miracast over Infrastructure *receiver*. A Windows PC or phone can act as a Miracast over Infrastructure *source*.
-    - As a Miracast receiver, the Surface Hub or device must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection (e.g. using either WPA2-PSK or WPA2-Enterprise security). If the Hub is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself.
+    - As a Miracast receiver, the Surface Hub or device must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection (e.g. using either WPA2-PSK or WPA2-Enterprise security). If the Surface Hub or device is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself.
    - As a Miracast source, the Windows PC or phone must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection.
- The DNS Hostname (device name) of the Surface Hub or deviceneeds to be resolvable via your DNS servers. You can achieve this by either allowing your Surface Hub to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the Surface Hub's hostname. 
+- The DNS Hostname (device name) of the Surface Hub or device needs to be resolvable via your DNS servers. You can achieve this by either allowing your Surface Hub to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the Surface Hub's hostname. 
 - Windows 10 PCs must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection. 
 - On Windows 10 PCs, the **Projecting to this PC** feature must be enabled within System Settings, and the device must have a Wi-Fi interface enabled in order to respond to discovery requests. 
 It is important to note that Miracast over Infrastructure is not a replacement for standard Miracast. Instead, the functionality is complementary, and provides an advantage to users who are part of the enterprise network. Users who are guests to a particular location and don’t have access to the enterprise network will continue to connect using the Wi-Fi Direct connection method.
--- a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md
+++ b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md
@ -16,7 +16,7 @@ ms.localizationpriority: medium
 This topic explains how you add a device account for your Microsoft Surface Hub when you have a single-forest, on-premises deployment.
-If you have a single-forest on-premises deployment with Microsoft Exchange 2013 or later and Skype for Business 2013 or later, then you can [use the provided PowerShell scripts](appendix-a-powershell-scripts-for-surface-hub.md#create-on-premise-ps-scripts) to create device accounts. If you’re using a multi-forest deployment, see [On-premises deployment for Surface Hub in a multi-forest environment](on-premises-deployment-surface-hub-multi-forest.md).
+If you have a single-forest on-premises deployment with Microsoft Exchange 2013 or later and Skype for Business 2013 or later, then you can [use the provided PowerShell scripts](appendix-a-powershell-scripts-for-surface-hub.md#create-on-premises-ps-scripts) to create device accounts. If you’re using a multi-forest deployment, see [On-premises deployment for Surface Hub in a multi-forest environment](on-premises-deployment-surface-hub-multi-forest.md).
 1.  Start a remote PowerShell session from a PC and connect to Exchange.
--- a/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md
+++ b/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md
@ -15,7 +15,7 @@ ms.localizationpriority: medium
 This topic explains how you add a device account for your Microsoft Surface Hub when you have a multi-forest, on-premises deployment.
-If you have a multi-forest on-premises deployment with Microsoft Exchange 2013 or later and Skype for Business 2013 or later, then you can [use the provided PowerShell scripts](appendix-a-powershell-scripts-for-surface-hub.md#create-on-premise-ps-scripts) to create device accounts. If you’re using a single-forest deployment, see [On-premises deployment for Surface Hub in a single-forest environment](on-premises-deployment-surface-hub-device-accounts.md).
+If you have a multi-forest on-premises deployment with Microsoft Exchange 2013 or later and Skype for Business 2013 or later, then you can [use the provided PowerShell scripts](appendix-a-powershell-scripts-for-surface-hub.md#create-on-premises-ps-scripts) to create device accounts. If you’re using a single-forest deployment, see [On-premises deployment for Surface Hub in a single-forest environment](on-premises-deployment-surface-hub-device-accounts.md).
 1.  Start a remote PowerShell session from a PC and connect to Exchange.
--- a/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md
+++ b/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md
@ -16,7 +16,7 @@ ms.sitesec: library
 There are a few scenarios where you need to specify the domain name of your Skype for Business server:
 - **Multiple DNS suffixes** - When your Skype for Business infrastructure has disjointed namespaces such that one or more servers have a DNS suffix that doesn't match the suffix of the sign-in address (SIP) for Skype for Business.  
 - **Skype for Business and Exchange suffixes are different** - When the suffix of the sign-in address for Skype for Business differs from the suffix of the Exchange address used for the device account.
- **Working with certificates** - Large organizations with on-premise Skype for Business servers commonly use certificates with their own root certificate authority (CA). It is common for the CA domain to be different than the domain of the Skype for Business server which causes the certificate to not be trusted, and sign-in fails.  Skype needs to know the domain name of the certificate in order to set up a trust relationship. Enterprises typically use Group Policy to push this out to Skype desktop, but Group Policy is not supported on Surface Hub.
+- **Working with certificates** - Large organizations with on-premises Skype for Business servers commonly use certificates with their own root certificate authority (CA). It is common for the CA domain to be different than the domain of the Skype for Business server which causes the certificate to not be trusted, and sign-in fails.  Skype needs to know the domain name of the certificate in order to set up a trust relationship. Enterprises typically use Group Policy to push this out to Skype desktop, but Group Policy is not supported on Surface Hub.
 **To configure the domain name for your Skype for Business server**</br>
 1. On Surface Hub, open **Settings**.
--- a/education/windows/teacher-get-minecraft.md
+++ b/education/windows/teacher-get-minecraft.md
@ -28,7 +28,7 @@ To get started, go to http://education.minecraft.net/ and select **GET STARTED**
 ## Try Minecraft: Education Edition for Free 
-Minecraft: Education Edition is available for anyone to try, but there is a limit to the number of logins allowed before purchasing a subscription is required.
+Minecraft: Education Edition is available for anyone to try for free! The free trial is fully-functional but limited by the number of logins (25 for teachers and 10 for students) before a paid license will be required to continue playing.
 To learn more and get started, go to http://education.minecraft.net/ and select **GET STARTED**.
--- a/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md
+++ b/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md
@ -1,46 +1,41 @@
 ---
-title: How to Configure the Client to Receive Package and Connection Groups Updates From the Publishing Server (Windows 10)
+title: How to configure the client to receive package and connection groups updates from the publishing server (Windows 10)
-description: How to Configure the Client to Receive Package and Connection Groups Updates From the Publishing Server
+description: How to configure the client to receive package and connection groups updates from the publishing server.
 author: MaggiePucciEvans
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.prod: w10
-ms.date: 04/19/2017
+ms.date: 06/25/2018
 ---
 # How to configure the client to receive package and connection groups updates from the publishing server
 >Applies to: Windows 10, version 1607
-# How to Configure the Client to Receive Package and Connection Groups Updates From the Publishing Server
+The App-V publishing server's single-point management and high scalability lets you deploy packages and connection groups and keep them up to date.
-**Applies to**
+This article will tell you how to configure the App-V client to receive updates from the publishing server.
 -   Windows 10, version 1607
-Deploying packages and connection groups using the App-V publishing server is helpful because it offers single-point management and high scalability.
+>[!NOTE]
 >The following example has the management server installed on a computer named **MyMgmtSrv**, and the publishing server installed on a computer named **MyPubSrv**. If the computers you'll be configuring the App-V client on have different names, you should replace the example's names with your computer's names.
-Use the following steps to configure the App-V client to receive updates from the publishing server.
+## Configure the App-V client to receive updates from the publishing server
 **Note**<br>
 For the following procedures the management server was installed on a computer named **MyMgmtSrv**, and the publishing server was installed on a computer named **MyPubSrv**.
 **To configure the App-V client to receive updates from the publishing server**
 1.  Deploy the App-V management and publishing servers, and add the required packages and connection groups. For more information about adding packages and connection groups, see [How to Add or Upgrade Packages by Using the Management Console](appv-add-or-upgrade-packages-with-the-management-console.md) and [How to Create a Connection Group](appv-create-a-connection-group.md).
 2.  To open the management console click the following link, open a browser and type the following: http://MyMgmtSrv/AppvManagement/Console.html in a web browser, and import, publish, and entitle all the packages and connection groups which will be necessary for a particular set of users.
 1. Deploy the App-V management and publishing servers, and add the required packages and connection groups. For more information about adding packages and connection groups, see [How to add or upgrade packages by using the Management Console](appv-add-or-upgrade-packages-with-the-management-console.md) and [How to create a connection group](appv-create-a-connection-group.md).
 2. To open the management console, open a web browser and enter the following URL: <https://MyMgmtSrv/AppvManagement/Console.html>. Import, publish, and entitle all packages and connection groups that your users will need.
 3. On the computer running the App-V client, open an elevated Windows PowerShell command prompt, and run the following command:
-    `Add-AppvPublishingServer -Name ABC -URL http://MyPubSrv/AppvPublishing`
+    ```PowerShell
    Add-AppvPublishingServer -Name ABC -URL https://MyPubSrv/AppvPublishing
    ```
    This command will configure the specified publishing server. You should see output similar to the following:
-    ```
+    ```PowerShell
    Id                        : 1
    SetByGroupPolicy          : False
    Name                      : ABC
-    URL                       : http:// MyPubSrv/AppvPublishing
+    URL                       : https://MyPubSrv/AppvPublishing
    GlobalRefreshEnabled      : False
    GlobalRefreshOnLogon      : False
    GlobalRefreshInterval     : 0
@ -51,16 +46,18 @@ For the following procedures the management server was installed on a computer n
    UserRefreshIntervalUnit   : Day
    ```
-4.  On the computer running the App-V client, open a Windows PowerShell command prompt, and type the following command:
+4. On the computer running the App-V client, open a Windows PowerShell command prompt and enter the following cmdlet:
-    `Sync-AppvPublishingServer -ServerId 1`
+    ```PowerShell
    Sync-AppvPublishingServer -ServerId 1
    ```
-    The command will query the publishing server for the packages and connection groups that need to be added or removed for this particular client based on the entitlements for the packages and connection groups as configured on the management server.
