From 30765d8bde8c1448ff0feb1d92f67bb6f2874c7e Mon Sep 17 00:00:00 2001
From: Joey Caparas <macapara@microsoft.com>
Date: Wed, 30 May 2018 16:47:23 -0700
Subject: [PATCH 001/102] win 8.1

---
 .../windows-defender-atp/TOC.md               |   1 +
 ...ows-defender-advanced-threat-protection.md | 100 ++++++++++++++++++
 2 files changed, 101 insertions(+)
 create mode 100644 windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md

diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md
index e69658d82e..a8defba7ee 100644
--- a/windows/security/threat-protection/windows-defender-atp/TOC.md
+++ b/windows/security/threat-protection/windows-defender-atp/TOC.md
@@ -7,6 +7,7 @@
 ### [Data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md)
 ### [Assign user access to the portal](assign-portal-access-windows-defender-advanced-threat-protection.md)
 ## [Onboard machines](onboard-configure-windows-defender-advanced-threat-protection.md)
+### [Onboard previous versions of Windows](onboard-downlevel-windows-defender-advanced-threat-protection.md)
 ### [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md)
 #### [Onboard machines using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
 #### [Onboard machines using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..875feb88d2
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,100 @@
+---
+title: Onboard Windows 7 SP 1 machines on Windows Defender ATP
+description: Onboard Windows 7 SP 1 machines so that they can send sensor data to the Windows Defender ATP sensor
+keywords: Onboard Windows 7 machines, oms, sp1, enterprise, pro, down level
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 06/11/2018
+---
+
+# Onboard Windows 7 SP1 machines
+
+**Applies to:**
+
+- Windows 7 SP1 Enterprise
+- Windows 7 SP1 Pro
+- Windows 8.1
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+Windows Defender ATP extends support to also include down-level operating systems, providing advanced attack detection and investigation capabilities, seamlessly through the Windows Defender Security Center console.
+
+To onboard down-level Windows client endpoints to Windows Defender ATP, you�ll need to:
+- Configure and update System Center Endpoint Protection clients.
+- Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Windows Defender ATP as instructed below.
+
+>[!TIP]
+> After onboarding the machine, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md).
+
+## Configure and update System Center Endpoint Protection clients
+>[!IMPORTANT]
+>This step is required only if your organization uses System Center Endpoint Protection (SCEP).
+
+Windows Defender ATP integrates with System Center Endpoint Protection to provide visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware. 
+
+The following steps are required to enable this integration: 
+- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/en-us/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie) 
+- Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting
+
+## Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Windows Defender ATP
+
+### Before you begin
+Review the following details to verify minimum system requirements:
+- Install the [February monthly update rollout](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598) 
+- Install the [Update for customer experience and diagnostic telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry)
+- Meet the Azure Log Analytics agent minimum system requirements. For more information, see [Collect data from computers in you environment with Log Analytics](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-concept-hybrid#prerequisites)
+
+1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603) or [Windows 32-bit agent](https://go.microsoft.com/fwlink/?LinkId=828604).
+
+2. Obtain the workspace ID:
+   - In the Windows Defender ATP navigation pane, select **Settings > Machine management > Onboarding**
+   - Select **Windows 7 SP1 and 8.1** as the operating system
+   - Copy the workspace ID and workspace key
+
+3. Using the Workspace ID and Workspace key choose any of the following installation methods to install the agent:
+    - Manually install the agent using setup<br>
+      On the **Agent Setup Options** page, select **Connect the agent to Azure Log Analytics (OMS)
+    - [Install the agent using command line](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-agent-windows#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-agent-windows#add-a-workspace-using-a-script).
+
+4. If you�re using a proxy server to connect to the Internet see the Configure proxy settings section.
+
+Once completed, you should see onboarded servers in the portal within an hour.
+
+### Configure server proxy and Internet connectivity settings
+ 
+- Each Windows server must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the [OMS Gateway](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-oms-gateway).
+- If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service:
+
+Agent Resource    |    Ports 
+:---|:---
+|    *.oms.opinsights.azure.com    |    443    |
+|    *.blob.core.windows.net    |    443    |
+|    *.azure-automation.net    |    443    |
+|    *.ods.opinsights.azure.com    |    443    |
+|    winatp-gw-cus.microsoft.com     |    443    |
+|    winatp-gw-eus.microsoft.com    |    443    |
+|    winatp-gw-neu.microsoft.com    |    443    |
+|    winatp-gw-weu.microsoft.com    |    443    |
+|winatp-gw-uks.microsoft.com | 443 |
+|winatp-gw-ukw.microsoft.com | 443 | 
+| winatp-gw-aus.microsoft.com | 443| 
+| winatp-gw-aue.microsoft.com |443 | 
+
+
+## Offboard client endpoints
+To offboard, you can uninstall the MMA agent from the endpoint or detach it from reporting to your Windows Defender ATP workspace. After offboarding the agent, the endpoint will no longer send sensor data to Windows Defender ATP. 
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-downlevele-belowfoldlink)
+
+
+
+
+
+

From af0db775a7d8cefda4fd2bafed457cbe8cefadd5 Mon Sep 17 00:00:00 2001
From: Joey Caparas <macapara@microsoft.com>
Date: Wed, 30 May 2018 16:47:40 -0700
Subject: [PATCH 002/102] remove

---
 ...oard-downlevel-windows-defender-advanced-threat-protection.md | 1 -
 1 file changed, 1 deletion(-)

diff --git a/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md
index 875feb88d2..fb9fa92c3a 100644
--- a/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md
@@ -19,7 +19,6 @@ ms.date: 06/11/2018
 
 - Windows 7 SP1 Enterprise
 - Windows 7 SP1 Pro
-- Windows 8.1
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 
 [!include[Prerelease information](prerelease.md)]

From 883c7e82eef703451c19dbb246df4050bb86a133 Mon Sep 17 00:00:00 2001
From: Joey Caparas <macapara@microsoft.com>
Date: Thu, 31 May 2018 10:35:04 -0700
Subject: [PATCH 003/102] add downlevel support in preview features topic

---
 ...-windows-defender-advanced-threat-protection.md | 14 +++++++-------
 ...-windows-defender-advanced-threat-protection.md |  9 ++++++++-
 2 files changed, 15 insertions(+), 8 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md
index fb9fa92c3a..a542df63b1 100644
--- a/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md
@@ -1,7 +1,7 @@
 ---
-title: Onboard Windows 7 SP 1 machines on Windows Defender ATP
-description: Onboard Windows 7 SP 1 machines so that they can send sensor data to the Windows Defender ATP sensor
-keywords: Onboard Windows 7 machines, oms, sp1, enterprise, pro, down level
+title: Onboard previous versions of Windows on Windows Defender ATP
+description: Onboard supported previous versions of Windows machines so that they can send sensor data to the Windows Defender ATP sensor
+keywords: onboard, windows, 7, 8, oms, sp1, enterprise, pro, down level
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -13,12 +13,14 @@ ms.localizationpriority: high
 ms.date: 06/11/2018
 ---
 
-# Onboard Windows 7 SP1 machines
+# Onboard Windows previous versions of Windows
 
 **Applies to:**
 
 - Windows 7 SP1 Enterprise
 - Windows 7 SP1 Pro
+- Windows 8.1 Enterprise
+- Windows 8.1 Pro
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 
 [!include[Prerelease information](prerelease.md)]
@@ -62,7 +64,7 @@ Review the following details to verify minimum system requirements:
       On the **Agent Setup Options** page, select **Connect the agent to Azure Log Analytics (OMS)
     - [Install the agent using command line](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-agent-windows#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-agent-windows#add-a-workspace-using-a-script).
 
-4. If you�re using a proxy server to connect to the Internet see the Configure proxy settings section.
+4. If you're using a proxy server to connect to the Internet see the Configure proxy settings section.
 
 Once completed, you should see onboarded servers in the portal within an hour.
 
@@ -83,8 +85,6 @@ Agent Resource    |    Ports
 |    winatp-gw-weu.microsoft.com    |    443    |
 |winatp-gw-uks.microsoft.com | 443 |
 |winatp-gw-ukw.microsoft.com | 443 | 
-| winatp-gw-aus.microsoft.com | 443| 
-| winatp-gw-aue.microsoft.com |443 | 
 
 
 ## Offboard client endpoints
diff --git a/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
index 4b90b87fb8..90008c037e 100644
--- a/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 04/24/2018
+ms.date: 06/11/2018
 ---
 
 # Windows Defender ATP preview features
@@ -42,12 +42,19 @@ Turn on the preview experience setting to be among the first to try upcoming fea
 
 ## Preview features
 The following features are included in the preview release:
+- [Onboard previous versions of Windows](onboard-downlevel--windows-defender-advanced-threat-protection.md)<br>
+Onboard supported versions of Windows machines so that they can send sensor data to the Windows Defender ATP sensor
+  - Windows 7 SP1 Enterprise
+  - Windows 7 SP1 Pro
+  - Windows 8.1 Enterprise
+  - Windows 8.1 Pro 
 
 - [Onboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md)<br>
 Windows Defender ATP supports the onboarding of the following servers:
     - Windows Server 2012 R2
     - Windows Server 2016
     - Windows Server, version 1803
+    
 
 - [Create and build Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)<br>
 Windows Defender ATP supports the use of Power BI data connectors to enable you to connect and access Windows Defender ATP data using Microsoft Graph.

From 7551ecb60a5997c4d6baa36f1e4eedada6f8fdea Mon Sep 17 00:00:00 2001
From: Joey Caparas <macapara@microsoft.com>
Date: Thu, 31 May 2018 10:58:28 -0700
Subject: [PATCH 004/102] fix broken link

---
 .../preview-windows-defender-advanced-threat-protection.md      | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
index 90008c037e..13702b6849 100644
--- a/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
@@ -42,7 +42,7 @@ Turn on the preview experience setting to be among the first to try upcoming fea
 
 ## Preview features
 The following features are included in the preview release:
-- [Onboard previous versions of Windows](onboard-downlevel--windows-defender-advanced-threat-protection.md)<br>
+- [Onboard previous versions of Windows](onboard-downlevel-windows-defender-advanced-threat-protection.md)<br>
 Onboard supported versions of Windows machines so that they can send sensor data to the Windows Defender ATP sensor
   - Windows 7 SP1 Enterprise
   - Windows 7 SP1 Pro

From 204035dad996656cec2d0d76dd0104035c29a6f8 Mon Sep 17 00:00:00 2001
From: Justin Hall <Justinha@microsoft.com>
Date: Fri, 8 Jun 2018 14:14:16 -0700
Subject: [PATCH 005/102] fixed issue

---
 windows/whats-new/whats-new-windows-10-version-1803.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/whats-new/whats-new-windows-10-version-1803.md b/windows/whats-new/whats-new-windows-10-version-1803.md
index 180c949a49..fad1f39565 100644
--- a/windows/whats-new/whats-new-windows-10-version-1803.md
+++ b/windows/whats-new/whats-new-windows-10-version-1803.md
@@ -169,7 +169,7 @@ In the Feedback and Settings page under Privacy Settings you can now delete the
 
 ### Security Baselines
 
-A draft of the new [security baseline for Windows 10 version 1803](https://blogs.technet.microsoft.com/secguide/2018/03/27/security-baseline-for-windows-10-v1803-redstone-4-draft/) has been published. 
+The new [security baseline for Windows 10 version 1803](https://docs.microsoft.com/windows/security/threat-protection/security-compliance-toolkit-10) has been published. 
 
 ### Windows Defender Antivirus
 

From f7a9d43d7439d8df9e87541e0b9a5779a4211a0b Mon Sep 17 00:00:00 2001
From: Justin Hall <Justinha@microsoft.com>
Date: Fri, 8 Jun 2018 14:16:28 -0700
Subject: [PATCH 006/102] fixed issue

---
 windows/whats-new/whats-new-windows-10-version-1803.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/whats-new/whats-new-windows-10-version-1803.md b/windows/whats-new/whats-new-windows-10-version-1803.md
index fad1f39565..8107213fac 100644
--- a/windows/whats-new/whats-new-windows-10-version-1803.md
+++ b/windows/whats-new/whats-new-windows-10-version-1803.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: greg-lindsay
-ms.date: 05/10/2018
+ms.date: 06/08/2018
 ms.localizationpriority: high
 ---
 

From 7ebd39f45254da85432b45ae1d1bdba0861f2817 Mon Sep 17 00:00:00 2001
From: Justin Hall <Justinha@microsoft.com>
Date: Fri, 8 Jun 2018 14:23:19 -0700
Subject: [PATCH 007/102] removed note about autdit mode not available

---
 .../applocker/configure-an-applocker-policy-for-audit-only.md   | 2 --
 1 file changed, 2 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md
index 58bfcf7ebb..1127619715 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md
@@ -21,8 +21,6 @@ This topic for IT professionals describes how to set AppLocker policies to **Aud
 After AppLocker rules are created within the rule collection, you can configure the enforcement setting to **Enforce rules** or **Audit only**.
 
 When AppLocker policy enforcement is set to **Enforce rules**, rules are enforced for the rule collection and all events are audited. When AppLocker policy enforcement is set to **Audit only**, rules are only evaluated but all events generated from that evaluation are written to the AppLocker log.
-
->**Note:**  There is no audit mode for the DLL rule collection. DLL rules affect specific apps. Therefore, test the impact of these rules first before deploying them to production. To enable the DLL rule collection, see [Enable the DLL rule collection](enable-the-dll-rule-collection.md).
  
 You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins).
 

From 4c978edb61c62ef01c0c1be07be776ee33cc34e8 Mon Sep 17 00:00:00 2001
From: Justin Hall <Justinha@microsoft.com>
Date: Fri, 8 Jun 2018 14:26:22 -0700
Subject: [PATCH 008/102] removed note about audit mode not available

---
 .../applocker/configure-an-applocker-policy-for-audit-only.md   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md
index 1127619715..3330eda208 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: brianlic-msft
-ms.date: 09/21/2017
+ms.date: 06/08/2018
 ---
 
 # Configure an AppLocker policy for audit only

From 3bbc5d43d1cc7184c3bb393f94bae28b831b811c Mon Sep 17 00:00:00 2001
From: Dune Desormeaux <dudeso@microsoft.com>
Date: Fri, 8 Jun 2018 16:14:11 -0700
Subject: [PATCH 009/102] Clarify WDATP + WDAV compatibility wording

WDAV won't always be in passive mode if WDATP is enabled. Clarifying this.
---
 .../windows-defender-antivirus-compatibility.md                 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
index 6d409e7449..eae5b16c1e 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
@@ -71,7 +71,7 @@ Passive mode | Windows Defender AV will not be used as the antivirus app, and th
 Automatic disabled mode | Windows Defender AV will not be used as the antivirus app. Files will not be scanned and threats will not be remediated. | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)]] 
 Active mode | Windows Defender AV is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files will be scanned and threats remediated, and detection information will be reported in your configuration tool (such as Configuration Manager or the Windows Defender AV app on the machine itself). | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
 
-Passive mode is enabled if you are enrolled in Windows Defender ATP because [the service requires common information sharing from the Windows Defender AV service](../windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md) in order to properly monitor your devices and network for intrusion attempts and attacks. 
+Passive mode is enabled if you are enrolled in Windows Defender ATP and you are using a third party antimalware product because [the service requires common information sharing from the Windows Defender AV service](../windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md) in order to properly monitor your devices and network for intrusion attempts and attacks. 
 
 Automatic disabled mode is enabled so that if the protection offered by a third-party antivirus product expires or otherwise stops providing real-time protection from viruses, malware or other threats, Windows Defender AV will automatically enable itself to ensure antivirus protection is maintained on the endpoint. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md), which uses the Windows Defender AV engine to periodically check for threats in addition to your main antivirus app.
     

From 983cfd76af8cfa48f920e94c4b499a19668d1409 Mon Sep 17 00:00:00 2001
From: Dani Halfin <daniha@microsoft.com>
Date: Fri, 8 Jun 2018 23:19:00 +0000
Subject: [PATCH 010/102] Merged PR 8950: small formatting fix

---
 windows/privacy/manage-windows-endpoints.md | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/windows/privacy/manage-windows-endpoints.md b/windows/privacy/manage-windows-endpoints.md
index d0be3c4145..e43a9ddff4 100644
--- a/windows/privacy/manage-windows-endpoints.md
+++ b/windows/privacy/manage-windows-endpoints.md
@@ -502,8 +502,7 @@ In addition to the endpoints listed for Windows 10 Enterprise, the following end
 | *.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. |
 | *.wac.edgecastcdn.net | TLSv1.2 | Used by the Verizon Content Delivery Network to perform Windows updates. |
 | *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). |
-| *prod.do.dsp.mp.microsoft.com | TLSv1.2/
-HTTPS | Used for Windows Update downloads of apps and OS updates. |
+| *prod.do.dsp.mp.microsoft.com | TLSv1.2\/HTTPS | Used for Windows Update downloads of apps and OS updates. |
 | .g.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. |
 | telecommand.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. |
 | 2.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. |
@@ -594,8 +593,7 @@ TLSv1.2 | Used to check for updates to maps that have been downloaded for offlin
 | *.wac.edgecastcdn.net | TLSv1.2 | Used by the Verizon Content Delivery Network to perform Windows updates. |
 | *.wac.phicdn.net | HTTP | Used by the Verizon Content Delivery Network to perform Windows updates. |
 | *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). |
-| *prod.do.dsp.mp.microsoft.com | TLSv1.2/
-HTTPS | Used for Windows Update downloads of apps and OS updates. |
+| *prod.do.dsp.mp.microsoft.com | TLSv1.2\/HTTPS | Used for Windows Update downloads of apps and OS updates. |
 | 3.dl.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
 | 3.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. |
 | 3.tlu.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. |

From 41d5e00c6a519f9c7eedd5553f7addd3706135bc Mon Sep 17 00:00:00 2001
From: Dune Desormeaux <dudeso@microsoft.com>
Date: Fri, 8 Jun 2018 16:20:59 -0700
Subject: [PATCH 011/102] Dudeso-dd clarity

Switch to active voice
---
 .../windows-defender-antivirus-compatibility.md                 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
index eae5b16c1e..47d5189976 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
@@ -71,7 +71,7 @@ Passive mode | Windows Defender AV will not be used as the antivirus app, and th
 Automatic disabled mode | Windows Defender AV will not be used as the antivirus app. Files will not be scanned and threats will not be remediated. | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)]] 
 Active mode | Windows Defender AV is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files will be scanned and threats remediated, and detection information will be reported in your configuration tool (such as Configuration Manager or the Windows Defender AV app on the machine itself). | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
 
-Passive mode is enabled if you are enrolled in Windows Defender ATP and you are using a third party antimalware product because [the service requires common information sharing from the Windows Defender AV service](../windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md) in order to properly monitor your devices and network for intrusion attempts and attacks. 
+If you are enrolled in Windows Defender ATP and you are using a third party antimalware product then passive mode is enabled because [the service requires common information sharing from the Windows Defender AV service](../windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md) in order to properly monitor your devices and network for intrusion attempts and attacks. 
 
 Automatic disabled mode is enabled so that if the protection offered by a third-party antivirus product expires or otherwise stops providing real-time protection from viruses, malware or other threats, Windows Defender AV will automatically enable itself to ensure antivirus protection is maintained on the endpoint. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md), which uses the Windows Defender AV engine to periodically check for threats in addition to your main antivirus app.
     

From 046155ed06c52330fb5df8df1bab69ca2a4ba7b8 Mon Sep 17 00:00:00 2001
From: Heidi Lohr <helohr@microsoft.com>
Date: Fri, 8 Jun 2018 16:46:29 -0700
Subject: [PATCH 012/102] New round of revisions

---
 ...ment-configuration-file-with-powershell.md | 47 +++++++------
 ...user-configuration-file-with-powershell.md | 34 ++++++----
 .../appv-auto-clean-unpublished-packages.md   | 67 +++++++------------
 .../app-v/appv-available-mdm-settings.md      | 23 ++++++-
 4 files changed, 95 insertions(+), 76 deletions(-)

diff --git a/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md b/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md
index ce1b3601b9..42754ef837 100644
--- a/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md
+++ b/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md
@@ -1,6 +1,6 @@
 ---
-title: How to Apply the Deployment Configuration File by Using Windows PowerShell (Windows 10)
-description: How to Apply the Deployment Configuration File by Using Windows PowerShell
+title: How to apply the deployment configuration file by using Windows PowerShell (Windows 10)
+description: How to apply the deployment configuration file by using Windows PowerShell for Windows 10.
 author: MaggiePucciEvans
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
@@ -8,35 +8,42 @@ ms.sitesec: library
 ms.prod: w10
 ms.date: 04/19/2017
 ---
+# How to apply the deployment configuration file by using Windows PowerShell
 
+>Applies to: Windows 10, version 1607
 
-# How to Apply the Deployment Configuration File by Using Windows PowerShell
+The dynamic deployment configuration file is applied when a package is added or set to a computer running the App-V client before the package has been published. The file configures the default settings of the package that all users share on the computer running the App-V client. This section will tell you how to use a deployment configuration file. The procedure is based on the following example and assumes the following package and configuration files exist on a computer:
 
-**Applies to**
--   Windows 10, version 1607
+* C:\\Packages\\Contoso\\MyApp.appv
+* C:\\Packages\\Contoso\\DynamicConfigurations\\deploymentconfig.xml
 
-The dynamic deployment configuration file is applied when a package is added or set to a computer running the App-V client before the package has been published. The file configures the default settings for package for all users on the computer running the App-V client. This section describes the steps used to use a deployment configuration file. The procedure is based on the following example and assumes the following package and configuration files exist on a computer:
+## Apply the deployment configuration file with Windows PowerShell
 
-**c:\\Packages\\Contoso\\MyApp.appv**
+>[!NOTE]
+>The following procedure is an example that uses the following two file paths for the package and configuration files:
+    >
+    >* C:\\Packages\\Contoso\\MyApp.appv
+    >* C:\\Packages\\Contoso\\DynamicConfigurations\\deploymentconfig.xml
+    >
+>If your package and configuration file use different file paths than the example, feel free to replace them as needed.
 
-**c:\\Packages\\Contoso\\DynamicConfigurations\\deploymentconfig.xml**
+To specify a new default set of configurations for all users who will run the package on a specific computer, in a Windows PowerShell console, enter the following cmdlet:
 
-**To Apply the Deployment Configuration File Using Windows PowerShell**
+```PowerShell
+Add-AppVClientPackage -Path C:\Packages\Contoso\MyApp.appv -DynamicDeploymentConfiguration C:\Packages\Contoso\DynamicConfigurations\deploymentconfig.xml
+```
 
--   To specify a new default set of configurations for all users who will run the package on a specific computer, in a Windows PowerShell console, type the following:
+>[!NOTE]
+>This command captures the resulting object into $pkg. If the package is already present on the computer, the **Set-AppVclientPackage** cmdlet can be used to apply the deployment configuration document:
+    >
+        ```PowerShell
+        Set-AppVClientPackage -Name Myapp -Path C:\Packages\Contoso\MyApp.appv -DynamicDeploymentConfiguration C:\Packages\Contoso\DynamicConfigurations\deploymentconfig.xml
+        ```
 
-    `Add-AppVClientPackage -Path c:\Packages\Contoso\MyApp.appv -DynamicDeploymentConfiguration c:\Packages\Contoso\DynamicConfigurations\deploymentconfig.xml`
-
-    **Note**<br>
-    This command captures the resulting object into $pkg. If the package is already present on the computer, the **Set-AppVclientPackage** cmdlet can be used to apply the deployment configuration document:
-
-    `Set-AppVClientPackage -Name Myapp -Path c:\Packages\Contoso\MyApp.appv -DynamicDeploymentConfiguration c:\Packages\Contoso\DynamicConfigurations\deploymentconfig.xml`
-
-     
 ## Have a suggestion for App-V?
 
-Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).<br>For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
+Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
 
 ## Related topics
 
-[Operations for App-V](appv-operations.md)
+* [Operations for App-V](appv-operations.md)
diff --git a/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md b/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md
index a59c999681..2632d17e87 100644
--- a/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md
+++ b/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md
@@ -8,34 +8,42 @@ ms.sitesec: library
 ms.prod: w10
 ms.date: 04/19/2017
 ---
+# How to apply the user configuration file by using Windows PowerShell
 
-
-# How to Apply the User Configuration File by Using Windows PowerShell
-
-**Applies to**
--   Windows 10, version 1607
+>Applies to: Windows 10, version 1607
 
 The dynamic user configuration file is applied when a package is published to a specific user and determines how the package will run.
 
 Use the following procedure to specify a user-specific configuration file. The following procedure is based on the example:
 
-**c:\\Packages\\Contoso\\MyApp.appv**
+* C:\\Packages\\Contoso\\MyApp.appv
 
-**To apply a user Configuration file**
+## Apply a user configuration file
 
-1.  To add the package to the computer using the Windows PowerShell console, type the following command:
+Use the following procedure to specify a user-specific configuration file.
 
-    `Add-AppVClientPackage c:\Packages\Contoso\MyApp.appv`
+>[!NOTE]
+>The following procedure uses the following example file path for its package:
+    >
+    >* C:\\Packages\\Contoso\\MyApp.appv.
+    >
+>f your package file uses a different file path than the example, feel free to replace it.
 
-2.  Use the following command to publish the package to the user and specify the updated the dynamic user configuration file:
+1. Enter the following cmdlet to add the package to the computer using the Windows PowerShell console:
 
-    `Publish-AppVClientPackage $pkg -DynamicUserConfigurationPath c:\Packages\Contoso\config.xml`
+    ```PowerShell
+    Add-AppVClientPackage C:\Packages\Contoso\MyApp.appv
+    ```
+2. Enter the following cmdlet to publish the package to the user and specify the updated the dynamic user configuration file:
 
+    ```PowerShell
+    Publish-AppVClientPackage $pkg -DynamicUserConfigurationPath c:\Packages\Contoso\config.xml
+    ```
 
 ## Have a suggestion for App-V?
 
-Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).<br>For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
+Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
 
 ## Related topics
 
-[Operations for App-V](appv-operations.md)
+* [Operations for App-V](appv-operations.md)
diff --git a/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md b/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md
index 23a9fe37c6..5292d2ed73 100644
--- a/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md
+++ b/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md
@@ -8,70 +8,55 @@ ms.sitesec: library
 ms.prod: w10
 ms.date: 04/19/2017
 ---
+# Automatically clean up unpublished packages on the App-V client
 
+>Applies to: Windows 10, version 1703
 
-# Automatically cleanup unpublished packages on the App-V client
+Previous versions of App-V have required you to manually remove your unpublished packages from your client devices, to free up additional storage space. Windows 10, version 1703 introduces the ability to use PowerShell or Group Policy settings to automatically clean up your unpublished packages after a device restart.
 
-**Applies to**
--   Windows 10, version 1703
+## Clean up with PowerShell cmdlets
 
-Previous versions of App-V have required you to manually remove your unpublished packages from your client devices, to free up additional storage space. Windows 10, version 1703 introduces the ability to use PowerShell or Group Policy settings to automatically cleanup your unpublished packages after a device restart.
+You can enter PowerShell cmdlets to turn on the **AutoCleanupEnabled** setting, which will automatically clean up your unpublished App-V packages from your App-V client devices.
 
-## Cleanup by using PowerShell commands
-Using PowerShell, you can turn on the **AutoCleanupEnabled** setting to automatically cleanup your unpublished App-V packages from your App-V client devices.
+### Turn on the AutoCleanupEnabled option
 
-**To turn on the AutoCleanupEnabled option**
+1. Open PowerShell as an admin and enter the following cmdlet to turn on the automatic package clean up functionality:
 
-1. Open PowerShell as an admin and run the following command to turn on the automatic package cleanup functionality:
-
-    ```ps1
+    ```PowerShell
     Set-AppvClientConfiguration -AutoCleanupEnabled 1
     ```
 
-    The command runs and you should see the following info on the PowerShell screen:
-    
-    <table border="1">
-        <tr>
-            <thead>
-                <th>Name</th>
-                <th>Value</th>
-                <th>SetbyGroupPolicy</th>
-            </thead>
-        </tr>
-        <tbody>
-            <tr>
-                <td>AutoCleanupEnabled</td>
-                <td>1</td>
-                <td>False</td>
-            </tr>
-        </tbody>
-    </table>
+    After running the cmdlet, you should see the following info on the PowerShell screen:
 
-2. Run the following command to make sure the configuration is ready to automatically cleanup your packages.
+    |Name|Value|SetbyGroupPolicy|
+    |---|---|---|
+    |AutoCleanupEnabled|1|False|
 
-    ```ps1
+2. Run the following cmdlet to make sure the configuration is ready to automatically clean up your packages.
+
+    ```PowerShell
     Get-AppvClientConfiguration
     ```
-    You should see the **AutoCleanupEnabled** option turned on (shows a value of "1") in the configuration list.
+    If the **AutoCleanupEnabled** option shows a value of **1** in the configuration list, that means the setting is turned on.
 
-## Cleanup by using Group Policy settings
-Using Group Policy, you can turn on the **Enable automatic cleanup of unused appv packages** setting to automatically cleanup your unpublished App-V packages from your App-V client devices.
+## Clean up with Group Policy settings
 
-**To turn on the Enable automatic cleanup of unused appv packages setting**
+Using Group Policy, you can turn on the **Enable automatic clean up of unused App-V packages** setting to automatically clean up your unpublished App-V packages from your App-V client devices.
 
-1. Open your Group Policy editor and double-click the Administrative Templates\System\App-V\PackageManagement\Enable automatic cleanup of unused appv packages setting.
+### Turn on the Enable automatic clean up of unused App-V packages setting
 
-2. Click **Enabled**, and then click **OK**.
+1. Open your Group Policy editor and select the **Administrative Templates\System\App-V\PackageManagement\Enable automatic cleanup of unused App-V packages** setting.
 
-    After your Group Policy updates, the setting is turned on and will cleanup any unpublished App-V packages on the App-V Client after restarting.
+2. Select **Enabled**, then select **OK**.
+
+    After your Group Policy updates and you reset the client, the setting will clean up any unpublished App-V packages on the App-V client.
 
 ### Related topics
+
 - [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit)
-
 - [Download the Microsoft Application Virtualization 5.0 Client UI Application](https://www.microsoft.com/en-us/download/details.aspx?id=41186)
-
 - [Using the App-V Client Management Console](appv-using-the-client-management-console.md)
 
+## Have a suggestion for App-V?
 
-**Have a suggestion for App-V?**<p>
-Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).<br>For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
\ No newline at end of file
+Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
\ No newline at end of file
diff --git a/windows/application-management/app-v/appv-available-mdm-settings.md b/windows/application-management/app-v/appv-available-mdm-settings.md
index 7d050134a8..7544ce59d5 100644
--- a/windows/application-management/app-v/appv-available-mdm-settings.md
+++ b/windows/application-management/app-v/appv-available-mdm-settings.md
@@ -8,9 +8,28 @@ ms.sitesec: library
 ms.prod: w10
 ms.date: 04/19/2017
 ---
-
 # Available Mobile Device Management (MDM) settings for App-V
-With Windows 10, version 1703, you can configure, deploy, and manage your App-V apps by using these Mobile Device Management (MDM) settings. For the full list of available settings, see the [EnterpriseAppVManagement CSP](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/enterpriseappvmanagement-csp) page. 
+
+With Windows 10, version 1703, you can configure, deploy, and manage your App-V apps by using these Mobile Device Management (MDM) settings. For the full list of available settings, see the [EnterpriseAppVManagement CSP](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/enterpriseappvmanagement-csp) page.
+
+|Policy name|Supported versions|URI full path|Data type|Values|
+|---|---|---|---|---|
+|Name|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/Name|String|Read-only data, provided by your App-V packages.|
+|Version|Windows 10, version 1703||||
+|Publisher|Windows 10, version 1703||||
+|InstallLocation|Windows 10, version 1703||||
+|InstallDate|Windows 10, version 1703||||
+|Users|Windows 10, version 1703||||
+|AppVPackageID|Windows 10, version 1703||||
+|AppVVersionID|Windows 10, version 1703||||
+|AppVPackageUri|Windows 10, version 1703||||
+|LastError|Windows 10, version 1703||||
+|LastErrorDescription|Windows 10, version 1703||||
+|SyncStatusDescription|Windows 10, version 1703||||
+|SyncProgress|Windows 10, version 1703||||
+|PublishXML|Windows 10, version 1703||||
+|Policy|Windows 10, version 1703||||
+
 
 <table>
     <tr>

From a72487a8239474b30943e627227b6294e4c3cf50 Mon Sep 17 00:00:00 2001
From: Yuhang Zhu <yuhangz@microsoft.com>
Date: Mon, 11 Jun 2018 12:51:50 +0000
Subject: [PATCH 013/102] Merged PR 8963: Remove a statement from
 MicrosoftNetworkClient policy.

This a real edit change. Thanks.
---
 .../policy-configuration-service-provider.md  |  16 +
 ...policy-csp-localpoliciessecurityoptions.md | 365 +++++++++++++++---
 2 files changed, 317 insertions(+), 64 deletions(-)

diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index 403a5e2cb4..921e2c246d 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -2048,12 +2048,18 @@ The following diagram shows the Policy configuration service provider in tree fo
   <dd>
     <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-smartcardremovalbehavior" id="localpoliciessecurityoptions-interactivelogon-smartcardremovalbehavior">LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior</a>
   </dd>
+  <dd>
+    <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkclient-digitallysigncommunicationsalways" id="localpoliciessecurityoptions-microsoftnetworkclient-digitallysigncommunicationsalways">LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsAlways</a>
+  </dd>
   <dd>
     <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkclient-digitallysigncommunicationsifserveragrees" id="localpoliciessecurityoptions-microsoftnetworkclient-digitallysigncommunicationsifserveragrees">LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees</a>
   </dd>
   <dd>
     <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkclient-sendunencryptedpasswordtothirdpartysmbservers" id="localpoliciessecurityoptions-microsoftnetworkclient-sendunencryptedpasswordtothirdpartysmbservers">LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers</a>
   </dd>
+  <dd>
+    <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-amountofidletimerequiredbeforesuspendingsession" id="localpoliciessecurityoptions-microsoftnetworkserver-amountofidletimerequiredbeforesuspendingsession">LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession</a>
+  </dd>
   <dd>
     <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsalways" id="localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsalways">LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways</a>
   </dd>
@@ -2075,6 +2081,9 @@ The following diagram shows the Policy configuration service provider in tree fo
   <dd>
     <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-restrictclientsallowedtomakeremotecallstosam" id="localpoliciessecurityoptions-networkaccess-restrictclientsallowedtomakeremotecallstosam">LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM</a>
   </dd>
+  <dd>
+    <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-allowlocalsystemtousecomputeridentityforntlm" id="localpoliciessecurityoptions-networksecurity-allowlocalsystemtousecomputeridentityforntlm">LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM</a>
+  </dd>
   <dd>
     <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-allowpku2uauthenticationrequests" id="localpoliciessecurityoptions-networksecurity-allowpku2uauthenticationrequests">LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests</a>
   </dd>
@@ -2084,6 +2093,9 @@ The following diagram shows the Policy configuration service provider in tree fo
   <dd>
     <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-lanmanagerauthenticationlevel" id="localpoliciessecurityoptions-networksecurity-lanmanagerauthenticationlevel">LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel</a>
   </dd>
+  <dd>
+    <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedclients" id="localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedclients">LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients</a>
+  </dd>
   <dd>
     <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedservers" id="localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedservers">LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers</a>
   </dd>
@@ -4407,17 +4419,21 @@ The following diagram shows the Policy configuration service provider in tree fo
 -   [LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-messagetextforusersattemptingtologon)
 -   [LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-messagetitleforusersattemptingtologon)
 -   [LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-smartcardremovalbehavior)
+-   [LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsAlways](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkclient-digitallysigncommunicationsalways)
 -   [LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkclient-digitallysigncommunicationsifserveragrees)
 -   [LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkclient-sendunencryptedpasswordtothirdpartysmbservers)
+-   [LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-amountofidletimerequiredbeforesuspendingsession)
 -   [LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsalways)
 -   [LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsifclientagrees)
 -   [LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-donotallowanonymousenumerationofsamaccounts)
 -   [LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-donotallowanonymousenumerationofsamaccountsandshares)
 -   [LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-restrictanonymousaccesstonamedpipesandshares)
 -   [LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-restrictclientsallowedtomakeremotecallstosam)
+-   [LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-allowlocalsystemtousecomputeridentityforntlm)
 -   [LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-allowpku2uauthenticationrequests)
 -   [LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-donotstorelanmanagerhashvalueonnextpasswordchange)
 -   [LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-lanmanagerauthenticationlevel)
+-   [LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedclients)
 -   [LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedservers)
 -   [LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-restrictntlm-addremoteserverexceptionsforntlmauthentication)
 -   [LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-restrictntlm-auditincomingntlmtraffic)
diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
index 49a48f512a..ce338ff2ae 100644
--- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
+++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
@@ -6,11 +6,14 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 04/06/2018
+ms.date: 06/05/2018
 ---
 
 # Policy CSP - LocalPoliciesSecurityOptions
 
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
 
 <hr/>
 
@@ -81,12 +84,18 @@ ms.date: 04/06/2018
   <dd>
     <a href="#localpoliciessecurityoptions-interactivelogon-smartcardremovalbehavior">LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior</a>
   </dd>
+  <dd>
+    <a href="#localpoliciessecurityoptions-microsoftnetworkclient-digitallysigncommunicationsalways">LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsAlways</a>
+  </dd>
   <dd>
     <a href="#localpoliciessecurityoptions-microsoftnetworkclient-digitallysigncommunicationsifserveragrees">LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees</a>
   </dd>
   <dd>
     <a href="#localpoliciessecurityoptions-microsoftnetworkclient-sendunencryptedpasswordtothirdpartysmbservers">LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers</a>
   </dd>
+  <dd>
+    <a href="#localpoliciessecurityoptions-microsoftnetworkserver-amountofidletimerequiredbeforesuspendingsession">LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession</a>
+  </dd>
   <dd>
     <a href="#localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsalways">LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways</a>
   </dd>
@@ -108,6 +117,9 @@ ms.date: 04/06/2018
   <dd>
     <a href="#localpoliciessecurityoptions-networkaccess-restrictclientsallowedtomakeremotecallstosam">LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM</a>
   </dd>
+  <dd>
+    <a href="#localpoliciessecurityoptions-networksecurity-allowlocalsystemtousecomputeridentityforntlm">LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM</a>
+  </dd>
   <dd>
     <a href="#localpoliciessecurityoptions-networksecurity-allowpku2uauthenticationrequests">LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests</a>
   </dd>
@@ -117,6 +129,9 @@ ms.date: 04/06/2018
   <dd>
     <a href="#localpoliciessecurityoptions-networksecurity-lanmanagerauthenticationlevel">LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel</a>
   </dd>
+  <dd>
+    <a href="#localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedclients">LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients</a>
+  </dd>
   <dd>
     <a href="#localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedservers">LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers</a>
   </dd>
@@ -838,15 +853,6 @@ GP Info:
 -   GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
 
 <!--/RegistryMapped-->
-<!--SupportedValues-->
-
-<!--/SupportedValues-->
-<!--Example-->
-
-<!--/Example-->
-<!--Validation-->
-
-<!--/Validation-->
 <!--/Policy-->
 
 <hr/>
@@ -914,15 +920,6 @@ GP Info:
 -   GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
 
 <!--/RegistryMapped-->
-<!--SupportedValues-->
-
-<!--/SupportedValues-->
-<!--Example-->
-
-<!--/Example-->
-<!--Validation-->
-
-<!--/Validation-->
 <!--/Policy-->
 
 <hr/>
@@ -985,15 +982,6 @@ GP Info:
 -   GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
 
 <!--/RegistryMapped-->
-<!--SupportedValues-->
-
-<!--/SupportedValues-->
-<!--Example-->
-
-<!--/Example-->
-<!--Validation-->
-
-<!--/Validation-->
 <!--/Policy-->
 
 <hr/>
@@ -1495,6 +1483,83 @@ GP Info:
 
 <hr/>
 
+<!--Policy-->
+<a href="" id="localpoliciessecurityoptions-microsoftnetworkclient-digitallysigncommunicationsalways"></a>**LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsAlways**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>Mobile Enterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
+	<td></td>
+	<td></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Microsoft network client: Digitally sign communications (always)
+
+This security setting determines whether packet signing is required by the SMB client component.
+
+The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted.
+
+If this setting is enabled, the Microsoft network client will not communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. If this policy is disabled, SMB packet signing is negotiated between the client and server.
+
+Default: Disabled.
+
+
+Notes
+
+All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later operating systems, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings:
+Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing.
+Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled.
+Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing.
+Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled.
+SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors.
+For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.
+
+<!--/Description-->
+<!--RegistryMapped-->
+GP Info:  
+-   GP English name: *Microsoft network client: Digitally sign communications (always)*
+-   GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+<!--/RegistryMapped-->
+<!--SupportedValues-->
+
+<!--/SupportedValues-->
+<!--Example-->
+
+<!--/Example-->
+<!--Validation-->
+
+<!--/Validation-->
+<!--/Policy-->
+
+<hr/>
+
 <!--Policy-->
 <a href="" id="localpoliciessecurityoptions-microsoftnetworkclient-digitallysigncommunicationsifserveragrees"></a>**LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees**  
 
@@ -1618,6 +1683,72 @@ GP Info:
 
 <hr/>
 
+<!--Policy-->
+<a href="" id="localpoliciessecurityoptions-microsoftnetworkserver-amountofidletimerequiredbeforesuspendingsession"></a>**LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>Mobile Enterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
+	<td></td>
+	<td></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Microsoft network server: Amount of idle time required before suspending a session
+
+This security setting determines the amount of continuous idle time that must pass in a Server Message Block (SMB) session before the session is suspended due to inactivity.
+
+Administrators can use this policy to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished.
+
+For this policy setting, a value of 0 means to disconnect an idle session as quickly as is reasonably possible. The maximum value is 99999, which is 208 days; in effect, this value disables the policy.
+
+Default:This policy is not defined, which means that the system treats it as 15 minutes for servers and undefined for workstations.
+
+<!--/Description-->
+<!--RegistryMapped-->
+GP Info:  
+-   GP English name: *Microsoft network server: Amount of idle time required before suspending session*
+-   GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+<!--/RegistryMapped-->
+<!--SupportedValues-->
+
+<!--/SupportedValues-->
+<!--Example-->
+
+<!--/Example-->
+<!--Validation-->
+
+<!--/Validation-->
+<!--/Policy-->
+
+<hr/>
+
 <!--Policy-->
 <a href="" id="localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsalways"></a>**LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways**  
 
@@ -2051,6 +2182,78 @@ GP Info:
 
 <hr/>
 
+<!--Policy-->
+<a href="" id="localpoliciessecurityoptions-networksecurity-allowlocalsystemtousecomputeridentityforntlm"></a>**LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>Mobile Enterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
+	<td></td>
+	<td></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Network security: Allow Local System to use computer identity for NTLM
+
+This policy setting allows Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication.
+
+If you enable this policy setting, services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error.
+
+If you disable this policy setting, services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously.
+
+By default, this policy is enabled on Windows 7 and above.
+
+By default, this policy is disabled on Windows Vista.
+
+This policy is supported on at least Windows Vista or Windows Server 2008.
+
+Note: Windows Vista or Windows Server 2008 do not expose this setting in Group Policy.
+
+<!--/Description-->
+<!--RegistryMapped-->
+GP Info:  
+-   GP English name: *Network security: Allow Local System to use computer identity for NTLM*
+-   GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+<!--/RegistryMapped-->
+<!--SupportedValues-->
+
+<!--/SupportedValues-->
+<!--Example-->
+
+<!--/Example-->
+<!--Validation-->
+
+<!--/Validation-->
+<!--/Policy-->
+
+<hr/>
+
 <!--Policy-->
 <a href="" id="localpoliciessecurityoptions-networksecurity-allowpku2uauthenticationrequests"></a>**LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests**  
 
@@ -2246,6 +2449,75 @@ GP Info:
 
 <hr/>
 
+<!--Policy-->
+<a href="" id="localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedclients"></a>**LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>Mobile Enterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
+	<td></td>
+	<td></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
+
+This security setting allows a client to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are:
+
+Require NTLMv2 session security: The connection will fail if NTLMv2 protocol is not negotiated.
+Require 128-bit encryption: The connection will fail if strong encryption (128-bit) is not negotiated.
+
+Default:
+
+Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements.
+
+Windows 7 and Windows Server 2008 R2: Require 128-bit encryption
+
+<!--/Description-->
+<!--RegistryMapped-->
+GP Info:  
+-   GP English name: *Network security: Minimum session security for NTLM SSP based (including secure RPC) clients*
+-   GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+<!--/RegistryMapped-->
+<!--SupportedValues-->
+
+<!--/SupportedValues-->
+<!--Example-->
+
+<!--/Example-->
+<!--Validation-->
+
+<!--/Validation-->
+<!--/Policy-->
+
+<hr/>
+
 <!--Policy-->
 <a href="" id="localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedservers"></a>**LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers**  
 
@@ -2359,15 +2631,6 @@ GP Info:
 -   GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
 
 <!--/RegistryMapped-->
-<!--SupportedValues-->
-
-<!--/SupportedValues-->
-<!--Example-->
-
-<!--/Example-->
-<!--Validation-->
-
-<!--/Validation-->
 <!--/Policy-->
 
 <hr/>
@@ -2429,15 +2692,6 @@ GP Info:
 -   GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
 
 <!--/RegistryMapped-->
-<!--SupportedValues-->
-
-<!--/SupportedValues-->
-<!--Example-->
-
-<!--/Example-->
-<!--Validation-->
-
-<!--/Validation-->
 <!--/Policy-->
 
 <hr/>
@@ -2499,15 +2753,6 @@ GP Info:
 -   GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
 
 <!--/RegistryMapped-->
-<!--SupportedValues-->
-
-<!--/SupportedValues-->
-<!--Example-->
-
-<!--/Example-->
-<!--Validation-->
-
-<!--/Validation-->
 <!--/Policy-->
 
 <hr/>
@@ -2569,15 +2814,6 @@ GP Info:
 -   GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
 
 <!--/RegistryMapped-->
-<!--SupportedValues-->
-
-<!--/SupportedValues-->
-<!--Example-->
-
-<!--/Example-->
-<!--Validation-->
-
-<!--/Validation-->
 <!--/Policy-->
 
 <hr/>
@@ -3406,6 +3642,7 @@ Footnote:
 -   2 - Added in Windows 10, version 1703.
 -   3 - Added in Windows 10, version 1709.
 -   4 - Added in Windows 10, version 1803.
+-   5 - Added in the next major release of Windows 10.
 
 <!--/Policies-->
 

From df4de51f2c1c9ff924c6b3b2938d26838430f9e4 Mon Sep 17 00:00:00 2001
From: Jeanie Decker <jdecker@microsoft.com>
Date: Mon, 11 Jun 2018 13:08:15 +0000
Subject: [PATCH 014/102] Merged PR 8966: Remove outdated wifi requirement

---
 devices/hololens/hololens-setup.md | 1 -
 1 file changed, 1 deletion(-)

diff --git a/devices/hololens/hololens-setup.md b/devices/hololens/hololens-setup.md
index 8850ba0f96..0f62fc2e6e 100644
--- a/devices/hololens/hololens-setup.md
+++ b/devices/hololens/hololens-setup.md
@@ -19,7 +19,6 @@ Before you get started setting up your HoloLens, make sure you have a Wi-Fi netw
 The first time you use your HoloLens, you'll be guided through connecting to a Wi-Fi network. You need to connect HoloLens to a Wi-Fi network with Internet connectivity so that the user account can be authenticated.
 
 - It can be an open Wi-Fi or password-protected Wi-Fi network.
-- The Wi-Fi network cannot require you to navigate to a webpage to connect.
 - The Wi-Fi network cannot require certificates to connect.
 - The Wi-Fi network does not need to provide access to enterprise resources or intranet sites. 
 

From 9c18365310bd10f21e6e73f71f94b1ccbde60149 Mon Sep 17 00:00:00 2001
From: Heidi Lohr <helohr@microsoft.com>
Date: Mon, 11 Jun 2018 10:03:07 -0700
Subject: [PATCH 015/102] Created updated table

---
 .../app-v/appv-available-mdm-settings.md      | 28 +++++++++----------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/windows/application-management/app-v/appv-available-mdm-settings.md b/windows/application-management/app-v/appv-available-mdm-settings.md
index 7544ce59d5..3e8fa55d1c 100644
--- a/windows/application-management/app-v/appv-available-mdm-settings.md
+++ b/windows/application-management/app-v/appv-available-mdm-settings.md
@@ -15,20 +15,20 @@ With Windows 10, version 1703, you can configure, deploy, and manage your App-V
 |Policy name|Supported versions|URI full path|Data type|Values|
 |---|---|---|---|---|
 |Name|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/Name|String|Read-only data, provided by your App-V packages.|
-|Version|Windows 10, version 1703||||
-|Publisher|Windows 10, version 1703||||
-|InstallLocation|Windows 10, version 1703||||
-|InstallDate|Windows 10, version 1703||||
-|Users|Windows 10, version 1703||||
-|AppVPackageID|Windows 10, version 1703||||
-|AppVVersionID|Windows 10, version 1703||||
-|AppVPackageUri|Windows 10, version 1703||||
-|LastError|Windows 10, version 1703||||
-|LastErrorDescription|Windows 10, version 1703||||
-|SyncStatusDescription|Windows 10, version 1703||||
-|SyncProgress|Windows 10, version 1703||||
-|PublishXML|Windows 10, version 1703||||
-|Policy|Windows 10, version 1703||||
+|Version|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/Version|String|Read-only data, provided by your App-V packages.|
+|Publisher|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/Publisher|String|Read-only data, provided by your App-V packages.|
+|InstallLocation|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/InstallLocation|String|Read-only data, provided by your App-V packages.|
+|InstallDate|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/InstallDate|String|Read-only data, provided by your App-V packages.|
+|Users|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/Users|String|Read-only data, provided by your App-V packages.|
+|AppVPackageID|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/AppVPackageID|String|Read-only data, provided by your App-V packages.|
+|AppVVersionID|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/AppVVersionID|String|Read-only data, provided by your App-V packages.|
+|AppVPackageUri|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/AppVPackageUri|String|Read-only data, provided by your App-V packages.|
+|LastError|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/LastSync/LastError|String|Read-only data, provided by your App-V packages.|
+|LastErrorDescription|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/LastSync/LastErrorDescription|String|**0**: No errors returned during publish.<br>**1**: Unpublish groups failed during publish.<br>**2**: Publish no-group packages failed during publish.<br>**3**: Publish group packages failed during publish.<br>**4**: Unpublish packages failed during publish.<br>**5**: New policy write failed during publish.<br>**6**: Multiple non-fatal errors occurred during publish.|
+|SyncStatusDescription|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/LastSync/SyncStatusDescription|String|**0**: App-V publishing is idle.<br>**1**: App-V connection groups publish in progress.<br>**2**: App-V packages (non-connection group) publish in progress.<br>**3**: App-V packages (connection group) publish in progress.<br>**4**: App-V packages unpublish in progress.|
+|SyncProgress|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/LastSync/SyncProgress|String|**0**: App-V Sync is idle.<br>**1**: App-V Sync is initializing.<br>**2**: App-V Sync is in progress.<br>**3**: App-V Sync is complete.<br>**4**: App-V Sync requires device reboot.|
+|PublishXML|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXML|String|Custom value, entered by admin.|
+|Policy|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVDynamicPolicy/configurationid/Policy|String|Custom value, entered by admin.|
 
 
 <table>

From 840bcc7b6cca660898932c8db701fd3f25ebca24 Mon Sep 17 00:00:00 2001
From: Joey Caparas <macapara@microsoft.com>
Date: Mon, 11 Jun 2018 10:14:47 -0700
Subject: [PATCH 016/102] added other entities for allowed blocked list
 settings

---
 ...ows-defender-advanced-threat-protection.md | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md
index 4b6a427b67..f1e3dbc4a5 100644
--- a/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 04/24/2018
+ms.date: 06/11/2018
 ---
 
 # Manage automation allowed/blocked lists
@@ -38,30 +38,31 @@ You can define the conditions for when entities are identified as malicious or s
 ## Create an allowed or blocked list
 1. In the navigation pane, select **Settings** > **Automation allowed/blocked list**.  
 
-2. Select the type of entity you'd like to create an exclusion for. You can choose any of the following entities: 
+2. Select the tab of the type of entity you'd like to create an exclusion for. You can choose any of the following entities: 
    - File hash
    - Certificate
+   - IP address
+   - DNS
+   - Email
+   - Process memory
 
 3. Click **Add system exclusion**.
 
-4. For each attribute specify the exclusion type, details, and the following required values:
-
-    - **Files** -  Hash value
-    - **Certificate** - PEM certificate file
+4. For each attribute specify the exclusion type, details, and their corresponding required values.
     
-5. Click **Update rule**.
+5. Click **Add rule**.
 
 ## Edit a list
 1. In the navigation pane, select **Settings** > **Automation allowed/blocked list**.  
 
-2. Select the type of entity you'd like to edit the list from.  
+2. Select the tab of the entity type you'd like to edit the list from.  
 
 3. Update the details of the rule and click **Update rule**.
 
 ## Delete a list 
 1. In the navigation pane, select **Settings** > **Automation allowed/blocked list**.  
 
-2. Select the type of entity you'd like to delete the list from.
+2. Select the tab of the entity type you'd like to delete the list from.
 
