Merge branch 'master' of https://github.com/MicrosoftDocs/windows-docs-pr into tocideas

windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md

@@ -151,7 +151,7 @@ $oulist = Import-csv -Path c:\oulist.txt
 ForEach($entry in $oulist){
     $ouname = $entry.ouname
     $oupath = $entry.oupath
-    New-ADOrganizationalUnit -Name $ouname -Path $oupath -WhatIf
+    New-ADOrganizationalUnit -Name $ouname -Path $oupath
     Write-Host -ForegroundColor Green "OU $ouname is created in the location $oupath"
 }
 ```

windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md

@@ -31,15 +31,15 @@ To configure your environment for BitLocker, you will need to do the following:
 4. Configure the rules (CustomSettings.ini) for BitLocker.
 
 > [!NOTE]
-> Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery password in Active Directory. For additional information about this feature, see [Backing Up BitLocker and TPM Recovery Information to AD DS](https://docs.microsoft.com/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds).  
+> Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery password in Active Directory. For additional information about this feature, see [Backing Up BitLocker and TPM Recovery Information to AD DS](https://docs.microsoft.com/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds).
 If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker.
 
 > [!NOTE]
-> Backing up TMP to Active Directory was supported only on Windows 10 version 1507 and 1511.
+> Backing up TPM to Active Directory was supported only on Windows 10 version 1507 and 1511.
 
 >[!NOTE]
->Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery key and TPM owner information in Active Directory. For additional information about these features, see [Backing Up BitLocker and TPM Recovery Information to AD DS](https://go.microsoft.com/fwlink/p/?LinkId=619548). If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker.
- 
+>Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery key and TPM owner information in Active Directory. For additional information about these features, see [Backing Up BitLocker and TPM Recovery Information to AD DS](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-7/dd875529(v=ws.10)). If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker.
+
 For the purposes of this topic, we will use DC01, a domain controller that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
 
 ## Configure Active Directory for BitLocker
@@ -95,7 +95,7 @@ Following these steps, you enable the backup of BitLocker and TPM recovery infor
 
 ### Set permissions in Active Directory for BitLocker
 
-In addition to the Group Policy created previously, you need to configure permissions in Active Directory to be able to store the TPM recovery information. In these steps, we assume you have downloaded the [Add-TPMSelfWriteACE.vbs script](https://go.microsoft.com/fwlink/p/?LinkId=167133) from Microsoft to C:\\Setup\\Scripts on DC01.
+In addition to the Group Policy created previously, you need to configure permissions in Active Directory to be able to store the TPM recovery information. In these steps, we assume you have downloaded the [Add-TPMSelfWriteACE.vbs script](https://gallery.technet.microsoft.com/ScriptCenter/b4dee016-053e-4aa3-a278-3cebf70d1191) from Microsoft to C:\\Setup\\Scripts on DC01.
 
 1. On DC01, start an elevated PowerShell prompt (run as Administrator).
 2. Configure the permissions by running the following command:

windows/deployment/update/update-compliance-configuration-script.md

@@ -41,7 +41,7 @@ When using the script in the context of troubleshooting, use `Pilot`. Enter `Run
 2. Configure `commercialIDValue` to your CommercialID. To get your CommercialID, see [Getting your CommercialID](update-compliance-get-started.md#get-your-commercialid).
 3. Run the script. The script must be run in System context.
 4. Examine the Logs output for any issues. If there were issues:
-   - Compare Logs output with the required settings covered in [Manually Configuring Devices for Update Compliance] (update-compliance-configuration-manual.md).
+   - Compare Logs output with the required settings covered in [Manually Configuring Devices for Update Compliance](update-compliance-configuration-manual.md).
    - Examine the script errors and refer to the [script error reference](#script-error-reference) on how to interpret the codes.
    - Make the necessary corrections and run the script again.
 5. When you no longer have issues, proceed to using the script for more broad deployment with the `Deployment` folder.

windows/deployment/update/update-compliance-monitor.md

@@ -18,9 +18,9 @@ ms.topic: article
 # Monitor Windows Updates with Update Compliance
 
 > [!IMPORTANT]
-> While [Windows Analytics was retired on January 31, 2020](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor), support for Update Compliance has continued through the Azure Portal; however, please note the following updates:
-> As of March 31, 2020, The Windows Defender Antivirus reporting feature of Update Compliance is no longer supported and will soon be retired. You can continue to review malware definition status and manage and monitor malware attacks with Microsoft Endpoint Manager's [Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune). Configuration Manager customers can monitor Endpoint Protection with [Endpoint Protection in Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection).
-> * As of March 31, 2020, The Perspectives feature of Update Compliance is no longer supported and will soon be retired in favor of a better experience. The Perspectives feature is part of the Log Search portal of Log Analytics, which was deprecated on February 15, 2019 in favor of [Azure Monitor Logs](https://docs.microsoft.com/azure/azure-monitor/log-query/log-search-transition). Your Update Compliance solution will be automatically upgraded to Azure Monitor Logs, and the data available in Perspectives will be migrated to a set of queries in the [Needs Attention section](update-compliance-need-attention.md) of Update Compliance.
+> While [Windows Analytics was retired on January 31, 2020](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor), support for Update Compliance has continued through the Azure Portal. A few retirements are planned, noted below, but are placed **on hold** until the current situation stabilizes. 
+> * The Windows Defender Antivirus reporting feature of Update Compliance will soon be retired. You can continue to review malware definition status and manage and monitor malware attacks with Microsoft Endpoint Manager's [Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune). Configuration Manager customers can monitor Endpoint Protection with [Endpoint Protection in Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection).