+    This cmdlet will query the publishing server for which packages and connection groups need to be added or removed for this particular client based on your configured entitlements for the packages and connection groups on the management server.
 ## Have a suggestion for App-V?
-Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).<br>For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
+Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
 ## Related topics
-[Operations for App-V](appv-operations.md)
+* [Operations for App-V](appv-operations.md)
--- a/windows/application-management/app-v/appv-connect-to-the-management-console.md
+++ b/windows/application-management/app-v/appv-connect-to-the-management-console.md
@ -1,30 +1,28 @@
 ---
-title: How to Connect to the Management Console (Windows 10)
+title: How to connect to the Management Console (Windows 10)
-description: How to Connect to the Management Console
+description: How to Connect to the App-V Management Console.
 author: MaggiePucciEvans
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.prod: w10
-ms.date: 04/19/2017
+ms.date: 06/25/2018
 ---
 # How to connect to the Management Console
-# How to Connect to the Management Console
+>Applies to: Windows 10, version 1607
 **Applies to**
 -   Windows 10, version 1607
 Use the following procedure to connect to the App-V Management Console.
-**To connect to the App-V Management Console**
+## Connect to the App-V Management Console
-1.  Open Internet Explorer browser and type the address for the App-V Management server. For example, **https://\<_management server name_\>:\<_management service port number_\>/console.html**.
+1. Open your web browser and enter the address for the App-V Management server. For example, **https://\<_management server name_\>:\<_management service port number_\>/console.html**.
-2.  To view different sections of the console, click the desired section in the navigation pane.
+2. To view different sections of the console, select your desired section in the navigation pane.
 ## Have a suggestion for App-V?
-Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).<br>For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
+Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
 ## Related topics
--- a/windows/application-management/app-v/appv-connection-group-file.md
+++ b/windows/application-management/app-v/appv-connection-group-file.md
@ -1,159 +1,62 @@
 ---
-title: About the Connection Group File (Windows 10)
+title: About the connection group file (Windows 10)
-description: About the Connection Group File
+description: A summary of what the connection group file is and how to configure it.
 author: MaggiePucciEvans
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.prod: w10
-ms.date: 04/19/2017
+ms.date: 06/25/2018
 ---
 # About the connection group file
 >Applies to: Windows 10, version 1607
-# About the Connection Group File
+## Connection group file overview
-**Applies to**
+### What is a connection group?
 -   Windows 10, version 1607
-**In this topic:**
+A connection group is an App-V feature that can group packages together to create a virtual environment where applications within that package group can interact with each other.
-   [Connection group file purpose and location](#bkmk-cg-purpose-loc)
+For example, let's say you want to use plug-ins with Microsoft Office. You can create one package that contains the plug-ins and another package that contains Office, and then add both packages to the same connection group to enable Office to use those plug-ins.
-   [Structure of the connection group XML file](#bkmk-define-cg-5-0sp3)
+### How a connection group file works
-   [Configuring the priority of packages in a connection group](#bkmk-config-pkg-priority-incg)
+When you apply an App-V connection group file, all packages specified in the file will be combined at runtime into a single virtual environment. Use the Microsoft Application Virtualization (App-V) connection group file to configure existing App-V connection groups.
-   [Supported virtual application connection configurations](#bkmk-va-conn-configs)
+An example file path for a package file would be %APPDATA%\Microsoft\AppV\Client\Catalog\PackageGroups\{6CCC7575-162E-4152-9407-ED411DA138F4}\{4D1E16E1-8EF8-41ED-92D5-8910A8527F96}.
-## <a href="" id="bkmk-cg-purpose-loc"></a>Connection group file purpose and location
+## Structure of the connection group XML file
 This section will tell you more about the components of the connection group XML file.
-<table>
+### Parameters that define the connection group
 <colgroup>
 <col width="50%" />
 <col width="50%" />
 </colgroup>
 <tbody>
 <tr class="odd">
 <td align="left"><p>Connection group purpose</p></td>
 <td align="left"><p>A connection group is an App-V feature that enables you to group packages together to create a virtual environment in which the applications in those packages can interact with each other.</p>
 <p>Example: You want to use plug-ins with Microsoft Office. You can create a package that contains the plug-ins, and create another package that contains Office, and then add both packages to a connection group to enable Office to use those plug-ins.</p></td>
 </tr>
 <tr class="even">
 <td align="left"><p>How the connection group file works</p></td>
 <td align="left"><p>When you apply an App-V connection group file, the packages that are enumerated in the file will be combined at runtime into a single virtual environment. Use the Microsoft Application Virtualization (App-V) connection group file to configure existing App-V connection groups.</p></td>
 </tr>
 <tr class="odd">
 <td align="left"><p>Example file path</p></td>
 <td align="left"><p>%APPDATA%\Microsoft\AppV\Client\Catalog\PackageGroups\{6CCC7575-162E-4152-9407-ED411DA138F4}\{4D1E16E1-8EF8-41ED-92D5-8910A8527F96}.</p></td>
 </tr>
 </tbody>
 </table>
 ## <a href="" id="bkmk-define-cg-5-0sp3"></a>Structure of the connection group XML file
 **In this section:**
 -   [Parameters that define the connection group](#bkmk-params-define-cg)
 -   [Parameters that define the packages in the connection group](#bkmk-params-define-pkgs-incg)
 -   [App-V example connection group XML file](#bkmk-50sp3-exp-cg-xml)
 ### <a href="" id="bkmk-params-define-cg"></a>Parameters that define the connection group
 The following table describes the parameters in the XML file that define the connection group itself, not the packages.
-<table>
+|Field|Description|
-<colgroup>
+|-----|-----------|
-<col width="50%" />
+|Schema name|Name of the schema.</br>If you want to use the “optional packages” and “use any version” features described in this table, you must specify the following schema in the XML file:</br>`xmlns="https://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup"`|
-<col width="50%" />
+|AppConnectionGroupId|Unique GUID identifier for this connection group. The connection group state is associated with this identifier. Specify this identifier only when you create the connection group.</br>You can create a new GUID by entering **[Guid]::NewGuid()**.|
-</colgroup>
+|VersionId|Version GUID identifier for this version of the connection group.</br>When you update a connection group (for example, by adding or updating a new package), you must update the version GUID to reflect the new version.|
-<thead>
+|DisplayName|Display name of the connection group.|
-<tr class="header">
+|Priority|Optional priority field for the connection group.</br>A value of **0** indicates the highest priority.</br>If a priority is required but has not been configured, the package will fail because it can't determine the correct connection group to use.|
 <th align="left">Field</th>
 <th align="left">Description</th>
 </tr>
 </thead>
 <tbody>
 <tr class="odd">
 <td align="left"><p>Schema name</p></td>
 <td align="left"><p>Name of the schema.</p>
 <p>If you want to use the “optional packages” and “use any version” features that are described in this table, you must specify the following schema in the XML file:</p>
 <p><code>xmlns=&quot;https://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup&quot;</code></p></td>
 </tr>
 <tr class="even">
 <td align="left"><p>AppConnectionGroupId</p></td>
 <td align="left"><p>Unique GUID identifier for this connection group. The connection group state is associated with this identifier. Specify this identifier only when you create the connection group.</p>
 <p>You can create a new GUID by typing: <strong>[Guid]::NewGuid()</strong>.</p></td>
 </tr>
 <tr class="odd">
 <td align="left"><p>VersionId</p></td>
 <td align="left"><p>Version GUID identifier for this version of the connection group.</p>
 <p>When you update a connection group (for example, by adding or updating a new package), you must update the version GUID to reflect the new version.</p></td>
 </tr>
 <tr class="even">
 <td align="left"><p>DisplayName</p></td>
 <td align="left"><p>Display name of the connection group.</p></td>
 </tr>
 <tr class="odd">
 <td align="left"><p>Priority</p></td>
 <td align="left"><p>Optional priority field for the connection group.</p>
 <p><strong>“0”</strong> - indicates the highest priority.</p>
 <p>If a priority is required, but has not been configured, the package will fail because the correct connection group to use cannot be determined.</p></td>
 </tr>
 </tbody>
 </table>
- 
+### Parameters that define the packages in the connection group
 ### <a href="" id="bkmk-params-define-pkgs-incg"></a>Parameters that define the packages in the connection group
 In the &lt;Packages&gt; section of the connection group XML file, you list the member packages in the connection group by specifying each package’s unique package identifier and version identifier, as described in the following table. The first package in the list has the highest precedence.
