Merge pull request #3655 from MicrosoftDocs/repo_sync_working_branch

Confirm merge from repo_sync_working_branch to master to sync with https://github.com/MicrosoftDocs/windows-itpro-docs (branch public)

windows/application-management/manage-windows-mixed-reality.md

@@ -38,11 +38,10 @@ Organizations that use Windows Server Update Services (WSUS) must take action to
       > [!NOTE]
       > You must download the FOD .cab file that matches your operating system version.
 
-   1. Use `Add-Package` to add Windows Mixed Reality FOD to the image.
+   1. Use `Dism` to add Windows Mixed Reality FOD to the image.
 
       ```powershell
-      Add-Package
-      Dism /Online /add-package /packagepath:(path)
+      Dism /Online /Add-Package /PackagePath:(path)
       ```
       
       > [!NOTE]

windows/client-management/advanced-troubleshooting-boot-problems.md

@@ -220,6 +220,9 @@ If Windows cannot load the system registry hive into memory, you must restore th
 
 If the problem persists, you may want to restore the system state backup to an alternative location, and then retrieve the registry hives to be replaced.
 
+> [!NOTE]
+> Starting in Windows 10, version 1803, Windows no longer automatically backs up the system registry to the RegBack folder.This change is by design, and is intended to help reduce the overall disk footprint size of Windows. To recover a system with a corrupt registry hive, Microsoft recommends that you use a system restore point. For more details, check [this article](https://support.microsoft.com/en-us/help/4509719/the-system-registry-is-no-longer-backed-up-to-the-regback-folder-start).
+
 ## Kernel Phase
 
 If the system gets stuck during the kernel phase, you experience multiple symptoms or receive multiple error messages. These include, but are not limited to, the following:
@@ -392,3 +395,6 @@ If the dump file shows an error that is related to a driver (for example, window
         3. Navigate to C:\Windows\System32\Config\.
         4. Rename the all five hives by appending ".old" to the name.
         5. Copy all the hives from the Regback folder, paste them in the Config folder, and then try to start the computer in Normal mode.
+
+> [!NOTE]
+> Starting in Windows 10, version 1803, Windows no longer automatically backs up the system registry to the RegBack folder.This change is by design, and is intended to help reduce the overall disk footprint size of Windows. To recover a system with a corrupt registry hive, Microsoft recommends that you use a system restore point. For more details, check [this article](https://support.microsoft.com/en-us/help/4509719/the-system-registry-is-no-longer-backed-up-to-the-regback-folder-start).

windows/deployment/update/waas-manage-updates-wufb.md

@@ -119,8 +119,13 @@ A compliance deadline policy (released in June 2019) enables you to set separate
 
 This policy enables you to specify the number of days from an update's publication date that it must be installed on the device. The policy also includes a configurable grace period that specifies the number of days from when the update is installed on the device until the device is forced to restart. This is extremely beneficial in a vacation scenario as it allows, for example, users who have been away to have a bit of time before being forced to restart their devices when they return from vacation.
 
+#### Update Baseline
+The large number of different policies offered for Windows 10 can be overwhelming. Update Baseline provides a clear list of recommended Windows update policy settings for IT administrators who want the best user experience while also meeting their update compliance goals. The Update Baseline for Windows 10 includes policy settings recommendations covering deadline configuration, restart behavior, power policies, and more.
 
+The Update Baseline toolkit makes it easy by providing a single command for IT Admins to apply the Update Baseline to devices. You can get the Update Baseline toolkit from the [Download Center](https://www.microsoft.com/download/details.aspx?id=101056).
 
+>[!NOTE]
+>The Update Baseline toolkit is available only for Group Policy. Update Baseline does not affect your offering policies, whether you’re using deferrals or target version to manage which updates are offered to your devices when.
 
 <!--
 

windows/security/identity-protection/credential-guard/credential-guard-manage.md

@@ -21,7 +21,8 @@ ms.custom:
 # Manage Windows Defender Credential Guard
 
 **Applies to**
--   Windows 10
+-   Windows 10 <=1903 Enterprise and Education SKUs
+-   Windows 10 >=1909
 -   Windows Server 2016
 -   Windows Server 2019
 

windows/security/threat-protection/microsoft-defender-atp/android-intune.md

@@ -31,7 +31,8 @@ device](https://docs.microsoft.com/mem/intune/user-help/enroll-device-android-co
 
 > [!NOTE]
 > **Microsoft Defender ATP for Android is now available on Google Play.**
-You can connect to Google Play from Intune to deploy app across Device Administrator and Android Enterprise entrollment modes. Updates to the app are automatic via Google Play.
+> You can connect to Google Play from Intune to deploy Microsoft Defender ATP app across Device Administrator and Android Enterprise entrollment modes.
+  Updates to the app are automatic via Google Play.
 
 ## Deploy on Device Administrator enrolled devices
 
@@ -40,10 +41,6 @@ Administrator enrolled devices**
 
 This topic describes how to deploy Microsoft Defender ATP for Android on Intune Company Portal - Device Administrator enrolled devices. 
 
