diff --git a/browsers/edge/Index.md b/browsers/edge/Index.md
index 4188a5ce94..77890240cb 100644
--- a/browsers/edge/Index.md
+++ b/browsers/edge/Index.md
@@ -37,6 +37,7 @@ Microsoft Edge lets you stay up-to-date through the Windows Store and to manage
| [Available policies for Microsoft Edge](available-policies.md) |Microsoft Edge works with Group Policy and Microsoft Intune to help you manage your organization's computer settings.
Group Policy objects (GPO's) can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences. By using Group Policy and Intune, you can set up a policy setting once, and then copy that setting onto many computers. For example, you can set up multiple security settings in a GPO that's linked to a domain, and then apply all of those settings to every computer in the domain. |
| [Use Enterprise Mode to improve compatibility](emie-to-improve-compatibility.md) |If you have specific web sites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the web sites will automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work properly with Microsoft Edge, you can set all intranet sites to automatically open using IE11.
Using Enterprise Mode means that you can continue to use Microsoft Edge as your default browser, while also ensuring that your apps continue working on IE11. |
| [Security enhancements for Microsoft Edge](security-enhancements-microsoft-edge.md) |Microsoft Edge is designed with significant security improvements over existing browsers, helping to defend people from increasingly sophisticated and prevalent web-based attacks against Windows. |
+|[Microsoft Edge Frequently Asked Questions (FAQs)](microsoft-edge-faq.md)|Answering frequently asked questions about Microsoft Edge features, integration, support, and potential problems.
## Interoperability goals and enterprise guidance
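Review bot: The added FAQ row is missing its closing `|`, unlike the three table rows above it. Terminate the row with ` |` and keep the same cell spacing as its neighbours so the table renders consistently.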
diff --git a/browsers/edge/TOC.md b/browsers/edge/TOC.md
index fb5ad0c6f2..9a9115a9ac 100644
--- a/browsers/edge/TOC.md
+++ b/browsers/edge/TOC.md
@@ -5,4 +5,5 @@
##[Available policies for Microsoft Edge](available-policies.md)
##[Use Enterprise Mode to improve compatibility](emie-to-improve-compatibility.md)
##[Security enhancements for Microsoft Edge](security-enhancements-microsoft-edge.md)
+##[Microsoft Edge Frequently Asked Questions (FAQs)](microsoft-edge-faq.md)
diff --git a/browsers/edge/microsoft-edge-faq.md b/browsers/edge/microsoft-edge-faq.md
new file mode 100644
index 0000000000..f24235f60d
--- /dev/null
+++ b/browsers/edge/microsoft-edge-faq.md
@@ -0,0 +1,83 @@
+---
+title: Microsoft Edge - Frequently Asked Questions (FAQs) for IT Pros (Microsoft Edge for IT Pros)
+description: Answering frequently asked questions about Microsoft Edge features, integration, support, and potential problems.
+author: eross-msft
+ms.author: lizross
+ms.prod: edge
+ms.mktglfcycl: general
+ms.sitesec: library
+ms.localizationpriority: high
+---
+
+# Microsoft Edge - Frequently Asked Questions (FAQs) for IT Pros
+
+**Applies to:**
+
+- Windows 10
+- Windows 10 Mobile
+
+**Q: What is the difference between Microsoft Edge and Internet Explorer 11? How do I know which one to use?**
+
+**A:** Microsoft Edge is the default browser for all Windows 10 devices. It is built to be highly compatible with the modern web. For some enterprise web apps and a small set of sites on the web that were built to work with older technologies like ActiveX, [you can use Enterprise Mode](https://docs.microsoft.com/en-us/microsoft-edge/deploy/emie-to-improve-compatibility) to automatically send users to Internet Explorer 11 for those sites.
+
+For more information on how Internet Explorer and Microsoft Edge can work together to support your legacy web apps, while still defaulting to the higher bar for security and modern experiences enabled by Microsoft Edge, see [Legacy apps in the enterprise](https://blogs.windows.com/msedgedev/2017/04/07/legacy-web-apps-enterprise/#RAbtRvJSYFaKu2BI.97).
+
+**Q: Does Microsoft Edge work with Enterprise Mode?**
+
+**A:** [Enterprise Mode](https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11) offers better backward compatibility and enables customers to run many legacy web applications. Microsoft Edge and Internet Explorer can be configured to use the same Enterprise Mode Site List, switching seamlessly between browsers to support both modern and legacy web apps. For guidance and additional resources, please visit the [Microsoft Edge IT Center](https://technet.microsoft.com/en-us/microsoft-edge).
+
+
+**Q: I have Windows 10, but I don’t seem to have Microsoft Edge. Why?**
+
+**A:** Long-Term Servicing Branch (LTSB) versions of Windows, including Windows Server 2016, don't include Microsoft Edge or many other Universal Windows Platform (UWP) apps. These apps and their services are frequently updated with new functionality and can't be supported on systems running LTSB operating systems. For customers who require the LTSB for specialized devices, we recommend using Internet Explorer 11.
+
+**Q: How do I get the latest Canary/Beta/Preview version of Microsoft Edge?**
+
+**A:** You can access the latest preview version of Microsoft Edge by updating to the latest Windows 10 preview via the [Windows Insider Program](https://insider.windows.com/). To run the preview version of Microsoft Edge on a stable version of Windows 10 (or any other OS), you can download a [Virtual Machine](https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/windows/) that we provide or use the upcoming RemoteEdge service.
+
+**Q: How do I customize Microsoft Edge and related settings for my organization?**
+
+**A:** You can use Group Policy or Microsoft Intune to manage settings related to Microsoft Edge, such as security settings, folder redirection, and preferences. See [Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](https://docs.microsoft.com/en-us/microsoft-edge/deploy/available-policies) for a list of available policies for Microsoft Edge.
+
+**Q: Is Adobe Flash supported in Microsoft Edge?**
+
+**A:** Currently, Adobe Flash is supported as a built-in feature of Microsoft Edge on devices running the desktop version of Windows 10. In July 2017, Adobe announced that Flash will no longer be supported after 2020. We will phase out Flash from Microsoft Edge and Internet Explorer, culminating in the removal of Flash from Windows entirely by the end of 2020. This process began already for Microsoft Edge with [Click-to-Run for Flash](https://blogs.windows.com/msedgedev/2016/12/14/edge-flash-click-run/) in the Windows 10 Creators Update.
+
+For more information about the phasing out of Flash, read the [End of an Era – Next Steps for Adobe Flash](https://blogs.windows.com/msedgedev/2017/07/25/flash-on-windows-timeline/#85ZBy7aiVlDQHebO.97) blog post.
+
+**Q: Does Microsoft Edge support ActiveX controls or BHOs like Silverlight or Java?**
+
+**A:** No, ActiveX controls and BHOs such as Silverlight or Java are not supported in Microsoft Edge. The need for ActiveX controls has been significantly reduced by modern web standards, which are more interoperable across browsers. We are working on plans for an extension model based on the modern web platform in Microsoft Edge. We look forward to sharing more details on these plans soon. Not supporting legacy controls in Microsoft Edge provides many benefits including better interoperability with other modern browsers, as well as increased performance, security, and reliability.
+
+**Q: How often will Microsoft Edge be updated?**
+
+**A:** In Windows 10, we are delivering Windows as a service, updated on a cadence driven by quality and the availability of new features. Microsoft Edge security updates are released every two to four weeks, and the bigger feature updates are currently pushed out with the Windows 10 releases on a semi-annual cadence.
+
+**Q: How can I provide feedback on Microsoft Edge?**
+
+**A:** Microsoft Edge is an evergreen browser and we will continue to evolve both the web platform and the user interface with regular updates. To send feedback on user experience, or on broken or malicious sites, you can use the **Send Feedback** option under the ellipses icon (**...**) in the Microsoft Edge toolbar. You can also provide feedback through the [Microsoft Edge Dev Twitter](https://twitter.com/MSEdgeDev) account.
+
+**Q: Will Internet Explorer 11 continue to receive updates?**
+
+**A:** We will continue to deliver security updates to Internet Explorer 11 through its supported lifespan. To ensure consistent behavior across Windows versions, we will evaluate Internet Explorer 11 bugs for servicing on a case by case basis. The latest features and platform updates will only be available in Microsoft Edge.
+
+**Q: I loaded a web page and Microsoft Edge sent me to Internet Explorer - what happened?**
+
+**A:** In some cases, Internet Explorer loads automatically for sites that still rely on legacy technologies such as ActiveX. For more information, read [Legacy web apps in the enterprise](https://blogs.windows.com/msedgedev/2017/04/07/legacy-web-apps-enterprise/#uHpbs94kAaVsU1qB.97).
+
+**Q: Why is Do Not Track (DNT) off by default in Microsoft Edge?**
+
+**A:** When Microsoft first set the Do Not Track setting to “On” by default in Internet Explorer 10, industry standards had not yet been established. We are now making this default change as the World Wide Web Consortium (W3C) formalizes industry standards to recommend that default settings allow customers to actively indicate whether they want to enable DNT. As a result, DNT will not be enabled by default in upcoming versions of Microsoft’s browsers, but we will provide customers with clear information on how to turn this feature on in the browser settings should you wish to do so.
+
+**Q: How do I find out what version of Microsoft Edge I have?**
+
+**A:** Open Microsoft Edge. In the upper right corner click the ellipses icon (**…**), and then click **Settings**. Look in the **About this app** section to find your version.
+
+**Q: What is Microsoft EdgeHTML?**
+
+**A:** Microsoft EdgeHTML is the new web rendering engine that powers the Microsoft Edge web browser and Windows 10 web app platform, and that helps web developers build and maintain a consistent site across all modern browsers. The Microsoft EdgeHTML engine also helps to defend against hacking through support for the W3C standard for [Content Security Policy (CSP)](https://developer.microsoft.com/microsoft-edge/platform/documentation/dev-guide/security/content-Security-Policy), which can help web developers defend their sites against cross-site scripting attacks, and support for the [HTTP Strict Transport Security (HSTS)](https://developer.microsoft.com/microsoft-edge/platform/documentation/dev-guide/security/HSTS/) security feature (IETF-standard compliant), which helps ensure that connections to important sites, such as to your bank, are always secured.
+
+**Q: Will Windows 7 or Windows 8.1 users get Microsoft Edge or the new Microsoft EdgeHTML rendering engine?**
+
+**A:** Microsoft Edge has been designed and built to showcase Windows 10 features like Cortana, and is built on top of the Universal Windows Platform. Although we don’t have any plans to bring Microsoft Edge to Windows 7 or Windows 8.1 at this time, you can test Microsoft Edge with older versions of Internet Explorer using [free virtual machines](https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/).
+
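Review bot: Three blog links in the new FAQ carry opaque URL fragments (`#RAbtRvJSYFaKu2BI.97`, `#85ZBy7aiVlDQHebO.97`, `#uHpbs94kAaVsU1qB.97`) that do not look like section anchors, and most docs.microsoft.com and developer.microsoft.com links hard-code the `en-us` locale while the CSP and HSTS links do not. Drop the fragments and use one locale-neutral form throughout. The front matter has no `ms.date`, which the other new topics in this change set, and the `title` repeats itself ("for IT Pros (Microsoft Edge for IT Pros)"). The ellipsis icon is written `**...**` in the feedback answer and `**…**` in the version answer; use one form.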
diff --git a/devices/surface-hub/TOC.md b/devices/surface-hub/TOC.md
index 74d61c7720..82f4db6262 100644
--- a/devices/surface-hub/TOC.md
+++ b/devices/surface-hub/TOC.md
@@ -40,6 +40,7 @@
### [Using a room control system](use-room-control-system-with-surface-hub.md)
## [PowerShell for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md)
## [How Surface Hub addresses Wi-Fi Direct security issues](surface-hub-wifi-direct.md)
+## [Top support solutions for Surface Hub](support-solutions-surface-hub.md)
## [Troubleshoot Microsoft Surface Hub](troubleshoot-surface-hub.md)
## [Troubleshoot Miracast on Surface Hub](miracast-troubleshooting.md)
## [Useful downloads for Surface Hub administrators](surface-hub-downloads.md)
diff --git a/devices/surface-hub/change-history-surface-hub.md b/devices/surface-hub/change-history-surface-hub.md
index 6fc60ccb51..fc50a8188d 100644
--- a/devices/surface-hub/change-history-surface-hub.md
+++ b/devices/surface-hub/change-history-surface-hub.md
@@ -16,6 +16,12 @@ ms.localizationpriority: medium
This topic lists new and updated topics in the [Surface Hub Admin Guide]( surface-hub-administrators-guide.md).
+## September 2017
+
+New or changed topic | Description
+--- | ---
+[Top support solutions for Surface Hub](support-solutions-surface-hub.md) | New
+
## August 2017
diff --git a/devices/surface-hub/index.md b/devices/surface-hub/index.md
index ab8cbc200f..cdde9fd95e 100644
--- a/devices/surface-hub/index.md
+++ b/devices/surface-hub/index.md
@@ -44,6 +44,7 @@ In some ways, adding your new Surface Hub is just like adding any other Microsof
| [Manage Microsoft Surface Hub](manage-surface-hub.md) | How to manage your Surface Hub after finishing the first-run program. |
| [PowerShell for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md) |
| [How Surface Hub addresses Wi-Fi Direct security issues](surface-hub-wifi-direct.md) | This topic provides guidance on Wi-Fi Direct security risks, how the Surface Hub has addressed those risks, and how Surface Hub administrators can configure the device for the highest level of security. | PowerShell scripts to help set up and manage your Surface Hub. |
+| [Top support solutions for Surface Hub](support-solutions-surface-hub.md) | These are the top Microsoft Support solutions for common issues experienced using Surface Hub. |
| [Troubleshoot Microsoft Surface Hub](troubleshoot-surface-hub.md) | Troubleshoot common problems, including setup issues, Exchange ActiveSync errors. |
| [Troubleshoot Miracast on Surface Hub](miracast-troubleshooting.md) | Learn how to resolve Miracast issues. |
| [Useful downloads for Surface Hub administrators](surface-hub-downloads.md) | This topic provides links to useful Surface Hub documents, such as product datasheets, the site readiness guide, and user's guide. |
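Review bot: The two context rows directly above the added line are misaligned: the PowerShell row has no description, and its text ("PowerShell scripts to help set up and manage your Surface Hub.") appears as an extra third cell on the Wi-Fi Direct row. Since this change touches the table, move that description back to the PowerShell row so the new row is not added next to a broken one.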
diff --git a/devices/surface-hub/manage-windows-updates-for-surface-hub.md b/devices/surface-hub/manage-windows-updates-for-surface-hub.md
index 84340e8542..ece11a95f1 100644
--- a/devices/surface-hub/manage-windows-updates-for-surface-hub.md
+++ b/devices/surface-hub/manage-windows-updates-for-surface-hub.md
@@ -37,15 +37,15 @@ You can also configure Surface Hub to receive updates from both Windows Update f
## Surface Hub servicing model
-Surface Hub uses the Windows 10 servicing model, referred to as Windows as a Service (WaaS). Traditionally, new features are added only in new versions of Windows that are released every few years. Each new version required lengthy and expensive processes to deploy in an organization. As a result, end users and organizations don't frequently enjoy the benefits of new innovation. The goal of Windows as a Service is to continually provide new capabilities while maintaining a high level of quality.
+Surface Hub uses the Windows 10 servicing model, referred to as [Windows as a Service (WaaS)](https://docs.microsoft.com/windows/deployment/update/waas-overview). Traditionally, new features were added only in new versions of Windows that were released every few years. Each new version required lengthy and expensive processes to deploy in an organization. As a result, end users and organizations don't frequently enjoy the benefits of new innovation. The goal of Windows as a Service is to continually provide new capabilities while maintaining a high level of quality.
Microsoft publishes two types of Surface Hub releases broadly on an ongoing basis:
-- **Feature updates** - Updates that install the latest new features, experiences, and capabilities. Microsoft expects to publish an average of two to three new feature upgrades per year.
+- **Feature updates** - Updates that install the latest new features, experiences, and capabilities. Microsoft expects to publish two tnew feature updates per year.
- **Quality updates** - Updates that focus on the installation of security fixes, drivers, and other servicing updates. Microsoft expects to publish one cumulative quality update per month.
In order to improve release quality and simplify deployments, all new releases that Microsoft publishes for Windows 10, including Surface Hub, will be cumulative. This means new feature updates and quality updates will contain the payloads of all previous releases (in an optimized form to reduce storage and networking requirements), and installing the release on a device will bring it completely up to date. Also, unlike earlier versions of Windows, you cannot install a subset of the contents of a Windows 10 quality update. For example, if a quality update contains fixes for three security vulnerabilities and one reliability issue, deploying the update will result in the installation of all four fixes.
-The Surface Hub operating system is available on **Current Branch (CB)** and **Current Branch for Business (CBB)**. Like other editions of Windows 10, the servicing lifetime of CB or CBB is finite. You must install new feature updates on machines running these branches in order to continue receiving quality updates.
+The Surface Hub operating system receives updates on the [Semi-Annual Channel](https://docs.microsoft.com/windows/deployment/update/waas-overview#naming-changes). Like other editions of Windows 10, the servicing lifetime ois finite. You must install new feature updates on machines running these branches in order to continue receiving quality updates.
For more information on Windows as a Service, see [Overview of Windows as a service](https://technet.microsoft.com/itpro/windows/manage/waas-overview).
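Review bot: Two of the rewritten lines contain typos that change the meaning: "two tnew feature updates per year" in the Feature updates bullet and "the servicing lifetime ois finite" in the Semi-Annual Channel paragraph. The second also lost its subject when "of CB or CBB" was removed, and the following sentence still says "machines running these branches" although the text now names a single channel. Suggest "two new feature updates per year" and "the servicing lifetime of each release is finite", and reword "these branches". The closing "Overview of Windows as a service" link still points at technet.microsoft.com while the link added in the first paragraph uses docs.microsoft.com for the same topic.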
@@ -55,11 +55,9 @@ Surface Hubs, like all Windows 10 devices, include **Windows Update for Business
**To set up Windows Update for Business:**
1. [Group Surface Hub into deployment rings](#group-surface-hub-into-deployment-rings)
-2. [Configure Surface Hub to use Current Branch or Current Branch for Business](#configure-surface-hub-to-use-current-branch-or-current-branch-for-business).
2. [Configure when Surface Hub receives updates](#configure-when-surface-hub-receives-updates).
> [!NOTE]
-
> You can use Microsoft Intune, System Center Configuration Manager, or a supported third-party MDM provider to set up WUfB. [Walkthrough: use Microsoft Intune to configure Windows Update for Business.](https://technet.microsoft.com/itpro/windows/manage/waas-wufb-intune)
@@ -70,29 +68,22 @@ This table gives examples of deployment rings.
| Deployment ring | Ring size | Servicing branch | Deferral for feature updates | Deferral for quality updates (security fixes, drivers, and other updates) | Validation step |
| --------- | --------- | --------- | --------- | --------- | --------- |
-| Preview (e.g. non-critical or test devices) | Small | Current Branch (CB) | None. Devices receive feature updates immediately after CB is released. | None. Devices receive quality updates immediately after CB is released. | Manually test and evaluate new functionality. Pause updates if there are issues. |
-| Release (e.g. devices used by select teams) | Medium | Current Branch for Business (CBB) | None. Devices receive feature updates immediately once CBB is released. | None. Devices receive quality updates immediately after CBB is released. | Monitor device usage and user feedback. Pause updates if there are issues. |
-| Broad deployment (e.g. most of the devices in your organization) | Large | Current Branch for Business (CBB) | 120 days after CBB is released. | 7-14 days after CBB is released. | Monitor device usage and user feedback. Pause updates if there are issues. |
-| Mission critical (e.g. devices in executive boardrooms) | Small | Current Branch for Business (CBB) | 180 days after CBB is released (maximum deferral for feature updates). | 30 days after CBB is released (maximum deferral for quality updates). | Monitor device usage and user feedback. |
+| Preview (e.g. non-critical or test devices) | Small | Semi-annual channel (Targeted) | None. | None. | Manually test and evaluate new functionality. Pause updates if there are issues. |
+| Release (e.g. devices used by select teams) | Medium | Semi-annual channel | None. | None. | Monitor device usage and user feedback. Pause updates if there are issues. |
+| Broad deployment (e.g. most of the devices in your organization) | Large | Semi-annual channel | 120 days after release. | 7-14 days after release. | Monitor device usage and user feedback. Pause updates if there are issues. |
+| Mission critical (e.g. devices in executive boardrooms) | Small | Semi-annual channel | 180 days after release (maximum deferral for feature updates). | 30 days after release (maximum deferral for quality updates). | Monitor device usage and user feedback. |
-### Configure Surface Hub to use Current Branch or Current Branch for Business
-By default, Surface Hubs are configured to receive updates from Current Branch (CB). CB receives feature updates as soon as they are released by Microsoft. Current Branch for Business (CBB), on the other hand, receives feature updates at least four months after they have been initially offered to CB devices, and includes all of the quality updates that have been released in the interim. For more information on the differences between CB and CBB, see [Servicing branches](https://technet.microsoft.com/itpro/windows/manage/waas-overview#servicing-branches).
-**To manually configure Surface Hub to use CB or CBB:**
-1. Open **Settings** > **Update & Security** > **Windows Update**, and then select **Advanced Options**.
-2. Select **Defer feature updates**.
-
-To configure Surface Hub to use CB or CBB remotely using MDM, set an appropriate [Update/BranchReadinessLevel](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_BranchReadinessLevel) policy.
### Configure when Surface Hub receives updates
Once you've determined deployment rings for your Surface Hubs, configure update deferral policies for each ring:
-- To defer feature updates, set an appropriate [Update/DeferFeatureUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferFeatureUpdatesPeriodInDays) policy for each ring.
-- To defer quality updates, set an appropriate [Update/DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferQualityUpdatesPeriodInDays) policy for each ring.
+- To defer feature updates, set an appropriate [Update/DeferFeatureUpdatesPeriodInDays](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-deferfeatureupdatesperiodindays) policy for each ring.
+- To defer quality updates, set an appropriate [Update/DeferQualityUpdatesPeriodInDays](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-deferqualityupdatesperiodindays) policy for each ring.
> [!NOTE]
-> If you encounter issues during the update rollout, you can pause updates using [Update/PauseFeatureUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseFeatureUpdates) and [Update/PauseQualityUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseQualityUpdates).
+> If you encounter issues during the update rollout, you can pause updates using [Update/PauseFeatureUpdates](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-pausefeatureupdates) and [Update/PauseQualityUpdates](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-pausequalityupdates).
## Use Windows Server Update Services
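Review bot: The ring table still distinguishes "Semi-annual channel (Targeted)" from "Semi-annual channel" in its Servicing branch column, but this hunk deletes the only section that explained how to select a branch, including the `Update/BranchReadinessLevel` reference. As written, a reader cannot tell how to place a device in the Preview ring versus the Release ring. Either keep a short replacement for the removed section using the new channel names or drop the distinction from the table. The channel name is also capitalised differently here than in the "Semi-Annual Channel" link earlier in the file, and the "None." deferral cells no longer say relative to what, while the rows below say "after release".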
diff --git a/devices/surface-hub/support-solutions-surface-hub.md b/devices/surface-hub/support-solutions-surface-hub.md
new file mode 100644
index 0000000000..f6eeed64e8
--- /dev/null
+++ b/devices/surface-hub/support-solutions-surface-hub.md
@@ -0,0 +1,50 @@
+---
+title: Top support solutions for Microsoft Surface Hub
+description: Find top solutions for common issues using Surface Hub.
+ms.assetid: CF58F74D-8077-48C3-981E-FCFDCA34B34A
+keywords: Troubleshoot common problems, setup issues
+ms.prod: w10
+ms.mktglfcycl: support
+ms.sitesec: library
+ms.pagetype: surfacehub
+author: kaushika-msft
+ms.author: jdecker
+ms.date: 09/07/2017
+ms.localizationpriority: medium
+---
+
+# Top support solutions for Microsoft Surface Hub
+
+Microsoft regularly releases both updates and solutions for Surface Hub. To ensure your devices can receive future updates, including security updates, it's important to keep your Surface Hub devices updated. For a complete listing of the update history, see [Surface Hub update history](https://www.microsoft.com/surface/support/surface-hub/surface-hub-update-history) and [Known issues and additional information about Microsoft Surface Hub](https://support.microsoft.com/help/4025643).
+
+
+These are the top Microsoft Support solutions for common issues experienced when using Surface Hub.
+
+## Setup and install issues
+
+- [Setup troubleshooting](troubleshoot-surface-hub.md#setup-troubleshooting)
+- [Exchange ActiveSync errors](troubleshoot-surface-hub.md#exchange-activesync-errors)
+
+## Miracast issues
+
+- [Troubleshoot Miracast on Surface Hub](miracast-troubleshooting.md)
+
+## Download updates issues
+
+- [Surface Hub can't download updates from Windows Update](https://support.microsoft.com/help/3191418/surface-hub-can-t-download-updates-from-windows-update)
+
+## Connect app issues
+
+- [The Connect app in Surface Hub exits unexpectedly](https://support.microsoft.com/help/3157417/the-connect-app-in-surface-hub-exits-unexpectedly)
+
+
+
+
+
+
+
+
+
+
+
+
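Review bot: The `ms.assetid` in this new file (CF58F74D-8077-48C3-981E-FCFDCA34B34A) is identical to the one in the new devices/surface/support-solutions-surface.md added in the same change; asset IDs are expected to be unique per topic, so one of them needs a fresh GUID. The file also ends with a dozen added blank lines after the last link, which should be trimmed to a single newline.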
diff --git a/devices/surface-hub/troubleshoot-surface-hub.md b/devices/surface-hub/troubleshoot-surface-hub.md
index 46b82e72e3..8fb31f0492 100644
--- a/devices/surface-hub/troubleshoot-surface-hub.md
+++ b/devices/surface-hub/troubleshoot-surface-hub.md
@@ -20,8 +20,6 @@ Troubleshoot common problems, including setup issues, Exchange ActiveSync errors
Common issues are listed in the following table, along with causes and possible fixes. The [Setup troubleshooting](#setup-troubleshooting) section contains a listing of on-device problems, along with several types of issues that may be encountered during the first-run experience. The [Exchange ActiveSync errors](#exchange-activesync-errors) section lists common errors the device may encounter when trying to synchronize with an Microsoft Exchange ActiveSync server.
-- [Setup troubleshooting](#setup-troubleshooting)
-- [Exchange ActiveSync errors](#exchange-activesync-errors)
## Setup troubleshooting
diff --git a/devices/surface/TOC.md b/devices/surface/TOC.md
index 192f88b5e0..45393cc7e9 100644
--- a/devices/surface/TOC.md
+++ b/devices/surface/TOC.md
@@ -26,6 +26,7 @@
### [Use System Center Configuration Manager to manage devices with SEMM](use-system-center-configuration-manager-to-manage-devices-with-semm.md)
## [Surface Diagnostic Toolkit](surface-diagnostic-toolkit.md)
## [Surface Data Eraser](microsoft-surface-data-eraser.md)
+## [Top support solutions for Surface devices](support-solutions-surface.md)
## [Change history for Surface documentation](change-history-for-surface.md)
diff --git a/devices/surface/change-history-for-surface.md b/devices/surface/change-history-for-surface.md
index 33992b2d0a..04cd11e9f1 100644
--- a/devices/surface/change-history-for-surface.md
+++ b/devices/surface/change-history-for-surface.md
@@ -11,6 +11,12 @@ author: jdeckerms
This topic lists new and updated topics in the Surface documentation library.
+## September 2017
+
+New or changed topic | Description
+--- | ---
+[Top support solutions for Surface devices](support-solutions-surface.md) | New
+
## June 2017
|New or changed topic | Description |
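Review bot: The new September 2017 table is written without leading and trailing pipes (`New or changed topic | Description`), while the existing June 2017 table directly below uses `|New or changed topic | Description |`. Match the existing style so the tables in this file stay consistent.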
diff --git a/devices/surface/index.md b/devices/surface/index.md
index 65fba37343..eeecfa1314 100644
--- a/devices/surface/index.md
+++ b/devices/surface/index.md
@@ -30,6 +30,7 @@ For more information on planning for, deploying, and managing Surface devices in
| [Surface Enterprise Management Mode](surface-enterprise-management-mode.md) | See how this feature of Surface devices with Surface UEFI allows you to secure and manage firmware settings within your organization. |
| [Surface Diagnostic Toolkit](surface-diagnostic-toolkit.md) | Find out how you can use the Microsoft Surface Diagnostic Toolkit to test the hardware of your Surface device. |
| [Surface Data Eraser](microsoft-surface-data-eraser.md) | Find out how the Microsoft Surface Data Eraser tool can help you securely wipe data from your Surface devices. |
+| [Top support solutions for Surface devices](support-solutions-surface.md) | These are the top Microsoft Support solutions for common issues experienced using Surface devices in an enterprise. |
| [Change history for Surface documentation](change-history-for-surface.md) | This topic lists new and updated topics in the Surface documentation library. |
diff --git a/devices/surface/support-solutions-surface.md b/devices/surface/support-solutions-surface.md
new file mode 100644
index 0000000000..432c5dfe34
--- /dev/null
+++ b/devices/surface/support-solutions-surface.md
@@ -0,0 +1,64 @@
+---
+title: Top support solutions for Surface devices
+description: Find top solutions for common issues using Surface devices in the enterprise.
+ms.assetid: CF58F74D-8077-48C3-981E-FCFDCA34B34A
+keywords: Troubleshoot common problems, setup issues
+ms.prod: w10
+ms.mktglfcycl: support
+ms.sitesec: library
+ms.pagetype: surfacehub
+author: kaushika-msft
+ms.author: jdecker
+ms.date: 09/07/2017
+ms.localizationpriority: medium
+---
+
+# Top support solutions for Surface devices
+
+Microsoft regularly releases both updates and solutions for Surface devices. To ensure your devices can receive future updates, including security updates, it's important to keep your Surface devices updated. For a complete listing of the update history, see [Surface update history](https://www.microsoft.com/surface/support/install-update-activate/surface-update-history) and [Install Surface and Windows updates](https://www.microsoft.com/surface/support/performance-and-maintenance/install-software-updates-for-surface?os=windows-10&=undefined).
+
+
+These are the top Microsoft Support solutions for common issues experienced when using Surface devices in an enterprise.
+
+## Screen cracked or scratched issues
+
+- [Cracked screen and physical damage](https://www.microsoft.com/surface/support/warranty-service-and-recovery/surface-is-damaged)
+
+
+##Device cover or keyboard issues
+
+- [Troubleshoot your Surface Type Cover or keyboard](https://www.microsoft.com/surface/support/hardware-and-drivers/troubleshoot-surface-keyboards)
+- [Troubleshoot problems with Surface Keyboard, Surface Ergonomic Keyboard, and Microsoft Modern Keyboard with Fingerprint ID](https://www.microsoft.com/surface/support/touch-mouse-and-search/surface-keyboard-troubleshooting)
+- [Set up Microsoft Modern Keyboard with Fingerprint ID](https://www.microsoft.com/surface/support/touch-mouse-and-search/microsoft-modern-keyboard-fingerprintid-set-up)
+- [Enabling Surface Laptop keyboard during MDT deployment](https://blogs.technet.microsoft.com/askcore/2017/08/18/enabling-surface-laptop-keyboard-during-mdt-deployment/)
+
+
+## Device won't wake from sleep or hibernation issues
+
+- [Surface won’t turn on or wake from sleep](https://www.microsoft.com/surface/support/warranty-service-and-recovery/surface-wont-turn-on-or-wake-from-sleep?os=windows-10&=undefined)
+- [Surface Pro 4 or Surface Book doesn't hibernate in Windows 10](https://support.microsoft.com/help/3122682)
+- [Surface Pro 3 doesn't hibernate after four hours in connected standby](https://support.microsoft.com/help/2998588/surface-pro-3-doesn-t-hibernate-after-four-hours-in-connected-standby)
+- [Surface Pro 3 Hibernation Doesn’t Occur on Enterprise Install](https://blogs.technet.microsoft.com/askcore/2014/11/05/surface-pro-3-hibernation-doesnt-occur-on-enterprise-install/)
+
+
+## Other common issues
+
+- [Trouble installing Surface updates](https://www.microsoft.com/surface/support/performance-and-maintenance/troubleshoot-updates?os=windows-10&=undefined)
+- [Troubleshooting common Surface Pro 3 issues post-deployment](http://blogs.technet.com/b/askcore/archive/2015/03/19/troubleshooting-common-surface-pro-3-issues-post-deployment.aspx)
+- [Surface Pro 3 hibernation doesn't occur on enterprise install](https://blogs.technet.microsoft.com/askcore/2014/11/05/surface-pro-3-hibernation-doesnt-occur-on-enterprise-install/)
+- [Reusing the same NIC for multiple PXE initiated deployments in System Center Configuration Manger OSD](https://blogs.technet.microsoft.com/system_center_configuration_manager_operating_system_deployment_support_blog/2015/08/27/reusing-the-same-nic-for-multiple-pxe-initiated-deployments-in-system-center-configuration-manger-osd)
+- [Troubleshoot docking stations for Surface Pro and Surface 3](https://www.microsoft.com/surface/support/hardware-and-drivers/troubleshoot-docking-station?os=windows-8.1-update-1&=undefined)
+- [What to do if Surface is running slower](https://www.microsoft.com/surface/support/performance-and-maintenance/what-to-do-if-surface-is-running-slower?os=windows-10&=undefined)
+
+
+
+
+
+
+
+
+
+
+
+
+
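Review bot: The heading `##Device cover or keyboard issues` is missing the space after `##`, so stricter Markdown renderers will show it as literal text; write it as `## Device cover or keyboard issues` like the other headings in the file. The "Surface Pro 3 hibernation doesn't occur on enterprise install" entry under "Other common issues" repeats the link already listed under the hibernation heading and can be dropped from one of the two lists. The "Troubleshooting common Surface Pro 3 issues post-deployment" link is the only one using `http://`, and the run of added blank lines at the end of the file should be trimmed to a single newline.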
diff --git a/education/windows/configure-windows-for-education.md b/education/windows/configure-windows-for-education.md
index c7c048afcb..b4457fe264 100644
--- a/education/windows/configure-windows-for-education.md
+++ b/education/windows/configure-windows-for-education.md
@@ -26,7 +26,7 @@ In Windows 10, version 1703 (Creators Update), it is straightforward to configur
| Area | How to configure | What this does | Windows 10 Education | Windows 10 Pro Education | Windows 10 S |
| --- | --- | --- | --- | --- | --- |
-| **Diagnostic Data** | **SetEduPolicies** | Sets Diagnostic Data to [Basic](https://technet.microsoft.com/itpro/windows/configure/configure-windows-telemetry-in-your-organization) | This is already set | This is already set | The policy must be set |
+| **Diagnostic Data** | **AllowTelemetry** | Sets Diagnostic Data to [Basic](https://docs.microsoft.com/en-us/windows/configuration/configure-windows-telemetry-in-your-organization) | This is already set | This is already set | The policy must be set |
| **Microsoft consumer experiences** | **SetEduPolicies** | Disables suggested content from Windows such as app recommendations | This is already set | This is already set | The policy must be set |
| **Cortana** | **AllowCortana** | Disables Cortana * Cortana is enabled by default on all editions in Windows 10, version 1703 | If using Windows 10 Education, upgrading from Windows 10, version 1607 to Windows 10, version 1703 will enable Cortana. See the [Recommended configuration](#recommended-configuration) section below for recommended Cortana settings. | If using Windows 10 Pro Education, upgrading from Windows 10, version 1607 to Windows 10, version 1703 will enable Cortana. See the [Recommended configuration](#recommended-configuration) section below for recommended Cortana settings. | See the [Recommended configuration](#recommended-configuration) section below for recommended Cortana settings. |
| **Safe search** | **SetEduPolicies** | Locks Bing safe search to Strict in Microsoft Edge | This is already set | This is already set | The policy must be set |
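Review bot: In the Diagnostic Data row, only the "How to configure" cell changes from **SetEduPolicies** to **AllowTelemetry**, while the three edition cells ("This is already set", "This is already set", "The policy must be set") are carried over unchanged; please confirm they still hold for AllowTelemetry on each edition, since they were written for the other policy. The new link also hard-codes the `/en-us/` locale, whereas other docs.microsoft.com links added in this patch omit it; a locale-neutral URL would be more consistent.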
diff --git a/windows/access-protection/credential-guard/credential-guard-considerations.md b/windows/access-protection/credential-guard/credential-guard-considerations.md
index a5c36084f6..6b15f98feb 100644
--- a/windows/access-protection/credential-guard/credential-guard-considerations.md
+++ b/windows/access-protection/credential-guard/credential-guard-considerations.md
@@ -58,9 +58,9 @@ As a result Credential Guard can no longer decrypt protected data. VBS creates a
Since Credential Manager cannot decrypt saved Windows Credentials, they are deleted. Applications should prompt for credentials that were previously saved. If saved again, then Windows credentials are protected Credential Guard.
### Domain-joined device’s automatically provisioned public key
-Beginning with Windows 10 and Windows Server 2016, domain-devices automatically provision a bound public key, for more information about automatic public key provisioning, see [Domain-joined Device Public Key Authentication](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=1CoELLJyC_6704300474).
+Beginning with Windows 10 and Windows Server 2016, domain-devices automatically provision a bound public key, for more information about automatic public key provisioning, see [Domain-joined Device Public Key Authentication](https://docs.microsoft.com/windows-server/security/kerberos/domain-joined-device-public-key-authentication).
-Since Credential Guard cannot decrypt the protected private key, Windows uses the domain-joined computer's password for authentication to the domain. Unless additional policies are deployed, there should not be a loss of functionality. If a device is configured to only use public key, then it cannot authenticate with password until that policy disabled. For more information on Configuring device to only use public key, see [Domain-joined Device Public Key Authentication](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=1CoELLJyC_6704300474).
+Since Credential Guard cannot decrypt the protected private key, Windows uses the domain-joined computer's password for authentication to the domain. Unless additional policies are deployed, there should not be a loss of functionality. If a device is configured to only use public key, then it cannot authenticate with password until that policy disabled. For more information on Configuring device to only use public key, see [Domain-joined Device Public Key Authentication](https://docs.microsoft.com/windows-server/security/kerberos/domain-joined-device-public-key-authentication).
Also if any access control checks including authentication policies require devices to have either the KEY TRUST IDENTITY (S-1-18-4) or FRESH PUBLIC KEY IDENTITY (S-1-18-3) well-known SIDs, then those access checks fail. For more information about authentication policies, see [Authentication Policies and Authentication Policy Silos](https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/authentication-policies-and-authentication-policy-silos). For more information about well-known SIDs, see [[MS-DTYP] Section 2.4.2.4 Well-known SID Structures](https://msdn.microsoft.com/en-us/library/cc980032.aspx).
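Review bot: Both rewritten paragraphs keep wording defects on lines this hunk already touches. The first is a comma splice ("...automatically provision a bound public key, for more information...") and should be split into two sentences; the second reads "until that policy disabled" (missing "is") and "Configuring device to only use public key". Since the lines are being replaced for the link anyway, fix the wording in the same change. The unchanged line above the heading also reads "are protected Credential Guard" (missing "by") and could be picked up here.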
diff --git a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md
index d205a19291..aeea498de9 100644
--- a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md
+++ b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md
@@ -634,7 +634,6 @@ Alert sample:
com.microsoft/MDM/AADUserToken
- chr
UserToken inserted here
@@ -664,7 +663,6 @@ Here's an example.
com.microsoft/MDM/LoginStatus
- chr
user
diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
index dc6c0d2503..8d2e232161 100644
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
@@ -1044,6 +1044,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
Changed the name of new policy to CredentialProviders/DisableAutomaticReDeploymentCredentials from CredentialProviders/EnableWindowsAutoPilotResetCredentials.
Changed the names of the following policies:
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index 46a3210754..a36b8b8b5f 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -2718,6 +2718,9 @@ The following diagram shows the Policy configuration service provider in tree fo
If the policy is not configured, end-users get the default behavior (Auto install and restart).
+
+
+
+**Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
3
+
3
+
3
+
3
+
+
+
+
+
+
+
+
Added in Windows 10, version 1709. Option to download updates automatically over metered connections (off by default). Value type is integer.
+
+- 0 (default) - Not allowed
+- 1 - Allowed
+
+A significant number of devices primarily use cellular data and do not have Wi-Fi access, which leads to a lower number of devices getting updates. Since a large number of devices have large data plans or unlimited data, this policy can unblock devices from getting updates.
+
+This policy is accessible through the Update setting in the user interface or Group Policy.
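Review bot: The paragraph beginning "A significant number of devices primarily use cellular data" reads as the product rationale rather than guidance for the administrator setting the policy. It should say when to choose 1 and state the consequence, namely that updates will download over connections the user has marked as metered and may incur data charges, so it is best limited to devices known to have large or unlimited plans. The last sentence ("accessible through the Update setting in the user interface or Group Policy") would also be more useful if it named the setting or Group Policy path. Finally, the edition table lists seven editions but only four cells carry the footnote marker `3`; please check that every edition column has an explicit supported or not-supported value.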
diff --git a/windows/client-management/windows-10-support-solutions.md b/windows/client-management/windows-10-support-solutions.md
new file mode 100644
index 0000000000..03b15f9859
--- /dev/null
+++ b/windows/client-management/windows-10-support-solutions.md
@@ -0,0 +1,62 @@
+---
+title: Top support solutions for Windows 10
+description: Get links to solutions for Windows 10 issues
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.author: elizapo
+author: kaushika-msft
+ms.localizationpriority: high
+---
+# Top support solutions for Windows 10
+
+Microsoft regularly releases both updates and solutions for Windows 10. To ensure your computers can receive future updates, including security updates, it's important to keep them updated. Check out the following links for a complete list of released updates:
+
+- [Windows 10 Version 1703 update history](https://support.microsoft.com/help/4018124/)
+- [Windows 10 Version 1607 update history](https://support.microsoft.com/help/4000825/)
+- [Windows 10 Version 1511 update history](https://support.microsoft.com/help/4000824/)
+
+
+These are the top Microsoft Support solutions for the most common issues experienced when using Windows 10 in an enterprise or IT pro environment. The links below include links to KB articles, updates, and library articles.
+
+## Solutions related to installing Windows updates or hotfixes
+- [Understanding the Windowsupdate.log file for advanced users](https://support.microsoft.com/help/4035760/understanding-the-windowsupdate-log-file-for-advanced-users)
+- [You can't install updates on a Windows-based computer](https://support.microsoft.com/help/2509997/you-can-t-install-updates-on-a-windows-based-computer)
+- [Get-WindowsUpdateLog](https://technet.microsoft.com/itpro/powershell/windows/windowsupdate/get-windowsupdatelog)
+- [How to read the Windowsupdate.log file](https://support.microsoft.com/help/902093/how-to-read-the-windowsupdate-log-file)
+- [Can't download updates from Windows Update from behind a firewall or proxy server](https://support.microsoft.com/help/3084568/can-t-download-updates-from-windows-update-from-behind-a-firewall-or-p)
+- [Computer staged from a SysPrepped image doesn't receive WSUS updates](https://support.microsoft.com/help/4010909/computer-staged-from-a-sysprepped-image-doesn-t-receive-wsus-updates)
+- [Servicing stack update for Windows 10 Version 1703: June 13, 2017](https://support.microsoft.com/help/4022405/servicingstackupdateforwindows10version1703june13-2017)
+- [Servicing stack update for Windows 10 Version 1607 and Windows Server 2016: March 14, 2017](https://support.microsoft.com/help/4013418/servicing-stack-update-for-windows-10-version-1607-and-windows-server)
+
+## Solutions related to Bugchecks or Stop Errors
+- [Troubleshooting Stop error problems for IT Pros](https://support.microsoft.com/help/3106831/troubleshooting-stop-error-problems-for-it-pros)
+- [How to use Windows Recovery Environment (WinRE) to troubleshoot common startup issues](https://support.microsoft.com/help/4026030/how-to-use-windows-recovery-environment-winre-to-troubleshoot-common-s)
+- [How to troubleshoot Windows-based computer freeze issues](https://support.microsoft.com/help/3118553/how-to-troubleshoot-windows-based-computer-freeze-issues)
+- [Understanding Bugchecks](https://blogs.technet.microsoft.com/askperf/2007/12/18/understanding-bugchecks/)
+- [Understanding Crash Dump Files](https://blogs.technet.microsoft.com/askperf/2008/01/08/understanding-crash-dump-files/)
+
+## Solutions related to installing or upgrading Windows
+- [Resolve Windows 10 upgrade errors : Technical information for IT Pros](/windows/deployment/upgrade/resolve-windows-10-upgrade-errors)
+- [Windows OOBE fails when you start a new Windows-based computer for the first time](https://support.microsoft.com/help/4020048/windows-oobe-fails-when-you-start-a-new-windows-based-computer-for-the)
+- ["0xc1800118" error when you push Windows 10 Version 1607 by using WSUS](https://support.microsoft.com/help/3194588/-0xc1800118-error-when-you-push-windows-10-version-1607-by-using-wsus)
+- [0xC1900101 error when Windows 10 upgrade fails after the second system restart'(https://support.microsoft.com/help/3208485/0xc1900101-error-when-windows-10-upgrade-fails-after-the-second-system)
+- [Updates fix in-place upgrade to Windows 10 version 1607 problem](https://support.microsoft.com/help/4020149/updates-fix-in-place-upgrade-to-windows-10-version-1607-problem)
+- [OOBE update for Windows 10 Version 1703: May 9, 2017](https://support.microsoft.com/help/4020008)
+- [OOBE update for Windows 10 Version 1607: May 30, 2017](https://support.microsoft.com/help/4022632)
+- [OOBE update for Windows 10 Version 1511: May 30, 2017](https://support.microsoft.com/help/4022633)
+
+## Solutions related to configuring or managing the Start menu
+- [Manage Windows 10 Start and taskbar layout](/windows/configuration/windows-10-start-layout-options-and-policies)
+- [Customize and export Start layout](/windows/configuration/customize-and-export-start-layout)
+- [Changes to Group Policy settings for Windows 10 Start](/windows/configuration/changes-to-start-policies-in-windows-10)
+- [Preinstalled system applications and Start menu may not work when you upgrade to Windows 10, Version 1511](https://support.microsoft.com/help/3152599)
+- [Start menu shortcuts aren't immediately accessible in Windows Server 2016](https://support.microsoft.com/help/3198613)
+- [Troubleshoot problems opening the Start menu or Cortana](https://support.microsoft.com/help/12385/windows-10-troubleshoot-problems-opening-start-menu-cortana)
+- [Modern apps are blocked by security software when you start the applications on Windows 10 Version 1607](https://support.microsoft.com/help/4016973/modern-apps-are-blocked-by-security-software-when-you-start-the-applic)
+
+## Solutions related to wireless networking and 802.1X authentication
+
+- [Windows 10 devices can't connect to an 802.1X environment](http://support.microsoft.com/kb/3121002)
+- [Windows 10 wireless connection displays "Limited" status](http://support.microsoft.com/kb/3114149)
+- [Computer that has VPN software installed can't detect wireless network after upgrading to Windows 10](http://support.microsoft.com/kb/3084164)
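Review bot: The "0xC1900101 error when Windows 10 upgrade fails after the second system restart" entry has a broken link: the label is closed with `'(` instead of `](`, so it will render as literal text rather than a hyperlink. Replace `restart'(https://...` with `restart](https://...`. The three links under the 802.1X heading use `http://support.microsoft.com/kb/...` while every other support link in the file uses `https://support.microsoft.com/help/...`; switch them to https for consistency. The front matter has no `ms.date`, which other files touched in this patch are gaining, and "upgrade errors : Technical information" has a stray space before the colon.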
diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
index 1313186ea4..16c8908aff 100644
--- a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
+++ b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
@@ -8,6 +8,8 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerms
ms.localizationpriority: high
+ms.author: jdecker
+ms.date: 10/05/2017
---
# Customize Windows 10 Start and taskbar with Group Policy
@@ -61,6 +63,9 @@ Three features enable Start and taskbar layout control:
To apply the Start and taskbar layout to users in a domain, use the Group Policy Management Console (GPMC) to configure a domain-based Group Policy Object (GPO) that sets **Start Layout** policy settings in the **Start Menu and Taskbar** administrative template for users in a domain.
+>[!IMPORTANT]
+>In Windows 10, version 1709, Edge is pinned to the desktop automatically during Windows 10 installation or upgrade. When you apply a custom Start layout using this policy, Edge will not be pinned to the desktop.
+
The GPO applies the Start and taskbar layout at the next user sign-in. Each time the user signs in, the timestamp of the .xml file with the Start and taskbar layout is checked and if a newer version of the file is available, the settings in the latest version of the file are applied.
The GPO can be configured from any computer on which the necessary ADMX and ADML files (StartMenu.admx and StartMenu.adml) for Windows 10 are installed.
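Review bot: The new IMPORTANT note is inserted between the sentence that says how to configure the GPO and the sentence that says when the GPO applies, which splits one explanation in two; placing it after "The GPO applies the Start and taskbar layout at the next user sign-in..." would keep the flow. The note also says "Edge" where the rest of the documentation set uses "Microsoft Edge", and it would help to state whether administrators who still want the shortcut need to take a separate step.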
diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
index e818979df8..a2f8ee5eb5 100644
--- a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
+++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
@@ -7,6 +7,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerms
ms.localizationpriority: high
+ms.author: jdecker
+ms.date: 10/05/2017
---
# Provision PCs with apps
@@ -21,6 +23,9 @@ In Windows 10, version 1703, you can install multiple Universal Windows Platform
When you add an app in a Windows Configuration Designer wizard, the appropriate settings are displayed based on the app that you select. For instructions on adding an app using the advanced editor in Windows Configuration Designer, see [Add an app using advanced editor](#adv).
+>[!IMPORTANT]
+>If you plan to use Intune to manage your devices, we recommend using Intune to install Office 365 ProPlus 2016 apps (Access, Excel, OneDrive for Business, OneNote, Outlook, PowerPoint, Publisher, Skype for Business, Word, Project Online Desktop Cilent, and Visio Pro for Office 365 ProPlus). Apps that are installed using a provisioning package cannot be managed or modified using Intune. [Learn how to assign Office 365 ProPlus 2016 apps using Microsoft Intune.](https://docs.microsoft.com/intune/apps-add-office365)
+
## Settings for UWP apps
- **License Path**: Specify the license file if it is an app from the Microsoft Store. This is optional if you have a certificate for the app.
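Review bot: Typo in the added IMPORTANT note: "Project Online Desktop Cilent" should be "Project Online Desktop Client". The statement that apps installed using a provisioning package "cannot be managed or modified using Intune" is the key operational constraint here, so consider leading the note with it and following with the recommendation, rather than putting it after the long parenthetical list of apps.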
diff --git a/windows/configuration/provisioning-packages/provisioning-apply-package.md b/windows/configuration/provisioning-packages/provisioning-apply-package.md
index baa60ac6fd..82ce22b422 100644
--- a/windows/configuration/provisioning-packages/provisioning-apply-package.md
+++ b/windows/configuration/provisioning-packages/provisioning-apply-package.md
@@ -23,6 +23,9 @@ Provisioning packages can be applied to a device during the first-run experience
## Desktop editions
+>[!NOTE]
+>In Windows 10, version 1709, you can interrupt a long-running provisioning process by pressing ESC.
+
### During initial setup, from a USB drive
1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
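Review bot: The added NOTE says a long-running provisioning process can be interrupted by pressing ESC but does not say what state the device is left in. Please document whether settings already applied are rolled back or kept, and whether the package can be reapplied afterward, because a partially applied package may leave the device without some of the intended configuration.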
diff --git a/windows/configuration/wcd/wcd-accounts.md b/windows/configuration/wcd/wcd-accounts.md
index d3dd731cdf..7e89dfdb30 100644
--- a/windows/configuration/wcd/wcd-accounts.md
+++ b/windows/configuration/wcd/wcd-accounts.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
-localizationpriority: medium
+ms.localizationpriority: medium
ms.author: jdecker
ms.date: 08/21/2017
---
diff --git a/windows/configuration/wcd/wcd-admxingestion.md b/windows/configuration/wcd/wcd-admxingestion.md
index daa6ca5eb8..52223258ad 100644
--- a/windows/configuration/wcd/wcd-admxingestion.md
+++ b/windows/configuration/wcd/wcd-admxingestion.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
-localizationpriority: medium
+ms.localizationpriority: medium
ms.author: jdecker
ms.date: 08/21/2017
---
diff --git a/windows/configuration/wcd/wcd-applicationmanagement.md b/windows/configuration/wcd/wcd-applicationmanagement.md
index f032ce168c..af27cea5f0 100644
--- a/windows/configuration/wcd/wcd-applicationmanagement.md
+++ b/windows/configuration/wcd/wcd-applicationmanagement.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
-localizationpriority: medium
+ms.localizationpriority: medium
ms.author: jdecker
ms.date: 08/21/2017
---
diff --git a/windows/configuration/wcd/wcd-assignedaccess.md b/windows/configuration/wcd/wcd-assignedaccess.md
index ad5d7551fb..201fc633e1 100644
--- a/windows/configuration/wcd/wcd-assignedaccess.md
+++ b/windows/configuration/wcd/wcd-assignedaccess.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
-localizationpriority: medium
+ms.localizationpriority: medium
ms.author: jdecker
ms.date: 08/21/2017
---
diff --git a/windows/configuration/wcd/wcd-automatictime.md b/windows/configuration/wcd/wcd-automatictime.md
index abb8bbd179..52d9845460 100644
--- a/windows/configuration/wcd/wcd-automatictime.md
+++ b/windows/configuration/wcd/wcd-automatictime.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
-localizationpriority: medium
+ms.localizationpriority: medium
ms.author: jdecker
ms.date: 08/21/2017
---
diff --git a/windows/configuration/wcd/wcd-browser.md b/windows/configuration/wcd/wcd-browser.md
index 787b6fa65b..a8af54b4f9 100644
--- a/windows/configuration/wcd/wcd-browser.md
+++ b/windows/configuration/wcd/wcd-browser.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
-localizationpriority: medium
+ms.localizationpriority: medium
ms.author: jdecker
ms.date: 08/21/2017
---
diff --git a/windows/configuration/wcd/wcd-callandmessagingenhancement.md b/windows/configuration/wcd/wcd-callandmessagingenhancement.md
index bb07ccc02c..f3905fe8bc 100644
--- a/windows/configuration/wcd/wcd-callandmessagingenhancement.md
+++ b/windows/configuration/wcd/wcd-callandmessagingenhancement.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
-localizationpriority: medium
+ms.localizationpriority: medium
ms.author: jdecker
ms.date: 08/21/2017
---
diff --git a/windows/configuration/wcd/wcd-cellular.md b/windows/configuration/wcd/wcd-cellular.md
index 64258bbe02..7ea42d279d 100644
--- a/windows/configuration/wcd/wcd-cellular.md
+++ b/windows/configuration/wcd/wcd-cellular.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
-localizationpriority: medium
+ms.localizationpriority: medium
ms.author: jdecker
ms.date: 08/21/2017
---
diff --git a/windows/configuration/wcd/wcd-certificates.md b/windows/configuration/wcd/wcd-certificates.md
index 6347a4795d..4e414b4677 100644
--- a/windows/configuration/wcd/wcd-certificates.md
+++ b/windows/configuration/wcd/wcd-certificates.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
-localizationpriority: medium
+ms.localizationpriority: medium
ms.author: jdecker
ms.date: 08/21/2017
---
diff --git a/windows/configuration/wcd/wcd-cleanpc.md b/windows/configuration/wcd/wcd-cleanpc.md
index ec1f5eaadc..fa14dead06 100644
--- a/windows/configuration/wcd/wcd-cleanpc.md
+++ b/windows/configuration/wcd/wcd-cleanpc.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
-localizationpriority: medium
+ms.localizationpriority: medium
ms.author: jdecker
ms.date: 08/21/2017
---
diff --git a/windows/configuration/wcd/wcd-connections.md b/windows/configuration/wcd/wcd-connections.md
index 1ce0db8e5b..98fdd61592 100644
--- a/windows/configuration/wcd/wcd-connections.md
+++ b/windows/configuration/wcd/wcd-connections.md
@@ -5,14 +5,14 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
-localizationpriority: medium
+ms.localizationpriority: medium
ms.author: jdecker
ms.date: 08/21/2017
---
# Connections (Windows Configuration Designer reference)
-Use to configure settings related to variou types of phone connections.
+Use to configure settings related to various types of phone connections.
## Applies to
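Review bot: The corrected sentence "Use to configure settings related to various types of phone connections." still has no object after "Use"; since the line is being changed for the typo, consider "Use Connections to configure settings..." or "Use these settings to configure...".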
diff --git a/windows/configuration/wcd/wcd-connectivityprofiles.md b/windows/configuration/wcd/wcd-connectivityprofiles.md
index bb7d3366c0..2a71e900c4 100644
--- a/windows/configuration/wcd/wcd-connectivityprofiles.md
+++ b/windows/configuration/wcd/wcd-connectivityprofiles.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
-localizationpriority: medium
+ms.localizationpriority: medium
ms.author: jdecker
ms.date: 08/21/2017
---
diff --git a/windows/configuration/wcd/wcd-countryandregion.md b/windows/configuration/wcd/wcd-countryandregion.md
index aea53e22de..84e1e611f1 100644
--- a/windows/configuration/wcd/wcd-countryandregion.md
+++ b/windows/configuration/wcd/wcd-countryandregion.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
-localizationpriority: medium
+ms.localizationpriority: medium
ms.author: jdecker
ms.date: 08/21/2017
---
diff --git a/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md b/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md
index 1cf770db9b..6f954aec14 100644
--- a/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md
+++ b/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
-localizationpriority: medium
+ms.localizationpriority: medium
ms.author: jdecker
ms.date: 08/21/2017
---
diff --git a/windows/configuration/wcd/wcd-developersetup.md b/windows/configuration/wcd/wcd-developersetup.md
index e7c4378477..76c7f07631 100644
--- a/windows/configuration/wcd/wcd-developersetup.md
+++ b/windows/configuration/wcd/wcd-developersetup.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
-localizationpriority: medium
+ms.localizationpriority: medium
ms.author: jdecker
ms.date: 08/21/2017
---
diff --git a/windows/configuration/wcd/wcd-deviceformfactor.md b/windows/configuration/wcd/wcd-deviceformfactor.md
index dc1e5cd524..c9d4434a24 100644
--- a/windows/configuration/wcd/wcd-deviceformfactor.md
+++ b/windows/configuration/wcd/wcd-deviceformfactor.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
-localizationpriority: medium
+ms.localizationpriority: medium
ms.author: jdecker
ms.date: 08/21/2017
---
diff --git a/windows/configuration/wcd/wcd-devicemanagement.md b/windows/configuration/wcd/wcd-devicemanagement.md
index 9297174468..297225f5a1 100644
--- a/windows/configuration/wcd/wcd-devicemanagement.md
+++ b/windows/configuration/wcd/wcd-devicemanagement.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
-localizationpriority: medium
+ms.localizationpriority: medium
ms.author: jdecker
ms.date: 08/21/2017
---
diff --git a/windows/configuration/wcd/wcd-dmclient.md b/windows/configuration/wcd/wcd-dmclient.md
index 4efec80320..27a6b9dd36 100644
--- a/windows/configuration/wcd/wcd-dmclient.md
+++ b/windows/configuration/wcd/wcd-dmclient.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
-localizationpriority: medium
+ms.localizationpriority: medium
ms.author: jdecker
ms.date: 08/21/2017
---
diff --git a/windows/configuration/wcd/wcd-editionupgrade.md b/windows/configuration/wcd/wcd-editionupgrade.md
index cb2fd133b6..76e05d28ae 100644
--- a/windows/configuration/wcd/wcd-editionupgrade.md
+++ b/windows/configuration/wcd/wcd-editionupgrade.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
-localizationpriority: medium
+ms.localizationpriority: medium
ms.author: jdecker
ms.date: 08/21/2017
---
diff --git a/windows/configuration/wcd/wcd-embeddedlockdownprofiles.md b/windows/configuration/wcd/wcd-embeddedlockdownprofiles.md
index 833b66a43a..2203a1cb2b 100644
--- a/windows/configuration/wcd/wcd-embeddedlockdownprofiles.md
+++ b/windows/configuration/wcd/wcd-embeddedlockdownprofiles.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
-localizationpriority: medium
+ms.localizationpriority: medium
ms.author: jdecker
ms.date: 08/21/2017
---
diff --git a/windows/configuration/wcd/wcd-firewallconfiguration.md b/windows/configuration/wcd/wcd-firewallconfiguration.md
index 5e394b2f6b..df61861e90 100644
--- a/windows/configuration/wcd/wcd-firewallconfiguration.md
+++ b/windows/configuration/wcd/wcd-firewallconfiguration.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
-localizationpriority: medium
+ms.localizationpriority: medium
ms.author: jdecker
ms.date: 08/21/2017
---
diff --git a/windows/configuration/wcd/wcd-firstexperience.md b/windows/configuration/wcd/wcd-firstexperience.md
index b3a53776ff..cf0f7c1983 100644
--- a/windows/configuration/wcd/wcd-firstexperience.md
+++ b/windows/configuration/wcd/wcd-firstexperience.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
-localizationpriority: medium
+ms.localizationpriority: medium
ms.author: jdecker
ms.date: 08/21/2017
---
diff --git a/windows/configuration/wcd/wcd-folders.md b/windows/configuration/wcd/wcd-folders.md
index bbad0c9cb9..08eff6065d 100644
--- a/windows/configuration/wcd/wcd-folders.md
+++ b/windows/configuration/wcd/wcd-folders.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
-localizationpriority: medium
+ms.localizationpriority: medium
ms.author: jdecker
ms.date: 08/21/2017
---
diff --git a/windows/configuration/wcd/wcd-initialsetup.md b/windows/configuration/wcd/wcd-initialsetup.md
index db5b9cee8b..a579fca408 100644
--- a/windows/configuration/wcd/wcd-initialsetup.md
+++ b/windows/configuration/wcd/wcd-initialsetup.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
-localizationpriority: medium
+ms.localizationpriority: medium
ms.author: jdecker
ms.date: 08/21/2017
---
diff --git a/windows/configuration/wcd/wcd-internetexplorer.md b/windows/configuration/wcd/wcd-internetexplorer.md
index d1a2e56c56..e3290e6905 100644
--- a/windows/configuration/wcd/wcd-internetexplorer.md
+++ b/windows/configuration/wcd/wcd-internetexplorer.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
-localizationpriority: medium
+ms.localizationpriority: medium
ms.author: jdecker
ms.date: 08/21/2017
---
diff --git a/windows/configuration/wcd/wcd-licensing.md b/windows/configuration/wcd/wcd-licensing.md
index 5b3ebb4f41..7ae7661ea8 100644
--- a/windows/configuration/wcd/wcd-licensing.md
+++ b/windows/configuration/wcd/wcd-licensing.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
-localizationpriority: medium
+ms.localizationpriority: medium
ms.author: jdecker
ms.date: 08/21/2017
---
diff --git a/windows/configuration/wcd/wcd-maps.md b/windows/configuration/wcd/wcd-maps.md
index 4a1bfc4a7a..afe5f92c1c 100644
--- a/windows/configuration/wcd/wcd-maps.md
+++ b/windows/configuration/wcd/wcd-maps.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
-localizationpriority: medium
+ms.localizationpriority: medium
ms.author: jdecker
ms.date: 08/21/2017
---
diff --git a/windows/configuration/wcd/wcd-messaging.md b/windows/configuration/wcd/wcd-messaging.md
index a00378d147..871e87042c 100644
--- a/windows/configuration/wcd/wcd-messaging.md
+++ b/windows/configuration/wcd/wcd-messaging.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
-localizationpriority: medium
+ms.localizationpriority: medium
ms.author: jdecker
ms.date: 08/21/2017
---
diff --git a/windows/configuration/wcd/wcd-modemconfigurations.md b/windows/configuration/wcd/wcd-modemconfigurations.md
index dc45dff1ef..98bae12f8b 100644
--- a/windows/configuration/wcd/wcd-modemconfigurations.md
+++ b/windows/configuration/wcd/wcd-modemconfigurations.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
-localizationpriority: medium
+ms.localizationpriority: medium
ms.author: jdecker
ms.date: 08/21/2017
---
diff --git a/windows/configuration/wcd/wcd-multivariant.md b/windows/configuration/wcd/wcd-multivariant.md
index 37a5519dfd..fa8c0d735f 100644
--- a/windows/configuration/wcd/wcd-multivariant.md
+++ b/windows/configuration/wcd/wcd-multivariant.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
-localizationpriority: medium
+ms.localizationpriority: medium
ms.author: jdecker
ms.date: 08/21/2017
---
diff --git a/windows/configuration/wcd/wcd-networkproxy.md b/windows/configuration/wcd/wcd-networkproxy.md
index 7eb31bc61c..3689226767 100644
--- a/windows/configuration/wcd/wcd-networkproxy.md
+++ b/windows/configuration/wcd/wcd-networkproxy.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
-localizationpriority: medium
+ms.localizationpriority: medium
ms.author: jdecker
ms.date: 08/21/2017
---
diff --git a/windows/configuration/wcd/wcd-networkqospolicy.md b/windows/configuration/wcd/wcd-networkqospolicy.md
index 5906d70cdd..be9d9f4d69 100644
--- a/windows/configuration/wcd/wcd-networkqospolicy.md
+++ b/windows/configuration/wcd/wcd-networkqospolicy.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
-localizationpriority: medium
+ms.localizationpriority: medium
ms.author: jdecker
ms.date: 08/21/2017
---
diff --git a/windows/configuration/wcd/wcd-nfc.md b/windows/configuration/wcd/wcd-nfc.md
index c03217c87e..1b56de1940 100644
--- a/windows/configuration/wcd/wcd-nfc.md
+++ b/windows/configuration/wcd/wcd-nfc.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
-localizationpriority: medium
+ms.localizationpriority: medium
ms.author: jdecker
ms.date: 08/21/2017
---
diff --git a/windows/configuration/wcd/wcd-oobe.md b/windows/configuration/wcd/wcd-oobe.md
index 7a72de6bb0..e609255e3d 100644
--- a/windows/configuration/wcd/wcd-oobe.md
+++ b/windows/configuration/wcd/wcd-oobe.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
-localizationpriority: medium
+ms.localizationpriority: medium
ms.author: jdecker
ms.date: 08/21/2017
---
diff --git a/windows/configuration/wcd/wcd-otherassets.md b/windows/configuration/wcd/wcd-otherassets.md
index f5f33e19a2..ff79d72f5f 100644
--- a/windows/configuration/wcd/wcd-otherassets.md
+++ b/windows/configuration/wcd/wcd-otherassets.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
-localizationpriority: medium
+ms.localizationpriority: medium
ms.author: jdecker
ms.date: 08/21/2017
---
diff --git a/windows/configuration/wcd/wcd-personalization.md b/windows/configuration/wcd/wcd-personalization.md
index 27f82ea825..a5aaee541d 100644
--- a/windows/configuration/wcd/wcd-personalization.md
+++ b/windows/configuration/wcd/wcd-personalization.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
-localizationpriority: medium
+ms.localizationpriority: medium
ms.author: jdecker
ms.date: 08/21/2017
---
diff --git a/windows/configuration/wcd/wcd-policies.md b/windows/configuration/wcd/wcd-policies.md
index 72357237a0..f672b70b05 100644
--- a/windows/configuration/wcd/wcd-policies.md
+++ b/windows/configuration/wcd/wcd-policies.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
-localizationpriority: medium
+ms.localizationpriority: medium
ms.author: jdecker
ms.date: 08/21/2017
---
diff --git a/windows/configuration/wcd/wcd-provisioningcommands.md b/windows/configuration/wcd/wcd-provisioningcommands.md
index 5ed43d8d18..7ab3bd2e35 100644
--- a/windows/configuration/wcd/wcd-provisioningcommands.md
+++ b/windows/configuration/wcd/wcd-provisioningcommands.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
-localizationpriority: medium
+ms.localizationpriority: medium
ms.author: jdecker
ms.date: 08/21/2017
---
diff --git a/windows/configuration/wcd/wcd-sharedpc.md b/windows/configuration/wcd/wcd-sharedpc.md
index d771bbee7b..744e0acd11 100644
--- a/windows/configuration/wcd/wcd-sharedpc.md
+++ b/windows/configuration/wcd/wcd-sharedpc.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
-localizationpriority: medium
+ms.localizationpriority: medium
ms.author: jdecker
ms.date: 08/21/2017
---
diff --git a/windows/configuration/wcd/wcd-shell.md b/windows/configuration/wcd/wcd-shell.md
index 8d7ad0b7ff..a0b581cb04 100644
--- a/windows/configuration/wcd/wcd-shell.md
+++ b/windows/configuration/wcd/wcd-shell.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
-localizationpriority: medium
+ms.localizationpriority: medium
ms.author: jdecker
ms.date: 08/21/2017
---
diff --git a/windows/configuration/wcd/wcd-smisettings.md b/windows/configuration/wcd/wcd-smisettings.md
index ce6de17758..df459903c7 100644
--- a/windows/configuration/wcd/wcd-smisettings.md
+++ b/windows/configuration/wcd/wcd-smisettings.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
-localizationpriority: medium
+ms.localizationpriority: medium
ms.author: jdecker
ms.date: 08/21/2017
---
diff --git a/windows/configuration/wcd/wcd-start.md b/windows/configuration/wcd/wcd-start.md
index 25fcc57075..3256dea604 100644
--- a/windows/configuration/wcd/wcd-start.md
+++ b/windows/configuration/wcd/wcd-start.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
-localizationpriority: medium
+ms.localizationpriority: medium
ms.author: jdecker
ms.date: 08/21/2017
---
diff --git a/windows/configuration/wcd/wcd-startupapp.md b/windows/configuration/wcd/wcd-startupapp.md
index 06c5b20b7a..3e9d1ca9b2 100644
--- a/windows/configuration/wcd/wcd-startupapp.md
+++ b/windows/configuration/wcd/wcd-startupapp.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
-localizationpriority: medium
+ms.localizationpriority: medium
ms.author: jdecker
ms.date: 08/21/2017
---
diff --git a/windows/configuration/wcd/wcd-startupbackgroundtasks.md b/windows/configuration/wcd/wcd-startupbackgroundtasks.md
index 6b0840c310..2e5c3fa161 100644
--- a/windows/configuration/wcd/wcd-startupbackgroundtasks.md
+++ b/windows/configuration/wcd/wcd-startupbackgroundtasks.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
-localizationpriority: medium
+ms.localizationpriority: medium
ms.author: jdecker
ms.date: 08/21/2017
---
diff --git a/windows/configuration/wcd/wcd-surfacehubmanagement.md b/windows/configuration/wcd/wcd-surfacehubmanagement.md
index f2da4a2dd6..4a6dbb3dd3 100644
--- a/windows/configuration/wcd/wcd-surfacehubmanagement.md
+++ b/windows/configuration/wcd/wcd-surfacehubmanagement.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
-localizationpriority: medium
+ms.localizationpriority: medium
ms.author: jdecker
ms.date: 08/21/2017
---
diff --git a/windows/configuration/wcd/wcd-tabletmode.md b/windows/configuration/wcd/wcd-tabletmode.md
index a8d2ea900a..5f454d89bb 100644
--- a/windows/configuration/wcd/wcd-tabletmode.md
+++ b/windows/configuration/wcd/wcd-tabletmode.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
-localizationpriority: medium
+ms.localizationpriority: medium
ms.author: jdecker
ms.date: 08/21/2017
---
diff --git a/windows/configuration/wcd/wcd-takeatest.md b/windows/configuration/wcd/wcd-takeatest.md
index 75613f3b2e..c498ffd865 100644
--- a/windows/configuration/wcd/wcd-takeatest.md
+++ b/windows/configuration/wcd/wcd-takeatest.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
-localizationpriority: medium
+ms.localizationpriority: medium
ms.author: jdecker
ms.date: 08/21/2017
---
diff --git a/windows/configuration/wcd/wcd-theme.md b/windows/configuration/wcd/wcd-theme.md
index 2d3e643f85..bc5710c264 100644
--- a/windows/configuration/wcd/wcd-theme.md
+++ b/windows/configuration/wcd/wcd-theme.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
-localizationpriority: medium
+ms.localizationpriority: medium
ms.author: jdecker
ms.date: 08/21/2017
---
diff --git a/windows/configuration/wcd/wcd-unifiedwritefilter.md b/windows/configuration/wcd/wcd-unifiedwritefilter.md
index fe65f8413f..5ba21b01a3 100644
--- a/windows/configuration/wcd/wcd-unifiedwritefilter.md
+++ b/windows/configuration/wcd/wcd-unifiedwritefilter.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
-localizationpriority: medium
+ms.localizationpriority: medium
ms.author: jdecker
ms.date: 08/21/2017
---
diff --git a/windows/configuration/wcd/wcd-universalappinstall.md b/windows/configuration/wcd/wcd-universalappinstall.md
index 6ba1b3993a..50f88c2fdc 100644
--- a/windows/configuration/wcd/wcd-universalappinstall.md
+++ b/windows/configuration/wcd/wcd-universalappinstall.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
-localizationpriority: medium
+ms.localizationpriority: medium
ms.author: jdecker
ms.date: 08/21/2017
---
diff --git a/windows/configuration/wcd/wcd-universalappuninstall.md b/windows/configuration/wcd/wcd-universalappuninstall.md
index 17bbc8f15b..70cd723052 100644
--- a/windows/configuration/wcd/wcd-universalappuninstall.md
+++ b/windows/configuration/wcd/wcd-universalappuninstall.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
-localizationpriority: medium
+ms.localizationpriority: medium
ms.author: jdecker
ms.date: 08/21/2017
---
diff --git a/windows/configuration/wcd/wcd-usberrorsoemoverride.md b/windows/configuration/wcd/wcd-usberrorsoemoverride.md
index 7175b5e14b..31685f534d 100644
--- a/windows/configuration/wcd/wcd-usberrorsoemoverride.md
+++ b/windows/configuration/wcd/wcd-usberrorsoemoverride.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
-localizationpriority: medium
+ms.localizationpriority: medium
ms.author: jdecker
ms.date: 08/21/2017
---
diff --git a/windows/configuration/wcd/wcd-weakcharger.md b/windows/configuration/wcd/wcd-weakcharger.md
index f1316bc77a..92f8844d81 100644
--- a/windows/configuration/wcd/wcd-weakcharger.md
+++ b/windows/configuration/wcd/wcd-weakcharger.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
-localizationpriority: medium
+ms.localizationpriority: medium
ms.author: jdecker
ms.date: 08/21/2017
---
diff --git a/windows/configuration/wcd/wcd-windowsteamsettings.md b/windows/configuration/wcd/wcd-windowsteamsettings.md
index b9ee438e22..26c23a84ce 100644
--- a/windows/configuration/wcd/wcd-windowsteamsettings.md
+++ b/windows/configuration/wcd/wcd-windowsteamsettings.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
-localizationpriority: medium
+ms.localizationpriority: medium
ms.author: jdecker
ms.date: 08/21/2017
---
diff --git a/windows/configuration/wcd/wcd-wlan.md b/windows/configuration/wcd/wcd-wlan.md
index 6b641db70f..80bbb26cf5 100644
--- a/windows/configuration/wcd/wcd-wlan.md
+++ b/windows/configuration/wcd/wcd-wlan.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
-localizationpriority: medium
+ms.localizationpriority: medium
ms.author: jdecker
ms.date: 08/21/2017
---
diff --git a/windows/configuration/wcd/wcd-workplace.md b/windows/configuration/wcd/wcd-workplace.md
index 901e30a048..8db1aa11a4 100644
--- a/windows/configuration/wcd/wcd-workplace.md
+++ b/windows/configuration/wcd/wcd-workplace.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
-localizationpriority: medium
+ms.localizationpriority: medium
ms.author: jdecker
ms.date: 08/21/2017
---
diff --git a/windows/configuration/wcd/wcd.md b/windows/configuration/wcd/wcd.md
index 38f6061d9f..080f9e469f 100644
--- a/windows/configuration/wcd/wcd.md
+++ b/windows/configuration/wcd/wcd.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
-localizationpriority: medium
+ms.localizationpriority: medium
ms.author: jdecker
ms.date: 08/21/2017
---
diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md
index 4c6db249d6..b070057f1d 100644
--- a/windows/deployment/TOC.md
+++ b/windows/deployment/TOC.md
@@ -221,6 +221,9 @@
### [Windows Insider Program for Business](update/waas-windows-insider-for-business.md)
#### [Windows Insider Program for Business using Azure Active Directory](update/waas-windows-insider-for-business-aad.md)
#### [Windows Insider Program for Business Frequently Asked Questions](update/waas-windows-insider-for-business-faq.md)
+#### [Olympia Corp enrollment](update/olympia/olympia-enrollment-guidelines.md)
+##### [Keep your current Windows 10 edition](update/olympia/enrollment-keep-current-edition.md)
+##### [Upgrade your Windows 10 edition from Pro to Enterprise](update/olympia/enrollment-upgrade-to-enterprise.md)
### [Change history for Update Windows 10](update/change-history-for-update-windows-10.md)
## Windows Analytics
diff --git a/windows/deployment/deploy.md b/windows/deployment/deploy.md
index aa4243f2cf..d493765134 100644
--- a/windows/deployment/deploy.md
+++ b/windows/deployment/deploy.md
@@ -6,6 +6,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: high
+ms.date: 09/05/2017
author: greg-lindsay
---
diff --git a/windows/deployment/images/ua-step2-blades.png b/windows/deployment/images/ua-step2-blades.png
new file mode 100644
index 0000000000..c86f7a4338
Binary files /dev/null and b/windows/deployment/images/ua-step2-blades.png differ
diff --git a/windows/deployment/images/ua-step2-low-risk.png b/windows/deployment/images/ua-step2-low-risk.png
new file mode 100644
index 0000000000..6e9daf0233
Binary files /dev/null and b/windows/deployment/images/ua-step2-low-risk.png differ
diff --git a/windows/deployment/index.md b/windows/deployment/index.md
index 7d139ec69e..6841274b4c 100644
--- a/windows/deployment/index.md
+++ b/windows/deployment/index.md
@@ -6,6 +6,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: high
+ms.date: 09/05/2017
author: greg-lindsay
---
diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md
index c87802238e..f828bce6a8 100644
--- a/windows/deployment/mbr-to-gpt.md
+++ b/windows/deployment/mbr-to-gpt.md
@@ -7,6 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
+ms.date: 09/05/2017
ms.localizationpriority: high
---
@@ -17,28 +18,41 @@ ms.localizationpriority: high
## Summary
-**MBR2GPT.EXE** converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS).
+**MBR2GPT.EXE** converts a disk from the Master Boot Record (MBR) to the GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS) by using the **/allowFullOS** option.
-MBR2GPT.EXE is located in the **Windows\\System32** directory on a Windows 10 computer running Windows 10 version 1703 or later.
+See the following video for a detailed description and demonstration of MBR2GPT.
-You can use MBR2GPT to perform the following:
+
-- \[Within the Windows PE environment\]: Convert any attached MBR-formatted system disk to the GPT partition format.
-- \[From within the currently running OS\]: Convert any attached MBR-formatted system disk to the GPT partition format.
-
->MBR2GPT is available in Windows 10 version 1703, also known as Windows 10 Creator's Update, and later versions.
+>MBR2GPT.EXE is located in the **Windows\\System32** directory on a computer running Windows 10 version 1703 (also known as the Creator's Update) or later.
>The tool is available in both the full OS environment and Windows PE.
-You can use MBR2GPT to convert an MBR disk with BitLocker-encrypted volumes as long as protection has been suspended. To resume BitLocker after conversion, you will need to delete the existing protectors and recreate them.
+You can use MBR2GPT to:
-The MBR2GPT tool can convert operating system disks that have earlier versions of Windows 10 installed, such as versions 1507, 1511, and 1607. However, you must run the tool while booted into Windows 10 version 1703 or later, and perform an offline conversion.
+- Convert any attached MBR-formatted system disk to the GPT partition format. You cannot use the tool to convert non-system disks from MBR to GPT.
+- Convert an MBR disk with BitLocker-encrypted volumes as long as protection has been suspended. To resume BitLocker after conversion, you will need to delete the existing protectors and recreate them.
+- Convert operating system disks that have earlier versions of Windows 10 installed, such as versions 1507, 1511, and 1607. However, you must run the tool while booted into Windows 10 version 1703 or later, and perform an offline conversion.
Offline conversion of system disks with earlier versions of Windows installed, such as Windows 7, 8, or 8.1 are not officially supported. The recommended method to convert these disks is to upgrade the operating system to Windows 10 first, then perform the MBR to GPT conversion.
>[!IMPORTANT]
>After the disk has been converted to GPT partition style, the firmware must be reconfigured to boot in UEFI mode. Make sure that your device supports UEFI before attempting to convert the disk.
-
+## Prerequisites
+
+Before any change to the disk is made, MBR2GPT validates the layout and geometry of the selected disk to ensure that:
+- The disk is currently using MBR
+- There is enough space not occupied by partitions to store the primary and secondary GPTs:
+ - 16KB + 2 sectors at the front of the disk
+ - 16KB + 1 sector at the end of the disk
+- There are at most 3 primary partitions in the MBR partition table
+- One of the partitions is set as active and is the system partition
+- The disk does not have any extended/logical partition
+- The BCD store on the system partition contains a default OS entry pointing to an OS partition
+- The volume IDs can be retrieved for each volume which has a drive letter assigned
+- All partitions on the disk are of MBR types recognized by Windows or has a mapping specified using the /map command-line option
+
+If any of these checks fails, the conversion will not proceed and an error will be returned.
## Syntax
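Review bot: The new "## Prerequisites" section lists only checks that MBR2GPT runs itself, while the one thing the administrator has to do beforehand, suspending BitLocker protection, appears only in the "You can use MBR2GPT to:" list above it. Either add the BitLocker suspension to this section or keep a title closer to the old "Disk validation", so a reader who skips to Prerequisites does not miss it. While the text is being moved, fix the last bullet ("All partitions on the disk are of MBR types recognized by Windows or has a mapping"): "has" should be "have". The added line after "See the following video" is empty in this view, so confirm the embed is actually present.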
@@ -217,22 +231,6 @@ The following steps illustrate high-level phases of the MBR-to-GPT conversion pr
5. The boot configuration data (BCD) store is updated.
6. Drive letter assignments are restored.
-### Disk validation
-
-Before any change to the disk is made, MBR2GPT validates the layout and geometry of the selected disk to ensure that:
-- The disk is currently using MBR
-- There is enough space not occupied by partitions to store the primary and secondary GPTs:
- - 16KB + 2 sectors at the front of the disk
- - 16KB + 1 sector at the end of the disk
-- There are at most 3 primary partitions in the MBR partition table
-- One of the partitions is set as active and is the system partition
-- The disk does not have any extended/logical partition
-- The BCD store on the system partition contains a default OS entry pointing to an OS partition
-- The volume IDs can be retrieved for each volume which has a drive letter assigned
-- All partitions on the disk are of MBR types recognized by Windows or has a mapping specified using the /map command-line option
-
-If any of these checks fails, the conversion will not proceed and an error will be returned.
-
### Creating an EFI system partition
For Windows to remain bootable after the conversion, an EFI system partition (ESP) must be in place. MBR2GPT creates the ESP using the following rules:
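Review bot: Deleting the "### Disk validation" heading also deletes its in-page anchor, so any link to that section, from this topic or from other topics, will stop resolving. The content now sits under "## Prerequisites", so search the repo for links to the old heading and repoint them. Also check that the numbered phase list ending at "6. Drive letter assignments are restored." still reads correctly now that validation is described before the Syntax section rather than after the list.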
diff --git a/windows/deployment/update/olympia/enrollment-keep-current-edition.md b/windows/deployment/update/olympia/enrollment-keep-current-edition.md
new file mode 100644
index 0000000000..b0016c44ee
--- /dev/null
+++ b/windows/deployment/update/olympia/enrollment-keep-current-edition.md
@@ -0,0 +1,44 @@
+---
+title: Keep your current Windows 10 edition
+description: Olympia Corp enrollment - Keep your current Windows 10 edition
+ms.author: nibr
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 09/01/2017
+---
+
+# Olympia Corp enrollment
+
+## Keep your current Windows 10 edition
+
+1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your PC (see [local administrator](https://support.microsoft.com/en-us/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)).
+
+ 
+
+2. If you are already connected to a domain, click the existing account and then click **Disconnect**. Click **Restart Later**.
+
+3. Click **Connect** and enter your **Olympia corporate account** (e.g., username@olympia.windows.com). Click **Next**.
+
+ 
+
+4. Enter the temporary password that was sent to you. Click **Sign in**. Follow the instructions to set a new password.
+
+ > [!NOTE]
+ > Passwords should contain 8-16 characters, including at least one special character or number.
+
+ 
+
+5. Read the **Terms and Conditions**. Click **Accept** to participate in the program.
+
+6. If this is the first time you are logging in, please fill in the additional information to help you retrieve your account details.
+
+7. Create a PIN for signing into your Olympia corporate account.
+
+8. Go to **Start > Settings > Update & Security > Windows Insider Program**. Click on the current Windows Insider account, and click **Change**. Sign in with your **Olympia corporate account**.
+
+ > [!NOTE]
+ > To complete this step, you will need to register your account with the [Windows Insider Program for Business](https://insider.windows.com/ForBusiness).
+
+9. Open the **Feedback Hub**, and sign in with your **Olympia corporate account**.
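Review bot: Step 2 tells a domain-joined user to click **Disconnect** without saying what that does to their existing sign-in. Add a note there that the domain account will no longer work on the PC afterward and that a local administrator account must exist first; step 1 links to the local administrator article but only in the context of seeing the setting. Step 4 also refers to "the temporary password that was sent to you" without saying how or by whom it is sent. Separately, the front matter omits ms.localizationpriority, ms.sitesec and ms.mktglfcycl, which the other topics in this same commit carry.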
diff --git a/windows/deployment/update/olympia/enrollment-upgrade-to-enterprise.md b/windows/deployment/update/olympia/enrollment-upgrade-to-enterprise.md
new file mode 100644
index 0000000000..6643971428
--- /dev/null
+++ b/windows/deployment/update/olympia/enrollment-upgrade-to-enterprise.md
@@ -0,0 +1,57 @@
+---
+title: Upgrade your Windows 10 edition from Pro to Enterprise
+description: Olympia Corp enrollment - Upgrade your Windows 10 edition from Pro to Enterprise
+ms.author: nibr
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 09/01/2017
+---
+
+# Olympia Corp enrollment
+
+## Upgrade your Windows 10 edition from Pro to Enterprise
+
+1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your PC (see [local administrator](https://support.microsoft.com/en-us/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)).
+
+ 
+
+2. If you are already connected to a domain, click the existing account and then click **Disconnect**. Click **Restart Later**.
+
+3. Click **Connect**, then click **Join this device to Azure Active Directory**.
+
+ 
+
+4. Enter your **Olympia corporate account** (e.g., username@olympia.windows.com). Click **Next**.
+
+ 
+
+5. Enter the temporary password that was sent to you. Click **Sign in**. Follow the instructions to set a new password.
+
+ > [!NOTE]
+ > Passwords should contain 8-16 characters, including at least one special character or number.
+
+ 
+
+6. When asked to make sure this is your organization, verify that the information is correct. If so, click **Join**.
+
+7. If this is the first time you are signing in, please fill in the additional information to help you retrieve your account details.
+
+8. Create a PIN for signing into your Olympia corporate account.
+
+9. When asked to make sure this is your organization, verify that the information is correct. If so, click **Join**.
+
+10. Restart your PC.
+
+11. In the sign-in screen, choose **Other User** and sign in with your **Olympia corporate account**. Your PC will upgrade to Windows 10 Enterprise*.
+
+12. Go to **Start > Settings > Update & Security > Windows Insider Program**. Click on the current Windows Insider account, and click **Change**. Sign in with your **Olympia corporate account**.
+
+ > [!NOTE]
+ > To complete this step, you will need to register your account with the [Windows Insider Program for Business](https://insider.windows.com/ForBusiness).
+
+13. Open the **Feedback Hub**, and sign in with your **Olympia corporate account**.
+
+\* Please note that your Windows 10 Enterprise license will not be renewed if your PC is not connected to Olympia.
+
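Review bot: Steps 6 and 9 are the same sentence ("When asked to make sure this is your organization, verify that the information is correct. If so, click **Join**."), so one of them is a copy-paste leftover. Keep it only at the point where the prompt actually appears and renumber the rest. Step 6 should also say what "the information" is and what to do when it does not match, since this is the only point where the user confirms which organization the device is being joined to. The footnote about the Enterprise license not being renewed "if your PC is not connected to Olympia" needs a time frame or a definition of "connected". Step 7 says "signing in" where the sibling topic says "logging in"; pick one. The file also ends with a trailing blank line.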
diff --git a/windows/deployment/update/olympia/images/1-1.png b/windows/deployment/update/olympia/images/1-1.png
new file mode 100644
index 0000000000..ee06527529
Binary files /dev/null and b/windows/deployment/update/olympia/images/1-1.png differ
diff --git a/windows/deployment/update/olympia/images/1-3.png b/windows/deployment/update/olympia/images/1-3.png
new file mode 100644
index 0000000000..807e895aa5
Binary files /dev/null and b/windows/deployment/update/olympia/images/1-3.png differ
diff --git a/windows/deployment/update/olympia/images/1-4.png b/windows/deployment/update/olympia/images/1-4.png
new file mode 100644
index 0000000000..3e63d1c078
Binary files /dev/null and b/windows/deployment/update/olympia/images/1-4.png differ
diff --git a/windows/deployment/update/olympia/images/2-3.png b/windows/deployment/update/olympia/images/2-3.png
new file mode 100644
index 0000000000..7006da4179
Binary files /dev/null and b/windows/deployment/update/olympia/images/2-3.png differ
diff --git a/windows/deployment/update/olympia/images/2-4.png b/windows/deployment/update/olympia/images/2-4.png
new file mode 100644
index 0000000000..677679a000
Binary files /dev/null and b/windows/deployment/update/olympia/images/2-4.png differ
diff --git a/windows/deployment/update/olympia/images/2-5.png b/windows/deployment/update/olympia/images/2-5.png
new file mode 100644
index 0000000000..cfec6f7ce0
Binary files /dev/null and b/windows/deployment/update/olympia/images/2-5.png differ
diff --git a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md
new file mode 100644
index 0000000000..17b87bd7b0
--- /dev/null
+++ b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md
@@ -0,0 +1,22 @@
+---
+title: Olympia Corp enrollment guidelines
+description: Olympia Corp enrollment guidelines
+ms.author: nibr
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 09/01/2017
+---
+
+# Olympia Corp enrollment guidelines
+
+Welcome to Olympia Corp. Here are the steps to add your account to your PC.
+
+As part of Windows Insider Lab for Enterprise, you can upgrade to Windows 10 Enterprise from Windows 10 Pro. This upgrade is optional. Since certain features such as Windows Defender Application Guard are only available on Windows 10 Enterprise, we recommend you to upgrade.
+
+Choose one of the following two enrollment options:
+
+1. [Keep your current Windows 10 edition](./enrollment-keep-current-edition.md)
+
+2. [Upgrade your Windows 10 edition from Pro to Enterprise](./enrollment-upgrade-to-enterprise.md)
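Review bot: The introduction never says what Olympia Corp is or who this guide is for; it goes straight from "Welcome to Olympia Corp." to adding an account. One sentence explaining the relationship to "Windows Insider Lab for Enterprise", with a link, would let a reader decide whether to connect their PC at all. It would also help to state the practical difference between the two options, since the sibling topics show that only the Enterprise path joins the device to Azure Active Directory. Wording: "we recommend you to upgrade" should be "we recommend that you upgrade". The front matter is missing ms.localizationpriority here as well.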
diff --git a/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md b/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md
index 9ca055c5f5..731feea00e 100644
--- a/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md
+++ b/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md
@@ -2,7 +2,7 @@
title: Upgrade Readiness - Resolve application and driver issues (Windows 10)
description: Describes how to resolve application and driver issues that can occur during an upgrade with Upgrade Readiness.
ms.prod: w10
-author: greg-lindsay
+author: jaimeo
---
# Upgrade Readiness - Step 2: Resolve app and driver issues
@@ -14,8 +14,8 @@ This section of the Upgrade Readiness workflow reports application and driver in
The blades in the **Step 2: Resolve issues** section are:
- [Review applications with known issues](#review-applications-with-known-issues)
-- [Review applications with no known issues](#review-applications-with-no-known-issues)
- [Review known driver issues](#review-known-driver-issues)
+- [Review low-risk apps and drivers](#review-low-risk-apps-and-drivers)
- [Prioritize app and driver testing](#prioritize-app-and-driver-testing)
>You can change an application’s upgrade decision and a driver’s upgrade decision from the blades in this section. To change an application’s or a driver’s importance level, select **User changes**. Select the item you want to change and then select the appropriate option from the **Select upgrade decision** list.
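Review bot: The unchanged list entry "[Review known driver issues](#review-known-driver-issues)" does not match the section heading shown later in this diff, "## Review drivers with known issues", so that link most likely does not resolve. Since this list is being edited anyway, align the link text and anchor with the heading (or rename the heading). The new entry's anchor, #review-low-risk-apps-and-drivers, does match the heading added further down.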
@@ -48,7 +48,7 @@ To change an application's upgrade decision:
4. Select the applications you want to change to a specific upgrade decision and then then select the appropriate option from the **Select upgrade decision** list.
5. Click **Save** when finished.
-IMORTANT: Ensure that you have the most recent versions of the compatibility update and related KBs installed to get the most up-to-date compatibility information.
+IMPORTANT: Ensure that you have the most recent versions of the compatibility update and related KBs installed to get the most up-to-date compatibility information.
For applications assessed as **Attention needed**, review the table below for details about known issues and for guidance about how to resolve them, when possible.
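Review bot: The corrected "IMPORTANT:" line is still plain text, while mbr-to-gpt.md in this same commit uses the ">[!IMPORTANT]" alert syntax; convert it so it renders as a callout. The context line just above it still has the doubled word in "and then then select the appropriate option", which could be fixed in the same pass.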
@@ -107,26 +107,6 @@ The following table lists possible values for **ReadyForWindows** and what they
|Adoption status available | NamePublisher | A Ready for Windows adoption status is available for one or more versions of this application. Please check Ready for Windows to learn more. |Check [Ready for Windows](https://www.readyforwindows.com/) for adoption information for this application.|
| Unknown | Any | There is no Ready for Windows information available for this version of this application. Information may be available for other versions of the application at [Ready for Windows](https://www.readyforwindows.com/). | N/A |
-## Review applications with no known issues
-
-Applications with no issues known to Microsoft are listed, grouped by upgrade decision.
-
-
-
-Applications with no known issues that are installed on 2% or less of your total computer inventory \[number of computers application is installed on/total number of computers in your inventory\] are automatically marked **Ready to upgrade** and included in the applications reviewed count. Applications with no known issues that are installed on more than 2% of your total computer inventory are automatically marked **Not reviewed**.
-
-Be sure to review low install count applications for any business critical or important applications that may not yet be upgrade-ready, despite their low installation rates.
-
-To change an application's upgrade decision:
-
-1. Select **Decide upgrade readiness** to view applications with issues. Select **Table** to view the list in a table.
-
-2. Select **User changes** to change the upgrade decision for each application.
-
-3. Select the applications you want to change to a specific upgrade decision and then then select the appropriate option from the **Select upgrade decision** list.
-
-4. Click **Save** when finished.
-
## Review drivers with known issues
Drivers that won’t migrate to the new operating system are listed, grouped by availability.
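Review bot: deleting this section also drops the only statement of the 2% rule (apps with no known issues installed on 2% or less of inventory are automatically marked **Ready to upgrade**), and the replacement "Review low-risk apps and drivers" section does not say whether that automatic marking still happens. State the current behaviour in the new section, or confirm that it no longer applies.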
@@ -152,9 +132,30 @@ To change a driver’s upgrade decision:
4. Click **Save** when finished.
+## Review low-risk apps and drivers
+
+Applications and drivers that are meet certain criteria to be considered low risk are displayed on this blade.
+
+
+
+The first row reports the number of your apps that have an official statement of support on Windows 10 from the software vendor, so you can be confident that they will work on your target operating system.
+
+The second row (**Apps that are "Highly adopted"**) shows apps that have a ReadyForWindows status of "Highly adopted". This means that they have been installed on at least 100,000 commercial Windows 10 devices, and that Microsoft has not detected significant issues with the app in telemetry. Since these apps are prevalent in the ecosystem at large, you can be confident that they will work in your environment as well.
+
+Each row of the blade uses a different criterion to filter your apps or drivers. You can view a list of applications that meet the criterion by clicking into a row of the blade. For example, if you click the row that says "Apps that are 'Highly adopted'", the result is a list of apps that have a ReadyForWindows status of "Highly adopted". From here, you can bulk-select the results, select **Ready to upgrade**, and then click **Save**. This will mark all apps meeting the "Highly adopted" criterion as "Ready to upgrade"--no further validation is required. Any applications that you have marked as *Mission critical* or *Business critical* are filtered out, as well as any app that has an issue known to Microsoft. This allows you to work with apps in bulk without having to worry about missing a critical app.
+
+You can customize the criteria further by using the Log Search query language. For example, if a ReadyForWindows status of "Adopted" is not sufficient by itself for you to be confident in an app's compatibility, you can add additional filters. To do this, click the row labeled **Apps that are 'Adopted'**. Then, modify the resulting query to fit your company's risk tolerance. If, for example, you prefer that an app must be "Adopted" and have fewer than 1,000 installations, then add *TotalInstalls < 1000* to the end of the Log Search query. Similarly, you can append additional criteria by using other attributes such as monthly active users or app importance.
+
+>[!NOTE]
+>Apps that you have designated as *Mission critical* or *Business critical* are automatically **excluded** from the counts on this blade. If an app is critical, you should always validate it manually it prior to upgrading.
+
+ At the bottom of the blade, the **OTHER APPS AND DRIVERS IN NEED OF REVIEW** section allows you to quickly access apps you have designated as **Mission critical** or **Business critical**, your remaining apps that still need to be reviewed, and your remaining drivers that need to be reviewed.
+
+
+
## Prioritize app and driver testing
-Planning and executing an OS upgrade project can be overwhelming. When you are tasked with evaluating thousands of applications and drivers to ensure a successful upgrade, it can be difficult to decide where to start. The Upgrade Readiness solution provides valuable assistance for you, helping to determine the most important apps and drivers to unblock and enabling you yo create a proposed action plan.
+Planning and executing an OS upgrade project can be overwhelming. When you are tasked with evaluating thousands of applications and drivers to ensure a successful upgrade, it can be difficult to decide where to start. The Upgrade Readiness solution provides valuable assistance for you, helping to determine the most important apps and drivers to unblock and enabling you yo create a proposed action plan.
### Proposed action plan
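Review bot: the new section has wording errors that should be fixed before merge: "Applications and drivers that are meet certain criteria" (drop "are") and, in the note, "validate it manually it prior to upgrading" (drop the second "it"). The customization paragraph switches from the "Highly adopted" row to a row labeled **Apps that are 'Adopted'** that the section never introduces; either describe that row alongside the first two or use "Highly adopted" in the example. The last changed line still reads "enabling you yo create", so that typo is carried over rather than fixed.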
diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md
index a6f560cc33..fc38a3df22 100644
--- a/windows/deployment/vda-subscription-activation.md
+++ b/windows/deployment/vda-subscription-activation.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
-ms.date: 08/23/2017
+ms.date: 09/05/2017
author: greg-lindsay
---
@@ -15,6 +15,11 @@ author: greg-lindsay
This document describes how to configure virtual machines (VMs) to enable [Windows 10 Subscription Activation](windows-10-enterprise-subscription-activation.md) in a Windows Virtual Desktop Access (VDA) scenario. Windows VDA is a device or user-based licensing mechanism for managing access to virtual desktops.
+Deployment instructions are provided for the following scenarios:
+1. [Active Directory-joined VMs](#active-directory-joined-vms)
+2. [Azure Active Directory-joined VMs](#azure-active-directory-joined-vms)
+3. [Azure Gallery VMs](#azure-gallery-vms)
+
## Requirements
- VMs must be running Windows 10 Pro, version 1703 (also known as the Creator's Update) or later.
@@ -64,7 +69,35 @@ For Azure AD-joined VMs, follow the same instructions (above) as for [Active Dir
- In step 9, during setup with Windows Configuration Designer, under **Name**, type a name for the project that indicates it is not for Active Directory joined VMs, such as **Desktop Bulk Enrollment Token Pro GVLK**.
- In step 12, during setup with Windows Configuration Designer, on the Account Management page, instead of enrolling in Active Directory, choose **Enroll in Azure AD**, click **Get Bulk Token**, sign in and add the bulk token using your organization's credentials.
- In step 17, when entering the PackagePath, use the project name you entered in step 9 (ex: **Desktop Bulk Enrollment Token Pro GVLK.ppkg**)
-- When attempting to access the VM using remote desktop, you will need to create a custom RDP settings file as described below.
+- When attempting to access the VM using remote desktop, you will need to create a custom RDP settings file as described below in [Create custom RDP settings for Azure](#create-custom-rpd-settings-for-azure).
+
+## Azure Gallery VMs
+
+1. (Optional) To disable network level authentication, type the following at an elevated command prompt:
+
+ ```
+ REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
+ ```
+
+2. At an elevated command prompt, type **sysdm.cpl** and press ENTER.
+3. On the Remote tab, choose **Allow remote connections to this computer** and then click **Select Users**.
+4. Click **Add**, type **Authenticated users**, and then click **OK** three times.
+(https://docs.microsoft.com/azure/virtual-machines/windows/prepare-for-upload-vhd-image#steps-to-generalize-a-vhd).
+5. [Install Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd).
+6. Open Windows Configuration Designer and click **Provison desktop services**.
+7. Under **Name**, type **Desktop Bulk Enrollment Token Pro GVLK**, click **Finish**, and then on the **Set up device** page enter a device name.
+ - Note: You can use a different project name, but this name is also used with dism.exe in a subsequent step.
+8. Under **Enter product key** type the Pro GVLK key: **W269N-WFGWX-YVC9B-4J6C9-T83GX**.
+9. On the Set up network page, choose **Off**.
+10. On the Account Management page, choose **Enroll in Azure AD**, click **Get Bulk Token**, sign in, and add the bulk token using your organizations credentials.
+11. On the Add applications page, add applications if desired. This step is optional.
+12. On the Add certificates page, add certificates if desired. This step is optional.
+13. On the Finish page, click **Create**.
+14. Copy the .ppkg file to the remote Virtual machine. Double click to initiate the provisioning package install. This will reboot the system.
+
+- When attempting to access the VM using remote desktop, you will need to create a custom RDP settings file as described [below](#create-custom-rpd-settings-for-azure).
+
+## Create custom RDP settings for Azure
To create custom RDP settings for Azure:
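Review bot: both new links to the RDP section use `#create-custom-rpd-settings-for-azure` ("rpd"), which will not match the new heading "Create custom RDP settings for Azure"; the anchor should be `#create-custom-rdp-settings-for-azure`. The line after step 4 is a bare URL in parentheses with no link text or step number, so a step appears to have been lost there. Step 1 turns off Network Level Authentication with only "(Optional)" as guidance, and step 4 grants remote access to **Authenticated users**; please say when each is actually required and whether a narrower group works, since both lower the bar for RDP access to the VM. Also fix "Provison" in step 6 and "organizations credentials" in step 10.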
diff --git a/windows/device-security/bitlocker/bcd-settings-and-bitlocker.md b/windows/device-security/bitlocker/bcd-settings-and-bitlocker.md
index ccd9afd831..5bbe801d60 100644
--- a/windows/device-security/bitlocker/bcd-settings-and-bitlocker.md
+++ b/windows/device-security/bitlocker/bcd-settings-and-bitlocker.md
@@ -126,11 +126,12 @@ This following is a full list of BCD settings with friendly names which are igno
| 0x15000042 | all| keyringaddress|
| 0x15000047 | all| configaccesspolicy|
| 0x1500004b | all| integrityservices|
-| 0x1500004c|all| volumebandid|
+| 0x1500004c | all| volumebandid|
| 0x15000051 | all| initialconsoleinput|
| 0x15000052 | all| graphicsresolution|
| 0x15000065 | all| displaymessage|
-| 0x15000066| all| displaymessageoverride|
+| 0x15000066 | all| displaymessageoverride|
+| 0x15000081 | all| logcontrol|
| 0x16000009 | all| recoveryenabled|
| 0x1600000b | all| badmemoryaccess|
| 0x1600000f | all| traditionalkseg|
diff --git a/windows/device-security/bitlocker/bitlocker-group-policy-settings.md b/windows/device-security/bitlocker/bitlocker-group-policy-settings.md
index 5853b5df22..5c3968f8f7 100644
--- a/windows/device-security/bitlocker/bitlocker-group-policy-settings.md
+++ b/windows/device-security/bitlocker/bitlocker-group-policy-settings.md
@@ -237,7 +237,7 @@ On a computer with a compatible TPM, four types of authentication methods can be
- only the TPM for authentication
- insertion of a USB flash drive containing the startup key
-- the entry of a 6-digit to 20-digit personal identification number (PIN)
+- the entry of a 4-digit to 20-digit personal identification number (PIN)
- a combination of the PIN and the USB flash drive
There are four options for TPM-enabled computers or devices:
@@ -323,7 +323,7 @@ This policy setting is used to set a minimum PIN length when you use an unlock m
Policy description
-
With this policy setting, you can configure a minimum length for a TPM startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 6 digits, and it can have a maximum length of 20 digits.
+
With this policy setting, you can configure a minimum length for a TPM startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits, and it can have a maximum length of 20 digits. By default, the minimum PIN length is 6.
Introduced
@@ -347,14 +347,34 @@ This policy setting is used to set a minimum PIN length when you use an unlock m
When disabled or not configured
-
Users can configure a startup PIN of any length between 6 and 20 digits.
+
Users can configure a startup PIN of any length between 4 and 20 digits.
**Reference**
-This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 6 digits and can have a maximum length of 20 digits.
+This policy setting is applied when you turn on BitLocker.
+The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits.
+
+Originally, BitLocker allowed from 4 to 20 characters for a PIN.
+Windows Hello has its own PIN for logon, which can be 4 to 127 characters.
+Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks.
+
+The TPM can be configured to use Dictionary Attack Prevention parameters ([lockout threshold and lockout duration](/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings)) to control how many failed authorizations attempts are allowed before the TPM is locked out, and how much time must elapse before another attempt can be made.
+
+The Dictionary Attack Prevention Parameters provide a way to balance security needs with usability.
+For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time.
+A TPM 2.0 in this example could be configured to allow only 32 PIN guesses immediately, and then only one more guess every two hours.
+This totals a maximum of about 4415 guesses per year.
+If the PIN is 4 digits, all 9999 possible PIN combinations could be attempted in a little over two years.
+
+Increasing the PIN length requires a greater number of guesses for an attacker.
+In that case, the lockout duration between each guess can be shortened to allow legitimate users to retry a failed attempt sooner, while maintaining a similar level of protection.
+
+Beginning with Windows 10, version 1703, the minimum length for the BitLocker PIN was increased to 6 characters to better align with other Windows features that leverage TPM 2.0, including Windows Hello.
+To help organizations with the transition, beginning with Windows 10, version 1709 and Windows 10, version 1703 with the October 2017 [cumulative update](https://support.microsoft.com/help/4018124) installed, the BitLocker PIN length is 6 characters by default, but it can be reduced to 4 characters.
+If the minimum PIN length is reduced from the default of six characters, then the TPM 2.0 lockout period will be extended.
### Disable new DMA devices when this computer is locked
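Review bot: the "When disabled or not configured" cell now says users can pick any length between 4 and 20 digits, but the policy description added in the previous hunk and the Reference text here both say the default minimum is 6, which implies an unconfigured policy allows 6 to 20. In the Reference text, "all 9999 possible PIN combinations" undercounts: four digits give 10,000 values (0000 to 9999). The final sentence says the TPM 2.0 lockout period "will be extended" when the minimum is lowered without giving the new value; admins weighing a 4-digit minimum need that number or a link to it. The text also alternates between "digits" and "characters" for the same PIN.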
diff --git a/windows/device-security/change-history-for-device-security.md b/windows/device-security/change-history-for-device-security.md
index cb46edf710..148538f76e 100644
--- a/windows/device-security/change-history-for-device-security.md
+++ b/windows/device-security/change-history-for-device-security.md
@@ -11,6 +11,12 @@ author: brianlic-msft
# Change history for device security
This topic lists new and updated topics in the [Device security](index.md) documentation.
+## September 2017
+|New or changed topic |Description |
+|---------------------|------------|
+| [TPM fundamentals](tpm/tpm-fundamentals.md) [BitLocker Group Policy settings](bitlocker/bitlocker-group-policy-settings.md) | Explained the change to allow reducing the maximum PIN length from 6 characters to 4. |
+
+
## August 2017
|New or changed topic |Description |
|---------------------|------------|
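Review bot: the description says "reducing the maximum PIN length from 6 characters to 4", but the change being recorded is to the minimum PIN length; the maximum stays at 20 in the policy text. The two topic links in the first cell are separated only by a space, so add a comma or line break between them.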
diff --git a/windows/device-security/security-policy-settings/images/uac-admin-approval-mode-for-the-built-in-administrator-account.png b/windows/device-security/security-policy-settings/images/uac-admin-approval-mode-for-the-built-in-administrator-account.png
new file mode 100644
index 0000000000..52acafba66
Binary files /dev/null and b/windows/device-security/security-policy-settings/images/uac-admin-approval-mode-for-the-built-in-administrator-account.png differ
diff --git a/windows/device-security/security-policy-settings/images/uac-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.png b/windows/device-security/security-policy-settings/images/uac-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.png
new file mode 100644
index 0000000000..858be4e70e
Binary files /dev/null and b/windows/device-security/security-policy-settings/images/uac-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.png differ
diff --git a/windows/device-security/security-policy-settings/images/uac-notify-me-only-when-apps-try-to-make-changes-to-my-pc.png b/windows/device-security/security-policy-settings/images/uac-notify-me-only-when-apps-try-to-make-changes-to-my-pc.png
new file mode 100644
index 0000000000..2efa6877c8
Binary files /dev/null and b/windows/device-security/security-policy-settings/images/uac-notify-me-only-when-apps-try-to-make-changes-to-my-pc.png differ
diff --git a/windows/device-security/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md b/windows/device-security/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md
index e0e41611ad..a298ded405 100644
--- a/windows/device-security/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md
+++ b/windows/device-security/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md
@@ -53,6 +53,27 @@ The following table lists the actual and effective default values for this polic
| Member Server Effective Default Settings | Disabled|
| Client Computer Effective Default Settings | Disabled|
+
+## To enable Admin Approval Mode
+If you wish to use Admin Approval Mode with an active built-in administrator account, follow these steps:
+
+1. In the search box, type gpedit.exe.
+2. From the Local Group Policy editor, navigate to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options**.
+
+ 
+
+3. Double-click the policy **UAC-Admin-Approval-Mode-for-the-Built-in-Administrator-account**.
+4. On the **Local Security Setting** tab, make sure that the **Enabled** radio button is selected and then click OK.
+5. Configure the local security setting **UAC-Behavior-of-the-elevation-prompt-for-administrators-in-Admin-Approval-Mode** by setting it to **Prompt for consent on the secure desktop** and then click OK.
+
+ 
+
+As an alternative way to carry out step 5, you can also type "UAC" in the search box, and then from the User Account Control Settings dialog box, set the slider control to **Notify me only when apps try to make changes to my computer (default)**.
+
+
+
+6. To activate the new setting, log out and then log in again.
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
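Review bot: the alternative-method paragraph and the third image sit at column zero between steps 5 and 6, which ends the ordered list, so step 6 will likely render as a new list; indent them under step 5 or move the alternative after step 6. The policy names in steps 3 and 5 are written with hyphens between every word ("UAC-Admin-Approval-Mode-for-the-Built-in-Administrator-account"), which reads like the image file names; use the policy's display name as it appears in the Security Options list. Step 1 should also be checked: the Local Group Policy Editor is launched as gpedit.msc, not gpedit.exe.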
@@ -67,7 +88,7 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
-One of the risks of the User Account Control (UAC) feature is that it is intended to mitigate malicious software running under elevated credentials without the user or administrator being aware of its activity. An attack vector for malicious programs is to discover the password of the administrator account because that user account was created for all installations of the Windows. To address this risk, the built-in administrator account is disabled in computers running at least Windows Vista. In computers running at least Windows Server 2008, the administrator account is enabled, and the password must be changed the first time the Administrator logs on. In a default installation of a computer running at least Windows Vista, accounts with administrative control over the computer are initially set up in one of two ways:
+ An attack vector for malicious programs is to discover the password of the administrator account because that user account was created for all installations of Windows. To address this risk, the built-in administrator account is disabled in computers running at least Windows Vista. In computers running at least Windows Server 2008, the administrator account is enabled, and the password must be changed the first time the Administrator logs on. In a default installation of a computer running at least Windows Vista, accounts with administrative control over the computer are initially set up in one of two ways:
- If the computer is not joined to a domain, the first user account you create has the equivalent permissions as a local administrator.
- If the computer is joined to a domain, no local administrator accounts are created. The enterprise or domain administrator must log on to the computer and create a local administrator account if one is warranted.
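Review bot: the replacement paragraph starts with a leading space before "An attack vector", left over from deleting the first sentence; remove it so the line is not treated as indented text.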
diff --git a/windows/device-security/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md b/windows/device-security/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md
index cbc598ba9f..160a34bfa4 100644
--- a/windows/device-security/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md
+++ b/windows/device-security/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md
@@ -58,7 +58,7 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec
### Default values
-| Server type or GPO Default value |
+| Server type or GPO | Default value |
| - | - |
| Default Domain Policy | Not defined|
| Default Domain Controller Policy | Not defined |
diff --git a/windows/device-security/tpm/tpm-fundamentals.md b/windows/device-security/tpm/tpm-fundamentals.md
index 525a5a312d..ee007150c7 100644
--- a/windows/device-security/tpm/tpm-fundamentals.md
+++ b/windows/device-security/tpm/tpm-fundamentals.md
@@ -97,10 +97,7 @@ Because many entities can use the TPM, a single authorization success cannot res
TPM 2.0 has well defined anti-hammering behavior. This is in contrast to TPM 1.2 for which the anti-hammering protection was implemented by the manufacturer, and the logic varied widely throughout the industry.
-> [!WARNING]
-> For the purposes of this topic, Windows 8 Certified Hardware also pertains to Windows 8.1 systems. The following references to “Windows” include these supported Windows versions.
-
-For Windows 8 Certified Hardware systems with TPM 2.0, the TPM is configured by Windows to lock after 32 authorization failures and to forget one authorization failure every two hours. This means that a user could quickly attempt to use a key with the wrong authorization value 32 times. For each of the 32 attempts, the TPM records if the authorization value was correct or not. This inadvertently causes the TPM to enter a locked state after 32 failed attempts.
+For systems with TPM 2.0, the TPM is configured by Windows to lock after 32 authorization failures and to forget one authorization failure every two hours. This means that a user could quickly attempt to use a key with the wrong authorization value 32 times. For each of the 32 attempts, the TPM records if the authorization value was correct or not. This inadvertently causes the TPM to enter a locked state after 32 failed attempts.
Attempts to use a key with an authorization value for the next two hours would not return success or failure; instead the response indicates that the TPM is locked. After two hours, one authorization failure is forgotten and the number of authorization failures remembered by the TPM drops to 31, so the TPM leaves the locked state and returns to normal operation. With the correct authorization value, keys could be used normally if no authorization failures occur during the next two hours. If a period of 64 hours elapses with no authorization failures, the TPM does not remember any authorization failures, and 32 failed attempts could occur again.
@@ -112,10 +109,28 @@ In some enterprise situations, the TPM owner authorization value is configured t
TPM 2.0 allows some keys to be created without an authorization value associated with them. These keys can be used when the TPM is locked. For example, BitLocker with a default TPM-only configuration is able to use a key in the TPM to start Windows, even when the TPM is locked.
-### Rationale behind the Windows 8.1 and Windows 8 defaults
+### Rationale behind the defaults
-Windows relies on the TPM 2.0 anti-hammering protection for multiple features. The defaults that are selected for Windows 8 balance trade-offs for different scenarios.
-For example, when BitLocker is used with a TPM plus PIN configuration, it needs the number of PIN guesses to be limited over time. If the computer is lost, someone could make only 32 PIN guesses immediately, and then only one more guess every two hours. This totals about 4415 guesses per year. This makes a good standard for system administrators to determine how many PIN characters to use for BitLocker deployments.
+Originally, BitLocker allowed from 4 to 20 characters for a PIN.
+Windows Hello has its own PIN for logon, which can be 4 to 127 characters.
+Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks.
+
+The TPM can be configured to use Dictionary Attack Prevention parameters ([lockout threshold and lockout duration](trusted-platform-module-services-group-policy-settings.md)) to control how many failed authorizations attempts are allowed before the TPM is locked out, and how much time must elapse before another attempt can be made.
+
+The Dictionary Attack Prevention Parameters provide a way to balance security needs with usability.
+For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time.
+A TPM 2.0 in this example could be configured to allow only 32 PIN guesses immediately, and then only one more guess every two hours.
+This totals a maximum of about 4415 guesses per year.
+If the PIN is 4 digits, all 9999 possible PIN combinations could be attempted in a little over two years.
+
+Increasing the PIN length requires a greater number of guesses for an attacker.
+In that case, the lockout duration between each guess can be shortened to allow legitimate users to retry a failed attempt sooner, while maintaining a similar level of protection.
+
+Beginning with Windows 10, version 1703, the minimum length for the BitLocker PIN was increased to 6 characters to better align with other Windows features that leverage TPM 2.0, including Windows Hello.
+To help organizations with the transition, beginning with Windows 10, version 1709 and Windows 10, version 1703 with the October 2017 [cumulative update](https://support.microsoft.com/help/4018124) installed, the BitLocker PIN length is 6 characters by default, but it can be reduced to 4 characters.
+If the minimum PIN length is reduced from the default of six characters, then the TPM 2.0 lockout period will be extended.
+
+### TPM-based smart cards
The Windows TPM-based smart card, which is a virtual smart card, can be configured to allow sign in to the system. In contrast with physical smart cards, the sign-in process uses a TPM-based key with an authorization value. The following list shows the advantages of virtual smart cards:
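Review bot: "all 9999 possible PIN combinations" should be 10,000, since a 4-digit PIN runs from 0000 to 9999; the "little over two years" figure at about 4415 guesses per year still holds. The example now says a TPM 2.0 "could be configured" for 32 guesses and one more every two hours, while the paragraph earlier in this topic states that Windows configures exactly that; since the heading is "Rationale behind the defaults", say plainly that these are the Windows defaults. This block is a word-for-word copy of the text added to bitlocker-group-policy-settings.md, so consider keeping it in one topic and linking from the other to avoid drift.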
diff --git a/windows/hub/TOC.md b/windows/hub/TOC.md
index 8ed1a52f71..56c4ddc65a 100644
--- a/windows/hub/TOC.md
+++ b/windows/hub/TOC.md
@@ -6,4 +6,5 @@
## [Application management](/windows/application-management)
## [Access protection](/windows/access-protection)
## [Device security](/windows/device-security)
-## [Threat protection](/windows/threat-protection)
\ No newline at end of file
+## [Threat protection](/windows/threat-protection)
+## [Troubleshooting](/windows/client-management/windows-10-support-solutions)
\ No newline at end of file
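Review bot: the new last line still ends without a newline ("\ No newline at end of file" appears for both the old and new versions); add a trailing newline so the next entry appended to this TOC produces a one-line diff.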
diff --git a/windows/threat-protection/TOC.md b/windows/threat-protection/TOC.md
index 2e3b61ee92..c3b5a294aa 100644
--- a/windows/threat-protection/TOC.md
+++ b/windows/threat-protection/TOC.md
@@ -6,17 +6,20 @@
### [Data storage and privacy](windows-defender-atp\data-storage-privacy-windows-defender-advanced-threat-protection.md)
### [Assign user access to the portal](windows-defender-atp\assign-portal-access-windows-defender-advanced-threat-protection.md)
### [Onboard endpoints and set up access](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md)
-#### [Configure endpoints](windows-defender-atp\configure-endpoints-windows-defender-advanced-threat-protection.md)
+#### [Configure client endpoints](windows-defender-atp\configure-endpoints-windows-defender-advanced-threat-protection.md)
##### [Configure endpoints using Group Policy](windows-defender-atp\configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
##### [Configure endpoints using System Security Configuration Manager](windows-defender-atp\configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
##### [Configure endpoints using Mobile Device Management tools](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
###### [Configure endpoints using Microsoft Intune](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-microsoft-intune)
##### [Configure endpoints using a local script](windows-defender-atp\configure-endpoints-script-windows-defender-advanced-threat-protection.md)
-#### [Configure proxy and Internet settings](windows-defender-atp\configure-proxy-internet-windows-defender-advanced-threat-protection.md)
+##### [Configure non-persistent virtual desktop infrastructure (VDI) machines](windows-defender-atp\configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
+#### [Configure server endpoints](windows-defender-atp\configure-server-endpoints-windows-defender-advanced-threat-protection.md)
+#### [Configure proxy and Internet connectivity settings](windows-defender-atp\configure-proxy-internet-windows-defender-advanced-threat-protection.md)
#### [Troubleshoot onboarding issues](windows-defender-atp\troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
### [Portal overview](windows-defender-atp\portal-overview-windows-defender-advanced-threat-protection.md)
### [Use the Windows Defender ATP portal](windows-defender-atp\use-windows-defender-advanced-threat-protection.md)
-#### [View the Dashboard](windows-defender-atp\dashboard-windows-defender-advanced-threat-protection.md)
+#### [View the Security operations dashboard](windows-defender-atp\dashboard-windows-defender-advanced-threat-protection.md)
+#### [View the Security analytics dashboard](windows-defender-atp\security-analytics-dashboard-windows-defender-advanced-threat-protection.md)
#### [View and organize the Alerts queue](windows-defender-atp\alerts-queue-windows-defender-advanced-threat-protection.md)
#### [Investigate alerts](windows-defender-atp\investigate-alerts-windows-defender-advanced-threat-protection.md)
##### [Alert process tree](windows-defender-atp\investigate-alerts-windows-defender-advanced-threat-protection.md#alert-process-tree)
@@ -27,17 +30,22 @@
#### [Investigate a domain](windows-defender-atp\investigate-domain-windows-defender-advanced-threat-protection.md)
#### [View and organize the Machines list](windows-defender-atp\machines-view-overview-windows-defender-advanced-threat-protection.md)
#### [Investigate machines](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md)
-##### [Search for specific alerts](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-alerts)
-##### [Filter events from a specific date](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date)
-##### [Export machine timeline events](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#export-machine-timeline-events)
-##### [Navigate between pages](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#navigate-between-pages)
+##### [Alerts related to this machine](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#alerts-related-to-this-machine)
+##### [Machine timeline](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#machine-timeline)
+###### [Search for specific events](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-events)
+###### [Filter events from a specific date](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date)
+###### [Export machine timeline events](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#export-machine-timeline-events)
+###### [Navigate between pages](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#navigate-between-pages)
#### [Investigate a user account](windows-defender-atp\investigate-user-windows-defender-advanced-threat-protection.md)
#### [Manage alerts](windows-defender-atp\manage-alerts-windows-defender-advanced-threat-protection.md)
#### [Take response actions](windows-defender-atp\response-actions-windows-defender-advanced-threat-protection.md)
##### [Take response actions on a machine](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md)
+###### [Manage machine group and tags](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags)
+###### [Collect investigation package](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package)
+###### [Run antivirus scan](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#run-windows-defender-antivirus-scan-on-machines)
+###### [Restrict app execution](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#restict-app-execution)
###### [Isolate machines from the network](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network)
###### [Undo machine isolation](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#undo-machine-isolation)
-###### [Collect investigation package](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package)
###### [Check activity details in Action center](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
##### [Take response actions on a file](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md)
###### [Stop and quarantine files in your network](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network)
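Review bot: The anchor on the new "Restrict app execution" entry is misspelled: `#restict-app-execution` is missing the second "r". If the target heading in respond-machine-alerts-windows-defender-advanced-threat-protection.md is spelled "Restrict app execution", its generated anchor is `#restrict-app-execution` and this TOC link will open the page without jumping to the section. Check the heading in the target file and correct whichever side carries the typo.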
@@ -63,6 +71,46 @@
#### [Python code examples](windows-defender-atp\python-example-code-windows-defender-advanced-threat-protection.md)
#### [Experiment with custom threat intelligence alerts](windows-defender-atp\experiment-custom-ti-windows-defender-advanced-threat-protection.md)
#### [Troubleshoot custom threat intelligence issues](windows-defender-atp\troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
+### [Use the Windows Defender ATP exposed APIs](windows-defender-atp\exposed-apis-windows-defender-advanced-threat-protection.md)
+#### [Supported Windows Defender ATP APIs](windows-defender-atp\supported-apis-windows-defender-advanced-threat-protection.md)
+##### Actor
+###### [Get actor information](windows-defender-atp\get-actor-information-windows-defender-advanced-threat-protection.md)
+###### [Get actor related alerts](windows-defender-atp\get-actor-related-alerts-windows-defender-advanced-threat-protection.md)
+##### Alerts
+###### [Get alerts](windows-defender-atp\get-alerts-windows-defender-advanced-threat-protection.md)
+###### [Get alert information by ID](windows-defender-atp\get-alert-info-by-id-windows-defender-advanced-threat-protection.md)
+###### [Get alert related actor information](windows-defender-atp\get-alert-related-actor-info-windows-defender-advanced-threat-protection.md)
+###### [Get alert related domain information](windows-defender-atp\get-alert-related-domain-info-windows-defender-advanced-threat-protection.md)
+###### [Get alert related file information](windows-defender-atp\get-alert-related-files-info-windows-defender-advanced-threat-protection.md)
+###### [Get alert related IP information](windows-defender-atp\get-alert-related-ip-info-windows-defender-advanced-threat-protection.md)
+###### [Get alert related machine information](windows-defender-atp\get-alert-related-machine-info-windows-defender-advanced-threat-protection.md)
+##### Domain
+###### [Get domain related alerts](windows-defender-atp\get-domain-related-alerts-windows-defender-advanced-threat-protection.md)
+###### [Get domain related machines](windows-defender-atp\get-domain-related-machines-windows-defender-advanced-threat-protection.md)
+###### [Get domain statistics](windows-defender-atp\get-domain-statistics-windows-defender-advanced-threat-protection.md)
+###### [Is domain seen in organization](windows-defender-atp\is-domain-seen-in-org-windows-defender-advanced-threat-protection.md)
+##### File
+###### [Get file information](windows-defender-atp\get-file-information-windows-defender-advanced-threat-protection.md)
+###### [Get file related alerts](windows-defender-atp\get-file-related-alerts-windows-defender-advanced-threat-protection.md)
+###### [Get file related machines](windows-defender-atp\get-file-related-machines-windows-defender-advanced-threat-protection.md)
+###### [Get file statistics](windows-defender-atp\get-file-statistics-windows-defender-advanced-threat-protection.md)
+##### IP
+###### [Get IP related alerts](windows-defender-atp\get-ip-related-alerts-windows-defender-advanced-threat-protection.md)
+###### [Get IP related machines](windows-defender-atp\get-ip-related-machines-windows-defender-advanced-threat-protection.md)
+###### [Get IP statistics](windows-defender-atp\get-ip-statistics-windows-defender-advanced-threat-protection.md)
+###### [Is IP seen in organization](windows-defender-atp\is-ip-seen-org-windows-defender-advanced-threat-protection.md)
+##### Machines
+###### [Find machine information by IP](windows-defender-atp\find-machine-info-by-ip-windows-defender-advanced-threat-protection.md)
+###### [Get machines](windows-defender-atp\get-machines-windows-defender-advanced-threat-protection.md)
+###### [Get machine by ID](windows-defender-atp\get-machine-by-id-windows-defender-advanced-threat-protection.md)
+###### [Get machine log on users](windows-defender-atp\get-machine-log-on-users-windows-defender-advanced-threat-protection.md)
+###### [Get machine related alerts](windows-defender-atp\get-machine-related-alerts-windows-defender-advanced-threat-protection.md)
+##### User
+###### [Get alert related user information](windows-defender-atp\get-alert-related-user-info-windows-defender-advanced-threat-protection.md)
+###### [Get user information](windows-defender-atp\get-user-information-windows-defender-advanced-threat-protection.md)
+###### [Get user related alerts](windows-defender-atp\get-user-related-alerts-windows-defender-advanced-threat-protection.md)
+###### [Get user related machines](windows-defender-atp\get-user-related-machines-windows-defender-advanced-threat-protection.md)
+### [Create and build Power BI reports using Windows Defender ATP data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md)
### [Check sensor state](windows-defender-atp\check-sensor-status-windows-defender-advanced-threat-protection.md)
#### [Fix unhealthy sensors](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md)
##### [Inactive machines](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines)
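Review bot: "Get alert related user information" is filed under `##### User`, while the other five "Get alert related ..." entries (actor, domain, file, IP, machine) sit under `##### Alerts`. Move it into the Alerts group next to its siblings so the grouping follows one rule. Also note that the seven group headings (`##### Actor`, `##### Alerts`, and so on) are plain text while every other entry at that level in this TOC is a link; confirm the TOC renderer accepts unlinked nodes.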
@@ -74,12 +122,12 @@
#### [Configure email notifications](windows-defender-atp\configure-email-notifications-windows-defender-advanced-threat-protection.md)
#### [Enable SIEM integration](windows-defender-atp\enable-siem-integration-windows-defender-advanced-threat-protection.md)
#### [Enable Threat intel API](windows-defender-atp\enable-custom-ti-windows-defender-advanced-threat-protection.md)
+#### [Create and build Power BI reports using Windows Defender ATP data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md)
### [Windows Defender ATP settings](windows-defender-atp\settings-windows-defender-advanced-threat-protection.md)
### [Windows Defender ATP service health](windows-defender-atp\service-status-windows-defender-advanced-threat-protection.md)
### [Troubleshoot Windows Defender ATP](windows-defender-atp\troubleshoot-windows-defender-advanced-threat-protection.md)
### [Review events and errors on endpoints with Event Viewer](windows-defender-atp\event-error-codes-windows-defender-advanced-threat-protection.md)
### [Windows Defender Antivirus compatibility](windows-defender-atp\defender-compatibility-windows-defender-advanced-threat-protection.md)
-
## [Windows Defender Antivirus in Windows 10](windows-defender-antivirus\windows-defender-antivirus-in-windows-10.md)
### [Windows Defender AV in the Windows Defender Security Center app](windows-defender-antivirus\windows-defender-security-center-antivirus.md)
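Review bot: The Power BI entry added here at `####` level duplicates the one the previous hunk adds at `###` level; both point to powerbi-reports-windows-defender-advanced-threat-protection.md. Keep one location, otherwise the same page appears twice in the navigation tree. Separately, the removed blank line before `## [Windows Defender Antivirus in Windows 10]` was the only visual separator between the two top-level sections; if the removal is not required by the build, leave it in to keep the diff to content changes.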
diff --git a/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
index 01bec5d98d..5b30a1d8e3 100644
--- a/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
@@ -45,12 +45,11 @@ You can also [specify how long the file should be prevented from running](config
## How it works
-When a Windows Defender Antivirus client encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend will apply heuristics, machine learning, and automated analysis of the file to determine the files as malicious or clean. The following video describes how this feature works.
+When a Windows Defender Antivirus client encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend will apply heuristics, machine learning, and automated analysis of the file to determine the files as malicious or clean.
-The Block at first sight feature only uses the cloud protection backend for executable files that are downloaded from the Internet, or originating from the Internet zone. A hash value of the EXE file is checked via the cloud backend to determine if this is a previously undetected file.
+The Block at First Sight feature only uses the cloud protection backend for executable files that are downloaded from the Internet, or originating from the Internet zone. A hash value of the .exe file is checked via the cloud backend to determine if this is a previously undetected file.
-
+
If the cloud backend is unable to make a determination, the file will be locked by Windows Defender AV while a copy is uploaded to the cloud. The cloud will perform additional analysis to reach a determination before it allows the file to run or blocks it in all future encounters, depending on whether the file is determined to be malicious or safe.
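Review bot: The first rewritten paragraph carries over the phrase "to determine the files as malicious or clean", which is ungrammatical and switches from "the file" to "the files" mid-sentence. Since the line is being touched anyway, change it to "to determine whether the file is malicious or clean". The second paragraph now capitalizes "Block at First Sight"; make sure the remaining occurrences on the page use the same casing.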
diff --git a/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
index b8b5733748..6a6267b89a 100644
--- a/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
@@ -33,6 +33,11 @@ Cloud-delivered protection for Windows Defender Antivirus, also referred to as M
Enabling cloud-delivered protection helps detect and block new malware - even if the malware has never been seen before - without needing to wait for a traditionally delivered definition update to block it. Definition updates can take hours to prepare and deliver, while our cloud service can deliver updated protection in seconds.
+The following video describes how it works:
+
+
+
Cloud-delivered protection is enabled by default, however you may need to re-enable it if it has been disabled as part of previous organizational policies.
The following table describes the differences in cloud-delivered protection between recent versions of Windows and System Center Configuration Manager.
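Review bot: In the added sentence "The following video describes how it works:", the pronoun "it" has no clear antecedent, because the preceding paragraph ends on definition updates and the cloud service. Name the subject, for example "how cloud-delivered protection works". The sentence ends in a colon and depends entirely on the embed that follows, so confirm the video markup is present and renders; in this view the three added lines after it are empty.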
diff --git a/windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md
index 3e2f82bcdc..1c0e90fab7 100644
--- a/windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,9 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
+ms.date: 09/05/2017
---
+
# Turn on advanced features in Windows Defender ATP
**Applies to:**
@@ -21,6 +23,8 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+[!include[Prerelease information](prerelease.md)]
+
Depending on the Microsoft security products that you use, some advanced features might be available for you to integrate Windows Defender ATP with.
Turn on the following advanced features to get better protected from potentially malicious files and gain better insight during security investigations:
@@ -32,7 +36,7 @@ If your organization satisfies these conditions, the feature is enabled by defau
## Show user details
When you enable this feature, you'll be able to see user details stored in Azure Active Directory including a user's picture, name, title, and department information when investigating user account entities. You can find user account information in the following views:
-- Dashboard
+- Security operations dashboard
- Alert queue
- Machine details page
@@ -57,3 +61,4 @@ When you enable this feature, you'll be able to incorporate data from Office 365
- [Configure email notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md)
- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
+- [Create and build Power BI reports](powerbi-reports-windows-defender-advanced-threat-protection.md)
\ No newline at end of file
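Review bot: The new last line of the file, the Power BI link, is added without a trailing newline (see the "\ No newline at end of file" marker). End the file with a newline so later appends to the Related topics list produce a one-line diff and tools that concatenate or include files do not join lines. The same marker appears on the matching addition in configure-email-notifications-windows-defender-advanced-threat-protection.md.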
diff --git a/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md
index c56729bba8..5b05198ca9 100644
--- a/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md
@@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
+ms.date: 09/05/2017
---
# View and organize the Windows Defender Advanced Threat Protection Alerts queue
@@ -22,6 +23,8 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+[!include[Prerelease information](prerelease.md)]
+
The **Alerts queue** shows a list of alerts that were flagged from endpoints in your network. Alerts are displayed in queues according to their current status. In each queue, you'll see details such as the severity of alerts and the number of machines the alerts were raised on.
Alerts are organized in queues by their workflow status or assignment:
@@ -30,6 +33,7 @@ Alerts are organized in queues by their workflow status or assignment:
- **In progress**
- **Resolved**
- **Assigned to me**
+- **Suppression rules**
To see a list of alerts, click any of the queues under the **Alerts queue** option in the navigation pane.
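Review bot: The new `- **Suppression rules**` item does not fit the sentence that introduces the list, "Alerts are organized in queues by their workflow status or assignment:". A suppression rule is neither a workflow status nor an assignment. Either reword the lead-in so it covers every entry under the Alerts queue navigation option, or describe Suppression rules in a separate sentence after the list.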
@@ -112,13 +116,14 @@ Select multiple alerts (Ctrl or Shift select) and manage or edit alerts together

## Related topics
-- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
+- [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
+- [View the Windows Defender Advanced Threat Protection Security analytics dashboard](security-analytics-dashboard-windows-defender-advanced-threat-protection.md)
- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
-- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md)
-- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md)
+- [View and organize the Windows Defender ATP Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md)
+- [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md)
- [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md)
- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
- [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md)
diff --git a/windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md
index bec8ac80d7..2d146c99a0 100644
--- a/windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md
@@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
+ms.date: 09/05/2017
---
# Windows Defender ATP alert API fields
@@ -22,6 +23,8 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+[!include[Prerelease information](prerelease.md)]
+
Understand what data fields are exposed as part of the alerts API and how they map to the Windows Defender ATP portal.
@@ -273,7 +276,7 @@ Field numbers match the numbers in the images below.

-
+

diff --git a/windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md
index 8084be4e84..3f9933916f 100644
--- a/windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md
@@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
+ms.date: 09/05/2017
---
# Assign user access to the Windows Defender ATP portal
@@ -23,6 +24,8 @@ ms.localizationpriority: high
- Office 365
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+[!include[Prerelease information](prerelease.md)]
+
Windows Defender ATP users and access permissions are managed in Azure Active Directory (AAD). Use the following methods to assign security roles.
## Assign user access using Azure PowerShell
diff --git a/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md
index ff45bb42eb..723ff75a42 100644
--- a/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md
@@ -1,7 +1,7 @@
---
title: Check the health state of the sensor in Windows Defender ATP
description: Check the sensor health on machines to identify which ones are misconfigured, inactive, or are not reporting sensor data.
-keywords: sensor, sensor health, misconfigured, inactive, no sensor data, sensor data, impaired communication, communication
+keywords: sensor, sensor health, misconfigured, inactive, no sensor data, sensor data, impaired communications, communication
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
@@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
+ms.date: 09/05/2017
---
# Check sensor health state in Windows Defender ATP
@@ -22,6 +23,7 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+[!include[Prerelease information](prerelease.md)]
The sensor health tile provides information on the individual endpoint’s ability to provide sensor data and communicate with the Windows Defender ATP service. It reports how many machines require attention and helps you identify problematic machines and take action to correct known issues.
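Review bot: The prerelease include is added here without a blank line after it. This hunk adds one line (`-22,6 +23,7`), while the same change in the other files adds the include plus an empty line (`+23,8`). As written, `[!include[Prerelease information](prerelease.md)]` sits directly above "The sensor health tile provides ..." and may be rendered as part of that paragraph. Add the blank line to match the other pages.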
@@ -49,7 +51,7 @@ You can filter the health state list by the following status:
- **Inactive** - Machines that have stopped reporting to the Windows Defender ATP service.
- **Misconfigured** - These machines might partially be reporting sensor data to the Windows Defender ATP service but have configuration errors that need to be corrected. Misconfigured machines can have either one or a combination of the following issues:
- **No sensor data** - Machines has stopped sending sensor data. Limited alerts can be triggered from the machine.
- - **Impaired communication** - Ability to communicate with machine is impaired. Sending files for deep analysis, blocking files, isolating machine from network and other actions that require communication with the machine may not work.
+ - **Impaired communications** - Ability to communicate with machine is impaired. Sending files for deep analysis, blocking files, isolating machine from network and other actions that require communication with the machine may not work.
You can view the machine details when you click on a misconfigured or inactive machine. You’ll see more specific machine information when you click the information icon.
diff --git a/windows/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md
index df4b70e28a..beff40e45f 100644
--- a/windows/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md
@@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
+ms.date: 09/05/2017
---
# Configure HP ArcSight to pull Windows Defender ATP alerts
@@ -22,6 +23,8 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+[!include[Prerelease information](prerelease.md)]
+
You'll need to install and configure some files and tools to use HP ArcSight so that it can pull Windows Defender ATP alerts.
## Before you begin
diff --git a/windows/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md
index 97bfb2b0af..59f69d831e 100644
--- a/windows/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md
@@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
+ms.date: 09/05/2017
---
# Configure email notifications in Windows Defender ATP
@@ -22,6 +23,8 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+[!include[Prerelease information](prerelease.md)]
+
You can configure Windows Defender ATP to send email notifications to specified recipients for new alerts. This feature enables you to identify a group of individuals who will immediately be informed and can act on alerts based on their severity.
> [!NOTE]
@@ -74,3 +77,4 @@ This section lists various issues that you may encounter when using email notifi
- [Turn on the preview experience in Windows Defender ATP](preview-settings-windows-defender-advanced-threat-protection.md)
- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
+- [Create and build Power BI reports](powerbi-reports-windows-defender-advanced-threat-protection.md)
\ No newline at end of file
diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
index dd813aefb9..2d17ac8b25 100644
--- a/windows/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
@@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
+ms.date: 09/05/2017
---
# Configure endpoints using Group Policy
@@ -23,13 +24,16 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
> [!NOTE]
> To use Group Policy (GP) updates to deploy the package, you must be on Windows Server 2008 R2 or later.
## Onboard endpoints
1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
- a. Click **Endpoint management** on the **Navigation pane**.
+ a. Click **Endpoint management** > **Clients** on the **Navigation pane**.
b. Select **Group Policy**, click **Download package** and save the .zip file.
@@ -49,6 +53,7 @@ ms.localizationpriority: high
9. Click **OK** and close any open GPMC windows.
+
## Additional Windows Defender ATP configuration settings
For each endpoint, you can state whether samples can be collected from the endpoint when a request is made through the Windows Defender ATP portal to submit a file for deep analysis.
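Review bot: The only change in this hunk is an extra blank line before `## Additional Windows Defender ATP configuration settings`, and the previous hunk in this file also adds a blank line above the prerelease include that the other pages do not have. Drop both so the file keeps single blank lines between blocks and the diff contains only content changes.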
@@ -150,4 +155,5 @@ With Group Policy there isn’t an option to monitor deployment of policies on t
- [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md)
+- [Configure non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
index 2c8aed6960..a1f1d75d60 100644
--- a/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
@@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
+ms.date: 09/05/2017
---
# Configure endpoints using Mobile Device Management tools
@@ -22,6 +23,8 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+[!include[Prerelease information](prerelease.md)]
+
You can use mobile device management (MDM) solutions to configure endpoints. Windows Defender ATP supports MDMs by providing OMA-URIs to create policies to manage endpoints.
For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx).
@@ -106,7 +109,7 @@ Configuration for onboarded machines: telemetry reporting frequency | ./Device/V
1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
- a. Select **Endpoint management** > **Client management** on the **Navigation pane**.
+ a. Select **Endpoint management** > **Clients** on the **Navigation pane**.
b. Select **Mobile Device Management/Microsoft Intune** > **Download package** and save the .zip file.
@@ -203,4 +206,5 @@ Health Status for offboarded machines: Onboarding State | ./Device/Vendor/MSFT/W
- [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md)
+- [Configure non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
index 59794d532f..89b06fa326 100644
--- a/windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
@@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
+ms.date: 09/05/2017
---
# Configure endpoints using System Center Configuration Manager
@@ -23,6 +24,8 @@ ms.localizationpriority: high
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
- System Center 2012 Configuration Manager or later versions
+[!include[Prerelease information](prerelease.md)]
+
## Configure endpoints using System Center Configuration Manager (current branch) version 1606
System Center Configuration Manager (SCCM) (current branch) version 1606, has UI integrated support for configuring and managing Windows Defender ATP on endpoints. For more information, see [Support for Windows Defender Advanced Threat Protection service](https://go.microsoft.com/fwlink/p/?linkid=823682).
@@ -169,4 +172,5 @@ For more information about System Center Configuration Manager Compliance see [C
- [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md)
+- [Configure non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md
index 0f47beb693..e2993d8ccb 100644
--- a/windows/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md
@@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
+ms.date: 09/05/2017
---
# Configure endpoints using a local script
@@ -22,6 +23,8 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+[!include[Prerelease information](prerelease.md)]
+
You can also manually onboard individual endpoints to Windows Defender ATP. You might want to do this first when testing the service before you commit to onboarding all endpoints in your network.
> [!NOTE]
@@ -121,4 +124,5 @@ Monitoring can also be done directly on the portal, or by using the different de
- [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
+- [Configure non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..8d28359a61
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,82 @@
+---
+title: Configure non-persistent virtual desktop infrastructure (VDI) machines
+description: Deploy the configuration package on virtual desktop infrastructure (VDI) machine so that they are onboarded to Windows Defender ATP the service.
+keywords: configure virtual desktop infrastructure (VDI) machine, vdi, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Configure non-persistent virtual desktop infrastructure (VDI) machines
+
+**Applies to:**
+- Virtual desktop infrastructure (VDI) machines
+
+[!include[Prerelease information](prerelease.md)]
+
+## Onboard non-persistent virtual desktop infrastructure (VDI) machines
+
+Windows Defender ATP supports non-persistent VDI session onboarding. There might be associated challenges when onboarding VDIs. The following are typical challenges for this scenario:
+
+
+- Instant early onboarding of a short living session
+ - A session should be onboarded to Windows Defender ATP prior to the actual provisioning.
+
+- Machine name persistence
+ - The machine names are typically reused for new sessions. One may ask to have them as a single machine entry while others may prefer to have multiple entries per machine name.
+
+You can onboard VDI machines using a single entry or multiple entries for each machine. The following steps will guide you through onboarding VDI machines and will highlight steps for single and multiple entries.
+
+1. Open the VDI configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
+
+ a. Click **Endpoint management** > **Clients** on the **Navigation pane**.
+
+ b. Select **VDI onboarding scripts for non-persistent endpoints** then click **Download package** and save the .zip file.
+
+2. Copy the extracted files from the .zip into `golden/master` image under the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`. You should have a folder called `WindowsDefenderATPOnboardingPackage` containing the file `WindowsDefenderATPOnboardingScript.cmd`.
+
+ >[!NOTE]
+ >If you don't see the `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup` folder, it might be hidden. You'll need to choose the **Show hidden files and folders** option from file explorer.
+
+3. The following step is only applicable if you're implementing a single entry for each machine:
+ **For single entry for each machine**:
+ a. From the `WindowsDefenderATPOnboardingPackage`, copy the `Onboard-NonPersistentMachine.ps1` file to `golden/master` image to the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`.
+
+ >[!NOTE]
+ >If you don't see the `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup` folder, it might be hidden. You'll need to choose the **Show hidden files and folders** option from file explorer.
+
+4. Open a Local Group Policy Editor window and navigate to **Computer Configuration** > **Windows Settings** > **Scripts** > **Startup**.
+
+5. Depending on the method you'd like to implement, follow the appropriate steps:
+ **For single entry for each machine**:
+ Select the **PowerShell Scripts** tab, then click **Add** (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to onboarding PowerShell script `Onboard-NonPersistentMachine.ps1`.
+ **For multiple entries for each machine**:
+ Select the **Scripts** tab, then click **Add** (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to the onboarding bash script `WindowsDefenderATPOnboardingScript.cmd`.
+
+6. Test your solution:
+
+ a. Create a pool with one machine.
+ b. Logon to machine.
+ c. Logoff from machine.
+ d. Logon to machine with another user.
+ e. **For single entry for each machine**: Check only one entry in the Windows Defender ATP portal.
+ **For multiple entries for each machine**: Check multiple entries in the Windows Defender ATP portal.
+
+7. Click **Machines list** on the Navigation pane.
+
+8. Use the search function by entering the machine name and select **Machine** as search type.
+
+## Related topics
+- [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
+- [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
+- [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
+- [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md)
+- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
+
+
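Review bot: Step 5 calls `WindowsDefenderATPOnboardingScript.cmd` an "onboarding bash script"; a .cmd file is a Windows batch script, so this should read "onboarding batch script" or simply "onboarding script". Steps 2 and 3 both copy into `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`, so it is unclear whether `Onboard-NonPersistentMachine.ps1` must sit beside the `WindowsDefenderATPOnboardingPackage` folder or inside it; say which, since the Group Policy file picker in step 5 opens at that path. Step 3 also stacks two lead-ins over a single sub-step and repeats the hidden-folder NOTE from step 2 word for word, so one copy can go. Steps 7 and 8 explain how to find the machine in the portal but come after step 6e, which already asks the reader to check the portal entries; fold them into 6e. Smaller fixes: the description reads "machine so that they are onboarded to Windows Defender ATP the service", "Logon to"/"Logoff from" should be "Log on to"/"Log off from", and the file ends with two empty lines.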
diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md
index f0e8bcee5c..8b9d4a256a 100644
--- a/windows/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md
@@ -1,7 +1,7 @@
---
-title: Configure Windows Defender ATP endpoints
-description: Configure endpoints so that they can send sensor data to the Windows Defender ATP sensor.
-keywords: configure endpoints, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints
+title: Configure Windows Defender ATP client endpoints
+description: Configure client endpoints so that they can send sensor data to the Windows Defender ATP sensor.
+keywords: configure client endpoints, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
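Review bot: The reworded description still says endpoints "send sensor data to the Windows Defender ATP sensor", which is circular; the body of this page says the Windows Defender ATP service gets sensor data from the endpoints, so the description should end with "service". Since the line is being touched anyway, fix it here.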
@@ -10,9 +10,10 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
+ms.date: 09/05/2017
---
-# Configure Windows Defender ATP endpoints
+# Configure Windows Defender ATP client endpoints
**Applies to:**
@@ -22,6 +23,8 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+[!include[Prerelease information](prerelease.md)]
+
Endpoints in your organization must be configured so that the Windows Defender ATP service can get sensor data from them. There are various methods and deployment tools that you can use to configure the endpoints in your organization.
Windows Defender ATP supports the following deployment tools and methods:
@@ -38,3 +41,4 @@ Topic | Description
[Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) | You can use either use System Center Configuration Manager (current branch) version 1606 or System Center Configuration Manager(current branch) version 1602 or earlier to deploy the configuration package on endpoints.
[Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) | Use Mobile Device Managment tools or Microsoft Intune to deploy the configuration package on endpoints.
[Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) | Learn how to use the local script to deploy the configuration package on endpoints.
+[Configure non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md) | Learn how to use the configuration package to configure VDI machines.
diff --git a/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md
index 9710d5a35b..1363cca541 100644
--- a/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md
@@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
+ms.date: 09/05/2017
---
@@ -23,6 +24,8 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+[!include[Prerelease information](prerelease.md)]
+
The Windows Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Windows Defender ATP service.
The embedded Windows Defender ATP sensor runs in system context using the LocalSystem account. The sensor uses Microsoft Windows HTTP Services (WinHTTP) to enable communication with the Windows Defender ATP cloud service.
diff --git a/windows/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..f359c9d10b
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,87 @@
+---
+title: Configure Windows Defender ATP server endpoints
+description: Configure server endpoints so that they can send sensor data to the Windows Defender ATP sensor.
+keywords: configure server endpoints, server, server onboarding, endpoint management, configure Windows ATP server endpoints, configure Windows Defender Advanced Threat Protection server endpoints
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Configure Windows Defender ATP server endpoints
+
+**Applies to:**
+
+- Windows Server 2012 R2
+- Windows Server 2016
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+Windows Defender ATP extends support to also include the Windows Server operating system, providing advanced attack detection and investigation capabilities, seamlessly through the Windows Defender Security Center console.
+
+Windows Defender ATP supports the onboarding of the following servers:
+- Windows Server 2012 R2
+- Windows Server 2016
+
+## Onboard server endpoints
+
+To onboard your servers to Windows Defender ATP, you’ll need to:
+
+- Turn on server monitoring from the Windows Defender Security Center portal.
+- If you're already leveraging System Center Operations Manager (SCOM) or Operations Management Suite (OMS), simply attach the Microsoft Monitoring Agent (MMA) to report to your Windows Defender ATP workspace through [Multi Homing support](https://blogs.technet.microsoft.com/msoms/2016/05/26/oms-log-analytics-agent-multi-homing-support/). Otherwise, install and configure MMA to report sensor data to Windows Defender ATP as instructed below.
+
+
+### Turn on Server monitoring from the Windows Defender Security Center portal
+
+1. In the navigation pane, select **Endpoint management** > **Server management**.
+
+2. Click **Turn on server monitoring** and confirm that you'd like to proceed with the environment set up. When the set up completes, the **Workspace ID** and **Workspace key** fields are populated with unique values. You'll need to use these values to configure the MMA agent.
+
+ 
+
+
+### Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Windows Defender ATP
+
+1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603).
+
+2. Using the Workspace ID and Workspace key provided in the previous procedure, choose any of the following installation methods to install the agent on the server:
+ - [Manually install the agent using setup](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-setup)
+ On the **Agent Setup Options** page, choose **Connect the agent to Azure Log Analytics (OMS)**.
+ - [Install the agent using the command line](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-windows-agents#add-a-workspace-using-a-script).
+
+3. You'll need to configure proxy settings for the Microsoft Monitoring Agent. For more information, see [Configure proxy settings](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-windows-agents#configure-proxy-settings).
+
+Once completed, you should see onboarded servers in the portal within an hour.
+
+### Configure server endpoint proxy and Internet connectivity settings
+- Each Windows server must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the [OMS Gateway](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-oms-gateway).
+- If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service:
+
+| Agent Resource | Ports |
+|------------------------------------|-------------|
+| *.oms.opinsights.azure.com | 443 |
+| *.blob.core.windows.net | 443 |
+| *.azure-automation.net | 443 |
+| *.ods.opinsights.azure.com | 443 |
+| winatp-gw-cus.microsoft.com | 443 |
+| winatp-gw-eus.microsoft.com | 443 |
+| winatp-gw-neu.microsoft.com | 443 |
+| winatp-gw-weu.microsoft.com | 443 |
+
+
+### Offboard server endpoints
+To offboard the server, you can uninstall the MMA agent from the server or detach it from reporting to your Windows Defender ATP workspace. After offboarding the agent, the server will no longer send sensor data to Windows Defender ATP.
+For more information, see [To disable an agent](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-windows-agents#to-disable-an-agent).
+
+>[!NOTE]
+>Offboarding causes the server to stop sending sensor data to the portal but data from the server, including reference to any alerts it has had will be retained for up to 6 months.
+
+## Related topics
+- [Configure Windows Defender ATP client endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
+- [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
+- [Troubleshooting Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
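Review bot: The front matter uses `localizationpriority: high` and has no `ms.author`, while every other file in this change uses `ms.localizationpriority: high` and `ms.author: macapara`; align the keys so the metadata is picked up consistently. In the connectivity section, one sentence covers both default-deny proxies and HTTPS scanning (SSL inspection) and only says the URLs must be "white-listed"; if the intent is that these hosts are allowed on port 443 and also exempted from SSL inspection, say so as two separate requirements. The table entries are host patterns rather than URLs, and `*.blob.core.windows.net` is a broad wildcard, so a sentence on why it is required would help administrators who review egress rules. Step 2 of the MMA install passes the Workspace ID and Workspace key to command-line and script installs without noting that the key is a credential; add a short note to keep it out of shared scripts and logs. "Offboard server endpoints" is an H3 nested under "Onboard server endpoints" and should be an H2. The description repeats "send sensor data to the Windows Defender ATP sensor" where "service" is meant, and the offboarding NOTE needs a comma after "any alerts it has had".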
diff --git a/windows/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md
index 7b1168f940..c90b025275 100644
--- a/windows/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md
@@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
+ms.date: 09/05/2017
---
# Pull alerts to your SIEM tools
@@ -22,6 +23,8 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+[!include[Prerelease information](prerelease.md)]
+
## Pull alerts using supported security information and events management (SIEM) tools
Windows Defender ATP supports (SIEM) tools to pull alerts. Windows Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull alerts from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment.
diff --git a/windows/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md
index f698a6aeb3..701451367b 100644
--- a/windows/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md
@@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
+ms.date: 09/05/2017
---
# Configure Splunk to pull Windows Defender ATP alerts
@@ -22,6 +23,8 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+[!include[Prerelease information](prerelease.md)]
+
You'll need to configure Splunk so that it can pull Windows Defender ATP alerts.
## Before you begin
diff --git a/windows/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md
index 9a12691b2c..48810c5ae3 100644
--- a/windows/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md
@@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
+ms.date: 09/05/2017
---
# Create custom alerts using the threat intelligence (TI) application program interface (API)
@@ -22,6 +23,8 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+[!include[Prerelease information](prerelease.md)]
+
You can define custom alert definitions and indicators of compromise (IOC) using the threat intelligence API. Creating custom threat intelligence alerts allows you to generate specific alerts that are applicable to your organization.
## Before you begin
diff --git a/windows/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md
index 6c6ffef9ba..333d2f5e83 100644
--- a/windows/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md
@@ -1,5 +1,5 @@
---
-title: View the Windows Defender Advanced Threat Protection Dashboard
+title: Windows Defender Advanced Threat Protection Security operations dashboard
description: Use the Dashboard to identify machines at risk, keep track of the status of the service, and see statistics and information about machines and alerts.
keywords: dashboard, alerts, new, in progress, resolved, risk, machines at risk, infections, reporting, statistics, charts, graphs, health, active malware detections, threat category, categories, password stealer, ransomware, exploit, threat, low severity, active malware
search.product: eADQiWindows 10XVcnh
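Review bot: The title is renamed to "Security operations dashboard" but the unchanged description on the next line still says "Use the Dashboard", and the keywords only list "dashboard"; update the description to the new name so search results and the page agree.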
@@ -10,9 +10,10 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
+ms.date: 09/05/2017
---
-# View the Windows Defender Advanced Threat Protection Dashboard
+# View the Windows Defender Advanced Threat Protection Security operations dashboard
**Applies to:**
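Review bot: The new H1 keeps the "View the" prefix while the new title drops it, where the old title and H1 matched exactly. Pick one form for both. "Security operations dashboard" is also capitalized mid-phrase after the product name; confirm that is the intended casing.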
@@ -22,7 +23,9 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-The **Dashboard** displays a snapshot of:
+[!include[Prerelease information](prerelease.md)]
+
+The **Security operations dashboard** displays a snapshot of:
- The latest active alerts on your network
- Daily machines reporting
@@ -34,7 +37,7 @@ The **Dashboard** displays a snapshot of:
You can explore and investigate alerts and machines to quickly determine if, where, and when suspicious activities occurred in your network to help you understand the context they appeared in.
-From the **Dashboard** you will see aggregated events to facilitate the identification of significant events or behaviors on a machine. You can also drill down into granular events and low-level indicators.
+From the **Security operations dashboard** you will see aggregated events to facilitate the identification of significant events or behaviors on a machine. You can also drill down into granular events and low-level indicators.
It also has clickable tiles that give visual cues on the overall health state of your organization. Each tile opens a detailed view of the corresponding overview.
diff --git a/windows/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md
index 740f5bfac2..b10e923513 100644
--- a/windows/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md
@@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
+ms.date: 09/05/2017
---
# Windows Defender ATP data storage and privacy
@@ -22,6 +23,7 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+[!include[Prerelease information](prerelease.md)]
This section covers some of the most frequently asked questions regarding privacy and data handling for Windows Defender ATP.
> [!NOTE]
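Review bot: The `[!include[Prerelease information](prerelease.md)]` line is added with no blank line after it, so it sits directly against "This section covers some of the most frequently asked questions"; most other files in this change add an empty line after the include. Add one here so the include and the opening paragraph render as separate blocks.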
diff --git a/windows/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md
index 4a0d314348..e3a3b4ae51 100644
--- a/windows/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md
@@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
+ms.date: 09/05/2017
---
# Windows Defender compatibility
@@ -23,6 +24,8 @@ ms.localizationpriority: high
- Windows Defender
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+[!include[Prerelease information](prerelease.md)]
+
The Windows Defender Advanced Threat Protection agent depends on Windows Defender Antivirus for some capabilities such as file scanning.
If an onboarded endpoint is protected by a third-party antimalware client, Windows Defender Antivirus on that endpoint will enter into passive mode.
diff --git a/windows/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md
index 000296d697..32ba05c13a 100644
--- a/windows/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md
@@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
+ms.date: 09/05/2017
---
# Enable the custom threat intelligence API in Windows Defender ATP
@@ -22,6 +23,8 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+[!include[Prerelease information](prerelease.md)]
+
Before you can create custom threat intelligence (TI) using REST API, you'll need to set up the custom threat intelligence application through the Windows Defender ATP portal.
1. In the navigation pane, select **Preference Setup** > **Threat intel API**.
diff --git a/windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md
index 13f4d9520a..26467de977 100644
--- a/windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md
@@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
+ms.date: 09/05/2017
---
# Enable SIEM integration in Windows Defender ATP
@@ -22,6 +23,8 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+[!include[Prerelease information](prerelease.md)]
+
Enable security information and event management (SIEM) integration so you can pull alerts from the Windows Defender ATP portal using your SIEM solution or by connecting directly to the alerts REST API.
1. In the navigation pane, select **Preferences setup** > **SIEM integration**.
diff --git a/windows/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md
index 3419078fcb..4200e50e85 100644
--- a/windows/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md
@@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
+ms.date: 09/05/2017
---
@@ -24,6 +25,8 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+[!include[Prerelease information](prerelease.md)]
+
You can review event IDs in the [Event Viewer](https://msdn.microsoft.com/library/aa745633(v=bts.10).aspx) on individual endpoints.
For example, if endpoints are not appearing in the **Machines list** list, you might need to look for event IDs on the endpoints. You can then use this table to determine further troubleshooting steps.
diff --git a/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md
index ebd6f01e25..d5eb939076 100644
--- a/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md
@@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
+ms.date: 09/05/2017
---
# Experiment with custom threat intelligence (TI) alerts
@@ -22,6 +23,7 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+[!include[Prerelease information](prerelease.md)]
With the Windows Defender ATP threat intelligence API, you can create custom threat intelligence alerts that can help you keep track of possible attack activities in your organization.
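Review bot: The added `[!include[Prerelease information](prerelease.md)]` line runs straight into the opening paragraph with no blank line after it, unlike the other topics in this change, which add an empty `+` line after the include. Add the blank line so the include and the paragraph are kept as separate blocks.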
diff --git a/windows/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..239c463a13
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,100 @@
+---
+title: Use the Windows Defender Advanced Threat Protection exposed APIs
+description: Use the exposed data and actions using a set of progammatic APIs that are part of the Microsoft Intelligence Security Graph.
+keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Use the Windows Defender ATP exposed APIs
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+Windows Defender ATP exposes much of the available data and actions using a set of programmatic APIs that are part of the Microsoft Intelligence Security Graph. Those APIs will enable you to automate workflows and innovate based on Windows Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
+
+In general, you’ll need to take the following steps to use the APIs:
+- Create an app
+- Get an access token
+- Run queries on the graph API
+
+### Before you begin
+Before using the APIs, you’ll need to create an app that you’ll use to authenticate against the graph. You’ll need to create a native app to use for the adhoc queries.
+
+## Create an app
+
+1. Log on to [Azure](https://portal.azure.com).
+
+2. Navigate to **Azure Active Directory** > **App registrations** > **New application registration**.
+
+ 
+
+3. In the Create window, enter the following information then click **Create**.
+
+ 
+
+ - **Name:** WinATPGraph
+ - **Application type:** Native
+ - **Redirect URI:** `https://localhost`
+
+
+4. Navigate and select the newly created application.
+ 
+
+5. Click **All settings** > **Required permissions** > **Add**.
+
+ 
+
+6. Click **Select an API** > **Microsoft Graph**, then click **Select**.
+
+ 
+
+
+7. Click **Select permissions** and select **Sign in and read user profile** then click **Select**.
+
+ 
+
+You can now use the code snippets in the following sections to query the API using the created app ID.
+
+## Get an access token
+1. Get the Client ID from the application you created.
+
+2. Use the **Client ID**. For example:
+ ```
+ private const string authority = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize";
+ private const string resourceId = "https://graph.microsoft.com";
+ private const string clientId = "{YOUR CLIENT ID/APP ID HERE}";
+ private const string redirect = "https://localhost";
+ HttpClient client = new HttpClient();
+ AuthenticationContext auth = new AuthenticationContext(authority);
+ var token = auth.AcquireTokenAsync(resourceId, clientId, new Uri(redirect), new PlatformParameters(PromptBehavior.Auto)).Result;
+ client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue(token.AccessTokenType, token.AccessToken);
+ ```
+
+## Query the graph
+Once the bearer token is retrieved, you can easily invoke the graph APIs. For example:
+
+```
+client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
+// sample endpoint
+string ep = @"https://graph.microsoft.com/{VERSION}/alerts?$top=5";
+HttpResponseMessage response = client.GetAsync(ep).Result;
+string resp = response.Content.ReadAsStringAsync().Result;
+Console.WriteLine($"response for: {ep} \r\n {resp}");
+```
+
+
+## Related topics
+- [Supported Windows Defender ATP APIs](supported-apis-windows-defender-advanced-threat-protection.md)
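Review bot: In "Get an access token", `authority` is set to the `/oauth2/v2.0/authorize` endpoint and passed to `AuthenticationContext`, but the call that follows is the resource-based `AcquireTokenAsync(resourceId, clientId, ...)`, and the intro links to the v2.0 authorization code flow. Please confirm which endpoint and library version are intended and make the three agree. The snippet also mixes `private const` field declarations with statements and names no package or `using` lines, so it will not compile as pasted. Step 7 grants only **Sign in and read user profile**, and the page does not say how that permission covers the alerts query shown under "Query the graph". Smaller points: "progammatic" in the description, "adhoc" under "Before you begin", an H3 "Before you begin" ahead of the first H2, and `{VERSION}` in the sample endpoint where the reference topics use `testwdatppreview`.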
diff --git a/windows/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..cd1e27c74b
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,72 @@
+---
+title: Find machine information by interal IP API
+description: Use this API to create calls related to finding a machine entry around a specific timestamp by FQDN or interal IP.
+keywords: apis, graph api, supported apis, find machine, machine information, IP
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Find machine information by interal IP
+Find a machine entity around a specific timestamp by FQDN or internal IP.
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/machines/find(timestamp={time},key={IP/FQDN})
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+
+## Request body
+Empty
+
+## Response
+If successful and machine exists - 200 OK.
+If no machine found - 404 Not Found.
+
+
+## Example
+
+Request
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/machines/find(timestamp={time},key={IP/FQDN})
+Content-type: application/json
+```
+
+Response
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines",
+ "value": [
+ {
+ "id": "04c99d46599f078f1c3da3783cf5b95f01ac61bb",
+ "computerDnsName": "",
+ "firstSeen": "2017-07-06T01:25:04.9480498Z",
+ "osPlatform": "Windows10",
+…
+}
+```
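Review bot: "interal" is misspelled in the `title`, the `description` and the H1; it should be "internal", as in the sentence under the heading. The title also mentions only IP while the request accepts `key={IP/FQDN}`, and neither the expected format of `{time}` nor the matching window around it is documented. The headers table lists "Content type" where the example sends `Content-type`, and the response example is cut at `…` without closing the `value` array.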
diff --git a/windows/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
index ec792a86dc..89ede3edae 100644
--- a/windows/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
@@ -1,7 +1,7 @@
---
title: Fix unhealthy sensors in Windows Defender ATP
description: Fix machine sensors that are reporting as misconfigured or inactive so that the service receives data from the machine.
-keywords: misconfigured, inactive, fix sensor, sensor health, no sensor data, sensor data, impaired communication, communication
+keywords: misconfigured, inactive, fix sensor, sensor health, no sensor data, sensor data, impaired communications, communication
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
@@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
+ms.date: 09/05/2017
---
# Fix unhealthy sensors in Windows Defender ATP
@@ -22,6 +23,8 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+[!include[Prerelease information](prerelease.md)]
+
Machines that are categorized as misconfigured or inactive can be flagged due to varying causes. This section provides some explanations as to what might have caused a machine to be categorized as inactive or misconfigured.
## Inactive machines
@@ -41,13 +44,13 @@ Do you expect a machine to be in ‘Active’ status? [Open a support ticket tic
## Misconfigured machines
Misconfigured machines can further be classified to:
- - Impaired communication
+ - Impaired communications
- No sensor data
-### Impaired communication
+### Impaired communications
This status indicates that there's limited communication between the machine and the service.
-The following suggested actions can help fix issues related to a misconfigured machine with impaired communication:
+The following suggested actions can help fix issues related to a misconfigured machine with impaired communications:
- [Ensure the endpoint has Internet connection](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-endpoint-has-an-internet-connection)
The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Windows Defender ATP service.
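Review bot: Renaming the heading to "### Impaired communications" changes the anchor generated for that section, so any link that targets `#impaired-communication` needs to be updated in the same change. Since this hunk is already touching the paragraph, "The Window Defender ATP sensor" in the trailing context could be corrected to "Windows".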
diff --git a/windows/threat-protection/windows-defender-atp/general-settings-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/general-settings-windows-defender-advanced-threat-protection.md
index 4e1390a814..db7f9796a9 100644
--- a/windows/threat-protection/windows-defender-atp/general-settings-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/general-settings-windows-defender-advanced-threat-protection.md
@@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
+ms.date: 09/05/2017
---
# Update general Windows Defender ATP settings
@@ -21,6 +22,8 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+[!include[Prerelease information](prerelease.md)]
+
During the onboarding process, a wizard takes you through the general settings of Windows Defender ATP. After onboarding, you might want to update some settings which you'll be able to do through the **Preferences setup** menu.
1. In the navigation pane, select **Preferences setup** > **General**.
@@ -39,3 +42,4 @@ During the onboarding process, a wizard takes you through the general settings o
- [Configure email notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md)
- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
+- [Create and build Power BI reports](powerbi-reports-windows-defender-advanced-threat-protection.md)
\ No newline at end of file
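Review bot: The added Power BI link is now the last line of the file and has no trailing newline. End the file with a newline so the next edit to this list does not show this line as modified.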
diff --git a/windows/threat-protection/windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..b5745d86a0
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,67 @@
+---
+title: Get actor information API
+description: Retrieves an actor information report.
+keywords: apis, graph api, supported apis, get, actor, information
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Get actor information
+Retrieves an actor information report.
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/actor/{id}/
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+
+## Request body
+Empty
+
+## Response
+If successful and actor exists - 200 OK.
+If actor does not exist - 404 Not Found.
+
+
+## Example
+
+Request
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/actors/zinc
+Content-type: application/json
+```
+
+Response
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Actors/$entity",
+ "id": "zinc",
+ "linkToReport": "link-to-pdf"
+}
+```
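Review bot: The path under "HTTP request" is `GET /testwdatppreview/actor/{id}/` (singular, trailing slash) but the example request is `GET https://graph.microsoft.com/testwdatppreview/actors/zinc`. Only one of these can be the real route; make the two match. `"linkToReport": "link-to-pdf"` would also be clearer as a placeholder URL so readers can see what form the value takes.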
diff --git a/windows/threat-protection/windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..d22c9702da
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,77 @@
+---
+title: Get actor related alerts API
+description: Retrieves all alerts related to a given actor.
+keywords: apis, graph api, supported apis, get, actor, related, alerts
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Get actor related alerts
+Retrieves all alerts related to a given actor.
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/actor/{id}/alerts
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+
+## Request body
+Empty
+
+## Response
+If successful and alert exists - 200 OK.
+If actor does not exist or no related alerts - 404 Not Found.
+
+
+## Example
+
+Request
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/actors/zinc/alerts
+Content-type: application/json
+```
+
+Response
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts",
+ "@odata.count": 3,
+ "value": [
+ {
+ "id": "636390437845006321_-1646055784",
+ "severity": "Medium",
+ "status": "Resolved",
+ "description": "Malware associated with ZINC has been detected.",
+ "recommendedAction": "1.\tContact your incident response team.",
+ "alertCreationTime": "2017-08-23T00:09:43.9057955Z",
+ "category": "Malware",
+ "title": "Malware associated with the activity group ZINC was discovered",
+…
+}
+```
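Review bot: Same mismatch as the actor information topic: "HTTP request" shows `/testwdatppreview/actor/{id}/alerts` while the example calls `/testwdatppreview/actors/zinc/alerts`. The response section also says 404 is returned when the actor exists but has no related alerts; state that explicitly for client authors, since an automation that treats every 404 as a failure will misreport an empty result as an error.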
diff --git a/windows/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..5a3baedc8a
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,73 @@
+---
+title: Get alert information by ID API
+description: Retrieves an alert by its ID.
+keywords: apis, graph api, supported apis, get, alert, information, id
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Get alert information by ID
+Retrieves an alert by its ID.
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/alerts/{id}
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+
+## Request body
+Empty
+
+## Response
+If successful and alert exists - 200 OK.
+If alert not found - 404 Not Found.
+
+
+## Example
+
+Request
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/alerts/{id}
+Content-type: application/json
+```
+
+Response
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts/$entity",
+ "id": "636396039176847743_89954699",
+ "severity": "Informational",
+ "status": "New",
+ "description": "Readily available tools, such as commercial spyware, monitoring software, and hacking programs",
+ "recommendedAction": "Collect artifacts and determine scope.",
+ "alertCreationTime": "2017-08-29T11:45:17.5754165Z",
+…
+}
+
+```
diff --git a/windows/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..8727105bd0
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,69 @@
+---
+title: Get alert related actor information API
+description: Retrieves the actor information related to the specific alert.
+keywords: apis, graph api, supported apis, get, alert, actor, information, related
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Get alert related actor information
+Retrieves the actor information related to the specific alert.
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/alerts/{id}/actor
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+
+## Request body
+Empty
+
+## Response
+If successful and alert and actor exist - 200 OK.
+If alert not found or actor not found - 404 Not Found.
+
+
+## Example
+
+Request
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/alerts/{id}/actor
+Content-type: application/json
+
+```
+
+Response
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Actors/$entity",
+ "id": "zinc",
+ "linkToReport": "link-to-pdf"
+}
+
+```
diff --git a/windows/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..d22d6043a1
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,71 @@
+---
+title: Get alert related domain information
+description: Retrieves all domains related to a specific alert.
+keywords: apis, graph api, supported apis, get alert information, alert information, related domain
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Get alert related domain information
+Retrieves all domains related to a specific alert.
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/alerts/{id}/domains
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+
+## Request body
+Empty
+
+## Response
+If successful and alert and domain exist - 200 OK.
+If alert not found or domain not found - 404 Not Found.
+
+
+## Example
+
+Request
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/alerts/{id}/domains
+Content-type: application/json
+```
+
+Response
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Domains",
+ "value": [
+ {
+ "host": "www.example.com"
+ }
+ ]
+}
+
+```
diff --git a/windows/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..7020f3ddb1
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,73 @@
+---
+title: Get alert related files information
+description: Retrieves all files related to a specific alert.
+keywords: apis, graph api, supported apis, get alert information, alert information, related files
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Get alert related files information
+Retrieves all files related to a specific alert.
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/alerts/{id}/files
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+
+## Request body
+Empty
+
+## Response
+If successful and alert and files exist - 200 OK.
+If alert not found or files not found - 404 Not Found.
+
+
+## Example
+
+Request
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/alerts/{id}/files
+Content-type: application/json
+```
+
+Response
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Files",
+ "value": [
+ {
+ "sha1": "121c7060dada38275d7082a4b9dc62641b255c36",
+ "sha256": "c815e0abb8273ba4ea6ca92d430d9e4d065dbb52877a9ce6a8371e5881bd7a94",
+ "md5": "776c970dfd92397b3c7d74401c85cd40",
+ "globalPrevalence": null,
+ "globalFirstObserved": null,
+…
+}
+
+```
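Review bot: The response example is missing the opening `{` before `"@odata.context"`, so the body starts mid-object and closes with an unmatched `}`. Add the brace and close the `value` array after the `…` so the example is at least structurally valid.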
diff --git a/windows/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..83ff265f9a
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,73 @@
+---
+title: Get alert related IP information
+description: Retrieves all IPs related to a specific alert.
+keywords: apis, graph api, supported apis, get alert information, alert information, related ip
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Get alert related IP information
+Retrieves all IPs related to a specific alert.
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/alerts/{id}/ips
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+
+## Request body
+Empty
+
+## Response
+If successful and alert and an IP exist - 200 OK.
+If alert not found or IPs not found - 404 Not Found.
+
+
+## Example
+
+Request
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/alerts/{id}/ips
+Content-type: application/json
+```
+
+Response
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Ips",
+"value": [
+ {
+ "id": "104.80.104.128"
+ },
+ {
+ "id": "23.203.232.228
+…
+}
+
+```
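Review bot: In the response example, `"id": "23.203.232.228` is missing its closing quote, and `"value": [` is not indented like the line above it. The sample also uses what look like real public addresses; addresses from a documentation range would avoid pointing readers at live hosts.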
diff --git a/windows/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..1051f8e032
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,68 @@
+---
+title: Get alert related machine information
+description: Retrieves all machines related to a specific alert.
+keywords: apis, graph api, supported apis, get alert information, alert information, related machine
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Get alert related machine information
+Retrieves all machines related to a specific alert.
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/alerts/{id}/machine
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+
+## Request body
+Empty
+
+## Response
+If successful and alert and machine exist - 200 OK.
+If alert not found or machine not found - 404 Not Found.
+
+## Example
+
+Request
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/alerts/{id}/machine
+Content-type: application/json
+```
+
+Response
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines/$entity",
+ "id": "207575116e44741d2b22b6a81429b3ca4fd34608",
+ "computerDnsName": "machine1-corp.contoso.com",
+ "firstSeen": "2015-12-01T11:31:53.7016691Z",
+…
+}
+```
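Review bot: The description and intro say "Retrieves all machines related to a specific alert", but the route is `/alerts/{id}/machine` and the example returns a single `Machines/$entity` object, not a collection. Reword to "the machine" or change the example if the endpoint really returns several.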
diff --git a/windows/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..008f657eb7
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,71 @@
+---
+title: Get alert related user information
+description: Retrieves the user associated to a specific alert.
+keywords: apis, graph api, supported apis, get, alert, information, related, user
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Get alert related user information
+Retrieves the user associated to a specific alert.
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/alerts/{id}/user
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+
+## Request body
+Empty
+
+## Response
+If successful and alert and a user exists - 200 OK.
+If alert not found or user not found - 404 Not Found.
+
+
+## Example
+
+Request
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/alerts/{id}/user
+Content-type: application/json
+```
+
+Response
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Users/$entity",
+ "id": "UserPII_487a7e2aa8b0a24e429b0be88e5cf5e91be1a8f4\\DomainPII_aca88e6ed7dc68a69c35019ca947745f3858c868",
+ "accountSid": null,
+ "accountName": "DomainPII_aca88e6ed7dc68a69c35019ca947745f3858c868",
+ "accountDomainName": "UserPII_487a7e2aa8b0a24e429b0be88e5cf5e91be1a8f4",
+…
+}
+
+```
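Review bot: In the response example, `accountName` carries the `DomainPII_...` value and `accountDomainName` carries the `UserPII_...` value, which looks swapped; `id` is likewise ordered `UserPII_...\\DomainPII_...`. Please confirm against real output and correct the sample, and add a line explaining that these fields are returned in hashed form, since consumers will otherwise try to match them against clear-text account names.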
diff --git a/windows/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..27cbaabe0a
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,75 @@
+---
+title: Get alerts API
+description: Retrieves top recent alerts.
+keywords: apis, graph api, supported apis, get, alerts, recent
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Get alerts
+Retrieves top recent alerts.
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/alerts
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+
+## Request body
+Empty
+
+## Response
+If successful and alerts exists - 200 OK.
+If no recent alerts found - 404 Not Found.
+
+
+## Example
+
+Request
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/alerts
+Content-type: application/json
+```
+
+Response
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts",
+ "@odata.count": 5000,
+ "@odata.nextLink": "https://graph.microsoft.com/testwdatppreview/alerts?$skip=5000",
+ "value": [
+ {
+ "id": "636396039176847743_89954699",
+ "severity": "Informational",
+ "status": "New",
+ "description": "Readily available tools, such as commercial spyware, monitoring software, and hacking programs",
+ "recommendedAction": "Collect artifacts and determine scope",
+ "alertCreationTime": "2017-08-29T11:45:17.5754165Z",
+…
+}
+```
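Review bot: The response example shows `"@odata.count": 5000` and an `@odata.nextLink` with `$skip=5000`, but the topic never describes paging, the page size, or how "top recent" is bounded. A SIEM or script that reads only the first page will silently miss alerts, so document that callers must follow `@odata.nextLink` until it is absent. The example body is also missing its opening `{`, and "If successful and alerts exists" should read "alerts exist".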
diff --git a/windows/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..4ade44c5d8
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,74 @@
+---
+title: Get domain related alerts API
+description: Retrieves a collection of alerts related to a given domain address.
+keywords: apis, graph api, supported apis, get, domain, related, alerts
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Get domain related alerts
+Retrieves a collection of alerts related to a given domain address.
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/domains/{id}/alerts
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+
+## Request body
+Empty
+
+## Response
+If successful and domain and alert exists - 200 OK.
+If domain or alert does not exist - 404 Not Found.
+
+
+## Example
+
+Request
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/domains/{id}/alerts
+Content-type: application/json
+```
+
+Response
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts",
+ "@odata.count": 9,
+ "value": [
+ {
+ "id": "636396023170943366_-36088267",
+ "severity": "Medium",
+ "status": "New",
+ "description": "Built-in Microsoft command-line utility Regsvr32.exe executes a suspicious script that leads to malicious actions. The commands trigger additional downloads and execution of uncommon executable (PE) files or scripts. There are rare cases where this is tied to legitimate behavior.",
+ "recommendedAction": "Update AV signatures and run a full scan.",
+…
+}
+```
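Review bot: `{id}` in `GET /testwdatppreview/domains/{id}/alerts` is never defined. The summary says "a given domain address", but neither the HTTP request section nor the example states that `{id}` is the domain name or shows a concrete value. Add one sentence saying what goes in `{id}`, and use a sample such as `example.com` in the example request. "domain and alert exists" should read "domain and alert exist".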
diff --git a/windows/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..630af76023
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,72 @@
+---
+title: Get domain related machines API
+description: Retrieves a collection of machines related to a given domain address.
+keywords: apis, graph api, supported apis, get, domain, related, machines
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Get domain related machines
+Retrieves a collection of machines related to a given domain address.
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/domains/{id}/machines
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+
+## Request body
+Empty
+
+## Response
+If successful and domain and machine exists - 200 OK.
+If domain or machines do not exist - 404 Not Found.
+
+
+## Example
+
+Request
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/domains/{id}/machines
+Content-type: application/json
+```
+
+Response
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines",
+ "value": [
+ {
+ "id": "0a3250e0693a109f1affc9217be9459028aa8426",
+ "computerDnsName": "ComputerPII_4aa5f8f4509b90675a13183742f1b1ad67cf62b0.DomainPII_23208d0fe863968308c0c8e67dc0004bd1257631",
+ "firstSeen": "2017-07-05T08:21:00.0572159Z",
+ "osPlatform": "Windows10",
+…
+}
+```
diff --git a/windows/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..168ba45b95
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,69 @@
+---
+title: Get domain statistics API
+description: Retrieves the prevalence for the given domain.
+keywords: apis, graph api, supported apis, get, domain, domain related machines
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Get domain statistics
+Retrieves the prevalence for the given domain.
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/domains/{id}/stats
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+
+## Request body
+Empty
+
+## Response
+If successful and domain exists - 200 OK.
+If domain does not exist - 404 Not Found.
+
+
+## Example
+
+Request
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/domains/{id}/machines
+Content-type: application/json
+```
+
+Response
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#microsoft.graph.InOrgDomainStats",
+ "host": "example.com",
+ "orgPrevalence": "4070",
+ "orgFirstSeen": "2017-07-30T13:23:48Z",
+ "orgLastSeen": "2017-08-29T13:09:05Z"
+}
+```
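Review bot: The example request calls the wrong endpoint. The topic documents `GET /testwdatppreview/domains/{id}/stats`, but the example shows `GET https://graph.microsoft.com/testwdatppreview/domains/{id}/machines`, which looks copied from the related-machines topic; it should end in `/stats`. The response example also shows `"orgPrevalence": "4070"` as a quoted string. If the API returns a number, drop the quotes; if it really returns a string, say so, because callers will compare this value numerically.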
diff --git a/windows/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..bf5224ea2c
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,70 @@
+---
+title: Get file information API
+description: Retrieves a file by identifier Sha1, Sha256, or MD5.
+keywords: apis, graph api, supported apis, get, file, information, sha1, sha256, md5
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Get file information
+Retrieves a file by identifier Sha1, Sha256, or MD5.
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/files/{id}/
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+
+## Request body
+Empty
+
+## Response
+If successful and file exists - 200 OK.
+If file does not exist - 404 Not Found.
+
+
+## Example
+
+Request
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/files/{id}
+Content-type: application/json
+```
+
+Response
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Files/$entity",
+ "sha1": "adae3732709d2178c8895c9be39c445b5e76d587",
+ "sha256": "34fcb083cd01b1bd89fc467fd3c2cd292de92f915a5cb43a36edaed39ce2689a",
+ "md5": "d387a06cd4bf5fcc1b50c3882f41a44e",
+ "globalPrevalence": 40790196,
+…
+}
+```
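Review bot: The HTTP request section gives the path with a trailing slash (`GET /testwdatppreview/files/{id}/`) while the example request omits it (`.../files/{id}`). Pick one form so readers know which the service accepts. The summary says the file is retrieved by "Sha1, Sha256, or MD5", but the topic does not say that `{id}` is that hash value; state it explicitly next to the request line.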
diff --git a/windows/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..0bc15888fe
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,74 @@
+---
+title: Get file related alerts API
+description: Retrieves a collection of alerts related to a given file hash.
+keywords: apis, graph api, supported apis, get, file, hash
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Get file related alerts
+Retrieves a collection of alerts related to a given file hash.
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/files/{id}/alerts
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+
+## Request body
+Empty
+
+## Response
+If successful and file and alert exists - 200 OK.
+If file or alerts do not exist - 404 Not Found.
+
+
+## Example
+
+Request
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/files/{id}/alerts
+Content-type: application/json
+```
+
+Response
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts",
+ "@odata.count": 9,
+ "value": [
+ {
+ "id": "636396023170943366_-36088267",
+ "severity": "Medium",
+ "status": "New",
+ "description": "Built-in Microsoft command-line utility Regsvr32.exe executes a suspicious script that leads to malicious actions. The commands trigger additional downloads and execution of uncommon executable (PE) files or scripts. There are rare cases where this is tied to legitimate behavior.",
+ "recommendedAction": "Update AV signatures and run a full scan.",
+…
+}
+```
diff --git a/windows/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..0dd8cbb37e
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,72 @@
+---
+title: Get file related machines API
+description: Retrieves a collection of machines related to a given file hash.
+keywords: apis, graph api, supported apis, get, machines, hash
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Get file related machines
+Retrieves a collection of machines related to a given file hash.
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/files/{id}/machines
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+
+## Request body
+Empty
+
+## Response
+If successful and file and machines exists - 200 OK.
+If file or machines do not exist - 404 Not Found.
+
+
+## Example
+
+Request
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/files/{id}/machines
+Content-type: application/json
+```
+
+Response
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines",
+ "value": [
+ {
+ "id": "0a3250e0693a109f1affc9217be9459028aa8426",
+ "computerDnsName": "ComputerPII_4aa5f8f4509b90675a13183742f1b1ad67cf62b0.DomainPII_23208d0fe863968308c0c8e67dc0004bd1257631",
+ "firstSeen": "2017-07-05T08:21:00.0572159Z",
+ "osPlatform": "Windows10",
+…
+}
+```
diff --git a/windows/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..cf4bdfb5bb
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,73 @@
+---
+title: Get file statistics API
+description: Retrieves the prevalence for the given file.
+keywords: apis, graph api, supported apis, get, file, statistics
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Get file statistics
+Retrieves the prevalence for the given file.
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/files/{id}/stats
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+
+## Request body
+Empty
+
+## Response
+If successful and file exists - 200 OK.
+If file do not exist - 404 Not Found.
+
+
+## Example
+
+Request
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/files/{id}/machines
+Content-type: application/json
+```
+
+Response
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#microsoft.windowsDefenderATP.api.InOrgFileStats",
+ "sha1": "adae3732709d2178c8895c9be39c445b5e76d587",
+ "orgPrevalence": "106398",
+ "orgFirstSeen": "2017-07-30T13:29:50Z",
+ "orgLastSeen": "2017-08-29T13:29:31Z",
+ "topFileNames": [
+ "chrome.exe",
+ "old_chrome.exe"
+ ]
+}
+```
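Review bot: The example request does not match the documented endpoint. The HTTP request section is `GET /testwdatppreview/files/{id}/stats`, but the example uses `.../files/{id}/machines`; change it to `/stats`. In the Response section, "If file do not exist" should read "If file does not exist". As in the domain statistics topic, `"orgPrevalence": "106398"` is quoted; confirm whether the field is a string or a number.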
diff --git a/windows/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..cc3eaf628c
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,74 @@
+---
+title: Get IP related alerts API
+description: Retrieves a collection of alerts related to a given IP address.
+keywords: apis, graph api, supported apis, get, ip, related, alerts
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Get IP related alerts
+Retrieves a collection of alerts related to a given IP address.
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/ips/{id}/alerts
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+
+## Request body
+Empty
+
+## Response
+If successful and IP and alert exists - 200 OK.
+If IP and alerts do not exist - 404 Not Found.
+
+
+## Example
+
+Request
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/ips/{id}/alerts
+Content-type: application/json
+```
+
+Response
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts",
+ "@odata.count": 9,
+ "value": [
+ {
+ "id": "636396023170943366_-36088267",
+ "severity": "Medium",
+ "status": "New",
+ "description": "Built-in Microsoft command-line utility Regsvr32.exe executes a suspicious script that leads to malicious actions. The commands trigger additional downloads and execution of uncommon executable (PE) files or scripts. There are rare cases where this is tied to legitimate behavior.",
+ "recommendedAction": "Update AV signatures and run a full scan.",
+…
+}
+```
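Review bot: The 404 condition reads "If IP and alerts do not exist", while the other related-alerts topics in this change say "or". As written, it implies a 404 only when both are missing, which leaves the case of a known IP with no alerts undefined. Change it to "If IP or alerts do not exist" if that is the behavior, and fix "IP and alert exists" to "IP and alert exist".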
diff --git a/windows/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..5a3164c261
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,72 @@
+---
+title: Get IP related machines API
+description: Retrieves a collection of machines related to a given IP address.
+keywords: apis, graph api, supported apis, get, ip, related, machines
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Get IP related machines
+Retrieves a collection of alerts related to a given IP address.
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/ips/{id}/machines
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+
+## Request body
+Empty
+
+## Response
+If successful and IP and machines exists - 200 OK.
+If IP or machines do not exist - 404 Not Found.
+
+
+## Example
+
+Request
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/ips/{id}/machines
+Content-type: application/json
+```
+
+Response
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines",
+ "value": [
+ {
+ "id": "0a3250e0693a109f1affc9217be9459028aa8426",
+ "computerDnsName": "ComputerPII_4aa5f8f4509b90675a13183742f1b1ad67cf62b0.DomainPII_23208d0fe863968308c0c8e67dc0004bd1257631",
+ "firstSeen": "2017-07-05T08:21:00.0572159Z",
+ "osPlatform": "Windows10",
+…
+}
+```
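Review bot: The summary under the `# Get IP related machines` heading says "Retrieves a collection of alerts related to a given IP address", which contradicts the front-matter description and the endpoint (`/ips/{id}/machines`). It should say "machines". "IP and machines exists" in the Response section should read "IP and machines exist".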
diff --git a/windows/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..077f8220bb
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,69 @@
+---
+title: Get IP statistics API
+description: Retrieves the prevalence for the given IP.
+keywords: apis, graph api, supported apis, get, ip, statistics, prevalence
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Get IP statistics
+Retrieves the prevalence for the given IP.
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/ips/{id}/stats
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+
+## Request body
+Empty
+
+## Response
+If successful and IP and domain exists - 200 OK.
+If domain does not exist - 404 Not Found.
+
+
+## Example
+
+Request
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/ips/{id}/machines
+Content-type: application/json
+```
+
+Response
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#microsoft.windowsDefenderATP.api.InOrgIPStats",
+ "ipAddress": "192.168.1.1",
+ "orgPrevalence": "63515",
+ "orgFirstSeen": "2017-07-30T13:36:06Z",
+ "orgLastSeen": "2017-08-29T13:32:59Z"
+}
+```
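Review bot: The Response section still refers to domains: "If successful and IP and domain exists - 200 OK" and "If domain does not exist - 404 Not Found". This endpoint takes an IP, so both lines should describe the IP only. The example request also points at `.../ips/{id}/machines` instead of the documented `/testwdatppreview/ips/{id}/stats`.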
diff --git a/windows/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..eefe82c97b
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,72 @@
+---
+title: Get machine by ID API
+description: Retrieves a machine entity by ID.
+keywords: apis, graph api, supported apis, get, machines, entity, id
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Get machine by ID
+Retrieves a machine entity by ID.
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/machines/{id}
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+
+## Request body
+Empty
+
+## Response
+If successful and machine exists - 200 OK.
+If no machine found - 404 Not Found.
+
+
+## Example
+
+Request
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/machines/{id}
+Content-type: application/json
+```
+
+Response
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines/$entity",
+ "id": "fadd8a46f4cc722a0391fdee82a7503b9591b3b9",
+ "computerDnsName": "",
+ "firstSeen": "2015-03-15T00:18:20.6588778Z",
+ "osPlatform": "Windows10",
+ "osVersion": "10.0.0.0",
+…
+}
+
+```
diff --git a/windows/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..837fece398
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,71 @@
+---
+title: Get machine log on users API
+description: Retrieves a collection of logged on users.
+keywords: apis, graph api, supported apis, get, machine, log on, users
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Get machine log on users
+Retrieves a collection of logged on users.
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/machines/{id}/logonusers
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+
+## Request body
+Empty
+
+## Response
+If successful and machine and user exist - 200 OK.
+If no machine found or no users found - 404 Not Found.
+
+
+## Example
+
+Request
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/machines/{id}/logonusers
+Content-type: application/json
+```
+
+Response
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+ "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Users",
+ "value": [
+ {
+ "id": "m",
+ "accountSid": null,
+ "accountName": "",
+ "accountDomainName": "northamerica",
+…
+}
+```
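Review bot: The response example's JSON body has no opening brace: `"@odata.context"` follows `Content-type: application/json` directly, and the block then ends with `}`. Add a `{` line before `"@odata.context"`. This endpoint returns account names and domains for a machine, so "User needs read permissions" would be more useful if it named the specific permission or role required.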
diff --git a/windows/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..0afb16bf58
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,73 @@
+---
+title: Get machine related alerts API
+description: Retrieves a collection of alerts related to a given machine ID.
+keywords: apis, graph api, supported apis, get, machines, related, alerts
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Get machine related alerts
+Retrieves a collection of alerts related to a given machine ID.
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/machines/{id}/alerts
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+
+## Request body
+Empty
+
+## Response
+If successful and machine and alert exists - 200 OK.
+If no machine or no alerts found - 404 Not Found.
+
+
+## Example
+
+Request
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/machines/{id}/alerts
+Content-type: application/json
+```
+
+Response
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts",
+ "@odata.count": 1,
+ "value": [
+ {
+ "id": "636396066728379047_-395412459",
+ "severity": "Medium",
+ "status": "New",
+ "description": "A reverse shell created from PowerShell was detected. A reverse shell allows an attacker to access the compromised machine without authenticating.",
+…
+}
+```
diff --git a/windows/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..7674740001
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,76 @@
+---
+title: Get machines API
+description: Retrieves a collection of recently seen machines.
+keywords: apis, graph api, supported apis, get, machines
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Get machines
+Retrieves a collection of recently seen machines.
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/machines
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+
+## Request body
+Empty
+
+## Response
+If successful and machines exists - 200 OK.
+If no recent machines - 404 Not Found.
+
+
+## Example
+
+Request
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/machines
+Content-type: application/json
+```
+
+Response
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines",
+ "@odata.count": 5000,
+ "@odata.nextLink": "https://graph.microsoft.com/testwdatppreview/machines?$skip=5000",
+ "value": [
+ {
+ "id": "fadd8a46f4cc722a0391fdee82a7503b9591b3b9",
+ "computerDnsName": "",
+ "firstSeen": "2015-03-15T00:18:20.6588778Z",
+ "osPlatform": "Windows10",
+ "osVersion": "10.0.0.0",
+…
+}
+
+```
diff --git a/windows/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..cf588557dc
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,70 @@
+---
+title: Get user information API
+description: Retrieve a User entity by key such as user name or domain.
+keywords: apis, graph api, supported apis, get, user, user information
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Get user information
+Retrieve a User entity by key (user name or domain\user).
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/users/{id}/
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+
+## Request body
+Empty
+
+## Response
+If successful and user exists - 200 OK.
+If user does not exist - 404 Not Found.
+
+
+## Example
+
+Request
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/users/{id}
+Content-type: application/json
+```
+
+Response
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Users/$entity",
+ "id": "",
+ "accountSid": null,
+ "accountName": "",
+ "accountDomainName": "",
+…
+}
+```
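Review bot: The key format is described two different ways. The front-matter description says "by key such as user name or domain", while the body says "(user name or domain\user)". Align them, and since the key is placed in the URL path as `{id}`, state how a `domain\user` value must be written or encoded there. The request line also has a trailing slash (`/users/{id}/`) that the example request (`/users/{id}`) does not.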
diff --git a/windows/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..88cc381aaf
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,74 @@
+---
+title: Get user related alerts API
+description: Retrieves a collection of alerts related to a given user ID.
+keywords: apis, graph api, supported apis, get, user, related, alerts
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Get user related alerts
+Retrieves a collection of alerts related to a given user ID.
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/users/{id}/alerts
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+
+## Request body
+Empty
+
+## Response
+If successful and user and alert exists - 200 OK.
+If user does not exist - 404 Not Found.
+
+
+## Example
+
+Request
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/users/{id}/alerts
+Content-type: application/json
+```
+
+Response
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts",
+ "@odata.count": 9,
+ "value": [
+ {
+ "id": "636396023170943366_-36088267",
+ "severity": "Medium",
+ "status": "New",
+ "description": "Built-in Microsoft command-line utility Regsvr32.exe executes a suspicious script that leads to malicious actions. The commands trigger additional downloads and execution of uncommon executable (PE) files or scripts. There are rare cases where this is tied to legitimate behavior.",
+ "recommendedAction": "Update AV signatures and run a full scan.",
+…
+}
+```
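Review bot: The Response section leaves one case undefined. 200 is returned when "user and alert exists", and 404 when "user does not exist", so a reader cannot tell what is returned for a known user with no alerts. The sibling topics use "or" for the 404 condition (for example "If file or alerts do not exist"); make this one consistent, or document the empty-result behavior. "user and alert exists" should read "user and alert exist".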
diff --git a/windows/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..46b715810b
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,72 @@
+---
+title: Get user related machines API
+description: Retrieves a collection of machines related to a given user ID.
+keywords: apis, graph api, supported apis, get, user, user related alerts
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Get user related machines
+Retrieves a collection of machines related to a given user ID.
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/users/{id}/machines
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+
+## Request body
+Empty
+
+## Response
+If successful and user and machine exists - 200 OK.
+If user or machine does not exist - 404 Not Found.
+
+
+## Example
+
+Request
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/users/{id}/machines
+Content-type: application/json
+```
+
+Response
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines",
+ "value": [
+ {
+ "id": "0a3250e0693a109f1affc9217be9459028aa8426",
+ "computerDnsName": "ComputerPII_4aa5f8f4509b90675a13183742f1b1ad67cf62b0.DomainPII_23208d0fe863968308c0c8e67dc0004bd1257631",
+ "firstSeen": "2017-07-05T08:21:00.0572159Z",
+ "osPlatform": "Windows10",
+…
+}
+```
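Review bot: The front matter `keywords` line ends with `user related alerts`, which looks carried over from the alerts topic; on this page it should read `user related machines` so search metadata matches the title. The request example also omits the `Authorization: Bearer {token}` header that the table marks as **Required**, and `Content type` in the table should be `Content-Type`. Under Permissions, "User needs read permissions" does not say read on what; name the permission or scope the token must carry so integrators can grant the minimum needed.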
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-action-block-file.png b/windows/threat-protection/windows-defender-atp/images/atp-action-block-file.png
new file mode 100644
index 0000000000..3c945c3b8d
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-action-block-file.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-action-center-app-restriction.png b/windows/threat-protection/windows-defender-atp/images/atp-action-center-app-restriction.png
new file mode 100644
index 0000000000..f195635b73
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-action-center-app-restriction.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-action-center-package-collection.png b/windows/threat-protection/windows-defender-atp/images/atp-action-center-package-collection.png
new file mode 100644
index 0000000000..a29e87f278
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-action-center-package-collection.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-action-center-restrict-app.png b/windows/threat-protection/windows-defender-atp/images/atp-action-center-restrict-app.png
new file mode 100644
index 0000000000..080b28974c
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-action-center-restrict-app.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-action-center-with-info.png b/windows/threat-protection/windows-defender-atp/images/atp-action-center-with-info.png
index ff3c828a38..5f0e1199b6 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-action-center-with-info.png and b/windows/threat-protection/windows-defender-atp/images/atp-action-center-with-info.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-actions-action-center.png b/windows/threat-protection/windows-defender-atp/images/atp-actions-action-center.png
new file mode 100644
index 0000000000..90e1f30d77
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-actions-action-center.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-actions-collect-investigation-package.png b/windows/threat-protection/windows-defender-atp/images/atp-actions-collect-investigation-package.png
new file mode 100644
index 0000000000..ce13835ade
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-actions-collect-investigation-package.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-actions-isolate-machine.png b/windows/threat-protection/windows-defender-atp/images/atp-actions-isolate-machine.png
new file mode 100644
index 0000000000..df19e86e74
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-actions-isolate-machine.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-actions-manage-tags.png b/windows/threat-protection/windows-defender-atp/images/atp-actions-manage-tags.png
new file mode 100644
index 0000000000..467cb3414e
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-actions-manage-tags.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-actions-release-from-isolation.png b/windows/threat-protection/windows-defender-atp/images/atp-actions-release-from-isolation.png
new file mode 100644
index 0000000000..71d61dca5f
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-actions-release-from-isolation.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-actions-release-from-isoloation.png b/windows/threat-protection/windows-defender-atp/images/atp-actions-release-from-isoloation.png
new file mode 100644
index 0000000000..5b5116f4dd
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-actions-release-from-isoloation.png differ
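Review bot: `atp-actions-release-from-isoloation.png` is added next to `atp-actions-release-from-isolation.png`; the name is misspelled ("isoloation") and the two blobs differ (`5b5116f4dd` vs `71d61dca5f`). Keep whichever screenshot the topics actually reference, under the correctly spelled name, and drop the other so a stale or unreferenced image does not ship.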
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-actions-remove-app-restrictions.png b/windows/threat-protection/windows-defender-atp/images/atp-actions-remove-app-restrictions.png
new file mode 100644
index 0000000000..88ed4da744
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-actions-remove-app-restrictions.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-actions-restrict-app-execution.png b/windows/threat-protection/windows-defender-atp/images/atp-actions-restrict-app-execution.png
new file mode 100644
index 0000000000..70a29f078a
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-actions-restrict-app-execution.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-actions-run-av.png b/windows/threat-protection/windows-defender-atp/images/atp-actions-run-av.png
new file mode 100644
index 0000000000..79dfdf7756
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-actions-run-av.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-add-application-name.png b/windows/threat-protection/windows-defender-atp/images/atp-add-application-name.png
new file mode 100644
index 0000000000..e46547a2ff
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-add-application-name.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-add-application.png b/windows/threat-protection/windows-defender-atp/images/atp-add-application.png
new file mode 100644
index 0000000000..38767341f9
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-add-application.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-alert-timeline.png b/windows/threat-protection/windows-defender-atp/images/atp-alert-timeline.png
index f162f21b1b..9745627e88 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-alert-timeline.png and b/windows/threat-protection/windows-defender-atp/images/atp-alert-timeline.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-app-restriction.png b/windows/threat-protection/windows-defender-atp/images/atp-app-restriction.png
new file mode 100644
index 0000000000..ae493ad999
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-app-restriction.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-application-information.png b/windows/threat-protection/windows-defender-atp/images/atp-application-information.png
new file mode 100644
index 0000000000..0fa908d66c
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-application-information.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-av-scan-action-center.png b/windows/threat-protection/windows-defender-atp/images/atp-av-scan-action-center.png
new file mode 100644
index 0000000000..d980fc4ed9
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-av-scan-action-center.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-av-scan-notification.png b/windows/threat-protection/windows-defender-atp/images/atp-av-scan-notification.png
new file mode 100644
index 0000000000..aed05187d6
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-av-scan-notification.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-api-access.png b/windows/threat-protection/windows-defender-atp/images/atp-azure-api-access.png
new file mode 100644
index 0000000000..31a49811ec
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-azure-api-access.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-atp-app.png b/windows/threat-protection/windows-defender-atp/images/atp-azure-atp-app.png
new file mode 100644
index 0000000000..2fe20462f2
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-azure-atp-app.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-create.png b/windows/threat-protection/windows-defender-atp/images/atp-azure-create.png
new file mode 100644
index 0000000000..a222f09880
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-azure-create.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-new-app.png b/windows/threat-protection/windows-defender-atp/images/atp-azure-new-app.png
new file mode 100644
index 0000000000..effefd5424
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-azure-new-app.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-required-permissions.png b/windows/threat-protection/windows-defender-atp/images/atp-azure-required-permissions.png
new file mode 100644
index 0000000000..ce3d0672a6
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-azure-required-permissions.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-select-permissions.png b/windows/threat-protection/windows-defender-atp/images/atp-azure-select-permissions.png
new file mode 100644
index 0000000000..5aa454b9c8
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-azure-select-permissions.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-block-file-confirm.png b/windows/threat-protection/windows-defender-atp/images/atp-block-file-confirm.png
new file mode 100644
index 0000000000..23dcbb397e
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-block-file-confirm.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-collect-investigation-package.png b/windows/threat-protection/windows-defender-atp/images/atp-collect-investigation-package.png
new file mode 100644
index 0000000000..d90199bb76
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-collect-investigation-package.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-confirm-isolate.png b/windows/threat-protection/windows-defender-atp/images/atp-confirm-isolate.png
new file mode 100644
index 0000000000..e56876ff1b
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-confirm-isolate.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-create-dashboard.png b/windows/threat-protection/windows-defender-atp/images/atp-create-dashboard.png
new file mode 100644
index 0000000000..5a04cb5fd5
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-create-dashboard.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-dashboard-security-analytics.png b/windows/threat-protection/windows-defender-atp/images/atp-dashboard-security-analytics.png
new file mode 100644
index 0000000000..4f738b77ae
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-dashboard-security-analytics.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-download-connector.png b/windows/threat-protection/windows-defender-atp/images/atp-download-connector.png
new file mode 100644
index 0000000000..8166caf6ae
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-download-connector.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-improv-ops.png b/windows/threat-protection/windows-defender-atp/images/atp-improv-ops.png
new file mode 100644
index 0000000000..3cfe2f682f
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-improv-ops.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-isolate-machine.png b/windows/threat-protection/windows-defender-atp/images/atp-isolate-machine.png
index 4905b60304..d416fcb5ad 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-isolate-machine.png and b/windows/threat-protection/windows-defender-atp/images/atp-isolate-machine.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machine-actions-undo.png b/windows/threat-protection/windows-defender-atp/images/atp-machine-actions-undo.png
new file mode 100644
index 0000000000..ad6c46725c
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-machine-actions-undo.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machine-actions.png b/windows/threat-protection/windows-defender-atp/images/atp-machine-actions.png
new file mode 100644
index 0000000000..dc88fe76e4
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-machine-actions.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machine-investigation-package.png b/windows/threat-protection/windows-defender-atp/images/atp-machine-investigation-package.png
index 2c32d9780d..65eafd21ea 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-machine-investigation-package.png and b/windows/threat-protection/windows-defender-atp/images/atp-machine-investigation-package.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machine-isolation.png b/windows/threat-protection/windows-defender-atp/images/atp-machine-isolation.png
index 10b778ae73..cdc1be01f6 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-machine-isolation.png and b/windows/threat-protection/windows-defender-atp/images/atp-machine-isolation.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-details-panel.png b/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-details-panel.png
index c9063c8fa9..0c7f50581f 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-details-panel.png and b/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-details-panel.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-export.png b/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-export.png
index da80abb64f..c90cef7b32 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-export.png and b/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-export.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machine-view-ata.png b/windows/threat-protection/windows-defender-atp/images/atp-machine-view-ata.png
new file mode 100644
index 0000000000..5e2258d16d
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-machine-view-ata.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machines-list-view.png b/windows/threat-protection/windows-defender-atp/images/atp-machines-list-view.png
index 746d043732..7c10c6b14f 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-machines-list-view.png and b/windows/threat-protection/windows-defender-atp/images/atp-machines-list-view.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-manage-tags.png b/windows/threat-protection/windows-defender-atp/images/atp-manage-tags.png
new file mode 100644
index 0000000000..fc88a55489
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-manage-tags.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-notification-collect-package.png b/windows/threat-protection/windows-defender-atp/images/atp-notification-collect-package.png
new file mode 100644
index 0000000000..3160d850e0
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-notification-collect-package.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-notification-restrict.png b/windows/threat-protection/windows-defender-atp/images/atp-notification-restrict.png
new file mode 100644
index 0000000000..5dbd52ce1c
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-notification-restrict.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-observed-in-organization.png b/windows/threat-protection/windows-defender-atp/images/atp-observed-in-organization.png
index 508822a2ad..b4865884d3 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-observed-in-organization.png and b/windows/threat-protection/windows-defender-atp/images/atp-observed-in-organization.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-org-score.png b/windows/threat-protection/windows-defender-atp/images/atp-org-score.png
new file mode 100644
index 0000000000..e0e05e11be
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-org-score.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-org-sec-score.png b/windows/threat-protection/windows-defender-atp/images/atp-org-sec-score.png
new file mode 100644
index 0000000000..65dc93e72c
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-org-sec-score.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-permissions-applications.png b/windows/threat-protection/windows-defender-atp/images/atp-permissions-applications.png
new file mode 100644
index 0000000000..c8a1a31e06
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-permissions-applications.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-portal.png b/windows/threat-protection/windows-defender-atp/images/atp-portal.png
index 5f39939886..742b8deb22 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-portal.png and b/windows/threat-protection/windows-defender-atp/images/atp-portal.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-powerbi-consent.png b/windows/threat-protection/windows-defender-atp/images/atp-powerbi-consent.png
new file mode 100644
index 0000000000..953e4af373
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-powerbi-consent.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-powerbi-get-data.png b/windows/threat-protection/windows-defender-atp/images/atp-powerbi-get-data.png
new file mode 100644
index 0000000000..96200e68ff
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-powerbi-get-data.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-powerbi-navigator.png b/windows/threat-protection/windows-defender-atp/images/atp-powerbi-navigator.png
new file mode 100644
index 0000000000..2061e53383
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-powerbi-navigator.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-powerbi-options.png b/windows/threat-protection/windows-defender-atp/images/atp-powerbi-options.png
new file mode 100644
index 0000000000..be0e101c6e
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-powerbi-options.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-powerbi-preview.png b/windows/threat-protection/windows-defender-atp/images/atp-powerbi-preview.png
new file mode 100644
index 0000000000..92599b5a75
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-powerbi-preview.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-restrict-app.png b/windows/threat-protection/windows-defender-atp/images/atp-restrict-app.png
new file mode 100644
index 0000000000..d587e6d40a
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-restrict-app.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-run-av-scan.png b/windows/threat-protection/windows-defender-atp/images/atp-run-av-scan.png
new file mode 100644
index 0000000000..ff284e05fc
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-run-av-scan.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-save-tag.png b/windows/threat-protection/windows-defender-atp/images/atp-save-tag.png
new file mode 100644
index 0000000000..47cedd37ae
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-save-tag.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-sec-coverage.png b/windows/threat-protection/windows-defender-atp/images/atp-sec-coverage.png
new file mode 100644
index 0000000000..fd2d52834b
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-sec-coverage.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-security-analytics-dashboard.png b/windows/threat-protection/windows-defender-atp/images/atp-security-analytics-dashboard.png
new file mode 100644
index 0000000000..1b3c80e762
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-security-analytics-dashboard.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-security-analytics-view-machines.png b/windows/threat-protection/windows-defender-atp/images/atp-security-analytics-view-machines.png
new file mode 100644
index 0000000000..e7f8d974bf
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-security-analytics-view-machines.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-security-analytics-view-machines2.png b/windows/threat-protection/windows-defender-atp/images/atp-security-analytics-view-machines2.png
new file mode 100644
index 0000000000..627d376ba2
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-security-analytics-view-machines2.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-security-coverage.png b/windows/threat-protection/windows-defender-atp/images/atp-security-coverage.png
new file mode 100644
index 0000000000..2a1d763b3f
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-security-coverage.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-security-improvements.png b/windows/threat-protection/windows-defender-atp/images/atp-security-improvements.png
new file mode 100644
index 0000000000..d99b7de547
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-security-improvements.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-server-onboarding.png b/windows/threat-protection/windows-defender-atp/images/atp-server-onboarding.png
new file mode 100644
index 0000000000..07fa544f73
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-server-onboarding.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping3.png b/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping3.png
index 8dcfa06ea0..191941085d 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping3.png and b/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping3.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-stop-quarantine-file.png b/windows/threat-protection/windows-defender-atp/images/atp-stop-quarantine-file.png
index cb58fad705..1f09d12343 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-stop-quarantine-file.png and b/windows/threat-protection/windows-defender-atp/images/atp-stop-quarantine-file.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-stop-quarantine.png b/windows/threat-protection/windows-defender-atp/images/atp-stop-quarantine.png
new file mode 100644
index 0000000000..e1d37a4f65
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-stop-quarantine.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-tag-management.png b/windows/threat-protection/windows-defender-atp/images/atp-tag-management.png
new file mode 100644
index 0000000000..6a4b746009
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-tag-management.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-undo-isolation.png b/windows/threat-protection/windows-defender-atp/images/atp-undo-isolation.png
index ea42abd060..ce515c1e79 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-undo-isolation.png and b/windows/threat-protection/windows-defender-atp/images/atp-undo-isolation.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-user-details-pane.png b/windows/threat-protection/windows-defender-atp/images/atp-user-details-pane.png
index 1d852999b9..b08381baed 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-user-details-pane.png and b/windows/threat-protection/windows-defender-atp/images/atp-user-details-pane.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-user-details-view-tdp.png b/windows/threat-protection/windows-defender-atp/images/atp-user-details-view-tdp.png
new file mode 100644
index 0000000000..b0732653d6
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-user-details-view-tdp.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-user-details.png b/windows/threat-protection/windows-defender-atp/images/atp-user-details.png
new file mode 100644
index 0000000000..1d852999b9
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-user-details.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-user-view-ata.png b/windows/threat-protection/windows-defender-atp/images/atp-user-view-ata.png
new file mode 100644
index 0000000000..2bea8cb48d
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-user-view-ata.png differ
diff --git a/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md
index 22cb47ce0e..d2e1a9a60a 100644
--- a/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md
@@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
+ms.date: 09/05/2017
---
# Investigate Windows Defender Advanced Threat Protection alerts
@@ -18,6 +19,8 @@ ms.localizationpriority: high
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+[!include[Prerelease information](prerelease.md)]
+
Investigate alerts that are affecting your network, what they mean, and how to resolve them. Use the alert details view to see various tiles that provide information about alerts. You can also manage an alert and see alert metadata along with other information that can help you make better decisions on how to approach them.

@@ -27,7 +30,7 @@ The alert context tile shows the where, who, and when context of the alert. As w
For more information about managing alerts, see [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md).
-The alert details page also shows the alert process tree, an incident graph, and an alert timeline.
+The alert details page also shows the alert process tree, an incident graph, and an artifact timeline.
You can click on the machine link from the alert view to navigate to the machine. The alert will be highlighted automatically, and the timeline will display the appearance of the alert and its evidence in the **Machine timeline**. If the alert appeared more than once on the machine, the latest occurrence will be displayed in the **Machine timeline**.
@@ -74,15 +77,15 @@ The **Incident Graph** expansion by destination IP Address, shows the organizati
You can click the full circles on the incident graph to expand the nodes and view the expansion to other machines where the matching criteria were observed.
-## Alert timeline
-The **Alert timeline** feature provides an addition view of the evidence that triggered the alert on the machine, and shows the date and time the evidence triggering the alert was observed, as well as the first time it was observed on the machine. This can help in understanding if the evidence was first observed at the time of the alert, or whether it was observed on the machine earlier - without triggering an alert.
+## Artifact timeline
+The **Artifact timeline** feature provides an addition view of the evidence that triggered the alert on the machine, and shows the date and time the evidence triggering the alert was observed, as well as the first time it was observed on the machine. This can help in understanding if the evidence was first observed at the time of the alert, or whether it was observed on the machine earlier - without triggering an alert.
-
+
Selecting an alert detail brings up the **Details pane** where you'll be able to see more information about the alert such as file details, detections, instances of it observed worldwide, and in the organization.
## Related topics
-- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
+- [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
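Review bot: The added paragraph under `## Artifact timeline` carries over the typo "an addition view" from the removed line; it should read "an additional view". Renaming the heading also moves its anchor from `#alert-timeline` to `#artifact-timeline`, so confirm that every inbound link to the old anchor is updated in this same change.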
diff --git a/windows/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md
index bb040b50a1..6c5effd35b 100644
--- a/windows/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md
@@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
+ms.date: 09/05/2017
---
# Investigate a domain associated with a Windows Defender ATP alert
@@ -21,6 +22,8 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+[!include[Prerelease information](prerelease.md)]
+
Investigate a domain to see if machines and servers in your enterprise network have been communicating with a known malicious domain.
You can see information from the following sections in the URL view:
@@ -45,7 +48,7 @@ The **Communication with URL in organization** section provides a chronological
5. Clicking any of the machine names will take you to that machine's view, where you can continue investigate reported alerts, behaviors, and events.
## Related topics
-- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
+- [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
diff --git a/windows/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md
index 60f65b2052..afb66067f3 100644
--- a/windows/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md
@@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
+ms.date: 09/05/2017
---
# Investigate a file associated with a Windows Defender ATP alert
@@ -21,31 +22,36 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+[!include[Prerelease information](prerelease.md)]
+
Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach.
You can get information from the following sections in the file view:
- File details, Malware detection, Prevalence worldwide
-- Deep analysis
-- Alerts related to this file
-- File in organization
-- Most recent observed machines with file
-
+- Deep analysis
+- Alerts related to this file
+- File in organization
+- Most recent observed machines with file
+## File worldwide and Deep analysis
The file details, malware detection, and prevalence worldwide sections display various attributes about the file. You’ll see actions you can take on the file. For more information on how to take action on a file, see [Take response action on a file](respond-file-alerts-windows-defender-advanced-threat-protection.md).
-You'll also see details such as the file’s MD5, the VirusTotal detection ratio and Windows Defender AV detection if available, and the file’s prevalence worldwide. You'll also be able to [submit a file for deep analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#deep-analysis).
+You'll see details such as the file’s MD5, the VirusTotal detection ratio and Windows Defender AV detection if available, and the file’s prevalence worldwide. You'll also be able to [submit a file for deep analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#deep-analysis).

+## Alerts related to this file
The **Alerts related to this file** section provides a list of alerts that are associated with the file. This list is a simplified version of the Alerts queue, and shows the date when the last activity was detected, a short description of the alert, the user associated with the alert, the alert's severity, the alert's status in the queue, and who is addressing the alert.

+## File in organization
The **File in organization** section provides details on the prevalence of the file, prevalence in email inboxes and the name observed in the organization.

+## Most recent observed machinew with the file
The **Most recent observed machines with the file** section allows you to specify a date range to see which machines have been observed with the file.

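Review bot: The new heading `## Most recent observed machinew with the file` misspells "machines", and the typo will end up in the generated anchor as well. `## File worldwide and Deep analysis` is added directly after the bullet list while the blank line that used to follow the list is removed, so put a blank line before the heading. That heading also does not match the "File details, Malware detection, Prevalence worldwide" wording used in the list above and in the paragraph below it.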
@@ -53,7 +59,7 @@ The **Most recent observed machines with the file** section allows you to specif
This allows for greater accuracy in defining entities to display such as if and when an entity was observed in the organization. For example, if you’re trying to identify the origin of a network communication to a certain IP Address within a 10-minute period on a given date, you can specify that exact time interval, and see only files that communicated with that IP Address at that time, drastically reducing unnecessary scrolling and searching.
## Related topics
-- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
+- [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
diff --git a/windows/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md
index 486af0335d..0efb6d5061 100644
--- a/windows/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md
@@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
+ms.date: 09/05/2017
---
# Investigate an IP address associated with a Windows Defender ATP alert
@@ -21,6 +22,8 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+[!include[Prerelease information](prerelease.md)]
+
Examine possible communication between your machines and external internet protocol (IP) addresses.
Identifying all machines in the organization that communicated with a suspected or known malicious IP address, such as Command and Control (C2) servers, helps determine the potential scope of breach, associated files, and infected machines.
@@ -53,7 +56,7 @@ Use the search filters to define the search criteria. You can also use the timel
Clicking any of the machine names will take you to that machine's view, where you can continue investigate reported alerts, behaviors, and events.
## Related topics
-- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
+- [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
diff --git a/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md
index 2a4675f3c4..f437a524b9 100644
--- a/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md
@@ -1,7 +1,7 @@
---
title: Investigate machines in the Windows Defender ATP Machines list
-description: Investigate affected machines in your network by reviewing alerts, network connection information, and service health on the Machines list.
-keywords: machines, endpoints, machine, endpoint, alerts queue, alerts, machine name, domain, last seen, internal IP, active alerts, threat category, filter, sort, review alerts, network, connection, type, password stealer, ransomware, exploit, threat, low severity
+description: Investigate affected machines by reviewing alerts, network connection information, adding machine tags and groups, and checking the service health.
+keywords: machines, endpoints, tags, groups, endpoint, alerts queue, alerts, machine name, domain, last seen, internal IP, active alerts, threat category, filter, sort, review alerts, network, connection, type, password stealer, ransomware, exploit, threat, low severity, service heatlh
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
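Review bot: The new `keywords` line ends with "service heatlh", which should be "service health"; as written the page will not match that search term. The keyword "machine" was also dropped when "tags, groups" were added; restore it if the removal was unintentional.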
@@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
+ms.date: 09/05/2017
---
# Investigate machines in the Windows Defender ATP Machines list
@@ -18,6 +19,8 @@ ms.localizationpriority: high
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+[!include[Prerelease information](prerelease.md)]
+
## Investigate machines
Investigate the details of an alert raised on a specific machine to identify other behaviors or events that might be related to the alert or the potential scope of breach.
@@ -25,39 +28,43 @@ You can click on affected machines whenever you see them in the portal to open a
- The [Machines list](investigate-machines-windows-defender-advanced-threat-protection.md)
- The [Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
-- The [Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
+- The [Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- Any individual alert
- Any individual file details view
- Any IP address or domain details view
When you investigate a specific machine, you'll see:
-- Machine details, Logged on users, and Machine Reporting
+- Machine details, Logged on users, and Machine Reporting
- Alerts related to this machine
- Machine timeline
-
+
-The machine details, total logged on users and machine reporting sections display various attributes about the machine. You’ll see details such as machine name, health state, actions you can take on the machine, and others. For more information on how to take action on a machine, see [Take response action on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md).
+The machine details, total logged on users, and machine reporting sections display various attributes about the machine.
-You'll also see other information such as domain, operating system (OS) and build, total logged on users and who frequently and less frequently logged on, IP address, and how long it's been reporting sensor data to the Windows Defender ATP service.
+The machine details tile provides information such as the domain and OS of the machine. If there's an investigation package available on the machine, you'll see a link that allows you to download the package.
+
+For more information on how to take action on a machine, see [Take response action on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md).
Clicking on the number of total logged on users in the Logged on users tile opens the Users Details pane that displays the following information for logged on users in the past 30 days:
- Interactive and remote interactive logins
- Network, batch, and system logins
-
+
You'll also see details such as logon types for each user account, the user group, and when the account logon occurred.
For more information, see [Investigate user entities](investigate-user-windows-defender-advanced-threat-protection.md).
+## Alerts related to this machine
The **Alerts related to this machine** section provides a list of alerts that are associated with the machine. You can also manage alerts from this section by clicking the circle icons to the left of the alert (or using Ctrl or Shift + click to select multiple alerts).
This list is a filtered version of the [Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md), and shows the date when the alert's last activity was detected, a short description of the alert, the user account associated with the alert, the alert's severity, the alert's status in the queue, and who is addressing the alert. You'll also see a list of displayed alerts and you'll be able to quickly know the total number of alerts on the machine.
You can also choose to highlight an alert from the **Alerts related to this machine** or from the **Machine timeline** section to see the correlation between the alert and its related events on the machine by right-clicking on the alert and selecting **Select and mark events**. This highlights the alert and its related events and helps distinguish them from other alerts and events appearing in the timeline. Highlighted events are displayed in all information levels whether you choose to view the timeline by **Detections**, **Behaviors**, or **Verbose**.
+## Machine timeline
The **Machine timeline** section provides a chronological view of the events and associated alerts that have been observed on the machine.
This feature also enables you to selectively drill down into events that occurred within a given time period. You can view the temporal sequence of events that occurred on a machine over a selected time period.
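Review bot: The replacement text for the machine details section drops information the removed lines documented: health state, who logged on frequently and less frequently, the IP address, and how long the machine has been reporting sensor data. The section list above still names "Logged on users" and "Machine Reporting", so either describe those tiles again or trim the intro sentence, which now promises detail that is no longer there. The sentence about the investigation package link would also benefit from a pointer to where the package is collected, since this page does not explain it.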
@@ -72,38 +79,39 @@ Use the search bar to look for specific timeline events. Harness the power of us
- **Value** - Type in any search keyword to filter the timeline with the attribute you’re searching for. This search supports defined search queries based on type:value pairs.
You can use any of the following values:
- - Hash: Sha1 or MD5
- - File name
- - File extension
- - Path
- - Command line
- - User
- - IP
- - URL
+ - Hash: Sha1 or MD5
+ - File name
+ - File extension
+ - Path
+ - Command line
+ - User
+ - IP
+ - URL
+
- **Informational level** – Click the drop-down button to filter by the following levels:
- - Detections mode: displays Windows ATP Alerts and detections
- - Behaviors mode: displays "detections" and selected events of interest
- - Verbose mode: displays all raw events without aggregation or filtering
+ - Detections mode: displays Windows ATP Alerts and detections
+ - Behaviors mode: displays "detections" and selected events of interest
+ - Verbose mode: displays all raw events without aggregation or filtering
- **Event type** - Click the drop-down button to filter by the following levels:
- - Windows Defender ATP alerts
- - Windows Defender AV alerts
- - Response actions
- - AppGuard related events
- - Windows Defender Device Guard events
- - Process events
- - Network events
- - File events
- - Registry events
- - Load DLL events
- - Other events
- Filtering by event type allows you to define precise queries so that you see events with a specific focus. For example, you can search for a file name, then filter the results to only see Process events matching the search criteria or to only view file events, or even better: to view only network events over a period of time to make sure no suspicious outbound communications go unnoticed.
+ - Windows Defender ATP alerts
+ - Windows Defender AV alerts
+ - Response actions
+ - AppGuard related events
+ - Windows Defender Device Guard events
+ - Process events
+ - Network events
+ - File events
+ - Registry events
+ - Load DLL events
+ - Other events
+ Filtering by event type allows you to define precise queries so that you see events with a specific focus. For example, you can search for a file name, then filter the results to only see Process events matching the search criteria or to only view file events, or even better: to view only network events over a period of time to make sure no suspicious outbound communications go unnoticed.
- **User account** – Click the drop-down button to filter the machine timeline by the following user associated events:
- - Logon users
- - System
- - Network
- - Local service
+ - Logon users
+ - System
+ - Network
+ - Local service
The following example illustrates the use of type:value pair. The events were filtered by searching for the user jonathan.wolcott and network events as the event type:
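Review bot: In the re-indented Informational level list, "Detections mode: displays Windows ATP Alerts and detections" uses a product name that differs from "Windows Defender ATP alerts" in the Event type list just below; use the full name consistently. The "Filtering by event type allows you to define precise queries..." paragraph still follows "- Other events" with no blank line, so Markdown will fold it into that last bullet; separate it with a blank line so it reads as a description of the whole filter.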
@@ -133,14 +141,16 @@ From the list of events that are displayed in the timeline, you can examine the

-You can also use the [Alerts spotlight](investigate-alerts-windows-defender-advanced-threat-protection.md#alert-timeline) feature to see the correlation between alerts and events on a specific machine.
+You can also use the [Alerts spotlight](investigate-alerts-windows-defender-advanced-threat-protection.md#artifact-timeline) feature to see the correlation between alerts and events on a specific machine.
Expand an event to view associated processes related to the event. Click on the circle next to any process or IP address in the process tree to investigate additional details of the identified processes. This action brings up the **Details pane** which includes execution context of processes, network communications and a summary of metadata on the file or IP address.
The details pane enriches the ‘in-context’ information across investigation and exploration activities, reducing the need to switch between contexts. It lets you focus on the task of tracing associations between attributes without leaving the current context.
+
+
## Related topics
-- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
+- [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
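Review bot: The updated link keeps the text "Alerts spotlight" while now pointing at `#artifact-timeline`; the target section is headed "Artifact timeline", so the link text should use that name. The two bare `+` lines before `## Related topics` add consecutive blank lines; one is enough.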
diff --git a/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md
index 3fad51eada..52c8a9583f 100644
--- a/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md
@@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
+ms.date: 09/05/2017
---
# Investigate a user account in Windows Defender ATP
@@ -21,6 +22,8 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+[!include[Prerelease information](prerelease.md)]
+
## Investigate user account entities
Identify user accounts with the most active alerts (displayed on dashboard as "Users at risk") and investigate cases of potential compromised credentials, or pivot on the associated user account when investigating an alert or machine to identify possible lateral movement between machines with that user account.
@@ -36,7 +39,7 @@ When you investigate a user account entity, you'll see:
- Alerts related to this user
- Observed in organization (machines logged on to)
-
+
The user account entity details and logged on machines section display various attributes about the user account. You'll see details such as when the user was first and last seen and the total number of machines the user logged on to. You'll also see a list of the machines that the user logged on to, and can expand these to see details of the logon events on each machine.
@@ -64,7 +67,7 @@ You can filter the results by the following time periods:
- 6 months
## Related topics
-- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
+- [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
diff --git a/windows/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..5d32e4419b
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,66 @@
+---
+title: Is domain seen in org API
+description: Use this API to create calls related to checking whether a domain was seen in the organization.
+keywords: apis, graph api, supported apis, domain, domain seen
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Is domain seen in org
+Answers whether a domain was seen in the organization.
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/domains/{id}/
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+
+## Request body
+Empty
+
+## Response
+If successful and domain exists - 200 OK.
+If domain does not exist - 404 Not Found.
+
+
+## Example
+
+Request
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/domains/{id}
+Content-type: application/json
+```
+
+Response
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Domains/$entity",
+ "host": "example.com"
+}
+```
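Review bot: The Response section lists only 200 and 404, but the request requires a bearer token and read permissions, so document which status a caller receives for a missing or invalid token and for insufficient permissions; otherwise an integration can mistake an authorization failure for "domain not seen". The header table says "Content type" where the example uses `Content-type`, the documented path `GET /testwdatppreview/domains/{id}/` has a trailing slash that the example URL lacks, and the example response needs a blank line between the headers and the JSON body. The description "Use this API to create calls related to checking whether a domain was seen" would read better as a plain statement of what the call returns.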
diff --git a/windows/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..9dfc6cd763
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,66 @@
+---
+title: Is IP seen in org API
+description: Answers whether an IP was seen in the organization.
+keywords: apis, graph api, supported apis, is, ip, seen, org, organization
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Is IP seen in org
+Answers whether an IP was seen in the organization.
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/ips/{id}/
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+
+## Request body
+Empty
+
+## Response
+If successful and IP exists - 200 OK.
+If IP do not exist - 404 Not Found.
+
+
+## Example
+
+Request
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/ips/{id}
+Content-type: application/json
+```
+
+Response
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Ips/$entity",
+ "id": "192.168.1.1"
+}
+```
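Review bot: "If IP do not exist - 404 Not Found." should read "If IP does not exist". The example response uses `"id": "192.168.1.1"`, a private RFC 1918 address; an address from a documentation range such as 192.0.2.0/24 (RFC 5737) is a better fit for an API that reports IPs seen communicating with the organization. The Response section should also state what is returned when the required bearer token is missing or lacks read permissions, and the `Content type` header name and the trailing slash in `GET /testwdatppreview/ips/{id}/` should be made consistent with the example request.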
diff --git a/windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md
index 78c0d14437..4fa77ae8f4 100644
--- a/windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md
@@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
+ms.date: 09/05/2017
---
# View and organize the Windows Defender ATP Machines list
@@ -22,6 +23,8 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+[!include[Prerelease information](prerelease.md)]
+
The **Machines list** shows a list of the machines in your network, the domain of each machine, when it last reported and the local IP Address it reported on, its **Health state**, the number of active alerts on each machine categorized by alert severity level, and the number of active malware detections. This view allows viewing machines ranked by risk or sensor health state, and keeping track of all machines that are reporting sensor data in your network.
Use the Machines list in these main scenarios:
@@ -34,7 +37,7 @@ Use the Machines list in these main scenarios:
## Sort, filter, and download the list of machines from the Machines list
You can sort the **Machines list** by clicking on any column header to sort the view in ascending or descending order.
-Filter the **Machines list** by time period, **OS Platform**, **Health**, or **Malware category alerts** to focus on certain sets of machines, according to the desired criteria.
+Filter the **Machines list** by time period, **OS Platform**, **Health**, **Security state**, **Malware category alerts**, or **Groups** to focus on certain sets of machines, according to the desired criteria.
You can also download the entire list in CSV format using the **Export to CSV** feature.
@@ -53,14 +56,22 @@ You can use the following filters to limit the list of machines displayed during
- Windows 10
- Windows Server 2012 R2
- Windows Server 2016
+- Linux
+- Mac OS
- Other
+**Health**
+- All
+- Well configure
+- Requires attention - Depending on the Windows Defender security controls configured in your enterprise, you'll see various available filters.
+
+
**Sensor health state**
Filter the list to view specific machines grouped together by the following machine health states:
- **Active** – Machines that are actively reporting sensor data to the service.
-- **Misconfigured** – Machines that have impaired communication with service or are unable to send sensor data. Misconfigured machines can further be classified to:
- - Impaired communication
+- **Misconfigured** – Machines that have impaired communications with service or are unable to send sensor data. Misconfigured machines can further be classified to:
+ - Impaired communications
- No sensor data
For more information on how to address issues on misconfigured machines see, [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md).
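Review bot: The new **Health** filter lists "Well configure", which should be "Well configured". The filter sentence changed earlier in this file names **Security state** as the new filter, and the options added here read like security state values, so the heading **Health** looks mislabeled and is easy to confuse with **Sensor health state** directly below it. The explanation "Depending on the Windows Defender security controls configured in your enterprise..." is attached to the "Requires attention" bullet; move it to its own line so it applies to the filter as a whole.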
@@ -101,7 +112,7 @@ You can sort the **Machines list** by the following columns:
## Related topics
-- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
+- [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
diff --git a/windows/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md
index 82f32619ad..be0229d1d1 100644
--- a/windows/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md
@@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
+ms.date: 09/05/2017
---
# Manage Windows Defender Advanced Threat Protection alerts
@@ -22,7 +23,9 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-Windows Defender ATP notifies you of possible malicious events, attributes, and contextual information through alerts. A summary of new alerts is displayed in the **Dashboard**, and you can access all alerts in the **Alerts queue** menu.
+[!include[Prerelease information](prerelease.md)]
+
+Windows Defender ATP notifies you of possible malicious events, attributes, and contextual information through alerts. A summary of new alerts is displayed in the **Security operations dashboard**, and you can access all alerts in the **Alerts queue** menu.
You can manage alerts by selecting an alert in the **Alerts queue** or the **Alerts related to this machine** section of the machine details view.
@@ -112,7 +115,7 @@ Create custom rules to control when alerts are suppressed, or resolved. You can
You can select rules to open up the **Alert management** pane. From there, you can activate previously disabled rules.
## Related topics
-- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
+- [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
diff --git a/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
index 897439c53a..158de675fc 100644
--- a/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
@@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
+ms.date: 09/05/2017
---
# Minimum requirements for Windows Defender ATP
@@ -22,6 +23,8 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+[!include[Prerelease information](prerelease.md)]
+
There are some minimum requirements for onboarding your network and endpoints.
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=technet-wd-atp-abovefoldlink1)
diff --git a/windows/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md
index b433fffe39..d5a674a071 100644
--- a/windows/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md
@@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
+ms.date: 09/05/2017
---
# Onboard and set up Windows Defender Advanced Threat Protection
@@ -22,6 +23,8 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+[!include[Prerelease information](prerelease.md)]
+
You need to onboard to Windows Defender ATP before you can use the service.
For more information, see [Onboard your Windows 10 endpoints to Windows Defender ATP](https://www.youtube.com/watch?v=JT7VGYfeRlA&feature=youtu.be).
@@ -38,6 +41,7 @@ For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us
## In this section
Topic | Description
:---|:---
-[Configure endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) | You'll need to configure endpoints for it to report to the Windows Defender ATP service. Learn about the tools and methods you can use to configure endpoints in your enterprise.
+[Configure client endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) | You'll need to configure endpoints for it to report to the Windows Defender ATP service. Learn about the tools and methods you can use to configure endpoints in your enterprise.
+[Configure server endpoints](configure-server-endpoints-windows-defender-advanced-threat-protection.md) | Onboard Windows Server 2012 R2 and Windows Server 2016 to Windows Defender ATP
[Configure proxy and Internet settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)| Enable communication with the Windows Defender ATP cloud service by configuring the proxy and Internet connectivity settings.
[Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) | Learn about resolving issues that might arise during onboarding.
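Review bot: In the "In this section" table, the renamed client row keeps the old description ("You'll need to configure endpoints for it to report to the Windows Defender ATP service"), which never says "client" and has a number mismatch between "endpoints" and "it". Suggest "You'll need to configure client endpoints so that they report to the Windows Defender ATP service." The new server row's description also lacks the terminal period that the neighbouring rows have.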
diff --git a/windows/threat-protection/windows-defender-atp/optimize-security-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/optimize-security-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..2f535cb869
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/optimize-security-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,33 @@
+---
+title: Optimize Windows Defender Antivirus
+description:
+keywords:
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Optimize Windows Defender Antivirus
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+The Antivirus optimization tile provides a list of recommendations to affected machines. Taking action on the recommendations will help improve your overall organizational security:
+
+- [Use Windows Defender AV with Windows Defender ATP](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility)
+- [Turn on cloud-delivered protection](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus)
+- [Turn on protection from potentially unwanted applications](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus)
+- [Turn on real-time protection](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus)
+- [Update antivirus protection and definitions](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md)
\ No newline at end of file
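Review bot: The "Turn on protection from potentially unwanted applications" bullet links to enable-cloud-protection-windows-defender-antivirus, the same target as the "Turn on cloud-delivered protection" bullet above it, so a reader acting on the PUA recommendation lands on the cloud-protection topic. Point it at the PUA topic instead. The last bullet's URL ends in `.md`, unlike the other four docs.microsoft.com links; drop the extension to match. In the front matter, `description:` and `keywords:` are empty and the key is `localizationpriority` where the sibling topics in this commit use `ms.localizationpriority`. The file also needs a trailing newline.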
diff --git a/windows/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md
index 6105da4bd7..7a8e8393e6 100644
--- a/windows/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md
@@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: DulceMV
ms.localizationpriority: high
+ms.date: 09/05/2017
---
# Windows Defender Advanced Threat Protection portal overview
@@ -22,6 +23,8 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+[!include[Prerelease information](prerelease.md)]
+
Enterprise security teams can use the Windows Defender ATP portal to monitor and assist in responding to alerts of potential advanced persistent threat (APT) activity or data breaches.
You can use the [Windows Defender ATP portal](https://securitycenter.windows.com/) to:
@@ -46,14 +49,14 @@ You can navigate through the portal using the menu options available in all sect
Area | Description
:---|:---
(1) Search bar, Feedback, Settings, Help and support | **Search** - Provides access to the search bar where you can search for file, IP, machine, URL, and user. Displays the Search box: the drop-down list allows you to select the entity type and then enter the search query text. **Feedback** -Access the feedback button to provide comments about the portal. **Settings** - Gives you access to the configuration settings where you can set time zones, alert suppression rules, and license information. **Help and support** - Gives you access to the Windows Defender ATP guide, Microsoft support, and Premier support.
-(2) Navigation pane | Use the navigation pane to move between the **Dashboard**, **Alerts queue**, **Machines list**, **Service health**, **Preferences setup**, and **Endpoint management**.
-**Dashboard** | Provides clickable tiles that open detailed information on various alerts that have been detected in your organization.
+(2) Navigation pane | Use the navigation pane to move between the **Dashboards**, **Alerts queue**, **Machines list**, **Service health**, **Preferences setup**, and **Endpoint management**.
+**Dashboards** | Enables you to view the Security operations or the Security analytics dashboard.
**Alerts queue** | Enables you to view separate queues of new, in progress, and resolved alerts.
**Machines list** | Displays the list of machines that are onboarded to Windows Defender ATP, some information about them, and the corresponding number of alerts.
**Service health** | Provides information on the current status of the Window Defender ATP service. You'll be able to verify that the service health is healthy or if there are current issues.
**Preferences setup** | Shows the settings you selected during onboarding and lets you update your industry preferences and retention policy period. You can also set email notifications, activate the preview experience, and enable or turn off advanced features.
**Endpoint management** | Allows you to download the onboarding configuration package. It provides access to endpoint offboarding.
-(3) Main portal| Main area where you will see the different views such as the Dashboard, Alerts queue, and Machines list.
+(3) Main portal| Main area where you will see the different views such as the Dashboards, Alerts queue, and Machines list.
## Windows Defender ATP icons
The following table provides information on the icons used all throughout the portal:
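Review bot: In the "(3) Main portal" row, "such as the Dashboards, Alerts queue, and Machines list" reads awkwardly after the pluralization. Name the two views the new **Dashboards** row introduces (Security operations and Security analytics) or keep the singular there. While this table is being touched, the **Service health** row's "Window Defender ATP service" is missing an "s".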
diff --git a/windows/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..1419c95077
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,134 @@
+---
+title: Create and build Power BI reports using Windows Defender ATP data
+description: Get security insights by creating and building Power BI dashboards using data from Windows Defender ATP and other data sources.
+keywords: preferences setup, power bi, power bi service, power bi desktop, reports, dashboards, connectors , security insights, mashup
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+localizationpriority: high
+ms.date: 09/05/2017
+---
+# Create and build Power BI reports using Windows Defender ATP data
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+Understand the security status of your organization, including the status of machines, alerts, and investigations using the Windows Defender ATP reporting feature that integrates with Power BI.
+
+Windows Defender ATP supports the use of Power BI data connectors to enable you to connect and access Windows Defender ATP data using Microsoft Graph.
+
+Data connectors integrate seamlessly in Power BI, and make it easy for power users to query, shape and combine data to build reports and dashboards that meet the needs of your organization.
+
+You can easily get started by:
+- Creating a dashboard on the Power BI service
+- Building a custom dashboard on Power BI Desktop and tweaking it to fit the visual analytics and reporting requirements of your organization
+
+You can access these options from the Windows Defender ATP portal. Both the Power BI service and Power BI Desktop are supported.
+
+## Create a Windows Defender ATP dashboard on Power BI service
+Windows Defender ATP makes it easy to create a Power BI dashboard by providing an option straight from the portal.
+
+1. In the navigation pane, select **Preferences setup** > **Power BI reports**.
+
+2. Click **Create dashboard**. This opens up a new tab in your browser and loads the Power BI service with data from your organization.
+
+ 
+
+ >[!NOTE]
+ >Loading your data in the Power BI service can take a few minutes.
+
+3. If this is the first time you’re using Power BI with Windows Defender ATP, you’ll need to sign in and give consent to Windows Defender ATP Power BI app. By providing consent, you’re allowing Windows Defender ATP Power BI to sign in and read your profile, and access your data.
+
+ 
+
+4. Click **Accept**. Power BI service will start downloading your Windows Defender ATP data from Microsoft Graph.
+
+When the dashboard is ready, you’ll get a notification within the Power BI website. Use the link in the portal to the Power BI console after creating the dashboard.
+
+For more information, see [Create a Power BI dashboard from a report](https://powerbi.microsoft.com/en-us/documentation/powerbi-service-create-a-dashboard/).
+
+## Build a custom Windows Defender ATP dashboard in Power BI Desktop
+You can create a custom dashboard in Power BI Desktop to create visualizations that cater to the specific views that your organization requires.
+
+### Before you begin
+1. Make sure you use Power BI Desktop June 2017 and above. [Download the latest version](https://powerbi.microsoft.com/en-us/desktop/).
+
+2. In the Windows Defender ATP portal navigation pane, select **Preferences setup** > **Power BI reports**.
+
+3. Click **Download connector** to download the WDATPPowerBI.zip file and extract it.
+
+ 
+
+4. Create a new directory `Microsoft Power BI Desktop\Custom Connectors` under the user's Documents folder.
+
+5. Copy WDATPDataConnector.mez from the zip to the directory you just created.
+
+6. Open Power BI Desktop.
+
+7. Click **File** > **Options and settings** > **Custom data connectors**.
+
+8. Select **New table and matrix visuals** and **Custom data connectors** and click **OK**.
+
+ 
+
+9. Restart Power BI Desktop.
+
+## Customize the Windows Defender ATP Power BI dashboard
+After completing the steps in the Before you begin section, you can proceed with building your custom dashboard.
+
+1. Open WDATPPowerBI.pbit from the zip with Power BI Desktop.
+
+2. If this is the first time you’re using Power BI with Windows Defender ATP, you’ll need to sign in and give consent to Windows Defender ATP Power BI app. By providing consent, you’re allowing Windows Defender ATP Power BI to sign in and read your profile, and access your data.
+
+ 
+
+3. Click **Accept**. Power BI Desktop will start downloading your Windows Defender ATP data from Microsoft Graph. When all data has been downloaded, you can proceed to customize your reports.
+
+## Mashup Windows Defender ATP data with other data sources
+You can use Power BI Desktop to analyse data from Windows Defender ATP and mash that data up with other data sources to gain better security perspective in your organization.
+
+1. In Power BI Desktop, in the Home ribbon, click **Get data** and search for **Windows Defender Advanced Threat Protection**.
+
+ 
+
+2. Click **Connect**.
+
+3. On the Preview Connector windows, click **Continue**.
+
+ 
+
+4. If this is the first time you’re using Power BI with Windows Defender ATP, you’ll need to sign in and give consent to Windows Defender ATP Power BI app. By providing consent, you’re allowing Windows Defender ATP Power BI to sign in and read your profile, and access your data.
+
+ 
+
+5. Click **Accept**. Power BI Desktop will start downloading your Windows Defender ATP data from Microsoft Graph. When all data has been downloaded, you can proceed to customize your reports.
+
+6. In the Navigator dialog box, select the Windows Defender ATP feeds you'd like to download and use in your reports and click Load. Data will start to be downloaded from the Microsoft Graph.
+
+ 
+
+7. Load other data sources by clicking **Get data item** in the Home ribbon, and select another data source.
+
+8. Add visuals and select fields from the available data sources.
+
+## Related topics
+- [Update general settings in Windows Defender ATP](general-settings-windows-defender-advanced-threat-protection.md)
+- [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advanced-threat-protection.md)
+- [Turn on the preview experience in Windows Defender ATP](preview-settings-windows-defender-advanced-threat-protection.md)
+- [Configure email notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md)
+- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
+- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
+
+
+
+
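Review bot: In "Mashup Windows Defender ATP data with other data sources", step 5 says the data is downloaded and "you can proceed to customize your reports", but step 6 is where the reader selects feeds in the Navigator and clicks Load, after which "Data will start to be downloaded". Step 5 looks copied from step 3 of the Customize section and should stop at "Click **Accept**." In the same list, step 7 says **Get data item** where step 1 says **Get data**, and "Load" in step 6 is not bolded like the other UI labels. In "Before you begin", step 7 navigates to **Custom data connectors** and step 8 then asks the reader to select **Custom data connectors** as an option, so one of the two labels is probably wrong. The three consent steps say the app can "sign in and read your profile, and access your data" without stating which Windows Defender ATP data that covers; an admin approving the consent would want that spelled out. Front matter uses `localizationpriority` where sibling topics use `ms.localizationpriority`, and the file ends with four empty lines that can be dropped.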
diff --git a/windows/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md
index 68be48aa4f..e3960714e7 100644
--- a/windows/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md
@@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
+ms.date: 09/05/2017
---
# PowerShell code examples for the custom threat intelligence API
@@ -22,6 +23,8 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+[!include[Prerelease information](prerelease.md)]
+
This article provides PowerShell code examples for using the custom threat intelligence API.
These code examples demonstrate the following tasks:
diff --git a/windows/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md
index 66b0319b67..beade9fba5 100644
--- a/windows/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md
@@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
+ms.date: 09/05/2017
---
# Configure Windows Defender ATP preferences settings
@@ -21,6 +22,8 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+[!include[Prerelease information](prerelease.md)]
+
Use the **Preferences setup** menu to modify general settings, advanced features, enable the preview experience, email notifications, and the custom threat intelligence feature.
## In this section
@@ -33,3 +36,4 @@ Topic | Description
[Configure email notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md) | Enables you to configure and identify a group of individuals who will immediately be informed of new alerts through email notifications.
[Enable SIEM integration](enable-siem-integration-windows-defender-advanced-threat-protection.md) | Enable security information and event management (SIEM) integration to pull alerts from the Windows Defender ATP portal using your SIEM solution.
[Enable Threat intel API](enable-custom-ti-windows-defender-advanced-threat-protection.md) | Before you can create custom threat intelligence (TI) using REST API, you'll need to set up the custom threat intelligence application.
+[Create and build Power BI reports](powerbi-reports-windows-defender-advanced-threat-protection.md) | Get security insights by creating and building Power BI dashboards using data from Windows Defender ATP and other data sources.
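Review bot: The new Power BI row is not reflected in the topic's intro sentence ("Use the **Preferences setup** menu to modify general settings, advanced features, enable the preview experience, email notifications, and the custom threat intelligence feature"), which is meant to enumerate what the table covers. Add Power BI reports there so the intro and the table agree.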
diff --git a/windows/threat-protection/windows-defender-atp/prerelease.md b/windows/threat-protection/windows-defender-atp/prerelease.md
new file mode 100644
index 0000000000..315e4f96d8
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/prerelease.md
@@ -0,0 +1,3 @@
+>[!IMPORTANT]
+
+>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
\ No newline at end of file
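Review bot: The empty added line between `>[!IMPORTANT]` and `>Some information relates to ...` splits the quote into two blocks, so the alert marker is separated from its text. The NOTE in powerbi-reports in this same commit puts the marker and the text on consecutive `>` lines, and this file should do the same. Since every topic in the commit includes this file, the rendering problem would show on all of them. Also consider "prerelease product that may be" for the wording, and add a trailing newline.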
diff --git a/windows/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md
index 8a3c2389d9..ec38ff1fd1 100644
--- a/windows/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md
@@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
+ms.date: 09/05/2017
---
# Turn on the preview experience in Windows Defender ATP
@@ -21,6 +22,8 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+[!include[Prerelease information](prerelease.md)]
+
Turn on the preview experience setting to be among the first to try upcoming features.
1. In the navigation pane, select **Preferences setup** > **Preview experience**.
@@ -32,3 +35,4 @@ Turn on the preview experience setting to be among the first to try upcoming fea
- [Configure email notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md)
- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
+- [Create and build Power BI reports](powerbi-reports-windows-defender-advanced-threat-protection.md)
diff --git a/windows/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
index 4347ed4f8c..096f49bab4 100644
--- a/windows/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
@@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
+ms.date: 09/05/2017
---
# Windows Defender ATP preview features
@@ -22,6 +23,7 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+[!include[Prerelease information](prerelease.md)]
The Windows Defender ATP service is constantly being updated to include new feature enhancements and capabilities.
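Review bot: The include is added on its own here, whereas most of the other topics in this commit add the include followed by an empty line. Add the empty line so the prerelease notice is not run together with the paragraph that follows it. The python-example and respond-file hunks have the same one-line form.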
@@ -35,4 +37,34 @@ Turn on the preview experience setting to be among the first to try upcoming fea
2. Toggle the setting between **On** and **Off** and select **Save preferences**.
## Preview features
-There are currently no preview only features.
+The following features are included in the preview release:
+
+- [Configure non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
+You can now onboard VDI machines to the Windows Defender ATP service.
+
+- [Configure server endpoints](configure-server-endpoints-windows-defender-advanced-threat-protection.md)
+Windows Defender ATP supports the onboarding of the following servers:
+ - Windows Server 2012 R2
+ - Windows Server 2016
+
+- [View the Windows Defender ATP Security analytics dashboard](security-analytics-dashboard-windows-defender-advanced-threat-protection.md)
+The Security Analytics dashboard expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place.
+
+- [Restrict app execution](respond-machine-alerts-windows-defender-advanced-threat-protection.md#restrict-app-execution)
+You can lock down a device and prevent subsequent attempts of potentially malicious programs from running.
+
+- [Run Windows Defender Antivirus scan on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md#run-windows-defender-antivirus-scan-on-machines)
+As part of the investigation or response process, you can remotely initiate an antivirus scan to help identify and remediate malware that might be present on a compromised machine.
+
+- [Manage machine group and tags](respond-machine-alerts-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags)
+Machine group and tags support proper mapping of the network, enabling you to attach different tags to machines to capture context and to enable dynamic groups creation as part of an incident.
+
+- [Create and build Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)
+Windows Defender ATP supports the use of Power BI data connectors to enable you to connect and access Windows Defender ATP data using Microsoft Graph.
+
+- [Use the Windows Defender ATP exposed APIs](exposed-apis-windows-defender-advanced-threat-protection.md)
+ Windows Defender ATP exposes much of the available data and actions using a set of programmatic APIs that are part of the Microsoft Intelligence Security Graph. Those APIs will enable you, to automate workflows and innovate based on Windows Defender ATP capabilities.
+
+
+
+
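Review bot: In the last bullet, "Those APIs will enable you, to automate workflows" has a stray comma after "you", and its description line is indented by a space while the other descriptions start at the margin, so the items may render inconsistently. The Security analytics item capitalizes "Security Analytics dashboard" in the description but not in the link text; pick one. The three empty lines added at the end of the file can be dropped.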
diff --git a/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md
index 38e72858dc..ebf7206b49 100644
--- a/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md
@@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
+ms.date: 09/05/2017
---
# Pull Windows Defender ATP alerts using REST API
@@ -22,6 +23,8 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+[!include[Prerelease information](prerelease.md)]
+
Windows Defender ATP supports the OAuth 2.0 protocol to pull alerts from the portal.
In general, the OAuth 2.0 protocol supports four types of flows:
diff --git a/windows/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md
index d9602489d5..607ab8d422 100644
--- a/windows/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md
@@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
+ms.date: 09/05/2017
---
# Python code examples for the custom threat intelligence API
@@ -22,6 +23,7 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+[!include[Prerelease information](prerelease.md)]
## Before you begin
You must [install](http://docs.python-requests.org/en/master/user/install/#install) the "[requests](http://docs.python-requests.org/en/master/)" python library.
diff --git a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
index 7f69b9369f..328a0ff719 100644
--- a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
@@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
+ms.date: 09/05/2017
---
# Take response actions on a file
@@ -22,6 +23,7 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+[!include[Prerelease information](prerelease.md)]
Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files, you can check activity details on the Action center.
@@ -33,29 +35,29 @@ You can also submit files for deep analysis to run the file in a secure cloud sa
## Stop and quarantine files in your network
You can contain an attack in your organization by stopping the malicious process and quarantine the file where it was observed.
-The **Stop & Quarantine File** action includes stopping running processes, quarantining the files, and deleting persistency such as registry keys.
+The **Stop and Quarantine File** action includes stopping running processes, quarantining the files, and deleting persistency such as registry keys.
The action takes effect on machines with the latest Windows 10, version 1703 where the file was observed in the last 30 days.
### Stop and quarantine files
1. Select the file you want to stop and quarantine. You can select a file from any of the following views or use the Search box:
- - **Alerts** - click the corresponding links from the Description or Details in the Alert timeline
+ - **Alerts** - click the corresponding links from the Description or Details in the Artifact timeline
- **Search box** - select File from the drop–down menu and enter the file name
-2. Open the **Actions menu** and select **Stop & Quarantine File**.
+2. Open the **Actions menu** and select **Stop and Quarantine File**.

-3. Type a comment (optional), and select **Yes** to take action on the file. The comment will be saved in the Action center for reference.
+3. Type a comment and select **Yes, stop and quarantine** to take action on the file.
+ 
The Action center shows the submission information:

- - **Submission time** - Shows when the action was submitted.
- - **Submitting user** - Shows who submitted the action on the file. You can view the comments provided by the user by selecting the information icon.
- - **Pending** - Shows the number of machines where the file is yet to be stopped and quarantined from. This can take time for cases when the machine is offline or not connected to the network.
- - **Success** - Shows the number of machines where the file has been stopped and quarantined.
- - **Failed** - Shows the number of machines where the action failed and details about the failure.
+ - **Submission time** - Shows when the action was submitted.
+ - **Success** - Shows the number of machines where the file has been stopped and quarantined.
+ - **Failed** - Shows the number of machines where the action failed and details about the failure.
+ - **Pending** - Shows the number of machines where the file is yet to be stopped and quarantined from. This can take time for cases when the machine is offline or not connected to the network.
4. Select any of the status indicators to view more information about the action. For example, select **Failed** to see where the action failed.
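Review bot: Step 3 of "Stop and quarantine files" still asks the analyst to type a comment, but this hunk drops both "The comment will be saved in the Action center for reference" and the **Submitting user** bullet, so the page no longer says where that comment or the submitting account can be seen afterwards. For an action that stops and quarantines a file across machines, that audit trail matters: either keep the **Submitting user** bullet (the block-file section further down keeps it) or state where the comment is recorded. Also say explicitly whether the comment is now required, since "(optional)" was removed without replacement.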
@@ -104,14 +106,17 @@ This feature is designed to prevent suspected malware (or potentially malicious

-3. Type a comment (optional) and select **Yes** to take action on the file.
-The Action center shows the submission information:
- 
+3. Type a comment and select **Yes, block file** to take action on the file.
+
+
+ The Action center shows the submission information:
+
+ 
- **Submission time** - Shows when the action was submitted.
- - **Submitting user** - Shows who submitted the action on the file. You can view the comments provided by the user by selecting the information icon.
- - **Status** - Indicates whether the file was added to or removed from the blacklist.
+ - **Submitting user** - Shows who submitted the action on the file. You can view the comments provided by the user by selecting the information icon.
+ - **Status** - Indicates whether the file was added to or removed from the blacklist.
When the file is blocked, there will be a new event in the machine timeline.
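Review bot: The re-indented **Status** bullet still says "added to or removed from the blacklist", while the headings and menu items on this page call it the "blocked list" ("Remove file from blocked list"); since the line is being touched anyway, align the term. The hunk also adds two consecutive blank lines after step 3 where one is enough. This section keeps the **Submitting user** bullet that the stop-and-quarantine section just removed, so the two Action center descriptions now disagree on what is shown.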
@@ -130,9 +135,9 @@ For prevalent files in the organization, a warning is shown before an action is
### Remove file from blocked list
1. Select the file you want to remove from the blocked list. You can select a file from any of the following views or use the Search box:
- - **Alerts** - Click the file links from the Description or Details in the Alert timeline
- - **Machines list** - Click the file links in the Description or Details columns in the Observed on machine section
- - **Search box** - Select File from the drop–down menu and enter the file name
+ - **Alerts** - Click the file links from the Description or Details in the Artifact timeline
+ - **Machines list** - Click the file links in the Description or Details columns in the Observed on machine section
+ - **Search box** - Select File from the drop–down menu and enter the file name
2. Open the **Actions** menu and select **Remove file from blocked list**.
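Review bot: The re-indented **Search box** bullet keeps the en dash in "drop–down"; the machine topic in this same change writes "drop-down" with a plain hyphen, so fix it while the line is being rewritten. The **Alerts** bullet now points to the "Artifact timeline"; please confirm that is the label shown in the portal and that no screenshot or cross-reference in this file still says "Alert timeline".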
@@ -175,7 +180,7 @@ When the sample is collected, Windows Defender ATP runs the file in is a secure
**Submit files for deep analysis:**
1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the following views:
- - Alerts - click the file links from the **Description** or **Details** in the Alert timeline
+ - Alerts - click the file links from the **Description** or **Details** in the Artifact timeline
- **Machines list** - click the file links from the **Description** or **Details** in the **Machine in organization** section
- Search box - select **File** from the drop–down menu and enter the file name
2. In the **Deep analysis** section of the file view, click **Submit**.
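Review bot: In the deep analysis list the changed line leaves "Alerts" unbolded, and the neighbouring "Search box" is unbolded too, while **Machines list** between them is bold and the other procedures in this file bold all three view names; bold them here for consistency. The hunk header context also shows "runs the file in is a secure", which looks like a leftover word ("in is a") worth fixing in the same pass.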
@@ -229,4 +234,4 @@ HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
> If the value *AllowSampleCollection* is not available, the client will allow sample collection by default.
## Related topics
-– [Take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md)
+- [Take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md)
diff --git a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md
index 3c8baf58e6..0879c73c17 100644
--- a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md
@@ -1,7 +1,7 @@
---
title: Take response actions on a machine in Windows Defender ATP
-description: Take response actions on a machine by isolating machines, collecting an investigation package, and checking activity details.
-keywords: respond, isolate, isolate machine, collect investigation package, action center
+description: Take response actions on a machine such as isolating machines, collecting an investigation package, managing tags, running av scan, and restricting app execution.
+keywords: respond, isolate, isolate machine, collect investigation package, action center, restrict, manage tags, av scan, restrict app
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
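Review bot: The new `description` says "running av scan", lower-case and without an article, in front matter that describes the topic to readers; write "running an antivirus scan" to match the body heading "Run Windows Defender Antivirus scan on machines". The added keywords "restrict" and "restrict app" overlap; one of them plus "app restriction" would cover the same searches.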
@@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
+ms.date: 09/05/2017
---
# Take response actions on a machine
@@ -22,59 +23,60 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+[!include[Prerelease information](prerelease.md)]
Quickly respond to detected attacks by isolating machines or collecting an investigation package. After taking action on machines, you can check activity details on the Action center.
>[!NOTE]
> These response actions are only available for machines on Windows 10, version 1703.
-## Isolate machines from the network
-Depending on the severity of the attack and the sensitivity of the machine, you might want to isolate the machine from the network. This action can help prevent the attacker from controlling the compromised machine and performing further activities such as data exfiltration and lateral movement.
+## Manage machine group and tags
+Machine group and tags support proper mapping of the network, enabling you to attach different tags to machines to capture context and to enable dynamic groups creation as part of an incident.
-This machine isolation feature disconnects the compromised machine from the network while retaining connectivity to the Windows Defender ATP service, which continues to monitor the machine.
+Machine related properties are being extended to account for:
->[!NOTE]
->You’ll be able to reconnect the machine back to the network at any time.
+- Group affiliation
+- Dynamic context capturing
-1. Select the machine that you want to isolate. You can select or search for a machine from any of the following views:
- - **Dashboard** - Select the machine name from the Top machines with active alerts section.
- - **Alerts queue** - Select the machine name beside the machine icon from the alerts queue.
- - **Machines list** - Select the machine name from the list of machines.
- - **Search box** - Select Machine from the drop-down menu and enter the machine name.
-2. Open the **Actions** menu and select **Isolate machine**.
+### Group machines
+Machine group affiliation can represent geographic location, specific activity, importance level and others. Grouping machines with similar attributes can be handy when you need to apply contextual action on a specific list of machines. After creating groups, you can apply the Group filter on the Machines list to get a narrowed list of machines.
- 
+Machine group is defined in the following registry key entry of the machine:
-3. Type a comment (optional) and select **Yes** to take action on the machine.
- >[!NOTE]
- >The machine will remain connected to the Windows Defender ATP service even if it is isolated from the network.
+- Registry key: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\`
+- Registry key value (string): Group
- The Action center shows the submission information:
- 
- - **Submission time** - Shows when the isolation action was submitted.
- - **Submitting user** - Shows who submitted the action on the machine. You can view the comments provided by the user by selecting the information icon.
- - **Status** - Indicates any pending actions or the results of completed actions.
+### Set standard tags on machines
+Dynamic context capturing is achieved using tags. By tagging machines, you can keep track of individual machines in your organization. After adding tags on machines, you can apply the Tags filter on the Machines list to get a narrowed list of machines with the tag.
-When the isolation configuration is applied, there will be a new event in the machine timeline.
+1. Select the machine that you want to manage tags on. You can select or search for a machine from any of the following views:
-**Notification on machine user**:
-When a machine is being isolated, the following notification is displayed to inform the user that the machine is being isolated from the network:
+ - **Security operations dashboard** - Select the machine name from the Top machines with active alerts section.
+ - **Alerts queue** - Select the machine name beside the machine icon from the alerts queue.
+ - **Machines list** - Select the machine name from the list of machines.
+ - **Search box** - Select Machine from the drop-down menu and enter the machine name.
-
+ You can also get to the alert page through the file and IP views.
-## Undo machine isolation
-Depending on the severity of the attack and the state of the machine you can choose to release the machine isolation after you have verified that the compromised machine has been remediated.
+2. Open the **Actions** menu and select **Manage tags**.
-1. Select a machine that was previously isolated.
+ 
-2. Open the **Actions** menu and select **Undo machine isolation**.
+3. Enter tags on the machine. To add more tags, click the + icon.
+4. Click **Save and close**.
- 
+ 
+
+ Tags are added to the machine view and will also be reflected on the **Machines list** view. You can then use the **Tags** or **Groups** filter to see the relevant list of machines.
+
+### Manage machine tags
+You can manage tags from the Actions button or by selecting a machine from the Machines list and opening the machine details panel.
+
+
-3. Type a comment (optional) and select **Yes** to take action on the file. The machine will be reconnected to the network.
## Collect investigation package from machines
As part of the investigation or response process, you can collect an investigation package from a machine. By collecting the investigation package, you can identify the current state of the machine and further understand the tools and techniques used by the attacker.
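Review bot: In step 1 of "Set standard tags on machines", the added sentence "You can also get to the alert page through the file and IP views" does not fit a step about selecting a machine; it presumably means the machine page, so correct it or drop it. Under "Group machines", the registry entry names the string value `Group` but not what data it should hold or how it is expected to be set, and a value under `HKLM\SOFTWARE\Policies` needs that guidance. The unchanged intro line "Quickly respond to detected attacks by isolating machines or collecting an investigation package" should also be extended, since the topic now opens with tags and adds scan and app restriction.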
@@ -83,35 +85,40 @@ You can download the package (Zip file) and investigate the events that occurred
The package contains the following folders:
-Folder | Description
-:---|:---
-Autoruns | Contains a set of files that each represent the content of the registry of a known auto start entry point (ASEP) to help identify attacker’s persistency on the machine. NOTE: If the registry key is not found, the file will contain the following message: “ERROR: The system was unable to find the specified registry key or value.”
-Installed programs | This .CSV file contains the list of installed programs that can help identify what is currently installed on the machine. For more information, see [Win32_Product class](https://go.microsoft.com/fwlink/?linkid=841509).
-Network connections | This folder contains a set of data points related to the connectivity information which can help in identifying connectivity to suspicious URLs, attacker’s command and control (C&C) infrastructure, any lateral movement, or remote connections. - ActiveNetworkConnections.txt – Displays protocol statistics and current TCP/IP network connections. Provides the ability to look for suspicious connectivity made by a process. - Arp.txt – Displays the current address resolution protocol (ARP) cache tables for all interfaces. ARP cache can reveal additional hosts on a network that have been compromised or suspicious systems on the network that night have been used to run an internal attack. - Dnscache.txt - Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. This can help in identifying suspicious connections. - Ipconfig.txt – Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections.
-Prefetch files | Windows Prefetch files are designed to speed up the application startup process. It can be used to track all the files recently used in the system and find traces for applications that might have been deleted but can still be found in the prefetch file list. - Prefetch folder – Contains a copy of the prefetch files from `%SystemRoot%\Prefetch`. NOTE: It is suggested to download a prefetch file viewer to view the prefetch files. - PrefetchFilesList.txt – Contains the list of all the copied files which can be used to track if there were any copy failures to the prefetch folder.
-Processes | Contains a .CSV file listing the running processes which provides the ability to identify current processes running on the machine. This can be useful when identifying a suspicious process and its state.
-Scheduled tasks | Contains a .CSV file listing the scheduled tasks which can be used to identify routines performed automatically on a chosen machine to look for suspicious code which was set to run automatically.
-Security event log | Contains the security event log which contains records of login or logout activity, or other security-related events specified by the system's audit policy. NOTE: Open the event log file using Event viewer.
-Services | Contains the services.txt file which lists services and their states.
-Windows Server Message Block (SMB) sessions | Lists shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network. This can help identify data exfiltration or lateral movement. Contains files for SMBInboundSessions and SMBOutboundSession. NOTE: If the file contains the following message: “ERROR: The system was unable to find the specified registry key or value.”, it means that there were no SMB sessions of this type (inbound or outbound).
-Temp Directories | Contains a set of text files that lists the files located in %Temp% for every user in the system. This can help to track suspicious files that an attacker may have dropped on the system. NOTE: If the file contains the following message: “The system cannot find the path specified”, it means that there is no temp directory for this user, and might be because the user didn’t log in to the system.
-Users and Groups | Provides a list of files that each represent a group and its members.
-CollectionSummaryReport.xls | This file is a summary of the investigation package collection, it contains the list of data points, the command used to extract the data, the execution status, and the error code in case of failure. You can use this report to track if the package includes all the expected data and identify if there were any errors.
+| Folder | Description |
+|:--------------------------------------------|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Autoruns | Contains a set of files that each represent the content of the registry of a known auto start entry point (ASEP) to help identify attacker’s persistency on the machine. NOTE: If the registry key is not found, the file will contain the following message: “ERROR: The system was unable to find the specified registry key or value.” |
+| Installed programs | This .CSV file contains the list of installed programs that can help identify what is currently installed on the machine. For more information, see [Win32_Product class](https://go.microsoft.com/fwlink/?linkid=841509). |
+| Network connections | This folder contains a set of data points related to the connectivity information which can help in identifying connectivity to suspicious URLs, attacker’s command and control (C&C) infrastructure, any lateral movement, or remote connections. - ActiveNetworkConnections.txt – Displays protocol statistics and current TCP/IP network connections. Provides the ability to look for suspicious connectivity made by a process. - Arp.txt – Displays the current address resolution protocol (ARP) cache tables for all interfaces. ARP cache can reveal additional hosts on a network that have been compromised or suspicious systems on the network that night have been used to run an internal attack. - Dnscache.txt - Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. This can help in identifying suspicious connections. - Ipconfig.txt – Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections. |
+| Prefetch files | Windows Prefetch files are designed to speed up the application startup process. It can be used to track all the files recently used in the system and find traces for applications that might have been deleted but can still be found in the prefetch file list. - Prefetch folder – Contains a copy of the prefetch files from `%SystemRoot%\Prefetch`. NOTE: It is suggested to download a prefetch file viewer to view the prefetch files. - PrefetchFilesList.txt – Contains the list of all the copied files which can be used to track if there were any copy failures to the prefetch folder. |
+| Processes | Contains a .CSV file listing the running processes which provides the ability to identify current processes running on the machine. This can be useful when identifying a suspicious process and its state. |
+| Scheduled tasks | Contains a .CSV file listing the scheduled tasks which can be used to identify routines performed automatically on a chosen machine to look for suspicious code which was set to run automatically. |
+| Security event log | Contains the security event log which contains records of login or logout activity, or other security-related events specified by the system's audit policy. NOTE: Open the event log file using Event viewer. |
+| Services | Contains the services.txt file which lists services and their states. |
+| Windows Server Message Block (SMB) sessions | Lists shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network. This can help identify data exfiltration or lateral movement. Contains files for SMBInboundSessions and SMBOutboundSession. NOTE: If the file contains the following message: “ERROR: The system was unable to find the specified registry key or value.”, it means that there were no SMB sessions of this type (inbound or outbound). |
+| Temp Directories | Contains a set of text files that lists the files located in %Temp% for every user in the system. This can help to track suspicious files that an attacker may have dropped on the system. NOTE: If the file contains the following message: “The system cannot find the path specified”, it means that there is no temp directory for this user, and might be because the user didn’t log in to the system. |
+| Users and Groups | Provides a list of files that each represent a group and its members. |
+| CollectionSummaryReport.xls | This file is a summary of the investigation package collection, it contains the list of data points, the command used to extract the data, the execution status, and the error code in case of failure. You can use this report to track if the package includes all the expected data and identify if there were any errors. |
1. Select the machine that you want to investigate. You can select or search for a machine from any of the following views:
- - **Dashboard** - Select the machine name from the Top machines with active alerts section.
- - **Alerts queue** - Select the machine name beside the machine icon from the alerts queue.
- - **Machines list** - Select the heading of the machine name from the machines list.
- - **Search box** - Select Machine from the drop-down menu and enter the machine name.
+ - **Security operations dashboard** - Select the machine name from the Top machines with active alerts section.
+ - **Alerts queue** - Select the machine name beside the machine icon from the alerts queue.
+ - **Machines list** - Select the heading of the machine name from the machines list.
+ - **Search box** - Select Machine from the drop-down menu and enter the machine name.
2. Open the **Actions** menu and select **Collect investigation package**.
+ 
+
+3. Type a comment and select **Yes, collect package** to take action on the machine.
+
+ 
+
The Action center shows the submission information:
- 
+ 
- **Submission time** - Shows when the action was submitted.
- - **Submitting user** - Shows who submitted the action on the file. You can view the comments provided by the user by selecting the information icon.
- **Status** - Indicates if the package was successfully collected from the network. When the collection is complete, you can download the package.
3. Select **Package available** to download the package.
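Review bot: The procedure now has two steps numbered 3: the added "3. Type a comment and select **Yes, collect package**" and the existing "3. Select **Package available** to download the package", which should become step 4. The reflowed table also carries over the typo "that night have been used" in the Network connections row (should be "might"). With the **Submitting user** bullet removed, the page no longer says where the comment typed in the new step can be read.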
@@ -122,8 +129,152 @@ CollectionSummaryReport.xls | This file is a summary of the investigation packag
You can also search for historical packages in the machine timeline.
+## Run Windows Defender Antivirus scan on machines
+As part of the investigation or response process, you can remotely initiate an antivirus scan to help identify and remediate malware that might be present on a compromised machine.
+
+>[!NOTE]
+> A Windows Defender Antivirus (Windows Defender AV) scan can run alongside other antivirus solutions, whether Windows Defender AV is the active antivirus solution or not.
+
+1. Select the machine that you want to run the scan on. You can select or search for a machine from any of the following views:
+
+ - **Security operations dashboard** - Select the machine name from the Top machines with active alerts section.
+ - **Alerts queue** - Select the machine name beside the machine icon from the alerts queue.
+ - **Machines list** - Select the machine name from the list of machines.
+ - **Search box** - Select Machine from the drop-down menu and enter the machine name.
+2. Open the **Actions** menu and select **Run antivirus scan**.
+
+ 
+
+3. Select the scan type that you'd like to run. You can choose between a quick or a full scan.
+
+ 
+
+
+4. Type a comment and select **Yes, run scan** to start the scan.
+
+ The Action center shows the scan information:
+
+ 
+
+ - **Submission time** - Shows when the isolation action was submitted.
+ - **Status** - Indicates any pending actions or the results of completed actions.
+
+The machine timeline will include a new event, reflecting that a scan action was submitted on the machine. Windows Defender AV alerts will reflect any detections that surfaced during the scan.
+
+## Restrict app execution
+In addition to the ability of containing an attack by stopping malicious processes, you can also lock down a device and prevent subsequent attempts of potentially malicious programs from running.
+
+The action to restrict an application from running applies a code integrity policy that only allows running of files that are signed by a Microsoft issued certificate. This method of restriction can help prevent an attacker from controlling compromised machines and performing further malicious activities.
+
+>[!NOTE]
+>You’ll be able to reverse the restriction of applications from running at any time.
+
+1. Select the machine where you'd like to restrict an application from running from. You can select or search for a machine from any of the following views:
+
+ - **Security operations dashboard** - Select the machine name from the Top machines with active alerts section.
+ - **Alerts queue** - Select the machine name beside the machine icon from the alerts queue.
+ - **Machines list** - Select the machine name from the list of machines.
+ - **Search box** - Select Machine from the drop-down menu and enter the machine name.
+
+2. Open the **Actions** menu and select **Restrict app execution**.
+
+ 
+
+3. Type a comment and select **Yes, restict app execution** to take action on the file.
+
+ 
+
+ The Action center shows the submission information:
+ 
+
+
+ - **Submission time** - Shows when the isolation action was submitted.
+ - **Status** - Indicates any pending actions or the results of completed actions.
+
+When the application execution restriction configuration is applied, a new event is reflected in the machine timeline.
+
+
+**Notification on machine user**:
+When an app is restricted, the following notification is displayed to inform the user that an app is being restricted from running:
+
+
+
+## Remove app restriction
+Depending on the severity of the attack and the state of the machine, you can choose to reverse the restriction of applications policy after you have verified that the compromised machine has been remediated.
+
+1. Select the machine where you restricted an application from running from.
+
+2. Open the **Actions** menu and select **Remove app restrictions**.
+
+ 
+
+3. Type a comment and select **Yes, remove restriction** to take action on the application. The machine application restriction will no longer apply on the machine.
+
+
+## Isolate machines from the network
+Depending on the severity of the attack and the sensitivity of the machine, you might want to isolate the machine from the network. This action can help prevent the attacker from controlling the compromised machine and performing further activities such as data exfiltration and lateral movement.
+
+This machine isolation feature disconnects the compromised machine from the network while retaining connectivity to the Windows Defender ATP service, which continues to monitor the machine.
+
+On Windows 10, version 1710 and above, you'll have additional control over the network isolation level. You can also choose to enable Outlook and Skype for Business connectivity.
+
+>[!NOTE]
+>You’ll be able to reconnect the machine back to the network at any time.
+
+1. Select the machine that you want to isolate. You can select or search for a machine from any of the following views:
+
+ - **Security operations dashboard** - Select the machine name from the Top machines with active alerts section.
+ - **Alerts queue** - Select the machine name beside the machine icon from the alerts queue.
+ - **Machines list** - Select the machine name from the list of machines.
+ - **Search box** - Select Machine from the drop-down menu and enter the machine name.
+
+2. Open the **Actions** menu and select **Isolate machine**.
+
+ 
+
+3. Select the check-box if you'd like to enable Outlook and Skype communication while the machine is isolated.
+
+ 
+
+4. Type a comment and select **Yes, isolate machine** to take action on the machine.
+
+ >[!NOTE]
+ >The machine will remain connected to the Windows Defender ATP service even if it is isolated from the network. If you've chosen to enable Outlook and Skype for Business communication, then you'll be able to communicate to the user while the machine is isolated.
+
+ The Action center shows the submission information:
+ 
+
+ - **Submission time** - Shows when the isolation action was submitted.
+ - **Status** - Indicates any pending actions or the results of completed actions. Additional indications will be provided if you've enabled Outlook and Skype for Business communication.
+
+When the isolation configuration is applied, a new event is reflected in the machine timeline.
+
+**Notification on machine user**:
+When a machine is being isolated, the following notification is displayed to inform the user that the machine is being isolated from the network:
+
+
+
+## Release machine from isolation
+Depending on the severity of the attack and the state of the machine you can choose to release the machine from isolation after you have verified that the compromised machine has been remediated.
+
+1. Select a machine that was previously isolated.
+
+2. Open the **Actions** menu and select **Release from isolation**.
+
+ 
+
+3. Type a comment and select **Yes, release machine** to take action on the machine. The machine will be reconnected to the network.
+
+
## Check activity details in Action center
-The **Action center** provides information on actions that were taken on a machine or file. You’ll be able to view if a machine was isolated and if an investigation package is available from a machine. All related details are also shown, for example, submission time, submitting user, and if the action succeeded or failed.
+The **Action center** provides information on actions that were taken on a machine or file. You’ll be able to view the following details:
+
+- Investigation package collection
+- Antivirus scan
+- App restriction
+- Machine isolation
+
+All other related details are also shown, for example, submission time, submitting user, and if the action succeeded or failed.

diff --git a/windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md
index eef6296540..548e32a5b1 100644
--- a/windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md
@@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
+ms.date: 09/05/2017
---
# Take response actions in Windows Defender ATP
@@ -22,6 +23,8 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+[!include[Prerelease information](prerelease.md)]
+
You can take response actions on machines and files to quickly respond to detected attacks so that you can contain or reduce and prevent further damage caused by malicious attackers in your organization.
@@ -35,7 +38,7 @@ Topic | Description
[Take response actions on a file](respond-file-alerts-windows-defender-advanced-threat-protection.md)| Stop and quarantine files or block a file from your network.
## Related topics
-- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
+- [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
diff --git a/windows/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..4a5e44b615
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,120 @@
+---
+title: View the Security Analytics dashboard in Windows Defender ATP
+description: Use the Security Analytics dashboard to assess and improve the security state of your organization by analyzing various security control tiles.
+keywords: security analytics, dashboard, security recommendations, security control state, security score, score improvement, organizational security score, security coverate, security control, improvement opportunities, edr, antivirus, av, os security updates
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# View the Windows Defender Advanced Threat Protection Security analytics dashboard
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+The Security Analytics dashboard expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place. From there you can take action based on the recommended configuration baselines.
+
+The **Security analytics dashboard** displays a snapshot of:
+- Organizational security score
+- Security coverage
+- Improvement opportunities
+
+
+
+## Organizational security score
+The organization security score is reflective of the average score of all the Windows Defender security controls that are configured according to the recommended baseline. You can improve this score by taking the steps in configuring each of the security controls in the optimal settings.
+
+
+
+Each Windows Defender security control from the **Security coverage** tile contributes 100 points to the organizational security score.
+
+The denominator is reflective of the organizational score potential and calculated by multiplying the number of supported security controls (Security coverage pillars) by the maximum points that each pillar contributes (maximum of 100 points for each pillar).
+
+
+In the example image, the total points from the **Improvement opportunities** tile add up to 279 points for the three pillars from the **Security coverage** tile.
+
+## Security coverage
+The security coverage tile shows a bar graph where each bar represents a Windows Defender security control. Each bar contributes 100 points to the overall organizational security score. It also represents the various Windows 10 security components with an indicator of the total number of machines that are well configured and those that require attention. Hovering on top of the individual bars will show exact numbers for each category.
+
+
+
+
+## Improvement opportunities
+Improve your organizational security score by taking the recommended improvement actions listed on this tile. The goal is to reduce the gap between the perfect score and the current score for each control.
+
+Click on each control to see the recommended optimizations.
+
+
+
+The numbers beside the green triangle icon on each recommended action represents the number of points you can gain by taking the action. When added together, the total number makes up the numerator in the fraction for each segment in the Improvement opportunities tile.
+
+Recommendations that do not display a green action are informational only and no action is required.
+
+Clicking **View machines** in a specific recommendation opens up the **Machines list** with filters applied to show only the list of machines where the the recommendation is applicable. You can export the list in Excel to create a target collection and apply relevant policies using a management solution of your choice.
+
+The following image shows an example list of machines where the EDR sensor is not turned on.
+
+
+
+### Endpoint detection and response (EDR) optimization
+This tile provides a specific list of actions you can take on Windows Defender ATP to improve how endpoints provide sensor data to the Windows Defender ATP service.
+
+You can take the following actions to increase the overall security score of your organization:
+- Turn on sensor
+- Fix sensor data collection
+- Fix impaired communications
+
+For more information, see [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md).
+
+### Windows Defender Antivirus optimization
+This tile provides a list of specific list of actions you can implement on endpoints with Windows Defender Antivirus to improve the security in your organization. Each action shows the exact number of endpoints where you can apply the action on.
+
+You can take the following actions to increase the overall security score of your organization:
+
+>[!NOTE]
+> For the Windows Defender Antivirus properties to show, you'll need to ensure that the Windows Defender Antivirus Cloud-based protection is properly configured on the endpoint.
+
+- Fix antivirus reporting
+ - This recommendation is displayed when the Windows Defender Antivirus is not properly configured to report its health state. For more information on fixing the reporting, see [Configure and validate network connections](../windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md).
+- Turn on antivirus
+- Update antivirus definitions
+- Turn on cloud-based protection
+- Turn on real-time protection
+- Turn on PUA protection
+
+For more information, see [Configure Windows Defender Antivirus](../windows-defender-antivirus/configure-windows-defender-antivirus-features.md).
+
+
+### OS security updates optimization
+This tile shows you the exact number of machines that require the latest security updates. It also shows machines that are running on the latest Windows Insider preview build and serves as a reminder to ensure that users should run the latest builds.
+
+You can take the following actions to increase the overall security score of your organization:
+- Install the latest security updates
+
+For more information on, see [Windows Update Troubleshooter](https://support.microsoft.com/en-us/help/4027322/windows-windows-update-troubleshooter).
+
+## Related topics
+- [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
+- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
+- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
+- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
+- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
+- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
+- [View and organize the Windows Defender ATP Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md)
+- [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md)
+- [Investigate a user account in Windows Defender ATP ](investigate-user-windows-defender-advanced-threat-protection.md)
+- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
+- [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md)
+
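Review bot: The front matter of this new file uses `localizationpriority: high` and has no `ms.author`, while the existing topics touched in this patch use `ms.localizationpriority` and carry `ms.author: macapara`; align the keys with the sibling topics. The link target `fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md` under EDR optimization is spelled "unhealhty"; confirm a file with that exact name exists, otherwise the link breaks. In the Windows Defender Antivirus section the `[!NOTE]` sits between "You can take the following actions" and the list it introduces; move it above that sentence or below the list. The title says "Security Analytics" while the H1 says "Security analytics"; pick one. Text nits: "security coverate" in keywords, "where the the recommendation is applicable", "a list of specific list of actions", "The numbers ... represents", and "For more information on, see".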
diff --git a/windows/threat-protection/windows-defender-atp/security-updates-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/security-updates-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..a6f76a8f46
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/security-updates-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,22 @@
+---
+title:
+description:
+keywords:
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+localizationpriority: high
+---
+
+# Security updates
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
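Review bot: `title:`, `description:` and `keywords:` are empty in the front matter and nothing follows the **Applies to** list, so this file would ship as an empty stub. Either fill in the metadata and the body, or hold the file back until the content is ready. It also has no `ms.date`, which the other topics in this patch receive, and uses `localizationpriority` rather than `ms.localizationpriority`.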
diff --git a/windows/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md
index edd9a3e180..aed38dc020 100644
--- a/windows/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md
@@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
+ms.date: 09/05/2017
---
# Check the Windows Defender Advanced Threat Protection service health
@@ -22,16 +23,18 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+[!include[Prerelease information](prerelease.md)]
+
The **Service health** provides information on the current status of the Window Defender ATP service. You'll be able to verify that the service health is healthy or if there are current issues. If there are issues, you'll see details related to the issue such as when the issue was detected, what the preliminary root cause is, and the expected resolution time.
You'll also see information on historical issues that have been resolved and details such as the date and time when the issue was resolved. When there are no issues on the service, you'll see a healthy status.
-You can view details on the service health by clicking the tile from the **Dashboard** or selecting the **Service health** menu from the navigation pane.
+You can view details on the service health by clicking the tile from the **Security operations dashboard** or selecting the **Service health** menu from the navigation pane.
The **Service health** details page has the following tabs:
- **Current issues**
-- **Status History**
+- **Status history**
## Current issues
The **Current issues** tab shows the current state of the Windows Defender ATP service. When the service is running smoothly a healthy service health is shown. If there are issues seen, the following service details are shown to help you gain better insight about the issue:
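Review bot: The paragraph just above the edited lines still reads "Window Defender ATP service" (missing "s" in "Windows"); since this hunk already touches the surrounding text for the dashboard rename and the "Status history" casing, fix that in the same change.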
diff --git a/windows/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md
index 6dd42769f1..0d217af685 100644
--- a/windows/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md
@@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: DulceMV
ms.localizationpriority: high
+ms.date: 09/05/2017
---
# Windows Defender Advanced Threat Protection settings
@@ -22,6 +23,8 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+[!include[Prerelease information](prerelease.md)]
+
Use the **Settings** menu  to configure the time zone, suppression rules, and view license information.
## Time zone settings
diff --git a/windows/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..108fefc1b7
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,38 @@
+---
+title: Supported Windows Defender Advanced Threat Protection APIs
+description: Learn about the specific supported Windows Defender Advanced Threat Protection entities where you can create API calls to.
+keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Supported Windows Defender ATP APIs
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+Learn more about the individual supported entities where you can run API calls to and details such as HTTP request values, request headers and expected responses.
+
+## In this section
+Topic | Description
+:---|:---
+Actor | Run API calls such as get actor information and get actor related alerts.
+Alerts | Run API calls such as get alerts, alert information by ID, alert related actor information, alert related IP information, and alert related machine information.
+Domain |Run API calls such as get domain related machines, domain related machines, statistics, and check if a domain is seen in your organization.
+File | Run API calls such as get file information, file related alerts, file related machines, and file statistics.
+IP | Run API calls such as get IP related alerts, IP related machines, IP statistics, and check if and IP is seen in your organization.
+Machines | Run API calls such as find machine information by IP, get machines, get machines by ID, information about logged on users, and alerts related to a given machine ID.
+User | Run API calls such as get alert related user information, user information, user related alerts, and user related machines.
+
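Review bot: The Domain row lists "get domain related machines, domain related machines, statistics", which repeats one item and leaves "statistics" dangling; compare the File and IP rows, which say "file statistics" and "IP statistics". The IP row has "check if and IP is seen" (should be "an IP"). None of the entries in the Topic column are links, unlike the "In this section" tables elsewhere in this patch, so readers cannot reach the per-entity pages from here; add the links or state where those pages live. The description "where you can create API calls to" and the body "where you can run API calls to" also read awkwardly.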
diff --git a/windows/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md
index c5cc1addec..f802ef999b 100644
--- a/windows/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md
@@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
+ms.date: 09/05/2017
---
# Understand threat intelligence concepts
@@ -22,6 +23,8 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+[!include[Prerelease information](prerelease.md)]
+
Advanced cybersecurity attacks comprise of multiple complex malicious events, attributes, and contextual information. Identifying and deciding which of these activities qualify as suspicious can be a challenging task. Your knowledge of known attributes and abnormal activities specific to your industry is fundamental in knowing when to call an observed behavior as suspicious.
With Windows Defender ATP, you can create custom threat alerts that can help you keep track of possible attack activities in your organization. You can flag suspicious events to piece together clues and possibly stop an attack chain. These custom threat alerts will only appear in your organization and will flag events that you set it to track.
diff --git a/windows/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md
index 1d8d5a0b52..a7b4331483 100644
--- a/windows/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md
@@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
+ms.date: 09/05/2017
---
# Troubleshoot custom threat intelligence issues
@@ -22,6 +23,7 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+[!include[Prerelease information](prerelease.md)]
You might need to troubleshoot issues while using the custom threat intelligence feature.
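Review bot: No empty line is added after the `[!include[Prerelease information](prerelease.md)]` line here (the hunk is `+23,7`), whereas the other topics in this patch add the include followed by an empty `+` line. Confirm an empty line separates the include from "You might need to troubleshoot issues..." so the two do not run together, and add one if not.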
diff --git a/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
index 8575f7b937..30083255ae 100644
--- a/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
@@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
+ms.date: 09/05/2017
---
# Troubleshoot Windows Defender Advanced Threat Protection onboarding issues
@@ -22,6 +23,8 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+[!include[Prerelease information](prerelease.md)]
+
You might need to troubleshoot the Windows Defender ATP onboarding process if you encounter issues.
This page provides detailed steps to troubleshoot onboarding issues that might occur when deploying with one of the deployment tools and common errors that might occur on the endpoints.
diff --git a/windows/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md
index 0a66cc942d..b04d0fdea3 100644
--- a/windows/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md
@@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
+ms.date: 09/05/2017
---
# Troubleshoot SIEM tool integration issues
@@ -22,6 +23,9 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+[!include[Prerelease information](prerelease.md)]
+
+
You might need to troubleshoot issues while pulling alerts in your SIEM tools.
This page provides detailed steps to troubleshoot issues you might encounter.
diff --git a/windows/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md
index 5bb2935a52..00ddbd8987 100644
--- a/windows/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,9 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
+ms.date: 09/05/2017
---
+
# Troubleshoot Windows Defender Advanced Threat Protection
**Applies to:**
@@ -21,6 +23,8 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+[!include[Prerelease information](prerelease.md)]
+
This section addresses issues that might arise as you use the Windows Defender Advanced Threat service.
### Server error - Access is denied due to invalid credentials
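Review bot: The sentence directly under the new include reads "Windows Defender Advanced Threat service", dropping "Protection" from the product name. It is unchanged context, but worth correcting while this block is being edited.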
diff --git a/windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md
index d4e2d80927..727c6135b0 100644
--- a/windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md
@@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
+ms.date: 09/05/2017
---
# Use the threat intelligence API to create custom alerts
@@ -22,6 +23,8 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+[!include[Prerelease information](prerelease.md)]
+
Understand threat intelligence concepts, then enable the custom threat intelligence application so that you can proceed to create custom threat intelligence alerts that are specific to your organization.
You can use the code examples to guide you in creating calls to the custom threat intelligence API.
diff --git a/windows/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md
index 3c7f06e779..bcd359ef0c 100644
--- a/windows/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md
@@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
+ms.date: 09/05/2017
---
# Use the Windows Defender Advanced Threat Protection portal
@@ -22,9 +23,11 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+[!include[Prerelease information](prerelease.md)]
+
A typical security breach investigation requires a member of a security operations team to:
-1. View an alert on the **Dashboard** or **Alerts queue**
+1. View an alert on the **Security operations dashboard** or **Alerts queue**
2. Review the indicators of compromise (IOC) or indications of attack (IOAs)
3. Review a timeline of alerts, behaviors, and events from the machine
4. Manage alerts, understand the threat or potential breach, collect information to support taking action, and resolve the alert
@@ -33,13 +36,14 @@ A typical security breach investigation requires a member of a security operatio
Security operation teams can use Windows Defender ATP portal to carry out this end-to-end process without having to leave the portal.
-Teams can monitor the overall status of enterprise endpoints from the **Dashboard**, gain insight on the various alerts, their category, when they were observed, and how long they’ve been in the network at a glance.
+Teams can monitor the overall status of enterprise endpoints from the **Security operations dashboard**, gain insight on the various alerts, their category, when they were observed, and how long they’ve been in the network at a glance.
### In this section
Topic | Description
:---|:---
-[View the Dashboard](dashboard-windows-defender-advanced-threat-protection.md) | The Windows Defender ATP **Dashboard** provides a snapshot of your network. You can view aggregates of alerts, the overall status of the service of the endpoints on your network, investigate machines, files, and URLs, and see snapshots of threats seen on machines.
+[View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md) | The Windows Defender ATP **Security operations dashboard** provides a snapshot of your network. You can view aggregates of alerts, the overall status of the service of the endpoints on your network, investigate machines, files, and URLs, and see snapshots of threats seen on machines.
+[View the Windows Defender Advanced Threat Protection Security analytics dashboard](security-analytics-dashboard-windows-defender-advanced-threat-protection.md) | The **Security Analytics dashboard** expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place.
[View and organize the Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) | You can sort and filter alerts across your network, and drill down on individual alert queues such as new, in progress, or resolved queues.
[Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)| Investigate alerts in Windows Defender ATP which might indicate possible security breaches on endpoints in your organization.
[Investigate files](investigate-files-windows-defender-advanced-threat-protection.md) | Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach.
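Review bot: The added Security analytics row spells the name two ways, "Security analytics dashboard" in the link text and "**Security Analytics dashboard**" in the description. The new topic's H1 uses lower-case "analytics", so use that in both places. The row above was updated to "The Windows Defender ATP **Security operations dashboard**"; consider the same "The Windows Defender ATP ..." phrasing here for parallel wording.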
diff --git a/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
index 512dd52132..4f308f2bea 100644
--- a/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
@@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
+ms.date: 09/05/2017
---
# Windows Defender Advanced Threat Protection
@@ -22,6 +23,8 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+[!include[Prerelease information](prerelease.md)]
+
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=technet-wd-atp-abovefoldlink1)
>
>For more info about Windows 10 Enterprise Edition features and functionality, see [Windows 10 Enterprise edition](https://www.microsoft.com/WindowsForBusiness/buy).
@@ -95,6 +98,7 @@ Topic | Description
[Use the Windows Defender Advanced Threat Protection portal](use-windows-defender-advanced-threat-protection.md) | Learn about the capabilities of Windows Defender ATP to help you investigate alerts that might be indicators of possible breaches in your enterprise.
[Pull alerts to your SIEM tools](configure-siem-windows-defender-advanced-threat-protection.md) | Learn about pulling alerts from the Windows Defender ATP portal using supported security information and events management (SIEM) tools.
[Use the threat intelligence API to create custom alerts](use-custom-ti-windows-defender-advanced-threat-protection.md) | Understand threat intelligence concepts, then enable the custom threat intelligence application so that you can proceed to create custom threat intelligence alerts that are specific to your organization.
+[Create and build Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md) | Understand the security status of your organization, including the status of machines, alerts, and investigations using the Windows Defender ATP reporting feature that integrates with Power BI.
[Check sensor state](check-sensor-status-windows-defender-advanced-threat-protection.md) | Check the sensor health state on endpoints to verify that they are providing sensor data and communicating with the Windows Defender ATP service.
[Configure Windows Defender ATP preferences settings](preferences-setup-windows-defender-advanced-threat-protection.md) | Use the Preferences setup menu to modify general settings, advanced features, enable the preview experience, email notifications, and the custom threat intelligence feature.
[Windows Defender ATP settings](settings-windows-defender-advanced-threat-protection.md) | Configure time zone settings, suppression rules, and view license information.
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/cfa-notif.png b/windows/threat-protection/windows-defender-exploit-guard/images/cfa-notif.png
index 241c064ed0..62ca8c3021 100644
Binary files a/windows/threat-protection/windows-defender-exploit-guard/images/cfa-notif.png and b/windows/threat-protection/windows-defender-exploit-guard/images/cfa-notif.png differ
diff --git a/windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md
index efab74fbdb..3df7e0ace2 100644
--- a/windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md
+++ b/windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md
@@ -29,7 +29,7 @@ ms.date: 08/25/2017
- Enterprise security administrators
-Windows Defender Exploit Guard (Windows Defender EG) is a new set of host intrusion prevention capabilities for Windows 10, allowing you to manage and reduce the attack surface of the operating system and apps used by your employees.
+Windows Defender Exploit Guard (Windows Defender EG) is a new set of host intrusion prevention capabilities for Windows 10, allowing you to manage and reduce the attack surface of apps used by your employees.
There are four features in Windows Defender EG:
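Review bot: The reworded sentence drops "the operating system and", narrowing the stated scope to apps only while still describing "host intrusion prevention capabilities for Windows 10". Confirm the narrower claim is intended and matches the four feature descriptions that follow. The hunk header shows `ms.date: 08/25/2017` unchanged; if this counts as a content change, update the date as the other topics in this patch do.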
diff --git a/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md b/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md
index 957fc1f33b..f68b1bb523 100644
--- a/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md
+++ b/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md
@@ -9,7 +9,6 @@ ms.pagetype: security
author: eross-msft
ms.localizationpriority: high
---
-
# Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings
**Applies to:**
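Review bot: Removing the empty line between the closing `---` and the H1 is the opposite of what this patch does in troubleshoot-windows-defender-advanced-threat-protection.md, where an empty line is added in that same position. Pick one convention for the separation between front matter and heading and apply it to both files.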