-<table>
+|Field|Description|
-<colgroup>
+|---|---|
-<col width="50%" />
+|PackageId|Unique GUID identifier for this package. This GUID doesn’t change when newer versions of the package are published.|
-<col width="50%" />
+|VersionId|Unique GUID identifier for the version of the package. </br>If you specify “*” for the package version, the GUID of the latest available package version is dynamically inserted.|
-</colgroup>
+|IsOptional|Parameter that enables you to make a package optional within the connection group. Valid entries are:</br>- “**true**”—package is optional in the connection group</br>- “**false**”—package is required in the connection group|
 <thead>
 <tr class="header">
 <th align="left">Field</th>
 <th align="left">Description</th>
 </tr>
 </thead>
 <tbody>
 <tr class="odd">
 <td align="left"><p>PackageId</p></td>
 <td align="left"><p>Unique GUID identifier for this package. This GUID doesn’t change when newer versions of the package are published.</p></td>
 </tr>
 <tr class="even">
 <td align="left"><p>VersionId</p></td>
 <td align="left"><p>Unique GUID identifier for the version of the package.</p>
 <p>If you specify <strong>“*”</strong> for the package version, the GUID of the latest available package version is dynamically inserted.</p></td>
 </tr>
 <tr class="odd">
 <td align="left"><p>IsOptional</p></td>
 <td align="left"><p>Parameter that enables you to make a package optional within the connection group. Valid entries are:</p>
 <ul>
 <li><p><strong>“true”</strong> – package is optional in the connection group</p></li>
 <li><p><strong>“false”</strong> – package is required in the connection group</p></li>
 </ul>
 </td>
 </tr>
 </tbody>
 </table>
- 
+### App-V example connection group XML file
-### <a href="" id="bkmk-50sp3-exp-cg-xml"></a>App-V example connection group XML file
+The following example connection group XML file shows examples of the fields listed in the previous tables.
-The following example connection group XML file shows examples of the fields in the previous tables.
+```XML
 ```
 <?xml version="1.0" encoding="UTF-16"?>
 <appv:AppConnectionGroup
 xmlns="http://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup"
@ -176,8 +79,7 @@ xmlns:appv="http://schemas.microsoft.com/appv/2014/virtualapplicationconnectiong
  </appv:Packages>
 ```
-## <a href="" id="bkmk-config-pkg-priority-incg"></a>Configuring the priority of packages in a connection group
+## Configuring the priority of packages in a connection group
 Package precedence is configured using the package list order. The first package in the document has the highest precedence. Subsequent packages in the list have descending priority.
@ -185,84 +87,56 @@ Package precedence is the resolution for otherwise inevitable resource collision
 You can use the connection group file to configure each connection group by using the following methods:
-   Specify runtime priorities for connection groups. To edit priority by using the App-V Management Console, click the connection group and then click **Edit**.
+- Specify runtime priorities for connection groups. To edit priority by using the App-V Management Console, select the connection group and then select **Edit**.
    **Note**  
    Priority is required only if the package is associated with more than one connection group.
    >[!NOTE]
    >A package only requires priority if it's associated with more than one connection group.
 - Specify package precedence within the connection group.
-The priority field is required when a running virtual application initiates from a native application request, for example, Microsoft Windows Explorer. The App-V client uses the priority to determine which connection group virtual environment the application should run in. This situation occurs if a virtual application is part of multiple connection groups.
+The priority field is required when a running virtual application initiates from a native application request, such as Microsoft Windows Explorer. The App-V client uses the priority to determine which connection group virtual environment the application should run in. This situation occurs if a virtual application is part of multiple connection groups.
-If a virtual application is opened using another virtual application the virtual environment of the original virtual application will be used. The priority field is not used in this case.
+If a virtual application is opened using another virtual application, the client will use the orignal virtual application's virtual environment. The priority field is not used in this case.
-**Example:**
+The following is an example of priority configuration:
 The virtual application Microsoft Outlook is running in virtual environment **XYZ**. When you open an attached Microsoft Word document, a virtualized version Microsoft Word opens in the virtual environment **XYZ**, regardless of the virtualized Microsoft Word’s associated connection groups or runtime priorities.
-## <a href="" id="bkmk-va-conn-configs"></a>Supported virtual application connection configurations
+## Supported virtual application connection configurations
-The following application connection configurations are supported.
+App-V supports the following application connection configurations.
- **An. exe file and plug-in (.dll)**. For example, you might want to distribute Microsoft Office to all users, but distribute a Microsoft Excel plug-in to only a subset of users.
+- **An .exe file and plug-in (.dll)**. For example, you might want to distribute Microsoft Office to all users, but only distribute a Microsoft Excel plug-in to a small subset of those users.
    Enable the connection group for the appropriate users. Update each package individually as required.
- **An. exe file and a middleware application**. You might have an application that requires a middleware application, or several applications that all depend on the same middleware runtime version.
+- **An .exe file and a middleware application**. This is for cases where you have an application that requires a middleware application, or several applications that all depend on the same middleware runtime version.
    All computers that require one or more of the applications receive the connection groups with the application and middleware application runtime. You can optionally combine multiple middleware applications into a single connection group.
-    <table>
+    |Example|Example description|
-    <colgroup>
+    |---|---|
-    <col width="50%" />
+    |Virtual application connection group for the financial division|- Middleware application 1</br>- Middleware application 2</br>- Middleware application 3</br>- Middleware application runtime|
-    <col width="50%" />
+    |Virtual application connection group for HR division|- Middleware application 5</br>- Middleware application 6</br>- Middleware application runtime|
    </colgroup>
    <thead>
    <tr class="header">
    <th align="left">Example</th>
    <th align="left">Example description</th>
    </tr>
    </thead>
    <tbody>
    <tr class="odd">
    <td align="left"><p>Virtual application connection group for the financial division</p></td>
    <td align="left"><ul>
    <li><p>Middleware application 1</p></li>
    <li><p>Middleware application 2</p></li>
    <li><p>Middleware application 3</p></li>
    <li><p>Middleware application runtime</p></li>
    </ul></td>
    </tr>
    <tr class="even">
    <td align="left"><p>Virtual application connection group for HR division</p></td>
    <td align="left"><ul>
    <li><p>Middleware application 5</p></li>
    <li><p>Middleware application 6</p></li>
    <li><p>Middleware application runtime</p></li>
    </ul></td>
    </tr>
    </tbody>
    </table>
- **An. exe file and an .exe file**. You might have an application that relies on another application, and you want to keep the packages separate for operational efficiencies, licensing restrictions, or rollout timelines.
+- **An. exe file and an .exe file**. This is for cases where you have an application that relies on another application, but you want to keep the packages separate for operational efficiencies, licensing restrictions, or rollout timelines.
    For example, if you are deploying Microsoft Lync 2010, you can use three packages:
    - Microsoft Office 2010
    - Microsoft Communicator 2007
-    - Microsoft Lync 2010<br><br>
+    - Microsoft Lync 2010
  You can manage the deployment with the following connection groups:
  You can manage the deployment using the following connection groups:
    - Microsoft Office 2010 and Microsoft Communicator 2007
-    - Microsoft Office 2010 and Microsoft Lync 2010<br><br>
+    - Microsoft Office 2010 and Microsoft Lync 2010
-  When the deployment has completed, you can either create a single new Microsoft Office 2010 + Microsoft Lync 2010 package, or keep and maintain them as separate packages and deploy them by using a connection group.
+  After deployment, you can either create a single new Microsoft Office 2010 + Microsoft Lync 2010 package or keep and maintain them as separate packages and deploy them with a connection group.
 ## Have a suggestion for App-V?
-Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).<br>For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
+Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
 ## Related topics
-[Managing Connection Groups](appv-managing-connection-groups.md)
+- [Managing connection groups](appv-managing-connection-groups.md)
--- a/windows/application-management/app-v/appv-connection-group-virtual-environment.md
+++ b/windows/application-management/app-v/appv-connection-group-virtual-environment.md
@ -1,112 +1,69 @@
 ---
-title: About the Connection Group Virtual Environment (Windows 10)
+title: About the connection group virtual environment (Windows 10)
-description: About the Connection Group Virtual Environment
+description: Overview of how the connection group virtual environment works.
 author: MaggiePucciEvans
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.prod: w10
-ms.date: 04/19/2017
+ms.date: 06/25/2018
 ---
 # About the connection group virtual environment
 >Applies to: Windows 10, version 1607
-# About the Connection Group Virtual Environment
+## How package priority is determined
-**Applies to**
+The virtual environment and its current state are associated with the connection group, not with the individual packages. If you remove an App-V package from the connection group, the state that existed as part of the connection group will not migrate with the package.
 -   Windows 10, version 1607
 **In this topic:**
 -   [How package priority is determined](#bkmk-pkg-priority-deter)
 -   [Merging identical package paths into one virtual directory in connection groups](#bkmk-merged-root-ve-exp)
 ## <a href="" id="bkmk-pkg-priority-deter"></a>How package priority is determined
 The virtual environment and its current state are associated with the connection group, not with the individual packages. If an App-V package is removed from the connection group, the state that existed as part of the connection group will not migrate with the package.
 If the same package is a part of two different connection groups, you have to indicate which connection group App-V should use. For example, you might have two packages in a connection group that each define the same registry DWORD value.
 The connection group that is used is based on the order in which a package appears inside the **AppConnectionGroup** XML document:
 - The first package has the highest precedence.
 - The second package has the second highest precedence.
 Consider the following example section:
-``` syntax
+```XML
 <appv:Packages><appv:PackagePackageId="A8731008-4523-4713-83A4-CD1363907160"VersionId="E889951B-7F30-418B-A69C-B37283BC0DB9"/><appv:PackagePackageId="1DC709C8-309F-4AB4-BD47-F75926D04276"VersionId="01F1943B-C778-40AD-BFAD-AC34A695DF3C"/><appv:PackagePackageId="04220DCA-EE77-42BE-A9F5-96FD8E8593F2"VersionId="E15EFFE9-043D-4C01-BC52-AD2BD1E8BAFA"/></appv:Packages>
 ```
-Assume that same DWORD value ABC (HKEY\_LOCAL\_MACHINE\\software\\contoso\\finapp\\region) is defined in the first and third package, such as:
+Assume that same DWORD value ABC (HKEY\_LOCAL\_MACHINE\\software\\contoso\\finapp\\region) is defined in the first and third package.