 3. Select the list type by clicking the check-box beside the list type.
 

From da1c082a0a63f06c655ee551e74576227f4a0d84 Mon Sep 17 00:00:00 2001
From: Heidi Lohr <helohr@microsoft.com>
Date: Mon, 11 Jun 2018 10:26:34 -0700
Subject: [PATCH 017/102] Attempt to shorten uri column

---
 .../app-v/appv-available-mdm-settings.md      | 30 +++++++++----------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/windows/application-management/app-v/appv-available-mdm-settings.md b/windows/application-management/app-v/appv-available-mdm-settings.md
index 3e8fa55d1c..9e95747a79 100644
--- a/windows/application-management/app-v/appv-available-mdm-settings.md
+++ b/windows/application-management/app-v/appv-available-mdm-settings.md
@@ -14,21 +14,21 @@ With Windows 10, version 1703, you can configure, deploy, and manage your App-V
 
 |Policy name|Supported versions|URI full path|Data type|Values|
 |---|---|---|---|---|
-|Name|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/Name|String|Read-only data, provided by your App-V packages.|
-|Version|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/Version|String|Read-only data, provided by your App-V packages.|
-|Publisher|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/Publisher|String|Read-only data, provided by your App-V packages.|
-|InstallLocation|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/InstallLocation|String|Read-only data, provided by your App-V packages.|
-|InstallDate|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/InstallDate|String|Read-only data, provided by your App-V packages.|
-|Users|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/Users|String|Read-only data, provided by your App-V packages.|
-|AppVPackageID|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/AppVPackageID|String|Read-only data, provided by your App-V packages.|
-|AppVVersionID|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/AppVVersionID|String|Read-only data, provided by your App-V packages.|
-|AppVPackageUri|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/AppVPackageUri|String|Read-only data, provided by your App-V packages.|
-|LastError|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/LastSync/LastError|String|Read-only data, provided by your App-V packages.|
-|LastErrorDescription|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/LastSync/LastErrorDescription|String|**0**: No errors returned during publish.<br>**1**: Unpublish groups failed during publish.<br>**2**: Publish no-group packages failed during publish.<br>**3**: Publish group packages failed during publish.<br>**4**: Unpublish packages failed during publish.<br>**5**: New policy write failed during publish.<br>**6**: Multiple non-fatal errors occurred during publish.|
-|SyncStatusDescription|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/LastSync/SyncStatusDescription|String|**0**: App-V publishing is idle.<br>**1**: App-V connection groups publish in progress.<br>**2**: App-V packages (non-connection group) publish in progress.<br>**3**: App-V packages (connection group) publish in progress.<br>**4**: App-V packages unpublish in progress.|
-|SyncProgress|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/LastSync/SyncProgress|String|**0**: App-V Sync is idle.<br>**1**: App-V Sync is initializing.<br>**2**: App-V Sync is in progress.<br>**3**: App-V Sync is complete.<br>**4**: App-V Sync requires device reboot.|
-|PublishXML|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXML|String|Custom value, entered by admin.|
-|Policy|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVDynamicPolicy/configurationid/Policy|String|Custom value, entered by admin.|
+|Name|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/ <enterprise_id>/<package_family_name>/<package_full_name>/Name|String|Read-only data, provided by your App-V packages.|
+|Version|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/ <enterprise_id>/<package_family_name>/<package_full_name>/Version|String|Read-only data, provided by your App-V packages.|
+|Publisher|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/ <enterprise_id>/<package_family_name>/<package_full_name>/Publisher|String|Read-only data, provided by your App-V packages.|
+|InstallLocation|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/ <enterprise_id>/<package_family_name>/<package_full_name>/InstallLocation|String|Read-only data, provided by your App-V packages.|
+|InstallDate|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/ <enterprise_id>/<package_family_name>/<package_full_name>/InstallDate|String|Read-only data, provided by your App-V packages.|
+|Users|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/ <enterprise_id>/<package_family_name>/<package_full_name>/Users|String|Read-only data, provided by your App-V packages.|
+|AppVPackageID|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/ <enterprise_id>/<package_family_name>/<package_full_name>/AppVPackageID|String|Read-only data, provided by your App-V packages.|
+|AppVVersionID|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/ <enterprise_id>/<package_family_name>/<package_full_name>/AppVVersionID|String|Read-only data, provided by your App-V packages.|
+|AppVPackageUri|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/ <enterprise_id>/<package_family_name>/<package_full_name>/AppVPackageUri|String|Read-only data, provided by your App-V packages.|
+|LastError|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/ LastSync/LastError|String|Read-only data, provided by your App-V packages.|
+|LastErrorDescription|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/ LastSync/LastErrorDescription|String|**0**: No errors returned during publish.<br>**1**: Unpublish groups failed during publish.<br>**2**: Publish no-group packages failed during publish.<br>**3**: Publish group packages failed during publish.<br>**4**: Unpublish packages failed during publish.<br>**5**: New policy write failed during publish.<br>**6**: Multiple non-fatal errors occurred during publish.|
+|SyncStatusDescription|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/ LastSync/SyncStatusDescription|String|**0**: App-V publishing is idle.<br>**1**: App-V connection groups publish in progress.<br>**2**: App-V packages (non-connection group) publish in progress.<br>**3**: App-V packages (connection group) publish in progress.<br>**4**: App-V packages unpublish in progress.|
+|SyncProgress|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/ LastSync/SyncProgress|String|**0**: App-V Sync is idle.<br>**1**: App-V Sync is initializing.<br>**2**: App-V Sync is in progress.<br>**3**: App-V Sync is complete.<br>**4**: App-V Sync requires device reboot.|
+|PublishXML|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/ Sync/PublishXML|String|Custom value, entered by admin.|
+|Policy|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVDynamicPolicy/ configurationid/Policy|String|Custom value, entered by admin.|
 
 
 <table>

From 148043f8e793881391661712b133c22022217788 Mon Sep 17 00:00:00 2001
From: Heidi Lohr <helohr@microsoft.com>
Date: Mon, 11 Jun 2018 10:27:56 -0700
Subject: [PATCH 018/102] Added bullets

---
 .../app-v/appv-available-mdm-settings.md                    | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/windows/application-management/app-v/appv-available-mdm-settings.md b/windows/application-management/app-v/appv-available-mdm-settings.md
index 9e95747a79..8b09c32feb 100644
--- a/windows/application-management/app-v/appv-available-mdm-settings.md
+++ b/windows/application-management/app-v/appv-available-mdm-settings.md
@@ -24,9 +24,9 @@ With Windows 10, version 1703, you can configure, deploy, and manage your App-V
 |AppVVersionID|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/ <enterprise_id>/<package_family_name>/<package_full_name>/AppVVersionID|String|Read-only data, provided by your App-V packages.|
 |AppVPackageUri|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/ <enterprise_id>/<package_family_name>/<package_full_name>/AppVPackageUri|String|Read-only data, provided by your App-V packages.|
 |LastError|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/ LastSync/LastError|String|Read-only data, provided by your App-V packages.|
-|LastErrorDescription|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/ LastSync/LastErrorDescription|String|**0**: No errors returned during publish.<br>**1**: Unpublish groups failed during publish.<br>**2**: Publish no-group packages failed during publish.<br>**3**: Publish group packages failed during publish.<br>**4**: Unpublish packages failed during publish.<br>**5**: New policy write failed during publish.<br>**6**: Multiple non-fatal errors occurred during publish.|
-|SyncStatusDescription|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/ LastSync/SyncStatusDescription|String|**0**: App-V publishing is idle.<br>**1**: App-V connection groups publish in progress.<br>**2**: App-V packages (non-connection group) publish in progress.<br>**3**: App-V packages (connection group) publish in progress.<br>**4**: App-V packages unpublish in progress.|
-|SyncProgress|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/ LastSync/SyncProgress|String|**0**: App-V Sync is idle.<br>**1**: App-V Sync is initializing.<br>**2**: App-V Sync is in progress.<br>**3**: App-V Sync is complete.<br>**4**: App-V Sync requires device reboot.|
+|LastErrorDescription|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/ LastSync/LastErrorDescription|String|- **0**: No errors returned during publish.<br>- **1**: Unpublish groups failed during publish.<br>- **2**: Publish no-group packages failed during publish.<br>- **3**: Publish group packages failed during publish.<br>- **4**: Unpublish packages failed during publish.<br>- **5**: New policy write failed during publish.<br>- **6**: Multiple non-fatal errors occurred during publish.|
+|SyncStatusDescription|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/ LastSync/SyncStatusDescription|String|- **0**: App-V publishing is idle.<br>- **1**: App-V connection groups publish in progress.<br>- **2**: App-V packages (non-connection group) publish in progress.<br>- **3**: App-V packages (connection group) publish in progress.<br>- **4**: App-V packages unpublish in progress.|
+|SyncProgress|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/ LastSync/SyncProgress|String|- **0**: App-V Sync is idle.<br>- **1**: App-V Sync is initializing.<br>- **2**: App-V Sync is in progress.<br>- **3**: App-V Sync is complete.<br>- **4**: App-V Sync requires device reboot.|
 |PublishXML|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/ Sync/PublishXML|String|Custom value, entered by admin.|
 |Policy|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVDynamicPolicy/ configurationid/Policy|String|Custom value, entered by admin.|
 

From 37e2e1acf6109387995f304f8b7521386ea843ec Mon Sep 17 00:00:00 2001
From: Jeanie Decker <jdecker@microsoft.com>
Date: Mon, 11 Jun 2018 18:42:11 +0000
Subject: [PATCH 019/102] Merged PR 8974: add link for how to update HoloLens
 directly; update Intune kiosk profile

---
 devices/hololens/hololens-microsoft-layout-app.md            | 2 +-
 devices/hololens/hololens-updates.md                         | 2 +-
 .../configuration/lock-down-windows-10-to-specific-apps.md   | 5 +++--
 windows/configuration/setup-kiosk-digital-signage.md         | 4 +++-
 4 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/devices/hololens/hololens-microsoft-layout-app.md b/devices/hololens/hololens-microsoft-layout-app.md
index d2357ed2ee..4f5540e858 100644
--- a/devices/hololens/hololens-microsoft-layout-app.md
+++ b/devices/hololens/hololens-microsoft-layout-app.md
@@ -25,7 +25,7 @@ Microsoft Layout works with a HoloLens, or with a Windows Mixed Reality headset
 
 | OS requirements                   | Details                                                    |
 |:----------------------------------|:-----------------------------------------------------------|
-| Build 10.0.17134.77 or above | See [Manage updates to HoloLens](hololens-updates.md) for instructions on upgrading to this build. |
+| Build 10.0.17134.77 or above | See [Update HoloLens](https://support.microsoft.com/help/12643/hololens-update-hololens) for instructions on upgrading to this build. |
 
 #### Windows Mixed Reality headset requirements
 
diff --git a/devices/hololens/hololens-updates.md b/devices/hololens/hololens-updates.md
index 0b91b6f361..e10552862b 100644
--- a/devices/hololens/hololens-updates.md
+++ b/devices/hololens/hololens-updates.md
@@ -12,7 +12,7 @@ ms.date: 04/30/2018
 
 # Manage updates to HoloLens
 
-
+>**Looking for how to get the latest update? See [Update HoloLens](https://support.microsoft.com/help/12643/hololens-update-hololens).**
 
 Windows 10, version 1803, is the first feature update to Windows Holographic for Business since its release in Windows 10, version 1607. As with desktop devices, administrators can manage updates to the HoloLens operating system using [Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb).
 
diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md
index 7610e6fe75..34225059f4 100644
--- a/windows/configuration/lock-down-windows-10-to-specific-apps.md
+++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md
@@ -52,7 +52,7 @@ You can configure multi-app kiosks using [Microsoft Intune](#intune) or a [provi
 12. Enter a friendly name for the configuration.
 10. In **Kiosk Mode**, select **Multi app kiosk**.
 13. Select an app type.
-  - For **Add Win32 app**, enter the **App Name** and **Identifier**.
+  - For **Add Win32 app**, enter a friendly name for the app in **App Name**, and enter the path to the app executable in **Identifier**.
   - For **Add managed apps**, select an app that you manage through Intune.
   - For **Add app by AUMID**, enter the Application User Model ID (AUMID) for an installed UWP app.
 14. Select whether to enable the taskbar.
@@ -61,7 +61,8 @@ You can configure multi-app kiosks using [Microsoft Intune](#intune) or a [provi
 17. Select **OK**. You can add additional configurations or finish.
 18. Assign the profile to a device group to configure the devices in that group as kiosks.
 
-
+>[!NOTE]
+>Managed apps are apps that are in the Microsoft Store for Business that is synced with your Intune subscription.
 
 
 
diff --git a/windows/configuration/setup-kiosk-digital-signage.md b/windows/configuration/setup-kiosk-digital-signage.md
index 36581a3438..a2442ee9fb 100644
--- a/windows/configuration/setup-kiosk-digital-signage.md
+++ b/windows/configuration/setup-kiosk-digital-signage.md
@@ -270,7 +270,9 @@ The following steps explain how to configure a kiosk in Microsoft Intune. For ot
 7. Select **Windows 10 and later** for the platform.
 8. Select **Kiosk (Preview)** for the profile type.
 9. Enter a friendly name for the kiosk configuration.
-10. In **Kiosk Mode**, select **Single full-screen app kiosk**.
+10. Select **Kiosk - 1 setting available**.
+10. Select **Add** to add a kiosk configuration.
+10. Enter a friendly name for the kiosk configuration, and then in **Kiosk Mode**, select **Single full-screen app kiosk**.
 10. Select either **Select a managed app** to choose a kiosk app that is managed by Intune, or **Enter UWP app AUMID** to specify the kiosk app by AUMID, and then select the app or enter the AUMID as appropriate.
 1. For the user account, select either **Autologon** to create a user account for the kiosk that will sign in automatically, or **Local user account** to configure an existing user account to run the kiosk. **Local user account** can be a local standard user account on the device or an Azure Active Directory account.
 14. Select **OK**, and then select **Create**.

From 8acf5994725441506f024dc89773edb32bd39547 Mon Sep 17 00:00:00 2001
From: danhwang1 <40180973+danhwang1@users.noreply.github.com>
Date: Mon, 11 Jun 2018 11:45:40 -0700
Subject: [PATCH 020/102] Update supl-ddf-file.md

We have recently made a change in our Location Platform pertaining to SUPL to increase the max number of root certificates from 3 to 6 (as mandated). As a result, we will need to update the necessary public documentation here:  https://docs.microsoft.com/en-us/windows/client-management/mdm/supl-ddf-file
---
 .../client-management/mdm/supl-ddf-file.md    | 198 +++++++++++++++++-
 1 file changed, 197 insertions(+), 1 deletion(-)

