diff --git a/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md index 467193a09d..73387ceede 100644 --- a/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md @@ -101,10 +101,11 @@ Windows Defender ATP RBAC is designed to support your tier or role model of choi The implementation of role-based access control in Windows Defender ATP is based on Azure Active Directory (Azure AD) user groups. The Windows Defender ATP RBAC framework is centered around the following controls: -- **What actions roles are authorized to do** - - Create custom roles to control access to the Windows Defender ATP capabilities by leveraging on Azure AD user groups. +- **Control who can take specific action** + - Create custom roles and control what Windows Defender ATP capabilities they can access with granularity. + -- **What information roles are authorized to view** +- **Control who can see specific information** - Create machine groups by specific criteria such as names, tags, domains, and others, then grant role access to them using a specific Azure AD user group. diff --git a/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md index 8ae72ea228..3803461eeb 100644 --- a/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md 
+++ b/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md 
@@ -142,27 +142,40 @@ Available filters include action type, action, status, machine name, and descrip You can also click on an action to bring up the details pane where you'll see information such as the summary of the action and input data. -### Pending actions -This tab is displayed if there are any pending actions for which a decision is needed. - ### Pending actions history This tab is displayed if there are pending actions for which a decision was made. -## Pending actions on investigations -The pending actions view aggregates all the file quarantine, persistence method removal, process termination, and release file handle that require action for an investigation to proceed or be completed. +## Pending actions +This view aggregates all investigations that require an action for an investigation to proceed or be completed. Use the Customize columns drop-down menu to select columns that you'd like to show or hide. From this view, you can also download the entire list in CSV format using the **Export** feature, specify the number of items to show per page, and navigate between pages. -![Image of Pending actions](images/atp-pending-actions-auto-ir.png) +Pending actions are grouped together in the following tabs: +- Quarantine file +- Remove persistence +- Stop process +- Expand pivot +- Quarantine service -Selecting a file opens a panel where you can approve or reject the remediation. Other details such as file details, investigation details, and alert details are displayed. +>[!NOTE] +>The tab will only appear if there are pending actions for that category. + +### Approve or reject an action +You'll need to manually approve or reject pending actions on each of these categories for the automated actions to proceed. + +Selecting an investigation from any of the categories opens a panel where you can approve or reject the remediation. Other details such as file or service details, investigation details, and alert details are displayed. 
![Image of pending action selected](images/atp-pending-actions-file.png) -Selecting other investigation numbers from the other pending actions categories also gives you access to this panel. - From the panel, you can click on the Open investigation page link to see the investigation details. +You also have the option of selecting multiple investigations to approve or reject actions on multiple investigations. + +![Image of multiple investigations selected](images/atp-pending-actions-multiple.png) + + + + diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-delete-query.png b/windows/security/threat-protection/windows-defender-atp/images/atp-delete-query.png index 6d198441d0..703204c040 100644 Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-delete-query.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-delete-query.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-filter-advanced-hunting.png b/windows/security/threat-protection/windows-defender-atp/images/atp-filter-advanced-hunting.png index d432af83be..2787e7d147 100644 Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-filter-advanced-hunting.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-filter-advanced-hunting.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-pending-actions-multiple.png b/windows/security/threat-protection/windows-defender-atp/images/atp-pending-actions-multiple.png new file mode 100644 index 0000000000..f0878a6699 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-pending-actions-multiple.png differ 
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-save-query.png b/windows/security/threat-protection/windows-defender-atp/images/atp-save-query.png index a9d250d5bc..0e8c9e12d2 100644 Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-save-query.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-save-query.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-shared-queries.png b/windows/security/threat-protection/windows-defender-atp/images/atp-shared-queries.png index 1985b907d3..6c3508c0ab 100644 Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-shared-queries.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-shared-queries.png differ
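Review bot: In the assign-portal-access hunk, the rewritten first bullet loses the statement that custom roles are bound to Azure AD user groups; the removed line read "Create custom roles to control access to the Windows Defender ATP capabilities by leveraging on Azure AD user groups", while the replacement "Create custom roles and control what Windows Defender ATP capabilities they can access with granularity" says neither who "they" are nor that the binding is an Azure AD group. Since the paragraph just above the bullets says the whole model "is based on Azure Active Directory (Azure AD) user groups", keep that link explicit, for example "Create custom roles that control which Windows Defender ATP capabilities an Azure AD user group can access", and drop "with granularity", which adds nothing concrete. Also remove the stray added blank line between the first bullet's sub-item and the second bullet so the list renders as one list.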
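Review bot: In the automated-investigations hunk, the new sentence "This view aggregates all investigations that require an action for an investigation to proceed or be completed" repeats "investigation" and is less specific than the text it replaces, which named the action kinds; suggest "This view aggregates all pending actions (file quarantine, persistence removal, process termination, pivot expansion, and service quarantine) that an investigation needs approved before it can proceed or be completed", matching the five tabs listed just below it. The hunk also drops the only reference in this file to images/atp-pending-actions-auto-ir.png without deleting that image (there is no corresponding binary "deleted file" entry in this patch), so confirm it is still referenced elsewhere or remove it to avoid an orphaned asset. Finally, the four added empty lines at the end of the file are trailing whitespace and should be trimmed.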