 For this example, the DWORD value definition would be the following:
 - Package 1 (A8731008-4523-4713-83A4-CD1363907160): HKEY\_LOCAL\_MACHINE\\software\\contoso\\finapp\\region=5
 - Package 3 (04220DCA-EE77-42BE-A9F5-96FD8E8593F2): HKEY\_LOCAL\_MACHINE\\software\\contoso\\finapp\\region=10
 Since Package 1 appears first, the AppConnectionGroup's virtual environment will have the single DWORD value of 5 (HKEY\_LOCAL\_MACHINE\\software\\contoso\\finapp\\region=5). This means that the virtual applications in Package 1, Package 2, and Package 3 will all see the value 5 when they query for HKEY\_LOCAL\_MACHINE\\software\\contoso\\finapp\\region.
-Other virtual environment resources are resolved similarly, but the usual case is that the collisions occur in the registry.
+Other virtual environment resources are resolved in a similar way, but usually collisions occur in the registry.
-## <a href="" id="bkmk-merged-root-ve-exp"></a>Merging identical package paths into one virtual directory in connection groups
+## Merging identical package paths into one virtual directory in connection groups
 If two or more packages in a connection group contain identical directory paths, the paths are merged into a single virtual directory inside the connection group's virtual environment. Merging these paths allows an application in one package to access files that are in a different package.
-If two or more packages in a connection group contain identical directory paths, the paths are merged into a single virtual directory inside the connection group virtual environment. This merging of paths allows an application in one package to access files that are in a different package.
+When you remove a package from a connection group, the removed package's applications can no longer access files from packages in the connection group it was removed from.
-When you remove a package from a connection group, the applications in that removed package are no longer able to access files in the remaining packages in the connection group.
+App-V looks up a file’s name in the connection group in the order App-V packages are listed in the connection group manifest file.
 The order in which App-V looks up a file’s name in the connection group is specified by the order in which the App-V packages are listed in the connection group manifest file.
 The following example shows the order and relationship of a file name lookup in a connection group for **Package A** and **Package B**.
-<table>
+|Package A|Package B|
-<colgroup>
+|---|---|
-<col width="50%" />
+|C:\Windows\System32|C:\Windows\System32|
-<col width="50%" />
+|C:\AppTest|C:\AppTest|
 </colgroup>
 <thead>
 <tr class="header">
 <th align="left">Package A</th>
 <th align="left">Package B</th>
 </tr>
 </thead>
 <tbody>
 <tr class="odd">
 <td align="left"><p>C:\Windows\System32</p></td>
 <td align="left"><p>C:\Windows\System32</p></td>
 </tr>
 <tr class="even">
 <td align="left"><p>C:\AppTest</p></td>
 <td align="left"><p>C:\AppTest</p></td>
 </tr>
 </tbody>
 </table>
- 
+When a virtualized application tries to find a specific file, App-V will first for a matching file path in Package A. If it doesn't find a matching path in Package A, it will then search Package B using the following mapping rules:
-In the example above, when a virtualized application tries to find a specific file, Package A is searched first for a matching file path. If a matching path is not found, Package B is searched, using the following mapping rules:
+- If a file named **test.txt** exists in the same virtual folder hierarchy in both application packages, App-V will use the first matching file.
-
+- If a file named **bar.txt** exists in the virtual folder hierarchy of one application package, but not in the other, App-V will use the first matching file.
 -   If a file named **test.txt** exists in the same virtual folder hierarchy in both application packages, the first matching file is used.
 -   If a file named **bar.txt** exists in the virtual folder hierarchy of one application package, but not in the other, the first matching file is used.
 ## Have a suggestion for App-V?
-
+Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
 Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).<br>For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
 ## Related topics
-
+- [Managing Connection Groups](appv-managing-connection-groups.md)
 [Managing Connection Groups](appv-managing-connection-groups.md)
--- a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
+++ b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
@ -94,7 +94,7 @@ As you review the roles in your organization, you can use the following generali
 Your configuration requirements are defined by multiple factors, including the level of management needed, the devices and data managed, and your industry requirements. Meanwhile, employees are frequently concerned about IT applying strict policies to their personal devices, but they still want access to corporate email and documents. With Windows 10, you can create a consistent set of configurations across PCs, tablets, and phones through the common MDM layer. 
-**MDM**: [MDM](https://www.microsoft.com/en-us/cloud-platform/mobile-device-management) gives you a way to configure settings that achieve your administrative intent without exposing every possible setting. (In contrast, Group Policy exposes fine-grained settings that you control individually.) One benefit of MDM is that it enables you to apply broader privacy, security, and application management settings through lighter and more efficient tools. MDM also allows you to target Internet-connected devices to manage policies without using GP that requires on-premise domain joined devices. This makes MDM the best choice for devices that are constantly on the go.
+**MDM**: [MDM](https://www.microsoft.com/en-us/cloud-platform/mobile-device-management) gives you a way to configure settings that achieve your administrative intent without exposing every possible setting. (In contrast, Group Policy exposes fine-grained settings that you control individually.) One benefit of MDM is that it enables you to apply broader privacy, security, and application management settings through lighter and more efficient tools. MDM also allows you to target Internet-connected devices to manage policies without using GP that requires on-premises domain-joined devices. This makes MDM the best choice for devices that are constantly on the go.
 **Group Policy** and **System Center Configuration Manager**: Your organization might still need to manage domain joined computers at a granular level such as Internet Explorer’s 1,500 configurable Group Policy settings. If so, Group Policy and System Center Configuration Manager continue to be excellent management choices:
--- a/windows/client-management/mdm/accounts-csp.md
+++ b/windows/client-management/mdm/accounts-csp.md
@ -12,7 +12,7 @@ ms.date: 04/17/2018
 # Accounts CSP 
-The Accounts configuration service provider (CSP) is used by the enterprise (1) to rename a device, (2) to create a new local Windows account and joint it to a local user group. This CSP was added in Windows 10, version 1803.
+The Accounts configuration service provider (CSP) is used by the enterprise (1) to rename a device, (2) to create a new local Windows account and join it to a local user group. This CSP was added in Windows 10, version 1803.
 The following diagram shows the Accounts configuration service provider in tree format.
--- a/windows/client-management/mdm/appv-deploy-and-config.md
+++ b/windows/client-management/mdm/appv-deploy-and-config.md
@ -13,7 +13,7 @@ ms.date: 06/26/2017
 ## Executive summary
-<p>Microsoft Application Virtualization (App-V) apps have typically been configured, deployed, and managed through on-premise group policies using System Center Configuration Manager (SCCM) or App-V server. In Windows 10, version 1703, App-V apps can be configured, deployed, and managed using mobile device management (MDM), matching their on-premise counterparts.</p>
+<p>Microsoft Application Virtualization (App-V) apps have typically been configured, deployed, and managed through on-premises group policies using System Center Configuration Manager (SCCM) or App-V server. In Windows 10, version 1703, App-V apps can be configured, deployed, and managed using mobile device management (MDM), matching their on-premises counterparts.</p>
 <p>MDM services can be used to publish App-V packages to clients running Windows 10, version 1703 (or later). All capabilities such as App-V enablement, configuration, and publishing can be completed using the EnterpriseAppVManagement CSP.</p>
@ -79,7 +79,7 @@ ms.date: 06/26/2017
 ## Scenarios addressed in App-V MDM functionality
-<p>All App-V group policies will be reflected by having a corresponding CSP that can be set using the Policy CSP. The CSPs match all on-premise App-V configuration capabilities. In addition, new App-V package management capability has been added to closely match the App-V PowerShell functionality.</p>
+<p>All App-V group policies will be reflected by having a corresponding CSP that can be set using the Policy CSP. The CSPs match all on-premises App-V configuration capabilities. In addition, new App-V package management capability has been added to closely match the App-V PowerShell functionality.</p>
 <p>A complete list of App-V policies can be found here:</p>
--- a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md
+++ b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md
@ -30,7 +30,7 @@ On the desktop, you can create an Active Directory account, such as "enrollment@
 On the desktop and mobile devices, you can use an enrollment certificate or enrollment username and password, such as "enroll@contoso.com" and "enrollmentpassword." These credentials are used in the provisioning package, which you can use to enroll multiple devices to the MDM service. Once the devices are joined, many users can use them.
-> **Note**  
+>[!NOTE]  
 > -   Bulk-join is not supported in Azure Active Directory Join.
 > -   Bulk enrollment does not work in Intune standalone enviroment.
 > -   Bulk enrollment works in System Center Configuration Manager (SCCM) + Intune hybrid environment where the ppkg is generated from the SCCM console.
@ -47,7 +47,7 @@ On the desktop and mobile devices, you can use an enrollment certificate or enro
    Some organizations require custom APNs to be provisioned before talking to the enrollment endpoint or custom VPN to join a domain.
-## Create and apply a provisioning package for on-premise authentication
+## Create and apply a provisioning package for on-premises authentication
 Using the ICD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings.
--- a/windows/client-management/mdm/device-update-management.md
+++ b/windows/client-management/mdm/device-update-management.md
@ -630,7 +630,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
 > [!Important]  
 > Starting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enteprise and IoT Enterprise.