diff --git a/windows/client-management/mdm/supl-ddf-file.md b/windows/client-management/mdm/supl-ddf-file.md
index e6ed98d713..4ee4e4ad1d 100644
--- a/windows/client-management/mdm/supl-ddf-file.md
+++ b/windows/client-management/mdm/supl-ddf-file.md
@@ -171,7 +171,7 @@ The XML below is the current version for this CSP.
                 </DFProperties>
               </Node>
               <Node>
-                <NodeName>MCCMNPairs</NodeName>
+                <NodeName>MCCMNCPairs</NodeName>
                 <DFProperties>
                   <AccessType>
                     <Get />
@@ -482,6 +482,201 @@ The XML below is the current version for this CSP.
             </Node>
           </Node>
         </Node>
+        <Node>
+          <NodeName>RootCertificate4</NodeName>
+          <DFProperties>
+            <AccessType>
+              <Get />
+            </AccessType>
+            <Description>Required. Specifies the root certificate for the H-SLP server. Windows Phone does not support a non-secure mode. If this node is not included, the configuration service provider will fail but may not return a specific error.</Description>
+            <DFFormat>
+              <node />
+            </DFFormat>
+            <Occurrence>
+              <One />
+            </Occurrence>
+            <Scope>
+              <Permanent />
+            </Scope>
+            <DFType>
+              <DDFName></DDFName>
+            </DFType>
+          </DFProperties>
+          <Node>
+            <NodeName>Name</NodeName>
+            <DFProperties>
+              <AccessType>
+                <Get />
+                <Replace />
+              </AccessType>
+              <Description>Specifies the name of the H-SLP root certificate as a string, in the format name.cer.</Description>
+              <DFFormat>
+                <chr />
+              </DFFormat>
+              <Occurrence>
+                <One />
+              </Occurrence>
+              <Scope>
+                <Permanent />
+              </Scope>
+              <DFType>
+                <MIME>text/plain</MIME>
+              </DFType>
+            </DFProperties>
+          </Node>
+          <Node>
+            <NodeName>Data</NodeName>
+            <DFProperties>
+              <AccessType>
+                <Get />
+                <Replace />
+              </AccessType>
+              <Description>The base 64 encoded blob of the H-SLP root certificate.</Description>
+              <DFFormat>
+                <b64 />
+              </DFFormat>
+              <Occurrence>
+                <One />
+              </Occurrence>
+              <Scope>
+                <Permanent />
+              </Scope>
+              <DFType>
+                <DDFName></DDFName>
+              </DFType>
+            </DFProperties>
+          </Node>
+        </Node>
+        <Node>
+          <NodeName>RootCertificate5</NodeName>
+          <DFProperties>
+            <AccessType>
+              <Get />
+            </AccessType>
+            <Description>Required. Specifies the root certificate for the H-SLP server. Windows Phone does not support a non-secure mode. If this node is not included, the configuration service provider will fail but may not return a specific error.</Description>
+            <DFFormat>
+              <node />
+            </DFFormat>
+            <Occurrence>
+              <One />
+            </Occurrence>
+            <Scope>
+              <Permanent />
+            </Scope>
+            <DFType>
+              <DDFName></DDFName>
+            </DFType>
+          </DFProperties>
+          <Node>
+            <NodeName>Name</NodeName>
+            <DFProperties>
+              <AccessType>
+                <Get />
+                <Replace />
+              </AccessType>
+              <Description>Specifies the name of the H-SLP root certificate as a string, in the format name.cer.</Description>
+              <DFFormat>
+                <chr />
+              </DFFormat>
+              <Occurrence>
+                <One />
+              </Occurrence>
+              <Scope>
+                <Permanent />
+              </Scope>
+              <DFType>
+                <MIME>text/plain</MIME>
+              </DFType>
+            </DFProperties>
+          </Node>
+          <Node>
+            <NodeName>Data</NodeName>
+            <DFProperties>
+              <AccessType>
+                <Get />
+                <Replace />
+              </AccessType>
+              <Description>The base 64 encoded blob of the H-SLP root certificate.</Description>
+              <DFFormat>
+                <b64 />
+              </DFFormat>
+              <Occurrence>
+                <One />
+              </Occurrence>
+              <Scope>
+                <Permanent />
+              </Scope>
+              <DFType>
+                <DDFName></DDFName>
+              </DFType>
+            </DFProperties>
+          </Node>
+        </Node>
+        <Node>
+          <NodeName>RootCertificate6</NodeName>
+          <DFProperties>
+            <AccessType>
+              <Get />
+            </AccessType>
+            <Description>Required. Specifies the root certificate for the H-SLP server. Windows Phone does not support a non-secure mode. If this node is not included, the configuration service provider will fail but may not return a specific error.</Description>
+            <DFFormat>
+              <node />
+            </DFFormat>
+            <Occurrence>
+              <One />
+            </Occurrence>
+            <Scope>
+              <Permanent />
+            </Scope>
+            <DFType>
+              <DDFName></DDFName>
+            </DFType>
+          </DFProperties>
+          <Node>
+            <NodeName>Name</NodeName>
+            <DFProperties>
+              <AccessType>
+                <Get />
+                <Replace />
+              </AccessType>
+              <Description>Specifies the name of the H-SLP root certificate as a string, in the format name.cer.</Description>
+              <DFFormat>
+                <chr />
+              </DFFormat>
+              <Occurrence>
+                <One />
+              </Occurrence>
+              <Scope>
+                <Permanent />
+              </Scope>
+              <DFType>
+                <MIME>text/plain</MIME>
+              </DFType>
+            </DFProperties>
+          </Node>
+          <Node>
+            <NodeName>Data</NodeName>
+            <DFProperties>
+              <AccessType>
+                <Get />
+                <Replace />
+              </AccessType>
+              <Description>The base 64 encoded blob of the H-SLP root certificate.</Description>
+              <DFFormat>
+                <b64 />
+              </DFFormat>
+              <Occurrence>
+                <One />
+              </Occurrence>
+              <Scope>
+                <Permanent />
+              </Scope>
+              <DFType>
+                <DDFName></DDFName>
+              </DFType>
+            </DFProperties>
+          </Node>
+        </Node>
         <Node>
           <NodeName>V2UPL1 </NodeName>
           <DFProperties>
@@ -662,6 +857,7 @@ The XML below is the current version for this CSP.
         </Node>
       </Node>
 </MgmtTree>
+
 ```
 
  

From 92466c0e772bfd4e17fddcf0f2c80c95046c2826 Mon Sep 17 00:00:00 2001
From: Heidi Lohr <helohr@microsoft.com>
Date: Mon, 11 Jun 2018 12:37:34 -0700
Subject: [PATCH 021/102] Adjusted spacing

---
 .../app-v/appv-available-mdm-settings.md                      | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/windows/application-management/app-v/appv-available-mdm-settings.md b/windows/application-management/app-v/appv-available-mdm-settings.md
index 8b09c32feb..1c5d1625d3 100644
--- a/windows/application-management/app-v/appv-available-mdm-settings.md
+++ b/windows/application-management/app-v/appv-available-mdm-settings.md
@@ -26,8 +26,8 @@ With Windows 10, version 1703, you can configure, deploy, and manage your App-V
 |LastError|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/ LastSync/LastError|String|Read-only data, provided by your App-V packages.|
 |LastErrorDescription|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/ LastSync/LastErrorDescription|String|- **0**: No errors returned during publish.<br>- **1**: Unpublish groups failed during publish.<br>- **2**: Publish no-group packages failed during publish.<br>- **3**: Publish group packages failed during publish.<br>- **4**: Unpublish packages failed during publish.<br>- **5**: New policy write failed during publish.<br>- **6**: Multiple non-fatal errors occurred during publish.|
 |SyncStatusDescription|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/ LastSync/SyncStatusDescription|String|- **0**: App-V publishing is idle.<br>- **1**: App-V connection groups publish in progress.<br>- **2**: App-V packages (non-connection group) publish in progress.<br>- **3**: App-V packages (connection group) publish in progress.<br>- **4**: App-V packages unpublish in progress.|
-|SyncProgress|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/ LastSync/SyncProgress|String|- **0**: App-V Sync is idle.<br>- **1**: App-V Sync is initializing.<br>- **2**: App-V Sync is in progress.<br>- **3**: App-V Sync is complete.<br>- **4**: App-V Sync requires device reboot.|
-|PublishXML|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/ Sync/PublishXML|String|Custom value, entered by admin.|
+|SyncProgress|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPublishing/LastSync/SyncProgress|String|- **0**: App-V Sync is idle.<br>- **1**: App-V Sync is initializing.<br>- **2**: App-V Sync is in progress.<br>- **3**: App-V Sync is complete.<br>- **4**: App-V Sync requires device reboot.|
+|PublishXML|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPublishing/Sync/PublishXML|String|Custom value, entered by admin.|
 |Policy|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVDynamicPolicy/ configurationid/Policy|String|Custom value, entered by admin.|
 
 

From 769a8b5bab997efd83405d5d51096f6afc8f6619 Mon Sep 17 00:00:00 2001
From: Heidi Lohr <helohr@microsoft.com>
Date: Mon, 11 Jun 2018 13:06:27 -0700
Subject: [PATCH 022/102] Attempt to adjust spacing.

---
 .../app-v/appv-available-mdm-settings.md                      | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/windows/application-management/app-v/appv-available-mdm-settings.md b/windows/application-management/app-v/appv-available-mdm-settings.md
index 1c5d1625d3..7b4de19db8 100644
--- a/windows/application-management/app-v/appv-available-mdm-settings.md
+++ b/windows/application-management/app-v/appv-available-mdm-settings.md
@@ -26,8 +26,8 @@ With Windows 10, version 1703, you can configure, deploy, and manage your App-V
 |LastError|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/ LastSync/LastError|String|Read-only data, provided by your App-V packages.|
 |LastErrorDescription|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/ LastSync/LastErrorDescription|String|- **0**: No errors returned during publish.<br>- **1**: Unpublish groups failed during publish.<br>- **2**: Publish no-group packages failed during publish.<br>- **3**: Publish group packages failed during publish.<br>- **4**: Unpublish packages failed during publish.<br>- **5**: New policy write failed during publish.<br>- **6**: Multiple non-fatal errors occurred during publish.|
 |SyncStatusDescription|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/ LastSync/SyncStatusDescription|String|- **0**: App-V publishing is idle.<br>- **1**: App-V connection groups publish in progress.<br>- **2**: App-V packages (non-connection group) publish in progress.<br>- **3**: App-V packages (connection group) publish in progress.<br>- **4**: App-V packages unpublish in progress.|
-|SyncProgress|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPublishing/LastSync/SyncProgress|String|- **0**: App-V Sync is idle.<br>- **1**: App-V Sync is initializing.<br>- **2**: App-V Sync is in progress.<br>- **3**: App-V Sync is complete.<br>- **4**: App-V Sync requires device reboot.|
-|PublishXML|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPublishing/Sync/PublishXML|String|Custom value, entered by admin.|
+|SyncProgress|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/ LastSync/SyncProgress|String|- **0**: App-V Sync is idle.<br>- **1**: App-V Sync is initializing.<br>- **2**: App-V Sync is in progress.<br>- **3**: App-V Sync is complete.<br>- **4**: App-V Sync requires device reboot.|
+|PublishXML|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/ PublishXML|String|Custom value, entered by admin.|
 |Policy|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVDynamicPolicy/ configurationid/Policy|String|Custom value, entered by admin.|
 
 

From 2e791f3bf1304fc2ad71c51c5a9f4b2aa7063454 Mon Sep 17 00:00:00 2001
From: Benjamin Howorth <v-behowo@microsoft.com>
Date: Mon, 11 Jun 2018 21:27:30 +0000
Subject: [PATCH 023/102] Updated inclusive-classroom-it-admin.md

---
 education/get-started/inclusive-classroom-it-admin.md | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/education/get-started/inclusive-classroom-it-admin.md b/education/get-started/inclusive-classroom-it-admin.md
index 16b5c8a0e2..6d3bb808df 100644
--- a/education/get-started/inclusive-classroom-it-admin.md
+++ b/education/get-started/inclusive-classroom-it-admin.md
@@ -37,10 +37,10 @@ ms.date: 03/18/2018
 
 | Creating accessible content features  |  Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R)  | Office 365 ProPlus Semi Annual (C2R)  | Office 365 ProPlus Annual (C2R)  | Office 365 Web  | Office Mac  | Office iPad  |
 |---|---|---|---|---|---|---|---|---|---|
-| Accessibility Checker  | <ul><li>All Office 365 authoring applications on PC, Mac, Web</li></ul>  |   |   |   |   |   |   |   |   |
-| Accessible Templates  | <ul><li>Word for PCs, Mac</li><li>Excel for PCs, Mac</li><li>PowerPoint for PCs, Mac</li><li>Sway on iOS, Web, Windows 10</li></ul>  |   |   |   |   |   |   |   |   |
-| Ability to add alt-text for images  | <ul><li>Word for PCs (includes automatic suggestions for image descriptions)</li><li>SharePoint Online (includes automatic suggestions for image descriptions)</li><li>PowerPoint for PCs (includes automatic suggestions for image descriptions)</li><li>OneNote (includes automatic extraction of text in images)</li><li>All Office 365 authoring applications (include ability to add alt-text manually)</li></ul>  |   |   |   |   |   |   |   |   |
-| Ability to add captions to videos  | <ul><li>PowerPoint for PCs</li><li>Sway on iOS, Web, Windows 10</li></ul>  |   |   |   |   |   |   |   |   |
+| Accessibility Checker  | <ul><li>All Office 365 authoring applications on PC, Mac, Web</li></ul>  |   | <p style="text-align: center;">X</p>  |   |   |   |   |   |   |
+| Accessible Templates  | <ul><li>Word for PCs, Mac</li><li>Excel for PCs, Mac</li><li>PowerPoint for PCs, Mac</li><li>Sway on iOS, Web, Windows 10</li></ul>  |   | <p style="text-align: center;">X</p>  |   |   |   |   |   |   |
+| Ability to add alt-text for images  | <ul><li>Word for PCs (includes automatic suggestions for image descriptions)</li><li>SharePoint Online (includes automatic suggestions for image descriptions)</li><li>PowerPoint for PCs (includes automatic suggestions for image descriptions)</li><li>OneNote (includes automatic extraction of text in images)</li><li>All Office 365 authoring applications (include ability to add alt-text manually)</li></ul>  |   | <p style="text-align: center;">X</p>  |   |   |   |   |   |   |
+| Ability to add captions to videos  | <ul><li>PowerPoint for PCs</li><li>Sway on iOS, Web, Windows 10</li></ul>  |   | <p style="text-align: center;">X</p>  |   |   |   |   |   |   |
 | Export as tagged PDF  | <ul><li>Word for PCs, Mac</li><li>Sway on iOS, Web, Windows 10</li></ul>  |   |   |   |   |   |   |   |   |
 | Ability to request accessible content  | <ul><li>Outlook Web Access</li></ul>  |   |   |   |   |   |   |   |   |
 </br>
@@ -48,6 +48,5 @@ ms.date: 03/18/2018
 
 | Communication features   | Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R)  | Office 365 ProPlus Semi Annual (C2R)  | Office 365 ProPlus Annual (C2R)  | Office 365 Web  | Office Mac  | Office iPad  |
 |---|---|---|---|---|---|---|---|---|---|
-| Translate Language of Document  | <ul><li>Word 2016</li><li>PowerPoint 2016</li></ul>  |   |   |   |   |   |   |   |   |
-| PowerPoint Translator  | <ul><li>PowerPoint 2016 Add-in</li></ul>  |   |   |   |   |   |   |   |   |
+| Microsoft Translator  | <ul><li>Word 2016</li><li>Excel 2016</li><li>"Translator for Outlook" Add-in</li><li>PowerPoint 2016 (and PowerPoint Garage Add-in</li></ul>  | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p>  |   |   |   |
 </br>
\ No newline at end of file

From c124f6d063f0900374e1fa2604aa397b800ae3a7 Mon Sep 17 00:00:00 2001
From: Heidi Lohr <helohr@microsoft.com>
Date: Mon, 11 Jun 2018 15:41:07 -0700
Subject: [PATCH 024/102] Next attempt at spacing adjustment

---
 .../app-v/appv-available-mdm-settings.md                      | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/windows/application-management/app-v/appv-available-mdm-settings.md b/windows/application-management/app-v/appv-available-mdm-settings.md
index 7b4de19db8..b6a44c1356 100644
--- a/windows/application-management/app-v/appv-available-mdm-settings.md
+++ b/windows/application-management/app-v/appv-available-mdm-settings.md
@@ -26,8 +26,8 @@ With Windows 10, version 1703, you can configure, deploy, and manage your App-V
 |LastError|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/ LastSync/LastError|String|Read-only data, provided by your App-V packages.|
 |LastErrorDescription|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/ LastSync/LastErrorDescription|String|- **0**: No errors returned during publish.<br>- **1**: Unpublish groups failed during publish.<br>- **2**: Publish no-group packages failed during publish.<br>- **3**: Publish group packages failed during publish.<br>- **4**: Unpublish packages failed during publish.<br>- **5**: New policy write failed during publish.<br>- **6**: Multiple non-fatal errors occurred during publish.|
 |SyncStatusDescription|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/ LastSync/SyncStatusDescription|String|- **0**: App-V publishing is idle.<br>- **1**: App-V connection groups publish in progress.<br>- **2**: App-V packages (non-connection group) publish in progress.<br>- **3**: App-V packages (connection group) publish in progress.<br>- **4**: App-V packages unpublish in progress.|
-|SyncProgress|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/ LastSync/SyncProgress|String|- **0**: App-V Sync is idle.<br>- **1**: App-V Sync is initializing.<br>- **2**: App-V Sync is in progress.<br>- **3**: App-V Sync is complete.<br>- **4**: App-V Sync requires device reboot.|
-|PublishXML|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/ PublishXML|String|Custom value, entered by admin.|
+|SyncProgress|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/LastSync/SyncProgress|String|- **0**: App-V Sync is idle.<br>- **1**: App-V Sync is initializing.<br>- **2**: App-V Sync is in progress.<br>- **3**: App-V Sync is complete.<br>- **4**: App-V Sync requires device reboot.|
+|PublishXML|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXML|String|Custom value, entered by admin.|
 |Policy|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVDynamicPolicy/ configurationid/Policy|String|Custom value, entered by admin.|
 
 

From 05281c5b94d42d29d56c80c5121dfd1632af5004 Mon Sep 17 00:00:00 2001
From: Heidi Lohr <helohr@microsoft.com>
Date: Mon, 11 Jun 2018 16:57:32 -0700
Subject: [PATCH 025/102] Continued updating articles

---
 ...to-packages-with-the-management-console.md | 49 ++++++++-----------
 1 file changed, 21 insertions(+), 28 deletions(-)

diff --git a/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md b/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md
index 58b23dd73f..86ded03016 100644
--- a/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md
@@ -8,60 +8,53 @@ ms.sitesec: library
 ms.prod: w10
 ms.date: 04/19/2017
 ---
-
-
 # How to Configure Access to Packages by Using the Management Console
 
-**Applies to**
--   Windows 10, version 1607
+>Applies to: Windows 10, version 1607
 
 Before you deploy an App-V virtualized package, you must configure the Active Directory Domain Services (AD DS) security groups that will be allowed to access and run the applications. The security groups may contain computers or users. Entitling a package to a computer group publishes the package globally to all computers in the group.
 
 Use the following procedure to configure access to virtualized packages.
 
-**To grant access to an App-V package**
+## Grant access to an App-V package
 
-1.  Find the package you want to configure:
+1. Find the package you want to configure:
 
-    1.  Open the App-V Management console.
+    1. Open the App-V Management console.
 
-    2.  To display the **AD ACCESS** page, right-click the package to be configured, and select **Edit active directory access**. Alternatively, select the package and click **EDIT** in the **AD ACCESS** pane.
+    1. Right-click the package to be configured, then select **Edit active directory access** to display the **AD ACCESS** page. Alternatively, select the package and select **EDIT** in the **AD ACCESS** pane.
 
-2.  Provision a security group for the package:
+2. Provision a security group for the package:
 
-    1.  Go to the **FIND VALID ACTIVE DIRECTORY NAMES AND GRANT ACCESS** page.
+    1. Go to the **FIND VALID ACTIVE DIRECTORY NAMES AND GRANT ACCESS** page.
 
-    2.  Using the format **mydomain** \\ **groupname**, type the name or part of the name of an Active Directory group object, and click **Check**.
+    1. Using the format **mydomain** \\ **groupname**, enter the name or part of the name of an Active Directory group object, then select **Check**.
 
-        **Note**  
-        Ensure that you provide an associated domain name for the group that you are searching for.
+        >[!NOTE]  
+        >Ensure that you provide an associated domain name for the group that you are searching for.
 
-         
+3. Grant access to the package by first selecting the desired group, then selecting **Grant Access**. The newly added group is displayed in the **AD ENTITIES WITH ACCESS** pane.
 
-3.  To grant access to the package, select the desired group and click **Grant Access**. The newly added group is displayed in the **AD ENTITIES WITH ACCESS** pane.
+4. Select **Close** to accept the default configuration settings and close the AD ACCESS page.
 
-4.  
+    To customize configurations for a specific group, select the **ASSIGNED CONFIGURATIONS** drop-down and select **Custom**. To make changes to your custom configurations, select **EDIT**. After you grant access, select **Close**.
 
-    To accept the default configuration settings and close the **AD ACCESS** page, click **Close**.
+## Remove access to an App-V package
 
-    To customize configurations for a specific group, click the **ASSIGNED CONFIGURATIONS** drop-down and select **Custom**. To configure the custom configurations, click **EDIT**. After you grant access, click **Close**.
+1. Find the package you want to configure:
 
-**To remove access to an App-V package**
+    1. Open the App-V Management console.
 
-1.  Find the package you want to configure:
+    1. To display the **AD ACCESS** page, right-click the package to be configured, then select **Edit active directory access**. Alternatively, select the package, then select **EDIT** in the **AD ACCESS** pane.
 
-    1.  Open the App-V Management console.
+2. Select the group you want to remove, then select **DELETE**.
 
-    2.  To display the **AD ACCESS** page, right-click the package to be configured, and select **Edit active directory access**. Alternatively, select the package and click **EDIT** in the **AD ACCESS** pane.
-
-2.  Select the group you want to remove, and click **DELETE**.
-
-3.  To close the **AD ACCESS** page, click **Close**.
+3. Select **Close**.
 
 ## Have a suggestion for App-V?
 
-Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).<br>For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
+Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
 
 ## Related topics
 
-[Operations for App-V](appv-operations.md)
+* [Operations for App-V](appv-operations.md)

From c763226d7779d7c9452a8b6611e0a731e6a067e6 Mon Sep 17 00:00:00 2001
From: Peter Lewis <peter@peterlew.is>
Date: Tue, 12 Jun 2018 12:01:16 +0100
Subject: [PATCH 026/102] Fix spelling mistake

Corrected 'ois' to 'is'
---
 devices/surface-hub/manage-windows-updates-for-surface-hub.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/devices/surface-hub/manage-windows-updates-for-surface-hub.md b/devices/surface-hub/manage-windows-updates-for-surface-hub.md
index c769840d86..a01bbdbab3 100644
--- a/devices/surface-hub/manage-windows-updates-for-surface-hub.md
+++ b/devices/surface-hub/manage-windows-updates-for-surface-hub.md
@@ -44,7 +44,7 @@ Microsoft publishes two types of Surface Hub releases broadly on an ongoing basi
 
 In order to improve release quality and simplify deployments, all new releases that Microsoft publishes for Windows 10, including Surface Hub, will be cumulative. This means new feature updates and quality updates will contain the payloads of all previous releases (in an optimized form to reduce storage and networking requirements), and installing the release on a device will bring it completely up to date. Also, unlike earlier versions of Windows, you cannot install a subset of the contents of a Windows 10 quality update. For example, if a quality update contains fixes for three security vulnerabilities and one reliability issue, deploying the update will result in the installation of all four fixes.
 
-The Surface Hub operating system receives updates on the [Semi-Annual Channel](https://docs.microsoft.com/windows/deployment/update/waas-overview#naming-changes). Like other editions of Windows 10, the servicing lifetime ois finite. You must install new feature updates on machines running these branches in order to continue receiving quality updates.
+The Surface Hub operating system receives updates on the [Semi-Annual Channel](https://docs.microsoft.com/windows/deployment/update/waas-overview#naming-changes). Like other editions of Windows 10, the servicing lifetime is finite. You must install new feature updates on machines running these branches in order to continue receiving quality updates.
 
 For more information on Windows as a Service, see [Overview of Windows as a service](https://technet.microsoft.com/itpro/windows/manage/waas-overview).
 

From f762fd133f9936e4f6aafadca5b82cc089fdf059 Mon Sep 17 00:00:00 2001
From: Patti Short <patti.short@microsoft.com>
Date: Tue, 12 Jun 2018 06:14:26 -0700
Subject: [PATCH 027/102] changed the GP path to the policy

---
 browsers/edge/emie-to-improve-compatibility.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/browsers/edge/emie-to-improve-compatibility.md b/browsers/edge/emie-to-improve-compatibility.md
index fc8a612b80..b6c34c4968 100644
--- a/browsers/edge/emie-to-improve-compatibility.md
+++ b/browsers/edge/emie-to-improve-compatibility.md
@@ -43,14 +43,14 @@ Microsoft Edge doesn't support ActiveX controls, Browser Helper Objects, VBScrip
 
 ### Set up Microsoft Edge to use the Enterprise Mode site list
 
-You must turn on the **Use Enterprise Mode Site List** Group Policy setting before Microsoft Edge can use the Enterprise Mode site list. This Group Policy applies to both Microsoft Edge and IE11, letting Microsoft Edge switch to IE11 as needed, based on the Enterprise Mode site list. For more info about IE11 and Enterprise Mode, see [Enterprise Mode for Internet Explorer 11 (IE11)](https://go.microsoft.com/fwlink/p/?linkid=618377).
+You must turn on the **Configure the Enterprise Mode Site List** Group Policy setting before Microsoft Edge can use the Enterprise Mode site list. This Group Policy applies to both Microsoft Edge and IE11, letting Microsoft Edge switch to IE11 as needed, based on the Enterprise Mode site list. For more info about IE11 and Enterprise Mode, see [Enterprise Mode for Internet Explorer 11 (IE11)](https://go.microsoft.com/fwlink/p/?linkid=618377).
 
 > **Note**<br>
 > If there’s an .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server file has a different version number than the version in the cache container, the server file is used and stored in the cache container.<p>If you’re already using a site list, enterprise mode continues to work during the 65 second wait; it just uses your existing site list instead of your new one.
 
 **To turn on Enterprise Mode using Group Policy**
 
-1.  Open your Group Policy editor and go to the **Administrative Templates\\Windows Components\\Microsoft Edge\\Allows you to configure the Enterprise Mode Site list** setting.<p>Turning this setting on also requires you to create and store a site list.<p>![Local Group Policy Editor for using a site list](images/edge-emie-grouppolicysitelist.png)
+1.  Open your Group Policy editor and go to the **Administrative Templates\\Windows Components\\Microsoft Edge\\Configure the Enterprise Mode Site List** policy.<p>Turning this setting on also requires you to create and store a site list.<p>![Local Group Policy Editor for using a site list](images/edge-emie-grouppolicysitelist.png)
 
 2.  Click **Enabled**, and then in the **Options** area, type the location to your site list.
 

From 96c9a3a425f765ffd432d28053dca331103a068d Mon Sep 17 00:00:00 2001
From: Jeanie Decker <jdecker@microsoft.com>
Date: Tue, 12 Jun 2018 13:45:04 +0000
Subject: [PATCH 028/102] Merged PR 8996: fix broken link for Surface Hub
 download

---
 devices/surface-hub/surface-hub-downloads.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/devices/surface-hub/surface-hub-downloads.md b/devices/surface-hub/surface-hub-downloads.md
index 257bc6b58b..8ddafa924a 100644
--- a/devices/surface-hub/surface-hub-downloads.md
+++ b/devices/surface-hub/surface-hub-downloads.md
@@ -18,7 +18,7 @@ This topic provides links to useful Surface Hub documents, such as product datas
 | --- | --- |
 | [Surface Hub Site Readiness Guide (PDF)](http://download.microsoft.com/download/3/8/8/3883E991-DFDB-4E70-8D28-20B26045FC5B/Surface-Hub-Site-Readiness-Guide_EN.pdf)  | Make sure your site is ready for Surface Hub, including structural and power requirements, and get technical specs for Surface Hub. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/27/aa/27aa7dd7-7cb7-40ea-9bd6-c7de0795f68c.mov?n=04.07.16_installation_video_01_site_readiness.mov)  |
 | [Surface Hub Setup Guide (English, French, Spanish) (PDF)](http://download.microsoft.com/download/0/1/6/016363A4-8602-4F01-8281-9BE5C814DC78/Setup-Guide_EN-FR-SP.pdf) | Get a quick overview of how to set up the environment for your new Surface Hub. |
-| [Surface Hub Quick Reference Guide (PDF)](http://download.microsoft.com/download/9/E/E/9EE660F8-3FC6-4909-969E-89EA648F06DB/Surface Hub Quick Reference Guide_en-us.pdf)  | Use this quick reference guide to get information about key features and functions of the Surface Hub. |
+| [Surface Hub Quick Reference Guide (PDF)](http://download.microsoft.com/download/9/E/E/9EE660F8-3FC6-4909-969E-89EA648F06DB/Surface%20Hub%20Quick%20Reference%20Guide_en-us.pdf)  | Use this quick reference guide to get information about key features and functions of the Surface Hub. |
 | [Surface Hub User Guide (PDF)](http://download.microsoft.com/download/3/6/B/36B6331E-0C63-4E71-A05D-EE88D05081F8/surface-hub-user-guide-en-us.pdf) | Learn how to use Surface Hub in scheduled or ad-hoc meetings. Invite remote participants, use the built-in tools, save data from your meeting, and more. |
 | [Surface Hub Replacement PC Drivers](https://www.microsoft.com/download/details.aspx?id=52210) | The Surface Hub Replacement PC driver set is available for those customers who have chosen to disable the Surface Hub’s internal PC and use an external computer with their 84” or 55” Surface Hub. This download is meant to be used with the Surface Hub Admin Guide , which contains further details on configuring a Surface Hub Replacement PC.  |
 | [Surface Hub SSD Replacement Guide (PDF)](http://download.microsoft.com/download/1/F/2/1F202254-7156-459F-ABD2-39CF903A25DE/surface-hub-ssd-replacement-guide_en-us.pdf) | Learn how to replace the solid state drive (SSD) for the 55- and 84-inch Surface Hub. |

From 0b0dedb2b287abddf0ba8ddc7d423e3e39d94522 Mon Sep 17 00:00:00 2001
From: Justin Hall <Justinha@microsoft.com>
Date: Tue, 12 Jun 2018 10:19:28 -0700
Subject: [PATCH 029/102] added links to how to set startup auth

---
 .../information-protection/bitlocker/bitlocker-security-faq.md  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/information-protection/bitlocker/bitlocker-security-faq.md b/windows/security/information-protection/bitlocker/bitlocker-security-faq.md
index db335bddd1..a1988d5ced 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-security-faq.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-security-faq.md
@@ -27,7 +27,7 @@ The recommended practice for BitLocker configuration on an operating system driv
 
 ## What are the implications of using the sleep or hibernate power management options?
 
-BitLocker on operating system drives in its basic configuration (with a TPM but without advanced authentication) provides additional security for the hibernate mode. However, BitLocker provides greater security when it is configured to use an advanced authentication mode (TPM+PIN, TPM+USB, or TPM+PIN+USB) with the hibernate mode. This method is more secure because returning from hibernation requires BitLocker authentication. As a best practice, we recommend that sleep mode be disabled and that you use TPM+PIN for the authentication method.
+BitLocker on operating system drives in its basic configuration (with a TPM but without advanced authentication) provides additional security for the hibernate mode. However, BitLocker provides greater security when it is configured to use an advanced authentication mode (TPM+PIN, TPM+USB, or TPM+PIN+USB) with the hibernate mode. This method is more secure because returning from hibernation requires authentication. As a best practice, we recommend that sleep mode be disabled and that you use TPM+PIN for the authentication method. Startup authentication can be configured by using [Group Policy](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#a-href-idbkmk-unlockpol1arequire-additional-authentication-at-startup) or Mobile Device Management with the [Bitlocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp). 
 
 ## What are the advantages of a TPM?
 

From 691fcc8adcef630ede24ab5336814e0586e0a4ba Mon Sep 17 00:00:00 2001
From: jaimeo <jaimeo@microsoft.com>
Date: Tue, 12 Jun 2018 10:23:42 -0700
Subject: [PATCH 030/102] first pass fixing links to dead OMS marketing page

---
 .../update/device-health-get-started.md           | 13 ++++++++-----
 .../update/update-compliance-get-started.md       |  8 ++++++--
 .../upgrade/upgrade-readiness-get-started.md      | 15 +++++++++------
 .../upgrade/upgrade-readiness-requirements.md     | 14 +++++++-------
 4 files changed, 30 insertions(+), 20 deletions(-)

diff --git a/windows/deployment/update/device-health-get-started.md b/windows/deployment/update/device-health-get-started.md
index 81a57be6d4..5b3a7b3474 100644
--- a/windows/deployment/update/device-health-get-started.md
+++ b/windows/deployment/update/device-health-get-started.md
@@ -5,7 +5,7 @@ keywords: Device Health, oms, operations management suite, prerequisites, requir
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.date: 03/20/2018
+ms.date: 06/12/2018
 ms.pagetype: deploy
 author: jaimeo
 ms.author: jaimeo
@@ -24,13 +24,16 @@ Steps are provided in sections that follow the recommended setup process:
 
 
 
-## Add Device Health to Microsoft Operations Management Suite
+## Add Device Health to Microsoft Operations Management Suite or Azure Log Analytics
 
-Device Health is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premise and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/). 
+Device Health is offered as a solution in the Microsoft Operations Management Suite (OMS) and Azure Log Analytics, a collection of cloud-based servicing for monitoring and automating your on-premise and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/) or the Azure [Log Analytics overview](https://azure.microsoft.com/services/log-analytics/).
 
-**If you are already using Windows Analytics**, you should use the same Azure Log Analytics workspace you're already using. find Device Health in the Solutions Gallery. Select the **Device Health** tile in the gallery and then click **Add** on the solution's details page. Device Health is now visible in your workspace. While you're in the Solutions Gallery, you should consider installing the [Upgrade Readiness](../upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md)  and [Update Compliance](update-compliance-monitor.md) solutions as well, if you haven't already.
+**If you are already using Windows Analytics**, you should use the same Azure Log Analytics workspace you're already using. Find Device Health in the Solutions Gallery. Select the **Device Health** tile in the gallery and then click **Add** on the solution's details page. Device Health is now visible in your workspace. While you're in the Solutions Gallery, you should consider installing the [Upgrade Readiness](../upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md)  and [Update Compliance](update-compliance-monitor.md) solutions as well, if you haven't already.
 
-**If you are not yet using Windows Analytics or Azure Log Analytics**, use the following steps to subscribe:
+>[!NOTE]
+>If you are already using OMS, you can also follow [this link](https://portal.mms.microsoft.com/#Workspace/ipgallery/details/details/index?IPId=DeviceHealthProd) to go directly to the Device Health solution and add it to your workspace.
+
+**If you are not yet using Windows Analytics or Azure Log Analytics**, follow these steps to subscribe:
 
 1.	Go to [Operations Management Suite](https://www.microsoft.com/en-us/cloud-platform/operations-management-suite) on Microsoft.com and click **Sign in**.
    [![Operations Management Suite bar with sign-in button](images/uc-02a.png)](images/uc-02.png)
diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md
index 6cfecd1c73..9887546277 100644
--- a/windows/deployment/update/update-compliance-get-started.md
+++ b/windows/deployment/update/update-compliance-get-started.md
@@ -23,12 +23,16 @@ Steps are provided in sections that follow the recommended setup process:
 
 
 
-## Add Update Compliance to Microsoft Operations Management Suite
+## Add Update Compliance to Microsoft Operations Management Suite or Azure Log Analytics
 
-Update Compliance is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premise and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/). 
+Update Compliance is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premise and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/) or the Azure [Log Analytics overview](https://azure.microsoft.com/services/log-analytics/).
 
 If you are already using OMS, skip to step **6** to add Update Compliance to your workspace.
 
+>[!NOTE]
+>If you are already using OMS, you can also follow [this link](https://portal.mms.microsoft.com/#Workspace/ipgallery/details/details/index?IPId=WaaSUpdateInsights) to go directly to the Device Health solution and add it to your workspace.
+
+
 If you are not yet using OMS, use the following steps to subscribe to OMS Update Compliance:
 
 1.	Go to [Operations Management Suite](https://www.microsoft.com/en-us/cloud-platform/operations-management-suite) on Microsoft.com and click **Sign in**.   
diff --git a/windows/deployment/upgrade/upgrade-readiness-get-started.md b/windows/deployment/upgrade/upgrade-readiness-get-started.md
index e80d01d273..3ee8a1a528 100644
--- a/windows/deployment/upgrade/upgrade-readiness-get-started.md
+++ b/windows/deployment/upgrade/upgrade-readiness-get-started.md
@@ -8,7 +8,7 @@ ms.sitesec: library
 ms.pagetype: deploy
 author: jaimeo
 ms.author: jaimeo
-ms.date: 03/20/2018
+ms.date: 06/12/2018
 ms.localizationpriority: high
 ---
 
@@ -35,7 +35,7 @@ When you are ready to begin using Upgrade Readiness, perform the following steps
 
 To enable system, application, and driver data to be shared with Microsoft, you must configure user computers to send data. For information about what diagnostic data Microsoft collects and how that data is used and protected by Microsoft, see the following topics, refer to [Frequently asked questions and troubleshooting Windows Analytics](https://docs.microsoft.com/windows/deployment/update/windows-analytics-FAQ-troubleshooting), which discusses the issues and provides links to still more detailed information.
 
-## Add Upgrade Readiness to Operations Management Suite
+## Add Upgrade Readiness to Operations Management Suite or Azure Log Analytics
 
 Upgrade Readiness is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud based services for managing your on-premises and cloud environments. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/documentation/articles/operations-management-suite-overview/).
 
@@ -44,11 +44,14 @@ Upgrade Readiness is offered as a solution in the Microsoft Operations Managemen
 
 If you are already using OMS, you’ll find Upgrade Readiness in the Solutions Gallery. Select the **Upgrade Readiness** tile in the gallery and then click **Add** on the solution's details page. Upgrade Readiness is now visible in your workspace. While you have this dialog open, you should also consider adding the [Device Health](../update/device-health-monitor.md) and [Update Compliance](../update/update-compliance-monitor.md) solutions as well, if you haven't already. To do so, just select the check boxes for those solutions.
 
-If you are not using OMS:
+>[!NOTE]
+>If you are already using OMS, you can also follow [this link](https://portal.mms.microsoft.com/#Workspace/ipgallery/details/details/index?IPId=CompatibilityAssessment) to go directly to the Upgrade Readiness solution and add it to your workspace.
 
-1.  Go to the [Upgrade Readiness page on Microsoft.com](https://go.microsoft.com/fwlink/?LinkID=799190&clcid=0x409) and select **New Customers >** to start the process.
-2.  Sign in to Operations Management Suite (OMS). You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS.
-3.  Create a new OMS workspace. Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Select **Create**.
+If you are not using OMS or Azure Log Analytics:
+
+1.  Go to [Log Analytics](https://azure.microsoft.com/services/log-analytics/) on Microsoft.com and select **Start free** to start the setup process. During the process, you’ll create a workspace and add the Upgrade Readiness solution to it.
+2.  Sign in to Operations Management Suite (OMS or Azure Log Analytics You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS.
+3.  Create a new workspace. Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Select **Create**.
 4.  If your organization already has an Azure subscription, you can link it to your workspace. Note that you may need to request access from your organization’s Azure administrator.
 
     > If your organization does not have an Azure subscription, create a new one or select the default OMS Azure subscription from the list. Your workspace opens.
diff --git a/windows/deployment/upgrade/upgrade-readiness-requirements.md b/windows/deployment/upgrade/upgrade-readiness-requirements.md
index 21dfb741d1..538d13cb2a 100644
--- a/windows/deployment/upgrade/upgrade-readiness-requirements.md
+++ b/windows/deployment/upgrade/upgrade-readiness-requirements.md
@@ -5,7 +5,7 @@ keywords: windows analytics, oms, operations management suite, prerequisites, re
 ms.prod: w10
 author: jaimeo
 ms.author:
-ms.date: 03/15/2018
+ms.date: 06/12/2018
 ms.localizationpriority: high
 ---
 
@@ -32,19 +32,19 @@ See [Windows 10 Specifications](http://www.microsoft.com/en-US/windows/windows-1
 ### Windows 10
 
 Keeping Windows 10 up to date involves deploying a feature update, and Upgrade Readiness tools help you prepare and plan for these Windows updates.
-The latest cumulative updates must be installed on Windows 10 computers to make sure that the required compatibility updates are installed.  You can find the latest cumulative update on the [Microsoft Update Catalog](https://catalog.update.microsoft.com). 
+The latest cumulative updates must be installed on Windows 10 computers to make sure that the required compatibility updates are installed. You can find the latest cumulative update on the [Microsoft Update Catalog](https://catalog.update.microsoft.com). 
 
 While Upgrade Readiness can be used to assist with updating devices from Windows 10 Long-Term Servicing Channel (LTSC) to Windows 10 Semi-Annual Channel, Upgrade Readiness does not support updates to Windows 10 LTSC. The Long-Term Servicing Channel of Windows 10 is not intended for general deployment, and does not receive feature updates, therefore it is not a supported target with Upgrade Readiness. See [Windows as a service overview](../update/waas-overview.md#long-term-servicing-channel) to understand more about LTSC.
 
-## Operations Management Suite
+## Operations Management Suite or Azure Log Analytics
 
-Upgrade Readiness is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud based services for managing on premise and cloud computing environments. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/).
+Upgrade Readiness is offered as a solution in Microsoft Operations Management Suite (OMS) and Azure Log Analytics, a collection of cloud based services for managing on premise and cloud computing environments. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/) or the Azure [Log Analytics overview](https://azure.microsoft.com/services/log-analytics/).
 
-If you’re already using OMS, you’ll find Upgrade Readiness in the Solutions Gallery. Click the Upgrade Readiness tile in the gallery and then click Add on the solution’s details page. Upgrade Readiness is now visible in your workspace.
+If you’re already using OMS or Azure Log Analytics, you’ll find Upgrade Readiness in the Solutions Gallery. Click the **Upgrade Readiness** tile in the gallery and then click **Add** on the solution’s details page. Upgrade Readiness is now visible in your workspace. You can also 
 
-If you are not using OMS, go to the [Upgrade Readiness page](https://www.microsoft.com/en-us/windowsforbusiness/simplified-updates) on Microsoft.com and select **Sign up** to kick off the OMS onboarding process. During the onboarding process, you’ll create an OMS workspace and add the Upgrade Readiness solution to it.
+If you are not using OMS or Azure Log Analytics, go to [Log Analytics](https://azure.microsoft.com/services/log-analytics/) on Microsoft.com and select **Start free** to start the setup process. During the process, you’ll create a workspace and add the Upgrade Readiness solution to it.
 
-Important: You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory, use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS. You also need an Azure subscription to link to your OMS workspace.  The account you used to create the workspace must have administrator permissions on the Azure subscription in order to link the workspace to the Azure account.  Once the link has been established, you can revoke the administrator permissions.
+>[!IMPORTANT] You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory, use a Work >or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS. You also need an Azure subscription to link to your OMS workspace. The account you used to create the workspace must have administrator permissions on the Azure subscription in order to link the workspace to the Azure account. Once the link has been established, you can revoke the administrator permissions.
 
 ## System Center Configuration Manager integration
 

From ff9f493205532351390043b00a4859451d2f2bbf Mon Sep 17 00:00:00 2001
From: Justin Hall <Justinha@microsoft.com>
Date: Tue, 12 Jun 2018 10:24:27 -0700
Subject: [PATCH 031/102] added links to how to set startup auth

---
 .../bitlocker/bitlocker-security-faq.md                       | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/windows/security/information-protection/bitlocker/bitlocker-security-faq.md b/windows/security/information-protection/bitlocker/bitlocker-security-faq.md
index a1988d5ced..13ee71372a 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-security-faq.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-security-faq.md
@@ -8,7 +8,7 @@ ms.sitesec: library
 ms.pagetype: security
 localizationpriority: high
 author: brianlic-msft
-ms.date: 05/03/2018
+ms.date: 06/12/2018
 ---
 
 # BitLocker Security FAQ
@@ -27,7 +27,7 @@ The recommended practice for BitLocker configuration on an operating system driv
 
 ## What are the implications of using the sleep or hibernate power management options?
 
-BitLocker on operating system drives in its basic configuration (with a TPM but without advanced authentication) provides additional security for the hibernate mode. However, BitLocker provides greater security when it is configured to use an advanced authentication mode (TPM+PIN, TPM+USB, or TPM+PIN+USB) with the hibernate mode. This method is more secure because returning from hibernation requires authentication. As a best practice, we recommend that sleep mode be disabled and that you use TPM+PIN for the authentication method. Startup authentication can be configured by using [Group Policy](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#a-href-idbkmk-unlockpol1arequire-additional-authentication-at-startup) or Mobile Device Management with the [Bitlocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp). 
+BitLocker on operating system drives in its basic configuration (with a TPM but without additional startup authentication) provides additional security for the hibernate mode. However, BitLocker provides greater security when it is configured to use an additional startup authentication factor (TPM+PIN, TPM+USB, or TPM+PIN+USB) with the hibernate mode. This method is more secure because returning from hibernation requires authentication. For increased security, we recommend that sleep mode be disabled and that you use TPM+PIN for the authentication method. Startup authentication can be configured by using [Group Policy](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#a-href-idbkmk-unlockpol1arequire-additional-authentication-at-startup) or Mobile Device Management with the [Bitlocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp). 
 
 ## What are the advantages of a TPM?
 

From 49a75ea072dd6c8affa016687153e01b9e1c598a Mon Sep 17 00:00:00 2001
From: Heidi Lohr <helohr@microsoft.com>
Date: Tue, 12 Jun 2018 10:25:42 -0700
Subject: [PATCH 032/102] Cleaning up for pull request

Going to try something funky with that big table.
---
 ...ment-configuration-file-with-powershell.md |  14 +-
 ...user-configuration-file-with-powershell.md |  18 +-
 .../appv-auto-clean-unpublished-packages.md   |  16 +-
 .../app-v/appv-available-mdm-settings.md      | 202 +-----------------
 4 files changed, 23 insertions(+), 227 deletions(-)

diff --git a/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md b/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md
index 42754ef837..a3958c5d49 100644
--- a/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md
+++ b/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md
@@ -6,7 +6,7 @@ ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.prod: w10
-ms.date: 04/19/2017
+ms.date: 06/12/2018
 ---
 # How to apply the deployment configuration file by using Windows PowerShell
 
@@ -20,12 +20,12 @@ The dynamic deployment configuration file is applied when a package is added or
 ## Apply the deployment configuration file with Windows PowerShell
 
 >[!NOTE]
->The following procedure is an example that uses the following two file paths for the package and configuration files:
+>The following example cmdlet uses the following two file paths for the package and configuration files:
     >
     >* C:\\Packages\\Contoso\\MyApp.appv
     >* C:\\Packages\\Contoso\\DynamicConfigurations\\deploymentconfig.xml
     >
->If your package and configuration file use different file paths than the example, feel free to replace them as needed.
+>If your package and configuration files use different file paths than the example, feel free to replace them as needed.
 
 To specify a new default set of configurations for all users who will run the package on a specific computer, in a Windows PowerShell console, enter the following cmdlet:
 
@@ -35,10 +35,10 @@ Add-AppVClientPackage -Path C:\Packages\Contoso\MyApp.appv -DynamicDeploymentCon
 
 >[!NOTE]
 >This command captures the resulting object into $pkg. If the package is already present on the computer, the **Set-AppVclientPackage** cmdlet can be used to apply the deployment configuration document:
-    >
-        ```PowerShell
-        Set-AppVClientPackage -Name Myapp -Path C:\Packages\Contoso\MyApp.appv -DynamicDeploymentConfiguration C:\Packages\Contoso\DynamicConfigurations\deploymentconfig.xml
-        ```
+
+    ```PowerShell
+    Set-AppVClientPackage -Name Myapp -Path C:\Packages\Contoso\MyApp.appv -DynamicDeploymentConfiguration C:\Packages\Contoso\DynamicConfigurations\deploymentconfig.xml
+    ```
 
 ## Have a suggestion for App-V?
 
diff --git a/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md b/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md
index 2632d17e87..c115854e06 100644
--- a/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md
+++ b/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md
@@ -1,12 +1,12 @@
 ---
-title: How to Apply the User Configuration File by Using Windows PowerShell (Windows 10)
-description: How to Apply the User Configuration File by Using Windows PowerShell
+title: How to apply the user configuration file by using Windows PowerShell (Windows 10)
+description: How to apply the user configuration file by using Windows PowerShell (Windows 10).
 author: MaggiePucciEvans
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.prod: w10
-ms.date: 04/19/2017
+ms.date: 06/12/2018
 ---
 # How to apply the user configuration file by using Windows PowerShell
 
@@ -14,22 +14,18 @@ ms.date: 04/19/2017
 
 The dynamic user configuration file is applied when a package is published to a specific user and determines how the package will run.
 
-Use the following procedure to specify a user-specific configuration file. The following procedure is based on the example:
-
-* C:\\Packages\\Contoso\\MyApp.appv
-
 ## Apply a user configuration file
 
-Use the following procedure to specify a user-specific configuration file.
+You can follow these steps to specify a user-specific configuration file:
 
 >[!NOTE]
 >The following procedure uses the following example file path for its package:
     >
     >* C:\\Packages\\Contoso\\MyApp.appv.
     >
->f your package file uses a different file path than the example, feel free to replace it.
+>f your package file uses a different file path than the example, feel free to replace it as needed.
 
-1. Enter the following cmdlet to add the package to the computer using the Windows PowerShell console:
+1. Enter the following cmdlet in Windows PowerShell to add the package to the computer:
 
     ```PowerShell
     Add-AppVClientPackage C:\Packages\Contoso\MyApp.appv
@@ -37,7 +33,7 @@ Use the following procedure to specify a user-specific configuration file.
 2. Enter the following cmdlet to publish the package to the user and specify the updated the dynamic user configuration file:
 
     ```PowerShell
-    Publish-AppVClientPackage $pkg -DynamicUserConfigurationPath c:\Packages\Contoso\config.xml
+    Publish-AppVClientPackage $pkg -DynamicUserConfigurationPath C:\Packages\Contoso\config.xml
     ```
 
 ## Have a suggestion for App-V?
diff --git a/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md b/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md
index 5292d2ed73..bb51d5cad8 100644
--- a/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md
+++ b/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md
@@ -1,18 +1,18 @@
 ---
-title: Automatically cleanup unpublished packages on the App-V client (Windows 10)
-description: How to automatically clean-up any unpublished packages on your App-V client devices.
+title: Automatically clean up unpublished packages on the App-V client (Windows 10)
+description: How to automatically clean up any unpublished packages on your App-V client devices.
 author: eross-msft
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.prod: w10
-ms.date: 04/19/2017
+ms.date: 06/12/2018
 ---
 # Automatically clean up unpublished packages on the App-V client
 
 >Applies to: Windows 10, version 1703
 
-Previous versions of App-V have required you to manually remove your unpublished packages from your client devices, to free up additional storage space. Windows 10, version 1703 introduces the ability to use PowerShell or Group Policy settings to automatically clean up your unpublished packages after a device restart.
+If you wanted to free up additional storage space in previous versions of App-V, you would have had to manually remove your unpublished packages from your client devices. Windows 10, version 1703 introduces the ability to use PowerShell or Group Policy settings to automatically clean up your unpublished packages after restarting your device.
 
 ## Clean up with PowerShell cmdlets
 
@@ -20,7 +20,7 @@ You can enter PowerShell cmdlets to turn on the **AutoCleanupEnabled** setting,
 
 ### Turn on the AutoCleanupEnabled option
 
-1. Open PowerShell as an admin and enter the following cmdlet to turn on the automatic package clean up functionality:
+1. Open PowerShell as an admin and enter the following cmdlet to turn on the automatic package cleanup functionality:
 
     ```PowerShell
     Set-AppvClientConfiguration -AutoCleanupEnabled 1
@@ -32,7 +32,7 @@ You can enter PowerShell cmdlets to turn on the **AutoCleanupEnabled** setting,
     |---|---|---|
     |AutoCleanupEnabled|1|False|
 
-2. Run the following cmdlet to make sure the configuration is ready to automatically clean up your packages.
+1. Run the following cmdlet to check if the configuration has the cleanup setting turned on.
 
     ```PowerShell
     Get-AppvClientConfiguration
@@ -41,9 +41,9 @@ You can enter PowerShell cmdlets to turn on the **AutoCleanupEnabled** setting,
 
 ## Clean up with Group Policy settings
 
-Using Group Policy, you can turn on the **Enable automatic clean up of unused App-V packages** setting to automatically clean up your unpublished App-V packages from your App-V client devices.
+Using Group Policy, you can turn on the **Enable automatic cleanup of unused App-V packages** setting to automatically clean up your unpublished App-V packages from your App-V client devices.
 
-### Turn on the Enable automatic clean up of unused App-V packages setting
+### Turn on the Enable automatic cleanup of unused App-V packages setting
 
 1. Open your Group Policy editor and select the **Administrative Templates\System\App-V\PackageManagement\Enable automatic cleanup of unused App-V packages** setting.
 
diff --git a/windows/application-management/app-v/appv-available-mdm-settings.md b/windows/application-management/app-v/appv-available-mdm-settings.md
index b6a44c1356..6c749e9884 100644
--- a/windows/application-management/app-v/appv-available-mdm-settings.md
+++ b/windows/application-management/app-v/appv-available-mdm-settings.md
@@ -28,204 +28,4 @@ With Windows 10, version 1703, you can configure, deploy, and manage your App-V
 |SyncStatusDescription|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/ LastSync/SyncStatusDescription|String|- **0**: App-V publishing is idle.<br>- **1**: App-V connection groups publish in progress.<br>- **2**: App-V packages (non-connection group) publish in progress.<br>- **3**: App-V packages (connection group) publish in progress.<br>- **4**: App-V packages unpublish in progress.|
 |SyncProgress|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/LastSync/SyncProgress|String|- **0**: App-V Sync is idle.<br>- **1**: App-V Sync is initializing.<br>- **2**: App-V Sync is in progress.<br>- **3**: App-V Sync is complete.<br>- **4**: App-V Sync requires device reboot.|
 |PublishXML|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXML|String|Custom value, entered by admin.|
-|Policy|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVDynamicPolicy/ configurationid/Policy|String|Custom value, entered by admin.|
-
-
-<table>
-    <tr>
-        <th>Policy name</th>
-        <th>Supported versions</th>
-        <th>Details</th>
-    </tr>
-    <tr>
-        <td>Name</td>
-        <td>Windows 10, version 1703</td>
-        <td>
-            <ul>
-                <li><strong>URI full path.</strong> ./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<em>&lt;enterprise_id&gt;</em>/<em>&lt;package_family_name&gt;</em>/<em>&lt;package_full_name&gt;</em>/Name</li>
-                <li><strong>Data type.</strong> String</li>
-                <li><strong>Value.</strong> Read-only data, provided by your App-V packages.</li>
-            </ul>
-        </td>
-    </tr>
-    <tr>
-        <td>Version</td>
-        <td>Windows 10, version 1703</td>
-        <td>
-            <ul>
-                <li><strong>URI full path.</strong> ./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<em>&lt;enterprise_id&gt;</em>/<em>&lt;package_family_name&gt;</em>/<em>&lt;package_full_name&gt;</em>/Version</li>
-                <li><strong>Data type.</strong> String</li>
-                <li><strong>Value.</strong> Read-only data, provided by your App-V packages.</li>
-            </ul>
-        </td>
-    </tr>
-    <tr>
-        <td>Publisher</td>
-        <td>Windows 10, version 1703</td>
-        <td>
-            <ul>
-                <li><strong>URI full path.</strong> ./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<em>&lt;enterprise_id&gt;</em>/<em>&lt;package_family_name&gt;</em>/<em>&lt;package_full_name&gt;</em>/Publisher</li>
-                <li><strong>Data type.</strong> String</li>
-                <li><strong>Value.</strong> Read-only data, provided by your App-V packages.</li>
-            </ul>
-        </td>
-    </tr>
-    <tr>
-        <td>InstallLocation</td>
-        <td>Windows 10, version 1703</td>
-        <td>
-            <ul>
-                <li><strong>URI full path.</strong> ./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<em>&lt;enterprise_id&gt;</em>/<em>&lt;package_family_name&gt;</em>/<em>&lt;package_full_name&gt;</em>/InstallLocation</li>
-                <li><strong>Data type.</strong> String</li>
-                <li><strong>Value.</strong> Read-only data, provided by your App-V packages.</li>
-            </ul>
-        </td>
-    </tr>
-    <tr>
-        <td>InstallDate</td>
-        <td>Windows 10, version 1703</td>
-        <td>
-            <ul>
-                <li><strong>URI full path.</strong> ./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<em>&lt;enterprise_id&gt;</em>/<em>&lt;package_family_name&gt;</em>/<em>&lt;package_full_name&gt;</em>/InstallDate</li>
-                <li><strong>Data type.</strong> String</li>
-                <li><strong>Value.</strong> Read-only data, provided by your App-V packages.</li>
-            </ul>
-        </td>
-    </tr>
-    <tr>
-        <td>Users</td>
-        <td>Windows 10, version 1703</td>
-        <td>
-            <ul>
-                <li><strong>URI full path.</strong> ./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<em>&lt;enterprise_id&gt;</em>/<em>&lt;package_family_name&gt;</em>/<em>&lt;package_full_name&gt;</em>/Users</li>
-                <li><strong>Data type.</strong> String</li>
-                <li><strong>Value.</strong> Read-only data, provided by your App-V packages.</li>
-            </ul>
-        </td>
-    </tr>
-    <tr>
-        <td>AppVPackageID</td>
-        <td>Windows 10, version 1703</td>
-        <td>
-            <ul>
-                <li><strong>URI full path.</strong> ./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<em>&lt;enterprise_id&gt;</em>/<em>&lt;package_family_name&gt;</em>/<em>&lt;package_full_name&gt;</em>/AppVPackageID</li>
-                <li><strong>Data type.</strong> String</li>
-                <li><strong>Value.</strong> Read-only data, provided by your App-V packages.</li>
-            </ul>
-        </td>
-    </tr>
-    <tr>
-        <td>AppVVersionID</td>
-        <td>Windows 10, version 1703</td>
-        <td>
-            <ul>
-                <li><strong>URI full path.</strong> ./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<em>&lt;enterprise_id&gt;</em>/<em>&lt;package_family_name&gt;</em>/<em>&lt;package_full_name&gt;</em>/AppVVersionID</li>
-                <li><strong>Data type.</strong> String</li>
-                <li><strong>Value.</strong> Read-only data, provided by your App-V packages.</li>
-            </ul>
-        </td>
-    </tr>
-    <tr>
-        <td>AppVPackageUri</td>
-        <td>Windows 10, version 1703</td>
-        <td>
-            <ul>
-                <li><strong>URI full path.</strong> ./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<em>&lt;enterprise_id&gt;</em>/<em>&lt;package_family_name&gt;</em>/<em>&lt;package_full_name&gt;</em>/AppVPackageUri</li>
-                <li><strong>Data type.</strong> String</li>
-                <li><strong>Value.</strong> Read-only data, provided by your App-V packages.</li>
-            </ul>
-        </td>
-    </tr>
-    <tr>
-        <td>LastError</td>
-        <td>Windows 10, version 1703</td>
-        <td>
-            <ul>
-                <li><strong>URI full path.</strong> ./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/LastSync/LastError</li>
-                <li><strong>Data type.</strong> String</li>
-                <li><strong>Value.</strong> Read-only data, provided by your App-V client.</li>
-            </ul>
-        </td>
-    </tr>
-    <tr>
-        <td>LastErrorDescription</td>
-        <td>Windows 10, version 1703</td>
-        <td>
-            <ul>
-                <li><strong>URI full path.</strong> ./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/LastSync/LastErrorDescription</li>
-                <li><strong>Data type.</strong> String</li>
-                <li><strong>Values.</strong>
-                    <ul>
-                        <li><strong>0.</strong> No errors returned during publish.</li>
-                        <li><strong>1.</strong> Unpublish groups failed during publish.</li>
-                        <li><strong>2.</strong> Publish no-group packages failed during publish.</li>
-                        <li><strong>3.</strong> Publish group packages failed during publish.</li>
-                        <li><strong>4.</strong> Unpublish packages failed during publish.</li>
-                        <li><strong>5.</strong> New policy write failed during publish.</li>
-                        <li><strong>6.</strong> Multiple non-fatal errors occurred during publish.</li>
-                    </ul>
-                </li>
-            </ul>                                                                                                                     
-        </td>
-    </tr>
-    <tr>
-        <td>SyncStatusDescription</td>
-        <td>Windows 10, version 1703</td>
-        <td>
-            <ul>
-                <li><strong>URI full path.</strong> ./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/LastSync/SyncStatusDescription</li>
-                <li><strong>Data type.</strong> String</li>
-                <li><strong>Values.</strong>
-                    <ul>
-                        <li><strong>0.</strong> App-V publishing is idle.</li>
-                        <li><strong>1.</strong> App-V connection groups publish in progress.</li>
-                        <li><strong>2.</strong> App-V packages (non-connection group) publish in progress.</li>
-                        <li><strong>3.</strong> App-V packages (connection group) publish in progress.</li>
-                        <li><strong>4.</strong> App-V packages unpublish in progress.</li>
-                    </ul>
-                </li>
-            </ul>                                                                                             
-        </td>
-    </tr>
-    <tr>
-        <td>SyncProgress</td>
-        <td>Windows 10, version 1703</td>
-        <td>
-            <ul>
-                <li><strong>URI full path.</strong> ./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/LastSync/SyncProgress</li>
-                <li><strong>Data type.</strong> String</li>
-                <li><strong>Values.</strong>
-                    <ul>
-                        <li><strong>0.</strong> App-V Sync is idle.</li>
-                        <li><strong>1.</strong> App-V Sync is initializing.</li>
-                        <li><strong>2.</strong> App-V Sync is in progress.</li>
-                        <li><strong>3.</strong> App-V Sync is complete.</li>
-                        <li><strong>4.</strong> App-V Sync requires device reboot.</li>
-                    </ul>
-                </li>
-            </ul>                                                                                    
-        </td>
-    </tr>
-    <tr>
-        <td>PublishXML</td>
-        <td>Windows 10, version 1703</td>
-        <td>
-            <ul>
-                <li><strong>URI full path.</strong> ./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXML</li>
-                <li><strong>Data type.</strong> String</li>
-                <li><strong>Value.</strong> Custom value, entered by admin.</li>
-            </ul>
-        </td>
-    </tr>
-    <tr>
-        <td>Policy</td>
-        <td>Windows 10, version 1703</td>
-        <td>
-            <ul>
-                <li><strong>URI full path.</strong> ./Vendor/MSFT/EnterpriseAppVManagement/AppVDynamicPolicy/configurationid/Policy</li>
-                <li><strong>Data type.</strong> String</li>
-                <li><strong>Value.</strong> Custom value, entered by admin.</li>
-            </ul>
-        </td>
-    </tr>
-</table>
\ No newline at end of file
+|Policy|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVDynamicPolicy/ configurationid/Policy|String|Custom value, entered by admin.|
\ No newline at end of file

From 274ecc83c3c8159d5ab5c48dcd920bdfe64b0ac0 Mon Sep 17 00:00:00 2001
From: Justin Hall <Justinha@microsoft.com>
Date: Tue, 12 Jun 2018 10:26:33 -0700
Subject: [PATCH 033/102] added links to how to set startup auth

---
 .../information-protection/bitlocker/bitlocker-security-faq.md  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/information-protection/bitlocker/bitlocker-security-faq.md b/windows/security/information-protection/bitlocker/bitlocker-security-faq.md
index 13ee71372a..6aac433261 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-security-faq.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-security-faq.md
@@ -27,7 +27,7 @@ The recommended practice for BitLocker configuration on an operating system driv
 
 ## What are the implications of using the sleep or hibernate power management options?
 
-BitLocker on operating system drives in its basic configuration (with a TPM but without additional startup authentication) provides additional security for the hibernate mode. However, BitLocker provides greater security when it is configured to use an additional startup authentication factor (TPM+PIN, TPM+USB, or TPM+PIN+USB) with the hibernate mode. This method is more secure because returning from hibernation requires authentication. For increased security, we recommend that sleep mode be disabled and that you use TPM+PIN for the authentication method. Startup authentication can be configured by using [Group Policy](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#a-href-idbkmk-unlockpol1arequire-additional-authentication-at-startup) or Mobile Device Management with the [Bitlocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp). 
+BitLocker on operating system drives in its basic configuration (with a TPM but without additional startup authentication) provides additional security for the hibernate mode. However, BitLocker provides greater security when it is configured to use an additional startup authentication factor (TPM+PIN, TPM+USB, or TPM+PIN+USB) with the hibernate mode. This method is more secure because returning from hibernation requires authentication. For improved security, we recommend that sleep mode be disabled and that you use TPM+PIN for the authentication method. Startup authentication can be configured by using [Group Policy](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#a-href-idbkmk-unlockpol1arequire-additional-authentication-at-startup) or Mobile Device Management with the [Bitlocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp). 
 
 ## What are the advantages of a TPM?
 

From 4d22e79913ec5ec7a2b975c554a71af6815f5a20 Mon Sep 17 00:00:00 2001
From: Heidi Lohr <helohr@microsoft.com>
Date: Tue, 12 Jun 2018 10:37:48 -0700
Subject: [PATCH 034/102] Attempted spacing fix for middle column

---
 .../app-v/appv-available-mdm-settings.md      | 30 +++++++++----------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/windows/application-management/app-v/appv-available-mdm-settings.md b/windows/application-management/app-v/appv-available-mdm-settings.md
index 6c749e9884..b53a68364c 100644
--- a/windows/application-management/app-v/appv-available-mdm-settings.md
+++ b/windows/application-management/app-v/appv-available-mdm-settings.md
@@ -14,18 +14,18 @@ With Windows 10, version 1703, you can configure, deploy, and manage your App-V
 
 |Policy name|Supported versions|URI full path|Data type|Values|
 |---|---|---|---|---|
-|Name|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/ <enterprise_id>/<package_family_name>/<package_full_name>/Name|String|Read-only data, provided by your App-V packages.|
-|Version|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/ <enterprise_id>/<package_family_name>/<package_full_name>/Version|String|Read-only data, provided by your App-V packages.|
-|Publisher|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/ <enterprise_id>/<package_family_name>/<package_full_name>/Publisher|String|Read-only data, provided by your App-V packages.|
-|InstallLocation|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/ <enterprise_id>/<package_family_name>/<package_full_name>/InstallLocation|String|Read-only data, provided by your App-V packages.|
-|InstallDate|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/ <enterprise_id>/<package_family_name>/<package_full_name>/InstallDate|String|Read-only data, provided by your App-V packages.|
-|Users|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/ <enterprise_id>/<package_family_name>/<package_full_name>/Users|String|Read-only data, provided by your App-V packages.|
-|AppVPackageID|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/ <enterprise_id>/<package_family_name>/<package_full_name>/AppVPackageID|String|Read-only data, provided by your App-V packages.|
-|AppVVersionID|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/ <enterprise_id>/<package_family_name>/<package_full_name>/AppVVersionID|String|Read-only data, provided by your App-V packages.|
-|AppVPackageUri|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/ <enterprise_id>/<package_family_name>/<package_full_name>/AppVPackageUri|String|Read-only data, provided by your App-V packages.|
-|LastError|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/ LastSync/LastError|String|Read-only data, provided by your App-V packages.|
-|LastErrorDescription|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/ LastSync/LastErrorDescription|String|- **0**: No errors returned during publish.<br>- **1**: Unpublish groups failed during publish.<br>- **2**: Publish no-group packages failed during publish.<br>- **3**: Publish group packages failed during publish.<br>- **4**: Unpublish packages failed during publish.<br>- **5**: New policy write failed during publish.<br>- **6**: Multiple non-fatal errors occurred during publish.|
-|SyncStatusDescription|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/ LastSync/SyncStatusDescription|String|- **0**: App-V publishing is idle.<br>- **1**: App-V connection groups publish in progress.<br>- **2**: App-V packages (non-connection group) publish in progress.<br>- **3**: App-V packages (connection group) publish in progress.<br>- **4**: App-V packages unpublish in progress.|
-|SyncProgress|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/LastSync/SyncProgress|String|- **0**: App-V Sync is idle.<br>- **1**: App-V Sync is initializing.<br>- **2**: App-V Sync is in progress.<br>- **3**: App-V Sync is complete.<br>- **4**: App-V Sync requires device reboot.|
-|PublishXML|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXML|String|Custom value, entered by admin.|
-|Policy|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/AppVDynamicPolicy/ configurationid/Policy|String|Custom value, entered by admin.|
\ No newline at end of file
+|Name|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement/<enterprise_id>/ <package_family_name>/<package_full_name>/Name|String|Read-only data, provided by your App-V packages.|
+|Version|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement/<enterprise_id>/ <package_family_name>/<package_full_name>/Version|String|Read-only data, provided by your App-V packages.|
+|Publisher|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement/<enterprise_id>/ <package_family_name>/<package_full_name>/Publisher|String|Read-only data, provided by your App-V packages.|
+|InstallLocation|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement/<enterprise_id>/ <package_family_name>/<package_full_name>/InstallLocation|String|Read-only data, provided by your App-V packages.|
+|InstallDate|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement/<enterprise_id>/ <package_family_name>/<package_full_name>/InstallDate|String|Read-only data, provided by your App-V packages.|
+|Users|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement/<enterprise_id>/ <package_family_name>/<package_full_name>/Users|String|Read-only data, provided by your App-V packages.|
+|AppVPackageID|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement/<enterprise_id>/ <package_family_name>/<package_full_name>/AppVPackageID|String|Read-only data, provided by your App-V packages.|
+|AppVVersionID|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement/<enterprise_id>/ <package_family_name>/<package_full_name>/AppVVersionID|String|Read-only data, provided by your App-V packages.|
+|AppVPackageUri|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement/<enterprise_id>/ <package_family_name>/<package_full_name>/AppVPackageUri|String|Read-only data, provided by your App-V packages.|
+|LastError|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/<br>AppVPublishing/LastSync/LastError|String|Read-only data, provided by your App-V packages.|
+|LastErrorDescription|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPublishing/LastSync/LastErrorDescription|String|- **0**: No errors returned during publish.<br>- **1**: Unpublish groups failed during publish.<br>- **2**: Publish no-group packages failed during publish.<br>- **3**: Publish group packages failed during publish.<br>- **4**: Unpublish packages failed during publish.<br>- **5**: New policy write failed during publish.<br>- **6**: Multiple non-fatal errors occurred during publish.|
+|SyncStatusDescription|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPublishing/LastSync/SyncStatusDescription|String|- **0**: App-V publishing is idle.<br>- **1**: App-V connection groups publish in progress.<br>- **2**: App-V packages (non-connection group) publish in progress.<br>- **3**: App-V packages (connection group) publish in progress.<br>- **4**: App-V packages unpublish in progress.|
+|SyncProgress|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPublishing/LastSync/SyncProgress|String|- **0**: App-V Sync is idle.<br>- **1**: App-V Sync is initializing.<br>- **2**: App-V Sync is in progress.<br>- **3**: App-V Sync is complete.<br>- **4**: App-V Sync requires device reboot.|
+|PublishXML|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPublishing/Sync/PublishXML|String|Custom value, entered by admin.|
+|Policy|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVDynamicPolicy/ configurationid/Policy|String|Custom value, entered by admin.|
\ No newline at end of file

From cdebda815d631819f1d4ac932d5c0c99abd2a3e4 Mon Sep 17 00:00:00 2001
From: Benjamin Howorth <v-behowo@microsoft.com>
Date: Tue, 12 Jun 2018 17:40:24 +0000
Subject: [PATCH 035/102] Updated inclusive-classroom-it-admin.md

---
 education/get-started/inclusive-classroom-it-admin.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/education/get-started/inclusive-classroom-it-admin.md b/education/get-started/inclusive-classroom-it-admin.md
index 6d3bb808df..bcff2649a4 100644
--- a/education/get-started/inclusive-classroom-it-admin.md
+++ b/education/get-started/inclusive-classroom-it-admin.md
@@ -16,7 +16,7 @@ ms.date: 03/18/2018
 
 |Reading features|Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R)  | Office 365 ProPlus Semi Annual (C2R)  | Office 365 ProPlus Annual (C2R)  | Office 365 Web  | Office Mac  | Office iPad  |
 |---|---|---|---|---|---|---|---|---|---|
-| Read aloud with simultaneous highlighting | <ul><li>OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac</li><li>Word 2016, Word Online, Word Mac, Word for iOS</li><li>Outlook 2016, Outlook Web Access</li><li>Office Lens on iOS</li></ul>  |  | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p>  |   | <p style="text-align: center;">X</p>  |   | |
+| Read aloud with simultaneous highlighting | OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac <br/>Word 2016, Word Online, Word Mac, Word for iOS <br/>Outlook 2016, Outlook Web Access <br/>Office Lens on iOS  |  | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p>  |   | <p style="text-align: center;">X</p>  |   | |
 | Adjustable text spacing and font size  | <ul><li>OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac</li><li>Word 2016, Word Online, Word Mac, Word for iPad</li><li>Outlook Web Access</li><li>Office Lens on iOS</li></ul>  |   | <p style="text-align: center;">X</p>  |<p style="text-align: center;">X</p>   | <p style="text-align: center;">X</p>  |   | <p style="text-align: center;">X</p>  |   |   |
 | Syllabification  | <ul><li>OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac</li><li>Word Online</li><li>Outlook Web Access</li></ul>  |   | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p>  |   | <p style="text-align: center;">X</p>  |   |   |
 | Parts of speech identification  | <ul><li>OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac</li><li>Word 2016, Word Online, Word Mac, Word for iOS</li><li>Outlook 2016, Outlook Web Access</li><li>Office Lens on iOS</li></ul>  |   | <p style="text-align: center;">X</p>  |   |   |   | <p style="text-align: center;">X</p>  |   | <p style="text-align: center;">X</p>  |

From 73311e46a1db5125647ccfac28e05eb1b1b5b579 Mon Sep 17 00:00:00 2001
From: Benjamin Howorth <v-behowo@microsoft.com>
Date: Tue, 12 Jun 2018 17:46:51 +0000
Subject: [PATCH 036/102] Updated inclusive-classroom-it-admin.md, testing
 headings

---
 education/get-started/inclusive-classroom-it-admin.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/education/get-started/inclusive-classroom-it-admin.md b/education/get-started/inclusive-classroom-it-admin.md
index bcff2649a4..4ce644acdc 100644
--- a/education/get-started/inclusive-classroom-it-admin.md
+++ b/education/get-started/inclusive-classroom-it-admin.md
@@ -14,6 +14,9 @@ ms.author: alhughes
 ms.date: 03/18/2018
 ---
 
+# Inclusive Classroom IT Admin Guide
+
+## Inclusive Classroom features
 |Reading features|Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R)  | Office 365 ProPlus Semi Annual (C2R)  | Office 365 ProPlus Annual (C2R)  | Office 365 Web  | Office Mac  | Office iPad  |
 |---|---|---|---|---|---|---|---|---|---|
 | Read aloud with simultaneous highlighting | OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac <br/>Word 2016, Word Online, Word Mac, Word for iOS <br/>Outlook 2016, Outlook Web Access <br/>Office Lens on iOS  |  | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p>  |   | <p style="text-align: center;">X</p>  |   | |
@@ -45,7 +48,6 @@ ms.date: 03/18/2018
 | Ability to request accessible content  | <ul><li>Outlook Web Access</li></ul>  |   |   |   |   |   |   |   |   |
 </br>
 
-
 | Communication features   | Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R)  | Office 365 ProPlus Semi Annual (C2R)  | Office 365 ProPlus Annual (C2R)  | Office 365 Web  | Office Mac  | Office iPad  |
 |---|---|---|---|---|---|---|---|---|---|
 | Microsoft Translator  | <ul><li>Word 2016</li><li>Excel 2016</li><li>"Translator for Outlook" Add-in</li><li>PowerPoint 2016 (and PowerPoint Garage Add-in</li></ul>  | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p>  |   |   |   |

From 13238fcf3e90753450b81f1c31ca00d5833af540 Mon Sep 17 00:00:00 2001
From: Benjamin Howorth <v-behowo@microsoft.com>
Date: Tue, 12 Jun 2018 17:54:09 +0000
Subject: [PATCH 037/102] Updated inclusive-classroom-it-admin.md

---
 .../get-started/inclusive-classroom-it-admin.md    | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/education/get-started/inclusive-classroom-it-admin.md b/education/get-started/inclusive-classroom-it-admin.md
index 4ce644acdc..1367c70c95 100644
--- a/education/get-started/inclusive-classroom-it-admin.md
+++ b/education/get-started/inclusive-classroom-it-admin.md
@@ -17,14 +17,14 @@ ms.date: 03/18/2018
 # Inclusive Classroom IT Admin Guide
 
 ## Inclusive Classroom features
-|Reading features|Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R)  | Office 365 ProPlus Semi Annual (C2R)  | Office 365 ProPlus Annual (C2R)  | Office 365 Web  | Office Mac  | Office iPad  |
+|Reading features|Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R)  | Office 365 ProPlus Semi Annual (C2R)  | Office 365 ProPlus Annual (C2R)  |
 |---|---|---|---|---|---|---|---|---|---|
-| Read aloud with simultaneous highlighting | OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac <br/>Word 2016, Word Online, Word Mac, Word for iOS <br/>Outlook 2016, Outlook Web Access <br/>Office Lens on iOS  |  | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p>  |   | <p style="text-align: center;">X</p>  |   | |
-| Adjustable text spacing and font size  | <ul><li>OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac</li><li>Word 2016, Word Online, Word Mac, Word for iPad</li><li>Outlook Web Access</li><li>Office Lens on iOS</li></ul>  |   | <p style="text-align: center;">X</p>  |<p style="text-align: center;">X</p>   | <p style="text-align: center;">X</p>  |   | <p style="text-align: center;">X</p>  |   |   |
-| Syllabification  | <ul><li>OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac</li><li>Word Online</li><li>Outlook Web Access</li></ul>  |   | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p>  |   | <p style="text-align: center;">X</p>  |   |   |
-| Parts of speech identification  | <ul><li>OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac</li><li>Word 2016, Word Online, Word Mac, Word for iOS</li><li>Outlook 2016, Outlook Web Access</li><li>Office Lens on iOS</li></ul>  |   | <p style="text-align: center;">X</p>  |   |   |   | <p style="text-align: center;">X</p>  |   | <p style="text-align: center;">X</p>  |
-| Line focus mode  | <ul><li>OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac</li><li>Word 2016, Word Online, Word Mac, Word for iOS</li><li>Outlook 2016, Outlook Web Access</li><li>Office Lens on iOS</li></ul>  |   |   |   |   |   | <p style="text-align: center;">X</p>  |   |   |
-| Picture Dictionary  | <ul><li>OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac</li><li>Word 2016, Word Online, Word Mac, Word for iOS</li><li>Outlook 2016, Outlook Web Access</li><li>Office Lens on iOS</li></ul>  |   |   |   |   |   | <p style="text-align: center;">X</p>  |   | <p style="text-align: center;">X</p>  |
+| Read aloud with simultaneous highlighting | OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac <br/>Word 2016, Word Online, Word Mac, Word for iOS <br/>Outlook 2016, Outlook Web Access <br/>Office Lens on iOS  |  | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p>  |   | 
+| Adjustable text spacing and font size  | <ul><li>OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac</li><li>Word 2016, Word Online, Word Mac, Word for iPad</li><li>Outlook Web Access</li><li>Office Lens on iOS</li></ul>  |   | <p style="text-align: center;">X</p>  |<p style="text-align: center;">X</p>   | <p style="text-align: center;">X</p>  |   | 
+| Syllabification  | <ul><li>OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac</li><li>Word Online</li><li>Outlook Web Access</li></ul>  |   | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p>  |   | 
+| Parts of speech identification  | <ul><li>OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac</li><li>Word 2016, Word Online, Word Mac, Word for iOS</li><li>Outlook 2016, Outlook Web Access</li><li>Office Lens on iOS</li></ul>  |   | <p style="text-align: center;">X</p>  |   |   |   | 
+| Line focus mode  | <ul><li>OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac</li><li>Word 2016, Word Online, Word Mac, Word for iOS</li><li>Outlook 2016, Outlook Web Access</li><li>Office Lens on iOS</li></ul>  |   |   |   |   |   | 
+| Picture Dictionary  | <ul><li>OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac</li><li>Word 2016, Word Online, Word Mac, Word for iOS</li><li>Outlook 2016, Outlook Web Access</li><li>Office Lens on iOS</li></ul>  |   |   |   |   |   | 
 </br>
 
 | Writing and proofing features  | Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R)  | Office 365 ProPlus Semi Annual (C2R)  | Office 365 ProPlus Annual (C2R)  | Office 365 Web  | Office Mac  | Office iPad  |

From 0ecac91aae729a9c46418e51c7942cb834f959fc Mon Sep 17 00:00:00 2001
From: Heidi Lohr <helohr@microsoft.com>
Date: Tue, 12 Jun 2018 11:05:29 -0700
Subject: [PATCH 038/102] Cleanup

---
 ...ss-to-packages-with-the-management-console.md | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md b/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md
index 86ded03016..f9a3d2bb7e 100644
--- a/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md
@@ -6,7 +6,7 @@ ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.prod: w10
-ms.date: 04/19/2017
+ms.date: 06/12/2018
 ---
 # How to Configure Access to Packages by Using the Management Console
 
@@ -22,22 +22,22 @@ Use the following procedure to configure access to virtualized packages.
 
     1. Open the App-V Management console.
 
-    1. Right-click the package to be configured, then select **Edit active directory access** to display the **AD ACCESS** page. Alternatively, select the package and select **EDIT** in the **AD ACCESS** pane.
+    1. Right-click the package to be configured, then select **Edit active directory access** to display the **AD Access** page. Alternatively, select the package and select **Edit** in the **AD Access** pane.
 
 2. Provision a security group for the package:
 
-    1. Go to the **FIND VALID ACTIVE DIRECTORY NAMES AND GRANT ACCESS** page.
+    1. Go to the **Find valid Active Directory names and grant access** page.
 
     1. Using the format **mydomain** \\ **groupname**, enter the name or part of the name of an Active Directory group object, then select **Check**.
 
         >[!NOTE]  
         >Ensure that you provide an associated domain name for the group that you are searching for.
 
-3. Grant access to the package by first selecting the desired group, then selecting **Grant Access**. The newly added group is displayed in the **AD ENTITIES WITH ACCESS** pane.
+3. Grant access to the package by first selecting the desired group, then selecting **Grant Access**. The newly added group is displayed in the **AD entities with access** pane.
 
-4. Select **Close** to accept the default configuration settings and close the AD ACCESS page.
+4. Select **Close** to accept the default configuration settings and close the AD Access page.
 
-    To customize configurations for a specific group, select the **ASSIGNED CONFIGURATIONS** drop-down and select **Custom**. To make changes to your custom configurations, select **EDIT**. After you grant access, select **Close**.
+    To customize configurations for a specific group, select the **Assigned configurations** drop-down menu, then select **Custom**. To make changes to your custom configurations, select **Edit**. After you grant access, select **Close**.
 
 ## Remove access to an App-V package
 
@@ -45,9 +45,9 @@ Use the following procedure to configure access to virtualized packages.
 
     1. Open the App-V Management console.
 
-    1. To display the **AD ACCESS** page, right-click the package to be configured, then select **Edit active directory access**. Alternatively, select the package, then select **EDIT** in the **AD ACCESS** pane.
+    1. To display the **AD Access** page, right-click the package to be configured, then select **Edit active directory access**. Alternatively, select the package, then select **Edit** in the **AD Access** pane.
 
-2. Select the group you want to remove, then select **DELETE**.
+2. Select the group you want to remove, then select **Delete**.
 
 3. Select **Close**.
 

From c1e22d64cb659727e61d1f667154e46e5774a200 Mon Sep 17 00:00:00 2001
From: Heidi Lohr <helohr@microsoft.com>
Date: Tue, 12 Jun 2018 11:06:22 -0700
Subject: [PATCH 039/102] Spacing edit

---
 .../app-v/appv-available-mdm-settings.md                      | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/windows/application-management/app-v/appv-available-mdm-settings.md b/windows/application-management/app-v/appv-available-mdm-settings.md
index b53a68364c..4d0eaf7540 100644
--- a/windows/application-management/app-v/appv-available-mdm-settings.md
+++ b/windows/application-management/app-v/appv-available-mdm-settings.md
@@ -27,5 +27,5 @@ With Windows 10, version 1703, you can configure, deploy, and manage your App-V
 |LastErrorDescription|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPublishing/LastSync/LastErrorDescription|String|- **0**: No errors returned during publish.<br>- **1**: Unpublish groups failed during publish.<br>- **2**: Publish no-group packages failed during publish.<br>- **3**: Publish group packages failed during publish.<br>- **4**: Unpublish packages failed during publish.<br>- **5**: New policy write failed during publish.<br>- **6**: Multiple non-fatal errors occurred during publish.|
 |SyncStatusDescription|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPublishing/LastSync/SyncStatusDescription|String|- **0**: App-V publishing is idle.<br>- **1**: App-V connection groups publish in progress.<br>- **2**: App-V packages (non-connection group) publish in progress.<br>- **3**: App-V packages (connection group) publish in progress.<br>- **4**: App-V packages unpublish in progress.|
 |SyncProgress|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPublishing/LastSync/SyncProgress|String|- **0**: App-V Sync is idle.<br>- **1**: App-V Sync is initializing.<br>- **2**: App-V Sync is in progress.<br>- **3**: App-V Sync is complete.<br>- **4**: App-V Sync requires device reboot.|
-|PublishXML|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPublishing/Sync/PublishXML|String|Custom value, entered by admin.|
-|Policy|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVDynamicPolicy/ configurationid/Policy|String|Custom value, entered by admin.|
\ No newline at end of file
+|PublishXML|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/<br>AppVPublishing/Sync/PublishXML|String|Custom value, entered by admin.|
+|Policy|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVDynamicPolicy/<br>configurationid/Policy|String|Custom value, entered by admin.|
\ No newline at end of file

From b83f8f41c34bc5136e6e2a2678d355293f3affe3 Mon Sep 17 00:00:00 2001
From: "Andrea Bichsel (Aquent LLC)" <v-anbic@microsoft.com>
Date: Tue, 12 Jun 2018 11:26:02 -0700
Subject: [PATCH 040/102] Add new functionality for existing ASR rule.

---
 .../attack-surface-reduction-exploit-guard.md                 | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
index 5fcdb543ec..344fe9385a 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
@@ -11,7 +11,7 @@ ms.pagetype: security
 localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 05/30/2018
+ms.date: 06/12/2018
 ---
 
 
@@ -127,6 +127,8 @@ Office apps, such as Word or Excel, will not be allowed to create child processe
 
 This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables.
 
+In Windows 10, version 1803 and later, this rule also blocks suspicious apps from being launched through Outlook or Access. 
+
 ### Rule: Block Office applications from creating executable content
 
 This rule targets typical behaviors used by suspicious and malicious add-ons and scripts (extensions) that create or launch executable files. This is a typical malware technique.

From 9b80f217466ba7935adef9e180a6bf591f3f77ef Mon Sep 17 00:00:00 2001
From: "Andrea Bichsel (Aquent LLC)" <v-anbic@microsoft.com>
Date: Tue, 12 Jun 2018 11:47:21 -0700
Subject: [PATCH 041/102] Add reviewer changes.

---
 .../attack-surface-reduction-exploit-guard.md                 | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
index 344fe9385a..4085972ad5 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
@@ -123,12 +123,10 @@ This rule blocks the following file types from being run or launched from an ema
 
 ### Rule: Block Office applications from creating child processes
 
-Office apps, such as Word or Excel, will not be allowed to create child processes. 
+Office apps will not be allowed to create child processes. This includes Word, Excel, PowerPoint, OneNote, Outlook, and Access.
 
 This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables.
 
-In Windows 10, version 1803 and later, this rule also blocks suspicious apps from being launched through Outlook or Access. 
-
 ### Rule: Block Office applications from creating executable content
 
 This rule targets typical behaviors used by suspicious and malicious add-ons and scripts (extensions) that create or launch executable files. This is a typical malware technique.

From 3a2606394c93471343771cc38fcc355844beec6a Mon Sep 17 00:00:00 2001
From: Benjamin Howorth <v-behowo@microsoft.com>
Date: Tue, 12 Jun 2018 19:23:14 +0000
Subject: [PATCH 042/102] Updated inclusive-classroom-it-admin.md, fixed up the
 tables

---
 .../inclusive-classroom-it-admin.md           | 54 +++++++++----------
 1 file changed, 27 insertions(+), 27 deletions(-)

diff --git a/education/get-started/inclusive-classroom-it-admin.md b/education/get-started/inclusive-classroom-it-admin.md
index 1367c70c95..0deaac12fc 100644
--- a/education/get-started/inclusive-classroom-it-admin.md
+++ b/education/get-started/inclusive-classroom-it-admin.md
@@ -18,37 +18,37 @@ ms.date: 03/18/2018
 
 ## Inclusive Classroom features
 |Reading features|Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R)  | Office 365 ProPlus Semi Annual (C2R)  | Office 365 ProPlus Annual (C2R)  |
-|---|---|---|---|---|---|---|---|---|---|
-| Read aloud with simultaneous highlighting | OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac <br/>Word 2016, Word Online, Word Mac, Word for iOS <br/>Outlook 2016, Outlook Web Access <br/>Office Lens on iOS  |  | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p>  |   | 
-| Adjustable text spacing and font size  | <ul><li>OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac</li><li>Word 2016, Word Online, Word Mac, Word for iPad</li><li>Outlook Web Access</li><li>Office Lens on iOS</li></ul>  |   | <p style="text-align: center;">X</p>  |<p style="text-align: center;">X</p>   | <p style="text-align: center;">X</p>  |   | 
-| Syllabification  | <ul><li>OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac</li><li>Word Online</li><li>Outlook Web Access</li></ul>  |   | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p>  |   | 
-| Parts of speech identification  | <ul><li>OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac</li><li>Word 2016, Word Online, Word Mac, Word for iOS</li><li>Outlook 2016, Outlook Web Access</li><li>Office Lens on iOS</li></ul>  |   | <p style="text-align: center;">X</p>  |   |   |   | 
-| Line focus mode  | <ul><li>OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac</li><li>Word 2016, Word Online, Word Mac, Word for iOS</li><li>Outlook 2016, Outlook Web Access</li><li>Office Lens on iOS</li></ul>  |   |   |   |   |   | 
-| Picture Dictionary  | <ul><li>OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac</li><li>Word 2016, Word Online, Word Mac, Word for iOS</li><li>Outlook 2016, Outlook Web Access</li><li>Office Lens on iOS</li></ul>  |   |   |   |   |   | 
+|---|---|---|---|---|---|---|
+| Read aloud with simultaneous highlighting | <ul><li>OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac</li><li>Word 2016, Word Online, Word Mac, Word for iOS</li><li>Outlook 2016, Outlook Web Access</li><li>Office Lens on iOS, Android</li></ul>  |  | <p style="text-align: center;">X</p> <p style="text-align: center;">(Not including Word for iOS, Word Online, Outlook Web Access, or Office Lens)</p>  | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(Not including Outlook PC)</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(Not including any OneNote apps or Outlook PC)</p>  | 
+| Adjustable text spacing and font size  | <ul><li>OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac</li><li>Word 2016, Word Online, Word Mac, Word for iPad</li><li>Outlook Web Access</li><li>Office Lens on iOS, Android</li></ul>  |   | <p style="text-align: center;">X</p> <p style="text-align: center;">(Not including Word for iOS, Word Online, Outlook Web Access, or Office Lens)</p>  |<p style="text-align: center;">X</p>   | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(Not including any OneNote apps)</p>  | 
+| Syllabification  | <ul><li>OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac</li><li>Word Online</li><li>Outlook Web Access</li></ul>  |   | <p style="text-align: center;">X</p> <p style="text-align: center;">(Not including Word for iOS, Word Online, Outlook Web Access)</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(Not including Word iOS)</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(Not including Word iOS)</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(Not including any OneNote apps or Word iOS)</p>  | 
+| Parts of speech identification  | <ul><li>OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac</li><li>Word 2016, Word Online, Word Mac, Word for iOS</li><li>Outlook 2016, Outlook Web Access</li><li>Office Lens on iOS, Android</li></ul>  |   | <p style="text-align: center;">X</p> <p style="text-align: center;">(Not including Word Online, Outlook Web Access)</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(Not including any OneNote apps)</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(Not including any OneNote apps)</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(Not including any OneNote apps)</p>  | 
+| Line focus mode  | <ul><li>Word 2016, Word Online, Word Mac, Word for iOS</li><li>Outlook 2016, Outlook Web Access</li><li>Office Lens on iOS, Android</li></ul>  |   | <p style="text-align: center;">X</p> <p style="text-align: center;">(Not including Word Online, Outlook Web Access)</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(Not including any OneNote apps)</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(Not including any OneNote apps)</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(Not including any OneNote apps)</p>  | 
+| Picture Dictionary  | <ul><li>Word 2016, Word Online, Word Mac, Word for iOS</li><li>Outlook 2016, Outlook Web Access</li><li>Office Lens on iOS, Android</li></ul>  |   | <p style="text-align: center;">X</p> <p style="text-align: center;">(Not including Word Online, Outlook Web Access)</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(Not including any OneNote apps)</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(Not including any OneNote apps)</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(Not including any OneNote apps)</p>  | 
 </br>
 
-| Writing and proofing features  | Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R)  | Office 365 ProPlus Semi Annual (C2R)  | Office 365 ProPlus Annual (C2R)  | Office 365 Web  | Office Mac  | Office iPad  |
-|---|---|---|---|---|---|---|---|---|---|
-| Dictation  | <ul><li>OneNote 2016, OneNote for Windows 10</li><li>Word 2016</li><li>Outlook 2016</li><li>PowerPoint 2016</li></ul>   |   | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p>  |   |   |   |   |   |
-| Spelling suggestions for phonetic misspellings  | <ul><li>Word 2016, Word Online, Word for Mac</li><li>Outlook 2016</li></ul>  |   | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p>  |   |   |   |   |
-| Synonyms alongside spelling suggestions that can be read aloud  | <ul><li>Word 2016</li><li>Outlook 2016</li></ul>  |   | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p>  |   |   |   |   |
-| Grammar checks  | <ul><li>Word 2016, Word Online, Word for Mac</li><li>Outlook 2016</li></ul>  |   | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p>  |   |   |   |   |   |
-| Customizable writing critiques  | <ul><li>Word 2016, Word for Mac</li><li>Outlook 2016</li></ul>  |   | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p>  |   |   |   |   |   |
-| Tell me what you want to do  | <ul><li>Office 2016</li><li>Office Online</li><li>Office on iOS, Android, Windows 10</li></ul>  |   | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p>  |   | <p style="text-align: center;">X</p>  |   |   |
-| Editor  | <ul><li>Word 2016</li></ul>  |   | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p>  |   |   |   |   |   |
+| Writing and proofing features  | Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R)  | Office 365 ProPlus Semi Annual (C2R)  | Office 365 ProPlus Annual (C2R)  | 
+|---|---|---|---|---|---|---|
+| Dictation  | <ul><li>OneNote 2016, OneNote for Windows 10</li><li>Word 2016</li><li>Outlook 2016</li><li>PowerPoint 2016</li></ul>   |   | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p>  |   |   |  
+| Spelling suggestions for phonetic misspellings  | <ul><li>Word 2016, Word Online, Word for Mac</li><li>Outlook 2016</li></ul>  |   | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p>  |   |  
+| Synonyms alongside spelling suggestions that can be read aloud  | <ul><li>Word 2016</li><li>Outlook 2016</li></ul>  |   | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p>  |   |  
+| Grammar checks  | <ul><li>Word 2016, Word Online, Word for Mac</li><li>Outlook 2016</li></ul>  |   | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p>  |   |   |  
+| Customizable writing critiques  | <ul><li>Word 2016, Word for Mac</li><li>Outlook 2016</li></ul>  |   | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p>  |   |   |  
+| Tell me what you want to do  | <ul><li>Office 2016</li><li>Office Online</li><li>Office on iOS, Android, Windows 10</li></ul>  |   | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p>  |   | 
+| Editor  | <ul><li>Word 2016</li></ul>  |   | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p>  |   |   |  
 </br>
 
-| Creating accessible content features  |  Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R)  | Office 365 ProPlus Semi Annual (C2R)  | Office 365 ProPlus Annual (C2R)  | Office 365 Web  | Office Mac  | Office iPad  |
-|---|---|---|---|---|---|---|---|---|---|
-| Accessibility Checker  | <ul><li>All Office 365 authoring applications on PC, Mac, Web</li></ul>  |   | <p style="text-align: center;">X</p>  |   |   |   |   |   |   |
-| Accessible Templates  | <ul><li>Word for PCs, Mac</li><li>Excel for PCs, Mac</li><li>PowerPoint for PCs, Mac</li><li>Sway on iOS, Web, Windows 10</li></ul>  |   | <p style="text-align: center;">X</p>  |   |   |   |   |   |   |
-| Ability to add alt-text for images  | <ul><li>Word for PCs (includes automatic suggestions for image descriptions)</li><li>SharePoint Online (includes automatic suggestions for image descriptions)</li><li>PowerPoint for PCs (includes automatic suggestions for image descriptions)</li><li>OneNote (includes automatic extraction of text in images)</li><li>All Office 365 authoring applications (include ability to add alt-text manually)</li></ul>  |   | <p style="text-align: center;">X</p>  |   |   |   |   |   |   |
-| Ability to add captions to videos  | <ul><li>PowerPoint for PCs</li><li>Sway on iOS, Web, Windows 10</li></ul>  |   | <p style="text-align: center;">X</p>  |   |   |   |   |   |   |
-| Export as tagged PDF  | <ul><li>Word for PCs, Mac</li><li>Sway on iOS, Web, Windows 10</li></ul>  |   |   |   |   |   |   |   |   |
-| Ability to request accessible content  | <ul><li>Outlook Web Access</li></ul>  |   |   |   |   |   |   |   |   |
+| Creating accessible content features  |  Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R)  | Office 365 ProPlus Semi Annual (C2R)  | Office 365 ProPlus Annual (C2R)  | 
+|---|---|---|---|---|---|---|
+| Accessibility Checker  | <ul><li>All Office 365 authoring applications on PC, Mac, Web</li></ul>  |   | <p style="text-align: center;">X</p>  |   |   |   |  
+| Accessible Templates  | <ul><li>Word for PCs, Mac</li><li>Excel for PCs, Mac</li><li>PowerPoint for PCs, Mac</li><li>Sway on iOS, Web, Windows 10</li></ul>  |   | <p style="text-align: center;">X</p>  |   |   |   | 
+| Ability to add alt-text for images  | <ul><li>Word for PCs (includes automatic suggestions for image descriptions)</li><li>SharePoint Online (includes automatic suggestions for image descriptions)</li><li>PowerPoint for PCs (includes automatic suggestions for image descriptions)</li><li>OneNote (includes automatic extraction of text in images)</li><li>All Office 365 authoring applications (include ability to add alt-text manually)</li></ul>  |   | <p style="text-align: center;">X</p>  |   |   |   | 
+| Ability to add captions to videos  | <ul><li>PowerPoint for PCs</li><li>Sway on iOS, Web, Windows 10</li></ul>  |   | <p style="text-align: center;">X</p>  |   |   |   |  
+| Export as tagged PDF  | <ul><li>Word for PCs, Mac</li><li>Sway on iOS, Web, Windows 10</li></ul>  |   |   |   |   |   |  
+| Ability to request accessible content  | <ul><li>Outlook Web Access</li></ul>  |   |   |   |   |   |  
 </br>
 
-| Communication features   | Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R)  | Office 365 ProPlus Semi Annual (C2R)  | Office 365 ProPlus Annual (C2R)  | Office 365 Web  | Office Mac  | Office iPad  |
-|---|---|---|---|---|---|---|---|---|---|
-| Microsoft Translator  | <ul><li>Word 2016</li><li>Excel 2016</li><li>"Translator for Outlook" Add-in</li><li>PowerPoint 2016 (and PowerPoint Garage Add-in</li></ul>  | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p>  |   |   |   |
+| Communication features   | Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R)  | Office 365 ProPlus Semi Annual (C2R)  | Office 365 ProPlus Annual (C2R)  | 
+|---|---|---|---|---|---|---|
+| Microsoft Translator  | <ul><li>Word 2016</li><li>Excel 2016</li><li>"Translator for Outlook" Add-in</li><li>PowerPoint 2016 (and PowerPoint Garage Add-in)</li></ul>  | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p>  |  
 </br>
\ No newline at end of file

From 596329a76b5009bc00112ffbe93ceaa3bc68d3e8 Mon Sep 17 00:00:00 2001
From: Heidi Lohr <helohr@microsoft.com>
Date: Tue, 12 Jun 2018 12:24:16 -0700
Subject: [PATCH 043/102] Edit spacing

---
 .../application-management/app-v/appv-available-mdm-settings.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/application-management/app-v/appv-available-mdm-settings.md b/windows/application-management/app-v/appv-available-mdm-settings.md
index 4d0eaf7540..3c0cae1e21 100644
--- a/windows/application-management/app-v/appv-available-mdm-settings.md
+++ b/windows/application-management/app-v/appv-available-mdm-settings.md
@@ -28,4 +28,4 @@ With Windows 10, version 1703, you can configure, deploy, and manage your App-V
 |SyncStatusDescription|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPublishing/LastSync/SyncStatusDescription|String|- **0**: App-V publishing is idle.<br>- **1**: App-V connection groups publish in progress.<br>- **2**: App-V packages (non-connection group) publish in progress.<br>- **3**: App-V packages (connection group) publish in progress.<br>- **4**: App-V packages unpublish in progress.|
 |SyncProgress|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPublishing/LastSync/SyncProgress|String|- **0**: App-V Sync is idle.<br>- **1**: App-V Sync is initializing.<br>- **2**: App-V Sync is in progress.<br>- **3**: App-V Sync is complete.<br>- **4**: App-V Sync requires device reboot.|
 |PublishXML|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/<br>AppVPublishing/Sync/PublishXML|String|Custom value, entered by admin.|
-|Policy|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVDynamicPolicy/<br>configurationid/Policy|String|Custom value, entered by admin.|
\ No newline at end of file
+|Policy|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/<br>AppVDynamicPolicy/configurationid/Policy|String|Custom value, entered by admin.|
\ No newline at end of file

From 267d6b1e42cb7642f7a1b5605075a2cac7d8cdb3 Mon Sep 17 00:00:00 2001
From: Jeanie Decker <jdecker@microsoft.com>
Date: Tue, 12 Jun 2018 19:44:52 +0000
Subject: [PATCH 044/102] Merged PR 9009: fix link

---
 devices/hololens/hololens-provisioning.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/devices/hololens/hololens-provisioning.md b/devices/hololens/hololens-provisioning.md
index 86631b4976..c1a90edadb 100644
--- a/devices/hololens/hololens-provisioning.md
+++ b/devices/hololens/hololens-provisioning.md
@@ -22,7 +22,7 @@ Some of the HoloLens configurations that you can apply in a provisioning package
 - Set up a Wi-Fi connection
 - Apply certificates to the device
 
-To create provisioning packages, you must install Windows Configuration Designer [from Microsoft Store]((https://www.microsoft.com/store/apps/9nblggh4tx22)) or [from the Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). If you install Windows Configurations Designer from the Windows ADK, select **Configuration Designer** from the **Select the features you want to install** dialog box.
+To create provisioning packages, you must install Windows Configuration Designer [from Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22) or [from the Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). If you install Windows Configurations Designer from the Windows ADK, select **Configuration Designer** from the **Select the features you want to install** dialog box.
 
 
 

From 26a9473445983b5435f5f1ff17a105b4f4a6b8da Mon Sep 17 00:00:00 2001
From: Justin Hall <Justinha@microsoft.com>
Date: Tue, 12 Jun 2018 13:03:25 -0700
Subject: [PATCH 045/102] added new topic for isg

---
 .../TOC.md                                    |   1 +
 ...control-with-intelligent-security-graph.md | 142 ++++++++++++++++++
 2 files changed, 143 insertions(+)
 create mode 100644 windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md

diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.md b/windows/security/threat-protection/windows-defender-application-control/TOC.md
index 4bf7c5ff89..1d9c033045 100644
--- a/windows/security/threat-protection/windows-defender-application-control/TOC.md
+++ b/windows/security/threat-protection/windows-defender-application-control/TOC.md
@@ -18,6 +18,7 @@
 ### [Merge WDAC policies](merge-windows-defender-application-control-policies.md)
 ### [Enforce WDAC policies](enforce-windows-defender-application-control-policies.md)
 ### [Deploy WDAC with a managed installer](use-windows-defender-application-control-with-managed-installer.md)
+### [Deploy WDAC with Intelligent Security Graph (ISG)](use-windows-defender-application-control-with-intelligent-security-graph.md)
 ### [Deploy WDAC policies using Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md)
 ### [Deploy WDAC policies using Intune](deploy-windows-defender-application-control-policies-using-intune.md)
 ### [Use code signing to simplify application control for classic Windows applications](use-code-signing-to-simplify-application-control-for-classic-windows-applications.md)
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
new file mode 100644
index 0000000000..57f5838a42
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
@@ -0,0 +1,142 @@
+---
+title: Deploy Windows Defender Application Control with Intelligent Security Graph (ISG) (Windows 10)
+description: Automatically authorize applications that Microsoft’s ISG recognizes as having known good reputation.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: high
+author: mdsakibMSFT
+ms.date: 03/01/2018
+---
+
+# Use Windows Defender Application Control (WDAC) with the Microsoft Intelligent Security Graph 
+
+**Applies to:**
+
+-   Windows 10
+-   Windows Server 2016
+
+
+```code
+<Rules> 
+    <Rule> 
+      <Option><b>Enabled:Unsigned System Integrity Policy</b></Option> 
+    </Rule> 
+    <Rule> 
+      <Option>Enabled:Advanced Boot Options Menu</Option> 
+    </Rule> 
+    <Rule> 
+      <Option>Required:Enforce Store Applications</Option> 
+    </Rule> 
+    <Rule> 
+      <Option>Enabled:UMCI</Option> 
+    </Rule> 
+    <Rule> 
+      <Option>Enabled:Managed Installer</Option> 
+    </Rule> 
+    <Rule> 
+      <Option>Enabled:Intelligent Security Graph Authorization</Option> 
+    </Rule> 
+    <Rule> 
+      <Option>Enabled:Invalidate EAs on Reboot</Option> 
+    </Rule> 
+</Rules> 
+```
+
+## Enable service enforcement in AppLocker policy
+
+Since many installation processes rely on services, it is typically necessary to enable tracking of services. 
+Correct tracking of services requires the presence of at least one rule in the rule collection – a simple audit only rule will suffice. 
+For example:
+
+```code
+<RuleCollection Type="Dll" EnforcementMode="AuditOnly" >
+    <FilePathRule Id="86f235ad-3f7b-4121-bc95-ea8bde3a5db5" Name="Dummy Rule" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
+      <Conditions>
+        <FilePathCondition Path="%OSDRIVE%\ThisWillBeBlocked.dll" />
+      </Conditions>
+    </FilePathRule>
+    <RuleCollectionExtensions>
+      <ThresholdExtensions>
+        <Services EnforcementMode="Enabled" />
+      </ThresholdExtensions>
+      <RedstoneExtensions>
+        <SystemApps Allow="Enabled"/>
+      </RedstoneExtensions>
+    </RuleCollectionExtensions>
+  </RuleCollection>
+  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
+    <FilePathRule Id="9420c496-046d-45ab-bd0e-455b2649e41e" Name="Dummy Rule" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
+      <Conditions>
+        <FilePathCondition Path="%OSDRIVE%\ThisWillBeBlocked.exe" />
+      </Conditions>
+    </FilePathRule>
+    <RuleCollectionExtensions>
+      <ThresholdExtensions>
+        <Services EnforcementMode="Enabled" />
+      </ThresholdExtensions>
+      <RedstoneExtensions>
+        <SystemApps Allow="Enabled"/>
+      </RedstoneExtensions>
+    </RuleCollectionExtensions>
+  </RuleCollection>
+```
+
+### Enable the managed installer option in WDAC policy
+
+In order to enable trust for the binaries laid down by managed installers, the Allow: Managed Installer option must be specified in your WDAC policy.
+This can be done by using the [Set-RuleOption cmdlet](https://docs.microsoft.com/powershell/module/configci/set-ruleoption). 
+An example of the managed installer option being set in policy is shown below.
+
+```code
+<Rules>  
+    <Rule>  
+      <Option>Enabled:Unsigned System Integrity Policy</Option>  
+    </Rule>  
+    <Rule>  
+      <Option>Enabled:Advanced Boot Options Menu</Option>  
+    </Rule>  
+    <Rule>  
+      <Option>Enabled:UMCI</Option>  
+    </Rule>  
+    <Rule>  
+      <Option>Enabled:Inherit Default Policy</Option>  
+    </Rule>
+    <Rule>  
+      <Option>Enabled:Managed Installer </Option>  
+    </Rule>  
+  </Rules>  
+```
+
+## Security considerations with managed installer
+
+Since managed installer is a heuristic-based mechanism, it does not provide the same security guarantees that explicit allow or deny rules do. 
+It is best suited for deployment to systems where each user is configured as a standard user and where all software is deployed and installed by a software distribution solution, such as System Center Configuration Manager. 
+
+Users with administrator privileges or malware running as an administrator user on the system may be able to circumvent the intent of Windows Defender Application Control when the managed installer option is allowed. 
+If the authorized managed installer process performs installations in the context of a user with standard privileges, then it is possible that standard users or malware running as standard user may be able to circumvent the intent of Windows Defender Application Control. 
+Some application installers include an option to automatically run the application at the end of the installation process. If this happens when the installer is run by a managed installer, then the managed installer's heuristic tracking and authorization may continue to apply to all files created during the first run of the application. This could result in over-authorization for executables that were not intended.
+To avoid this, ensure that the application deployment solution being used as a managed installer limits running applications as part of installation.   
+
+## Known limitations with managed installer
+
+- Application execution control based on managed installer does not support applications that self-update. 
+If an application deployed by a managed installer subsequently updates itself, the updated application files will no longer include the managed installer origin information and will not be authorized to run. 
+Enterprises should deploy and install all application updates using the managed installer. 
+In some cases, it may be possible to also designate an application binary that performs the self-updates as a managed installer. 
+Proper review for functionality and security should be performed for the application before using this method. 
+
+- Although WDAC policies can be deployed in both audit and enforced mode, the managed installer option is currently only recommended for use with policies set to enforced except in lab environments. 
+Using the managed installer option with WDAC policies set to audit only may result in unexpected behavior if the policy is subsequently changed to enforced mode. 
+
+- Modern apps deployed through a managed installer will not be tracked by the managed installer heuristic and will need to be separately authorized in your WDAC policy.
+
+- Executables that extract files and then attempt to execute may not be allowed by the managed installer heuristic. 
+In some cases, it may be possible to also designate an application binary that performs such an operation as a managed installer. 
+Proper review for functionality and security should be performed for the application before using this method.
+
+- The managed installer heuristic does not authorize drivers. 
+The WDAC policy must have rules that allow the necessary drivers to run.  
+
+- In some cases, the code integrity logs where WDAC errors and warnings are written will contain error events for native images generated for .NET assemblies. 
+Typically, the error is functionally benign as a blocked native image will result in the corresponding assembly being re-interpreted. 
+Review for functionality and performance for the related applications using the native images maybe necessary in some cases. 

From 1b3717b4e850e9916028733b3cf8cd0f2e666b80 Mon Sep 17 00:00:00 2001
From: jaimeo <jaimeo@microsoft.com>
Date: Tue, 12 Jun 2018 13:27:24 -0700
Subject: [PATCH 046/102] fixing some typos

---
 windows/deployment/update/update-compliance-get-started.md   | 2 +-
 windows/deployment/upgrade/upgrade-readiness-get-started.md  | 2 +-
 windows/deployment/upgrade/upgrade-readiness-requirements.md | 5 +++--
 3 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md
index 9887546277..9d1b01ce0f 100644
--- a/windows/deployment/update/update-compliance-get-started.md
+++ b/windows/deployment/update/update-compliance-get-started.md
@@ -30,7 +30,7 @@ Update Compliance is offered as a solution in the Microsoft Operations Managemen
 If you are already using OMS, skip to step **6** to add Update Compliance to your workspace.
 
 >[!NOTE]
->If you are already using OMS, you can also follow [this link](https://portal.mms.microsoft.com/#Workspace/ipgallery/details/details/index?IPId=WaaSUpdateInsights) to go directly to the Device Health solution and add it to your workspace.
+>If you are already using OMS, you can also follow [this link](https://portal.mms.microsoft.com/#Workspace/ipgallery/details/details/index?IPId=WaaSUpdateInsights) to go directly to the Update Compliance solution and add it to your workspace.
 
 
 If you are not yet using OMS, use the following steps to subscribe to OMS Update Compliance:
diff --git a/windows/deployment/upgrade/upgrade-readiness-get-started.md b/windows/deployment/upgrade/upgrade-readiness-get-started.md
index 3ee8a1a528..2972c0ff9c 100644
--- a/windows/deployment/upgrade/upgrade-readiness-get-started.md
+++ b/windows/deployment/upgrade/upgrade-readiness-get-started.md
@@ -50,7 +50,7 @@ If you are already using OMS, you’ll find Upgrade Readiness in the Solutions G
 If you are not using OMS or Azure Log Analytics:
 
 1.  Go to [Log Analytics](https://azure.microsoft.com/services/log-analytics/) on Microsoft.com and select **Start free** to start the setup process. During the process, you’ll create a workspace and add the Upgrade Readiness solution to it.
-2.  Sign in to Operations Management Suite (OMS or Azure Log Analytics You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS.
+2.  Sign in to Operations Management Suite (OMS) or Azure Log Analytics. You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS.
 3.  Create a new workspace. Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Select **Create**.
 4.  If your organization already has an Azure subscription, you can link it to your workspace. Note that you may need to request access from your organization’s Azure administrator.
 
diff --git a/windows/deployment/upgrade/upgrade-readiness-requirements.md b/windows/deployment/upgrade/upgrade-readiness-requirements.md
index 538d13cb2a..7695e28a28 100644
--- a/windows/deployment/upgrade/upgrade-readiness-requirements.md
+++ b/windows/deployment/upgrade/upgrade-readiness-requirements.md
@@ -21,7 +21,7 @@ To perform an in-place upgrade, user computers must be running the latest versio
 
 The compatibility update that sends diagnostic data from user computers to Microsoft data centers works with Windows 7 SP1 and Windows 8.1 only. Upgrade Readiness cannot evaluate Windows XP or Windows Vista for upgrade eligibility.
 
-<!--With Windows 10, edition 1607, the compatibility update KB is installed automatically.-->
+<!--With Windows 10, edition 1607, the compatibility update is installed automatically.-->
 
 If you need to update user computers to Windows 7 SP1 or Windows 8.1, use Windows Update or download and deploy the applicable package from the Microsoft Download Center.
 
@@ -44,7 +44,8 @@ If you’re already using OMS or Azure Log Analytics, you’ll find Upgrade Read
 
 If you are not using OMS or Azure Log Analytics, go to [Log Analytics](https://azure.microsoft.com/services/log-analytics/) on Microsoft.com and select **Start free** to start the setup process. During the process, you’ll create a workspace and add the Upgrade Readiness solution to it.
 
->[!IMPORTANT] You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory, use a Work >or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS. You also need an Azure subscription to link to your OMS workspace. The account you used to create the workspace must have administrator permissions on the Azure subscription in order to link the workspace to the Azure account. Once the link has been established, you can revoke the administrator permissions.
+>[!IMPORTANT]
+>You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory, use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS. You also need an Azure subscription to link to your OMS workspace. The account you used to create the workspace must have administrator permissions on the Azure subscription in order to link the workspace to the Azure account. Once the link has been established, you can revoke the administrator permissions.
 
 ## System Center Configuration Manager integration
 

From 1e12726a502bb1f81f9de09cedeadf8a8c2cb2c8 Mon Sep 17 00:00:00 2001
From: Heidi Lohr <helohr@microsoft.com>
Date: Tue, 12 Jun 2018 14:04:09 -0700
Subject: [PATCH 047/102] Finished cleanup

---
 ...y-the-deployment-configuration-file-with-powershell.md | 7 ++-----
 ...v-apply-the-user-configuration-file-with-powershell.md | 8 ++++----
 .../app-v/appv-available-mdm-settings.md                  | 4 ++--
 3 files changed, 8 insertions(+), 11 deletions(-)

diff --git a/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md b/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md
index a3958c5d49..f55d0d1e05 100644
--- a/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md
+++ b/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md
@@ -12,10 +12,7 @@ ms.date: 06/12/2018
 
 >Applies to: Windows 10, version 1607
 
-The dynamic deployment configuration file is applied when a package is added or set to a computer running the App-V client before the package has been published. The file configures the default settings of the package that all users share on the computer running the App-V client. This section will tell you how to use a deployment configuration file. The procedure is based on the following example and assumes the following package and configuration files exist on a computer:
-
-* C:\\Packages\\Contoso\\MyApp.appv
-* C:\\Packages\\Contoso\\DynamicConfigurations\\deploymentconfig.xml
+When you add or set a package to a computer running the App-V client before it's been published, a dynamic deployment configuration file is applied to it. The dynamic deployment configuration file configures the default settings for the package that all users share on the computer running the App-V client. This section will tell you how to use a deployment configuration file.
 
 ## Apply the deployment configuration file with Windows PowerShell
 
@@ -34,7 +31,7 @@ Add-AppVClientPackage -Path C:\Packages\Contoso\MyApp.appv -DynamicDeploymentCon
 ```
 