+> * As of March 31, 2020, The Perspectives feature of Update Compliance will soon be retired in favor of a better experience. The Perspectives feature is part of the Log Search portal of Log Analytics, which was deprecated on February 15, 2019 in favor of [Azure Monitor Logs](https://docs.microsoft.com/azure/azure-monitor/log-query/log-search-transition). Your Update Compliance solution will be automatically upgraded to Azure Monitor Logs, and the data available in Perspectives will be migrated to a set of queries in the [Needs Attention section](update-compliance-need-attention.md) of Update Compliance.
 
 ## Introduction
 

windows/deployment/windows-10-poc-sc-config-mgr.md

@@ -463,7 +463,7 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi
 
 11. Edit the task sequence to add the Microsoft NET Framework 3.5, which is required by many applications. To edit the task sequence, double-click **Windows 10 Enterprise x64 Default Image** that was created in the previous step.
 
-12. Click the **Task Sequence** tab. Under **State Restore** click **Tatto** to highlight it, then click **Add** and choose **New Group**. A new group will be added under Tattoo.
+12. Click the **Task Sequence** tab. Under **State Restore** click **Tattoo** to highlight it, then click **Add** and choose **New Group**. A new group will be added under Tattoo.
 
 13. On the Properties tab of the group that was created in the previous step, change the Name from New Group to **Custom Tasks (Pre-Windows Update)** and then click **Apply**. To see the name change, click **Tattoo**, then click the new group again.
 
@@ -775,7 +775,7 @@ In this first deployment scenario, we will deploy Windows 10 using PXE. This sce
 
 9. Close the Map Network Drive window, the Explorer window, and the command prompt.
 
-10. The **Windows 10 Enterprise x64** task sequence is selected in the Task Sequenc Wizard. Click **Next** to continue with the deployment.
+10. The **Windows 10 Enterprise x64** task sequence is selected in the Task Sequence Wizard. Click **Next** to continue with the deployment.
 
 11. The task sequence will require several minutes to complete. You can monitor progress of the task sequence using the MDT Deployment Workbench under Deployment Shares > MDTProduction > Monitoring. The task sequence will:
     - Install Windows 10
@@ -1027,7 +1027,7 @@ In the Configuration Manager console, in the Software Library workspace under Op
 
 ### Deploy the new computer
 
-1. Start PC4 and press ENTER for a network boot when prompted. To start PC4, type the following commands at an elevated Windows Powershell prompt on the Hyper-V host:
+1. Start PC4 and press ENTER for a network boot when prompted. To start PC4, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
 
     ```
     Start-VM PC4

windows/deployment/windows-10-subscription-activation.md

@@ -79,6 +79,9 @@ The following figure illustrates how deploying Windows 10 has evolved with each
 
 ### Windows 10 Enterprise requirements
 
+> [!NOTE]
+> The following requirements do not apply to general Windows 10 activation on Azure. Azure activation requires a connection to Azure KMS only, and supports workgroup, Hybrid, and Azure AD-joined VMs. In most scenarios, activation of Azure VMs happens automatically. For more information, see [Understanding Azure KMS endpoints for Windows product activation of Azure Virtual Machines](https://docs.microsoft.com/azure/virtual-machines/troubleshooting/troubleshoot-activation-problems#understanding-azure-kms-endpoints-for-windows-product-activation-of-azure-virtual-machines).
+
 For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), you must have the following: 
 
 - Windows 10 (Pro or Enterprise) version 1703 or later installed on the devices to be upgraded.
@@ -191,6 +194,8 @@ When you have the required Azure AD subscription, group-based licensing is the p
 
 If you are running Windows 10, version 1803 or later, Subscription Activation will automatically pull the firmware-embedded Windows 10 activation key and activate the underlying Pro License. The license will then step-up to Windows 10 Enterprise using Subscription Activation. This automatically migrates your devices from KMS or MAK activated Enterprise to Subscription activated Enterprise. 
 
+Caution: Firmware-embedded Windows 10 activation happens automatically only when we go through OOBE(Out Of Box Experience)
+
 If you are using Windows 10, version 1607, 1703, or 1709 and have already deployed Windows 10 Enterprise, but you want to move away from depending on KMS servers and MAK keys for Windows client machines, you can seamlessly transition as long as the computer has been activated with a firmware-embedded Windows 10 Pro product key.
 
 If the computer has never been activated with a Pro key, run the following script. Copy the text below into a .cmd file and run the file from an elevated command prompt:

windows/deployment/windows-autopilot/known-issues.md

@@ -26,6 +26,9 @@ ms.topic: article
 <table>
 <th>Issue<th>More information
 
+<tr><td>Blocking apps specified in a user-targeted Enrollment Status Profile are ignored during device ESP.</td>
+<td>The services responsible for determining the list of apps that should be blocking during device ESP are not able to determine the correct ESP profile containing the list of apps because they do not know the user identity.  As a workaround, enable the default ESP profile (which targets all users and devices) and place the blocking app list there.  In the future, it will be possible to instead target the ESP profile to device groups to avoid this issue.</tr>
+
 <tr><td>Windows Autopilot user-driven Hybrid Azure AD deployments do not grant users Administrator rights even when specified in the Windows Autopilot profile.</td>
 <td>This will occur when there is another user on the device that already has Administrator rights.  For example, a PowerShell script or policy could create an additional local account that is a member of the Administrators group.  To ensure this works properly, do not create an additional account until after the Windows Autopilot process has completed.</tr>