-<p style="margin-left: 20px">Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premise MDMs that need to update devices that cannot connect to the Internet.
+<p style="margin-left: 20px">Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet.
 <p style="margin-left: 20px">Supported operations are Get and Replace.
--- a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md
+++ b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md
@ -96,9 +96,9 @@ Example: Export the Debug logs
 </SyncML>
 ```
-## Collect logs from Windows 10 Mobile devices
+## Collect logs from Windows 10 Mobile devices
-Since there is no Event Viewer in Windows 10 Mobile, you can use the [Field Medic]( http://go.microsoft.com/fwlink/p/?LinkId=718232) app to collect logs.
+Since there is no Event Viewer in Windows 10 Mobile, you can use the [Field Medic](https://www.microsoft.com/en-us/p/field-medic/9wzdncrfjb82?activetab=pivot%3aoverviewtab) app to collect logs.
 **To collect logs manually**
@ -168,9 +168,9 @@ The following table contains a list of common providers and their corresponding
-## Collect logs remotely from Windows 10 Mobile devices
+## Collect logs remotely from Windows 10 Holographic or Windows 10 Mobile devices
-For mobile devices already enrolled in MDM, you can remotely collect MDM logs through the MDM channel using the [DiagnosticLog CSP](diagnosticlog-csp.md).
+For holographic or mobile devices already enrolled in MDM, you can remotely collect MDM logs through the MDM channel using the [DiagnosticLog CSP](diagnosticlog-csp.md).
 You can use the DiagnosticLog CSP to enable the ETW provider. The provider ID is 3DA494E4-0FE2-415C-B895-FB5265C5C83B. The following examples show how to enable the ETW provider:
--- a/windows/client-management/mdm/healthattestation-csp.md
+++ b/windows/client-management/mdm/healthattestation-csp.md
@ -138,11 +138,11 @@ The following is a list of functions performed by the Device HealthAttestation C
 </tr>
 <tr class="even">
 <td style="vertical-align:top">Device Health Attestation – On Premise<p>(DHA-OnPrem)</p></td>
-<td style="vertical-align:top"><p>DHA-OnPrem refers to DHA-Service that is running on premise:</p>
+<td style="vertical-align:top"><p>DHA-OnPrem refers to DHA-Service that is running on premises:</p>
 <ul>
 <li>Offered to Windows Server 2016 customer (no added licensing cost for enabling/running DHA-Service) </li>
 <li>Hosted on an enterprise owned and managed server device/hardware</li>
-<li>Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on premise and hybrid (Cloud + OnPrem) hardware attestation scenarios</li>
+<li>Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on-premises and hybrid (Cloud + OnPrem) hardware attestation scenarios</li>
 <li><p>Accessible to all enterprise managed devices via following:</p>
 <ul>
 <li>FQDN = (enterprise assigned)</li>
@ -151,14 +151,14 @@ The following is a list of functions performed by the Device HealthAttestation C
 </ul>
 </li>
 </ul></td>
-<td style="vertical-align:top">The operation cost of running one or more instances of Server 2016 on premise.</td>
+<td style="vertical-align:top">The operation cost of running one or more instances of Server 2016 on-premises.</td>
 </tr>
 <tr class="even">
 <td style="vertical-align:top">Device Health Attestation - Enterprise Managed Cloud<p>(DHA-EMC)</p></td>
 <td style="vertical-align:top"><p>DHA-EMC refers to an enterprise managed DHA-Service that is running as a virtual host/service on a Windows Server 2016 compatible - enterprise managed cloud service, such as Microsoft Azure.</p>
 <ul>
 <li>Offered to Windows Server 2016 customers with no additional licensing cost (no added licensing cost for enabling/running DHA-Service)</li>
-<li>Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on premise and hybrid (Cloud + OnPrem) hardware attestation scenarios </li>
+<li>Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on-premises and hybrid (Cloud + OnPrem) hardware attestation scenarios </li>
 <li><p>Accessible to all enterprise managed devices via following:</p>
 <ul>
 <li>FQDN = (enterprise assigned)</li>
@ -304,7 +304,7 @@ SSL-Session:
 There are three types of DHA-Service:
 - Device Health Attestation – Cloud (owned and operated by Microsoft)
- Device Health Attestation – On Premise (owned and operated by an enterprise, runs on Windows Server 2016 on premise)
+- Device Health Attestation – On Premise (owned and operated by an enterprise, runs on Windows Server 2016 on premises)
 - Device Health Attestation - Enterprise Managed Cloud (owned and operated by an enterprise, runs on Windows Server 2016 compatible enterprise managed cloud)
 DHA-Cloud is the default setting. No further action is required if an enterprise is planning to use Microsoft DHA-Cloud as the trusted DHA-Service provider.
--- a/windows/client-management/mdm/mobile-device-enrollment.md
+++ b/windows/client-management/mdm/mobile-device-enrollment.md
@ -62,7 +62,7 @@ The following topics describe the end-to-end enrollment process using various au
 ## Enrollment support for domain-joined devices
-Devices that are joined to an on-premise Active Directory can enroll into MDM via the Work access page in **Settings**. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device.
+Devices that are joined to an on-premises Active Directory can enroll into MDM via the Work access page in **Settings**. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device.
 ## Disable MDM enrollments
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
@ -1600,7 +1600,8 @@ Alternatively you can use the following procedure to create an EAP Configuration
 7.  Close the rasphone dialog box.
 8.  Continue following the procedure in the [EAP configuration](eap-configuration.md) topic from Step 9 to get an EAP TLS profile with appropriate filtering.
-> **Note**  You can also set all the other applicable EAP Properties through this UI as well. A guide for what these properties mean can be found in the [Extensible Authentication Protocol (EAP) Settings for Network Access](https://technet.microsoft.com/library/hh945104.aspx) topic.
+>[!NOTE]
 >You can also set all the other applicable EAP Properties through this UI as well. A guide for what these properties mean can be found in the [Extensible Authentication Protocol (EAP) Settings for Network Access](https://technet.microsoft.com/library/hh945104.aspx) topic.
 ### <a href="" id="remote"></a>Remote PIN reset not supported in Azure Active Directory joined mobile devices
@ -1617,7 +1618,7 @@ In Azure AD joined Windows 10 PC, provisioning /.User resources fails when the
 ### <a href="" id="kerberos"></a>Requirements to note for VPN certificates also used for Kerberos Authentication
-If you want to use the certificate used for VPN authentication also for Kerberos authentication (required if you need access to on-premise resources using NTLM or Kerberos), the user's certificate must meet the requirements for smart card certificate, the Subject field should contain the DNS domain name in the DN or the SAN should contain a fully qualified UPN so that the DC can be located from the DNS registrations. If certificates that do not meet these requirements are used for VPN, users may fail to access resources that require Kerberos authentication. This issue primarily impacts Windows Phone.
+If you want to use the certificate used for VPN authentication also for Kerberos authentication (required if you need access to on-premises resources using NTLM or Kerberos), the user's certificate must meet the requirements for smart card certificate, the Subject field should contain the DNS domain name in the DN or the SAN should contain a fully qualified UPN so that the DC can be located from the DNS registrations. If certificates that do not meet these requirements are used for VPN, users may fail to access resources that require Kerberos authentication. This issue primarily impacts Windows Phone.
 ### <a href="" id="pushbuttonreset"></a>Device management agent for the push-button reset is not working
@ -1626,6 +1627,28 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
 ## Change history in MDM documentation
 ### June 2018
 <table class="mx-tdBreakAll">
 <colgroup>
 <col width="25%" />
 <col width="75%" />
 </colgroup>
 <thead>
 <tr class="header">
 <th>New or updated topic</th>
 <th>Description</th>
 </tr>
 </thead>
 <tbody>
 <tr>
 <td style="vertical-align:top">[Diagnose MDM failures in Windows 10](diagnose-mdm-failures-in-windows-10.md)</td>
 <td style="vertical-align:top"><p>Added procedure for collecting logs remotely from Windows 10 Holographic.</p>
 </td></tr>
 </tbody>
 </table>
 ### May 2018
 <table class="mx-tdBreakAll">
@ -2204,7 +2227,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
 <td style="vertical-align:top">[Mobile device enrollment](mobile-device-enrollment.md)</td>
 <td style="vertical-align:top"><p>Added the following statement:</p>
 <ul>
-<li>Devices that are joined to an on-premise Active Directory can enroll into MDM via the Work access page in <strong>Settings</strong>. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device.</li>
+<li>Devices that are joined to an on-premises Active Directory can enroll into MDM via the Work access page in <strong>Settings</strong>. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device.</li>
 </ul>
 </td></tr>
 <tr class="odd">
--- a/windows/client-management/mdm/passportforwork-csp.md
+++ b/windows/client-management/mdm/passportforwork-csp.md
@ -76,7 +76,7 @@ This cloud service encrypts a recovery secret, which is stored locally on the cl
 <p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.
 <a href="" id="tenantid-policies-usecertificateforonpremauth--only-for---device-vendor-msft-"></a>***TenantId*/Policies/UseCertificateForOnPremAuth** (only for ./Device/Vendor/MSFT)  
-<p style="margin-left: 20px">Boolean value that enables Windows Hello for Business to use certificates to authenticate on-premise resources.
+<p style="margin-left: 20px">Boolean value that enables Windows Hello for Business to use certificates to authenticate on-premises resources.