 >[!NOTE]
->This command captures the resulting object into $pkg. If the package is already present on the computer, the **Set-AppVclientPackage** cmdlet can be used to apply the deployment configuration document:
+>This command captures the resulting object into $pkg. If the package is already present on the computer, you can use the **Set-AppVclientPackage** cmdlet to apply the deployment configuration document:
 
     ```PowerShell
     Set-AppVClientPackage -Name Myapp -Path C:\Packages\Contoso\MyApp.appv -DynamicDeploymentConfiguration C:\Packages\Contoso\DynamicConfigurations\deploymentconfig.xml
diff --git a/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md b/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md
index c115854e06..b51f7ac212 100644
--- a/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md
+++ b/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md
@@ -12,18 +12,18 @@ ms.date: 06/12/2018
 
 >Applies to: Windows 10, version 1607
 
-The dynamic user configuration file is applied when a package is published to a specific user and determines how the package will run.
+When you publish a package to a specific user, you'll also need to specify a dynamic user configuration file to tell that package how to run.
 
 ## Apply a user configuration file
 
-You can follow these steps to specify a user-specific configuration file:
+Here's how to specify a user-specific configuration file:
 
 >[!NOTE]
->The following procedure uses the following example file path for its package:
+>The following example cmdlets use this example file path for its package:
     >
     >* C:\\Packages\\Contoso\\MyApp.appv.
     >
->f your package file uses a different file path than the example, feel free to replace it as needed.
+>If your package file uses a different file path than the example, feel free to replace it as needed.
 
 1. Enter the following cmdlet in Windows PowerShell to add the package to the computer:
 
diff --git a/windows/application-management/app-v/appv-available-mdm-settings.md b/windows/application-management/app-v/appv-available-mdm-settings.md
index 3c0cae1e21..9ccb2510ea 100644
--- a/windows/application-management/app-v/appv-available-mdm-settings.md
+++ b/windows/application-management/app-v/appv-available-mdm-settings.md
@@ -6,11 +6,11 @@ ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.prod: w10
-ms.date: 04/19/2017
+ms.date: 06/12/2018
 ---
 # Available Mobile Device Management (MDM) settings for App-V
 
-With Windows 10, version 1703, you can configure, deploy, and manage your App-V apps by using these Mobile Device Management (MDM) settings. For the full list of available settings, see the [EnterpriseAppVManagement CSP](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/enterpriseappvmanagement-csp) page.
+With Windows 10, version 1703, you can configure, deploy, and manage your App-V apps with the following Mobile Device Management (MDM) settings. For the full list of available settings, see the [EnterpriseAppVManagement CSP](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/enterpriseappvmanagement-csp) page.
 
 |Policy name|Supported versions|URI full path|Data type|Values|
 |---|---|---|---|---|

From 326a6637c42d37100cb6c98c2bee6e70a5ffb4c4 Mon Sep 17 00:00:00 2001
From: Heidi Lohr <helohr@microsoft.com>
Date: Tue, 12 Jun 2018 14:09:06 -0700
Subject: [PATCH 048/102] Attempt to fix cmdlet formatting

---
 ...ply-the-deployment-configuration-file-with-powershell.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md b/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md
index f55d0d1e05..1fe64baff9 100644
--- a/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md
+++ b/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md
@@ -33,9 +33,9 @@ Add-AppVClientPackage -Path C:\Packages\Contoso\MyApp.appv -DynamicDeploymentCon
 >[!NOTE]
 >This command captures the resulting object into $pkg. If the package is already present on the computer, you can use the **Set-AppVclientPackage** cmdlet to apply the deployment configuration document:
 
-    ```PowerShell
-    Set-AppVClientPackage -Name Myapp -Path C:\Packages\Contoso\MyApp.appv -DynamicDeploymentConfiguration C:\Packages\Contoso\DynamicConfigurations\deploymentconfig.xml
-    ```
+  ```PowerShell
+  Set-AppVClientPackage -Name Myapp -Path C:\Packages\Contoso\MyApp.appv -DynamicDeploymentConfiguration C:\Packages\Contoso\DynamicConfigurations\deploymentconfig.xml
+  ```
 
 ## Have a suggestion for App-V?
 

From bdbea031da2c54910b31f5f32ac28bbb108032ff Mon Sep 17 00:00:00 2001
From: Heidi Lohr <helohr@microsoft.com>
Date: Tue, 12 Jun 2018 14:28:50 -0700
Subject: [PATCH 049/102] Attempt to fix formatting again for powershell cmdlet

---
 ...ply-the-deployment-configuration-file-with-powershell.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md b/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md
index 1fe64baff9..220186db45 100644
--- a/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md
+++ b/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md
@@ -33,9 +33,9 @@ Add-AppVClientPackage -Path C:\Packages\Contoso\MyApp.appv -DynamicDeploymentCon
 >[!NOTE]
 >This command captures the resulting object into $pkg. If the package is already present on the computer, you can use the **Set-AppVclientPackage** cmdlet to apply the deployment configuration document:
 
-  ```PowerShell
-  Set-AppVClientPackage -Name Myapp -Path C:\Packages\Contoso\MyApp.appv -DynamicDeploymentConfiguration C:\Packages\Contoso\DynamicConfigurations\deploymentconfig.xml
-  ```
+      ```PowerShell
+      Set-AppVClientPackage -Name Myapp -Path C:\Packages\Contoso\MyApp.appv -DynamicDeploymentConfiguration C:\Packages\Contoso\DynamicConfigurations\deploymentconfig.xml
+      ```
 
 ## Have a suggestion for App-V?
 

From 2ca39b9ba2e77070b0894ef0fba582e6bdae0e4e Mon Sep 17 00:00:00 2001
From: Heidi Lohr <helohr@microsoft.com>
Date: Tue, 12 Jun 2018 14:30:14 -0700
Subject: [PATCH 050/102] Attempt to fix formatting again with brackets

---
 ...y-the-deployment-configuration-file-with-powershell.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md b/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md
index 220186db45..90a114d137 100644
--- a/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md
+++ b/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md
@@ -32,10 +32,10 @@ Add-AppVClientPackage -Path C:\Packages\Contoso\MyApp.appv -DynamicDeploymentCon
 
 >[!NOTE]
 >This command captures the resulting object into $pkg. If the package is already present on the computer, you can use the **Set-AppVclientPackage** cmdlet to apply the deployment configuration document:
-
-      ```PowerShell
-      Set-AppVClientPackage -Name Myapp -Path C:\Packages\Contoso\MyApp.appv -DynamicDeploymentConfiguration C:\Packages\Contoso\DynamicConfigurations\deploymentconfig.xml
-      ```
+>
+>      ```PowerShell
+>      Set-AppVClientPackage -Name Myapp -Path C:\Packages\Contoso\MyApp.appv -DynamicDeploymentConfiguration C:\Packages\Contoso\DynamicConfigurations\deploymentconfig.xml
+>      ```
 
 ## Have a suggestion for App-V?
 

From c0fa70b9c025b0cfb0377a9708071550d405376c Mon Sep 17 00:00:00 2001
From: Benjamin Howorth <v-behowo@microsoft.com>
Date: Tue, 12 Jun 2018 21:44:36 +0000
Subject: [PATCH 051/102] Updated inclusive-classroom-it-admin.md, added final
 3 sections

---
 .../inclusive-classroom-it-admin.md           | 36 ++++++++++++++++---
 1 file changed, 32 insertions(+), 4 deletions(-)

diff --git a/education/get-started/inclusive-classroom-it-admin.md b/education/get-started/inclusive-classroom-it-admin.md
index 0deaac12fc..4daed3a54b 100644
--- a/education/get-started/inclusive-classroom-it-admin.md
+++ b/education/get-started/inclusive-classroom-it-admin.md
@@ -1,7 +1,7 @@
 ---
 title: Inclusive Classroom IT Admin Guide
 description: Learning which Inclusive Classroom features are available in which apps and in which versions of Microsoft Office.
-keywords: Test
+keywords: Inclusive Classroom, Admin, Administrator, Microsoft Intune, Intune, Ease of Access, Office 365, account
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
@@ -11,12 +11,19 @@ ms.pagetype: edu
 ROBOTS: noindex,nofollow
 author: alhughes
 ms.author: alhughes
-ms.date: 03/18/2018
+ms.date: 06/12/2018
 ---
 
 # Inclusive Classroom IT Admin Guide
+The following guide will show you what Inclusive Classroom features are available in which apps and which versions of Office. 
+You will also learn how to deploy apps using Intune, turn on or off Ease of access settings for users, and change how you pay for your Office 365 subscription.
 
-## Inclusive Classroom features
+1. [Inclusive Classroom features](#features)
+2. [Deploying apps with Microsoft Intune](#intune)
+3. [How to disable the Ease of Accesss settings for text in Windows 10](#ease)
+4. [How to change your Office 365 account from monthly, semi-annual, or yearly](#account)
+
+## <a name="features"></a>Inclusive Classroom features
 |Reading features|Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R)  | Office 365 ProPlus Semi Annual (C2R)  | Office 365 ProPlus Annual (C2R)  |
 |---|---|---|---|---|---|---|
 | Read aloud with simultaneous highlighting | <ul><li>OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac</li><li>Word 2016, Word Online, Word Mac, Word for iOS</li><li>Outlook 2016, Outlook Web Access</li><li>Office Lens on iOS, Android</li></ul>  |  | <p style="text-align: center;">X</p> <p style="text-align: center;">(Not including Word for iOS, Word Online, Outlook Web Access, or Office Lens)</p>  | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(Not including Outlook PC)</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(Not including any OneNote apps or Outlook PC)</p>  | 
@@ -51,4 +58,25 @@ ms.date: 03/18/2018
 | Communication features   | Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R)  | Office 365 ProPlus Semi Annual (C2R)  | Office 365 ProPlus Annual (C2R)  | 
 |---|---|---|---|---|---|---|
 | Microsoft Translator  | <ul><li>Word 2016</li><li>Excel 2016</li><li>"Translator for Outlook" Add-in</li><li>PowerPoint 2016 (and PowerPoint Garage Add-in)</li></ul>  | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p>  |  
-</br>
\ No newline at end of file
+</br>
+
+## <a name="intune"></a>Deploying apps with Microsoft Intune
+Microsoft Intune can be used to deploy apps such as Immersive Reader and Mirosoft Translator to all the computers connected in the same groups.
+1. Go to the <a href="https://admin.manage.microsoft.com" target="_blank">Intune for Education portal</a> and login with your account.
+2. Select the **Apps** page.
+3. Find the app your looking for either in the included list or if it's not there you can select **Add app** and download it from the Microsoft Store.
+4. Selecting your app will show you if it has been deployed to any of the groups that have been set up. From the **Groups** page you can select **Change group assignment** and choose which groups you want to deploy the app(s) to.
+
+## <a name="ease"></a>How to disable the Ease of Accesss settings for text in Windows 10
+The Ease of Access settings in Windows 10 are very useful accessibility tools, but not every one needs them activated for their computer. With the following instructions you can turn off users ability to get to the Ease of access settings.
+1. Go to the <a href="https://admin.manage.microsoft.com" target="_blank">Intune for Education portal</a> and login with your account.
+2. Select the **Groups** page and then select your desired group.
+3. Select **Settings** and under the **User access and device settings** section you find the toggle to set Ease of access to **Blocked** or **Not blocked**.
+4. Select **Save** after making your selection.
+
+## <a name="account"></a>How to change your Office 365 account from monthly, semi-annual, or yearly
+Depending on how you plan to do billing, you can have Office 365 accounts that are set to renew monthly, semi-annually, or yearly.
+1. Sign in to your <a href="https://account.microsoft.com/services" target="_blank">services and subscriptions<a/> with your Microsoft account.
+2. Find the subscription in the list, then select **Change how you pay**. 
+    >**Note:** If you don't see **Change how you pay**, it could be because auto-renew is not turned on. You won't be able to change how you pay if auto-renew is off because the subscription has already been paid and will end when its duration expires.
+3. Choose a new way to pay from the list or select **Add a new way to pay** and follow the instructions. 
\ No newline at end of file

From 9a9257760d00e1b8a9e70a9431528ceeee2dcd32 Mon Sep 17 00:00:00 2001
From: Heidi Lohr <helohr@microsoft.com>
Date: Tue, 12 Jun 2018 14:58:38 -0700
Subject: [PATCH 052/102] Next attempt to fix formatting

---
 ...ply-the-deployment-configuration-file-with-powershell.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md b/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md
index 90a114d137..9010d42763 100644
--- a/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md
+++ b/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md
@@ -33,9 +33,9 @@ Add-AppVClientPackage -Path C:\Packages\Contoso\MyApp.appv -DynamicDeploymentCon
 >[!NOTE]
 >This command captures the resulting object into $pkg. If the package is already present on the computer, you can use the **Set-AppVclientPackage** cmdlet to apply the deployment configuration document:
 >
->      ```PowerShell
->      Set-AppVClientPackage -Name Myapp -Path C:\Packages\Contoso\MyApp.appv -DynamicDeploymentConfiguration C:\Packages\Contoso\DynamicConfigurations\deploymentconfig.xml
->      ```
+>  ```PowerShell
+>  Set-AppVClientPackage -Name Myapp -Path C:\Packages\Contoso\MyApp.appv -DynamicDeploymentConfiguration C:\Packages\Contoso\DynamicConfigurations\deploymentconfig.xml
+>  ```
 
 ## Have a suggestion for App-V?
 

From 750fbbabb8e7b7e8425a0952e168d68458bf673c Mon Sep 17 00:00:00 2001
From: Heidi Lohr <helohr@microsoft.com>
Date: Tue, 12 Jun 2018 15:21:45 -0700
Subject: [PATCH 053/102] Fixed formatting and placement of related topics
 section for consistency

---
 .../app-v/appv-auto-clean-unpublished-packages.md    | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md b/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md
index bb51d5cad8..25e56caeaf 100644
--- a/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md
+++ b/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md
@@ -51,12 +51,12 @@ Using Group Policy, you can turn on the **Enable automatic cleanup of unused App
 
     After your Group Policy updates and you reset the client, the setting will clean up any unpublished App-V packages on the App-V client.
 
-### Related topics
+## Have a suggestion for App-V?
+
+Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
+
+## Related topics
 
 - [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit)
 - [Download the Microsoft Application Virtualization 5.0 Client UI Application](https://www.microsoft.com/en-us/download/details.aspx?id=41186)
-- [Using the App-V Client Management Console](appv-using-the-client-management-console.md)
-
-## Have a suggestion for App-V?
-
-Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
\ No newline at end of file
+- [Using the App-V Client Management Console](appv-using-the-client-management-console.md)
\ No newline at end of file

From d2bb6ad6664ece3cdacfe3b75056256968e7961c Mon Sep 17 00:00:00 2001
From: Benjamin Howorth <v-behowo@microsoft.com>
Date: Tue, 12 Jun 2018 23:40:56 +0000
Subject: [PATCH 054/102] Updated inclusive-classroom-it-admin.md

---
 .../get-started/inclusive-classroom-it-admin.md      | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/education/get-started/inclusive-classroom-it-admin.md b/education/get-started/inclusive-classroom-it-admin.md
index 4daed3a54b..e095d037d3 100644
--- a/education/get-started/inclusive-classroom-it-admin.md
+++ b/education/get-started/inclusive-classroom-it-admin.md
@@ -15,8 +15,8 @@ ms.date: 06/12/2018
 ---
 
 # Inclusive Classroom IT Admin Guide
-The following guide will show you what Inclusive Classroom features are available in which apps and which versions of Office. 
-You will also learn how to deploy apps using Intune, turn on or off Ease of access settings for users, and change how you pay for your Office 365 subscription.
+The following guide will show you what Inclusive Classroom features are available in which apps and which versions of Microsoft Office. 
+You will also learn how to deploy apps using Microsoft Intune, turn on or off Ease of access settings for users, and change how you pay for your Office 365 subscription.
 
 1. [Inclusive Classroom features](#features)
 2. [Deploying apps with Microsoft Intune](#intune)
@@ -64,19 +64,19 @@ You will also learn how to deploy apps using Intune, turn on or off Ease of acce
 Microsoft Intune can be used to deploy apps such as Immersive Reader and Mirosoft Translator to all the computers connected in the same groups.
 1. Go to the <a href="https://admin.manage.microsoft.com" target="_blank">Intune for Education portal</a> and login with your account.
 2. Select the **Apps** page.
-3. Find the app your looking for either in the included list or if it's not there you can select **Add app** and download it from the Microsoft Store.
+3. Find the app you're looking for either in the included list or, if it's not there, you can select **Add app** and download it from the Microsoft Store.
 4. Selecting your app will show you if it has been deployed to any of the groups that have been set up. From the **Groups** page you can select **Change group assignment** and choose which groups you want to deploy the app(s) to.
 
-## <a name="ease"></a>How to disable the Ease of Accesss settings for text in Windows 10
+## <a name="ease"></a>How to disable the Ease of Access settings for text in Windows 10
 The Ease of Access settings in Windows 10 are very useful accessibility tools, but not every one needs them activated for their computer. With the following instructions you can turn off users ability to get to the Ease of access settings.
 1. Go to the <a href="https://admin.manage.microsoft.com" target="_blank">Intune for Education portal</a> and login with your account.
 2. Select the **Groups** page and then select your desired group.
-3. Select **Settings** and under the **User access and device settings** section you find the toggle to set Ease of access to **Blocked** or **Not blocked**.
+3. Select **Settings** and under the **User access and device settings** section you will find the toggle to set **Ease of access** to **Blocked** or **Not blocked**.
 4. Select **Save** after making your selection.
 
 ## <a name="account"></a>How to change your Office 365 account from monthly, semi-annual, or yearly
 Depending on how you plan to do billing, you can have Office 365 accounts that are set to renew monthly, semi-annually, or yearly.
-1. Sign in to your <a href="https://account.microsoft.com/services" target="_blank">services and subscriptions<a/> with your Microsoft account.
+1. Sign-in to your <a href="https://account.microsoft.com/services" target="_blank">services and subscriptions<a/> with your Microsoft account.
 2. Find the subscription in the list, then select **Change how you pay**. 
     >**Note:** If you don't see **Change how you pay**, it could be because auto-renew is not turned on. You won't be able to change how you pay if auto-renew is off because the subscription has already been paid and will end when its duration expires.
 3. Choose a new way to pay from the list or select **Add a new way to pay** and follow the instructions. 
\ No newline at end of file

From e2cb4b031ab11b5695b30b435ef8e6ba34d75011 Mon Sep 17 00:00:00 2001
From: Joey Caparas <macapara@microsoft.com>
Date: Tue, 12 Jun 2018 17:24:28 -0700
Subject: [PATCH 055/102] update applies to, fix char, modify console use

---
 ...evel-windows-defender-advanced-threat-protection.md | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md
index a542df63b1..677d282889 100644
--- a/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md
@@ -1,7 +1,7 @@
 ---
 title: Onboard previous versions of Windows on Windows Defender ATP
 description: Onboard supported previous versions of Windows machines so that they can send sensor data to the Windows Defender ATP sensor
-keywords: onboard, windows, 7, 8, oms, sp1, enterprise, pro, down level
+keywords: onboard, windows, 7, oms, sp1, enterprise, pro, down level
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 06/11/2018
+ms.date: 06/17/2018
 ---
 
 # Onboard Windows previous versions of Windows
@@ -19,15 +19,13 @@ ms.date: 06/11/2018
 
 - Windows 7 SP1 Enterprise
 - Windows 7 SP1 Pro
-- Windows 8.1 Enterprise
-- Windows 8.1 Pro
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 
 [!include[Prerelease information](prerelease.md)]
 
-Windows Defender ATP extends support to also include down-level operating systems, providing advanced attack detection and investigation capabilities, seamlessly through the Windows Defender Security Center console.
+Windows Defender ATP extends support to also include down-level operating systems, providing advanced attack detection and investigation capabilities on supported Windows versions.
 
-To onboard down-level Windows client endpoints to Windows Defender ATP, you�ll need to:
+To onboard down-level Windows client endpoints to Windows Defender ATP, you'll need to:
 - Configure and update System Center Endpoint Protection clients.
 - Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Windows Defender ATP as instructed below.
 

From 99c0736647e9edddff7cbc6cfaec77009de4bbaa Mon Sep 17 00:00:00 2001
From: Martin Adler <1208749+EagleIJoe@users.noreply.github.com>
Date: Wed, 13 Jun 2018 12:51:37 +0200
Subject: [PATCH 056/102] Corrected examples XML syntax

Upper case boolean values caused parser error
Ending XML closing tag invalidates file
---
 .../app-v/appv-auto-batch-updating.md         | 92 +++++++++----------
 1 file changed, 45 insertions(+), 47 deletions(-)

diff --git a/windows/application-management/app-v/appv-auto-batch-updating.md b/windows/application-management/app-v/appv-auto-batch-updating.md
index 1d96b18fb8..ff99b0273a 100644
--- a/windows/application-management/app-v/appv-auto-batch-updating.md
+++ b/windows/application-management/app-v/appv-auto-batch-updating.md
@@ -41,29 +41,28 @@ Updating multiple apps at the same time requires that you create a **ConfigFile*
         **Example:**
         ```XML
         <?xml version="1.0"?>
-            <Applications>
-                <Application>
-                    <AppName>Skype for Windows Update</AppName>
-                    <InstallerFolder>D:\Install\Update\SkypeforWindows</InstallerFolder>
-                    <Installer>SkypeSetup.exe</Installer>
-                    <InstallerOptions>/S</InstallerOptions>
-                    <Package>C:\App-V_Package\Microsoft_Apps\skypeupdate.appv</Package>
-                    <TimeoutInMinutes>20</TimeoutInMinutes>
-                    <Cmdlet>True</Cmdlet>
-                    <Enabled>True</Enabled>
-                </Application>
-                <Application>
-                    <AppName>Microsoft Power BI Update</AppName>
-                    <InstallerFolder>D:\Install\Update\PowerBI</InstallerFolder>
-                    <Installer>PBIDesktop.msi</Installer>
-                    <InstallerOptions>/S</InstallerOptions>
-                    <Package>C:\App-V_Package\MS_Apps\powerbiupdate.appv</Package>
-                    <TimeoutInMinutes>20</TimeoutInMinutes>
-                    <Cmdlet>True</Cmdlet>
-                    <Enabled>True</Enabled>
-                </Application>
-            </Applications>
-        </xml>
+        <Applications>
+            <Application>
+                <AppName>Skype for Windows Update</AppName>
+                <InstallerFolder>D:\Install\Update\SkypeforWindows</InstallerFolder>
+                <Installer>SkypeSetup.exe</Installer>
+                <InstallerOptions>/S</InstallerOptions>
+                <Package>C:\App-V_Package\Microsoft_Apps\skypeupdate.appv</Package>
+                <TimeoutInMinutes>20</TimeoutInMinutes>
+                <Cmdlet>true</Cmdlet>
+                <Enabled>true</Enabled>
+            </Application>
+            <Application>
+                <AppName>Microsoft Power BI Update</AppName>
+                <InstallerFolder>D:\Install\Update\PowerBI</InstallerFolder>
+                <Installer>PBIDesktop.msi</Installer>
+                <InstallerOptions>/S</InstallerOptions>
+                <Package>C:\App-V_Package\MS_Apps\powerbiupdate.appv</Package>
+                <TimeoutInMinutes>20</TimeoutInMinutes>
+                <Cmdlet>true</Cmdlet>
+                <Enabled>true</Enabled>
+            </Application>
+        </Applications>
         ```
 
 3. Save your completed file under the name **ConfigFile**.
@@ -101,29 +100,28 @@ Updating multipe apps at the same time requires that you create a **ConfigFile**
 
         ```XML
         <?xml version="1.0"?>
-            <Applications>
-                <Application>
-                    <AppName>Skype for Windows Update</AppName>
-                    <InstallerFolder>D:\Install\Update\SkypeforWindows</InstallerFolder>
-                    <Installer>SkypeSetup.exe</Installer>
-                    <InstallerOptions>/S</InstallerOptions>
-                    <Package>C:\App-V_Package\Microsoft_Apps\skypeupdate.appv</Package>
-                    <TimeoutInMinutes>20</TimeoutInMinutes>
-                    <Cmdlet>False</Cmdlet>
-                    <Enabled>True</Enabled>
-                </Application>
-                <Application>
-                    <AppName>Microsoft Power BI Update</AppName>
-                    <InstallerFolder>D:\Install\Update\PowerBI</InstallerFolder>
-                    <Installer>PBIDesktop.msi</Installer>
-                    <InstallerOptions>/S</InstallerOptions>
-                    <Package>C:\App-V_Package\MS_Apps\powerbiupdate.appv</Package>
-                    <TimeoutInMinutes>20</TimeoutInMinutes>
-                    <Cmdlet>False</Cmdlet>
-                    <Enabled>True</Enabled>
-                </Application>
-            </Applications>
-        </xml>
+        <Applications>
+            <Application>
+                <AppName>Skype for Windows Update</AppName>
+                <InstallerFolder>D:\Install\Update\SkypeforWindows</InstallerFolder>
+                <Installer>SkypeSetup.exe</Installer>
+                <InstallerOptions>/S</InstallerOptions>
+                <Package>C:\App-V_Package\Microsoft_Apps\skypeupdate.appv</Package>
+                <TimeoutInMinutes>20</TimeoutInMinutes>
+                <Cmdlet>false</Cmdlet>
+                <Enabled>true</Enabled>
+            </Application>
+            <Application>
+                <AppName>Microsoft Power BI Update</AppName>
+                <InstallerFolder>D:\Install\Update\PowerBI</InstallerFolder>
+                <Installer>PBIDesktop.msi</Installer>
+                <InstallerOptions>/S</InstallerOptions>
+                <Package>C:\App-V_Package\MS_Apps\powerbiupdate.appv</Package>
+                <TimeoutInMinutes>20</TimeoutInMinutes>
+                <Cmdlet>false</Cmdlet>
+                <Enabled>true</Enabled>
+            </Application>
+        </Applications>
         ```   
 
 ### Start the App-V Sequencer interface and app installation process
@@ -157,4 +155,4 @@ There are three types of log files that occur when you sequence multiple apps at
 
 ## Have a suggestion for App-V?
 
-Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
\ No newline at end of file
+Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).

From 9ab71bdb870712272a40959d82dff6fa8c1d547b Mon Sep 17 00:00:00 2001
From: Frank Gorgenyi <Frank.Gorgenyi@microsoft.com>
Date: Wed, 13 Jun 2018 12:37:34 +0000
Subject: [PATCH 057/102] Merged PR 9015: Change Quick Pair to Swift Pair.

Change Quick Pair to Swift Pair.
---
 windows/client-management/mdm/policy-csp-bluetooth.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/windows/client-management/mdm/policy-csp-bluetooth.md b/windows/client-management/mdm/policy-csp-bluetooth.md
index 519bdfeb1f..1fb3b009d6 100644
--- a/windows/client-management/mdm/policy-csp-bluetooth.md
+++ b/windows/client-management/mdm/policy-csp-bluetooth.md
@@ -236,14 +236,14 @@ The following list shows the supported values:
 
 <!--/Scope-->
 <!--Description-->
-Added in Windows 10, version 1803. This policy allows the IT admin to block users on these managed devices from using Quick Pair and other proximity based scenarios.
+Added in Windows 10, version 1803. This policy allows the IT admin to block users on these managed devices from using Swift Pair and other proximity based scenarios.
 
 <!--/Description-->
 <!--SupportedValues-->
 The following list shows the supported values:  
 
--   0 - Disallow. Block users on these managed devices from using Quick Pair and other proximity based scenarios
--   1 - Allow. Allow users on these managed devices to use Quick Pair and other proximity based scenarios
+-   0 - Disallow. Block users on these managed devices from using Swift Pair and other proximity based scenarios
+-   1 - Allow. Allow users on these managed devices to use Swift Pair and other proximity based scenarios
 
 <!--/SupportedValues-->
 <!--/Policy-->

From 18f3d7f9b13a10de950050a888ccd3deb47c0780 Mon Sep 17 00:00:00 2001
From: Christopher McClister <christopher.mcclister@gmail.com>
Date: Wed, 13 Jun 2018 08:26:54 -0700
Subject: [PATCH 058/102] Added ms.collection meta data to Education hub per
 Lauren Moynihan

---
 education/index.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/education/index.md b/education/index.md
index 424b52680d..c78b456b9e 100644
--- a/education/index.md
+++ b/education/index.md
@@ -6,6 +6,7 @@ description: Learn about product documentation and resources available for schoo
 author: CelesteDG
 ms.topic: hub-page
 ms.author: celested
+ms.collection: ITAdminEDU
 ms.date: 10/30/2017
 ---
 <div id="main" class="v2">

From 79dfc736790d239eb0172e2ea9365323a5fc00f2 Mon Sep 17 00:00:00 2001
From: Heidi Lohr <helohr@microsoft.com>
Date: Wed, 13 Jun 2018 08:52:54 -0700
Subject: [PATCH 059/102] Updated metadata dates

---
 ...v-apply-the-deployment-configuration-file-with-powershell.md | 2 +-
 .../appv-apply-the-user-configuration-file-with-powershell.md   | 2 +-
 .../app-v/appv-auto-clean-unpublished-packages.md               | 2 +-
 .../application-management/app-v/appv-available-mdm-settings.md | 2 +-
 ...-configure-access-to-packages-with-the-management-console.md | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md b/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md
index 9010d42763..8d3a64000e 100644
--- a/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md
+++ b/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md
@@ -6,7 +6,7 @@ ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.prod: w10
-ms.date: 06/12/2018
+ms.date: 06/13/2018
 ---
 # How to apply the deployment configuration file by using Windows PowerShell
 
diff --git a/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md b/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md
index b51f7ac212..d8a04ef887 100644
--- a/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md
+++ b/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md
@@ -6,7 +6,7 @@ ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.prod: w10
-ms.date: 06/12/2018
+ms.date: 06/13/2018
 ---
 # How to apply the user configuration file by using Windows PowerShell
 
diff --git a/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md b/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md
index 25e56caeaf..cd9c6096a7 100644
--- a/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md
+++ b/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md
@@ -6,7 +6,7 @@ ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.prod: w10
-ms.date: 06/12/2018
+ms.date: 06/13/2018
 ---
 # Automatically clean up unpublished packages on the App-V client
 
diff --git a/windows/application-management/app-v/appv-available-mdm-settings.md b/windows/application-management/app-v/appv-available-mdm-settings.md
index 9ccb2510ea..d254a8b4b7 100644
--- a/windows/application-management/app-v/appv-available-mdm-settings.md
+++ b/windows/application-management/app-v/appv-available-mdm-settings.md
@@ -6,7 +6,7 @@ ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.prod: w10
-ms.date: 06/12/2018
+ms.date: 06/13/2018
 ---
 # Available Mobile Device Management (MDM) settings for App-V
 
diff --git a/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md b/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md
index f9a3d2bb7e..f44af0a19a 100644
--- a/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md
@@ -6,7 +6,7 @@ ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.prod: w10
-ms.date: 06/12/2018
+ms.date: 06/13/2018
 ---
 # How to Configure Access to Packages by Using the Management Console
 

From 436fe714e3178bc5f9be0c3b65482a4cacdac780 Mon Sep 17 00:00:00 2001
From: Justin Hall <Justinha@microsoft.com>
Date: Wed, 13 Jun 2018 09:56:48 -0700
Subject: [PATCH 060/102] added bold to code snippet

---
 ...control-with-intelligent-security-graph.md | 151 ++++++------------
 1 file changed, 53 insertions(+), 98 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
index 57f5838a42..c5c738cc8e 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
@@ -15,11 +15,39 @@ ms.date: 03/01/2018
 -   Windows 10
 -   Windows Server 2016
 
+Application execution control can be difficult to implement in enterprises that do not have processes to effectively control the deployment of applications centrally through an IT managed system. 
+In such environments, users are empowered to acquire the applications they need for work, making accounting for all the applications that would need to be authorized for execution control a daunting task.  
 