-> [!NOTE]
-> If you have already deployed **Preview APK as "Line of Business (LOB)" app**, you need to redeploy by adding new app as "Android store app" 
-
-
 ### Add as Android store app
 
 1. In [Microsoft Endpoint Manager admin
@@ -97,9 +94,6 @@ completed successfully.
 2. Tap the Microsoft Defender ATP app icon and follow the on-screen instructions
 to complete onboarding the app. The details include end-user acceptance of Android permissions required by Microsoft Defender ATP for Android.
 
-   > [!NOTE]
-   > If you already have **preview version of Microsoft Defender ATP app** installed, follow onboarding instruction to replace the existing version of app
-
 3. Upon successful onboarding, the device will start showing up on the Devices
 list in Microsoft Defender Security Center.
 
@@ -116,9 +110,6 @@ Options](https://docs.microsoft.com/mem/intune/enrollment/android-enroll) .
 Currently only Personal devices with Work Profile enrolled  are supported for deployment. 
 
 
->[!NOTE]
-> If you have already deployed **Preview version of Microsoft Defender for Android app**, you need to redeploy by adding new app as 'managed Google Play App'
-
 
 ## Add Microsoft Defender ATP for Android as a Managed Google Play app
 

windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md

@@ -155,7 +155,7 @@ registry HKEY_CURRENT_USER\Console
 
 ```
 # Show information about a specific registry value
-registry HKEY_CURRENT_USER\Console\\ScreenBufferSize
+registry HKEY_CURRENT_USER\Console\ScreenBufferSize
 ```
 
 

windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android.md

@@ -85,7 +85,7 @@ For more information, see [Deploy Microsoft Defender ATP for Android with Micros
 
 > [!NOTE]
 > **Microsoft Defender ATP for Android is available on Google Play now.**
-You can connect to Google Play from Intune directly to deploy app across Device Administrator and Android Enterprise entrollment modes. 
+> You can connect to Google Play from Intune to deploy Microsoft Defender ATP app, across Device Administrator and Android Enterprise entrollment modes. 
 
 ## How to Configure Microsoft Defender ATP for Android
 

windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md

@@ -81,16 +81,13 @@ None. Changes to this policy become effective without a device restart when they
 
 ### Safe mode considerations
 
-When you start a device in safe mode, the disabled administrator account is enabled only if the computer is non-domain joined and there are no other active local administrator accounts. If the computer is joined to a domain, the disabled administrator account is not enabled.
-If the administrator account is disabled, you can still access the computer by using safe mode with the current administrative credentials. For example, if a failure occurs using a secure channel with a domain-joined computer, and there is no other local administrator account, you must restart the device in safe mode to fix the failure.
+When you start a device in safe mode, the disabled administrator account is enabled only if the computer is non-domain joined and there are no other active local administrator accounts. In this case, you can access the computer by using safe mode with the current administrative credentials. If the computer is joined to a domain, the disabled administrator account is not enabled.
 
 ### How to access a disabled Administrator account
 
 You can use the following methods to access a disabled Administrator account:
--   When there is only one local administrator account that is disabled, start the device in safe mode (locally or over a network), and sign in by using the credentials for the administrator account on that computer.
--   When there are local administrator accounts in addition to the built-in account, start the computer in safe mode (locally or over a network), and sign in by using the credentials for the administrator account on that device. An alternate method is to sign in to Windows by using another local 
-Administrator account that was created.
--   When multiple domain-joined servers have a disabled local Administrator account that can be accessed in safe mode, you can remotely run psexec by using the following command: **net user administrator /active: no**.
+-   For non-domain joined computers: when all the local administrator accounts are disabled, start the device in safe mode (locally or over a network), and sign in by using the credentials for the default local administrator account on that computer. 
+-   For domain-joined computers: remotely run the command **net user administrator /active: yes** by using psexec to enable the default local administrator account.
 
 ## Security considerations
 

windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md

@@ -61,7 +61,12 @@ This setting has these possible values:
     This change makes this setting consistent with the functionality of the new **Privacy** setting.
     To display no user information, enable the Group Policy setting **Interactive logon: Don't display last signed-in**.
 
--   Blank.
+-   **Domain and user names only**
+
+    For a domain logon only, the domain\username is displayed.
+    The **Privacy** setting is automatically on and grayed out.
+    
+-   **Blank**
 
     Default setting.
     This translates to “Not defined,” but it will display the user’s full name in the same manner as the option **User display name only**.
@@ -89,7 +94,7 @@ For all versions of Windows 10, only the user display name is shown by default.
 If **Block user from showing account details on sign-in** is enabled, then only the user display name is shown regardless of any other Group Policy settings.
 Users will not be able to show details.
 
-If **Block user from showing account details on sign-in** is not enabled, then you can set **Interactive logon: Display user information when the session is locked** to **User display name, domain and user names** to show additional details such as domain\username.
+If **Block user from showing account details on sign-in** is not enabled, then you can set **Interactive logon: Display user information when the session is locked** to **User display name, domain and user names** or **Domain and user names only** to show additional details such as domain\username.
 In this case, clients that run Windows 10 version 1607 need [KB 4013429](https://www.catalog.update.microsoft.com/Search.aspx?q=KB4013429) applied.
 Users will not be able to hide additional details.