 <p style="margin-left: 20px">If you enable this policy setting, Windows Hello for Business will wait until the device has received a certificate payload from the mobile device management server before provisioning a PIN.
--- a/windows/client-management/mdm/passportforwork-ddf.md
+++ b/windows/client-management/mdm/passportforwork-ddf.md
@ -657,7 +657,7 @@ If you disable or do not configure this policy setting, the PIN recovery secret
                  <Replace />
                </AccessType>
                <DefaultValue>False</DefaultValue>
-                <Description>Windows Hello for Business can use certificates to authenticate to on-premise resources. 
+                <Description>Windows Hello for Business can use certificates to authenticate to on-premises resources. 
 If you enable this policy setting, Windows Hello for Business will wait until the device has received a certificate payload from the mobile device management server before provisioning a PIN.
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@ -4790,7 +4790,6 @@ The following diagram shows the Policy configuration service provider in tree fo
 -   [Security/RequireDeviceEncryption](#security-requiredeviceencryption)  
 -   [Settings/AllowDateTime](#settings-allowdatetime)  
 -   [Settings/AllowVPN](#settings-allowvpn)  
 -   [System/AllowFontProviders](#system-allowfontproviders)  
 -   [System/AllowLocation](#system-allowlocation)  
 -   [System/AllowTelemetry](#system-allowtelemetry)  
 -   [Update/AllowAutoUpdate](#update-allowautoupdate)  
--- a/windows/client-management/mdm/policy-csp-authentication.md
+++ b/windows/client-management/mdm/policy-csp-authentication.md
@ -283,7 +283,7 @@ The following list shows the supported values:
 <!--Description-->
 Added in Windows 10, version 1607. Allows secondary authentication devices to work with Windows.
-The default for this policy must be on for consumer devices (defined as local or Microsoft account connected device) and off for enterprise devices (such as cloud domain-joined, cloud domain-joined in an on-premise only environment, cloud domain-joined in a hybrid environment, and BYOD).
+The default for this policy must be on for consumer devices (defined as local or Microsoft account connected device) and off for enterprise devices (such as cloud domain-joined, cloud domain-joined in an on-premises only environment, cloud domain-joined in a hybrid environment, and BYOD).
 <!--/Description-->
 <!--ADMXMapped-->
--- a/windows/client-management/mdm/policy-csp-bitlocker.md
+++ b/windows/client-management/mdm/policy-csp-bitlocker.md
@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 05/14/2018
+ms.date: 06/22/2018
 ---
 # Policy CSP - Bitlocker
@ -68,34 +68,6 @@ Specifies the BitLocker Drive Encryption method and cipher strength.
 > [!NOTE]
 > XTS-AES 128-bit and XTS-AES 256-bit values are only supported on Windows 10 for desktop.
 You can find the following policies in BitLocker CSP:
 <dl>
  <dd>
    <a href="./bitlocker-csp.md#encryptionmethodbydrivetype" id="encryptionmethodbydrivetype">BitLocker/EncryptionMethodByDriveType</a>
  </dd>
  <dd>
    <a href="./bitlocker-csp.md#fixeddrivesrecoveryoptions" id="fixeddrivesrecoveryoptions">BitLocker/FixedDrivesRecoveryOptions</a>
  </dd>
  <dd>
    <a href="./bitlocker-csp.md#fixeddrivesrequireencryption" id="fixeddrivesrequireencryption">BitLocker/FixedDrivesRequireEncryption</a>
  </dd>
  <dd>
    <a href="./bitlocker-csp.md#removabledrivesrequireencryption" id="removabledrivesrequireencryption">BitLocker/RemovableDrivesRequireEncryption</a>
  </dd>
  <dd>
    <a href="./bitlocker-csp.md#systemdrivesminimumpinlength" id="systemdrivesminimumpinlength">BitLocker/SystemDrivesMinimumPINLength</a>
  </dd>
  <dd>
    <a href="./bitlocker-csp.md#systemdrivesrecoverymessage" id="systemdrivesrecoverymessage">BitLocker/SystemDrivesRecoveryMessage</a>
  </dd>
  <dd>
    <a href="./bitlocker-csp.md#systemdrivesrecoveryoptions" id="systemdrivesrecoveryoptions">BitLocker/SystemDrivesRecoveryOptions</a>
  </dd>
  <dd>
    <a href="./bitlocker-csp.md#systemdrivesrequirestartupauthentication" id="systemdrivesrequirestartupauthentication">BitLocker/SystemDrivesRequireStartupAuthentication</a>
  </dd>
 </dl>
 <!--/Description-->
 <!--SupportedValues-->
 The following list shows the supported values:
--- a/windows/client-management/mdm/policy-csp-browser.md
+++ b/windows/client-management/mdm/policy-csp-browser.md
@ -1,12 +1,12 @@
 ---
 title: Policy CSP - Browser
 description: Policy CSP - Browser
 ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: MariciaAlforque
+author: shortpatti
-ms.date: 05/14/2018
+ms.author: pashort
 ms.date: 06/21/2018
 ---
 # Policy CSP - Browser
@ -181,10 +181,9 @@ ms.date: 05/14/2018
 <!--/Scope-->
 <!--Description-->
-Added in Windows 10, version 1703. Specifies whether to allow the address bar drop-down functionality in Microsoft Edge. If you want to minimize network connections from Microsoft Edge to Microsoft services, we recommend disabling this functionality. 
+Added in Windows 10, version 1703. 
-> [!NOTE]
+By default, Microsoft Edge shows the Address bar drop-down list and makes it available.  When enabled (default setting), this policy takes precedence over the [Browser/AllowSearchSuggestionsinAddressBar](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsearchsuggestionsinaddressbar) policy. If you want to minimize network connections from Microsoft Edge to Microsoft service, we recommend disabling this policy, which hides the Address bar drop-down list functionality. When disabled, Microsoft Edge also disables the _Show search and site suggestions as I type_ toggle in Settings.  
 > Disabling this setting turns off the address bar drop-down functionality. Because search suggestions are shown in the drop-down list, this setting takes precedence over the Browser/AllowSearchSuggestionsinAddressBar setting.
 Most restricted value is 0.
@ -245,7 +244,7 @@ The following list shows the supported values:
 <!--/Scope-->
 <!--Description-->
-Specifies whether autofill on websites is allowed.
+By default, users can choose to use Autofill for filling in form fields automatically.  With this policy, you can configure Microsoft Edge, when enabled to use Autofill or, when disabled to prevent using Autofill. 
 Most restricted value is 0.
@ -318,13 +317,10 @@ To verify AllowAutofill is set to 0 (not allowed):
 > [!NOTE]
 > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. For desktop devices, use the [AppLocker CSP](applocker-csp.md) instead.
-
+By default, the device allows Microsoft Edge on Windows 10 Mobile. Disabling this policy disables the Microsoft Edge tile, and when clicking the tile, a message opens indicating that the administrator disabled Internet browsing.
 Specifies whether the browser is allowed on the device.
 Most restricted value is 0.
 When this policy is set to 0 (not allowed), the Microsoft Edge for Windows 10 Mobile tile will appear greyed out, and clicking on the tile will display a message indicating theat Internet browsing has been disabled by your administrator.
 <!--/Description-->
 <!--SupportedValues-->
 The following list shows the supported values:
@ -374,7 +370,7 @@ The following list shows the supported values:
 <!--/Scope-->
 <!--Description-->
-This policy setting lets you decide whether Microsoft Edge can automatically update the configuration data for the Books Library.
+By default, Microsoft Edge automatically updates the configuration data for the Books Library.  Enabling this policy prevents Microsoft Edge from updating the configuration data. 
 <!--/Description-->
 <!--SupportedValues-->
@ -425,7 +421,7 @@ The following list shows the supported values:
 <!--/Scope-->
 <!--Description-->
-Specifies whether cookies are allowed.
+By default, Microsoft Edge allows all cookies from all websites.  With this policy, however, you can configure Microsoft to block only 3rd-party cookies or block all cookies. 
 Most restricted value is 0.
@ -443,9 +439,9 @@ ADMX Info:
 <!--SupportedValues-->
 The following list shows the supported values:
-   0 – Block all cookies
+-   0 – Block all cookies from all sites.
-   1 – Block only third party cookies
+-   1 – Block only cookies from third party websites.
-   2 - Allow cookies
+-   2 - Allow all cookies from all sites.
 <!--/SupportedValues-->
 <!--Validation-->
@ -501,8 +497,7 @@ To verify AllowCookies is set to 0 (not allowed):
 > [!NOTE]
 > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
+By default, Microsoft Edge allows users to use the F12 developer tools to build and debug web pages. Disabling this policy prevents users from using the F12 developer tools.
 Specifies whether employees can use F12 Developer Tools on Microsoft Edge. Turning this setting on, or not configuring it, lets employees use F12 Developer Tools. Turning this setting off stops employees from using F12 Developer Tools.
 Most restricted value is 0.
@ -563,7 +558,7 @@ The following list shows the supported values:
 <!--/Scope-->
 <!--Description-->
-Specifies whether Do Not Track headers are allowed.
+By default, Microsoft Edge does not send Do Not Track requests to websites asking for tracking information, but users can choose to send tracking information to sites they visit. With this policy, you can configure Microsoft Edge to send or never send tracking information.
 Most restricted value is 1.
@ -579,8 +574,10 @@ ADMX Info:
 <!--SupportedValues-->
 The following list shows the supported values:
-   0 (default) – Not allowed.