-```code
+Windows 10, version 1709 (also known as the Windows 10 Fall Creators Update) provides a new option, known as Intelligent Security Graph (ISG) authorization, that allows IT administrators to automatically authorize applications that Microsoft’s ISG recognizes as having known good reputation. The ISG option helps IT organizations take a significant first step towards going from having no application control at all to a simple means of preventing the execution of unknown and known bad software.
+
+## How does the integration between WDAC and the Intelligent Security Graph work? 
+
+The ISG relies on Microsoft’s vast security intelligence and machine learning analytics to help classify applications as having known good reputation. When users download applications on a system with WDAC enabled with the ISG authorization option specified, the reputation of the downloaded file, commonly an installer, is used to determine whether to run the installer and then that original reputation information is passed along to any files that were written by the installer. When any of these files try to execute after they are installed the reputation data is used to help make the right policy authorization decision.   
+
+After that initial download and installation, the WDAC component will check for the presence of the positive reputation information when evaluating other application execution control rules specified in the policy. If there are no deny rules present for the file, it will be authorized based on the known good reputation classification.  
+
+The reputation data on the client is rechecked periodically and enterprises can also specify that any cached reputation results are flushed on reboot.    
+
+>[!NOTE]
+>Admins needs to ensure that there is a WDAC policy in place to allow the system to boot and run any other authorized applications that may not be classified as being known good by the Intelligent Security Graph, for example custom line-of-business (LOB) apps. Since the Intelligent Security Graph is powered by global prevalence data, internal LOB apps may not be recognized as being known good. Other mechanisms like managed installer and explicit rules will help cover internal applications. Both System Center Configuration Manager (SCCM) and Microsoft Intune can be used to create and push a WDAC policy to your client machines.  
+
+Other examples of WDAC policies are available in C:\Windows\schemas\CodeIntegrity\ExamplePolicies and can help authorize Windows OS components, WHQL signed drivers and all Store apps. Admins can reference and customize them as needed for their Windows Defender Application Control deployment or [create a custom WDAC policy](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy). 
+
+## Configuring Intelligent Security Graph authorization for Windows Defender Application Control 
+
+Setting up the ISG authorization is easy regardless of what management solution you use. Configuring the ISG option involves these basic steps: 
+
+- [Ensure that the ISG option is enabled in the WDAC policy XML](#ensure-that-the-intelligent-security-graph-option-is-enabled-in-the-wdac-policy-xml) 
+- [Enable the necessary services to allow WDAC to use the ISG correctly on the client](#enable-the-necessary-services-to-allow-wdac-to-use-the-isg-correctly-on-the-client) 
+
+### Ensure that the Intelligent Security Graph option is enabled in the WDAC policy XML 
+
+In order to enable trust for executables based on classifications in the ISG, the Enabled: Intelligent Security Graph authorization option must be specified in the WDAC policy. This can be done with the Set-RuleOption cmdlet. In addition it is recommended from a security perspective to also enable the Enabled:Invalidate EAs on Reboot option to invalidate the cached ISG results on reboot to force rechecking of applications against the ISG. Caution is advised if devices will regularly transition to and from environments that may not be able to access the ISG. An example of both options being set is shown below. 
+
+<pre>
 <Rules> 
     <Rule> 
-      <Option><b>Enabled:Unsigned System Integrity Policy</b></Option> 
+      <Option>Enabled:Unsigned System Integrity Policy</Option> 
     </Rule> 
     <Rule> 
       <Option>Enabled:Advanced Boot Options Menu</Option> 
@@ -27,12 +55,12 @@ ms.date: 03/01/2018
     <Rule> 
       <Option>Required:Enforce Store Applications</Option> 
     </Rule> 
-    <Rule> 
-      <Option>Enabled:UMCI</Option> 
-    </Rule> 
-    <Rule> 
-      <Option>Enabled:Managed Installer</Option> 
-    </Rule> 
+    <b><Rule></b> 
+      <b><Option>Enabled:UMCI</Option></b> 
+    <b></Rule></b> 
+    <b><Rule></b> 
+      <b><Option>Enabled:Managed Installer</Option></b> 
+    <b></Rule></b> 
     <Rule> 
       <Option>Enabled:Intelligent Security Graph Authorization</Option> 
     </Rule> 
@@ -40,103 +68,30 @@ ms.date: 03/01/2018
       <Option>Enabled:Invalidate EAs on Reboot</Option> 
     </Rule> 
 </Rules> 
+</pre>
+
+### Enable the necessary services to allow WDAC to use the ISG correctly on the client
+
+In order for the heuristics used by the ISG to function properly, a number of component in Windows need to be enabled. The easiest way to do this is to run the appidtel executable in c:\windows\system32.
+
+```
+appidtel start
 ```
 
-## Enable service enforcement in AppLocker policy
+For WDAC policies deployed over MDM using the AppLocker CSP this step is not required as the CSP will enable the necessary components. ISG enabled through the SCCM WDAC UX will not need this step but if custom policies are being deployed outside of the WDAC UX through SCCM then this step is required.   
 
-Since many installation processes rely on services, it is typically necessary to enable tracking of services. 
-Correct tracking of services requires the presence of at least one rule in the rule collection – a simple audit only rule will suffice. 
-For example:
+## Security considerations with using the Intelligent Security Graph 
 
-```code
-<RuleCollection Type="Dll" EnforcementMode="AuditOnly" >
-    <FilePathRule Id="86f235ad-3f7b-4121-bc95-ea8bde3a5db5" Name="Dummy Rule" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
-      <Conditions>
-        <FilePathCondition Path="%OSDRIVE%\ThisWillBeBlocked.dll" />
-      </Conditions>
-    </FilePathRule>
-    <RuleCollectionExtensions>
-      <ThresholdExtensions>
-        <Services EnforcementMode="Enabled" />
-      </ThresholdExtensions>
-      <RedstoneExtensions>
-        <SystemApps Allow="Enabled"/>
-      </RedstoneExtensions>
-    </RuleCollectionExtensions>
-  </RuleCollection>
-  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
-    <FilePathRule Id="9420c496-046d-45ab-bd0e-455b2649e41e" Name="Dummy Rule" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
-      <Conditions>
-        <FilePathCondition Path="%OSDRIVE%\ThisWillBeBlocked.exe" />
-      </Conditions>
-    </FilePathRule>
-    <RuleCollectionExtensions>
-      <ThresholdExtensions>
-        <Services EnforcementMode="Enabled" />
-      </ThresholdExtensions>
-      <RedstoneExtensions>
-        <SystemApps Allow="Enabled"/>
-      </RedstoneExtensions>
-    </RuleCollectionExtensions>
-  </RuleCollection>
-```
+Since the ISG is a heuristic-based mechanism, it does not provide the same security guarantees that explicit allow or deny rules do. It is best suited for deployment to systems where each user is configured as a standard user and there are other monitoring systems in place like Windows Defender Advanced Threat Protection to help provide optics into what users are doing. 
 
-### Enable the managed installer option in WDAC policy
+Users with administrator privileges or malware running as an administrator user on the system may be able to circumvent the intent of WDAC when the ISG option is allowed by circumventing or corrupting the heuristics used to assign reputation to application executables. The ISG option uses the same heuristic tracking as managed installer and so for application installers that include an option to automatically run the application at the end of the installation process the heuristic may over-authorize.  
 
-In order to enable trust for the binaries laid down by managed installers, the Allow: Managed Installer option must be specified in your WDAC policy.
-This can be done by using the [Set-RuleOption cmdlet](https://docs.microsoft.com/powershell/module/configci/set-ruleoption). 
-An example of the managed installer option being set in policy is shown below.
+## Known limitations with using the Intelligent Security Graph
 
-```code
-<Rules>  
-    <Rule>  
-      <Option>Enabled:Unsigned System Integrity Policy</Option>  
-    </Rule>  
-    <Rule>  
-      <Option>Enabled:Advanced Boot Options Menu</Option>  
-    </Rule>  
-    <Rule>  
-      <Option>Enabled:UMCI</Option>  
-    </Rule>  
-    <Rule>  
-      <Option>Enabled:Inherit Default Policy</Option>  
-    </Rule>
-    <Rule>  
-      <Option>Enabled:Managed Installer </Option>  
-    </Rule>  
-  </Rules>  
-```
+Since the ISG relies on identifying executables as being known good there are cases where it may classify legitimate executables as unknown leading to blocks that need to be resolved either with a rule in the WDAC policy, a catalog signed by a certificate trusted in WDAC policy or by deployment through a WDAC managed installer. Typically this is due to an installer or application using a dynamic file as part of execution. These files do not tend to build up known good reputation. Auto-updating applications have also been observed using this mechanism and may be flagged by the ISG.  
 
-## Security considerations with managed installer
+Modern apps are not supported with the ISG heuristic and will need to be separately authorized in your WDAC policy. As modern apps are signed by the Microsoft Store and Microsoft Store for Business it is straightforward to authorize modern apps with signer rules in the WDAC policy.
 
-Since managed installer is a heuristic-based mechanism, it does not provide the same security guarantees that explicit allow or deny rules do. 
-It is best suited for deployment to systems where each user is configured as a standard user and where all software is deployed and installed by a software distribution solution, such as System Center Configuration Manager. 
+The ISG heuristic does not authorize kernel mode drivers. The WDAC policy must have rules that allow the necessary drivers to run.  
 
-Users with administrator privileges or malware running as an administrator user on the system may be able to circumvent the intent of Windows Defender Application Control when the managed installer option is allowed. 
-If the authorized managed installer process performs installations in the context of a user with standard privileges, then it is possible that standard users or malware running as standard user may be able to circumvent the intent of Windows Defender Application Control. 
-Some application installers include an option to automatically run the application at the end of the installation process. If this happens when the installer is run by a managed installer, then the managed installer's heuristic tracking and authorization may continue to apply to all files created during the first run of the application. This could result in over-authorization for executables that were not intended.
-To avoid this, ensure that the application deployment solution being used as a managed installer limits running applications as part of installation.   
-
-## Known limitations with managed installer
-
-- Application execution control based on managed installer does not support applications that self-update. 
-If an application deployed by a managed installer subsequently updates itself, the updated application files will no longer include the managed installer origin information and will not be authorized to run. 
-Enterprises should deploy and install all application updates using the managed installer. 
-In some cases, it may be possible to also designate an application binary that performs the self-updates as a managed installer. 
-Proper review for functionality and security should be performed for the application before using this method. 
-
-- Although WDAC policies can be deployed in both audit and enforced mode, the managed installer option is currently only recommended for use with policies set to enforced except in lab environments. 
-Using the managed installer option with WDAC policies set to audit only may result in unexpected behavior if the policy is subsequently changed to enforced mode. 
-
-- Modern apps deployed through a managed installer will not be tracked by the managed installer heuristic and will need to be separately authorized in your WDAC policy.
-
-- Executables that extract files and then attempt to execute may not be allowed by the managed installer heuristic. 
-In some cases, it may be possible to also designate an application binary that performs such an operation as a managed installer. 
-Proper review for functionality and security should be performed for the application before using this method.
-
-- The managed installer heuristic does not authorize drivers. 
-The WDAC policy must have rules that allow the necessary drivers to run.  
-
-- In some cases, the code integrity logs where WDAC errors and warnings are written will contain error events for native images generated for .NET assemblies. 
-Typically, the error is functionally benign as a blocked native image will result in the corresponding assembly being re-interpreted. 
-Review for functionality and performance for the related applications using the native images maybe necessary in some cases. 
+In some cases, the code integrity logs where WDAC errors and warnings are written will contain error events for native images generated for .NET assemblies. Typically, the error is functionally benign as a blocked native image will result in the corresponding assembly being re-interpreted. Review for functionality and performance for the related applications using the native images maybe necessary in some cases. 
\ No newline at end of file

From a33af7a063e817c9dd78174e6b196fd2c63e774d Mon Sep 17 00:00:00 2001
From: "Andrea Bichsel (Aquent LLC)" <v-anbic@microsoft.com>
Date: Wed, 13 Jun 2018 13:32:24 -0700
Subject: [PATCH 061/102] Corrected ASR rule functions.

---
 .../attack-surface-reduction-exploit-guard.md                  | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
index 4085972ad5..ef39fda490 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
@@ -11,7 +11,7 @@ ms.pagetype: security
 localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 06/12/2018
+ms.date: 06/13/2018
 ---
 
 
@@ -174,7 +174,6 @@ This rule attempts to block Office files that contain macro code that is capable
 This rule blocks the following file types from being run or launched unless they meet prevalence or age criteria set by admins, or they are in a trusted list or exclusion list:
  
 - Executable files (such as .exe, .dll, or .scr) 
-- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
  
 ### Rule: Use advanced protection against ransomware
  

From e7903a90bbcc957f988d2d36f2e6274084f47ae4 Mon Sep 17 00:00:00 2001
From: Justin Hall <Justinha@microsoft.com>
Date: Wed, 13 Jun 2018 13:52:18 -0700
Subject: [PATCH 062/102] fixed formatting

---
 ...control-with-intelligent-security-graph.md | 24 +++++++++----------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
index c5c738cc8e..f5dfca7d37 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
@@ -22,7 +22,7 @@ Windows 10, version 1709 (also known as the Windows 10 Fall Creators Update) pro
 
 ## How does the integration between WDAC and the Intelligent Security Graph work? 
 
-The ISG relies on Microsoft’s vast security intelligence and machine learning analytics to help classify applications as having known good reputation. When users download applications on a system with WDAC enabled with the ISG authorization option specified, the reputation of the downloaded file, commonly an installer, is used to determine whether to run the installer and then that original reputation information is passed along to any files that were written by the installer. When any of these files try to execute after they are installed the reputation data is used to help make the right policy authorization decision.   
+The ISG relies on Microsoft’s vast security intelligence and machine learning analytics to help classify applications as having known good reputation. When users download applications on a system with WDAC enabled with the ISG authorization option specified, the reputation of the downloaded file, commonly an installer, is used to determine whether to run the installer and then that original reputation information is passed along to any files that were written by the installer. When any of these files try to execute after they are installed, the reputation data is used to help make the right policy authorization decision.   
 
 After that initial download and installation, the WDAC component will check for the presence of the positive reputation information when evaluating other application execution control rules specified in the policy. If there are no deny rules present for the file, it will be authorized based on the known good reputation classification.  
 
@@ -42,9 +42,9 @@ Setting up the ISG authorization is easy regardless of what management solution
 
 ### Ensure that the Intelligent Security Graph option is enabled in the WDAC policy XML 
 
-In order to enable trust for executables based on classifications in the ISG, the Enabled: Intelligent Security Graph authorization option must be specified in the WDAC policy. This can be done with the Set-RuleOption cmdlet. In addition it is recommended from a security perspective to also enable the Enabled:Invalidate EAs on Reboot option to invalidate the cached ISG results on reboot to force rechecking of applications against the ISG. Caution is advised if devices will regularly transition to and from environments that may not be able to access the ISG. An example of both options being set is shown below. 
+In order to enable trust for executables based on classifications in the ISG, the **Enabled: Intelligent Security Graph authorization** option must be specified in the WDAC policy. This can be done with the Set-RuleOption cmdlet. In addition, it is recommended from a security perspective to also enable the **Enabled:Invalidate EAs on Reboot** option to invalidate the cached ISG results on reboot to force rechecking of applications against the ISG. Caution is advised if devices will regularly transition to and from environments that may not be able to access the ISG. The following example shows both options being set. 
 
-<pre>
+```code
 <Rules> 
     <Rule> 
       <Option>Enabled:Unsigned System Integrity Policy</Option> 
@@ -55,12 +55,12 @@ In order to enable trust for executables based on classifications in the ISG, th
     <Rule> 
       <Option>Required:Enforce Store Applications</Option> 
     </Rule> 
-    <b><Rule></b> 
-      <b><Option>Enabled:UMCI</Option></b> 
-    <b></Rule></b> 
-    <b><Rule></b> 
-      <b><Option>Enabled:Managed Installer</Option></b> 
-    <b></Rule></b> 
+    <Rule>
+      <Option>Enabled:UMCI</Option>
+    </Rule>
+    <Rule>
+      <Option>Enabled:Managed Installer</Option> 
+    </Rule>
     <Rule> 
       <Option>Enabled:Intelligent Security Graph Authorization</Option> 
     </Rule> 
@@ -68,7 +68,7 @@ In order to enable trust for executables based on classifications in the ISG, th
       <Option>Enabled:Invalidate EAs on Reboot</Option> 
     </Rule> 
 </Rules> 
-</pre>
+```
 
 ### Enable the necessary services to allow WDAC to use the ISG correctly on the client
 
@@ -88,9 +88,9 @@ Users with administrator privileges or malware running as an administrator user
 
 ## Known limitations with using the Intelligent Security Graph
 
-Since the ISG relies on identifying executables as being known good there are cases where it may classify legitimate executables as unknown leading to blocks that need to be resolved either with a rule in the WDAC policy, a catalog signed by a certificate trusted in WDAC policy or by deployment through a WDAC managed installer. Typically this is due to an installer or application using a dynamic file as part of execution. These files do not tend to build up known good reputation. Auto-updating applications have also been observed using this mechanism and may be flagged by the ISG.  
+Since the ISG relies on identifying executables as being known good, there are cases where it may classify legitimate executables as unknown, leading to blocks that need to be resolved either with a rule in the WDAC policy, a catalog signed by a certificate trusted in the WDAC policy or by deployment through a WDAC managed installer. Typically, this is due to an installer or application using a dynamic file as part of execution. These files do not tend to build up known good reputation. Auto-updating applications have also been observed using this mechanism and may be flagged by the ISG.  
 
-Modern apps are not supported with the ISG heuristic and will need to be separately authorized in your WDAC policy. As modern apps are signed by the Microsoft Store and Microsoft Store for Business it is straightforward to authorize modern apps with signer rules in the WDAC policy.
+Modern apps are not supported with the ISG heuristic and will need to be separately authorized in your WDAC policy. As modern apps are signed by the Microsoft Store and Microsoft Store for Business. it is straightforward to authorize modern apps with signer rules in the WDAC policy.
 
 The ISG heuristic does not authorize kernel mode drivers. The WDAC policy must have rules that allow the necessary drivers to run.  
 

From a84f2885449ccb019c65048e9c19d06cf8b925ca Mon Sep 17 00:00:00 2001
From: Justin Hall <Justinha@microsoft.com>
Date: Wed, 13 Jun 2018 13:56:08 -0700
Subject: [PATCH 063/102] fixed formatting

---
 ...ndows-defender-application-control-with-managed-installer.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md
index efb071bcb1..badaf77f39 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.localizationpriority: high
 author: mdsakibMSFT
-ms.date: 03/01/2018
+ms.date: 06/13/2018
 ---
 
 # Deploy Managed Installer for Windows Defender Application Control

From 1650ac230c4b901630c9680ebb31c309a2e57356 Mon Sep 17 00:00:00 2001
From: "Andrea Bichsel (Aquent LLC)" <v-anbic@microsoft.com>
Date: Wed, 13 Jun 2018 14:01:22 -0700
Subject: [PATCH 064/102] Incorp review

---
 .../attack-surface-reduction-exploit-guard.md                | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
index 4085972ad5..c1ad13b4dd 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
@@ -11,7 +11,7 @@ ms.pagetype: security
 localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 06/12/2018
+ms.date: 06/13/2018
 ---
 
 
@@ -187,6 +187,9 @@ Local Security Authority Subsystem Service (LSASS) authenticates users who log i
 >[!IMPORTANT]
 >[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders).
  
+ >[!NOTE]
+ >Some apps are coded to enumerate all running processes and to attempt opening them with exhaustive permissions. This results in the app accessing LSASS even when it's not necessary. ASR will deny the app's process open action and log the details to the security event log. Entry in the event log for access denial by itself is not an indication of the presence of a malicious threat.
+
 ### Rule: Block process creations originating from PSExec and WMI commands
  
 This rule blocks processes through PsExec and WMI commands from running, to prevent remote code execution that can spread malware attacks.

From facc92390c2c008d60e772efc1edc7fe874b90ec Mon Sep 17 00:00:00 2001
From: Zane <34351912+zburtondbrs@users.noreply.github.com>
Date: Wed, 13 Jun 2018 16:02:17 -0500
Subject: [PATCH 065/102] Update set-the-default-browser-using-group-policy.md

The KB does not specify that this is a computer policy. Since there is not an equivalent user policy, I think that this should be explicitly stated.
---
 .../set-the-default-browser-using-group-policy.md               | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md b/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md
index 899c3da6e3..900f6cbb17 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md
@@ -17,7 +17,7 @@ You can use the Group Policy setting, **Set a default associations configuration
 
  **To set the default browser as Internet Explorer 11**
 
-1.  Open your Group Policy editor and go to the **Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file** setting.<p>
+1.  Open your Group Policy editor and go to the **Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file** setting.<p>
 Turning this setting on also requires you to create and store a default associations configuration file, locally or on a network share. For more information about creating this file, see [Export or Import Default Application Associations]( https://go.microsoft.com/fwlink/p/?LinkId=618268).
 
     ![set default associations group policy setting](images/setdefaultbrowsergp.png)

From 3f87dc491dbdba52acb699e5b5c0926809cefd10 Mon Sep 17 00:00:00 2001
From: Joey Caparas <macapara@microsoft.com>
Date: Wed, 13 Jun 2018 14:02:51 -0700
Subject: [PATCH 066/102] minor updates

---
 ...privacy-windows-defender-advanced-threat-protection.md | 6 +++---
 ...censing-windows-defender-advanced-threat-protection.md | 2 +-
 ...rements-windows-defender-advanced-threat-protection.md | 6 +++---
 ...ot-siem-windows-defender-advanced-threat-protection.md | 8 ++++----
 4 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md
index 7a7abff824..1f6735881b 100644
--- a/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 03/06/2018
+ms.date: 06/13/2018
 ---
 
 # Windows Defender ATP data storage and privacy
@@ -27,7 +27,7 @@ This section covers some of the most frequently asked questions regarding privac
 
 ## What data does Windows Defender ATP collect?
 
-Microsoft will collect and store information from your configured machines in a database specific to the service for administration, tracking, and reporting purposes.
+Windows Defender ATP will collect and store information from your configured machines in a customer dedicate and segregated tenant specific to the service for administration, tracking, and reporting purposes. 
 
 Information collected includes file data (such as file names, sizes, and hashes), process data (running processes, hashes), registry data, network connection data (host IPs and ports), and machine details (such as machine identifiers, names, and the operating system version).
 
@@ -51,7 +51,7 @@ In all scenarios, data is encrypted using 256-bit [AES encyption](https://en.wik
 
 ## Do I have the flexibility to select where to store my data?
 
-When onboarding the service for the first time, you can choose to store your data in Microsoft Azure datacenters in the United Kingdom, Europe, or in the United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Customer data in de-identified form may also be stored in the central storage and processing systems in the United States.
+When onboarding the service for the first time, you can choose to store your data in Microsoft Azure datacenters in the European Union, the United Kingdom, or the United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Customer data in de-identified form may also be stored in the central storage and processing systems in the United States.
 
 ## Is my data isolated from other customer data?
 Yes, your data is isolated through access authentication and logical segregation based on customer identifier. Each customer can only access data collected from its own organization and generic data that Microsoft provides.
diff --git a/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md
index e64acc561c..30c94ffd40 100644
--- a/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md
@@ -66,7 +66,7 @@ When accessing the [Windows Defender ATP portal](https://SecurityCenter.Windows.
 
 	You will need to set up your preferences for the Windows Defender ATP portal.
 
-3. When onboarding the service for the first time, you can choose to store your data in the Microsoft Azure datacenters in the United Kingdom, Europe, or The United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Microsoft will not transfer the data from the specified geolocation.
+3. When onboarding the service for the first time, you can choose to store your data in the Microsoft Azure datacenters in the European Union, the United Kingdom, or the United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Microsoft will not transfer the data from the specified geolocation.
 
 	> [!WARNING]
 	> This option cannot be changed without completely offboarding from Windows Defender ATP and completing a new enrollment process.
diff --git a/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
index c4a8127477..bd53b3a21d 100644
--- a/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
@@ -36,14 +36,14 @@ For more information, see [Windows 10 Enterprise edition](https://www.microsoft.
 ### Licensing requirements
 Windows Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:
 
--	Windows 10 Enterprise E5
--	Windows 10 Education E5
+- Windows 10 Enterprise E5
+- Windows 10 Education E5
 - Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5
 
 For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us/Licensing/product-licensing/windows10.aspx#tab=2).
 
 ### Network and data storage and configuration requirements
-When you run the onboarding wizard for the first time, you must choose where your Windows Defender Advanced Threat Protection-related information is stored: in the United Kingdom, Europe, or United States datacenter.
+When you run the onboarding wizard for the first time, you must choose where your Windows Defender Advanced Threat Protection-related information is stored: in the European Union, the United Kingdom, or the United States datacenter.
 
 > [!NOTE]
 > -   You cannot change your data storage location after the first-time setup.
diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md
index ba867a62e4..eb4b206317 100644
--- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md
@@ -63,10 +63,10 @@ If you encounter an error when trying to get a refresh token when using the thre
     - For Threat intelligence API: `https://WindowsDefenderATPCustomerTiConnector`
 
 5. Add the following URL:
-   - For US:  `https://winatpmanagement-us.securitycenter.windows.com/UserAuthenticationCallback`.
-   - For Europe: `https://winatpmanagement-eu.securitycenter.windows.com/UserAuthenticationCallback`
-   - For United Kingdom: `https://winatpmanagement-uk.securitycenter.windows.com/UserAuthenticationCallback`
-
+  - For the European Union: `https://winatpmanagement-eu.securitycenter.windows.com/UserAuthenticationCallback`
+  - For the United Kingdom: `https://winatpmanagement-uk.securitycenter.windows.com/UserAuthenticationCallback`
+  - For the United States:  `https://winatpmanagement-us.securitycenter.windows.com/UserAuthenticationCallback`.
+ 
 6. Click **Save**.
 
 >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshootsiem-belowfoldlink) 

From 71d2e1e786e30009f3965a6be272a1a3b8300ad6 Mon Sep 17 00:00:00 2001
From: Joey Caparas <macapara@microsoft.com>
Date: Wed, 13 Jun 2018 14:17:05 -0700
Subject: [PATCH 067/102] typo

---
 ...orage-privacy-windows-defender-advanced-threat-protection.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md
index 1f6735881b..872a54ee9b 100644
--- a/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md
@@ -27,7 +27,7 @@ This section covers some of the most frequently asked questions regarding privac
 
 ## What data does Windows Defender ATP collect?
 
-Windows Defender ATP will collect and store information from your configured machines in a customer dedicate and segregated tenant specific to the service for administration, tracking, and reporting purposes. 
+Windows Defender ATP will collect and store information from your configured machines in a customer dedicated and segregated tenant specific to the service for administration, tracking, and reporting purposes. 
 
 Information collected includes file data (such as file names, sizes, and hashes), process data (running processes, hashes), registry data, network connection data (host IPs and ports), and machine details (such as machine identifiers, names, and the operating system version).
 

From 3d417b579cb5b4eb36bb5138848946614ce23637 Mon Sep 17 00:00:00 2001
From: Patti Short <35278231+shortpatti@users.noreply.github.com>
Date: Wed, 13 Jun 2018 14:24:29 -0700
Subject: [PATCH 068/102] Revert "Update supl-ddf-file.md"

---
 .../client-management/mdm/supl-ddf-file.md    | 198 +-----------------
 1 file changed, 1 insertion(+), 197 deletions(-)

diff --git a/windows/client-management/mdm/supl-ddf-file.md b/windows/client-management/mdm/supl-ddf-file.md
index 4ee4e4ad1d..e6ed98d713 100644
--- a/windows/client-management/mdm/supl-ddf-file.md
+++ b/windows/client-management/mdm/supl-ddf-file.md
@@ -171,7 +171,7 @@ The XML below is the current version for this CSP.
                 </DFProperties>
               </Node>
               <Node>
-                <NodeName>MCCMNCPairs</NodeName>
+                <NodeName>MCCMNPairs</NodeName>
                 <DFProperties>
                   <AccessType>
                     <Get />
@@ -482,201 +482,6 @@ The XML below is the current version for this CSP.
             </Node>
           </Node>
         </Node>
-        <Node>
-          <NodeName>RootCertificate4</NodeName>
-          <DFProperties>
-            <AccessType>
-              <Get />
-            </AccessType>
-            <Description>Required. Specifies the root certificate for the H-SLP server. Windows Phone does not support a non-secure mode. If this node is not included, the configuration service provider will fail but may not return a specific error.</Description>
-            <DFFormat>
-              <node />
-            </DFFormat>
-            <Occurrence>
-              <One />
-            </Occurrence>
-            <Scope>
-              <Permanent />
-            </Scope>
-            <DFType>
-              <DDFName></DDFName>
-            </DFType>
-          </DFProperties>
-          <Node>
-            <NodeName>Name</NodeName>
-            <DFProperties>
-              <AccessType>
-                <Get />
-                <Replace />
-              </AccessType>
-              <Description>Specifies the name of the H-SLP root certificate as a string, in the format name.cer.</Description>
-              <DFFormat>
-                <chr />
-              </DFFormat>
-              <Occurrence>
-                <One />
-              </Occurrence>
-              <Scope>
-                <Permanent />
-              </Scope>
-              <DFType>
-                <MIME>text/plain</MIME>
-              </DFType>
-            </DFProperties>
-          </Node>
-          <Node>
-            <NodeName>Data</NodeName>
-            <DFProperties>
-              <AccessType>
-                <Get />
-                <Replace />
-              </AccessType>
-              <Description>The base 64 encoded blob of the H-SLP root certificate.</Description>
-              <DFFormat>
-                <b64 />
-              </DFFormat>
-              <Occurrence>
-                <One />
-              </Occurrence>
-              <Scope>
-                <Permanent />
-              </Scope>
-              <DFType>
-                <DDFName></DDFName>
-              </DFType>
-            </DFProperties>
-          </Node>
-        </Node>
-        <Node>
-          <NodeName>RootCertificate5</NodeName>
-          <DFProperties>
-            <AccessType>
-              <Get />
-            </AccessType>
-            <Description>Required. Specifies the root certificate for the H-SLP server. Windows Phone does not support a non-secure mode. If this node is not included, the configuration service provider will fail but may not return a specific error.</Description>
-            <DFFormat>
-              <node />
-            </DFFormat>
-            <Occurrence>
-              <One />
-            </Occurrence>
-            <Scope>
-              <Permanent />
-            </Scope>
-            <DFType>
-              <DDFName></DDFName>
-            </DFType>
-          </DFProperties>
-          <Node>
-            <NodeName>Name</NodeName>
-            <DFProperties>
-              <AccessType>
-                <Get />
-                <Replace />
-              </AccessType>
-              <Description>Specifies the name of the H-SLP root certificate as a string, in the format name.cer.</Description>
-              <DFFormat>
-                <chr />
-              </DFFormat>
-              <Occurrence>
-                <One />
-              </Occurrence>
-              <Scope>
-                <Permanent />
-              </Scope>
-              <DFType>
-                <MIME>text/plain</MIME>
-              </DFType>
-            </DFProperties>
-          </Node>
-          <Node>
-            <NodeName>Data</NodeName>
-            <DFProperties>
-              <AccessType>
-                <Get />
-                <Replace />
-              </AccessType>
-              <Description>The base 64 encoded blob of the H-SLP root certificate.</Description>
-              <DFFormat>
-                <b64 />
-              </DFFormat>
-              <Occurrence>
-                <One />
-              </Occurrence>
-              <Scope>
-                <Permanent />
-              </Scope>
-              <DFType>
-                <DDFName></DDFName>
-              </DFType>
-            </DFProperties>
-          </Node>
-        </Node>
-        <Node>
-          <NodeName>RootCertificate6</NodeName>
-          <DFProperties>
-            <AccessType>
-              <Get />
-            </AccessType>
-            <Description>Required. Specifies the root certificate for the H-SLP server. Windows Phone does not support a non-secure mode. If this node is not included, the configuration service provider will fail but may not return a specific error.</Description>
-            <DFFormat>
-              <node />
-            </DFFormat>
-            <Occurrence>
-              <One />
-            </Occurrence>
-            <Scope>
-              <Permanent />
-            </Scope>
-            <DFType>
-              <DDFName></DDFName>
-            </DFType>
-          </DFProperties>
-          <Node>
-            <NodeName>Name</NodeName>
-            <DFProperties>
-              <AccessType>
-                <Get />
-                <Replace />
-              </AccessType>
-              <Description>Specifies the name of the H-SLP root certificate as a string, in the format name.cer.</Description>
-              <DFFormat>
-                <chr />
-              </DFFormat>
-              <Occurrence>
-                <One />
-              </Occurrence>
-              <Scope>
-                <Permanent />
-              </Scope>
-              <DFType>
-                <MIME>text/plain</MIME>
-              </DFType>
-            </DFProperties>
-          </Node>
-          <Node>
-            <NodeName>Data</NodeName>
-            <DFProperties>
-              <AccessType>
-                <Get />
-                <Replace />
-              </AccessType>
-              <Description>The base 64 encoded blob of the H-SLP root certificate.</Description>
-              <DFFormat>
-                <b64 />
-              </DFFormat>
-              <Occurrence>
-                <One />
-              </Occurrence>
-              <Scope>
-                <Permanent />
-              </Scope>
-              <DFType>
-                <DDFName></DDFName>
-              </DFType>
-            </DFProperties>
-          </Node>
-        </Node>
         <Node>
           <NodeName>V2UPL1 </NodeName>
           <DFProperties>
@@ -857,7 +662,6 @@ The XML below is the current version for this CSP.
         </Node>
       </Node>
 </MgmtTree>
-
 ```
 
  

From 57d57e319c5160365e228cfcea219843476ecf32 Mon Sep 17 00:00:00 2001
From: Luis Masieri <32968351+lmasieri@users.noreply.github.com>
Date: Wed, 13 Jun 2018 14:29:15 -0700
Subject: [PATCH 069/102] Update
 whats-new-microsoft-store-business-education.md

---
 .../whats-new-microsoft-store-business-education.md             | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/store-for-business/whats-new-microsoft-store-business-education.md b/store-for-business/whats-new-microsoft-store-business-education.md
index fc29d300b3..e2988a84c9 100644
--- a/store-for-business/whats-new-microsoft-store-business-education.md
+++ b/store-for-business/whats-new-microsoft-store-business-education.md
@@ -68,7 +68,7 @@ We’ve been working on bug fixes and performance improvements to provide you a
 - Bug fixes and performance improvements
 
 [October 2017](release-history-microsoft-store-business-education.md#october-2017)
-- Bug fixes and permformance improvements 
+- Bug fixes and performance improvements 
 
 [September 2017](release-history-microsoft-store-business-education.md#september-2017)
 - Manage Windows device deployment with Windows Autopilot Deployment

From 8d57c7fd279afa47296b097d02db39f7b2052b9d Mon Sep 17 00:00:00 2001
From: Benjamin Howorth <v-behowo@microsoft.com>
Date: Wed, 13 Jun 2018 22:38:16 +0000
Subject: [PATCH 070/102] Updated inclusive-classroom-it-admin.md, final
 changes before pull request

---
 .../inclusive-classroom-it-admin.md           | 26 +++++++++----------
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/education/get-started/inclusive-classroom-it-admin.md b/education/get-started/inclusive-classroom-it-admin.md
index e095d037d3..63c0d3cb23 100644
--- a/education/get-started/inclusive-classroom-it-admin.md
+++ b/education/get-started/inclusive-classroom-it-admin.md
@@ -20,18 +20,18 @@ You will also learn how to deploy apps using Microsoft Intune, turn on or off Ea
 
 1. [Inclusive Classroom features](#features)
 2. [Deploying apps with Microsoft Intune](#intune)
-3. [How to disable the Ease of Accesss settings for text in Windows 10](#ease)
+3. [How to show/hide the Ease of Accesss settings for text in Windows 10](#ease)
 4. [How to change your Office 365 account from monthly, semi-annual, or yearly](#account)
 
 ## <a name="features"></a>Inclusive Classroom features
 |Reading features|Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R)  | Office 365 ProPlus Semi Annual (C2R)  | Office 365 ProPlus Annual (C2R)  |
 |---|---|---|---|---|---|---|
-| Read aloud with simultaneous highlighting | <ul><li>OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac</li><li>Word 2016, Word Online, Word Mac, Word for iOS</li><li>Outlook 2016, Outlook Web Access</li><li>Office Lens on iOS, Android</li></ul>  |  | <p style="text-align: center;">X</p> <p style="text-align: center;">(Not including Word for iOS, Word Online, Outlook Web Access, or Office Lens)</p>  | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(Not including Outlook PC)</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(Not including any OneNote apps or Outlook PC)</p>  | 
-| Adjustable text spacing and font size  | <ul><li>OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac</li><li>Word 2016, Word Online, Word Mac, Word for iPad</li><li>Outlook Web Access</li><li>Office Lens on iOS, Android</li></ul>  |   | <p style="text-align: center;">X</p> <p style="text-align: center;">(Not including Word for iOS, Word Online, Outlook Web Access, or Office Lens)</p>  |<p style="text-align: center;">X</p>   | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(Not including any OneNote apps)</p>  | 
-| Syllabification  | <ul><li>OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac</li><li>Word Online</li><li>Outlook Web Access</li></ul>  |   | <p style="text-align: center;">X</p> <p style="text-align: center;">(Not including Word for iOS, Word Online, Outlook Web Access)</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(Not including Word iOS)</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(Not including Word iOS)</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(Not including any OneNote apps or Word iOS)</p>  | 
-| Parts of speech identification  | <ul><li>OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac</li><li>Word 2016, Word Online, Word Mac, Word for iOS</li><li>Outlook 2016, Outlook Web Access</li><li>Office Lens on iOS, Android</li></ul>  |   | <p style="text-align: center;">X</p> <p style="text-align: center;">(Not including Word Online, Outlook Web Access)</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(Not including any OneNote apps)</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(Not including any OneNote apps)</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(Not including any OneNote apps)</p>  | 
-| Line focus mode  | <ul><li>Word 2016, Word Online, Word Mac, Word for iOS</li><li>Outlook 2016, Outlook Web Access</li><li>Office Lens on iOS, Android</li></ul>  |   | <p style="text-align: center;">X</p> <p style="text-align: center;">(Not including Word Online, Outlook Web Access)</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(Not including any OneNote apps)</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(Not including any OneNote apps)</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(Not including any OneNote apps)</p>  | 
-| Picture Dictionary  | <ul><li>Word 2016, Word Online, Word Mac, Word for iOS</li><li>Outlook 2016, Outlook Web Access</li><li>Office Lens on iOS, Android</li></ul>  |   | <p style="text-align: center;">X</p> <p style="text-align: center;">(Not including Word Online, Outlook Web Access)</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(Not including any OneNote apps)</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(Not including any OneNote apps)</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(Not including any OneNote apps)</p>  | 
+| Read aloud with simultaneous highlighting | <ul><li>OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac</li><li>Word 2016, Word Online, Word Mac, Word for iOS</li><li>Outlook 2016, Outlook Web Access</li><li>Office Lens on iOS, Android</li></ul>  |  | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for Word for iOS, Word Online, Outlook Web Access, or Office Lens)</p>  | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for Outlook PC)</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for any OneNote apps or Outlook PC)</p>  | 
+| Adjustable text spacing and font size  | <ul><li>OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac</li><li>Word 2016, Word Online, Word Mac, Word for iPad</li><li>Outlook Web Access</li><li>Office Lens on iOS, Android</li></ul>  |   | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for Word for iOS, Word Online, Outlook Web Access, or Office Lens)</p>  |<p style="text-align: center;">X</p>   | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for any OneNote apps)</p>  | 
+| Syllabification  | <ul><li>OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac</li><li>Word Online</li><li>Outlook Web Access</li></ul>  |   | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for Word for iOS, Word Online, Outlook Web Access)</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for Word iOS)</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for Word iOS)</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for any OneNote apps or Word iOS)</p>  | 
+| Parts of speech identification  | <ul><li>OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac</li><li>Word 2016, Word Online, Word Mac, Word for iOS</li><li>Outlook 2016, Outlook Web Access</li><li>Office Lens on iOS, Android</li></ul>  |   | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for Word Online, Outlook Web Access)</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(ot includingN any OneNote apps)</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for any OneNote apps)</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for any OneNote apps)</p>  | 
+| Line focus mode  | <ul><li>Word 2016, Word Online, Word Mac, Word for iOS</li><li>Outlook 2016, Outlook Web Access</li><li>Office Lens on iOS, Android</li></ul>  |   | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for Word Online, Outlook Web Access)</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for any OneNote apps)</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for any OneNote apps)</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for any OneNote apps)</p>  | 
+| Picture Dictionary  | <ul><li>Word 2016, Word Online, Word Mac, Word for iOS</li><li>Outlook 2016, Outlook Web Access</li><li>Office Lens on iOS, Android</li></ul>  |   | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for Word Online, Outlook Web Access)</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for any OneNote apps)</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for any OneNote apps)</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for any OneNote apps)</p>  | 
 </br>
 
 | Writing and proofing features  | Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R)  | Office 365 ProPlus Semi Annual (C2R)  | Office 365 ProPlus Annual (C2R)  | 
@@ -50,7 +50,7 @@ You will also learn how to deploy apps using Microsoft Intune, turn on or off Ea
 | Accessibility Checker  | <ul><li>All Office 365 authoring applications on PC, Mac, Web</li></ul>  |   | <p style="text-align: center;">X</p>  |   |   |   |  
 | Accessible Templates  | <ul><li>Word for PCs, Mac</li><li>Excel for PCs, Mac</li><li>PowerPoint for PCs, Mac</li><li>Sway on iOS, Web, Windows 10</li></ul>  |   | <p style="text-align: center;">X</p>  |   |   |   | 
 | Ability to add alt-text for images  | <ul><li>Word for PCs (includes automatic suggestions for image descriptions)</li><li>SharePoint Online (includes automatic suggestions for image descriptions)</li><li>PowerPoint for PCs (includes automatic suggestions for image descriptions)</li><li>OneNote (includes automatic extraction of text in images)</li><li>All Office 365 authoring applications (include ability to add alt-text manually)</li></ul>  |   | <p style="text-align: center;">X</p>  |   |   |   | 
-| Ability to add captions to videos  | <ul><li>PowerPoint for PCs</li><li>Sway on iOS, Web, Windows 10</li></ul>  |   | <p style="text-align: center;">X</p>  |   |   |   |  
+| Ability to add captions to videos  | <ul><li>PowerPoint for PCs</li><li>Sway on iOS, Web, Windows 10</li><li>Microsoft Stream (includes ability to have captions auto-generated for videos in English and Spanish)</li></ul>  |   | <p style="text-align: center;">X</p>  |   |   |   |  
 | Export as tagged PDF  | <ul><li>Word for PCs, Mac</li><li>Sway on iOS, Web, Windows 10</li></ul>  |   |   |   |   |   |  
 | Ability to request accessible content  | <ul><li>Outlook Web Access</li></ul>  |   |   |   |   |   |  
 </br>
@@ -61,14 +61,14 @@ You will also learn how to deploy apps using Microsoft Intune, turn on or off Ea
 </br>
 
 ## <a name="intune"></a>Deploying apps with Microsoft Intune
-Microsoft Intune can be used to deploy apps such as Immersive Reader and Mirosoft Translator to all the computers connected in the same groups.
-1. Go to the <a href="https://admin.manage.microsoft.com" target="_blank">Intune for Education portal</a> and login with your account.
+Microsoft Intune can be used to deploy apps such as Immersive Reader and Microsoft Translator to all the devices connected in the same groups.
+1. Go to the <a href="https://admin.manage.microsoft.com" target="_blank">Intune for Education portal</a> and log in with your account.
 2. Select the **Apps** page.
-3. Find the app you're looking for either in the included list or, if it's not there, you can select **Add app** and download it from the Microsoft Store.
+3. Find the app you're looking for in the included list (if it's not there, you can select **Add app** and download it from the Microsoft Store). 
 4. Selecting your app will show you if it has been deployed to any of the groups that have been set up. From the **Groups** page you can select **Change group assignment** and choose which groups you want to deploy the app(s) to.
 
-## <a name="ease"></a>How to disable the Ease of Access settings for text in Windows 10
-The Ease of Access settings in Windows 10 are very useful accessibility tools, but not every one needs them activated for their computer. With the following instructions you can turn off users ability to get to the Ease of access settings.
+## <a name="ease"></a>How to show/hide the Ease of access settings for text in Windows 10
+The Ease of access settings in Windows 10 are very useful accessibility tools, but having those options could be a bit much for everyone in a group to have in their device. With the following instructions you can chose to hide or show the Ease of access settings on users' devices.
 1. Go to the <a href="https://admin.manage.microsoft.com" target="_blank">Intune for Education portal</a> and login with your account.
 2. Select the **Groups** page and then select your desired group.
 3. Select **Settings** and under the **User access and device settings** section you will find the toggle to set **Ease of access** to **Blocked** or **Not blocked**.

From aee53922e55ffb6f767a3a81744308ceacfeafe4 Mon Sep 17 00:00:00 2001
From: Dani Halfin <daniha@microsoft.com>
Date: Thu, 14 Jun 2018 13:16:03 +0000
Subject: [PATCH 071/102] Merged PR 9058: fixing formatting

---
 windows/privacy/manage-windows-endpoints.md | 20 +++++++-------------
 1 file changed, 7 insertions(+), 13 deletions(-)

diff --git a/windows/privacy/manage-windows-endpoints.md b/windows/privacy/manage-windows-endpoints.md
index e43a9ddff4..ba3adcb3c4 100644
--- a/windows/privacy/manage-windows-endpoints.md
+++ b/windows/privacy/manage-windows-endpoints.md
@@ -34,7 +34,7 @@ We used the following methodology to derive these network endpoints:
 2.	Leave the devices running idle for a week (that is, a user is not interacting with the system/device).
 3.	Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.  
 4.	Compile reports on traffic going to public IP addresses.
-5.  The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory.
+5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory.
 
 > [!NOTE]
 > Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time.
@@ -529,8 +529,7 @@ In addition to the endpoints listed for Windows 10 Enterprise, the following end
 | dual-a-0001.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
 | fe2.update.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
 | fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
-| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2/
-HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
+| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2\/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
 | fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. |
 | fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
 | g.live.com/1rewlive5skydrive/ | HTTPS | Used by a redirection service to automatically update URLs. |
@@ -552,11 +551,9 @@ HTTPS | Enables connections to Windows Update, Microsoft Update, and the online
 | pti.store.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
 | pti.store.microsoft.com.unistore.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
 | purchase.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
-| ris.api.iris.microsoft.com.akadns.net | TLSv1.2/
-HTTPS | Used to retrieve Windows Spotlight metadata. |
+| ris.api.iris.microsoft.com.akadns.net | TLSv1.2\/HTTPS | Used to retrieve Windows Spotlight metadata. |
 | settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. |
-| sls.update.microsoft.com.nsatc.net | TLSv1.2/
-HTTPS | Enables connections to Windows Update. |
+| sls.update.microsoft.com.nsatc.net | TLSv1.2\/HTTPS | Enables connections to Windows Update. |
 | star-mini.c10r.facebook.com | TLSv1.2 | Used for the Facebook Live Tile. |
 | storecatalogrevocation.storequality.microsoft.com | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. |
 | storeedgefd.dsx.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
@@ -578,8 +575,7 @@ HTTPS | Enables connections to Windows Update. |
 | **Destination** | **Protocol** | **Description** |
 | --- | --- | --- |
 | *.*.akamai.net | HTTP | Used to download content. |
-| *.*.akamaiedge.net | HTTP/
-TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. |
+| *.*.akamaiedge.net | TLSv1.2\/HTTP | Used to check for updates to maps that have been downloaded for offline use. |
 | *.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
 | *.blob.core.windows.net | HTTPS | Used by Windows Update to update words used for language input methods. |
 | *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. |
@@ -618,8 +614,7 @@ TLSv1.2 | Used to check for updates to maps that have been downloaded for offlin
 | evoke-windowsservices-tas.msedge.net | HTTPS | Used by the Photos app to download configuration files, and to connect to the Office 365 portal’s shared infrastructure, including Office Online. |
 | fe2.update.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
 | fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
-| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2/
-HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
+| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2\/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
 | fe3.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
 | fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. |
 | fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
@@ -704,8 +699,7 @@ HTTPS | Enables connections to Windows Update, Microsoft Update, and the online
 | fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. |
 | fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. |
 | fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
-| g.msn.com.nsatc.net | HTTP/
-TLSv1.2 | Used to retrieve Windows Spotlight metadata. |
+| g.msn.com.nsatc.net | TLSv1.2\/HTTP | Used to retrieve Windows Spotlight metadata. |
 | geo-prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. |
 | geover-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
 | go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. |

From c7b5756f6843a2fece5d8b4a69c5b33cbe369f75 Mon Sep 17 00:00:00 2001
From: Jeanie Decker <jdecker@microsoft.com>
Date: Thu, 14 Jun 2018 14:42:13 +0000
Subject: [PATCH 072/102] Merged PR 9060: Fixed heading

---
 devices/hololens/hololens-kiosk.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/devices/hololens/hololens-kiosk.md b/devices/hololens/hololens-kiosk.md
index 0abcc7ac79..745543c41c 100644
--- a/devices/hololens/hololens-kiosk.md
+++ b/devices/hololens/hololens-kiosk.md
@@ -42,7 +42,8 @@ If you use [MDM, Microsoft Intune](#intune-kiosk), or a [provisioning package](#
 >[!NOTE]
 >Because a single-app kiosk launches the kiosk app when a user signs in, there is no Start screen displayed.
 
-### Start layout file for Intune
+<span id="start-layout-file-for-intune" />
+### Start layout file for MDM (Intune and others)
 
 Save the following sample as an XML file. You will select this file when you configure the kiosk in Microsoft Intune (or in another MDM service that provides a kiosk profile).
 

From 719eeb5302d3965fcfb66f4146c873480c4b48ad Mon Sep 17 00:00:00 2001
From: JohnRajunas <john.rajunas@microsoft.com>
Date: Thu, 14 Jun 2018 12:38:36 -0400
Subject: [PATCH 073/102] Update
 windows-10-start-layout-options-and-policies.md

I think adding the reference to CopyProfile not being supported will help insure IT Pros do not consider using it as a alternative to the options detailed here
---
 .../windows-10-start-layout-options-and-policies.md             | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/windows/configuration/windows-10-start-layout-options-and-policies.md b/windows/configuration/windows-10-start-layout-options-and-policies.md
index 58bb51fd67..82f903e308 100644
--- a/windows/configuration/windows-10-start-layout-options-and-policies.md
+++ b/windows/configuration/windows-10-start-layout-options-and-policies.md
@@ -30,6 +30,8 @@ Organizations might want to deploy a customized Start and taskbar configuration
 >Start and taskbar configuration can be applied to devices running Windows 10 Pro, version 1703.
 >
 >Using the layout modification XML to configure Start is not supported with roaming user profiles. For more information, see [Deploy Roaming User Profiles](https://technet.microsoft.com/library/jj649079.aspx).
+>
+>Using CopyProfile for Start menu customization in Windows 10 isn't supported. For more information [Customize the Default User Profile by Using CopyProfile](https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/customize-the-default-user-profile-by-using-copyprofile)
 
 
 

From 74700422bc9d02a594ddcacb94f21e06ff34a6c1 Mon Sep 17 00:00:00 2001
From: Paul Fitzgerald <paul.fitzgerald@microsoft.com>
Date: Thu, 14 Jun 2018 11:38:46 -0500
Subject: [PATCH 074/102] Update upgrade-readiness-deployment-script.md

Updated URL to point to new location for referenced information.
---
 .../deployment/upgrade/upgrade-readiness-deployment-script.md   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md
index c28763cabf..774f54ce73 100644
--- a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md
+++ b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md
@@ -229,7 +229,7 @@ The deployment script displays the following exit codes to let you know if it wa
     </tr>
     <tr>
         <td>32 - Appraiser version on the machine is outdated. </td>
-        <td>The configuration script detected a version of the compatibility update module that is older than the minimum required to correctly collect the data required by Upgrade Readiness solution. Use the latest version of the [compatibility update](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#deploy-the-compatibility-update-and-related-kbs) for Windows 7 SP1/Windows 8.1.</td>
+        <td>The configuration script detected a version of the compatibility update module that is older than the minimum required to correctly collect the data required by Upgrade Readiness solution. Use the latest version of the [compatibility update](https://docs.microsoft.com/en-us/windows/deployment/update/windows-analytics-get-started#deploy-the-compatibility-update-and-related-updates) for Windows 7 SP1/Windows 8.1.</td>
     </tr>
     <tr>
         <td>33 - **CompatTelRunner.exe** exited with an exit code </td>

From 4e484666e0081fa699d83a97ed82149fc7d2bd30 Mon Sep 17 00:00:00 2001
From: Jeanie Decker <jdecker@microsoft.com>
Date: Thu, 14 Jun 2018 20:21:21 +0000
Subject: [PATCH 075/102] Merged PR 9074: update Intune kiosk instructions for
 HoloLens

---
 devices/hololens/hololens-kiosk.md | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/devices/hololens/hololens-kiosk.md b/devices/hololens/hololens-kiosk.md
index 745543c41c..9b54f8a335 100644
--- a/devices/hololens/hololens-kiosk.md
+++ b/devices/hololens/hololens-kiosk.md
@@ -93,7 +93,7 @@ You will [create an XML file](#ppkg-kiosk) to define the kiosk configuration to
 <span id="intune-kiosk"/>
 ## Set up kiosk mode using Microsoft Intune or MDM (Windows 10, version 1803)
 
-For HoloLens devices that are managed by Microsoft Intune, you [create a device restriction profile](https://docs.microsoft.com/intune/device-profile-create) and configure the [Kiosk (Preview) settings](https://docs.microsoft.com/intune/device-restrictions-windows-holographic#kiosk-preview).
+For HoloLens devices that are managed by Microsoft Intune, you [create a device profile](https://docs.microsoft.com/intune/device-profile-create) and configure the [Kiosk settings](https://docs.microsoft.com/intune/kiosk-settings).
 
 For other MDM services, check your provider's documentation for instructions. If you need to use a custom setting and full XML configuration to set up a kiosk in your MDM service, [create an XML file that defines the kiosk configuration](#create-xml-file), and make sure to include the [Start layout](#start-layout-for-a-provisioning-package) in the XML file.  
 
