Joey Caparas
2018-04-10 18:31:02 -07:00
parent ed7d83ae1f
commit 9566a57590
3 changed files with 11 additions and 5 deletions

@ -77,7 +77,7 @@ As part of the process of creating a machine group, you'll:
You can promote the rank of a machine group so that it is given higher priority during matching. When a machine is matched to more than one group, it is added only to the highest ranked group. You can promote the rank of a machine group so that it is given higher priority during matching. When a machine is matched to more than one group, it is added only to the highest ranked group.
Machines that are not matched to any groups are added to **Ungrouped machines**. By default, remediations performed on machines in this group require approval, but you can also define the remediation level for this group. Machines that are not matched to any groups are added to **Ungrouped machines (default)** group. By default, remediations performed on machines in this group require approval, but you can also define the remediation level for this group. By default, ungrouped machines are accessible by all users with portal access. You can change the default behavior by assigning the ungrouped machines to specific Azure AD user groups.
You can also edit and delete groups. You can also edit and delete groups.
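
Review bot: the sentence added at the end of the Ungrouped machines paragraph, "By default, ungrouped machines are accessible by all users with portal access", states an access-control default but is buried after text about remediation levels. Consider moving it into its own note or warning callout, since any machine that matches no group is visible to every portal user until the ungrouped machines are assigned to specific Azure AD user groups. In the same line, "are added to **Ungrouped machines (default)** group" needs an article ("the ... group"), and two consecutive sentences now open with "By default".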

@ -51,18 +51,22 @@ To implement role-based access, you'll need to define admin roles, assign corres
### Before you begin ### Before you begin
Before using RBAC, it's important that you understand the roles that can grant permissions and the consequences of turning on RBAC.
> [!WARNING] > [!WARNING]
> Before enabling the feature, it's important that you have a Global Administrator role in Azure AD and that have your Azure AD groups ready to reduce the risk of being locked out of the portal. > Before enabling the feature, it's important that you have a Global Administrator role or Security Administrator role in Azure AD and that have your Azure AD groups ready to reduce the risk of being locked out of the portal.
When you first log in to the Windows Defender ATP portal, you're granted either full access or read only access. Full access rights are granted to users with Security Administrator or Global Administrator roles in Azure AD. Read only access is granted to users with a Security Reader role in Azure AD. When you first log in to the Windows Defender ATP portal, you're granted either full access or read only access. Full access rights are granted to users with Security Administrator or Global Administrator roles in Azure AD. Read only access is granted to users with a Security Reader role in Azure AD.
Someone with a Windows Defender ATP Global administrator role has unrestricted access to all machines, regardless of their machine group association and the Azure AD user groups assignments
> [!WARNING] > [!WARNING]
> Only those with Azure AD Global Administrator rights will be able to create and assign roles in the Windows Defender ATP portal, therefore, having the right groups ready in Azure AD is important. > Initially, only those with Azure AD Global Administrator or Security Administrator rights will be able to create and assign roles in the Windows Defender ATP portal, therefore, having the right groups ready in Azure AD is important.
> >
> **Turning on role-based access control will cause users with read-only permissions to lose access until they are assigned to a role.** > **Turning on role-based access control will cause users with read-only permissions (for example, users assigned to Azure AD Security reader role) to lose access until they are assigned to a role.**
> >
>Users with admin permissions are automatically assigned the default Windows Defender ATP global administrator role with full permissions. >Users with admin permissions are automatically assigned the default built-in Windows Defender ATP global administrator role with full permissions. After opting in to use RBAC, you can assign additional users that are not Azure AD Global or Security Administrators to the Windows Defender ATP global administrator role.
> >
> After opting in to use RBAC, you cannot revert to the initial roles as when you first logged into the portal. > After opting in to use RBAC, you cannot revert to the initial roles as when you first logged into the portal.
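
Review bot: role names are cased inconsistently in the added text, which matters because readers will match them against the role names in Azure AD. The bolded warning says "Azure AD Security reader role" while the unchanged paragraph above uses "Security Reader", and the new standalone sentence says "Windows Defender ATP Global administrator role" while the callout below uses "global administrator role". Pick one form per role and use it throughout. The new standalone sentence also ends without a period ("... the Azure AD user groups assignments"), and the first warning still reads "and that have your Azure AD groups ready", which should be "and that you have".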

@ -312,6 +312,7 @@ You can take the following actions to increase the overall security score of you
- Fix sensor data collection - Fix sensor data collection
- The Windows Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. Therefore, it's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md). - The Windows Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. Therefore, it's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md).
For more information, see [Bitlocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview).
### Windows Defender Credential Guard optimization ### Windows Defender Credential Guard optimization
For a machine to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Defender Credential Guard is fulfilled. For a machine to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Defender Credential Guard is fulfilled.
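
Review bot: the added "For more information, see [Bitlocker](...)" line sits directly under the "Fix sensor data collection" sub-bullet. Unless a blank line separates them, Markdown treats it as a continuation of that list item, so it reads as a reference for sensor data collection and not for the BitLocker section as a whole. Put a blank line before it and before the "###" heading that follows. The link text should use the product spelling "BitLocker". The unchanged context line links to "fix-unhealhty-sensors-..."; it is worth confirming that target resolves.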
@ -334,6 +335,7 @@ You can take the following actions to increase the overall security score of you
- Fix sensor data collection - Fix sensor data collection
- The Windows Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. Therefore, it's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md). - The Windows Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. Therefore, it's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md).
For more information, see [Manage Windows Defender Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-manage).
## Related topics ## Related topics
- [Understand the Windows Defender Advanced Threat Protection portal](use-windows-defender-advanced-threat-protection.md) - [Understand the Windows Defender Advanced Threat Protection portal](use-windows-defender-advanced-threat-protection.md)
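
Review bot: the added "Manage Windows Defender Credential Guard" link uses an absolute https://docs.microsoft.com URL, while the other links visible in this hunk are relative .md references. If the Credential Guard topic is in the same doc set, a relative link would be checked at build time and would not break silently if the published path changes. As with the previous hunk, the new line follows the "Fix sensor data collection" sub-bullet and precedes "## Related topics", so it needs a blank line on both sides to render as its own paragraph.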