+-	Blank/Null (default) Not configured - Does not send tracking information, but allow users to choose whether to send tracking information to sites they visit.
-   1 – Allowed.
+-	0 (Disabled) - Never sends tracking information.
 -	1 (Enabled) - Sends tracking information, including to the third parties whose content may be hosted on the sites visited.
 <!--/SupportedValues-->
 <!--Validation-->
@ -2381,7 +2378,7 @@ ADMX Info:
 > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-Specifies whether to send intranet traffic over to Internet Explorer.
+By default, all websites, including intranet sites, open in Microsoft Edge automatically.  Only enable this policy if there are known compatibility problems with Microsoft Edge.  Enabling this policy loads only intranet sites in Internet Explorer 11 automatically.
 Most restricted value is 0.
@ -2397,8 +2394,9 @@ ADMX Info:
 <!--SupportedValues-->
 The following list shows the supported values:
-   0 (default) – Intranet traffic is sent to Internet Explorer.
+- 0 (default) - All websites, including intranet sites, open in Microsoft Edge automatically.
-   1 – Intranet traffic is sent to Microsoft Edge.
+- 1 - Only intranet sites open in Internet Explorer 11 automatically.
 <!--/SupportedValues-->
 <!--/Policy-->
--- a/windows/client-management/mdm/policy-csp-system.md
+++ b/windows/client-management/mdm/policy-csp-system.md
@ -1204,7 +1204,6 @@ Footnote:
 <!--StartHoloLens-->
 ## <a href="" id="hololenspolicies"></a>System policies supported by Windows Holographic for Business  
 -   [System/AllowFontProviders](#system-allowfontproviders)  
 -   [System/AllowLocation](#system-allowlocation)  
 -   [System/AllowTelemetry](#system-allowtelemetry)  
 <!--EndHoloLens-->
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@ -2968,7 +2968,7 @@ The following list shows the supported values:
 > [!Important]  
 > Starting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enteprise and IoT Mobile.
-Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premise MDMs that need to update devices that cannot connect to the Internet.
+Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet.
 Supported operations are Get and Replace.
--- a/windows/client-management/mdm/provisioning-csp.md
+++ b/windows/client-management/mdm/provisioning-csp.md
@ -40,7 +40,7 @@ The full URL for the discovery service.
 <a href="" id="provisioning-enrollments-upn-secret"></a>**Provisioning/Enrollments/*UPN*/Secret**  
 This information is dependent on the AuthPolicy being used. Possible values:
-   Password string for on-premise authentication enrollment
+-   Password string for on-premises authentication enrollment
 -   Federated security token for federated enrollment
 -   Certificate thumb print for certificated based enrollment
--- a/windows/configuration/lock-down-windows-10-to-specific-apps.md
+++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md
@ -736,7 +736,7 @@ Start/DisableContextMenus | 1 - Context menus are hidden for Start apps | No
 <span id="lnk-files" />
 ## Provision .lnk files using Windows Configuration Designer
-First, create your desktop app's shortcut file by installing the app on a test device. Right-click the installed application, and choose **Send to** > **Desktop (create shortcut)**. Rename the shortcut to `<appName>.lnk`
+First, create your desktop app's shortcut file by installing the app on a test device, using the default installation location. Right-click the installed application, and choose **Send to** > **Desktop (create shortcut)**. Rename the shortcut to `<appName>.lnk`
 Next, create a batch file with two commands. If the desktop app is already installed on the target device, skip the first command for MSI install. 
--- a/windows/configuration/wcd/wcd-workplace.md
+++ b/windows/configuration/wcd/wcd-workplace.md
@ -32,7 +32,7 @@ Select **Enrollments**, enter a UPN, and then click **Add** to configure the set
 | DiscoveryServiceFullUrl | URL | The full URL for the discovery service |
 | EnrollmentServiceFullUrl | URL | The full URL for the enrollment service |
 | PolicyServiceFullUrl | URL | The full URL for the policy service |
-| Secret | - Password string for on-premise authentication enrollment</br>- Federated security token for federated enrollment</br>- Certificate thumb print for certificate-based enrollment | Enter the appropriate value for the selected AuthPolicy  |
+| Secret | - Password string for on-premises authentication enrollment</br>- Federated security token for federated enrollment</br>- Certificate thumb print for certificate-based enrollment | Enter the appropriate value for the selected AuthPolicy  |
 ## Related topics
--- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
@ -634,7 +634,7 @@ Follow these steps to create a bootable USB stick from the offline media content
 ## <a href="" id="sec11"></a>Unified Extensible Firmware Interface (UEFI)-based deployments
-As referenced in [Windows 10 deployment tools](https://go.microsoft.com/fwlink/p/?LinkId=619546), Unified Extensible Firmware Interface (UEFI)-based deployments are becoming more common. In fact, when you create a generation 2 virtual machine in Hyper-V, you get a UEFI-based computer. During deployment, MDT automatically detects that you have an UEFI-based machine and creates the partitions UEFI requires. You do not need to update or change your task sequences in any way to accommodate UFEI.
+As referenced in [Windows 10 deployment tools](https://go.microsoft.com/fwlink/p/?LinkId=619546), Unified Extensible Firmware Interface (UEFI)-based deployments are becoming more common. In fact, when you create a generation 2 virtual machine in Hyper-V, you get a UEFI-based computer. During deployment, MDT automatically detects that you have an UEFI-based machine and creates the partitions UEFI requires. You do not need to update or change your task sequences in any way to accommodate UEFI.
 ![figure 14](../images/mdt-07-fig16.png)
--- a/windows/deployment/update/device-health-get-started.md
+++ b/windows/deployment/update/device-health-get-started.md
@ -26,7 +26,7 @@ Steps are provided in sections that follow the recommended setup process:
 ## Add Device Health to Microsoft Operations Management Suite or Azure Log Analytics
-Device Health is offered as a solution in the Microsoft Operations Management Suite (OMS) and Azure Log Analytics, a collection of cloud-based servicing for monitoring and automating your on-premise and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/) or the Azure [Log Analytics overview](https://azure.microsoft.com/services/log-analytics/).
+Device Health is offered as a solution in the Microsoft Operations Management Suite (OMS) and Azure Log Analytics, a collection of cloud-based servicing for monitoring and automating your on-premises and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/) or the Azure [Log Analytics overview](https://azure.microsoft.com/services/log-analytics/).
 **If you are already using Windows Analytics**, you should use the same Azure Log Analytics workspace you're already using. Find Device Health in the Solutions Gallery. Select the **Device Health** tile in the gallery and then click **Add** on the solution's details page. Device Health is now visible in your workspace. While you're in the Solutions Gallery, you should consider installing the [Upgrade Readiness](../upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md)  and [Update Compliance](update-compliance-monitor.md) solutions as well, if you haven't already.
--- a/windows/deployment/update/update-compliance-get-started.md
+++ b/windows/deployment/update/update-compliance-get-started.md
@ -25,7 +25,7 @@ Steps are provided in sections that follow the recommended setup process:
 ## Add Update Compliance to Microsoft Operations Management Suite or Azure Log Analytics
-Update Compliance is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premise and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/) or the Azure [Log Analytics overview](https://azure.microsoft.com/services/log-analytics/).
+Update Compliance is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premises and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/) or the Azure [Log Analytics overview](https://azure.microsoft.com/services/log-analytics/).
 >[!IMPORTANT]
 >Update Compliance is a free solution for Azure subscribers.
--- a/windows/deployment/upgrade/upgrade-readiness-requirements.md
+++ b/windows/deployment/upgrade/upgrade-readiness-requirements.md
@ -38,7 +38,7 @@ While Upgrade Readiness can be used to assist with updating devices from Windows
 ## Operations Management Suite or Azure Log Analytics
-Upgrade Readiness is offered as a solution in Microsoft Operations Management Suite (OMS) and Azure Log Analytics, a collection of cloud based services for managing on premise and cloud computing environments. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/) or the Azure [Log Analytics overview](https://azure.microsoft.com/services/log-analytics/).
+Upgrade Readiness is offered as a solution in Microsoft Operations Management Suite (OMS) and Azure Log Analytics, a collection of cloud based services for managing on premises and cloud computing environments. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/) or the Azure [Log Analytics overview](https://azure.microsoft.com/services/log-analytics/).
 If you’re already using OMS or Azure Log Analytics, you’ll find Upgrade Readiness in the Solutions Gallery. Click the **Upgrade Readiness** tile in the gallery and then click **Add** on the solution’s details page. Upgrade Readiness is now visible in your workspace. You can also 
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@ -1625,7 +1625,7 @@ To turn this off:
 ### <a href="" id="bkmk-spp"></a>18. Software Protection Platform
-Enterprise customers can manage their Windows activation status with volume licensing using an on-premise Key Management Server. You can opt out of sending KMS client activation data to Microsoft automatically by doing one of the following:
+Enterprise customers can manage their Windows activation status with volume licensing using an on-premises Key Management Server. You can opt out of sending KMS client activation data to Microsoft automatically by doing one of the following:
 For Windows 10:
--- a/windows/security/hardware-protection/tpm/trusted-platform-module-overview.md
+++ b/windows/security/hardware-protection/tpm/trusted-platform-module-overview.md
@ -8,7 +8,7 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: high
 author: brianlic-msft
-ms.date: 07/27/2017
+ms.date: 06/18/2018
 ---
 # Trusted Platform Module Technology Overview
--- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
@ -73,7 +73,7 @@ A deployment's trust type defines how each Windows Hello for Business client aut
 The key trust type does not require issuing authentication certificates to end users.  Users authenticate using a hardware-bound key created during an in-box provisioning experience, which requires an adequate distribution of Windows Server 2016 domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment.  Read the [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
-The certificate trust type issues authentication certificates to end users.  Users authenticate using a certificate requested using a hardware-bound key created during the in-box provisioning experience.  Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers.  Users can authentication using their certificate to any Windows Server 2008 R2 or later domain controller.