@@ -213,8 +213,7 @@ Use the following snippet in your kiosk configuration XML to enable the **Guest*
 
 ## More information
 
-Watch how to configure a kiosk in Microsoft Intune.
->[!VIDEO https://www.microsoft.com/videoplayer/embed/ce9992ab-9fea-465d-b773-ee960b990c4a?autoplay=false]
+
 
 Watch how to configure a kiosk in a provisioning package.
 >[!VIDEO https://www.microsoft.com/videoplayer/embed/fa125d0f-77e4-4f64-b03e-d634a4926884?autoplay=false]
\ No newline at end of file

From b16e9511dadc13693353b005cc91c44179f0c52d Mon Sep 17 00:00:00 2001
From: Benjamin Howorth <v-behowo@microsoft.com>
Date: Thu, 14 Jun 2018 20:56:50 +0000
Subject: [PATCH 076/102] Updated inclusive-classroom-it-admin.md, fixing text
 issue

---
 education/get-started/inclusive-classroom-it-admin.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/education/get-started/inclusive-classroom-it-admin.md b/education/get-started/inclusive-classroom-it-admin.md
index 63c0d3cb23..856e1c3a19 100644
--- a/education/get-started/inclusive-classroom-it-admin.md
+++ b/education/get-started/inclusive-classroom-it-admin.md
@@ -29,7 +29,7 @@ You will also learn how to deploy apps using Microsoft Intune, turn on or off Ea
 | Read aloud with simultaneous highlighting | <ul><li>OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac</li><li>Word 2016, Word Online, Word Mac, Word for iOS</li><li>Outlook 2016, Outlook Web Access</li><li>Office Lens on iOS, Android</li></ul>  |  | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for Word for iOS, Word Online, Outlook Web Access, or Office Lens)</p>  | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for Outlook PC)</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for any OneNote apps or Outlook PC)</p>  | 
 | Adjustable text spacing and font size  | <ul><li>OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac</li><li>Word 2016, Word Online, Word Mac, Word for iPad</li><li>Outlook Web Access</li><li>Office Lens on iOS, Android</li></ul>  |   | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for Word for iOS, Word Online, Outlook Web Access, or Office Lens)</p>  |<p style="text-align: center;">X</p>   | <p style="text-align: center;">X</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for any OneNote apps)</p>  | 
 | Syllabification  | <ul><li>OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac</li><li>Word Online</li><li>Outlook Web Access</li></ul>  |   | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for Word for iOS, Word Online, Outlook Web Access)</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for Word iOS)</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for Word iOS)</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for any OneNote apps or Word iOS)</p>  | 
-| Parts of speech identification  | <ul><li>OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac</li><li>Word 2016, Word Online, Word Mac, Word for iOS</li><li>Outlook 2016, Outlook Web Access</li><li>Office Lens on iOS, Android</li></ul>  |   | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for Word Online, Outlook Web Access)</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(ot includingN any OneNote apps)</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for any OneNote apps)</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for any OneNote apps)</p>  | 
+| Parts of speech identification  | <ul><li>OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac</li><li>Word 2016, Word Online, Word Mac, Word for iOS</li><li>Outlook 2016, Outlook Web Access</li><li>Office Lens on iOS, Android</li></ul>  |   | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for Word Online, Outlook Web Access)</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for any OneNote apps)</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for any OneNote apps)</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for any OneNote apps)</p>  | 
 | Line focus mode  | <ul><li>Word 2016, Word Online, Word Mac, Word for iOS</li><li>Outlook 2016, Outlook Web Access</li><li>Office Lens on iOS, Android</li></ul>  |   | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for Word Online, Outlook Web Access)</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for any OneNote apps)</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for any OneNote apps)</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for any OneNote apps)</p>  | 
 | Picture Dictionary  | <ul><li>Word 2016, Word Online, Word Mac, Word for iOS</li><li>Outlook 2016, Outlook Web Access</li><li>Office Lens on iOS, Android</li></ul>  |   | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for Word Online, Outlook Web Access)</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for any OneNote apps)</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for any OneNote apps)</p>  | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for any OneNote apps)</p>  | 
 </br>

From eda252e46e8678735d766bd9d59dff4366b42805 Mon Sep 17 00:00:00 2001
From: Justin Hall <Justinha@microsoft.com>
Date: Thu, 14 Jun 2018 14:28:17 -0700
Subject: [PATCH 077/102] added new block list

---
 .../microsoft-recommended-block-rules.md      | 549 +++++++++++++++++-
 ...control-with-intelligent-security-graph.md |   4 +-
 2 files changed, 547 insertions(+), 6 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
index ae37d52989..0dbc282f16 100644
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.localizationpriority: high
 author: jsuther1974
-ms.date: 06/08/2018
+ms.date: 06/14/2018
 ---
 
 # Microsoft recommended block rules
@@ -384,7 +384,278 @@ Microsoft recommends that you block the following Microsoft-signed applications
   <Deny ID="ID_DENY_D_245" FriendlyName="PowerShell 245" Hash="4BFB3F95CA1B79DA3C6B0A2ECB432059E686F967"/> 
   <Deny ID="ID_DENY_D_246" FriendlyName="PowerShell 246" Hash="0C4688AACD02829850DE0F792AC06D3C87895412A910EA76F7F9BF31B3B4A3E9"/> 
   <Deny ID="ID_DENY_D_247" FriendlyName="PowerShell 247" Hash="6DC048AFA50B5B1B0AD7DD3125AC83D46FED730A"/> 
-  <Deny ID="ID_DENY_D_248" FriendlyName="PowerShell 248" Hash="432F666CCE8CD222484E263AE02F63E0038143DD6AD07B3EB1633CD3C498C13D"/> 
+  <Deny ID="ID_DENY_D_248" FriendlyName="PowerShell 248" Hash="432F666CCE8CD222484E263AE02F63E0038143DD6AD07B3EB1633CD3C498C13D"/>
+  <Deny ID="ID_DENY_D_287" FriendlyName="PowerShellShell 287" Hash="2B45C165F5E0BFD932397B18980BA680E2E82BD1"/>
+  <Deny ID="ID_DENY_D_288" FriendlyName="PowerShellShell 288" Hash="1DD0AD6B85DAEBAE7555DC37EA6C160EA38F75E3D4847176F77562A59025660A"/>
+  <Deny ID="ID_DENY_D_289" FriendlyName="PowerShellShell 289" Hash="A8C9E28F25C9C5F479691F2F49339F4448747638"/>
+  <Deny ID="ID_DENY_D_290" FriendlyName="PowerShellShell 290" Hash="F8FA17038CD532BF5D0D6D3AC55CE34E45EB690637D38D399CAB14B09807EB6C"/>
+  <Deny ID="ID_DENY_D_291" FriendlyName="PowerShellShell 291" Hash="4BAFD867B59328E7BB853148FE6D16B9411D7A12"/>
+  <Deny ID="ID_DENY_D_292" FriendlyName="PowerShellShell 292" Hash="D1F22B37902C2DD53FA27438436D9D236A196C10C8E492A8F4A14768644592D3"/>
+  <Deny ID="ID_DENY_D_293" FriendlyName="PowerShellShell 293" Hash="3BA0605C08935B340BEFDC83C0D92B1CE52B8348"/>
+  <Deny ID="ID_DENY_D_294" FriendlyName="PowerShellShell 294" Hash="B794B01CE561F2791D4ED3EADE523D03D2BE7B4CEFE9AAFC685ECE8ACF515ED2"/>
+  <Deny ID="ID_DENY_D_295" FriendlyName="PowerShellShell 295" Hash="8B74A22710A532A71532E4F0B1C60AABDCAA29AB"/>
+  <Deny ID="ID_DENY_D_296" FriendlyName="PowerShellShell 296" Hash="EB335007DF9897BCD2ED5C647BA724F07658E8597E73E353479201000CF2EF79"/>
+  <Deny ID="ID_DENY_D_297" FriendlyName="PowerShellShell 297" Hash="10E2CD3A2CFA0549590F740139F464626DEE2092"/>
+  <Deny ID="ID_DENY_D_298" FriendlyName="PowerShellShell 298" Hash="61DEC96B91F3F152DFDA84B28EBB184808A21C4C183CC0584C66AC7E20F0DDB6"/>
+  <Deny ID="ID_DENY_D_299" FriendlyName="PowerShellShell 299" Hash="98E84F46B3EB3AD7420C9715722145AFB0C065A7"/>
+  <Deny ID="ID_DENY_D_300" FriendlyName="PowerShellShell 300" Hash="67398990D42DFF84F8BE33B486BF492EBAF61671820BB9DCF039D1F8738EC5A4"/>
+  <Deny ID="ID_DENY_D_301" FriendlyName="PowerShellShell 301" Hash="58F399EC75708720E722FBD038F0EC089BF5A8C0"/>
+  <Deny ID="ID_DENY_D_302" FriendlyName="PowerShellShell 302" Hash="C523FFF884C44251337470870E0B158230961845FC1E953F877D515668524F2E"/>
+  <Deny ID="ID_DENY_D_303" FriendlyName="PowerShellShell 303" Hash="41EE8E9559FC0E772FC26EBA87ED4D77E60DC76C"/>
+  <Deny ID="ID_DENY_D_304" FriendlyName="PowerShellShell 304" Hash="219AD97976987C614B00C0CD1229B4245F2F1453F5AF90B907664D0BF6ADFE78"/>
+  <Deny ID="ID_DENY_D_305" FriendlyName="PowerShellShell 305" Hash="7F7E646892FCEB8D6A19647F00C1153014955C45"/>
+  <Deny ID="ID_DENY_D_306" FriendlyName="PowerShellShell 306" Hash="5825FF16398F12B4999B9A12849A757DD0884F9908220FB33E720F170DA288D5"/>
+  <Deny ID="ID_DENY_D_307" FriendlyName="PowerShellShell 307" Hash="7EA8A590583008446583F0AE7D66537FAD63619D"/>
+  <Deny ID="ID_DENY_D_308" FriendlyName="PowerShellShell 308" Hash="26DD094717B15B3D39600D909A9CAEBCF5C616C6277933BCC01326E8C475A128"/>
+  <Deny ID="ID_DENY_D_309" FriendlyName="PowerShellShell 309" Hash="5F6CDF52C1E184B080B89EB234DE179C19F110BA"/>
+  <Deny ID="ID_DENY_D_310" FriendlyName="PowerShellShell 310" Hash="41FB90606E3C66D21C703D84C943F8CB35772030B689D9A9895CB3EF7C863FB2"/>
+  <Deny ID="ID_DENY_D_311" FriendlyName="PowerShellShell 311" Hash="91C1DACBD6773BFC7F9305418A6683B8311949CF"/>
+  <Deny ID="ID_DENY_D_312" FriendlyName="PowerShellShell 312" Hash="EB678387D01938D88E6F2F46712269D54D845EB6A8AAC3FCA256DC2160D42975"/>
+  <Deny ID="ID_DENY_D_313" FriendlyName="PowerShellShell 313" Hash="A05294D23A4A7DC91692013C0EC4373598A28B21"/>
+  <Deny ID="ID_DENY_D_314" FriendlyName="PowerShellShell 314" Hash="ABEEA4903403D2C07489436E59955ECFEEF893C63D1FDBED234343F6A6D472B1"/>
+  <Deny ID="ID_DENY_D_315" FriendlyName="PowerShellShell 315" Hash="B155C278617845EC6318E4009E4CED6639FAB951"/>
+  <Deny ID="ID_DENY_D_316" FriendlyName="PowerShellShell 316" Hash="59549FEEB4D64BA3AF50F925FECC8107422D3F54AF6106E5B0152B2F50912980"/>
+  <Deny ID="ID_DENY_D_317" FriendlyName="PowerShellShell 317" Hash="465D848F11CECE4452E831D248D326360B73A319"/>
+  <Deny ID="ID_DENY_D_318" FriendlyName="PowerShellShell 318" Hash="B9C9F208C6E50AABF91D234227D09D7C6CAB2FDB229163103E7C1F541F71C213"/>
+  <Deny ID="ID_DENY_D_319" FriendlyName="PowerShellShell 319" Hash="F0B9D75B53A268C0AC30584738C3A5EC33420A2E"/>
+  <Deny ID="ID_DENY_D_320" FriendlyName="PowerShellShell 320" Hash="365A7812DFC448B1FE9CEA83CF55BC62189C4E72BAD84276BD5F1DAB47CB3EFF"/>
+  <Deny ID="ID_DENY_D_321" FriendlyName="PowerShellShell 321" Hash="8ADCDD18EB178B6A43CF5E11EC73212C90B91988"/>
+  <Deny ID="ID_DENY_D_322" FriendlyName="PowerShellShell 322" Hash="51BD119BE2FBEFEC560F618DBBBB8203A251F455B1DF825F37B1DFFDBE120DF2"/>
+  <Deny ID="ID_DENY_D_323" FriendlyName="PowerShellShell 323" Hash="D2011097B6038D8507B26B7618FF07DA0FF01234"/>
+  <Deny ID="ID_DENY_D_324" FriendlyName="PowerShellShell 324" Hash="BA3D20A577F355612E53428D573767C48A091AE965FCB30CC348619F1CB85A02"/>
+  <Deny ID="ID_DENY_D_325" FriendlyName="PowerShellShell 325" Hash="57ABBC8E2FE88E04C57CDDD13D58C9CE03455D25"/>
+  <Deny ID="ID_DENY_D_326" FriendlyName="PowerShellShell 326" Hash="0280C4714BC806BFC1863BE9E84D38F203942DD35C6AF2EB96958FD011E4D23D"/>
+  <Deny ID="ID_DENY_D_327" FriendlyName="PowerShellShell 327" Hash="DEB07053D6059B56109DFF885720D5721EB0F55C"/>
+  <Deny ID="ID_DENY_D_328" FriendlyName="PowerShellShell 328" Hash="E374A14871C35DB57D6D67281C16F5F9EF77ABE248DE92C1A937C6526133FA36"/>
+  <Deny ID="ID_DENY_D_329" FriendlyName="PowerShellShell 329" Hash="AC33BA432B35A662E2D9D015D6283308FD046251"/>
+  <Deny ID="ID_DENY_D_330" FriendlyName="PowerShellShell 330" Hash="93B22B0D5369327247DF491AABD3CE78421D0D68FE8A3931E0CDDF5F858D3AA7"/>
+  <Deny ID="ID_DENY_D_331" FriendlyName="PowerShellShell 331" Hash="05126413310F4A1BA2F7D2AD3305E2E3B6A1B00D"/>
+  <Deny ID="ID_DENY_D_332" FriendlyName="PowerShellShell 332" Hash="108A73F4AE78786C9955ED71EFD916465A36175F8DC85FD82DDA6410FBFCDB52"/>
+  <Deny ID="ID_DENY_D_333" FriendlyName="PowerShellShell 333" Hash="B976F316FB5EE6E5A325320E7EE5FBF487DA9CE5"/>
+  <Deny ID="ID_DENY_D_334" FriendlyName="PowerShellShell 334" Hash="D54CCD405D3E904CAECA3A6F7BE1737A9ACE20F7593D0F6192B811EF17744DD6"/>
+  <Deny ID="ID_DENY_D_335" FriendlyName="PowerShellShell 335" Hash="F3471DBF534995307AEA230D228BADFDCA9E4021"/>
+  <Deny ID="ID_DENY_D_336" FriendlyName="PowerShellShell 336" Hash="2048F33CCD924D224154307C28DDC6AC1C35A1859F118AB2B6536FB954FC44EF"/>
+  <Deny ID="ID_DENY_D_337" FriendlyName="PowerShellShell 337" Hash="1FAC9087885C2FEBD7F57CC9AACE8AF94294C8FB"/>
+  <Deny ID="ID_DENY_D_338" FriendlyName="PowerShellShell 338" Hash="942E0D0BA5ECBF64A3B2D0EA1E08C793712A4C89BC1BC3B6C32A419AE38FACC1"/>
+  <Deny ID="ID_DENY_D_339" FriendlyName="PowerShellShell 339" Hash="5B67EE19AA7E4B42E58127A63520D44A0679C6CE"/>
+  <Deny ID="ID_DENY_D_340" FriendlyName="PowerShellShell 340" Hash="2B6A59053953737D345B97FA1AFB23C379809D1532BAF31E710E48ED7FA2D735"/>
+  <Deny ID="ID_DENY_D_341" FriendlyName="PowerShellShell 341" Hash="1ABC67650B169E7C437853922805706D488EEEA2"/>
+  <Deny ID="ID_DENY_D_342" FriendlyName="PowerShellShell 342" Hash="754CA97A95464F1A1687C83AE3ECC6670B80A50503067DEBF6135077C886BCF4"/>
+  <Deny ID="ID_DENY_D_343" FriendlyName="PowerShellShell 343" Hash="0E280FF775F406836985ECA66BAA9BA17D12E38B"/>
+  <Deny ID="ID_DENY_D_344" FriendlyName="PowerShellShell 344" Hash="19C9A6D1AE90AEA163E35930FAB1B57D3EC78CA5FE192D6E510CED2DAB5DD03B"/>
+  <Deny ID="ID_DENY_D_345" FriendlyName="PowerShellShell 345" Hash="4E6081C3BBB2809C417E2D03412E29FF7317DA54"/>
+  <Deny ID="ID_DENY_D_346" FriendlyName="PowerShellShell 346" Hash="3AE4505A552EA04C7664C610E81172CA329981BF53ECC6758C03357EB653F5D1"/>
+  <Deny ID="ID_DENY_D_347" FriendlyName="PowerShellShell 347" Hash="61BED1C7CD54B2F60923D26CD2F6E48C063AFED5"/>
+  <Deny ID="ID_DENY_D_348" FriendlyName="PowerShellShell 348" Hash="9405CBE91B7519290F90577DCCF5796C514746DE6390322C1624BA258D284EE9"/>
+  <Deny ID="ID_DENY_D_349" FriendlyName="PowerShellShell 349" Hash="63AA55C3B46EFAFC8625F8D5562AB504E4CBB78F"/>
+  <Deny ID="ID_DENY_D_350" FriendlyName="PowerShellShell 350" Hash="FF54885D30A13008D60F6D0B96CE802209C89A2A7D9D86A85804E66B6DE29A5D"/>
+  <Deny ID="ID_DENY_D_351" FriendlyName="PowerShellShell 351" Hash="20845E4440DA2D9AB3559D4B6890691CACD0E93E"/>
+  <Deny ID="ID_DENY_D_352" FriendlyName="PowerShellShell 352" Hash="3C9098C4BFD818CE8CFA130F6E6C90876B97D57ABBEAFABB565C487F1DD33ECC"/>
+  <Deny ID="ID_DENY_D_353" FriendlyName="PowerShellShell 353" Hash="4A473F14012EB9BF7DCEA80B86C2612A6D9D914E"/>
+  <Deny ID="ID_DENY_D_354" FriendlyName="PowerShellShell 354" Hash="1C6914B58F70A9860F67311C32258CD9072A367BF30203DA9D8C48188D888E65"/>
+  <Deny ID="ID_DENY_D_355" FriendlyName="PowerShellShell 355" Hash="641871FD5D9875DB75BFC58B7B53672D2C645F01"/>
+  <Deny ID="ID_DENY_D_356" FriendlyName="PowerShellShell 356" Hash="C115A974DD2C56574E93A4800247A23B98B9495F6EF41460D1EC139266A2484D"/>
+  <Deny ID="ID_DENY_D_357" FriendlyName="PowerShellShell 357" Hash="A21E254C18D3D53B832AD381FF58B36E6737FFB6"/>
+  <Deny ID="ID_DENY_D_358" FriendlyName="PowerShellShell 358" Hash="D214AF2AD9204118EB670D08D80D4CB9FFD74A978726240360C35AD5A57F8E7D"/>
+  <Deny ID="ID_DENY_D_359" FriendlyName="PowerShellShell 359" Hash="102B072F29122BC3A89B924987A7BF1AC3C598DB"/>
+  <Deny ID="ID_DENY_D_360" FriendlyName="PowerShellShell 360" Hash="DA444773FE7AD8309FA9A0ABCDD63B302E6FC91E750903843FBA2A7F370DB0C0"/>
+  <Deny ID="ID_DENY_D_361" FriendlyName="PowerShellShell 361" Hash="EAD58EBB00001E678B9698A209308CC7406E1BCC"/>
+  <Deny ID="ID_DENY_D_362" FriendlyName="PowerShellShell 362" Hash="34A5F48629F9FDAEBAB9468EF7F1683EFA856AAD32E3C0CC0F92B5641D722EDC"/>
+  <Deny ID="ID_DENY_D_363" FriendlyName="PowerShellShell 363" Hash="727EDB00C15DC5D3C14368D88023FDD5A74C0B06"/>
+  <Deny ID="ID_DENY_D_364" FriendlyName="PowerShellShell 364" Hash="5720BEE5CBE7D724B67E07C53E22FB869F8F9B1EB95C4F71D61D240A1ED8D8AD"/>
+  <Deny ID="ID_DENY_D_365" FriendlyName="PowerShellShell 365" Hash="A43137EC82721A81C3E05DC5DE74F0549DE6A130"/>
+  <Deny ID="ID_DENY_D_366" FriendlyName="PowerShellShell 366" Hash="1731118D97F278C18E2C6922A016DA7C55970C6C4C5441710D1B0464EED6EAEB"/>
+  <Deny ID="ID_DENY_D_367" FriendlyName="PowerShellShell 367" Hash="17EC94CB9BF98E605F9352987CA33DCE8F5733CD"/>
+  <Deny ID="ID_DENY_D_368" FriendlyName="PowerShellShell 368" Hash="AFE0CC143108BBDBE60771B6894406785C471BA5730F06EE8185D0A71617B583"/>
+  <Deny ID="ID_DENY_D_369" FriendlyName="PowerShellShell 369" Hash="F6E9C098737F0905E53B92D4AD49C199EC76D24B"/>
+  <Deny ID="ID_DENY_D_370" FriendlyName="PowerShellShell 370" Hash="50A57BFCD20380DDEFD2A717D7937D49380D4D5931CC6CC403C904139546CB1D"/>
+  <Deny ID="ID_DENY_D_371" FriendlyName="PowerShellShell 371" Hash="2118ACC512464EE95946F064560C15C58341B80C"/>
+  <Deny ID="ID_DENY_D_372" FriendlyName="PowerShellShell 372" Hash="005990EE785C1CA7EAEC82DA29F5B363049DC117A18823D83C10B86B5E8D0A5F"/>
+  <Deny ID="ID_DENY_D_373" FriendlyName="PowerShellShell 373" Hash="54FAE3A389FDD2F5C21293D2317E87766AF0473D"/>
+  <Deny ID="ID_DENY_D_374" FriendlyName="PowerShellShell 374" Hash="70F4E503D7484DF5B5F73D9A753E585BFADB8B8EBA42EB482B6A66DB17C87881"/>
+  <Deny ID="ID_DENY_D_375" FriendlyName="PowerShellShell 375" Hash="B4831AF4B25527EF0C172DAA5E4CA26DE105D30B"/>
+  <Deny ID="ID_DENY_D_376" FriendlyName="PowerShellShell 376" Hash="D410A37042A2DC53AD1801EBB2EF507B4AE475870522A298567B79DA61C3E9C8"/>
+  <Deny ID="ID_DENY_D_377" FriendlyName="PowerShellShell 377" Hash="85BBC0CDC34BD5A56113B0DCB6795BCEBADE63FA"/>
+  <Deny ID="ID_DENY_D_378" FriendlyName="PowerShellShell 378" Hash="C6F8E3A3F2C513CEDD2F21D486BF0116BAF2E2EE4D631A9BE4760860B1161848"/>
+  <Deny ID="ID_DENY_D_379" FriendlyName="PowerShellShell 379" Hash="46105ACE7ABEC3A6E6226183F2F7F8E90E3639A5"/>
+  <Deny ID="ID_DENY_D_380" FriendlyName="PowerShellShell 380" Hash="F60BE088F226CA1E2308099C3B1C2A54DB4C41D2BE678504D03547B9E1E023F6"/>
+  <Deny ID="ID_DENY_D_381" FriendlyName="PowerShellShell 381" Hash="C9478352ACE4BE6D6B70BBE710C2E2128FEFC7FE"/>
+  <Deny ID="ID_DENY_D_382" FriendlyName="PowerShellShell 382" Hash="F4A81E7D4BD3B8762FAED760047877E06E40EC991D968BD6A6929B848804C1A4"/>
+  <Deny ID="ID_DENY_D_383" FriendlyName="PowerShellShell 383" Hash="9E56E910919FF65BCCF5D60A8F9D3EBE27EF1381"/>
+  <Deny ID="ID_DENY_D_384" FriendlyName="PowerShellShell 384" Hash="34887B225444A18158B632CAEA4FEF6E7D691FEA3E36C12D4152AFAB260668EB"/>
+  <Deny ID="ID_DENY_D_385" FriendlyName="PowerShellShell 385" Hash="1FD04D4BD5F9E41FA8278F3F9B05FE8702ADB4C8"/>
+  <Deny ID="ID_DENY_D_386" FriendlyName="PowerShellShell 386" Hash="6586176AEBE8307829A1E03D878EF6F500E8C5032E50198DF66F54D3B56EA718"/>
+  <Deny ID="ID_DENY_D_387" FriendlyName="PowerShellShell 387" Hash="DEBC3DE2AD99FC5E885A358A6994E6BD39DABCB0"/>
+  <Deny ID="ID_DENY_D_388" FriendlyName="PowerShellShell 388" Hash="FDF54A4A3089062FFFA4A41FEBF38F0ABC9D502B57749348DF6E78EA2A33DDEA"/>
+  <Deny ID="ID_DENY_D_389" FriendlyName="PowerShellShell 389" Hash="6AA06D07D9DE8FE7E13B66EDFA07232B56F7E21D"/>
+  <Deny ID="ID_DENY_D_390" FriendlyName="PowerShellShell 390" Hash="DD3E74CFB8ED64FA5BE9136C305584CD2E529D92B360651DD06A6DC629E23449"/>
+  <Deny ID="ID_DENY_D_391" FriendlyName="PowerShellShell 391" Hash="5C858042246FDDDB281C1BFD2FEFC9BAABC3F7AD"/>
+  <Deny ID="ID_DENY_D_392" FriendlyName="PowerShellShell 392" Hash="20E65B1BE06A99507412FC0E75D158EE1D9D43AE5F492BE4A87E3AA29A148310"/>
+  <Deny ID="ID_DENY_D_393" FriendlyName="PowerShellShell 393" Hash="2ABCD0525D31D4BB2D0131364FBE1D94A02A3E2A"/>
+  <Deny ID="ID_DENY_D_394" FriendlyName="PowerShellShell 394" Hash="806EC87F1EFA428627989318C882CD695F55F60A1E865C621C9F2B14E4E1FC2E"/>
+  <Deny ID="ID_DENY_D_395" FriendlyName="PowerShellShell 395" Hash="E2967D755D0F79FA8EA7A8585106926CA87F89CB"/>
+  <Deny ID="ID_DENY_D_396" FriendlyName="PowerShellShell 396" Hash="07382BE9D8ACBAFDA953C842BAAE600A82A69183D6B63F91B061671C4AF9434B"/>
+  <Deny ID="ID_DENY_D_397" FriendlyName="PowerShellShell 397" Hash="75EF6F0B78098FB1766DCC853E004476033499CF"/>
+  <Deny ID="ID_DENY_D_398" FriendlyName="PowerShellShell 398" Hash="699A9D17E1247F05767E82BFAFBD96DBE07AE521E23D39613D4A39C3F8CF4971"/>
+  <Deny ID="ID_DENY_D_399" FriendlyName="PowerShellShell 399" Hash="E73178C487AF6B9F182B2CCA25774127B0303093"/>
+  <Deny ID="ID_DENY_D_400" FriendlyName="PowerShellShell 400" Hash="0BD1FE62BE97032ADDAAB41B445D00103302D3CE8A03A798A36FEAA0F89939FF"/>
+  <Deny ID="ID_DENY_D_401" FriendlyName="PowerShellShell 401" Hash="EBF20FEECA95F83B9F5C22B97EB44DD7EB2C7B5F"/>
+  <Deny ID="ID_DENY_D_402" FriendlyName="PowerShellShell 402" Hash="B5AE0EAA5AF4245AD9B37C8C1FC5220081B92A13950C54D82E824D2D3B840A7C"/>
+  <Deny ID="ID_DENY_D_403" FriendlyName="PowerShellShell 403" Hash="5E53A4235DC549D0195A9DDF607288CEDE7BF115"/>
+  <Deny ID="ID_DENY_D_404" FriendlyName="PowerShellShell 404" Hash="FE57195757977E4485BF5E5D72A24EA65E33F8EAA7245381453960D5646FAF58"/>
+  <Deny ID="ID_DENY_D_405" FriendlyName="PowerShellShell 405" Hash="014BC30E1FC12F270824F01DC7C934497A573124"/>
+  <Deny ID="ID_DENY_D_406" FriendlyName="PowerShellShell 406" Hash="65B3B357C356DAE26E5B036820C193989C0F9E8E08131B3186F9443FF9A511E4"/>
+  <Deny ID="ID_DENY_D_407" FriendlyName="PowerShellShell 407" Hash="128D7D03E4B85DBF95427D72EFF833DAB5E92C33"/>
+  <Deny ID="ID_DENY_D_408" FriendlyName="PowerShellShell 408" Hash="EACFC615FDE29BD858088AF42E0917E4B4CA5991EFB4394FB3129735D7299235"/>
+  <Deny ID="ID_DENY_D_409" FriendlyName="PowerShellShell 409" Hash="C7D70B96440D215173F35412D56CF9329886D8D3"/>
+  <Deny ID="ID_DENY_D_410" FriendlyName="PowerShellShell 410" Hash="B00C54F1AA77D88335675EAF07ED834E68FD96DD7606914C2867F9C506AB0A56"/>
+  <Deny ID="ID_DENY_D_411" FriendlyName="PowerShellShell 411" Hash="8287B536E8E63F024DE1248D0FE3E6A759E9ACEE"/>
+  <Deny ID="ID_DENY_D_412" FriendlyName="PowerShellShell 412" Hash="B714D4A700A56BC1D4B3F59DFC1F5835CB97CBEF3927523BF71AF96B00F0FFA4"/>
+  <Deny ID="ID_DENY_D_413" FriendlyName="PowerShellShell 413" Hash="6BC1E70F0EA84E88AC28BEAF74C10F3ABDF99209"/>
+  <Deny ID="ID_DENY_D_414" FriendlyName="PowerShellShell 414" Hash="93CB3907D1A9473E8A90593250C4A95EAE3A7066E9D8A57535CBDF82AA4AD4C2"/>
+  <Deny ID="ID_DENY_D_415" FriendlyName="PowerShellShell 415" Hash="AC9F095DD4AE80B124F55541761AA1F35E49A575"/>
+  <Deny ID="ID_DENY_D_416" FriendlyName="PowerShellShell 416" Hash="0D8A0FB3BF3CF80D44ED20D9F1E7292E9EE5A49ABCE68592DED55A71B0ACAECE"/>
+  <Deny ID="ID_DENY_D_417" FriendlyName="PowerShellShell 417" Hash="3C7265C3393C585D32E509B2D2EC048C73AC5EE6"/>
+  <Deny ID="ID_DENY_D_418" FriendlyName="PowerShellShell 418" Hash="7F1E03E956CA38CC0C491CB958D6E61A52491269CDB363BC488B525F80C56424"/>
+  <Deny ID="ID_DENY_D_419" FriendlyName="PowerShellShell 419" Hash="89CEAB6518DA4E7F75B3C75BC04A112D3637B737"/>
+  <Deny ID="ID_DENY_D_420" FriendlyName="PowerShellShell 420" Hash="6581E491FBFF954A1A4B9CEA69B63951D67EB56DF871ED8B055193595F042B0D"/>
+  <Deny ID="ID_DENY_D_421" FriendlyName="PowerShellShell 421" Hash="4BFB3F95CA1B79DA3C6B0A2ECB432059E686F967"/>
+  <Deny ID="ID_DENY_D_422" FriendlyName="PowerShellShell 422" Hash="0C4688AACD02829850DE0F792AC06D3C87895412A910EA76F7F9BF31B3B4A3E9"/>
+  <Deny ID="ID_DENY_D_423" FriendlyName="PowerShellShell 423" Hash="BDBE541D269EC8235563842D024F9E37883DFB57"/>
+  <Deny ID="ID_DENY_D_424" FriendlyName="PowerShellShell 424" Hash="441076C7FD0AD481E6AC3198F08BE80EA9EB2926CA81D733F798D03DBEFD683E"/>
+  <Deny ID="ID_DENY_D_425" FriendlyName="PowerShellShell 425" Hash="BDB3DAC80667A0B931835D5D658C08F236B413D1"/>
+  <Deny ID="ID_DENY_D_426" FriendlyName="PowerShellShell 426" Hash="51287BACB692AAC5A8659774D982B304DC0C0B4A4D8F41CBCCD47D69796786DE"/>
+  <Deny ID="ID_DENY_D_427" FriendlyName="PowerShellShell 427" Hash="EA157E01147629D1F59503D8335FB6EBC688B2C1"/>
+  <Deny ID="ID_DENY_D_428" FriendlyName="PowerShellShell 428" Hash="14C160DF95736EC1D7C6C55B9D0F81832E8FE0DB6C5931B23E45A559995A1000"/>
+  <Deny ID="ID_DENY_D_429" FriendlyName="PowerShellShell 429" Hash="272EF88BBA9B4B54D242FFE1E96D07DBF53497A0"/>
+  <Deny ID="ID_DENY_D_430" FriendlyName="PowerShellShell 430" Hash="AFC0968EDCE9E5FC1BC392382833EBEF3265B32D3ECBB529D89A1DF33A31E9BD"/>
+  <Deny ID="ID_DENY_D_431" FriendlyName="PowerShellShell 431" Hash="029198F05598109037A0E9E332EC052317E834DA"/>
+  <Deny ID="ID_DENY_D_432" FriendlyName="PowerShellShell 432" Hash="70B4BB6C2B7E9237FB14ABBC94955012285E2CAA74F91455EE52809CDAD4E7FC"/>
+  <Deny ID="ID_DENY_D_433" FriendlyName="PowerShellShell 433" Hash="5B8E45EECA32C2F0968C2252229D768B0DB796A0"/>
+  <Deny ID="ID_DENY_D_434" FriendlyName="PowerShellShell 434" Hash="B4D336B32C27E3D3FEBE4B06252DDE9683814E7E903C98448972AAB7389DFC02"/>
+  <Deny ID="ID_DENY_D_435" FriendlyName="PowerShellShell 435" Hash="6792915D3C837A39BD04AD169488009BB1EA372C"/>
+  <Deny ID="ID_DENY_D_436" FriendlyName="PowerShellShell 436" Hash="23B10EC5FC7EAEB9F8D147163463299328FAED4B973BB862ECD3F28D6794DA9D"/>
+  <Deny ID="ID_DENY_D_437" FriendlyName="PowerShellShell 437" Hash="EC41A3FB8D6E3B0F55F6583C14C45B6238753019"/>
+  <Deny ID="ID_DENY_D_438" FriendlyName="PowerShellShell 438" Hash="76CA6B396796351685198D6189E865AFD7FB9E6C5CEFA9EA0B5F0A9F1FC98D57"/>
+  <Deny ID="ID_DENY_D_439" FriendlyName="PowerShellShell 439" Hash="A15964475D213FB752B42E7DCDDBF4B14D623D14"/>
+  <Deny ID="ID_DENY_D_440" FriendlyName="PowerShellShell 440" Hash="61A68B436D828193E0C7B44D2AF83D22A9CB557B90186E4E6AC998CE5E3BFE8A"/>
+  <Deny ID="ID_DENY_D_441" FriendlyName="PowerShellShell 441" Hash="24F9CF6C5E9671A295AD0DEED74737FB6E9146DE"/>
+  <Deny ID="ID_DENY_D_442" FriendlyName="PowerShellShell 442" Hash="C2E862CC578F54A53496EEE2DCB534A106AFD55C7288362AF6499B45F8D8755E"/>
+  <Deny ID="ID_DENY_D_443" FriendlyName="PowerShellShell 443" Hash="F87C726CCB5E64C6F363C21255935D5FEA9E4A0E"/>
+  <Deny ID="ID_DENY_D_444" FriendlyName="PowerShellShell 444" Hash="B7B42C3C8C61FD2616C16BBCF36EA15EC26A67536E94764D72A91CE04B89AAA4"/>
+  <Deny ID="ID_DENY_D_445" FriendlyName="PowerShellShell 445" Hash="4EB2C3A4B551FC028E00F2E7DA9D0F1E38728571"/>
+  <Deny ID="ID_DENY_D_446" FriendlyName="PowerShellShell 446" Hash="30EAC589069FB79D540080B04B7FDBB8A9B1DF4E96B9D7C98519E49A1ED56851"/>
+  <Deny ID="ID_DENY_D_447" FriendlyName="PowerShellShell 447" Hash="2DF4350DE3C97C9D4FD2973F8C5EA8AE621D22A8"/>
+  <Deny ID="ID_DENY_D_448" FriendlyName="PowerShellShell 448" Hash="015CE571E8503A353E2250D4D0DA19493B3311F3437527E6DDD2D2B6439FA2EB"/>
+  <Deny ID="ID_DENY_D_449" FriendlyName="PowerShellShell 449" Hash="993425279D204D1D14C3EB989DEB4805ADC558CF"/>
+  <Deny ID="ID_DENY_D_450" FriendlyName="PowerShellShell 450" Hash="BDADDD710E47EB8D24B78E542F3996B0EA2CA577ABD515785819302DB15839DD"/>
+  <Deny ID="ID_DENY_D_451" FriendlyName="PowerShellShell 451" Hash="1A16008D330330182AA555B1D3E9BE0B2D6BECBF"/>
+  <Deny ID="ID_DENY_D_452" FriendlyName="PowerShellShell 452" Hash="D7685E259D0328937487856A3AB68B6D9D420DD4E02541F4D71164DFA65B4644"/>
+  <Deny ID="ID_DENY_D_453" FriendlyName="PowerShellShell 453" Hash="2CB781B3BD79FD277D92332ACA22C04430F9D692"/>
+  <Deny ID="ID_DENY_D_454" FriendlyName="PowerShellShell 454" Hash="92AE03F0090C0A5DF329B4B3FFEDBA622B0521BA699FA303C24120A30ED4C9E6"/>
+  <Deny ID="ID_DENY_D_455" FriendlyName="PowerShellShell 455" Hash="BA4B3A92123FBCE66398020AFBCC0BCA1D1AAAD7"/>
+  <Deny ID="ID_DENY_D_456" FriendlyName="PowerShellShell 456" Hash="D8D361E3690676C7FDC483003BFC5C0C39FB16B42DFC881FB8D42A1064740B0B"/>
+  <Deny ID="ID_DENY_D_457" FriendlyName="PowerShellShell 457" Hash="D5A9460A941FB5B49EAFDD57575CFB23F27779D3"/>
+  <Deny ID="ID_DENY_D_458" FriendlyName="PowerShellShell 458" Hash="4BDAAC1654328E4D37B6ED89DA351155438E558F51458F2129AFFAC5B596CD61"/>
+  <Deny ID="ID_DENY_D_459" FriendlyName="PowerShellShell 459" Hash="3E5294910C59394DA93962128968E6C23016A028"/>
+  <Deny ID="ID_DENY_D_460" FriendlyName="PowerShellShell 460" Hash="DA700D4F58BCEA1D5A9CAD4F20AC725C6A354F9DA40E4F8F95E1C3DC7B84F550"/>
+  <Deny ID="ID_DENY_D_461" FriendlyName="PowerShellShell 461" Hash="C30355B5E6FA3F793A3CC0A649945829723DD85C"/>
+  <Deny ID="ID_DENY_D_462" FriendlyName="PowerShellShell 462" Hash="4EB14099165177F0F3A1FACE32E72CF2DD221DB44155E73AFF94CB7DA195EF22"/>
+  <Deny ID="ID_DENY_D_463" FriendlyName="PowerShellShell 463" Hash="C647D17850941CFB5B9C8AF49A48569B52230274"/>
+  <Deny ID="ID_DENY_D_464" FriendlyName="PowerShellShell 464" Hash="0BCBDE8791E3D6D7A7C8FC6F25E14383014E6B43D9720A04AF0BD4BDC37F79E0"/>
+  <Deny ID="ID_DENY_D_465" FriendlyName="PowerShellShell 465" Hash="CA6E0BAB6B28E1592D0FC5940023C7A81E2568F8"/>
+  <Deny ID="ID_DENY_D_466" FriendlyName="PowerShellShell 466" Hash="366E00E2F517D4D404133AEFEF6F917DFA156E3E46D350A8CBBE59BE1FB877A2"/>
+  <Deny ID="ID_DENY_D_467" FriendlyName="PowerShellShell 467" Hash="7D9FFFA86DDCD227A3B4863D995456308BAC2403"/>
+  <Deny ID="ID_DENY_D_468" FriendlyName="PowerShellShell 468" Hash="4439BBF61DC012AFC8190199AF5722C3AE26F365DEE618D0D945D75FD1AABF3C"/>
+  <Deny ID="ID_DENY_D_469" FriendlyName="PowerShellShell 469" Hash="8FFDD4576F2B6D4999326CFAF67727BFB471FA21"/>
+  <Deny ID="ID_DENY_D_470" FriendlyName="PowerShellShell 470" Hash="94630AB6F60A7193A6E27E312AF9B71DA265D42AD49465F4EEA11EBF134BA54A"/>
+  <Deny ID="ID_DENY_D_471" FriendlyName="PowerShellShell 471" Hash="78B8454F78E216B629E43B4E40765F73BFE0D6C6"/>
+  <Deny ID="ID_DENY_D_472" FriendlyName="PowerShellShell 472" Hash="498BB1688410EE243D61FB5C7B37457FA6C0A9A32D136AF70FAD43D5F37D7A81"/>
+  <Deny ID="ID_DENY_D_473" FriendlyName="PowerShellShell 473" Hash="B1CF2A18B281F73FE6685B5CE74D1BA50BE9AFE5"/>
+  <Deny ID="ID_DENY_D_474" FriendlyName="PowerShellShell 474" Hash="095B79953F9E3E2FB721693FBFAD5841112D592B6CA7EB2055B262DEB7C7008A"/>
+  <Deny ID="ID_DENY_D_475" FriendlyName="PowerShellShell 475" Hash="8AF579DE1D7E590A13BD1DAE5BFDB39476068A05"/>
+  <Deny ID="ID_DENY_D_476" FriendlyName="PowerShellShell 476" Hash="9917A3055D194F47AB295FA3F917E4BD2F08DDF45C04C65C591A020E1507A573"/>
+  <Deny ID="ID_DENY_D_477" FriendlyName="PowerShellShell 477" Hash="DD64046BAB221CF4110FF230FA5060310A4D9610"/>
+  <Deny ID="ID_DENY_D_478" FriendlyName="PowerShellShell 478" Hash="A55AF37229D7E249C8CAFED3432E595AA77FAF8B62990C07938220E957679081"/>
+  <Deny ID="ID_DENY_D_479" FriendlyName="PowerShellShell 479" Hash="421D1142105358B8360454E43FD15767DA111DBA"/>
+  <Deny ID="ID_DENY_D_480" FriendlyName="PowerShellShell 480" Hash="692CABD40C1EDFCB6DC50591F31FAE30848E579D6EF4D2CA0811D06B086CF8BE"/>
+  <Deny ID="ID_DENY_D_481" FriendlyName="PowerShellShell 481" Hash="720D826A84284E18E0003526A0CD9B7FF0C4A98A"/>
+  <Deny ID="ID_DENY_D_482" FriendlyName="PowerShellShell 482" Hash="CB5DF9D0D25571948C3D257882E07C7FA5E768448E0DEBF637E110F9FF575808"/>
+  <Deny ID="ID_DENY_D_483" FriendlyName="PowerShellShell 483" Hash="2F587293F16DFCD06F3BF8B8348FF68827ECD307"/>
+  <Deny ID="ID_DENY_D_484" FriendlyName="PowerShellShell 484" Hash="B2F4A5FE21D5961F464CAB3E88C0ED88154B0C1A422629474AD5C9EDC11880B6"/>
+  <Deny ID="ID_DENY_D_485" FriendlyName="PowerShellShell 485" Hash="6DC048AFA50B5B1B0AD7DD3125AC83D46FED730A"/>
+  <Deny ID="ID_DENY_D_486" FriendlyName="PowerShellShell 486" Hash="432F666CCE8CD222484E263AE02F63E0038143DD6AD07B3EB1633CD3C498C13D"/>
+  <Deny ID="ID_DENY_D_487" FriendlyName="PowerShellShell 487" Hash="CD9D9789B3B31562C4BE44B6BEEA8815C5EDAE1F"/>
+  <Deny ID="ID_DENY_D_488" FriendlyName="PowerShellShell 488" Hash="FCAF8DC3C7A5D3B29B19A9C5F89324BF65B50C440AC0316B08532CEA2F1FF9B0"/>
+  <Deny ID="ID_DENY_D_489" FriendlyName="PowerShellShell 489" Hash="4F5D66B449C4D2FDEA532F9B5DBECA5ACA8195EF"/>
+  <Deny ID="ID_DENY_D_490" FriendlyName="PowerShellShell 490" Hash="39F2F19A5C6708CE8CE4E1ABBEBA8D3D1A6220391CA86B2D319E347B46005C97"/>
+  <Deny ID="ID_DENY_D_491" FriendlyName="PowerShellShell 491" Hash="A4390EF2D77F76DC4EFE55FF74EE1D06C303FDAE"/>
+  <Deny ID="ID_DENY_D_492" FriendlyName="PowerShellShell 492" Hash="3246A0CB329B030DA104E04B1A0728DE83724B08C724FD0238CE4578A0245576"/>
+  <Deny ID="ID_DENY_D_493" FriendlyName="PowerShellShell 493" Hash="E180486F0CC90AF4FB8283ADCF571884894513C8"/>
+  <Deny ID="ID_DENY_D_494" FriendlyName="PowerShellShell 494" Hash="3800E38275E6BB3B4645CDAD14CD756239BB9A87EF261DC1B68072B6DB2850C0"/>
+  <Deny ID="ID_DENY_D_495" FriendlyName="PowerShellShell 495" Hash="AC53AE4C8AB56D84393D67D820BEBDC3218739D3"/>
+  <Deny ID="ID_DENY_D_496" FriendlyName="PowerShellShell 496" Hash="49580C9459C3917E6F982C8E0D753D293DFA2E4FD1152F78FF7C73CF8B422507"/>
+  <Deny ID="ID_DENY_D_497" FriendlyName="PowerShellShell 497" Hash="00419E981EDC8613E600C939677F7B460855BF7E"/>
+  <Deny ID="ID_DENY_D_498" FriendlyName="PowerShellShell 498" Hash="61B724BCFC3DA1CC1583DB0BC42EFE166E92D8D3CE91E58A29F7AEBEFAE2149F"/>
+  <Deny ID="ID_DENY_D_499" FriendlyName="PowerShellShell 499" Hash="25F52340199A0EA352C8B1A7014BCB610B232523"/>
+  <Deny ID="ID_DENY_D_500" FriendlyName="PowerShellShell 500" Hash="64D6D1F3A053908C5635BD6BDA36BC8E72D518C7ECE8DA761C0DDE70C50BB632"/>
+  <Deny ID="ID_DENY_D_501" FriendlyName="PowerShellShell 501" Hash="F4DB0CDF3A3FD163A9B90789CC6D14D326AD609C"/>
+  <Deny ID="ID_DENY_D_502" FriendlyName="PowerShellShell 502" Hash="5D249D8366077713024552CA8D08F164E975AFF89E8909E35A43F02B0DC66F70"/>
+  <Deny ID="ID_DENY_D_503" FriendlyName="PowerShellShell 503" Hash="231A02EAB7EB192638BC89AB61A5077346FF22B9"/>
+  <Deny ID="ID_DENY_D_504" FriendlyName="PowerShellShell 504" Hash="4D544170DE5D9916678EA43A7C6F796FC02EFA9197C6E0C01A1D832BF554F748"/>
+  <Deny ID="ID_DENY_D_505" FriendlyName="PowerShellShell 505" Hash="A9745E20419EC1C90B23FE965D3C2DF028AF39DC"/>
+  <Deny ID="ID_DENY_D_506" FriendlyName="PowerShellShell 506" Hash="71B5B58EAA0C90397BC9546BCCA8C657500499CD2087CD7D7E1753D54C07E71D"/>
+  <Deny ID="ID_DENY_D_507" FriendlyName="PowerShellShell 507" Hash="15EF1F7DBC474732E122A0147640ACBD9DA1775C"/>
+  <Deny ID="ID_DENY_D_508" FriendlyName="PowerShellShell 508" Hash="04724BF232D5F169FBB0DB6821E35D772619FB4F24069BE0EC571BA622ACC4D2"/>
+  <Deny ID="ID_DENY_D_509" FriendlyName="PowerShellShell 509" Hash="7959AB2B34A5F490AD54782D135BF155592DF13F"/>
+  <Deny ID="ID_DENY_D_510" FriendlyName="PowerShellShell 510" Hash="DD03CD6B5655B4EB9DD259F26E1585389804C23DB39C10122B6BC0E8886B4C2A"/>
+  <Deny ID="ID_DENY_D_511" FriendlyName="PowerShellShell 511" Hash="CCA8C8FB699496BD50AE296B20CC9ADC3496DECE"/>
+  <Deny ID="ID_DENY_D_512" FriendlyName="PowerShellShell 512" Hash="75E6C2DD81FE2664DF466C9C2EB0F923B0C6D992FF653B673793A896D8860957"/>
+  <Deny ID="ID_DENY_D_513" FriendlyName="PowerShellShell 513" Hash="080DEC3B15AD5AFE9BF3B0943A36285E92BAF469"/>
+  <Deny ID="ID_DENY_D_514" FriendlyName="PowerShellShell 514" Hash="F1391E78F17EA6097906B99C6F4F0AE8DD2E519856F837A3BCC58FBB87DAAE62"/>
+  <Deny ID="ID_DENY_D_515" FriendlyName="PowerShellShell 515" Hash="B3B7A653DD1A10EE9A3D35C818D227E2E3C3B5FB"/>
+  <Deny ID="ID_DENY_D_516" FriendlyName="PowerShellShell 516" Hash="43E2D91C0C6A8473BE178F1793E5E34966D700F71362297ECF4B5D46239603E3"/>
+  <Deny ID="ID_DENY_D_517" FriendlyName="PowerShellShell 517" Hash="D82583F7D5EA477C94630AC5AAEB771C85BD4B0A"/>
+  <Deny ID="ID_DENY_D_518" FriendlyName="PowerShellShell 518" Hash="9B0F39AB233628A971ACEC53029C9B608CAB99868F1A1C5ABE20BC1BD1C2B70E"/>
+  <Deny ID="ID_DENY_D_519" FriendlyName="PowerShellShell 519" Hash="AAE22FD137E8B7217222974DCE60B9AD4AF2A512"/>
+  <Deny ID="ID_DENY_D_520" FriendlyName="PowerShellShell 520" Hash="DAC9E963A3897D7F7AB2B4FEBBD4894A15441246639CE3E8EE74B0228F312742"/>
+  <Deny ID="ID_DENY_D_521" FriendlyName="PowerShellShell 521" Hash="8DAB1D74CAEDBAA8D17805CF00D64A44F5831C12"/>
+  <Deny ID="ID_DENY_D_522" FriendlyName="PowerShellShell 522" Hash="AC1CE3AA9023E23F2F63D5A3536294B914686057336402E059DEF6559D1CE723"/>
+  <Deny ID="ID_DENY_D_523" FriendlyName="PowerShellShell 523" Hash="266896FD257AD8EE9FC73B3A50306A573714EA8A"/>
+  <Deny ID="ID_DENY_D_524" FriendlyName="PowerShellShell 524" Hash="8E36BD08084C73AF674F2DAD568EE3BA2C85769FA7B3400CB62F7A7BD028BE9A"/>
+  <Deny ID="ID_DENY_D_525" FriendlyName="PowerShellShell 525" Hash="2AB804E1FF982AE0EDB591BC61AA909CF32E99C5"/>
+  <Deny ID="ID_DENY_D_526" FriendlyName="PowerShellShell 526" Hash="253120422B0DD987C293CAF5928FA820414C0A01622FD0EAF304A750FC5AEEFE"/>
+  <Deny ID="ID_DENY_D_527" FriendlyName="PowerShellShell 527" Hash="25CA971D7EDFAA7A48FA19B8399301853809D7CC"/>
+  <Deny ID="ID_DENY_D_528" FriendlyName="PowerShellShell 528" Hash="0A10C71CB5CC8A801F84F2CCD8041D13DB55711435388D9500C53D122688D4E5"/>
+  <Deny ID="ID_DENY_D_529" FriendlyName="PowerShellShell 529" Hash="46E05FD4D62451C1DCB0287B32B3D77AD41544EA"/>
+  <Deny ID="ID_DENY_D_530" FriendlyName="PowerShellShell 530" Hash="D86F930445F0715D0D7E4C3B089399280FBA2ACE0E4125BA5D3DAB9FAC1A6D3A"/>
+  <Deny ID="ID_DENY_D_531" FriendlyName="PowerShellShell 531" Hash="479C9429691314D3E21E4F4CA8B95D5BD2BDDEDA"/>
+  <Deny ID="ID_DENY_D_532" FriendlyName="PowerShellShell 532" Hash="2BA4E369D267A9ABDEBA50DA2CB5FC56A8EE4382C5BCFCFFD121350B88A6F0E1"/>
+  <Deny ID="ID_DENY_D_533" FriendlyName="PowerShellShell 533" Hash="FF205856A3209227D571EAD4B8C1E611E7FF9924"/>
+  <Deny ID="ID_DENY_D_534" FriendlyName="PowerShellShell 534" Hash="A63B38CE17DA60C4C431FC42C4507A0B7C19B384AC9E121E2988AD026E71ED63"/>
+  <Deny ID="ID_DENY_D_535" FriendlyName="PowerShellShell 535" Hash="7FCB424E67DDAC49413B45D7DCD636AD70E23B41"/>
+  <Deny ID="ID_DENY_D_536" FriendlyName="PowerShellShell 536" Hash="7E6F9A738520F78D1E9D0D0883FB07DD9188408CBE7C2937BDE1590F90C61753"/>
+  <Deny ID="ID_DENY_D_537" FriendlyName="PowerShellShell 537" Hash="46936F4F0AFE4C87D2E55595F74DDDFFC9AD94EE"/>
+  <Deny ID="ID_DENY_D_538" FriendlyName="PowerShellShell 538" Hash="9843DC862BC7491A279A09EFD8FF122EB23C57CA"/>
+  <Deny ID="ID_DENY_D_539" FriendlyName="PowerShellShell 539" Hash="11F11FB1E57F299383A615D6A28436E02A1C1A83"/>
+  <Deny ID="ID_DENY_D_540" FriendlyName="PowerShellShell 540" Hash="C593ABE79DFFB1504CFCDB1A6AD65D24996E7B97"/>
+  <Deny ID="ID_DENY_D_541" FriendlyName="PowerShellShell 541" Hash="93E22F2BA6C8B1C09F100F9C0E3B06FAF2D1DDB6"/>
+  <Deny ID="ID_DENY_D_542" FriendlyName="PowerShellShell 542" Hash="5A8D9712CF7893C335FFB7414748625D524227FE"/>
+  <Deny ID="ID_DENY_D_543" FriendlyName="PowerShellShell 543" Hash="B5FFFEE20F25691A59F3894644AEF088B4845761"/>
+  <Deny ID="ID_DENY_D_544" FriendlyName="PowerShellShell 544" Hash="3334059FF4484C43A5D08CEC3E43E2D27EDB927B"/>
+  <Deny ID="ID_DENY_D_545" FriendlyName="PowerShellShell 545" Hash="00B6993F59990C3DFEA33584BDB050F91313B17A"/>
+  <Deny ID="ID_DENY_D_546" FriendlyName="PowerShellShell 546" Hash="7518F60A0B33011D19873908559961F96A9B4FC0"/>
+  <Deny ID="ID_DENY_D_547" FriendlyName="PowerShellShell 547" Hash="A1D1AF7675C2596D0DF977F57B54372298A56EE0F3E1FF2D974D387D7F69DD4E"/>
+  <Deny ID="ID_DENY_D_548" FriendlyName="PowerShellShell 548" Hash="3C1743CBC43B80F5AF5B17239B03A8727B4BE81F14052BDE37685E2D54214071"/>
+  <Deny ID="ID_DENY_D_549" FriendlyName="PowerShellShell 549" Hash="C7DC8B00F0BDA000D1F3CF0FBC7AB32D443C377C0130BB5153A0390E712DDDE5"/>
+  <Deny ID="ID_DENY_D_550" FriendlyName="PowerShellShell 550" Hash="ED5A4747C8AEEB1AC2F4FDB8EB0B9BFC240F2B3C00BF7C6CDB372BFFEC0F8ABE"/>
+  <Deny ID="ID_DENY_D_551" FriendlyName="PowerShellShell 551" Hash="939C291D4A2592209EC7664EC832670FA0AC1009F974F47489D866751F4B862F"/>
+  <Deny ID="ID_DENY_D_552" FriendlyName="PowerShellShell 552" Hash="497A2D4207B2AE6EF09424591624A86A64A2C8E451389ED9A3256E6274556A7B"/>
+  <Deny ID="ID_DENY_D_553" FriendlyName="PowerShellShell 553" Hash="732BC385B191C8436B42CD1441DC234FFDD5EC1BD18A32894F093EECA3DD8FBC"/>
+  <Deny ID="ID_DENY_D_554" FriendlyName="PowerShellShell 554" Hash="CBD19FDB6338DB02299A3F3FFBBEBF216B18013B3377D1D31E51491C0C5F074C"/>
+  <Deny ID="ID_DENY_D_555" FriendlyName="PowerShellShell 555" Hash="3A316A0A470744EB7D18339B76E786564D1E96130766A9895B2222C4066CE820"/>
+  <Deny ID="ID_DENY_D_556" FriendlyName="PowerShellShell 556" Hash="68A4A1E8F4E1B903408ECD24608659B390B9E7154EB380D94ADE7FEB5EA470E7"/>
+ 
   <!-- pubprn.vbs
   --> 
   <!-- rs2 x86fre
@@ -797,7 +1068,277 @@ Microsoft recommends that you block the following Microsoft-signed applications
   <FileRuleRef RuleID="ID_DENY_D_283"/> 
   <FileRuleRef RuleID="ID_DENY_D_284"/> 
   <FileRuleRef RuleID="ID_DENY_D_285"/> 
-  <FileRuleRef RuleID="ID_DENY_D_286"/> 
+  <FileRuleRef RuleID="ID_DENY_D_286"/>
+  <FileRuleRef RuleID="ID_DENY_D_287"/>
+  <FileRuleRef RuleID="ID_DENY_D_288"/>
+  <FileRuleRef RuleID="ID_DENY_D_289"/>
+  <FileRuleRef RuleID="ID_DENY_D_290"/>
+  <FileRuleRef RuleID="ID_DENY_D_291"/>
+  <FileRuleRef RuleID="ID_DENY_D_292"/>
+  <FileRuleRef RuleID="ID_DENY_D_293"/>
+  <FileRuleRef RuleID="ID_DENY_D_294"/>
+  <FileRuleRef RuleID="ID_DENY_D_295"/>
+  <FileRuleRef RuleID="ID_DENY_D_296"/>
+  <FileRuleRef RuleID="ID_DENY_D_297"/>
+  <FileRuleRef RuleID="ID_DENY_D_298"/>
+  <FileRuleRef RuleID="ID_DENY_D_299"/>
+  <FileRuleRef RuleID="ID_DENY_D_300"/>
+  <FileRuleRef RuleID="ID_DENY_D_301"/>
+  <FileRuleRef RuleID="ID_DENY_D_302"/>
+  <FileRuleRef RuleID="ID_DENY_D_303"/>
+  <FileRuleRef RuleID="ID_DENY_D_304"/>
+  <FileRuleRef RuleID="ID_DENY_D_305"/>
+  <FileRuleRef RuleID="ID_DENY_D_306"/>
+  <FileRuleRef RuleID="ID_DENY_D_307"/>
+  <FileRuleRef RuleID="ID_DENY_D_308"/>
+  <FileRuleRef RuleID="ID_DENY_D_309"/>
+  <FileRuleRef RuleID="ID_DENY_D_310"/>
+  <FileRuleRef RuleID="ID_DENY_D_311"/>
+  <FileRuleRef RuleID="ID_DENY_D_312"/>
+  <FileRuleRef RuleID="ID_DENY_D_313"/>
+  <FileRuleRef RuleID="ID_DENY_D_314"/>
+  <FileRuleRef RuleID="ID_DENY_D_315"/>
+  <FileRuleRef RuleID="ID_DENY_D_316"/>
+  <FileRuleRef RuleID="ID_DENY_D_317"/>
+  <FileRuleRef RuleID="ID_DENY_D_318"/>
+  <FileRuleRef RuleID="ID_DENY_D_319"/>
+  <FileRuleRef RuleID="ID_DENY_D_320"/>
+  <FileRuleRef RuleID="ID_DENY_D_321"/>
+  <FileRuleRef RuleID="ID_DENY_D_322"/>
+  <FileRuleRef RuleID="ID_DENY_D_323"/>
+  <FileRuleRef RuleID="ID_DENY_D_324"/>
+  <FileRuleRef RuleID="ID_DENY_D_325"/>
+  <FileRuleRef RuleID="ID_DENY_D_326"/>
+  <FileRuleRef RuleID="ID_DENY_D_327"/>
+  <FileRuleRef RuleID="ID_DENY_D_328"/>
+  <FileRuleRef RuleID="ID_DENY_D_329"/>
+  <FileRuleRef RuleID="ID_DENY_D_330"/>
+  <FileRuleRef RuleID="ID_DENY_D_331"/>
+  <FileRuleRef RuleID="ID_DENY_D_332"/>
+  <FileRuleRef RuleID="ID_DENY_D_333"/>
+  <FileRuleRef RuleID="ID_DENY_D_334"/>
+  <FileRuleRef RuleID="ID_DENY_D_335"/>
+  <FileRuleRef RuleID="ID_DENY_D_336"/>
+  <FileRuleRef RuleID="ID_DENY_D_337"/>
+  <FileRuleRef RuleID="ID_DENY_D_338"/>
+  <FileRuleRef RuleID="ID_DENY_D_339"/>
+  <FileRuleRef RuleID="ID_DENY_D_340"/>
+  <FileRuleRef RuleID="ID_DENY_D_341"/>
+  <FileRuleRef RuleID="ID_DENY_D_342"/>
+  <FileRuleRef RuleID="ID_DENY_D_343"/>
+  <FileRuleRef RuleID="ID_DENY_D_344"/>
+  <FileRuleRef RuleID="ID_DENY_D_345"/>
+  <FileRuleRef RuleID="ID_DENY_D_346"/>
+  <FileRuleRef RuleID="ID_DENY_D_347"/>
+  <FileRuleRef RuleID="ID_DENY_D_348"/>
+  <FileRuleRef RuleID="ID_DENY_D_349"/>
+  <FileRuleRef RuleID="ID_DENY_D_350"/>
+  <FileRuleRef RuleID="ID_DENY_D_351"/>
+  <FileRuleRef RuleID="ID_DENY_D_352"/>
+  <FileRuleRef RuleID="ID_DENY_D_353"/>
+  <FileRuleRef RuleID="ID_DENY_D_354"/>
+  <FileRuleRef RuleID="ID_DENY_D_355"/>
+  <FileRuleRef RuleID="ID_DENY_D_356"/>
+  <FileRuleRef RuleID="ID_DENY_D_357"/>
+  <FileRuleRef RuleID="ID_DENY_D_358"/>
+  <FileRuleRef RuleID="ID_DENY_D_359"/>
+  <FileRuleRef RuleID="ID_DENY_D_360"/>
+  <FileRuleRef RuleID="ID_DENY_D_361"/>
+  <FileRuleRef RuleID="ID_DENY_D_362"/>
+  <FileRuleRef RuleID="ID_DENY_D_363"/>
+  <FileRuleRef RuleID="ID_DENY_D_364"/>
+  <FileRuleRef RuleID="ID_DENY_D_365"/>
+  <FileRuleRef RuleID="ID_DENY_D_366"/>
+  <FileRuleRef RuleID="ID_DENY_D_367"/>
+  <FileRuleRef RuleID="ID_DENY_D_368"/>
+  <FileRuleRef RuleID="ID_DENY_D_369"/>
+  <FileRuleRef RuleID="ID_DENY_D_370"/>
+  <FileRuleRef RuleID="ID_DENY_D_371"/>
+  <FileRuleRef RuleID="ID_DENY_D_372"/>
+  <FileRuleRef RuleID="ID_DENY_D_373"/>
+  <FileRuleRef RuleID="ID_DENY_D_374"/>
+  <FileRuleRef RuleID="ID_DENY_D_375"/>
+  <FileRuleRef RuleID="ID_DENY_D_376"/>
+  <FileRuleRef RuleID="ID_DENY_D_377"/>
+  <FileRuleRef RuleID="ID_DENY_D_378"/>
+  <FileRuleRef RuleID="ID_DENY_D_379"/>
+  <FileRuleRef RuleID="ID_DENY_D_380"/>
+  <FileRuleRef RuleID="ID_DENY_D_381"/>
+  <FileRuleRef RuleID="ID_DENY_D_382"/>
+  <FileRuleRef RuleID="ID_DENY_D_383"/>
+  <FileRuleRef RuleID="ID_DENY_D_384"/>
+  <FileRuleRef RuleID="ID_DENY_D_385"/>
+  <FileRuleRef RuleID="ID_DENY_D_386"/>
+  <FileRuleRef RuleID="ID_DENY_D_387"/>
+  <FileRuleRef RuleID="ID_DENY_D_388"/>
+  <FileRuleRef RuleID="ID_DENY_D_389"/>
+  <FileRuleRef RuleID="ID_DENY_D_390"/>
+  <FileRuleRef RuleID="ID_DENY_D_391"/>
+  <FileRuleRef RuleID="ID_DENY_D_392"/>
+  <FileRuleRef RuleID="ID_DENY_D_393"/>
+  <FileRuleRef RuleID="ID_DENY_D_394"/>
+  <FileRuleRef RuleID="ID_DENY_D_395"/>
+  <FileRuleRef RuleID="ID_DENY_D_396"/>
+  <FileRuleRef RuleID="ID_DENY_D_397"/>
+  <FileRuleRef RuleID="ID_DENY_D_398"/>
+  <FileRuleRef RuleID="ID_DENY_D_399"/>
+  <FileRuleRef RuleID="ID_DENY_D_400"/>
+  <FileRuleRef RuleID="ID_DENY_D_401"/>
+  <FileRuleRef RuleID="ID_DENY_D_402"/>
+  <FileRuleRef RuleID="ID_DENY_D_403"/>
+  <FileRuleRef RuleID="ID_DENY_D_404"/>
+  <FileRuleRef RuleID="ID_DENY_D_405"/>
+  <FileRuleRef RuleID="ID_DENY_D_406"/>
+  <FileRuleRef RuleID="ID_DENY_D_407"/>
+  <FileRuleRef RuleID="ID_DENY_D_408"/>
+  <FileRuleRef RuleID="ID_DENY_D_409"/>
+  <FileRuleRef RuleID="ID_DENY_D_410"/>
+  <FileRuleRef RuleID="ID_DENY_D_411"/>
+  <FileRuleRef RuleID="ID_DENY_D_412"/>
+  <FileRuleRef RuleID="ID_DENY_D_413"/>
+  <FileRuleRef RuleID="ID_DENY_D_414"/>
+  <FileRuleRef RuleID="ID_DENY_D_415"/>
+  <FileRuleRef RuleID="ID_DENY_D_416"/>
+  <FileRuleRef RuleID="ID_DENY_D_417"/>
+  <FileRuleRef RuleID="ID_DENY_D_418"/>
+  <FileRuleRef RuleID="ID_DENY_D_419"/>
+  <FileRuleRef RuleID="ID_DENY_D_420"/>
+  <FileRuleRef RuleID="ID_DENY_D_421"/>
+  <FileRuleRef RuleID="ID_DENY_D_422"/>
+  <FileRuleRef RuleID="ID_DENY_D_423"/>
+  <FileRuleRef RuleID="ID_DENY_D_424"/>
+  <FileRuleRef RuleID="ID_DENY_D_425"/>
+  <FileRuleRef RuleID="ID_DENY_D_426"/>
+  <FileRuleRef RuleID="ID_DENY_D_427"/>
+  <FileRuleRef RuleID="ID_DENY_D_428"/>
+  <FileRuleRef RuleID="ID_DENY_D_429"/>
+  <FileRuleRef RuleID="ID_DENY_D_430"/>
+  <FileRuleRef RuleID="ID_DENY_D_431"/>
+  <FileRuleRef RuleID="ID_DENY_D_432"/>
+  <FileRuleRef RuleID="ID_DENY_D_433"/>
+  <FileRuleRef RuleID="ID_DENY_D_434"/>
+  <FileRuleRef RuleID="ID_DENY_D_435"/>
+  <FileRuleRef RuleID="ID_DENY_D_436"/>
+  <FileRuleRef RuleID="ID_DENY_D_437"/>
+  <FileRuleRef RuleID="ID_DENY_D_438"/>
+  <FileRuleRef RuleID="ID_DENY_D_439"/>
+  <FileRuleRef RuleID="ID_DENY_D_440"/>
+  <FileRuleRef RuleID="ID_DENY_D_441"/>
+  <FileRuleRef RuleID="ID_DENY_D_442"/>
+  <FileRuleRef RuleID="ID_DENY_D_443"/>
+  <FileRuleRef RuleID="ID_DENY_D_444"/>
+  <FileRuleRef RuleID="ID_DENY_D_445"/>
+  <FileRuleRef RuleID="ID_DENY_D_446"/>
+  <FileRuleRef RuleID="ID_DENY_D_447"/>
+  <FileRuleRef RuleID="ID_DENY_D_448"/>
+  <FileRuleRef RuleID="ID_DENY_D_449"/>
+  <FileRuleRef RuleID="ID_DENY_D_450"/>
+  <FileRuleRef RuleID="ID_DENY_D_451"/>
+  <FileRuleRef RuleID="ID_DENY_D_452"/>
+  <FileRuleRef RuleID="ID_DENY_D_453"/>
+  <FileRuleRef RuleID="ID_DENY_D_454"/>
+  <FileRuleRef RuleID="ID_DENY_D_455"/>
+  <FileRuleRef RuleID="ID_DENY_D_456"/>
+  <FileRuleRef RuleID="ID_DENY_D_457"/>
+  <FileRuleRef RuleID="ID_DENY_D_458"/>
+  <FileRuleRef RuleID="ID_DENY_D_459"/>
+  <FileRuleRef RuleID="ID_DENY_D_460"/>
+  <FileRuleRef RuleID="ID_DENY_D_461"/>
+  <FileRuleRef RuleID="ID_DENY_D_462"/>
+  <FileRuleRef RuleID="ID_DENY_D_463"/>
+  <FileRuleRef RuleID="ID_DENY_D_464"/>
+  <FileRuleRef RuleID="ID_DENY_D_465"/>
+  <FileRuleRef RuleID="ID_DENY_D_466"/>
+  <FileRuleRef RuleID="ID_DENY_D_467"/>
+  <FileRuleRef RuleID="ID_DENY_D_468"/>
+  <FileRuleRef RuleID="ID_DENY_D_469"/>
+  <FileRuleRef RuleID="ID_DENY_D_470"/>
+  <FileRuleRef RuleID="ID_DENY_D_471"/>
+  <FileRuleRef RuleID="ID_DENY_D_472"/>
+  <FileRuleRef RuleID="ID_DENY_D_473"/>
+  <FileRuleRef RuleID="ID_DENY_D_474"/>
+  <FileRuleRef RuleID="ID_DENY_D_475"/>
+  <FileRuleRef RuleID="ID_DENY_D_476"/>
+  <FileRuleRef RuleID="ID_DENY_D_477"/>
+  <FileRuleRef RuleID="ID_DENY_D_478"/>
+  <FileRuleRef RuleID="ID_DENY_D_479"/>
+  <FileRuleRef RuleID="ID_DENY_D_480"/>
+  <FileRuleRef RuleID="ID_DENY_D_481"/>
+  <FileRuleRef RuleID="ID_DENY_D_482"/>
+  <FileRuleRef RuleID="ID_DENY_D_483"/>
+  <FileRuleRef RuleID="ID_DENY_D_484"/>
+  <FileRuleRef RuleID="ID_DENY_D_485"/>
+  <FileRuleRef RuleID="ID_DENY_D_486"/>
+  <FileRuleRef RuleID="ID_DENY_D_487"/>
+  <FileRuleRef RuleID="ID_DENY_D_488"/>
+  <FileRuleRef RuleID="ID_DENY_D_489"/>
+  <FileRuleRef RuleID="ID_DENY_D_490"/>
+  <FileRuleRef RuleID="ID_DENY_D_491"/>
+  <FileRuleRef RuleID="ID_DENY_D_492"/>
+  <FileRuleRef RuleID="ID_DENY_D_493"/>
+  <FileRuleRef RuleID="ID_DENY_D_494"/>
+  <FileRuleRef RuleID="ID_DENY_D_495"/>
+  <FileRuleRef RuleID="ID_DENY_D_496"/>
+  <FileRuleRef RuleID="ID_DENY_D_497"/>
+  <FileRuleRef RuleID="ID_DENY_D_498"/>
+  <FileRuleRef RuleID="ID_DENY_D_499"/>
+  <FileRuleRef RuleID="ID_DENY_D_500"/>
+  <FileRuleRef RuleID="ID_DENY_D_501"/>
+  <FileRuleRef RuleID="ID_DENY_D_502"/>
+  <FileRuleRef RuleID="ID_DENY_D_503"/>
+  <FileRuleRef RuleID="ID_DENY_D_504"/>
+  <FileRuleRef RuleID="ID_DENY_D_505"/>
+  <FileRuleRef RuleID="ID_DENY_D_506"/>
+  <FileRuleRef RuleID="ID_DENY_D_507"/>
+  <FileRuleRef RuleID="ID_DENY_D_508"/>
+  <FileRuleRef RuleID="ID_DENY_D_509"/>
+  <FileRuleRef RuleID="ID_DENY_D_510"/>
+  <FileRuleRef RuleID="ID_DENY_D_511"/>
+  <FileRuleRef RuleID="ID_DENY_D_512"/>
+  <FileRuleRef RuleID="ID_DENY_D_513"/>
+  <FileRuleRef RuleID="ID_DENY_D_514"/>
+  <FileRuleRef RuleID="ID_DENY_D_515"/>
+  <FileRuleRef RuleID="ID_DENY_D_516"/>
+  <FileRuleRef RuleID="ID_DENY_D_517"/>
+  <FileRuleRef RuleID="ID_DENY_D_518"/>
+  <FileRuleRef RuleID="ID_DENY_D_519"/>
+  <FileRuleRef RuleID="ID_DENY_D_520"/>
+  <FileRuleRef RuleID="ID_DENY_D_521"/>
+  <FileRuleRef RuleID="ID_DENY_D_522"/>
+  <FileRuleRef RuleID="ID_DENY_D_523"/>
+  <FileRuleRef RuleID="ID_DENY_D_524"/>
+  <FileRuleRef RuleID="ID_DENY_D_525"/>
+  <FileRuleRef RuleID="ID_DENY_D_526"/>
+  <FileRuleRef RuleID="ID_DENY_D_527"/>
+  <FileRuleRef RuleID="ID_DENY_D_528"/>
+  <FileRuleRef RuleID="ID_DENY_D_529"/>
+  <FileRuleRef RuleID="ID_DENY_D_530"/>
+  <FileRuleRef RuleID="ID_DENY_D_531"/>
+  <FileRuleRef RuleID="ID_DENY_D_532"/>
+  <FileRuleRef RuleID="ID_DENY_D_533"/>
+  <FileRuleRef RuleID="ID_DENY_D_534"/>
+  <FileRuleRef RuleID="ID_DENY_D_535"/>
+  <FileRuleRef RuleID="ID_DENY_D_536"/>
+  <FileRuleRef RuleID="ID_DENY_D_537"/>
+  <FileRuleRef RuleID="ID_DENY_D_538"/>
+  <FileRuleRef RuleID="ID_DENY_D_539"/>
+  <FileRuleRef RuleID="ID_DENY_D_540"/>
+  <FileRuleRef RuleID="ID_DENY_D_541"/>
+  <FileRuleRef RuleID="ID_DENY_D_542"/>
+  <FileRuleRef RuleID="ID_DENY_D_543"/>
+  <FileRuleRef RuleID="ID_DENY_D_544"/>
+  <FileRuleRef RuleID="ID_DENY_D_545"/>
+  <FileRuleRef RuleID="ID_DENY_D_546"/>
+  <FileRuleRef RuleID="ID_DENY_D_547"/>
+  <FileRuleRef RuleID="ID_DENY_D_548"/>
+  <FileRuleRef RuleID="ID_DENY_D_549"/>
+  <FileRuleRef RuleID="ID_DENY_D_550"/>
+  <FileRuleRef RuleID="ID_DENY_D_551"/>
+  <FileRuleRef RuleID="ID_DENY_D_552"/>
+  <FileRuleRef RuleID="ID_DENY_D_553"/>
+  <FileRuleRef RuleID="ID_DENY_D_554"/>
+  <FileRuleRef RuleID="ID_DENY_D_555"/>
+  <FileRuleRef RuleID="ID_DENY_D_556"/>
   </FileRulesRef>
   </ProductSigners>
   </SigningScenario>
@@ -806,7 +1347,7 @@ Microsoft recommends that you block the following Microsoft-signed applications
   <CiSigners /> 
   <HvciOptions>0</HvciOptions> 
   </SiPolicy>
-  
+
   ```
 <br />
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
index f5dfca7d37..44da35710f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.localizationpriority: high
 author: mdsakibMSFT
-ms.date: 03/01/2018
+ms.date: 06/14/2018
 ---
 
 # Use Windows Defender Application Control (WDAC) with the Microsoft Intelligent Security Graph 
@@ -42,7 +42,7 @@ Setting up the ISG authorization is easy regardless of what management solution
 
 ### Ensure that the Intelligent Security Graph option is enabled in the WDAC policy XML 
 
-In order to enable trust for executables based on classifications in the ISG, the **Enabled: Intelligent Security Graph authorization** option must be specified in the WDAC policy. This can be done with the Set-RuleOption cmdlet. In addition, it is recommended from a security perspective to also enable the **Enabled:Invalidate EAs on Reboot** option to invalidate the cached ISG results on reboot to force rechecking of applications against the ISG. Caution is advised if devices will regularly transition to and from environments that may not be able to access the ISG. The following example shows both options being set. 
+In order to enable trust for executables based on classifications in the ISG, the **Enabled:Intelligent Security Graph authorization** option must be specified in the WDAC policy. This can be done with the Set-RuleOption cmdlet. In addition, it is recommended from a security perspective to also enable the **Enabled:Invalidate EAs on Reboot** option to invalidate the cached ISG results on reboot to force rechecking of applications against the ISG. Caution is advised if devices will regularly transition to and from environments that may not be able to access the ISG. The following example shows both options being set. 
 
 ```code
 <Rules> 

From b4295544c7e8ccac5962e8725e34e804ec3faaac Mon Sep 17 00:00:00 2001
From: Joey Caparas <macapara@microsoft.com>
Date: Thu, 14 Jun 2018 17:07:02 -0700
Subject: [PATCH 078/102] update allowed blocked lists

---
 ...ced-hunting-windows-defender-advanced-threat-protection.md | 4 +++-
 ...locked-list-windows-defender-advanced-threat-protection.md | 4 +---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md
index c5a0aa9147..c8d4b355cc 100644
--- a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 04/24/2018
+ms.date: 06/13/2018
 ---
 
 # Query data using Advanced hunting in Windows Defender ATP
@@ -54,6 +54,8 @@ We then add a filter on the _FileName_  to contain only instances of _powershell
 Afterwards, we add a filter on the _ProcessCommandLine_
 Finally, we  project only the columns we're interested in exploring and limit the results to 100 and click **Run query**.
 
+You have the option of expanding the screen view so you can focus on your hunting query and related results.
+
 ### Use operators
 The query language is very powerful and has a lot of available operators, some of them are - 
 
diff --git a/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md
index f1e3dbc4a5..824dbb804b 100644
--- a/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 06/11/2018
+ms.date: 06/14/2018
 ---
 
 # Manage automation allowed/blocked lists
@@ -43,8 +43,6 @@ You can define the conditions for when entities are identified as malicious or s
    - Certificate
    - IP address
    - DNS
-   - Email
-   - Process memory
 
 3. Click **Add system exclusion**.
 

From 71d4da50d7a5d86a7ed8c273037d4e3e3d60101d Mon Sep 17 00:00:00 2001
From: Jeanie Decker <jdecker@microsoft.com>
Date: Fri, 15 Jun 2018 16:13:27 +0000
Subject: [PATCH 079/102] Merged PR 9102: fixes for issues 1062 and 1093

---
 education/windows/use-set-up-school-pcs-app.md             | 4 ++--
 windows/configuration/customize-and-export-start-layout.md | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md
index 24bde1c0c2..22dd70e019 100644
--- a/education/windows/use-set-up-school-pcs-app.md
+++ b/education/windows/use-set-up-school-pcs-app.md
@@ -2,7 +2,7 @@
 title: Use Set up School PCs app
 description: Learn how the Set up School PCs app works and how to use it.
 keywords: shared cart, shared PC, school, Set up School PCs, overview, how to use
-ms.prod: w10
+ms.prod: w10
 ms.technology: Windows
 ms.mktglfcycl: deploy
 ms.sitesec: library
@@ -198,7 +198,7 @@ The **Set up School PCs** app guides you through the configuration choices for t
 
     If you select this option, this adds a **Guest** account button in the PC's sign-in screen to allow anyone to use the PC.
  
-  - Select **Enable Autopilot Reset** to reset student PCs from the lock screen any time and apply original settings and device management enrollment (Azure AD and MDM) so they’re ready to use. Make sure you are running Windows 10, version 1709 on the student PCs if you want to use Autopilot Reset through the Set up School PCs app.
+  - Select **Enable Autopilot Reset** to reset student PCs from the lock screen any time and apply original settings and device management enrollment (Azure AD and MDM) so they're ready to use. Make sure you are running Windows 10, version 1709 on the student PCs if you want to use Autopilot Reset through the Set up School PCs app.
   - To change the default lock screen background or to use your school's custom lock screen background, click **Browse** to select a new lock screen background.
 
     **Figure 4** - Configure student PC settings
diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md
index 12baa5bed8..a45bae0f51 100644
--- a/windows/configuration/customize-and-export-start-layout.md
+++ b/windows/configuration/customize-and-export-start-layout.md
@@ -91,9 +91,9 @@ When you have the Start layout that you want your users to see, use the [Export-
 
 **To export the Start layout to an .xml file**
 
-1.  Right Click Start, select **Windows PowerShell (Admin)**.
+1.  While signed in with the same account that you used to customize Start, right-click Start, and select **Windows PowerShell**.
 
-2.  At the Administrator: Windows PowerShell command prompt, enter the following command:
+2.  At the Windows PowerShell command prompt, enter the following command:
 
     `Export-StartLayout –path <path><file name>.xml `
 

From 44556bdf66cbc5623247429d5704186711455657 Mon Sep 17 00:00:00 2001
From: Heidi Lohr <helohr@microsoft.com>
Date: Fri, 15 Jun 2018 09:44:19 -0700
Subject: [PATCH 080/102] Updated metadata dates

---
 ...v-apply-the-deployment-configuration-file-with-powershell.md | 2 +-
 .../appv-apply-the-user-configuration-file-with-powershell.md   | 2 +-
 .../app-v/appv-auto-clean-unpublished-packages.md               | 2 +-
 .../application-management/app-v/appv-available-mdm-settings.md | 2 +-
 ...-configure-access-to-packages-with-the-management-console.md | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md b/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md
index 8d3a64000e..be2acfa151 100644
--- a/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md
+++ b/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md
@@ -6,7 +6,7 @@ ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.prod: w10
-ms.date: 06/13/2018
+ms.date: 06/15/2018
 ---
 # How to apply the deployment configuration file by using Windows PowerShell
 
diff --git a/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md b/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md
index d8a04ef887..7f5e05afcd 100644
--- a/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md
+++ b/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md
@@ -6,7 +6,7 @@ ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.prod: w10
-ms.date: 06/13/2018
+ms.date: 06/15/2018
 ---
 # How to apply the user configuration file by using Windows PowerShell
 
diff --git a/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md b/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md
index cd9c6096a7..2495e28dd7 100644
--- a/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md
+++ b/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md
@@ -6,7 +6,7 @@ ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.prod: w10
-ms.date: 06/13/2018
+ms.date: 06/15/2018
 ---
 # Automatically clean up unpublished packages on the App-V client
 
diff --git a/windows/application-management/app-v/appv-available-mdm-settings.md b/windows/application-management/app-v/appv-available-mdm-settings.md
index d254a8b4b7..d890609518 100644
--- a/windows/application-management/app-v/appv-available-mdm-settings.md
+++ b/windows/application-management/app-v/appv-available-mdm-settings.md
@@ -6,7 +6,7 @@ ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.prod: w10
-ms.date: 06/13/2018
+ms.date: 06/15/2018
 ---
 # Available Mobile Device Management (MDM) settings for App-V
 
diff --git a/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md b/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md
index f44af0a19a..c19612e466 100644
--- a/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md
@@ -6,7 +6,7 @@ ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.prod: w10
-ms.date: 06/13/2018
+ms.date: 06/15/2018
 ---
 # How to Configure Access to Packages by Using the Management Console
 

From c1596ae7343b017e05a8b049ef8e3fe921d39c8f Mon Sep 17 00:00:00 2001
From: Heidi Lohr <helohr@microsoft.com>
Date: Fri, 15 Jun 2018 09:47:01 -0700
Subject: [PATCH 081/102] Fixed title caps and metadata.

---
 ...figure-access-to-packages-with-the-management-console.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md b/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md
index c19612e466..ae0bc52550 100644
--- a/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md
@@ -1,6 +1,6 @@
 ---
-title: How to Configure Access to Packages by Using the Management Console (Windows 10)
-description: How to Configure Access to Packages by Using the Management Console
+title: How to configure access to packages by using the Management console (Windows 10)
+description: How to configure access to packages by using the App-V Management console.
 author: MaggiePucciEvans
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
@@ -8,7 +8,7 @@ ms.sitesec: library
 ms.prod: w10
 ms.date: 06/15/2018
 ---
-# How to Configure Access to Packages by Using the Management Console
+# How to configure access to packages by using the Management console
 
 >Applies to: Windows 10, version 1607
 

From 82c8ac310d17860dfdbf10d3ab6a79e082155b7b Mon Sep 17 00:00:00 2001
From: jcaparas <macapara@microsoft.com>
Date: Fri, 15 Jun 2018 11:21:31 -0700
Subject: [PATCH 082/102] add back 8.1

---
 ...oard-downlevel-windows-defender-advanced-threat-protection.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md
index 677d282889..170be8e9ca 100644
--- a/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md
@@ -19,6 +19,7 @@ ms.date: 06/17/2018
 
 - Windows 7 SP1 Enterprise
 - Windows 7 SP1 Pro
+- Windows 8.1
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 
 [!include[Prerelease information](prerelease.md)]

From 2a6d288cd256df5de84c5b43ebb9f65f82eb2651 Mon Sep 17 00:00:00 2001
From: Joey Caparas <macapara@microsoft.com>
Date: Fri, 15 Jun 2018 11:34:43 -0700
Subject: [PATCH 083/102] Add back win 8, add note for integration bullet list

---
 ...rd-downlevel-windows-defender-advanced-threat-protection.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md
index 677d282889..fb1c18120c 100644
--- a/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md
@@ -19,6 +19,7 @@ ms.date: 06/17/2018
 
 - Windows 7 SP1 Enterprise
 - Windows 7 SP1 Pro
+- Windows 8.1
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 
 [!include[Prerelease information](prerelease.md)]
@@ -39,6 +40,8 @@ To onboard down-level Windows client endpoints to Windows Defender ATP, you'll n
 Windows Defender ATP integrates with System Center Endpoint Protection to provide visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware. 
 
 The following steps are required to enable this integration: 
+>[!NOTE]
+>Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro.
 - Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/en-us/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie) 
 - Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting
 

From 66d4f6be4a5fd2e65e957c79587995996ec89e36 Mon Sep 17 00:00:00 2001
From: Joey Caparas <macapara@microsoft.com>
Date: Fri, 15 Jun 2018 11:57:41 -0700
Subject: [PATCH 084/102] fix spcae

---
 ...oard-downlevel-windows-defender-advanced-threat-protection.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md
index fb1c18120c..490838a802 100644
--- a/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md
@@ -42,6 +42,7 @@ Windows Defender ATP integrates with System Center Endpoint Protection to provid
 The following steps are required to enable this integration: 
 >[!NOTE]
 >Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro.
+
 - Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/en-us/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie) 
 - Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting
 

From 145451a9a405ef7d3afe8f5b510f3dc83d3f95e0 Mon Sep 17 00:00:00 2001
From: "Andrea Bichsel (Aquent LLC)" <v-anbic@microsoft.com>
Date: Fri, 15 Jun 2018 12:22:38 -0700
Subject: [PATCH 085/102] Fixed link.

---
 .../customize-attack-surface-reduction.md                     | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
index f8f6992650..10bb054f45 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
@@ -11,7 +11,7 @@ ms.pagetype: security
 localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 05/30/2018
+ms.date: 06/15/2018
 ---
 
 # Customize Attack surface reduction
@@ -54,7 +54,7 @@ This could potentially allow unsafe files to run and infect your devices.
 
 You can specify individual files or folders (using folder paths or fully qualified resource names) but you cannot specify if the exclusions should only be applied to individual rules: the exclusions will apply to all rules that are enabled (or placed in audit mode) and that allow exclusions.
 
-Windows 10, version 1803 supports environment variables and wildcards. For information about using wildcards in Windows Defender Exploit Guard, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10). 
+Windows 10, version 1803 supports environment variables and wildcards. For information about using wildcards in Windows Defender Exploit Guard, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). 
 
 Exclusions will only be applied to certain rules. Some rules will not honor the exclusion list. This means that even if you have added a file to the exclusion list, some rules will still evaluate and potentially block that file if the rule determines the file to be unsafe.
 

From 0c6b3fea5789a82ac578b3527a6d2789d5f4b271 Mon Sep 17 00:00:00 2001
From: Joey Caparas <macapara@microsoft.com>
Date: Fri, 15 Jun 2018 13:38:01 -0700
Subject: [PATCH 086/102] update applies to, add notes for win 7

---
 ...ows-defender-advanced-threat-protection.md | 28 ++++++++++---------
 1 file changed, 15 insertions(+), 13 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md
index 490838a802..19ee48959a 100644
--- a/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md
@@ -13,18 +13,19 @@ ms.localizationpriority: high
 ms.date: 06/17/2018
 ---
 
-# Onboard Windows previous versions of Windows
+# Onboard previous versions of Windows
 
 **Applies to:**
 
 - Windows 7 SP1 Enterprise
 - Windows 7 SP1 Pro
-- Windows 8.1
+- Windows 8.1 Pro
+- Windows 8.1 Enterprise
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 
 [!include[Prerelease information](prerelease.md)]
 
-Windows Defender ATP extends support to also include down-level operating systems, providing advanced attack detection and investigation capabilities on supported Windows versions.
+Windows Defender ATP extends support to include down-level operating systems, providing advanced attack detection and investigation capabilities on supported Windows versions.
 
 To onboard down-level Windows client endpoints to Windows Defender ATP, you'll need to:
 - Configure and update System Center Endpoint Protection clients.
@@ -40,9 +41,6 @@ To onboard down-level Windows client endpoints to Windows Defender ATP, you'll n
 Windows Defender ATP integrates with System Center Endpoint Protection to provide visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware. 
 
 The following steps are required to enable this integration: 
->[!NOTE]
->Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro.
-
 - Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/en-us/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie) 
 - Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting
 
@@ -50,8 +48,12 @@ The following steps are required to enable this integration:
 
 ### Before you begin
 Review the following details to verify minimum system requirements:
-- Install the [February monthly update rollout](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598) 
+- Install the [February monthly update rollout](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598)
+  >[!NOTE]
+  >Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro. 
 - Install the [Update for customer experience and diagnostic telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry)
+  >[!NOTE]
+  >Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro.
 - Meet the Azure Log Analytics agent minimum system requirements. For more information, see [Collect data from computers in you environment with Log Analytics](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-concept-hybrid#prerequisites)
 
 1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603) or [Windows 32-bit agent](https://go.microsoft.com/fwlink/?LinkId=828604).
@@ -63,16 +65,16 @@ Review the following details to verify minimum system requirements:
 
 3. Using the Workspace ID and Workspace key choose any of the following installation methods to install the agent:
     - Manually install the agent using setup<br>
-      On the **Agent Setup Options** page, select **Connect the agent to Azure Log Analytics (OMS)
-    - [Install the agent using command line](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-agent-windows#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-agent-windows#add-a-workspace-using-a-script).
+      On the **Agent Setup Options** page, select **Connect the agent to Azure Log Analytics (OMS)**
+    - [Install the agent using command line](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-agent-windows#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-agent-windows#add-a-workspace-using-a-script)
 
-4. If you're using a proxy server to connect to the Internet see the Configure proxy settings section.
+4. If you're using a proxy to connect to the Internet see the Configure proxy settings section.
 
-Once completed, you should see onboarded servers in the portal within an hour.
+Once completed, you should see onboarded endpoints in the portal within an hour.
 
-### Configure server proxy and Internet connectivity settings
+### Configure proxy and Internet connectivity settings
  
-- Each Windows server must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the [OMS Gateway](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-oms-gateway).
+- Each Windows endpoint must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the [OMS Gateway](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-oms-gateway).
 - If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service:
 
 Agent Resource    |    Ports 

From 7db1e9769fa78176d937658b3cb36a1161ff4bb6 Mon Sep 17 00:00:00 2001
From: Joey Caparas <macapara@microsoft.com>
Date: Fri, 15 Jun 2018 14:15:15 -0700
Subject: [PATCH 087/102] fix spacing

---
 ...d-downlevel-windows-defender-advanced-threat-protection.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md
index 19ee48959a..dea7005b3f 100644
--- a/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md
@@ -49,11 +49,15 @@ The following steps are required to enable this integration:
 ### Before you begin
 Review the following details to verify minimum system requirements:
 - Install the [February monthly update rollout](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598)
+  
   >[!NOTE]
   >Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro. 
+
 - Install the [Update for customer experience and diagnostic telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry)
+  
   >[!NOTE]
   >Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro.
+
 - Meet the Azure Log Analytics agent minimum system requirements. For more information, see [Collect data from computers in you environment with Log Analytics](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-concept-hybrid#prerequisites)
 
 1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603) or [Windows 32-bit agent](https://go.microsoft.com/fwlink/?LinkId=828604).

From 5cf6a869a5ad1a91b4c9c658820694cec6d2e76d Mon Sep 17 00:00:00 2001
From: Joey Caparas <macapara@microsoft.com>
Date: Fri, 15 Jun 2018 14:26:01 -0700
Subject: [PATCH 088/102] add browser support

---
 ...quirements-windows-defender-advanced-threat-protection.md | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
index bd53b3a21d..f42a764acb 100644
--- a/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 06/04/2018
+ms.date: 06/15/2018
 ---
 
 # Minimum requirements for Windows Defender ATP
@@ -42,6 +42,9 @@ Windows Defender Advanced Threat Protection requires one of the following Micros
 
 For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us/Licensing/product-licensing/windows10.aspx#tab=2).
 
+### Browser requirements
+Internet Explorer and Microsoft Edge are supported. Any HTML5 compliant browsers are also supported. 
+
 ### Network and data storage and configuration requirements
 When you run the onboarding wizard for the first time, you must choose where your Windows Defender Advanced Threat Protection-related information is stored: in the European Union, the United Kingdom, or the United States datacenter.
 

From 973d18a9b8fec6972023e8c4c3f5fbcac9f44af0 Mon Sep 17 00:00:00 2001
From: Liza Poggemeyer <elizapo@microsoft.com>
Date: Fri, 15 Jun 2018 22:45:20 +0000
Subject: [PATCH 089/102] Merged PR 9122: removed checks from pro for
 workstations as they're not downgradable

removed checks from pro for workstations as they're not downgradable
---
 windows/deployment/upgrade/windows-10-downgrade-paths.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/windows/deployment/upgrade/windows-10-downgrade-paths.md b/windows/deployment/upgrade/windows-10-downgrade-paths.md
index 4422179d21..3fc6d13445 100644
--- a/windows/deployment/upgrade/windows-10-downgrade-paths.md
+++ b/windows/deployment/upgrade/windows-10-downgrade-paths.md
@@ -7,7 +7,7 @@ ms.sitesec: library
 ms.localizationpriority: high
 ms.pagetype: mobile
 author: greg-lindsay
-ms.date: 06/07/2018
+ms.date: 06/15/2018
 ---
 
 # Windows 10 downgrade paths
@@ -77,9 +77,9 @@ Downgrading from any edition of Windows 10 to Windows 7, 8, or 8.1 by entering a
     <tr>
         <td>Pro for Workstations</td>
         <td></td>
-        <td align="center">✔</td>
         <td></td>
-        <td align="center">✔</td>
+        <td></td>
+        <td></td>
         <td></td>
         <td></td>
         <td></td>

From a9aed01d22a0c5c5a80654dbb70e1515ab7e8e2c Mon Sep 17 00:00:00 2001
From: Heidi Lohr <helohr@microsoft.com>
Date: Fri, 15 Jun 2018 15:51:40 -0700
Subject: [PATCH 090/102] Starting next round, fixed caps in old doc

---
 ...to-packages-with-the-management-console.md |  6 +-
 ...on-groups-to-ignore-the-package-version.md | 59 ++++++++++---------
 2 files changed, 33 insertions(+), 32 deletions(-)

diff --git a/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md b/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md
index ae0bc52550..40fdccf15e 100644
--- a/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md
@@ -1,6 +1,6 @@
 ---
-title: How to configure access to packages by using the Management console (Windows 10)
-description: How to configure access to packages by using the App-V Management console.
+title: How to configure access to packages by using the Management Console (Windows 10)
+description: How to configure access to packages by using the App-V Management Console.
 author: MaggiePucciEvans
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
@@ -8,7 +8,7 @@ ms.sitesec: library
 ms.prod: w10
 ms.date: 06/15/2018
 ---
-# How to configure access to packages by using the Management console
+# How to configure access to packages by using the Management Console
 
 >Applies to: Windows 10, version 1607
 
diff --git a/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md b/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md
index 06b310e729..c097aa2216 100644
--- a/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md
+++ b/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md
@@ -1,64 +1,65 @@
 ---
-title: How to Make a Connection Group Ignore the Package Version (Windows 10)
-description: How to Make a Connection Group Ignore the Package Version
+title: How to make a connection group ignore the package version (Windows 10)
+description: How to make a connection group ignore the package version.
 author: MaggiePucciEvans
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.prod: w10
-ms.date: 04/19/2017
+ms.date: 06/15/2018
 ---
+# How to make a connection group ignore the package version
 
+> Applies to: Windows 10, version 1607
 
-# How to Make a Connection Group Ignore the Package Version
+You can use Application Virtualization (App-V) to configure a connection group to use any version of a package, simplifying package upgrades and reducing the number of connection groups you need to create.
 
-**Applies to**
--   Windows 10, version 1607
+You can also configure a connection group to accept any version of a package, so that you can upgrade the package without having to disable the connection group.
 
-Application Virtualization (App-V) lets you configure a connection group to use any version of a package, which simplifies package upgrades and reduces the number of connection groups you need to create.
+- If the connection group has access to multiple versions of a package, App-V will use the latest version.
 
-You can configure a connection group to accept any version of a package, which enables you to upgrade the package without having to disable the connection group:
+- If the connection group contains an optional package with an incorrect version, App-V ignores the package and won’t block the connection group’s virtual environment from being created.
 
-- If the connection group has access to multiple versions of a package, the latest version is used.
+- If the connection group contains a non-optional package that has an incorrect version, App-V won't be able to create the connection group’s virtual environment.
 
-- If the connection group contains an optional package that has an incorrect version, the package is ignored and won’t block the connection group’s virtual environment from being created.
+## Make a connection group ignore the package version with the App-V Server Management Console
 
-- If the connection group contains a non-optional package that has an incorrect version, the connection group’s virtual environment cannot be created.
-
-## To make a connection group ignore the package version by using the App-V Server Management Console
-
-1. In the Management Console, select **CONNECTION GROUPS**.
+1. In the Management Console, select **Connection Groups**.
 
 2. Select the correct connection group from the Connection Groups library.
 
-3. Click **EDIT** in the CONNECTED PACKAGES pane.
+3. Select **Edit** in the Connected Packages pane.
 
-4. Select **Use Any Version** check box next to the package name, and click **Apply**.
+4. Select the **Use Any Version** check box next to the package name, then select **Apply**.
 
-For more about adding or upgrading packages, see [How to Add or Upgrade Packages by Using the Management Console](appv-add-or-upgrade-packages-with-the-management-console.md).
+For more about adding or upgrading packages, see [How to add or upgrade packages by using the Management Console](appv-add-or-upgrade-packages-with-the-management-console.md).
 
-##  To make a connection group ignore the package version from the App-V client on a stand-alone computer
+## Make a connection group ignore the package version from the App-V client on a stand-alone computer
 
 1. Create the connection group XML document.
 
-2. For the package to be upgraded, set the **Package** tag attribute **VersionID** to an asterisk (<strong>*</strong>).
+2. Set the **Package** tag attribute **VersionID** to an asterisk (<strong>*</strong>) to upgrade the package.
 
-3. Use the following cmdlet to add the connection group, and include the path to the connection group XML document:
+3. Enter the following cmdlet (including the path to the connection group XML document) to add the connection group:
+
+    ```PowerShell
+    Add-AppvClientConnectionGroup
+    ```
+
+    For more information about how to use the **Add-AppvClientConnectionGroup** cmdlet, see [**Add-AppvClientConnectionGroup**](https://docs.microsoft.com/en-us/powershell/module/appvclient/add-appvclientconnectiongroup?view=win10-ps).
 
-    `Add-AppvClientConnectionGroup`
-    
 4. When you upgrade a package, use the following cmdlets to remove the old package, add the upgraded package, and publish the upgraded package:
 
-    - RemoveAppvClientPackage
-    - Add-AppvClientPackage
-    - Publish-AppvClientPackage
+    - [**Remove-AppvClientPackage**](https://docs.microsoft.com/en-us/powershell/module/appvclient/remove-appvclientpackage?view=win10-ps)
+    - [**Add-AppvClientPackage**](https://docs.microsoft.com/en-us/powershell/module/appvclient/add-appvclientpackage?view=win10-ps)
+    - [**Publish-AppvClientPackage**](https://docs.microsoft.com/en-us/powershell/module/appvclient/publish-appvclientpackage?view=win10-ps)
 
-For more information, see [How to Manage App-V Packages Running on a Stand-Alone Computer by Using Windows PowerShell](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md).
+For more information, see [How to manage App-V packages running on a stand-alone computer by using Windows PowerShell](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md).
 
 ## Have a suggestion for App-V?
 
-Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).<br>For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
+Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
 
 ## Related topics
 
-[Managing Connection Groups](appv-managing-connection-groups.md)
+- [Managing connection groups](appv-managing-connection-groups.md)
\ No newline at end of file

From f28e196aef04ec317dc22f243189c1f58f92526c Mon Sep 17 00:00:00 2001
From: Liza Poggemeyer <elizapo@microsoft.com>
Date: Sat, 16 Jun 2018 00:51:01 +0000
Subject: [PATCH 091/102] Merged PR 9127: Table fixes

---
 ...ploy-the-app-v-50-server-using-a-script.md | 121 +++++-------
 .../how-to-move-the-mbam-25-databases.md      | 175 +++++-------------
 ...rated-features-of-an-mbam-25-deployment.md | 175 +++---------------
 ...ploy-mdop-group-policy--admx--templates.md |  19 +-
 4 files changed, 122 insertions(+), 368 deletions(-)

diff --git a/mdop/appv-v5/how-to-deploy-the-app-v-50-server-using-a-script.md b/mdop/appv-v5/how-to-deploy-the-app-v-50-server-using-a-script.md
index 432f95693e..403b4c37a9 100644
--- a/mdop/appv-v5/how-to-deploy-the-app-v-50-server-using-a-script.md
+++ b/mdop/appv-v5/how-to-deploy-the-app-v-50-server-using-a-script.md
@@ -7,7 +7,7 @@ ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.prod: w10
-ms.date: 06/16/2016
+ms.date: 06/15/2018
 ---
 
 
@@ -16,18 +16,17 @@ ms.date: 06/16/2016
 
 In order to complete the **appv\_server\_setup.exe** Server setup successfully using the command line, you must specify and combine multiple parameters.
 
-**To Install the App-V 5.0 server using a script**
+Use the following tables for more information about installing the App-V 5.0 server using the command line.
 
--   Use the following tables for more information about installing the App-V 5.0 server using the command line.
+>[!NOTE]  
+>The information in the following tables can also be accessed using the command line by typing the following command:
+>```
+> appv\_server\_setup.exe /?
+>```
 
-    **Note**  
-    The information in the following tables can also be accessed using the command line by typing the following command: **appv\_server\_setup.exe /?**.
+## Common parameters and Examples
 
-     
-
-    **Common parameters and Examples**
-
-    <table>
+<table>
     <colgroup>
     <col width="50%" />
     <col width="50%" />
@@ -67,10 +66,8 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
     </tr>
     </tbody>
     </table>
-
      
-
-    <table>
+<table>
     <colgroup>
     <col width="50%" />
     <col width="50%" />
@@ -109,11 +106,9 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
     <p>/EXISTING_MANAGEMENT_DB_NAME =”AppVManagement”</p></td>
     </tr>
     </tbody>
-    </table>
+    </table>  
 
-     
-
-    <table>
+<table>
     <colgroup>
     <col width="50%" />
     <col width="50%" />
@@ -153,10 +148,8 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
     </tr>
     </tbody>
     </table>
-
-     
-
-    <table>
+    
+<table>
     <colgroup>
     <col width="50%" />
     <col width="50%" />
@@ -191,9 +184,7 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
     </tbody>
     </table>
 
-     
-
-    <table>
+<table>
     <colgroup>
     <col width="50%" />
     <col width="50%" />
@@ -228,9 +219,7 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
     </tbody>
     </table>
 
-     
-
-    <table>
+<table>
     <colgroup>
     <col width="50%" />
     <col width="50%" />
@@ -255,9 +244,7 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
     </tbody>
     </table>
 
-     
-
-    <table>
+<table>
     <colgroup>
     <col width="50%" />
     <col width="50%" />
@@ -298,9 +285,7 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
     </tbody>
     </table>
 
-     
-
-    <table>
+<table>
     <colgroup>
     <col width="50%" />
     <col width="50%" />
@@ -339,9 +324,7 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
     </tbody>
     </table>
 
-     
-
-    <table>
+<table>
     <colgroup>
     <col width="50%" />
     <col width="50%" />
@@ -380,9 +363,7 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
     </tbody>
     </table>
 
-     
-
-    <table>
+<table>
     <colgroup>
     <col width="50%" />
     <col width="50%" />
@@ -417,9 +398,7 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
     </tbody>
     </table>
 
-     
-
-    <table>
+<table>
     <colgroup>
     <col width="50%" />
     <col width="50%" />
@@ -454,13 +433,11 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
     </tbody>
     </table>
 
-     
+## Parameter Definitions
 
-    **Parameter Definitions**
+### General Parameters
 
-    **General Parameters**
-
-    <table>
+<table>
     <colgroup>
     <col width="50%" />
     <col width="50%" />
@@ -503,11 +480,9 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
     </tbody>
     </table>
 
-     
+### Management Server Installation Parameters
 
-    **Management Server Installation Parameters**
-
-    <table>
+<table>
     <colgroup>
     <col width="50%" />
     <col width="50%" />
@@ -538,11 +513,9 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
     </tbody>
     </table>
 
-     
+### Parameters for the Management Server Database
 
-    **Parameters for the Management Server Database**
-
-    <table>
+<table>
     <colgroup>
     <col width="50%" />
     <col width="50%" />
@@ -585,11 +558,9 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
     </tbody>
     </table>
 
-     
+### Parameters for Installing Publishing Server
 
-    **Parameters for Installing Publishing Server**
-
-    <table>
+<table>
     <colgroup>
     <col width="50%" />
     <col width="50%" />
@@ -620,11 +591,9 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
     </tbody>
     </table>
 
-     
+### Parameters for Reporting Server
 
-    **Parameters for Reporting Server**
-
-    <table>
+<table>
     <colgroup>
     <col width="50%" />
     <col width="50%" />
@@ -653,9 +622,9 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
 
      
 
-    **Parameters for using an Existing Reporting Server Database**
+### Parameters for using an Existing Reporting Server Database
 
-    <table>
+<table>
     <colgroup>
     <col width="50%" />
     <col width="50%" />
@@ -690,11 +659,9 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
     </tbody>
     </table>
 
-     
+### Parameters for installing Reporting Server Database
 
-    **Parameters for installing Reporting Server Database**
-
-    <table>
+<table>
     <colgroup>
     <col width="50%" />
     <col width="50%" />
@@ -733,11 +700,9 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
     </tbody>
     </table>
 
-     
+### Parameters for using an existing Management Server Database
 
-    **Parameters for using an existing Management Server Database**
-
-    <table>
+<table>
     <colgroup>
     <col width="50%" />
     <col width="50%" />
@@ -770,15 +735,13 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
     <td align="left"><p>Specifies the name of the existing management database that should be used. Example usage: <strong>/EXISITING_MANAGEMENT_DB_NAME=”AppVMgmtDB”</strong>. If /DB_PREDEPLOY_MANAGEMENT is specified, this will be ignored.</p>
     <p></p>
     <p><strong>Got a suggestion for App-V</strong>? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). <strong>Got an App-V issu</strong>e? Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).</p></td>
-    </tr>
-    </tbody>
-    </table>
-
-     
+</tr>
+</tbody>
+</table>
+  
 
 ## Related topics
 
-
 [Deploying the App-V 5.0 Server](deploying-the-app-v-50-server.md)
 
  
diff --git a/mdop/mbam-v25/how-to-move-the-mbam-25-databases.md b/mdop/mbam-v25/how-to-move-the-mbam-25-databases.md
index c8ba024eef..2a97dc6cbb 100644
--- a/mdop/mbam-v25/how-to-move-the-mbam-25-databases.md
+++ b/mdop/mbam-v25/how-to-move-the-mbam-25-databases.md
@@ -7,7 +7,7 @@ ms.pagetype: mdop, security
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.prod: w10
-ms.date: 05/23/2018
+ms.date: 06/15/2018
 ---
 
 # How to Move the MBAM 2.5 Databases
@@ -64,8 +64,8 @@ The high-level steps for moving the Recovery Database are:
 
 To automate this procedure, you can use Windows PowerShell to enter a command that is similar to the following:
 
-```syntax
-PS C:\> Stop-Website "Microsoft BitLocker Administration and Monitoring"
+```powershell
+Stop-Website "Microsoft BitLocker Administration and Monitoring"
 
 ```
 
@@ -130,8 +130,8 @@ PS C:\> Stop-Website "Microsoft BitLocker Administration and Monitoring"
 
 4.  In Windows PowerShell, run the script that is stored in the file and similar to the following:
 
-    ```syntax
-    PS C:\> Invoke-Sqlcmd -InputFile
+    ```powershell
+    Invoke-Sqlcmd -InputFile
     'Z:\BackupMBAMRecoveryandHardwarDatabaseScript.sql' -ServerInstance $SERVERNAME$\$SQLINSTANCENAME$
     ```
 5.  Use the following value to replace the values in the code example with values that match your environment:
@@ -144,24 +144,24 @@ Use Windows Explorer to move the **MBAM Compliance Status Database Data.bak** fi
 
 To automate this procedure, you can use Windows PowerShell to run a command that is similar to the following:
 
-```syntax
-PS C:\> Copy-Item “Z:\MBAM Recovery Database Data.bak”
+```powershell
+Copy-Item “Z:\MBAM Recovery Database Data.bak”
 \\$SERVERNAME$\$DESTINATIONSHARE$
 
-PS C:\> Copy-Item “Z:\SQLServerInstanceCertificateFile”
+Copy-Item “Z:\SQLServerInstanceCertificateFile”
 \\$SERVERNAME$\$DESTINATIONSHARE$
 
-PS C:\> Copy-Item “Z:\SQLServerInstanceCertificateFilePrivateKey”
+Copy-Item “Z:\SQLServerInstanceCertificateFilePrivateKey”
 \\$SERVERNAME$\$DESTINATIONSHARE$
 
 ```
 Use the information in the following table to replace the values in the code example with values that match your environment.
 
-| **Parameter**        | **Description**                                               |
-|----------------------|---------------------------------------------------------------|
-| $SERVERNAME$       | Name of the server to which the files will be copied.         |
+| **Parameter**        | **Description**  |
+|----------------------|------------------|
+| $SERVERNAME$       | Name of the server to which the files will be copied. |
 | $DESTINATIONSHARE$ | Name of the share and path to which the files will be copied. |
-|---|---|
+
 
 ### Restore the Recovery Database on Server B
 
@@ -173,7 +173,7 @@ Use the information in the following table to replace the values in the code exa
 
 4.  To automate this procedure, create a SQL file (.sql) that contains the following SQL script:
 
-    ```syntax
+    ```
     -- Restore MBAM Recovery Database.
 
     USE master
@@ -219,8 +219,8 @@ Use the information in the following table to replace the values in the code exa
 
 6.  In Windows PowerShell, run the script that is stored in the file and similar to the following:
 
-    ```syntax
-    PS C:\> Invoke-Sqlcmd -InputFile 'Z:\RestoreMBAMRecoveryandHardwarDatabaseScript.sql' -ServerInstance $SERVERNAME$\$SQLINSTANCENAME$
+    ```powershell
+    Invoke-Sqlcmd -InputFile 'Z:\RestoreMBAMRecoveryandHardwarDatabaseScript.sql' -ServerInstance $SERVERNAME$\$SQLINSTANCENAME$
     ```
 7.  Use the following value to replace the values in the code example with values that match your environment.
 