+The certificate trust type issues authentication certificates to end users.  Users authenticate using a certificate requested using a hardware-bound key created during the in-box provisioning experience.  Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers.  Users can authentice using their certificate to any Windows Server 2008 R2 or later domain controller.
 #### Device registration
--- a/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md
@ -8,7 +8,7 @@ ms.sitesec: library
 ms.pagetype: security
 localizationpriority: high
 author: brianlic-msft
-ms.date: 05/03/2018
+ms.date: 06/25/2018
 ---
 # BitLocker Deployment and Administration FAQ
@ -44,12 +44,12 @@ No, BitLocker does not encrypt and decrypt the entire drive when reading and wri
 ## How can I prevent users on a network from storing data on an unencrypted drive?
-You can can Group Policy settings to require that data drives be BitLocker-protected before a BitLocker-protected computer can write data to them. For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
+You can configure Group Policy settings to require that data drives be BitLocker-protected before a BitLocker-protected computer can write data to them. For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
 When these policy settings are enabled, the BitLocker-protected operating system will mount any data drives that are not protected by BitLocker as read-only.
 ## What is Used Disk Space Only encryption?
-BitLocker in Windows 10 lets users choose to encrypt just their data. Although it's not the most secure way to encrypt a drive, this option can reduce encryption time by more than 99 percent, depending on how much data that needs to beencrypted. For more information, see [Used Disk Space Only encryption](bitlocker-device-encryption-overview-windows-10.md#used-disk-space-only-encryption).
+BitLocker in Windows 10 lets users choose to encrypt just their data. Although it's not the most secure way to encrypt a drive, this option can reduce encryption time by more than 99 percent, depending on how much data that needs to be encrypted. For more information, see [Used Disk Space Only encryption](bitlocker-device-encryption-overview-windows-10.md#used-disk-space-only-encryption).
 ## What system changes would cause the integrity check on my operating system drive to fail?
--- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
@ -79,7 +79,7 @@ For planned scenarios, such as a known hardware or firmware upgrades, you can av
 >**Note:**  If suspended BitLocker will automatically resume protection when the PC is rebooted, unless a reboot count is specified using the manage-bde command line tool.
-If software maintenance requires the computer be restarted and you are using two-factor authentication, you can enable BitLocker Network Unlock to provide the secondary authentication factor when the computers do not have an on-premise user to provide the additional authentication method.
+If software maintenance requires the computer be restarted and you are using two-factor authentication, you can enable BitLocker Network Unlock to provide the secondary authentication factor when the computers do not have an on-premises user to provide the additional authentication method.
 Recovery has been described within the context of unplanned or undesired behavior, but you can also cause recovery as an intended production scenario, in order to manage access control. For example, when you redeploy desktop or laptop computers to other departments or employees in your enterprise, you can force BitLocker into recovery before the computer is given to a new user.
--- a/windows/security/threat-protection/get-support-for-security-baselines.md
+++ b/windows/security/threat-protection/get-support-for-security-baselines.md
@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.localizationpriority: high
 ms.author: sagaudre
 author: brianlic-msft
-ms.date: 05/01/2018
+ms.date: 06/25/2018
 ---
 # Get Support
@ -25,7 +25,7 @@ Any version of Windows baseline before Windows 10 1703 can still be downloaded u
 -   [SCM 4.0 Download](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)
 -   [SCM Frequently Asked Questions (FAQ)](https://social.technet.microsoft.com/wiki/contents/articles/1836.microsoft-security-compliance-manager-scm-frequently-asked-questions-faq.aspx)
 -   [SCM Release Notes](https://social.technet.microsoft.com/wiki/contents/articles/1864.microsoft-security-compliance-manager-scm-release-notes.aspx)
-   [SCM Baseline Download Help](https://social.technet.microsoft.com/wiki/contents/articles/1865.microsoft-security-compliance-manager-scm-baseline-download-help.aspx)
+-   [SCM baseline download help](https://social.technet.microsoft.com/wiki/contents/articles/1865.microsoft-security-compliance-manager-scm-baseline-download-help.aspx)
 **What file formats are supported by the new SCT?**
@ -94,4 +94,4 @@ Internet Explorer 11 | [SecGuide](https://blogs.technet.microsoft.com/secguide/2
 ## See also
-[Windows Security Baselines](windows-security-baselines.md)
+[Windows security baselines](windows-security-baselines.md)
--- a/windows/security/threat-protection/security-compliance-toolkit-10.md
+++ b/windows/security/threat-protection/security-compliance-toolkit-10.md
@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.localizationpriority: high
 ms.author: sagaudre
 author: brianlic-msft
-ms.date: 05/01/2018
+ms.date: 06/25/2018
 ---
 # Microsoft Security Compliance Toolkit 1.0
@ -21,7 +21,7 @@ The SCT enables administrators to effectively manage their enterprise’s Group
 The Security Compliance Toolkit consists of:
-   Windows 10 Security Baselines
+-   Windows 10 security baselines
    -   Windows 10 Version 1803 (April 2018 Update)
    -   Windows 10 Version 1709 (Fall Creators Update)
    -   Windows 10 Version 1703 (Creators Update)
@ -29,11 +29,11 @@ The Security Compliance Toolkit consists of:
    -   Windows 10 Version 1511 (November Update)
    -   Windows 10 Version 1507
-   Windows Server Security Baselines
+-   Windows Server security baselines
    -   Windows Server 2016
    -   Windows Server 2012 R2
-   Microsoft Office Security Baselines
+-   Microsoft Office security baseline
    -   Office 2016 
 -   Tools
--- a/windows/security/threat-protection/windows-defender-atp/images/advanced-hunting-query-example.PNG
+++ b/windows/security/threat-protection/windows-defender-atp/images/advanced-hunting-query-example.PNG
--- a/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md
@ -103,7 +103,7 @@ Use optional query parameters to specify and control the amount of data returned
 Name | Value| Description
 :---|:---|:---
-DateTime?sinceTimeUtc | string | Defines the lower time bound alerts are retrieved from, based on field: <br> `LastProccesedTimeUtc` <br> The time range will be: from sinceTimeUtc time to current time. <br><br> **NOTE**: When not specified, all alerts generated in the last two hours are retrieved.
+DateTime?sinceTimeUtc | string | Defines the lower time bound alerts are retrieved from, based on field: <br> `LastProcessedTimeUtc` <br> The time range will be: from sinceTimeUtc time to current time. <br><br> **NOTE**: When not specified, all alerts generated in the last two hours are retrieved.
 DateTime?untilTimeUtc | string | Defines the upper time bound alerts are retrieved. <br> The time range will be: from `sinceTimeUtc` time to `untilTimeUtc` time. <br><br> **NOTE**: When not specified, the default value will be the current time.
 string ago | string | Pulls alerts in the following time range: from `(current_time - ago)` time to `current_time` time. <br><br> Value should be set according to **ISO 8601** duration format <br> E.g. `ago=PT10M` will pull alerts received in the last 10 minutes.
 int?limit | int | Defines the number of alerts to be retrieved. Most recent alerts will be retrieved based on the number defined.<br><br> **NOTE**: When not specified, all alerts available in the time range will be retrieved.
--- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md
@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 02/26/2018
+ms.date: 06/25/2018
 ---
 # Troubleshoot custom threat intelligence issues
@ -39,7 +39,9 @@ If your client secret expires or if you've misplaced the copy provided when you
 3. Select your tenant.
-4. Click **App registrations** > **All apps**. Then select the application name **WindowsDefenderATPThreatIntelAPI** (formerly known as **WindowsDefenderATPCustomerTiConnector**).
+4. Click **App registrations** > **All apps**. Then select the relevant application name:
    - **WindowsDefenderATPThreatIntelAPI** (formerly known as **WindowsDefenderATPCustomerTiConnector**)
    - **WindowsDefenderATPSiemConnector**
 5. Under **Settings**, select **Keys**, then provide a key description and specify the key validity duration.
--- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md
@ -69,7 +69,7 @@ If the portal dashboard, and other sections show an error message such as "Data
 ![Image of data currently isn't available](images/atp-data-not-available.png)
-You'll need to whitelist the `security.windows.com` and all sub-domains under it. For example `*security.windows.com`.
+You'll need to whitelist the `securitycenter.windows.com` and all sub-domains under it. For example `*.securitycenter.windows.com`.
 ## Related topics
--- a/windows/security/threat-protection/windows-security-baselines.md
+++ b/windows/security/threat-protection/windows-security-baselines.md
@ -1,16 +1,16 @@
 ---
-title: Windows Security Baselines
+title: Windows security baselines
-description: This article, and the articles it links to, describe how to use Windows Security Baselines in your organization
+description: This article, and the articles it links to, describe how to use Windows security baselines in your organization
 keywords: virtualization, security, malware
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.localizationpriority: high
 ms.author: sagaudre
 author: brianlic-msft
-ms.date: 05/01/2018
+ms.date: 06/25/2018
 ---
-# Windows Security Baselines
+# Windows security baselines
 **Applies to**