@@ -245,19 +245,19 @@ Use the information in the following table to replace the values in the code exa
 
 6.  To automate this process, you can use the Windows PowerShell command prompt to enter a command line on the Administration and Monitoring Server that is similar to the following:
 
-    ```syntax
-    PS C:\> reg add "HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\MBAM Server\\Web" /v
+    ```powershell
+    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\MBAM Server\\Web" /v
     RecoveryDBConnectionString /t REG_SZ /d "Integrated Security=SSPI;Initial
     Catalog=$DATABASE$;Data Source=$SERVERNAME$\$SQLINSTANCENAME$" /f
 
-    PS C:\> Set-WebConfigurationProperty
+    Set-WebConfigurationProperty
     'connectionStrings/add[@name="KeyRecoveryConnectionString"]' -PSPath
     "IIS:\sites\Microsoft Bitlocker Administration and
     Monitoring\MBAMAdministrationService" -Name "connectionString" -Value “Data
     Source=$SERVERNAME$\$SQLINSTANCENAME$;Initial Catalog=MBAM Recovery and
     Hardware;Integrated Security=SSPI;”
 
-    PS C:\> Set-WebConfigurationProperty
+    Set-WebConfigurationProperty
     'connectionStrings/add[\@name="Microsoft.Mbam.RecoveryAndHardwareDataStore.ConnectionString"]'
     -PSPath "IIS:\sites\Microsoft Bitlocker Administration and
     Monitoring\MBAMRecoveryAndHardwareService" -Name "connectionString" -Value
@@ -271,52 +271,11 @@ Use the information in the following table to replace the values in the code exa
 
 7.  Use the following table to replace the values in the code example with values that match your environment.
 
-    ```html
-    <table>
+   |Parameter|Description|
+   |---------|-----------|
+   |$SERVERNAME$/\$SQLINSTANCENAME$|Server name and instance of SQL Server where the Recovery Database is located.|
+   |$DATABASE$|Name of the Recovery database.|
 
-    <colgroup>
-
-    <col width="50%" />
-
-    <col width="50%" />
-
-    </colgroup>
-
-    <thead>
-
-    <tr class="header">
-
-    <th align="left">Parameter</th>
-
-    <th align="left">Description</th>
-
-    </tr>
-
-    </thead>
-
-    <tbody>
-
-    <tr class="odd">
-
-    <td align="left"><p>$SERVERNAME$\$SQLINSTANCENAME$</p></td>
-
-    <td align="left"><p>Server name and instance of SQL Server where the Recovery Database is located.</p></td>
-
-    </tr>
-
-    <tr class="even">
-
-    <td align="left"><p>$DATABASE$</p></td>
-
-    <td align="left"><p>Name of the Recovery database.</p></td>
-
-    </tr>
-
-    </tbody>
-
-    </table>
-
-    ```
 
 ### Install MBAM Server software and run the MBAM Server Configuration wizard on Server B
 
@@ -334,8 +293,8 @@ On the server that is running the Administration and Monitoring Website, use the
 
 To automate this procedure, you can use Windows PowerShell to run a command that is similar to the following:
 
-```syntax 
-PS C:\> Start-Website "Microsoft BitLocker Administration and Monitoring"
+```powershell 
+Start-Website "Microsoft BitLocker Administration and Monitoring"
 ```
 
 >[!NOTE]  
@@ -366,8 +325,8 @@ The high-level steps for moving the Compliance and Audit Database are:
 
 To automate this procedure, you can use Windows PowerShell to enter a command that is similar to the following:
 
-```syntax
-PS C:\> Stop-Website "Microsoft BitLocker Administration and Monitoring"
+```powershell
+Stop-Website "Microsoft BitLocker Administration and Monitoring"
 
 ```
 
@@ -380,8 +339,7 @@ PS C:\> Stop-Website "Microsoft BitLocker Administration and Monitoring"
 
 2.  To automate this procedure, create a SQL file (.sql) that contains the following SQL script:
 
-    ```syntax
-
+    ```
     USE master;
 
     GO
@@ -414,8 +372,8 @@ PS C:\> Stop-Website "Microsoft BitLocker Administration and Monitoring"
 
 3.  Run the script that is stored in the .sql file by using a Windows PowerShell command that is similar to the following:
 
-    ```syntax
-    PS C:\> Invoke-Sqlcmd -InputFile "Z:\BackupMBAMComplianceStatusDatabaseScript.sql" –ServerInstance     $SERVERNAME$\$SQLINSTANCENAME$
+    ```powershell
+    Invoke-Sqlcmd -InputFile "Z:\BackupMBAMComplianceStatusDatabaseScript.sql" –ServerInstance     $SERVERNAME$\$SQLINSTANCENAME$
 
     ```
 
@@ -429,10 +387,9 @@ PS C:\> Stop-Website "Microsoft BitLocker Administration and Monitoring"
 
 2.  To automate this procedure, you can use Windows PowerShell to run a command that is similar to the following:
 
-    ```syntax
-    PS C:\> Copy-Item "Z:\MBAM Compliance Status Database Data.bak"
+    ```powershell
+    Copy-Item "Z:\MBAM Compliance Status Database Data.bak"
     \\$SERVERNAME$\$DESTINATIONSHARE$
-
     ```
 
 3.  Using the following table, replace the values in the code example with values that match your environment.
@@ -441,7 +398,7 @@ PS C:\> Stop-Website "Microsoft BitLocker Administration and Monitoring"
     |----------------------|---------------------------------------------------------------|
     | $SERVERNAME$       | Name of the server to which the files will be copied.         |
     | $DESTINATIONSHARE$ | Name of the share and path to which the files will be copied. |
-    |---|---|
+    
 
 ### Restore the Compliance and Audit Database on Server B
 
@@ -453,7 +410,7 @@ PS C:\> Stop-Website "Microsoft BitLocker Administration and Monitoring"
 
 4.  To automate this procedure, create a SQL file (.sql) that contains the following SQL script:
 
-    ```syntax
+    ```
     -- Create MBAM Compliance Status Database Data logical backup devices.
 
     Use master
@@ -472,8 +429,8 @@ PS C:\> Stop-Website "Microsoft BitLocker Administration and Monitoring"
 
 5.  In Windows PowerShell, run the script that is stored in the file and similar to the following:
 
-    ```syntax
-    PS C:\> Invoke-Sqlcmd -InputFile "Z:\RestoreMBAMComplianceStatusDatabaseScript.sql" -ServerInstance $SERVERNAME$\$SQLINSTANCENAME$
+    ```powershell
+    Invoke-Sqlcmd -InputFile "Z:\RestoreMBAMComplianceStatusDatabaseScript.sql" -ServerInstance $SERVERNAME$\$SQLINSTANCENAME$
 
     ```
 
@@ -500,8 +457,8 @@ PS C:\> Stop-Website "Microsoft BitLocker Administration and Monitoring"
 
 6.  To automate this process, you can use the Windows PowerShell command prompt to enter a command line on the Administration and Monitoring Server that is similar to the following:
 
-    ```syntax
-    PS C:\> reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM Server\Web" /v
+    ```powershell
+    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM Server\Web" /v
     ComplianceDBConnectionString /t REG_SZ /d "Integrated Security=SSPI;Initial
     Catalog=$DATABASE$;Data Source=$SERVERNAME$\$SQLINSTANCENAME$" /f
 
@@ -512,52 +469,10 @@ PS C:\> Stop-Website "Microsoft BitLocker Administration and Monitoring"
 
 7.  Using the following table, replace the values in the code example with values that match your environment.
 
-    ```html
-    <table>
-
-    <colgroup>
-
-    <col width="50%" />
-
-    <col width="50%" />
-
-    </colgroup>
-
-    <thead>
-
-    <tr class="header">
-
-    <th align="left">Parameter</th>
-
-    <th align="left">Description</th>
-
-    </tr>
-
-    </thead>
-
-    <tbody>
-
-    <tr class="odd">
-
-    <td align="left"><p>$SERVERNAME$\$SQLINSTANCENAME$</p></td>
-
-    <td align="left"><p>Server name and instance of SQL Server where the Recovery Database is located.</p></td>
-
-    </tr>
-
-    <tr class="even">
-
-    <td align="left"><p>$DATABASE$</p></td>
-
-    <td align="left"><p>Name of the recovered database.</p></td>
-
-    </tr>
-
-    </tbody>
-
-    </table>
-
-    ```
+   |Parameter | Description |
+   |---------|------------|
+   |$SERVERNAME$\$SQLINSTANCENAME$ | Server name and instance of SQL Server where the Recovery Database is located.|
+   |$DATABASE$|Name of the recovered database.|
 
 ### Install MBAM Server software and run the MBAM Server Configuration wizard on Server B
 
@@ -575,8 +490,8 @@ On the server that is running the Administration and Monitoring Website, use the
 
 To automate this procedure, you can use Windows PowerShell to run a command that is similar to the following:
 
-```syntax
-PS C:\> Start-Website "Microsoft BitLocker Administration and Monitoring"
+```powershell
+Start-Website "Microsoft BitLocker Administration and Monitoring"
 
 ```
 
diff --git a/mdop/mbam-v25/illustrated-features-of-an-mbam-25-deployment.md b/mdop/mbam-v25/illustrated-features-of-an-mbam-25-deployment.md
index cc36387362..81fdf55268 100644
--- a/mdop/mbam-v25/illustrated-features-of-an-mbam-25-deployment.md
+++ b/mdop/mbam-v25/illustrated-features-of-an-mbam-25-deployment.md
@@ -7,7 +7,7 @@ ms.pagetype: mdop, security
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.prod: w10
-ms.date: 06/16/2016
+ms.date: 06/15/2018
 ---
 
 
@@ -34,178 +34,61 @@ The following image and table explain the features in an MBAM Stand-alone topolo
 
 ![mbab2\-5](images/mbam2-5-standalonecomponents.png)
 
-Feature type
-Feature
-Description
-Database
-
-Recovery Database
-
-This database stores recovery data that is collected from MBAM client computers.
-
-This feature is configured on a server running Windows Server and a supported SQL Server instance.
-
-Compliance and Audit Database
-
-This database stores compliance data, which is used primarily for the Reports that SQL Server Reporting Services hosts.
-
-This feature is configured on a server running Windows Server and a supported SQL Server instance.
-
-Compliance and Audit Reports
-
-Reporting Web Service
-
-This web service enables communication between the Administration and Monitoring Website and the SQL Server instance where reporting data is stored.
-
-This feature is installed on a server running Windows Server.
-
-Reporting Website (Administration and Monitoring Website)
-
-You view Reports from the Administration and Monitoring Website. The Reports provide recovery audit and compliance status data about the client computers in your enterprise.
-
-This feature is configured on a server running Windows Server.
-
-SQL Server Reporting Services (SSRS)
-
-Reports are configured in an SSRS database instance. Reports can be viewed directly from SSRS or from the Administration and Monitoring Website.
-
-This feature is configured on a server running Windows Server and a supported SQL Server instance that is running SSRS.
-
-Self-Service Server
-
-Self-Service Web Service
-
-This web service is used by the MBAM Client and the Administration and Monitoring Website and Self-Service Portal to communicate to the Recovery Database.
-
-This feature is installed on a computer running Windows Server.
+|Feature type|Description|Database|
+|-|-|-|
+|Recovery Database|This database stores recovery data that is collected from MBAM client computers.|This feature is configured on a server running Windows Server and a supported SQL Server instance.|
+|Compliance and Audit Database|This database stores compliance data, which is used primarily for the Reports that SQL Server Reporting Services hosts.|This feature is configured on a server running Windows Server and a supported SQL Server instance.|
+|Compliance and Audit Reports|||
+|Reporting Web Service|This web service enables communication between the Administration and Monitoring Website and the SQL Server instance where reporting data is stored.|This feature is installed on a server running Windows Server.|
+|Reporting Website (Administration and Monitoring Website)|You view Reports from the Administration and Monitoring Website. The Reports provide recovery audit and compliance status data about the client computers in your enterprise.|This feature is configured on a server running Windows Server.|
+|SQL Server Reporting Services (SSRS)|Reports are configured in an SSRS database instance. Reports can be viewed directly from SSRS or from the Administration and Monitoring Website.|This feature is configured on a server running Windows Server and a supported SQL Server instance that is running SSRS.|
+|Self-Service Server|||
+|Self-Service Web Service|This web service is used by the MBAM Client and the Administration and Monitoring Website and Self-Service Portal to communicate to the Recovery Database.|This feature is installed on a computer running Windows Server.|
+|Self-Service Website (Self-Service Portal)|This website enables end users on client computers to independently sign in to a website to get a recovery key if they lose or forget their BitLocker password.|This feature is configured on a computer running Windows Server.|
+|Administration and Monitoring Server|||
+|Administration and Monitoring Web Service|The Monitoring Web Service is used by the MBAM Client and the websites to communicate to the databases.|This feature is installed on a computer running Windows Server.|
 
 **Important**  
 The Self-Service Web Service is no longer available in Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 SP1, in which the MBAM Client, the Administration and Monitoring Website, and the Self-Service Portal communicate directly with the Recovery Database.
 
- 
-
-Self-Service Website (Self-Service Portal)
-
-This website enables end users on client computers to independently sign in to a website to get a recovery key if they lose or forget their BitLocker password.
-
-This feature is configured on a computer running Windows Server.
-
-Administration and Monitoring Server
-
-Administration and Monitoring Web Service
-
-The Monitoring Web Service is used by the MBAM Client and the websites to communicate to the databases.
-
-This feature is installed on a computer running Windows Server.
-
 **Important**  
 The Monitoring Web Service is no longer available in Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 SP1 since the MBAM Client and the websites communicate directly with the Recovery Database.
-
- 
-
-Administration and Monitoring Website (also known as the Help Desk
-
-This Website is used by Help Desk users (users with the MBAM Report Users rights) to help end users regain access to their computers when they forget their PIN or password.
-
-This feature is configured on a computer running Windows Server.
-
  
 
 ## <a href="" id="bkmk-cmintegrated"></a>System Center Configuration Manager Integration topology
 
-
 The following image and table explain the features in the System Center Configuration Manager Integration topology.
 
 ![mbam2\-5](images/mbam2-5-cmcomponents.png)
 
-Feature type
-Feature
-Description
-Self-Service Server
-
-Self-Service Web Service
-
-This web service is used by the MBAM Client and the Self-Service Portal to communicate to the Recovery Database.
-
-This feature is installed on a computer running Windows Server.
-
 **Important**  
 The Self-Service Web Service is no longer available in Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 SP1, in which the MBAM Client, the Administration and Monitoring Website, and the Self-Service Portal communicate directly with the Recovery Database.
 
- 
-
-Self-Service Website
-
-This website enables end users on client computers to independently sign in to a website to get a recovery key if they lose or forget their BitLocker password.
-
-This feature is configured on a computer running Windows Server.
-
-Administration and Monitoring Server/Recovery Audit Report
-
-Administration and Monitoring Web Service
-
-This web service enables communication between the Administration and Monitoring Website and the SQL Server databases where reporting data is stored.
-
-This feature is installed on a server running Windows Server.
-
 **Warning**  
 The Monitoring Web Service is no longer available in Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 SP1 since the MBAM Client and the websites communicate directly with the Recovery Database.
 
- 
-
-Administration and Monitoring Website
-
-The Recovery Audit report is viewed from the Administration and Monitoring Website. Use the Configuration Manager console to view all other reports, or view reports directly from SQL Server Reporting Services.
-
-This feature is configured on a server running Windows Server.
-
-Databases
-
-Recovery Database
-
-This database stores recovery data that is collected from MBAM client computers.
-
-This feature is configured on a server running Windows Server and a supported SQL Server instance.
-
-Audit Database
-
-This database stores audit information about recovery attempts and activity.
-
-This feature is configured on a server running Windows Server and a supported SQL Server instance.
-
-Configuration Manager Features
-
-Configuration Manager Management console
-
-This console is built into Configuration Manager and is used to view reports.
-
-For viewing reports only, this feature can be installed on any server or client computer.
-
-Configuration Manager Reports
-
-Reports show compliance and recovery audit data for client computers in your enterprise.
-
-The Reports feature is installed on a server running Windows Server and SSRS, and Reports run on a supported SQL Server instance. A reporting services point must be defined in Configuration Manager on the server that is running SSRS.
-
-SQL Server Reporting Services
-
-SSRS enables the MBAM Reports. Reports can be viewed directly from SSRS or from the Configuration Manager console.
-
-SSRS is installed on a server running Windows Server. A reporting services point must be defined in Configuration Manager on the server that is running SSRS.
-
- 
-
+|Feature type|Description|
+|-|-|
+|Self-Service Server|||
+|Self-Service Web Service|This web service is used by the MBAM Client and the Self-Service Portal to communicate to the Recovery Database.|This feature is installed on a computer running Windows Server.|
+|Self-Service Website|This website enables end users on client computers to independently sign in to a website to get a recovery key if they lose or forget their BitLocker password.|This feature is configured on a computer running Windows Server.|
+|Administration and Monitoring Server/Recovery Audit Report|||
+|Administration and Monitoring Web Service|This web service enables communication between the Administration and Monitoring Website and the SQL Server databases where reporting data is stored.|This feature is installed on a server running Windows Server.|
+|Administration and Monitoring Website|The Recovery Audit report is viewed from the Administration and Monitoring Website. Use the Configuration Manager console to view all other reports, or view reports directly from SQL Server Reporting Services.|This feature is configured on a server running Windows Server.|
+|Databases|||
+|Recovery Database|This database stores recovery data that is collected from MBAM client computers.|This feature is configured on a server running Windows Server and a supported SQL Server instance.|
+|Audit Database|This database stores audit information about recovery attempts and activity.|This feature is configured on a server running Windows Server and a supported SQL Server instance.|
+|Configuration Manager Features|||
+|Configuration Manager Management console|This console is built into Configuration Manager and is used to view reports.|For viewing reports only, this feature can be installed on any server or client computer.|
+|Configuration Manager Reports|Reports show compliance and recovery audit data for client computers in your enterprise.|The Reports feature is installed on a server running Windows Server and SSRS, and Reports run on a supported SQL Server instance. A reporting services point must be defined in Configuration Manager on the server that is running SSRS.|
+|SQL Server Reporting Services|SSRS enables the MBAM Reports. Reports can be viewed directly from SSRS or from the Configuration Manager console.|SSRS is installed on a server running Windows Server. A reporting services point must be defined in Configuration Manager on the server that is running SSRS.|
 
 ## Related topics
 
-
 [High-Level Architecture for MBAM 2.5](high-level-architecture-for-mbam-25.md)
 
 [Getting Started with MBAM 2.5](getting-started-with-mbam-25.md)
 
- 
-
- 
 ## Got a suggestion for MBAM?
 - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
 - For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
diff --git a/mdop/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md b/mdop/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md
index a838e4c9c7..b183080d0a 100644
--- a/mdop/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md
+++ b/mdop/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md
@@ -7,7 +7,7 @@ ms.pagetype: mdop
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.prod: w8
-ms.date: 07/26/2017
+ms.date: 06/15/2018
 ---
 
 
@@ -18,7 +18,6 @@ You can manage the feature settings of certain Microsoft Desktop Optimization Pa
 
 ## MDOP Group Policy templates
 
-
 **How to download and deploy the MDOP Group Policy templates**
 
 1.  Download the latest [MDOP Group Policy templates](https://www.microsoft.com/en-us/download/details.aspx?id=55531) 
@@ -28,17 +27,15 @@ You can manage the feature settings of certain Microsoft Desktop Optimization Pa
     **Warning**  
     Do not extract the templates directly to the Group Policy deployment directory. Multiple technologies and versions are bundled in this file.
 
-     
-
 3.  In the extracted folder, locate the technology-version .admx file. Certain MDOP technologies have multiple sets of Group Policy Objects (GPOs). For example, MBAM includes MBAM Management settings and MBAM User settings.
 
 4.  Locate the appropriate .adml file by language-culture (that is, *en-us* for English-United States).
 
 5.  Copy the .admx and .adml files to a policy definition folder. Depending on where you store the templates, you can configure Group Policy settings from the local device or from any computer on the domain.
 
-    **Local files:** To configure Group Policy settings from the local device, copy template files to the following locations:
+   - **Local files:** To configure Group Policy settings from the local device, copy template files to the following locations:
 
-    <table>
+   <table>
     <colgroup>
     <col width="50%" />
     <col width="50%" />
@@ -61,11 +58,9 @@ You can manage the feature settings of certain Microsoft Desktop Optimization Pa
     </tbody>
     </table>
 
-     
+   - **Domain central store:** To enable Group Policy settings configuration by a Group Policy administrator from any computer on the domain, copy files to the following locations on the domain controller:
 
-    **Domain central store:** To enable Group Policy settings configuration by a Group Policy administrator from any computer on the domain, copy files to the following locations on the domain controller:
-
-    <table>
+   <table>
     <colgroup>
     <col width="50%" />
     <col width="50%" />
@@ -89,9 +84,7 @@ You can manage the feature settings of certain Microsoft Desktop Optimization Pa
     </tbody>
     </table>
 
-     
-
-6.  Edit the Group Policy settings using Group Policy Management Console (GPMC) or Advanced Group Policy Management (AGPM) to configure Group Policy settings for the MDOP technology.
+6. Edit the Group Policy settings using Group Policy Management Console (GPMC) or Advanced Group Policy Management (AGPM) to configure Group Policy settings for the MDOP technology.
 
 ### MDOP Group Policy by technology
 

From 68afb6871d519437310481f93af865b63cc0a514 Mon Sep 17 00:00:00 2001
From: danhwang1 <40180973+danhwang1@users.noreply.github.com>
Date: Fri, 15 Jun 2018 18:01:23 -0700
Subject: [PATCH 092/102] Update supl-ddf-file.md

Updated an indent error.
---
 .../client-management/mdm/supl-ddf-file.md    | 197 +++++++++++++++++-
 1 file changed, 196 insertions(+), 1 deletion(-)

diff --git a/windows/client-management/mdm/supl-ddf-file.md b/windows/client-management/mdm/supl-ddf-file.md
index e6ed98d713..0fe52da790 100644
--- a/windows/client-management/mdm/supl-ddf-file.md
+++ b/windows/client-management/mdm/supl-ddf-file.md
@@ -171,7 +171,7 @@ The XML below is the current version for this CSP.
                 </DFProperties>
               </Node>
               <Node>
-                <NodeName>MCCMNPairs</NodeName>
+                <NodeName>MCCMNCPairs</NodeName>
                 <DFProperties>
                   <AccessType>
                     <Get />
@@ -477,7 +477,202 @@ The XML below is the current version for this CSP.
                       <DDFName></DDFName>
                     </DFType>
                   </DFProperties>
+                </Node>                
+              </Node>
+              <Node>
+                <NodeName>RootCertificate4</NodeName>
+                <DFProperties>
+                  <AccessType>
+                    <Get />
+                  </AccessType>
+                  <Description>Specifies the root certificate for the H-SLP server.</Description>
+                  <DFFormat>
+                    <node />
+                  </DFFormat>
+                  <Occurrence>
+                    <One />
+                  </Occurrence>
+                  <Scope>
+                    <Permanent />
+                  </Scope>
+                  <DFType>
+                    <DDFName></DDFName>
+                  </DFType>
+                </DFProperties>
+                <Node>
+                  <NodeName>Name</NodeName>
+                  <DFProperties>
+                    <AccessType>
+                      <Get />
+                      <Replace />
+                    </AccessType>
+                    <Description>Specifies the name of the H-SLP root certificate as a string, in the format name.cer.</Description>
+                    <DFFormat>
+                      <chr />
+                    </DFFormat>
+                    <Occurrence>
+                      <One />
+                    </Occurrence>
+                    <Scope>
+                      <Permanent />
+                    </Scope>
+                    <DFType>
+                      <MIME>text/plain</MIME>
+                    </DFType>
+                  </DFProperties>
                 </Node>
+                <Node>
+                  <NodeName>Data</NodeName>
+                  <DFProperties>
+                    <AccessType>
+                      <Get />
+                      <Replace />
+                    </AccessType>
+                    <Description>The base 64 encoded blob of the H-SLP root certificate.</Description>
+                    <DFFormat>
+                      <b64 />
+                    </DFFormat>
+                    <Occurrence>
+                      <One />
+                    </Occurrence>
+                    <Scope>
+                      <Permanent />
+                    </Scope>
+                    <DFType>
+                      <DDFName></DDFName>
+                    </DFType>
+                  </DFProperties>
+                </Node>                
+              </Node>
+              <Node>
+                <NodeName>RootCertificate5</NodeName>
+                <DFProperties>
+                  <AccessType>
+                    <Get />
+                  </AccessType>
+                  <Description>Specifies the root certificate for the H-SLP server.</Description>
+                  <DFFormat>
+                    <node />
+                  </DFFormat>
+                  <Occurrence>
+                    <One />
+                  </Occurrence>
+                  <Scope>
+                    <Permanent />
+                  </Scope>
+                  <DFType>
+                    <DDFName></DDFName>
+                  </DFType>
+                </DFProperties>
+                <Node>
+                  <NodeName>Name</NodeName>
+                  <DFProperties>
+                    <AccessType>
+                      <Get />
+                      <Replace />
+                    </AccessType>
+                    <Description>Specifies the name of the H-SLP root certificate as a string, in the format name.cer.</Description>
+                    <DFFormat>
+                      <chr />
+                    </DFFormat>
+                    <Occurrence>
+                      <One />
+                    </Occurrence>
+                    <Scope>
+                      <Permanent />
+                    </Scope>
+                    <DFType>
+                      <MIME>text/plain</MIME>
+                    </DFType>
+                  </DFProperties>
+                </Node>
+                <Node>
+                  <NodeName>Data</NodeName>
+                  <DFProperties>
+                    <AccessType>
+                      <Get />
+                      <Replace />
+                    </AccessType>
+                    <Description>The base 64 encoded blob of the H-SLP root certificate.</Description>
+                    <DFFormat>
+                      <b64 />
+                    </DFFormat>
+                    <Occurrence>
+                      <One />
+                    </Occurrence>
+                    <Scope>
+                      <Permanent />
+                    </Scope>
+                    <DFType>
+                      <DDFName></DDFName>
+                    </DFType>
+                  </DFProperties>
+                </Node>                
+              </Node>
+              <Node>
+                <NodeName>RootCertificate6</NodeName>
+                <DFProperties>
+                  <AccessType>
+                    <Get />
+                  </AccessType>
+                  <Description>Specifies the root certificate for the H-SLP server.</Description>
+                  <DFFormat>
+                    <node />
+                  </DFFormat>
+                  <Occurrence>
+                    <One />
+                  </Occurrence>
+                  <Scope>
+                    <Permanent />
+                  </Scope>
+                  <DFType>
+                    <DDFName></DDFName>
+                  </DFType>
+                </DFProperties>
+                <Node>
+                  <NodeName>Name</NodeName>
+                  <DFProperties>
+                    <AccessType>
+                      <Get />
+                      <Replace />
+                    </AccessType>
+                    <Description>Specifies the name of the H-SLP root certificate as a string, in the format name.cer.</Description>
+                    <DFFormat>
+                      <chr />
+                    </DFFormat>
+                    <Occurrence>
+                      <One />
+                    </Occurrence>
+                    <Scope>
+                      <Permanent />
+                    </Scope>
+                    <DFType>
+                      <MIME>text/plain</MIME>
+                    </DFType>
+                  </DFProperties>
+                </Node>
+                <Node>
+                  <NodeName>Data</NodeName>
+                  <DFProperties>
+                    <AccessType>
+                      <Get />
+                      <Replace />
+                    </AccessType>
+                    <Description>The base 64 encoded blob of the H-SLP root certificate.</Description>
+                    <DFFormat>
+                      <b64 />
+                    </DFFormat>
+                    <Occurrence>
+                      <One />
+                    </Occurrence>
+                    <Scope>
+                      <Permanent />
+                    </Scope>
+                    <DFType>
+                      <DDFName></DDFName>
+                    </DFType>
+                  </DFProperties>
+                </Node>                
               </Node>
             </Node>
           </Node>

From 9e7cbc736ea7b92fe643d6da1cc7b144ea753103 Mon Sep 17 00:00:00 2001
From: Chris Nylen <30357366+chnylen@users.noreply.github.com>
Date: Mon, 18 Jun 2018 09:37:30 -0400
Subject: [PATCH 093/102] Update credential-guard-requirements.md

Clarifying TPM requirements. Line 97 states that TPM 1.2 is supported as well as 2.0.
---
 .../credential-guard/credential-guard-requirements.md           | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
index 0e81b79e6d..7d32f96c99 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
@@ -28,7 +28,7 @@ For Windows Defender Credential Guard to provide protection, the computers you a
 To provide basic protections against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Windows Defender Credential Guard uses:
 - Support for Virtualization-based security (required)
 - Secure boot (required)
-- TPM 2.0 either discrete or firmware (preferred - provides binding to hardware)
+- TPM 1.2 or 2.0, either discrete or firmware (preferred - provides binding to hardware)
 - UEFI lock (preferred - prevents attacker from disabling with a simple registry key change)
 
 The Virtualization-based security requires:

From 6ebc7791f5bfb0102fe1d142ee49cba1df252c7b Mon Sep 17 00:00:00 2001
From: Justin Hall <Justinha@microsoft.com>
Date: Mon, 18 Jun 2018 09:14:19 -0700
Subject: [PATCH 094/102] moved steps to create the cert template

---
 .../bitlocker-how-to-enable-network-unlock.md | 80 +++++++++----------
 1 file changed, 40 insertions(+), 40 deletions(-)

diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
index 7ed9c2166c..0b99703f80 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: brianlic-msft
-ms.date: 04/19/2017
+ms.date: 06/18/2018
 ---
 
 # BitLocker: How to enable Network Unlock
@@ -83,7 +83,7 @@ The server side configuration to enable Network Unlock also requires provisionin
 
 The following steps allow an administrator to configure Network Unlock in a domain where the Domain Functional Level is at least Windows Server 2012.
 
-### <a href="" id="bkmk-stepone"></a>Step One: Install the WDS Server role
+### Install the WDS Server role
 
 The BitLocker Network Unlock feature will install the WDS role if it is not already installed. If you want to install it separately before you install BitLocker Network Unlock you can use Server Manager or Windows PowerShell. To install the role using Server Manager, select the **Windows Deployment Services** role in Server Manager.
 
@@ -95,7 +95,7 @@ Install-WindowsFeature WDS-Deployment
 
 You must configure the WDS server so that it can communicate with DHCP (and optionally Active Directory Doman Services) and the client computer. You can do using the WDS management tool, wdsmgmt.msc, which starts the Windows Deployment Services Configuration Wizard.
 
-### <a href="" id="bkmk-steptwo"></a>Step Two: Confirm the WDS Service is running
+### Confirm the WDS Service is running
 
 To confirm the WDS service is running, use the Services Management Console or Windows PowerShell. To confirm the service is running in Services Management Console, open the console using **services.msc** and check the status of the Windows Deployment Services service.
 
@@ -104,7 +104,7 @@ To confirm the service is running using Windows PowerShell, use the following co
 ``` syntax
 Get-Service WDSServer
 ```
-### <a href="" id="bkmk-stepthree"></a>Step Three: Install the Network Unlock feature
+### Install the Network Unlock feature
 
 To install the Network Unlock feature, use Server Manager or Windows PowerShell. To install the feature using Server Manager, select the **BitLocker Network Unlock** feature in the Server Manager console.
 
@@ -113,7 +113,37 @@ To install the feature using Windows PowerShell, use the following command:
 ``` syntax
 Install-WindowsFeature BitLocker-NetworkUnlock
 ```
-### <a href="" id="bkmk-stepfour"></a>Step Four: Create the Network Unlock certificate
+### Create the certificate template for Network Unlock
+
+A properly configured Active Directory Services Certification Authority can use this certificate template to create and issue Network Unlock certificates.
+
+1.  Open the Certificates Template snap-in (certtmpl.msc).
+2.  Locate the User template. Right-click the template name and select **Duplicate Template**.
+3.  On the **Compatibility** tab, change the **Certification Authority** and **Certificate recipient** fields to Windows Server 2012 and Windows 8 respectively. Ensure the **Show resulting changes** dialog box is selected.
+4.  Select the **General** tab of the template. The **Template display name** and **Template name** should clearly identify that the template will be used for Network Unlock. Clear the checkbox for the **Publish certificate in Active Directory** option.
+5.  Select the **Request Handling** tab. Select **Encryption** from the **Purpose** drop down menu. Ensure the **Allow private key to be exported** option is selected.
+6.  Select the **Cryptography** tab. Set the **Minimum key size** to 2048. (Any Microsoft cryptographic provider that supports RSA can be used for this template, but for simplicity and forward compatibility we recommend using the **Microsoft Software Key Storage Provider**.)
+7.  Select the **Requests must use one of the following providers** option and clear all options except for the cryptography provider you selected, such as the **Microsoft Software Key Storage Provider**.
+8.  Select the **Subject Name** tab. Select **Supply in the request**. Select **OK** if the certificate templates pop-up dialog appears.
+9.  Select the **Issuance Requirements** tab. Select both **CA certificate manager approval** and **Valid existing certificate** options.
+10. Select the **Extensions** tab. Select **Application Policies** and choose **Edit…**.
+11. In the **Edit Application Policies Extension** options dialog box, select **Client Authentication**, **Encrypting File System**, **and Secure Email** and choose **Remove**.
+12. On the **Edit Application Policies Extension** dialog box, select **Add**.
+13. On the **Add Application Policy** dialog box, select **New**. In the **New Application Policy** dialog box enter the following information in the space provided and then click **OK** to create the BitLocker Network Unlock application policy:
+
+    -   **Name:** **BitLocker Network Unlock**
+    -   **Object Identifier:** **1.3.6.1.4.1.311.67.1.1**
+
+14. Select the newly created **BitLocker Network Unlock** application policy and select **OK**.
+15. With the **Extensions** tab still open, select the **Edit Key Usage Extension** dialog, select the **Allow key exchange only with key encryption (key encipherment)** option. Select the **Make this extension critical** option.
+16. Select the **Security** tab. Confirm that the **Domain Admins** group has been granted **Enroll** permission.
+17. Select **OK** to complete configuration of the template.
+
+To add the Network Unlock template to the Certification Authority, open the Certification Authority snap-in (certsrv.msc). Right-click the **Certificate Templates** item and choose **New, Certificate Template to issue**. Select the previously created BitLocker Network Unlock certificate.
+
+After adding the Network Unlock template to the Certification Authority, this certificate can be used to configure BitLocker Network Unlock.
+
+### Create the Network Unlock certificate
 
 Network Unlock can use imported certificates from an existing PKI infrastructure, or you can use a self-signed certificate.
 
@@ -184,7 +214,7 @@ Certreq example:
 5.  Launch Certificates - Local Machine by running **certlm.msc**.
 6.  Create a .pfx file by opening the **Certificates – Local Computer\\Personal\\Certificates** path in the navigation pane, right-clicking the previously imported certificate, selecting **All Tasks**, then **Export**. Follow through the wizard to create the .pfx file.
 
-### <a href="" id="bkmk-stepfive"></a>Step Five: Deploy the private key and certificate to the WDS server
+### Deploy the private key and certificate to the WDS server
 
 With the certificate and key created, deploy them to the infrastructure to properly unlock systems. To deploy the certificates, do the following:
 
@@ -193,7 +223,7 @@ With the certificate and key created, deploy them to the infrastructure to prope
 3.  In the **File to Import** dialog, choose the .pfx file created previously.
 4.  Enter the password used to create the .pfx and complete the wizard.
 
-### <a href="" id="bkmk-stepsix"></a>Step Six: Configure Group Policy settings for Network Unlock
+### Configure Group Policy settings for Network Unlock
 
 With certificate and key deployed to the WDS server for Network Unlock, the final step is to use Group Policy settings to deploy the public key certificate to computers that you want to be able to unlock using the Network Unlock key. Group Policy settings for BitLocker can be found under **\\Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption** using the Local Group Policy Editor or the Microsoft Management Console.
 
@@ -218,7 +248,7 @@ The following steps describe how to deploy the required Group Policy setting:
 
 >**Note:**  Only one network unlock certificate can be available at a time. If a new certificate is required, delete the current certificate before deploying a new one. The Network Unlock certificate is located in the **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP** key on the client computer.
  
-### <a href="" id="bkmk-stepseven"></a>Step Seven: Require TPM+PIN protectors at startup
+### Require TPM+PIN protectors at startup
 
 An additional step is for enterprises to use TPM+PIN protectors for an extra level of security. To require TPM+PIN protectors in an environment, do the following:
 
@@ -226,36 +256,6 @@ An additional step is for enterprises to use TPM+PIN protectors for an extra lev
 2.  Enable the policy **Require additional authentication at startup** and select the **Require startup PIN with TPM** option.
 3.  Turn on BitLocker with TPM+PIN protectors on all domain-joined computers.
 
-### <a href="" id="bkmk-createcerttmpl"></a>Create the certificate template for Network Unlock
-
-The following steps detail how to create a certificate template for use with BitLocker Network Unlock. A properly configured Active Directory Services Certification Authority can use this certificate to create and issue Network Unlock certificates.
-
-1.  Open the Certificates Template snap-in (certtmpl.msc).
-2.  Locate the User template. Right-click the template name and select **Duplicate Template**.
-3.  On the **Compatibility** tab, change the **Certification Authority** and **Certificate recipient** fields to Windows Server 2012 and Windows 8 respectively. Ensure the **Show resulting changes** dialog box is selected.
-4.  Select the **General** tab of the template. The **Template display name** and **Template name** should clearly identify that the template will be used for Network Unlock. Clear the checkbox for the **Publish certificate in Active Directory** option.
-5.  Select the **Request Handling** tab. Select **Encryption** from the **Purpose** drop down menu. Ensure the **Allow private key to be exported** option is selected.
-6.  Select the **Cryptography** tab. Set the **Minimum key size** to 2048. (Any Microsoft cryptographic provider that supports RSA can be used for this template, but for simplicity and forward compatibility we recommend using the **Microsoft Software Key Storage Provider**.)
-7.  Select the **Requests must use one of the following providers** option and clear all options except for the cryptography provider you selected, such as the **Microsoft Software Key Storage Provider**.
-8.  Select the **Subject Name** tab. Select **Supply in the request**. Select **OK** if the certificate templates pop-up dialog appears.
-9.  Select the **Issuance Requirements** tab. Select both **CA certificate manager approval** and **Valid existing certificate** options.
-10. Select the **Extensions** tab. Select **Application Policies** and choose **Edit…**.
-11. In the **Edit Application Policies Extension** options dialog box, select **Client Authentication**, **Encrypting File System**, **and Secure Email** and choose **Remove**.
-12. On the **Edit Application Policies Extension** dialog box, select **Add**.
-13. On the **Add Application Policy** dialog box, select **New**. In the **New Application Policy** dialog box enter the following information in the space provided and then click **OK** to create the BitLocker Network Unlock application policy:
-
-    -   **Name:** **BitLocker Network Unlock**
-    -   **Object Identifier:** **1.3.6.1.4.1.311.67.1.1**
-
-14. Select the newly created **BitLocker Network Unlock** application policy and select **OK**.
-15. With the **Extensions** tab still open, select the **Edit Key Usage Extension** dialog, select the **Allow key exchange only with key encryption (key encipherment)** option. Select the **Make this extension critical** option.
-16. Select the **Security** tab. Confirm that the **Domain Admins** group has been granted **Enroll** permission.
-17. Select **OK** to complete configuration of the template.
-
-To add the Network Unlock template to the Certification Authority, open the Certification Authority snap-in (certsrv.msc). Right-click the **Certificate Templates** item and choose **New, Certificate Template to issue**. Select the previously created BitLocker Network Unlock certificate.
-
-After adding the Network Unlock template to the Certification Authority, this certificate can be used to configure BitLocker Network Unlock.
-
 ### Subnet policy configuration files on WDS Server (Optional)
 
 By default, all clients with the correct Network Unlock Certificate and valid Network Unlock protectors that have wired access to a Network Unlock-enabled WDS server via DHCP are unlocked by the server. A subnet policy configuration file on the WDS server can be created to limit which subnet(s) Network Unlock clients can use to unlock.
@@ -285,13 +285,13 @@ The subnet policy configuration file must use a “\[SUBNETS\]” section to ide
 
 To disallow the use of a certificate altogether, its subnet list may contain the line “DISABLED".
 
-### <a href="" id="bkmk-turnoffnetworkunlock"></a>Turning off Network Unlock
+## Turning off Network Unlock
 
 To turn off the unlock server, the PXE provider can be unregistered from the WDS server or uninstalled altogether. However, to stop clients from creating Network Unlock protectors the **Allow Network Unlock at startup** Group Policy setting should be disabled. When this policy setting is updated to disabled on client computers any Network Unlock key protectors on the computer will be deleted. Alternatively, the BitLocker Network Unlock certificate policy can be deleted on the domain controller to accomplish the same task for an entire domain.
 
 >**Note:**  Removing the FVENKP certificate store that contains the Network Unlock certificate and key on the WDS server will also effectively disable the server’s ability to respond to unlock requests for that certificate. However, this is seen as an error condition and is not a supported or recommended method for turning off the Network Unlock server.
  
-### <a href="" id="bkmk-updatecerts"></a>Update Network Unlock certificates
+## Update Network Unlock certificates
 
 To update the certificates used by Network Unlock, administrators need to import or generate the new certificate for the server and then update the Network Unlock certificate Group Policy setting on the domain controller.
 

From 3af088fa761532e1cdd483deeec31dfd886494e9 Mon Sep 17 00:00:00 2001
From: Heidi Lohr <helohr@microsoft.com>
Date: Mon, 18 Jun 2018 09:21:42 -0700
Subject: [PATCH 095/102] Updated metadata

---
 ...-configure-access-to-packages-with-the-management-console.md | 2 +-
 ...configure-connection-groups-to-ignore-the-package-version.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md b/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md
index 40fdccf15e..3423d1c211 100644
--- a/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md
@@ -6,7 +6,7 @@ ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.prod: w10
-ms.date: 06/15/2018
+ms.date: 06/18/2018
 ---
 # How to configure access to packages by using the Management Console
 
diff --git a/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md b/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md
index c097aa2216..8c896d56e2 100644
--- a/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md
+++ b/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md
@@ -6,7 +6,7 @@ ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.prod: w10
-ms.date: 06/15/2018
+ms.date: 06/18/2018
 ---
 # How to make a connection group ignore the package version
 

From c0e13999bf913fd7a52ce15e35ea117c928f802f Mon Sep 17 00:00:00 2001
From: Jason Groce <jasgro@microsoft.com>
Date: Mon, 18 Jun 2018 16:39:12 +0000
Subject: [PATCH 096/102] Merged PR 9133: Adding text for overview heading

Adding text for overview heading; there was an anchor link there but no text.
---
 .../information-protection/bitlocker/bitlocker-overview.md   | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview.md b/windows/security/information-protection/bitlocker/bitlocker-overview.md
index 37b3f8e0ef..2cccdefa60 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-overview.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-overview.md
@@ -18,12 +18,11 @@ ms.date: 10/16/2017
 
 This topic provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features.
 
-## <a href="" id="bkmk-over"></a>
+## <a href="" id="bkmk-over"></a>BitLocker overview
 
 BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.
 
-BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later. The TPM is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been 
-tampered with while the system was offline.
+BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later. The TPM is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline.
 
 On computers that do not have a TPM version 1.2 or later, you can still use BitLocker to encrypt the Windows operating system drive. However, this implementation will require the user to insert a USB startup key to start the computer or resume from hibernation. Starting with Windows 8, you can use an operating system volume password to protect the operating system volume on a computer without TPM. Both options do not provide the pre-startup system integrity verification offered by BitLocker with a TPM.
 

From 4c3c32b5d389d1592b4f0d11baeec5b697eef314 Mon Sep 17 00:00:00 2001
From: Joey Caparas <macapara@microsoft.com>
Date: Mon, 18 Jun 2018 10:05:01 -0700
Subject: [PATCH 097/102] update date

---
 ...ard-downlevel-windows-defender-advanced-threat-protection.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md
index dea7005b3f..fd94b42fc9 100644
--- a/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 06/17/2018
+ms.date: 06/18/2018
 ---
 
 # Onboard previous versions of Windows

From 5326b3bc2a6e099e5fa2546c57b37549982a5e13 Mon Sep 17 00:00:00 2001
From: Joey Caparas <macapara@microsoft.com>
Date: Mon, 18 Jun 2018 10:10:18 -0700
Subject: [PATCH 098/102] date

---
 ...ard-downlevel-windows-defender-advanced-threat-protection.md | 2 +-
 .../preview-windows-defender-advanced-threat-protection.md      | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md
index fd94b42fc9..940c705412 100644
--- a/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md
@@ -1,7 +1,7 @@
 ---
 title: Onboard previous versions of Windows on Windows Defender ATP
 description: Onboard supported previous versions of Windows machines so that they can send sensor data to the Windows Defender ATP sensor
-keywords: onboard, windows, 7, oms, sp1, enterprise, pro, down level
+keywords: onboard, windows, 7, 81, oms, sp1, enterprise, pro, down level
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
index 13702b6849..ed796f2f36 100644
--- a/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 06/11/2018
+ms.date: 06/18/2018
 ---
 
 # Windows Defender ATP preview features

From 122ab1e235c9123eaa426f83a94f55fb821426cd Mon Sep 17 00:00:00 2001
From: Justin Hall <Justinha@microsoft.com>
Date: Mon, 18 Jun 2018 10:23:42 -0700
Subject: [PATCH 099/102] added link to how to unblock vsc

---
 .../virtual-smart-card-deploy-virtual-smart-cards.md        | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
index d68c571a53..06c5e2b538 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
@@ -64,7 +64,7 @@ A TPM virtual smart card simulates a physical smart card, and it uses the TPM to
 -   **Isolated cryptography**: TPMs provide the same properties of isolated cryptography that is offered by physical smart cards, and this is utilized by virtual smart cards. Unencrypted copies of private keys are loaded only within the TPM and never into memory that is accessible by the operating system. All cryptographic operations with these private keys occur inside the TPM.
 
 -   **Anti-hammering**: If a user enters a PIN incorrectly, the virtual smart card responds by using the anti-hammering logic of the TPM, which rejects further attempts for a period of time instead of blocking the card. This is also known as lockout.
-    For more information, see [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md).
+    For more information, see [Blocked virtual smart card](#blocked-virtual-smart-card) and [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md). 
 
 There are several options for creating virtual smart cards, depending on the size of the deployment and budget of the organization. The lowest cost option is using Tpmvscmgr.exe to create cards individually on users’ computers. Alternatively, a virtual smart card management solution can be purchased to more easily accomplish virtual smart card creation on a larger scale and aid in further phases of deployment. Virtual smart cards can be created on computers that are to be provisioned for an employee or on those that are already in an employee’s possession. In either approach, there should be some central control over personalization and provisioning. If a computer is intended for use by multiple employees, multiple virtual smart cards can be created on a computer.
 
@@ -261,7 +261,9 @@ The most common scenario in an organization is reissuing virtual smart cards, wh
 
 #### Blocked virtual smart card
 
-The anti-hammering behavior of a TPM virtual smart card is different from that of a physical smart card. A physical smart card blocks itself after the user enters the wrong PIN a few times. A TPM virtual smart card enters a timed delay after the user enters the wrong PIN a few times. If the TPM is in the timed-delay mode, when the user attempts to use the TPM virtual smart card, the user is notified that the card is blocked. Furthermore, if you enable the integrated unlock functionality, the user can see the user interface to unlock the virtual smart card. Unlocking the virtual smart card does not reset the TPM lockout. The user needs to perform an extra step to reset the TPM lockout or wait for the timed delay to expire.
+The anti-hammering behavior of a TPM virtual smart card is different from that of a physical smart card. A physical smart card blocks itself after the user enters the wrong PIN a few times. A TPM virtual smart card enters a timed delay after the user enters the wrong PIN a few times. If the TPM is in the timed-delay mode, when the user attempts to use the TPM virtual smart card, the user is notified that the card is blocked. Furthermore, if you enable the integrated unlock functionality, the user can see the user interface to unlock the virtual smart card and change the PIN. Unlocking the virtual smart card does not reset the TPM lockout. The user needs to perform an extra step to reset the TPM lockout or wait for the timed delay to expire.
+
+For more information about setting the Allow Integrated Unblock policy, see [Allow Integrated Unblock screen to be displayed at the time of logon](https://docs.microsoft.com/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings#allow-integrated-unblock-screen-to-be-displayed-at-the-time-of-logon).
 
 ## See also
 

From ed5a4444a7be5a778a785925d376e3cf67602f0f Mon Sep 17 00:00:00 2001
From: Joey Caparas <macapara@microsoft.com>
Date: Mon, 18 Jun 2018 11:16:23 -0700
Subject: [PATCH 100/102] update top level onboard topic

---
 ...ows-defender-advanced-threat-protection.md | 139 +++++++++---------
 1 file changed, 70 insertions(+), 69 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md
index e5ee209594..d46258d563 100644
--- a/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md
@@ -1,70 +1,71 @@
----
-title: Onboard machines to the Windows Defender ATP service
-description: Onboard Windows 10 machines, servers, non-Windows machines and learn how to run a detection test.
-keywords: onboarding, windows defender advanced threat protection onboarding, windows atp onboarding, sccm, group policy, mdm, local script, detection test
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: high
-ms.date: 04/24/2018
----
-
-# Onboard machines to the Windows Defender ATP service
-
-**Applies to:**
-
-- Windows 10 Enterprise
-- Windows 10 Education
-- Windows 10 Pro
-- Windows 10 Pro Education
-- macOS
-- Linux
-- Windows Server 2012 R2
-- Windows Server 2016
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
-[!include[Prerelease information](prerelease.md)]
-
->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
-
-You need to onboard to Windows Defender ATP before you can use the service.
-
-For more information, see [Onboard your Windows 10 machines to Windows Defender ATP](https://www.youtube.com/watch?v=JT7VGYfeRlA&feature=youtu.be).
-
-## Licensing requirements
-Windows Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:
-
-  -	Windows 10 Enterprise E5
-  -	Windows 10 Education E5
-  - Microsoft 365 Enterprise E5 which includes Windows 10 Enterprise E5
-
-For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us/Licensing/product-licensing/windows10.aspx#tab=2).
-
-## Windows Defender Antivirus configuration requirement
-The Windows Defender ATP agent depends on the ability of Windows Defender Antivirus to scan files and provide information about them. 
-
-You must configure the signature updates on the Windows Defender ATP machines whether Windows Defender Antivirus is the active antimalware or not. For more information, see [Manage Windows Defender Antivirus updates and apply baselines](../windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md).
-
-When Windows Defender Antivirus is not the active antimalware in your organization and you use the Windows Defender ATP service, Windows Defender Antivirus goes on passive mode. If your organization has disabled Windows Defender Antivirus through group policy or other methods, machines that are onboarded to Windows Defender ATP must be excluded from this group policy.
-
-If you are onboarding servers and Windows Defender Antivirus is not the active antimalware on your servers, you shouldn't uninstall Windows Defender Antivirus. You'll need to configure it to run on passive mode. For more information, see [Onboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md).
-
-
-For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
-
-
-## In this section
-Topic | Description
-:---|:---
-[Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md) | You'll need to onboard machines for it to report to the Windows Defender ATP service. Learn about the tools and methods you can use to configure machines in your enterprise.
-[Onboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md) |  Onboard Windows Server 2012 R2 and Windows Server 2016 to Windows Defender ATP 
-[Onboard non-Windows machines](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md) | Windows Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in the Windows Defender ATP portal and better protect your organization's network. This experience leverages on a third-party security products' sensor data. 
-[Run a detection test on a newly onboarded machine](run-detection-test-windows-defender-advanced-threat-protection.md) | Run a script on a newly onboarded machine to verify that it is properly reporting to the Windows Defender ATP service.
-[Configure proxy and Internet settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)| Enable communication with the Windows Defender ATP cloud service by configuring the proxy and Internet connectivity settings.
-[Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) | Learn about resolving issues that might arise during onboarding.
-
+---
+title: Onboard machines to the Windows Defender ATP service
+description: Onboard Windows 10 machines, servers, non-Windows machines and learn how to run a detection test.
+keywords: onboarding, windows defender advanced threat protection onboarding, windows atp onboarding, sccm, group policy, mdm, local script, detection test
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 06/18/2018
+---
+
+# Onboard machines to the Windows Defender ATP service
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- macOS
+- Linux
+- Windows Server 2012 R2
+- Windows Server 2016
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
+
+You need to onboard to Windows Defender ATP before you can use the service.
+
+For more information, see [Onboard your Windows 10 machines to Windows Defender ATP](https://www.youtube.com/watch?v=JT7VGYfeRlA&feature=youtu.be).
+
+## Licensing requirements
+Windows Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:
+
+  -	Windows 10 Enterprise E5
+  -	Windows 10 Education E5
+  - Microsoft 365 Enterprise E5 which includes Windows 10 Enterprise E5
+
+For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us/Licensing/product-licensing/windows10.aspx#tab=2).
+
+## Windows Defender Antivirus configuration requirement
+The Windows Defender ATP agent depends on the ability of Windows Defender Antivirus to scan files and provide information about them. 
+
+You must configure the signature updates on the Windows Defender ATP machines whether Windows Defender Antivirus is the active antimalware or not. For more information, see [Manage Windows Defender Antivirus updates and apply baselines](../windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md).
+
+When Windows Defender Antivirus is not the active antimalware in your organization and you use the Windows Defender ATP service, Windows Defender Antivirus goes on passive mode. If your organization has disabled Windows Defender Antivirus through group policy or other methods, machines that are onboarded to Windows Defender ATP must be excluded from this group policy.
+
+If you are onboarding servers and Windows Defender Antivirus is not the active antimalware on your servers, you shouldn't uninstall Windows Defender Antivirus. You'll need to configure it to run on passive mode. For more information, see [Onboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md).
+
+
+For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
+
+
+## In this section
+Topic | Description
+:---|:---
+[Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md) | You'll need to onboard machines for it to report to the Windows Defender ATP service. Learn about the tools and methods you can use to configure machines in your enterprise.
+[Onboard previous versions of Windows](onboard-configure-windows-defender-advanced-threat-protection
.md)|
+[Onboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md) |  Onboard Windows Server 2012 R2 and Windows Server 2016 to Windows Defender ATP 
+[Onboard non-Windows machines](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md) | Windows Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in the Windows Defender ATP portal and better protect your organization's network. This experience leverages on a third-party security products' sensor data. 
+[Run a detection test on a newly onboarded machine](run-detection-test-windows-defender-advanced-threat-protection.md) | Run a script on a newly onboarded machine to verify that it is properly reporting to the Windows Defender ATP service.
+[Configure proxy and Internet settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)| Enable communication with the Windows Defender ATP cloud service by configuring the proxy and Internet connectivity settings.
+[Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) | Learn about resolving issues that might arise during onboarding.
+
 >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
\ No newline at end of file

From 3eff6b0f71ec0c7efcd1d36a015d08a1ba72174b Mon Sep 17 00:00:00 2001
From: Joey Caparas <macapara@microsoft.com>
Date: Mon, 18 Jun 2018 11:34:26 -0700
Subject: [PATCH 101/102] add downlevel support

---
 ...ard-configure-windows-defender-advanced-threat-protection.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md
index d46258d563..2c409b2bbb 100644
--- a/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md
@@ -61,7 +61,7 @@ For more information, see [Windows Defender Antivirus compatibility](../windows-
 Topic | Description
 :---|:---
 [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md) | You'll need to onboard machines for it to report to the Windows Defender ATP service. Learn about the tools and methods you can use to configure machines in your enterprise.
-[Onboard previous versions of Windows](onboard-configure-windows-defender-advanced-threat-protection
.md)|
+[Onboard previous versions of Windows](onboard-downlevel-windows-defender-advanced-threat-protection.md)| Onboard Windows 7 and Windows 8.1 machines to Windows Defender ATP 
 [Onboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md) |  Onboard Windows Server 2012 R2 and Windows Server 2016 to Windows Defender ATP 
 [Onboard non-Windows machines](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md) | Windows Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in the Windows Defender ATP portal and better protect your organization's network. This experience leverages on a third-party security products' sensor data. 
 [Run a detection test on a newly onboarded machine](run-detection-test-windows-defender-advanced-threat-protection.md) | Run a script on a newly onboarded machine to verify that it is properly reporting to the Windows Defender ATP service.

From 76e170355cc65fa23b5d297d37c57e92821b782f Mon Sep 17 00:00:00 2001
From: Joey Caparas <macapara@microsoft.com>
Date: Mon, 18 Jun 2018 11:39:56 -0700
Subject: [PATCH 102/102] remove dns

---
 ...blocked-list-windows-defender-advanced-threat-protection.md | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md
index 824dbb804b..27426578b6 100644
--- a/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md
@@ -42,8 +42,7 @@ You can define the conditions for when entities are identified as malicious or s
    - File hash
    - Certificate
    - IP address
-   - DNS
-
+  
 3. Click **Add system exclusion**.
 
 4. For each attribute specify the exclusion type, details, and their corresponding required values.