diff --git a/.gitignore b/.gitignore
index 604950802e..a39f55da7b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -12,4 +12,4 @@ Tools/NuGet/
 packages.config
 # User-specific files
-.vs/
\ No newline at end of file
+.vs/
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 3563a2122e..78c7959ac0 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -1,1059 +1,1094 @@
 {
- "redirections": [
- {
- "source_path": "windows/manage/waas-quick-start.md",
- "redirect_url": "/itpro/windows/update/waas-quick-start",
- "redirect_document_id": true
- },
- {
- "source_path": "windows/manage/waas-overview.md",
- "redirect_url": "/itpro/windows/update/waas-overview",
- "redirect_document_id": true
- },
- {
- "source_path": "windows/manage/waas-servicing-strategy-windows-10-updates.md",
- "redirect_url": "/itpro/windows/update/waas-servicing-strategy-windows-10-updates",
- "redirect_document_id": true
- },
- {
- "source_path": "windows/manage/waas-deployment-rings-windows-10-updates.md",
- "redirect_url": "/itpro/windows/update/waas-deployment-rings-windows-10-updates",
- "redirect_document_id": true
- },
- {
- "source_path": "windows/manage/waas-servicing-branches-windows-10-updates.md",
- "redirect_url": "/itpro/windows/update/waas-servicing-branches-windows-10-updates",
- "redirect_document_id": true
- },
- {
- "source_path": "windows/manage/update-compliance-monitor.md",
- "redirect_url": "/itpro/windows/update/update-compliance-monitor",
- "redirect_document_id": true
- },
- {
- "source_path": "windows/manage/update-compliance-get-started.md",
- "redirect_url": "/itpro/windows/update/update-compliance-get-started",
- "redirect_document_id": true
- },
- {
- "source_path": "windows/manage/update-compliance-using.md",
- "redirect_url": "/itpro/windows/update/update-compliance-using",
- "redirect_document_id": true
- },
- {
- "source_path": "windows/manage/waas-optimize-windows-10-updates.md",
- "redirect_url": "/itpro/windows/update/waas-optimize-windows-10-updates",
- "redirect_document_id": true
- },
- {
- "source_path": "windows/manage/waas-delivery-optimization.md",
- "redirect_url": "/itpro/windows/update/waas-delivery-optimization",
- "redirect_document_id": true
- },
- {
- "source_path": "windows/manage/waas-branchcache.md",
- "redirect_url": "/itpro/windows/update/waas-branchcache",
- "redirect_document_id": true
- },
- {
- "source_path": "windows/manage/waas-mobile-updates.md",
- "redirect_url": "/itpro/windows/update/waas-mobile-updates",
- "redirect_document_id": true
- },
- {
- "source_path": "windows/manage/waas-manage-updates-wufb.md",
- "redirect_url": "/itpro/windows/update/waas-manage-updates-wufb",
- "redirect_document_id": true
- },
- {
- "source_path": "windows/manage/waas-configure-wufb.md",
- "redirect_url": "/itpro/windows/update/waas-configure-wufb",
- "redirect_document_id": true
- },
- {
- "source_path": "windows/manage/waas-integrate-wufb.md",
- "redirect_url": "/itpro/windows/update/waas-integrate-wufb",
- "redirect_document_id": true
- },
- {
- "source_path": "windows/manage/waas-wufb-group-policy.md",
- "redirect_url": "/itpro/windows/update/waas-wufb-group-policy",
- "redirect_document_id": true
- },
- {
- "source_path": "windows/manage/waas-wufb-intune.md",
- "redirect_url": "/itpro/windows/update/waas-wufb-intune.md",
- "redirect_document_id": true
- },
- {
- "source_path": "windows/manage/waas-manage-updates-wsus.md",
- "redirect_url": "/itpro/windows/update/waas-manage-updates-wsus",
- "redirect_document_id": true
- },
- {
- "source_path": "windows/manage/waas-manage-updates-configuration-manager.md",
- "redirect_url": "/itpro/windows/update/waas-manage-updates-configuration-manager",
- "redirect_document_id": true
- },
- {
- "source_path": "windows/manage/waas-restart.md",
- "redirect_url": "/itpro/windows/update/waas-restart",
- "redirect_document_id": true
- },
- {
- "source_path": "windows/manage/waas-update-windows-10.md",
- "redirect_url": "/itpro/windows/update/index",
- "redirect_document_id": false
- },
- {
- "source_path": "windows/manage/configure-windows-telemetry-in-your-organization.md",
- "redirect_url": "/itpro/windows/configure/configure-windows-telemetry-in-your-organization",
- "redirect_document_id": true
- },
- {
- "source_path":
"windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md", - "redirect_url": "/itpro/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services", - "redirect_document_id": false - }, - { - "source_path": "windows/manage/set-up-a-device-for-anyone-to-use.md", - "redirect_url": "/itpro/windows/configure/set-up-a-device-for-anyone-to-use", - "redirect_document_id": true - }, - { - "source_path": "windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md", - "redirect_url": "/itpro/windows/configure/set-up-a-kiosk-for-windows-10-for-desktop-editions", - "redirect_document_id": true - }, - { - "source_path": "windows/manage/guidelines-for-assigned-access-app.md", - "redirect_url": "/itpro/windows/configure/guidelines-for-assigned-access-app", - "redirect_document_id": true - }, - { - "source_path": "windows/manage/lock-down-windows-10-to-specific-apps.md", - "redirect_url": "/itpro/windows/configure/lock-down-windows-10-to-specific-apps", - "redirect_document_id": true - }, - { - "source_path": "windows/manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md", - "redirect_url": "/itpro/windows/configure/set-up-a-kiosk-for-windows-10-for-mobile-edition", - "redirect_document_id": true - }, - { - "source_path": "windows/manage/lockdown-xml.md", - "redirect_url": "/itpro/windows/configure/lockdown-xml", - "redirect_document_id": true - }, - { - "source_path": "windows/manage/settings-that-can-be-locked-down.md", - "redirect_url": "/itpro/windows/configure/settings-that-can-be-locked-down", - "redirect_document_id": true - }, - { - "source_path": "windows/manage/product-ids-in-windows-10-mobile.md", - "redirect_url": "/itpro/windows/configure/product-ids-in-windows-10-mobile", - "redirect_document_id": true - }, - { - "source_path": "windows/manage/manage-tips-and-suggestions.md", - "redirect_url": "/itpro/windows/configure/manage-tips-and-suggestions", - 
"redirect_document_id": true - }, - { - "source_path": "windows/manage/windows-10-start-layout-options-and-policies.md", - "redirect_url": "/itpro/windows/configure/windows-10-start-layout-options-and-policies", - "redirect_document_id": true - }, - { - "source_path": "windows/manage/configure-windows-10-taskbar.md", - "redirect_url": "/itpro/windows/configure/configure-windows-10-taskbar", - "redirect_document_id": true - }, - { - "source_path": "windows/manage/customize-and-export-start-layout.md", - "redirect_url": "/itpro/windows/configure/customize-and-export-start-layout", - "redirect_document_id": true - }, - { - "source_path": "windows/manage/start-layout-xml-desktop.md", - "redirect_url": "/itpro/windows/configure/start-layout-xml-desktop", - "redirect_document_id": true - }, - { - "source_path": "windows/manage/start-layout-xml-mobile.md", - "redirect_url": "/itpro/windows/configure/start-layout-xml-mobile", - "redirect_document_id": true - }, - { - "source_path": "windows/manage/customize-windows-10-start-screens-by-using-group-policy.md", - "redirect_url": "/itpro/windows/configure/customize-windows-10-start-screens-by-using-group-policy", - "redirect_document_id": true - }, - { - "source_path": "windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md", - "redirect_url": "/itpro/windows/configure/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd", - "redirect_document_id": true - }, - { - "source_path": "windows/manage/customize-windows-10-start-screens-by-using-mobile-device-management.md", - "redirect_url": "/itpro/windows/configure/customize-windows-10-start-screens-by-using-mobile-device-management", - "redirect_document_id": true - }, - { - "source_path": "windows/manage/cortana-at-work-testing-scenarios.md", - "redirect_url": "/itpro/windows/configure/cortana-at-work-testing-scenarios", - "redirect_document_id": true - }, - { - "source_path": 
"windows/manage/cortana-at-work-scenario-1.md", - "redirect_url": "/itpro/windows/configure/cortana-at-work-scenario-1", - "redirect_document_id": true - }, - { - "source_path": "windows/manage/cortana-at-work-scenario-2.md", - "redirect_url": "/itpro/windows/configure/cortana-at-work-scenario-2", - "redirect_document_id": true - }, - { - "source_path": "windows/manage/cortana-at-work-scenario-3.md", - "redirect_url": "/itpro/windows/configure/cortana-at-work-scenario-3", - "redirect_document_id": true - }, - { - "source_path": "windows/manage/cortana-at-work-scenario-4.md", - "redirect_url": "/itpro/windows/configure/cortana-at-work-scenario-4", - "redirect_document_id": true - }, - { - "source_path": "windows/manage/cortana-at-work-scenario-5.md", - "redirect_url": "/itpro/windows/configure/cortana-at-work-scenario-5", - "redirect_document_id": true - }, - { - "source_path": "windows/manage/cortana-at-work-scenario-6.md", - "redirect_url": "/itpro/windows/configure/cortana-at-work-scenario-6", - "redirect_document_id": true - }, - { - "source_path": "windows/manage/cortana-at-work-o365.md", - "redirect_url": "/itpro/windows/configure/cortana-at-work-o365", - "redirect_document_id": true - }, - { - "source_path": "windows/manage/cortana-at-work-crm.md", - "redirect_url": "/itpro/windows/configure/cortana-at-work-crm", - "redirect_document_id": true - }, - { - "source_path": "windows/manage/cortana-at-work-powerbi.md", - "redirect_url": "/itpro/windows/configure/cortana-at-work-powerbi", - "redirect_document_id": true - }, - { - "source_path": "windows/manage/cortana-at-work-voice-commands.md", - "redirect_url": "/itpro/windows/configure/cortana-at-work-voice-commands", - "redirect_document_id": true - }, - { - "source_path": "windows/manage/cortana-at-work-policy-settings.md", - "redirect_url": "/itpro/windows/configure/cortana-at-work-policy-settings", - "redirect_document_id": true - }, - { - "source_path": "windows/manage/cortana-at-work-feedback.md", - 
"redirect_url": "/itpro/windows/configure/cortana-at-work-feedback", - "redirect_document_id": true - }, - { - "source_path": "windows/manage/stop-employees-from-using-the-windows-store.md", - "redirect_url": "/itpro/windows/configure/stop-employees-from-using-the-windows-store", - "redirect_document_id": true - }, - { - "source_path": "windows/manage/configure-devices-without-mdm.md", - "redirect_url": "/itpro/windows/configure/configure-devices-without-mdm", - "redirect_document_id": true - }, - { - "source_path": "windows/manage/changes-to-start-policies-in-windows-10.md", - "redirect_url": "/itpro/windows/configure/changes-to-start-policies-in-windows-10", - "redirect_document_id": true - }, - { - "source_path": "windows/manage/how-it-pros-can-use-configuration-service-providers.md", - "redirect_url": "/itpro/windows/configure/how-it-pros-can-use-configuration-service-providers", - "redirect_document_id": true - }, - { - "source_path": "windows/manage/lock-down-windows-10.md", - "redirect_url": "/itpro/windows/configure/index", - "redirect_document_id": true - }, - { - "source_path": "windows/manage/manage-wifi-sense-in-enterprise.md", - "redirect_url": "/itpro/windows/configure/manage-wifi-sense-in-enterprise", - "redirect_document_id": true - }, - { - "source_path": "windows/deploy/provisioning-packages.md", - "redirect_url": "/itpro/windows/configure/provisioning-packages", - "redirect_document_id": true - }, - { - "source_path": "windows/deploy/provisioning-how-it-works.md", - "redirect_url": "/itpro/windows/configure/provisioning-how-it-works", - "redirect_document_id": true - }, - { - "source_path": "windows/deploy/provisioning-install-icd.md", - "redirect_url": "/itpro/windows/configure/provisioning-install-icd", - "redirect_document_id": true - }, - { - "source_path": "windows/deploy/provisioning-create-package.md", - "redirect_url": "/itpro/windows/configure/provisioning-create-package", - "redirect_document_id": true - }, - { - "source_path": 
"windows/deploy/provisioning-apply-package.md", - "redirect_url": "/itpro/windows/configure/provisioning-apply-package", - "redirect_document_id": true - }, - { - "source_path": "windows/deploy/provisioning-uninstall-package.md", - "redirect_url": "/itpro/windows/configure/provisioning-uninstall-package", - "redirect_document_id": true - }, - { - "source_path": "windows/deploy/provision-pcs-for-initial-deployment.md", - "redirect_url": "/itpro/windows/configure/provision-pcs-for-initial-deployment", - "redirect_document_id": true - }, - { - "source_path": "windows/deploy/provision-pcs-with-apps-and-certificates.md", - "redirect_url": "/itpro/windows/configure/provision-pcs-with-apps", - "redirect_document_id": true - }, - { - "source_path": "windows/deploy/provisioning-script-to-install-app.md", - "redirect_url": "/itpro/windows/configure/provisioning-script-to-install-app", - "redirect_document_id": true - }, - { - "source_path": "windows/deploy/provisioning-nfc.md", - "redirect_url": "/itpro/windows/configure/provisioning-nfc", - "redirect_document_id": true - }, - { - "source_path": "windows/deploy/provisioning-command-line.md", - "redirect_url": "/itpro/windows/configure/provisioning-command-line", - "redirect_document_id": true - }, - { - "source_path": "windows/deploy/provisioning-multivariant.md", - "redirect_url": "/itpro/windows/configure/provisioning-multivariant", - "redirect_document_id": true - }, - { - "source_path": "windows/keep-secure/create-edp-policy-using-intune.md", - "redirect_url": "/itpro/windows/keep-secure/create-wip-policy-using-intune", - "redirect_document_id": true - }, - { - "source_path": "windows/keep-secure/create-edp-policy-using-sccm.md", - "redirect_url": "/itpro/windows/keep-secure/create-wip-policy-using-sccm", - "redirect_document_id": true - }, - { - "source_path": "windows/keep-secure/create-vpn-and-edp-policy-using-intune.md", - "redirect_url": "/itpro/windows/keep-secure/create-vpn-and-wip-policy-using-intune", - 
"redirect_document_id": true - }, - { - "source_path": "windows/keep-secure/deploy-edp-policy-using-intune.md", - "redirect_url": "/itpro/windows/keep-secure/deploy-wip-policy-using-intune", - "redirect_document_id": true - }, - { - "source_path": "windows/keep-secure/guidance-and-best-practices-edp.md", - "redirect_url": "/itpro/windows/keep-secure/guidance-and-best-practices-wip", - "redirect_document_id": true - }, - { - "source_path": "windows/keep-secure/overview-create-edp-policy.md", - "redirect_url": "/itpro/windows/keep-secure/overview-create-wip-policy", - "redirect_document_id": true - }, - { - "source_path": "windows/keep-secure/protect-enterprise-data-using-edp.md", - "redirect_url": "/itpro/windows/keep-secure/protect-enterprise-data-using-wip", - "redirect_document_id": true - }, - { - "source_path": "windows/keep-secure/testing-scenarios-for-edp.md", - "redirect_url": "/itpro/windows/keep-secure/testing-scenarios-for-wip", - "redirect_document_id": true - }, - { - "source_path": "windows/keep-secure/wip-enterprise-overview.md", - "redirect_url": "/itpro/windows/keep-secure/protect-enterprise-data-using-wip", - "redirect_document_id": false - }, - { - "source_path": "windows/keep-secure/enlightened-microsoft-apps-and-edp.md", - "redirect_url": "/itpro/windows/keep-secure/enlightened-microsoft-apps-and-wip", - "redirect_document_id": true - }, - { - "source_path": "windows/deploy/update-windows-10-images-with-provisioning-packages.md", - "redirect_url": "/itpro/windows/configure/provisioning-packages", - "redirect_document_id": false - }, - { - "source_path": "windows/deploy/upgrade-analytics-prepare-your-environment.md", - "redirect_url": "/itpro/windows/deploy/upgrade-analytics-identify-apps", - "redirect_document_id": true - }, - { - "source_path": "windows/deploy/upgrade-analytics-release-notes.md", - "redirect_url": "/itpro/windows/deploy/upgrade-analytics-requirements", - "redirect_document_id": true - }, - { - "source_path": 
"windows/deploy/upgrade-analytics-review-site-discovery.md", - "redirect_url": "/itpro/windows/deploy/upgrade-analytics-additional-insights", - "redirect_document_id": true - }, - { - "source_path": "windows/keep-secure/additional-configuration-windows-advanced-threat-protection.md", - "redirect_url": "/itpro/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection", - "redirect_document_id": true - }, - { - "source_path": "windows/keep-secure/ad-ds-schema-extensions-to-support-tpm-backup.md", - "redirect_url": "https://technet.microsoft.com/library/jj635854.aspx", - "redirect_document_id": true - }, - { - "source_path": "windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md", - "redirect_url": "/itpro/windows/keep-secure/device-guard-deployment-guide", - "redirect_document_id": true - }, - { - "source_path": "windows/keep-secure/device-guard-certification-and-compliance.md", - "redirect_url": "/itpro/windows/keep-secure/device-guard-deployment-guide", - "redirect_document_id": false - }, - { - "source_path": "windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md", - "redirect_url": "/itpro/windows/keep-secure/hello-enable-phone-signin", - "redirect_document_id": true - }, - { - "source_path": "windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md", - "redirect_url": "/itpro/windows/keep-secure/device-guard-deployment-guide", - "redirect_document_id": false - }, - { - "source_path": "windows/keep-secure/implement-microsoft-passport-in-your-organization.md", - "redirect_url": "/itpro/windows/keep-secure/hello-manage-in-organization", - "redirect_document_id": true - }, - { - "source_path": "windows/keep-secure/manage-identity-verification-using-microsoft-passport.md", - "redirect_url": "/itpro/windows/keep-secure/hello-identity-verification", - "redirect_document_id": true - }, - { - "source_path": "windows/keep-secure/microsoft-passport-and-password-changes.md", - "redirect_url": 
"/itpro/windows/keep-secure/hello-and-password-changes", - "redirect_document_id": true - }, - { - "source_path": "windows/keep-secure/microsoft-passport-errors-during-pin-creation.md", - "redirect_url": "/itpro/windows/keep-secure/hello-errors-during-pin-creation", - "redirect_document_id": true - }, - { - "source_path": "windows/keep-secure/microsoft-passport-guide.md", - "redirect_url": "/itpro/windows/keep-secure/hello-identity-verification", - "redirect_document_id": false - }, - { - "source_path": "windows/keep-secure/monitor-onboarding-windows-advanced-threat-protection.md", - "redirect_url": "/itpro/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection", - "redirect_document_id": false - }, - { - "source_path": "windows/keep-secure/passport-event-300.md", - "redirect_url": "/itpro/windows/keep-secure/hello-event-300", - "redirect_document_id": true - }, - { - "source_path": "windows/keep-secure/prepare-people-to-use-microsoft-passport.md", - "redirect_url": "/itpro/windows/keep-secure/hello-prepare-people-to-use", - "redirect_document_id": true - }, - { - "source_path": "windows/keep-secure/why-a-pin-is-better-than-a-password.md", - "redirect_url": "/itpro/windows/keep-secure/hello-why-pin-is-better-than-password", - "redirect_document_id": true - }, - { - "source_path": "windows/keep-secure/windows-hello-in-enterprise.md", - "redirect_url": "/itpro/windows/keep-secure/hello-biometrics-in-enterprise", - "redirect_document_id": true - }, - { - "source_path": "windows/manage/app-inventory-managemement-windows-store-for-business.md", - "redirect_url": "/itpro/windows/manage/app-inventory-management-windows-store-for-business", - "redirect_document_id": true - }, - { - "source_path": "windows/manage/application-development-for-windows-as-a-service.md", - "redirect_url": "https://msdn.microsoft.com/windows/uwp/get-started/application-development-for-windows-as-a-service", - "redirect_document_id": true - }, - { - "source_path": 
"windows/manage/appv-accessibility.md", - "redirect_url": "/itpro/windows/manage/appv-getting-started", - "redirect_document_id": true - }, - { - "source_path": "windows/manage/appv-accessing-the-client-management-console.md", - "redirect_url": "/itpro/windows/manage/appv-using-the-client-management-console", - "redirect_document_id": true - }, - { - "source_path": "windows/manage/appv-install-the-appv-client-for-shared-content-store-mode.md", - "redirect_url": "/itpro/windows/manage/appv-deploying-the-appv-sequencer-and-client", - "redirect_document_id": true - }, - { - "source_path": "windows/manage/appv-modify-client-configuration-with-the-admx-template-and-group-policy.md", - "redirect_url": "/itpro/windows/manage/appv-deploying-the-appv-sequencer-and-client", - "redirect_document_id": false - }, - { - "source_path": "windows/manage/appv-planning-for-migrating-from-a-previous-version-of-appv.md", - "redirect_url": "/itpro/windows/manage/appv-migrating-to-appv-from-a-previous-version", - "redirect_document_id": true - }, - { - "source_path": "windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md", - "redirect_url": "/itpro/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services", - "redirect_document_id": true - }, - { - "source_path": "windows/manage/disconnect-your-organization-from-microsoft.md", - "redirect_url": "/itpro/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services", - "redirect_document_id": false - }, - { - "source_path": "windows/manage/introduction-to-windows-10-servicing.md", - "redirect_url": "/itpro/windows/update/index", - "redirect_document_id": true - }, - { - "source_path": "windows/manage/manage-cortana-in-enterprise.md", - "redirect_url": "/itpro/windows/configure/cortana-at-work-overview", - "redirect_document_id": true - }, - { - "source_path": "windows/manage/manage-inventory-windows-store-for-business.md", - 
"redirect_url": "/itpro/windows/manage/app-inventory-managemement-windows-store-for-business", - "redirect_document_id": true - }, - { - "source_path": "windows/manage/uev-accessibility.md", - "redirect_url": "/itpro/windows/manage/uev-for-windows", - "redirect_document_id": true - }, - { - "source_path": "windows/manage/uev-privacy-statement.md", - "redirect_url": "/itpro/windows/manage/uev-security-considerations", - "redirect_document_id": true - }, - { - "source_path": "windows/plan/act-community-ratings-and-process.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true - }, - { - "source_path": "windows/plan/act-database-configuration.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/act-database-migration.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/act-deployment-options.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/act-glossary.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/activating-and-closing-windows-in-acm.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/act-lps-share-permissions.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/act-operatingsystem-application-report.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - 
"redirect_document_id": false - }, - { - "source_path": "windows/plan/act-operatingsystem-computer-report.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/act-operatingsystem-device-report.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/act-product-and-documentation-resources.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/act-settings-dialog-box-preferences-tab.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/act-settings-dialog-box-settings-tab.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/act-toolbar-icons-in-acm.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/act-tools-packages-and-services.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/act-user-interface-reference.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/adding-or-editing-an-issue.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/adding-or-editing-a-solution.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - 
"redirect_document_id": false - }, - { - "source_path": "windows/plan/analyzing-your-compatibility-data.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/application-dialog-box.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/categorizing-your-compatibility-data.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/chromebook-migration-guide.md", - "redirect_url": "edu/windows/chromebook-migration-guide", - "redirect_document_id": true - }, - { - "source_path": "windows/plan/common-compatibility-issues.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/compatibility-monitor-users-guide.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/computer-dialog-box.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/configuring-act.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/creating-and-editing-issues-and-solutions.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/creating-an-enterprise-environment-for-compatibility-testing.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { 
- "source_path": "windows/plan/creating-an-inventory-collector-package.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/creating-a-runtime-analysis-package.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/customizing-your-report-views.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/data-sent-through-the-microsoft-compatibility-exchange.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/deciding-whether-to-fix-an-application-or-deploy-a-workaround.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/deciding-which-applications-to-test.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/deleting-a-data-collection-package.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/deploying-an-inventory-collector-package.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/deploying-a-runtime-analysis-package.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/deploy-windows-10-in-a-school.md", - "redirect_url": 
"/edu/windows/deploy-windows-10-in-a-school", - "redirect_document_id": true - }, - { - "source_path": "windows/plan/example-filter-queries.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/exporting-a-data-collection-package.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/filtering-your-compatibility-data.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/fixing-compatibility-issues.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/identifying-computers-for-inventory-collection.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/integration-with-management-solutions-.md", - "redirect_url": "/itpro/windows/update/waas-manage-updates-wufb", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/internet-explorer-web-site-report.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/labeling-data-in-acm.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/log-file-locations-for-data-collection-packages.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/managing-your-data-collection-packages.md", - "redirect_url": 
"/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/organizational-tasks-for-each-report-type.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/organizing-your-compatibility-data.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/prioritizing-your-compatibility-data.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/ratings-icons-in-acm.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/resolving-an-issue.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/saving-opening-and-exporting-reports.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/selecting-the-send-and-receive-status-for-an-application.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/selecting-your-compatibility-rating.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/selecting-your-deployment-status.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": 
"windows/plan/sending-and-receiving-compatibility-data.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/settings-for-acm.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/setup-and-deployment.md", - "redirect_url": "/itpro/windows/update/waas-manage-updates-wufb", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/software-requirements-for-act.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/software-requirements-for-rap.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/taking-inventory-of-your-organization.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/testing-compatibility-on-the-target-platform.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/troubleshooting-act.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/troubleshooting-act-database-issues.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/troubleshooting-the-act-configuration-wizard.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": 
"windows/plan/troubleshooting-the-act-log-processing-service.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/using-act.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/using-compatibility-monitor-to-send-feedback.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/viewing-your-compatibility-reports.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/websiteurl-dialog-box.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/welcome-to-act.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/whats-new-in-act-60.md", - "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/windows-10-guidance-for-education-environments.md", - "redirect_url": "/edu/windows/index", - "redirect_document_id": true - }, - { - "source_path": "windows/plan/windows-10-servicing-options.md", - "redirect_url": "/itpro/windows/update/waas-overview", - "redirect_document_id": false - }, - { - "source_path": "windows/plan/windows-update-for-business.md", - "redirect_url": "/itpro/windows/update/waas-manage-updates-wufb", - "redirect_document_id": false - }, - { - "source_path": "windows/whats-new/applocker.md", - "redirect_url": "/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511", - 
"redirect_document_id": true - }, - { - "source_path": "windows/whats-new/bitlocker.md", - "redirect_url": "/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511", - "redirect_document_id": false - }, - { - "source_path": "windows/whats-new/change-history-for-what-s-new-in-windows-10.md", - "redirect_url": "/itpro/windows/whats-new/index", - "redirect_document_id": true - }, - { - "source_path": "windows/whats-new/credential-guard.md", - "redirect_url": "/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511", - "redirect_document_id": false - }, - { - "source_path": "windows/whats-new/device-guard-overview.md", - "redirect_url": "/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511", - "redirect_document_id": false - }, - { - "source_path": "windows/whats-new/device-management.md", - "redirect_url": "/itpro/windows/manage/manage-corporate-devices", - "redirect_document_id": true - }, - { - "source_path": "windows/whats-new/edge-ie11-whats-new-overview.md", - "redirect_url": "/itpro/microsoft-edge/enterprise-guidance-using-microsoft-edge-and-ie11", - "redirect_document_id": true - }, - { - "source_path": "windows/whats-new/edp-whats-new-overview.md", - "redirect_url": "/itpro/windows/keep-secure/protect-enterprise-data-using-wip", - "redirect_document_id": false - }, - { - "source_path": "windows/whats-new/lockdown-features-windows-10.md", - "redirect_url": "/itpro/windows/configure/lockdown-features-windows-10", - "redirect_document_id": true - }, - { - "source_path": "windows/whats-new/microsoft-passport.md", - "redirect_url": "/itpro/windows/keep-secure/hello-identity-verification", - "redirect_document_id": false - }, - { - "source_path": "windows/whats-new/new-provisioning-packages.md", - "redirect_url": "/itpro/windows/configure/provisioning-packages", - "redirect_document_id": false - }, - { - "source_path": "windows/whats-new/security-auditing.md", - "redirect_url": 
"/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511", - "redirect_document_id": false - }, - { - "source_path": "windows/whats-new/trusted-platform-module.md", - "redirect_url": "/itpro/windows/keep-secure/trusted-platform-module-overview", - "redirect_document_id": true - }, - { - "source_path": "windows/whats-new/user-account-control.md", - "redirect_url": "/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511", - "redirect_document_id": false - }, - { - "source_path": "windows/whats-new/windows-spotlight.md", - "redirect_url": "/itpro/windows/configure/windows-spotlight", - "redirect_document_id": true - }, - { - "source_path": "windows/whats-new/windows-store-for-business-overview.md", - "redirect_url": "/itpro/windows/manage/windows-store-for-business-overview", - "redirect_document_id": true - }, - { - "source_path": "windows/whats-new/windows-update-for-business.md", - "redirect_url": "/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511", - "redirect_document_id": false - }, - { - "source_path": "windows/keep-secure/windows-10-security-guide.md", - "redirect_url": "/itpro/windows/keep-secure/overview-of-threat-mitigations-in-windows-10", - "redirect_document_id": true - }, - { - "source_path": "windows/whats-new/security.md", - "redirect_url": "/itpro/windows/keep-secure/overview-of-threat-mitigations-in-windows-10", - "redirect_document_id": false - }, - ] +"redirections": [ +{ +"source_path": "windows/manage/cortana-at-work-scenario-7.md", +"redirect_url": "/itpro/windows/configure/cortana-at-work-scenario-7", +"redirect_document_id": true +}, +{ +"source_path": "devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md", +"redirect_url": "/itpro/surface-hub/finishing-your-surface-hub-meeting", +"redirect_document_id": true +}, +{ +"source_path": "devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md", +"redirect_url": "/itpro/surface-hub/provisioning-packages-for-surface-hub", 
+"redirect_document_id": true +}, +{ +"source_path": "devices/surface-hub/manage-settings-with-local-admin-account-surface-hub.md", +"redirect_url": "/itpro/surface-hub/admin-group-management-for-surface-hub", +"redirect_document_id": true +}, +{ +"source_path": "devices/surface-hub/surface-hub-administrators-guide.md", +"redirect_url": "/itpro/surface-hub/index", +"redirect_document_id": true +}, +{ +"source_path": "devices/surface-hub/intro-to-surface-hub.md", +"redirect_url": "/itpro/surface-hub/index", +"redirect_document_id": false +}, +{ +"source_path": "windows/manage/waas-quick-start.md", +"redirect_url": "/itpro/windows/update/waas-quick-start", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/waas-overview.md", +"redirect_url": "/itpro/windows/update/waas-overview", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/waas-servicing-strategy-windows-10-updates.md", +"redirect_url": "/itpro/windows/update/waas-servicing-strategy-windows-10-updates", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/waas-deployment-rings-windows-10-updates.md", +"redirect_url": "/itpro/windows/update/waas-deployment-rings-windows-10-updates", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/waas-servicing-branches-windows-10-updates.md", +"redirect_url": "/itpro/windows/update/waas-servicing-branches-windows-10-updates", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/update-compliance-monitor.md", +"redirect_url": "/itpro/windows/update/update-compliance-monitor", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/update-compliance-get-started.md", +"redirect_url": "/itpro/windows/update/update-compliance-get-started", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/update-compliance-using.md", +"redirect_url": "/itpro/windows/update/update-compliance-using", +"redirect_document_id": true +}, +{ +"source_path": 
"windows/manage/waas-optimize-windows-10-updates.md", +"redirect_url": "/itpro/windows/update/waas-optimize-windows-10-updates", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/waas-delivery-optimization.md", +"redirect_url": "/itpro/windows/update/waas-delivery-optimization", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/waas-branchcache.md", +"redirect_url": "/itpro/windows/update/waas-branchcache", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/waas-mobile-updates.md", +"redirect_url": "/itpro/windows/update/waas-mobile-updates", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/waas-manage-updates-wufb.md", +"redirect_url": "/itpro/windows/update/waas-manage-updates-wufb", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/waas-configure-wufb.md", +"redirect_url": "/itpro/windows/update/waas-configure-wufb", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/waas-integrate-wufb.md", +"redirect_url": "/itpro/windows/update/waas-integrate-wufb", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/waas-wufb-group-policy.md", +"redirect_url": "/itpro/windows/update/waas-wufb-group-policy", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/waas-wufb-intune.md", +"redirect_url": "/itpro/windows/update/waas-wufb-intune.md", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/waas-manage-updates-wsus.md", +"redirect_url": "/itpro/windows/update/waas-manage-updates-wsus", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/waas-manage-updates-configuration-manager.md", +"redirect_url": "/itpro/windows/update/waas-manage-updates-configuration-manager", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/waas-restart.md", +"redirect_url": "/itpro/windows/update/waas-restart", +"redirect_document_id": true +}, +{ +"source_path": 
"windows/manage/waas-update-windows-10.md", +"redirect_url": "/itpro/windows/update/index", +"redirect_document_id": false +}, +{ +"source_path": "windows/manage/configure-windows-telemetry-in-your-organization.md", +"redirect_url": "/itpro/windows/configure/configure-windows-telemetry-in-your-organization", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md", +"redirect_url": "/itpro/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services", +"redirect_document_id": false +}, +{ +"source_path": "windows/manage/set-up-a-device-for-anyone-to-use.md", +"redirect_url": "/itpro/windows/configure/set-up-a-device-for-anyone-to-use", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md", +"redirect_url": "/itpro/windows/configure/set-up-a-kiosk-for-windows-10-for-desktop-editions", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/guidelines-for-assigned-access-app.md", +"redirect_url": "/itpro/windows/configure/guidelines-for-assigned-access-app", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/lock-down-windows-10-to-specific-apps.md", +"redirect_url": "/itpro/windows/configure/lock-down-windows-10-to-specific-apps", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md", +"redirect_url": "/itpro/windows/configure/set-up-a-kiosk-for-windows-10-for-mobile-edition", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/lockdown-xml.md", +"redirect_url": "/itpro/windows/configure/lockdown-xml", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/settings-that-can-be-locked-down.md", +"redirect_url": "/itpro/windows/configure/settings-that-can-be-locked-down", +"redirect_document_id": true +}, +{ +"source_path": 
"windows/manage/product-ids-in-windows-10-mobile.md", +"redirect_url": "/itpro/windows/configure/product-ids-in-windows-10-mobile", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/manage-tips-and-suggestions.md", +"redirect_url": "/itpro/windows/configure/manage-tips-and-suggestions", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/windows-10-start-layout-options-and-policies.md", +"redirect_url": "/itpro/windows/configure/windows-10-start-layout-options-and-policies", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/configure-windows-10-taskbar.md", +"redirect_url": "/itpro/windows/configure/configure-windows-10-taskbar", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/customize-and-export-start-layout.md", +"redirect_url": "/itpro/windows/configure/customize-and-export-start-layout", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/start-layout-xml-desktop.md", +"redirect_url": "/itpro/windows/configure/start-layout-xml-desktop", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/start-layout-xml-mobile.md", +"redirect_url": "/itpro/windows/configure/start-layout-xml-mobile", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/customize-windows-10-start-screens-by-using-group-policy.md", +"redirect_url": "/itpro/windows/configure/customize-windows-10-start-screens-by-using-group-policy", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md", +"redirect_url": "/itpro/windows/configure/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/customize-windows-10-start-screens-by-using-mobile-device-management.md", +"redirect_url": "/itpro/windows/configure/customize-windows-10-start-screens-by-using-mobile-device-management", +"redirect_document_id": 
true +}, +{ +"source_path": "windows/manage/cortana-at-work-testing-scenarios.md", +"redirect_url": "/itpro/windows/configure/cortana-at-work-testing-scenarios", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/cortana-at-work-scenario-1.md", +"redirect_url": "/itpro/windows/configure/cortana-at-work-scenario-1", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/cortana-at-work-scenario-2.md", +"redirect_url": "/itpro/windows/configure/cortana-at-work-scenario-2", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/cortana-at-work-scenario-3.md", +"redirect_url": "/itpro/windows/configure/cortana-at-work-scenario-3", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/cortana-at-work-scenario-4.md", +"redirect_url": "/itpro/windows/configure/cortana-at-work-scenario-4", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/cortana-at-work-scenario-5.md", +"redirect_url": "/itpro/windows/configure/cortana-at-work-scenario-5", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/cortana-at-work-scenario-6.md", +"redirect_url": "/itpro/windows/configure/cortana-at-work-scenario-6", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/cortana-at-work-o365.md", +"redirect_url": "/itpro/windows/configure/cortana-at-work-o365", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/cortana-at-work-crm.md", +"redirect_url": "/itpro/windows/configure/cortana-at-work-crm", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/cortana-at-work-powerbi.md", +"redirect_url": "/itpro/windows/configure/cortana-at-work-powerbi", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/cortana-at-work-voice-commands.md", +"redirect_url": "/itpro/windows/configure/cortana-at-work-voice-commands", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/cortana-at-work-policy-settings.md", +"redirect_url": 
"/itpro/windows/configure/cortana-at-work-policy-settings", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/cortana-at-work-feedback.md", +"redirect_url": "/itpro/windows/configure/cortana-at-work-feedback", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/stop-employees-from-using-the-windows-store.md", +"redirect_url": "/itpro/windows/configure/stop-employees-from-using-the-windows-store", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/configure-devices-without-mdm.md", +"redirect_url": "/itpro/windows/configure/configure-devices-without-mdm", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/changes-to-start-policies-in-windows-10.md", +"redirect_url": "/itpro/windows/configure/changes-to-start-policies-in-windows-10", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/how-it-pros-can-use-configuration-service-providers.md", +"redirect_url": "/itpro/windows/configure/how-it-pros-can-use-configuration-service-providers", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/lock-down-windows-10.md", +"redirect_url": "/itpro/windows/configure/index", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/manage-wifi-sense-in-enterprise.md", +"redirect_url": "/itpro/windows/configure/manage-wifi-sense-in-enterprise", +"redirect_document_id": true +}, +{ +"source_path": "windows/deploy/provisioning-packages.md", +"redirect_url": "/itpro/windows/configure/provisioning-packages", +"redirect_document_id": true +}, +{ +"source_path": "windows/deploy/provisioning-how-it-works.md", +"redirect_url": "/itpro/windows/configure/provisioning-how-it-works", +"redirect_document_id": true +}, +{ +"source_path": "windows/deploy/provisioning-install-icd.md", +"redirect_url": "/itpro/windows/configure/provisioning-install-icd", +"redirect_document_id": true +}, +{ +"source_path": "windows/deploy/provisioning-create-package.md", +"redirect_url": 
"/itpro/windows/configure/provisioning-create-package", +"redirect_document_id": true +}, +{ +"source_path": "windows/deploy/provisioning-apply-package.md", +"redirect_url": "/itpro/windows/configure/provisioning-apply-package", +"redirect_document_id": true +}, +{ +"source_path": "windows/deploy/provisioning-uninstall-package.md", +"redirect_url": "/itpro/windows/configure/provisioning-uninstall-package", +"redirect_document_id": true +}, +{ +"source_path": "windows/deploy/provision-pcs-for-initial-deployment.md", +"redirect_url": "/itpro/windows/configure/provision-pcs-for-initial-deployment", +"redirect_document_id": true +}, +{ +"source_path": "windows/deploy/provision-pcs-with-apps-and-certificates.md", +"redirect_url": "/itpro/windows/configure/provision-pcs-with-apps", +"redirect_document_id": true +}, +{ +"source_path": "windows/deploy/provisioning-script-to-install-app.md", +"redirect_url": "/itpro/windows/configure/provisioning-script-to-install-app", +"redirect_document_id": true +}, +{ +"source_path": "windows/deploy/provisioning-nfc.md", +"redirect_url": "/itpro/windows/configure/provisioning-nfc", +"redirect_document_id": true +}, +{ +"source_path": "windows/deploy/provisioning-command-line.md", +"redirect_url": "/itpro/windows/configure/provisioning-command-line", +"redirect_document_id": true +}, +{ +"source_path": "windows/deploy/provisioning-multivariant.md", +"redirect_url": "/itpro/windows/configure/provisioning-multivariant", +"redirect_document_id": true +}, +{ +"source_path": "windows/keep-secure/create-edp-policy-using-intune.md", +"redirect_url": "/itpro/windows/keep-secure/create-wip-policy-using-intune", +"redirect_document_id": true +}, +{ +"source_path": "windows/keep-secure/create-edp-policy-using-sccm.md", +"redirect_url": "/itpro/windows/keep-secure/create-wip-policy-using-sccm", +"redirect_document_id": true +}, +{ +"source_path": "windows/keep-secure/create-vpn-and-edp-policy-using-intune.md", +"redirect_url": 
"/itpro/windows/keep-secure/create-vpn-and-wip-policy-using-intune", +"redirect_document_id": true +}, +{ +"source_path": "windows/keep-secure/hello-enable-phone-signin.md", +"redirect_url": "/itpro/windows/keep-secure/hello-identity-verification", +"redirect_document_id": false +}, +{ +"source_path": "windows/keep-secure/deploy-edp-policy-using-intune.md", +"redirect_url": "/itpro/windows/keep-secure/deploy-wip-policy-using-intune", +"redirect_document_id": true +}, +{ +"source_path": "windows/keep-secure/guidance-and-best-practices-edp.md", +"redirect_url": "/itpro/windows/keep-secure/guidance-and-best-practices-wip", +"redirect_document_id": true +}, +{ +"source_path": "windows/keep-secure/overview-create-edp-policy.md", +"redirect_url": "/itpro/windows/keep-secure/overview-create-wip-policy", +"redirect_document_id": true +}, +{ +"source_path": "windows/keep-secure/protect-enterprise-data-using-edp.md", +"redirect_url": "/itpro/windows/keep-secure/protect-enterprise-data-using-wip", +"redirect_document_id": true +}, +{ +"source_path": "windows/keep-secure/testing-scenarios-for-edp.md", +"redirect_url": "/itpro/windows/keep-secure/testing-scenarios-for-wip", +"redirect_document_id": true +}, +{ +"source_path": "windows/keep-secure/wip-enterprise-overview.md", +"redirect_url": "/itpro/windows/keep-secure/protect-enterprise-data-using-wip", +"redirect_document_id": false +}, +{ +"source_path": "windows/keep-secure/enlightened-microsoft-apps-and-edp.md", +"redirect_url": "/itpro/windows/keep-secure/enlightened-microsoft-apps-and-wip", +"redirect_document_id": true +}, +{ +"source_path": "windows/deploy/update-windows-10-images-with-provisioning-packages.md", +"redirect_url": "/itpro/windows/configure/provisioning-packages", +"redirect_document_id": false +}, +{ +"source_path": "windows/deploy/upgrade-analytics-prepare-your-environment.md", +"redirect_url": "/itpro/windows/deploy/upgrade-analytics-identify-apps", +"redirect_document_id": true +}, +{ +"source_path": 
"windows/deploy/upgrade-analytics-release-notes.md", +"redirect_url": "/itpro/windows/deploy/upgrade-analytics-requirements", +"redirect_document_id": true +}, +{ +"source_path": "windows/deploy/upgrade-analytics-review-site-discovery.md", +"redirect_url": "/itpro/windows/deploy/upgrade-analytics-additional-insights", +"redirect_document_id": true +}, +{ +"source_path": "windows/keep-secure/additional-configuration-windows-advanced-threat-protection.md", +"redirect_url": "/itpro/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection", +"redirect_document_id": true +}, +{ +"source_path": "windows/keep-secure/ad-ds-schema-extensions-to-support-tpm-backup.md", +"redirect_url": "https://technet.microsoft.com/library/jj635854.aspx", +"redirect_document_id": true +}, +{ +"source_path": "windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md", +"redirect_url": "/itpro/windows/keep-secure/device-guard-deployment-guide", +"redirect_document_id": true +}, +{ +"source_path": "windows/keep-secure/device-guard-certification-and-compliance.md", +"redirect_url": "/itpro/windows/keep-secure/device-guard-deployment-guide", +"redirect_document_id": false +}, +{ +"source_path": "windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md", +"redirect_url": "/itpro/windows/keep-secure/hello-enable-phone-signin", +"redirect_document_id": true +}, +{ +"source_path": "windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md", +"redirect_url": "/itpro/windows/keep-secure/device-guard-deployment-guide", +"redirect_document_id": false +}, +{ +"source_path": "windows/keep-secure/implement-microsoft-passport-in-your-organization.md", +"redirect_url": "/itpro/windows/keep-secure/hello-manage-in-organization", +"redirect_document_id": true +}, +{ +"source_path": "windows/keep-secure/manage-identity-verification-using-microsoft-passport.md", +"redirect_url": "/itpro/windows/keep-secure/hello-identity-verification", 
+"redirect_document_id": true +}, +{ +"source_path": "windows/keep-secure/microsoft-passport-and-password-changes.md", +"redirect_url": "/itpro/windows/keep-secure/hello-and-password-changes", +"redirect_document_id": true +}, +{ +"source_path": "windows/keep-secure/microsoft-passport-errors-during-pin-creation.md", +"redirect_url": "/itpro/windows/keep-secure/hello-errors-during-pin-creation", +"redirect_document_id": true +}, +{ +"source_path": "windows/keep-secure/microsoft-passport-guide.md", +"redirect_url": "/itpro/windows/keep-secure/hello-identity-verification", +"redirect_document_id": false +}, +{ +"source_path": "windows/keep-secure/monitor-onboarding-windows-advanced-threat-protection.md", +"redirect_url": "/itpro/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection", +"redirect_document_id": false +}, +{ +"source_path": "windows/keep-secure/passport-event-300.md", +"redirect_url": "/itpro/windows/keep-secure/hello-event-300", +"redirect_document_id": true +}, +{ +"source_path": "windows/keep-secure/prepare-people-to-use-microsoft-passport.md", +"redirect_url": "/itpro/windows/keep-secure/hello-prepare-people-to-use", +"redirect_document_id": true +}, +{ +"source_path": "windows/keep-secure/why-a-pin-is-better-than-a-password.md", +"redirect_url": "/itpro/windows/keep-secure/hello-why-pin-is-better-than-password", +"redirect_document_id": true +}, +{ +"source_path": "windows/keep-secure/windows-hello-in-enterprise.md", +"redirect_url": "/itpro/windows/keep-secure/hello-biometrics-in-enterprise", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/app-inventory-managemement-windows-store-for-business.md", +"redirect_url": "/itpro/windows/manage/app-inventory-management-windows-store-for-business", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/application-development-for-windows-as-a-service.md", +"redirect_url": 
"https://msdn.microsoft.com/windows/uwp/get-started/application-development-for-windows-as-a-service", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/appv-accessibility.md", +"redirect_url": "/itpro/windows/manage/appv-getting-started", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/appv-accessing-the-client-management-console.md", +"redirect_url": "/itpro/windows/manage/appv-using-the-client-management-console", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/appv-install-the-appv-client-for-shared-content-store-mode.md", +"redirect_url": "/itpro/windows/manage/appv-deploying-the-appv-sequencer-and-client", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/appv-modify-client-configuration-with-the-admx-template-and-group-policy.md", +"redirect_url": "/itpro/windows/manage/appv-deploying-the-appv-sequencer-and-client", +"redirect_document_id": false +}, +{ +"source_path": "windows/manage/appv-planning-for-migrating-from-a-previous-version-of-appv.md", +"redirect_url": "/itpro/windows/manage/appv-migrating-to-appv-from-a-previous-version", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md", +"redirect_url": "/itpro/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/disconnect-your-organization-from-microsoft.md", +"redirect_url": "/itpro/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services", +"redirect_document_id": false +}, +{ +"source_path": "windows/manage/introduction-to-windows-10-servicing.md", +"redirect_url": "/itpro/windows/update/index", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/manage-cortana-in-enterprise.md", +"redirect_url": "/itpro/windows/configure/cortana-at-work-overview", 
+"redirect_document_id": true +}, +{ +"source_path": "windows/manage/manage-inventory-windows-store-for-business.md", +"redirect_url": "/itpro/windows/manage/app-inventory-managemement-windows-store-for-business", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/uev-accessibility.md", +"redirect_url": "/itpro/windows/manage/uev-for-windows", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/uev-privacy-statement.md", +"redirect_url": "/itpro/windows/manage/uev-security-considerations", +"redirect_document_id": true +}, +{ +"source_path": "windows/plan/act-community-ratings-and-process.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": true +}, +{ +"source_path": "windows/plan/act-database-configuration.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/act-database-migration.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/act-deployment-options.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/act-glossary.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/activating-and-closing-windows-in-acm.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/act-lps-share-permissions.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/act-operatingsystem-application-report.md", +"redirect_url": 
"/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/act-operatingsystem-computer-report.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/act-operatingsystem-device-report.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/act-product-and-documentation-resources.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/act-settings-dialog-box-preferences-tab.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/act-settings-dialog-box-settings-tab.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/act-toolbar-icons-in-acm.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/act-tools-packages-and-services.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/act-user-interface-reference.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/adding-or-editing-an-issue.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/adding-or-editing-a-solution.md", +"redirect_url": 
"/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/analyzing-your-compatibility-data.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/application-dialog-box.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/categorizing-your-compatibility-data.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/chromebook-migration-guide.md", +"redirect_url": "edu/windows/chromebook-migration-guide", +"redirect_document_id": true +}, +{ +"source_path": "windows/plan/common-compatibility-issues.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/compatibility-monitor-users-guide.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/computer-dialog-box.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/configuring-act.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/creating-and-editing-issues-and-solutions.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/creating-an-enterprise-environment-for-compatibility-testing.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", 
+"redirect_document_id": false +}, +{ +"source_path": "windows/plan/creating-an-inventory-collector-package.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/creating-a-runtime-analysis-package.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/customizing-your-report-views.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/data-sent-through-the-microsoft-compatibility-exchange.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/deciding-whether-to-fix-an-application-or-deploy-a-workaround.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/deciding-which-applications-to-test.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/deleting-a-data-collection-package.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/deploying-an-inventory-collector-package.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/deploying-a-runtime-analysis-package.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/deploy-windows-10-in-a-school.md", +"redirect_url": "/edu/windows/deploy-windows-10-in-a-school", 
+"redirect_document_id": true +}, +{ +"source_path": "windows/plan/example-filter-queries.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/exporting-a-data-collection-package.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/filtering-your-compatibility-data.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/fixing-compatibility-issues.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/identifying-computers-for-inventory-collection.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/integration-with-management-solutions-.md", +"redirect_url": "/itpro/windows/update/waas-manage-updates-wufb", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/internet-explorer-web-site-report.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/labeling-data-in-acm.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/log-file-locations-for-data-collection-packages.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/managing-your-data-collection-packages.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": 
"windows/plan/organizational-tasks-for-each-report-type.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/organizing-your-compatibility-data.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/prioritizing-your-compatibility-data.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/ratings-icons-in-acm.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/resolving-an-issue.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/saving-opening-and-exporting-reports.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/selecting-the-send-and-receive-status-for-an-application.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/selecting-your-compatibility-rating.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/selecting-your-deployment-status.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/sending-and-receiving-compatibility-data.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": 
"windows/plan/settings-for-acm.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/setup-and-deployment.md", +"redirect_url": "/itpro/windows/update/waas-manage-updates-wufb", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/software-requirements-for-act.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/software-requirements-for-rap.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/taking-inventory-of-your-organization.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/testing-compatibility-on-the-target-platform.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/troubleshooting-act.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/troubleshooting-act-database-issues.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/troubleshooting-the-act-configuration-wizard.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/troubleshooting-the-act-log-processing-service.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/using-act.md", +"redirect_url": 
"/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/using-compatibility-monitor-to-send-feedback.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/viewing-your-compatibility-reports.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/websiteurl-dialog-box.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/welcome-to-act.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/whats-new-in-act-60.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/windows-10-guidance-for-education-environments.md", +"redirect_url": "/edu/windows/index", +"redirect_document_id": true +}, +{ +"source_path": "windows/plan/windows-10-servicing-options.md", +"redirect_url": "/itpro/windows/update/waas-overview", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/windows-update-for-business.md", +"redirect_url": "/itpro/windows/update/waas-manage-updates-wufb", +"redirect_document_id": false +}, +{ +"source_path": "windows/whats-new/applocker.md", +"redirect_url": "/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511", +"redirect_document_id": true +}, +{ +"source_path": "windows/whats-new/bitlocker.md", +"redirect_url": "/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511", +"redirect_document_id": false +}, +{ +"source_path": "windows/whats-new/change-history-for-what-s-new-in-windows-10.md", +"redirect_url": 
"/itpro/windows/whats-new/index", +"redirect_document_id": true +}, +{ +"source_path": "windows/whats-new/credential-guard.md", +"redirect_url": "/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511", +"redirect_document_id": false +}, +{ +"source_path": "windows/whats-new/device-guard-overview.md", +"redirect_url": "/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511", +"redirect_document_id": false +}, +{ +"source_path": "windows/whats-new/device-management.md", +"redirect_url": "/itpro/windows/manage/manage-corporate-devices", +"redirect_document_id": true +}, +{ +"source_path": "windows/whats-new/edge-ie11-whats-new-overview.md", +"redirect_url": "/itpro/microsoft-edge/enterprise-guidance-using-microsoft-edge-and-ie11", +"redirect_document_id": true +}, +{ +"source_path": "windows/whats-new/edp-whats-new-overview.md", +"redirect_url": "/itpro/windows/keep-secure/protect-enterprise-data-using-wip", +"redirect_document_id": false +}, +{ +"source_path": "windows/whats-new/lockdown-features-windows-10.md", +"redirect_url": "/itpro/windows/configure/lockdown-features-windows-10", +"redirect_document_id": true +}, +{ +"source_path": "windows/whats-new/microsoft-passport.md", +"redirect_url": "/itpro/windows/keep-secure/hello-identity-verification", +"redirect_document_id": false +}, +{ +"source_path": "windows/whats-new/new-provisioning-packages.md", +"redirect_url": "/itpro/windows/configure/provisioning-packages", +"redirect_document_id": false +}, +{ +"source_path": "windows/whats-new/security-auditing.md", +"redirect_url": "/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511", +"redirect_document_id": false +}, +{ +"source_path": "windows/whats-new/trusted-platform-module.md", +"redirect_url": "/itpro/windows/keep-secure/trusted-platform-module-overview", +"redirect_document_id": true +}, +{ +"source_path": "windows/whats-new/user-account-control.md", +"redirect_url": 
"/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511", +"redirect_document_id": false +}, +{ +"source_path": "windows/whats-new/windows-spotlight.md", +"redirect_url": "/itpro/windows/configure/windows-spotlight", +"redirect_document_id": true +}, +{ +"source_path": "windows/whats-new/windows-store-for-business-overview.md", +"redirect_url": "/itpro/windows/manage/windows-store-for-business-overview", +"redirect_document_id": true +}, +{ +"source_path": "windows/whats-new/windows-update-for-business.md", +"redirect_url": "/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511", +"redirect_document_id": false +}, +{ +"source_path": "windows/keep-secure/windows-10-security-guide.md", +"redirect_url": "/itpro/windows/keep-secure/overview-of-threat-mitigations-in-windows-10", +"redirect_document_id": true +}, +{ +"source_path": "windows/whats-new/security.md", +"redirect_url": "/itpro/windows/keep-secure/overview-of-threat-mitigations-in-windows-10", +"redirect_document_id": false +}, +] } \ No newline at end of file diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000000..a2c95fc155 --- /dev/null +++ b/LICENSE 
@@ -0,0 +1,395 @@ +Attribution 4.0 International + +======================================================================= + +Creative Commons Corporation ("Creative Commons") is not a law firm and +does not provide legal services or legal advice. Distribution of +Creative Commons public licenses does not create a lawyer-client or +other relationship. Creative Commons makes its licenses and related +information available on an "as-is" basis. Creative Commons gives no +warranties regarding its licenses, any material licensed under their +terms and conditions, or any related information. Creative Commons +disclaims all liability for damages resulting from their use to the +fullest extent possible. + +Using Creative Commons Public Licenses + +Creative Commons public licenses provide a standard set of terms and +conditions that creators and other rights holders may use to share +original works of authorship and other material subject to copyright +and certain other rights specified in the public license below. The +following considerations are for informational purposes only, are not +exhaustive, and do not form part of our licenses. + + Considerations for licensors: Our public licenses are + intended for use by those authorized to give the public + permission to use material in ways otherwise restricted by + copyright and certain other rights. Our licenses are + irrevocable. Licensors should read and understand the terms + and conditions of the license they choose before applying it. + Licensors should also secure all rights necessary before + applying our licenses so that the public can reuse the + material as expected. Licensors should clearly mark any + material not subject to the license. This includes other CC- + licensed material, or material used under an exception or + limitation to copyright. 
More considerations for licensors: + wiki.creativecommons.org/Considerations_for_licensors + + Considerations for the public: By using one of our public + licenses, a licensor grants the public permission to use the + licensed material under specified terms and conditions. If + the licensor's permission is not necessary for any reason--for + example, because of any applicable exception or limitation to + copyright--then that use is not regulated by the license. Our + licenses grant only permissions under copyright and certain + other rights that a licensor has authority to grant. Use of + the licensed material may still be restricted for other + reasons, including because others have copyright or other + rights in the material. A licensor may make special requests, + such as asking that all changes be marked or described. + Although not required by our licenses, you are encouraged to + respect those requests where reasonable. More_considerations + for the public: + wiki.creativecommons.org/Considerations_for_licensees + +======================================================================= + +Creative Commons Attribution 4.0 International Public License + +By exercising the Licensed Rights (defined below), You accept and agree +to be bound by the terms and conditions of this Creative Commons +Attribution 4.0 International Public License ("Public License"). To the +extent this Public License may be interpreted as a contract, You are +granted the Licensed Rights in consideration of Your acceptance of +these terms and conditions, and the Licensor grants You such rights in +consideration of benefits the Licensor receives from making the +Licensed Material available under these terms and conditions. + + +Section 1 -- Definitions. + + a. 
Adapted Material means material subject to Copyright and Similar + Rights that is derived from or based upon the Licensed Material + and in which the Licensed Material is translated, altered, + arranged, transformed, or otherwise modified in a manner requiring + permission under the Copyright and Similar Rights held by the + Licensor. For purposes of this Public License, where the Licensed + Material is a musical work, performance, or sound recording, + Adapted Material is always produced where the Licensed Material is + synched in timed relation with a moving image. + + b. Adapter's License means the license You apply to Your Copyright + and Similar Rights in Your contributions to Adapted Material in + accordance with the terms and conditions of this Public License. + + c. Copyright and Similar Rights means copyright and/or similar rights + closely related to copyright including, without limitation, + performance, broadcast, sound recording, and Sui Generis Database + Rights, without regard to how the rights are labeled or + categorized. For purposes of this Public License, the rights + specified in Section 2(b)(1)-(2) are not Copyright and Similar + Rights. + + d. Effective Technological Measures means those measures that, in the + absence of proper authority, may not be circumvented under laws + fulfilling obligations under Article 11 of the WIPO Copyright + Treaty adopted on December 20, 1996, and/or similar international + agreements. + + e. Exceptions and Limitations means fair use, fair dealing, and/or + any other exception or limitation to Copyright and Similar Rights + that applies to Your use of the Licensed Material. + + f. Licensed Material means the artistic or literary work, database, + or other material to which the Licensor applied this Public + License. + + g. 
Licensed Rights means the rights granted to You subject to the + terms and conditions of this Public License, which are limited to + all Copyright and Similar Rights that apply to Your use of the + Licensed Material and that the Licensor has authority to license. + + h. Licensor means the individual(s) or entity(ies) granting rights + under this Public License. + + i. Share means to provide material to the public by any means or + process that requires permission under the Licensed Rights, such + as reproduction, public display, public performance, distribution, + dissemination, communication, or importation, and to make material + available to the public including in ways that members of the + public may access the material from a place and at a time + individually chosen by them. + + j. Sui Generis Database Rights means rights other than copyright + resulting from Directive 96/9/EC of the European Parliament and of + the Council of 11 March 1996 on the legal protection of databases, + as amended and/or succeeded, as well as other essentially + equivalent rights anywhere in the world. + + k. You means the individual or entity exercising the Licensed Rights + under this Public License. Your has a corresponding meaning. + + +Section 2 -- Scope. + + a. License grant. + + 1. Subject to the terms and conditions of this Public License, + the Licensor hereby grants You a worldwide, royalty-free, + non-sublicensable, non-exclusive, irrevocable license to + exercise the Licensed Rights in the Licensed Material to: + + a. reproduce and Share the Licensed Material, in whole or + in part; and + + b. produce, reproduce, and Share Adapted Material. + + 2. Exceptions and Limitations. For the avoidance of doubt, where + Exceptions and Limitations apply to Your use, this Public + License does not apply, and You do not need to comply with + its terms and conditions. + + 3. Term. The term of this Public License is specified in Section + 6(a). + + 4. 
Media and formats; technical modifications allowed. The + Licensor authorizes You to exercise the Licensed Rights in + all media and formats whether now known or hereafter created, + and to make technical modifications necessary to do so. The + Licensor waives and/or agrees not to assert any right or + authority to forbid You from making technical modifications + necessary to exercise the Licensed Rights, including + technical modifications necessary to circumvent Effective + Technological Measures. For purposes of this Public License, + simply making modifications authorized by this Section 2(a) + (4) never produces Adapted Material. + + 5. Downstream recipients. + + a. Offer from the Licensor -- Licensed Material. Every + recipient of the Licensed Material automatically + receives an offer from the Licensor to exercise the + Licensed Rights under the terms and conditions of this + Public License. + + b. No downstream restrictions. You may not offer or impose + any additional or different terms or conditions on, or + apply any Effective Technological Measures to, the + Licensed Material if doing so restricts exercise of the + Licensed Rights by any recipient of the Licensed + Material. + + 6. No endorsement. Nothing in this Public License constitutes or + may be construed as permission to assert or imply that You + are, or that Your use of the Licensed Material is, connected + with, or sponsored, endorsed, or granted official status by, + the Licensor or others designated to receive attribution as + provided in Section 3(a)(1)(A)(i). + + b. Other rights. + + 1. Moral rights, such as the right of integrity, are not + licensed under this Public License, nor are publicity, + privacy, and/or other similar personality rights; however, to + the extent possible, the Licensor waives and/or agrees not to + assert any such rights held by the Licensor to the limited + extent necessary to allow You to exercise the Licensed + Rights, but not otherwise. + + 2. 
Patent and trademark rights are not licensed under this + Public License. + + 3. To the extent possible, the Licensor waives any right to + collect royalties from You for the exercise of the Licensed + Rights, whether directly or through a collecting society + under any voluntary or waivable statutory or compulsory + licensing scheme. In all other cases the Licensor expressly + reserves any right to collect such royalties. + + +Section 3 -- License Conditions. + +Your exercise of the Licensed Rights is expressly made subject to the +following conditions. + + a. Attribution. + + 1. If You Share the Licensed Material (including in modified + form), You must: + + a. retain the following if it is supplied by the Licensor + with the Licensed Material: + + i. identification of the creator(s) of the Licensed + Material and any others designated to receive + attribution, in any reasonable manner requested by + the Licensor (including by pseudonym if + designated); + + ii. a copyright notice; + + iii. a notice that refers to this Public License; + + iv. a notice that refers to the disclaimer of + warranties; + + v. a URI or hyperlink to the Licensed Material to the + extent reasonably practicable; + + b. indicate if You modified the Licensed Material and + retain an indication of any previous modifications; and + + c. indicate the Licensed Material is licensed under this + Public License, and include the text of, or the URI or + hyperlink to, this Public License. + + 2. You may satisfy the conditions in Section 3(a)(1) in any + reasonable manner based on the medium, means, and context in + which You Share the Licensed Material. For example, it may be + reasonable to satisfy the conditions by providing a URI or + hyperlink to a resource that includes the required + information. + + 3. If requested by the Licensor, You must remove any of the + information required by Section 3(a)(1)(A) to the extent + reasonably practicable. + + 4. 
If You Share Adapted Material You produce, the Adapter's + License You apply must not prevent recipients of the Adapted + Material from complying with this Public License. + + +Section 4 -- Sui Generis Database Rights. + +Where the Licensed Rights include Sui Generis Database Rights that +apply to Your use of the Licensed Material: + + a. for the avoidance of doubt, Section 2(a)(1) grants You the right + to extract, reuse, reproduce, and Share all or a substantial + portion of the contents of the database; + + b. if You include all or a substantial portion of the database + contents in a database in which You have Sui Generis Database + Rights, then the database in which You have Sui Generis Database + Rights (but not its individual contents) is Adapted Material; and + + c. You must comply with the conditions in Section 3(a) if You Share + all or a substantial portion of the contents of the database. + +For the avoidance of doubt, this Section 4 supplements and does not +replace Your obligations under this Public License where the Licensed +Rights include other Copyright and Similar Rights. + + +Section 5 -- Disclaimer of Warranties and Limitation of Liability. + + a. UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE + EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS + AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF + ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS, + IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION, + WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR + PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS, + ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT + KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT + ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU. + + b. 
TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE + TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION, + NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT, + INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES, + COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR + USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN + ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR + DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR + IN PART, THIS LIMITATION MAY NOT APPLY TO YOU. + + c. The disclaimer of warranties and limitation of liability provided + above shall be interpreted in a manner that, to the extent + possible, most closely approximates an absolute disclaimer and + waiver of all liability. + + +Section 6 -- Term and Termination. + + a. This Public License applies for the term of the Copyright and + Similar Rights licensed here. However, if You fail to comply with + this Public License, then Your rights under this Public License + terminate automatically. + + b. Where Your right to use the Licensed Material has terminated under + Section 6(a), it reinstates: + + 1. automatically as of the date the violation is cured, provided + it is cured within 30 days of Your discovery of the + violation; or + + 2. upon express reinstatement by the Licensor. + + For the avoidance of doubt, this Section 6(b) does not affect any + right the Licensor may have to seek remedies for Your violations + of this Public License. + + c. For the avoidance of doubt, the Licensor may also offer the + Licensed Material under separate terms or conditions or stop + distributing the Licensed Material at any time; however, doing so + will not terminate this Public License. + + d. Sections 1, 5, 6, 7, and 8 survive termination of this Public + License. + + +Section 7 -- Other Terms and Conditions. + + a. 
The Licensor shall not be bound by any additional or different + terms or conditions communicated by You unless expressly agreed. + + b. Any arrangements, understandings, or agreements regarding the + Licensed Material not stated herein are separate from and + independent of the terms and conditions of this Public License. + + +Section 8 -- Interpretation. + + a. For the avoidance of doubt, this Public License does not, and + shall not be interpreted to, reduce, limit, restrict, or impose + conditions on any use of the Licensed Material that could lawfully + be made without permission under this Public License. + + b. To the extent possible, if any provision of this Public License is + deemed unenforceable, it shall be automatically reformed to the + minimum extent necessary to make it enforceable. If the provision + cannot be reformed, it shall be severed from this Public License + without affecting the enforceability of the remaining terms and + conditions. + + c. No term or condition of this Public License will be waived and no + failure to comply consented to unless expressly agreed to by the + Licensor. + + d. Nothing in this Public License constitutes or may be interpreted + as a limitation upon, or waiver of, any privileges and immunities + that apply to the Licensor or You, including from the legal + processes of any jurisdiction or authority. + + +======================================================================= + +Creative Commons is not a party to its public +licenses. Notwithstanding, Creative Commons may elect to apply one of +its public licenses to material it publishes and in those instances +will be considered the “Licensor.” The text of the Creative Commons +public licenses is dedicated to the public domain under the CC0 Public +Domain Dedication. 
Except for the limited purpose of indicating that
+material is shared under a Creative Commons public license or as
+otherwise permitted by the Creative Commons policies published at
+creativecommons.org/policies, Creative Commons does not authorize the
+use of the trademark "Creative Commons" or any other trademark or logo
+of Creative Commons without its prior written consent including,
+without limitation, in connection with any unauthorized modifications
+to any of its public licenses or any other arrangements,
+understandings, or agreements concerning use of licensed material. For
+the avoidance of doubt, this paragraph does not form part of the
+public licenses.
+
+Creative Commons may be contacted at creativecommons.org.
\ No newline at end of file
diff --git a/LICENSE-CODE b/LICENSE-CODE
new file mode 100644
index 0000000000..b17b032a43
--- /dev/null
+++ b/LICENSE-CODE
@@ -0,0 +1,17 @@
+The MIT License (MIT)
+Copyright (c) Microsoft Corporation
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and
+associated documentation files (the "Software"), to deal in the Software without restriction,
+including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense,
+and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial
+portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT
+NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
\ No newline at end of file
diff --git a/README.md b/README.md
index 8864d2a10e..01059ee91d 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,8 @@
+## Microsoft Open Source Code of Conduct
+
+This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
+For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.
+
 # Windows IT professional documentation
 
 Welcome! This repository houses the docs that are written for IT professionals for the following products:
diff --git a/ThirdPartyNotices b/ThirdPartyNotices
new file mode 100644
index 0000000000..a0bd09d68f
--- /dev/null
+++ b/ThirdPartyNotices
@@ -0,0 +1,15 @@
+##Legal Notices
+Microsoft and any contributors grant you a license to the Microsoft documentation and other content
+in this repository under the [Creative Commons Attribution 4.0 International Public License](https://creativecommons.org/licenses/by/4.0/legalcode),
+see the [LICENSE](LICENSE) file, and grant you a license to any code in the repository under the [MIT License](https://opensource.org/licenses/MIT), see the
+[LICENSE-CODE](LICENSE-CODE) file.
+
+Microsoft, Windows, Microsoft Azure and/or other Microsoft products and services referenced in the documentation
+may be either trademarks or registered trademarks of Microsoft in the United States and/or other countries.
+The licenses for this project do not grant you rights to use any Microsoft names, logos, or trademarks.
+Microsoft's general trademark guidelines can be found at http://go.microsoft.com/fwlink/?LinkID=254653.
+
+Privacy information can be found at https://privacy.microsoft.com/en-us/
+
+Microsoft and any contributors reserve all others rights, whether under their respective copyrights, patents,
+or trademarks, whether by implication, estoppel or otherwise.
\ No newline at end of file
diff --git a/browsers/edge/available-policies.md b/browsers/edge/available-policies.md
index b22ded8a4f..207acd7b9a 100644
--- a/browsers/edge/available-policies.md
+++ b/browsers/edge/available-policies.md
@@ -60,7 +60,7 @@ Microsoft Edge works with these Group Policy settings (`Computer Configuration\A - If you disable or don't configure this policy setting (default), it can be turned on and configured by the employee in the Clear browsing data options area, under Settings. ### Allow Developer Tools -- **Supported versions:** Windows 10, Version 1511 or later +- **Supported versions:** Windows 10, version 1511 or later - **Description:** This policy setting lets you decide whether F12 Developer Tools are available on Microsoft Edge. - If you enable or don’t configure this setting (default), the F12 Developer Tools are available in Microsoft Edge. @@ -68,7 +68,7 @@ Microsoft Edge works with these Group Policy settings (`Computer Configuration\A - If you disable this setting, the F12 Developer Tools aren’t available in Microsoft Edge. ### Allow Extensions -- **Supported versions:** Windows 10, Version 1607 or later +- **Supported versions:** Windows 10, version 1607 or later - **Description:** This policy setting lets you decide whether employees can use Edge Extensions. @@ -77,7 +77,7 @@ Microsoft Edge works with these Group Policy settings (`Computer Configuration\A - If you disable this setting, employees can’t use Edge Extensions. ### Allow InPrivate browsing -- **Supported versions:** Windows 10, Version 1511 or later +- **Supported versions:** Windows 10, version 1511 or later - **Description:** This policy setting lets you decide whether employees can browse using InPrivate website browsing. 
@@ -86,7 +86,7 @@ Microsoft Edge works with these Group Policy settings (`Computer Configuration\A - If you disable this setting, employees can’t use InPrivate website browsing. ### Allow Microsoft Compatibility List -- **Supported versions:** Windows 10, Version 1607 or later +- **Supported versions:** Windows 10, version 1607 or later - **Description:** This policy setting lets you decide whether to use the Microsoft Compatibility List (a Microsoft-provided list that helps sites with known compatibility issues to display properly) in Microsoft Edge. By default, the Microsoft Compatibility List is enabled and can be viewed by visiting about:compat. @@ -172,7 +172,7 @@ Microsoft Edge works with these Group Policy settings (`Computer Configuration\A - If you don’t configure this setting (default), employees can choose whether to send Do Not Track requests to websites asking for tracking info. ### Configure Favorites -- **Supported versions:** Windows 10, Version 1511 or later +- **Supported versions:** Windows 10, version 1511 or later - **Description:** This policy setting lets you configure the default list of Favorites that appear for your employees. Employees can change their Favorites by adding or removing items at any time. @@ -214,7 +214,7 @@ Microsoft Edge works with these Group Policy settings (`Computer Configuration\A - If you don’t configure this setting (default), employees can choose whether search suggestions appear in the Address bar of Microsoft Edge. ### Configure Start pages -- **Supported versions:** Windows 10, Version 1511 or later +- **Supported versions:** Windows 10, version 1511 or later - **Description:** This policy setting lets you configure one or more Start pages, for domain-joined devices. Your employees won't be able to change this after you set it. 
@@ -282,7 +282,7 @@ Microsoft Edge works with these Group Policy settings (`Computer Configuration\A - If you disable or don't configure this setting (default), employees can’t sync their favorites between Internet Explorer and Microsoft Edge. ### Prevent access to the about:flags page -- **Supported versions:** Windows 10, Version 1607 or later +- **Supported versions:** Windows 10, version 1607 or later - **Description:** This policy setting lets you decide whether employees can access the about:flags page, which is used to change developer settings and to enable experimental features. @@ -291,7 +291,7 @@ Microsoft Edge works with these Group Policy settings (`Computer Configuration\A - If you disable or don’t configure this setting (default), employees can access the about:flags page. ### Prevent bypassing Windows Defender SmartScreen prompts for files -- **Supported versions:** Windows 10, Version 1511 or later +- **Supported versions:** Windows 10, version 1511 or later - **Description:** This policy setting lets you decide whether employees can override the Windows Defender SmartScreen warnings about downloading unverified files. @@ -300,7 +300,7 @@ Microsoft Edge works with these Group Policy settings (`Computer Configuration\A - If you disable or don’t configure this setting (default), employees can ignore Windows Defender SmartScreen warnings and continue the download process. ### Prevent bypassing Windows Defender SmartScreen prompts for sites -- **Supported versions:** Windows 10, Version 1511 or later +- **Supported versions:** Windows 10, version 1511 or later - **Description:** This policy setting lets you decide whether employees can override the Windows Defender SmartScreen warnings about potentially malicious websites. 
@@ -327,7 +327,7 @@ Microsoft Edge works with these Group Policy settings (`Computer Configuration\A - If you disable or don't configure this setting (default), employees will see the First Run page when opening Microsoft Edge for the first time. ### Prevent using Localhost IP address for WebRTC -- **Supported versions:** Windows 10, Version 1511 or later +- **Supported versions:** Windows 10, version 1511 or later - **Description:** This policy setting lets you decide whether an employee’s Localhost IP address shows while making calls using the WebRTC protocol. By default, this setting is turned off. @@ -362,7 +362,7 @@ Microsoft Edge works with these Group Policy settings (`Computer Configuration\A - If you don't configure this setting (default), the default search engine is set to the one specified in App settings. ### Show message when opening sites in Internet Explorer -- **Supported versions:** Windows 10, Version 1607 and later +- **Supported versions:** Windows 10, version 1607 and later - **Description:** This policy setting lets you decide whether employees see an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11. @@ -452,7 +452,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U - **2.** Blocks all cookies from all sites. ### AllowDeveloperTools -- **Supported versions:** Windows 10, Version 1511 or later +- **Supported versions:** Windows 10, version 1511 or later - **Supported devices:** Desktop @@ -486,7 +486,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U - **1.** Employees can send Do Not Track headers to websites requesting tracking info. ### AllowExtensions -- **Supported versions:** Windows 10, Version 1607 and later +- **Supported versions:** Windows 10, version 1607 and later - **Supported devices:** Desktop 
@@ -537,7 +537,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U - **1 (default).** An employee must click the content, click a Click-to-Run button, or have the site appear on an auto-allow list before Microsoft Edge loads and runs Adobe Flash content. ### AllowInPrivate -- **Supported versions:** Windows 10, Version 1511 or later +- **Supported versions:** Windows 10, version 1511 or later - **Supported devices:** Both @@ -730,7 +730,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U >If there’s an .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server file has a different version number than the version in the cache container, the server file is used and stored in the cache container.

If you’re already using a site list, enterprise mode continues to work during the 65 second wait; it just uses your existing site list instead of your new one. ### Favorites -- **Supported versions:** Windows 10, Version 1511 or later +- **Supported versions:** Windows 10, version 1511 or later - **Supported devices:** Both @@ -752,7 +752,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U URLs must be on separate lines and aren't shared between Microsoft Edge and Internet Explorer 11. ### FirstRunURL -- **Supported versions:** Windows 10, Version 1511 or later +- **Supported versions:** Windows 10, version 1511 or later - **Supported devices:** Mobile @@ -771,7 +771,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U ### HomePages -- **Supported versions:** Windows 10, Version 1511 or later +- **Supported versions:** Windows 10, version 1511 or later - **Supported devices:** Desktop @@ -790,7 +790,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U ### PreventAccessToAboutFlagsInMicrosoftEdge -- **Supported versions:** Windows 10, Version 1607 and later +- **Supported versions:** Windows 10, version 1607 and later - **Supported devices:** Desktop @@ -841,7 +841,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U - **1.** Microsoft servers will not be contacted if a site is pinned to Start from Microsoft Edge. ### PreventSmartScreenPromptOverride -- **Supported versions:** Windows 10, Version 1511 or later +- **Supported versions:** Windows 10, version 1511 or later - **Supported devices:** Both 
@@ -858,7 +858,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U - **1.** Turns on Windows Defender SmartScreen. ### PreventSmartScreenPromptOverrideForFiles -- **Supported versions:** Windows 10, Version 1511 or later +- **Supported versions:** Windows 10, version 1511 or later - **Supported devices:** Both @@ -875,7 +875,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U - **1.** Stops employees from ignoring the Windows Defender SmartScreen warnings about unverified files. ### PreventUsingLocalHostIPAddressForWebRTC -- **Supported versions:** Windows 10, Version 1511 or later +- **Supported versions:** Windows 10, version 1511 or later - **Supported devices:** Desktop @@ -926,7 +926,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U - **1.** Allows you to configure the default search engine for your employees. ### ShowMessageWhenOpeningInteretExplorerSites -- **Supported versions:** Windows 10, Version 1607 and later +- **Supported versions:** Windows 10, version 1607 and later - **Supported devices:** Desktop diff --git a/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md b/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md index 1949a24903..1717c9f622 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md 
@@ -11,6 +11,11 @@ ms.sitesec: library # Change history for Internet Explorer 11 This topic lists new and updated topics in the Internet Explorer 11 documentation for both Windows 10 and Windows 10 Mobile. +## March 2017 +|New or changed topic | Description | +|----------------------|-------------| +|[New group policy settings for Internet Explorer 11](new-group-policy-settings-for-ie11.md) |Updated to add the Allow VBScript to run in Internet Explorer and the Hide the button (next to the New Tab button) that opens Microsoft Edge settings. | + ## November 2016 |New or changed topic | Description | |----------------------|-------------| diff --git a/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md index d63465dbe0..149ef61a09 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md @@ -16,63 +16,33 @@ Internet Explorer 11 gives you some new Group Policy settings to help you manag |Policy |Category Path |Supported on |Explanation | |-------|--------------|-------------|------------| -|Turn off loading websites and content in the background to optimize performance |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |IE11 on Windows 10 |This policy setting determines whether Internet Explorer preemptively loads websites and content in the background, speeding up performance such that when the user clicks a hyperlink, the background page seamlessly switches into view.

If you enable this policy setting, IE doesn't load any websites or content in the background.

If you disable this policy setting, IE preemptively loads websites and content in the background.

If you don’t configure this policy setting, users can turn this behavior on or off, using IE settings. This feature is turned on by default. | -|Allow Microsoft services to provide enhanced suggestions as the user types in the Address bar |Administrative Templates\Windows Components\Internet Explorer |IE11 on Windows 10 |This policy setting allows IE to provide enhanced suggestions as the user types in the Address bar. To provide enhanced suggestions, the user’s keystrokes are sent to Microsoft through Microsoft services.

If you enable this policy setting, users receive enhanced suggestions while typing in the Address bar. In addition, users won’t be able to change the **Suggestions** setting on the **Settings** charm.

If you disable this policy setting, users won’t receive enhanced suggestions while typing in the Address bar. In addition, users won’t be able to change the **Suggestions** setting on the **Settings** charm.

If you don’t configure this policy setting, users can change the **Suggestions** setting on the **Settings** charm. | -|Turn off phone number detection |Administrative Templates\Windows Components\Internet Explorer\Internet Settings\Advanced settings\Browsing |IE11 on Windows 10 |This policy setting determines whether phone numbers are recognized and turned into hyperlinks, which can be used to invoke the default phone application on the system.

If you enable this policy setting, phone number detection is turned off. Users won’t be able to modify this setting.

If you disable this policy setting, phone number detection is turned on. Users won’t be able to modify this setting.

If you don't configure this policy setting, users can turn this behavior on or off, using IE settings. The default is on. | -|Allow IE to use the SPDY/3 network protocol |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |IE11 on Windows 10 |This policy setting determines whether Internet Explorer uses the SPDY/3 network protocol. SPDY/3 works with HTTP requests to optimize the latency of network requests through compression, multiplexing and prioritization.

If you enable this policy setting, Internet Explorer uses the SPDY/3 network protocol.

If you disable this policy setting, Internet Explorer won't use the SPDY/3 network protocol.

If you don't configure this policy setting, users can turn this behavior on or off, on the **Advanced* tab of the **Internet Options** dialog box. The default is on.

**Note**
We've replaced the SPDY/3 protocol with the HTTP2 protocol in Windows 10. You can configure the HTTP2 protocol by using the **Allow IE to use the HTTP2 network protocol** setting. | |Allow IE to use the HTTP2 network protocol |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |IE11 on Windows 10 |This policy setting determines whether IE uses the HTTP2 network protocol. HTTP2 works with HTTP requests to optimize the latency of network requests through compression, multiplexing, and prioritization.

If you enable this policy setting, IE uses the HTTP2 network protocol.

If you disable this policy setting, IE won't use the HTTP2 network protocol.

If you don't configure this policy setting, users can turn this behavior on or off, using the **Internet Explorer Advanced Internet Options** settings. The default is on. | +|Allow IE to use the SPDY/3 network protocol |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |IE11 on Windows 10 |This policy setting determines whether Internet Explorer uses the SPDY/3 network protocol. SPDY/3 works with HTTP requests to optimize the latency of network requests through compression, multiplexing and prioritization.

If you enable this policy setting, Internet Explorer uses the SPDY/3 network protocol.

If you disable this policy setting, Internet Explorer won't use the SPDY/3 network protocol.

If you don't configure this policy setting, users can turn this behavior on or off, on the **Advanced* tab of the **Internet Options** dialog box. The default is on.

**Note**
We've replaced the SPDY/3 protocol with the HTTP2 protocol in Windows 10. You can configure the HTTP2 protocol by using the **Allow IE to use the HTTP2 network protocol** setting. | +|Allow Microsoft services to provide enhanced suggestions as the user types in the Address bar |Administrative Templates\Windows Components\Internet Explorer |IE11 on Windows 10 |This policy setting allows IE to provide enhanced suggestions as the user types in the Address bar. To provide enhanced suggestions, the user’s keystrokes are sent to Microsoft through Microsoft services.

If you enable this policy setting, users receive enhanced suggestions while typing in the Address bar. In addition, users won’t be able to change the **Suggestions** setting on the **Settings** charm.

If you disable this policy setting, users won’t receive enhanced suggestions while typing in the Address bar. In addition, users won’t be able to change the **Suggestions** setting on the **Settings** charm.

If you don’t configure this policy setting, users can change the **Suggestions** setting on the **Settings** charm. | +|Allow only approved domains to use the TDC ActiveX control |

|IE11 in Windows 10 |This policy setting determines whether users can run the Tabular Data Control (TDC) ActiveX control, based on security zone. By default, the TDC ActiveX Control is disabled in the **Internet** and **Restricted Sites** security zones.

If you enable this policy setting, users won’t be able to run the TDC ActiveX control from all sites in the specified zone.

If you disable this policy setting, users can run the TDC Active X control from all sites in the specified zone. | +|Allow SSL3 Fallback |Administrative Templates\Windows Components\Internet Explorer\Security Features |Internet Explorer 11 on Windows 10 |This policy setting allows you to stop websites from falling back to using Secure Socket Layer (SSL) 3.0 or lower, if Transport Layer Security (TLS) 1.0 or higher, fails. This setting doesn’t affect which security protocols are enabled.

If you enable this policy setting and a website fails while using the TLS 1.0 or higher security protocols, Internet Explorer will try to fallback and use SSL 3.0 or lower security protocols.

If you disable or don’t configure this setting, Internet Explorer uses the default system protocols.

**Important:**
By default, SSL 3.0 is disabled. If you choose to enable SSL 3.0, we recommend that you disable or don't configure this setting to help mitigate potential man-in-the-middle attacks. | +|Allow VBScript to run in Internet Explorer|

|Internet Explorer 11|This policy setting lets you decide whether VBScript can run on pages in specific Internet Explorer zones.

If you enable this policy setting (default), you must also pick one of the following options from the Options box:

If you disable or don’t configure this policy setting, VBScript runs without any interaction in the specified zone.| +|Always send Do Not Track header |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |At least Internet Explorer 10 |This policy setting allows you to configure how IE sends the Do Not Track (DNT) header.

If you enable this policy setting, IE sends a `DNT:1` header with all HTTP and HTTPS requests. The `DNT:1` header signals to the servers not to track the user.

**In Internet Explorer 9 and 10:**
If you disable this policy setting, IE only sends the Do Not Track header if a Tracking Protection List is enabled or inPrivate Browsing mode is used.

**In at least IE11:**
If you disable this policy setting, IE only sends the Do Not Track header if inPrivate Browsing mode is used.

If you don't configure the policy setting, users can select the **Always send Do Not Track header** option on the **Advanced* tab of the **Internet Options** dialog box. By selecting this option, IE sends a `DNT:1` header with all HTTP and HTTPS requests; unless the user grants a site-specific exception, in which case IE sends a `DNT:0` header. By default, this option is enabled. | |Don't run antimalware programs against ActiveX controls
(Internet, Restricted Zones) |

|IE11 on Windows 10 |This policy setting determines whether IE runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.

If you enable this policy setting, IE won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control.

If you disable this policy setting, IE always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control.

If you don't configure this policy setting, IE always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using the Internet Explorer's **Security** settings. | |Don't run antimalware programs against ActiveX controls
(Intranet, Trusted, Local Machine Zones) |

|IE11 on Windows 10 |This policy setting determines whether IE runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.

If you enable this policy setting, IE won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control.

If you disable this policy setting, IE always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control.

If you don't configure this policy setting, IE won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer's **Security** settings. | -|Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |IE11 on Windows 10 |This policy setting determines whether IE11 uses 64-bit processes (for greater security) or 32-bit processes (for greater compatibility) when running in Enhanced Protected Mode on 64-bit versions of Windows.

If you enable this policy setting, IE11 will use 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.

If you disable this policy setting, IE11 will use 32-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.

If you don't configure this policy setting, users can turn this feature on or off using IE settings. This feature is turned off by default.

**Important**
When using 64-bit processes, some ActiveX controls and toolbars might not be available. | -|Turn off sending UTF-8 query strings for URLs |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |IE11 on Windows 10 |This policy setting determines whether IE uses 8-bit Unicode Transformation Format (UTF-8) to encode query strings in URLs before sending them to servers or to proxy servers.

If you enable this policy setting, you must specify when to use UTF-8 to encode query strings:

If you disable or don't configure this policy setting, users can turn this behavior on or off, using IE Advanced Options settings. The default is to encode all query strings in UTF-8. | -|Turn off sending URL path as UTF-8 |User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Settings\URL Encoding |At least Windows Internet Explorer 7 |This policy setting determines whether to let IE send the path portion of a URL using the UTF-8 standard. This standard defines characters so they're readable in any language and lets you exchange Internet addresses (URLs) with characters included in any language.

If you enable this policy setting, UTF-8 is not allowed. Users won't be able to change this setting.

If you disable this policy setting, UTF-8 is allowed. Users won't be able to change this setting.

If you don't configure this policy setting, users can turn this behavior on or off. | -|Turn off the flip ahead with page prediction feature |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |At least Internet Explorer 10 on Windows 8 |This policy setting determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website.

If you enable this policy setting, flip ahead with page prediction is turned off and the next webpage isn’t loaded into the background.

If you disable this policy setting, flip ahead with page prediction is turned on and the next webpage is loaded into the background.

If you don’t configure this setting, users can turn this behavior on or off, using the **Settings** charm.

**Note**
Microsoft collects your browsing history to improve how flip ahead with page prediction works. This feature isn’t available for Internet Explorer for the desktop. | -|Prevent deleting ActiveX Filtering, Tracking Protection and Do Not Track data |Administrative Templates\Windows Components\Internet Explorer\Delete Browsing History |At least Windows Internet Explorer 9 |**In Internet Explorer 9 and Internet Explorer 10:**
This policy setting prevents users from deleting ActiveX Filtering and Tracking Protection data, which includes the list of websites for which the user has chosen to disable ActiveX Filtering or Tracking Protection. In addition, Tracking Protection data is also collected if users turn on the **Personalized Tracking Protection List**, which blocks third-party items while the user is browsing.

**In IE11:**
This policy setting prevents users from deleting ActiveX Filtering, Tracking Protection data, and Do Not Track exceptions, stored in the **Delete Browsing History** dialog box, for visited websites.

If you enable this policy setting, ActiveX Filtering, Tracking Protection and Do Not Track data is preserved when the user clicks **Delete**.

If you disable this policy setting, ActiveX Filtering, Tracking Protection and Do Not Track data is deleted when the user clicks **Delete**.

If you don’t configure this policy setting, users can turn this feature on and off, determining whether to delete ActiveX Filtering, Tracking Protection, and Do Not Track data when clicking **Delete**. | -|Always send Do Not Track header |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |At least Internet Explorer 10 |This policy setting allows you to configure how IE sends the Do Not Track (DNT) header.

If you enable this policy setting, IE sends a `DNT:1` header with all HTTP and HTTPS requests. The `DNT:1` header signals to the servers not to track the user.

**In Internet Explorer 9 and 10:**
If you disable this policy setting, IE only sends the Do Not Track header if a Tracking Protection List is enabled or inPrivate Browsing mode is used.

**In at least IE11:**
If you disable this policy setting, IE only sends the Do Not Track header if inPrivate Browsing mode is used.

If you don't configure the policy setting, users can select the **Always send Do Not Track header** option on the **Advanced* tab of the **Internet Options** dialog box. By selecting this option, IE sends a `DNT:1` header with all HTTP and HTTPS requests; unless the user grants a site-specific exception, in which case IE sends a `DNT:0` header. By default, this option is enabled. | -|Turn off the ability to launch report site problems using a menu option |Administrative Templates\Windows Components\Internet Explorer\Browser menus |Internet Explorer 11 |This policy setting allows you to manage whether users can start the **eport Site Problems** dialog box from the **Internet Explorer** settings area or from the **Tools** menu.

If you enable this policy setting, users won’t be able to start the **Report Site Problems** dialog box from the Internet Explorer settings or the Tools menu.

If you disable or don’t configure this policy setting, users will be able to start the **Report Site Problems** dialog box from the **Internet Explorer** settings area or from the **Tools** menu. |
-|Allow only approved domains to use the TDC ActiveX control |

|IE11 in Windows 10 |This policy setting determines whether users can run the Tabular Data Control (TDC) ActiveX control, based on security zone. By default, the TDC ActiveX Control is disabled in the **Internet** and **Restricted Sites** security zones.

If you enable this policy setting, users won’t be able to run the TDC ActiveX control from all sites in the specified zone.

If you disable this policy setting, users can run the TDC Active X control from all sites in the specified zone. |
-|Turn on Site Discovery XML output |Administrative Templates\Windows Components\Internet Explorer |At least Internet Explorer 8 |This policy setting allows you to manage the XML output functionality of the Internet Explorer Site Discovery Toolkit.

If you enable this policy setting, the Internet Explorer Site Discovery Toolkit will log its collected data to an XML file, stored in your specified location.

If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit won’t log its collected data to an XML file.

**Note:**
Enabling or disabling this setting won’t impact any other output methods available to the Internet Explorer Site Discovery Toolkit. |
-|Turn on Site Discovery WMI output |Administrative Templates\Windows Components\Internet Explorer |At least Internet Explorer 8 |This policy setting allows you to manage the WMI output functionality of the Internet Explorer Site Discovery Toolkit.

If you enable this policy setting, the Internet Explorer Site Discovery Toolkit will log its collected data to an WMI class, which can be aggregated by using a client-management solution, such as System Center Configuration Manager.

If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit won’t log its collected data to an WMI class.

**Note:**
Enabling or disabling this setting won’t impact any other output methods available to the Internet Explorer Site Discovery Toolkit. |
+|Hide the button (next to the New Tab button) that opens Microsoft Edge |User Configuration\Administrative Templates\Windows Components/Internet Explorer\Internet Settings\Advanced Settings\Browsing\ |IE11 on Windows 10, Windows Insider Program |This policy setting lets you decide whether employees can see the open Microsoft Edge button, which appears next to the New Tab button.

If you enable this policy setting, the button to open Microsoft Edge from Internet Explorer will be hidden.

If you disable this policy setting, the button to open Microsoft Edge from Internet Explorer appears.

If you don't configure this policy setting, the button to open Microsoft Edge from Internet Explorer can be configured by your employees. |
+|Let users turn on and use Enterprise Mode from the **Tools** menu |Administrative Templates\Windows Components\Internet Explorer |IE11 on Windows 10 |This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compatibility issues. Optionally, this policy also lets you specify where to get reports (through post messages) about the websites for which users turn on Enterprise Mode using the **Tools** menu.

If you enable this policy setting, users can see and use the **Enterprise Mode** option from the **Tools** menu. If you enable this setting, but don’t specify a report location, Enterprise Mode will still be available to your users, but you won’t get any reports.

If you disable or don’t configure this policy setting, the menu option won’t appear and users won’t be able to turn on Enterprise Mode locally. |
 |Limit Site Discovery output by Domain |Administrative Templates\Windows Components\Internet Explorer |At least Internet Explorer 8 |This policy setting allows you to control which domains are included in the discovery function of the Internet Explorer Site Discovery Toolkit.

If you enable this policy setting, the Internet Explorer Site Discovery Toolkit collects data from all sites in your specified domains, configured by adding one domain per line to the included text box.

If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit collects data from all sites in all domains.

**Note:**
You can use this setting in conjunction with the other settings that control the Internet Explorer Site Discovery Toolkit. |
 |Limit Site Discovery output by Zone |Administrative Templates\Windows Components\Internet Explorer |At least Internet Explorer 8 |This policy setting allows you to control which zones are included in the discovery function of the Internet Explorer Site Discovery Toolkit.

If you enable this policy setting, the Internet Explorer Site Discovery Toolkit collects data from all specified security zones.

If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit collects data from all sites in all security zones.

To specify which zones can collect data, you must include a binary number that represents your selected zones, based on this order:


**Example 1:** Include only the Local Intranet zone (binary representation: 00010), based on:

**Example 2:** Include only the Restricted Sites, Trusted Sites, and Local Intranet zones (binary representation: 10110), based on:

**Note:**
You can use this setting in conjunction with the other settings that control the Internet Explorer Site Discovery Toolkit. |
-|Allow SSL3 Fallback |Administrative Templates\Windows Components\Internet Explorer\Security Features |Internet Explorer 11 on Windows 10 |This policy setting allows you to stop websites from falling back to using Secure Socket Layer (SSL) 3.0 or lower, if Transport Layer Security (TLS) 1.0 or higher, fails. This setting doesn’t affect which security protocols are enabled.

If you enable this policy setting and a website fails while using the TLS 1.0 or higher security protocols, Internet Explorer will try to fallback and use SSL 3.0 or lower security protocols.

If you disable or don’t configure this setting, Internet Explorer uses the default system protocols.**Important:**
By default, SSL 3.0 is disabled. If you choose to enable SSL 3.0, we recommend that you disable or don't configure this setting to help mitigate potential man-in-the-middle attacks. |
-|Turn off automatic download of the ActiveX VersionList |Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management |At least Windows Internet Explorer 8 |This policy setting allows you to decide whether Internet Explorer automatically downloads updated versions of Microsoft's VersionList.XML file. This file tells Internet Explorer whether to stop specific ActiveX controls from loading.

If you enable this policy setting, Internet Explorer stops automatically downloading updated versions of the VersionList.XML file.

If you disable or don’t configure this setting, Internet Explorer continues to download updated versions of the VersionList.XML file.

**Important:**
Stopping this file from updating breaks the out-of-date ActiveX control blocking feature, potentially compromising the security of the device. For more info, see the Out-of-Date ActiveX Control Blocking (https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking) topic. |
-|Let users turn on and use Enterprise Mode from the **Tools** menu |Administrative Templates\Windows Components\Internet Explorer |IE11 on Windows 10 |This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compatibility issues. Optionally, this policy also lets you specify where to get reports (through post messages) about the websites for which users turn on Enterprise Mode using the **Tools** menu.

If you enable this policy setting, users can see and use the **Enterprise Mode** option from the **Tools** menu. If you enable this setting, but don’t specify a report location, Enterprise Mode will still be available to your users, but you won’t get any reports.

If you disable or don’t configure this policy setting, the menu option won’t appear and users won’t be able to turn on Enterprise Mode locally. |
-|Use the Enterprise Mode IE website list |Administrative Templates\Windows Components\Internet Explorer |IE11 on Windows 10, version 1511 |This policy setting lets you specify where to find the list of websites you want opened using Enterprise Mode, instead of Standard mode, because of compatibility issues. Users can’t edit this list.

If you enable this policy setting, Internet Explorer downloads the Enterprise Mode website list from the `HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE`\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode hive, opening all included websites using Enterprise Mode. We recommend storing and downloading your list from a secure web server `(https://)`, to help protect against data tampering.

If you disable or don’t configure this policy setting, Internet Explorer opens all websites using **Standard** mode. |
+|Prevent deleting ActiveX Filtering, Tracking Protection and Do Not Track data |Administrative Templates\Windows Components\Internet Explorer\Delete Browsing History |At least Windows Internet Explorer 9 |**In Internet Explorer 9 and Internet Explorer 10:**
This policy setting prevents users from deleting ActiveX Filtering and Tracking Protection data, which includes the list of websites for which the user has chosen to disable ActiveX Filtering or Tracking Protection. In addition, Tracking Protection data is also collected if users turn on the **Personalized Tracking Protection List**, which blocks third-party items while the user is browsing.

**In IE11:**
This policy setting prevents users from deleting ActiveX Filtering, Tracking Protection data, and Do Not Track exceptions, stored in the **Delete Browsing History** dialog box, for visited websites.

If you enable this policy setting, ActiveX Filtering, Tracking Protection and Do Not Track data is preserved when the user clicks **Delete**.

If you disable this policy setting, ActiveX Filtering, Tracking Protection and Do Not Track data is deleted when the user clicks **Delete**.

If you don’t configure this policy setting, users can turn this feature on and off, determining whether to delete ActiveX Filtering, Tracking Protection, and Do Not Track data when clicking **Delete**. |
 |Send all sites not included in the Enterprise Mode Site List to Microsoft Edge |Administrative Templates\Windows Components\Internet Explorer |IE11 on Windows 10, version 1607 |This policy setting lets you decide whether to open all sites that aren’t specified to open in IE11 by the Enterprise Mode site list, to open in Microsoft Edge.

If you enable this policy setting, you must also enable the Administrative Templates\Windows Components\Internet Explorer\Use the Enterprise Mode IE website list policy setting and you must include at least one site in the Enterprise Mode site list.

If you disable or don't configure this policy setting, all sites will open based on the currently active browser.

**Note:**
If you’ve also enabled the Administrative Templates\Windows Components\Microsoft Edge\Send all intranet sites to Internet Explorer 11 policy setting, then all intranet sites will continue to open in Internet Explorer 11. |
 |Show message when opening sites in Microsoft Edge using Enterprise Mode |Administrative Templates\Windows Components\Internet Explorer |IE11 on Windows 10, version 1607 |This policy setting lets you decide whether employees see an additional page in Internet Explorer 11, stating that a site has been opened using Microsoft Edge with Enterprise Mode.

If you enable this policy setting, employees see an additional page in Internet Explorer 11, stating that a site has been opened using Microsoft Edge with Enterprise Mode.

If you disable or don't configure this policy setting, the default app behavior occurs and no additional page appears. |
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+|Turn off automatic download of the ActiveX VersionList |Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management |At least Windows Internet Explorer 8 |This policy setting allows you to decide whether Internet Explorer automatically downloads updated versions of Microsoft's VersionList.XML file. This file tells Internet Explorer whether to stop specific ActiveX controls from loading.

If you enable this policy setting, Internet Explorer stops automatically downloading updated versions of the VersionList.XML file.

If you disable or don’t configure this setting, Internet Explorer continues to download updated versions of the VersionList.XML file.

**Important:**
Stopping this file from updating breaks the out-of-date ActiveX control blocking feature, potentially compromising the security of the device. For more info, see the Out-of-Date ActiveX Control Blocking (https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking) topic. |
+|Turn off loading websites and content in the background to optimize performance |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |IE11 on Windows 10 |This policy setting determines whether Internet Explorer preemptively loads websites and content in the background, speeding up performance such that when the user clicks a hyperlink, the background page seamlessly switches into view.

If you enable this policy setting, IE doesn't load any websites or content in the background.

If you disable this policy setting, IE preemptively loads websites and content in the background.

If you don’t configure this policy setting, users can turn this behavior on or off, using IE settings. This feature is turned on by default. |
+|Turn off phone number detection |Administrative Templates\Windows Components\Internet Explorer\Internet Settings\Advanced settings\Browsing |IE11 on Windows 10 |This policy setting determines whether phone numbers are recognized and turned into hyperlinks, which can be used to invoke the default phone application on the system.

If you enable this policy setting, phone number detection is turned off. Users won’t be able to modify this setting.

If you disable this policy setting, phone number detection is turned on. Users won’t be able to modify this setting.

If you don't configure this policy setting, users can turn this behavior on or off, using IE settings. The default is on. |
+|Turn off sending URL path as UTF-8 |User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Settings\URL Encoding |At least Windows Internet Explorer 7 |This policy setting determines whether to let IE send the path portion of a URL using the UTF-8 standard. This standard defines characters so they're readable in any language and lets you exchange Internet addresses (URLs) with characters included in any language.

If you enable this policy setting, UTF-8 is not allowed. Users won't be able to change this setting.

If you disable this policy setting, UTF-8 is allowed. Users won't be able to change this setting.

If you don't configure this policy setting, users can turn this behavior on or off. |
+|Turn off sending UTF-8 query strings for URLs |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |IE11 on Windows 10 |This policy setting determines whether IE uses 8-bit Unicode Transformation Format (UTF-8) to encode query strings in URLs before sending them to servers or to proxy servers.

If you enable this policy setting, you must specify when to use UTF-8 to encode query strings:

If you disable or don't configure this policy setting, users can turn this behavior on or off, using IE Advanced Options settings. The default is to encode all query strings in UTF-8. |
+|Turn off the ability to launch report site problems using a menu option |Administrative Templates\Windows Components\Internet Explorer\Browser menus |Internet Explorer 11 |This policy setting allows you to manage whether users can start the **eport Site Problems** dialog box from the **Internet Explorer** settings area or from the **Tools** menu.

If you enable this policy setting, users won’t be able to start the **Report Site Problems** dialog box from the Internet Explorer settings or the Tools menu.

If you disable or don’t configure this policy setting, users will be able to start the **Report Site Problems** dialog box from the **Internet Explorer** settings area or from the **Tools** menu. |
+|Turn off the flip ahead with page prediction feature |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |At least Internet Explorer 10 on Windows 8 |This policy setting determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website.

If you enable this policy setting, flip ahead with page prediction is turned off and the next webpage isn’t loaded into the background.

If you disable this policy setting, flip ahead with page prediction is turned on and the next webpage is loaded into the background.

If you don’t configure this setting, users can turn this behavior on or off, using the **Settings** charm.

**Note**
Microsoft collects your browsing history to improve how flip ahead with page prediction works. This feature isn’t available for Internet Explorer for the desktop. |
+|Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |IE11 on Windows 10 |This policy setting determines whether IE11 uses 64-bit processes (for greater security) or 32-bit processes (for greater compatibility) when running in Enhanced Protected Mode on 64-bit versions of Windows.

If you enable this policy setting, IE11 will use 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.

If you disable this policy setting, IE11 will use 32-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.

If you don't configure this policy setting, users can turn this feature on or off using IE settings. This feature is turned off by default.

**Important**
When using 64-bit processes, some ActiveX controls and toolbars might not be available. |
+|Turn on Site Discovery WMI output |Administrative Templates\Windows Components\Internet Explorer |At least Internet Explorer 8 |This policy setting allows you to manage the WMI output functionality of the Internet Explorer Site Discovery Toolkit.

If you enable this policy setting, the Internet Explorer Site Discovery Toolkit will log its collected data to an WMI class, which can be aggregated by using a client-management solution, such as System Center Configuration Manager.

If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit won’t log its collected data to an WMI class.

**Note:**
Enabling or disabling this setting won’t impact any other output methods available to the Internet Explorer Site Discovery Toolkit. |
+|Turn on Site Discovery XML output |Administrative Templates\Windows Components\Internet Explorer |At least Internet Explorer 8 |This policy setting allows you to manage the XML output functionality of the Internet Explorer Site Discovery Toolkit.

If you enable this policy setting, the Internet Explorer Site Discovery Toolkit will log its collected data to an XML file, stored in your specified location.

If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit won’t log its collected data to an XML file.

**Note:**
Enabling or disabling this setting won’t impact any other output methods available to the Internet Explorer Site Discovery Toolkit. |
+|Use the Enterprise Mode IE website list |Administrative Templates\Windows Components\Internet Explorer |IE11 on Windows 10, version 1511 |This policy setting lets you specify where to find the list of websites you want opened using Enterprise Mode, instead of Standard mode, because of compatibility issues. Users can’t edit this list.

If you enable this policy setting, Internet Explorer downloads the Enterprise Mode website list from the `HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE`\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode hive, opening all included websites using Enterprise Mode. We recommend storing and downloading your list from a secure web server `(https://)`, to help protect against data tampering.

If you disable or don’t configure this policy setting, Internet Explorer opens all websites using **Standard** mode. |
 ## Removed Group Policy settings
 IE11 no longer supports these Group Policy settings:
diff --git a/devices/surface-hub/TOC.md b/devices/surface-hub/TOC.md
index a9cde81f15..5d807a4e97 100644
--- a/devices/surface-hub/TOC.md
+++ b/devices/surface-hub/TOC.md
@@ -1,42 +1,41 @@
 # [Microsoft Surface Hub](index.md)
-## [Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md)
-### [Intro to Microsoft Surface Hub](intro-to-surface-hub.md)
-### [Prepare your environment for Microsoft Surface Hub](prepare-your-environment-for-surface-hub.md)
-#### [Physically install Microsoft Surface Hub](physically-install-your-surface-hub-device.md)
-#### [Create and test a device account](create-and-test-a-device-account-surface-hub.md)
-##### [Online deployment](online-deployment-surface-hub-device-accounts.md)
-##### [On-premises deployment (single forest)](on-premises-deployment-surface-hub-device-accounts.md)
-##### [On-premises deployment (multiple forests)](on-premises-deployment-surface-hub-multi-forest.md)
-##### [Hybrid deployment](hybrid-deployment-surface-hub-device-accounts.md)
-##### [Create a device account using UI](create-a-device-account-using-office-365.md)
-##### [Microsoft Exchange properties](exchange-properties-for-surface-hub-device-accounts.md)
-##### [Applying ActiveSync policies to device accounts](apply-activesync-policies-for-surface-hub-device-accounts.md)
-##### [Password management](password-management-for-surface-hub-device-accounts.md)
-#### [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md)
-#### [Admin group management](admin-group-management-for-surface-hub.md)
-### [Set up Microsoft Surface Hub](set-up-your-surface-hub.md)
-#### [Setup worksheet](setup-worksheet-surface-hub.md)
-#### [First-run program](first-run-program-surface-hub.md)
-### [Manage Microsoft Surface Hub](manage-surface-hub.md)
-#### [Remote Surface Hub management](remote-surface-hub-management.md)
-##### [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md)
-##### [Monitor your Surface Hub](monitor-surface-hub.md)
-##### [Windows updates](manage-windows-updates-for-surface-hub.md)
-#### [Manage Surface Hub 
settings](manage-surface-hub-settings.md)
-##### [Local management for Surface Hub settings](local-management-surface-hub-settings.md)
-##### [Accessibility](accessibility-surface-hub.md)
-##### [Change the Surface Hub device account](change-surface-hub-device-account.md)
-##### [Device reset](device-reset-surface-hub.md)
-##### [Use fully qualified domain name with Surface Hub](use-fully-qualified-domain-name-surface-hub.md)
-##### [Wireless network management](wireless-network-management-for-surface-hub.md)
-#### [Install apps on your Surface Hub](install-apps-on-surface-hub.md)
-#### [End a Surface Hub meeting with I'm Done](i-am-done-finishing-your-surface-hub-meeting.md)
-#### [Save your BitLocker key](save-bitlocker-key-surface-hub.md)
-#### [Connect other devices and display with Surface Hub](connect-and-display-with-surface-hub.md)
-#### [Using a room control system](use-room-control-system-with-surface-hub.md)
-### [Troubleshoot Microsoft Surface Hub](troubleshoot-surface-hub.md)
-### [Appendix: PowerShell](appendix-a-powershell-scripts-for-surface-hub.md)
-## [Useful downloads for Surface Hub administrators](surface-hub-downloads.md)
+## [What's new in Windows 10, version 1703 for Surface Hub?](surfacehub-whats-new-1703.md)
 ## [Differences between Surface Hub and Windows 10 Enterprise](differences-between-surface-hub-and-windows-10-enterprise.md)
+## [Prepare your environment for Microsoft Surface Hub](prepare-your-environment-for-surface-hub.md)
+### [Physically install Microsoft Surface Hub](physically-install-your-surface-hub-device.md)
+### [Create and test a device account](create-and-test-a-device-account-surface-hub.md)
+#### [Online deployment](online-deployment-surface-hub-device-accounts.md)
+#### [On-premises deployment (single forest)](on-premises-deployment-surface-hub-device-accounts.md)
+#### [On-premises deployment (multiple forests)](on-premises-deployment-surface-hub-multi-forest.md)
+#### [Hybrid 
deployment](hybrid-deployment-surface-hub-device-accounts.md)
+#### [Create a device account using UI](create-a-device-account-using-office-365.md)
+#### [Microsoft Exchange properties](exchange-properties-for-surface-hub-device-accounts.md)
+#### [Applying ActiveSync policies to device accounts](apply-activesync-policies-for-surface-hub-device-accounts.md)
+#### [Password management](password-management-for-surface-hub-device-accounts.md)
+### [Create provisioning packages](provisioning-packages-for-surface-hub.md)
+### [Admin group management](admin-group-management-for-surface-hub.md)
+## [Set up Microsoft Surface Hub](set-up-your-surface-hub.md)
+### [Setup worksheet](setup-worksheet-surface-hub.md)
+### [First-run program](first-run-program-surface-hub.md)
+## [Manage Microsoft Surface Hub](manage-surface-hub.md)
+### [Remote Surface Hub management](remote-surface-hub-management.md)
+#### [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md)
+#### [Monitor your Surface Hub](monitor-surface-hub.md)
+#### [Windows updates](manage-windows-updates-for-surface-hub.md)
+### [Manage Surface Hub settings](manage-surface-hub-settings.md)
+#### [Local management for Surface Hub settings](local-management-surface-hub-settings.md)
+#### [Accessibility](accessibility-surface-hub.md)
+#### [Change the Surface Hub device account](change-surface-hub-device-account.md)
+#### [Device reset](device-reset-surface-hub.md)
+#### [Use fully qualified domain name with Surface Hub](use-fully-qualified-domain-name-surface-hub.md)
+#### [Wireless network management](wireless-network-management-for-surface-hub.md)
+### [Install apps on your Surface Hub](install-apps-on-surface-hub.md)
+### [End a Surface Hub meeting with End session](i-am-done-finishing-your-surface-hub-meeting.md)
+### [Save your BitLocker key](save-bitlocker-key-surface-hub.md)
+### [Connect other devices and display with Surface Hub](connect-and-display-with-surface-hub.md)
+### [Using a 
room control system](use-room-control-system-with-surface-hub.md)
+## [PowerShell for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md)
 ## [How Surface Hub addresses Wi-Fi Direct security issues](surface-hub-wifi-direct.md)
+## [Troubleshoot Microsoft Surface Hub](troubleshoot-surface-hub.md)
+## [Useful downloads for Surface Hub administrators](surface-hub-downloads.md)
 ## [Change history for Surface Hub](change-history-surface-hub.md)
\ No newline at end of file
diff --git a/devices/surface-hub/accessibility-surface-hub.md b/devices/surface-hub/accessibility-surface-hub.md
index 46348c087d..7ea46504e4 100644
--- a/devices/surface-hub/accessibility-surface-hub.md
+++ b/devices/surface-hub/accessibility-surface-hub.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.pagetype: surfacehub
 ms.sitesec: library
-author: TrudyHa
+author: jdeckerMS
 localizationpriority: medium
 ---
@@ -30,7 +30,7 @@ The full list of accessibility settings are available to IT admins in the **Sett
 | Mouse | Defaults selected for **Pointer size**, **Pointer color** and **Mouse keys**. |
 | Other options | Defaults selected for **Visual options** and **Touch feedback**. |
-Additionally, these accessibility features and apps are returned to default settings when users press [I'm Done](i-am-done-finishing-your-surface-hub-meeting.md):
+Additionally, these accessibility features and apps are returned to default settings when users press [End session](finishing-your-surface-hub-meeting.md):
 - Narrator
 - Magnifier
 - High contrast
diff --git a/devices/surface-hub/admin-group-management-for-surface-hub.md b/devices/surface-hub/admin-group-management-for-surface-hub.md
index 7607199209..2abc8df009 100644
--- a/devices/surface-hub/admin-group-management-for-surface-hub.md
+++ b/devices/surface-hub/admin-group-management-for-surface-hub.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub, security
-author: TrudyHa
+author: jdeckerMS
 localizationpriority: medium
 ---
diff --git a/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md
index 76275e3ec8..b04dd91222 100644
--- a/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md
+++ b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md
@@ -1,5 +1,5 @@
 ---
-title: Appendix PowerShell (Surface Hub)
+title: PowerShell for Surface Hub (Surface Hub)
 description: PowerShell scripts to help set up and manage your Microsoft Surface Hub .
 ms.assetid: 3EF48F63-8E4C-4D74-ACD5-461F1C653784
 keywords: PowerShell, set up Surface Hub, manage Surface Hub
@@ -7,14 +7,14 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub
-author: TrudyHa
+author: jdeckerMS
 localizationpriority: medium
 ---
-# Appendix: PowerShell (Surface Hub)
+# PowerShell for Surface Hub
-PowerShell scripts to help set up and manage your Microsoft Surface Hub .
+PowerShell scripts to help set up and manage your Microsoft Surface Hub.
 - [PowerShell scripts for Surface Hub admins](#scripts-for-admins)
 - [Create an on-premise account](#create-on-premise-ps-scripts)
@@ -43,7 +43,8 @@ What do you need in order to run the scripts?
 - Remote PowerShell access to your organization's domain or tenant, Exchange servers, and Skype for Business servers.
 - Admin credentials for your organization's domain or tenant, Exchange servers, and Skype for Business servers.
->**Note**  Whether you’re creating a new account or modifying an already-existing account, the validation script will verify that your device account is configured correctly. You should always run the validation script before adding a device account to Surface Hub.
+>[!NOTE]
+>Whether you’re creating a new account or modifying an already-existing account, the validation script will verify that your device account is configured correctly. You should always run the validation script before adding a device account to Surface Hub.  
diff --git a/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md b/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md
index f6cad56654..e49731d001 100644
--- a/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md
+++ b/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub
-author: TrudyHa
+author: jdeckerMS
 localizationpriority: medium
 ---
diff --git a/devices/surface-hub/change-history-surface-hub.md b/devices/surface-hub/change-history-surface-hub.md
index 74ee57c2f5..d8d69bb450 100644
--- a/devices/surface-hub/change-history-surface-hub.md
+++ b/devices/surface-hub/change-history-surface-hub.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub
-author: TrudyHa
+author: jdeckerMS
 localizationpriority: medium
 ---
@@ -14,6 +14,10 @@ localizationpriority: medium
 This topic lists new and updated topics in the [Surface Hub Admin Guide]( surface-hub-administrators-guide.md).
+## RELEASE: Windows 10, version 1703
+
+The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update).
+
 ## February 2017
 | New or changed topic | Description |
diff --git a/devices/surface-hub/change-surface-hub-device-account.md b/devices/surface-hub/change-surface-hub-device-account.md
index 6dc6bf7016..2ad7a30571 100644
--- a/devices/surface-hub/change-surface-hub-device-account.md
+++ b/devices/surface-hub/change-surface-hub-device-account.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub
-author: TrudyHa
+author: jdeckerMS
 localizationpriority: medium
 ---
diff --git a/devices/surface-hub/create-a-device-account-using-office-365.md b/devices/surface-hub/create-a-device-account-using-office-365.md
index 914b6136e6..b6719175f5 100644
--- a/devices/surface-hub/create-a-device-account-using-office-365.md
+++ b/devices/surface-hub/create-a-device-account-using-office-365.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub
-author: TrudyHa
+author: jdeckerMS
 localizationpriority: medium
 ---
diff --git a/devices/surface-hub/create-and-test-a-device-account-surface-hub.md b/devices/surface-hub/create-and-test-a-device-account-surface-hub.md
index 9930a748e3..5c6ab373e5 100644
--- a/devices/surface-hub/create-and-test-a-device-account-surface-hub.md
+++ b/devices/surface-hub/create-and-test-a-device-account-surface-hub.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub
-author: TrudyHa
+author: jdeckerMS
 localizationpriority: medium
 ---
diff --git a/devices/surface-hub/device-reset-surface-hub.md b/devices/surface-hub/device-reset-surface-hub.md
index f2cb38c5f2..0d070c1ae5 100644
--- a/devices/surface-hub/device-reset-surface-hub.md
+++ b/devices/surface-hub/device-reset-surface-hub.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub
-author: TrudyHa
+author: jdeckerMS
 localizationpriority: medium
 ---
@@ -49,21 +49,49 @@ If you see a blank screen for long periods of time during the **Reset device** p
 ![Image showing Update & Security group in Settings app for Surface Hub.](images/sh-settings-update-security.png)
-3. Click **Recovery**, and then click **Get started**.
+3. Click **Recovery**, and then, under **Reset device**, click **Get started**.
 ![Image showing Reset device option in Settings app for Surface Hub.](images/sh-settings-reset-device.png)
-## Reset a Surface Hub from Windows Recovery Environment
+
+## Recover a Surface Hub from the cloud
-On rare occasions, a Surface Hub may encounter an error while cleaning up user and app data at the end of a session. When this happens, the device will automatically reboot and try again. But if this operation fails repeatedly, the device will be automatically locked to protect user data. To unlock it, you must reset the device from [Windows Recovery Environment](https://technet.microsoft.com/library/cc765966.aspx) (Windows RE).
+In the Windows Recovery Environment (Windows RE), you can recover your device by downloading a factory build from the cloud and installing it on the Surface Hub. This allows devices in an unusable state to recover without requiring assistance from Microsoft Support.
-**To reset a Surface Hub from Windows Recovery Environment**
+### Recover a Surface Hub in a bad state
+
+If the device account gets into an unstable state or the Admin account is running into issues, you can use cloud recovery in **Settings**. You should only use cloud recovery when [reset](#reset-a-surface-hub-from-settings) doesn't fix the problem.
+
+1. On your Surface Hub, go to **Settings** > **Update & security** > **Recovery**.
+
+2. Under **Recover from the cloud**, click **Restart now**.
+
+ ![recover from the cloud](images/recover-from-the-cloud.png)
+
+### Recover a locked Surface Hub
+
+On rare occasions, a Surface Hub may encounter an error while cleaning up user and app data at the end of a session.
When this happens, the device will automatically reboot and try again. But if this operation fails repeatedly, the device will be automatically locked to protect user data. To unlock it, you must reset or recover the device from [Windows RE](https://technet.microsoft.com/library/cc765966.aspx).
 1. From the welcome screen, toggle the Surface Hub's power switch 3 times. Wait a few seconds between each toggle. See the [Surface Hub Site Readiness Guide](https://www.microsoft.com/surface/support/surface-hub/surface-hub-site-readiness-guide) for help with locating the power switch.
-2. The device should automatically boot into Windows RE. Select **Advanced Repair**.
-3. Select **Reset**.
-4. If prompted, enter your device's BitLocker key.
+2. The device should automatically boot into Windows RE.
+3. After the Surface Hub enters Windows RE, select **Recover from the cloud**. (Optionally, you can choose **Reset**, however **Recover from the cloud** is the recommended approach.)
+ >[!NOTE]
+ >When using **Recover from the cloud**, an ethernet connection is recommended.
+
+ ![Recover from the cloud](images/recover-from-cloud.png)
+
+4. Enter the Bitlocker key (if prompted).
+5. When prompted, select **Reinstall**.
+ ![Reinstall](images/reinstall.png)
+
+6. Select **Yes** to repartition the disk.
+
+ ![Repartition](images/repartition.png)
+
+Reset will begin after the image is downloaded from the cloud. You will see progress indicators.
+
+![downloading 97&](images/recover-progress.png)
 ## Related topics
diff --git a/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md b/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md
index 73557c1f2c..e6d812ea78 100644
--- a/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md
+++ b/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md
@@ -33,7 +33,7 @@ Surface Hub doesn't have a lock screen or a screen saver, but it has a similar f
 Surface Hub is designed to be used in communal spaces, such as meeting rooms. Unlike Windows PCs, anyone can walk up and use a Surface Hub without logging on. The system always runs as a local, auto logged-in, low-privilege user. It doesn't support logging in any additional users - including admin users.
 > [!NOTE]
-> Surface Hub supports signing in to Microsoft Edge and other apps. However, these credentials are deleted when users press **I'm done**.
+> Surface Hub supports signing in to Microsoft Edge and other apps. However, these credentials are deleted when users press **End session**.
 *Organization policies that this may affect:*
Generally, Surface Hub uses lockdown features rather than user access control to enforce security. Policies related to password requirements, interactive logon, user accounts, and access control don't apply for Surface Hub.
@@ -46,7 +46,7 @@ Users have access to a limited set of directories on the Surface Hub:
 - Pictures
 - Downloads
-Files saved locally in these directories are deleted when users press **I'm done**. To save content created during a meeting, users should save files to a USB drive or to OneDrive.
+Files saved locally in these directories are deleted when users press **End session**. To save content created during a meeting, users should save files to a USB drive or to OneDrive.
 *Organization policies that this may affect:*
Policies related to access permissions and ownership of files and folders don't apply for Surface Hub. Users can't browse and save files to system directories and network folders.
diff --git a/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md b/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md
index 3e9df023a1..527eaf6198 100644
--- a/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md
+++ b/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub
-author: TrudyHa
+author: jdeckerMS
 localizationpriority: medium
 ---
diff --git a/devices/surface-hub/finishing-your-surface-hub-meeting.md b/devices/surface-hub/finishing-your-surface-hub-meeting.md
new file mode 100644
index 0000000000..8733038060
--- /dev/null
+++ b/devices/surface-hub/finishing-your-surface-hub-meeting.md
@@ -0,0 +1,92 @@
+---
+title: End session - ending a Surface Hub meeting
+description: To end a Surface Hub meeting, tap End session. Surface Hub cleans up the application state, operating system state, and the user interface so that Surface Hub is ready for the next meeting.
+keywords: I am Done, end Surface Hub meeting, finish Surface Hub meeting, clean up Surface Hub meeting
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: surfacehub
+author: jdeckerMS
+localizationpriority: medium
+---
+
+# End a Surface Hub meeting with End session
+Surface Hub is a collaboration device designed to be used in meeting spaces by different groups of people. At the end of a meeting, users can tap **End session** to clean up any sensitive data and prepare the device for the next meeting. Surface Hub will clean up, or reset, the following states:
+- Applications
+- Operating system
+- User interface
+
+This topic explains what **End session** resets for each of these states.
+
+## Applications
+When you start apps on Surface Hub, they are stored in memory and data is stored at the application level. Data is available to all users during that session (or meeting) until date is removed or overwritten. When **End session** is selected, Surface Hub application state is cleared out by closing applications, deleting browser history, resetting applications, and removing Skype logs.
+
+### Close applications
+Surface Hub closes all visible windows, including Win32 and Universal Windows Platform (UWP) applications. The application close stage uses the multitasking view to query the visible windows. Win32 windows that do not close within a certain timeframe are closed using **TerminateProcess**.
+
+### Delete browser history
+Surface Hub uses Delete Browser History (DBH) in Edge to clear Edge history and cached data.
This is similar to how a user can clear out their browser history manually, but **End session** also ensures that application states are cleared and data is removed before the next session, or meeting, starts.
+
+### Reset applications
+**End session** resets the state of each application that is installed on the Surface Hub. Resetting an application clears all background tasks, application data, notifications, and user consent dialogs. Applications are returned to their first-run state for the next people that use Surface Hub.
+
+### Remove Skype logs
+Skype does not store personally-identifiable information on Surface Hub. Information is stored in the Skype service to meet existing Skype for Business guidance. Local Skype logging information is the only data removed when **End session** is selected. This includes Unified Communications Client Platform (UCCP) logs and media logs.
+
+## Operating System
+The operating system hosts a variety of information about the state of the sessions that needs to be cleared after each Surface Hub meeting.
+
+### File System
+Meeting attendees have access to a limited set of directories on the Surface Hub. When **End session** is selected, Surface Hub clears these directories:
+- Music
+- Videos
+- Documents
+- Pictures
+- Downloads
+
+Surface Hub also clears these directories, since many applications often write to them:
+- Desktop
+- Favorites
+- Recent
+- Public Documents
+- Public Music
+- Public Videos
+- Public Downloads
+
+### Credentials
+User credentials that are stored in **TokenBroker**, **PasswordVault**, or **Credential Manager** are cleared when you tap **End session**.
+
+## User interface
+User interface (UI) settings are returned to their default values when **End session** is selected.
+
+### UI items
+- Reset Quick Actions to default state
+- Clear Toast notifications
+- Reset volume levels
+- Reset sidebar width
+- Reset tablet mode layout
+- Sign user out of Office 365 meetings and files
+
+### Accessibility
+Accessibility features and apps are returned to default settings when **End session** is selected.
+- Filter keys
+- High contrast
+- Sticky keys
+- Toggle keys
+- Mouse keys
+- Magnifier
+- Narrator
+
+### Clipboard
+The clipboard is cleared to remove data that was copied to the clipboard during the session.
+
+## Frequently asked questions
+**What happens if I forget to tap End session at the end of a meeting, and someone else uses the Surface Hub later?**
+Surface Hub only cleans up meeting content when users tap **End session**. If you leave the meeting without tapping **End session**, the device will return to the welcome screen after some time. From the welcome screen, users have the option to resume the previous session or start a new one. You can also disable the ability to resume a session if **End session** is not pressed.
+
+**Are documents recoverable?**
+Removing files from the hard drive when **End session** is selected is just like any other file deletion from a hard disk drive. Third-party software might be able to recover data from the hard disk drive, but file recovery is not a supported feature on Surface Hub. To prevent data loss, always save the data you need before leaving a meeting.
+
+**Do the clean-up actions from End session comply with the US Department of Defense clearing and sanitizing standard: DoD 5220.22-M?**
+No. Currently, the clean-up actions from **End session** do not comply with this standard.
+
diff --git a/devices/surface-hub/first-run-program-surface-hub.md b/devices/surface-hub/first-run-program-surface-hub.md
index 6ee36023cc..4e6ceac8b8 100644
--- a/devices/surface-hub/first-run-program-surface-hub.md
+++ b/devices/surface-hub/first-run-program-surface-hub.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub
-author: TrudyHa
+author: jdeckerMS
 localizationpriority: medium
 ---
@@ -43,9 +43,10 @@ Each of these sections also contains information about paths you might take when
 This is the first screen you'll see when you power up the Surface Hub for the first time. It's where you input localization information for your device.
->**Note**  This is also where you begin the optional process of deploying a provisioning package. See [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md) if that's what you're doing.
+>[!NOTE]
+>This is also where you begin the optional process of deploying a provisioning package. See [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md) if that's what you're doing.
- 
+
 Select a language and the initial setup options are displayed.
 ![Image showing ICD options checklist.](images/setuplocale.png)
@@ -326,6 +327,9 @@ This is what happens when you choose an option.
 - **Use Microsoft Azure Active Directory**
 Clicking this option allows you to join the device to Azure AD. Once you click **Next**, the device will restart to apply some settings, and then you’ll be taken to the [Use Microsoft Azure Active Directory](#use-microsoft-azure) page and asked to enter credentials that can allow you to join Azure AD. After joining, admins from the joined organization will be able to use the Settings app. The specific people that will be allowed depends on your Azure AD subscription and how you’ve configured the settings for your Azure AD organization.
+
+ >[!IMPORTANT]
+ >If you join Surface Hub to Azure AD during first-run setup, single sign-on (SSO) for Office apps will not work properly. Users will have to sign in to each Office app individually.
 - **Use Active Directory Domain Services**
@@ -382,7 +386,7 @@ Once the device has been domain joined, you must specify a security group from t
 The following input is required:
 - **Domain:** This is the fully qualified domain name (FQDN) of the domain that you want to join. A security group from this domain can be used to manage the device.
-- **User name:** The user name of an account that has sufficient permission to join the specified domain.
+- **User name:** The user name of an account that has sufficient permission to join the specified domain. This account must be a computer object.
 - **Password:** The password for the account.
 After the credentials are verified, you will be asked to type a security group name. This input is required.
diff --git a/devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md b/devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md
deleted file mode 100644
index ccf99db112..0000000000
--- a/devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md
+++ /dev/null
@@ -1,91 +0,0 @@
----
-title: I am done - ending a Surface Hub meeting
-description: To end a Surface Hub meeting, tap I am Done. Surface Hub cleans up the application state, operating system state, and the user interface so that Surface Hub is ready for the next meeting.
-keywords: I am Done, end Surface Hub meeting, finish Surface Hub meeting, clean up Surface Hub meeting
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: surfacehub
-author: TrudyHa
-localizationpriority: medium
----
-
-# End a Surface Hub meeting with I'm Done
-Surface Hub is a collaboration device designed to be used in meeting spaces by different groups of people. At the end of a meeting, users can tap **I'm Done** to clean up any sensitive data and prepare the device for the next meeting. Surface Hub will clean up, or reset, the following states:
-- Applications
-- Operating system
-- User interface
-
-This topic explains what **I'm Done** resets for each of these states.
-
-## Applications
-When you start apps on Surface Hub, they are stored in memory and data is stored at the application level. Data is available to all users during that session (or meeting) until date is removed or overwritten. When **I'm done** is selected, Surface Hub application state is cleared out by closing applications, deleting browser history, resetting applications, and removing Skype logs.
-
-### Close applications
-Surface Hub closes all visible windows, including Win32 and Universal Windows Platform (UWP) applications. The application close stage uses the multitasking view to query the visible windows. Win32 windows that do not close within a certain timeframe are closed using **TerminateProcess**.
-
-### Delete browser history
-Surface Hub uses Delete Browser History (DBH) in Edge to clear Edge history and cached data.
This is similar to how a user can clear out their browser history manually, but **I'm Done** also ensures that application states are cleared and data is removed before the next session, or meeting, starts.
-
-### Reset applications
-**I'm Done** resets the state of each application that is installed on the Surface Hub. Resetting an application clears all background tasks, application data, notifications, and user consent dialogs. Applications are returned to their first-run state for the next people that use Surface Hub.
-
-### Remove Skype logs
-Skype does not store personally-identifiable information on Surface Hub. Information is stored in the Skype service to meet existing Skype for Business guidance. Local Skype logging information is the only data removed when **I'm Done** is selected. This includes Unified Communications Client Platform (UCCP) logs and media logs.
-
-## Operating System
-The operating system hosts a variety of information about the state of the sessions that needs to be cleared after each Surface Hub meeting.
-
-### File System
-Meeting attendees have access to a limited set of directories on the Surface Hub. When **I'm Done** is selected, Surface Hub clears these directories:
-- Music
-- Videos
-- Documents
-- Pictures
-- Downloads
-
-Surface Hub also clears these directories, since many applications often write to them:
-- Desktop
-- Favorites
-- Recent
-- Public Documents
-- Public Music
-- Public Videos
-- Public Downloads
-
-### Credentials
-User credentials that are stored in **TokenBroker**, **PasswordVault**, or **Credential Manager** are cleared when you tap **I’m done**.
-
-## User interface
-User interface (UI) settings are returned to their default values when **I'm Done** is selected.
-
-### UI items
-- Reset Quick Actions to default state
-- Clear Toast notifications
-- Reset volume levels
-- Reset sidebar width
-- Reset tablet mode layout
-
-### Accessibility
-Accessibility features and apps are returned to default settings when **I'm Done** is selected.
-- Filter keys
-- High contrast
-- Sticky keys
-- Toggle keys
-- Mouse keys
-- Magnifier
-- Narrator
-
-### Clipboard
-The clipboard is cleared to remove data that was copied to the clipboard during the session.
-
-## Frequently asked questions
-**What happens if I forget to tap I'm Done at the end of a meeting, and someone else uses the Surface Hub later?**
-Surface Hub only cleans up meeting content when users tap **I'm Done**. If you leave the meeting without tapping **I'm Done**, the device will return to the welcome screen after some time. From the welcome screen, users have the option to resume the previous session or start a new one.
-
-**Are documents recoverable?**
-Removing files from the hard drive when **I'm Done** is selected is just like any other file deletion from a hard disk drive. Third-party software might be able to recover data from the hard disk drive, but file recovery is not a supported feature on Surface Hub. To prevent data loss, always save the data you need before leaving a meeting.
-
-**Do the clean-up actions from I'm Done comply with the US Department of Defense clearing and sanitizing standard: DoD 5220.22-M?**
-No. Currently, the clean-up actions from **I'm Done** do not comply with this standard.
-
diff --git a/devices/surface-hub/images/OOBE-2.jpg b/devices/surface-hub/images/OOBE-2.jpg
new file mode 100644
index 0000000000..0c615a2ec4
Binary files /dev/null and b/devices/surface-hub/images/OOBE-2.jpg differ
diff --git a/devices/surface-hub/images/account-management-details.PNG b/devices/surface-hub/images/account-management-details.PNG
new file mode 100644
index 0000000000..66712394ec
Binary files /dev/null and b/devices/surface-hub/images/account-management-details.PNG differ
diff --git a/devices/surface-hub/images/account-management.PNG b/devices/surface-hub/images/account-management.PNG
new file mode 100644
index 0000000000..34165dfcd6
Binary files /dev/null and b/devices/surface-hub/images/account-management.PNG differ
diff --git a/devices/surface-hub/images/add-applications-details.PNG b/devices/surface-hub/images/add-applications-details.PNG
new file mode 100644
index 0000000000..2efd3483ae
Binary files /dev/null and b/devices/surface-hub/images/add-applications-details.PNG differ
diff --git a/devices/surface-hub/images/add-applications.PNG b/devices/surface-hub/images/add-applications.PNG
new file mode 100644
index 0000000000..2316deb2fd
Binary files /dev/null and b/devices/surface-hub/images/add-applications.PNG differ
diff --git a/devices/surface-hub/images/add-certificates-details.PNG b/devices/surface-hub/images/add-certificates-details.PNG
new file mode 100644
index 0000000000..78cd783282
Binary files /dev/null and b/devices/surface-hub/images/add-certificates-details.PNG differ
diff --git a/devices/surface-hub/images/add-certificates.PNG b/devices/surface-hub/images/add-certificates.PNG
new file mode 100644
index 0000000000..24cb605d1c
Binary files /dev/null and b/devices/surface-hub/images/add-certificates.PNG differ
diff --git a/devices/surface-hub/images/add-config-file-details.PNG b/devices/surface-hub/images/add-config-file-details.PNG
new file mode 100644
index 0000000000..c7b4db97e6
Binary files /dev/null and b/devices/surface-hub/images/add-config-file-details.PNG differ
diff --git a/devices/surface-hub/images/add-config-file.PNG b/devices/surface-hub/images/add-config-file.PNG
new file mode 100644
index 0000000000..5b779509d9
Binary files /dev/null and b/devices/surface-hub/images/add-config-file.PNG differ
diff --git a/devices/surface-hub/images/apps.png b/devices/surface-hub/images/apps.png
new file mode 100644
index 0000000000..5cb3b7ec8f
Binary files /dev/null and b/devices/surface-hub/images/apps.png differ
diff --git a/devices/surface-hub/images/developer-setup.PNG b/devices/surface-hub/images/developer-setup.PNG
new file mode 100644
index 0000000000..8c93d5ed91
Binary files /dev/null and b/devices/surface-hub/images/developer-setup.PNG differ
diff --git a/devices/surface-hub/images/enroll-mdm-details.PNG b/devices/surface-hub/images/enroll-mdm-details.PNG
new file mode 100644
index 0000000000..f3a7fea8da
Binary files /dev/null and b/devices/surface-hub/images/enroll-mdm-details.PNG differ
diff --git a/devices/surface-hub/images/enroll-mdm.PNG b/devices/surface-hub/images/enroll-mdm.PNG
new file mode 100644
index 0000000000..b7cfdbc767
Binary files /dev/null and b/devices/surface-hub/images/enroll-mdm.PNG differ
diff --git a/devices/surface-hub/images/finish-details.png b/devices/surface-hub/images/finish-details.png
new file mode 100644
index 0000000000..727efac696
Binary files /dev/null and b/devices/surface-hub/images/finish-details.png differ
diff --git a/devices/surface-hub/images/finish.PNG b/devices/surface-hub/images/finish.PNG
new file mode 100644
index 0000000000..7c65da1799
Binary files /dev/null and b/devices/surface-hub/images/finish.PNG differ
diff --git a/devices/surface-hub/images/five.png b/devices/surface-hub/images/five.png
new file mode 100644
index 0000000000..961f0e15b7
Binary files /dev/null and b/devices/surface-hub/images/five.png differ
diff --git a/devices/surface-hub/images/four.png b/devices/surface-hub/images/four.png
new file mode 100644
index 0000000000..0fef213b37
Binary files /dev/null and b/devices/surface-hub/images/four.png differ
diff --git a/devices/surface-hub/images/icd-simple-edit.png b/devices/surface-hub/images/icd-simple-edit.png
new file mode 100644
index 0000000000..aea2e24c8a
Binary files /dev/null and b/devices/surface-hub/images/icd-simple-edit.png differ
diff --git a/devices/surface-hub/images/one.png b/devices/surface-hub/images/one.png
new file mode 100644
index 0000000000..42b4742c49
Binary files /dev/null and b/devices/surface-hub/images/one.png differ
diff --git a/devices/surface-hub/images/ppkg-config.png b/devices/surface-hub/images/ppkg-config.png
new file mode 100644
index 0000000000..10a2b7de58
Binary files /dev/null and b/devices/surface-hub/images/ppkg-config.png differ
diff --git a/devices/surface-hub/images/ppkg-csv.png b/devices/surface-hub/images/ppkg-csv.png
new file mode 100644
index 0000000000..0648f555e1
Binary files /dev/null and b/devices/surface-hub/images/ppkg-csv.png differ
diff --git a/devices/surface-hub/images/proxy-details.PNG b/devices/surface-hub/images/proxy-details.PNG
new file mode 100644
index 0000000000..fcc7b06a41
Binary files /dev/null and b/devices/surface-hub/images/proxy-details.PNG differ
diff --git a/devices/surface-hub/images/proxy.PNG b/devices/surface-hub/images/proxy.PNG
new file mode 100644
index 0000000000..cdfc02c454
Binary files /dev/null and b/devices/surface-hub/images/proxy.PNG differ
diff --git a/devices/surface-hub/images/recover-from-cloud.png b/devices/surface-hub/images/recover-from-cloud.png
new file mode 100644
index 0000000000..7d409edc5f
Binary files /dev/null and b/devices/surface-hub/images/recover-from-cloud.png differ
diff --git a/devices/surface-hub/images/recover-from-the-cloud.png b/devices/surface-hub/images/recover-from-the-cloud.png
new file mode 100644
index 0000000000..07c1e22851
Binary files /dev/null and b/devices/surface-hub/images/recover-from-the-cloud.png differ
diff --git a/devices/surface-hub/images/recover-progress.png b/devices/surface-hub/images/recover-progress.png
new file mode 100644
index 0000000000..316d830a57
Binary files /dev/null and b/devices/surface-hub/images/recover-progress.png differ
diff --git a/devices/surface-hub/images/reinstall.png b/devices/surface-hub/images/reinstall.png
new file mode 100644
index 0000000000..2f307841aa
Binary files /dev/null and b/devices/surface-hub/images/reinstall.png differ
diff --git a/devices/surface-hub/images/repartition.png b/devices/surface-hub/images/repartition.png
new file mode 100644
index 0000000000..26725a8c54
Binary files /dev/null and b/devices/surface-hub/images/repartition.png differ
diff --git a/devices/surface-hub/images/set-up-device-admins-details.PNG b/devices/surface-hub/images/set-up-device-admins-details.PNG
new file mode 100644
index 0000000000..42c04b4b3b
Binary files /dev/null and b/devices/surface-hub/images/set-up-device-admins-details.PNG differ
diff --git a/devices/surface-hub/images/set-up-device-admins.PNG b/devices/surface-hub/images/set-up-device-admins.PNG
new file mode 100644
index 0000000000..e0e037903c
Binary files /dev/null and b/devices/surface-hub/images/set-up-device-admins.PNG differ
diff --git a/devices/surface-hub/images/set-up-device-details.PNG b/devices/surface-hub/images/set-up-device-details.PNG
new file mode 100644
index 0000000000..be565ac8d9
Binary files /dev/null and b/devices/surface-hub/images/set-up-device-details.PNG differ
diff --git a/devices/surface-hub/images/set-up-device.PNG b/devices/surface-hub/images/set-up-device.PNG
new file mode 100644
index 0000000000..0c9eb0e3ff
Binary files /dev/null and b/devices/surface-hub/images/set-up-device.PNG differ
diff --git a/devices/surface-hub/images/set-up-network-details.PNG b/devices/surface-hub/images/set-up-network-details.PNG
new file mode 100644
index 0000000000..7e1391326c
Binary files /dev/null and b/devices/surface-hub/images/set-up-network-details.PNG differ
diff --git a/devices/surface-hub/images/set-up-network.PNG b/devices/surface-hub/images/set-up-network.PNG
new file mode 100644
index 0000000000..a0e856c103
Binary files /dev/null and b/devices/surface-hub/images/set-up-network.PNG differ
diff --git a/devices/surface-hub/images/sh-55-rpc-ports.png b/devices/surface-hub/images/sh-55-rpc-ports.png
index dfea48ef96..7df98f2277 100644
Binary files a/devices/surface-hub/images/sh-55-rpc-ports.png and b/devices/surface-hub/images/sh-55-rpc-ports.png differ
diff --git a/devices/surface-hub/images/sh-quick-action.png b/devices/surface-hub/images/sh-quick-action.png
index cb072a9793..3003e464b3 100644
Binary files a/devices/surface-hub/images/sh-quick-action.png and b/devices/surface-hub/images/sh-quick-action.png differ
diff --git a/devices/surface-hub/images/sh-settings-reset-device.png b/devices/surface-hub/images/sh-settings-reset-device.png
index b3e35bb385..f3a9a6dc5c 100644
Binary files a/devices/surface-hub/images/sh-settings-reset-device.png and b/devices/surface-hub/images/sh-settings-reset-device.png differ
diff --git a/devices/surface-hub/images/sh-settings-update-security.png b/devices/surface-hub/images/sh-settings-update-security.png
index a10d4ffb51..59212d1805 100644
Binary files a/devices/surface-hub/images/sh-settings-update-security.png and b/devices/surface-hub/images/sh-settings-update-security.png differ
diff --git a/devices/surface-hub/images/sh-settings.png b/devices/surface-hub/images/sh-settings.png
index 03125b3419..0134fda740 100644
Binary files a/devices/surface-hub/images/sh-settings.png and b/devices/surface-hub/images/sh-settings.png differ
diff --git a/devices/surface-hub/images/six.png b/devices/surface-hub/images/six.png
new file mode 100644
index 0000000000..2816328ec3
Binary files /dev/null and b/devices/surface-hub/images/six.png differ
diff --git a/devices/surface-hub/images/surfacehub.png b/devices/surface-hub/images/surfacehub.png
new file mode 100644
index 0000000000..1b9b484ab8
Binary files /dev/null and b/devices/surface-hub/images/surfacehub.png differ
diff --git a/devices/surface-hub/images/three.png b/devices/surface-hub/images/three.png
new file mode 100644
index 0000000000..887fa270d7
Binary files /dev/null and b/devices/surface-hub/images/three.png differ
diff --git a/devices/surface-hub/images/two.png b/devices/surface-hub/images/two.png
new file mode 100644
index 0000000000..b8c2d52eaf
Binary files /dev/null and b/devices/surface-hub/images/two.png differ
diff --git a/devices/surface-hub/index.md b/devices/surface-hub/index.md
index 22e94d2746..dabf0f1f6e 100644
--- a/devices/surface-hub/index.md
+++ b/devices/surface-hub/index.md
@@ -12,19 +12,36 @@ localizationpriority: medium
 # Microsoft Surface Hub
+>[Looking for the user's guide for Surface Hub?](http://download.microsoft.com/download/3/6/B/36B6331E-0C63-4E71-A05D-EE88D05081F8/surface-hub-user-guide-en-us.pdf)
+
+Microsoft Surface Hub is an all-in-one productivity device that is intended for brainstorming, collaboration, and presentations. In order to get the maximum benefit from Surface Hub, your organization’s infrastructure and the Surface Hub itself must be properly set up and integrated. The documentation in this library describes what needs to be done both before and during setup in order to help you optimize your use of the device.![image of a Surface Hub](images/surfacehub.png)
+  + +## Surface Hub setup process + +In some ways, adding your new Surface Hub is just like adding any other Microsoft Windows-based device to your network. However, in order to get your Surface Hub up and running at its full capacity, there are some very specific requirements. Here are the next topics you'll need: + +1. [Prepare your environment for Surface Hub](prepare-your-environment-for-surface-hub.md) +2. [Gather the information listed in the Setup worksheet](setup-worksheet-surface-hub.md) +2. [Physically install your Surface Hub device](physically-install-your-surface-hub-device.md) +3. [Run the Surface Hub first-run setup program (OOBE)](first-run-program-surface-hub.md) -Documents related to deploying and managing the Microsoft Surface Hub in your organization. ->[Looking for the user's guide for Surface Hub?](https://www.microsoft.com/surface/support/surface-hub) ## In this section | Topic | Description | | --- | --- | -| [Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md) | This guide covers the installation and administration of devices running Surface Hub, and is intended for use by anyone responsible for these tasks, including IT administrators and developers.| +| [What's new in Windows 10, version 1703 for Surface Hub?](surfacehub-whats-new-1703.md) | Discover the changes and improvements for Microsoft Surface Hub in the Windows 10, version 1703 release (also known as Creators Update). | | [Differences between Surface Hub and Windows 10 Enterprise](differences-between-surface-hub-and-windows-10-enterprise.md) | This topic explains the differences between the operating system on Surface Hub and Windows 10 Enterprise. | -| [How Surface Hub addresses Wi-Fi Direct security issues](surface-hub-wifi-direct.md) | This topic provides guidance on Wi-Fi Direct security risks, how the Surface Hub has addressed those risks, and how Surface Hub administrators can configure the device for the highest level of security. 
| +| [Prepare your environment for Microsoft Surface Hub](prepare-your-environment-for-surface-hub.md) | This section contains an overview of the steps required to prepare your environment so that you can use all of the features of Surface Hub. See [Intro to Surface Hub](intro-to-surface-hub.md) for a description of how the device and its features interact with your IT environment. | +| [Set up Microsoft Surface Hub](set-up-your-surface-hub.md) | Set up instructions for Surface Hub include a setup worksheet, and a walkthrough of the first-run program. | +| [Manage Microsoft Surface Hub](manage-surface-hub.md) | How to manage your Surface Hub after finishing the first-run program. | +| [PowerShell for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md) | +| [How Surface Hub addresses Wi-Fi Direct security issues](surface-hub-wifi-direct.md) | This topic provides guidance on Wi-Fi Direct security risks, how the Surface Hub has addressed those risks, and how Surface Hub administrators can configure the device for the highest level of security. | PowerShell scripts to help set up and manage your Surface Hub. | +| [Troubleshoot Microsoft Surface Hub](troubleshoot-surface-hub.md) | Troubleshoot common problems, including setup issues, Exchange ActiveSync errors. | | [Useful downloads for Surface Hub administrators](surface-hub-downloads.md) | This topic provides links to useful Surface Hub documents, such as product datasheets, the site readiness guide, and user's guide. | -| [Change history for Surface Hub](change-history-surface-hub.md) | This topic lists new and updated topics in the Surface Hub documentation. | +| [Change history for Surface Hub](change-history-surface-hub.md) | This topic lists new and updated topics in the Surface Hub documentation library. | + diff --git a/devices/surface-hub/install-apps-on-surface-hub.md b/devices/surface-hub/install-apps-on-surface-hub.md index d26712627a..dea976e29f 100644 
--- a/devices/surface-hub/install-apps-on-surface-hub.md
+++ b/devices/surface-hub/install-apps-on-surface-hub.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: surfacehub, store
-author: TrudyHa
+author: jdeckerMS
 localizationpriority: medium
 ---
 
diff --git a/devices/surface-hub/intro-to-surface-hub.md b/devices/surface-hub/intro-to-surface-hub.md
deleted file mode 100644
index eb48a1fb78..0000000000
--- a/devices/surface-hub/intro-to-surface-hub.md
+++ /dev/null
@@ -1,28 +0,0 @@
----
-title: Intro to Microsoft Surface Hub
-description: Microsoft Surface Hub is an all-in-one productivity device that is intended for brainstorming, collaboration, and presentations.
-ms.assetid: 5DAD4489-81CF-47ED-9567-A798B90C7E76
-keywords: Surface Hub, productivity, collaboration, presentations, setup
-ms.prod: w10
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: surfacehub
-author: TrudyHa
-localizationpriority: medium
----
-
-# Intro to Microsoft Surface Hub
-
-
-Microsoft Surface Hub is an all-in-one productivity device that is intended for brainstorming, collaboration, and presentations. In order to get the maximum benefit from Surface Hub, your organization’s infrastructure and the Surface Hub itself must be properly set up and integrated. This guide describes what needs to be done both before and during setup in order to help you optimize your use of the device.
- 
-You’ll need to understand how each of these services interacts with Surface Hub. See [Prepare your environment for Surface Hub](prepare-your-environment-for-surface-hub.md) for details.
-
-## Surface Hub setup process
-
-In some ways, adding your new Surface Hub is just like adding any other Microsoft Windows-based device to your network. However, in order to get your Surface Hub up and running at its full capacity, there are some very specific requirements. Here are the next topics you'll need:
-
-1. [Prepare your environment for Surface Hub](prepare-your-environment-for-surface-hub.md)
-2. [Physically install your Surface Hub device](physically-install-your-surface-hub-device.md)
-3. [Run the Surface Hub first-run setup program (OOBE)](first-run-program-surface-hub.md)
-
diff --git a/devices/surface-hub/local-management-surface-hub-settings.md b/devices/surface-hub/local-management-surface-hub-settings.md
index dea2a514bd..7d17d33c38 100644
--- a/devices/surface-hub/local-management-surface-hub-settings.md
+++ b/devices/surface-hub/local-management-surface-hub-settings.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub
-author: TrudyHa
+author: jdeckerMS
 localizationpriority: medium
 ---
 
@@ -16,29 +16,38 @@ After initial setup of Microsoft Surface Hub, the device’s settings can be loc ## Surface Hub settings -Surface Hubs have many settings that are common to other Windows devices, but also have settings which are only configurable on Surface Hubs. This table lists settings only cofigurable on Surface Hubs. +Surface Hubs have many settings that are common to other Windows devices, but also have settings which are only configurable on Surface Hubs. This table lists settings only configurable on Surface Hubs. | Setting | Location | Description | | ------- | -------- | ----------- | -| Device account | This device > Accounts | Set or change the Surface Hub's device account. | -| Device account sync status | This device > Accounts | Check the sync status of the device account’s mail and calendar on the Surface Hub. | -| Password rotation | This device > Accounts | Choose whether to let the Surface Hub automatically rotate the device account's password. | -| Change admin account password | This device > Accounts | Change the password for the local admin account. This is only available if you configured the device to use a local admin during first run. | -| Configure Operations Management Suite (OMS) | This device > Device management | Set up monitoring for your Surface Hub using OMS. | -| Open the Windows Store app | This device > Apps & features | The Windows Store app is only available to admins through the Settings app. | -| Skype for Business domain name | This device > Calling | Configure a domain name for your Skype for Business server. | -| Default microphone and speaker settings | This device > Calling | Configure a default microphone and speaker for calls, and a default speaker for media playback. | -| Turn off wireless projection using Miracast | This device > Wireless projection | Choose whether presenters can wirelessly project to the Surface Hub using Miracast. 
| -| Require a PIN for wireless projection | This device > Wireless projection | Choose whether people are required to enter a PIN before they use wireless projection. | -| Wireless projection (Miracast) channel | This device > Wireless projection | Set the channel for Miracast projection. | -| Meeting info shown on the welcome screen | This device > Welcome screen | Choose whether meeting organizer, time, and subject show up on the welcome screen. | -| Welcome screen background | This device > Welcome screen | Choose a background image for the welcome screen. | -| Turn on screen with motion sensors | This device > Session & clean up | Choose whether the screen turns on when motion is detected. | -| Session time out | This device > Session & clean up | Choose how long the device needs to be inactive before returning to the welcome screen. | -| Sleep time out | This device > Session & clean up | Choose how long the device needs to be inactive before going to sleep mode. | -| Friendly name | This device > About | Set the Surface Hub name that people will see when connecting wirelessly. | +| Device account | Surface Hub > Accounts | Set or change the Surface Hub's device account. | +| Device account sync status | Surface Hub > Accounts | Check the sync status of the device account’s mail and calendar on the Surface Hub. | +| Password rotation | Surface Hub > Accounts | Choose whether to let the Surface Hub automatically rotate the device account's password. | +| Change admin account password | Surface Hub > Accounts | Change the password for the local admin account. This is only available if you configured the device to use a local admin during first run. | +| Device Management | Surface Hub > Device management | Manage policies and business applications using mobile device management (MDM). | +| Provisioning packages | Surface Hub > Device management | Set or change provisioning packages installed on the Surface Hub. 
| +| Configure Operations Management Suite (OMS) | Surface Hub > Device management | Set up monitoring for your Surface Hub using OMS. | +| Open the Windows Store app | Surface Hub > Apps & features | The Windows Store app is only available to admins through the Settings app. | +| Skype for Business domain name | Surface Hub > Calling & Audio | Configure a domain name for your Skype for Business server. | +| Default Speaker volume | Surface Hub > Calling & Audio | Configure the default speaker volume for the Surface Hub when it starts a session. | +| Default microphone and speaker settings | Surface Hub > Calling & Audio | Configure a default microphone and speaker for calls, and a default speaker for media playback. | +| Enable Dolby Audio X2 | Surface Hub > Calling & Audio | Configure the Dolby Audio X2 speaker enhancements. | +| Open Connect App automatically | Surface Hub > Projection | Choose whether projection will automatically open the Connect app or wait for user input before opening. | +| Turn off wireless projection using Miracast | Surface Hub > Projection | Choose whether presenters can wirelessly project to the Surface Hub using Miracast. | +| Require a PIN for wireless projection | Surface Hub > Projection | Choose whether people are required to enter a PIN before they use wireless projection. | +| Wireless projection (Miracast) channel | Surface Hub > Projection | Set the channel for Miracast projection. | +| Meeting info shown on the welcome screen | Surface Hub > Welcome screen | Choose whether meeting organizer, time, and subject show up on the welcome screen. | +| Welcome screen background | Surface Hub > Welcome screen | Choose a background image for the welcome screen. | +| Idle timeout to Welcome screen | Surface Hub > Session & Power | Choose how long until the Surface Hub returns to the welcome screen after no motion is detected. 
| +| Resume session | Surface Hub > Session & Power | Choose to allow users to resume a session after no motion is detected or to automatically clean up a session. | +| Access to Office 365 meetings and files | Surface Hub > Session & Power | Choose whether a user can sign in to Office 365 to get access to their meetings and files. | +| Turn on screen with motion sensors | Surface Hub > Session & clean up | Choose whether the screen turns on when motion is detected. | +| Session time out | Surface Hub > Session & clean up | Choose how long the device needs to be inactive before returning to the welcome screen. | +| Sleep time out | Surface Hub > Session & clean up | Choose how long the device needs to be inactive before going to sleep mode. | +| Friendly name | Surface Hub > About | Set the Surface Hub name that people will see when connecting wirelessly. | | Maintenance hours | Update & security > Windows Update > Advanced options | Configure when updates can be installed. | | Configure Windows Server Update Services (WSUS) server | Update & security > Windows Update > Advanced options | Change whether Surface Hub receives updates from a WSUS server instead of Windows Update. | +| Recover from the cloud | Update & security > Recovery | Reinstall the operating system on Surface Hub to a manufacturer build from the cloud. | | Save BitLocker key | Update & security > Recovery | Backup your Surface Hub's BitLocker key to a USB drive. | | Collect logs | Update & security > Recovery | Save logs to a USB drive to send to Microsoft later. | diff --git a/devices/surface-hub/manage-settings-with-local-admin-account-surface-hub.md b/devices/surface-hub/manage-settings-with-local-admin-account-surface-hub.md deleted file mode 100644 index db9230f9ad..0000000000 --- a/devices/surface-hub/manage-settings-with-local-admin-account-surface-hub.md +++ /dev/null 
@@ -1,13 +0,0 @@
----
-title: Manage settings with a local admin account (Surface Hub)
-description: A local admin account will be set up on every Microsoft Surface Hub as part of the first run program. The only way to change the local admin options that you chose at that time is to reset the device.
-ms.assetid: B4B3668B-985D-427E-8495-E30ABEECA679
-redirect_url: https://technet.microsoft.com/itpro/surface-hub/admin-group-management-for-surface-hub
-keywords: local admin account, Surface Hub, change local admin options
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: surfacehub
-author: TrudyHa
-localizationpriority: medium
----
diff --git a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md
index 8cadcb7309..c1913c01cc 100644
--- a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md
+++ b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md
@@ -69,9 +69,19 @@ For more information, see [SurfaceHub configuration service provider](https://ms
 | Connect to your Operations Management Suite workspace | MOMAgent/WorkspaceID
MOMAgent/WorkspaceKey | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes | | Welcome screen background image | InBoxApps/Welcome/CurrentBackgroundPath | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes | | Meeting information displayed on the welcome screen | InBoxApps/Welcome/MeetingInfoOption | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Friendly name for wireless projection | Properties/FriendlyName | Yes.
[Use a custom policy.](#example-intune)) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Friendly name for wireless projection | Properties/FriendlyName | Yes
[Use a custom policy.](#example-intune)) | Yes.
[Use a custom setting.](#example-sccm) | Yes | | Device account, including password rotation | DeviceAccount/*``*
See [SurfaceHub CSP](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx). | No | No | Yes | -\*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package. +| Specify Skype domain | InBoxApps/SkypeForBusiness/DomainName | Yes
[Use a custom policy.](#example-intune)) | Yes
[Use a custom setting.] Yes | +| Auto launch Connect App when projection is initiated | InBoxApps/Connect/AutoLaunch | Yes
[Use a custom policy.](#example-intune)) | Yes
[Use a custom setting.] Yes | +| Set default volume | Properties/DefaultVolume | Yes
[Use a custom policy.](#example-intune)) | Yes
[Use a custom setting.] Yes | +| Set screen timeout | Properties/ScreenTimeout | Yes
[Use a custom policy.](#example-intune)) | Yes
[Use a custom setting.] Yes | +| Set session timeout | Properties/SessionTimeout | Yes
[Use a custom policy.](#example-intune)) | Yes
[Use a custom setting.] Yes | +| Set sleep timeout | Properties/SleepTimeout | Yes
[Use a custom policy.](#example-intune)) | Yes
[Use a custom setting.] Yes | +| Allow session to resume after screen is idle | Properties/AllowSessionResume | Yes
[Use a custom policy.](#example-intune)) | Yes
[Use a custom setting.] Yes | +| Allow device account to be used for proxy authentication | Properties/AllowAutoProxyAuth | Yes
[Use a custom policy.](#example-intune)) | Yes
[Use a custom setting.] Yes | +| Disable auto-populating the sign-in dialog with invitees from scheduled meetings | Properties/DisableSignInSuggestions | Yes
[Use a custom policy.](#example-intune)) | Yes
[Use a custom setting.] Yes | +| Disable "My meetings and files" feature in Start menu | Properties/DoNotShowMyMeetingsAndFiles | Yes
[Use a custom policy.](#example-intune)) | Yes
[Use a custom setting.] Yes | +\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. ### Supported Windows 10 settings @@ -87,7 +97,7 @@ The following tables include info on Windows 10 settings that have been validate | Allow camera | Keep this enabled for Skype for Business. | [Camera/AllowCamera](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Camera_AllowCamera) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | | Allow location | Keep this enabled to support apps such as Maps. | [System/AllowLocation](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowLocation) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | | Allow telemetry | Keep this enabled to help Microsoft improve Surface Hub. | [System/AllowTelemetry](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowTelemetry) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | -\*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package. +\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. #### Browser settings @@ -102,7 +112,7 @@ The following tables include info on Windows 10 settings that have been validate | Allow SmartScreen | Keep this enabled to turn on SmartScreen. | [Browser/AllowSmartScreen](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSmartScreen) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | | Prevent ignoring SmartScreen Filter warnings for websites | For extra security, use to stop users from ignoring SmartScreen Filter warnings and block them from accessing potentially malicious websites. | [Browser/PreventSmartScreenPromptOverride](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverride) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | | Prevent ignoring SmartScreen Filter warnings for files | For extra security, use to stop users from ignoring SmartScreen Filter warnings and block them from downloading unverified files from Microsoft Edge. | [Browser/PreventSmartScreenPromptOverrideForFiles](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverrideForFiles) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | -\*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package. +\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. #### Windows Update settings @@ -115,7 +125,7 @@ The following tables include info on Windows 10 settings that have been validate | Pause quality updates | See above. | [Update/PauseQualityUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseQualityUpdates) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes| | Configure device to use WSUS| Use to connect your Surface Hub to WSUS instead of Windows Update – see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/UpdateServiceUrl](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_UpdateServiceUrl) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | | Delivery optimization | Use peer-to-peer content sharing to reduce bandwidth issues during updates. See [Configure Delivery Optimization for Windows 10](https://technet.microsoft.com/itpro/windows/manage/waas-delivery-optimization) for details. | DeliveryOptimization/*``*
See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | -\*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package. +\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. #### Windows Defender settings @@ -123,7 +133,7 @@ The following tables include info on Windows 10 settings that have been validate | ----------- | ---------------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- | | Defender policies | Use to configure various Defender settings, including a scheduled scan time. | Defender/*``*
See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | | Defender status | Use to initiate a Defender scan, force a signature update, query any threats detected. | [Defender CSP](https://msdn.microsoft.com/library/windows/hardware/mt187856.aspx) | No. | No. | Yes | -\*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package. +\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. #### Remote reboot @@ -132,7 +142,7 @@ The following tables include info on Windows 10 settings that have been validate | Reboot the device immediately | Use in conjunction with OMS to minimize support costs – see [Monitor your Microsoft Surface Hub](monitor-surface-hub.md). | ./Vendor/MSFT/Reboot/RebootNow
See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | No | No | Yes | | Reboot the device at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/Single
See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | | Reboot the device daily at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/DailyRecurrent
See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | -\*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package. +\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. #### Install certificates @@ -142,7 +152,7 @@ The following tables include info on Windows 10 settings that have been validate -\*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package. +\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. #### Collect logs @@ -151,7 +161,7 @@ The following tables include info on Windows 10 settings that have been validate | Collect ETW logs | Use to remotely collect ETW logs from Surface Hub. | [DiagnosticLog CSP](https://msdn.microsoft.com/library/windows/hardware/mt219118.aspx) | No | No | Yes | -\*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package. +\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. ### Generate OMA URIs for settings You need to use a setting’s OMA URI to create a custom policy in Intune, or a custom setting in System Center Configuration Manager. @@ -252,7 +262,7 @@ For more information, see [Create configuration items for Windows 8.1 and Window [Manage Microsoft Surface Hub](manage-surface-hub.md) -[Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md) +   diff --git a/devices/surface-hub/manage-surface-hub-settings.md b/devices/surface-hub/manage-surface-hub-settings.md index 5413d28a30..ecfbb7c584 100644 --- a/devices/surface-hub/manage-surface-hub-settings.md +++ b/devices/surface-hub/manage-surface-hub-settings.md 
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub
-author: TrudyHa
+author: jdeckerMS
 localizationpriority: medium
 ---
 
diff --git a/devices/surface-hub/manage-surface-hub.md b/devices/surface-hub/manage-surface-hub.md
index b464c430f2..95b3b394bd 100644
--- a/devices/surface-hub/manage-surface-hub.md
+++ b/devices/surface-hub/manage-surface-hub.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub
-author: TrudyHa
+author: jdeckerMS
 localizationpriority: medium
 ---
 
@@ -30,7 +30,7 @@ Learn about managing and updating Surface Hub.
 | [Remote Surface Hub management](remote-surface-hub-management.md) |Topics related to managing your Surface Hub remotely. Include install apps, managing settings with MDM and monitoring with Operations Management Suite. |
 | [Manage Surface Hub settings](manage-surface-hub-settings.md) |Topics related to managing Surface Hub settings: accessibility, device account, device reset, fully qualified domain name, Windows Update settings, and wireless network |
 | [Install apps on your Surface Hub]( https://technet.microsoft.com/itpro/surface-hub/install-apps-on-surface-hub) | Admins can install apps can from either the Windows Store or the Windows Store for Business.|
-| [End a meeting with I’m done](https://technet.microsoft.com/itpro/surface-hub/i-am-done-finishing-your-surface-hub-meeting) | At the end of a meeting, users can tap I'm Done to clean up any sensitive data and prepare the device for the next meeting.|
+| [End a meeting with End session](https://technet.microsoft.com/itpro/surface-hub/i-am-done-finishing-your-surface-hub-meeting) | At the end of a meeting, users can tap **End session** to clean up any sensitive data and prepare the device for the next meeting.|
 | [Save your BitLocker key](https://technet.microsoft.com/itpro/surface-hub/save-bitlocker-key-surface-hub) | Every Surface Hub is automatically set up with BitLocker drive encryption software. Microsoft strongly recommends that you make sure you back up your BitLocker recovery keys.|
 | [Connect other devices and display with Surface Hub](https://technet.microsoft.com/itpro/surface-hub/connect-and-display-with-surface-hub) | You can connect other device to your Surface Hub to display content.|
 | [Using a room control system]( https://technet.microsoft.com/itpro/surface-hub/use-room-control-system-with-surface-hub) | Room control systems can be used with your Microsoft Surface Hub.|
diff --git a/devices/surface-hub/manage-windows-updates-for-surface-hub.md b/devices/surface-hub/manage-windows-updates-for-surface-hub.md
index d8661c166c..f54bd79038 100644
--- a/devices/surface-hub/manage-windows-updates-for-surface-hub.md
+++ b/devices/surface-hub/manage-windows-updates-for-surface-hub.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub
-author: TrudyHa
+author: jdeckerMS
 localizationpriority: medium
 ---
 
@@ -17,7 +17,7 @@ New releases of the Surface Hub operating system are published through Windows U - **Windows Update for Business** - New in Windows 10, Windows Update for Business is a set of features designed to provide enterprises additional control over how and when Windows Update installs releases, while reducing device management costs. Using this method, Surface Hubs are directly connected to Microsoft’s Windows Update service. - **Windows Server Update Services (WSUS)** - Set of services that enable IT administrators to obtain the updates that Windows Update determines are applicable to the devices in their enterprise, perform additional testing and evaluation on the updates, and select the updates they want to install. Using this method, Surface Hubs will receive updates from WSUS rather than Windows Update. -You can also configure Surface Hub to receive updates from both Windows Update for Business and WSUS. See [Integrate Windows Update for Business with Windows Server Update Services](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-integrate-wufb#integrate-windows-update-for-business-with-windows-server-update-services) for details. +You can also configure Surface Hub to receive updates from both Windows Update for Business and WSUS. See [Integrate Windows Update for Business with Windows Server Update Services](https://technet.microsoft.com/itpro/windows/manage/waas-integrate-wufb#integrate-windows-update-for-business-with-windows-server-update-services) for details. | Capabilities | Windows Update for Business | Windows Server Update Services (WSUS) | | ------------ | --------------------------- | ------------------------------------- | 
@@ -27,7 +27,7 @@ You can also configure Surface Hub to receive updates from both Windows Update f | Define maintenance windows for installing updates. | Yes | Yes | > [!TIP] -> Use peer-to-peer content sharing to reduce bandwidth issues during updates. See [Optimize update delivery for Windows 10 updates](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-optimize-windows-10-updates) for details. +> Use peer-to-peer content sharing to reduce bandwidth issues during updates. See [Optimize update delivery for Windows 10 updates](https://technet.microsoft.com/itpro/windows/manage/waas-optimize-windows-10-updates) for details. > [!NOTE] > Surface Hub does not currently support rolling back updates. 
@@ -45,11 +45,11 @@ In order to improve release quality and simplify deployments, all new releases t The Surface Hub operating system is available on **Current Branch (CB)** and **Current Branch for Business (CBB)**. Like other editions of Windows 10, the servicing lifetime of CB or CBB is finite. You must install new feature updates on machines running these branches in order to continue receiving quality updates. -For more information on Windows as a Service, see [Overview of Windows as a service](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-overview). +For more information on Windows as a Service, see [Overview of Windows as a service](https://technet.microsoft.com/itpro/windows/manage/waas-overview). ## Use Windows Update for Business -Surface Hubs, like all Windows 10 devices, include **Windows Update for Business (WUfB)** to enable you to control how your devices are being updated. Windows Update for Business helps reduce device management costs, provide controls over update deployment, offer quicker access to security updates, as well as provide access to the latest innovations from Microsoft on an ongoing basis. For more information, see [Manage updates using Windows Update for Business](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-manage-updates-wufb). +Surface Hubs, like all Windows 10 devices, include **Windows Update for Business (WUfB)** to enable you to control how your devices are being updated. Windows Update for Business helps reduce device management costs, provide controls over update deployment, offer quicker access to security updates, as well as provide access to the latest innovations from Microsoft on an ongoing basis. For more information, see [Manage updates using Windows Update for Business](https://technet.microsoft.com/itpro/windows/manage/waas-manage-updates-wufb). **To set up Windows Update for Business:** 1. [Group Surface Hub into deployment rings](#group-surface-hub-into-deployment-rings) 
@@ -58,11 +58,11 @@ Surface Hubs, like all Windows 10 devices, include **Windows Update for Business > [!NOTE] -> You can use Microsoft Intune, System Center Configuration Manager, or a supported third-party MDM provider to set up WUfB. [Walkthrough: use Microsoft Intune to configure Windows Update for Business.](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-wufb-intune) +> You can use Microsoft Intune, System Center Configuration Manager, or a supported third-party MDM provider to set up WUfB. [Walkthrough: use Microsoft Intune to configure Windows Update for Business.](https://technet.microsoft.com/itpro/windows/manage/waas-wufb-intune) ### Group Surface Hub into deployment rings -Use deployment rings to control when updates roll out to your Surface Hubs, giving you time to validate them. For example, you can update a small pool of devices first to verify quality before a broader roll-out to your organization. Depending on who manages Surface Hub in your organization, consider incorporating Surface Hub into the deployment rings that you've built for your other Windows 10 devices. For more information about deployment rings, see [Build deployment rings for Windows 10 updates](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-deployment-rings-windows-10-updates). +Use deployment rings to control when updates roll out to your Surface Hubs, giving you time to validate them. For example, you can update a small pool of devices first to verify quality before a broader roll-out to your organization. Depending on who manages Surface Hub in your organization, consider incorporating Surface Hub into the deployment rings that you've built for your other Windows 10 devices. For more information about deployment rings, see [Build deployment rings for Windows 10 updates](https://technet.microsoft.com/itpro/windows/manage/waas-deployment-rings-windows-10-updates). This table gives examples of deployment rings. 
@@ -75,22 +75,22 @@ This table gives examples of deployment rings. ### Configure Surface Hub to use Current Branch or Current Branch for Business -By default, Surface Hubs are configured to receive updates from Current Branch (CB). CB receives feature updates as soon as they are released by Microsoft. Current Branch for Business (CBB), on the other hand, receives feature updates at least four months after they have been initially offered to CB devices, and includes all of the quality updates that have been released in the interim. For more information on the differences between CB and CBB, see [Servicing branches](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-overview#servicing-branches). +By default, Surface Hubs are configured to receive updates from Current Branch (CB). CB receives feature updates as soon as they are released by Microsoft. Current Branch for Business (CBB), on the other hand, receives feature updates at least four months after they have been initially offered to CB devices, and includes all of the quality updates that have been released in the interim. For more information on the differences between CB and CBB, see [Servicing branches](https://technet.microsoft.com/itpro/windows/manage/waas-overview#servicing-branches). **To manually configure Surface Hub to use CB or CBB:** 1. Open **Settings** > **Update & Security** > **Windows Update**, and then select **Advanced Options**. 2. Select **Defer feature updates**. -To configure Surface Hub to use CB or CBB remotely using MDM, set an appropriate [Update/BranchReadinessLevel](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_BranchReadinessLevel) policy. +To configure Surface Hub to use CB or CBB remotely using MDM, set an appropriate [Update/BranchReadinessLevel](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_BranchReadinessLevel) policy. 
### Configure when Surface Hub receives updates Once you've determined deployment rings for your Surface Hubs, configure update deferral policies for each ring: -- To defer feature updates, set an appropriate [Update/DeferFeatureUpdatesPeriodInDays](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_DeferFeatureUpdatesPeriodInDays) policy for each ring. -- To defer quality updates, set an appropriate [Update/DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_DeferQualityUpdatesPeriodInDays) policy for each ring. +- To defer feature updates, set an appropriate [Update/DeferFeatureUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferFeatureUpdatesPeriodInDays) policy for each ring. +- To defer quality updates, set an appropriate [Update/DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferQualityUpdatesPeriodInDays) policy for each ring. > [!NOTE] -> If you encounter issues during the update rollout, you can pause updates using [Update/PauseFeatureUpdates](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_PauseFeatureUpdates) and [Update/PauseQualityUpdates](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_PauseQualityUpdates). +> If you encounter issues during the update rollout, you can pause updates using [Update/PauseFeatureUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseFeatureUpdates) and [Update/PauseQualityUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseQualityUpdates). ## Use Windows Server Update Services 
@@ -103,7 +103,7 @@ You can connect Surface Hub to your Windows Server Update Services (WSUS) server 3. Navigate to **Update & security** > **Windows Update** > **Advanced options** > **Configure Windows Server Update Services (WSUS) server**. 4. Click **Use WSUS Server to download updates** and type the URL of your WSUS server. -To connect Surface Hub to a WSUS server using MDM, set an appropriate [Update/UpdateServiceUrl](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_UpdateServiceUrl) policy. +To connect Surface Hub to a WSUS server using MDM, set an appropriate [Update/UpdateServiceUrl](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_UpdateServiceUrl) policy. **If you use a proxy server or other method to block URLs** @@ -135,7 +135,7 @@ A default maintenance window is set for all new Surface Hubs: 2. Navigate to **Update & security** > **Windows Update** > **Advanced options**. 3. Under **Maintenance hours**, select **Change**. -To change the maintenance window using MDM, set the **MOMAgent** node in the [SurfaceHub configuration service provider](https://msdn.microsoft.com/en-us/library/windows/hardware/mt608323.aspx). See [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md) for more details. +To change the maintenance window using MDM, set the **MOMAgent** node in the [SurfaceHub configuration service provider](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx). See [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md) for more details. ## Related topics diff --git a/devices/surface-hub/monitor-surface-hub.md b/devices/surface-hub/monitor-surface-hub.md index 4b96956704..27f722e175 100644 --- a/devices/surface-hub/monitor-surface-hub.md +++ b/devices/surface-hub/monitor-surface-hub.md 
@@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub -author: TrudyHa +author: jdeckerMS localizationpriority: medium --- diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md index 8914899056..7a4a8ed551 100644 --- a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md +++ b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: surfacehub -author: TrudyHa +author: jdeckerMS localizationpriority: medium --- diff --git a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md index 8905e5b36c..0c25519753 100644 --- a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md +++ b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: surfacehub -author: TrudyHa +author: jdeckerMS localizationpriority: medium --- @@ -25,7 +25,7 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow ```PowerShell Set-ExecutionPolicy Unrestricted $org='contoso.microsoft.com' - $cred=Get-Credential $admin@$org + $cred=Get-Credential admin@$org $sess= New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $cred -Authentication Basic -AllowRedirection Import-PSSession $sess ``` 
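Review bot: The corrected `$cred=Get-Credential admin@$org` line now prompts properly, but the sample it sits in still opens with `Set-ExecutionPolicy Unrestricted`, which changes the policy for the whole machine and is broader than a remote Exchange session needs. Since this hunk is the only place the snippet is touched, it would be worth narrowing that line to `Set-ExecutionPolicy RemoteSigned -Scope Process` so the admin workstation is left as it was once the window closes. The fenced block also sends the credential with `-Authentication Basic`; a short sentence after the block stating that the credential is protected only by the HTTPS `-ConnectionUri` and that a dedicated admin account should be used for this session would help readers. The surrounding prose of this section is outside the hunk.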
@@ -51,7 +51,7 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow If you haven’t created a compatible policy yet, use the following cmdlet—this one creates a policy called "Surface Hubs". Once it’s created, you can apply the same policy to other device accounts. ```PowerShell - $easPolicy = New-MobileDeviceMailboxPolicy -Name “SurfaceHubs” -PasswordEnabled $false + $easPolicy = New-MobileDeviceMailboxPolicy -Name "SurfaceHubs" -PasswordEnabled $false -AllowNonProvisionableDevices $True ``` Once you have a compatible policy, then you will need to apply the policy to the device account. @@ -112,6 +112,7 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow Get-CsOnlineUser -Identity ‘alice@contoso.com’| fl *registrarpool* ``` OR by setting a variable + ```PowerShell $strRegistrarPool = (Get-CsOnlineUser -Identity ‘alice@contoso.com’).RegistrarPool ``` @@ -120,7 +121,11 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow ```PowerShell Enable-CsMeetingRoom -Identity 'HUB01@contoso.com' -RegistrarPool yourRegistrarPool -SipAddressType EmailAddress + ``` + OR using the $strRegistarPool variable from above + + ```PowerShell Enable-CsMeetingRoom -Identity 'HUB01@contoso.com' -RegistrarPool $strRegistrarPool -SipAddressType EmailAddress ``` diff --git a/devices/surface-hub/password-management-for-surface-hub-device-accounts.md b/devices/surface-hub/password-management-for-surface-hub-device-accounts.md index c6c3db5d36..851ae60a58 100644 --- a/devices/surface-hub/password-management-for-surface-hub-device-accounts.md +++ b/devices/surface-hub/password-management-for-surface-hub-device-accounts.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub, security -author: TrudyHa +author: jdeckerMS localizationpriority: medium --- 
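Review bot: The added `-AllowNonProvisionableDevices $True` on the `New-MobileDeviceMailboxPolicy` line is not explained by the sentence above it, which still says only that the cmdlet "creates a policy called "Surface Hubs"". Together with the existing `-PasswordEnabled $false`, the policy now relaxes two mailbox-policy controls, and the text that follows ("you can apply the same policy to other device accounts") invites reuse, so a reader cannot tell whether the parameter is required for Surface Hub or merely convenient. Suggest adding after the code block: `This policy disables password enforcement and allows non-provisionable devices; assign it only to Surface Hub device accounts, never to user mailboxes.` The rest of this section's prose is outside the hunk.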
diff --git a/devices/surface-hub/physically-install-your-surface-hub-device.md b/devices/surface-hub/physically-install-your-surface-hub-device.md index 489e6a03a3..3ea7a56b63 100644 --- a/devices/surface-hub/physically-install-your-surface-hub-device.md +++ b/devices/surface-hub/physically-install-your-surface-hub-device.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub, readiness -author: TrudyHa +author: jdeckerMS localizationpriority: medium --- diff --git a/devices/surface-hub/prepare-your-environment-for-surface-hub.md b/devices/surface-hub/prepare-your-environment-for-surface-hub.md index f5c342d43d..e11e0e6e42 100644 --- a/devices/surface-hub/prepare-your-environment-for-surface-hub.md +++ b/devices/surface-hub/prepare-your-environment-for-surface-hub.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: surfacehub -author: TrudyHa +author: jdeckerMS localizationpriority: medium --- @@ -27,11 +27,12 @@ Review these dependencies to make sure Surface Hub features will work in your IT | Skype for Business (Lync Server 2013 or later, or Skype for Business Online) | Skype for Business is used for various conferencing features, like video calls, instant messaging, and screen sharing.

If screen sharing on a Surface Hub fails and the error message **An error occurred during the screen presentation** is displayed, see [Video Based Screen Sharing not working on Surface Hub](https://support.microsoft.com/help/3179272/video-based-screen-sharing-not-working-on-surface-hub) for help. | | Mobile device management (MDM) solution (Microsoft Intune, System Center Configuration Manager, or supported third-party MDM provider) | If you want to apply settings and install apps remotely, and to multiple devices at a time, you must set up a MDM solution and enroll the device to that solution. See [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md) for details. | | Microsoft Operations Managmement Suite (OMS) | OMS is used to monitor the health of Surface Hub devices. See [Monitor your Surface Hub](monitor-surface-hub.md) for details. | -| Network and Internet access |

In order to function properly, the Surface Hub should have access to a wired or wireless network. Overall, a wired connection is preferred.

**Dynamic IP:** The Surface Hub cannot be configured to use a static IP. It must use DHCP to assign an IP address.

**Proxy servers:** If your topology requires a connection to a proxy server to reach Internet services, then you can configure it during first run, or in Settings. | +| Network and Internet access |

In order to function properly, the Surface Hub should have access to a wired or wireless network. Overall, a wired connection is preferred. 802.1x Authentication is supported for both wired and wireless connections.

**Dynamic IP:** The Surface Hub cannot be configured to use a static IP. It must use DHCP to assign an IP address.

**Proxy servers:** If your topology requires a connection to a proxy server to reach Internet services, then you can configure it during first run, or in Settings. Proxy credentials are stored across Surface Hub sessions and only need to be set once. | Additionally, note that Surface Hub requires the following open ports: - HTTPS: 443 - HTTP: 80 +- NTP: 123 Depending on your environment, access to additional ports may be needed: - For online environments, see [Office 365 IP URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US). @@ -49,7 +50,7 @@ Surface Hub interacts with a few different products and services. Depending on t ## Create and verify device account -A device account is an Exchange resource account that Surface Hub uses to display its meeting calendar, join Skype for Business calls, and send email. See [Create and test a device account](create-and-test-a-device-account-surface-hub.md) for details. +A device account is an Exchange resource account that Surface Hub uses to display its meeting calendar, join Skype for Business calls, send email, and (optionally) to authenticate to Exchange. See [Create and test a device account](create-and-test-a-device-account-surface-hub.md) for details. After you've created your device account, there are a couple of ways to verify that it's setup correctly. - Run Surface Hub device account validation PowerShell scripts. For more information, see [Surface Hub device account scripts](https://gallery.technet.microsoft.com/scriptcenter/Surface-Hub-device-account-6db77696) in Script Center, or [PowerShell scripts for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md) later in this guide. diff --git a/devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md b/devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md deleted file mode 100644 index 73dd21ac2e..0000000000 
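Review bot: The new `- NTP: 123` entry in the open-ports list omits the transport, while the two entries above it (HTTPS 443, HTTP 80) are TCP services; NTP runs over UDP, so a firewall rule written from this list as TCP/123 would not let time sync work. Suggest `- NTP: 123 (UDP)` and, for consistency, `- HTTPS: 443 (TCP)` / `- HTTP: 80 (TCP)`. The added sentence "Proxy credentials are stored across Surface Hub sessions and only need to be set once" also appears to describe a device-wide credential persisted on a shared device; a follow-on sentence such as `Use a dedicated proxy account for Surface Hub rather than an administrator's personal credentials, since they remain on the device.` would give administrators the context they need. The same table row is otherwise unchanged, and the rest of the table is outside the hunk.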
--- a/devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md +++ /dev/null 
@@ -1,221 +0,0 @@ ---- -title: Create provisioning packages (Surface Hub) -description: For Windows 10, settings that use the registry or a content services platform (CSP) can be configured using provisioning packages. You can also add certificates during first run using provisioning. -ms.assetid: 8AA25BD4-8A8F-4B95-9268-504A49BA5345 -keywords: add certificate, provisioning package -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: surfacehub -author: TrudyHa -localizationpriority: medium ---- - -# Create provisioning packages (Surface Hub) - -This topic explains how to create a provisioning package using the Windows Imaging and Configuration Designer (ICD), and apply it to Surface Hub devices. For Surface Hub, you can use provisioning packages to add certificates, install Universal Windows Platform (UWP) apps, and customize policies and settings. - -You can apply a provisioning package using a USB during first run, or through the **Settings** app. - - -## Advantages -- Quickly configure devices without using a MDM provider. - -- No network connectivity required. - -- Simple to apply. - -[Learn more about the benefits and uses of provisioning packages.](https://technet.microsoft.com/itpro/windows/whats-new/new-provisioning-packages) - - -## Requirements - -To create and apply a provisioning package to a Surface Hub, you'll need the following: - -- Windows Imaging and Configuration Designer (ICD), which is installed as a part of the [Windows 10 Assessment and Deployment Kit (ADK)](http://go.microsoft.com/fwlink/p/?LinkId=526740). -- A PC running Windows 10. -- A USB flash drive. -- If you apply the package using the **Settings** app, you'll need device admin credentials. - -You'll create the provisioning package on a PC running Windows 10, save the package to a USB drive, and then deploy it to your Surface Hub. 
- - -## Supported items for Surface Hub provisioning packages - -Currently, you can add these items to provisioning packages for Surface Hub: -- **Certificates** - You can add certificates, if needed, to authenticate to Microsoft Exchange. -- **Universal Windows Platform (UWP) apps** - You can install UWP apps. This can be an offline-licensed app from the Windows Store for Business, or an app created by an in-house dev. -- **Policies** - Surface Hub supports a subset of the policies in the [Policy configuration service provider](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). Some of those policies can be configured with ICD. -- **Settings** - You can configure any setting in the [SurfaceHub configuration service provider](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx). - - -## Create the provisioning package - -Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package. When you install the ADK, you can choose to install only the Imaging and Configuration Designer (ICD). [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740) - -1. Open Windows ICD (by default, `%windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe`). - -2. Click **Advanced provisioning**. - - ![ICD start options](images/ICDstart-option.PNG) - -3. Name your project and click **Next**. - -4. Select **Common to Windows 10 Team edition**, click **Next**, and then click **Finish**. - - ![ICD new project](images/icd-new-project.png) - -5. In the project, under **Available customizations**, select **Common Team edition settings**. - - ![ICD common settings](images/icd-common-settings.png) - - -### Add a certificate to your package -You can use provisioning packages to install certificates that will allow the device to authenticate to Microsoft Exchange. 
- -> [!NOTE] -> Provisioning packages can only install certificates to the device (local machine) store, and not to the user store. If your organization requires that certificates must be installed to the user store, use Mobile Device Management (MDM) to deploy these certificates. See your MDM solution documentation for details. - -1. In the **Available customizations** pane, go to **Runtime settings** > **Certificates** > **ClientCertificates**. - -2. Enter a **CertificateName** and then click **Add**. - -2. Enter the **CertificatePassword**. - -3. For **CertificatePath**, browse and select the certificate. - -4. Set **ExportCertificate** to **False**. - -5. For **KeyLocation**, select **Software only**. - - -### Add a Universal Windows Platform (UWP) app to your package -Before adding a UWP app to a provisioning package, you need the app package (either an .appx, or .appxbundle) and any dependency files. If you acquired the app from the Windows Store for Business, you will also need the *unencoded* app license. See [Distribute offline apps](https://technet.microsoft.com/itpro/windows/manage/distribute-offline-apps#download-an-offline-licensed-app) to learn how to download these items from the Windows Store for Business. - -1. In the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall** > **DeviceContextApp**. - -2. Enter a **PackageFamilyName** for the app and then click **Add**. For consistency, use the app's package family name. If you acquired the app from the Windows Store for Business, you can find the package family name in the app license. Open the license file using a text editor, and use the value between the \...\ tags. - -3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle). - -4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. For Surface Hub, you will only need the x64 versions of these dependencies. 
- -If you acquired the app from the Windows Store for Business, you will also need to add the app license to your provisioning package. - -1. Make a copy of the app license, and rename it to use a **.ms-windows-store-license** extension. For example, "example.xml" becomes "example.ms-windows-store-license". - -2. In ICD, in the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall** > **DeviceContextAppLicense**. - -3. Enter a **LicenseProductId** and then click **Add**. For consistency, use the app's license ID from the app license. Open the license file using a text editor. Then, in the \ tag, use the value in the **LicenseID** attribute. - -4. Select the new **LicenseProductId** node. For **LicenseInstall**, click **Browse** to find and select the license file that you renamed in Step 1. - - -### Add a policy to your package -Surface Hub supports a subset of the policies in the [Policy configuration service provider](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). Some of those policies can be configured with ICD. - -1. In the **Available customizations** pane, go to **Runtime settings** > **Policies**. - -2. Select one of the available policy areas. - -3. Select and set the policy you want to add to your provisioning package. - - -### Add Surface Hub settings to your package - -You can add settings from the [SurfaceHub configuration service provider](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx) to your provisioning package. - -1. In the **Available customizations** pane, go to **Runtime settings** > **WindowsTeamSettings**. - -2. Select one of the available setting areas. - -3. Select and set the setting you want to add to your provisioning package. - - -## Build your package - -1. When you are done configuring the provisioning package, on the **File** menu, click **Save**. - -2. Read the warning that project files may contain sensitive information, and click **OK**. 
- - > [!IMPORTANT] - > When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. - -3. On the **Export** menu, click **Provisioning package**. - -4. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources. - -5. Set a value for **Package Version**, and then select **Next.** - - > [!TIP] - > You can make changes to existing packages and change the version number to update previously applied packages. - -6. Optional: You can choose to encrypt the package and enable package signing. - - - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. - - - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Browse...** and choosing the certificate you want to use to sign the package. - - > [!IMPORTANT] - > We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently.  - -7. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.

-Optionally, you can click **Browse** to change the default output location. - -8. Click **Next**. - -9. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.

-If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. - -10. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.

-If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. - - - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. - - - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. - -11. Select the **output location** link to go to the location of the package. Copy the .ppkg to an empty USB flash drive. - - -## Apply a provisioning package to Surface Hub - -There are two options for deploying provisioning packages to a Surface Hub. You can apply a provisioning packing [during the first run wizard](#apply-a-provisioning-package-during-first-run), or using [Settings](#apply-a-package-using-settings). - - -### Apply a provisioning package during first run - -> [!IMPORTANT] -> Only use provisioning packages to install certificates during first run. Use the **Settings** app to install apps and apply other settings. - -1. When you turn on the Surface Hub for the first time, the first-run program will display the [**Hi there page**](first-run-program-surface-hub.md#first-page). Make sure that the settings are properly configured before proceeding. - -2. Insert the USB flash drive containing the .ppkg file into the Surface Hub. If the package is in the root directory of the drive, the first-run program will recognize it and ask if you want to set up the device. Select **Set up**. - - ![Set up device?](images/provisioningpackageoobe-01.png) - -3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**. - - ![Provision this device](images/provisioningpackageoobe-02.png) - -4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**. Note that you can only install one package during first run. 
- - ![Choose a package](images/provisioningpackageoobe-03.png) - -5. The first-run program will show you a summary of the changes that the provisioning package will apply. Select **Yes, add it**. The package will be applied, and you'll be taken to the next page in the first-run program. - - ![Do you trust this package?](images/provisioningpackageoobe-04.png) - - -### Apply a package using Settings - -1. Insert the USB flash drive containing the .ppkg file into the Surface Hub. - -2. From the Surface Hub, start **Settings** and enter the admin credentials when prompted. - -3. Navigate to **This device** > **Device management**. Under **Provisioning packages**, select **Add or remove a provisioning package**. - -4. Select **Add a package**. - -5. Choose your provisioning package and select **Add**. You may have to re-enter the admin credentials if prompted. - -6. You'll see a summary of the changes that the provisioning package will apply. Select **Yes, add it**. diff --git a/devices/surface-hub/provisioning-packages-for-surface-hub.md b/devices/surface-hub/provisioning-packages-for-surface-hub.md new file mode 100644 index 0000000000..0d3604f6ad --- /dev/null +++ b/devices/surface-hub/provisioning-packages-for-surface-hub.md 
@@ -0,0 +1,319 @@
+---
+title: Create provisioning packages (Surface Hub)
+description: For Windows 10, settings that use the registry or a configuration service provider (CSP) can be configured using provisioning packages.
+ms.assetid: 8AA25BD4-8A8F-4B95-9268-504A49BA5345
+keywords: add certificate, provisioning package
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: surfacehub
+author: jdeckerMS
+localizationpriority: medium
+---
+
+# Create provisioning packages (Surface Hub)
+
+This topic explains how to create a provisioning package using the Windows Configuration Designer, and apply it to Surface Hub devices. For Surface Hub, you can use provisioning packages to add certificates, install Universal Windows Platform (UWP) apps, and customize policies and settings.
+
+You can apply a provisioning package using a USB stick during first-run setup, or through the **Settings** app.
+
+
+## Advantages
+- Quickly configure devices without using a mobile device management (MDM) provider.
+
+- No network connectivity required.
+
+- Simple to apply.
+
+[Learn more about the benefits and uses of provisioning packages.](https://technet.microsoft.com/itpro/windows/configure/provisioning-packages)
+
+
+## Requirements
+
+To create and apply a provisioning package to a Surface Hub, you'll need the following:
+
+- Windows Configuration Designer, which can be installed from Windows Store or from the Windows 10 Assessment and Deployment Kit (ADK). [Learn how to install Windows Configuration Designer.](https://technet.microsoft.com/itpro/windows/configure/provisioning-install-icd)
+- A USB stick.
+- If you apply the package using the **Settings** app, you'll need device admin credentials.
+
+You create the provisioning package on a PC running Windows 10, save the package to a USB drive, and then deploy it to your Surface Hub.
+
+
+## Supported items for Surface Hub provisioning packages
+
+Using the **Provision Surface Hub devices** wizard, you can:
+
+- Enroll in Active Directory, Azure Active Directory, or MDM
+- Create an device administrator account
+- Add applications and certificates
+- Configure proxy settings
+- Add a Surface Hub configuration file
+
+>[!WARNING]
+>You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using the wizard.
+
+Using the advanced provisioning editor, you can add these items to provisioning packages for Surface Hub:
+
+- **Policies** - Surface Hub supports a subset of the policies in the [Policy configuration service provider](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#surfacehubpolicies).
+- **Settings** - You can configure any setting in the [SurfaceHub configuration service provider](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx).
+
+>[!TIP]
+> Use the wizard to create a package with the common settings, then switch to the advanced editor to add other settings.
+>
+>![open advanced editor](images/icd-simple-edit.png)
+
+## Use the Surface Hub provisioning wizard
+
+After you [install Windows Configuration Designer](https://technet.microsoft.com/itpro/windows/configure/provisioning-install-icd), you can create a provisioning package.
+
+### Create the provisioning package
+
+1. Open Windows Configuration Designer:
+ - From either the Start screen or Start menu search, type 'Windows Configuration Designer' and click on the Windows Configuration Designer shortcut,
+
+ or
+
+ - If you installed Windows Configuration Designer from the ADK, navigate to `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86` (on an x64 computer) or `C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe` (on an x86 computer), and then double-click **ICD.exe**.
+
+2. Click **Provision Surface Hub devices**.
+
+3. Name your project and click **Next**.
+
+### Configure settings
+
+
+
+
+
+
+
+
+
![step one](images/one.png) ![add certificates](images/add-certificates.png)

To provision the device with a certificate, click **Add a certificate**. Enter a name for the certificate, and then browse to and select the certificate to be used.
![add a certificate](images/add-certificates-details.png)
![step two](images/two.png) ![configure proxy settings](images/proxy.png)

Toggle **Yes** or **No** for proxy settings. The default configuration for Surface Hub is to automatically detect proxy settings, so you can select **No** if that is the setting that you want. However, if your infrastructure previously required using a proxy server and has changed to not require a proxy server, you can use a provisioning package to revert your Surface Hub devices to the default settings by selecting **Yes** and **Automatically detect settings**.

If you toggle **Yes**, you can select to automatically detect proxy settings, or you can manually configure the settings by entering a URL to a setup script, or a static proxy server address. You can also identify whether to use the proxy server for local addresses, and enter exceptions (addresses that Surface Hub should connect to directly without using the proxy server).
![configure proxy settings](images/proxy-details.png)
![step three](images/three.png) ![device admins](images/set-up-device-admins.png)

You can enroll the device in Active Directory and specify a security group to use the Settings app, enroll in Azure Active Directory to allow global admins to use the Settings app, or create a local administrator account on the device.

To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain, and specify the security group to have admin credentials on Surface Hub. If a provisioning package that enrolls a device in Active Directory is going to be applied to a Surface Hub that was reset, the same domain account can only be used if the account listed is a domain administrator or is the same account that set up the Surface Hub initially. Otherwise, a different domain account must be used in the provisioning package.

Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.

To create a local administrator account, select that option and enter a user name and password.

**Important:** If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in.
![join Active Directory, Azure AD, or create a local admin account](images/set-up-device-admins-details.png)
![step four](images/four.png) ![enroll in device management](images/enroll-mdm.png)

Toggle **Yes** or **No** for enrollment in MDM.

If you toggle **Yes**, you must provide a service account and password or certificate thumbprint that is authorized to enroll the device, and also specify the authentication type. If required by your MDM provider, also enter the URLs for the discovery service, enrollment service, and policy service. [Learn more about managing Surface Hub with MDM.](manage-settings-with-mdm-for-surface-hub.md)
![enroll in mobile device management](images/enroll-mdm-details.png)
![step five](images/five.png) ![add applications](images/add-applications.png)

You can install multiple Universal Windows Platform (UWP) apps in a provisioning package. For help with the settings, see [Provision PCs with apps](https://technet.microsoft.com/itpro/windows/configure/provision-pcs-with-apps).

**Important:** Although the wizard interface allows you to select a Classic Win32 app, only include UWP apps in a provisioning package that will be applied to Surface Hub. If you include a Classic Win32 app, provisioning will fail.
![add an application](images/add-applications-details.png)
![step six](images/six.png) ![Add configuration file](images/add-config-file.png)

You don't configure any settings in this step. It provides instructions for including a configuration file that contains a list of device accounts. The configuration file must not contain column headers. When you apply the provisioning package to Surface Hub, if a Surface Hub configuration file is included on the USB drive, you can select the account and friendly name for the device from the file. See [Sample configuration file](#sample-configuration-file) for an example.

**Important:** The configuration file can only be applied during the out-of-box setup experience (OOBE) and can only be used with provisioning packages created using the Windows Configuration Designer released with Windows 10, version 1703.
![Add a Surface Hub configuration file](images/add-config-file-details.png)
![finish](images/finish.png)

You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.
![Protect your package](images/finish-details.png)
+
+After you're done, click **Create**. It only takes a few seconds. When the package is built, the location where the package is stored is displayed as a hyperlink at the bottom of the page.
+
+## Sample configuration file
+
+A Surface Hub configuration file contains a list of device accounts that your device can use to connect to Exchange and Skype for Business. When you apply a provisioning package to Surface Hub, you can include a configuration file in the root directory of the USB flash drive, and then select the desired account to apply to that device. The configuration file can only be applied during the out-of-box setup experience (OOBE) and can only be used with provisioning packages created using the Windows Configuration Designer released with Windows 10, version 1703.
+
+Use Microsoft Excel or other CSV editor to create a CSV file named `SurfaceHubConfiguration.csv`. In the file, enter a list of device accounts and friendly names in this format:
+
+```
+,,
+```
+>[!IMPORTANT]
+>Because the configuration file stores the device account passwords in plaintext, we recommend that you update the passwords after you've applied the provisioning package to your devices. You can use the [DeviceAccount node](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/surfacehub-csp#deviceaccount) in the [Surface Hub configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/surfacehub-csp) to update the passwords via MDM.
+
+
+The following is an example of `SurfaceHubConfiguration.csv`.
+
+```
+Rainier@contoso.com,password,Rainier Surface Hub
+Adams@contoso.com,password,Adams Surface Hub
+Baker@contoso.com,password,Baker Surface Hub
+Glacier@constoso.com,password,Glacier Surface Hub
+Stuart@contoso.com,password,Stuart Surface Hub
+Fernow@contoso.com,password,Fernow Surface Hub
+Goode@contoso.com,password,Goode Surface Hub
+Shuksan@contoso.com,password,Shuksan Surface Hub
+Buckner@contoso.com,password,Buckner Surface Hub
+Logan@contoso.com,password,Logan Surface Hub
+Maude@consoto.com,password,Maude Surface hub
+Spickard@contoso.com,password,Spickard Surface Hub
+Redoubt@contoso.com,password,Redoubt Surface Hub
+Dome@contoso.com,password,Dome Surface Hub
+Eldorado@contoso.com,password,Eldorado Surface Hub
+Dragontail@contoso.com,password,Dragontail Surface Hub
+Forbidden@contoso.com,password,Forbidden Surface Hub
+Oval@contoso.com,password,Oval Surface Hub
+StHelens@contoso.com,password,St Helens Surface Hub
+Rushmore@contoso.com,password,Rushmore Surface Hub
+```
+
+## Use advanced provisioning
+
+After you [install Windows Configuration Designer](https://technet.microsoft.com/itpro/windows/configure/provisioning-install-icd), you can create a provisioning package.
+
+### Create the provisioning package (advanced)
+
+1. Open Windows Configuration Designer:
+ - From either the Start screen or Start menu search, type 'Windows Configuration Designer' and click on the Windows Configuration Designer shortcut,
+
+ or
+
+ - If you installed Windows Configuration Designer from the ADK, navigate to `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86` (on an x64 computer) or `C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe` (on an x86 computer), and then double-click **ICD.exe**.
+
+2. Click **Advanced provisioning**.
+
+3. Name your project and click **Next**.
+
+4. Select **Common to Windows 10 Team edition**, click **Next**, and then click **Finish**.
+
+ ![ICD new project](images/icd-new-project.png)
+
+5. In the project, under **Available customizations**, select **Common Team edition settings**.
+
+ ![ICD common settings](images/icd-common-settings.png)
+
+
+### Add a certificate to your package
+You can use provisioning packages to install certificates that will allow the device to authenticate to Microsoft Exchange.
+
+> [!NOTE]
+> Provisioning packages can only install certificates to the device (local machine) store, and not to the user store. If your organization requires that certificates must be installed to the user store, use Mobile Device Management (MDM) to deploy these certificates. See your MDM solution documentation for details.
+
+1. In the **Available customizations** pane, go to **Runtime settings** > **Certificates** > **ClientCertificates**.
+
+2. Enter a **CertificateName** and then click **Add**.
+
+2. Enter the **CertificatePassword**.
+
+3. For **CertificatePath**, browse and select the certificate.
+
+4. Set **ExportCertificate** to **False**.
+
+5. For **KeyLocation**, select **Software only**.
+
+
+### Add a Universal Windows Platform (UWP) app to your package
+Before adding a UWP app to a provisioning package, you need the app package (either an .appx, or .appxbundle) and any dependency files. If you acquired the app from the Windows Store for Business, you will also need the *unencoded* app license. See [Distribute offline apps](https://technet.microsoft.com/itpro/windows/manage/distribute-offline-apps#download-an-offline-licensed-app) to learn how to download these items from the Windows Store for Business.
+
+1. In the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall** > **DeviceContextApp**.
+
+2. Enter a **PackageFamilyName** for the app and then click **Add**. For consistency, use the app's package family name. If you acquired the app from the Windows Store for Business, you can find the package family name in the app license. Open the license file using a text editor, and use the value between the \...\ tags.
+
+3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle).
+
+4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. For Surface Hub, you will only need the x64 versions of these dependencies.
+
+If you acquired the app from the Windows Store for Business, you will also need to add the app license to your provisioning package.
+
+1. Make a copy of the app license, and rename it to use a **.ms-windows-store-license** extension. For example, "example.xml" becomes "example.ms-windows-store-license".
+
+2. In ICD, in the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall** > **DeviceContextAppLicense**.
+
+3. Enter a **LicenseProductId** and then click **Add**. For consistency, use the app's license ID from the app license. Open the license file using a text editor. Then, in the \ tag, use the value in the **LicenseID** attribute.
+
+4. Select the new **LicenseProductId** node. For **LicenseInstall**, click **Browse** to find and select the license file that you renamed in Step 1.
+
+
+### Add a policy to your package
+Surface Hub supports a subset of the policies in the [Policy configuration service provider](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). Some of those policies can be configured with ICD.
+
+1. In the **Available customizations** pane, go to **Runtime settings** > **Policies**.
+
+2. Select one of the available policy areas.
+
+3. Select and set the policy you want to add to your provisioning package.
+
+
+### Add Surface Hub settings to your package
+
+You can add settings from the [SurfaceHub configuration service provider](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx) to your provisioning package.
+
+1. In the **Available customizations** pane, go to **Runtime settings** > **WindowsTeamSettings**.
+
+2. Select one of the available setting areas.
+
+3. Select and set the setting you want to add to your provisioning package.
+
+
+## Build your package
+
+1. When you are done configuring the provisioning package, on the **File** menu, click **Save**.
+
+2. Read the warning that project files may contain sensitive information, and click **OK**.
+
+ > [!IMPORTANT]
+ > When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
+
+3. On the **Export** menu, click **Provisioning package**.
+
+4. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources.
+
+5. Set a value for **Package Version**, and then select **Next.**
+
+ > [!TIP]
+ > You can make changes to existing packages and change the version number to update previously applied packages.
+
+6. Optional: You can choose to encrypt the package and enable package signing.
+
+ - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
+
+ - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Browse...** and choosing the certificate you want to use to sign the package.
+
+ > [!IMPORTANT]
+ > We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently.
+
+7. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.

+Optionally, you can click **Browse** to change the default output location.
+
+8. Click **Next**.
+
+9. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.

+If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
+
+10. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.

+If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
+
+ - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
+
+ - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**.
+
+11. Select the **output location** link to go to the location of the package. Copy the .ppkg to an empty USB flash drive.
+
+
+## Apply a provisioning package to Surface Hub
+
+There are two options for deploying provisioning packages to a Surface Hub. You can apply a provisioning packing [during the first run wizard](#apply-a-provisioning-package-during-first-run), or using [Settings](#apply-a-package-using-settings).
+
+
+### Apply a provisioning package during first run
+
+> [!IMPORTANT]
+> Only use provisioning packages to install certificates during first run. Use the **Settings** app to install apps and apply other settings.
+
+1. When you turn on the Surface Hub for the first time, the first-run program will display the [**Hi there page**](first-run-program-surface-hub.md#first-page). Make sure that the settings are properly configured before proceeding.
+
+2. Insert the USB flash drive containing the .ppkg file into the Surface Hub. If the package is in the root directory of the drive, the first-run program will recognize it and ask if you want to set up the device. Select **Set up**.
+
+ ![Set up device?](images/provisioningpackageoobe-01.png)
+
+3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**.
+
+ ![Provision this device](images/provisioningpackageoobe-02.png)
+
+4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**. Note that you can only install one package during first run.
+
+ ![Choose a package](images/provisioningpackageoobe-03.png)
+
+5. The first-run program will show you a summary of the changes that the provisioning package will apply. Select **Yes, add it**.
+
+ ![Do you trust this package?](images/provisioningpackageoobe-04.png)
+
+6. If a configuration file is included in the root directory of the USB flash drive, you will see **Select a configuration**. The first device account in the configuration file will be shown with a summary of the account information that will be applied to the Surface Hub.
+
+ ![select a configuration](images/ppkg-config.png)
+
+7. In **Select a configuration**, select the device name to apply, and then click **Next**.
+
+ ![select a friendly device name](images/ppkg-csv.png)
+
+The settings from the provisioning package will be applied to the device and OOBE will be complete. After the device restarts, you can remove the USB flash drive.
+
+### Apply a package using Settings
+
+1. Insert the USB flash drive containing the .ppkg file into the Surface Hub.
+
+2. From the Surface Hub, start **Settings** and enter the admin credentials when prompted.
+
+3. Navigate to **Surface Hub** > **Device management**. Under **Provisioning packages**, select **Add or remove a provisioning package**.
+
+4. Select **Add a package**.
+
+5. Choose your provisioning package and select **Add**. You may have to re-enter the admin credentials if prompted.
+
+6. You'll see a summary of the changes that the provisioning package will apply. Select **Yes, add it**.
+
+
diff --git a/devices/surface-hub/remote-surface-hub-management.md b/devices/surface-hub/remote-surface-hub-management.md
index 41588251fe..57bd619f8b 100644
--- a/devices/surface-hub/remote-surface-hub-management.md
+++ b/devices/surface-hub/remote-surface-hub-management.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub
-author: TrudyHa
+author: jdeckerMS
 localizationpriority: medium
 ---
diff --git a/devices/surface-hub/save-bitlocker-key-surface-hub.md b/devices/surface-hub/save-bitlocker-key-surface-hub.md
index 2354de0f40..6e6b8b5317 100644
--- a/devices/surface-hub/save-bitlocker-key-surface-hub.md
+++ b/devices/surface-hub/save-bitlocker-key-surface-hub.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub
-author: TrudyHa
+author: jdeckerMS
 localizationpriority: medium
 ---
diff --git a/devices/surface-hub/set-up-your-surface-hub.md b/devices/surface-hub/set-up-your-surface-hub.md
index 95b7c2c92f..96310f473c 100644
--- a/devices/surface-hub/set-up-your-surface-hub.md
+++ b/devices/surface-hub/set-up-your-surface-hub.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: surfacehub
-author: TrudyHa
+author: jdeckerMS
 localizationpriority: medium
 ---
diff --git a/devices/surface-hub/setup-worksheet-surface-hub.md b/devices/surface-hub/setup-worksheet-surface-hub.md
index a77cf5850f..d8e7f921c0 100644
--- a/devices/surface-hub/setup-worksheet-surface-hub.md
+++ b/devices/surface-hub/setup-worksheet-surface-hub.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: surfacehub
-author: TrudyHa
+author: jdeckerMS
 localizationpriority: medium
 ---
diff --git a/devices/surface-hub/surface-hub-administrators-guide.md b/devices/surface-hub/surface-hub-administrators-guide.md
deleted file mode 100644
index 4786082d45..0000000000
--- a/devices/surface-hub/surface-hub-administrators-guide.md
+++ /dev/null
@@ -1,76 +0,0 @@ ---- -title: Microsoft Surface Hub administrator's guide -description: This guide covers the installation and administration of devices running Surface Hub, and is intended for use by anyone responsible for these tasks, including IT administrators and developers. -ms.assetid: e618aab7-3a94-4159-954e-d455ef7b8839 -keywords: Surface Hub, installation, administration, administrator's guide -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: surfacehub -author: TrudyHa -localizationpriority: medium ---- - -# Microsoft Surface Hub administrator's guide - - -This guide covers the installation and administration of devices running Surface Hub, and is intended for use by anyone responsible for these tasks, including IT administrators and developers. - -Before you power on Microsoft Surface Hub for the first time, make sure you've [completed preparation items](prepare-your-environment-for-surface-hub.md), and that you have the information listed in the [Setup worksheet](setup-worksheet-surface-hub.md). When you do power it on, the device will walk you through a series of setup screens. If you haven't properly set up your environment, or don't have the required information, you'll have to do extra work afterward making sure the settings are correct. - -## In this section - - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TopicDescription

[Intro to Microsoft Surface Hub](intro-to-surface-hub.md)

Surface Hub is an all-in-one productivity device that is intended for brainstorming, collaboration, and presentations. In order to get the maximum benefit from Surface Hub, your organization’s infrastructure and the Surface Hub itself must be properly set up and integrated. This guide describes what needs to be done both before and during setup in order to help you optimize your use of the device.

[Physically install Microsoft Surface Hub](physically-install-your-surface-hub-device.md)

The Surface Hub Readiness Guide will help make sure that your site is ready for the installation. You can download the Guide from the [Microsoft Download Center](https://go.microsoft.com/fwlink/?LinkId=718144). It includes planning information for both the 55" and 84" devices, as well as info on moving the Surface Hub from receiving to the installation location, mounting options, and a list of what's in the box.

[Prepare your environment for Microsoft Surface Hub](prepare-your-environment-for-surface-hub.md)

This section contains an overview of the steps required to prepare your environment so that you can use all of the features of Surface Hub. See [Intro to Surface Hub](intro-to-surface-hub.md) for a description of how the device and its features interact with your IT environment.

[Set up Microsoft Surface Hub](set-up-your-surface-hub.md)

Set up instructions for Surface Hub include a setup worksheet, and a walkthrough of the first-run program.

[Manage Microsoft Surface Hub](manage-surface-hub.md)

How to manage your Surface Hub after finishing the first-run program.

[Troubleshoot Microsoft Surface Hub](troubleshoot-surface-hub.md)

Troubleshoot common problems, including setup issues, Exchange ActiveSync errors.

[Appendix: PowerShell](appendix-a-powershell-scripts-for-surface-hub.md)

PowerShell scripts to help set up and manage your Surface Hub .

- -  - -  - -  - - - - -
diff --git a/devices/surface-hub/surfacehub-whats-new-1703.md b/devices/surface-hub/surfacehub-whats-new-1703.md
new file mode 100644
index 0000000000..537d6c55a9
--- /dev/null
+++ b/devices/surface-hub/surfacehub-whats-new-1703.md
@@ -0,0 +1,31 @@
+---
+title: What's new in Windows 10, version 1703 for Surface Hub
+description: Windows 10, version 1703 (Creators Update) brings new features to Microsoft Surface Hub.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.pagetype: devices
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: medium
+---
+
+# What's new in Windows 10, version 1703 for Microsoft Surface Hub?
+
+Windows 10, version 1703 (also called the Creators Update), introduces the following changes for Microsoft Surface Hub:
+
+
+- Settings have been added to mobile device management (MDM) and configuration service providers (CSPs) to expand the Surface Hub management capabilities. [Learn more about the new settings.](manage-settings-with-mdm-for-surface-hub.md)
+
+- An easy-to-use wizard helps you quickly create provisioning packages that you can apply to multiple Surface Hub devices. [Learn how to create a provisioning package for Surface Hub.](provisioning-packages-for-certificates-surface-hub.md)
+
+- When you reset a Surface Hub device, you now have the ability to download and install a factory build of the operating system from the cloud. [Learn more about cloud recovery.](device-reset-surface-hub.md#cloud-recovery)
+ >[!NOTE]
+ >Cloud recovery doesn't work if you use proxy servers.
+
+- **I'm done** is now **End session**. [Learn how to use End session.](i-am-done-finishing-your-surface-hub-meeting.md)
+
+
+
+
+
diff --git a/devices/surface-hub/troubleshoot-surface-hub.md b/devices/surface-hub/troubleshoot-surface-hub.md
index cc3bd57b95..ff05c19f62 100644
--- a/devices/surface-hub/troubleshoot-surface-hub.md
+++ b/devices/surface-hub/troubleshoot-surface-hub.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: support
 ms.sitesec: library
 ms.pagetype: surfacehub
-author: TrudyHa
+author: jdeckerMS
 localizationpriority: medium
 ---
diff --git a/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md b/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md
index fbed027215..512cf6b4bf 100644
--- a/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md
+++ b/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md
@@ -3,7 +3,7 @@ title: Use fully qualified doman name with Surface Hub
 description: Troubleshoot common problems, including setup issues, Exchange ActiveSync errors.
 ms.assetid: CF58F74D-8077-48C3-981E-FCFDCA34B34A
 keywords: ["Troubleshoot common problems", "setup issues", "Exchange ActiveSync errors"]
-author: TrudyHa
+author: jdeckerMS
 localizationpriority: medium
 ---
@@ -16,7 +16,7 @@ There are a few scenarios where you need to specify the domain name of your Skyp
 **To configure the domain name for your Skype for Business server**
 1. On Surface Hub, open **Settings**.
-2. Click **This device**, and then click **Calling**.
+2. Click **Surface Hub**, and then click **Calling & Audio**.
 3. Under **Skype for Business configuration**, click **Configure domain name**.
 4. Type the domain name for your Skype for Business server, and then click **Ok**.
 > [!TIP]
diff --git a/devices/surface-hub/use-room-control-system-with-surface-hub.md b/devices/surface-hub/use-room-control-system-with-surface-hub.md
index d229e05de5..4ff4665c6a 100644
--- a/devices/surface-hub/use-room-control-system-with-surface-hub.md
+++ b/devices/surface-hub/use-room-control-system-with-surface-hub.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub
-author: TrudyHa
+author: jdeckerMS
 localizationpriority: medium
 ---
@@ -267,6 +267,9 @@ The current volume level is a range from 0 to 100.
 Changes to volume levels can be sent by a room control system, or other system.
+>[!NOTE]
+>The Volume command will only control the volume for embedded or Replacement PC mode, not from [Guest sources](connect-and-display-with-surface-hub.md).
+
diff --git a/devices/surface-hub/wireless-network-management-for-surface-hub.md b/devices/surface-hub/wireless-network-management-for-surface-hub.md
index 0ccd6ad70d..db080ce397 100644
--- a/devices/surface-hub/wireless-network-management-for-surface-hub.md
+++ b/devices/surface-hub/wireless-network-management-for-surface-hub.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub, networking
-author: TrudyHa
+author: jdeckerMS
 localizationpriority: medium
 ---
@@ -24,7 +24,7 @@ If a wired network connection is not available, the Surface Hub can use a wirele
 ### Choose a wireless access point
 1. On the Surface Hub, open **Settings** and enter your admin credentials.
-2. Click **System**, and then click **Network & Internet**. Under **Wi-Fi**, choose an access point. If you want Surface Hub to automatically connect to this access point, click **Connect automatically**. Click **Connect**.
+2. Click **Network & Internet**. Under **Wi-Fi**, choose an access point. If you want Surface Hub to automatically connect to this access point, click **Connect automatically**. Click **Connect**.
 ![Image showing Wi-Fi settings, Network & Internet page.](images/networkmgtwireless-01.png)
@@ -35,7 +35,7 @@ If a wired network connection is not available, the Surface Hub can use a wirele
 ### Review wireless settings
 1. On the Surface Hub, open **Settings** and enter your admin credentials.
-2. Click **System**, click **Network & Internet**, then **Wi-Fi**, and then click **Advanced options**.
+2. Click **Network & Internet**, then **Wi-Fi**, and then click **Advanced options**.
 3. Surface Hub shows you the properties for the wireless network connection.
 ![Image showing properties for connected Wi-Fi.](images/networkmgtwireless-04.png)
diff --git a/devices/surface/microsoft-surface-data-eraser.md b/devices/surface/microsoft-surface-data-eraser.md
index 4a39f0775e..2b7f54801b 100644
--- a/devices/surface/microsoft-surface-data-eraser.md
+++ b/devices/surface/microsoft-surface-data-eraser.md
@@ -18,6 +18,9 @@ Find out how the Microsoft Surface Data Eraser tool can help you securely wipe d
 [Microsoft Surface Data Eraser](https://www.microsoft.com/download/details.aspx?id=46703) is a tool that boots from a USB stick and allows you to perform a secure wipe of all data from a compatible Surface device. A Microsoft Surface Data Eraser USB stick requires only the ability to boot from USB. The USB stick is easy to create by using the provided wizard, the Microsoft Surface Data Eraser wrapper, and is easy to use with a simple graphic interface, no command line needed. To learn more about the data wiping capabilities and practices Microsoft uses during the service process for Surface, see [Protecting your data if you send your Surface in for service](https://www.microsoft.com/surface/support/security-sign-in-and-accounts/data-wiping-policy).
+>[!IMPORTANT]
+>Microsoft Surface Data Eraser uses the NVM Express (NVMe) format command to erase data as authorized in [NIST Special Publication 800-88 Revision 1](http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf).
+
 Compatible Surface devices include:
 - Surface Studio
diff --git a/education/windows/index.md b/education/windows/index.md
index f8db1c0562..6ee2d1946a 100644
--- a/education/windows/index.md
+++ b/education/windows/index.md
@@ -1,11 +1,12 @@
 ---
 title: Windows 10 for Education (Windows 10)
-description: Learn how to use Windows 10 in schools.
+description: Learn how to use Windows 10 in schools.
 keywords: Windows 10, education
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: edu
+localizationpriority: high
 author: CelesteDG
 ---
@@ -29,8 +30,7 @@ author: CelesteDG
  • Automate common Windows 10 deployment and configuration tasks
  • Deploy a custom Windows 10 Start menu
  • Manage Windows 10 updates and upgrades
  • -
  • Reprovision devices at the end of the school year
  • -
  • Use MDT to deploy Windows 10
  • +
  • Reprovision devices at the end of the school year
  • Use MDT to deploy Windows 10
  • Use Windows Store for Business
  • @@ -57,20 +57,16 @@ author: CelesteDG

    Try it out: Windows 10 deployment (for education)
    Learn how to upgrade devices running the Windows 7 operating system to Windows 10 Anniversary Update, and how to manage devices, apps, and users in Windows 10 Anniversary Update.

    For the best experience, use this guide in tandem with the TechNet Virtual Lab: IT Pro Try-It-Out.

    - + - ### ![Upgrade to Windows 10 for education](images/windows.png) Upgrade +### ![Upgrade to Windows 10 for education](images/windows.png) Upgrade

    [Upgrade Windows 10 Pro to Pro Education from Windows Store for Business](windows-10-pro-to-pro-edu-upgrade.md)
    If you have an education tenant and use Windows 10 Pro in your schools now, find out how you can opt-in to a free upgrade to Windows 10 Pro Education.

    -<<<<<<< HEAD -
    -

    -======= +

    ->>>>>>> e04a8c5905ed4bcb1df7b6b60d48146df9095a12 -
    +
    ## Windows 8.1 Follow these links to find step-by-step guidance on how to deploy Windows 8.1 in an academic environment. diff --git a/license.md b/license.md deleted file mode 100644 index 0e5cb57b99..0000000000 --- a/license.md +++ /dev/null @@ -1,7 +0,0 @@ -Copyright (c) Microsoft Corporation. Distributed under the following terms: - -1. Microsoft and any contributors to this project each grants you a license, under its respective copyrights, to the documentation under the [Creative Commons Attribution 3.0 United States License](http://creativecommons.org/licenses/by/3.0/us/legalcode). In addition, with respect to any sample code contained in the documentation, Microsoft and any such contributors grants you an additional license, under its respective intellectual property rights, to use the code to develop or design your software for Microsoft Windows. - -2. Microsoft, Windows, and/or other Microsoft products and services referenced in the documentation may be either trademarks or registered trademarks of Microsoft in the United States and/or other countries. This license does not grant you rights to use any names, logos, or trademarks. For Microsoft’s general trademark guidelines, go to [https://go.microsoft.com/fwlink/?LinkID=254653](https://go.microsoft.com/fwlink/?LinkID=254653). - -3. Microsoft and any contributors reserves all others rights, whether under copyrights, patents, or trademarks, or by implication, estoppel or otherwise. diff --git a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v51.md b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v51.md index 8b3704c3a9..bd506092d0 100644 --- a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v51.md +++ b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v51.md @@ -441,14 +441,14 @@ After you download the Office 2016 applications through the Office Deployment To

    PACKAGEGUID (optional)

    By default, all App-V packages created by the Office Deployment Tool share the same App-V Package ID. You can use PACKAGEGUID to specify a different package ID for each package, which allows you to publish multiple App-V packages, created by the Office Deployment Tool, and manage them by using the App-V Server.

    An example of when to use this parameter is if you create different packages for different users. For example, you can create a package with just Office 2016 for some users, and create another package with Office 2016 and Visio 2016 for another set of users.

    ->**Note** Even if you use unique package IDs, you can still deploy only one App-V package to a single device. + + >**Note** Even if you use unique package IDs, you can still deploy only one App-V package to a single device.
      - 2. Use the /packager command to convert the Office applications to an Office 2016 App-V package. For example: diff --git a/mdop/appv-v5/how-to-view-and-configure-applications-and-default-virtual-application-extensions-by-using-the-management-console-51.md b/mdop/appv-v5/how-to-view-and-configure-applications-and-default-virtual-application-extensions-by-using-the-management-console-51.md index 34ae20a4f8..e61be318ba 100644 --- a/mdop/appv-v5/how-to-view-and-configure-applications-and-default-virtual-application-extensions-by-using-the-management-console-51.md +++ b/mdop/appv-v5/how-to-view-and-configure-applications-and-default-virtual-application-extensions-by-using-the-management-console-51.md 
@@ -29,7 +29,8 @@ Use the following procedure to view and configure default package extensions.
 5. To edit other application extensions, modify the configuration file and click **Import and Overwrite this Configuration**. Select the modified file and click **Open**. In the dialog box, click **Overwrite** to complete the process.
->**Note** If the upload fails and the size of your configuration file is above 4MB, you will need to increase the maximum file size allowed by the server. This can be done by adding the maxRequestLength attribute with a value greater than the size of your configuration file (in KB) to the httpRuntime element on line 26 of C:\Program Files\Microsoft Application Virtualization Server\ManagementService\Web.config. For example, changing' ' to '' will increase the maximum size to 8MB
+>**Note** If the upload fails and the size of your configuration file is above 4MB, you will need to increase the maximum file size allowed by the server. This can be done by adding the maxRequestLength attribute with a value greater than the size of your configuration file (in KB) to the httpRuntime element on line 26 of `C:\Program Files\Microsoft Application Virtualization Server\ManagementService\Web.config`.
+For example, changing `` to `` will increase the maximum size to 8MB
 **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
 **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
diff --git a/mdop/appv-v5/planning-for-using-app-v-with-office51.md b/mdop/appv-v5/planning-for-using-app-v-with-office51.md
index c6edab05da..0f34f1b356 100644
--- a/mdop/appv-v5/planning-for-using-app-v-with-office51.md
+++ b/mdop/appv-v5/planning-for-using-app-v-with-office51.md
@@ -28,82 +28,15 @@ Use the following information to plan how to deploy Office by using Microsoft Ap You can use the App-V 5.1 Sequencer to create plug-in packages for Language Packs, Language Interface Packs, Proofing Tools and ScreenTip Languages. You can then include the plug-in packages in a Connection Group, along with the Office 2013 package that you create by using the Office Deployment Toolkit. The Office applications and the plug-in Language Packs interact seamlessly in the same connection group, just like any other packages that are grouped together in a connection group. -**Note**   +>**Note**   Microsoft Visio and Microsoft Project do not provide support for the Thai Language Pack.   ## Supported versions of Microsoft Office - -The following table lists the versions of Microsoft Office that App-V supports, methods of Office package creation, supported licensing, and supported deployments. - - ------- - - - - - - - - - - - - - - - - - - - - - - - - - -
    Supported Office VersionSupported App-V VersionsPackage CreationSupported LicensingSupported Deployments

    Office 365 ProPlus

    -

    Also supported:

    -
      -
    • Visio Pro for Office 365

    • -
    • Project Pro for Office 365

    • -
      -
    • App-V 5.0

    • -
    • App-V 5.0 SP1

    • -
    • App-V 5.0 SP2

    • -
    • App-V 5.0 SP3

    • -
    • App-V 5.1

    • -

    Office Deployment Tool

    Subscription

      -
    • Desktop

    • -
    • Personal VDI

    • -
    • Pooled VDI

    • -
    • RDS

    • -

    Office Professional Plus 2013

    -

    Also supported:

    -
      -
    • Visio Professional 2013

    • -
    • Project Professional 2013

    • -
      -
    • App-V 5.0

    • -
    • App-V 5.0 SP1

    • -
    • App-V 5.0 SP2

    • -
    • App-V 5.0 SP3

    • -
    • App-V 5.1

    • -

    Office Deployment Tool

    Volume Licensing

      -
    • Desktop

    • -
    • Personal VDI

    • -
    • Pooled VDI

    • -
    • RDS

    • -
    +See [Microsoft Office Product IDs that App-V supports](https://support.microsoft.com/en-us/help/2842297/product-ids-that-are-supported-by-the-office-deployment-tool-for-click) for a list of supported Office products. +>**Note**  You must use the Office Deployment Tool to create App-V packages for Office 365 ProPlus. Creating packages for the volume-licensed versions of Office Professional Plus or Office Standard is not supported. You cannot use the App-V Sequencer.   @@ -149,7 +82,7 @@ The Office documentation provides extensive guidance on coexistence for Windows The following tables summarize the supported coexistence scenarios. They are organized according to the version and deployment method you’re starting with and the version and deployment method you are migrating to. Be sure to fully test all coexistence solutions before deploying them to a production audience. -**Note**   +>**Note**   Microsoft does not support the use of multiple versions of Office in Windows Server environments that have the Remote Desktop Session Host role service enabled. To run Office coexistence scenarios, you must disable this role service.   diff --git a/windows/configure/TOC.md b/windows/configure/TOC.md index 730ad0a216..7051cc29db 100644 --- a/windows/configure/TOC.md +++ b/windows/configure/TOC.md 
@@ -3,28 +3,30 @@
 ## [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
 ## [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md)
 ## [Configure kiosk and shared devices running Windows 10 desktop editions](kiosk-shared-pc.md)
-### [Set up a shared or guest PC with Windows 10](set-up-a-device-for-anyone-to-use.md)
+### [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md)
 ### [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md)
 ### [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md)
 ### [Lock down Windows 10 to specific apps (AppLocker)](lock-down-windows-10-to-specific-apps.md)
 ## [Configure Windows 10 Mobile devices](configure-mobile.md)
 ### [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md)
 ### [Use Windows Configuration Designer to configure Windows 10 Mobile devices](provisioning-configure-mobile.md)
-### [Use the Lockdown Designer app to configure Windows 10 Mobile devices](mobile-lockdown-designer.md)
+#### [NFC-based device provisioning](provisioning-nfc.md)
+#### [Barcode provisioning and the package splitter tool](provisioning-package-splitter.md)
+### [Use the Lockdown Designer app to create a Lockdown XML file](mobile-lockdown-designer.md)
 ### [Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md)
 ### [Settings and quick actions that can be locked down in Windows 10 Mobile](settings-that-can-be-locked-down.md)
 ### [Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md)
+### [Start layout XML for mobile editions of Windows 10 (reference)](start-layout-xml-mobile.md)
 ## [Configure Start, taskbar, and lock screen](start-taskbar-lockscreen.md)
-### [Windows Spotlight on the lock 
screen](windows-spotlight.md)
+### [Configure Windows Spotlight on the lock screen](windows-spotlight.md)
 ### [Manage Windows 10 and Windows Store tips, tricks, and suggestions](manage-tips-and-suggestions.md)
 ### [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md)
 #### [Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
 #### [Customize and export Start layout](customize-and-export-start-layout.md)
 #### [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md)
-#### [Start layout XML for mobile editions of Windows 10 (reference)](start-layout-xml-mobile.md)
 #### [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
-#### [Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
-#### [Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
+#### [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
+#### [Customize Windows 10 Start and tasbkar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
 #### [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md)
 ## [Cortana integration in your business or enterprise](cortana-at-work-overview.md)
 ### [Testing scenarios using Cortana in your business or organization](cortana-at-work-testing-scenarios.md)
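Review bot: The added TOC entry for the MDM Start customization topic misspells "taskbar" in its link text (`tasbkar`), so the navigation label will render with the typo; the line should read `#### [Customize Windows 10 Start and taskbar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)`. The link target itself looks unchanged from the removed line, so only the visible text is affected.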
@@ -33,7 +35,8 @@
 #### [Test scenario 3 - Set a reminder for a specific location using Cortana at work](cortana-at-work-scenario-3.md)
 #### [Test scenario 4 - Use Cortana at work to find your upcoming meetings](cortana-at-work-scenario-4.md)
 #### [Test scenario 5 - Use Cortana to send email to a co-worker](cortana-at-work-scenario-5.md)
-#### [Test scenario 6 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device](cortana-at-work-scenario-6.md)
+#### [Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email}(cortana-at-work-scenario-6.md)
+#### [Test scenario 7 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device](cortana-at-work-scenario-7.md)
 ### [Set up and test Cortana with Office 365 in your organization](cortana-at-work-o365.md)
 ### [Set up and test Cortana with Microsoft Dynamics CRM (Preview feature) in your organization](cortana-at-work-crm.md)
 ### [Set up and test Cortana for Power BI in your organization](cortana-at-work-powerbi.md)
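Review bot: The new "Test scenario 6" TOC entry closes its link text with `}` instead of `]`, so it is not a valid Markdown link and the entry will render as literal text rather than navigating to cortana-at-work-scenario-6.md. The line should read `#### [Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email](cortana-at-work-scenario-6.md)`. The neighbouring "Test scenario 7" entry on the next added line has the correct bracket form and can serve as the template.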
@@ -44,14 +47,14 @@
 ## [Provisioning packages for Windows 10](provisioning-packages.md)
 ### [How provisioning works in Windows 10](provisioning-how-it-works.md)
 ### [Introduction to configuration service providers (CSPs)](how-it-pros-can-use-configuration-service-providers.md)
-### [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md)
+### [Install Windows Configuration Designer](provisioning-install-icd.md)
 ### [Create a provisioning package](provisioning-create-package.md)
 ### [Apply a provisioning package](provisioning-apply-package.md)
 ### [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
-### [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
-### [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md)
+### [Provision PCs with common settings for initial deployment (desktop wizard)](provision-pcs-for-initial-deployment.md)
+### [Provision PCs with apps](provision-pcs-with-apps.md)
 ### [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
-### [NFC-based device provisioning](provisioning-nfc.md)
+### [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md)
 ### [Windows ICD command-line interface (reference)](provisioning-command-line.md)
 ### [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
 ## [Lockdown features from Windows Embedded 8.1 Industry](lockdown-features-windows-10.md)
diff --git a/windows/configure/change-history-for-configure-windows-10.md b/windows/configure/change-history-for-configure-windows-10.md
index 80c0283c81..4706cf6049 100644
--- a/windows/configure/change-history-for-configure-windows-10.md
+++ b/windows/configure/change-history-for-configure-windows-10.md
@@ -12,9 +12,8 @@ author: jdeckerMS
 # Change history for Configure Windows 10
-This topic lists new and updated topics in the [Update Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
+This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
->If you're looking for **update history** for Windows 10, see [Windows 10 and Windows Server 2016 update history](https://support.microsoft.com/help/12387/windows-10-update-history).
 ## RELEASE: Windows 10, version 1703
diff --git a/windows/configure/configure-mobile.md b/windows/configure/configure-mobile.md
index fdef1fa5f8..db4bb93e0f 100644
--- a/windows/configure/configure-mobile.md
+++ b/windows/configure/configure-mobile.md
@@ -1,5 +1,5 @@
 ---
-title: configure mobile
+title: Configure Windows 10 Mobile devices
 description:
 keywords: Windows 10, MDM, WSUS, Windows update
 ms.prod: w10
@@ -10,5 +10,19 @@ localizationpriority: high
 author: jdeckerMS
 ---
-# configure mobile
+# Configure Windows 10 Mobile devices
+
+Windows 10 Mobile enables administrators to define what users can see and do on a device, which you might think of as "configuring" or "customizing" or "device lockdown". Your device configuration can provide a standard Start screen with pre-installed apps, or restrict various settings and features, or even limit the device to run only a single app (kiosk).
+
+## In this section
+
+| Topic | Description |
+| --- | --- |
+| [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md) | You can configure a device running Windows 10 Mobile or Windows 10 Mobile Enterprise as a kiosk device, so that users can only interact with a single application that you select. |
+| [Use Windows Configuration Designer to configure Windows 10 Mobile devices](provisioning-configure-mobile.md) | Use Windows Configuration Designer to create provisioning packages. Using provisioning packages, you can easily specify desired configuration and settings required to enroll the devices into management and then apply that configuration to target devices in a matter of minutes. |
+| [Use the Lockdown Designer app to configure Windows 10 Mobile devices](mobile-lockdown-designer.md) | The Lockdown Designer app provides a guided wizard-like process to generate a Lockdown XML file that you can apply to devices running Windows 10 Mobile. |
+| [Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md) | Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device. |
+| [Start layout XML for mobile editions of Windows 10 (reference)](start-layout-xml-mobile.md) | On Windows 10 Mobile, you can use the XML-based layout to modify the Start screen and provide the most robust and complete Start customization experience. 
This reference topic describes the supported elements and attributes for the LayoutModification.xml file. |
+| [Settings and quick actions that can be locked down in Windows 10 Mobile](settings-that-can-be-locked-down.md) | This topic lists the settings and quick actions that can be locked down in Windows 10 Mobile. |
+| [Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md) | You can use the product ID and Application User Model (AUMID) in Lockdown.xml to specify apps that will be available to the user. |
diff --git a/windows/configure/configure-windows-telemetry-in-your-organization.md b/windows/configure/configure-windows-telemetry-in-your-organization.md
index a7f9bbef7e..d8710b1bb2 100644
--- a/windows/configure/configure-windows-telemetry-in-your-organization.md
+++ b/windows/configure/configure-windows-telemetry-in-your-organization.md
@@ -98,17 +98,17 @@ Windows telemetry also helps Microsoft better understand how customers use (or d
 ### Insights into your own organization
-Sharing information with Microsoft helps make Windows and other products better, but it can also help make your internal processes and user experiences better, as well. Microsoft is in the process of developing a set of analytics customized for your internal use. The first of these, called [Windows 10 Upgrade Analytics](../deploy/manage-windows-upgrades-with-upgrade-analytics.md).
+Sharing information with Microsoft helps make Windows and other products better, but it can also help make your internal processes and user experiences better, as well. Microsoft is in the process of developing a set of analytics customized for your internal use. The first of these, called [Upgrade Readiness](../deploy/manage-windows-upgrades-with-upgrade-readiness.md).
-#### Windows 10 Upgrade Analytics
+#### Upgrade Readiness
 Upgrading to new operating system versions has traditionally been a challenging, complex, and slow process for many enterprises. Discovering applications and drivers and then testing them for potential compatibility issues have been among the biggest pain points.
-To better help customers through this difficult process, Microsoft developed Upgrade Analytics to give enterprises the tools to plan and manage the upgrade process end to end and allowing them to adopt new Windows releases more quickly and on an ongoing basis.
+To better help customers through this difficult process, Microsoft developed Upgrade Readiness to give enterprises the tools to plan and manage the upgrade process end to end and allowing them to adopt new Windows releases more quickly and on an ongoing basis.
 With Windows telemetry enabled, Microsoft collects computer, application, and driver compatibility-related information for analysis. We then identify compatibility issues that can block your upgrade and suggest fixes when they are known to Microsoft.
-Use Upgrade Analytics to get:
+Use Upgrade Readiness to get:
 - A visual workflow that guides you from pilot to production
 - Detailed computer, driver, and application inventory
@@ -118,7 +118,7 @@ Use Upgrade Analytics to get:
 - Application usage information, allowing targeted validation; workflow to track validation progress and decisions
 - Data export to commonly used software deployment tools
-The Upgrade Analytics workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded.
+The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded.
 ## How is telemetry data handled by Microsoft?
@@ -179,7 +179,7 @@ The levels are cumulative and are illustrated in the following diagram. Also, th
 ### Security level
-The Security level gathers only the telemetry info that is required to keep Windows devices, Windows Server, and guests protected with the latest security updates. This level is only available on Windows Server 2016, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and Windos IoT Core editions.
+The Security level gathers only the telemetry info that is required to keep Windows devices, Windows Server, and guests protected with the latest security updates. This level is only available on Windows Server 2016, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and Windows IoT Core editions.
 > [!NOTE]
 > If your organization relies on Windows Update for updates, you shouldn’t use the **Security** level. Because no Windows Update information is gathered at this level, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates.
@@ -216,6 +216,8 @@ No user content, such as user files or communications, is gathered at the **Secu
 The Basic level gathers a limited set of data that’s critical for understanding the device and its configuration. This level also includes the **Security** level data. This level helps to identify problems that can occur on a particular hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. The Connected User Experience and Telemetry component does not gather telemetry data about System Center, but it can transmit telemetry for other non-Windows applications if they have user consent.
+The normal upload range for the Basic telemetry level is between 109 KB - 159 KB per day, per device.
+
 The data gathered at this level includes:
 - **Basic device data**. Helps provide an understanding about the types of Windows devices and the configurations and types of native and virtualized Windows Server 2016 in the ecosystem. Examples include:
@@ -256,12 +258,15 @@ The data gathered at this level includes:
 - **Windows Store**. Provides information about how the Windows Store performs, including app downloads, installations, and updates. It also includes Windows Store launches, page views, suspend and resumes, and obtaining licenses.
+
 ### Enhanced level
 The Enhanced level gathers data about how Windows and apps are used and how they perform. This level also includes data from both the **Basic** and **Security** levels. This level helps to improve the user experience with the operating system and apps. Data from this level can be abstracted into patterns and trends that can help Microsoft determine future improvements. This is the default level for Windows 10 Enterprise and Windows 10 Education editions, and the minimum level needed to quickly identify and address Windows, Windows Server, and System Center quality issues.
+The normal upload range for the Enhanced telemetry level is between 239 KB - 348 KB per day, per device.
+
 The data gathered at this level includes:
 - **Operating system events**. Helps to gain insights into different areas of the operating system, including networking, Hyper-V, Cortana, storage, file system, and other components.
diff --git a/windows/configure/cortana-at-work-scenario-6.md b/windows/configure/cortana-at-work-scenario-6.md
index 06a6bf3d51..2ad1c7cb5c 100644
--- a/windows/configure/cortana-at-work-scenario-6.md
+++ b/windows/configure/cortana-at-work-scenario-6.md
@@ -1,6 +1,6 @@
 ---
-title: Test scenario 6 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device (Windows 10)
-description: An optional test scenario about how to use Cortana at work with Windows Information Protection (WIP).
+title: Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email (Windows 10)
+description: A test scenario about how to use Cortana with the Suggested reminders feature.
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
@@ -8,7 +8,7 @@ author: eross-msft
 localizationpriority: high
 ---
-# Test scenario 6 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device
+# Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email
 - Windows 10, Windows Insider Program
 - Windows 10 Mobile, Windows Insider Program
@@ -17,22 +17,32 @@ localizationpriority: high >Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. >[!IMPORTANT] ->The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. +>The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. For more info, see the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Microsoft Services Agreement](https://www.microsoft.com/en-us/servicesagreement). -This optional scenario helps you to protect your organization’s data on a device, based on an inspection by Cortana. +Cortana automatically finds patterns in your email, suggesting reminders based things that you said you would do so you don’t forget about them. For example, Cortana recognizes that if you include the text, _I’ll get this to you by the end of the week_ in an email, you're making a commitment to provide something by a specific date. Cortana can now suggest that you be reminded about this event, letting you decide whether to keep it or to cancel it. -## Use Cortana and WIP to protect your organization’s data +>[!NOTE] +>The Suggested reminders feature is currently only available in English (en-us). -1. Create and deploy an WIP policy to your organization. For info about how to do this, see [Protect your enterprise data using Windows Information Protection (WIP)](../keep-secure/protect-enterprise-data-using-wip.md). +**To use Cortana to create Suggested reminders for you** -2. Create a new email from a non-protected or personal mailbox, including the text _I’ll send you that presentation tomorrow_. +1. 
Make sure that you've connected Cortana to Office 365. For the steps to connect, see [Set up and test Cortana with Office 365 in your organization](cortana-at-work-o365.md). -3. Wait up to 2 hours to make sure everything has updated, click the **Cortana** icon in the taskbar, and then click in the **Search** bar. +2. Click on the **Cortana** search box in the taskbar, click the **Notebook** icon, and then click **Permissions**. - Cortana automatically pulls your commitment to sending the presentation out of your email, showing it to you. +3. Make sure the **Contacts, email, calendar, and communication history** option is turned on. -4. Create a new email from a protected mailbox, including the same text as above, _I’ll send you that presentation tomorrow_. + ![Permissions options for Cortana at work](images/cortana-communication-history-permissions.png) -5. Wait until everything has updated again, click the **Cortana** icon in the taskbar, and then click in the **Search** bar. +4. Click the **Notebook** icon again, click the **Suggested reminders** option, click to turn on the **All reminder suggestions cards** option, click the **Notify me when something I mentioned doing is coming up** box, and then click **Save**. + + ![Suggested reminders options for Cortana at work](images/cortana-suggested-reminder-settings.png) + +5. Create and send an email to yourself (so you can see the Suggested reminder), including the text, _I’ll finish this project by end of day today_. + +6. After you get the email, click on the Cortana **Home** icon, and scroll to today’s events. + + If the reminder has a specific date or time associated with it, like end of day, Cortana notifies you at the appropriate time and puts the reminder into the Action Center. Also from the Home screen, you can view the email where you made the promise, set aside time on your calendar, officially set the reminder, or mark the reminder as completed. 
+ + ![Cortana Home screen with your suggested reminder showing](images/cortana-suggested-reminder.png) - Because it was in an WIP-protected email, the presentation info isn’t pulled out and it isn’t shown to you. diff --git a/windows/configure/cortana-at-work-scenario-7.md b/windows/configure/cortana-at-work-scenario-7.md new file mode 100644 index 0000000000..e8d6cfd3ff --- /dev/null +++ b/windows/configure/cortana-at-work-scenario-7.md 
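Review bot: The new intro paragraph reads "suggesting reminders based things that you said you would do", which is missing a word; it should be `suggesting reminders based on things that you said you would do`. The rest of the replaced steps read cleanly and the privacy-statement link added to the IMPORTANT note is a good addition.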
@@ -0,0 +1,38 @@ +--- +title: Test scenario 7 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device (Windows 10) +description: An optional test scenario about how to use Cortana at work with Windows Information Protection (WIP). +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: eross-msft +localizationpriority: high +--- + +# Test scenario 7 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device + +- Windows 10, Windows Insider Program +- Windows 10 Mobile, Windows Insider Program + +>[!IMPORTANT] +>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +>[!IMPORTANT] +>The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. + +This optional scenario helps you to protect your organization’s data on a device, based on an inspection by Cortana. + +## Use Cortana and WIP to protect your organization’s data + +1. Create and deploy an WIP policy to your organization. For info about how to do this, see [Protect your enterprise data using Windows Information Protection (WIP)](../keep-secure/protect-enterprise-data-using-wip.md). + +2. Create a new email from a non-protected or personal mailbox, including the text _I’ll send you that presentation tomorrow_. + +3. Wait up to 2 hours to make sure everything has updated, click the **Cortana** icon in the taskbar, and then click in the **Search** bar. + + Cortana automatically pulls your commitment to sending the presentation out of your email, showing it to you. + +4. Create a new email from a protected mailbox, including the same text as above, _I’ll send you that presentation tomorrow_. + +5. 
Wait until everything has updated again, click the **Cortana** icon in the taskbar, and then click in the **Search** bar. + + Because it was in an WIP-protected email, the presentation info isn’t pulled out and it isn’t shown to you. diff --git a/windows/configure/cortana-at-work-testing-scenarios.md b/windows/configure/cortana-at-work-testing-scenarios.md index f3227225c1..d58e3e41e7 100644 --- a/windows/configure/cortana-at-work-testing-scenarios.md +++ b/windows/configure/cortana-at-work-testing-scenarios.md 
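Review bot: The IMPORTANT note in this new scenario-7 page carries over the older wording without the Microsoft Privacy Statement and Microsoft Services Agreement links that this same commit adds to the equivalent note in cortana-at-work-scenario-6.md, so the data-upload disclosure now differs between the two scenario pages. Since this is the scenario that deliberately routes organization email content through Cortana, the references belong here at least as much; I'd append the same sentence: `For more info, see the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Microsoft Services Agreement](https://www.microsoft.com/en-us/servicesagreement).` Step 1 also reads "an WIP policy"; `a WIP policy` is the correct article, and the same phrase appears again in the last paragraph ("an WIP-protected email").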
@@ -19,15 +19,19 @@ localizationpriority: high We've come up with a list of suggested testing scenarios that you can use to test Cortana in your organization. After you complete all the scenarios, you should be able to: -- Sign-in to Cortana using Azure AD, manage entries in the notebook, and search for content across your device, Bing, and the cloud, using Cortana. +- [Sign-in to Cortana using Azure AD, manage entries in the notebook, and search for content across your device, Bing, and the cloud, using Cortana](cortana-at-work-scenario-1.md) -- Set a reminder and have it remind you when you’ve reached a specific location. +- [Perform a quick search with Cortana at work](cortana-at-work-scenario-2.md) -- Search for your upcoming meetings on your work calendar. +- [Set a reminder and have it remind you when you’ve reached a specific location](cortana-at-work-scenario-3.md) -- Send an email to a co-worker from your work email app. +- [Search for your upcoming meetings on your work calendar](cortana-at-work-scenario-4.md) -- Use WIP to secure content on a device and then try to manage your organization’s entries in the notebook. +- [Send an email to a co-worker from your work email app](cortana-at-work-scenario-5.md) + +- [Review a reminder suggested by Cortana based on what you’ve promised in email](cortana-at-work-scenario-6.md) + +- [Use Windows Information Protection (WIP) to secure content on a device and then try to manage your organization’s entries in the notebook](cortana-at-work-scenario-7.md) >[!IMPORTANT] >The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. \ No newline at end of file diff --git a/windows/configure/customize-and-export-start-layout.md b/windows/configure/customize-and-export-start-layout.md index 102272ce54..cbff20b284 100644 --- a/windows/configure/customize-and-export-start-layout.md 
+++ b/windows/configure/customize-and-export-start-layout.md @@ -36,7 +36,7 @@ You can deploy the resulting .xml file to devices using one of the following met - [Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) -- [Windows Imaging and Configuration Designer provisioning package](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) +- [Windows Configuration Designer provisioning package](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) - [Mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) @@ -47,7 +47,7 @@ To prepare a Start layout for export, you simply customize the Start layout on a **To prepare a test computer** -1. Set up a test computer on which to customize the Start layout. Your test computer should have the operating system that is installed on the users’ computers (Windows 10 Enterprise or Windows 10 Education). Install all apps and services that the Start layout should display. +1. Set up a test computer on which to customize the Start layout. Your test computer should have the operating system that is installed on the users’ computers (Windows 10 Pro, Enterprise, or Education). Install all apps and services that the Start layout should display. 2. Create a new user account that you will use to customize the Start layout. @@ -70,7 +70,8 @@ To prepare a Start layout for export, you simply customize the Start layout on a - **Create your own app groups**. Drag the apps to an empty area. To name a group, click above the group of tiles and then type the name in the **Name group** field that appears above the group. -## Export the Start layout + +## Export the Start layout When you have the Start layout that you want your users to see, use the [Export-StartLayout](https://go.microsoft.com/fwlink/p/?LinkId=620879) cmdlet in Windows PowerShell to export the Start layout to an .xml file. 
diff --git a/windows/configure/customize-windows-10-start-screens-by-using-group-policy.md b/windows/configure/customize-windows-10-start-screens-by-using-group-policy.md index 47b68d045b..5a2c3940fa 100644 --- a/windows/configure/customize-windows-10-start-screens-by-using-group-policy.md +++ b/windows/configure/customize-windows-10-start-screens-by-using-group-policy.md @@ -1,6 +1,6 @@ --- -title: Customize Windows 10 Start with Group Policy (Windows 10) -description: In Windows 10 Enterprise and Windows 10 Education, you can use a Group Policy Object (GPO) to deploy a customized Start layout to users in a domain. +title: Customize Windows 10 Start and tasbkar with Group Policy (Windows 10) +description: In Windows 10, you can use a Group Policy Object (GPO) to deploy a customized Start layout to users in a domain. ms.assetid: F4A47B36-F1EF-41CD-9CBA-04C83E960545 keywords: ["Start layout", "start menu", "layout", "group policy"] ms.prod: w10 
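Review bot: The new front-matter title misspells "taskbar" as "tasbkar"; it should read `title: Customize Windows 10 Start and taskbar with Group Policy (Windows 10)`. The same misspelling is introduced in the MDM page's description line (hunk starting `@@ -1,6 +1,6 @@` in customize-windows-10-start-screens-by-using-mobile-device-management.md) and in the provisioning-packages page title (hunk `@@ -1,5 +1,5 @@` in customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md). These fields feed the rendered page title, the browser tab and search indexing, so the typo is user-visible.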
@@ -19,7 +19,7 @@ localizationpriority: high >**Looking for consumer information?** See [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630) -In Windows 10 Enterprise and Windows 10 Education, you can use a Group Policy Object (GPO) to deploy a customized Start and taskbar layout to users in a domain. No reimaging is required, and the layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start and taskbar layouts for different departments or organizations, with minimal management overhead. +In Windows 10 Pro, Enterprise, and Education, you can use a Group Policy Object (GPO) to deploy a customized Start and taskbar layout to users in a domain. No reimaging is required, and the layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start and taskbar layouts for different departments or organizations, with minimal management overhead. This topic describes how to update Group Policy settings to display a customized Start and taskbar layout when the users sign in. By creating a domain-based GPO with these settings, you can deploy a customized Start and taskbar layout to users in a domain. 
@@ -33,7 +33,7 @@ This topic describes how to update Group Policy settings to display a customized ## Operating system requirements -Start and taskbar layout control using Group Policy is supported in Windows 10 Enterprise and Windows 10 Education, Version 1607. Start and taskbar layout control is not supported in Windows 10 Pro. +Start and taskbar layout control using Group Policy is supported in Windows 10 Enterprise and Windows 10 Education, version 1607. Start and taskbar layout control is supported in Windows 10 Pro in Windows 10, version 1703. The GPO can be configured from any computer on which the necessary ADMX and ADML files (StartMenu.admx and StartMenu.adml) for Windows 10 are installed. In Group Policy, ADMX files are used to define Registry-based policy settings in the Administrative Templates category. To find out how to create a central store for Administrative Templates files, see [article 929841, written for Windows Vista and still applicable](https://go.microsoft.com/fwlink/p/?LinkId=691687) in the Microsoft Knowledge Base. diff --git a/windows/configure/customize-windows-10-start-screens-by-using-mobile-device-management.md b/windows/configure/customize-windows-10-start-screens-by-using-mobile-device-management.md index 2ccace55f5..16f95659b2 100644 --- a/windows/configure/customize-windows-10-start-screens-by-using-mobile-device-management.md +++ b/windows/configure/customize-windows-10-start-screens-by-using-mobile-device-management.md 
@@ -1,6 +1,6 @@ --- -title: Customize Windows 10 Start with mobile device management (MDM) (Windows 10) -description: In Windows 10 Enterprise and Windows 10 Education, you can use a mobile device management (MDM) policy to deploy a customized Start layout to users. +title: Customize Windows 10 Start and taskbar with mobile device management (MDM) (Windows 10) +description: In Windows 10, you can use a mobile device management (MDM) policy to deploy a customized Start and tasbkar layout to users. ms.assetid: F487850D-8950-41FB-9B06-64240127C1E4 keywords: ["start screen", "start menu"] ms.prod: w10 @@ -10,7 +10,7 @@ author: jdeckerMS localizationpriority: medium --- -# Customize Windows 10 Start with mobile device management (MDM) +# Customize Windows 10 Start and taskbar with mobile device management (MDM) **Applies to** 
@@ -18,18 +18,17 @@ localizationpriority: medium - Windows 10 - Windows 10 Mobile -**Looking for consumer information?** +>**Looking for consumer information?** [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630) -- [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630) +In Windows 10 Mobile, Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, you can use a mobile device management (MDM) policy to deploy a customized Start and taskbar layout to users. No reimaging is required, and the layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start layouts for different departments or organizations, with minimal management overhead. -In Windows 10 Mobile, Windows 10 Enterprise, and Windows 10 Education, you can use a mobile device management (MDM) policy to deploy a customized Start layout to users. No reimaging is required, and the Start layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start layouts for different departments or organizations, with minimal management overhead. +>[!NOTE] +>Support for applying a customized taskbar using MDM is added in Windows 10, version 1703. -> **Note:** Customized taskbar configuration cannot be applied using MDM at this time. +**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions or [create a Start layout XML](mobile-lockdown-designer.md) for mobile. -**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions or [create a Start layout XML](start-layout-xml-mobile.md) for mobile. - -**Warning**   -When a full Start layout is applied with this method, the users cannot pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to Start. 
When a partial Start layout is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups. +>[!WARNING]  +>When a full Start layout is applied with this method, the users cannot pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to Start. When a partial Start layout is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups.   @@ -40,8 +39,8 @@ Two features enable Start layout control: - The **Export-StartLayout** cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format. - **Note**   - To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](https://go.microsoft.com/fwlink/p/?LinkId=623707) cmdlet. + >[!NOTE]   + >To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](https://go.microsoft.com/fwlink/p/?LinkId=623707) cmdlet.   diff --git a/windows/configure/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md b/windows/configure/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md index 7cc8395f8b..8c7153b1ce 100644 --- a/windows/configure/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md +++ b/windows/configure/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md @@ -1,5 +1,5 @@ --- -title: Customize Windows 10 Start with ICD and provisioning packages (Windows 10) +title: Customize Windows 10 Start and tasbkar with provisioning packages (Windows 10) description: In Windows 10, you can use a provisioning package to deploy a customized Start layout to users. ms.assetid: AC952899-86A0-42FC-9E3C-C25F45B1ACAC keywords: ["Start layout", "start menu"] 
@@ -10,7 +10,7 @@ author: jdeckerMS localizationpriority: medium --- -# Customize Windows 10 Start and taskbar with ICD and provisioning packages +# Customize Windows 10 Start and taskbar with provisioning packages **Applies to** 
@@ -18,16 +18,14 @@ localizationpriority: medium - Windows 10 - Windows 10 Mobile -**Looking for consumer information?** +>**Looking for consumer information?** [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630) -- [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630) - -In Windows 10 Mobile, Windows 10 Enterprise, and Windows 10 Education, version 1607, you can use a provisioning package that you create with Windows Imaging and Configuration Designer (ICD) tool to deploy a customized Start and taskbar layout to users. No reimaging is required, and the Start and taskbar layout can be updated simply by overwriting the .xml file that contains the layout. The provisioning package can be applied to a running device. This enables you to customize Start and taskbar layouts for different departments or organizations, with minimal management overhead. +In Windows 10 Mobile, Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, version 1703, you can use a provisioning package that you create with Windows Configuration Designer to deploy a customized Start and taskbar layout to users. No reimaging is required, and the Start and taskbar layout can be updated simply by overwriting the .xml file that contains the layout. The provisioning package can be applied to a running device. This enables you to customize Start and taskbar layouts for different departments or organizations, with minimal management overhead. >[!IMPORTANT] >If you use a provisioning package to configure the taskbar, your configuration will be reapplied each time the explorer.exe process restarts. If your configuration pins an app and the user unpins that app, the user's change will be overwritten the next time the configuration is applied. To apply a taskbar configuration and allow users to make changes that will persist, apply your configuration by using Group Policy. 
-**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions or [create a Start layout XML](start-layout-xml-mobile.md) for mobile. +**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions or [create a Start layout XML](mobile-lockdown-designer.md) for mobile. ## How Start layout control works 
@@ -36,23 +34,39 @@ Three features enable Start and taskbar layout control: - The **Export-StartLayout** cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format. - **Note**   - To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](https://go.microsoft.com/fwlink/p/?LinkId=623707) cmdlet. + >[!NOTE]   + >To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](https://go.microsoft.com/fwlink/p/?LinkId=623707) cmdlet. - [You can modify the Start .xml file](configure-windows-10-taskbar.md) to include `` or create an .xml file just for the taskbar configuration. +- In Windows Configuration Designer, you use the **Policies/Start/StartLayout** setting to provide the contents of the .xml file that defines the Start and taskbar layout. -- In ICD, you use the **Start/StartLayout** setting to set the path to the .xml file that defines the Start and taskbar layout. + +## Prepare the Start layout XML file + +Before you paste the contents of the .xml file in the **Policies/Start/StartLayout** setting, you must remove all line breaks and replace markup characters with escape characters. + +1. In PowerShell, run the following script: + + ``` + $path="layout.xml" + (Get-Content $path -Raw).Replace("'r'n","") | Set-Content $path -Force + ``` + +2. Copy the contents of layout.xml into an online tool that escapes characters. + +3. Copy the text with the escape characters and paste it in the **Polilcies/Start/StartLayout** setting in your provisioning package. ## Create a provisioning package that contains a customized Start layout -Use the [Imaging and Configuration Designer (ICD) tool](https://go.microsoft.com/fwlink/p/?LinkID=525483) included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package that applies a customized Start and taskbar layout. 
[Install the ADK.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) +Use the Windows Configuration Designer tool to create a provisioning package. [Learn how to install Windows Configuration Designer.](provisioning-install-icd.md) >[!IMPORTANT] >When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. -1. Open ICD (by default, %systemdrive%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). +1. Open Windows Configuration Designer (by default, %systemdrive%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). + 2. Choose **Advanced provisioning**. 3. Name your project, and click **Next**. @@ -61,12 +75,12 @@ Use the [Imaging and Configuration Designer (ICD) tool](https://go.microsoft.com 5. On **New project**, click **Finish**. The workspace for your package opens. -6. Expand **Runtime settings** > **Start**, and click **StartLayout**. +6. Expand **Runtime settings** > **Policies** > **Start**, and click **StartLayout**. >[!TIP] >If **Start** is not listed, check the type of settings you selected in step 4. You must create the project using settings for **All Windows desktop editions**. -7. Specify the path and file name of the Start layout .xml that you created with the [Export-StartLayout](https://go.microsoft.com/fwlink/p/?LinkId=620879) cmdlet. +7. Paste the text from the layout.xml file, [with line breaks removed and markup characters replaced with escape characters](#escape). 8. On the **File** menu, select **Save.** 
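Review bot: The PowerShell snippet under the new "Prepare the Start layout XML file" heading passes `"'r'n"` to `.Replace`; PowerShell's escape character in double-quoted strings is the backtick, not the apostrophe, so this pattern is the literal four characters 'r'n, the replace never matches and the line breaks remain in the file. A form that needs no escape sequence and also handles LF-only files is `(Get-Content $path -Raw) -replace "\r?\n", "" | Set-Content $path -Force`. Step 2 then directs the reader to paste the layout into "an online tool that escapes characters", while the IMPORTANT note a few lines below in the same hunk warns that provisioning project files may contain sensitive information; the escaping can be done locally instead, e.g. `[System.Security.SecurityElement]::Escape((Get-Content $path -Raw))`, which produces the XML-escaped text without sending it to a third party. Step 3 also misspells the setting path as `Polilcies/Start/StartLayout`.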
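Review bot: Step 7's new link targets `#escape`, but the section this commit adds earlier in the file is headed "Prepare the Start layout XML file", whose generated anchor would be `#prepare-the-start-layout-xml-file`; unless an explicit `escape` anchor exists somewhere not visible in this diff, the link is dead. Either change the target to `(#prepare-the-start-layout-xml-file)` or add an explicit anchor element on that heading in the earlier hunk.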
diff --git a/windows/configure/guidelines-for-assigned-access-app.md b/windows/configure/guidelines-for-assigned-access-app.md index 0552f8af1a..30dd845161 100644 --- a/windows/configure/guidelines-for-assigned-access-app.md +++ b/windows/configure/guidelines-for-assigned-access-app.md @@ -20,7 +20,7 @@ localizationpriority: high You can use assigned access to restrict customers at your business to using only one Windows app so your device acts like a kiosk. Administrators can use assigned access to restrict a selected user account to access a single Windows app. You can choose almost any Windows app for assigned access; however, some apps may not provide a good user experience. -The following guidelines may help you choose an appropriate Windows app for your assigned access experience in Windows 10, Version 1607. +The following guidelines may help you choose an appropriate Windows app for your assigned access experience. ## General guidelines @@ -82,19 +82,7 @@ The above guidelines may help you select or develop an appropriate Windows app f [Customizing Your Device Experience with Assigned Access](https://channel9.msdn.com/Events/Build/2016/P508) -## Related topics -[Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md) - -[Set up a device for anyone to use (kiosk mode)](set-up-a-device-for-anyone-to-use.md) - -[Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) - -[Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md) - -[Lock down Windows 10 to specific apps](lock-down-windows-10-to-specific-apps.md) - -    diff --git a/windows/configure/images/account-management-details.PNG b/windows/configure/images/account-management-details.PNG new file mode 100644 index 0000000000..e4307d8f7b Binary files /dev/null and b/windows/configure/images/account-management-details.PNG differ 
diff --git a/windows/configure/images/account-management.PNG b/windows/configure/images/account-management.PNG new file mode 100644 index 0000000000..34165dfcd6 Binary files /dev/null and b/windows/configure/images/account-management.PNG differ diff --git a/windows/configure/images/add-applications-details.PNG b/windows/configure/images/add-applications-details.PNG new file mode 100644 index 0000000000..2efd3483ae Binary files /dev/null and b/windows/configure/images/add-applications-details.PNG differ diff --git a/windows/configure/images/add-applications.PNG b/windows/configure/images/add-applications.PNG new file mode 100644 index 0000000000..2316deb2fd Binary files /dev/null and b/windows/configure/images/add-applications.PNG differ diff --git a/windows/configure/images/add-certificates-details.PNG b/windows/configure/images/add-certificates-details.PNG new file mode 100644 index 0000000000..78cd783282 Binary files /dev/null and b/windows/configure/images/add-certificates-details.PNG differ diff --git a/windows/configure/images/add-certificates.PNG b/windows/configure/images/add-certificates.PNG new file mode 100644 index 0000000000..24cb605d1c Binary files /dev/null and b/windows/configure/images/add-certificates.PNG differ diff --git a/windows/configure/images/apps.png b/windows/configure/images/apps.png new file mode 100644 index 0000000000..5cb3b7ec8f Binary files /dev/null and b/windows/configure/images/apps.png differ diff --git a/windows/configure/images/bulk-enroll-mobile-details.PNG b/windows/configure/images/bulk-enroll-mobile-details.PNG new file mode 100644 index 0000000000..8329d39cfc Binary files /dev/null and b/windows/configure/images/bulk-enroll-mobile-details.PNG differ diff --git a/windows/configure/images/bulk-enroll-mobile.PNG b/windows/configure/images/bulk-enroll-mobile.PNG new file mode 100644 index 0000000000..812b57e8e0 Binary files /dev/null and b/windows/configure/images/bulk-enroll-mobile.PNG differ 
diff --git a/windows/configure/images/cortana-communication-history-permissions.png b/windows/configure/images/cortana-communication-history-permissions.png new file mode 100644 index 0000000000..db182be13c Binary files /dev/null and b/windows/configure/images/cortana-communication-history-permissions.png differ diff --git a/windows/configure/images/cortana-suggested-reminder-settings.png b/windows/configure/images/cortana-suggested-reminder-settings.png new file mode 100644 index 0000000000..176dbff483 Binary files /dev/null and b/windows/configure/images/cortana-suggested-reminder-settings.png differ diff --git a/windows/configure/images/cortana-suggested-reminder.png b/windows/configure/images/cortana-suggested-reminder.png new file mode 100644 index 0000000000..4184bd1b6c Binary files /dev/null and b/windows/configure/images/cortana-suggested-reminder.png differ diff --git a/windows/configure/images/developer-setup.PNG b/windows/configure/images/developer-setup.PNG new file mode 100644 index 0000000000..8c93d5ed91 Binary files /dev/null and b/windows/configure/images/developer-setup.PNG differ diff --git a/windows/configure/images/finish-details-mobile.PNG b/windows/configure/images/finish-details-mobile.PNG new file mode 100644 index 0000000000..c25a6b4b2f Binary files /dev/null and b/windows/configure/images/finish-details-mobile.PNG differ diff --git a/windows/configure/images/finish-details.png b/windows/configure/images/finish-details.png new file mode 100644 index 0000000000..727efac696 Binary files /dev/null and b/windows/configure/images/finish-details.png differ diff --git a/windows/configure/images/finish-mobile.PNG b/windows/configure/images/finish-mobile.PNG new file mode 100644 index 0000000000..336e24289e Binary files /dev/null and b/windows/configure/images/finish-mobile.PNG differ 
diff --git a/windows/configure/images/finish.PNG b/windows/configure/images/finish.PNG new file mode 100644 index 0000000000..7c65da1799 Binary files /dev/null and b/windows/configure/images/finish.PNG differ diff --git a/windows/configure/images/icd-create-options-1703.PNG b/windows/configure/images/icd-create-options-1703.PNG new file mode 100644 index 0000000000..007e740683 Binary files /dev/null and b/windows/configure/images/icd-create-options-1703.PNG differ diff --git a/windows/configure/images/icd-desktop-1703.PNG b/windows/configure/images/icd-desktop-1703.PNG new file mode 100644 index 0000000000..7c060af4d0 Binary files /dev/null and b/windows/configure/images/icd-desktop-1703.PNG differ diff --git a/windows/configure/images/kiosk-account-details.PNG b/windows/configure/images/kiosk-account-details.PNG new file mode 100644 index 0000000000..53c31880ea Binary files /dev/null and b/windows/configure/images/kiosk-account-details.PNG differ diff --git a/windows/configure/images/kiosk-account.PNG b/windows/configure/images/kiosk-account.PNG new file mode 100644 index 0000000000..f78f9b9d56 Binary files /dev/null and b/windows/configure/images/kiosk-account.PNG differ diff --git a/windows/configure/images/kiosk-common-details.PNG b/windows/configure/images/kiosk-common-details.PNG new file mode 100644 index 0000000000..5eda9b293e Binary files /dev/null and b/windows/configure/images/kiosk-common-details.PNG differ diff --git a/windows/configure/images/kiosk-common.PNG b/windows/configure/images/kiosk-common.PNG new file mode 100644 index 0000000000..f5873a53aa Binary files /dev/null and b/windows/configure/images/kiosk-common.PNG differ diff --git a/windows/configure/images/ld-apps.PNG b/windows/configure/images/ld-apps.PNG new file mode 100644 index 0000000000..ef65ff9a52 Binary files /dev/null and b/windows/configure/images/ld-apps.PNG differ 
diff --git a/windows/configure/images/ld-buttons.PNG b/windows/configure/images/ld-buttons.PNG
new file mode 100644
index 0000000000..d89eff3b35
Binary files /dev/null and b/windows/configure/images/ld-buttons.PNG differ
diff --git a/windows/configure/images/ld-connect.PNG b/windows/configure/images/ld-connect.PNG
new file mode 100644
index 0000000000..15094b0e2b
Binary files /dev/null and b/windows/configure/images/ld-connect.PNG differ
diff --git a/windows/configure/images/ld-csp.PNG b/windows/configure/images/ld-csp.PNG
new file mode 100644
index 0000000000..6d7caa5163
Binary files /dev/null and b/windows/configure/images/ld-csp.PNG differ
diff --git a/windows/configure/images/ld-export.PNG b/windows/configure/images/ld-export.PNG
new file mode 100644
index 0000000000..970e5939bc
Binary files /dev/null and b/windows/configure/images/ld-export.PNG differ
diff --git a/windows/configure/images/ld-other.PNG b/windows/configure/images/ld-other.PNG
new file mode 100644
index 0000000000..c8b5f7518a
Binary files /dev/null and b/windows/configure/images/ld-other.PNG differ
diff --git a/windows/configure/images/ld-pair.PNG b/windows/configure/images/ld-pair.PNG
new file mode 100644
index 0000000000..0859810e73
Binary files /dev/null and b/windows/configure/images/ld-pair.PNG differ
diff --git a/windows/configure/images/ld-quick.PNG b/windows/configure/images/ld-quick.PNG
new file mode 100644
index 0000000000..63a6173103
Binary files /dev/null and b/windows/configure/images/ld-quick.PNG differ
diff --git a/windows/configure/images/ld-settings.PNG b/windows/configure/images/ld-settings.PNG
new file mode 100644
index 0000000000..eb6a37d925
Binary files /dev/null and b/windows/configure/images/ld-settings.PNG differ
diff --git a/windows/configure/images/ld-start.PNG b/windows/configure/images/ld-start.PNG
new file mode 100644
index 0000000000..4081f3e1e2
Binary files /dev/null and b/windows/configure/images/ld-start.PNG differ
diff --git a/windows/configure/images/ld-sync.PNG b/windows/configure/images/ld-sync.PNG
new file mode 100644
index 0000000000..3f54d910ac
Binary files /dev/null and b/windows/configure/images/ld-sync.PNG differ
diff --git a/windows/configure/images/ldstore.PNG b/windows/configure/images/ldstore.PNG
new file mode 100644
index 0000000000..63f0eedee7
Binary files /dev/null and b/windows/configure/images/ldstore.PNG differ
diff --git a/windows/configure/images/lily.jpg b/windows/configure/images/lily.jpg
new file mode 100644
index 0000000000..eb144d1f2b
Binary files /dev/null and b/windows/configure/images/lily.jpg differ
diff --git a/windows/configure/images/set-up-device-details-desktop.PNG b/windows/configure/images/set-up-device-details-desktop.PNG
new file mode 100644
index 0000000000..97c8a1b704
Binary files /dev/null and b/windows/configure/images/set-up-device-details-desktop.PNG differ
diff --git a/windows/configure/images/set-up-device-details-mobile.PNG b/windows/configure/images/set-up-device-details-mobile.PNG
new file mode 100644
index 0000000000..f41fe99a72
Binary files /dev/null and b/windows/configure/images/set-up-device-details-mobile.PNG differ
diff --git a/windows/configure/images/set-up-device-details.PNG b/windows/configure/images/set-up-device-details.PNG
new file mode 100644
index 0000000000..031dac6fe6
Binary files /dev/null and b/windows/configure/images/set-up-device-details.PNG differ
diff --git a/windows/configure/images/set-up-device-mobile.PNG b/windows/configure/images/set-up-device-mobile.PNG
new file mode 100644
index 0000000000..b8173385d4
Binary files /dev/null and b/windows/configure/images/set-up-device-mobile.PNG differ
diff --git a/windows/configure/images/set-up-device.PNG b/windows/configure/images/set-up-device.PNG
new file mode 100644
index 0000000000..0c9eb0e3ff
Binary files /dev/null and b/windows/configure/images/set-up-device.PNG differ
diff --git a/windows/configure/images/set-up-network-details-desktop.PNG b/windows/configure/images/set-up-network-details-desktop.PNG
new file mode 100644
index 0000000000..83911ccbd0
Binary files /dev/null and b/windows/configure/images/set-up-network-details-desktop.PNG differ
diff --git a/windows/configure/images/set-up-network-details-mobile.PNG b/windows/configure/images/set-up-network-details-mobile.PNG
new file mode 100644
index 0000000000..8f515ba1f6
Binary files /dev/null and b/windows/configure/images/set-up-network-details-mobile.PNG differ
diff --git a/windows/configure/images/set-up-network-details.PNG b/windows/configure/images/set-up-network-details.PNG
new file mode 100644
index 0000000000..778b8497c4
Binary files /dev/null and b/windows/configure/images/set-up-network-details.PNG differ
diff --git a/windows/configure/images/set-up-network-mobile.PNG b/windows/configure/images/set-up-network-mobile.PNG
new file mode 100644
index 0000000000..9442b33e90
Binary files /dev/null and b/windows/configure/images/set-up-network-mobile.PNG differ
diff --git a/windows/configure/images/set-up-network.PNG b/windows/configure/images/set-up-network.PNG
new file mode 100644
index 0000000000..a0e856c103
Binary files /dev/null and b/windows/configure/images/set-up-network.PNG differ
diff --git a/windows/configure/images/seven.png b/windows/configure/images/seven.png
new file mode 100644
index 0000000000..285a92df0b
Binary files /dev/null and b/windows/configure/images/seven.png differ
diff --git a/windows/configure/images/six.png b/windows/configure/images/six.png
index 8bf761ef20..e8906332ec 100644
Binary files a/windows/configure/images/six.png and b/windows/configure/images/six.png differ
diff --git a/windows/configure/images/startannotated.png b/windows/configure/images/startannotated.png
index d46f3a70c2..9261fd9078 100644
Binary files a/windows/configure/images/startannotated.png and b/windows/configure/images/startannotated.png differ
diff --git a/windows/configure/index.md b/windows/configure/index.md
index eceae9b24b..bbe9b61e15 100644
--- a/windows/configure/index.md
+++ b/windows/configure/index.md
@@ -18,17 +18,17 @@ Enterprises often need to apply custom configurations to devices for their users | Topic | Description | | --- | --- | -| [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md) | se this article to make informed decisions about how you can configure Windows telemetry in your organization. | -| [Manage connections from Windows operating system components to Microsoft services] (manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Learn about the network connections that Windows components make to Microsoft and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro. | +| [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md) | Use this article to make informed decisions about how you can configure Windows telemetry in your organization. | +| [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Learn about the network connections that Windows components make to Microsoft and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro. | | [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) | Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places. It can connect you to open Wi-Fi hotspots it knows about through crowdsourcing, or to Wi-Fi networks your contacts have shared with you by using Wi-Fi Sense. The initial settings for Wi-Fi Sense are determined by the options you chose when you first set up your PC with Windows 10. 
| -| [Configure kiosk and shared devices running Windows 10 desktop editions](kiosk-shared-pc.md) | | -| [Configure Windows 10 Mobile devices](configure-mobile.md) | | -| [Configure Start, taskbar, and lock screen](start-taskbar-lockscreen.md) | | -| [Cortana integration in your business or enterprise](cortana-at-work-overview.md) | | +| [Configure kiosk and shared devices running Windows 10 desktop editions](kiosk-shared-pc.md) | These topics help you configure Windows 10 devices to be shared by multiple users or to run as a kiosk device that runs a single app. | +| [Configure Windows 10 Mobile devices](configure-mobile.md) | These topics help you configure the features and apps and Start screen for a device running Windows 10 Mobile, as well as how to configure a kiosk device that runs a single app. | +| [Configure Start, taskbar, and lock screen](start-taskbar-lockscreen.md) | A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. Configuring the taskbar allows the organization to pin useful apps for their employees and to remove apps that are pinned by default. | +| [Cortana integration in your business or enterprise](cortana-at-work-overview.md) | The world’s first personal digital assistant helps users get things done, even at work. Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments. | | [Configure access to Windows Store](stop-employees-from-using-the-windows-store.md) | IT Pros can configure access to Windows Store for client computers in their organization. For some organizations, business policies require blocking access to Windows Store. 
| -| [Provisioning packages for Windows 10](provisioning-packages.md) | | +| [Provisioning packages for Windows 10](provisioning-packages.md) | Learn how to use the Windows Configuration Designer and provisioning packages to easily configure multiple devices. | | [Lockdown features from Windows Embedded 8.1 Industry](lockdown-features-windows-10.md) | Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10. | -| [Change history for Configure Windows 10](change-history-for-configure-windows-10.md) | | +| [Change history for Configure Windows 10](change-history-for-configure-windows-10.md) | This topic lists new and updated topics in the Configure Windows 10 documentation for Windows 10 and Windows 10 Mobile. | diff --git a/windows/configure/kiosk-shared-pc.md b/windows/configure/kiosk-shared-pc.md index e434735152..2afc67e022 100644 --- a/windows/configure/kiosk-shared-pc.md +++ b/windows/configure/kiosk-shared-pc.md 
@@ -1,14 +1,23 @@ --- -title: kiosk shared pc (Windows 10) +title: Configure kiosk and shared devices running Windows desktop editions (Windows 10) description: -keywords: Windows 10, MDM, WSUS, Windows update ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: high +localizationpriority: medium author: jdeckerMS --- -# kiosk shared pc +# Configure kiosk and shared devices running Windows desktop editions +Some desktop devices in an enterprise serve a special purpose, such as a common PC in a touchdown space that any employee can sign in to, or a PC in the lobby that customers can use to view your product catalog. Windows 10 is easy to configure for shared use or for use as a kiosk (single app). + +## In this section + +| Topic | Description | +| --- | --- | +| [Set up a shared or guest PC with Windows 10](set-up-a-device-for-anyone-to-use.md) | Windows 10, version 1607, introduced *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. | +| [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | You can configure a device running Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education as a kiosk device, so that users can only interact with a single application that you select. | +| [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) | You can choose almost any Windows app for assigned access; however, some apps may not provide a good user experience. This topic provides guidelines to help you choose an approprate app for a kiosk device. | +| [Lock down Windows 10 to specific apps (AppLocker)](lock-down-windows-10-to-specific-apps.md) | Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. 
The result is similar to a kiosk device, but with multiple apps available. For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings. | \ No newline at end of file diff --git a/windows/configure/lock-down-windows-10-to-specific-apps.md b/windows/configure/lock-down-windows-10-to-specific-apps.md index 8ab992a6f0..8ae79ef7f2 100644 --- a/windows/configure/lock-down-windows-10-to-specific-apps.md +++ b/windows/configure/lock-down-windows-10-to-specific-apps.md @@ -112,14 +112,11 @@ In addition to specifying the apps that users can run, you should also restrict To learn more about locking down features, see [Customizations for Windows 10 Enterprise](https://go.microsoft.com/fwlink/p/?LinkId=691442). -## Customize Start screen layout for the device +## Customize Start screen layout for the device (recommended) Configure the Start menu on the device to only show tiles for the permitted apps. You will make the changes manually, export the layout to an .xml file, and then apply that file to devices to prevent users from making changes. For instructions, see [Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md). -## Related topics - -- [Provisioning packages for Windows 10](../deploy/provisioning-packages.md)   diff --git a/windows/configure/lockdown-xml.md b/windows/configure/lockdown-xml.md index 936ed8c310..9398934ee7 100644 --- a/windows/configure/lockdown-xml.md +++ b/windows/configure/lockdown-xml.md 
@@ -19,9 +19,9 @@ localizationpriority: high Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device. For example, the enterprise can lock down a device so that only applications and settings in an allow list are available. -This topic provides example XML that you can use in your own lockdown XML file that can be included in a provisioning package or when using a mobile device management (MDM) solution to push lockdown settings to enrolled devices. +This is accomplished using Lockdown XML, an XML file that contains settings for Windows 10 Mobile. When you deploy the lockdown XML file to a device, it is saved on the device as **wehlockdown.xml**. When the device boots, it looks for wehlockdown.xml and applies any settings configured in the file. -Lockdown XML is an XML file that contains settings for Windows 10 Mobile. When you deploy the lockdown XML file to a device, it is saved on the device as **wehlockdown.xml**. When the device boots, it looks for wehlockdown.xml and applies any settings configured in the file. In this topic, you'll learn how to create an XML file that contains all lockdown entries available in the AssignedAccessXml area of the [EnterpriseAssignedAccess configuration service provider (CSP)](https://go.microsoft.com/fwlink/p/?LinkID=618601). +In this topic, you'll learn how to create an XML file that contains all lockdown entries available in the AssignedAccessXml area of the [EnterpriseAssignedAccess configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterpriseassignedaccess-csp). This topic provides example XML that you can use in your own lockdown XML file that can be included in a provisioning package or when using a mobile device management (MDM) solution to push lockdown settings to enrolled devices. 
You can also use the [Lockdown Designer app](mobile-lockdown-designer.md) to configure and export your lockdown XML file. > [!NOTE] > On Windows 10 desktop editions, *assigned access* is a feature that lets you configure the device to run a single app above the lockscreen ([kiosk mode](set-up-a-device-for-anyone-to-use.md)). On a Windows 10 Mobile device, assigned access refers to the lockdown settings in AssignedAccessXml in the [EnterpriseAssignedAccess configuration service provider (CSP)](https://go.microsoft.com/fwlink/p/?LinkID=618601). @@ -33,17 +33,17 @@ If you're not familiar with CSPs, read [Introduction to configuration service pr Let's start by looking at the basic structure of the lockdown XML file. You can start your file by pasting the following XML (or any other examples in this topic) into a text or XML editor, and saving the file as *filename*.xml. ```xml - - + + - - - - - - - - + + + + + + + + ``` @@ -52,7 +52,8 @@ Let's start by looking at the basic structure of the lockdown XML file. You can The settings for the Default role and other roles must be listed in your XML file in the order presented in this topic. All of the entries are optional. If you don't include a setting, that aspect of the device will operate as it would for an nonconfigured device. -> **Tip**  Keep your XML file easy to work with and to understand by using proper indentation and adding comments for each setting you configure. +>[!TIP] +>Keep your XML file easy to work with and to understand by using proper indentation and adding comments for each setting you configure. ## Action Center 
@@ -325,27 +326,28 @@ Use DisableMenuItems to prevent use of the context menu, which is displayed when ![XML for settings](images/SettingsXML.png) -The **Settings** section contains an `allow` list of pages in the Settings app. The following example allows all settings. +The **Settings** section contains an `allow` list of pages in the Settings app and quick actions. The following example allows all settings. ```xml ``` -In the following example, all system setting pages are enabled. +In earlier versions of Windows 10, you used the page name to define allowed settings. Starting in Windows 10, version 1703, you use the settings URI. + +In the following example for Windows 10, version 1703, all system setting pages that have a settings URI are enabled. ```xml - - - - - - - - - - + + + + + + + + + ``` 
@@ -372,58 +374,61 @@ For a list of the settings and quick actions that you can allow or block, see [S ## Start screen size Specify the size of the Start screen. In addition to 4/6 columns, you can also use 4/6/8 depending on screen resolutions. Valid values: - * Small sets the width to 4 columns on devices with short axis (less than 400epx) or 6 columns on devices with short axis (greater than or equal to 400epx). - * Large sets the width to 6 columns on devices with short axis (less than 400epx) or 8 columns on devices with short axis (greater than or equal to 400epx). - + - Small sets the width to 4 columns on devices with short axis (less than 400epx) or 6 columns on devices with short axis (greater than or equal to 400epx). + - Large sets the width to 6 columns on devices with short axis (less than 400epx) or 8 columns on devices with short axis (greater than or equal to 400epx). + If you have existing lockdown xml, you must update start screen size if your device has >=400epx on its short axis so that tiles on Start can fill all 8 columns if you want to use all 8 columns instead of 6, or use 6 columns instead of 4. [Learn about effective pixel width (epx) for different device size classes.](https://go.microsoft.com/fwlink/p/?LinkId=733340) - ## Configure additional roles +## Configure additional roles - You can add custom configurations by role. In addition to the role configuration, you must also install a login application on the device. The app displays a list of available roles on the device; the user taps a role, such as "Manager"; the configuration defined for the "Manager" role is applied. +You can add custom configurations by role. In addition to the role configuration, you must also install a login application on the device. The app displays a list of available roles on the device; the user taps a role, such as "Manager"; the configuration defined for the "Manager" role is applied. 
- [Learn how to create a login application that will work with your Lockdown XML file.](https://github.com/Microsoft/Windows-universal-samples/tree/master/Samples/DeviceLockdownAzureLogin) For reference, see the [Windows.Embedded.DeviceLockdown API](https://msdn.microsoft.com/library/windows/apps/windows.embedded.devicelockdown). +[Learn how to create a login application that will work with your Lockdown XML file.](https://github.com/Microsoft/Windows-universal-samples/tree/master/Samples/DeviceLockdownAzureLogin) For reference, see the [Windows.Embedded.DeviceLockdown API](https://msdn.microsoft.com/library/windows/apps/windows.embedded.devicelockdown). - In the XML file, you define each role with a GUID and name, as shown in the following example: +In the XML file, you define each role with a GUID and name, as shown in the following example: - ```xml - - ``` +```xml + +``` + +You can create a GUID using a GUID generator -- free tools are available online. The GUID needs to be unique within this XML file. - You can create a GUID using a GUID generator -- free tools are available online. The GUID needs to be unique within this XML file. +You can configure the same settings for each role as you did for the default role, except Start screen size which can only be configured for the default role. If you use CSPRunner with roles, be aware that the last CSP setting applied will be retained across roles unless explicitly changed in each role configuration. CSP settings applied by CSPRunner may conflict with settings applied by MDM. - You can configure the same settings for each role as you did for the default role, except Start screen size which can only be configured for the default role. If you use CSPRunner with roles, be aware that the last CSP setting applied will be retained across roles unless explicitly changed in each role configuration. CSP settings applied by CSPRunner may conflict with settings applied by MDM. 
- - ```xml +```xml - - - - - - - - + + + + + + + + - - - - - - - + + + + + + + - ``` + +## Validate your XML + +You can validate your lockdown XML file against the [EnterpriseAssignedAccess XSD](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterpriseassignedaccess-xsd). ## Add lockdown XML to a provisioning package @@ -474,7 +479,7 @@ After you build the provisioning package, follow the instructions for [applying After you deploy your devices, you can still configure lockdown settings through your MDM solution if it supports the [EnterpriseAssignedAccess CSP](https://go.microsoft.com/fwlink/p/?LinkID=618601). -To push lockdown settings to enrolled devices, use the AssignedAccessXML setting and use the lockdown XML as the value. The lockdown XML will be in a HandheldLockdown section that becomes XML embedded in XML, so the XML that you enter must use escaped characters (such as < in place of <). After the MDM provider pushes your lockdown settings to the device, the CSP processes the file and updates the device. +To push lockdown settings to enrolled devices, use the AssignedAccessXML setting and use the lockdown XML as the value. The lockdown XML will be in a HandheldLockdown section that becomes XML embedded in XML, so the XML that you enter must use escaped characters (such as `<` in place of <). After the MDM provider pushes your lockdown settings to the device, the CSP processes the file and updates the device. ## Full Lockdown.xml example @@ -605,13 +610,12 @@ To push lockdown settings to enrolled devices, use the AssignedAccessXML setting - - - - + + + - - + + @@ -706,17 +710,16 @@ To push lockdown settings to enrolled devices, use the AssignedAccessXML setting - - - - - + + + + - - + + - - + + 
@@ -858,13 +861,4 @@ To push lockdown settings to enrolled devices, use the AssignedAccessXML setting [Settings and quick actions that can be locked down in Windows 10 Mobile](settings-that-can-be-locked-down.md) -[Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md) - -  - -  - - - - - +[Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md) \ No newline at end of file diff --git a/windows/configure/mobile-lockdown-designer.md b/windows/configure/mobile-lockdown-designer.md index ffd367b09a..ee7d0aa8b6 100644 --- a/windows/configure/mobile-lockdown-designer.md +++ b/windows/configure/mobile-lockdown-designer.md 
@@ -1,14 +1,165 @@
 ---
-title: lockdown designer (Windows 10)
+title: Use the Lockdown Designer app to create a Lockdown XML file (Windows 10)
 description:
-keywords: Windows 10, MDM, WSUS, Windows update
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: high
+localizationpriority: medium
 author: jdeckerMS
 ---
-# lockdown designer
+# Use the Lockdown Designer app to create a Lockdown XML file
+
+![Lockdown Designer in the Store](images/ldstore.png)
+
+Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device. For example, the enterprise can lock down a device so that only applications and settings in an allow list are available. This is accomplished using Lockdown XML, an XML file that contains settings for Windows 10 Mobile.
+
+When you deploy the lockdown XML file to a device, it is saved on the device as **wehlockdown.xml**. When the device boots, it looks for wehlockdown.xml and applies any settings configured in the file.
+
+The Lockdown Designer app helps you configure and create a lockdown XML file that you can apply to devices running Windows 10 Mobile, version 1703, and includes a remote simulation to help you determine the layout for tiles on the Start screen. Lockdown Designer also validates the XML. Using Lockdown Designer is easier than [manually creating a lockdown XML file](lockdown-xml.md).
+
+
+
+## Overview
+
+Lockdown Designer can be installed on a PC running Windows 10, version 1607 or later. After you install the app, you connect a mobile device running Windows 10 Mobile, version 1703, to the PC.
+
+>[!NOTE]
+>Lockdown Designer will not make any changes to the connected device, but we recommend that you use a test device.
+
+Lockdown Designer will populate the available settings and apps to configure from the connected device.
Using the different pages in the app, you select the settings, apps, and layout to be included in the lockdown XML.
+
+When you're done, you export the configuration to a lockdown XML file. This configuration can be applied to any device running Windows 10 Mobile, version 1703.
+
+>[!NOTE]
+>You can also import an existing WEHLockdown.xml file to Lockdown Designer and modify it in the app.
+
+## Prepare the test mobile device
+
+Perform these steps on the device running Windows 10 Mobile that you will use to supply the settings, apps, and layout to Lockdown Designer.
+
+1. Install all apps on the device that you want to include in the configuration, including line-of-business apps.
+
+2. On the mobile device, go to **Settings** > **Update & security** > **For developers**, enable **Developer mode**.
+
+3. Read the disclaimer, then click **Yes** to accept the change.
+
+4. Enable **Device discovery**, and then turn on **Device Portal**.
+
+## Prepare the PC
+
+[Install Lockdown Designer](https://www.microsoft.com/store/r/9nblggh40753) on the PC.
+
+If the PC and the test mobile device are on the same Wi-Fi network, you can connect the devices using Wi-Fi.
+
+If you want to connect the PC and the test mobile device using a USB cable, perform the following steps on the PC:
+
+1. [Install the Windows 10 Software Development Kit (SDK)](https://developer.microsoft.com/windows/downloads/windows-10-sdk). This enables the **Windows Phone IP over USB Transport (IpOverUsbSvc)** service.
+
+2. Open a command prompt as an administrator and run `checknetisolation LoopbackExempt -a -n=microsoft.lockdowndesigner_8wekyb3d8bbwe`
+
+ >[!NOTE]
+ >Loopback is permitted only for development purposes. To remove the loopback exemption when you're done using Lockdown Designer, run `checknetisolation LoopbackExempt -d -n=microsoft.lockdowndesigner_8wekyb3d8bbwe`
+
+
+
+
+## Connect the mobile device to Lockdown Designer
+
+**Using Wi-Fi**
+
+1. Open Lockdown Designer.
+
+2. 
Click **Create new project**. + +3. On the test mobile device, go to **Settings** > **Update & security** > **For developers** > **Connect using:** and get the IP address listed for **Wi-Fi**. + +2. On the **Project setting** > **General settings** page, in **Remote device IP address**, enter the IP address for the test mobile device, using `https://`. + +3. Click **Pair**. + + ![Pair](images/ld-pair.png) + + **Connect to remote device** appears. + +4. On the mobile device, under **Device discovery**, tap **Pair**. A case-sensitive code is displayed. + +5. On the PC, in **Connect to remote device**, enter the code from the mobile device. + +6. Next, click **Sync** to pull information from the device in to Lockdown Designer. + + ![Sync](images/ld-sync.png) + +7. Click the **Save** icon and enter a name for your project. + +**Using a USB cable** + +1. Open Lockdown Designer. + +2. Click **Create new project**. + +2. Connect a Windows 10 Mobile device to the PC by USB and unlock the device. + +3. On the **Project setting** > **General settings** page, click **Pair**. + + ![Pair](images/ld-pair.png) + + **Connect to remote device** appears. + +4. On the mobile device, under **Device discovery**, tap **Pair**. A case-sensitive code is displayed. + +5. On the PC, in **Connect to remote device**, enter the code from the mobile device. + +6. Next, click **Sync** to pull information from the device in to Lockdown Designer. + + ![Sync](images/ld-sync.png) + +7. Click the **Save** icon and enter a name for your project. + + +## Configure your lockdown XML settings + +The apps and settings available in the pages of Lockdown Designer should now be populated from the test mobile device. The following table describes what you can configure on each page. + +| Page | Description | +| --- | --- | +| ![Applications](images/ld-apps.png) | Each app from the test mobile device is listed. Select the apps that you want visible to users.

    You can select an app to run automatically when a user signs in to the device. The **Select Auto-Run** menu is populated by the apps that you select to allow on the device. | +| ![CSP Runner](images/ld-csp.png) | CSPRunner enables you to include settings and policies that are not defined in other sections of the app. To make use of CSPRunner, you must create the SyncML block that contains the settings, and then import the SyncML in Lockdown Designer. [Learn how to use CSPRunner and author SyncML.](lockdown-xml.md#csprunner) | +| ![Settings](images/ld-settings.png) | On this page, you select the settings that you want visible to users. See the [ms settings: URI scheme reference](https://docs.microsoft.com/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference) to see which Settings page maps to a URI. | +| ![Quick actions](images/ld-quick.png) | On this page, you select the settings that you want visible to users. | +| ![Buttons](images/ld-buttons.png) | Each hardware button on a mobile device has different actions that can be disabled. In addition, the behavior for **Search** button can be changed to open an app other than **Search**.

    Some devices may have additional hardware buttons provided by the OEM. These are listed as Custom1, Custom2, and Custom3. If your device has custom hardware buttons, contact your equipment provider to identify how their custom buttons are defined. | +| ![Other settings](images/ld-other.png) | This page contains several settings that you can configure:

    - The context menu is displayed when a user presses and holds an application in the All Apps list. You can enable or disable the context menu.

    - Tile manipulation allows users to pin, unpin, move, and resize tiles on the Start screen. You can enable or disable tile manipulation.

    - The Action Center setting controls whether the user can open the Action Center on the device. When the Action Center is disabled, notifications on the lockscreen and toasts are also disabled. You can use optional attributes with the Action Center element to change that behavior for either notifications, toasts, or both. | +| ![Start screen](images/ld-start.png) | On this page, you can start a remote simulation session with the test mobile device. Click **Start remote simulation**. You will see a **Start screen remote simulation in progress** message on the PC. (If the **Start remote simulation** button is not active, [pair the mobile device with the PC again](#pair).)

    On the test mobile device, tiles for the apps that you allowed on the **Applications** page are displayed on the screen. You can move, resize, or unpin these tiles to achieve the desired layout.

    When you are done changing the layout on the test mobile device, click **Accept** on the PC. | + + +## Validate and export + +On the **Validate and export** page, click **Validate** to make sure your lockdown XML is valid. + +>[!WARNING] +>Lockdown Designer cannot validate SyncML that you imported to CSPRunner. + +Click **Export** to generate the XML file for your project. You can select the location to save the file. + +## Create and configure multiple roles + +You can create additional roles for the device and have unique configurations for each role. For example, you could have one configuration for a **Manager** role and a different configuration for a **Salesperson** role. + +>[!NOTE] +>Using multiple roles on a device requires a login application that displays the list of roles and allows users to sign in to Azure Active Directory. [Learn how to create a login application that will work with your Lockdown XML file.](https://github.com/Microsoft/Windows-universal-samples/tree/master/Samples/DeviceLockdownAzureLogin) + +**For each role:** + +1. On the **Project setting** page, click **Role management**. + +2. Click **Add a role**. + +3. Enter a name for the role, and then click **Save**. + +4. Configure the settings for the role as above, but make sure on each page that you select the correct role. + + ![Current role selection box](images/ld-role.png) + + diff --git a/windows/configure/provision-pcs-for-initial-deployment.md b/windows/configure/provision-pcs-for-initial-deployment.md index 86c8e234ff..c23f3d854c 100644 --- a/windows/configure/provision-pcs-for-initial-deployment.md +++ b/windows/configure/provision-pcs-for-initial-deployment.md 
@@ -10,14 +10,14 @@ author: jdeckerMS
 localizationpriority: high
 ---
-# Provision PCs with common settings for initial deployment (simple provisioning)
+# Provision PCs with common settings for initial deployment (desktop wizard)
 **Applies to**
 - Windows 10
-This topic explains how to create and apply a simple provisioning package that contains common enterprise settings to a device running all desktop editions of Windows 10 except Windows 10 Home.
+This topic explains how to create and apply a provisioning package that contains common enterprise settings to a device running all desktop editions of Windows 10 except Windows 10 Home.
 You can apply a provisioning package on a USB drive to off-the-shelf devices during setup, making it fast and easy to configure new devices.
@@ -32,66 +32,59 @@ You can apply a provisioning package on a USB drive to off-the-shelf devices dur
 [Learn more about the benefits and uses of provisioning packages.](provisioning-packages.md)
-## What does simple provisioning do?
+## What does the desktop wizard do?
-In a simple provisioning package, you can configure:
+The desktop wizard helps you configure the following settings in a provisioning package:
-- Device name
-- Upgraded product edition
-- Wi-Fi network
-- Active Directory enrollment
-- Local administrator account
+- Set device name
+- Upgrade product edition
+- Configure the device for shared use
+- Remove pre-installed software
+- Configure Wi-Fi network
+- Enroll device in Active Directory or Azure Active Directory
+- Create local administrator account
+- Add applications and certificates
-Provisioning packages can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more. To learn about provisioning packages that include more than the settings in a simple provisioning package, see [Provision PCs with apps and certificates](provision-pcs-with-apps-and-certificates.md).
+>[!WARNING]
+>You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.
+
+Provisioning packages can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more.
 > [!TIP]
-> Use simple provisioning to create a package with the common settings, then switch to the advanced editor to add other settings, apps, policies, etc.
-
-![open advanced editor](images/icd-simple-edit.png)
+> Use the desktop wizard to create a package with the common settings, then switch to the advanced editor to add other settings, apps, policies, etc.
+> +>![open advanced editor](images/icd-simple-edit.png) ## Create the provisioning package -Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package. [Install the ADK and select **Configuration Designer**.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) +Use the Windows Configuration Designer tool to create a provisioning package. [Learn how to install Windows Configuration Designer.](provisioning-install-icd.md) -1. Open Windows ICD (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe). +1. Open Windows Configuration Designer (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe). -2. Click **Simple provisioning**. +2. Click **Provision desktop devices**. - ![ICD start options](images/icdstart-option.png) + ![ICD start options](images/icd-create-options-1703.png) -3. Name your project and click **Finish**. The screens for simple provisioning will walk you through the following steps. - - ![ICD simple provisioning](images/icd-simple.png) - -4. In the **Set up device** step, enter a unique 15-character name for the device. For help generating a unique name, you can use %SERIAL%, which includes a hardware-specific serial number, or you can use %RAND:x%, which generates random characters of x length. - -5. (*Optional*) You can upgrade the following editions of Windows 10 by providing a product key for the edition to upgrade to. - - Pro to Education - - Pro to Enterprise - - Enterprise to Education - -6. Click **Set up network**. - -7. Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, type, and (if required) password for the wireless network. - -8. Click **Enroll into Active Directory**. - -9. 
Toggle **Yes** or **No** for Active Directory enrollment. If you select **Yes**, enter the credentials for an account with permissions to enroll the device. (*Optional*) Enter a user name and password to create a local administrator account. - - > **Warning**: If you don't create a local administrator account and the device fails to enroll in Active Directory for any reason, you will have to reimage the device and start over. As a best practice, we recommend: - - Use a least-privileged domain account to join the device to the domain. - - Create a temporary administrator account to use for debugging or reprovisioning if the device fails to enroll successfully. - - [Use Group Policy to delete the temporary administrator account](https://blogs.technet.microsoft.com/canitpro/2014/12/10/group-policy-creating-a-standard-local-admin-account/) after the device is enrolled in Active Directory. - -10. Click **Finish**. - -11. Review your settings in the summary. You can return to previous pages to change your selections. Then, under **Protect your package**, toggle **Yes** or **No** to encrypt the provisioning package. If you select **Yes**, enter a password. This password must be entered to apply the encrypted provisioning package. - -12. Click **Create**. +3. Name your project and click **Finish**. The pages for desktop provisioning will walk you through the following steps. + ![ICD desktop provisioning](images/icd-desktop-1703.png) + > [!IMPORTANT] > When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. +## Configure settings + + + + + + + + + +
    ![step one](images/one.png)![set up device](images/set-up-device.png)

    Enter a name for the device.

    (Optional) Select a license file to upgrade Windows 10 to a different edition. [See the permitted upgrades.](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades)

    Toggle **Yes** or **No** to **Configure devices for shared use**. This setting optimizes Windows 10 for shared use scenarios. [Learn more about shared PC configuration.](set-up-shared-or-guest-pc.md)

    You can also select to remove pre-installed software from the device.
    ![device name, upgrade to enterprise, shared use, remove pre-installed software](images/set-up-device-details-desktop.png)
    ![step two](images/two.png) ![set up network](images/set-up-network.png)

    Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.
    ![Enter network SSID and type](images/set-up-network-details-desktop.png)
    ![step three](images/three.png) ![account management](images/account-management.png)

    Enable account management if you want to configure settings on this page.

    You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the device

    To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.

    Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.

    To create a local administrator account, select that option and enter a user name and password.

    **Important:** If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in.
    ![join Active Directory, Azure AD, or create a local admin account](images/account-management-details.png)
    ![step four](images/four.png) ![add applications](images/add-applications.png)

    You can install multiple applications, both Classic Windows (Win32) apps and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see [Provision PCs with apps](provision-pcs-with-apps.md).
    ![add an application](images/add-applications-details.png)
    ![step five](images/five.png) ![add certificates](images/add-certificates.png)

    To provision the device with a certificate, click **Add a certificate**. Enter a name for the certificate, and then browse to and select the certificate to be used.
    ![add a certificate](images/add-certificates-details.png)
    ![finish](images/finish.png)

    You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.
    ![Protect your package](images/finish-details.png)
    + +After you're done, click **Create**. It only takes a few seconds. When the package is built, the location where the package is stored is displayed as a hyperlink at the bottom of the page. **Next step**: [How to apply a provisioning package](provisioning-apply-package.md) @@ -107,14 +100,15 @@ Use the Windows Imaging and Configuration Designer (ICD) tool included in the Wi - [Provisioning packages for Windows 10](provisioning-packages.md) - [How provisioning works in Windows 10](provisioning-how-it-works.md) -- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md) +- [Install Windows Configuration Designer](provisioning-install-icd.md) - [Create a provisioning package](provisioning-create-package.md) - [Apply a provisioning package](provisioning-apply-package.md) - [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) -- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md) - [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) +- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) - [NFC-based device provisioning](provisioning-nfc.md) -- [Windows ICD command-line interface (reference)](provisioning-command-line.md) +- [Use the package splitter tool](provisioning-package-splitter.md) +- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) - [Create a provisioning package with multivariant settings](provisioning-multivariant.md) diff --git a/windows/configure/provision-pcs-with-apps-and-certificates.md b/windows/configure/provision-pcs-with-apps-and-certificates.md index 6e4614a977..b5e03dbb14 100644 --- a/windows/configure/provision-pcs-with-apps-and-certificates.md +++ b/windows/configure/provision-pcs-with-apps-and-certificates.md 
@@ -17,6 +17,7 @@ localizationpriority: high
 - Windows 10
+DEPRECATED - See [Provision PCs with apps](provision-pcs-with-apps.md)
 This topic explains how to create and apply a provisioning package that contains apps and certificates to a device running all desktop editions of Windows 10 except Windows 10 Home.
 Provisioning packages can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more.
@@ -183,14 +184,15 @@ If your build is successful, the name of the provisioning package, output direct
 - [Provisioning packages for Windows 10](provisioning-packages.md)
 - [How provisioning works in Windows 10](provisioning-how-it-works.md)
-- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md)
+- [Install Windows Configuration Designer](provisioning-install-icd.md)
 - [Create a provisioning package](provisioning-create-package.md)
 - [Apply a provisioning package](provisioning-apply-package.md)
 - [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
 - [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
 - [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
 - [NFC-based device provisioning](provisioning-nfc.md)
-- [Windows ICD command-line interface (reference)](provisioning-command-line.md)
+- [Use the package splitter tool](provisioning-package-splitter.md)
+- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md)
 - [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
diff --git a/windows/configure/provision-pcs-with-apps.md b/windows/configure/provision-pcs-with-apps.md
new file mode 100644
index 0000000000..2314c30c16
--- /dev/null
+++ b/windows/configure/provision-pcs-with-apps.md
@@ -0,0 +1,207 @@ +--- +title: Provision PCs with apps (Windows 10) +description: Add apps to a Windows 10 provisioning package. +ms.assetid: 66D14E97-E116-4218-8924-E2A326C9367E +keywords: ["runtime provisioning", "provisioning package"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: high +--- + +# Provision PCs with apps + + +**Applies to** + +- Windows 10 + + +In Windows 10, version 1703, you can install multiple Universal Windows Platform (UWP) apps and Classic Windows (Win32) applications in a provisioning package. This topic explains the various settings in [Windows Configuration Designer](provisioning-install-icd.md) for app install. + +When you add an app in a Windows Configuration Designer wizard, the appropriate settings are displayed based on the app that you select. For instructions on adding an app using the advanced editor in Windows Configuration Designer, see [Add an app using advanced editor](#adv). + +## Settings for UWP apps + +- **License Path**: Specify the license file if it is an app from the Windows Store. This is optional if you have a certificate for the app. + +- **Package family name**: Specify the package family name if you don’t specify a license. This field will be auto-populated after you specify a license. + +- **Required appx dependencies**: Specify the appx dependency packages that are required for the installation of the app + +## Settings for Classic Windows apps + +### MSI installer + +- **Command line arguments**: Optionally, append additional command arguments. The silent flag is appended for you. 
Example: PROPERTY=VALUE + +- **Continue installations after failure**: Optionally, specify if you want to continue installing additional apps if this app fails to install + +- **Restart required**: Optionally, specify if you want to initiate a reboot after a successful install of this app + +- **Required win32 app dependencies**: Optionally, specify additional files that are required for the installation of the app. + +### Exe or other installer + +- **Command line arguments**: Append the command line arguments with a silent flag (required). Optionally, append additional flags + +- **Return Codes**: Specify the return codes for success and success with restart (0 and 3010 by default respectively) Any return code that is not listed will be interpreted as failure. The text boxes are space delimited. + +- **Continue installations after failure**: Optionally, specify if you want to continue installing additional apps if this app fails to install + +- **Restart required**: Optionally, specify if you want to initiate a reboot after a successful install of this app + +- **Required win32 app dependencies**: Optionally, specify additional files that are required for the installation of the app. + + + +## Add an app using advanced editor in Windows Configuration Designer + + +1. In the **Available customizations** pane, go to **Runtime settings** > **ProvisioningCommands** > **DeviceContext** > **CommandFiles**. + +2. Add all the files required for the app install, including the data files and the installer. + +3. Go to **Runtime settings** > **ProvisioningCommands** > **DeviceContext** > **CommandLine** and specify the command line that needs to be executed to install the app. This is a single command line (such as a script, executable, or msi) that triggers a silent install of your CommandFiles. Note that the install must execute silently (without displaying any UI). For MSI installers use, the `msiexec /quiet` option. 
+ +> [!NOTE] +> If you are installing more than one app, then use `CommandLine` to invoke the script or batch file that orchestrates installation of the files. For more information, see [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md). + + +### Add a universal app to your package + +Universal apps that you can distribute in the provisioning package can be line-of-business (LOB) apps developed by your organization, Windows Store for Business apps that you acquire with [offline licensing](../manage/acquire-apps-windows-store-for-business.md), or third-party apps. This procedure will assume you are distributing apps from the Windows Store for Business. For other apps, obtain the necessary information (such as the package family name) from the app developer. + +1. In the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall**. + +2. For **DeviceContextApp**, specify the **PackageFamilyName** for the app. In Windows Store for Business, the package family name is listed in the **Package details** section of the download page. + + ![details for offline app package](images/uwp-family.png) + +3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle). + +4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. In Windows Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page. + + ![required frameworks for offline app package](images/uwp-dependencies.png) + +5. For **DeviceContextAppLicense**, enter the **LicenseProductID**. + + - In Windows Store for Business, generate the unencoded license for the app on the app's download page, and change the extension of the license file from **.xml** to **.ms-windows-store-license**. 
+ + ![generate license for offline app](images/uwp-license.png) + + - Open the license file and search for **LicenseID=** to get the GUID, enter the GUID in the **LicenseProductID** field and click **Add**. + +6. In the **Available customizations** pane, click the **LicenseProductId** that you just added. + +7. For **LicenseInstall**, click **Browse**, navigate to the license file that you renamed **.**ms-windows-store-license**, and select the license file. + +[Learn more about distributing offline apps from the Windows Store for Business.](../manage/distribute-offline-apps.md) + +> [!NOTE] +> Removing a provisioning package will not remove any apps installed by device context in that provisioning package. + + + +### Add a certificate to your package + +1. In the **Available customizations** pane, go to **Runtime settings** > **Certificates** > **ClientCertificates**. + +2. Enter a **CertificateName** and then click **Add**. + +2. Enter the **CertificatePassword**. + +3. For **CertificatePath**, browse and select the certificate to be used. + +4. Set **ExportCertificate** to **False**. + +5. For **KeyLocation**, select **Software only**. + + +### Add other settings to your package + +For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( https://go.microsoft.com/fwlink/p/?LinkId=619012). + +### Build your package + +1. When you are done configuring the provisioning package, on the **File** menu, click **Save**. + +2. Read the warning that project files may contain sensitive information, and click **OK**. +> **Important** When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. + +3. 
On the **Export** menu, click **Provisioning package**. + +1. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** + +10. Set a value for **Package Version**. + + > [!TIP]   + > You can make changes to existing packages and change the version number to update previously applied packages. + +11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. + + - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. + + - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package. + + **Important**   + We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently.  + +12. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.

    +Optionally, you can click **Browse** to change the default output location. + +13. Click **Next**. + +14. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.

    +If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. + +15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.

    +If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. + + - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. + + - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. + +16. Select the **output location** link to go to the location of the package. You can provide that .ppkg to others through any of the following methods: + + - Shared network folder + + - SharePoint site + + - Removable media (USB/SD) + + - Email + + - USB tether (mobile only) + + - NFC (mobile only) + + + +**Next step**: [How to apply a provisioning package](provisioning-apply-package.md) + +## Learn more + +- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921) + +- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922) +  + +## Related topics + +- [Provisioning packages for Windows 10](provisioning-packages.md) +- [How provisioning works in Windows 10](provisioning-how-it-works.md) +- [Install Windows Configuration Designer](provisioning-install-icd.md) +- [Create a provisioning package](provisioning-create-package.md) +- [Apply a provisioning package](provisioning-apply-package.md) +- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) +- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) +- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) +- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) +- [NFC-based device provisioning](provisioning-nfc.md) +- [Use the 
package splitter tool](provisioning-package-splitter.md) +- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) +- [Create a provisioning package with multivariant settings](provisioning-multivariant.md) + + diff --git a/windows/configure/provisioning-apply-package.md b/windows/configure/provisioning-apply-package.md index 1125dd6985..2fa9efb09a 100644 --- a/windows/configure/provisioning-apply-package.md +++ b/windows/configure/provisioning-apply-package.md @@ -42,25 +42,7 @@ Provisioning packages can be applied to a device during the first-run experience ![Do you trust this package?](images/trust-package.png) -6. Read and accept the Microsoft Software License Terms. - ![Sign in](images/license-terms.png) - -7. Select **Use Express settings**. - - ![Get going fast](images/express-settings.png) - -8. If the PC doesn't use a volume license, you'll see the **Who owns this PC?** screen. Select **My work or school owns it** and tap **Next**. - - ![Who owns this PC?](images/who-owns-pc.png) - -9. On the **Choose how you'll connect** screen, select **Join Azure AD** or **Join a domain** and tap **Next**. - - ![Connect to Azure AD](images/connect-aad.png) - -10. Sign in with your domain, Azure AD, or Office 365 account and password. When you see the progress ring, you can remove the USB drive. - - ![Sign in](images/sign-in-prov.png) ### After setup, from a USB drive, network folder, or SharePoint site 
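Review bot: The step numbering in the new topic is inconsistent: under "Add a certificate to your package" the list runs 1, 2, 2, 3, 4, 5, and under "Build your package" it runs 3, 1, 10, 11, …; the renderer will not repair the restart at 1, so the certificate steps should be numbered 1–6 and the export steps should continue as `4. On the **Export** menu, click **Provisioning package**.` followed by `5. Change **Owner** to **IT Admin**, …`. In step 7 of the universal-app procedure the bold markup `**.**ms-windows-store-license**` is unbalanced and should read `**.ms-windows-store-license**`, and step 12 still says "Windows ICD uses the project folder" although the rest of this commit renames the tool to Windows Configuration Designer. The **Important** note under "Enable package signing" states that once the trusted provisioning certificate is on a device, any package signed with it is applied silently; the consequence for the operator is worth spelling out there, e.g. `Protect the private key of the signing certificate as carefully as the project files: anyone able to sign with it can apply provisioning packages to those devices without a prompt.` The **CertificatePassword** entered under "Add a certificate" presumably ends up in the project files that this topic itself warns are not encrypted, which is one more reason to keep the storage guidance in "Build your package" step 2 next to that procedure as well.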
@@ -97,23 +79,17 @@ On a desktop computer, navigate to **Settings** > **Accounts** > **Access work o -## Learn more - -- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921) - -- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922) ## Related topics - [Provisioning packages for Windows 10](provisioning-packages.md) - [How provisioning works in Windows 10](provisioning-how-it-works.md) -- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md) +- [Install Windows Configuration Designer](provisioning-install-icd.md) - [Create a provisioning package](provisioning-create-package.md) - [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) - [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) -- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md) - [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [NFC-based device provisioning](provisioning-nfc.md) -- [Windows ICD command-line interface (reference)](provisioning-command-line.md) +- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) +- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) - [Create a provisioning package with multivariant settings](provisioning-multivariant.md) \ No newline at end of file diff --git a/windows/configure/provisioning-command-line.md b/windows/configure/provisioning-command-line.md index d5c52aabac..a2e16343b0 100644 --- a/windows/configure/provisioning-command-line.md +++ b/windows/configure/provisioning-command-line.md 
@@ -1,5 +1,5 @@
 ---
-title: Windows ICD command-line interface (Windows 10)
+title: Windows Configuration Designer command-line interface (Windows 10)
 description:
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -8,7 +8,7 @@ author: jdeckerMS
 localizationpriority: high
 ---
-# Windows ICD command-line interface (reference)
+# Windows Configuration Designer command-line interface (reference)
 **Applies to**
@@ -16,11 +16,11 @@ localizationpriority: high
 - Windows 10
 - Windows 10 Mobile
-You can use the Windows Imaging and Configuration Designer (ICD) command-line interface (CLI) to automate the building of provisioning packages and Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) and Windows 10 Mobile or Windows 10 IoT Core (IoT Core) images.
+You can use the Windows Configuration Designer command-line interface (CLI) to automate the building of provisioning packages and Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) and Windows 10 Mobile or Windows 10 IoT Core (IoT Core) images.
-- IT pros can use the Windows ICD CLI to require less re-tooling of existing processes. You must run the Windows ICD CLI from a command window with administrator privileges.
+- IT pros can use the Windows Configuration Designer CLI to require less re-tooling of existing processes. You must run the Windows Configuration Designer CLI from a command window with administrator privileges.
-- You must use the Windows ICD CLI and edit the customizations.xml sources to create an image and/or provisioning package with multivariant support. You need the customizations.xml file as one of the inputs to the Windows ICD CLI to build a provisioning package. For more information, see [Create a provisioning package with multivariant settings](provisioning-multivariant.md).
+- You must use the Windows Configuration Designer CLI and edit the customizations.xml sources to create an image and/or provisioning package with multivariant support. You need the customizations.xml file as one of the inputs to the Windows Configuration Designer CLI to build a provisioning package. For more information, see [Create a provisioning package with multivariant settings](provisioning-multivariant.md).
@@ -38,9 +38,9 @@ icd.exe /Build-ProvisioningPackage /CustomizationXML: /PackagePath: | --- | --- | --- | | /CustomizationXML | No | Specifies the path to a Windows provisioning XML file that contains the customization assets and settings. For more information, see Windows provisioning answer file. | | /PackagePath | Yes | Specifies the path and the package name where the built provisioning package will be saved. | -| /StoreFile | No


    See Important note. | For partners using a settings store other than the default store(s) used by Windows ICD, use this parameter to specify the path to one or more comma-separated Windows settings store file. By default, if you don't specify a settings store file, the settings store that's common to all Windows editions will be loaded by Windows ICD.


    **Important** If you use this parameter, you must not use /MSPackageRoot or /OEMInputXML. | +| /StoreFile | No


    See Important note. | For partners using a settings store other than the default store(s) used by Windows Configuration Designer, use this parameter to specify the path to one or more comma-separated Windows settings store file. By default, if you don't specify a settings store file, the settings store that's common to all Windows editions will be loaded by Windows Configuration Designer.


    **Important** If you use this parameter, you must not use /MSPackageRoot or /OEMInputXML. | | /Variables | No | Specifies a semicolon separated and macro pair. The format for the argument must be =. | -| Encrypted | No | Denotes whether the provisioning package should be built with encryption. Windows ICD auto-generates the decryption password and includes this information in the output.


    Precede with + for encryption or - for no encryption. The default is no encryption. | +| Encrypted | No | Denotes whether the provisioning package should be built with encryption. Windows Configuration Designer auto-generates the decryption password and includes this information in the output.


    Precede with + for encryption or - for no encryption. The default is no encryption. | | Overwrite | No | Denotes whether to overwrite an existing provisioning package.


    Precede with + to overwrite an existing package or - if you don't want to overwrite an existing package. The default is false (don't overwrite). | | /? | No | Lists the switches and their descriptions for the command-line tool or for certain commands. | @@ -51,14 +51,13 @@ icd.exe /Build-ProvisioningPackage /CustomizationXML: /PackagePath: - [Provisioning packages for Windows 10](provisioning-packages.md) - [How provisioning works in Windows 10](provisioning-how-it-works.md) -- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md) +- [Install Windows Configuration Designer](provisioning-install-icd.md) - [Create a provisioning package](provisioning-create-package.md) - [Apply a provisioning package](provisioning-apply-package.md) - [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) - [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) -- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md) - [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [NFC-based device provisioning](provisioning-nfc.md) +- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) - [Create a provisioning package with multivariant settings](provisioning-multivariant.md)   diff --git a/windows/configure/provisioning-configure-mobile.md b/windows/configure/provisioning-configure-mobile.md index 55a100ecdd..5c1a5048cf 100644 --- a/windows/configure/provisioning-configure-mobile.md +++ b/windows/configure/provisioning-configure-mobile.md 
@@ -1,7 +1,7 @@
 ---
-title: provisioning mobile (Windows 10)
+title: Use Windows Configuration Designer to configure Windows 10 Mobile devices (Windows 10)
 description:
-keywords: Windows 10, MDM, WSUS, Windows update
+keywords: phone, handheld, lockdown, customize
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
@@ -10,5 +10,77 @@ localizationpriority: high author: jdeckerMS --- -# provisioning mobile +# Use Windows Configuration Designer to configure Windows 10 Mobile devices +Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. Using provisioning packages, ayou can easily specify desired configuration, settings, and information required to enroll the devices into management, and then apply that configuration to target devices in a matter of minutes. + +A provisioning package (.ppkg) is a container for a collection of configuration settings. Using Windows Configuration Designer, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. + +Windows Configuration Designer can be installed from the [Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). Windows Configuration Designer is also available as an app in the Windows Store. [Learn more about installing Windows Configuration Designer.](provisioning-install-icd.md) + +## Create a provisioning package using the wizard + +The **Provision Windows mobile devices** wizard lets you configure common settings for devices running Windows 10 Mobile in a simple, graphical workflow. + +### Start a new project + +1. Open Windows Configuration Designer: + - From either the Start screen or Start menu search, type 'Windows Configuration Designer' and click the Windows Configuration Designer shortcut, + + or + + - If you installed Windows Configuration Designer from the ADK, navigate to `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86` (on an x64 computer) or `C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe` (on an x86 computer), and then double-click **ICD.exe**. + +2. 
On the **Start** page, choose **Provision Windows mobile devices**. + +3. Enter a name for your project, and then click **Next**. + + +### Configure settings in the wizard + + + + + + +
    ![step one](images/one.png)![set up device](images/set-up-device-mobile.png)

    Enter a device name.

    Optionally, you can enter a product key to upgrade the device from Windows 10 Mobile to Windows 10 Mobile Enterprise.
    ![device name, upgrade license](images/set-up-device-details-mobile.png)
    ![step two](images/two.png) ![set up network](images/set-up-network-mobile.png)

    Toggle **On** or **Off** for wireless network connectivity.

    If you select **On**, enter the SSID, network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.
    ![Enter network SSID and type](images/set-up-network-details-mobile.png)
    ![step three](images/three.png) ![bulk enrollment in Azure Active Directory](images/bulk-enroll-mobile.png)

    Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used.

    Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.

    **Warning:** You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.
    ![Enter expiration and get bulk token](images/bulk-enroll-mobile-details.png)
    ![step four](images/four.png) ![finish](images/finish-mobile.png)

    You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.
    ![Protect your package](images/finish-details-mobile.png)
    + +After you're done, click **Create**. It only takes a few seconds. When the package is built, the location where the package is stored is displayed as a hyperlink at the bottom of the page. + +### Apply provisioning package + +You can apply a provisioning package to a device running Windows 10 Mobile by using: + +- removable media +- copying the provisioning package to the device +- [NFC tags](provisioning-nfc.md) +- [barcodes](provisioning-package-splitter.md) + +### Using removable media + +1. Insert an SD card containing the provisioning package into the device. +2. Navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install. + + ![add a package option](images/packages-mobile.png) + +3. Click **Add**. + +4. On the device, the **Is this package from a source you trust?** message will appear. Tap **Yes, add it**. + + ![Is this package from a source you trust](images/package-trust.png) + +### Copying the provisioning package to the device + +1. Connect the device to your PC through USB. + +2. On the PC, select the provisioning package that you want to use to provision the device and then drag and drop the file to your device. + +3. On the device, the **Is this package from a source you trust?** message will appear. Tap **Yes, add it**. + + ![Is this package from a source you trust](images/package-trust.png) + + +## Related topics + +- [NFC-based device provisioning](provisioning-nfc.md) +- [Use the package splitter tool](provisioning-package-splitter.md) \ No newline at end of file diff --git a/windows/configure/provisioning-create-package.md b/windows/configure/provisioning-create-package.md index f543e6d10f..a73b54f4f8 100644 --- a/windows/configure/provisioning-create-package.md +++ b/windows/configure/provisioning-create-package.md 
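Review bot: The first paragraph of the new topic has a typo, `ayou can easily specify` should read `you can easily specify`. In the step-four (finish) cell, "You can set a password to protect your provisioning package" reads as optional, yet step three has just placed an Azure AD bulk enrollment token in the package whose only stated limits are the per-user device count and a 30-day expiry; if the token travels inside the .ppkg (which the wizard flow implies but the hunk does not state), anyone holding an unprotected copy can join devices to the tenant until it expires. Suggest making the advice concrete there: `If the package contains a bulk token, set a package password and distribute the package only through controlled channels; treat the token's expiration date as the end of the rollout window.` The "Apply provisioning package" section lists removable media, NFC tags and barcodes as delivery channels, so the same caveat applies to each of them.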
@@ -16,30 +16,40 @@ localizationpriority: high - Windows 10 - Windows 10 Mobile -You use Windows Imaging and Configuration Designer (ICD) to create a provisioning package (.ppkg) that contains customization settings. You can apply the provisioning package to a device running Windows 10. +You use Windows Configuration Designer to create a provisioning package (.ppkg) that contains customization settings. You can apply the provisioning package to a device running Windows 10 or Windows 10 Mobile. ->[Learn how to install Windows ICD.](provisioning-install-icd.md) +>[Learn how to install Windows Configuration Designer.](provisioning-install-icd.md) + +>[!TIP] +>We recommend creating a local admin account when developing and testing your provisioning package. We also recommend using a “least privileged” domain user account to join devices to the Active Directory domain. ## Start a new project -1. Open Windows ICD: - - From either the Start screen or Start menu search, type 'Imaging and Configuration Designer' and click on the Windows ICD shortcut, +1. Open Windows Configuration Designer: + - From either the Start screen or Start menu search, type 'Windows Configuration Designer' and click on the Windows Configuration Designer shortcut, or - - Navigate to `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86` (on an x64 computer) or `C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe` (on an x86 computer), and then double-click **ICD.exe**. + - If you installed Windows Configuration Designer from the ADK, navigate to `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86` (on an x64 computer) or `C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe` (on an x86 computer), and then double-click **ICD.exe**. -2. 
Select your desired option on the **Start** page, which offers three options for creating a provisioning package, as shown in the following image: +2. Select your desired option on the **Start** page, which offers multiple options for creating a provisioning package, as shown in the following image: - ![Simple provisioning or provision school devices or advanced provisioning](images/icd-create-options.png) + ![Configuration Designer wizards](images/icd-create-options-1703.png) - - The **Simple provisioning** and **Provision school devices** options provide wizard-style walkthroughs for creating a provisioning package based on a set of common settings. - - The **Advanced provisioning** option opens a new project with all **Runtime settings** available. + - The wizard options provide a simple interface for configuring common settings for desktop, mobile, and kiosk devices. Wizards are also available for creating provisioning packages for Microsoft Surface Hub and Microsoft HoloLens devices. For a summary of the settings available in the desktop, mobile, and kiosk devices, see [What you can configure using Configuration Designer wizardS](provisioning-packages.md#configuration-designer-wizards). - >[!TIP] - >You can start a project in the simple editor and then switch the project to the advanced editor. - > - >![Switch to advanced editor](images/icd-switch.png) + - [Instructions for the desktop wizard](provision-pcs-for-initial-deployment.md) + - [Instructions for the mobile wizard](provisioning-configure-mobile.md) + - [Instructions for the kiosk wizard](set-up-a-kiosk-for-windows-10-for-desktop-editions.md#wizard) + - [Instructions for HoloLens wizard](https://technet.microsoft.com/itpro/hololens/hololens-provisioning) + - [Instructions for Surface Hub wizard](https://technet.microsoft.com/itpro/surface-hub/provisioning-packages-for-certificates-surface-hub) + + - The **Advanced provisioning** option opens a new project with all **Runtime settings** available. 
*The rest of this procedure uses advanced provisioning.* + + >[!TIP] + > You can start a project in the simple wizard editor and then switch the project to the advanced editor. + > + > ![Switch to advanced editor](images/icd-switch.png) 3. Enter a name for your project, and then click **Next**. 
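Review bot: The new link text `[What you can configure using Configuration Designer wizardS](provisioning-packages.md#configuration-designer-wizards)` has a stray capital and should read `wizards`. The added TIP recommends a local admin account for development and testing and a "least privileged" domain user account for domain join, but does not say why; one clause makes it actionable, e.g. `…so that the join account carried by the package (presumably in the project file; confirm) cannot be reused for anything beyond joining devices.` The TIP also sits between the install link and the "Start a new project" heading, so a reader skimming for the procedure may miss it; consider repeating the least-privilege point where the domain-join settings are actually configured later in the topic.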
@@ -59,19 +69,18 @@ You use Windows Imaging and Configuration Designer (ICD) to create a provisionin >[!TIP] >**Import a provisioning package** can make it easier to create different provisioning packages that all have certain settings in common. For example, you could create a provisioning package that contains the settings for your organization's network, and then import it into other packages you create so you don't have to reconfigure those common settings repeatedly. -After you click **Finish**, Windows ICD will open the appropriate walkthrough page if you selected **Simple provisioning** or **Provision school devices**, or the **Available customizations** pane if you selected **Advanced provisioning**. The remainder of this topic will explain the **Advanced provisioning scenario**. +After you click **Finish**, Windows Configuration Designer will open the **Available customizations** pane and you can then configure settings for the package. + -- For instructions on **Simple provisioning**, see [Provision PCs with common settings](provision-pcs-for-initial-deployment.md). -- For instructions on **Provision school devices**, see [Set up student PCs to join domain](https://technet.microsoft.com/edu/windows/set-up-students-pcs-to-join-domain). ## Configure settings -For an advanced provisioning project, Windows ICD opens the **Available customizations** pane. The example in the following image is based on **All Windows desktop editions** settings. +For an advanced provisioning project, Windows Configuration Designer opens the **Available customizations** pane. The example in the following image is based on **All Windows desktop editions** settings. ![What the ICD interface looks like](images/icd-runtime.png) -The settings in Windows ICD are based on Windows 10 configuration service providers (CSPs). 
To learn more about CSPs, see [Introduction to configuration service providers (CSPs) for IT pros](https://technet.microsoft.com/itpro/windows/manage/how-it-pros-can-use-configuration-service-providers). +The settings in Windows Configuration Designer are based on Windows 10 configuration service providers (CSPs). To learn more about CSPs, see [Introduction to configuration service providers (CSPs) for IT pros](https://technet.microsoft.com/itpro/windows/manage/how-it-pros-can-use-configuration-service-providers). The process for configuring settings is similar for all settings. The following table shows an example. @@ -83,9 +92,9 @@ The process for configuring settings is similar for all settings. The following ![step five](images/five.png)
    When the setting is configured, it is displayed in the **Selected customizations** pane.![Selected customizations pane](images/icd-step5.png) -For details on each specific setting, see [Windows Provisioning settings reference](https://msdn.microsoft.com/library/windows/hardware/dn965990.aspx). The reference topic for a setting is also displayed in Windows ICD when you select the setting, as shown in the following image. +For details on each specific setting, see [Windows Provisioning settings reference](https://msdn.microsoft.com/library/windows/hardware/dn965990.aspx). The reference topic for a setting is also displayed in Windows Configuration Designer when you select the setting, as shown in the following image. -![Windows ICD opens the reference topic when you select a setting](images/icd-setting-help.png) +![Windows Configuration Designer opens the reference topic when you select a setting](images/icd-setting-help.png) ## Build package 
@@ -110,7 +119,7 @@ For details on each specific setting, see [Windows Provisioning settings referen > >If a provisioning package is signed by a trusted provisioner, it can be installed on a device without a prompt for user consent. In order to enable trusted provider certificates, you must set the **TrustedProvisioners** setting prior to installing the trusted provisioning package. This is the only way to install a package without user consent. To provide additional security, you can also set **RequireProvisioningPackageSignature**, which prevents users from installing provisioning packages that are not signed by a trusted provisioner. -4. In the **Select where to save the provisioning package** window, specify the output location where you want the provisioning package to go once it's built, and then click **Next**. By default, Windows ICD uses the project folder as the output location. +4. In the **Select where to save the provisioning package** window, specify the output location where you want the provisioning package to go once it's built, and then click **Next**. By default, Windows Configuration Designer uses the project folder as the output location. 5. In the **Build the provisioning package** window, click **Build**. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. 
@@ -128,22 +137,21 @@ For details on each specific setting, see [Windows Provisioning settings referen ## Learn more -- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921) - -- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922) +- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921) +- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922) +- [How to bulk-enroll devices with On-premises Mobile Device Management in System Center Configuration Manager](https://docs.microsoft.com/sccm/mdm/deploy-use/bulk-enroll-devices-on-premises-mdm) ## Related topics - [Provisioning packages for Windows 10](provisioning-packages.md) - [How provisioning works in Windows 10](provisioning-how-it-works.md) -- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md) +- [Install Windows Configuration Designer](provisioning-install-icd.md) - [Apply a provisioning package](provisioning-apply-package.md) - [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) - [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) -- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md) - [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [NFC-based device provisioning](provisioning-nfc.md) -- [Windows ICD command-line interface (reference)](provisioning-command-line.md) +- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) +- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) - 
[Create a provisioning package with multivariant settings](provisioning-multivariant.md) \ No newline at end of file diff --git a/windows/configure/provisioning-how-it-works.md b/windows/configure/provisioning-how-it-works.md index 1f9b72eb6c..349dfd08c2 100644 --- a/windows/configure/provisioning-how-it-works.md +++ b/windows/configure/provisioning-how-it-works.md @@ -16,7 +16,7 @@ localizationpriority: high - Windows 10 - Windows 10 Mobile -Provisioning packages in Windows 10 provide IT administrators with a simplified way to apply configuration settings to Windows 10 devices. Windows Imaging and Configuration Designer (Windows ICD) is a tool that makes it easy to create a provisioning package. Windows ICD is contained in the [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). +Provisioning packages in Windows 10 provide IT administrators with a simplified way to apply configuration settings to Windows 10 devices. Windows Configuration Designer is a tool that makes it easy to create a provisioning package. Windows Configuration Designer can be installed from the [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) or through the Windows Store. ## Provisioning packages 
@@ -58,9 +58,9 @@ When setting conflicts are encountered, the final values provisioned on the devi Windows provisioning XML is the framework that allows Microsoft and OEM components to declare end-user configurable settings and the on-device infrastructure for applying the settings with minimal work by the component owner. -Settings for each component can be declared within that component's package manifest file. These declarations are turned into settings schema that are used by Windows ICD to expose the potential settings to users to create customizations in the image or in provisioning packages. Windows ICD translates the user configuration, which is declared through Windows provisioning answer file(s), into the on-device provisioning format. +Settings for each component can be declared within that component's package manifest file. These declarations are turned into settings schema that are used by Windows Configuration Designer to expose the potential settings to users to create customizations in the image or in provisioning packages. Windows Configuration Designer translates the user configuration, which is declared through Windows provisioning answer file(s), into the on-device provisioning format. -When the provisioning engine selects a configuration, the Windows provisioning XML is contained within the selected provisioning data and is passed through the configuration manager and then to the Windows provisioning CSP. The Windows provisioning CSP then takes and applies the provisioning to the proper location for the actual component to use. +When the provisioning engine selects a configuration, the Windows provisioning XML is contained within the selected provisioning data and is passed through the configuration manager and then to the [Windows provisioning CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/provisioning-csp). 
The Windows provisioning CSP then takes and applies the provisioning to the proper location for the actual component to use. ## Provisioning engine @@ -77,7 +77,7 @@ The provisioning engine provides the following functionality: ## Configuration manager -The configuration manager provides the unified way of managing Windows 10 devices. Configuration is mainly done through the Open Mobile Alliance (OMA) Device Management (DM) and Client Provisioning (CP) protocols. The configuration manager handles and parses these protocol requests from different channels and passes them down to Configuration Service Providers (CSPs) to perform the specific management requests and settings. +The configuration manager provides the unified way of managing Windows 10 devices. Configuration is mainly done through the Open Mobile Alliance (OMA) Device Management (DM) and Client Provisioning (CP) protocols. The configuration manager handles and parses these protocol requests from different channels and passes them down to [Configuration Service Providers (CSPs)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/configuration-service-provider-reference) to perform the specific management requests and settings. The provisioning engine relies on configuration manager for all of the actual processing and application of a chosen configuration. The provisioning engine determines the stage of provisioning and, based on a set of keys, determines the set of configuration to send to the configuration manager. The configuration manager in turn parses and calls into the CSPs for the setting to be applied. 
@@ -115,9 +115,9 @@ When a trigger occurs, provisioning is initiated for a particular provisioning s ## Device provisioning during OOBE -The provisioning engine always applies provisioning packages persisted in the C:\Recovery\Customizations folder on the OS partition. When the provisioning engine applies provisioning packages in the %ProgramData%\Microsoft\Provisioning folder, certain runtime setting applications, such as the setting to install and configure Windows apps, may be extended past the OOBE pass and continually be processed in the background when the device gets to the desktop. Settings for configuring policies and certain crucial system configurations are always be completed before the first point at which they must take effect. +The provisioning engine always applies provisioning packages persisted in the `C:\Recovery\Customizations` folder on the OS partition. When the provisioning engine applies provisioning packages in the `%ProgramData%\Microsoft\Provisioning` folder, certain runtime setting applications, such as the setting to install and configure Windows apps, may be extended past the OOBE pass and continually be processed in the background when the device gets to the desktop. Settings for configuring policies and certain crucial system configurations are always be completed before the first point at which they must take effect. -Device users can apply a provisioning package from a remote source when the device first boots to OOBE. The device provisioning during OOBE is only triggered after the language, locale, time zone, and other settings on the first OOBE UI page are configured. On all Windows devices, device provisioning during OOBE can be triggered by 5 fast taps on the Windows hardware key. When device provisioning is triggered, the provisioning UI is displayed in the OOBE page. The provisioning UI allows users to select a provisioning package acquired from a remote source, such as through NFC or a removable media. 
+Device users can apply a provisioning package from a remote source when the device first boots to OOBE. The device provisioning during OOBE is only triggered after the language, locale, time zone, and other settings on the first OOBE UI page are configured. When device provisioning is triggered, the provisioning UI is displayed in the OOBE page. The provisioning UI allows users to select a provisioning package acquired from a remote source, such as through NFC or a removable media. The following table shows how device provisioning can be initiated when a user first boots to OOBE. @@ -125,17 +125,15 @@ The following table shows how device provisioning can be initiated when a user f | Package delivery | Initiation method | Supported device | | --- | --- | --- | | Removable media - USB drive or SD card
    (Packages must be placed at media root) | 5 fast taps on the Windows key to launch the provisioning UI |All Windows devices | -| From an administrator device through machine to machine NFC or NFC tag
    (The administrator device must run an app that can transfer the package over NFC) | 5 fast taps on the Windows key to launch the provisioning UI | Windows 10 Mobile devices and IoT Core devices | +| From an administrator device through machine-to-machine NFC or NFC tag
    (The administrator device must run an app that can transfer the package over NFC) | 5 fast taps on the Windows key to launch the provisioning UI | Windows 10 Mobile devices and IoT Core devices | -The provisioning engine always copies the acquired provisioning packages to the %ProgramData%\Microsoft\Provisioning folder before processing them during OOBE. The provisioning engine always applies provisioning packages embedded in the installed Windows image during Windows Setup OOBE pass regardless of whether the package is signed and trusted. When the provisioning engine applies an encrypted provisioning package on an end-user device during OOBE, users must first provide a valid password to decrypt the package. The provisioning engine also checks whether a provisioning package is signed and trusted; if it's not, the user must provide consent before the package is applied to the device. +The provisioning engine always copies the acquired provisioning packages to the `%ProgramData%\Microsoft\Provisioning` folder before processing them during OOBE. The provisioning engine always applies provisioning packages embedded in the installed Windows image during Windows Setup OOBE pass regardless of whether the package is signed and trusted. When the provisioning engine applies an encrypted provisioning package on an end-user device during OOBE, users must first provide a valid password to decrypt the package. The provisioning engine also checks whether a provisioning package is signed and trusted; if it's not, the user must provide consent before the package is applied to the device. When the provisioning engine applies provisioning packages during OOBE, it applies only the runtime settings from the package to the device. 
Runtime settings can be system-wide configuration settings, including security policy, Windows app install/uninstall, network configuration, bootstrapping MDM enrollment, provisioning of file assets, account and domain configuration, Windows edition upgrade, and more. The provisioning engine also checks for the configuration settings on the device, such as region/locale or SIM card, and applies the multivariant settings with matching condition(s). ## Device provisioning at runtime -At device runtime, standalone provisioning packages can be applied by user initiation. Only runtime configuration settings including multivariant settings contained in a provisioning package can be applied at device runtime. - -The following table shows when provisioning at device runtime can be initiated. +At device runtime, stand-alone provisioning packages can be applied by user initiation. The following table shows when provisioning at device runtime can be initiated. | Package delivery | Initiation method | Supported device | | --- | --- | --- | 
@@ -147,7 +145,7 @@ When applying provisioning packages from a removable media attached to the devic When applying multiple provisioning packages to a device, the provisioning engine resolves settings with conflicting configuration values from different packages by evaluating the package ranking using the combination of package owner type and package rank level defined in the package metadata. A configuration setting applied from a provisioning package with the highest package ranking will be the final value applied to the device. -After a standalone provisioning package is applied to the device, the package is persisted in the %ProgramData%\Microsoft\Provisioning folder on the device. Provisioning packages can be removed by an administrator by using the **Add or remove a provisioning package** available under **Settings** > **Accounts** > **Access work or school**. However, Windows 10 doesn't provide an uninstall option to revert runtime settings when removing a provisioning package from the device. +After a stand-alone provisioning package is applied to the device, the package is persisted in the `%ProgramData%\Microsoft\Provisioning` folder on the device. Provisioning packages can be removed by an administrator by using the **Add or remove a provisioning package** available under **Settings** > **Accounts** > **Access work or school**. ## Learn more 
@@ -160,15 +158,14 @@ After a standalone provisioning package is applied to the device, the package is ## Related topics - [Provisioning packages for Windows 10](provisioning-packages.md) -- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md) +- [Install Windows Configuration Designer](provisioning-install-icd.md) - [Create a provisioning package](provisioning-create-package.md) - [Apply a provisioning package](provisioning-apply-package.md) - [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) - [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) -- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md) - [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [NFC-based device provisioning](provisioning-nfc.md) -- [Windows ICD command-line interface (reference)](provisioning-command-line.md) +- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) +- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) - [Create a provisioning package with multivariant settings](provisioning-multivariant.md) diff --git a/windows/configure/provisioning-install-icd.md b/windows/configure/provisioning-install-icd.md index 9727bc089d..16ae7f94d5 100644 --- a/windows/configure/provisioning-install-icd.md +++ b/windows/configure/provisioning-install-icd.md @@ -1,6 +1,6 @@ --- -title: Install Windows Imaging and Configuration Designer (Windows 10) -description: Learn how to install and run Windows ICD. +title: Install Windows Configuration Designer (Windows 10) +description: Learn how to install and run Windows Configuration Designer. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library 
@@ -8,7 +8,7 @@ author: jdeckerMS localizationpriority: high --- -# Install Windows Imaging and Configuration Designer (ICD) +# Install Windows Configuration Designer **Applies to** @@ -16,11 +16,11 @@ localizationpriority: high - Windows 10 - Windows 10 Mobile -Use the Windows Imaging and Configuration Designer (ICD) tool in the Windows Assessment and Deployment Kit (ADK) to create provisioning packages to easily configure devices running Windows 10. Windows ICD is primarily designed for use by IT departments for business and educational institutions who need to provision bring-your-own-device (BYOD) and business-supplied devices. +Use the Windows Configuration Designer tool to create provisioning packages to easily configure devices running Windows 10. Windows Configuration Designer is primarily designed for use by IT departments for business and educational institutions who need to provision bring-your-own-device (BYOD) and business-supplied devices. ## Supported platforms -Windows ICD can create provisioning packages for Windows 10 desktop and mobile editions, including Windows 10 IoT Core. You can run Windows ICD on the following operating systems: +Windows Configuration Designer can create provisioning packages for Windows 10 desktop and mobile editions, including Windows 10 IoT Core, as well as Microsoft Surface Hub and Microsoft HoloLens. You can run Windows Configuration Designer on the following operating systems: - Windows 10 - x86 and amd64 - Windows 8.1 Update - x86 and amd64 
@@ -33,18 +33,28 @@ Windows ICD can create provisioning packages for Windows 10 desktop and mobile e - Windows Server 2012 - Windows Server 2008 R2 -## Install Windows ICD +>[!WARNING] +>You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards. -1. Go to [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) and select **Get Windows ADK** for the version of Windows 10 that you want to create provisioning packages for (version 1511 or version 1607). +## Install Windows Configuration Designer + +On devices running Windows 10, you can install [the Windows Configuration Designer app from the Windows Store](https://www.microsoft.com/store/apps/9nblggh4tx22). To run Windows Configuration Designer on other operating systems or in languages other than English, install it from the [Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). + +>[!NOTE] +>If you install Windows Configuration Designer from both the ADK and Windows Store, the Store app will not open. +> +>The Windows Configuration Designer App from Windows Store currently supports only English. For a localized version of the Windows Configuration Designer, install it from the Windows ADK. + +1. Go to [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) and select **Get Windows ADK** for the version of Windows 10 that you want to create provisioning packages for (version 1511, 1607, or 1703). >[!NOTE] - >The rest of this procedure uses Windows ADK for Windows 10, version 1607 as an example. + >The rest of this procedure uses Windows ADK for Windows 10, version 1703 as an example. 2. Save **adksetup.exe** and then run it. 3. On the **Specify Location** page, select an installation path and then click **Next**. 
>[!NOTE] - >The estimated disk space listed on this page applies to the full Windows ADK. If you only install Windows ICD, the space requirement is approximately 32 MB. + >The estimated disk space listed on this page applies to the full Windows ADK. If you only install Windows Configuration Designer, the space requirement is approximately 32 MB. 4. Make a selection on the **Windows Kits Privacy** page, and then click **Next**. 5. Accept the **License Agreement**, and then click **Next**. 
@@ -53,24 +63,24 @@ Windows ICD can create provisioning packages for Windows 10 desktop and mobile e ![Only Configuration Designer selected for installation](images/icd-install.png) -## Current Windows ICD limitations +## Current Windows Configuration Designer limitations -- You can only run one instance of Windows ICD on your computer at a time. +- You can only run one instance of Windows Configuration Designer on your computer at a time. - Be aware that when adding apps and drivers, all files stored in the same folder will be imported and may cause errors during the build process. -- The Windows ICD UI does not support multivariant configurations. Instead, you must use the Windows ICD command-line interface to configure multivariant settings. For more information, see [Create a provisioning package with multivariant settings](provisioning-multivariant.md). +- The Windows Configuration Designer UI does not support multivariant configurations. Instead, you must use the Windows Configuration Designer command-line interface to configure multivariant settings. For more information, see [Create a provisioning package with multivariant settings](provisioning-multivariant.md). -- While you can open multiple projects at the same time within Windows ICD, you can only build one project at a time. +- While you can open multiple projects at the same time within Windows Configuration Designer, you can only build one project at a time. -- In order to enable the simplified authoring jscripts to work on a server SKU running Windows ICD, you need to explicitly enable **Allow websites to prompt for information using scripted windows**. Do this by opening Internet Explorer and then navigating to **Settings** > **Internet Options** > **Security** -> **Custom level** > **Allow websites to prompt for information using scripted windows**, and then choose **Enable**. 
+- In order to enable the simplified authoring jscripts to work on a server SKU running Windows Configuration Designer, you need to explicitly enable **Allow websites to prompt for information using scripted windows**. Do this by opening Internet Explorer and then navigating to **Settings** > **Internet Options** > **Security** -> **Custom level** > **Allow websites to prompt for information using scripted windows**, and then choose **Enable**. -- If you copy a Windows ICD project from one PC to another PC, make sure that all the associated files for the deployment assets, such as apps and drivers, are copied along with the project to the same path as it was on the original PC. +- If you copy a Windows Configuration Designer project from one PC to another PC, make sure that all the associated files for the deployment assets, such as apps and drivers, are copied along with the project to the same path as it was on the original PC. - For example, when you add a driver to a provisioned package, you must copy the .INF file to a local directory on the PC that is running Windows ICD. If you don't do this, and attempt to use a copied version of this project on a different PC, Windows ICD might attempt to resolve the path to the files that point to the original PC. + For example, when you add a driver to a provisioned package, you must copy the .INF file to a local directory on the PC that is running Windows Configuration Designer. If you don't do this, and attempt to use a copied version of this project on a different PC, Windows Configuration Designer might attempt to resolve the path to the files that point to the original PC. -- **Recommended**: Before starting, copy all source files to the PC running Windows ICD, rather than using external sources like network shares or removable drives. This reduces the risk of interrupting the build process from a temporary network issue or from disconnecting the USB device. 
+- **Recommended**: Before starting, copy all source files to the PC running Windows Configuration Designer, rather than using external sources like network shares or removable drives. This reduces the risk of interrupting the build process from a temporary network issue or from disconnecting the USB device. **Next step**: [How to create a provisioning package](provisioning-create-package.md) @@ -88,10 +98,9 @@ Windows ICD can create provisioning packages for Windows 10 desktop and mobile e - [Apply a provisioning package](provisioning-apply-package.md) - [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) - [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) -- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md) - [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [NFC-based device provisioning](provisioning-nfc.md) -- [Windows ICD command-line interface (reference)](provisioning-command-line.md) +- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) +- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) - [Create a provisioning package with multivariant settings](provisioning-multivariant.md) diff --git a/windows/configure/provisioning-multivariant.md b/windows/configure/provisioning-multivariant.md index d33f1206b5..d28ac354ee 100644 --- a/windows/configure/provisioning-multivariant.md +++ b/windows/configure/provisioning-multivariant.md 
@@ -302,15 +302,14 @@ The following events trigger provisioning on Windows 10 devices: - [Provisioning packages for Windows 10](provisioning-packages.md) - [How provisioning works in Windows 10](provisioning-how-it-works.md) -- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md) +- [Install Windows Configuration Designer](provisioning-install-icd.md) - [Create a provisioning package](provisioning-create-package.md) - [Apply a provisioning package](provisioning-apply-package.md) - [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) - [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) -- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md) - [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [NFC-based device provisioning](provisioning-nfc.md) -- [Windows ICD command-line interface (reference)](provisioning-command-line.md) +- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) +- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md)   diff --git a/windows/configure/provisioning-nfc.md b/windows/configure/provisioning-nfc.md index 114e6d5545..fad3428d0c 100644 --- a/windows/configure/provisioning-nfc.md +++ b/windows/configure/provisioning-nfc.md 
@@ -17,7 +17,7 @@ localizationpriority: high Near field communication (NFC) enables Windows 10 Mobile Enterprise and Windows 10 Mobile devices to communicate with an NFC tag or another NFC-enabled transmitting device. Enterprises that do bulk provisioning can use NFC-based device provisioning to provide a provisioning package to the device that's being provisioned. NFC provisioning is simple and convenient and it can easily store an entire provisioning package. -The NFC provisioning option enables the administrator to provide a provisioning package during initial device setup or the out-of-box experience (OOBE) phase. Administrators can use the NFC provisioning option to transfer provisioning information to persistent storage by tapping an unprovisioned mobile device to an NFC tag or NFC-enabled device. To use NFC for pre-provisioning a device, you must either prepare your own NFC tags by storing your provisioning package to a tag as described in this section, or build the infrastructure needed to transmit a provisioning package between an NFC-enabled device and a mobile device during OOBE. +The NFC provisioning option enables the administrator to provide a provisioning package during initial device setup (the out-of-box experience or OOBE phase). Administrators can use the NFC provisioning option to transfer provisioning information to persistent storage by tapping an unprovisioned mobile device to an NFC tag or NFC-enabled device. To use NFC for pre-provisioning a device, you must either prepare your own NFC tags by storing your provisioning package to a tag as described in this section, or build the infrastructure needed to transmit a provisioning package between an NFC-enabled device and a mobile device during OOBE. ## Provisioning OOBE UI 
@@ -131,18 +131,9 @@ For detailed information and code samples on how to implement an NFC-enabled dev ## Related topics -- [Provisioning packages for Windows 10](provisioning-packages.md) -- [How provisioning works in Windows 10](provisioning-how-it-works.md) -- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md) -- [Create a provisioning package](provisioning-create-package.md) -- [Apply a provisioning package](provisioning-apply-package.md) -- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) -- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) -- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md) -- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [Windows ICD command-line interface (reference)](provisioning-command-line.md) -- [Create a provisioning package with multivariant settings](provisioning-multivariant.md) +- [Use Windows Configuration Designer to configure Windows 10 Mobile devices](provisioning-configure-mobile.md) +- [Barcode provisioning and the package splitter tool](provisioning-package-splitter.md)     diff --git a/windows/configure/provisioning-package-splitter.md b/windows/configure/provisioning-package-splitter.md new file mode 100644 index 0000000000..00a62a1ae4 --- /dev/null +++ b/windows/configure/provisioning-package-splitter.md 
@@ -0,0 +1,88 @@ +--- +title: Barcode provisioning and the package splitter tool (Windows 10) +description: +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: high +--- + +# Barcode provisioning and the package splitter tool + + +**Applies to** + +- Windows 10 Mobile + +Enterprises that do bulk provisioning can use barcode-based device provisioning to provide a provisioning package to the device that's being provisioned. + +The barcode provisioning option enables the administrator to provide a provisioning package during initial device setup (the out-of-box experience or OOBE phase). To use barcodes to provision a device, your devices must have an integrated barcode scanner. You can get the barcode format that the scanner supports from your OEM or device provider, and use your existing tools and processes to convert a provisioning package into barcodes. + +Enterprise IT professionals who want to use a barcode to provision mobile devices during OOBE can use the package splitter tool, **ppkgtobase64.exe**, which is a command-line tool to split the provisioning package into smaller files. + +The smallest provisioning package is typically 5-6 KB, which cannot fit into one single barcode. The package splitter tool allows partners to split the original provisioning package into multiple smaller sized chunks that are encoded with Base64 so that enterprises can leverage their existing tools to convert these files into barcodes. + +When you [install Windows Configuration Designer](provisioning-install-icd.md) from the Windows Assessment and Deployment Kit (ADK), **ppkgtobase64.exe** is installed to the same folder. + +## Prerequisites + +Before you can use the tool, you must have a built provisioning package. The package file is the input to the package splitter tool. 
+ +- To build a provisioning package using the Windows Configuration Designer UI, see [Use Windows Configuration Designer to configure Windows 10 Mobile devices](provisioning-configure-mobile.md). +- To build a provisioning package using the Windows Configuration Designer CLI, see [Windows Configuration Designer command-line interface](provisioning-command-line.md). + +## To use the package splitter tool (ppkgtobase64.exe) + +1. Open a command-line window with administrator privileges. + + +2. From the command-line, navigate to the Windows Configuration Designer install directory. + + On an x64 computer, type: + ``` + cd C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86 + ``` + + - or - + + On an x86 computer, type: + + ``` + cd C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86 + ``` + +3. Run `ppkgtobase64.exe`. The [syntax](#syntax) and [switches and arguments](#switches-and-arguments) sections provide details for the command. + + +### Syntax + +``` +ppkgtobase64.exe -i -o -s [-c] [/?] +``` + +### Switches and arguments + +| Switch | Required? | Arguments | +| --- | --- | --- | +| -i | Yes | Use to specify the path and file name of the provisioning package that you want to divide into smaller files.

    The tool allows you to specify the absolute path of the provisioning package file. However, if you don't specify the path, the tool will search the current folder for a package that matches the file name you specified. | +| -o | Yes | Use to specify the directory where the output files will be saved. | +| -s | Yes | Use to specify the size of the block that will be encoded in Base64. | +| -c | No | Use to delete any files in the output directory if the directory already exists. This parameter is optional. | +| /? | No | Lists the switches and their descriptions for the command-line tool or for certain commands. | + + + + + +## Related topics + + +  + +  + + + + + diff --git a/windows/configure/provisioning-packages.md b/windows/configure/provisioning-packages.md index 557bf3e595..8732d8c5a3 100644 --- a/windows/configure/provisioning-packages.md +++ b/windows/configure/provisioning-packages.md @@ -14,8 +14,8 @@ localizationpriority: high **Applies to** -- Windows 10 -- Windows 10 Mobile +- Windows 10 +- Windows 10 Mobile Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. Using Windows provisioning, an IT administrator can easily specify desired configuration and settings required to enroll the devices into management and then apply that configuration to target devices in a matter of minutes. It is best suited for small- to medium-sized businesses with deployments that range from tens to a few hundred computers. 
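Review bot: The new provisioning-package-splitter.md page says the split chunks are "encoded with Base64" but never points out that Base64 is an encoding, not encryption, so barcode files and printed barcodes carry every setting in the package in recoverable form; elsewhere in this commit (the kiosk page) the docs already warn that a .ppkg may contain sensitive information, and the same caveat belongs here, e.g. after the sentence describing the tool: `Base64 encoding does not protect the contents of the package; treat the output files and the barcodes generated from them with the same care as the provisioning package itself.` The `-c` row should also make the destructive behaviour explicit, since "delete any files in the output directory" applies to anything already in that directory: `| -c | No | Use to delete any existing files in the output directory before writing. Use a directory dedicated to the tool's output. |`. The `-s` row gives no unit or range for the block size; state the unit (`<UNIT, e.g. bytes>` as a placeholder until confirmed) so readers can match it to what their barcode scanner supports.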
@@ -23,59 +23,74 @@ A provisioning package (.ppkg) is a container for a collection of configuration Provisioning packages are simple enough that with a short set of written instructions, a student or non-technical employee can use them to configure their device. This can result in a significant reduction in the time required to configure multiple devices in your organization. -The [Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) includes the Imaging and Configuration Designer (ICD), a tool for configuring provisioning packages. +The [Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) includes the Windows Configuration Designer, a tool for configuring provisioning packages. Windows Configuration Designer is also available as an [app in the Windows Store](https://www.microsoft.com/store/apps/9nblggh4tx22). -## New in Windows 10, version 1607 -Windows ICD for Windows 10, version 1607, simplifies common provisioning scenarios. -![Configuration Designer options](images/icd.png) -Windows ICD in Windows 10, version 1607, supports the following scenarios for IT administrators: +## New in Windows 10, version 1703 -* **Simple provisioning** – Enables IT administrators to define a desired configuration in Windows ICD and then apply that configuration on target devices. The simple provisioning wizard makes the entire process quick and easy by guiding an IT administrator through common configuration settings in a step-by-step manner. +- The tool for creating provisioning packages is renamed Windows Configuration Designer, replacing the Windows Imaging and Configuration Designer (ICD) tool. The components for creating images have been removed from Windows Configuration Designer, which now provides access to runtime settings only. 
+- Windows Configuration Designer can still be installed from the Windows ADK. You can also install it from the Windows Store. +- Windows Configuration Designer adds more wizards to make it easier to create provisioning packages for specific scenarios. See [What you can configure](#configuration-designer-wizards) for wizard descriptions. +- The wizard **Provision desktop devices** (previously called **Simple provisioning**) now enables joining Azure Active Directory (Azure AD) domains and also allows you to remove non-Microsoft software from Windows desktop devices during provisioning. +- When provisioning packages are applied to a device, a status screen indicates successful or failed provisioning. +- Windows 10 includes PowerShell cmdlets that simplify scripted provisioning. Using these cmdlets, you can add provisioning packages, remove provisioning packages and generate log files to investigate provisioning errors. +- The **Provision school devices** wizard is removed from Windows Configuration Designer. Instead, use the [Setup School PCs app](https://www.microsoft.com/store/p/set-up-school-pcs/9nblggh4ls40) from the Windows Store. + - > [Learn how to use simple provisioning to configure Windows 10 computers.](provision-pcs-for-initial-deployment.md) - -* **Advanced provisioning (deployment of classic (Win32) and Universal Windows Platform (UWP) apps, and certificates)** – Allows an IT administrator to use Windows ICD to open provisioning packages in the advanced settings editor and include apps for deployment on end-user devices. - - > [Learn how to use advanced provisioning to configure Windows 10 computers with apps and certificates.](provision-pcs-with-apps-and-certificates.md) - -* **Mobile device enrollment into management** - Enables IT administrators to purchase off-the-shelf retail Windows 10 Mobile devices and enroll them into mobile device management (MDM) before handing them to end-users in the organization. 
IT administrators can use Windows ICD to specify the management end-point and apply the configuration on target devices by connecting them to a Windows PC (tethered deployment) or through an SD card. Supported management end-points include: - - * System Center Configuration Manager and Microsoft Intune hybrid (certificate-based enrollment) - * AirWatch (password-string based enrollment) - * Mobile Iron (password-string based enrollment) - * Other MDMs (cert-based enrollment) - -> [!NOTE] -> Windows ICD in Windows 10, version 1607, also provides a wizard to create provisioning packages for school PCs. To learn more, see [Set up students' PCs to join domain](https://technet.microsoft.com/edu/windows/index). ## Benefits of provisioning packages Provisioning packages let you: -- Quickly configure a new device without going through the process of installing a new image. +- Quickly configure a new device without going through the process of installing a new image. -- Save time by configuring multiple devices using one provisioning package. +- Save time by configuring multiple devices using one provisioning package. -- Quickly configure employee-owned devices in an organization without a mobile device management (MDM) infrastructure. +- Quickly configure employee-owned devices in an organization without a mobile device management (MDM) infrastructure. -- Set up a device without the device having network connectivity. +- Set up a device without the device having network connectivity. Provisioning packages can be: -- Installed using removable media such as an SD card or USB flash drive. +- Installed using removable media such as an SD card or USB flash drive. -- Attached to an email. +- Attached to an email. -- Downloaded from a network share. +- Downloaded from a network share. + +- Deployed in NFC tags or barcodes. 
## What you can configure +### Configuration Designer wizards -The following table provides some examples of what you can configure using provisioning packages. +The following table describes settings that you can configure using the wizards in Windows Configuration Designer to create provisioning packages. + + + + + + + + + +
    **Step****Description****Desktop
    wizard**
    **Mobile
    wizard**
    **Kiosk
    wizard**
    Set up deviceAssign device name,
    enter product key to upgrade Windows,
    configure shared used,
    remove pre-installed software
    ![yes](images/checkmark.png)![yes](images/checkmark.png)
    (Only device name and upgrade key)
    ![yes](images/checkmark.png)
    Set up networkConnect to a Wi-Fit network![yes](images/checkmark.png)![yes](images/checkmark.png)![yes](images/checkmark.png)
    Account managementEnroll device in Active Directory,
    enroll device in Azure Active Directory,
    or create a local administrator account
    ![yes](images/checkmark.png)![no](images/crossmark.png)![yes](images/checkmark.png)
    Bulk Enrollment in Azure ADEnroll device in Azure Active Directory

    Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup).
    ![no](images/crossmark.png)![yes](images/checkmark.png)![no](images/crossmark.png)
    Add applicationsInstall applications using the provisioning package.![yes](images/checkmark.png)![no](images/crossmark.png)![yes](images/checkmark.png)
    Add certificatesInclude a certificate file in the provisioning package.![yes](images/checkmark.png)![no](images/crossmark.png)![yes](images/checkmark.png)
    Configure kiosk account and appCreate local account to run the kiosk mode app,
    specify the app to run in kiosk mode
    ![no](images/crossmark.png)![no](images/crossmark.png)![yes](images/checkmark.png)
    Configure kiosk common settingsSet tablet mode,
    configure welcome and shutdown screens,
    turn off timeout settings
    ![no](images/crossmark.png)![no](images/crossmark.png)![yes](images/checkmark.png)
    + +- [Instructions for the desktop wizard](provision-pcs-for-initial-deployment.md) +- [Instructions for the mobile wizard](provisioning-configure-mobile.md) +- [Instructions for the kiosk wizard](set-up-a-kiosk-for-windows-10-for-desktop-editions.md#wizard) + + + +>[!NOTE] +>After you start a project using a Windows Configuration Designer wizard, you can switch to the advanced editor to configure additional settings in the provisioning package. + +### Configuration Designer advanced editor + +The following table provides some examples of settings that you can configure using the Windows Configuration Designer advanced editor to create provisioning packages. | Customization options | Examples | |--------------------------|-----------------------------------------------------------------------------------------------| 
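Review bot: The new wizard table in provisioning-packages.md has two typos on the added rows: "Connect to a Wi-Fit network" should read `Connect to a Wi-Fi network`, and "configure shared used" in the Set up device row presumably means `configure shared use` (hedged, since the intended wording is inferred). The markers on the table rows are lost in this view, so both are assumed to be new-side text; the hunk is otherwise complete within the listing.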
@@ -93,25 +108,52 @@ The following table provides some examples of what you can configure using provi For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( https://go.microsoft.com/fwlink/p/?LinkId=619012). +## Changes to provisioning in Windows 10, version 1607 + +>[!NOTE] +>This section is retained for customers using Windows 10, version 1607, on the Current Branch for Business. Some of this information is not applicable in Windows 10, version 1703. + +Windows ICD for Windows 10, version 1607, simplified common provisioning scenarios. + +![Configuration Designer options](images/icd.png) + +Windows ICD in Windows 10, version 1607, supported the following scenarios for IT administrators: + +* **Simple provisioning** – Enables IT administrators to define a desired configuration in Windows ICD and then apply that configuration on target devices. The simple provisioning wizard makes the entire process quick and easy by guiding an IT administrator through common configuration settings in a step-by-step manner. + + > [Learn how to use simple provisioning to configure Windows 10 computers.](provision-pcs-for-initial-deployment.md) + +* **Advanced provisioning (deployment of classic (Win32) and Universal Windows Platform (UWP) apps, and certificates)** – Allows an IT administrator to use Windows ICD to open provisioning packages in the advanced settings editor and include apps for deployment on end-user devices. + +* **Mobile device enrollment into management** - Enables IT administrators to purchase off-the-shelf retail Windows 10 Mobile devices and enroll them into mobile device management (MDM) before handing them to end-users in the organization. IT administrators can use Windows ICD to specify the management end-point and apply the configuration on target devices by connecting them to a Windows PC (tethered deployment) or through an SD card. 
Supported management end-points include: + + * System Center Configuration Manager and Microsoft Intune hybrid (certificate-based enrollment) + * AirWatch (password-string based enrollment) + * Mobile Iron (password-string based enrollment) + * Other MDMs (cert-based enrollment) + +> [!NOTE] +> Windows ICD in Windows 10, version 1607, also provided a wizard to create provisioning packages for school PCs. To learn more, see [Set up students' PCs to join domain](https://technet.microsoft.com/edu/windows/index). + ## Learn more -- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921) +- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921) -- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922) +- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922) ## Related topics - [How provisioning works in Windows 10](provisioning-how-it-works.md) -- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md) +- [Install Windows Configuration Designer](provisioning-install-icd.md) - [Create a provisioning package](provisioning-create-package.md) - [Apply a provisioning package](provisioning-apply-package.md) - [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) - [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) -- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md) - [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [NFC-based device provisioning](provisioning-nfc.md) -- [Windows ICD command-line interface 
(reference)](provisioning-command-line.md) +- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) +- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) - [Create a provisioning package with multivariant settings](provisioning-multivariant.md) +- [Use Windows Configuration Designer to configure Windows 10 Mobile devices](provisioning-configure-mobile.md) diff --git a/windows/configure/provisioning-powershell.md b/windows/configure/provisioning-powershell.md new file mode 100644 index 0000000000..508bada17f --- /dev/null +++ b/windows/configure/provisioning-powershell.md @@ -0,0 +1,72 @@ +--- +title: PowerShell cmdlets for provisioning Windows 10 (Windows 10) +description: +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: high +--- + +# PowerShell cmdlets for provisioning Windows 10 (reference) + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +Windows 10, version 1703, ships with Windows Provisioning PowerShell cmdlets. These cmdlets make it easy to script the following functions. + + + + + + + + + + + +
    CmdletUse this cmdlet toSyntax
    Add-ProvisioningPackage Apply a provisioning package```Add-ProvisioningPackage [-Path] [-ForceInstall] [-LogsFolder ] [-WprpFile ] []```
    Remove-ProvisioningPackageRemove a provisioning package ```Remove-ProvisioningPackage -PackageId [-LogsFolder ] [-WprpFile ] []```
    ```Remove-ProvisioningPackage -Path [-LogsFolder ] [-WprpFile ] []```
    ```Remove-ProvisioningPackage -AllInstalledPackages [-LogsFolder ] [-WprpFile ] []```
    Get-ProvisioningPackage Get information about an installed provisioning package ```Get-ProvisioningPackage -PackageId [-LogsFolder ] [-WprpFile ] []```
    ```Get-ProvisioningPackage -Path [-LogsFolder ] [-WprpFile ] []```
    ```Get-ProvisioningPackage -AllInstalledPackages [-LogsFolder ] [-WprpFile ] []```
    Export-ProvisioningPackage Extract the contents of a provisioning package ```Export-ProvisioningPackage -PackageId -OutputFolder [-Overwrite] [-AnswerFileOnly] [-LogsFolder ] [-WprpFile ] []```
    ```Export-ProvisioningPackage -Path -OutputFolder [-Overwrite] [-AnswerFileOnly] [-LogsFolder ] [-WprpFile ] []```
    Install-TrustedProvisioningCertificate Adds a certificate to the Trusted Certificate store ```Install-TrustedProvisioningCertificate ```
    Get-TrustedProvisioningCertificate List all installed trusted provisioning certificates; use this cmdlet to get the certificate thumbprint to use with the **Uninstall-TrustedProvisioningCertificate** cmdlet```Get-TrustedProvisioningCertificate```
    Uninstall-TrustedProvisioningCertificate Remove a previously installed provisioning certificate```Uninstall-TrustedProvisioningCertificate ```
    + +>[!NOTE] +> You can use Get-Help to get usage help on any command. For example: `Get-Help Add-ProvisioningPackage` + +Trace logs are captured when using cmdlets. The following logs are available in the logs folder after the cmdlet completes: + +- ProvTrace.<timestamp>.ETL - ETL trace file, unfiltered +- ProvTrace.<timestamp>.XML - ETL trace file converted into raw trace events, unfiltered +- ProvTrace.<timestamp>.TXT - TEXT file containing trace output formatted for easy reading, filtered to only show events logged by providers in the WPRP file +- ProvLogReport.<timestamp>.XLS - Excel file containing trace output, filtered to only show events logged by providers in WPRP file + + + +>[!NOTE] +>When applying provisioning packages using Powershell cmdlets, the default behavior is to suppress the prompt that appears when applying an unsigned provisioning package. This is by design so that provisioning packages can be applied as part of existing scripts. + + +## Related topics + +- [How provisioning works in Windows 10](provisioning-how-it-works.md) +- [Install Windows Configuration Designer](provisioning-install-icd.md) +- [Create a provisioning package](provisioning-create-package.md) +- [Apply a provisioning package](provisioning-apply-package.md) +- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) +- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) +- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) +- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) +- [Create a provisioning package with multivariant settings](provisioning-multivariant.md) + + + + + +  + +  + + + + + diff --git a/windows/configure/provisioning-script-to-install-app.md b/windows/configure/provisioning-script-to-install-app.md index 8754c66299..20ada61de8 100644 
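Review bot: The final note in the new provisioning-powershell.md page states that the unsigned-package prompt is suppressed by default but gives the reader no guidance on what replaces that safeguard in a scripted flow; one sentence after it would close the gap, e.g. `Because the prompt is suppressed, apply only packages obtained from a trusted source; where possible, sign your packages and install the signing certificate with **Install-TrustedProvisioningCertificate** before running Add-ProvisioningPackage.` The trace-log paragraph says the logs are "available in the logs folder" while `-LogsFolder` is optional in every syntax line, so the default location when the parameter is omitted should be stated (use a placeholder such as `<DEFAULT LOGS FOLDER — confirm>` until verified). Minor style: the same note writes "Powershell" while the rest of the page uses "PowerShell", and the Install-TrustedProvisioningCertificate row uses "Adds a certificate" where the other rows use the imperative "Add/Remove/Get".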
--- a/windows/configure/provisioning-script-to-install-app.md
+++ b/windows/configure/provisioning-script-to-install-app.md
@@ -168,21 +168,21 @@ Here’s a table describing this relationship, using the PowerShell example from ### Add script to provisioning package -When you have the batch file written and the referenced assets ready to include, you can add them to a provisioning package in the Window Imaging and Configuration Designer (Windows ICD). +When you have the batch file written and the referenced assets ready to include, you can add them to a provisioning package in the Window Configuration Designer. -Using ICD, specify the full details of how the script should be run in the CommandLine setting in the provisioning package. This includes flags or any other parameters that you would normally type on the command line. So for example if the package contained an app installer called install.exe and a script used to automate the install called InstallMyApp.bat, the `ProvisioningCommands/DeviceContext/CommandLine` setting should be configured to: +Using Windows Configuration Designer, specify the full details of how the script should be run in the CommandLine setting in the provisioning package. This includes flags or any other parameters that you would normally type on the command line. So for example if the package contained an app installer called install.exe and a script used to automate the install called InstallMyApp.bat, the `ProvisioningCommands/DeviceContext/CommandLine` setting should be configured to: ``` cmd /c InstallMyApp.bat ``` -In ICD, this looks like: +In Windows Configuration Designer, this looks like: ![Command line in Selected customizations](images/icd-script1.png) You also need to add the relevant assets for that command line including the orchestrator script and any other assets it references such as installers or .cab files. -In ICD, that is done by adding files under the `ProvisioningCommands/DeviceContext/CommandFiles` setting. +In Windows Configuration Designer, that is done by adding files under the `ProvisioningCommands/DeviceContext/CommandFiles` setting. 
![Command files in Selected customizations](images/icd-script2.png) @@ -211,12 +211,11 @@ When you are done, [build the package](provisioning-create-package.md#build-pack - [Provisioning packages for Windows 10](provisioning-packages.md) - [How provisioning works in Windows 10](provisioning-how-it-works.md) -- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md) +- [Install Windows Configuration Designer](provisioning-install-icd.md) - [Create a provisioning package](provisioning-create-package.md) - [Apply a provisioning package](provisioning-apply-package.md) - [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) - [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) -- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md) -- [NFC-based device provisioning](provisioning-nfc.md) -- [Windows ICD command-line interface (reference)](provisioning-command-line.md) +- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) +- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) - [Create a provisioning package with multivariant settings](provisioning-multivariant.md) \ No newline at end of file diff --git a/windows/configure/provisioning-uninstall-package.md b/windows/configure/provisioning-uninstall-package.md index b3836ede88..e4ee9c442e 100644 --- a/windows/configure/provisioning-uninstall-package.md +++ b/windows/configure/provisioning-uninstall-package.md 
@@ -27,7 +27,7 @@ Only settings in the following lists are revertible. ## Registry-based settings -The registry-based settings that are revertible when a provisioning package is uninstalled all fall under these categories, which you can find in the Graphical User Interface of the Windows Imaging and Configuration Designer (Windows ICD). +The registry-based settings that are revertible when a provisioning package is uninstalled all fall under these categories, which you can find in the Windows Configuration Designer. - [Wi-Fi Sense](https://msdn.microsoft.com/library/windows/hardware/mt219706.aspx) @@ -78,14 +78,13 @@ Here is the list of revertible settings based on configuration service providers - [Provisioning packages for Windows 10](provisioning-packages.md) - [How provisioning works in Windows 10](provisioning-how-it-works.md) -- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md) +- [Install Windows Configuration Designer](provisioning-install-icd.md) - [Create a provisioning package](provisioning-create-package.md) - [Apply a provisioning package](provisioning-apply-package.md) - [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) -- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md) - [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [NFC-based device provisioning](provisioning-nfc.md) -- [Windows ICD command-line interface (reference)](provisioning-command-line.md) +- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) +- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) - [Create a provisioning package with multivariant settings](provisioning-multivariant.md)   
diff --git a/windows/configure/set-up-a-device-for-anyone-to-use.md b/windows/configure/set-up-a-device-for-anyone-to-use.md
index f274498ed1..7a58deaa8f 100644
--- a/windows/configure/set-up-a-device-for-anyone-to-use.md
+++ b/windows/configure/set-up-a-device-for-anyone-to-use.md
@@ -1,5 +1,5 @@
 ---
-title: Set up a device for anyone to use (kiosk mode) (Windows 10)
+title: Set up a device for anyone to use in kiosk mode (Windows 10)
 description: You can configure Windows 10 as a kiosk device, so that users can only interact with a single app.
 ms.assetid: F1F4FF19-188C-4CDC-AABA-977639C53CA8
 keywords: ["kiosk", "lockdown", "assigned access"]
@@ -8,6 +8,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 author: jdeckerMS
 localizationpriority: high
+redirect_url: https://technet.microsoft.com/itpro/windows/configure/kiosk-shared-pc
 ---
 
 # Set up a device for anyone to use (kiosk mode)
diff --git a/windows/configure/set-up-a-kiosk-for-windows-10-for-desktop-editions.md b/windows/configure/set-up-a-kiosk-for-windows-10-for-desktop-editions.md
index 211f47f9c2..e9f19dfa8f 100644
--- a/windows/configure/set-up-a-kiosk-for-windows-10-for-desktop-editions.md
+++ b/windows/configure/set-up-a-kiosk-for-windows-10-for-desktop-editions.md
@@ -19,52 +19,65 @@ localizationpriority: high > **Looking for Windows Embedded 8.1 Industry information?** See [Assigned Access]( https://go.microsoft.com/fwlink/p/?LinkId=613653) -A single-use or *kiosk* device is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education). For a kiosk device to run a Universal Windows app, use the **assigned access** feature. For a kiosk device (Windows 10 Enterprise or Education) to run a Classic Windows application, use **Shell Launcher** to set a custom user interface as the shell. To return the device to the regular shell, see [Sign out of assigned access](#sign-out-of-assigned-access). +A single-use or *kiosk* device is easy to set up in Windows 10 for desktop editions. -**Note**   -A Universal Windows app is built on the Universal Windows Platform (UWP), which was first introduced in Windows 8 as the Windows Runtime. A Classic Windows application uses the Classic Windows Platform (CWP) (e.g., COM, Win32, WPF, WinForms, etc.) and is typically launched using an .EXE or .DLL file. +- Use the [Provision kiosk devices wizard](#wizard) in Windows Configuration Designer to create a provisioning package that configures a kiosk device running either a Universal Windows app or a Classic Windows application (Windows 10 Enterprise or Education only). + + or + +- For a kiosk device to run a Universal Windows app, use the [assigned access](#assigned-access) feature (Windows 10 Pro, Enterprise, or Education). + + or + +- For a kiosk device to run a Classic Windows application, use [Shell Launcher](#shell-launcher) to set a custom user interface as the shell (Windows 10 Enterprise or Education only). + +To return the device to the regular shell, see [Sign out of assigned access](#sign-out-of-assigned-access). + +>[!NOTE] +>A Universal Windows app is built on the Universal Windows Platform (UWP), which was first introduced in Windows 8 as the Windows Runtime. 
A Classic Windows application uses the Classic Windows Platform (CWP) (e.g., COM, Win32, WPF, WinForms, etc.) and is typically launched using an .EXE or .DLL file.   -## Other settings to lock down -For a more secure kiosk experience, we recommend that you make the following configuration changes to the device: + +## Set up a kiosk using Windows Configuration Designer -- Put device in **Tablet mode**. +When you use the **Provision kiosk devices** wizard in Windows Configuration Designer, you can configure the kiosk to run either a Universal Windows app or a Classic Windows application. - If you want users to be able to use the touch (on screen) keyboard, go to **Settings** > **System** > **Tablet mode** and choose **On.** +>[!IMPORTANT] +>When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. -- Hide **Ease of access** feature on the logon screen. - Go to **Control Panel** > **Ease of Access** > **Ease of Access Center**, and turn off all accessibility tools. +[Install Windows Configuration Designer](provisioning-install-icd.md), then open Windows Configuration Designer and select **Provision kiosk devices**. After you name your project, and click **Next**, configure the settings as shown in the following table. -- Disable the hardware power button. - Go to **Power Options** > **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**. -- Remove the power button from the sign-in screen. + + + + + + + + + +
    ![step one](images/one.png)![set up device](images/set-up-device.png)

    Enable device setup if you want to configure settings on this page.

    **If enabled:**

    Enter a name for the device.

    (Optional) Select a license file to upgrade Windows 10 to a different edition. [See the permitted upgrades.](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades)

    Toggle **Configure devices for shared use** off. This setting optimizes Windows 10 for shared use scenarios and isn't necessary for a kiosk scenario.

    You can also select to remove pre-installed software from the device.
    ![device name, upgrade to enterprise, shared use, remove pre-installed software](images/set-up-device-details.png)
    ![step two](images/two.png) ![set up network](images/set-up-network.png)

    Enable network setup if you want to configure settings on this page.

    **If enabled:**

    Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.
    ![Enter network SSID and type](images/set-up-network-details.png)
    ![step three](images/three.png) ![account management](images/account-management.png)

    Enable account management if you want to configure settings on this page.

    **If enabled:**

    You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the device

    To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.

    Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.

    **Warning:** You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.

    To create a local administrator account, select that option and enter a user name and password.

    **Important:** If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in.
    ![join Active Directory, Azure AD, or create a local admin account](images/account-management-details.png)
    ![step four](images/four.png) ![add applications](images/add-applications.png)

    You can provision the kiosk app in the **Add applications** step. You can install multiple applications, both Classic Windows (Win32) apps and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see [Provision PCs with apps](provision-pcs-with-apps.md)

    **Warning:** If you click the plus button to add an application, you must specify an application for the provisioning package to validate. If you click the plus button in error, select any executable file in **Installer Path**, and then a **Cancel** button becomes available, allowing you to complete the provisioning package without an application.
    ![add an application](images/add-applications-details.png)
    ![step five](images/five.png) ![add certificates](images/add-certificates.png)

    To provision the device with a certificate for the kiosk app, click **Add a certificate**. Enter a name for the certificate, and then browse to and select the certificate to be used.
    ![add a certificate](images/add-certificates-details.png)
    ![step six](images/six.png) ![Configure kiosk account and app](images/kiosk-account.png)

    **Important:** You must use the Windows Configuration Designer app from Windows Store to select a Classic Windows application as the kiosk app in a provisioning package.

    You can create a local standard user account that will be used to run the kiosk app. If you toggle **No**, make sure that you have an existing user account to run the kiosk app.

    If you want to create an account, enter the user name and password, and then toggle **Yes** or **No** to automatically sign in the account when the device starts.

    In **Configure the kiosk mode app**, enter the name of the user account that will run the kiosk mode app. Select the type of app to run in kiosk mode, and then enter the path or filename (for a Classic Windows app) or the AUMID (for a Universal Windows app). For a Classic Windows app, you can use the filename if the path to the file is in the PATH environment variable, otherwise the full path is required.
    ![Configure kiosk account and app](images/kiosk-account-details.png)
    ![step seven](images/seven.png) ![configure kiosk common settings](images/kiosk-common.png)

    On this step, select your options for tablet mode, the user experience on the Welcome and shutdown screens, and the timeout settings.
    ![set tablet mode and configure welcome and shutdown and turn off timeout settings](images/kiosk-common-details.png)
    ![finish](images/finish.png)

    You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.
    ![Protect your package](images/finish-details.png)
    - Go to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** >**Security Options** > **Shutdown: Allow system to be shut down without having to log on** and select **Disabled.** -- Disable the camera. +>[!NOTE] +>If you want to use the advanced editor in Windows Configuration Designer, specify the user account and app (by AUMID) in **Runtime settings** > **AssignedAccess** > **AssignedAccessSettings** - Go to **Settings** > **Privacy** > **Camera**, and turn off **Let apps use my camera**. -- Turn off app notifications on the lock screen. - Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**. -- Disable removable media. - Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation. +[Learn how to apply a provisioning package.](provisioning-apply-package.md) - **Note**   - To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**.   - -## Assigned access method for Universal Windows apps + +## Assigned access method for Universal Windows apps Using assigned access, Windows 10 runs the designated Universal Windows app above the lockscreen, so that the assigned access account has no access to any other functionality on the device. You have these choices for setting up assigned access: 
@@ -73,7 +86,7 @@ Using assigned access, Windows 10 runs the designated Universal Windows app abo | --- | --- | --- | | [Use Settings on the PC](#set-up-assigned-access-in-pc-settings) | Local standard | Pro, Enterprise, Education | | [Apply a mobile device management (MDM) policy](#set-up-assigned-access-in-mdm) | All (domain, local standard, local administrator, etc) | Enterprise, Education | -| [Create a provisioning package using Windows Imaging and Configuration Designer (ICD)](#icd) | All (domain, local standard, local administrator, etc) | Enterprise, Education | +| [Create a provisioning package using Windows Configuration Designer](#wizard) | All (domain, local standard, local administrator, etc) | Enterprise, Education | | [Run a PowerShell script](#set-up-assigned-access-using-windows-powershell) | Local standard | Pro, Enterprise, Education | @@ -88,8 +101,8 @@ Using assigned access, Windows 10 runs the designated Universal Windows app abo The Universal Windows app must be able to handle multiple views and cannot launch other apps or dialogs. -**Note**   -Assigned access does not work on a device that is connected to more than one monitor. +>[!NOTE]   +>Assigned access does not work on a device that is connected to more than one monitor.   @@ -105,7 +118,7 @@ Assigned access does not work on a device that is connected to more than one mon 5. Close **Settings** – your choices are saved automatically, and will be applied the next time that user account logs on. -To remove assigned access, in step 3, choose **Don't use assigned access**. +To remove assigned access, choose **Turn off assigned access and sign out of the selected account**. ### Set up assigned access in MDM 
@@ -115,69 +128,9 @@ Assigned Access has one setting, KioskModeApp. In the KioskModeApp setting, you [See the technical reference for the Assigned Access configuration service provider.](https://go.microsoft.com/fwlink/p/?LinkId=626608) -### Set up assigned access using Windows Imaging and Configuration Designer (ICD) + -Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package that configures a device as a kiosk. [Install the ADK.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) -> **Important** -When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. - -**Create a provisioning package for a kiosk device** - -1. Open Windows ICD (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). - -2. Choose **Advanced provisioning**. - -3. Name your project, and click **Next**. - -4. Choose **All Windows desktop editions** and click **Next**. - -5. On **New project**, click **Finish**. The workspace for your package opens. - -6. Expand **Runtime settings** > **AssignedAccess**, and click **AssignedAccessSettings**. - -7. Enter a string to specify the user account and app (by AUMID). For example: - - "Account":"contoso\\\\kiosk","AUMID":"8f82d991-f842-44c3-9a95-521b58fc2084" - -8. On the **File** menu, select **Save.** - -9. On the **Export** menu, select **Provisioning package**. - -10. 
Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** - -11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. - - - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. - - - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select** and choosing the certificate you want to use to sign the package. - -12. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows ICD uses the project folder as the output location. - - Optionally, you can click **Browse** to change the default output location. - -13. Click **Next**. - -14. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. - - If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. - -15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. - - If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. - - - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. 
- - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. - -**Apply the provisioning package** - -1. Select the provisioning package that you want to apply, double-click the file, and then allow admin privileges. - -2. Consent to allow the package to be installed. - - After you allow the package to be installed, the settings will be applied to the device - -[Learn how to apply a provisioning package in audit mode or OOBE.](https://go.microsoft.com/fwlink/p/?LinkID=692012) ### Set up assigned access using Windows PowerShell @@ -201,7 +154,9 @@ Set-AssignedAccess -AppName -UserName Set-AssignedAccess -AppName -UserSID ``` -> **Note:** To set up assigned access using `-AppName`, the user account that you specify for assigned access must have logged on at least once. +> [!NOTE] +> To set up assigned access using `-AppName`, the user account that you specify for assigned access must have logged on at least once. + [Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867). [Learn how to get the AppName](https://msdn.microsoft.com/library/windows/hardware/mt620046%28v=vs.85%29.aspx) (see **Parameters**). @@ -223,8 +178,8 @@ Edit the registry to have an account automatically logged on. 1. Open Registry Editor (regedit.exe). - **Note**   - If you are not familiar with Registry Editor, [learn how to modify the Windows registry](https://go.microsoft.com/fwlink/p/?LinkId=615002). + >[!NOTE]   + >If you are not familiar with Registry Editor, [learn how to modify the Windows registry](https://go.microsoft.com/fwlink/p/?LinkId=615002).   2. Go to 
@@ -239,7 +194,8 @@ Edit the registry to have an account automatically logged on. - *DefaultPassword*: set value as the password for the account. - > **Note**  If *DefaultUserName* and *DefaultPassword* aren't there, add them as **New** > **String Value**. + > [!NOTE] + > If *DefaultUserName* and *DefaultPassword* aren't there, add them as **New** > **String Value**. - *DefaultDomainName*: set value for domain, only for domain accounts. For local accounts, do not add this key. @@ -255,11 +211,15 @@ If you press **Ctrl + Alt + Del** and do not sign in to another account, after a To change the default time for assigned access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal. -## Shell Launcher for Classic Windows applications + +## Shell Launcher for Classic Windows applications Using Shell Launcher, you can configure a kiosk device that runs a Classic Windows application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. +>[!NOTE] +>You can also configure a kiosk device that runs a Classic Windows application by using the [Provision kiosk devices wizard](#wizard). + ### Requirements - A domain or local user account. 
@@ -274,10 +234,13 @@ To set a Classic Windows application as the shell, you first turn on the Shell L **To turn on Shell Launcher in Windows features** -1. Go to Control Panel > **Programs and Features** > **Turn Windows features on or off**. -2. Select **Embedded Shell Launcher** and **OK**. +1. Go to Control Panel > **Programs and features** > **Turn Windows features on or off**. -Alternatively, you can turn on Shell Launcher using the Deployment Image Servicing and Management (DISM.exe) tool. +2. Expand **Device Lockdown**. + +2. Select **Shell Launcher** and **OK**. + +Alternatively, you can turn on Shell Launcher using Windows Configuration Designer in a provisioning package, using `SMISettings > ShellLauncher`, or the Deployment Image Servicing and Management (DISM.exe) tool. **To turn on Shell Launcher using DISM** 
@@ -425,19 +388,46 @@ $IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled() "`nEnabled is set to " + $IsShellLauncherEnabled.Enabled ``` +## Other settings to lock down + + +For a more secure kiosk experience, we recommend that you make the following configuration changes to the device: + +- Put device in **Tablet mode**. + + If you want users to be able to use the touch (on screen) keyboard, go to **Settings** > **System** > **Tablet mode** and choose **On.** + +- Hide **Ease of access** feature on the logon screen. + + Go to **Control Panel** > **Ease of Access** > **Ease of Access Center**, and turn off all accessibility tools. + +- Disable the hardware power button. + + Go to **Power Options** > **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**. + +- Remove the power button from the sign-in screen. + + Go to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** >**Security Options** > **Shutdown: Allow system to be shut down without having to log on** and select **Disabled.** + +- Disable the camera. + + Go to **Settings** > **Privacy** > **Camera**, and turn off **Let apps use my camera**. + +- Turn off app notifications on the lock screen. + + Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**. + +- Disable removable media. + + Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation. + + >[!NOTE]   + >To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**. 
+ +  ## Related topics - -[Set up a device for anyone to use](set-up-a-device-for-anyone-to-use.md) - -[Set up a kiosk for Windows 10 for mobile edition](set-up-a-kiosk-for-windows-10-for-mobile-edition.md) - -[Manage and update Windows 10](index.md) - -  - -  - +- [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md) diff --git a/windows/configure/set-up-a-kiosk-for-windows-10-for-mobile-edition.md b/windows/configure/set-up-a-kiosk-for-windows-10-for-mobile-edition.md index 1a11ff9c20..3ef7f7e374 100644 --- a/windows/configure/set-up-a-kiosk-for-windows-10-for-mobile-edition.md +++ b/windows/configure/set-up-a-kiosk-for-windows-10-for-mobile-edition.md 
@@ -18,51 +18,18 @@ localizationpriority: high - Windows 10 Mobile -A device in kiosk mode runs a specified app with no access to other device functions, menus, or settings. You configure a device running Windows 10 Mobile or Windows 10 Mobile Enterprise for kiosk mode by using the Apps Corner feature. You can also use the Enterprise Assigned Access configuration service provider (CSP) to configure a kiosk experience. -**Note**   -The specified app must be an above lock screen app. For details on building an above lock screen app, see [Kiosk apps for assigned access: Best practices](https://go.microsoft.com/fwlink/p/?LinkId=708386). - -  - -## Apps Corner +A device in kiosk mode runs a specified app with no access to other device functions, menus, or settings. You use the [Enterprise Assigned Access](#enterprise-assigned-access) configuration service provider (CSP) to configure a kiosk experience. You can also configure a device running Windows 10 Mobile or Windows 10 Mobile Enterprise, version 1607 or earlier, for kiosk mode by using the [Apps Corner](#apps-corner) feature. (Apps Corner is removed in version 1703.) -Apps Corner lets you set up a custom Start screen on your Windows 10 Mobile or Windows 10 Mobile Enterprise device, where you can share only the apps you choose with the people you let use your device. You configure a device for kiosk mode by selecting a single app to use in Apps Corner. - -**To set up Apps Corner** - -1. On Start ![start](images/starticon.png), swipe over to the App list, then tap **Settings** ![settings](images/settingsicon.png) > **Accounts** > **Apps Corner**. - -2. Tap **Apps**, tap to select the app that you want people to use in the kiosk mode, and then tap done ![](images/doneicon.png) - -3. If your phone doesn't already have a lock screen password, you can set one now to ensure that people can't get to your Start screen from Apps Corner. 
Tap **Protect my phone with a password**, click **Add**, type a PIN in the **New PIN** box, type it again in the **Confirm PIN** box, and then tap **OK**. Press **Back** ![back](images/backicon.png) to the Apps Corner settings. - -4. Turn **Action center** on or off, depending on whether you want people to be able to use these features when using the device in kiosk mode. - -5. Tap **advanced**, and then turn features on or off, depending on whether you want people to be able to use them. - -6. Press **Back** ![back](images/backicon.png) when you're done. - -**To use Apps Corner** - -1. On Start ![start](images/starticon.png), swipe over to the App list, then tap **Settings** ![settings](images/settingsicon.png) > **Accounts** > **Apps Corner** > launch ![launch](images/launchicon.png). - - **Tip**   - Want to get to Apps Corner with one tap? In **Settings**, tap **Apps Corner** > **pin** to pin the Apps Corner tile to your Start screen. - -   - -2. Give the device to someone else, so they can use the device and only the one app you chose. - -3. When they're done and you get the device back, press and hold Power ![power](images/powericon.png), and then swipe right to exit Apps Corner. ## Enterprise Assigned Access -Enterprise Assigned Access allows you to lock down your Windows 10 Mobile or Windows 10 Mobile Enterprise device in kiosk mode by creating a user role that has only a single app, set to run automatically, in the Allow list. +Enterprise Assigned Access allows you to put your Windows 10 Mobile or Windows 10 Mobile Enterprise device in kiosk mode by creating a user role that has only a single app, set to run automatically, in the Allow list. -**Note**  The app can be a Universal Windows app, Universal Windows Phone 8 app, or a legacy Silverlight app. +>[!NOTE] +>The app can be a Universal Windows app, Universal Windows Phone 8 app, or a legacy Silverlight app.   
@@ -72,21 +39,24 @@ In AssignedAccessXml, for Application, you enter the product ID for the app to r [See the technical reference for the Enterprise Assigned Access configuration service provider (CSP).](https://go.microsoft.com/fwlink/p/?LinkID=618601) -### Set up assigned access using Windows Imaging and Configuration Designer (ICD) +### Set up assigned access using Windows Configuration Designer -> **Important** -When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. +>[!IMPORTANT] +>When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. -**To create and apply a provisioning package for a kiosk device** +#### Create the *AssignedAccess*.xml file 1. Create an *AssignedAccess*.xml file that specifies the app the device will run. (You can name use any file name.) For instructions on AssignedAccessXml, see [EnterpriseAssignedAccess CSP](https://go.microsoft.com/fwlink/p/?LinkID=618601). - **Note**   - Do not escape the xml in *AssignedAccess*.xml file as Windows Imaging and Configuration Designer (ICD) will do that when building the package. Providing escaped xml in Windows ICD will cause building the package fail. + >[!NOTE] + >Do not escape the xml in *AssignedAccess*.xml file as Windows Configuration Designer will do that when building the package. Providing escaped xml in Windows ICD will cause building the package fail. + +#### Create the provisioning package -   +1. 
[Install Windows Configuration Designer.](provisioning-install-icd.md) + +2. Open Windows Configuration Designer (if you installed it from the Windows ADK, `%windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe`). -2. Open Windows ICD (by default, `%windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe`). 3. Choose **Advanced provisioning**. 
@@ -130,55 +100,91 @@ When you build a provisioning package, you may include sensitive information in - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. -17. Select the **output location** link to go to the location of the package. You can distribute that .ppkg to mobile devices using any of the following methods: +17. Select the **output location** link to go to the location of the package. - - Removable media (USB/SD) +#### Distribute the provisioning package - **To apply a provisioning package from removable media** +You can distribute that .ppkg to mobile devices using any of the following methods: - 1. Copy the provisioning package file to the root directory on a micro SD card. +- Removable media (USB/SD) - 2. On the device, insert the micro SD card containing the provisioning package. + **To apply a provisioning package from removable media** - 3. Go to **Settings** > **Accounts** > **Provisioning.** + 1. Copy the provisioning package file to the root directory on a micro SD card. - 4. Tap **Add a package**. + 2. On the device, insert the micro SD card containing the provisioning package. - 5. On the **Choose a method** screen, in the **Add from** dropdown menu, select **Removable Media**. + 3. Go to **Settings** > **Accounts** > **Provisioning.** - 6. Select a package will list all available provisioning packages on the micro SD card. Tap the desired package, and then tap **Add**. + 4. Tap **Add a package**. - 7. You will see a message that tells you what the package will do the device, such as **Adding it will: Lock down the user interface**. Tap **Yes, add it**. + 5. On the **Choose a method** screen, in the **Add from** dropdown menu, select **Removable Media**. - 8. 
Restart the device and verify that the runtime settings that were configured in the provisioning package were applied to the device. + 6. Select a package will list all available provisioning packages on the micro SD card. Tap the desired package, and then tap **Add**. - - Email + 7. You will see a message that tells you what the package will do the device, such as **Adding it will: Lock down the user interface**. Tap **Yes, add it**. - **To apply a provisioning package sent in email** + 8. Restart the device and verify that the runtime settings that were configured in the provisioning package were applied to the device. - 1. Send the provisioning package in email to an account on the device. +- Email - 2. Open the email on the device, and then double-tap the attached file. + **To apply a provisioning package sent in email** - 3. You will see a message that tells you what the package will do the device, such as **Adding it will: Lock down the user interface**. Tap **Yes, add it**. + 1. Send the provisioning package in email to an account on the device. - 4. Restart the device and verify that the runtime settings that were configured in the provisioning package were applied to the device. + 2. Open the email on the device, and then double-tap the attached file. - - USB tether (mobile only) + 3. You will see a message that tells you what the package will do the device, such as **Adding it will: Lock down the user interface**. Tap **Yes, add it**. - **To apply a provisioning package using USB tether** + 4. Restart the device and verify that the runtime settings that were configured in the provisioning package were applied to the device. - 1. Connect the device to your PC by USB. +- USB tether - 2. Select the provisioning package that you want to use to provision the device, and then drag and drop the file to your device. + **To apply a provisioning package using USB tether** - 3. The provisioning package installation dialog will appear on the phone. + 1. 
Connect the device to your PC by USB. - 4. You will see a message that tells you what the package will do the device, such as **Adding it will: Lock down the user interface**. Tap **Yes, add it**. + 2. Select the provisioning package that you want to use to provision the device, and then drag and drop the file to your device. - 5. Restart the device and verify that the runtime settings that were configured in the provisioning package were applied to the device. + 3. The provisioning package installation dialog will appear on the phone. - [Learn how to apply a provisioning package in audit mode or OOBE.](https://go.microsoft.com/fwlink/p/?LinkID=692012) + 4. You will see a message that tells you what the package will do the device, such as **Adding it will: Lock down the user interface**. Tap **Yes, add it**. + + 5. Restart the device and verify that the runtime settings that were configured in the provisioning package were applied to the device. + + + +## Apps Corner + +>[!NOTE] +>For Windows 10, versions 1507, 1511, and 1607 only. + +Apps Corner lets you set up a custom Start screen on your Windows 10 Mobile or Windows 10 Mobile Enterprise device, where you can share only the apps you choose with the people you let use your device. You configure a device for kiosk mode by selecting a single app to use in Apps Corner. + +**To set up Apps Corner** + +1. On Start ![start](images/starticon.png), swipe over to the App list, then tap **Settings** ![settings](images/settingsicon.png) > **Accounts** > **Apps Corner**. + +2. Tap **Apps**, tap to select the app that you want people to use in the kiosk mode, and then tap done ![](images/doneicon.png) + +3. If your phone doesn't already have a lock screen password, you can set one now to ensure that people can't get to your Start screen from Apps Corner. Tap **Protect my phone with a password**, click **Add**, type a PIN in the **New PIN** box, type it again in the **Confirm PIN** box, and then tap **OK**. 
Press **Back** ![back](images/backicon.png) to the Apps Corner settings. + +4. Turn **Action center** on or off, depending on whether you want people to be able to use these features when using the device in kiosk mode. + +5. Tap **advanced**, and then turn features on or off, depending on whether you want people to be able to use them. + +6. Press **Back** ![back](images/backicon.png) when you're done. + +**To use Apps Corner** + +1. On Start ![start](images/starticon.png), swipe over to the App list, then tap **Settings** ![settings](images/settingsicon.png) > **Accounts** > **Apps Corner** > launch ![launch](images/launchicon.png). + + >[!TIP]   + >Want to get to Apps Corner with one tap? In **Settings**, tap **Apps Corner** > **pin** to pin the Apps Corner tile to your Start screen. +   +2. Give the device to someone else, so they can use the device and only the one app you chose. + +3. When they're done and you get the device back, press and hold Power ![power](images/powericon.png), and then swipe right to exit Apps Corner. ## Related topics @@ -191,9 +197,5 @@ When you build a provisioning package, you may include sensitive information in   -  - - - diff --git a/windows/configure/set-up-shared-or-guest-pc.md b/windows/configure/set-up-shared-or-guest-pc.md index f641f80569..d0998d18c6 100644 --- a/windows/configure/set-up-shared-or-guest-pc.md +++ b/windows/configure/set-up-shared-or-guest-pc.md 
@@ -16,7 +16,7 @@ localizationpriority: high - Windows 10 -Windows 10, version 1607, introduces *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. You can apply shared PC mode to Windows 10 Pro, Pro Education, Education, and Enterprise. +Windows 10, version 1607, introduced *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. You can apply shared PC mode to Windows 10 Pro, Pro Education, Education, and Enterprise. > [!NOTE] > If you're interested in using Windows 10 for shared PCs in a school, see [Use Set up School PCs app](https://technet.microsoft.com/edu/windows/use-set-up-school-pcs-app) which provides a simple way to configure PCs with shared PC mode plus additional settings specific for education. 
@@ -69,16 +69,16 @@ You can configure Windows to be in shared PC mode in a couple different ways: ![custom OMA-URI policy in Intune](images/oma-uri-shared-pc.png) -- A provisioning package created with the Windows Imaging and Configuration Designer (ICD): You can apply a provisioning package when you initially set up the PC (also known as the out-of-box-experience or OOBE), or you can apply the provisioning package to a Windows 10 PC that is already in use. The provisioning package is created in Windows Imaging and Configuration Designer (ICD). Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/mt723294.aspx), exposed in ICD as SharedPC. +- A provisioning package created with the Windows Configuration Designer: You can apply a provisioning package when you initially set up the PC (also known as the out-of-box-experience or OOBE), or you can apply the provisioning package to a Windows 10 PC that is already in use. The provisioning package is created in Windows Configuration Designer. Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/mt723294.aspx), exposed in Windows Configuration Designer as **SharedPC**. ![Shared PC settings in ICD](images/icd-adv-shared-pc.png) ### Create a provisioning package for shared use -Use the Windows ICD tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package that configures a device for shared PC mode. [Install the ADK and select **Configuration Designer**.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) +1. [install Windows Configuration Designer](provisioning-install-icd.md) -1. Open Windows ICD (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). +1. Open Windows Configuration Designer. 2. 
On the **Start page**, select **Advanced provisioning**. @@ -287,15 +287,10 @@ Shared PC mode sets local group policies to configure the device. Some of these -## Related topics - -[Set up a device for anyone to use (kiosk)](set-up-a-device-for-anyone-to-use.md)   -  - diff --git a/windows/configure/settings-that-can-be-locked-down.md b/windows/configure/settings-that-can-be-locked-down.md index c0348677ba..6e0e342400 100644 --- a/windows/configure/settings-that-can-be-locked-down.md +++ b/windows/configure/settings-that-can-be-locked-down.md @@ -20,7 +20,15 @@ localizationpriority: high This topic lists the settings and quick actions that can be locked down in Windows 10 Mobile. -## Settings lockdown +## Settings lockdown in Windows 10, version 1703 + +In earlier versions of Windows 10, you used the page name to define allowed settings. Starting in Windows 10, version 1703, you use the settings URI. + +For example, in place of **SettingsPageDisplay**, you would use **ms-settings:display**. + +See the [ms-settings: URI scheme reference](https://docs.microsoft.com/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference) to find the URI for each Settings page. + +## Settings lockdown in Windows 10, version 1607 and earlier You can use Lockdown.xml to configure lockdown settings. 
@@ -451,52 +459,26 @@ You can specify the quick actions as follows: ``` syntax - - - - - - - - - - - - - - + + + + + + + + + + + + + + ``` -Some quick actions are dependent on related settings pages/page groups. When a dependent page/group is not available, then the corresponding quick action will also be hidden. -**Note**   -Dependent settings group/pages will be automatically enabled when a quick action is specified in the lockdown xml file. For example, if the Rotation quick setting is specified, the following group and page will automatically be added to the allow list: “SettingsPageSystemDisplay” and “SettingsPageDisplay”. - -  - -The following table lists the dependencies between quick actions and Settings groups/pages. - -| Quick action | Settings group | Settings page | -|-----|-------|-------| -| SystemSettings\_System\_Display\_QuickAction\_Brightness | SettingsPageSystemDisplay| SettingsPageDisplay | -| SystemSettings\_System\_Display\_Internal\_Rotation | SettingsPageSystemDisplay | SettingsPageDisplay | -| SystemSettings\_QuickAction\_WiFi | SettingsPageNetworkWiFi | SettingsPageNetworkWiFi | -| SystemSettings\_QuickAction\_InternetSharing | SettingsPageNetworkInternetSharing | SettingsPageNetworkInternetSharing | -| SystemSettings\_QuickAction\_CellularData | SettingsGroupCellular | SettingsPageNetworkCellular | -| SystemSettings\_QuickAction\_AirplaneMode | SettingsPageNetworkAirplaneMode | SettingsPageNetworkAirplaneMode | -| SystemSettings\_Privacy\_LocationEnabledUserPhone | SettingsGroupPrivacyLocationGlobals | SettingsPagePrivacyLocation | -| SystemSettings\_Network\_VPN\_QuickAction | SettingsPageNetworkVPN | SettingsPageNetworkVPN | -| SystemSettings\_Launcher\_QuickNote | N/A | N/A | -| SystemSettings\_Flashlight\_Toggle | N/A | N/A | -| SystemSettings\_Device\_BluetoothQuickAction | SettingsPagePCSystemBluetooth | SettingsPagePCSystemBluetooth | -| SystemSettings\_BatterySaver\_LandingPage\_OverrideControl | 
BatterySaver\_LandingPage\_SettingsConfiguration | SettingsPageBatterySaver | -| QuickActions\_Launcher\_DeviceDiscovery | N/A | N/A | -| QuickActions\_Launcher\_AllSettings | N/A | N/A | -| SystemSettings\_QuickAction\_QuietHours | N/A | N/A | -| SystemSettings\_QuickAction\_Camera | N/A | N/A |   diff --git a/windows/configure/start-layout-xml-desktop.md b/windows/configure/start-layout-xml-desktop.md index c86fc0cfe6..2a8a20dfd2 100644 --- a/windows/configure/start-layout-xml-desktop.md +++ b/windows/configure/start-layout-xml-desktop.md @@ -30,6 +30,9 @@ On Windows 10 for desktop editions, the customized Start works by: >[!NOTE] >Using the layout modification XML to configure Start is not supported with roaming user profiles. For more information, see [Deploy Roaming User Profiles](https://technet.microsoft.com/en-US/library/jj649079.aspx). +>[!NOTE] +>Using the layout modification XML to configure Start is not supported with roaming user profiles. For more information, see [Deploy Roaming User Profiles](https://technet.microsoft.com/library/jj649079.aspx). + ## LayoutModification XML IT admins can provision the Start layout using a LayoutModification.xml file. This file supports several mechanisms to modify or replace the default Start layout and its tiles. The easiest method for creating a LayoutModification.xml file is by using the Export-StartLayout cmdlet; see [Customize and export Start layout](customize-and-export-start-layout.md) for instructions. @@ -224,7 +227,7 @@ The following example shows how to create a tile of the Web site's URL using the Column="4"/> ``` -The following table describes the other attributes that you can use with the **start:SecondaryTile** tag in addition to *8Size**, **Row**, and *8Column**. +The following table describes the other attributes that you can use with the **start:SecondaryTile** tag in addition to **Size**, **Row**, and **Column**. | Attribute | Required/optional | Description | | --- | --- | --- | 
@@ -473,17 +476,13 @@ Once you have created the LayoutModification.xml file and it is present in the d ## Related topics -[Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md) - -[Configure Windows 10 taskbar](configure-windows-10-taskbar.md) - -[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) - -[Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) - -[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) - -[Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md) +- [Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md) +- [Configure Windows 10 taskbar](configure-windows-10-taskbar.md) +- [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) +- [Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) +- [Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) +- [Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md) +- [Start layout XML for mobile editions of Windows 10 (reference)](start-layout-xml-mobile.md)   diff --git a/windows/configure/start-layout-xml-mobile.md b/windows/configure/start-layout-xml-mobile.md index 9d10466302..f25c2d2413 100644 --- a/windows/configure/start-layout-xml-mobile.md +++ b/windows/configure/start-layout-xml-mobile.md 
@@ -370,17 +370,13 @@ This should set the value of **StartLayout**. The setting appears in the **Selec ## Related topics -[Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md) - -[Configure Windows 10 taskbar](configure-windows-10-taskbar.md) - -[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) - -[Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) - -[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) - -[Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md) +- [Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md) +- [Configure Windows 10 taskbar](configure-windows-10-taskbar.md) +- [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) +- [Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) +- [Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) +- [Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md) +- [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md)   diff --git a/windows/configure/start-taskbar-lockscreen.md b/windows/configure/start-taskbar-lockscreen.md index 3216cfabda..966ef97fca 100644 --- a/windows/configure/start-taskbar-lockscreen.md +++ b/windows/configure/start-taskbar-lockscreen.md 
@@ -1,7 +1,6 @@ --- -title: start tasbkar lockscreen (Windows 10) +title: Configure Start layout, taskbar, and lock screen for Windows 10 PCs (Windows 10) description: -keywords: Windows 10, MDM, WSUS, Windows update ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -10,5 +9,19 @@ localizationpriority: high author: jdeckerMS --- -# start taskbar lockscreen +# Configure Start layout, taskbar, and lock screen for Windows 10 PCs + + +## In this section + +| Topic | Description | +| --- | --- | +| [Windows Spotlight on the lock screen](windows-spotlight.md) | Windows Spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen.

    **Note:** You can also use the [Personalization CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/personalization-csp) settings to set lock screen and desktop background images. | +| [Manage Windows 10 and Windows Store tips, tricks, and suggestions](manage-tips-and-suggestions.md) | Options to manage the tips, tricks, and suggestions offered by Windows and Windows Store. | +| [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) | Organizations might want to deploy a customized Start screen and menu to devices running Windows 10 Pro, Enterprise, or Education. A standard Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. | + + +## Related topics + +- [Configure Windows 10 Mobile devices](configure-mobile.md) \ No newline at end of file diff --git a/windows/configure/windows-10-start-layout-options-and-policies.md b/windows/configure/windows-10-start-layout-options-and-policies.md index b588216cb5..258d6c4418 100644 --- a/windows/configure/windows-10-start-layout-options-and-policies.md +++ b/windows/configure/windows-10-start-layout-options-and-policies.md @@ -1,6 +1,6 @@ --- title: Manage Windows 10 Start and taskbar layout (Windows 10) -description: Organizations might want to deploy a customized Start and taskbar layout to devices running Windows 10 Enterprise or Windows 10 Education. +description: Organizations might want to deploy a customized Start and taskbar layout to devices. ms.assetid: 2E94743B-6A49-463C-9448-B7DD19D9CD6A keywords: ["start screen", "start menu"] ms.prod: w10 
@@ -19,12 +19,16 @@ localizationpriority: high > **Looking for consumer information?** See [Customize the Start menu](http://windows.microsoft.com/windows-10/getstarted-see-whats-on-the-menu) -Organizations might want to deploy a customized Start and taskbar configuration to devices running Windows 10 Enterprise or Windows 10 Education. A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. Configuring the taskbar allows the organization to pin useful apps for their employees and to remove apps that are pinned by default. +Organizations might want to deploy a customized Start and taskbar configuration to devices running Windows 10 Pro, Enterprise, or Education. A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. Configuring the taskbar allows the organization to pin useful apps for their employees and to remove apps that are pinned by default. >[!NOTE] >Taskbar configuration is available starting in Windows 10, version 1607. > ->Using the layout modification XML to configure Start is not supported with roaming user profiles. For more information, see [Deploy Roaming User Profiles](https://technet.microsoft.com/en-US/library/jj649079.aspx). +>Start and taskbar configuration can be applied to devices running Windows 10 Pro, version 1703. +> +>Using the layout modification XML to configure Start is not supported with roaming user profiles. For more information, see [Deploy Roaming User Profiles](https://technet.microsoft.com/library/jj649079.aspx). + + ## Start options 
@@ -34,87 +38,21 @@ Some areas of Start can be managed using Group Policy. The layout of Start tiles The following table lists the different parts of Start and any applicable policy settings or Settings options. Group Policy settings are in the **User Configuration**\\**Administrative Templates**\\**Start Menu and Taskbar** path except where a different path is listed in the table. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    StartPolicySetting
    User tileGroup Policy: Remove Logoff on the Start menu
    Most usedGroup Policy: Remove frequent programs from the Start menuSettings > Personalization > Start > Show most used apps

    Suggestions

    -

    -and-

    -

    Dynamically inserted app tile

    MDM: Allow Windows Consumer Features

    -

    Group Policy: Computer Configuration\\Administrative Templates\\Windows Components\\Cloud Content\\Turn off Microsoft consumer experiences

    -
    -Note   -

    This policy also enables or disables notifications for a user's Microsoft account and app tiles from Microsoft dynamically inserted in the default Start menu.

    -
    -
    -  -
    Settings > Personalization > Start > Occasionally show suggestions in Start
    Recently addednot applicableSettings > Personalization > Start > Show recently added apps
    Pinned foldersnot applicableSettings > Personalization > Start > Choose which folders appear on Start
    PowerGroup Policy: Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commandsNone
    Start layout

    MDM: Start layout

    -

    Group Policy: Start layout

    -

    Group Policy: Prevent users from customizing their Start Screen

    -
    -Note   -

    When a full Start screen layout is imported with Group Policy or MDM, the users cannot pin, unpin, or uninstall apps from the Start screen. Users can view and open all apps in the All Apps view, but they cannot pin any apps to the Start screen. When a partial Start screen layout is imported, users cannot change the tile groups applied by the partial layout, but can modify other tile groups and create their own.

    Start layout policy can be used to pin apps to the taskbar based on an XML File that you provide. Users will be able to change the order of pinned apps, unpin apps, and pin additional apps to the taskbar. -

    -
    -  -
    None
    Jump listsGroup Policy: Do not keep history of recently opened documentsSettings > Personalization > Start > Show recently opened items in Jump Lists on Start or the taskbar
    Start size

    MDM: Force Start size

    -

    Group Policy: Force Start to be either full screen size or menu size

    Settings > Personalization > Start > Use Start full screen
    All SettingsGroup Policy: Prevent changes to Taskbar and Start Menu SettingsNone
    +| Start | Policy | Local setting | +| --- | --- | --- | +| User tile | MDM: **Start/HideUserTile**
    **Start/HideSwitchAccount**
    **Start/HideSignOut**
    **Start/HideLock**
    **Start/HideChangeAccountSettings**

    Group Policy: **Remove Logoff on the Start menu** | none | +| Most used | MDM: **Start/HideFrequentlyUsedApps**

    Group Policy: **Remove frequent programs from the Start menu** | **Settings** > **Personalization** > **Start** > **Show most used apps** | +| Suggestions
    -and-
    Dynamically inserted app tile | MDM: **Allow Windows Consumer Features**

    Group Policy: **Computer Configuration\Administrative Templates\Windows Components\Cloud Content\Turn off Microsoft consumer experiences**

    **Note:** This policy also enables or disables notifications for a user's Microsoft account and app tiles from Microsoft dynamically inserted in the default Start menu. | **Settings** > **Personalization** > **Start** > **Occasionally show suggestions in Start** | +| Recently added | MDM: **Start/HideRecentlyAddedApps** | **Settings** > **Personalization** > **Start** > **Show recently added apps** | +| Pinned folders | MDM: **AllowPinnedFolder** | **Settings** > **Personalization** > **Start** > **Choose which folders appear on Start** | +| Power | MDM: **Start/HidePowerButton**
    **Start/HideHibernate**
    **Start/HideRestart**
    **Start/HideShutDown**
    **Start/HideSleep**

    Group Policy: **Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands** | none | +| Start layout | MDM: **Start layout**
    **ImportEdgeAssets**

    Group Policy: **Prevent users from customizing their Start screen**

    **Note:** When a full Start screen layout is imported with Group Policy or MDM, the users cannot pin, unpin, or uninstall apps from the Start screen. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to the Start screen. When a partial Start screen layout is imported, users cannot change the tile groups applied by the partial layout, but can modify other tile groups and create their own.

    **Start layout** policy can be used to pin apps to the taskbar based on an XML File that you provide. Users will be able to change the order of pinned apps, unpin apps, and pin additional apps to the taskbar. | none | +| Jump lists | MDM: **Start/HideRecentJumplists**

    Group Policy: **Do not keep history of recently opened documents** | **Settings** > **Personalization** > **Start** > **Show recently opened items in Jump Lists on Start or the taskbar** | +| Start size | MDM: **Force Start size**

    Group Policy: **Force Start to be either full screen size or menu size** | **Settings** > **Personalization** > **Start** > **Use Start full screen** | +| App list | MDM: **Start/HideAppList** | **Settings** > **Personalization** > **Start** > **Show app list in Start menu** | +| All Settings | Group Policy: **Prevent changes to Taskbar and Start Menu Settings** | none | +| Taskbar | MDM: **Start/NoPinningToTaskbar** | none | +  ## Taskbar options 
@@ -125,20 +63,26 @@ There are three categories of apps that might be pinned to a taskbar: * Default Windows apps, pinned during operating system installation (Microsoft Edge, File Explorer, Store) * Apps pinned by the enterprise, such as in an unattended Windows setup - **Note**   - The earlier method of using [TaskbarLinks](https://go.microsoft.com/fwlink/p/?LinkId=761230) in an unattended Windows setup file is deprecated in Windows 10, version 1607. + >[!NOTE] + >The earlier method of using [TaskbarLinks](https://go.microsoft.com/fwlink/p/?LinkId=761230) in an unattended Windows setup file is deprecated in Windows 10, version 1607. The following example shows how apps will be pinned - Windows default apps to the left (blue circle), apps pinned by the user in the center (orange triangle), and apps that you pin using XML to the right (green square). -> **Note**  In operating systems configured to use a right-to-left language, the taskbar order will be reversed. - ![Windows left, user center, enterprise to the right](images/taskbar-generic.png) +>[!NOTE] +>In operating systems configured to use a right-to-left language, the taskbar order will be reversed. + + + Whether you apply the taskbar configuration to a clean install or an update, users will still be able to: * Pin additional apps * Change the order of pinned apps * Unpin any app +>[!NOTE] +>In Windows 10, version 1703, you can apply an MDM policy, `Start/NoPinningToTaskbar`, to prevents users from pinning and unpinning apps on the taskbar. + ### Taskbar configuration applied to clean install of Windows 10 In a clean install, if you apply a taskbar layout, only the apps that you specify and default apps that you do not remove will be pinned to the taskbar. Users can pin additional apps to the taskbar after the layout is applied. 
@@ -153,22 +97,16 @@ The new taskbar layout for upgrades to Windows 10, version 1607 or later, will a * If the user didn't pin the app and the app is in the updated layout file, the app will be pinned to the right. * New apps specified in updated layout file are pinned to right of user's pinned apps. - +[Learn how to onfigure Windows 10 taskbar](configure-windows-10-taskbar.md). ## Related topics -[Customize and export Start layout](customize-and-export-start-layout.md) - -[Configure Windows 10 taskbar](configure-windows-10-taskbar.md) - -[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) - -[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) - -[Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) - -[Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md) +- [Customize and export Start layout](customize-and-export-start-layout.md) +- [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) +- [Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) +- [Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) +- [Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md)   diff --git a/windows/configure/windows-spotlight.md b/windows/configure/windows-spotlight.md index eb3af0eb51..c3a078d793 100644 --- a/windows/configure/windows-spotlight.md +++ b/windows/configure/windows-spotlight.md 
@@ -1,5 +1,5 @@ --- -title: Windows Spotlight on the lock screen (Windows 10) +title: Configure Windows Spotlight on the lock screen (Windows 10) description: Windows Spotlight is an option for the lock screen background that displays different background images on the lock screen. ms.assetid: 1AEA51FA-A647-4665-AD78-2F3FB27AD46A keywords: ["lockscreen"] @@ -10,13 +10,14 @@ author: jdeckerMS localizationpriority: high --- -# Windows Spotlight on the lock screen +# Configure Windows Spotlight on the lock screen **Applies to** - Windows 10 + Windows Spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen. Windows Spotlight is available in all desktop editions of Windows 10. For managed devices running Windows 10 Enterprise and Windows 10 Education, enterprise administrators can configure a mobile device management (MDM) or Group Policy setting to prevent users from using the Windows Spotlight background. For managed devices running Windows 10 Pro, version 1607, administrators can disable suggestions for third party apps. @@ -24,6 +25,8 @@ For managed devices running Windows 10 Enterprise and Windows 10 Education, en >[!NOTE] >In Windows 10, version 1607, the lock screen background does not display if you disable the **Animate windows when minimizing and mazimizing** setting in **This PC** > **Properties** > **Advanced system settings** > **Performance settings** > **Visual Effects**, or if you enable the Group Policy setting **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Desktop Windows Manager** > **Do not allow windows animations**. +> +>In Windows 10, version 1703, you can use the [Personalization CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/personalization-csp) settings to set lock screen and desktop background images. ## What does Windows Spotlight include? 
@@ -37,6 +40,8 @@ For managed devices running Windows 10 Enterprise and Windows 10 Education, en - **Feature suggestions, fun facts, tips** The lock screen background will occasionally suggest Windows 10 features that the user hasn't tried yet, such as **Snap assist**. + + ![fun facts](images/funfacts.png) ## How do you turn off Windows Spotlight locally? 
@@ -48,27 +53,28 @@ To turn off Windows Spotlight locally, go to **Settings** > **Personalization ## How do you disable Windows Spotlight for managed devices? -Windows 10, version 1607, provides three new Group Policy settings to help you manage Windows Spotlight on enterprise computers. +Windows Spotlight is enabled by default. Windows 10 provides Group Policy and mobile device management (MDM) settings to help you manage Windows Spotlight on enterprise computers. -**Windows 10 Pro, Enterprise, and Education** +| Group Policy | MDM | Description | Applies to | +| --- | --- | --- | --- | +| **User Configuration\Administrative Templates\Windows Components\Cloud Content\Do not suggest third-party content in Windows spotlight** | **Experience/Allow ThirdParty Suggestions In Windows Spotlight** | Enables enterprises to restrict suggestions to Microsoft apps and services | Windows 10 Pro, Enterprise, and Education, version 1607 and later | +| **User Configuration\Administrative Templates\Windows Components\Cloud Content\Turn off all Windows Spotlight features** | **Experience/Allow Windows Spotlight** | Enables enterprises to completely disable all Windows Spotlight features in a single setting | Windows 10 Enterprise and Education, version 1607 and later | +| **User Configuration\Administrative Templates\Windows Components\Cloud Content\Configure Spotlight on lock screen** | **Experience/Configure Windows Spotlight On Lock Screen** | Specifically controls the use of the dynamic Windows Spotlight image on the lock screen, and can be enabled or disabled | Windows 10 Enterprise and Education, version 1607 and later | +| **Administrative Templates \ Windows Components \ Cloud Content \ Turn off the Windows Spotlight on Action Center** | **Experience/Allow Windows Spotlight On Action Center** | Turn off Suggestions from Microsoft that show after each clean install, upgrade, or on an on-going basis to introduce users to what is new or changed | Windows 10 Enterprise and 
Education, version 1703 | +| **User Configuration \ Administrative Templates \ Windows Components \ Cloud Content \ Do not use diagnostic data for tailored experiences** | **Experience/Allow Tailored Experiences With Diagnostic Data** | Prevent Windows from using diagnostic data to provide tailored experiences to the user | Windows 10 Pro, Enterprise, and Education, version 1703 | +| **User Configuration \ Administrative Templates \ Windows Components \ Cloud Content \ Turn off the Windows Welcome Experience** | **Experience/Allow Windows Spotlight Windows Welcome Experience** | Turn off the Windows Spotlight Windows Welcome experience which helps introduce users to Windows, such as launching Microsoft Edge with a web page highlighting new features | Windows 10 Enterprise and Education, version 1703 | -- **User Configuration\Administrative Templates\Windows Components\Cloud Content\Do not suggest third-party content in Windows spotlight** enables enterprises to restrict suggestions to Microsoft apps and services. -**Windows 10 Enterprise and Education** - -* **User Configuration\Administrative Templates\Windows Components\Cloud Content\Turn off all Windows Spotlight features** enables enterprises to completely disable all Windows Spotlight features in a single setting. -* **User Configuration\Administrative Templates\Windows Components\Cloud Content\Configure Spotlight on lock screen** specifically controls the use of the dynamic Windows Spotlight image on the lock screen, and can be enabled or disabled. (The Group Policy setting **Enterprise Spotlight** does not work in Windows 10, version 1607.) - -Windows Spotlight is enabled by default. Administrators can replace Windows Spotlight with a selected image using the Group Policy setting **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image**. 
+ In addition to the specific policy settings for Windows Spotlight, administrators can replace Windows Spotlight with a selected image using the Group Policy setting **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image**. >[!WARNING] > In Windows 10, version 1607, the **Force a specific default lock screen image** policy setting will prevent users from changing the lock screen image. This behavior will be corrected in a future release. ![lockscreen policy details](images/lockscreenpolicy.png) -Pay attention to the checkbox in **Options**. In addition to providing the path to the lock screen image, administrators can choose to allow or **Turn off fun facts, tips, tricks, and more on lock screen**. If the checkbox is not selected, users will see the lock screen image that is defined in the policy setting, and will also see occasional messages, such as the example in the following image. +Pay attention to the checkbox in **Options**. In addition to providing the path to the lock screen image, administrators can choose to allow or **Turn off fun facts, tips, tricks, and more on lock screen**. If the checkbox is not selected, users will see the lock screen image that is defined in the policy setting, and will also see occasional messages. + -![fun facts](images/funfacts.png) ## Related topics diff --git a/windows/deploy/TOC.md b/windows/deploy/TOC.md index e177c6b199..a14e1d9f0d 100644 --- a/windows/deploy/TOC.md +++ b/windows/deploy/TOC.md @@ -1,4 +1,5 @@ # [Deploy Windows 10](index.md) +## [What's new in Windows 10 deployment](deploy-whats-new.md) ## [Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) ## [Manage Windows upgrades with Upgrade Readiness](manage-windows-upgrades-with-upgrade-readiness.md) ### [Upgrade Readiness architecture](upgrade-readiness-architecture.md) 
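Review bot: The new table pairs Group Policy settings phrased as restrictions (`Turn off all Windows Spotlight features`, `Do not use diagnostic data for tailored experiences`) with MDM policies phrased as allowances (`Experience/Allow Windows Spotlight`, `Experience/Allow Tailored Experiences With Diagnostic Data`) and gives both columns one description written from the Group Policy side, without saying that the two columns have opposite polarity. An administrator who configures the MDM policy the way the description reads is likely to get the opposite effect, which for the diagnostic-data row is a privacy misconfiguration rather than a cosmetic one. A sentence above the table would close the gap, for example: `The Group Policy settings in this table are restrictions (enable the policy to block the feature), whereas the corresponding MDM policies are allowances (set the policy to its "not allowed" value to block the feature); see the Policy CSP reference for the exact values.` The accepted values of each MDM policy are not stated on this page, hence the pointer to the CSP reference instead of a literal value.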
@@ -18,25 +19,26 @@ ### [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md) ## [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md) ### [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md) -#### [Key features in MDT 2013 Update 2](key-features-in-mdt-2013.md) -#### [MDT 2013 Update 2 Lite Touch components](mdt-2013-lite-touch-components.md) -#### [Prepare for deployment with MDT 2013 Update 2](prepare-for-windows-deployment-with-mdt-2013.md) +#### [Key features in MDT](key-features-in-mdt.md) +#### [MDT Lite Touch components](mdt-lite-touch-components.md) +#### [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md) ### [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) -### [Deploy a Windows 10 image using MDT 2013 Update 2](deploy-a-windows-10-image-using-mdt.md) +### [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md) ### [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md) ### [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) ### [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) -### [Configure MDT settings](configure-mdt-2013-settings.md) -#### [Set up MDT for BitLocker](set-up-mdt-2013-for-bitlocker.md) +### [Perform an in-place upgrade to Windows 10 with MDT](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) +### [Configure MDT settings](configure-mdt-settings.md) +#### [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md) #### [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) -#### [Configure MDT for UserExit scripts](configure-mdt-2013-for-userexit-scripts.md) +#### [Configure MDT 
for UserExit scripts](configure-mdt-for-userexit-scripts.md) #### [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) #### [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) -#### [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt-2013.md) -#### [Use web services in MDT](use-web-services-in-mdt-2013.md) -#### [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt-2013.md) +#### [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md) +#### [Use web services in MDT](use-web-services-in-mdt.md) +#### [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) ## [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) -### [Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md) +### [Integrate Configuration Manager with MDT](integrate-configuration-manager-with-mdt.md) ### [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) ### [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md) ### [Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md) 
@@ -48,8 +50,7 @@ ### [Monitor the Windows 10 deployment with Configuration Manager](monitor-windows-10-deployment-with-configuration-manager.md) ### [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md) ### [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) -## [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) -## [Upgrade to Windows 10 with System Center Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md) +### [Perform an in-place upgrade to Windows 10 using Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md) ## [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) ## [Convert MBR partition to GPT](mbr-to-gpt.md) ## [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) diff --git a/windows/deploy/add-a-windows-10-operating-system-image-using-configuration-manager.md b/windows/deploy/add-a-windows-10-operating-system-image-using-configuration-manager.md index 8fb81af58a..47176515eb 100644 --- a/windows/deploy/add-a-windows-10-operating-system-image-using-configuration-manager.md +++ b/windows/deploy/add-a-windows-10-operating-system-image-using-configuration-manager.md @@ -48,7 +48,7 @@ For the purposes of this topic, we will use CM01, a machine running Windows Serv ## Related topics -[Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md) +[Integrate Configuration Manager with MDT](integrate-configuration-manager-with-mdt.md) [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) 
diff --git a/windows/deploy/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md b/windows/deploy/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md index 878c230d72..5be734a75b 100644 --- a/windows/deploy/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md +++ b/windows/deploy/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md @@ -81,7 +81,7 @@ This section illustrates how to add drivers for Windows 10 through an example in ## Related topics -[Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md) +[Integrate Configuration Manager with MDT](integrate-configuration-manager-with-mdt.md) [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) diff --git a/windows/deploy/assign-applications-using-roles-in-mdt-2013.md b/windows/deploy/assign-applications-using-roles-in-mdt-2013.md index d8b4505c51..06cc51df9b 100644 --- a/windows/deploy/assign-applications-using-roles-in-mdt-2013.md +++ b/windows/deploy/assign-applications-using-roles-in-mdt-2013.md 
@@ -1,132 +1,7 @@ --- title: Assign applications using roles in MDT (Windows 10) -description: This topic will show you how to add applications to a role in the MDT database and then assign that role to a computer. -ms.assetid: d82902e4-de9c-4bc4-afe0-41d649b83ce7 -keywords: settings, database, deploy -ms.prod: w10 -ms.mktglfcycl: deploy -localizationpriority: high -ms.sitesec: library -ms.pagetype: mdt -author: mtniehaus +redirect_url: assign-applications-using-roles-in-mdt --- -# Assign applications using roles in MDT - -This topic will show you how to add applications to a role in the MDT database and then assign that role to a computer. For the purposes of this topic, the application we are adding is Adobe Reader XI. In addition to using computer-specific entries in the database, you can use roles in MDT to group settings together. - -## Create and assign a role entry in the database - -1. On MDT01, using Deployment Workbench, in the MDT Production deployment share, expand **Advanced Configuration** and then expand **Database**. -2. In the **Database** node, right-click **Role**, select **New**, and create a role entry with the following settings: - 1. Role name: Standard PC - 2. Applications / Lite Touch Applications: - 3. Install - Adobe Reader XI - x86 - -![figure 12](images/mdt-09-fig12.png) - -Figure 12. The Standard PC role with the application added - -## Associate the role with a computer in the database - -After creating the role, you can associate it with one or more computer entries. -1. Using Deployment Workbench, expand **MDT Production**, expand **Advanced Configuration**, expand **Database**, and select **Computers**. -2. In the **Computers** node, double-click the **PC00075** entry, and add the following setting: - - Roles: Standard PC - -![figure 13](images/mdt-09-fig13.png) - -Figure 13. The Standard PC role added to PC00075 (having ID 1 in the database). 
- -## Verify database access in the MDT simulation environment - -When the database is populated, you can use the MDT simulation environment to simulate a deployment. The applications are not installed, but you can see which applications would be installed if you did a full deployment of the computer. -1. On PC0001, log on as **CONTOSO\\MDT\_BA**. -2. Modify the C:\\MDT\\CustomSettings.ini file to look like the following: - - ``` syntax - [Settings] - Priority=CSettings, CRoles, RApplications, Default - [Default] - _SMSTSORGNAME=Contoso - OSInstall=Y - UserDataLocation=AUTO - TimeZoneName=Pacific Standard Time - AdminPassword=P@ssw0rd - JoinDomain=contoso.com - DomainAdmin=CONTOSO\MDT_JD - DomainAdminPassword=P@ssw0rd - MachineObjectOU=OU=Workstations,OU=Computers,OU=Contoso,DC=contoso,DC=com - SLShare=\\MDT01\Logs$ - ScanStateArgs=/ue:*\* /ui:CONTOSO\* - USMTMigFiles001=MigApp.xml - USMTMigFiles002=MigUser.xml - HideShell=YES - ApplyGPOPack=NO - SkipAppsOnUpgrade=NO - SkipAdminPassword=YES - SkipProductKey=YES - SkipComputerName=NO - SkipDomainMembership=YES - SkipUserData=NO - SkipLocaleSelection=YES - SkipTaskSequence=NO - SkipTimeZone=YES - SkipApplications=NO - SkipBitLocker=YES - SkipSummary=YES - SkipCapture=YES - SkipFinalSummary=NO - EventService=http://MDT01:9800 - [CSettings] - SQLServer=MDT01 - Instance=SQLEXPRESS - Database=MDT - Netlib=DBNMPNTW - SQLShare=Logs$ - Table=ComputerSettings - Parameters=UUID, AssetTag, SerialNumber, MacAddress - ParameterCondition=OR - [CRoles] - SQLServer=MDT01 - Instance=SQLEXPRESS - Database=MDT - Netlib=DBNMPNTW - SQLShare=Logs$ - Table=ComputerRoles - Parameters=UUID, AssetTag, SerialNumber, MacAddress - ParameterCondition=OR - [RApplications] - SQLServer=MDT01 - Instance=SQLEXPRESS - Database=MDT - Netlib=DBNMPNTW - SQLShare=Logs$ - Table=RoleApplications - Parameters=Role - Order=Sequence - ``` - -3. Using an elevated Windows PowerShell prompt (run as Administrator), run the following commands. 
Press **Enter** after each command: - - ``` syntax - Set-Location C:\MDT - .\Gather.ps1 - - ``` - -![figure 14](images/mdt-09-fig14.png) - -Figure 14. ZTIGather.log displaying the application GUID belonging to the Adobe Reader XI application that would have been installed if you deployed this machine. - -## Related topics - -[Set up MDT for BitLocker](set-up-mdt-2013-for-bitlocker.md) -
    [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) -
    [Configure MDT for UserExit scripts](configure-mdt-2013-for-userexit-scripts.md) -
    [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) -
    [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) -
    [Use web services in MDT](use-web-services-in-mdt-2013.md) -
    [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt-2013.md)     diff --git a/windows/deploy/assign-applications-using-roles-in-mdt.md b/windows/deploy/assign-applications-using-roles-in-mdt.md new file mode 100644 index 0000000000..c2d8ed9f1b --- /dev/null +++ b/windows/deploy/assign-applications-using-roles-in-mdt.md 
@@ -0,0 +1,132 @@ +--- +title: Assign applications using roles in MDT (Windows 10) +description: This topic will show you how to add applications to a role in the MDT database and then assign that role to a computer. +ms.assetid: d82902e4-de9c-4bc4-afe0-41d649b83ce7 +keywords: settings, database, deploy +ms.prod: w10 +ms.mktglfcycl: deploy +localizationpriority: high +ms.sitesec: library +ms.pagetype: mdt +author: mtniehaus +--- + +# Assign applications using roles in MDT + +This topic will show you how to add applications to a role in the MDT database and then assign that role to a computer. For the purposes of this topic, the application we are adding is Adobe Reader XI. In addition to using computer-specific entries in the database, you can use roles in MDT to group settings together. + +## Create and assign a role entry in the database + +1. On MDT01, using Deployment Workbench, in the MDT Production deployment share, expand **Advanced Configuration** and then expand **Database**. +2. In the **Database** node, right-click **Role**, select **New**, and create a role entry with the following settings: + 1. Role name: Standard PC + 2. Applications / Lite Touch Applications: + 3. Install - Adobe Reader XI - x86 + +![figure 12](images/mdt-09-fig12.png) + +Figure 12. The Standard PC role with the application added + +## Associate the role with a computer in the database + +After creating the role, you can associate it with one or more computer entries. +1. Using Deployment Workbench, expand **MDT Production**, expand **Advanced Configuration**, expand **Database**, and select **Computers**. +2. In the **Computers** node, double-click the **PC00075** entry, and add the following setting: + - Roles: Standard PC + +![figure 13](images/mdt-09-fig13.png) + +Figure 13. The Standard PC role added to PC00075 (having ID 1 in the database). 
+ +## Verify database access in the MDT simulation environment + +When the database is populated, you can use the MDT simulation environment to simulate a deployment. The applications are not installed, but you can see which applications would be installed if you did a full deployment of the computer. +1. On PC0001, log on as **CONTOSO\\MDT\_BA**. +2. Modify the C:\\MDT\\CustomSettings.ini file to look like the following: + + ``` syntax + [Settings] + Priority=CSettings, CRoles, RApplications, Default + [Default] + _SMSTSORGNAME=Contoso + OSInstall=Y + UserDataLocation=AUTO + TimeZoneName=Pacific Standard Time + AdminPassword=P@ssw0rd + JoinDomain=contoso.com + DomainAdmin=CONTOSO\MDT_JD + DomainAdminPassword=P@ssw0rd + MachineObjectOU=OU=Workstations,OU=Computers,OU=Contoso,DC=contoso,DC=com + SLShare=\\MDT01\Logs$ + ScanStateArgs=/ue:*\* /ui:CONTOSO\* + USMTMigFiles001=MigApp.xml + USMTMigFiles002=MigUser.xml + HideShell=YES + ApplyGPOPack=NO + SkipAppsOnUpgrade=NO + SkipAdminPassword=YES + SkipProductKey=YES + SkipComputerName=NO + SkipDomainMembership=YES + SkipUserData=NO + SkipLocaleSelection=YES + SkipTaskSequence=NO + SkipTimeZone=YES + SkipApplications=NO + SkipBitLocker=YES + SkipSummary=YES + SkipCapture=YES + SkipFinalSummary=NO + EventService=http://MDT01:9800 + [CSettings] + SQLServer=MDT01 + Instance=SQLEXPRESS + Database=MDT + Netlib=DBNMPNTW + SQLShare=Logs$ + Table=ComputerSettings + Parameters=UUID, AssetTag, SerialNumber, MacAddress + ParameterCondition=OR + [CRoles] + SQLServer=MDT01 + Instance=SQLEXPRESS + Database=MDT + Netlib=DBNMPNTW + SQLShare=Logs$ + Table=ComputerRoles + Parameters=UUID, AssetTag, SerialNumber, MacAddress + ParameterCondition=OR + [RApplications] + SQLServer=MDT01 + Instance=SQLEXPRESS + Database=MDT + Netlib=DBNMPNTW + SQLShare=Logs$ + Table=RoleApplications + Parameters=Role + Order=Sequence + ``` + +3. Using an elevated Windows PowerShell prompt (run as Administrator), run the following commands. 
Press **Enter** after each command: + + ``` syntax + Set-Location C:\MDT + .\Gather.ps1 + + ``` + +![figure 14](images/mdt-09-fig14.png) + +Figure 14. ZTIGather.log displaying the application GUID belonging to the Adobe Reader XI application that would have been installed if you deployed this machine. + +## Related topics + +[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md) +
    [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) +
    [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md) +
    [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) +
    [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) +
    [Use web services in MDT](use-web-services-in-mdt.md) +
    [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) +  +  diff --git a/windows/deploy/build-a-distributed-environment-for-windows-10-deployment.md b/windows/deploy/build-a-distributed-environment-for-windows-10-deployment.md index 010284c04f..5d6bf1b687 100644 --- a/windows/deploy/build-a-distributed-environment-for-windows-10-deployment.md +++ b/windows/deploy/build-a-distributed-environment-for-windows-10-deployment.md @@ -26,12 +26,12 @@ Figure 1. The machines used in this topic. ## Replicate deployment shares -Replicating the content between MDT01 (New York) and MDT02 (Stockholm) can be done in a number of different ways. The most common content replication solutions with Microsoft Deployment Toolkit (MDT) 2013 use either the Linked Deployment Shares (LDS) feature or Distributed File System Replication (DFS-R). Some organizations have used a simple robocopy script for replication of the content. +Replicating the content between MDT01 (New York) and MDT02 (Stockholm) can be done in a number of different ways. The most common content replication solutions with Microsoft Deployment Toolkit (MDT) use either the Linked Deployment Shares (LDS) feature or Distributed File System Replication (DFS-R). Some organizations have used a simple robocopy script for replication of the content. **Note**   Robocopy has options that allow for synchronization between folders. It has a simple reporting function; it supports transmission retry; and, by default, it will only copy/remove files from the source that are newer than files on the target.   -### Linked deployment shares in MDT 2013 Update 2 +### Linked deployment shares in MDT LDS is a built-in feature in MDT for replicating content. However, LDS works best with strong connections such as LAN connections with low latency. For most WAN links, DFS-R is the better option. 
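Review bot: The CustomSettings.ini listing in the new file carries a local administrator password and a domain-join account password in cleartext (`AdminPassword=P@ssw0rd`, `DomainAdmin=CONTOSO\MDT_JD`, `DomainAdminPassword=P@ssw0rd`), and nothing in the topic warns that the file is stored and read as plain text, so anyone who can open it on PC0001 or on the share it is normally served from can recover those credentials. Since the commit re-creates this topic under a new name, it is the natural place to add the caveat; I would add a note directly after the listing: `>[!NOTE]` / `>The passwords in this sample are placeholders. CustomSettings.ini is stored and read as plain text, so use a dedicated join account that has only the permissions needed to create computer objects in the target OU, and change any password that has been placed in this file before the share is exposed beyond a lab.` The privilege level of MDT_JD is not stated on the page; the point is that whichever account is used here has its password exposed. `EventService=http://MDT01:9800` likewise points at an unencrypted endpoint, which deserves a one-line mention if the monitoring service is used outside a test environment.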
@@ -211,15 +211,14 @@ Now you should have a solution ready for deploying the Windows 10 client to the [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md) - [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) -[Deploy a Windows 10 image using MDT 2013 Update 2](deploy-a-windows-10-image-using-mdt.md) +[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md) [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) -[Configure MDT settings](configure-mdt-2013-settings.md) +[Configure MDT settings](configure-mdt-settings.md)     diff --git a/windows/deploy/change-history-for-deploy-windows-10.md b/windows/deploy/change-history-for-deploy-windows-10.md index a3c2c4364e..f0c32cf285 100644 --- a/windows/deploy/change-history-for-deploy-windows-10.md +++ b/windows/deploy/change-history-for-deploy-windows-10.md 
@@ -17,6 +17,9 @@ The topics in this library have been updated for Windows 10, version 1703 (also ## March 2017 | New or changed topic | Description | |----------------------|-------------| +| [What's new in Windows 10 deployment](deploy-whats-new.md) | New | +| [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) | Topic moved under [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md) in the table of contents and title adjusted to clarify in-place upgrade. | +| [Upgrade to Windows 10 with System Center Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md) | Topic moved under [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) in the table of contents and title adjusted to clarify in-place upgrade. | | [Convert MBR partition to GPT](mbr-to-gpt.md) | New | ## February 2017 diff --git a/windows/deploy/configure-mdt-2013-for-userexit-scripts.md b/windows/deploy/configure-mdt-2013-for-userexit-scripts.md index c95b0fc69e..f50d92c65e 100644 --- a/windows/deploy/configure-mdt-2013-for-userexit-scripts.md +++ b/windows/deploy/configure-mdt-2013-for-userexit-scripts.md 
@@ -1,69 +1,4 @@ --- title: Configure MDT for UserExit scripts (Windows 10) -description: In this topic, you will learn how to configure the MDT rules engine to use a UserExit script to generate computer names based on a prefix and the computer MAC Address. -ms.assetid: 29a421d1-12d2-414e-86dc-25b62f5238a7 -keywords: rules, script -ms.prod: w10 -ms.mktglfcycl: deploy -localizationpriority: high -ms.sitesec: library -ms.pagetype: mdt -author: mtniehaus +redirect_url: configure-mdt-for-userexit-scripts --- - -# Configure MDT for UserExit scripts - -In this topic, you will learn how to configure the MDT rules engine to use a UserExit script to generate computer names based on a prefix and the computer MAC Address. MDT supports calling external VBScripts as part of the Gather process; these scripts are referred to as UserExit scripts. The script also removes the colons in the MAC Address. - -## Configure the rules to call a UserExit script - -You can call a UserExit by referencing the script in your rules. Then you can configure a property to be set to the result of a function of the VBScript. In this example, we have a VBScript named Setname.vbs (provided in the book sample files, in the UserExit folder). - -``` syntax -[Settings] -Priority=Default -[Default] -OSINSTALL=YES -UserExit=Setname.vbs -OSDComputerName=#SetName("%MACADDRESS%")# -``` - -The UserExit=Setname.vbs calls the script and then assigns the computer name to what the SetName function in the script returns. In this sample the %MACADDRESS% variable is passed to the script - -## The Setname.vbs UserExit script - -The Setname.vbs script takes the MAC Address passed from the rules. The script then does some string manipulation to add a prefix (PC) and remove the semicolons from the MAC Address. 
- -``` syntax -Function UserExit(sType, sWhen, sDetail, bSkip) - UserExit = Success -End Function -Function SetName(sMac) - Dim re - Set re = new RegExp - re.IgnoreCase = true - re.Global = true - re.Pattern = ":" - SetName = "PC" & re.Replace(sMac, "") -End Function -``` -The first three lines of the script make up a header that all UserExit scripts have. The interesting part is the lines between Function and End Function. Those lines add a prefix (PC), remove the colons from the MAC Address, and return the value to the rules by setting the SetName value. - -**Note**   -The purpose of this sample is not to recommend that you use the MAC Address as a base for computer naming, but to show you how to take a variable from MDT, pass it to an external script, make some changes to it, and then return the new value to the deployment process. -  -## Related topics - -[Set up MDT for BitLocker](set-up-mdt-2013-for-bitlocker.md) - -[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) - -[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) - -[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) - -[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt-2013.md) - -[Use web services in MDT](use-web-services-in-mdt-2013.md) - -[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt-2013.md) diff --git a/windows/deploy/configure-mdt-2013-settings.md b/windows/deploy/configure-mdt-2013-settings.md index 46c1e30220..9549517323 100644 --- a/windows/deploy/configure-mdt-2013-settings.md +++ b/windows/deploy/configure-mdt-2013-settings.md 
@@ -1,46 +1,5 @@ --- title: Configure MDT settings (Windows 10) -description: One of the most powerful features in Microsoft Deployment Toolkit (MDT) 2013 is its extension capabilities; there is virtually no limitation to what you can do in terms of customization. -ms.assetid: d3e1280c-3d1b-4fad-8ac4-b65dc711f122 -keywords: customize, customization, deploy, features, tools -ms.prod: w10 -ms.mktglfcycl: deploy -localizationpriority: high -ms.sitesec: library -ms.pagetype: mdt -author: mtniehaus +redirect_url: configure-mdt-settings --- -# Configure MDT settings - -One of the most powerful features in Microsoft Deployment Toolkit (MDT) 2013 is its extension capabilities; there is virtually no limitation to what you can do in terms of customization. In this topic, you learn about configuring customizations for your environment. -For the purposes of this topic, we will use four machines: DC01, MDT01, HV01, and PC0001. DC01 is a domain controller, MDT01 is a Windows Server 2012 R2 Standard server, and PC0001 is a Windows 10 Enterprise x64 client used for the MDT simulation environment. OR01 has Microsoft System Center 2012 R2 Orchestrator installed. MDT01, OR01, and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof). - -![figure 1](images/mdt-09-fig01.png) - -Figure 1. The machines used in this topic. 
- -## In this section - -- [Set up MDT for BitLocker](set-up-mdt-2013-for-bitlocker.md) -- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) -- [Configure MDT for UserExit scripts](configure-mdt-2013-for-userexit-scripts.md) -- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) -- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) -- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt-2013.md) -- [Use web services in MDT](use-web-services-in-mdt-2013.md) -- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt-2013.md) - -## Related topics - -[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md) - -[Create a Windows 10 reference image](create-a-windows-10-reference-image.md) - -[Deploy a Windows 10 image using MDT 2013 Update 2](deploy-a-windows-10-image-using-mdt.md) - -[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md) - -[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) - -[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) diff --git a/windows/deploy/configure-mdt-deployment-share-rules.md b/windows/deploy/configure-mdt-deployment-share-rules.md index 97a448f5da..bfcbdd5e6b 100644 --- a/windows/deploy/configure-mdt-deployment-share-rules.md +++ b/windows/deploy/configure-mdt-deployment-share-rules.md 
@@ -106,16 +106,16 @@ MachineObjectOU=OU=Laptops,OU=Contoso,DC=contoso,DC=com ## Related topics -[Set up MDT for BitLocker](set-up-mdt-2013-for-bitlocker.md) +[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md) -[Configure MDT for UserExit scripts](configure-mdt-2013-for-userexit-scripts.md) +[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md) [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) -[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt-2013.md) +[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md) -[Use web services in MDT](use-web-services-in-mdt-2013.md) +[Use web services in MDT](use-web-services-in-mdt.md) -[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt-2013.md) +[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) diff --git a/windows/deploy/configure-mdt-for-userexit-scripts.md b/windows/deploy/configure-mdt-for-userexit-scripts.md new file mode 100644 index 0000000000..c168bda59d --- /dev/null +++ b/windows/deploy/configure-mdt-for-userexit-scripts.md 
@@ -0,0 +1,69 @@ +--- +title: Configure MDT for UserExit scripts (Windows 10) +description: In this topic, you will learn how to configure the MDT rules engine to use a UserExit script to generate computer names based on a prefix and the computer MAC Address. +ms.assetid: 29a421d1-12d2-414e-86dc-25b62f5238a7 +keywords: rules, script +ms.prod: w10 +ms.mktglfcycl: deploy +localizationpriority: high +ms.sitesec: library +ms.pagetype: mdt +author: mtniehaus +--- + +# Configure MDT for UserExit scripts + +In this topic, you will learn how to configure the MDT rules engine to use a UserExit script to generate computer names based on a prefix and the computer MAC Address. MDT supports calling external VBScripts as part of the Gather process; these scripts are referred to as UserExit scripts. The script also removes the colons in the MAC Address. + +## Configure the rules to call a UserExit script + +You can call a UserExit by referencing the script in your rules. Then you can configure a property to be set to the result of a function of the VBScript. In this example, we have a VBScript named Setname.vbs (provided in the book sample files, in the UserExit folder). + +``` syntax +[Settings] +Priority=Default +[Default] +OSINSTALL=YES +UserExit=Setname.vbs +OSDComputerName=#SetName("%MACADDRESS%")# +``` + +The UserExit=Setname.vbs calls the script and then assigns the computer name to what the SetName function in the script returns. In this sample the %MACADDRESS% variable is passed to the script + +## The Setname.vbs UserExit script + +The Setname.vbs script takes the MAC Address passed from the rules. The script then does some string manipulation to add a prefix (PC) and remove the semicolons from the MAC Address. 
+ +``` syntax +Function UserExit(sType, sWhen, sDetail, bSkip) + UserExit = Success +End Function +Function SetName(sMac) + Dim re + Set re = new RegExp + re.IgnoreCase = true + re.Global = true + re.Pattern = ":" + SetName = "PC" & re.Replace(sMac, "") +End Function +``` +The first three lines of the script make up a header that all UserExit scripts have. The interesting part is the lines between Function and End Function. Those lines add a prefix (PC), remove the colons from the MAC Address, and return the value to the rules by setting the SetName value. + +**Note**   +The purpose of this sample is not to recommend that you use the MAC Address as a base for computer naming, but to show you how to take a variable from MDT, pass it to an external script, make some changes to it, and then return the new value to the deployment process. +  +## Related topics + +[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md) + +[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) + +[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) + +[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) + +[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md) + +[Use web services in MDT](use-web-services-in-mdt.md) + +[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) diff --git a/windows/deploy/configure-mdt-settings.md b/windows/deploy/configure-mdt-settings.md new file mode 100644 index 0000000000..f5e67fc5c6 --- /dev/null +++ b/windows/deploy/configure-mdt-settings.md 
@@ -0,0 +1,46 @@ +--- +title: Configure MDT settings (Windows 10) +description: One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there is virtually no limitation to what you can do in terms of customization. +ms.assetid: d3e1280c-3d1b-4fad-8ac4-b65dc711f122 +keywords: customize, customization, deploy, features, tools +ms.prod: w10 +ms.mktglfcycl: deploy +localizationpriority: high +ms.sitesec: library +ms.pagetype: mdt +author: mtniehaus +--- + +# Configure MDT settings + +One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there is virtually no limitation to what you can do in terms of customization. In this topic, you learn about configuring customizations for your environment. +For the purposes of this topic, we will use four machines: DC01, MDT01, HV01, and PC0001. DC01 is a domain controller, MDT01 is a Windows Server 2012 R2 Standard server, and PC0001 is a Windows 10 Enterprise x64 client used for the MDT simulation environment. OR01 has Microsoft System Center 2012 R2 Orchestrator installed. MDT01, OR01, and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof). + +![figure 1](images/mdt-09-fig01.png) + +Figure 1. The machines used in this topic. 
+ +## In this section + +- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md) +- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) +- [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md) +- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) +- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) +- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md) +- [Use web services in MDT](use-web-services-in-mdt.md) +- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) + +## Related topics + +[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md) + +[Create a Windows 10 reference image](create-a-windows-10-reference-image.md) + +[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md) + +[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md) + +[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) + +[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) diff --git a/windows/deploy/create-a-custom-windows-pe-boot-image-with-configuration-manager.md b/windows/deploy/create-a-custom-windows-pe-boot-image-with-configuration-manager.md index bfb8f98424..acdd78a794 100644 --- a/windows/deploy/create-a-custom-windows-pe-boot-image-with-configuration-manager.md +++ b/windows/deploy/create-a-custom-windows-pe-boot-image-with-configuration-manager.md 
@@ -17,7 +17,7 @@ author: mtniehaus - Windows 10 -In Microsoft System Center 2012 R2 Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features. This topic shows you how to create a custom Windows PE 5.0 boot image with the Microsoft Deployment Toolkit (MDT) 2013 Update 2 wizard. You can also add the Microsoft Diagnostics and Recovery Toolset (DaRT) 10 to the boot image as part of the boot image creation process. +In Microsoft System Center 2012 R2 Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features. This topic shows you how to create a custom Windows PE 5.0 boot image with the Microsoft Deployment Toolkit (MDT) wizard. You can also add the Microsoft Diagnostics and Recovery Toolset (DaRT) 10 to the boot image as part of the boot image creation process. For the purposes of this topic, we will use two machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. Both are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md). @@ -86,7 +86,7 @@ By using the MDT wizard to create the boot image in Configuration Manager, you g ## Related topics -[Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md) +[Integrate Configuration Manager with MDT](integrate-configuration-manager-with-mdt.md) [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) 
diff --git a/windows/deploy/create-a-task-sequence-with-configuration-manager-and-mdt.md b/windows/deploy/create-a-task-sequence-with-configuration-manager-and-mdt.md index f259ac4131..98e1ddb768 100644 --- a/windows/deploy/create-a-task-sequence-with-configuration-manager-and-mdt.md +++ b/windows/deploy/create-a-task-sequence-with-configuration-manager-and-mdt.md @@ -59,9 +59,9 @@ This section walks you through the process of creating a System Center 2012 R2 C 6. On the **Boot Image** page, browse and select the **Zero Touch WinPE x64** boot image package. Then click **Next**. -7. On the **MDT Package** page, select **Create a new Microsoft Deployment Toolkit Files package**, and in the **Package source folder to be created (UNC Path):** text box, type **\\\\CM01\\Sources$\\OSD\\MDT\\MDT 2013**. Then click **Next**. +7. On the **MDT Package** page, select **Create a new Microsoft Deployment Toolkit Files package**, and in the **Package source folder to be created (UNC Path):** text box, type **\\\\CM01\\Sources$\\OSD\\MDT\\MDT**. Then click **Next**. -8. On the **MDT Details** page, assign the name **MDT 2013** and click **Next**. +8. On the **MDT Details** page, assign the name **MDT** and click **Next**. 9. On the **OS Image** page, browse and select the **Windows 10 Enterprise x64 RTM** package. Then click **Next**. 
@@ -160,14 +160,14 @@ While creating the task sequence with the MDT wizard, a few operating system dep 1. On CM01, using the Configuration Manager Console, in the Software Library workspace, expand **Application Management**, and then select **Packages**. -2. Select the **MDT 2013** and **Windows 10 x64 Settings** packages, right-click and select **Move**. +2. Select the **MDT** and **Windows 10 x64 Settings** packages, right-click and select **Move**. 3. In the **Move Selected Items** dialog box, select the **OSD** folder, and click **OK**. ## Related topics -[Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md) +[Integrate Configuration Manager with MDT](integrate-configuration-manager-with-mdt.md) [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) diff --git a/windows/deploy/create-a-windows-10-reference-image.md b/windows/deploy/create-a-windows-10-reference-image.md index 7f4671ccf1..03ce967435 100644 --- a/windows/deploy/create-a-windows-10-reference-image.md +++ b/windows/deploy/create-a-windows-10-reference-image.md 
@@ -16,7 +16,7 @@ author: mtniehaus **Applies to** - Windows 10 -Creating a reference image is important because that image serves as the foundation for the devices in your organization. In this topic, you will learn how to create a Windows 10 reference image using the Microsoft Deployment Toolkit (MDT) 2013 Update 2. You will create a deployment share, configure rules and settings, and import all the applications and operating system files required to build a Windows 10 reference image. After completing the steps outlined in this topic, you will have a Windows 10 reference image that can be used in your deployment solution. +Creating a reference image is important because that image serves as the foundation for the devices in your organization. In this topic, you will learn how to create a Windows 10 reference image using the Microsoft Deployment Toolkit (MDT). You will create a deployment share, configure rules and settings, and import all the applications and operating system files required to build a Windows 10 reference image. After completing the steps outlined in this topic, you will have a Windows 10 reference image that can be used in your deployment solution. For the purposes of this topic, we will use four machines: DC01, MDT01, HV01, and PC0001. DC01 is a domain controller, PC0001 is a Windows 10 Enterprise x64 client, and MDT01 is a Windows Server 2012 R2 standard server. HV01 is a Hyper-V host server, but HV01 could be replaced by PC0001 as long as PC0001 has enough memory and is capable of running Hyper-V. MDT01, HV01, and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. **Note**   
@@ -69,11 +69,11 @@ Figure 3. Permissions configured for the MDT\_BA user. ## Add the setup files -This section will show you how to populate the MDT 2013 Update 2 deployment share with the Windows 10 operating system source files, commonly referred to as setup files, which will be used to create a reference image. Setup files are used during the reference image creation process and are the foundation for the reference image. +This section will show you how to populate the MDT deployment share with the Windows 10 operating system source files, commonly referred to as setup files, which will be used to create a reference image. Setup files are used during the reference image creation process and are the foundation for the reference image. ### Add the Windows 10 installation files -MDT 2013 supports adding both full source Windows 10 DVDs (ISOs) and custom images that you have created. In this case, you create a reference image, so you add the full source setup files from Microsoft. +MDT supports adding both full source Windows 10 DVDs (ISOs) and custom images that you have created. In this case, you create a reference image, so you add the full source setup files from Microsoft. **Note**   Due to the Windows limits on path length, we are purposely keeping the operating system destination directory short, using the folder name W10EX64RTM rather than a more descriptive name like Windows 10 Enterprise x64 RTM. 
@@ -124,7 +124,7 @@ You can customize Office 2013. In the volume license versions of Office 2013, th ### Add the Microsoft Office Professional Plus 2013 x86 installation files -After adding the Microsoft Office Professional Plus 2013 x86 application, you then automate its setup by running the Office Customization Tool. In fact, MDT 2013 detects that you added the Office Professional Plus 2013 x86 application and creates a shortcut for doing this. +After adding the Microsoft Office Professional Plus 2013 x86 application, you then automate its setup by running the Office Customization Tool. In fact, MDT detects that you added the Office Professional Plus 2013 x86 application and creates a shortcut for doing this. You also can customize the Office installation using a Config.xml file. But we recommend that you use the Office Customization Tool as described in the following steps, as it provides a much richer way of controlling Office 2013 settings. 1. Using the Deployment Workbench in the MDT Build Lab deployment share, expand the **Applications / Microsoft** node, and double-click **Install - Microsoft Office 2013 Pro Plus x86**. 2. In the **Office Products** tab, click **Office Customization Tool**, and click **OK** in the **Information** dialog box. @@ -633,7 +633,7 @@ After some time, you will have a Windows 10 Enterprise x64 image that is fully [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md) -[Deploy a Windows 10 image using MDT 2013 Update 2](deploy-a-windows-10-image-using-mdt.md) +[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md) [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md) 
@@ -641,4 +641,4 @@ After some time, you will have a Windows 10 Enterprise x64 image that is fully [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) -[Configure MDT settings](configure-mdt-2013-settings.md) +[Configure MDT settings](configure-mdt-settings.md) diff --git a/windows/deploy/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md b/windows/deploy/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md index 30ed33ca81..7bbe55f078 100644 --- a/windows/deploy/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md +++ b/windows/deploy/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md @@ -71,7 +71,7 @@ The following steps show you how to create the Adobe Reader XI application. This ## Related topics -[Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md) +[Integrate Configuration Manager with MDT](integrate-configuration-manager-with-mdt.md) [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) diff --git a/windows/deploy/deploy-a-windows-10-image-using-mdt.md b/windows/deploy/deploy-a-windows-10-image-using-mdt.md index 05f3667cb6..d7f9b691ff 100644 --- a/windows/deploy/deploy-a-windows-10-image-using-mdt.md +++ b/windows/deploy/deploy-a-windows-10-image-using-mdt.md 
@@ -1,6 +1,6 @@ --- -title: Deploy a Windows 10 image using MDT 2013 Update 2 (Windows 10) -description: This topic will show you how to take your reference image for Windows 10, and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 2 specifically. +title: Deploy a Windows 10 image using MDT (Windows 10) +description: This topic will show you how to take your reference image for Windows 10, and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT). ms.assetid: 1d70a3d8-1b1d-4051-b656-c0393a93f83c keywords: deployment, automate, tools, configure ms.prod: w10 
@@ -11,12 +11,12 @@ ms.pagetype: mdt author: mtniehaus --- -# Deploy a Windows 10 image using MDT 2013 Update 2 +# Deploy a Windows 10 image using MDT **Applies to** - Windows 10 -This topic will show you how to take your reference image for Windows 10, and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 2 specifically. You will prepare for this by creating a MDT deployment share that is used solely for image deployment. Separating the processes of creating reference images from the processes used to deploy them in production allows greater control of on both processes. You will then configure the deployment share, create a new task sequence, add applications, add drivers, add rules, and configure Active Directory permissions for deployment. +This topic will show you how to take your reference image for Windows 10, and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT). You will prepare for this by creating a MDT deployment share that is used solely for image deployment. Separating the processes of creating reference images from the processes used to deploy them in production allows greater control of on both processes. You will then configure the deployment share, create a new task sequence, add applications, add drivers, add rules, and configure Active Directory permissions for deployment. For the purposes of this topic, we will use three machines: DC01, MDT01, and PC0005. DC01 is a domain controller, MDT01 is a Windows Server 2012 R2 standard server, and PC0005 is a blank machine to which you deploy Windows 10. MDT01 and PC0005 are members of the domain contoso.com for the fictitious Contoso Corporation. 
@@ -119,7 +119,7 @@ Figure 3. The Adobe Reader application added to the Deployment Workbench. ## Step 5: Prepare the drivers repository -In order to deploy Windows 10 with MDT 2013 Update 2 successfully, you need drivers for the boot images and for the actual operating system. This section will show you how to add drivers for the boot image and operating system, using the following hardware models as examples: +In order to deploy Windows 10 with MDT successfully, you need drivers for the boot images and for the actual operating system. This section will show you how to add drivers for the boot image and operating system, using the following hardware models as examples: - Lenovo ThinkPad T420 - Dell Latitude E6440 - HP EliteBook 8560w @@ -131,7 +131,7 @@ You should only add drivers to the Windows PE images if the default drivers don'   ### Create the driver source structure in the file system -The key to successful management of drivers for MDT 2013 Update 2, as well as for any other deployment solution, is to have a really good driver repository. From this repository, you import drivers into MDT for deployment, but you should always maintain the repository for future use. +The key to successful management of drivers for MDT, as well as for any other deployment solution, is to have a really good driver repository. From this repository, you import drivers into MDT for deployment, but you should always maintain the repository for future use. 1. On MDT01, using File Explorer, create the **E:\\Drivers** folder. 2. In the **E:\\Drivers** folder, create the following folder structure: 
@@ -151,9 +151,9 @@ The key to successful management of drivers for MDT 2013 Update 2, as well as fo **Note**   Even if you are not going to use both x86 and x64 boot images, we still recommend that you add the support structure for future use.   -### Create the logical driver structure in MDT 2013 Update 2 +### Create the logical driver structure in MDT -When you import drivers to the MDT 2013 Update 2 driver repository, MDT creates a single instance folder structure based on driver class names. However, you can, and should, mimic the driver structure of your driver source repository in the Deployment Workbench. This is done by creating logical folders in the Deployment Workbench. +When you import drivers to the MDT driver repository, MDT creates a single instance folder structure based on driver class names. However, you can, and should, mimic the driver structure of your driver source repository in the Deployment Workbench. This is done by creating logical folders in the Deployment Workbench. 1. On MDT01, using Deployment Workbench, select the **Out-of-Box Drivers** node. 2. In the **Out-Of-Box Drivers** node, create the following folder structure: 1. WinPE x86 
@@ -450,7 +450,7 @@ troubleshoot MDT deployments, as well as troubleshoot Windows itself. ### Add DaRT 10 to the boot images -If you have licensing for MDOP and DaRT, you can add DaRT to the boot images using the steps in this section. If you do not have DaRT licensing, or don't want to use it, simply skip to the next section, [Update the Deployment Share](#bkmk-update-deployment). To enable the remote connection feature in MDT 2013 Update 2, you need to do the following: +If you have licensing for MDOP and DaRT, you can add DaRT to the boot images using the steps in this section. If you do not have DaRT licensing, or don't want to use it, simply skip to the next section, [Update the Deployment Share](#bkmk-update-deployment). To enable the remote connection feature in MDT, you need to do the following: - Install DaRT 10 (part of MDOP 2015 R1). - Copy the two tools CAB files (Toolsx86.cab and Toolsx64.cab) to the deployment share. - Configure the deployment share to add DaRT. @@ -519,7 +519,7 @@ At this point, you should have a solution ready for deploying the Windows 10 cl 2. Installs the added application. 3. Updates the operating system via your local Windows Server Update Services (WSUS) server. -### Use the MDT 2013 monitoring feature +### Use the MDT monitoring feature Now that you have enabled the monitoring on the MDT Production deployment share, you can follow your deployment of PC0005 via the monitoring node. 
@@ -545,7 +545,7 @@ Multicast deployment allows for image deployment with reduced network load durin ### Requirements -Multicast requires that Windows Deployment Services (WDS) is running on Windows Server 2008 or later. In addition to the core MDT 2013 setup for multicast, the network needs to be configured to support multicast. In general, this means involving the organization networking team to make sure that +Multicast requires that Windows Deployment Services (WDS) is running on Windows Server 2008 or later. In addition to the core MDT setup for multicast, the network needs to be configured to support multicast. In general, this means involving the organization networking team to make sure that Internet Group Management Protocol (IGMP) snooping is turned on and that the network is designed for multicast traffic. The multicast solution uses IGMPv3. ### Set up MDT for multicast @@ -651,4 +651,4 @@ Figure 14. The partitions when deploying an UEFI-based machine. [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) -[Configure MDT settings](configure-mdt-2013-settings.md) +[Configure MDT settings](configure-mdt-settings.md) diff --git a/windows/deploy/deploy-whats-new.md b/windows/deploy/deploy-whats-new.md new file mode 100644 index 0000000000..9d6a1b0d15 --- /dev/null +++ b/windows/deploy/deploy-whats-new.md 
@@ -0,0 +1,123 @@ +--- +title: What's new in Windows 10 deployment +description: Changes and new features related to Windows 10 deployment +keywords: deployment, automate, tools, configure, news +ms.mktglfcycl: deploy +localizationpriority: high +ms.prod: w10 +ms.sitesec: library +ms.pagetype: deploy +author: greg-lindsay +--- + +# What's new in Windows 10 deployment + +**Applies to** +- Windows 10 + + +## In this topic + +This topic provides an overview of new solutions and online content related to deploying Windows 10 in your organization. + +- For an all-up overview of new features in Windows 10, see [What's new in Windows 10](https://technet.microsoft.com/itpro/windows/whats-new/index). +- For a detailed list of changes to Windows 10 ITPro TechNet library content, see [Online content change history](#online-content-change-history). + + +## Windows 10 Enterprise upgrade + +Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Enterprise to their users. With Windows 10 Enterprise E3 in CSP, small and medium-sized organizations can more easily take advantage of Windows 10 Enterprise features. + +For more information, see [Windows 10 Enterprise E3 in CSP Overview](windows-10-enterprise-e3-overview.md) + + +## Deployment solutions and tools + +### Upgrade Readiness + +The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017. + +Upgrade Readiness helps you ensure that applications and drivers are ready for a Windows 10 upgrade. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details. + +The development of Upgrade Readiness has been heavily influenced by input from the community the development of new features is ongoing. 
To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled. + +For more information about Upgrade Readiness, see the following topics: + +- [Windows Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics/) +- [Manage Windows upgrades with Upgrade Readiness](manage-windows-upgrades-with-upgrade-readiness.md) + + +### Update Compliance + +Update Compliance helps you to keep Windows 10 devices in your organization secure and up-to-date. + +Update Compliance is a solution built using OMS Logs and Analytics that provides information about installation status of monthly quality and feature updates. Details are provided about the deployment progress of existing updates and the status of future updates. Information is also provided about devices that might need attention to resolve issues. + +For more information about Update Compliance, see [Monitor Windows Updates with Update Compliance](../manage/update-compliance-monitor.md). + + +### MBR2GPT + +MBR2GPT.EXE converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. Previously, it was necessary to image, then wipe and reload a disk to change from MBR format to GPT. + +There are many benefits to converting the partition style of a disk to GPT, including the use of larger disk partitions, added data reliability, and faster boot and shutdown speeds. The GPT format also enables you to use the Unified Extensible Firmware Interface (UEFI) which replaces the Basic Input/Output System (BIOS) firmware interface. Security features of Windows 10 that require UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock. + +For more information, see [MBR2GPT.EXE](mbr-to-gpt.md). 
+ + +### Microsoft Deployment Toolkit (MDT) + +MDT build 884 is available, including support for: +- Deployment and upgrade of Windows 10, version 1607 (including Enterprise LTSB and Education editions) and Windows Server 2016. +- The Windows ADK for Windows 10, version 1607. +- Integration with Configuration Manager version 1606. + +For more information about MDT, see the [MDT resource page](https://technet.microsoft.com/en-US/windows/dn475741). + + +### Windows Assessment and Deployment Kit (ADK) + +The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. See the following topics: + +- [What's new in ADK kits and tools](https://msdn.microsoft.com/windows/hardware/commercialize/what-s-new-in-kits-and-tools) +- [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md) + + +## Testing and validation guidance + +### Windows 10 deployment proof of concept (PoC) + +The Windows 10 PoC guide enables you to test Windows 10 deployment in a virtual environment and become familiar with deployment tools such as MDT and Configuration Manager. The PoC guide provides step-by-step instructions for installing and using Hyper-V to create a virtual lab environment. The guide makes extensive use of Windows PowerShell to streamline each phase of the installation and setup. + +For more information, see the following guides: + +- [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md) +- [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) +- [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md) + + +## Troubleshooting guidance + +[Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) was published in October of 2016 and will continue to be updated with new fixes. 
The topic provides a detailed explanation of the Windows 10 upgrade process and instructions on how to locate, interpret, and resolve specific errors that can be encountered during the upgrade process. + + +## Online content change history + +The following topics provide a change history for Windows 10 ITPro TechNet library content related to deploying and using Windows 10. + +[Change history for Deploy Windows 10](change-history-for-deploy-windows-10.md) +
    [Change history for Plan for Windows 10 deployment](../plan/change-history-for-plan-for-windows-10-deployment.md) +
    [Change history for Manage and update Windows 10](../manage/change-history-for-manage-and-update-windows-10.md) +
    [Change history for Keep Windows 10 secure](../keep-secure/change-history-for-keep-windows-10-secure.md) + + +## Related topics + +[Overview of Windows as a service](../manage/waas-overview.md) +
    [Windows 10 deployment considerations](../plan/windows-10-deployment-considerations.md) +
    [Windows 10 release information](https://technet.microsoft.com/en-us/windows/release-info.aspx) +
    [Windows 10 Specifications & Systems Requirements](https://www.microsoft.com/en-us/windows/windows-10-specifications) +
    [Windows 10 upgrade paths](windows-10-upgrade-paths.md) +
    [Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md) + + \ No newline at end of file diff --git a/windows/deploy/deploy-windows-10-using-pxe-and-configuration-manager.md b/windows/deploy/deploy-windows-10-using-pxe-and-configuration-manager.md index 1a6a52fffb..3994cbff66 100644 --- a/windows/deploy/deploy-windows-10-using-pxe-and-configuration-manager.md +++ b/windows/deploy/deploy-windows-10-using-pxe-and-configuration-manager.md @@ -40,7 +40,7 @@ Figure 32. Typing in the computer name. ## Related topics -[Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md) +[Integrate Configuration Manager with MDT](integrate-configuration-manager-with-mdt.md) [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) diff --git a/windows/deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md b/windows/deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md index 37ca1c3630..29ef0d6793 100644 --- a/windows/deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md +++ b/windows/deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md 
@@ -17,7 +17,7 @@ author: mtniehaus - Windows 10 -If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or, more specifically, MDT 2013 Update 2. +If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT). For the purposes of this topic, we will use four machines: DC01, CM01, PC0003, and PC0004. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 standard. PC0003 and PC0004 are machines with Windows 7 SP1, on which Windows 10 will be deployed via both refresh and replace scenarios. In addition to these four ready-made machines, you could also include a few blank virtual machines to be used for bare-metal deployments. DC01, CM01, PC003, and PC0004 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md). @@ -28,7 +28,7 @@ Figure 1. The machines used in this topic. ## In this section -- [Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md) +- [Integrate Configuration Manager with MDT](integrate-configuration-manager-with-mdt.md) - [Prepare for Zero Touch Installation of Windows with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) 
@@ -69,11 +69,11 @@ Operating system deployment with Configuration Manager is part of the normal sof - **Operating system images.** The operating system image package contains only one file, the custom .wim image. This is typically the production deployment image. -- **Operating system installers.** The operating system installers were originally added to create reference images using Configuration Manager. Instead, we recommend that you use MDT 2013 Update 2 Lite Touch to create your reference images. For more information on how to create a reference image, see [Create a Windows 10 reference image](create-a-windows-10-reference-image.md). +- **Operating system installers.** The operating system installers were originally added to create reference images using Configuration Manager. Instead, we recommend that you use MDT Lite Touch to create your reference images. For more information on how to create a reference image, see [Create a Windows 10 reference image](create-a-windows-10-reference-image.md). -- **Drivers.** Like MDT 2013 Update 2 Lite Touch, Configuration Manager also provides a repository (catalog) of managed device drivers. +- **Drivers.** Like MDT Lite Touch, Configuration Manager also provides a repository (catalog) of managed device drivers. -- **Task sequences.** The task sequences in Configuration Manager look and feel pretty much like the sequences in MDT 2013 Update 2 Lite Touch, and they are used for the same purpose. However, in Configuration Manager the task sequence is delivered to the clients as a policy via the Management Point (MP). MDT 2013 Update 2 provides additional task sequence templates to Configuration Manager. +- **Task sequences.** The task sequences in Configuration Manager look and feel pretty much like the sequences in MDT Lite Touch, and they are used for the same purpose. However, in Configuration Manager the task sequence is delivered to the clients as a policy via the Management Point (MP). 
MDT provides additional task sequence templates to Configuration Manager. **Note**  Configuration Manager SP1 along with the Windows Assessment and Deployment Kit (ADK) for Windows 10 are required to support management and deployment of Windows 10. diff --git a/windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit.md index b5bd6bcf7a..3cdcb17cd1 100644 --- a/windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit.md +++ b/windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit.md @@ -1,6 +1,6 @@ --- title: Deploy Windows 10 with the Microsoft Deployment Toolkit (Windows 10) -description: This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 2 specifically. +description: This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). ms.assetid: 837f009c-617e-4b3f-9028-2246067ee0fb keywords: deploy, tools, configure, script ms.prod: w10 
@@ -16,10 +16,10 @@ ms.pagetype: mdt **Applies to** - Windows 10 -This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 2 specifically. +This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). The Microsoft Deployment Toolkit is a unified collection of tools, processes, and guidance for automating desktop and server deployment. In addition to reducing deployment time and standardizing desktop and server images, MDT enables you to more easily manage security and ongoing configurations. MDT builds on top of the core deployment tools in the Windows Assessment and Deployment Kit (Windows ADK) with additional guidance and features designed to reduce the complexity and time required for deployment in an enterprise environment. -MDT 2013 Update 2 supports the deployment of Windows 10, as well as Windows 7, Windows 8, Windows 8.1, and Windows Server 2012 R2. It also includes support for zero-touch installation (ZTI) with Microsoft System Center 2012 R2 Configuration Manager. +MDT supports the deployment of Windows 10, as well as Windows 7, Windows 8, Windows 8.1, and Windows Server 2012 R2. It also includes support for zero-touch installation (ZTI) with Microsoft System Center 2012 R2 Configuration Manager. To download the latest version of MDT, visit the [MDT resource page](https://go.microsoft.com/fwlink/p/?LinkId=618117). 
@@ -27,11 +27,11 @@ To download the latest version of MDT, visit the [MDT resource page](https://go. - [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md) - [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) -- [Deploy a Windows 10 image using MDT 2013 Update 2](deploy-a-windows-10-image-using-mdt.md) +- [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md) - [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md) - [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) - [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) -- [Configure MDT settings](configure-mdt-2013-settings.md) +- [Configure MDT settings](configure-mdt-settings.md) ## Proof-of-concept environment diff --git a/windows/deploy/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md b/windows/deploy/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md index 635e1c0291..1cd99cefee 100644 --- a/windows/deploy/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md +++ b/windows/deploy/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md 
@@ -138,7 +138,7 @@ This sections provides steps to help you create a deployment for the task sequen ## Configure Configuration Manager to prompt for the computer name during deployment (optional) -You can have Configuration Manager prompt you for a computer name or you can use rules to generate a computer name. For more details on how to do this, see [Configure MDT settings](configure-mdt-2013-settings.md). +You can have Configuration Manager prompt you for a computer name or you can use rules to generate a computer name. For more details on how to do this, see [Configure MDT settings](configure-mdt-settings.md). This section provides steps to help you configure the All Unknown Computers collection to have Configuration Manager prompt for computer names. @@ -162,7 +162,7 @@ This section provides steps to help you configure the All Unknown Computers coll ## Related topics -[Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md) +[Integrate Configuration Manager with MDT](integrate-configuration-manager-with-mdt.md) [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) diff --git a/windows/deploy/get-started-with-the-microsoft-deployment-toolkit.md b/windows/deploy/get-started-with-the-microsoft-deployment-toolkit.md index 33998a9cbe..7e5bf105f1 100644 --- a/windows/deploy/get-started-with-the-microsoft-deployment-toolkit.md +++ b/windows/deploy/get-started-with-the-microsoft-deployment-toolkit.md 
@@ -1,6 +1,6 @@ --- title: Get started with the Microsoft Deployment Toolkit (MDT) (Windows 10) -description: This topic will help you gain a better understanding of how to use the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 2 in particular, as part of a Windows operating system deployment. +description: This topic will help you gain a better understanding of how to use the Microsoft Deployment Toolkit (MDT), as part of a Windows operating system deployment. ms.assetid: a256442c-be47-4bb9-a105-c831f58ce3ee keywords: deploy, image, feature, install, tools ms.prod: w10 
@@ -16,9 +16,9 @@ author: mtniehaus **Applies to** - Windows 10 -This topic will help you gain a better understanding of how to use the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 2 in particular, as part of a Windows operating system deployment. MDT is one of the most important tools available to IT professionals today. You can use it to create reference images or as a complete deployment solution. MDT 2013 Update 2 also can be used to extend the operating system deployment features available in Microsoft System Center 2012 R2 Configuration Manager. +This topic will help you gain a better understanding of how to use the Microsoft Deployment Toolkit (MDT), as part of a Windows operating system deployment. MDT is one of the most important tools available to IT professionals today. You can use it to create reference images or as a complete deployment solution. MDT also can be used to extend the operating system deployment features available in Microsoft System Center 2012 R2 Configuration Manager. -In addition to familiarizing you with the features and options available in MDT 2013 Update 2, this topic will walk you through the process of preparing for deploying Windows 10 using MDT by configuring Active Directory, creating an organizational unit (OU) structure, creating service accounts, configuring log files and folders, and installing the tools needed to view the logs and continue with the deployment process. +In addition to familiarizing you with the features and options available in MDT, this topic will walk you through the process of preparing for deploying Windows 10 using MDT by configuring Active Directory, creating an organizational unit (OU) structure, creating service accounts, configuring log files and folders, and installing the tools needed to view the logs and continue with the deployment process. For the purposes of this topic, we will use two machines: DC01 and MDT01. 
DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 standard server. MDT01 is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof). @@ -29,9 +29,9 @@ Figure 1. The machines used in this topic. ## In this section -- [Key features in MDT 2013 Update 2](key-features-in-mdt-2013.md) -- [MDT 2013 Update 2 Lite Touch components](mdt-2013-lite-touch-components.md) -- [Prepare for deployment with MDT 2013 Update 2](prepare-for-windows-deployment-with-mdt-2013.md) +- [Key features in MDT](key-features-in-mdt.md) +- [MDT Lite Touch components](mdt-lite-touch-components.md) +- [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md) ## Related topics @@ -39,7 +39,7 @@ Figure 1. The machines used in this topic. [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) -[Deploy a Windows 10 image using MDT 2013 Update 2](deploy-a-windows-10-image-using-mdt.md) +[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md) [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md) @@ -47,4 +47,4 @@ Figure 1. The machines used in this topic. [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) -[Configure MDT settings](configure-mdt-2013-settings.md) +[Configure MDT settings](configure-mdt-settings.md) diff --git a/windows/deploy/images/icd-create-options-1703.PNG b/windows/deploy/images/icd-create-options-1703.PNG new file mode 100644 index 0000000000..007e740683 Binary files /dev/null and b/windows/deploy/images/icd-create-options-1703.PNG differ 
diff --git a/windows/deploy/images/ur-arch-diagram.png b/windows/deploy/images/ur-arch-diagram.png
new file mode 100644
index 0000000000..9c1da1227c
Binary files /dev/null and b/windows/deploy/images/ur-arch-diagram.png differ
diff --git a/windows/deploy/images/ur-overview.PNG b/windows/deploy/images/ur-overview.PNG
index f1818d7073..cf9563ece5 100644
Binary files a/windows/deploy/images/ur-overview.PNG and b/windows/deploy/images/ur-overview.PNG differ
diff --git a/windows/deploy/images/ur-settings.PNG b/windows/deploy/images/ur-settings.PNG
new file mode 100644
index 0000000000..d1724cb821
Binary files /dev/null and b/windows/deploy/images/ur-settings.PNG differ
diff --git a/windows/deploy/index.md b/windows/deploy/index.md
index 651b89f466..8058cf8890 100644
--- a/windows/deploy/index.md
+++ b/windows/deploy/index.md
@@ -16,13 +16,12 @@ Learn about deploying Windows 10 for IT professionals. |Topic |Description | |------|------------| +|[What's new in Windows 10 deployment](deploy-whats-new.md) |See this topic for a summary of new features and some recent changes related to deploying Windows 10 in your organization. | |[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) |To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the key capabilities and limitations of each, is a key task. | |[Manage Windows upgrades with Upgrade Readiness](manage-windows-upgrades-with-upgrade-readiness.md) |With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows telemetry enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. | |[Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md) |This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, see the following Windows 10 PoC deployment guides: [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md), [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md). 
| -|[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 2 specifically. | -|[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) |If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or, more specifically, MDT 2013 Update 2. | -|[Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) |The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a Microsoft Deployment Toolkit (MDT) 2013 Update 2 task sequence to completely automate the process. | -|[Upgrade to Windows 10 with System Center Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md) |The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a System Center Configuration Manager task sequence to completely automate the process. | +|[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). 
| +|[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) |If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or. | |[Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) |This topic provides a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade. | |[Convert MBR partition to GPT](mbr-to-gpt.md) |This topic provides detailed instructions for using the MBR2GPT partition conversion tool. | |[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. | diff --git a/windows/deploy/integrate-configuration-manager-with-mdt-2013.md b/windows/deploy/integrate-configuration-manager-with-mdt-2013.md index 149ba5e250..8ca7faeb78 100644 --- a/windows/deploy/integrate-configuration-manager-with-mdt-2013.md +++ b/windows/deploy/integrate-configuration-manager-with-mdt-2013.md 
@@ -1,116 +1,4 @@
 ---
 title: Integrate Configuration Manager with MDT 2013 Update 2 (Windows 10)
-description: This topic will help you understand the benefits of integrating the Microsoft Deployment Toolkit with Microsoft System Center 2012 R2 Configuration Manager SP1 when you deploy a new or updated version of the Windows operating system.
-ms.assetid: 3bd1cf92-81e5-48dc-b874-0f5d9472e5a5
-ms.pagetype: mdt
-keywords: deploy, image, customize, task sequence
-ms.prod: w10
-localizationpriority: high
-ms.mktglfcycl: deploy
-ms.sitesec: library
-author: mtniehaus
+redirect_url: integrate-configuration-manager-with-mdt
 ---
-
-# Integrate Configuration Manager with MDT 2013 Update 2
-
-**Applies to**
-- Windows 10
-
-This topic will help you understand the benefits of integrating the Microsoft Deployment Toolkit with Microsoft System Center 2012 R2 Configuration Manager SP1 when you deploy a new or updated version of the Windows operating system.
-MDT 2013 is a free, supported download from Microsoft that adds approximately 280 enhancements to Windows operating system deployment with System Center 2012 R2 Configuration Manager SP1. It is, therefore, recommended that you utilize MDT when deploying the Windows operating system with Configuration Manager SP1. In addition to integrating MDT with Configuration Manager, we also recommend using MDT Lite Touch to create the Windows 10 reference images used in Configuration Manager. For more information on how to create a reference image, see [Create a Windows 10 reference image](create-a-windows-10-reference-image.md).
-
-## Why integrate MDT 2013 Update 2 with Configuration Manager
-
-As noted above, MDT adds many enhancements to Configuration Manager. While these enhancements are called Zero Touch, that name does not reflect how deployment is conducted. The following sections provide a few samples of the 280 enhancements that MDT 2013 Update 2 adds to Configuration Manager.
-
-### MDT enables dynamic deployment
-
-When MDT is integrated with Configuration Manager, the task sequence takes additional instructions from the MDT rules. In its most simple form, these settings are stored in a text file, the CustomSettings.ini file, but you can store the settings in Microsoft SQL Server databases, or have Microsoft Visual Basic Scripting Edition (VBScripts) or web services provide the settings used.
-
-The task sequence uses instructions that allow you to reduce the number of task sequences in Configuration Manager and instead store settings outside the task sequence. Here are a few examples:
-- The following settings instruct the task sequence to install the HP Hotkeys package, but only if the hardware is a HP EliteBook 8570w. Note that you don't have to add the package to the task sequence.
-
- ``` syntax
- [Settings]
- Priority=Model
- [HP EliteBook 8570w]
- Packages001=PS100010:Install HP Hotkeys
- ```
-- The following settings instruct the task sequence to put laptops and desktops in different organizational units (OUs) during deployment, assign different computer names, and finally have the task sequence install the Cisco VPN client, but only if the machine is a laptop.
-
- ``` syntax
- [Settings]
- Priority= ByLaptopType, ByDesktopType
- [ByLaptopType]
- Subsection=Laptop-%IsLaptop%
- [ByDesktopType]
- Subsection=Desktop-%IsDesktop%
- [Laptop-True]
- Packages001=PS100012:Install Cisco VPN Client
- OSDComputerName=LT-%SerialNumber%
- MachineObjectOU=ou=laptops,ou=Contoso,dc=contoso,dc=com
- [Desktop-True]
- OSDComputerName=DT-%SerialNumber%
- MachineObjectOU=ou=desktops,ou=Contoso,dc=contoso,dc=com
- ```
-
-![figure 2](images/fig2-gather.png)
-
-Figure 2. The Gather action in the task sequence is reading the rules.
-
-### MDT adds an operating system deployment simulation environment
-
-When testing a deployment, it is important to be able to quickly test any changes you make to the deployment without needing to run through an entire deployment. MDT rules can be tested very quickly, saving significant testing time in a deployment project. For more information, see [Configure MDT settings](configure-mdt-2013-settings.md).
-
-![figure 3](images/mdt-06-fig03.png)
-
-Figure 3. The folder that contains the rules, a few scripts from MDT, and a custom script (Gather.ps1).
-
-### MDT adds real-time monitoring
-
-With MDT integration, you can follow your deployments in real time, and if you have access to Microsoft Diagnostics and Recovery Toolkit (DaRT), you can even remote into Windows Preinstallation Environment (Windows PE) during deployment. The real-time monitoring data can be viewed from within the MDT Deployment Workbench, via a web browser, Windows PowerShell, the Event Viewer, or Microsoft Excel 2013. In fact, any script or app that can read an Open Data (OData) feed can read the information.
-
-![figure 4](images/mdt-06-fig04.png)
-
-Figure 4. View the real-time monitoring data with PowerShell.
-
-### MDT adds an optional deployment wizard
-
-For some deployment scenarios, you may need to prompt the user for information during deployment such as the computer name, the correct organizational unit (OU) for the computer, or which applications should be installed by the task sequence. With MDT integration, you can enable the User-Driven Installation (UDI) wizard to gather the required information, and customize the wizard using the UDI Wizard Designer.
-
-![figure 5](images/mdt-06-fig05.png)
-
-Figure 5. The optional UDI wizard open in the UDI Wizard Designer.
-
-MDT Zero Touch simply extends Configuration Manager with many useful built-in operating system deployment components. By providing well-established, supported solutions, MDT reduces the complexity of deployment in Configuration Manager.
-
-## Why use MDT Lite Touch to create reference images
-
-You can create reference images for Configuration Manager in Configuration Manager, but in general we recommend creating them in MDT Lite Touch for the following reasons:
-- In a deployment project, it is typically much faster to create a reference image using MDT Lite Touch than Configuration Manager.
-- You can use the same image for every type of operating system deployment - Microsoft Virtual Desktop Infrastructure (VDI), Microsoft System Center 2012 R2 Virtual Machine Manager (SCVMM), MDT, Configuration Manager, Windows Deployment Services (WDS), and more.
-- Microsoft System Center 2012 R2 performs deployment in the LocalSystem context. This means that you cannot configure the Administrator account with all of the settings that you would like to be included in the image. MDT runs in the context of the Local Administrator, which means you can configure the look and feel of the configuration and then use the CopyProfile functionality to copy these changes to the default user during deployment.
-- The Configuration Manager task sequence does not suppress user interface interaction.
-- MDT Lite Touch supports a Suspend action that allows for reboots, which is useful when you need to perform a manual installation or check the reference image before it is automatically captured.
-- MDT Lite Touch does not require any infrastructure and is easy to delegate.
-
-## Related topics
-
-[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-
-[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-
-[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
-
-[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-
-[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-
-[Create a task sequence with Configuration Manager and MDT](create-a-task-sequence-with-configuration-manager-and-mdt.md)
-
-[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
-
-
-[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) 
diff --git a/windows/deploy/integrate-configuration-manager-with-mdt.md b/windows/deploy/integrate-configuration-manager-with-mdt.md
new file mode 100644
index 0000000000..2b4560ff12
--- /dev/null
+++ b/windows/deploy/integrate-configuration-manager-with-mdt.md
@@ -0,0 +1,116 @@
+---
+title: Integrate Configuration Manager with MDT (Windows 10)
+description: This topic will help you understand the benefits of integrating the Microsoft Deployment Toolkit with Microsoft System Center 2012 R2 Configuration Manager SP1 when you deploy a new or updated version of the Windows operating system.
+ms.assetid: 3bd1cf92-81e5-48dc-b874-0f5d9472e5a5
+ms.pagetype: mdt
+keywords: deploy, image, customize, task sequence
+ms.prod: w10
+localizationpriority: high
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: mtniehaus
+---
+
+# Integrate Configuration Manager with MDT
+
+**Applies to**
+- Windows 10
+
+This topic will help you understand the benefits of integrating the Microsoft Deployment Toolkit with Microsoft System Center 2012 R2 Configuration Manager SP1 when you deploy a new or updated version of the Windows operating system.
+MDT is a free, supported download from Microsoft that adds approximately 280 enhancements to Windows operating system deployment with System Center 2012 R2 Configuration Manager SP1. It is, therefore, recommended that you utilize MDT when deploying the Windows operating system with Configuration Manager SP1. In addition to integrating MDT with Configuration Manager, we also recommend using MDT Lite Touch to create the Windows 10 reference images used in Configuration Manager. For more information on how to create a reference image, see [Create a Windows 10 reference image](create-a-windows-10-reference-image.md).
+
+## Why integrate MDT with Configuration Manager
+
+As noted above, MDT adds many enhancements to Configuration Manager. While these enhancements are called Zero Touch, that name does not reflect how deployment is conducted. The following sections provide a few samples of the 280 enhancements that MDT adds to Configuration Manager.
+
+### MDT enables dynamic deployment
+
+When MDT is integrated with Configuration Manager, the task sequence takes additional instructions from the MDT rules. In its most simple form, these settings are stored in a text file, the CustomSettings.ini file, but you can store the settings in Microsoft SQL Server databases, or have Microsoft Visual Basic Scripting Edition (VBScripts) or web services provide the settings used.
+
+The task sequence uses instructions that allow you to reduce the number of task sequences in Configuration Manager and instead store settings outside the task sequence. Here are a few examples:
+- The following settings instruct the task sequence to install the HP Hotkeys package, but only if the hardware is a HP EliteBook 8570w. Note that you don't have to add the package to the task sequence.
+
+ ``` syntax
+ [Settings]
+ Priority=Model
+ [HP EliteBook 8570w]
+ Packages001=PS100010:Install HP Hotkeys
+ ```
+- The following settings instruct the task sequence to put laptops and desktops in different organizational units (OUs) during deployment, assign different computer names, and finally have the task sequence install the Cisco VPN client, but only if the machine is a laptop.
+
+ ``` syntax
+ [Settings]
+ Priority= ByLaptopType, ByDesktopType
+ [ByLaptopType]
+ Subsection=Laptop-%IsLaptop%
+ [ByDesktopType]
+ Subsection=Desktop-%IsDesktop%
+ [Laptop-True]
+ Packages001=PS100012:Install Cisco VPN Client
+ OSDComputerName=LT-%SerialNumber%
+ MachineObjectOU=ou=laptops,ou=Contoso,dc=contoso,dc=com
+ [Desktop-True]
+ OSDComputerName=DT-%SerialNumber%
+ MachineObjectOU=ou=desktops,ou=Contoso,dc=contoso,dc=com
+ ```
+
+![figure 2](images/fig2-gather.png)
+
+Figure 2. The Gather action in the task sequence is reading the rules.
+
+### MDT adds an operating system deployment simulation environment
+
+When testing a deployment, it is important to be able to quickly test any changes you make to the deployment without needing to run through an entire deployment. MDT rules can be tested very quickly, saving significant testing time in a deployment project. For more information, see [Configure MDT settings](configure-mdt-settings.md).
+
+![figure 3](images/mdt-06-fig03.png)
+
+Figure 3. The folder that contains the rules, a few scripts from MDT, and a custom script (Gather.ps1).
+
+### MDT adds real-time monitoring
+
+With MDT integration, you can follow your deployments in real time, and if you have access to Microsoft Diagnostics and Recovery Toolkit (DaRT), you can even remote into Windows Preinstallation Environment (Windows PE) during deployment. The real-time monitoring data can be viewed from within the MDT Deployment Workbench, via a web browser, Windows PowerShell, the Event Viewer, or Microsoft Excel 2013. In fact, any script or app that can read an Open Data (OData) feed can read the information.
+
+![figure 4](images/mdt-06-fig04.png)
+
+Figure 4. View the real-time monitoring data with PowerShell.
+
+### MDT adds an optional deployment wizard
+
+For some deployment scenarios, you may need to prompt the user for information during deployment such as the computer name, the correct organizational unit (OU) for the computer, or which applications should be installed by the task sequence. With MDT integration, you can enable the User-Driven Installation (UDI) wizard to gather the required information, and customize the wizard using the UDI Wizard Designer.
+
+![figure 5](images/mdt-06-fig05.png)
+
+Figure 5. The optional UDI wizard open in the UDI Wizard Designer.
+
+MDT Zero Touch simply extends Configuration Manager with many useful built-in operating system deployment components. By providing well-established, supported solutions, MDT reduces the complexity of deployment in Configuration Manager.
+
+## Why use MDT Lite Touch to create reference images
+
+You can create reference images for Configuration Manager in Configuration Manager, but in general we recommend creating them in MDT Lite Touch for the following reasons:
+- In a deployment project, it is typically much faster to create a reference image using MDT Lite Touch than Configuration Manager.
+- You can use the same image for every type of operating system deployment - Microsoft Virtual Desktop Infrastructure (VDI), Microsoft System Center 2012 R2 Virtual Machine Manager (SCVMM), MDT, Configuration Manager, Windows Deployment Services (WDS), and more.
+- Microsoft System Center 2012 R2 performs deployment in the LocalSystem context. This means that you cannot configure the Administrator account with all of the settings that you would like to be included in the image. MDT runs in the context of the Local Administrator, which means you can configure the look and feel of the configuration and then use the CopyProfile functionality to copy these changes to the default user during deployment.
+- The Configuration Manager task sequence does not suppress user interface interaction.
+- MDT Lite Touch supports a Suspend action that allows for reboots, which is useful when you need to perform a manual installation or check the reference image before it is automatically captured.
+- MDT Lite Touch does not require any infrastructure and is easy to delegate.
+
+## Related topics
+
+[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
+
+[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
+
+[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
+
+[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
+
+[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
+
+[Create a task sequence with Configuration Manager and MDT](create-a-task-sequence-with-configuration-manager-and-mdt.md)
+
+[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
+
+
+[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+
+[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) 
diff --git a/windows/deploy/key-features-in-mdt-2013.md b/windows/deploy/key-features-in-mdt-2013.md
index 0264a106c0..d62060296d 100644
--- a/windows/deploy/key-features-in-mdt-2013.md
+++ b/windows/deploy/key-features-in-mdt-2013.md
@@ -1,62 +1,4 @@ --- title: Key features in MDT 2013 Update 2 (Windows 10) -description: The Microsoft Deployment Toolkit (MDT) has been in existence since 2003, when it was first introduced as Business Desktop Deployment (BDD) 1.0. -ms.assetid: 858e384f-e9db-4a93-9a8b-101a503e4868 -keywords: deploy, feature, tools, upgrade, migrate, provisioning -ms.prod: w10 -ms.mktglfcycl: deploy -localizationpriority: high -ms.sitesec: library -ms.pagetype: mdt -author: mtniehaus ---- - -# Key features in MDT 2013 Update 2 - -**Applies to** -- Windows 10 - -The Microsoft Deployment Toolkit (MDT) has been in existence since 2003, when it was first introduced as Business Desktop Deployment (BDD) 1.0. The toolkit has evolved, both in functionality and popularity, and today it is considered fundamental to Windows operating system and enterprise application deployment. - -MDT 2013 has many useful features, the most important of which are: -- **Windows Client support.** Supports Windows 7, Windows 8, Windows 8.1, and Windows 10. -- **Windows Server support.** Supports Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. -- **Additional operating systems support.** Supports Windows Thin PC and Windows Embedded POSReady 7, as well as Windows 8.1 Embedded Industry. -- **UEFI support.** Supports deployment to machines using Unified Extensible Firmware Interface (UEFI) version 2.3.1. -- **GPT support.** Supports deployment to machines that require the new GUID (globally unique identifier) partition table (GPT) format. This is related to UEFI. -- **Enhanced Windows PowerShell support.** Provides support for running PowerShell scripts. - - ![figure 2](images/mdt-05-fig02.png) - - Figure 2. The deployment share mounted as a standard PSDrive allows for administration using PowerShell. - -- **Add local administrator accounts.** Allows you to add multiple user accounts to the local Administrators group on the target computers, either via settings or the deployment wizard. 
-- **Automated participation in CEIP and WER.** Provides configuration for participation in Windows Customer Experience Improvement Program (CEIP) and Windows Error Reporting (WER). -- **Deploy Windows RE.** Enables deployment of a customized Windows Recovery Environment (Windows RE) as part of the task sequence. -- **Deploy to VHD.** Provides ready-made task sequence templates for deploying Windows into a virtual hard disk (VHD) file. -- **Improved deployment wizard.** Provides additional progress information and a cleaner UI for the Lite Touch Deployment Wizard. -- **Monitoring.** Allows you to see the status of currently running deployments. -- **Apply GPO Pack.** Allows you to deploy local group policy objects created by Microsoft Security Compliance Manager (SCM). -- **Partitioning routines.** Provides improved partitioning routines to ensure that deployments work regardless of the current hard drive structure. -- **Offline BitLocker.** Provides the capability to have BitLocker enabled during the Windows Preinstallation Environment (Windows PE) phase, thus saving hours of encryption time. -- **USMT offline user-state migration.** Provides support for running the User State Migration Tool (USMT) capture offline, during the Windows PE phase of the deployment. - - ![figure 3](images/mdt-05-fig03.png) - - Figure 3. The offline USMT backup in action. - -- **Install or uninstall Windows roles or features.** Enables you to select roles and features as part of the deployment wizard. MDT also supports uninstall of roles and features. -- **Microsoft System Center 2012 Orchestrator integration.** Provides the capability to use Orchestrator runbooks as part of the task sequence. -- **Support for DaRT.** Supports optional integration of the DaRT components into the boot image. -- **Support for Office 2013.** Provides added support for deploying Microsoft Office Professional Plus 2013. 
-- **Support for Modern UI app package provisioning.** Provisions applications based on the new Windows app package standard, which is used in Windows 8 and later. -- **Extensibility.** Provides the capability to extend MDT far beyond the built-in features by adding custom scripts, web services, System Center Orchestrator runbooks, PowerShell scripts, and VBScripts. -- **Upgrade task sequence.** Provides a new upgrade task sequence template that you can use to upgrade existing Windows 7, Windows 8, and Windows 8.1 systems directly to Windows 10, automatically preserving all data, settings, applications, and drivers. For more information about using this new upgrade task sequence, refer to the [Microsoft Deployment Toolkit resource page](https://go.microsoft.com/fwlink/p/?LinkId=618117). - -## Related topics - -[Prepare for deployment with MDT 2013 Update 2](prepare-for-windows-deployment-with-mdt-2013.md) - -[MDT 2013 Update 2 Lite Touch components](mdt-2013-lite-touch-components.md) -  -  +redirect_url: key-features-in-mdt +--- \ No newline at end of file diff --git a/windows/deploy/key-features-in-mdt.md b/windows/deploy/key-features-in-mdt.md new file mode 100644 index 0000000000..faeb651733 --- /dev/null +++ b/windows/deploy/key-features-in-mdt.md 
@@ -0,0 +1,62 @@ +--- +title: Key features in MDT (Windows 10) +description: The Microsoft Deployment Toolkit (MDT) has been in existence since 2003, when it was first introduced as Business Desktop Deployment (BDD) 1.0. +ms.assetid: 858e384f-e9db-4a93-9a8b-101a503e4868 +keywords: deploy, feature, tools, upgrade, migrate, provisioning +ms.prod: w10 +ms.mktglfcycl: deploy +localizationpriority: high +ms.sitesec: library +ms.pagetype: mdt +author: mtniehaus +--- + +# Key features in MDT + +**Applies to** +- Windows 10 + +The Microsoft Deployment Toolkit (MDT) has been in existence since 2003, when it was first introduced as Business Desktop Deployment (BDD) 1.0. The toolkit has evolved, both in functionality and popularity, and today it is considered fundamental to Windows operating system and enterprise application deployment. + +MDT has many useful features, the most important of which are: +- **Windows Client support.** Supports Windows 7, Windows 8, Windows 8.1, and Windows 10. +- **Windows Server support.** Supports Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. +- **Additional operating systems support.** Supports Windows Thin PC and Windows Embedded POSReady 7, as well as Windows 8.1 Embedded Industry. +- **UEFI support.** Supports deployment to machines using Unified Extensible Firmware Interface (UEFI) version 2.3.1. +- **GPT support.** Supports deployment to machines that require the new GUID (globally unique identifier) partition table (GPT) format. This is related to UEFI. +- **Enhanced Windows PowerShell support.** Provides support for running PowerShell scripts. + + ![figure 2](images/mdt-05-fig02.png) + + Figure 2. The deployment share mounted as a standard PSDrive allows for administration using PowerShell. + +- **Add local administrator accounts.** Allows you to add multiple user accounts to the local Administrators group on the target computers, either via settings or the deployment wizard. 
+- **Automated participation in CEIP and WER.** Provides configuration for participation in Windows Customer Experience Improvement Program (CEIP) and Windows Error Reporting (WER). +- **Deploy Windows RE.** Enables deployment of a customized Windows Recovery Environment (Windows RE) as part of the task sequence. +- **Deploy to VHD.** Provides ready-made task sequence templates for deploying Windows into a virtual hard disk (VHD) file. +- **Improved deployment wizard.** Provides additional progress information and a cleaner UI for the Lite Touch Deployment Wizard. +- **Monitoring.** Allows you to see the status of currently running deployments. +- **Apply GPO Pack.** Allows you to deploy local group policy objects created by Microsoft Security Compliance Manager (SCM). +- **Partitioning routines.** Provides improved partitioning routines to ensure that deployments work regardless of the current hard drive structure. +- **Offline BitLocker.** Provides the capability to have BitLocker enabled during the Windows Preinstallation Environment (Windows PE) phase, thus saving hours of encryption time. +- **USMT offline user-state migration.** Provides support for running the User State Migration Tool (USMT) capture offline, during the Windows PE phase of the deployment. + + ![figure 3](images/mdt-05-fig03.png) + + Figure 3. The offline USMT backup in action. + +- **Install or uninstall Windows roles or features.** Enables you to select roles and features as part of the deployment wizard. MDT also supports uninstall of roles and features. +- **Microsoft System Center 2012 Orchestrator integration.** Provides the capability to use Orchestrator runbooks as part of the task sequence. +- **Support for DaRT.** Supports optional integration of the DaRT components into the boot image. +- **Support for Office 2013.** Provides added support for deploying Microsoft Office Professional Plus 2013. 
+- **Support for Modern UI app package provisioning.** Provisions applications based on the new Windows app package standard, which is used in Windows 8 and later. +- **Extensibility.** Provides the capability to extend MDT far beyond the built-in features by adding custom scripts, web services, System Center Orchestrator runbooks, PowerShell scripts, and VBScripts. +- **Upgrade task sequence.** Provides a new upgrade task sequence template that you can use to upgrade existing Windows 7, Windows 8, and Windows 8.1 systems directly to Windows 10, automatically preserving all data, settings, applications, and drivers. For more information about using this new upgrade task sequence, refer to the [Microsoft Deployment Toolkit resource page](https://go.microsoft.com/fwlink/p/?LinkId=618117). + +## Related topics + +[Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md) + +[MDT Lite Touch components](mdt-lite-touch-components.md) +  +  diff --git a/windows/deploy/mbr-to-gpt.md b/windows/deploy/mbr-to-gpt.md index 5775e4b633..e0c160b723 100644 --- a/windows/deploy/mbr-to-gpt.md +++ b/windows/deploy/mbr-to-gpt.md @@ -378,7 +378,6 @@ In this example, Disk 0 is formatted with the MBR partition style, and Disk 1 is ## Related topics -[Using MBR2GPT with Configuration Manager OSD](https://miketerrill.net/tag/mbr2gpt/) -
    [Windows 10 Enterprise system requirements](https://technet.microsoft.com/en-us/windows/dn798752.aspx) +[Windows 10 Enterprise system requirements](https://technet.microsoft.com/en-us/windows/dn798752.aspx)
    [Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications)
    [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro) diff --git a/windows/deploy/mdt-2013-lite-touch-components.md b/windows/deploy/mdt-2013-lite-touch-components.md index 2234092338..5afed1bb8b 100644 --- a/windows/deploy/mdt-2013-lite-touch-components.md +++ b/windows/deploy/mdt-2013-lite-touch-components.md 
@@ -1,119 +1,4 @@ --- title: MDT 2013 Update 2 Lite Touch components (Windows 10) -description: This topic provides an overview of the features in the Microsoft Deployment Toolkit (MDT) 2013 Update 2 that support Lite Touch Installation (LTI) for Windows 10. -ms.assetid: 7d6fc159-e338-439e-a2e6-1778d0da9089 -keywords: deploy, install, deployment, boot, log, monitor -ms.prod: w10 -ms.mktglfcycl: deploy -localizationpriority: high -ms.sitesec: library -ms.pagetype: mdt -author: mtniehaus ---- - -# MDT 2013 Update 2 Lite Touch components - -**Applies to** -- Windows 10 - -This topic provides an overview of the features in the Microsoft Deployment Toolkit (MDT) 2013 Update 2 that support Lite Touch Installation (LTI) for Windows 10. An LTI deployment strategy requires very little infrastructure or user interaction, and can be used to deploy an operating system from a network share or from a physical media, such as a USB flash drive or disc. -When deploying the Windows operating system using MDT, most of the administration and configuration is done through the Deployment Workbench, but you also can perform many of the tasks using Windows PowerShell. The easiest way to find out how to use PowerShell in MDT is to use the Deployment Workbench to perform an operation and at the end of that task, click View Script. That will give you the PowerShell command. - -![figure 4](images/mdt-05-fig04.png) - -Figure 4. If you click **View Script** on the right side, you will get the PowerShell code that was used to perform the task. - -## Deployment shares - -A deployment share is essentially a folder on the server that is shared and contains all the setup files and scripts needed for the deployment solution. It also holds the configuration files (called rules) that are gathered when a machine is deployed. These configuration files can reach out to other sources, like a database, external script, or web server to get additional settings for the deployment. 
For Lite Touch deployments, it is common to have two deployment shares: one for creating the reference images and one for deployment. For Zero Touch, it is common to have only the deployment share for creating reference images because Microsoft System Center 2012 R2 Configuration Manager deploys the image in the production environment. - -## Rules - -The rules (CustomSettings.ini and Bootstrap.ini) make up the brain of MDT. The rules control the Windows Deployment Wizard on the client and, for example, can provide the following settings to the machine being deployed: -- Computer name -- Domain to join, and organizational unit (OU) in Active Directory to hold the computer object -- Whether to enable BitLocker -- Regional settings -You can manage hundreds of settings in the rules. For more information, see the [Microsoft Deployment Toolkit resource center](https://go.microsoft.com/fwlink/p/?LinkId=618117). - -![figure 5](images/mdt-05-fig05.png) - -Figure 5. Example of a MDT rule. In this example, the new computer name is being calculated based on PC- plus the first seven (Left) characters from the serial number - -## Boot images - -Boot images are the Windows Preinstallation Environment (Windows PE) images that are used to start the deployment. They can be started from a CD or DVD, an ISO file, a USB device, or over the network using a Pre-Boot Execution Environment (PXE) server. The boot images connect to the deployment -share on the server and start the deployment. - -## Operating systems - -Using the Deployment Workbench, you import the operating systems you want to deploy. You can import either the full source (like the full Windows 10 DVD/ISO) or a custom image that you have created. The full-source operating systems are primarily used to create reference images; however, they also can be used for normal deployments. - -## Applications - -Using the Deployment Workbench, you also add the applications you want to deploy. 
MDT supports virtually every executable Windows file type. The file can be a standard .exe file with command-line switches for an unattended install, a Microsoft Windows Installer (MSI) package, a batch file, or a VBScript. In fact, it can be just about anything that can be executed unattended. MDT also supports the new Universal Windows apps. - -## Driver repository - -You also use the Deployment Workbench to import the drivers your hardware needs into a driver repository that lives on the server, not in the image. - -## Packages - -With the Deployment Workbench, you can add any Microsoft packages that you want to use. The most commonly added packages are language packs, and the Deployment Workbench Packages node works well for those. You also can add security and other updates this way. However, we generally recommend that you use Windows Server Update Services (WSUS) for operating system updates. The rare exceptions are critical hotfixes that are not available via WSUS, packages for the boot image, or any other package that needs to be deployed before the WSUS update process starts. - -## Task sequences - -Task sequences are the heart and soul of the deployment solution. When creating a task sequence, you need to select a template. The templates are located in the Templates folder in the MDT installation directory, and they determine which default actions are present in the sequence. - -You can think of a task sequence as a list of actions that need to be executed in a certain order. Each action can also have conditions. Some examples of actions are as follows: -- **Gather.** Reads configuration settings from the deployment server. -- **Format and Partition.** Creates the partition(s) and formats them. -- **Inject Drivers.** Finds out which drivers the machine needs and downloads them from the central driver repository. -- **Apply Operating System.** Uses ImageX to apply the image. -- **Windows Update.** Connects to a WSUS server and updates the machine. 
- -## Task sequence templates - -MDT comes with nine default task sequence templates. You can also create your own templates. As long as you store them in the Templates folder, they will be available when you create a new task sequence. -- **Sysprep and Capture task sequence.** Used to run the System Preparation (Sysprep) tool and capture an image of a reference computer. - - **Note**   - It is preferable to use a complete build and capture instead of the Sysprep and Capture task sequence. A complete build and capture can be automated, whereas Sysprep and Capture cannot. -   -- **Standard Client task sequence.** The most frequently used task sequence. Used for creating reference images and for deploying clients in production. -- **Standard Client Replace task sequence.** Used to run User State Migration Tool (USMT) backup and the optional full Windows Imaging (WIM) backup action. Can also be used to do a secure wipe of a machine that is going to be decommissioned. -- **Custom task sequence.** As the name implies, a custom task sequence with only one default action (one Install Application action). -- **Standard Server task sequence.** The default task sequence for deploying operating system images to servers. The main difference between this template and the Standard Client task sequence template is that it does not contain any USMT actions because USMT is not supported on servers. -- **Lite Touch OEM task sequence.** Used to preload operating systems images on the computer hard drive. Typically used by computer original equipment manufacturers (OEMs) but some enterprise organizations also use this feature. -- **Post OS Installation task sequence.** A task sequence prepared to run actions after the operating system has been deployed. Very useful for server deployments but not often used for client deployments. 
-- **Deploy to VHD Client task sequence.** Similar to the Standard Client task sequence template but also creates a virtual hard disk (VHD) file on the target computer and deploys the image to the VHD file. -- **Deploy to VHD Server task sequence.** Same as the Deploy to VHD Client task sequence but for servers. -- **Standard Client Upgrade task sequence.** A simple task sequence template used to perform an in-place upgrade from Windows 7, Windows 8, or Windows 8.1 directly to Windows 10, automatically preserving existing data, settings, applications, and drivers. - -## Selection profiles - -Selection profiles, which are available in the Advanced Configuration node, provide a way to filter content in the Deployment Workbench. Selection profiles are used for several purposes in the Deployment Workbench and in Lite Touch deployments. For example, they can be used to: -- Control which drivers and packages are injected into the Lite Touch (and generic) boot images. -- Control which drivers are injected during the task sequence. -- Control what is included in any media that you create. -- Control what is replicated to other deployment shares. -- Filter which task sequences and applications are displayed in the Deployment Wizard. - -## Logging - -MDT uses many log files during operating system deployments. By default the logs are client side, but by configuring the deployment settings, you can have MDT store them on the server, as well. - -**Note**   -The easiest way to view log files is to use Configuration Manager Trace (CMTrace), which is included in the [System Center 2012 R2 Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717). -  -## Monitoring - -On the deployment share, you also can enable monitoring. After you enable monitoring, you will see all running deployments in the Monitor node in the Deployment Workbench. 
- -## Related topics - -[Key features in MDT 2013 Update 2](key-features-in-mdt-2013.md) - -[Prepare for deployment with MDT 2013 Update 2](prepare-for-windows-deployment-with-mdt-2013.md) -  -  +redirect_url: mdt-lite-touch-components +--- \ No newline at end of file diff --git a/windows/deploy/mdt-lite-touch-components.md b/windows/deploy/mdt-lite-touch-components.md new file mode 100644 index 0000000000..2b004d7fbb --- /dev/null +++ b/windows/deploy/mdt-lite-touch-components.md 
@@ -0,0 +1,117 @@ +--- +title: MDT Lite Touch components (Windows 10) +description: This topic provides an overview of the features in the Microsoft Deployment Toolkit (MDT) that support Lite Touch Installation (LTI) for Windows 10. +ms.assetid: 7d6fc159-e338-439e-a2e6-1778d0da9089 +keywords: deploy, install, deployment, boot, log, monitor +ms.prod: w10 +ms.mktglfcycl: deploy +localizationpriority: high +ms.sitesec: library +ms.pagetype: mdt +author: mtniehaus +--- + +# MDT Lite Touch components + +**Applies to** +- Windows 10 + +This topic provides an overview of the features in the Microsoft Deployment Toolkit (MDT) that support Lite Touch Installation (LTI) for Windows 10. An LTI deployment strategy requires very little infrastructure or user interaction, and can be used to deploy an operating system from a network share or from a physical media, such as a USB flash drive or disc. +When deploying the Windows operating system using MDT, most of the administration and configuration is done through the Deployment Workbench, but you also can perform many of the tasks using Windows PowerShell. The easiest way to find out how to use PowerShell in MDT is to use the Deployment Workbench to perform an operation and at the end of that task, click View Script. That will give you the PowerShell command. + +![figure 4](images/mdt-05-fig04.png) + +Figure 4. If you click **View Script** on the right side, you will get the PowerShell code that was used to perform the task. + +## Deployment shares + +A deployment share is essentially a folder on the server that is shared and contains all the setup files and scripts needed for the deployment solution. It also holds the configuration files (called rules) that are gathered when a machine is deployed. These configuration files can reach out to other sources, like a database, external script, or web server to get additional settings for the deployment. 
For Lite Touch deployments, it is common to have two deployment shares: one for creating the reference images and one for deployment. For Zero Touch, it is common to have only the deployment share for creating reference images because Microsoft System Center 2012 R2 Configuration Manager deploys the image in the production environment. + +## Rules + +The rules (CustomSettings.ini and Bootstrap.ini) make up the brain of MDT. The rules control the Windows Deployment Wizard on the client and, for example, can provide the following settings to the machine being deployed: +- Computer name +- Domain to join, and organizational unit (OU) in Active Directory to hold the computer object +- Whether to enable BitLocker +- Regional settings +You can manage hundreds of settings in the rules. For more information, see the [Microsoft Deployment Toolkit resource center](https://go.microsoft.com/fwlink/p/?LinkId=618117). + +![figure 5](images/mdt-05-fig05.png) + +Figure 5. Example of a MDT rule. In this example, the new computer name is being calculated based on PC- plus the first seven (Left) characters from the serial number + +## Boot images + +Boot images are the Windows Preinstallation Environment (Windows PE) images that are used to start the deployment. They can be started from a CD or DVD, an ISO file, a USB device, or over the network using a Pre-Boot Execution Environment (PXE) server. The boot images connect to the deployment +share on the server and start the deployment. + +## Operating systems + +Using the Deployment Workbench, you import the operating systems you want to deploy. You can import either the full source (like the full Windows 10 DVD/ISO) or a custom image that you have created. The full-source operating systems are primarily used to create reference images; however, they also can be used for normal deployments. + +## Applications + +Using the Deployment Workbench, you also add the applications you want to deploy. 
MDT supports virtually every executable Windows file type. The file can be a standard .exe file with command-line switches for an unattended install, a Microsoft Windows Installer (MSI) package, a batch file, or a VBScript. In fact, it can be just about anything that can be executed unattended. MDT also supports the new Universal Windows apps. + +## Driver repository + +You also use the Deployment Workbench to import the drivers your hardware needs into a driver repository that lives on the server, not in the image. + +## Packages + +With the Deployment Workbench, you can add any Microsoft packages that you want to use. The most commonly added packages are language packs, and the Deployment Workbench Packages node works well for those. You also can add security and other updates this way. However, we generally recommend that you use Windows Server Update Services (WSUS) for operating system updates. The rare exceptions are critical hotfixes that are not available via WSUS, packages for the boot image, or any other package that needs to be deployed before the WSUS update process starts. + +## Task sequences + +Task sequences are the heart and soul of the deployment solution. When creating a task sequence, you need to select a template. The templates are located in the Templates folder in the MDT installation directory, and they determine which default actions are present in the sequence. + +You can think of a task sequence as a list of actions that need to be executed in a certain order. Each action can also have conditions. Some examples of actions are as follows: +- **Gather.** Reads configuration settings from the deployment server. +- **Format and Partition.** Creates the partition(s) and formats them. +- **Inject Drivers.** Finds out which drivers the machine needs and downloads them from the central driver repository. +- **Apply Operating System.** Uses ImageX to apply the image. +- **Windows Update.** Connects to a WSUS server and updates the machine. 
+ +## Task sequence templates + +MDT comes with nine default task sequence templates. You can also create your own templates. As long as you store them in the Templates folder, they will be available when you create a new task sequence. +- **Sysprep and Capture task sequence.** Used to run the System Preparation (Sysprep) tool and capture an image of a reference computer. + + **Note**   + It is preferable to use a complete build and capture instead of the Sysprep and Capture task sequence. A complete build and capture can be automated, whereas Sysprep and Capture cannot. +   +- **Standard Client task sequence.** The most frequently used task sequence. Used for creating reference images and for deploying clients in production. +- **Standard Client Replace task sequence.** Used to run User State Migration Tool (USMT) backup and the optional full Windows Imaging (WIM) backup action. Can also be used to do a secure wipe of a machine that is going to be decommissioned. +- **Custom task sequence.** As the name implies, a custom task sequence with only one default action (one Install Application action). +- **Standard Server task sequence.** The default task sequence for deploying operating system images to servers. The main difference between this template and the Standard Client task sequence template is that it does not contain any USMT actions because USMT is not supported on servers. +- **Lite Touch OEM task sequence.** Used to preload operating systems images on the computer hard drive. Typically used by computer original equipment manufacturers (OEMs) but some enterprise organizations also use this feature. +- **Post OS Installation task sequence.** A task sequence prepared to run actions after the operating system has been deployed. Very useful for server deployments but not often used for client deployments. 
+- **Deploy to VHD Client task sequence.** Similar to the Standard Client task sequence template but also creates a virtual hard disk (VHD) file on the target computer and deploys the image to the VHD file. +- **Deploy to VHD Server task sequence.** Same as the Deploy to VHD Client task sequence but for servers. +- **Standard Client Upgrade task sequence.** A simple task sequence template used to perform an in-place upgrade from Windows 7, Windows 8, or Windows 8.1 directly to Windows 10, automatically preserving existing data, settings, applications, and drivers. + +## Selection profiles + +Selection profiles, which are available in the Advanced Configuration node, provide a way to filter content in the Deployment Workbench. Selection profiles are used for several purposes in the Deployment Workbench and in Lite Touch deployments. For example, they can be used to: +- Control which drivers and packages are injected into the Lite Touch (and generic) boot images. +- Control which drivers are injected during the task sequence. +- Control what is included in any media that you create. +- Control what is replicated to other deployment shares. +- Filter which task sequences and applications are displayed in the Deployment Wizard. + +## Logging + +MDT uses many log files during operating system deployments. By default the logs are client side, but by configuring the deployment settings, you can have MDT store them on the server, as well. + +**Note**   +The easiest way to view log files is to use Configuration Manager Trace (CMTrace), which is included in the [System Center 2012 R2 Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717). +  +## Monitoring + +On the deployment share, you also can enable monitoring. After you enable monitoring, you will see all running deployments in the Monitor node in the Deployment Workbench. 
+ +## Related topics + +[Key features in MDT](key-features-in-mdt.md) + +[Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md) diff --git a/windows/deploy/monitor-windows-10-deployment-with-configuration-manager.md b/windows/deploy/monitor-windows-10-deployment-with-configuration-manager.md index a2caee8ea8..ecb875e202 100644 --- a/windows/deploy/monitor-windows-10-deployment-with-configuration-manager.md +++ b/windows/deploy/monitor-windows-10-deployment-with-configuration-manager.md @@ -52,7 +52,7 @@ To monitor an operating system deployment conducted through System Center 2012 R ## Related topics -[Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md) +[Integrate Configuration Manager with MDT](integrate-configuration-manager-with-mdt.md) [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) diff --git a/windows/deploy/prepare-for-windows-deployment-with-mdt-2013.md b/windows/deploy/prepare-for-windows-deployment-with-mdt-2013.md index 546035f735..600b8e9783 100644 --- a/windows/deploy/prepare-for-windows-deployment-with-mdt-2013.md +++ b/windows/deploy/prepare-for-windows-deployment-with-mdt-2013.md 
@@ -1,122 +1,4 @@ --- title: Prepare for deployment with MDT 2013 Update 2 (Windows 10) -description: This topic will walk you through the steps necessary to create the server structure required to deploy the Windows 10 operating system using the Microsoft Deployment Toolkit (MDT) 2013 Update 2. -ms.assetid: 5103c418-0c61-414b-b93c-a8e8207d1226 -keywords: deploy, system requirements -ms.prod: w10 -ms.mktglfcycl: deploy -localizationpriority: high -ms.sitesec: library -ms.pagetype: mdt -author: mtniehaus +redirect_url: prepare-for-windows-deployment-with-mdt --- - -# Prepare for deployment with MDT 2013 Update 2 - -**Applies to** -- Windows 10 - -This topic will walk you through the steps necessary to create the server structure required to deploy the Windows 10 operating system using the Microsoft Deployment Toolkit (MDT) 2013 Update 2. It covers the installation of the necessary system prerequisites, the creation of shared folders and service accounts, and the configuration of security permissions in the files system and in Active Directory. - -For the purposes of this topic, we will use two machines: DC01 and MDT01. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 standard server. MDT01 is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof). 
- -## System requirements - -MDT 2013 Update 2 requires the following components: -- Any of the following operating systems: - - Windows 7 - - Windows 8 - - Windows 8.1 - - Windows 10 - - Windows Server 2008 R2 - - Windows Server 2012 - - Windows Server 2012 R2 -- Windows Assessment and Deployment Kit (ADK) for Windows 10 -- Windows PowerShell -- Microsoft .NET Framework - -## Install Windows ADK for Windows 10 - -These steps assume that you have the MDT01 member server installed and configured and that you have downloaded [Windows ADK for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=526803) to the E:\\Downloads\\ADK folder. -1. On MDT01, log on as Administrator in the CONTOSO domain using a password of **P@ssw0rd**. -2. Start the **ADK Setup** (E:\\Downloads\\ADK\\adksetup.exe), and on the first wizard page, click **Continue**. -3. On the **Select the features you want to change** page, select the features below and complete the wizard using the default settings: - 1. Deployment Tools - 2. Windows Preinstallation Environment (Windows PE) - 3. User State Migration Tool (UMST) - -## Install MDT 2013 Update 2 - -These steps assume that you have downloaded [MDT 2013 Update 2](https://go.microsoft.com/fwlink/p/?LinkId=618117 ) to the E:\\Downloads\\MDT 2013 folder on MDT01. - -1. On MDT01, log on as Administrator in the CONTOSO domain using a password of **P@ssw0rd**. -2. Install **MDT** (E:\\Downloads\\MDT 2013\\MicrosoftDeploymentToolkit2013\_x64.msi) with the default settings. - -## Create the OU structure - -If you do not have an organizational unit (OU) structure in your Active Directory, you should create one. In this section, you create an OU structure and a service account for MDT 2013 Update 2. -1. On DC01, using Active Directory User and Computers, in the contoso.com domain level, create a top-level OU named **Contoso**. -2. In the **Contoso** OU, create the following OUs: - 1. Accounts - 2. Computers - 3. Groups -3. 
In the **Contoso / Accounts** OU, create the following underlying OUs: - 1. Admins - 2. Service Accounts - 3. Users -4. In the **Contoso / Computers** OU, create the following underlying OUs: - 1. Servers - 2. Workstations -5. In the **Contoso / Groups** OU, create the following OU: - - Security Groups - -![figure 6](images/mdt-05-fig07.png) - -Figure 6. A sample of how the OU structure will look after all the OUs are created. - -## Create the MDT service account - -When creating a reference image, you need an account for MDT. The MDT Build Account is used for Windows Preinstallation Environment (Windows PE) to connect to MDT01. -1. On DC01, using Active Directory User and Computers, browse to **contoso.com / Contoso / Service Accounts**. -2. Select the **Service Accounts** OU and create the **MDT\_BA** account using the following settings: - 1. Name: MDT\_BA - 2. User logon name: MDT\_BA - 3. Password: P@ssw0rd - 4. User must change password at next logon: Clear - 5. User cannot change password: Selected - 6. Password never expires: Selected - -## Create and share the logs folder - -By default MDT stores the log files locally on the client. In order to capture a reference image, you will need to enable server-side logging and, to do that, you will need to have a folder in which to store the logs. For more information, see [Create a Windows 10 reference image](create-a-windows-10-reference-image.md). - -1. On MDT01, log on as **CONTOSO\\Administrator**. -2. Create and share the **E:\\Logs** folder by running the following commands in an elevated Windows PowerShell prompt: - - ``` syntax - New-Item -Path E:\Logs -ItemType directory - New-SmbShare -Name Logs$ -Path E:\Logs -ChangeAccess EVERYONE - icacls E:\Logs /grant '"MDT_BA":(OI)(CI)(M)' - ``` - -![figure 7](images/mdt-05-fig08.png) - -Figure 7. The Sharing tab of the E:\\Logs folder after sharing it with PowerShell. 
- -## Use CMTrace to read log files (optional) - -The log files in MDT Lite Touch are formatted to be read by Configuration Manager Trace (CMTrace), which is available as part [of Microsoft System Center 2012 R2 Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717). You can use Notepad, but CMTrace formatting makes the logs easier to read. - -![figure 8](images/mdt-05-fig09.png) - -Figure 8. An MDT log file opened in Notepad. - -![figure 9](images/mdt-05-fig10.png) - - -Figure 9. The same log file, opened in CMTrace, is much easier to read. -## Related topics - -[Key features in MDT 2013 Update 2](key-features-in-mdt-2013.md) - -[MDT 2013 Update 2 Lite Touch components](mdt-2013-lite-touch-components.md) diff --git a/windows/deploy/prepare-for-windows-deployment-with-mdt.md b/windows/deploy/prepare-for-windows-deployment-with-mdt.md new file mode 100644 index 0000000000..9274e2a90d --- /dev/null +++ b/windows/deploy/prepare-for-windows-deployment-with-mdt.md 
@@ -0,0 +1,122 @@ +--- +title: Prepare for deployment with MDT (Windows 10) +description: This topic will walk you through the steps necessary to create the server structure required to deploy the Windows 10 operating system using the Microsoft Deployment Toolkit (MDT). +ms.assetid: 5103c418-0c61-414b-b93c-a8e8207d1226 +keywords: deploy, system requirements +ms.prod: w10 +ms.mktglfcycl: deploy +localizationpriority: high +ms.sitesec: library +ms.pagetype: mdt +author: mtniehaus +--- + +# Prepare for deployment with MDT + +**Applies to** +- Windows 10 + +This topic will walk you through the steps necessary to create the server structure required to deploy the Windows 10 operating system using the Microsoft Deployment Toolkit (MDT). It covers the installation of the necessary system prerequisites, the creation of shared folders and service accounts, and the configuration of security permissions in the files system and in Active Directory. + +For the purposes of this topic, we will use two machines: DC01 and MDT01. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 standard server. MDT01 is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof). 
+ +## System requirements + +MDT requires the following components: +- Any of the following operating systems: + - Windows 7 + - Windows 8 + - Windows 8.1 + - Windows 10 + - Windows Server 2008 R2 + - Windows Server 2012 + - Windows Server 2012 R2 +- Windows Assessment and Deployment Kit (ADK) for Windows 10 +- Windows PowerShell +- Microsoft .NET Framework + +## Install Windows ADK for Windows 10 + +These steps assume that you have the MDT01 member server installed and configured and that you have downloaded [Windows ADK for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=526803) to the E:\\Downloads\\ADK folder. +1. On MDT01, log on as Administrator in the CONTOSO domain using a password of **P@ssw0rd**. +2. Start the **ADK Setup** (E:\\Downloads\\ADK\\adksetup.exe), and on the first wizard page, click **Continue**. +3. On the **Select the features you want to change** page, select the features below and complete the wizard using the default settings: + 1. Deployment Tools + 2. Windows Preinstallation Environment (Windows PE) + 3. User State Migration Tool (UMST) + +## Install MDT + +These steps assume that you have downloaded [MDT](https://go.microsoft.com/fwlink/p/?LinkId=618117 ) to the E:\\Downloads\\MDT folder on MDT01. + +1. On MDT01, log on as Administrator in the CONTOSO domain using a password of **P@ssw0rd**. +2. Install **MDT** (E:\\Downloads\\MDT\\MicrosoftDeploymentToolkit\_x64.msi) with the default settings. + +## Create the OU structure + +If you do not have an organizational unit (OU) structure in your Active Directory, you should create one. In this section, you create an OU structure and a service account for MDT. +1. On DC01, using Active Directory User and Computers, in the contoso.com domain level, create a top-level OU named **Contoso**. +2. In the **Contoso** OU, create the following OUs: + 1. Accounts + 2. Computers + 3. Groups +3. In the **Contoso / Accounts** OU, create the following underlying OUs: + 1. Admins + 2. 
Service Accounts + 3. Users +4. In the **Contoso / Computers** OU, create the following underlying OUs: + 1. Servers + 2. Workstations +5. In the **Contoso / Groups** OU, create the following OU: + - Security Groups + +![figure 6](images/mdt-05-fig07.png) + +Figure 6. A sample of how the OU structure will look after all the OUs are created. + +## Create the MDT service account + +When creating a reference image, you need an account for MDT. The MDT Build Account is used for Windows Preinstallation Environment (Windows PE) to connect to MDT01. +1. On DC01, using Active Directory User and Computers, browse to **contoso.com / Contoso / Service Accounts**. +2. Select the **Service Accounts** OU and create the **MDT\_BA** account using the following settings: + 1. Name: MDT\_BA + 2. User logon name: MDT\_BA + 3. Password: P@ssw0rd + 4. User must change password at next logon: Clear + 5. User cannot change password: Selected + 6. Password never expires: Selected + +## Create and share the logs folder + +By default MDT stores the log files locally on the client. In order to capture a reference image, you will need to enable server-side logging and, to do that, you will need to have a folder in which to store the logs. For more information, see [Create a Windows 10 reference image](create-a-windows-10-reference-image.md). + +1. On MDT01, log on as **CONTOSO\\Administrator**. +2. Create and share the **E:\\Logs** folder by running the following commands in an elevated Windows PowerShell prompt: + + ``` syntax + New-Item -Path E:\Logs -ItemType directory + New-SmbShare -Name Logs$ -Path E:\Logs -ChangeAccess EVERYONE + icacls E:\Logs /grant '"MDT_BA":(OI)(CI)(M)' + ``` + +![figure 7](images/mdt-05-fig08.png) + +Figure 7. The Sharing tab of the E:\\Logs folder after sharing it with PowerShell. 
+ +## Use CMTrace to read log files (optional) + +The log files in MDT Lite Touch are formatted to be read by Configuration Manager Trace (CMTrace), which is available as part [of Microsoft System Center 2012 R2 Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717). You can use Notepad, but CMTrace formatting makes the logs easier to read. + +![figure 8](images/mdt-05-fig09.png) + +Figure 8. An MDT log file opened in Notepad. + +![figure 9](images/mdt-05-fig10.png) + + +Figure 9. The same log file, opened in CMTrace, is much easier to read. +## Related topics + +[Key features in MDT](key-features-in-mdt.md) + +[MDT Lite Touch components](mdt-lite-touch-components.md) diff --git a/windows/deploy/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md b/windows/deploy/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md index ea62cd3903..7e6facd287 100644 --- a/windows/deploy/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md +++ b/windows/deploy/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md 
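Review bot: The log-share step in the new file grants Change access to Everyone (`New-SmbShare -Name Logs$ -Path E:\Logs -ChangeAccess EVERYONE`), which lets any principal that can reach the share modify or delete deployment logs, while the next line already scopes the NTFS ACL to the build account; the share permission should be narrowed to match, e.g. `New-SmbShare -Name Logs$ -Path E:\Logs -ChangeAccess 'CONTOSO\MDT_BA'`. The "Create the MDT service account" step also sets `Password never expires: Selected` and publishes the fixed password `P@ssw0rd`, the same value the page uses for the domain Administrator logon; a short caveat after step 2 that these are lab values, that the build account should use a unique, managed password, and that its credentials presumably have to be embedded in the boot-media rules for Windows PE to connect to MDT01 (so the account should hold only the rights it needs on the deployment and log shares) would be worth adding. The content is a straight move of prepare-for-windows-deployment-with-mdt-2013.md, so these points already applied to the old text.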
@@ -154,15 +154,15 @@ Figure 7. The E:\\Sources\\OSD folder structure.
 
 ## Integrate Configuration Manager with MDT
 
-To extend the Configuration Manager console with MDT 2013 Update 2 wizards and templates, you install MDT 2013 Update 2 in the default location and run the integration setup. In these steps, we assume you have downloaded MDT 2013 Update 2 to the C:\\Setup\\MDT2013 folder on CM01.
+To extend the Configuration Manager console with MDT wizards and templates, you install MDT in the default location and run the integration setup. In these steps, we assume you have downloaded MDT to the C:\\Setup\\MDT2013 folder on CM01.
 
 1. On CM01, log on as Administrator in the CONTOSO domain using the password **P@ssw0rd**.
 
 2. Make sure the Configuration Manager Console is closed before continuing.
 
-3. Using File Explorer, navigate to the **C:\\Setup\\MDT 2013** folder.
+3. Using File Explorer, navigate to the **C:\\Setup\\MDT** folder.
 
-4. Run the MDT 2013 setup (MicrosoftDeploymentToolkit2013\_x64.msi), and use the default options in the setup wizard.
+4. Run the MDT setup (MicrosoftDeploymentToolkit2013\_x64.msi), and use the default options in the setup wizard.
 
 5. From the Start screen, run Configure ConfigManager Integration with the following settings:
 
@@ -172,7 +172,7 @@ To extend the Configuration Manager console with MDT 2013 Update 2 wizards and t
 
 ![figure 8](images/mdt-06-fig08.png)
 
-Figure 8. Set up the MDT 2013 Update 2 integration with Configuration Manager.
+Figure 8. Set up the MDT integration with Configuration Manager.
 
 ## Configure the client settings
 
@@ -248,7 +248,7 @@ Configuration Manager has many options for starting a deployment, but starting v
 
 ## Related topics
 
-[Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md)
+[Integrate Configuration Manager with MDT](integrate-configuration-manager-with-mdt.md)
 
 [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
 
diff --git a/windows/deploy/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deploy/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
index 6f41793f47..9e7878aea9 100644
--- a/windows/deploy/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
+++ b/windows/deploy/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
@@ -120,7 +120,7 @@ Now you can start the computer refresh on PC0003.
 
 ## Related topics
 
-[Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md)
+[Integrate Configuration Manager with MDT](integrate-configuration-manager-with-mdt.md)
 
 [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
 
diff --git a/windows/deploy/refresh-a-windows-7-computer-with-windows-10.md b/windows/deploy/refresh-a-windows-7-computer-with-windows-10.md
index 91eb3986c7..671ef7c573 100644
--- a/windows/deploy/refresh-a-windows-7-computer-with-windows-10.md
+++ b/windows/deploy/refresh-a-windows-7-computer-with-windows-10.md
@@ -1,6 +1,6 @@
 ---
 title: Refresh a Windows 7 computer with Windows 10 (Windows 10)
-description: This topic will show you how to use MDT 2013 Update 2 Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the computer refresh process.
+description: This topic will show you how to use MDT Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the computer refresh process.
 ms.assetid: 2866fb3c-4909-4c25-b083-6fc1f7869f6f
 keywords: reinstallation, customize, template, script, restore
 ms.prod: w10
@@ -16,7 +16,7 @@ author: mtniehaus **Applies to** - Windows 10 -This topic will show you how to use MDT 2013 Update 2 Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the computer refresh process. The refresh scenario, or computer refresh, is a reinstallation of an operating system on the same machine. You can refresh the machine to the same operating system as it is currently running, or to a later version. +This topic will show you how to use MDT Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the computer refresh process. The refresh scenario, or computer refresh, is a reinstallation of an operating system on the same machine. You can refresh the machine to the same operating system as it is currently running, or to a later version. For the purposes of this topic, we will use three machines: DC01, MDT01, and PC0001. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 Standard server. PC0001 is a machine with Windows 7 Service Pack 1 (SP1) that is going to be refreshed into a Windows 10 machine, with data and settings restored. MDT01 and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof). 
@@ -119,10 +119,10 @@ Figure 2. Starting the computer refresh from the running Windows 7 SP1 client.
 
 [Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
 
-[Deploy a Windows 10 image using MDT 2013 Update 2](deploy-a-windows-10-image-using-mdt.md)
+[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
 
 [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
 
 [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
 
-[Configure MDT settings](configure-mdt-2013-settings.md)
+[Configure MDT settings](configure-mdt-settings.md)
diff --git a/windows/deploy/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deploy/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
index 397914bb14..18d714b7ee 100644
--- a/windows/deploy/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
+++ b/windows/deploy/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
@@ -38,7 +38,7 @@ In this topic, you will create a backup-only task sequence that you run on PC000
 
 4. On the **Boot Image** page, browse and select the **Zero Touch WinPE x64** boot image package. Then click **Next**.
 
-5. On the **MDT Package** page, browse and select the **OSD / MDT 2013** package. Then click **Next**.
+5. On the **MDT Package** page, browse and select the **OSD / MDT** package. Then click **Next**.
 
 6. On the **USMT Package** page, browse and select the O**SD / Microsoft Corporation User State Migration Tool for Windows 8 10.0.10240.16384** package. Then click **Next**.
 
@@ -204,7 +204,7 @@ When the process is complete, you will have a new Windows 10 machine in your dom
 
 ## Related topics
 
-[Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md)
+[Integrate Configuration Manager with MDT](integrate-configuration-manager-with-mdt.md)
 
 [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
 
diff --git a/windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md b/windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md
index a3e51c36b6..28c9c32005 100644
--- a/windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md
+++ b/windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md
@@ -138,10 +138,10 @@ During a computer replace, these are the high-level steps that occur:
 
 [Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
 
-[Deploy a Windows 10 image using MDT 2013 Update 2](deploy-a-windows-10-image-using-mdt.md)
+[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
 
 [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
 
 [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
 
-[Configure MDT settings](configure-mdt-2013-settings.md)
+[Configure MDT settings](configure-mdt-settings.md)
diff --git a/windows/deploy/resolve-windows-10-upgrade-errors.md b/windows/deploy/resolve-windows-10-upgrade-errors.md
index b49144c4ca..a16acec410 100644
--- a/windows/deploy/resolve-windows-10-upgrade-errors.md
+++ b/windows/deploy/resolve-windows-10-upgrade-errors.md
@@ -1,6 +1,6 @@
 ---
-title: Resolve Windows 10 upgrade errors
-description: Resolve Windows 10 upgrade errors
+title: Resolve Windows 10 upgrade errors - Windows IT Pro
+description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors.
 ms.assetid: DFEFE22C-4FEF-4FD9-BFC4-9B419C339502
 keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback
 ms.prod: w10
@@ -11,7 +11,7 @@ author: greg-lindsay
 localizationpriority: high
 ---
 
-# Resolve Windows 10 upgrade errors
+# Resolve Windows 10 upgrade errors : Technical information for IT Pros
 
 **Applies to**
 - Windows 10
@@ -251,13 +251,15 @@ See the following example:
 ### Analyze log files
 
+>The following instructions are meant for IT professionals. Also see the [Upgrade error codes](#upgrade-error-codes) section in this guide to familiarize yourself with [result codes](#result-codes) and [extend codes](#extend-codes).
+

    To analyze Windows Setup log files:

      -
    1. Determine the Windows Setup error code. +
    2. Determine the Windows Setup error code. This code should be returned by Windows Setup if it is not successful with the upgrade process.
    3. Based on the [extend code](#extend-codes) portion of the error code, determine the type and location of a [log files](#log-files) to investigate.
    4. Open the log file in a text editor, such as notepad. -
    5. Using the result code portion of the Windows Setup error code, search for the result code in the file and find the last occurrence of the code. Alternatively search for the "abort" and abandoning" text strings described in step 7 below. +
    6. Using the [result code](#result-codes) portion of the Windows Setup error code, search for the result code in the file and find the last occurrence of the code. Alternatively search for the "abort" and abandoning" text strings described in step 7 below.
    7. To find the last occurrence of the result code:
      1. Scroll to the bottom of the file and click after the last character.
diff --git a/windows/deploy/set-up-mdt-2013-for-bitlocker.md b/windows/deploy/set-up-mdt-2013-for-bitlocker.md
index 16b405ad57..1e417fd432 100644
--- a/windows/deploy/set-up-mdt-2013-for-bitlocker.md
+++ b/windows/deploy/set-up-mdt-2013-for-bitlocker.md
@@ -1,159 +1,5 @@ --- title: Set up MDT for BitLocker (Windows 10) -ms.assetid: 386e6713-5c20-4d2a-a220-a38d94671a38 -description: -keywords: disk, encryption, TPM, configure, secure, script -ms.prod: w10 -ms.mktglfcycl: deploy -localizationpriority: high -ms.sitesec: library -ms.pagetype: mdt -author: mtniehaus +redirect_url: set-up-mdt-for-bitlocker --- -# Set up MDT for BitLocker - -This topic will show you how to configure your environment for BitLocker, the disk volume encryption built into Windows 10 Enterprise and Windows 10 Pro, using MDT. BitLocker in Windows 10 has two requirements in regard to an operating system deployment: -- A protector, which can either be stored in the Trusted Platform Module (TPM) chip, or stored as a password. Technically, you also can use a USB stick to store the protector, but it's not a practical approach as the USB stick can be lost or stolen. We, therefore, recommend that you instead use a TPM chip and/or a password. -- Multiple partitions on the hard drive. - -To configure your environment for BitLocker, you will need to do the following: - -1. Configure Active Directory for BitLocker. -2. Download the various BitLocker scripts and tools. -3. Configure the operating system deployment task sequence for BitLocker. -4. Configure the rules (CustomSettings.ini) for BitLocker. - -**Note**   -Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery key and TPM owner information in Active Directory. For additional information about these features, see [Backing Up BitLocker and TPM Recovery Information to AD DS](https://go.microsoft.com/fwlink/p/?LinkId=619548). If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker. 
-  -For the purposes of this topic, we will use DC01, a domain controller that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof). - -## Configure Active Directory for BitLocker - -To enable BitLocker to store the recovery key and TPM information in Active Directory, you need to create a Group Policy for it in Active Directory. For this section, we are running Windows Server 2012 R2, so you do not need to extend the Schema. You do, however, need to set the appropriate permissions in Active Directory. - -**Note**   -Depending on the Active Directory Schema version, you might need to update the Schema before you can store BitLocker information in Active Directory. -  -In Windows Server 2012 R2 (as well as in Windows Server 2008 R2 and Windows Server 2012), you have access to the BitLocker Drive Encryption Administration Utilities features, which will help you manage BitLocker. When you install the features, the BitLocker Active Directory Recovery Password Viewer is included, and it extends Active Directory Users and Computers with BitLocker Recovery information. - -![figure 2](images/mdt-09-fig02.png) - -Figure 2. The BitLocker Recovery information on a computer object in the contoso.com domain. - -### Add the BitLocker Drive Encryption Administration Utilities - -The BitLocker Drive Encryption Administration Utilities are added as features via Server Manager (or Windows PowerShell): - -1. On DC01, log on as **CONTOSO\\Administrator**, and, using Server Manager, click **Add roles and features**. -2. On the **Before you begin** page, click **Next**. -3. On the **Select installation type** page, select **Role-based or feature-based installation**, and click **Next**. -4. On the **Select destination server** page, select **DC01.contoso.com** and click **Next**. -5. 
On the **Select server roles** page, click **Next**. -6. On the **Select features** page, expand **Remote Server Administration Tools**, expand **Feature Administration Tools**, select the following features, and then click **Next**: - 1. BitLocker Drive Encryption Administration Utilities - 2. BitLocker Drive Encryption Tools - 3. BitLocker Recovery Password Viewer -7. On the **Confirm installation selections** page, click **Install** and then click **Close**. - -![figure 3](images/mdt-09-fig03.png) - -Figure 3. Selecting the BitLocker Drive Encryption Administration Utilities. - -### Create the BitLocker Group Policy - -Following these steps, you enable the backup of BitLocker and TPM recovery information to Active Directory. You also enable the policy for the TPM validation profile. -1. On DC01, using Group Policy Management, right-click the **Contoso** organizational unit (OU), and select **Create a GPO in this domain, and Link it here**. -2. Assign the name **BitLocker Policy** to the new Group Policy. -3. Expand the **Contoso** OU, right-click the **BitLocker Policy**, and select **Edit**. Configure the following policy settings: - Computer Configuration / Policies / Administrative Templates / Windows Components / BitLocker Drive Encryption / Operating System Drives - 1. Enable the **Choose how BitLocker-protected operating system drives can be recovered** policy, and configure the following settings: - 1. Allow data recovery agent (default) - 2. Save BitLocker recovery information to Active Directory Domain Services (default) - 3. Do not enable BitLocker until recovery information is stored in AD DS for operating system drives - 2. Enable the **Configure TPM platform validation profile for BIOS-based firmware configurations** policy. - 3. Enable the **Configure TPM platform validation profile for native UEFI firmware configurations** policy. - Computer Configuration / Policies / Administrative Templates / System / Trusted Platform Module Services - 4. 
Enable the **Turn on TPM backup to Active Directory Domain Services** policy. - -**Note**   -If you consistently get the error "Windows BitLocker Drive Encryption Information. The system boot information has changed since BitLocker was enabled. You must supply a BitLocker recovery password to start this system." after encrypting a computer with BitLocker, you might have to change the various "Configure TPM platform validation profile" Group Policies, as well. Whether or not you need to do this will depend on the hardware you are using. -  -### Set permissions in Active Directory for BitLocker - -In addition to the Group Policy created previously, you need to configure permissions in Active Directory to be able to store the TPM recovery information. In these steps, we assume you have downloaded the [Add-TPMSelfWriteACE.vbs script](https://go.microsoft.com/fwlink/p/?LinkId=167133) from Microsoft to C:\\Setup\\Scripts on DC01. -1. On DC01, start an elevated PowerShell prompt (run as Administrator). -2. Configure the permissions by running the following command: - - ``` syntax - cscript C:\Setup\Scripts\Add-TPMSelfWriteACE.vbs - ``` - -![figure 4](images/mdt-09-fig04.png) - -Figure 4. Running the Add-TPMSelfWriteACE.vbs script on DC01. - -## Add BIOS configuration tools from Dell, HP, and Lenovo - -If you want to automate enabling the TPM chip as part of the deployment process, you need to download the vendor tools and add them to your task sequences, either directly or in a script wrapper. - -### Add tools from Dell - -The Dell tools are available via the Dell Client Configuration Toolkit (CCTK). The executable file from Dell is named cctk.exe. Here is a sample command to enable TPM and set a BIOS password using the cctk.exe tool: -``` syntax -cctk.exe --tpm=on --valsetuppwd=Password1234 -``` -### Add tools from HP - -The HP tools are part of HP System Software Manager. The executable file from HP is named BiosConfigUtility.exe. 
This utility uses a configuration file for the BIOS settings. Here is a sample command to enable TPM and set a BIOS password using the BiosConfigUtility.exe tool: - -``` syntax -BIOSConfigUtility.EXE /SetConfig:TPMEnable.REPSET /NewAdminPassword:Password1234 -``` -And the sample content of the TPMEnable.REPSET file: - -``` syntax -English -Activate Embedded Security On Next Boot -*Enable -Embedded Security Activation Policy -*No prompts -F1 to Boot -Allow user to reject -Embedded Security Device Availability -*Available -``` -### Add tools from Lenovo - -The Lenovo tools are a set of VBScripts available as part of the Lenovo BIOS Setup using Windows Management Instrumentation Deployment Guide. Lenovo also provides a separate download of the scripts. Here is a sample command to enable TPM using the Lenovo tools: -``` syntax -cscript.exe SetConfig.vbs SecurityChip Active -``` -## Configure the Windows 10 task sequence to enable BitLocker - -When configuring a task sequence to run any BitLocker tool, either directly or using a custom script, it is helpful if you also add some logic to detect whether the BIOS is already configured on the machine. In this task sequence, we are using a sample script (ZTICheckforTPM.wsf) from the Deployment Guys web page to check the status on the TPM chip. You can download this script from the Deployment Guys Blog post, [Check to see if the TPM is enabled](https://go.microsoft.com/fwlink/p/?LinkId=619549). In the following task sequence, we have added five actions: -- **Check TPM Status.** Runs the ZTICheckforTPM.wsf script to determine if TPM is enabled. Depending on the status, the script will set the TPMEnabled and TPMActivated properties to either true or false. -- **Configure BIOS for TPM.** Runs the vendor tools (in this case, HP, Dell, and Lenovo). To ensure this action is run only when necessary, add a condition so the action is run only when the TPM chip is not already activated. Use the properties from the ZTICheckforTPM.wsf. 
- **Note**   - It is common for organizations wrapping these tools in scripts to get additional logging and error handling. -   -- **Restart computer.** Self-explanatory, reboots the computer. -- **Check TPM Status.** Runs the ZTICheckforTPM.wsf script one more time. -- **Enable BitLocker.** Runs the built-in action to activate BitLocker. - -## Related topics - -[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) - -[Configure MDT for UserExit scripts](configure-mdt-2013-for-userexit-scripts.md) - -[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) - -[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) - -[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt-2013.md) - -[Use web services in MDT](use-web-services-in-mdt-2013.md) - -[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt-2013.md) diff --git a/windows/deploy/set-up-mdt-for-bitlocker.md b/windows/deploy/set-up-mdt-for-bitlocker.md new file mode 100644 index 0000000000..5047b0b791 --- /dev/null +++ b/windows/deploy/set-up-mdt-for-bitlocker.md 
@@ -0,0 +1,159 @@ +--- +title: Set up MDT for BitLocker (Windows 10) +ms.assetid: 386e6713-5c20-4d2a-a220-a38d94671a38 +description: +keywords: disk, encryption, TPM, configure, secure, script +ms.prod: w10 +ms.mktglfcycl: deploy +localizationpriority: high +ms.sitesec: library +ms.pagetype: mdt +author: mtniehaus +--- + +# Set up MDT for BitLocker + +This topic will show you how to configure your environment for BitLocker, the disk volume encryption built into Windows 10 Enterprise and Windows 10 Pro, using MDT. BitLocker in Windows 10 has two requirements in regard to an operating system deployment: +- A protector, which can either be stored in the Trusted Platform Module (TPM) chip, or stored as a password. Technically, you also can use a USB stick to store the protector, but it's not a practical approach as the USB stick can be lost or stolen. We, therefore, recommend that you instead use a TPM chip and/or a password. +- Multiple partitions on the hard drive. + +To configure your environment for BitLocker, you will need to do the following: + +1. Configure Active Directory for BitLocker. +2. Download the various BitLocker scripts and tools. +3. Configure the operating system deployment task sequence for BitLocker. +4. Configure the rules (CustomSettings.ini) for BitLocker. + +**Note**   +Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery key and TPM owner information in Active Directory. For additional information about these features, see [Backing Up BitLocker and TPM Recovery Information to AD DS](https://go.microsoft.com/fwlink/p/?LinkId=619548). If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker. +  +For the purposes of this topic, we will use DC01, a domain controller that is a member of the domain contoso.com for the fictitious Contoso Corporation. 
For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof). + +## Configure Active Directory for BitLocker + +To enable BitLocker to store the recovery key and TPM information in Active Directory, you need to create a Group Policy for it in Active Directory. For this section, we are running Windows Server 2012 R2, so you do not need to extend the Schema. You do, however, need to set the appropriate permissions in Active Directory. + +**Note**   +Depending on the Active Directory Schema version, you might need to update the Schema before you can store BitLocker information in Active Directory. +  +In Windows Server 2012 R2 (as well as in Windows Server 2008 R2 and Windows Server 2012), you have access to the BitLocker Drive Encryption Administration Utilities features, which will help you manage BitLocker. When you install the features, the BitLocker Active Directory Recovery Password Viewer is included, and it extends Active Directory Users and Computers with BitLocker Recovery information. + +![figure 2](images/mdt-09-fig02.png) + +Figure 2. The BitLocker Recovery information on a computer object in the contoso.com domain. + +### Add the BitLocker Drive Encryption Administration Utilities + +The BitLocker Drive Encryption Administration Utilities are added as features via Server Manager (or Windows PowerShell): + +1. On DC01, log on as **CONTOSO\\Administrator**, and, using Server Manager, click **Add roles and features**. +2. On the **Before you begin** page, click **Next**. +3. On the **Select installation type** page, select **Role-based or feature-based installation**, and click **Next**. +4. On the **Select destination server** page, select **DC01.contoso.com** and click **Next**. +5. On the **Select server roles** page, click **Next**. +6. 
On the **Select features** page, expand **Remote Server Administration Tools**, expand **Feature Administration Tools**, select the following features, and then click **Next**: + 1. BitLocker Drive Encryption Administration Utilities + 2. BitLocker Drive Encryption Tools + 3. BitLocker Recovery Password Viewer +7. On the **Confirm installation selections** page, click **Install** and then click **Close**. + +![figure 3](images/mdt-09-fig03.png) + +Figure 3. Selecting the BitLocker Drive Encryption Administration Utilities. + +### Create the BitLocker Group Policy + +Following these steps, you enable the backup of BitLocker and TPM recovery information to Active Directory. You also enable the policy for the TPM validation profile. +1. On DC01, using Group Policy Management, right-click the **Contoso** organizational unit (OU), and select **Create a GPO in this domain, and Link it here**. +2. Assign the name **BitLocker Policy** to the new Group Policy. +3. Expand the **Contoso** OU, right-click the **BitLocker Policy**, and select **Edit**. Configure the following policy settings: + Computer Configuration / Policies / Administrative Templates / Windows Components / BitLocker Drive Encryption / Operating System Drives + 1. Enable the **Choose how BitLocker-protected operating system drives can be recovered** policy, and configure the following settings: + 1. Allow data recovery agent (default) + 2. Save BitLocker recovery information to Active Directory Domain Services (default) + 3. Do not enable BitLocker until recovery information is stored in AD DS for operating system drives + 2. Enable the **Configure TPM platform validation profile for BIOS-based firmware configurations** policy. + 3. Enable the **Configure TPM platform validation profile for native UEFI firmware configurations** policy. + Computer Configuration / Policies / Administrative Templates / System / Trusted Platform Module Services + 4. 
Enable the **Turn on TPM backup to Active Directory Domain Services** policy. + +**Note**   +If you consistently get the error "Windows BitLocker Drive Encryption Information. The system boot information has changed since BitLocker was enabled. You must supply a BitLocker recovery password to start this system." after encrypting a computer with BitLocker, you might have to change the various "Configure TPM platform validation profile" Group Policies, as well. Whether or not you need to do this will depend on the hardware you are using. +  +### Set permissions in Active Directory for BitLocker + +In addition to the Group Policy created previously, you need to configure permissions in Active Directory to be able to store the TPM recovery information. In these steps, we assume you have downloaded the [Add-TPMSelfWriteACE.vbs script](https://go.microsoft.com/fwlink/p/?LinkId=167133) from Microsoft to C:\\Setup\\Scripts on DC01. +1. On DC01, start an elevated PowerShell prompt (run as Administrator). +2. Configure the permissions by running the following command: + + ``` syntax + cscript C:\Setup\Scripts\Add-TPMSelfWriteACE.vbs + ``` + +![figure 4](images/mdt-09-fig04.png) + +Figure 4. Running the Add-TPMSelfWriteACE.vbs script on DC01. + +## Add BIOS configuration tools from Dell, HP, and Lenovo + +If you want to automate enabling the TPM chip as part of the deployment process, you need to download the vendor tools and add them to your task sequences, either directly or in a script wrapper. + +### Add tools from Dell + +The Dell tools are available via the Dell Client Configuration Toolkit (CCTK). The executable file from Dell is named cctk.exe. Here is a sample command to enable TPM and set a BIOS password using the cctk.exe tool: +``` syntax +cctk.exe --tpm=on --valsetuppwd=Password1234 +``` +### Add tools from HP + +The HP tools are part of HP System Software Manager. The executable file from HP is named BiosConfigUtility.exe. 
This utility uses a configuration file for the BIOS settings. Here is a sample command to enable TPM and set a BIOS password using the BiosConfigUtility.exe tool: + +``` syntax +BIOSConfigUtility.EXE /SetConfig:TPMEnable.REPSET /NewAdminPassword:Password1234 +``` +And the sample content of the TPMEnable.REPSET file: + +``` syntax +English +Activate Embedded Security On Next Boot +*Enable +Embedded Security Activation Policy +*No prompts +F1 to Boot +Allow user to reject +Embedded Security Device Availability +*Available +``` +### Add tools from Lenovo + +The Lenovo tools are a set of VBScripts available as part of the Lenovo BIOS Setup using Windows Management Instrumentation Deployment Guide. Lenovo also provides a separate download of the scripts. Here is a sample command to enable TPM using the Lenovo tools: +``` syntax +cscript.exe SetConfig.vbs SecurityChip Active +``` +## Configure the Windows 10 task sequence to enable BitLocker + +When configuring a task sequence to run any BitLocker tool, either directly or using a custom script, it is helpful if you also add some logic to detect whether the BIOS is already configured on the machine. In this task sequence, we are using a sample script (ZTICheckforTPM.wsf) from the Deployment Guys web page to check the status on the TPM chip. You can download this script from the Deployment Guys Blog post, [Check to see if the TPM is enabled](https://go.microsoft.com/fwlink/p/?LinkId=619549). In the following task sequence, we have added five actions: +- **Check TPM Status.** Runs the ZTICheckforTPM.wsf script to determine if TPM is enabled. Depending on the status, the script will set the TPMEnabled and TPMActivated properties to either true or false. +- **Configure BIOS for TPM.** Runs the vendor tools (in this case, HP, Dell, and Lenovo). To ensure this action is run only when necessary, add a condition so the action is run only when the TPM chip is not already activated. Use the properties from the ZTICheckforTPM.wsf. 
+ **Note**   + It is common for organizations wrapping these tools in scripts to get additional logging and error handling. +   +- **Restart computer.** Self-explanatory, reboots the computer. +- **Check TPM Status.** Runs the ZTICheckforTPM.wsf script one more time. +- **Enable BitLocker.** Runs the built-in action to activate BitLocker. + +## Related topics + +[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) + +[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md) + +[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) + +[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) + +[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md) + +[Use web services in MDT](use-web-services-in-mdt.md) + +[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) diff --git a/windows/deploy/simulate-a-windows-10-deployment-in-a-test-environment.md b/windows/deploy/simulate-a-windows-10-deployment-in-a-test-environment.md index 3677031293..ba135d788d 100644 --- a/windows/deploy/simulate-a-windows-10-deployment-in-a-test-environment.md +++ b/windows/deploy/simulate-a-windows-10-deployment-in-a-test-environment.md 
@@ -50,16 +50,16 @@ Figure 7. The ZTIGather.log file from PC0001, displaying some of its hardware ca
 ## Related topics
-[Set up MDT for BitLocker](set-up-mdt-2013-for-bitlocker.md)
+[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
 [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
-[Configure MDT for UserExit scripts](configure-mdt-2013-for-userexit-scripts.md)
+[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
 [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
-[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt-2013.md)
+[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
-[Use web services in MDT](use-web-services-in-mdt-2013.md)
+[Use web services in MDT](use-web-services-in-mdt.md)
-[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt-2013.md)
\ No newline at end of file
+[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
\ No newline at end of file
diff --git a/windows/deploy/troubleshoot-upgrade-readiness.md b/windows/deploy/troubleshoot-upgrade-readiness.md
index 700408bdd6..2cc9bf9340 100644
--- a/windows/deploy/troubleshoot-upgrade-readiness.md
+++ b/windows/deploy/troubleshoot-upgrade-readiness.md
@@ -11,7 +11,7 @@ If you’re having issues seeing data in Upgrade Readiness after running the Upg
 If you still don’t see data in Upgrade Readiness, follow these steps:
-1. Download and extract UpgradeAnalytics.zip. Ensure the “Diagnostics” folder is included.
+1. Download and extract the [Upgrade Readiness Deployment Script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409). Ensure the “Pilot/Diagnostics” folder is included .
 2. Edit the script as described in [Upgrade Readiness deployment script](upgrade-readiness-deployment-script.md).
diff --git a/windows/deploy/upgrade-readiness-architecture.md b/windows/deploy/upgrade-readiness-architecture.md
index c4cafc8768..93a028f925 100644
--- a/windows/deploy/upgrade-readiness-architecture.md
+++ b/windows/deploy/upgrade-readiness-architecture.md
@@ -13,7 +13,7 @@ Microsoft analyzes system, application, and driver telemetry data to help you de
 -->
-![Upgrade Readiness architecture](images/upgrade-analytics-architecture.png)
+![Upgrade Readiness architecture](images/ur-arch-diagram.png)
 After you enable Windows telemetry on user computers and install the compatibility update KB (1), user computers send computer, application and driver telemetry data to a secure Microsoft data center through the Microsoft Data Management Service (2). After you configure Upgrade Readiness, telemetry data is analyzed by the Upgrade Readiness Service (3) and pushed to your OMS workspace (4). You can then use the Upgrade Readiness solution (5) to plan and manage Windows upgrades.
diff --git a/windows/deploy/upgrade-readiness-deployment-script.md b/windows/deploy/upgrade-readiness-deployment-script.md
index e1decfb250..0206b5764e 100644
--- a/windows/deploy/upgrade-readiness-deployment-script.md
+++ b/windows/deploy/upgrade-readiness-deployment-script.md
@@ -31,7 +31,7 @@ The Upgrade Readiness deployment script does the following:
 To run the Upgrade Readiness deployment script:
-1. Download the [Upgrade Readiness deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and extract UpgradeAnalytics.zip. Inside, there are two folders: Pilot and Deployment. The Pilot folder contains advanced logging that can help troubleshoot issues and is intended to be run from an elevated command prompt. The Deployment folder offers a lightweight script intended for broad deployment through ConfigMgr or other software deployment system. We recommend manually running the Pilot version of the script on 5-10 machines to verify that everything is configured correctly. Once you have confirmed that data is flowing successfully, proceed to run the Deployment version throughout your organization.
+1. Download the [Upgrade Readiness deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and extract the .zip file. Inside, there are two folders: **Pilot** and **Deployment**. The **Pilot** folder contains advanced logging that can help troubleshoot issues and is intended to be run from an elevated command prompt. The **Deployment** folder offers a lightweight script intended for broad deployment through ConfigMgr or other software deployment system. We recommend manually running the Pilot version of the script on 5-10 machines to verify that everything is configured correctly. Once you have confirmed that data is flowing successfully, proceed to run the Deployment version throughout your organization.
 2. Edit the following parameters in RunConfig.bat:
diff --git a/windows/deploy/upgrade-readiness-get-started.md b/windows/deploy/upgrade-readiness-get-started.md
index 9f9abda9b2..4829baa632 100644
--- a/windows/deploy/upgrade-readiness-get-started.md
+++ b/windows/deploy/upgrade-readiness-get-started.md
@@ -44,7 +44,7 @@ If you are already using OMS, you’ll find Upgrade Readiness in the Solutions G
 If you are not using OMS:
-1. Go to the [Upgrade Readiness page on Microsoft.com](https://go.microsoft.com/fwlink/?LinkID=799190&clcid=0x409) and click **Sign up** to kick off the onboarding process.
+1. Go to the [Upgrade Readiness page on Microsoft.com](https://go.microsoft.com/fwlink/?LinkID=799190&clcid=0x409) and click **New Customers >** to kick off the onboarding process.
 2. Sign in to Operations Management Suite (OMS). You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS.
 3. Create a new OMS workspace. Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Select **Create**.
 4. If your organization already has an Azure subscription, you can link it to your workspace. Note that you may need to request access from your organization’s Azure administrator.
@@ -130,4 +130,4 @@ To ensure that user computers are receiving the most up to date data from Micros
 ### Distribute the deployment script at scale
-Use a software distribution system such as System Center Configuration Manager to distribute the Upgrade Readiness deployment script at scale. For more information, see the [Upgrade Readiness blog](https://blogs.technet.microsoft.com/upgradeanalytics/2016/09/20/new-version-of-the-upgrade-analytics-deployment-script-available/).
\ No newline at end of file
+Use a software distribution system such as System Center Configuration Manager to distribute the Upgrade Readiness deployment script at scale. For more information, see the [Upgrade Readiness blog](https://blogs.technet.microsoft.com/upgradeanalytics/2016/09/20/new-version-of-the-upgrade-analytics-deployment-script-available/).
diff --git a/windows/deploy/upgrade-readiness-resolve-issues.md b/windows/deploy/upgrade-readiness-resolve-issues.md
index 7436b86607..bb0e2c452d 100644
--- a/windows/deploy/upgrade-readiness-resolve-issues.md
+++ b/windows/deploy/upgrade-readiness-resolve-issues.md
@@ -53,7 +53,7 @@ For applications assessed as **Attention needed**, review the table below for de
 | Upgrade Assessment | Action required prior to upgrade? | Issue | What it means | Guidance |
 |--------------------|-----------------------------------|-----------|-----------------|------------|
 | Attention needed | No | Application is removed during upgrade | Compatibility issues were detected and the application will not migrate to the new operating system.
        | No action is required for the upgrade to proceed. |
-| Attention needed | Yes | Blocking upgrade | Blocking issues were detected and Upgrade Analytics is not able to remove the application during upgrade.

        The application may work on the new operating system.
        | Remove the application before upgrading, and reinstall and test on new operating system. |
+| Attention needed | Yes | Blocking upgrade | Blocking issues were detected and Upgrade Readiness is not able to remove the application during upgrade.

        The application may work on the new operating system.
        | Remove the application before upgrading, and reinstall and test on new operating system. |
 | Attention needed | No | Evaluate application on new OS | The application will migrate, but issues were detected that may impact its performance on the new operating system. | No action is required for the upgrade to proceed, but be sure to test the application on the new operating system.
        |
 | Attention needed | No | Does not work with new OS, but won’t block upgrade | The application is not compatible with the new operating system, but won’t block the upgrade. | No action is required for the upgrade to proceed, however, you’ll have to install a compatible version of the application on the new operating system.
        |
 | Attention needed | Yes | Does not work with new OS, and will block upgrade | The application is not compatible with the new operating system and will block the upgrade. | Remove the application before upgrading.

        A compatible version of the application may be available.
        |
diff --git a/windows/deploy/upgrade-readiness-upgrade-overview.md b/windows/deploy/upgrade-readiness-upgrade-overview.md
index 29777cad6f..bf09694a38 100644
--- a/windows/deploy/upgrade-readiness-upgrade-overview.md
+++ b/windows/deploy/upgrade-readiness-upgrade-overview.md
@@ -17,9 +17,13 @@ The following color-coded status changes are reflected on the upgrade overview b
 - No delay in processing device inventory data = "Last updated" banner is displayed in green.
 - Delay processing device inventory data = "Last updated" banner is displayed in amber.
 - Computers with incomplete data:
- - Less than 4% = Count is displayed in black.
+ - Less than 4% = Count is displayed in green.
 - 4% - 10% = Count is displayed in amber.
 - Greater than 10% = Count is displayed in red.
+- Computers with outdated KB:
+ - Less than 10% = Count is displayed in green.
+ - 10% - 30% = Count is displayed in amber.
+ - Greater than 30% = Count is displayed in red.
 - User changes:
 - Pending user changes = User changes count displays "Data refresh pending" in amber.
 - No pending user changes = User changes count displays "Up to date" in green.
@@ -28,6 +32,8 @@ The following color-coded status changes are reflected on the upgrade overview b
 - If the current value is an older OS version than the recommended value, but not deprecated, the version is displayed in amber.
 - If the current value is a deprecated OS version, the version is displayed in red.
+Click on a row to drill down and see details about individual computers. If KBs are missing, see [Deploy the compatibility update and related KBs](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#deploy-the-compatibility-update-and-related-kbs) for information on required KBs.
+
 In the following example, there is no delay in data processing, less than 4% of computers (6k\294k) have incomplete data, there are no pending user changes, and the currently selected target OS version is the same as the recommended version:
 ![Upgrade overview](images/ur-overview.png)
diff --git a/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager.md b/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager.md
index 1739910931..4df01c9022 100644
--- a/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager.md
+++ b/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager.md
@@ -1,6 +1,6 @@
 ---
-title: Upgrade to Windows 10 with System Center Configuration Manager (Windows 10)
-description: The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a System Center Configuration Manager task sequence to completely automate the process.
+title: Perform an in-place upgrade to Windows 10 using Configuration Manager (Windows 10)
+description: The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. Use a System Center Configuration Manager task sequence to completely automate the process.
 ms.assetid: F8DF6191-0DB0-4EF5-A9B1-6A11D5DE4878
 keywords: upgrade, update, task sequence, deploy
 ms.prod: w10
@@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
 author: mtniehaus
 ---
-# Upgrade to Windows 10 with System Center Configuration Manager
+# Perform an in-place upgrade to Windows 10 using Configuration Manager
 **Applies to**
diff --git a/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
index a57de8573f..4deadb668f 100644
--- a/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
+++ b/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
@@ -1,5 +1,5 @@
 ---
-title: Upgrade to Windows 10 with the Microsoft Deployment Toolkit (Windows 10)
+title: Perform an in-place upgrade to Windows 10 with MDT (Windows 10)
 description: The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade.
 ms.assetid: B8993151-3C1E-4F22-93F4-2C5F2771A460
 keywords: upgrade, update, task sequence, deploy
@@ -11,7 +11,7 @@ ms.pagetype: mdt
 author: mtniehaus
 ---
-# Upgrade to Windows 10 with the Microsoft Deployment Toolkit
+# Perform an in-place upgrade to Windows 10 with MDT
 **Applies to**
 - Windows 10
@@ -28,7 +28,7 @@ Figure 1. The machines used in this topic.
 ## Set up the upgrade task sequence
-MDT 2013 Update 2 adds support for Windows 10 deployment, including a new in-place upgrade task sequence template that makes the process really simple.
+MDT adds support for Windows 10 deployment, including a new in-place upgrade task sequence template that makes the process really simple.
 ## Create the MDT production deployment share
diff --git a/windows/deploy/use-orchestrator-runbooks-with-mdt-2013.md b/windows/deploy/use-orchestrator-runbooks-with-mdt-2013.md
index 65fb7d646b..e7e0a319ae 100644
--- a/windows/deploy/use-orchestrator-runbooks-with-mdt-2013.md
+++ b/windows/deploy/use-orchestrator-runbooks-with-mdt-2013.md
@@ -1,174 +1,4 @@
 ---
 title: Use Orchestrator runbooks with MDT (Windows 10)
-description: This topic will show you how to integrate Microsoft System Center 2012 R2 Orchestrator with MDT to replace the existing web services that are used in deployment solutions.
-ms.assetid: 68302780-1f6f-4a9c-9407-b14371fdce3f
-keywords: web services, database
-ms.prod: w10
-ms.mktglfcycl: deploy
-localizationpriority: high
-ms.sitesec: library
-ms.pagetype: mdt
-author: mtniehaus
+redirect_url: use-orchestrator-runbooks-with-mdt
 ---
-
-# Use Orchestrator runbooks with MDT
-
-This topic will show you how to integrate Microsoft System Center 2012 R2 Orchestrator with MDT to replace the existing web services that are used in deployment solutions.
-MDT can integrate with System Center 2012 R2 Orchestrator, which is a component that ties the Microsoft System Center products together, as well as other products from both Microsoft and third-party vendors. The difference between using Orchestrator and "normal" web services, is that with Orchestrator you have a rich drag-and-drop style interface when building the solution, and little or no coding is required.
-
-**Note**  
-If you are licensed to use Orchestrator, we highly recommend that you start using it. To find out more about licensing options for System Center 2012 R2 and Orchestrator, visit the [System Center 2012 R2](https://go.microsoft.com/fwlink/p/?LinkId=619553) website.
-  
-## Orchestrator terminology
-
-Before diving into the core details, here is a quick course in Orchestrator terminology:
-- **Orchestrator Server.** This is a server that executes runbooks.
-- **Runbooks.** A runbook is similar to a task sequence; it is a series of instructions based on conditions. Runbooks consist of workflow activities; an activity could be Copy File, Get User from Active Directory, or even Write to Database.
-- **Orchestrator Designer.** This is where you build the runbooks. 
In brief, you do that by creating an empty runbook, dragging in the activities you need, and then connecting them in a workflow with conditions and subscriptions.
-- **Subscriptions.** These are variables that come from an earlier activity in the runbook. So if you first execute an activity in which you type in a computer name, you can then subscribe to that value in the next activity. All these variables are accumulated during the execution of the runbook.
-- **Orchestrator Console.** This is the Microsoft Silverlight-based web page you can use interactively to execute runbooks. The console listens to TCP port 81 by default.
-- **Orchestrator web services.** These are the web services you use in the Microsoft Deployment Toolkit to execute runbooks during deployment. The web services listen to TCP port 82 by default.
-- **Integration packs.** These provide additional workflow activities you can import to integrate with other products or solutions, like the rest of Active Directory, other System Center 2012 R2 products, or Microsoft Exchange Server, to name a few.
-
-**Note**  
-To find and download additional integration packs, see [Integration Packs for System Center 2012 - Orchestrator](https://go.microsoft.com/fwlink/p/?LinkId=619554).
-  
-## Create a sample runbook
-
-This section assumes you have Orchestrator 2012 R2 installed on a server named OR01. In this section, you create a sample runbook, which is used to log some of the MDT deployment information into a text file on OR01.
-
-1. On OR01, using File Explorer, create the **E:\\Logfile** folder, and grant Users modify permissions (NTFS).
-2. In the **E:\\Logfile** folder, create the DeployLog.txt file.
- **Note**  
- Make sure File Explorer is configured to show known file extensions so the file is not named DeployLog.txt.txt.
-  
- ![figure 23](images/mdt-09-fig23.png)
-
- Figure 23. The DeployLog.txt file.
-
-3. 
Using System Center 2012 R2 Orchestrator Runbook Designer, in the **Runbooks** node, create the **1.0 MDT** folder.
-
- ![figure 24](images/mdt-09-fig24.png)
-
- Figure 24. Folder created in the Runbooks node.
-
-4. In the **Runbooks** node, right-click the **1.0 MDT** folder, and select **New / Runbook**.
-5. On the ribbon bar, click **Check Out**.
-6. Right-click the **New Runbook** label, select **Rename**, and assign the name **MDT Sample**.
-7. Add (using a drag-and-drop operation) the following items from the **Activities** list to the middle pane:
- 1. Runbook Control / Initialize Data
- 2. Text File Management / Append Line
-8. Connect **Initialize Data** to **Append Line**.
-
- ![figure 25](images/mdt-09-fig25.png)
-
- Figure 25. Activities added and connected.
-
-9. Right-click the **Initialize Data** activity, and select **Properties**
-10. On **the Initialize Data Properties** page, click **Add**, change **Parameter 1** to **OSDComputerName**, and then click **Finish**.
-
- ![figure 26](images/mdt-09-fig26.png)
-
- Figure 26. The Initialize Data Properties window.
-
-11. Right-click the **Append Line** activity, and select **Properties**.
-12. On the **Append Line Properties** page, in the **File** text box, type **E:\\Logfile\\DeployLog.txt**.
-13. In the **File** encoding drop-down list, select **ASCII**.
-14. In the **Append** area, right-click inside the **Text** text box and select **Expand**.
-
- ![figure 27](images/mdt-09-fig27.png)
-
- Figure 27. Expanding the Text area.
-
-15. In the blank text box, right-click and select **Subscribe / Published Data**.
-
- ![figure 28](images/mdt-09-fig28.png)
-
- Figure 28. Subscribing to data.
-
-16. In the **Published Data** window, select the **OSDComputerName** item, and click **OK**.
-17. After the **{OSDComputerName from "Initialize Data"}** text, type in **has been deployed at** and, once again, right-click and select **Subscribe / Published Data**.
-18. 
In the **Published Data** window, select the **Show common Published Data** check box, select the **Activity end time** item, and click **OK**.
-
- ![figure 29](images/mdt-09-fig29.png)
-
- Figure 29. The expanded text box after all subscriptions have been added.
-
-19. On the **Append Line Properties** page, click **Finish**.
-## Test the demo MDT runbook
-After the runbook is created, you are ready to test it.
-1. On the ribbon bar, click **Runbook Tester**.
-2. Click **Run**, and in the **Initialize Data Parameters** dialog box, use the following setting and then click **OK**:
- - OSDComputerName: PC0010
-3. Verify that all activities are green (for additional information, see each target).
-4. Close the **Runbook Tester**.
-5. On the ribbon bar, click **Check In**.
-
-![figure 30](images/mdt-09-fig30.png)
-
-Figure 30. All tests completed.
-
-## Use the MDT demo runbook from MDT
-
-1. On MDT01, using the Deployment Workbench, in the MDT Production deployment share, select the **Task Sequences** node, and create a folder named **Orchestrator**.
-2. Right-click the **Orchestrator** node, and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
- 1. Task sequence ID: OR001
- 2. Task sequence name: Orchestrator Sample
- 3. Task sequence comments: <blank>
- 4. Template: Custom Task Sequence
-3. In the **Orchestrator** node, double-click the **Orchestrator Sample** task sequence, and then select the **Task Sequence** tab.
-4. Remove the default **Application Install** action.
-5. Add a **Gather** action and select the **Gather only local data (do not process rules)** option.
-6. After the **Gather** action, add a **Set Task Sequence Variable** action with the following settings:
- 1. Name: Set Task Sequence Variable
- 2. Task Sequence Variable: OSDComputerName
- 3. Value: %hostname%
-7. After the **Set Task Sequence Variable** action, add a new **Execute Orchestrator Runbook** action with the following settings:
- 1. 
Orchestrator Server: OR01.contoso.com
- 2. Use Browse to select **1.0 MDT / MDT Sample**.
-8. Click **OK**.
-
-![figure 31](images/mdt-09-fig31.png)
-
-Figure 31. The ready-made task sequence.
-
-## Run the orchestrator sample task sequence
-
-Since this task sequence just starts a runbook, you can test this on the PC0001 client that you used for the MDT simulation environment.
-**Note**  
-Make sure the account you are using has permissions to run runbooks on the Orchestrator server. For more information about runbook permissions, see [Runbook Permissions](https://go.microsoft.com/fwlink/p/?LinkId=619555).
-  
-1. On PC0001, log on as **CONTOSO\\MDT\_BA**.
-2. Using an elevated command prompt (run as Administrator), type the following command:
-
- ``` syntax
- cscript \\MDT01\MDTProduction$\Scripts\Litetouch.vbs
- ```
-3. Complete the Windows Deployment Wizard using the following information:
- 1. Task Sequence: Orchestrator Sample
- 2. Credentials:
- 1. User Name: MDT\_BA
- 2. Password: P@ssw0rd
- 3. Domain: CONTOSO
-4. Wait until the task sequence is completed and then verify that the DeployLog.txt file in the E:\\Logfile folder on OR01 was updated.
-
-![figure 32](images/mdt-09-fig32.png)
-
-Figure 32. The ready-made task sequence.
-
-## Related topics
-
-[Set up MDT for BitLocker](set-up-mdt-2013-for-bitlocker.md)
-
-[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
-
-[Configure MDT for UserExit scripts](configure-mdt-2013-for-userexit-scripts.md)
-
-[Simulate a Windows10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
-
-[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
-
-
-[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt-2013.md)
-
-[Use web services in MDT](use-web-services-in-mdt-2013.md)
diff --git a/windows/deploy/use-orchestrator-runbooks-with-mdt.md b/windows/deploy/use-orchestrator-runbooks-with-mdt.md
new file mode 100644
index 0000000000..ceb7766904
--- /dev/null
+++ b/windows/deploy/use-orchestrator-runbooks-with-mdt.md
@@ -0,0 +1,174 @@
+---
+title: Use Orchestrator runbooks with MDT (Windows 10)
+description: This topic will show you how to integrate Microsoft System Center 2012 R2 Orchestrator with MDT to replace the existing web services that are used in deployment solutions.
+ms.assetid: 68302780-1f6f-4a9c-9407-b14371fdce3f
+keywords: web services, database
+ms.prod: w10
+ms.mktglfcycl: deploy
+localizationpriority: high
+ms.sitesec: library
+ms.pagetype: mdt
+author: mtniehaus
+---
+
+# Use Orchestrator runbooks with MDT
+
+This topic will show you how to integrate Microsoft System Center 2012 R2 Orchestrator with MDT to replace the existing web services that are used in deployment solutions.
+MDT can integrate with System Center 2012 R2 Orchestrator, which is a component that ties the Microsoft System Center products together, as well as other products from both Microsoft and third-party vendors. The difference between using Orchestrator and "normal" web services, is that with Orchestrator you have a rich drag-and-drop style interface when building the solution, and little or no coding is required.
+
+**Note**  
+If you are licensed to use Orchestrator, we highly recommend that you start using it. To find out more about licensing options for System Center 2012 R2 and Orchestrator, visit the [System Center 2012 R2](https://go.microsoft.com/fwlink/p/?LinkId=619553) website.
+  
+## Orchestrator terminology
+
+Before diving into the core details, here is a quick course in Orchestrator terminology:
+- **Orchestrator Server.** This is a server that executes runbooks.
+- **Runbooks.** A runbook is similar to a task sequence; it is a series of instructions based on conditions. Runbooks consist of workflow activities; an activity could be Copy File, Get User from Active Directory, or even Write to Database.
+- **Orchestrator Designer.** This is where you build the runbooks. 
In brief, you do that by creating an empty runbook, dragging in the activities you need, and then connecting them in a workflow with conditions and subscriptions.
+- **Subscriptions.** These are variables that come from an earlier activity in the runbook. So if you first execute an activity in which you type in a computer name, you can then subscribe to that value in the next activity. All these variables are accumulated during the execution of the runbook.
+- **Orchestrator Console.** This is the Microsoft Silverlight-based web page you can use interactively to execute runbooks. The console listens to TCP port 81 by default.
+- **Orchestrator web services.** These are the web services you use in the Microsoft Deployment Toolkit to execute runbooks during deployment. The web services listen to TCP port 82 by default.
+- **Integration packs.** These provide additional workflow activities you can import to integrate with other products or solutions, like the rest of Active Directory, other System Center 2012 R2 products, or Microsoft Exchange Server, to name a few.
+
+**Note**  
+To find and download additional integration packs, see [Integration Packs for System Center 2012 - Orchestrator](https://go.microsoft.com/fwlink/p/?LinkId=619554).
+  
+## Create a sample runbook
+
+This section assumes you have Orchestrator 2012 R2 installed on a server named OR01. In this section, you create a sample runbook, which is used to log some of the MDT deployment information into a text file on OR01.
+
+1. On OR01, using File Explorer, create the **E:\\Logfile** folder, and grant Users modify permissions (NTFS).
+2. In the **E:\\Logfile** folder, create the DeployLog.txt file.
+ **Note**  
+ Make sure File Explorer is configured to show known file extensions so the file is not named DeployLog.txt.txt.
+  
+ ![figure 23](images/mdt-09-fig23.png)
+
+ Figure 23. The DeployLog.txt file.
+
+3. 
Using System Center 2012 R2 Orchestrator Runbook Designer, in the **Runbooks** node, create the **1.0 MDT** folder.
+
+ ![figure 24](images/mdt-09-fig24.png)
+
+ Figure 24. Folder created in the Runbooks node.
+
+4. In the **Runbooks** node, right-click the **1.0 MDT** folder, and select **New / Runbook**.
+5. On the ribbon bar, click **Check Out**.
+6. Right-click the **New Runbook** label, select **Rename**, and assign the name **MDT Sample**.
+7. Add (using a drag-and-drop operation) the following items from the **Activities** list to the middle pane:
+ 1. Runbook Control / Initialize Data
+ 2. Text File Management / Append Line
+8. Connect **Initialize Data** to **Append Line**.
+
+ ![figure 25](images/mdt-09-fig25.png)
+
+ Figure 25. Activities added and connected.
+
+9. Right-click the **Initialize Data** activity, and select **Properties**
+10. On **the Initialize Data Properties** page, click **Add**, change **Parameter 1** to **OSDComputerName**, and then click **Finish**.
+
+ ![figure 26](images/mdt-09-fig26.png)
+
+ Figure 26. The Initialize Data Properties window.
+
+11. Right-click the **Append Line** activity, and select **Properties**.
+12. On the **Append Line Properties** page, in the **File** text box, type **E:\\Logfile\\DeployLog.txt**.
+13. In the **File** encoding drop-down list, select **ASCII**.
+14. In the **Append** area, right-click inside the **Text** text box and select **Expand**.
+
+ ![figure 27](images/mdt-09-fig27.png)
+
+ Figure 27. Expanding the Text area.
+
+15. In the blank text box, right-click and select **Subscribe / Published Data**.
+
+ ![figure 28](images/mdt-09-fig28.png)
+
+ Figure 28. Subscribing to data.
+
+16. In the **Published Data** window, select the **OSDComputerName** item, and click **OK**.
+17. After the **{OSDComputerName from "Initialize Data"}** text, type in **has been deployed at** and, once again, right-click and select **Subscribe / Published Data**.
+18. 
In the **Published Data** window, select the **Show common Published Data** check box, select the **Activity end time** item, and click **OK**.
+
+ ![figure 29](images/mdt-09-fig29.png)
+
+ Figure 29. The expanded text box after all subscriptions have been added.
+
+19. On the **Append Line Properties** page, click **Finish**.
+## Test the demo MDT runbook
+After the runbook is created, you are ready to test it.
+1. On the ribbon bar, click **Runbook Tester**.
+2. Click **Run**, and in the **Initialize Data Parameters** dialog box, use the following setting and then click **OK**:
+ - OSDComputerName: PC0010
+3. Verify that all activities are green (for additional information, see each target).
+4. Close the **Runbook Tester**.
+5. On the ribbon bar, click **Check In**.
+
+![figure 30](images/mdt-09-fig30.png)
+
+Figure 30. All tests completed.
+
+## Use the MDT demo runbook from MDT
+
+1. On MDT01, using the Deployment Workbench, in the MDT Production deployment share, select the **Task Sequences** node, and create a folder named **Orchestrator**.
+2. Right-click the **Orchestrator** node, and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
+ 1. Task sequence ID: OR001
+ 2. Task sequence name: Orchestrator Sample
+ 3. Task sequence comments: <blank>
+ 4. Template: Custom Task Sequence
+3. In the **Orchestrator** node, double-click the **Orchestrator Sample** task sequence, and then select the **Task Sequence** tab.
+4. Remove the default **Application Install** action.
+5. Add a **Gather** action and select the **Gather only local data (do not process rules)** option.
+6. After the **Gather** action, add a **Set Task Sequence Variable** action with the following settings:
+ 1. Name: Set Task Sequence Variable
+ 2. Task Sequence Variable: OSDComputerName
+ 3. Value: %hostname%
+7. After the **Set Task Sequence Variable** action, add a new **Execute Orchestrator Runbook** action with the following settings:
+ 1. 
Orchestrator Server: OR01.contoso.com + 2. Use Browse to select **1.0 MDT / MDT Sample**. +8. Click **OK**. + +![figure 31](images/mdt-09-fig31.png) + +Figure 31. The ready-made task sequence. + +## Run the orchestrator sample task sequence + +Since this task sequence just starts a runbook, you can test this on the PC0001 client that you used for the MDT simulation environment. +**Note**   +Make sure the account you are using has permissions to run runbooks on the Orchestrator server. For more information about runbook permissions, see [Runbook Permissions](https://go.microsoft.com/fwlink/p/?LinkId=619555). +  +1. On PC0001, log on as **CONTOSO\\MDT\_BA**. +2. Using an elevated command prompt (run as Administrator), type the following command: + + ``` syntax + cscript \\MDT01\MDTProduction$\Scripts\Litetouch.vbs + ``` +3. Complete the Windows Deployment Wizard using the following information: + 1. Task Sequence: Orchestrator Sample + 2. Credentials: + 1. User Name: MDT\_BA + 2. Password: P@ssw0rd + 3. Domain: CONTOSO +4. Wait until the task sequence is completed and then verify that the DeployLog.txt file in the E:\\Logfile folder on OR01 was updated. + +![figure 32](images/mdt-09-fig32.png) + +Figure 32. The ready-made task sequence. + +## Related topics + +[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md) + +[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) + +[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md) + +[Simulate a Windows10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) + +[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) + + +[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md) + +[Use web services in MDT](use-web-services-in-mdt.md) 
diff --git a/windows/deploy/use-the-mdt-database-to-stage-windows-10-deployment-information.md b/windows/deploy/use-the-mdt-database-to-stage-windows-10-deployment-information.md
index 38ae49c0e7..b2bed4243a 100644
--- a/windows/deploy/use-the-mdt-database-to-stage-windows-10-deployment-information.md
+++ b/windows/deploy/use-the-mdt-database-to-stage-windows-10-deployment-information.md
@@ -77,16 +77,16 @@ Figure 11. Adding the PC00075 computer to the database.
 ## Related topics
-[Set up MDT for BitLocker](set-up-mdt-2013-for-bitlocker.md)
+[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
 [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
-[Configure MDT for UserExit scripts](configure-mdt-2013-for-userexit-scripts.md)
+[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
 [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
-[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt-2013.md)
+[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
-[Use web services in MDT](use-web-services-in-mdt-2013.md)
+[Use web services in MDT](use-web-services-in-mdt.md)
-[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt-2013.md)
+[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
diff --git a/windows/deploy/use-upgrade-readiness-to-manage-windows-upgrades.md b/windows/deploy/use-upgrade-readiness-to-manage-windows-upgrades.md
index cd081245c1..21ff12135a 100644
--- a/windows/deploy/use-upgrade-readiness-to-manage-windows-upgrades.md
+++ b/windows/deploy/use-upgrade-readiness-to-manage-windows-upgrades.md
@@ -41,7 +41,7 @@ As mentioned previously, the default target version in Upgrade Readiness is set
 The number displayed under **Computers upgraded** in the Upgrade Overview blade is the total number of computers that are already running the same or a later version of Windows compared to the target version. It also is used in the evaluation of apps and drivers: Known issues and guidance for the apps and drivers in Upgrade Readiness is based on the target operating system version.
-You now have the ability to change the Windows 10 version you wish to target. The available options currently are: Windows 10 version 1507, Windows 10 version 1511, and Windows version 1610.
+You now have the ability to change the Windows 10 version you wish to target. The available options currently are: Windows 10 version 1507, Windows 10 version 1511, and Windows version 1607.
 To change the target version setting, click on **Solutions Settings**, which appears at the top when you open you Upgrade Readiness solution:
@@ -51,4 +51,4 @@ To change the target version setting, click on **Solutions Settings**, which app
 On the **Upgrade Readiness Settings** page, choose one of the options in the drop down box and click **Save**. The changes in the target version setting are reflected in evaluations when a new snapshot is uploaded to your workspace.
-![Target version](images/ua-cg-09.png)
+![Target version](images/ur-settings.png)
diff --git a/windows/deploy/use-web-services-in-mdt-2013.md b/windows/deploy/use-web-services-in-mdt-2013.md
index 33f1c9a3a7..6d885294e6 100644
--- a/windows/deploy/use-web-services-in-mdt-2013.md
+++ b/windows/deploy/use-web-services-in-mdt-2013.md
@@ -1,132 +1,6 @@
 ---
 title: Use web services in MDT (Windows 10)
-description: In this topic, you will learn how to create a simple web service that generates computer names and then configure MDT to use that service during your Windows 10 deployment.
-ms.assetid: 8f47535e-0551-4ccb-8f02-bb97539c6522
-keywords: deploy, web apps
-ms.prod: w10
-ms.mktglfcycl: deploy
-localizationpriority: high
-ms.pagetype: mdt
-ms.sitesec: library
-author: mtniehaus
+redirect_url: use-web-services-in-mdt
 ---
-# Use web services in MDT
-
-In this topic, you will learn how to create a simple web service that generates computer names and then configure MDT to use that service during your Windows 10 deployment. Web services provide a powerful way to assign settings during a deployment. Simply put, web services are web applications that run code on the server side, and MDT has built-in functions to call these web services.
-Using a web service in MDT is straightforward, but it does require that you have enabled the Web Server (IIS) role on the server. Developing web services involves a little bit of coding, but for most web services used with MDT, you can use the free Microsoft Visual Studio Express 2013 for Web.
-
-## Create a sample web service
-
-In these steps we assume you have installed Microsoft Visual Studio Express 2013 for Web on PC0001 (the Windows 10 client) and downloaded the [MDT Sample Web Service](https://go.microsoft.com/fwlink/p/?LinkId=619363) from the Microsoft Download Center and extracted it to C:\\Projects.
-1. On PC0001, using Visual Studio Express 2013 for Web, open the C:\\Projects\\MDTSample\\ MDTSample.sln solution file.
-2. On the ribbon bar, verify that Release is selected.
-3. In the **Debug** menu, select the **Build MDTSample** action.
-4. On MDT01, create a folder structure for **E:\\MDTSample\\bin**.
-5. From PC0001, copy the C:\\Projects\\MDTSample\\obj\\Release\\MDTSample.dll file to the **E:\\MDTSample\\bin** folder on MDT01.
-6. From PC0001, copy the following files from C:\\Projects\\MDTSample file to the **E:\\MDTSample** folder on MDT01:
- 1. Web.config
- 2. mdtsample.asmx
-
-![figure 15](images/mdt-09-fig15.png)
-
-Figure 15. The sample project in Microsoft Visual Studio Express 2013 for Web.
-
-## Create an application pool for the web service
-
-This section assumes that you have enabled the Web Server (IIS) role on MDT01.
-1. On MDT01, using Server Manager, install the **IIS Management Console** role (available under Web Server (IIS) / Management Tools).
-2. Using Internet Information Services (IIS) Manager, expand the **MDT01 (CONTOSO\\Administrator)** node. If prompted with the "Do you want to get started with Microsoft Web Platform?" question, select the **Do not show this message** check box and then click **No**.
-3. Right-click **Application Pools**, select **Add Application Pool**, and configure the new application pool with the following settings:
- 1. Name: MDTSample
- 2. .NET Framework version: .NET Framework 4.0.30319
- 3. Manage pipeline mode: Integrated
- 4. Select the **Start application pool immediately** check box.
- 5. Click **OK**.
-
-![figure 16](images/mdt-09-fig16.png)
-
-Figure 16. The new MDTSample application.
-
-## Install the web service
-
-1. On MDT01, using Internet Information Services (IIS) Manager, expand **Sites**, right-click **Default Web Site**, and select **Add Application**. Use the following settings for the application:
- 1. Alias: MDTSample
- 2. Application pool: MDTSample
- 3. Physical Path: E:\\MDTSample
-
- ![figure 17](images/mdt-09-fig17.png)
-
- Figure 17. Adding the MDTSample web application.
-
-2. In the **Default Web Site** node, select the MDTSample web application, and in the right pane, double-click **Authentication**. Use the following settings for the **Authentication** dialog box:
- 1. Anonymous Authentication: Enabled
- 2. ASP.NET Impersonation: Disabled
-
-![figure 18](images/mdt-09-fig18.png)
-
-Figure 18. Configuring Authentication for the MDTSample web service.
-
-## Test the web service in Internet Explorer
-
-1. On PC0001, using Internet Explorer, navigate to: **http://MDT01/MDTSample/mdtsample.asmx**.
-2. Click the **GetComputerName** link.
-
- ![figure 19](images/mdt-09-fig19.png)
-
- Figure 19. The MDT Sample web service.
-3. On the **GetComputerName** page, type in the following settings, and click **Invoke**:
- 1. Model: Hewlett-Packard
- 2. SerialNumber: 123456789
-
-![figure 20](images/mdt-09-fig20.png)
-
-Figure 20. The result from the MDT Sample web service.
-
-## Test the web service in the MDT simulation environment
-
-After verifying the web service using Internet Explorer, you are ready to do the same test in the MDT simulation environment.
-
-1. On PC0001, edit the CustomSettings.ini file in the **C:\\MDT** folder to look like the following:
- ``` syntax
- [Settings]
- Priority=Default, GetComputerName
- [Default]
- OSInstall=YES
- [GetComputerName]
- WebService=http://mdt01/MDTSample/mdtsample.asmx/GetComputerName
- Parameters=Model,SerialNumber
- OSDComputerName=string
- ```
- ![figure 21](images/mdt-09-fig21.png)
-
- Figure 21. The updated CustomSettings.ini file.
-
-2. Save the CustomSettings.ini file.
-3. Using an elevated Windows PowerShell prompt (run as Administrator), run the following commands. Press **Enter** after each command:
- ``` syntax
- Set-Location C:\MDT
- .\Gather.ps1
- ```
-4. Review the ZTIGather.log in the **C:\\MININT\\SMSOSD\\OSDLOGS** folder.
-
-![figure 22](images/mdt-09-fig22.png)
-
-Figure 22. The OSDCOMPUTERNAME value obtained from the web service.
-
-## Related topics
-
-[Set up MDT for BitLocker](set-up-mdt-2013-for-bitlocker.md)
-
-[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
-
-[Configure MDT for UserExit scripts](configure-mdt-2013-for-userexit-scripts.md)
-
-[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
-
-[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
-
-[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt-2013.md)
-
-[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt-2013.md)   
\ No newline at end of file
diff --git a/windows/deploy/use-web-services-in-mdt.md b/windows/deploy/use-web-services-in-mdt.md
new file mode 100644
index 0000000000..a7f2ce0996
--- /dev/null
+++ b/windows/deploy/use-web-services-in-mdt.md
@@ -0,0 +1,132 @@
+---
+title: Use web services in MDT (Windows 10)
+description: In this topic, you will learn how to create a simple web service that generates computer names and then configure MDT to use that service during your Windows 10 deployment.
+ms.assetid: 8f47535e-0551-4ccb-8f02-bb97539c6522
+keywords: deploy, web apps
+ms.prod: w10
+ms.mktglfcycl: deploy
+localizationpriority: high
+ms.pagetype: mdt
+ms.sitesec: library
+author: mtniehaus
+---
+
+# Use web services in MDT
+
+In this topic, you will learn how to create a simple web service that generates computer names and then configure MDT to use that service during your Windows 10 deployment. Web services provide a powerful way to assign settings during a deployment. Simply put, web services are web applications that run code on the server side, and MDT has built-in functions to call these web services.
+Using a web service in MDT is straightforward, but it does require that you have enabled the Web Server (IIS) role on the server. Developing web services involves a little bit of coding, but for most web services used with MDT, you can use the free Microsoft Visual Studio Express 2013 for Web.
+
+## Create a sample web service
+
+In these steps we assume you have installed Microsoft Visual Studio Express 2013 for Web on PC0001 (the Windows 10 client) and downloaded the [MDT Sample Web Service](https://go.microsoft.com/fwlink/p/?LinkId=619363) from the Microsoft Download Center and extracted it to C:\\Projects.
+1. On PC0001, using Visual Studio Express 2013 for Web, open the C:\\Projects\\MDTSample\\ MDTSample.sln solution file.
+2. On the ribbon bar, verify that Release is selected.
+3. In the **Debug** menu, select the **Build MDTSample** action.
+4. On MDT01, create a folder structure for **E:\\MDTSample\\bin**.
+5. From PC0001, copy the C:\\Projects\\MDTSample\\obj\\Release\\MDTSample.dll file to the **E:\\MDTSample\\bin** folder on MDT01.
+6. From PC0001, copy the following files from C:\\Projects\\MDTSample file to the **E:\\MDTSample** folder on MDT01:
+ 1. Web.config
+ 2. mdtsample.asmx
+
+![figure 15](images/mdt-09-fig15.png)
+
+Figure 15. The sample project in Microsoft Visual Studio Express 2013 for Web.
+
+## Create an application pool for the web service
+
+This section assumes that you have enabled the Web Server (IIS) role on MDT01.
+1. On MDT01, using Server Manager, install the **IIS Management Console** role (available under Web Server (IIS) / Management Tools).
+2. Using Internet Information Services (IIS) Manager, expand the **MDT01 (CONTOSO\\Administrator)** node. If prompted with the "Do you want to get started with Microsoft Web Platform?" question, select the **Do not show this message** check box and then click **No**.
+3. Right-click **Application Pools**, select **Add Application Pool**, and configure the new application pool with the following settings:
+ 1. Name: MDTSample
+ 2. .NET Framework version: .NET Framework 4.0.30319
+ 3. Manage pipeline mode: Integrated
+ 4. Select the **Start application pool immediately** check box.
+ 5. Click **OK**.
+
+![figure 16](images/mdt-09-fig16.png)
+
+Figure 16. The new MDTSample application.
+
+## Install the web service
+
+1. On MDT01, using Internet Information Services (IIS) Manager, expand **Sites**, right-click **Default Web Site**, and select **Add Application**. Use the following settings for the application:
+ 1. Alias: MDTSample
+ 2. Application pool: MDTSample
+ 3. Physical Path: E:\\MDTSample
+
+ ![figure 17](images/mdt-09-fig17.png)
+
+ Figure 17. Adding the MDTSample web application.
+
+2. In the **Default Web Site** node, select the MDTSample web application, and in the right pane, double-click **Authentication**. Use the following settings for the **Authentication** dialog box:
+ 1. Anonymous Authentication: Enabled
+ 2. ASP.NET Impersonation: Disabled
+
+![figure 18](images/mdt-09-fig18.png)
+
+Figure 18. Configuring Authentication for the MDTSample web service.
+
+## Test the web service in Internet Explorer
+
+1. On PC0001, using Internet Explorer, navigate to: **http://MDT01/MDTSample/mdtsample.asmx**.
+2. Click the **GetComputerName** link.
+
+ ![figure 19](images/mdt-09-fig19.png)
+
+ Figure 19. The MDT Sample web service.
+3. On the **GetComputerName** page, type in the following settings, and click **Invoke**:
+ 1. Model: Hewlett-Packard
+ 2. SerialNumber: 123456789
+
+![figure 20](images/mdt-09-fig20.png)
+
+Figure 20. The result from the MDT Sample web service.
+
+## Test the web service in the MDT simulation environment
+
+After verifying the web service using Internet Explorer, you are ready to do the same test in the MDT simulation environment.
+
+1. On PC0001, edit the CustomSettings.ini file in the **C:\\MDT** folder to look like the following:
+ ``` syntax
+ [Settings]
+ Priority=Default, GetComputerName
+ [Default]
+ OSInstall=YES
+ [GetComputerName]
+ WebService=http://mdt01/MDTSample/mdtsample.asmx/GetComputerName
+ Parameters=Model,SerialNumber
+ OSDComputerName=string
+ ```
+ ![figure 21](images/mdt-09-fig21.png)
+
+ Figure 21. The updated CustomSettings.ini file.
+
+2. Save the CustomSettings.ini file.
+3. Using an elevated Windows PowerShell prompt (run as Administrator), run the following commands. Press **Enter** after each command:
+ ``` syntax
+ Set-Location C:\MDT
+ .\Gather.ps1
+ ```
+4. Review the ZTIGather.log in the **C:\\MININT\\SMSOSD\\OSDLOGS** folder.
+
+![figure 22](images/mdt-09-fig22.png)
+
+Figure 22. The OSDCOMPUTERNAME value obtained from the web service.
+
+## Related topics
+
+[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
+
+[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
+
+[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
+
+[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
+
+[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
+
+[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
+
+[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
+  
\ No newline at end of file
diff --git a/windows/deploy/windows-10-poc-mdt.md b/windows/deploy/windows-10-poc-mdt.md
index 54eb632a5f..e42cec7206 100644
--- a/windows/deploy/windows-10-poc-mdt.md
+++ b/windows/deploy/windows-10-poc-mdt.md
@@ -5,6 +5,8 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: deploy
+keywords: deployment, automate, tools, configure, mdt
+localizationpriority: high
 author: greg-lindsay
 ---
@@ -636,7 +638,7 @@ Also see [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.m
 ## Related Topics
 [Microsoft Deployment Toolkit](https://technet.microsoft.com/en-US/windows/dn475741)
        -[Prepare for deployment with MDT 2013](prepare-for-windows-deployment-with-mdt-2013.md) +[Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md)   diff --git a/windows/deploy/windows-10-poc-sc-config-mgr.md b/windows/deploy/windows-10-poc-sc-config-mgr.md index ff0b497b45..b7c115e44a 100644 --- a/windows/deploy/windows-10-poc-sc-config-mgr.md +++ b/windows/deploy/windows-10-poc-sc-config-mgr.md @@ -5,6 +5,8 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy +keywords: deployment, automate, tools, configure, sccm, configuration manager +localizationpriority: high author: greg-lindsay --- diff --git a/windows/deploy/windows-10-poc.md b/windows/deploy/windows-10-poc.md index 74b8d0f352..3db31d59c4 100644 --- a/windows/deploy/windows-10-poc.md +++ b/windows/deploy/windows-10-poc.md @@ -5,6 +5,8 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy +keywords: deployment, automate, tools, configure, mdt, sccm +localizationpriority: high author: greg-lindsay --- diff --git a/windows/deploy/windows-10-upgrade-paths.md b/windows/deploy/windows-10-upgrade-paths.md index 0c5b8ff890..3fc038bdd6 100644 --- a/windows/deploy/windows-10-upgrade-paths.md +++ b/windows/deploy/windows-10-upgrade-paths.md 
@@ -21,9 +21,7 @@ This topic provides a summary of available upgrade paths to Windows 10. You can
 >**Windows 10 LTSB**: The upgrade paths displayed below do not apply to Windows 10 LTSB. In-place upgrade from Windows 7 or Windows 8.1 to Windows 10 LTSB is not supported. (Note that Windows 10 LTSB 2015 did not block this upgrade path. This was corrected in the Windows 10 LTSB 2016 release, which will now only allow data-only and clean install options.)
->**Windows N/KN**: Windows "N" and "KN" editions follow the same upgrade paths shown below. If the pre-upgrade and post-upgrade editions are not the same type (e.g. Windows 8.1 Pro N to Windows 10 Pro), personal data will be kept but applications and settings will be removed during the upgrade process.
-
->**Free upgrade**: The Windows 10 free upgrade offer expired on July 29, 2016. For more information, see [Free upgrade paths](#free-upgrade-paths).
+>**Windows N/KN**: Windows "N" and "KN" editions follow the same upgrade paths shown below. If the pre-upgrade and post-upgrade editions are not the same type (e.g. Windows 8.1 Pro N to Windows 10 Pro), personal data will be kept but applications and settings will be removed during the upgrade process.
 ✔ = Full upgrade is supported including personal data, settings, and applications.
        D = Edition downgrade; personal data is maintained, applications and settings are removed. @@ -334,77 +332,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar -## Free upgrade paths - -Windows 10 is offered as a free upgrade for the first year after launch of Windows 10, with the following restrictions: -- The offer expires on July 29th, 2016. -- The offer applies to devices connected to the Internet with Windows Update enabled. -- Upgrading to Windows 10 Pro requires a computer running the Pro or Ultimate version of Windows 7/8/8.1. -- Windows Phone 8.0 users must update to Windows 8.1 before upgrading to Windows 10 Mobile1. -- Editions that are excluded from the free upgrade offer include: Windows 7 Enterprise, Windows 8/8.1 Enterprise, and Windows RT/RT 8.12. - ->1The availability of Windows 10 Mobile for Windows 8.1 devices will vary by device manufacturer, device model, country or region, mobile operator or service provider, hardware limitations, and other factors. For a list of eligible phones and important info about the upgrade and Windows 10 Mobile, see [Windows 10 specifications](http://windows.com/specsmobile). - ->2Active Software Assurance customers in volume licensing have the benefit to upgrade to Windows 10 Enterprise outside of this offer. Windows 10 is not supported on devices running the RT versions of Windows 8. - -The following table summarizes the free upgrade paths to Windows 10. For a list of frequently asked questions about the free upgrade to Windows 10, see [Upgrade to Windows 10: FAQ](http://windows.microsoft.com/en-us/windows-10/upgrade-to-windows-10-faq). - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
              FromTo
        Windows 7
        Windows 7 StarterWindows 10 Home
         Windows 7 Home Basic
         Windows 7 Home Premium
        Windows 7 ProfessionalWindows 10 Pro
         Windows 7 Ultimate
        Windows 8/8.1
        Windows Phone 8.1Windows 10 Mobile
        Windows 8/8.1Windows 10 Home
        Windows 8/8.1 ProWindows 10 Pro
         Windows 8/8.1 Pro for Students
        - ## Related Topics [Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)
diff --git a/windows/deploy/windows-deployment-scenarios-and-tools.md b/windows/deploy/windows-deployment-scenarios-and-tools.md
index 1a431a3040..997cf5b753 100644
--- a/windows/deploy/windows-deployment-scenarios-and-tools.md
+++ b/windows/deploy/windows-deployment-scenarios-and-tools.md
@@ -14,7 +14,7 @@ author: mtniehaus
 To successfully deploy the Windows 10 operating system and applications for your organization, it is essential that you know about the available tools to help with the process. In this topic, you will learn about the most commonly used tools for Windows 10 deployment.
-Microsoft provides many tools, services, and solutions. These tools include Windows Deployment Services (WDS), the Volume Activation Management Tool (VAMT), the User State Migration Tool (USMT), Windows System Image Manager (Windows SIM), Windows Preinstallation Environment (Windows PE), and Windows Recovery Environment (Windows RE). Keep in mind that these are just tools and not a complete solution on their own. It’s when you combine these tools with solutions like [Microsoft Deployment Toolkit (MDT) 2013 Update 1](deploy-windows-10-with-the-microsoft-deployment-toolkit.md) or [Microsoft System Center 2012 R2 Configuration Manager](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) that you get the complete deployment solution.
+Microsoft provides many tools, services, and solutions. These tools include Windows Deployment Services (WDS), the Volume Activation Management Tool (VAMT), the User State Migration Tool (USMT), Windows System Image Manager (Windows SIM), Windows Preinstallation Environment (Windows PE), and Windows Recovery Environment (Windows RE). Keep in mind that these are just tools and not a complete solution on their own. It’s when you combine these tools with solutions like [Microsoft Deployment Toolkit (MDT)](deploy-windows-10-with-the-microsoft-deployment-toolkit.md) or [Microsoft System Center 2012 R2 Configuration Manager](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) that you get the complete deployment solution.
 In this topic, you also learn about different types of reference images that you can build, and why reference images are beneficial for most organizations
@@ -184,23 +184,23 @@ Also, there are a few new features related to TFTP performance:
 Figure 10. TFTP changes are now easy to perform.
-## Microsoft Deployment Toolkit 2013 Update 1
+## Microsoft Deployment Toolkit
-MDT 2013 Update 1 is a free deployment solution from Microsoft. It provides end-to-end guidance, best practices, and tools for planning, building, and deploying Windows operating systems. MDT builds on top of the core deployment tools in the Windows ADK by contributing guidance, reducing complexity, and adding critical features for an enterprise-ready deployment solution.
+MDT is a free deployment solution from Microsoft. It provides end-to-end guidance, best practices, and tools for planning, building, and deploying Windows operating systems. MDT builds on top of the core deployment tools in the Windows ADK by contributing guidance, reducing complexity, and adding critical features for an enterprise-ready deployment solution.
-MDT 2013 Update 1 has two main parts: the first is Lite Touch, which is a stand-alone deployment solution; the second is Zero Touch, which is an extension to System Center 2012 R2 Configuration Manager.
+MDT has two main parts: the first is Lite Touch, which is a stand-alone deployment solution; the second is Zero Touch, which is an extension to System Center 2012 R2 Configuration Manager.
 **Note**   
-Lite Touch and Zero Touch are marketing names for the two solutions that MDT 2013 supports, and the naming has nothing to do with automation. You can fully automate the stand-alone MDT 2013 Update 1 solution (Lite Touch), and you can configure the solution integration with Configuration Manager to prompt for information.
+Lite Touch and Zero Touch are marketing names for the two solutions that MDT supports, and the naming has nothing to do with automation. You can fully automate the stand-alone MDT solution (Lite Touch), and you can configure the solution integration with Configuration Manager to prompt for information.   
![figure 11](images/mdt-11-fig13.png)
-Figure 11. The Deployment Workbench in MDT 2013, showing a task sequence.
+Figure 11. The Deployment Workbench in, showing a task sequence.
-For more information on MDT 2013 Update 1, see the [Microsoft Deployment Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=618117) resource center.
+For more information on MDT, see the [Microsoft Deployment Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=618117) resource center.
 ## Microsoft Security Compliance Manager 2013
diff --git a/windows/images/W10-WaaS-poster.PNG b/windows/images/W10-WaaS-poster.PNG
new file mode 100644
index 0000000000..76f843c1b8
Binary files /dev/null and b/windows/images/W10-WaaS-poster.PNG differ
diff --git a/windows/images/front-page-video.PNG b/windows/images/front-page-video.PNG
new file mode 100644
index 0000000000..afe78e3564
Binary files /dev/null and b/windows/images/front-page-video.PNG differ
diff --git a/windows/images/w10-configure.png b/windows/images/w10-configure.png
new file mode 100644
index 0000000000..ebfef8d97b
Binary files /dev/null and b/windows/images/w10-configure.png differ
diff --git a/windows/images/w10-deploy.png b/windows/images/w10-deploy.png
new file mode 100644
index 0000000000..d567f44f1d
Binary files /dev/null and b/windows/images/w10-deploy.png differ
diff --git a/windows/images/w10-manage.png b/windows/images/w10-manage.png
new file mode 100644
index 0000000000..9ace55b79b
Binary files /dev/null and b/windows/images/w10-manage.png differ
diff --git a/windows/images/w10-plan.png b/windows/images/w10-plan.png
new file mode 100644
index 0000000000..045f85e914
Binary files /dev/null and b/windows/images/w10-plan.png differ
diff --git a/windows/images/w10-secure.png b/windows/images/w10-secure.png
new file mode 100644
index 0000000000..7799e94849
Binary files /dev/null and b/windows/images/w10-secure.png differ
diff --git a/windows/images/w10-update.png b/windows/images/w10-update.png new file mode 100644 index 0000000000..876374904b Binary files /dev/null and b/windows/images/w10-update.png differ diff --git a/windows/images/w10-whatsnew.png b/windows/images/w10-whatsnew.png new file mode 100644 index 0000000000..cc040c45aa Binary files /dev/null and b/windows/images/w10-whatsnew.png differ diff --git a/windows/index.md b/windows/index.md index 08a4bee465..8d86b31add 100644 --- a/windows/index.md +++ b/windows/index.md @@ -8,37 +8,94 @@ author: brianlic-msft --- # Windows 10 and Windows 10 Mobile + +This library provides the core content that IT pros need to evaluate, plan, deploy, secure and manage devices running Windows 10 or Windows 10 Mobile. +
        -This library provides the core content that IT pros need to evaluate, plan, deploy, and manage devices running Windows 10 or Windows 10 Mobile. +
        + + + + + + + + + + + + + + +
        + + Read what's new in Windows 10 + +
        What's New? +
        + + Plan your Windows 10 enterprise deployment + +
        Plan +
        + + Deploy Windows 10 in your enterprise + +
        Deploy +
        + + Manage Windows 10 in your enterprise + +
        Manage +
        +
        + + Keep Windows 10 secure + +
        Keep Secure +
        +
        + + Configure Windows 10 in your enterprise + +
        Configure +
        +
        + + Update Windows 10 in your enterprise + +
        Update +
        +
        + + Get your + +
        Try it +
        -## In this library +
        +# Get to know Windows as a Service (WaaS) + + + + + +
        The Windows 10 operating system introduces a new way to build, deploy, and service Windows: Windows as a service. Microsoft has reimagined each part of the process, to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers. + + These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time. + -[What's new in Windows 10](whats-new/index.md) + * [Read more about Windows as a Service]() + * [Download the WaaS infographic]() -[Plan for Windows 10 deployment](plan/index.md) +
        Get to know Windows as a Service (WaaS)
        -[Deploy Windows 10](deploy/index.md) - -[Configure Windows 10](configure/index.md) - -[Update Windows 10](update/index.md) - -[Keep Windows 10 secure](keep-secure/index.md) - -[Manage Windows 10](manage/index.md) ## Related topics - - [Windows 10 TechCenter](https://go.microsoft.com/fwlink/?LinkId=620009)     - - - - - diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 5125d56c73..f2339f5940 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -3,7 +3,6 @@ ## [Windows Hello for Business](hello-identity-verification.md) ### [How Windows Hello for Business works](hello-how-it-works.md) ### [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) -### [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) ### [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) ### [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) ### [Windows Hello and password changes](hello-and-password-changes.md) 
@@ -42,6 +41,9 @@
 #### [Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](app-behavior-with-wip.md)
 #### [Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)](recommended-network-definitions-for-wip.md)
 #### [Using Outlook Web Access with Windows Information Protection (WIP)](using-owa-with-wip.md)
+## [Windows Defender SmartScreen](windows-defender-smartscreen-overview.md)
+### [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen-available-settings.md)
+### [Set up and use Windows Defender SmartScreen on individual devices](windows-defender-smartscreen-set-individual-device.md)
 ## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md)
 ## [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md)
 ## [VPN technical guide](vpn-guide.md)
@@ -170,6 +172,7 @@
 ##### [Choose the Right BitLocker Countermeasure](choose-the-right-bitlocker-countermeasure.md)
 #### [Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)
 ### [Encrypted Hard Drive](encrypted-hard-drive.md)
+### [Enterprise Certificate Pinning](enterprise-certificate-pinning.md)
 ### [Security auditing](security-auditing-overview.md)
 #### [Basic security audit policies](basic-security-audit-policies.md)
 ##### [Create a basic audit policy for an event category](create-a-basic-audit-policy-settings-for-an-event-category.md)
@@ -574,7 +577,7 @@
 ###### [Domain member: Maximum machine account password age](domain-member-maximum-machine-account-password-age.md)
 ###### [Domain member: Require strong (Windows 2000 or later) session key](domain-member-require-strong-windows-2000-or-later-session-key.md)
 ###### [Interactive logon: Display user information when the session is locked](interactive-logon-display-user-information-when-the-session-is-locked.md)
-###### [Interactive logon: Do not display last user name](interactive-logon-do-not-display-last-user-name.md)
+###### [Interactive logon: Don't display last signed-in](interactive-logon-do-not-display-last-user-name.md)
 ###### [Interactive logon: Do not require CTRL+ALT+DEL](interactive-logon-do-not-require-ctrl-alt-del.md)
 ###### [Interactive logon: Machine account lockout threshold](interactive-logon-machine-account-lockout-threshold.md)
 ###### [Interactive logon: Machine inactivity limit](interactive-logon-machine-inactivity-limit.md)
@@ -770,16 +773,19 @@ ######## [Submit files for analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#submit-files-for-analysis) ######## [View deep analysis reports](respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports) ######## [Troubleshoot deep analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis) -#### [Configure SIEM tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md) -##### [Configure an Azure Active Directory application for SIEM integration](configure-aad-windows-defender-advanced-threat-protection.md) -##### [Configure Splunk to consume Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md) -##### [Configure HP ArcSight to consume Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) +#### [Pull alerts to your SIEM tools](configure-siem-windows-defender-advanced-threat-protection.md) +##### [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) +##### [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md) +##### [Configure HP ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) +##### [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) +##### [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) #### [Use the threat intelligence API to create custom alerts](use-custom-ti-windows-defender-advanced-threat-protection.md) ##### [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) ##### [Enable the custom threat intelligence 
application](enable-custom-ti-windows-defender-advanced-threat-protection.md) ##### [Create custom threat intelligence alerts](custom-ti-api-windows-defender-advanced-threat-protection.md) ##### [PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md) ##### [Python code examples](python-example-code-windows-defender-advanced-threat-protection.md) +##### [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md) ##### [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md) #### [Check sensor state](check-sensor-status-windows-defender-advanced-threat-protection.md) ##### [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md) @@ -787,7 +793,7 @@ ###### [Misconfigured machines](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#misconfigured-machines) #### [Configure Windows Defender ATP preferences settings](preferences-setup-windows-defender-advanced-threat-protection.md) ##### [Update general settings](general-settings-windows-defender-advanced-threat-protection.md) -##### [Turn on advanced features](advanced-features-windows-defender-advacned-threat-protection.md) +##### [Turn on advanced features](advanced-features-windows-defender-advanced-threat-protection.md) ##### [Turn on preview experience](preview-settings-windows-defender-advanced-threat-protection.md) ##### [Configure email notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md) #### [Windows Defender ATP settings](settings-windows-defender-advanced-threat-protection.md) 
@@ -795,16 +801,48 @@ #### [Troubleshoot Windows Defender ATP](troubleshoot-windows-defender-advanced-threat-protection.md) #### [Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md) #### [Windows Defender compatibility](defender-compatibility-windows-defender-advanced-threat-protection.md) -### [Windows Defender in Windows 10](windows-defender-in-windows-10.md) -#### [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md) -#### [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md) -#### [Windows Defender Offline in Windows 10](windows-defender-offline.md) -#### [Use PowerShell cmdlets for Windows Defender](use-powershell-cmdlets-windows-defender-for-windows-10.md) -#### [Enable the Block at First Sight feature in Windows 10](windows-defender-block-at-first-sight.md) -#### [Configure enhanced notifications for Windows Defender in Windows 10](windows-defender-enhanced-notifications.md) -#### [Run a Windows Defender scan from the command line](run-cmd-scan-windows-defender-for-windows-10.md) -#### [Detect and block Potentially Unwanted Applications with Windows Defender](enable-pua-windows-defender-for-windows-10.md) -#### [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md) +### [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) +#### [Windows Defender AV in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md) +#### [Evaluate Windows Defender Antivirus protection](evaluate-windows-defender-antivirus.md) +#### [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) +##### [Deploy and enable Windows Defender Antivirus](deploy-windows-defender-antivirus.md) +###### [Deployment guide for VDI 
environments](deployment-vdi-windows-defender-antivirus.md) +##### [Report on Windows Defender Antivirus protection](report-monitor-windows-defender-antivirus.md) +##### [Manage updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) +###### [Manage protection and definition updates](manage-protection-updates-windows-defender-antivirus.md) +###### [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) +###### [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md) +###### [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md) +###### [Manage updates for mobile devices and VMs](manage-updates-mobile-devices-vms-windows-defender-antivirus.md) +#### [Configure Windows Defender Antivirus features](configure-windows-defender-antivirus-features.md) +##### [Utilize Microsoft cloud-provided protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) +###### [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) +###### [Specify the cloud-delivered protection level](specify-cloud-protection-level-windows-defender-antivirus.md) +###### [Configure and validate network connections](configure-network-connections-windows-defender-antivirus.md) +###### [Enable the Block at First Sight feature](configure-block-at-first-sight-windows-defender-antivirus.md) +###### [Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md) +##### [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md) +###### [Detect and block Potentially Unwanted Applications](detect-block-potentially-unwanted-apps-windows-defender-antivirus.md) +###### [Enable and configure always-on protection and 
monitoring](configure-real-time-protection-windows-defender-antivirus.md) +##### [Configure end-user interaction with Windows Defender AV](configure-end-user-interaction-windows-defender-antivirus.md) +###### [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) +###### [Prevent users from seeing or interacting with the user interface](prevent-end-user-interaction-windows-defender-antivirus.md) +###### [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) +#### [Customize, initiate, and review the results of scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) +##### [Exclude files and processes from scans](configure-exclusions-windows-defender-antivirus.md) +##### [Configure email, removable storage, network, reparse point, and archive scanning](configure-advanced-scan-types-windows-defender-antivirus.md) +##### [Configure remediation for scans](configure-remediation-windows-defender-antivirus.md) +##### [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md) +##### [Configure and run scans](run-scan-windows-defender-antivirus.md) +##### [Review scan results](review-scan-results-windows-defender-antivirus.md) +##### [Run and review the results of a Windows Defender Offline scan](windows-defender-offline.md) +#### [Review event logs and error codes to troubleshoot issues](troubleshoot-windows-defender-antivirus.md) +#### [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md) +##### [Use Group Policy settings to configure and manage Windows Defender AV](use-group-policy-windows-defender-antivirus.md) +##### [Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV](use-intune-config-manager-windows-defender-antivirus.md) +##### [Use PowerShell cmdlets to configure 
and manage Windows Defender AV](use-powershell-cmdlets-windows-defender-antivirus.md) +##### [Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV](use-wmi-windows-defender-antivirus.md) +##### [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender AV](command-line-arguments-windows-defender-antivirus.md) ### [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md) #### [Isolating Windows Store Apps on Your Network](isolating-apps-on-your-network.md) #### [Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012](securing-end-to-end-ipsec-connections-by-using-ikev2.md) diff --git a/windows/keep-secure/advanced-features-windows-defender-advacned-threat-protection.md b/windows/keep-secure/advanced-features-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/keep-secure/advanced-features-windows-defender-advacned-threat-protection.md rename to windows/keep-secure/advanced-features-windows-defender-advanced-threat-protection.md diff --git a/windows/keep-secure/alerts-queue-windows-defender-advanced-threat-protection.md b/windows/keep-secure/alerts-queue-windows-defender-advanced-threat-protection.md index f9805f6b95..921bf48bbb 100644 --- a/windows/keep-secure/alerts-queue-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/alerts-queue-windows-defender-advanced-threat-protection.md @@ -65,7 +65,7 @@ Reviewing the various alerts and their severity can help you decide on the appro - Windows Defender ATP >[!NOTE] ->The Windows Defender AV filter will only appear if your endpoints are using Windows Defender as the default real-time protection antimalware product. +>The Windows Defender Antivirus filter will only appear if your endpoints are using Windows Defender as the default real-time protection antimalware product. **Time period**
        - 1 day diff --git a/windows/keep-secure/api-portal-mapping-windows-defender-advanced-threat-protection.md b/windows/keep-secure/api-portal-mapping-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..d551629b2e --- /dev/null +++ b/windows/keep-secure/api-portal-mapping-windows-defender-advanced-threat-protection.md @@ -0,0 +1,80 @@ +--- +title: Windows Defender ATP alert API fields +description: Understand how the alert API fields map to the values in the Windows Defender ATP portal. +keywords: alerts, alert fields, fields, api, fields, pull alerts, rest api, request, response +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: mjcaparas +localizationpriority: high +--- + +# Windows Defender ATP alert API fields + +**Applies to:** + +- Windows 10 Enterprise +- Windows 10 Education +- Windows 10 Pro +- Windows 10 Pro Education +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +Understand what data fields are exposed as part of the alerts API and how they map to the Windows Defender ATP portal. + + +# Alert API fields and portal mapping +Field numbers match the numbers in the images below. + +Portal label | SIEM field name | Description +:---|:---|:--- +1 | LinkToWDATP | Link back to the alert page in Windows Defender ATP +2 | Alert ID | Alert ID visible in the link: `https://securitycenter.windows.com/alert/` +3 | AlertTitle | Alert title +4 | Actor | Actor name +5 | AlertTime | Last time the alert was observed +6 | Severity | Alert severity +7 | Category | Alert category +8 | Status in queue | Alert status in queue +9 | ComputerDnsName| Computer DNS name and machine name +10| IoaDefinitionId | (Internal only)

        ID for the IOA (Indication of attack) that this alert belongs to. It usually correlates with the title.

        **Note**: This is an internal ID of the rule which triggers the alert. It's provided here as it can be used for aggregations in the SIEM. +11 | UserName | The user context relevant to the activity on the machine which triggered the alert. NOTE: Not yet populated. +12 | FileName | File name +13 | FileHash | Sha1 of file observed +14 | FilePath | File path +15 | IpAddress | IP of the IOC (when relevant) +16 | URL | URL of the IOC (when relevant) +17 | FullId | (Internal only)

        Unique ID for each combination of IOC and Alert ID. Provides the ability to apply dedup logic in the SIEM. +18 | AlertPart | (Internal only)

        Alerts which contain multiple IOCs will be split into several messages, each message contains one IOC and a running counter. The counter provides the ability to reconstruct the alerts in the SIEM. +19 | LastProccesedTimeUtc | (Internal only)

        Time the alert was last processed in Windows Defender ATP. +20 | Source| Alert detection source (Windows Defender AV, Windows Defender ATP, and Device Guard) +21 | ThreatCategory| Windows Defender AV threat category +22 | ThreatFamily | Windows Defender AV family name +23 | RemediationAction | Windows Defender AV threat category | +24 | WasExecutingWhileDetected | Indicates if a file was running while being detected. +25| RemediationIsSuccess | Indicates if an alert was successfully remediated. +26 | Sha1 | Sha1 of file observed in alert timeline and in file side pane (when available) +27 | Md5 | Md5 of file observed (when available) +28 | Sha256 | Sha256 of file observed (when available) +29 | ThreatName | Windows Defender AV threat name + +>[!NOTE] +> Fields #21-29 are related to Windows Defender Antivirus alerts. + +![Image of actor profile with numbers](images/atp-actor.png) + +![Image of alert timeline with numbers](images/atp-alert-timeline-numbered.png) + +![Image of new alerts with numbers](images/atp-alert-source.png) + +![Image of machine timeline with numbers](images/atp-remediated-alert.png) + +![Image of file details](images/atp-file-details.png) + + +## Related topics +- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) +- [Configure Splunk](configure-splunk-windows-defender-advanced-threat-protection.md) +- [Configure ArcSight](configure-arcsight-windows-defender-advanced-threat-protection.md) +- [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index d3826c3629..6cd59dffcb 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md 
@@ -13,12 +13,24 @@ author: brianlic-msft This topic lists new and updated topics in the [Keep Windows 10 secure](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md). +## March 2017 +|New or changed topic |Description | +|---------------------|------------| +|[Protect derived domain credentials with Credential Guard](credential-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.| +|[Requirements and deployment planning guidelines for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.| +|[Windows Defender SmartScreen overview](windows-defender-smartscreen-overview.md)|New | +|[Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen-available-settings.md)|New | +|[Use Windows Defender Security Center to set Windows Defender SmartScreen for individual devices](windows-defender-smartscreen-set-individual-device.md)|New | + + ## February 2017 |New or changed topic |Description | |---------------------|------------| |[Overview of threat mitigations in Windows 10](overview-of-threat-mitigations-in-windows-10.md) | Reorganized from existing content, to provide a better overview of threat mitigations. Added information that maps the Enhanced Mitigation Experience Toolkit (EMET) to Windows 10 features. | + + ## January 2017 |New or changed topic |Description | |---------------------|------------| diff --git a/windows/keep-secure/check-sensor-status-windows-defender-advanced-threat-protection.md b/windows/keep-secure/check-sensor-status-windows-defender-advanced-threat-protection.md index 6f9e2ee36d..f00f86053f 100644 --- a/windows/keep-secure/check-sensor-status-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/check-sensor-status-windows-defender-advanced-threat-protection.md 
@@ -21,7 +21,6 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] The sensor health tile provides information on the individual endpoint’s ability to provide sensor data and communicate with the Windows Defender ATP service. It reports how many machines require attention and helps you identify problematic machines and take action to correct known issues. diff --git a/windows/keep-secure/code/example-script.ps1 b/windows/keep-secure/code/example-script.ps1 new file mode 100644 index 0000000000..e6563c2378 --- /dev/null +++ b/windows/keep-secure/code/example-script.ps1 
@@ -0,0 +1,60 @@ +$authUrl = 'Your Authorization URL' +$clientId = 'Your Client ID' +$clientSecret = 'Your Client Secret' + + +Try +{ + $tokenPayload = @{ + "resource" = 'https://graph.windows.net' + "client_id" = $clientId + "client_secret" = $clientSecret + "grant_type"='client_credentials'} + + "Fetching an access token" + $response = Invoke-RestMethod $authUrl -Method Post -Body $tokenPayload + $token = $response.access_token + "Token fetched successfully" + + $headers = @{ + "Content-Type" = "application/json" + "Accept" = "application/json" + "Authorization" = "Bearer {0}" -f $token } + + $apiBaseUrl = "https://ti.securitycenter.windows.com/V1.0/" + + $alertDefinitionPayload = @{ + "Name" = "Test Alert" + "Severity" = "Medium" + "InternalDescription" = "A test alert used to demonstrate the Windows Defender ATP TI API feature" + "Title" = "Test alert." + "UxDescription" = "This is a test alert based on a sample custom alert definition. This alert was triggered manually using a provided test command. It indicates that the Threat Intelligence API has been properly enabled." + "RecommendedAction" = "No recommended action for this test alert." + "Category" = "SuspiciousNetworkTraffic" + "Enabled" = "true"} + "Creating an Alert Definition" + $alertDefinition = + Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) ` + -Method Post -Headers $headers -Body ($alertDefinitionPayload | ConvertTo-Json) + "Alert Definition created successfully" + $alertDefinitionId = $alertDefinition.Id + + $iocPayload = @{ + "Type"="IpAddress" + "Value"="52.184.197.12" + "DetectionFunction"="Equals" + "Enabled"="true" + "AlertDefinition@odata.bind"="AlertDefinitions({0})" -f $alertDefinitionId } + + "Creating an Indicator of Compromise" + $ioc = + Invoke-RestMethod ("{0}IndicatorsOfCompromise" -f $apiBaseUrl) ` + -Method Post -Headers $headers -Body ($iocPayload | ConvertTo-Json) + "Indicator of Compromise created successfully" + + "All done!" +} +Catch +{ + 'Something went wrong! 
Got the following exception message: {0}' -f $_.Exception.Message +} diff --git a/windows/keep-secure/code/example.ps1 b/windows/keep-secure/code/example.ps1 index 278824d13a..6941c80627 100644 --- a/windows/keep-secure/code/example.ps1 +++ b/windows/keep-secure/code/example.ps1 @@ -1,8 +1,6 @@ -$tenantId = '{Your Tenant ID}' -$clientId = '{Your Client ID}' -$clientSecret = '{Your Client Secret}' - -$authUrl = "https://login.windows.net/{0}/oauth2/token" -f $tenantId +$authUrl = 'Your Authorization URL' +$clientId = 'Your Client ID' +$clientSecret = 'Your Client Secret' $tokenPayload = @{ "resource"='https://graph.windows.net' diff --git a/windows/keep-secure/code/example.py b/windows/keep-secure/code/example.py index 7bf906738c..6203b5230b 100644 --- a/windows/keep-secure/code/example.py +++ b/windows/keep-secure/code/example.py @@ -2,11 +2,9 @@ import json import requests from pprint import pprint -tenant_id="{your tenant ID}" -client_id="{your client ID}" -client_secret="{your client secret}" - -auth_url = "https://login.windows.net/{0}/oauth2/token".format(tenant_id) +auth_url="Your Authorization URL" +client_id="Your Client ID" +client_secret="Your Client Secret" payload = {"resource": "https://graph.windows.net", "client_id": client_id, diff --git a/windows/keep-secure/command-line-arguments-windows-defender-antivirus.md b/windows/keep-secure/command-line-arguments-windows-defender-antivirus.md new file mode 100644 index 0000000000..ea9f0e7d05 --- /dev/null +++ b/windows/keep-secure/command-line-arguments-windows-defender-antivirus.md 
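Review bot: `"Enabled" = "true"` in both $alertDefinitionPayload and $iocPayload is a string, so `ConvertTo-Json` serializes it as `"Enabled": "true"` rather than a JSON boolean; if the TI API expects a boolean here, `"Enabled" = $true` is the value to send. A failure anywhere inside Try is only echoed by the Catch block and the script then finishes with a success status, so an automated run that never created the alert definition or the IOC looks identical to one that did — ending the Catch block with `exit 1` (or re-throwing) keeps the failure visible. The client secret is kept as a plain string literal and is POSTed to whatever `$authUrl` holds; since the same `'Your Authorization URL'` placeholder replaces the tenant-derived endpoint in the example.ps1 and example.py hunks of this commit as well, a one-line comment stating the expected form (the removed `https://login.windows.net/<tenant-id>/oauth2/token` shape) would help readers avoid sending the secret to the wrong endpoint, and reading the secret from an environment variable or a prompt rather than a literal would keep it out of saved copies of the script.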
@@ -0,0 +1,59 @@ +--- +title: Use the command line to manage Windows Defender AV +description: Windows Defender AV has a dedicated command-line utility that can run scans and configure protection. +keywords: run windows defender scan, run antivirus scan from command line, run windows defender scan from command line, mpcmdrun, defender +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +--- + + +# Use the mpcmdrun.exe command-line tool to configure and manage Windows Defender Antivirus + +**Applies to:** + +- Windows 10 + + +You can use a dedicated command-line tool to perform various functions in Windows Defender Antivirus. + +This utility can be handy when you want to automate the use of Windows Defender Antivirus. + +The utility is available in _%Program Files%\Windows Defender\MpCmdRun.exe_ and must be run from a command prompt. + +> [!NOTE] +> You may need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt. + + +The utility has the following commands: + +```DOS +MpCmdRun.exe [command] [-options] +``` + +Command | Description +:---|:--- +\- ? 
**or** -h | Displays all available options for the tool +\-Scan [-ScanType #] [-File [-DisableRemediation] [-BootSectorScan]][-Timeout ] | Scans for malicious software +\-Trace [-Grouping #] [-Level #]| Starts diagnostic tracing +\-GetFiles | Collects support information +\-RemoveDefinitions [-All] | Restores the installed signature definitions to a previous backup copy or to the original default set of signatures +\-AddDynamicSignature [-Path] | Loads a dynamic signature +\-ListAllDynamicSignature [-Path] | Lists the loaded dynamic signatures +\-RemoveDynamicSignature [-SignatureSetID] | Removes a dynamic signature +\-ValidateMapsConnection | Used to validate connection to the [cloud-delivered protection service](configure-network-connections-windows-defender-antivirus.md) + + + + +## Related topics + +- [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md) +- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) + + diff --git a/windows/keep-secure/configuration-management-reference-windows-defender-antivirus.md b/windows/keep-secure/configuration-management-reference-windows-defender-antivirus.md new file mode 100644 index 0000000000..edf44cdddc --- /dev/null +++ b/windows/keep-secure/configuration-management-reference-windows-defender-antivirus.md 
@@ -0,0 +1,44 @@ +--- +title: Windows Defender AV reference for management tools +description: Learn how Group Policy, Configuration Manager, PowerShell, WMI, Intune, and the comman line can be used to manage Windows Defender AV +keywords: group policy, gpo, config manager, sccm, scep, powershell, wmi, intune, defender, antivirus, antimalware, security, protection +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +--- + +# Reference topics for management and configuration tools + +**Applies to:** + +- Windows 10 + +**Audience** + +- Enterprise security administrators + +Windows Defender Antivirus can be managed and configured with the following tools: + +- Group Policy +- System Center Configuration Manager and Microsoft Intune +- PowerShell cmdlets +- Windows Management Instruction (WMI) +- The mpcmdrun.exe utility + +The topics in this section provide further information, links, and resources for using these tools in conjunction with Windows Defender AV. 
+ +## In this section + +Topic | Description +---|--- +[Use Group Policy settings to configure and manage Windows Defender AV](use-group-policy-windows-defender-antivirus.md)|List of all Group Policy settings located in the Windows 10, version 1703 ADMX templates +[Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV](use-intune-config-manager-windows-defender-antivirus.md)|Information on using System Center Configuration Manager and Microsoft Intune to deploy, manage, report, and configure Windows Defender AV +[Use PowerShell cmdlets to configure and manage Windows Defender AV](use-powershell-cmdlets-windows-defender-antivirus.md)|Instructions on using PowerShell cmdlets in the Defender Module and links to documentation for all cmdlets and allowed parameters +[Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV](use-wmi-windows-defender-antivirus.md)| Instructions on using WMI to manage Windows Defender AV and links to documentation for the Windows Defender WMIv2 APIs (including all classes, methods, and properties) +[Use the mpcmdrun.exe command-line tool to configure and manage Windows Defender Antivirus](command-line-arguments-windows-defender-antivirus.md)|Instructions on using the dedicated command-line tool to manage and use Windows Defender AV + diff --git a/windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md index d7147d12a9..7f3ba226aa 100644 --- a/windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md 
@@ -22,7 +22,7 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -You need to add an application in your Azure Active Directory (AAD) tenant then authorize the Windows Defender ATP Alerts Export application to communicate with it so that your security information and events management (SIEM) tool can consume alerts from Windows Defender ATP portal. +You need to add an application in your Azure Active Directory (AAD) tenant then authorize the Windows Defender ATP Alerts Export application to communicate with it so that your security information and events management (SIEM) tool can pull alerts from Windows Defender ATP portal. 1. Login to the [Azure management portal](https://ms.portal.azure.com). 
@@ -78,12 +78,12 @@ You need to add an application in your Azure Active Directory (AAD) tenant then 23. Save the application changes. -After configuring the application in AAD, you'll need to obtain a refresh token. You'll need to use the token when you configure the connector for your SIEM tool in the next steps. The token lets the connector access Windows Defender ATP events to be consumed by your SIEM. +After configuring the application in AAD, you'll need to obtain a refresh token. You'll need to use the token when you configure the connector for your SIEM tool in the next steps. The token lets the connector access Windows Defender ATP events to be pulled by your SIEM. ## Obtain a refresh token using an events URL Obtain a refresh token used to retrieve the Windows Defender Advanced Threat Protection events to your SIEM. This section provides information on how you can use an events URL to obtain the required refresh token. >[!NOTE] ->For HP ArcSight, you can obtain a refresh token using the restutil tool. For more information, see [Configure HP ArcSight to consume alerts](configure-arcsight-windows-defender-advanced-threat-protection.md). +>For HP ArcSight, you can obtain a refresh token using the restutil tool. For more information, see [Configure HP ArcSight to pull alerts](configure-arcsight-windows-defender-advanced-threat-protection.md). ### Before you begin Get the following information from your Azure Active Directory (AAD) application by selecting the **View Endpoint** on the application configuration page: 
@@ -111,6 +111,6 @@ You'll use these values to obtain a refresh token.
 After configuring your AAD application and generating a refresh token, you can proceed to configure your SIEM tool.
 ## Related topics
-- [Configure security information and events management (SIEM) tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md)
-- [Configure Splunk to consume alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
-- [Configure HP ArcSight to consume alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
+- [Configure security information and events management (SIEM) tools to pull alerts](configure-siem-windows-defender-advanced-threat-protection.md)
+- [Configure Splunk to pull alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
+- [Configure HP ArcSight to pull alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/configure-advanced-scan-types-windows-defender-antivirus.md b/windows/keep-secure/configure-advanced-scan-types-windows-defender-antivirus.md
new file mode 100644
index 0000000000..cd5a3e9874
--- /dev/null
+++ b/windows/keep-secure/configure-advanced-scan-types-windows-defender-antivirus.md
@@ -0,0 +1,158 @@
+---
+title: Configure advanced scanning types for Windows Defender AV
+description: You can configure Windows Defender AV to scan email storage files, back-up or reparse points, network files, and archived files (such as .zip files).
+keywords: advanced scans, scanning, email, archive, zip, rar, archive, reparse scanning
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Configure email, removable storage, network, reparse point, and archive scanning in Windows Defender AV
+
+
+**Applies to**
+- Windows 10
+
+
+
+
+
+
+
+## Manage email scans in Windows Defender
+
+You can use Windows Defender to scan email files. Malware can install itself and hide in email files, and although real-time protection offers you the best protection from email malware, you can also scan emails stored on your PC or server with Windows Defender.
+> **Important:** Mail scanning only applies to on-demand and scheduled scans, not on-access scans.
+
+Windows Defender scans Microsoft Office Outlook 2003 and older email files. We identify the file type at run-time based on the content of the file, not on location or extension.
+> **Note: ** Scanning email files might increase the time required to complete a scan.
+
+Windows Defender can extract embedded objects within a file (attachments and archived files, for example) and scan internally.
+> **Note:** While Windows Defender can be configured to scan email files, it can only remediate threats detected inside certain files, for example:
+- DBX
+- MBX
+- MIME
+
+You can configure Windows Defender to scan PST files used by Outlook 2003 or older versions (where the archive type is set to non-uni-code), but Windows Defender cannot remediate threats detected inside PST files. We recommend using real-time protection to protect against email malware.
+
+If Windows Defender detects a threat inside an email, it will show you the following information to assist you in identifying the compromised email, so you can remediate the threat:
+- Email subject
+- Attachment name
+Email scanning in Windows Defender is turned off by default. There are three ways you can manage scans through Windows Defender:
+- *Group Policy* settings
+- WMI
+- PowerShell
+> **Important:** There are some risks associated with scanning some Microsoft Outlook files and email messages. You can read about tips and risks associated with scanning Outlook files and email messages in the following articles:
+- [Scanning Outlook files in Outlook 2013](https://technet.microsoft.com/library/dn769141.aspx#bkmk-1)
+- [Scanning email messages in Outlook 2013](https://technet.microsoft.com/library/dn769141.aspx#bkmk-2)
+
+## Use *Group Policy* settings to enable email scans
+
+This policy setting allows you to turn on email scanning. When email scanning is enabled, the engine will parse the mailbox and mail files to analyze the mail bodies and attachments.
+
+Turn on email scanning with the following *Group Policy* settings:
+1. Open the **Group Policy Editor**.
+2. In the **Local Computer Policy** tree, expand **Computer Configuration**, then **Administrative Templates**, then **Windows Components**, then **Windows Defender**.
+3. Click **Scan**.
+4. Double-click **Turn on e-mail scanning**.
+
+ This will open the **Turn on e-mail scanning** window:
+
+ ![turn on e-mail scanning window](images/defender-scanemailfiles.png)
+
+5. Select **Enabled**.
+6. Click **OK** to apply changes.
+
+## Use WMI to disable email scans
+
+You can write a WMI script or application to disable email scanning. Read more about [WMI in this article](https://msdn.microsoft.com/library/windows/desktop/dn439477.aspx), and read about [Windows Preference classes in this article](https://msdn.microsoft.com/library/windows/desktop/dn455323.aspx).
+
+Use the **DisableEmailScanning** property of the **MSFT\_MpPreference** class (part of the Windows DefenderWMI provider) to enable or disable this setting:
+**DisableEmailScanning**
+Data type: **boolean**
+Access type: Read-only
+Disable email scanning.
+
+## Use PowerShell to enable email scans
+
+You can also enable email scanning using the following PowerShell parameter:
+1. Open PowerShell or PowerShellIntegrated Scripting Environment (ISE).
+2. Type **Set-MpPreference -DisableEmailScanning $false**.
+
+Read more about this in:
+- [Scripting with Windows PowerShell](https://technet.microsoft.com/library/bb978526.aspx)
+- [Defender Cmdlets](https://technet.microsoft.com/library/dn433280.aspx)
+
+## Manage archive scans in Windows Defender
+
+You can use Windows Defender to scan archive files. Malware can install itself and hide in archive files, and although real-time protection offers you the best protection from malware, you can also scan archives stored on your PC or server with Windows Defender.
+> **Important:** Archive scanning only applies to on-demand and scheduled scans, not on-access scans.
+
+Archive scanning in Windows Defender is turned on by default. There are four ways you can manage scans through Windows Defender:
+- *Group Policy* settings
+- WMI
+- PowerShell
+- Endpoint Protection
+> **Note:** Scanning archive files might increase the time required to complete a scan.
+
+If you exclude an archive file type by using the **Extensions** box, Windows Defender will not scan files with that extension (no matter what the content is), even when you have selected the **Scan archive files** check box. For example, if you exclude .rar files but theres a .r00 file thats actually .rar content, it will still be scanned if archive scanning is enabled.
+
+## Use *Group Policy* settings to enable archive scans
+
+This policy setting allows you to turn on archive scanning.
+
+Turn on email scanning with the following *Group Policy* settings:
+1. 
Open the **Group Policy Editor**.
+2. In the **Local Computer Policy** tree, expand **Computer Configuration**, then **Administrative Templates**, then **Windows Components**, then **Windows Defender**.
+3. Click **Scan**.
+4. Double-click **Scan archive files**.
+
+ This will open the **Scan archive files** window:
+
+ ![scan archive files window](images/defender-scanarchivefiles.png)
+
+5. Select **Enabled**.
+6. Click **OK** to apply changes.
+
+There are a number of archive scan settings in the **Scan** repository you can configure through *Group Policy*, for example:
+- Maximum directory depth level into which archive files are unpacked during scanning
+
+ ![specify the maximum depth to scan archive files window](images/defender-scanarchivedepth.png)
+
+- Maximum size of archive files that will be scanned
+
+ ![specify the maximum size of archive files to be scanned window](images/defender-scanarchivesize.png)
+
+- Maximum percentage CPU utilization permitted during a scan
+
+ ![specify the maximum percentage od cpu utilization during a scan window](images/defender-scanarchivecpu.png)
+
+## Use WMI to disable archive scans
+
+You can write a WMI script or application to disable archive scanning. Read more about [WMI in this article](https://msdn.microsoft.com/library/windows/desktop/dn439477.aspx), and read about [Windows Preference classes in this article](https://msdn.microsoft.com/library/windows/desktop/dn455323.aspx).
+
+Use the **DisableArchiveScanning** property of the **MSFT\_MpPreference** class (part of the Windows DefenderWMI provider) to enable or disable this setting:
+**DisableArchiveScanning**
+Data type: **boolean**
+Access type: Read-only
+Disable archive scanning.
+
+## Use PowerShell to enable archive scans
+
+You can also enable archive scanning using the following PowerShell parameter:
+1. Open PowerShell or PowerShellISE.
+2. Type **Set-MpPreference -DisableArchiveScanning $false**.
+
+Read more about this in:
+- [Scripting with Windows PowerShell](https://technet.microsoft.com/library/bb978526.aspx)
+- [Defender Cmdlets](https://technet.microsoft.com/library/dn433280.aspx)
+
+## Use Endpoint Protection to configure archive scans
+
+In Endpoint Protection, you can use the advanced scanning options to configure archive scanning. For more information, see [What are advanced scanning options?](https://technet.microsoft.com/library/ff823807.aspx)
+
diff --git a/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md
index c4ebb2bd23..21b8b172ec 100644
--- a/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md
@@ -1,6 +1,6 @@
 ---
-title: Configure HP ArcSight to consume Windows Defender ATP alerts
-description: Configure HP ArcSight to receive and consume alerts from the Windows Defender ATP portal.
+title: Configure HP ArcSight to pull Windows Defender ATP alerts
+description: Configure HP ArcSight to receive and pull alerts from the Windows Defender ATP portal.
 keywords: configure hp arcsight, security information and events management tools, arcsight
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
@@ -11,7 +11,7 @@ author: mjcaparas
 localizationpriority: high
 ---
-# Configure HP ArcSight to consume Windows Defender ATP alerts
+# Configure HP ArcSight to pull Windows Defender ATP alerts
 **Applies to:**
@@ -21,86 +21,165 @@ localizationpriority: high
 - Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-You'll need to configure HP ArcSight so that it can consume Windows Defender ATP alerts.
+You'll need to install and configure some files and tools to use HP ArcSight so that it can pull Windows Defender ATP alerts.
 ## Before you begin
+Configuring the HP ArcSight Connector tool requires several configuration files for it to pull and parse alerts from your Azure Active Directory (AAD) application.
-- Get the following information from your Azure Active Directory (AAD) application by selecting **View Endpoint** on the application configuration page:
- - OAuth 2 Token refresh URL
- - OAuth 2 Client ID
- - OAuth 2 Client secret
-- Download the [WDATP-connector.properties](http://download.microsoft.com/download/3/9/C/39C703C2-487C-4C3E-AFD8-14C2253C2F12/WDATP-connector.properties) file and update the following values:
+This section guides you in getting the necessary information to set and use the required configuration files correctly.
- - **client_ID**: OAuth 2 Client ID
- - **client_secret**: OAuth 2 Client secret
- - **auth_url**: ```https://login.microsoftonline.com/?resource=https%3A%2F%2FWDATPAlertExport.Seville.onmicrosoft.com ```
+- Make sure you have enabled the SIEM integration feature from the **Preferences setup** menu. For more information, see [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md).
- >[!NOTE]
- >Replace *tenantID* with your tenant ID.
+- Have the file you saved from enabling the SIEM integration feature ready.
You'll need to get the following values:
+ - OAuth 2.0 Token refresh URL
+ - OAuth 2.0 Client ID
+ - OAuth 2.0 Client secret
- - **token_url**: `https://login.microsoftonline.com//oauth2/token`
+- Have the following configuration files ready:
+ - WDATP-connector.properties
+ - WDATP-connector.jsonparser.properties
- >[!NOTE]
- >Replace the *tenantID* value with your tenant ID.
+ You would have saved a .zip file which contains these two files when you chose HP ArcSight as the SIEM type you use in your organization.
- - **redirect_uri**: ```https://localhost:44300/wdatpconnector```
- - **scope**: Leave the value blank
+- Make sure you generate the following tokens and have them ready:
+ - Access token
+ - Refresh token
-- Download the [WDATP-connector.jsonparser.properties](http://download.microsoft.com/download/0/8/A/08A4957D-0923-4353-B25F-395EAE363E8C/WDATP-connector.jsonparser.properties) file. This file is used to parse the information from Windows Defender ATP to HP ArcSight consumable format.
-- Install the HP ArcSight REST FlexConnector package. You can find this in the HPE Software center. Install the package on a server that has access to the Internet.
+ You can generate these tokens from the **SIEM integration** setup section of the portal.
-## Configure HP ArcSight
-The following steps assume that you have completed all the required steps in [Before you begin](#before-you-begin). For more information, see the ArcSight FlexConnector Developer's guide.
+## Install and configure HP ArcSight SmartConnector
+The following steps assume that you have completed all the required steps in [Before you begin](#before-you-begin).
-1. Save the [WDATP-connector.jsonparser.properties file](http://download.microsoft.com/download/0/8/A/08A4957D-0923-4353-B25F-395EAE363E8C/WDATP-connector.jsonparser.properties) file into the connector installation folder.
+1. Install the latest 32-bit Windows SmartConnector installer. You can find this in the HPE Software center. 
The tool is typically installed in the following default location: `C:\Program Files\ArcSightSmartConnectors\current\bin`.

        You can choose where to save the tool, for example C:\\*folder_location*\current\bin where *folder_location* represents the installation location. -2. Save the [WDATP-connector.properties](http://download.microsoft.com/download/3/9/C/39C703C2-487C-4C3E-AFD8-14C2253C2F12/WDATP-connector.properties) file into the `\current\user\agent\flexagent` folder of the connector installation folder. +2. Follow the installation wizard through the following tasks: + - Introduction + - Choose Install Folder + - Choose Install Set + - Choose Shortcut Folder + - Pre-Installation Summary + - Installing... -3. Open an elevated command-line: + You can keep the default values for each of these tasks or modify the selection to suit your requirements. - a. Go to **Start** and type **cmd**. +3. Open File Explorer and locate the two configuration files you saved when you enabled the SIEM integration feature. Put the two files in the SmartConnector installation location, for example: - b. Right-click **Command prompt** and select **Run as administrator**. + - WDATP-connector.jsonparser.properties: C:\\*folder_location*\current\user\agent\flexagent\ -4. Enter the following command and press **Enter**: ```runagentsetup.bat```. The Connector Setup pop-up window appears. + - WDATP-connector.properties: C:\\*folder_location*\current\user\agent\flexagent\ -5. In the form fill in the following required fields with these values: - >[!NOTE] - >All other values in the form are optional and can be left blank. + NOTE: + You must put the configuration files in this location, where *folder_location* represents the location where you installed the tool. -
        - - - - - - - - - - - - - - - - - - - - - - -
        FieldValue
        Configuration FileType in the name of the client property file. It must match the client property file.
        Events URLDepending on the location of your datacenter, select either the EU or the US URL:

        **For EU**: https://wdatp-alertexporter-eu.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME -
        **For US:** https://wdatp-alertexporter-us.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
        Authentication TypeOAuth 2
        OAuth 2 Client Properties fileSelect *wdatp-connector.properties*.
        Refresh TokenYou can use the Windows Defender ATP events URL or the restutil tool to get obtain a refresh token.
        For more information on getting your refresh token using the events URL, see [Obtain a refresh token](configure-aad-windows-defender-advanced-threat-protection.md#obtain-a-refresh-token).

        **To get your refresh token using the restutil tool:**
        a. Open a command prompt. Navigate to `C:\ArcSightSmartConnectors\\current\bin`.

        b. Type: `arcsight restutil token -config C:\ArcSightSmartConnectors_Prod\WDATP\WDATP-connector.properties`. A Web browser window will open.

        c. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials.

        d. A refresh token is shown in the command prompt.

        e. Paste the value in the form. -
        -6. Select **Next**, then **Save**. +4. After the installation of the core connector completes, the Connector Setup window opens. In the Connector Setup window, select **Add a Connector**. -7. Run the connector. You can choose to run in Service mode or Application mode. +5. Select Type: **ArcSight FlexConnector REST** and click **Next**. -8. In the HP ArcSight console, create a **Windows Defender ATP** channel with intervals and properties suitable to your enterprise needs. Windows Defender ATP alerts will appear as discrete events, with “Microsoft” as the vendor and “Windows Defender ATP” as the device name. +6. Type the following information in the parameter details form. All other values in the form are optional and can be left blank. + + + + + + + + + + + + + + + + + + + + + + + + +
        FieldValue
        Configuration FileType in the name of the client property file. The name must match the file provided in the .zip that you downloaded. + For example, if the configuration file in "flexagent" directory is named "WDATP-Connector.jsonparser.properties", you must type "WDATP-Connector" as the name of the client property file.
        Events URLDepending on the location of your datacenter, select either the EU or the US URL:

        **For EU**: https://wdatp-alertexporter-eu.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME +
        **For US:** https://wdatp-alertexporter-us.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
        Authentication TypeOAuth 2
        OAuth 2 Client Properties fileBrowse to the location of the *wdatp-connector.properties* file. The name must match the file provided in the .zip that you downloaded.
        Refresh TokenYou can obtain a refresh token in two ways: by generating a refresh token from the **SIEM integration preferences setup** page or using the restutil tool.

        For more information on generating a refresh token from the **Preferences setup** , see [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md).

        **Get your refresh token using the restutil tool:**
        a. Open a command prompt. Navigate to C:\\*folder_location*\current\bin where *folder_location* represents the location where you installed the tool.

        b. Type: `arcsight restutil token -config` from the bin directory. A Web browser window will open.

        c. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials.

        d. A refresh token is shown in the command prompt.

        e. Copy and paste it into the **Refresh Token** field. +
        +7. A browser window is opened by the connector. Login with your application credentials. After you log in, you'll be asked to give permission to your OAuth2 Client. You must give permission to your OAuth 2 Client so that the connector configuration can authenticate.

        +If the `redirect_uri` is a https URL, you'll be redirected to a URL on the local host. You'll see a page that requests for you to trust the certificate supplied by the connector running on the local host. You'll need to trust this certificate if the redirect_uri is a https.

        If however you specify a http URL for the redirect_uri, you do not need to provide consent in trusting the certificate. + +8. Continue with the connector setup by returning to the HP ArcSight Connector Setup window. + +9. Select the **ArcSight Manager (encrypted)** as the destination and click **Next**. + +10. Type in the destination IP/hostname in **Manager Hostname** and your credentials in the parameters form. All other values in the form should be retained with the default values. Click **Next**. + +11. Type in a name for the connector in the connector details form. All other values in the form are optional and can be left blank. Click **Next**. + +11. The ESM Manager import certificate window is shown. Select **Import the certificate to connector from destination** and click **Next**. The **Add connector Summary** window is displayed and the certificate is imported. + +12. Verify that the details in the **Add connector Summary** window is correct, then click **Next**. + +13. Select **Install as a service** and click **Next**. + +14. Type a name in the **Service Internal Name** field. All other values in the form can be retained with the default values or left blank . Click **Next**. + +13. Type in the service parameters and click **Next**. A window with the **Install Service Summary** is shown. Click **Next**. + +14. Finish the installation by selecting **Exit** and **Next**. + +## Install and configure the HP ArcSight console +1. Follow the installation wizard through the following tasks: + - Introduction + - License Agreement + - Special Notice + - Choose ArcSight installation directory + - Choose Shortcut Folder + - Pre-Installation Summary + +2. Click **Install**. After the installation completes, the ArcSight Console Configuration Wizard opens. + +3. Type localhost in **Manager Host Name** and 8443 in **Manager Port** then click **Next**. + +4. Select **Use direct connection**, then click **Next**. + +5. 
Select **Password Based Authentication**, then click **Next**.
+
+6. Select **This is a single user installation. (Recommended)**, then click **Next**.
+
+7. Click **Done** to quit the installer.
+
+8. Login to the HP ArcSight console.
+
+9. Navigate to **Active channel set** > **New Condition** > **Device** > **Device Product**.
+
+10. Set **Device Product = Windows Defender ATP**. When you've verified that events are flowing to the tool, stop the process again and go to Windows Services and start the ArcSight FlexConnector REST.
+
+You can now run queries in the HP ArcSight console.
+
+Windows Defender ATP alerts will appear as discrete events, with "Microsoft” as the vendor and “Windows Defender ATP” as the device name.
+
+
+## Troubleshooting HP ArcSight connection
+**Problem:** Failed to refresh the token. You can find the log located in C:\\*folder_location*\current\logs where *folder_location* represents the location where you installed the tool. Open _agent.log_ and look for `ERROR/FATAL/WARN`.
+
+**Symptom:** You get the following error message:
+
+`Failed to refresh the token. Set reauthenticate to true: com.arcsight.common.al.e: Failed to refresh access token: status=HTTP/1.1 400 Bad Request FATAL EXCEPTION: Could not refresh the access token`
+
+**Solution:**
+1. Stop the process by clicking Ctrl + C on the Connector window. Click **Y** when asked "Terminate batch job Y/N?".
+2. Navigate to the folder where you stored the WDATP-connector.properties file and edit it to add the following value:
+`reauthenticate=true`.
+
+3. Restart the connector by running the following command: `arcsight.bat connectors`.
+
+ A browser window appears. Allow it to run, it should disappear, and the connector should now be running.
+
+> [!NOTE]
+> Verify that the connector is running by stopping the process again. Then start the connector again, and no browser window should appear.
## Related topics
-- [Configure security information and events management (SIEM) tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md)
-- [Configure Azure Active Directory application for SIEM integration](configure-aad-windows-defender-advanced-threat-protection.md)
-- [Configure Splunk to consume alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
+- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
+- [Configure Splunk](configure-splunk-windows-defender-advanced-threat-protection.md)
+- [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md)
+- [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/configure-block-at-first-sight-windows-defender-antivirus.md b/windows/keep-secure/configure-block-at-first-sight-windows-defender-antivirus.md
new file mode 100644
index 0000000000..7bd0777196
--- /dev/null
+++ b/windows/keep-secure/configure-block-at-first-sight-windows-defender-antivirus.md
@@ -0,0 +1,149 @@
+---
+title: Enable Block at First Sight to detect malware in seconds
+description: Enable the Block at First sight feature to detect and block malware within seconds, and validate that it is configured correctly.
+keywords: scan, BAFS, malware, first seen, first sight, cloud, defender
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+
+
+
+
+# Enable the Block at First Sight feature
+
+**Applies to**
+
+- Windows 10, version 1703
+
+**Audience**
+
+- Enterprise security administrators
+
+**Manageability available with**
+
+- Group Policy
+- Windows Defender Security Center app
+
+
+Block at First Sight is a feature of Windows Defender Antivirus cloud-delivered protection that provides a way to detect and block new malware within seconds.
+
+It is enabled by default when certain pre-requisite settings are also enabled. In most cases, these pre-requisite settings are also enabled by default, so the feature is running without any intervention. You can use group policy settings to confirm the feature is enabled.
+
+You can also [specify how long the file should be prevented from running](configure-cloud-block-timeout-period-windows-defender-antivirus.md) while the cloud-based protection service analyzes the file.
+
+> [!IMPORTANT]
+> There is no specific individual setting in System Center Configuration Manager to enable or disable Block at First Sight. It is enabled by default when the pre-requisite settings are configured correctly. You must use Group Policy settings to enable or disable the feature.
+
+## How it works
+
+When a Windows Defender Antivirus client encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend will apply heuristics, machine learning, and automated analysis of the file to determine the files as malicious or clean. 
The following video describes how this feature works.
+
+The Block at first sight feature only uses the cloud protection backend for executable files that are downloaded from the Internet, or originating from the Internet zone. A hash value of the EXE file is checked via the cloud backend to determine if this is a previously undetected file.
+
+
+
+If the cloud backend is unable to make a determination, the file will be locked by Windows Defender AV while a copy is uploaded to the cloud. The cloud will perform additional analysis to reach a determination before it allows the file to run or blocks it in all future encounters, depending on whether the file is determined to be malicious or safe.
+
+In many cases this process can reduce the response time for new malware from hours to seconds.
+
+
+## Confirm and validate Block at First Sight is enabled
+
+Block at First Sight requires a number of Group Policy settings to be configured correctly or it will not work. Usually, these settings are already enabled in most default Windows Defender AV deployments in enterprise networks.
+
+
+
+### Confirm Block at First Sight is enabled with Group Policy
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4. Click **Policies** then **Administrative templates**.
+
+5. Expand the tree to **Windows components > Windows Defender Antivirus > MAPS** and configure the following Group Policies:
+
+ 1. Double-click the **Join Microsoft MAPS** setting and ensure the option is set to **Enabled**. Click **OK**.
+
+ 1. Double-click the **Send file samples when further analysis is required** setting and ensure the option is set to **Enabled** and the additional options are either of the following:
+
+ 1. Send safe samples (1)
+
+ 1. 
Send all samples (3)
+
+ > [!WARNING]
+ > Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the "Block at First Sight" feature will not function.
+
+ 1. Click **OK**.
+
+1. In the **Group Policy Management Editor**, expand the tree to **Windows components > Windows Defender Antivirus > Real-time Protection**:
+
+ 1. Double-click the **Scan all downloaded files and attachments** setting and ensure the option is set to **Enabled**. Click **OK**.
+
+ 1. Double-click the **Turn off real-time protection** setting and ensure the option is set to **Disabled**. Click **OK**.
+
+If you had to change any of the settings, you should re-deploy the Group Policy Object across your network to ensure all endpoints are covered.
+
+
+### Confirm Block at First Sight is enabled with the Windows Defender Security Center app
+
+You can confirm that Block at First Sight is enabled in Windows Settings.
+
+The feature is automatically enabled as long as **Cloud-based protection** and **Automatic sample submission** are both turned on.
+
+**Confirm Block at First Sight is enabled on individual clients**
+
+1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+
+2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
+
+![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center app](images/defender/wdav-protection-settings-wdsc.png)
+
+3. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**.
+
+> [!NOTE]
+> If the pre-requisite settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. 
Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings.
+
+
+### Validate Block at First Sight is working
+
+You can validate that the feature is working by following the steps outlined in the [Validate connections between your network and the cloud](configure-network-connections-windows-defender-antivirus.md#validate) topic.
+
+
+## Disable Block at First Sight
+
+> [!WARNING]
+> Disabling the Block at First Sight feature will lower the protection state of the endpoint and your network.
+
+You may choose to disable the Block at First Sight feature if you want to retain the pre-requisite settings without using Block at First Sight protection. You might wish to do this if you are experiencing latency issues or you want to test the feature's impact on your network.
+
+**Disable Block at First Sight with Group Policy**
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4. Click **Policies** then **Administrative templates**.
+
+5. Expand the tree through **Windows components > Windows Defender Antivirus > MAPS**.
+
+1. Double-click the **Configure the Block at First Sight feature** setting and set the option to **Disabled**.
+
+ > [!NOTE]
+ > Disabling the Block at First Sight feature will not disable or alter the pre-requisite group policies.
+
+
+## Related topics
+
+- [Windows Defender in Windows 10](windows-defender-in-windows-10.md)
+- [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
+
+
diff --git a/windows/keep-secure/configure-cloud-block-timeout-period-windows-defender-antivirus.md b/windows/keep-secure/configure-cloud-block-timeout-period-windows-defender-antivirus.md
new file mode 100644
index 0000000000..8846515965
--- /dev/null
+++ b/windows/keep-secure/configure-cloud-block-timeout-period-windows-defender-antivirus.md
@@ -0,0 +1,74 @@
+---
+title: Configure the Windows Defender AV cloud block timeout period
+description: You can configure how long Windows Defender Antivirus will block a file from running while waiting for a cloud determination.
+keywords: windows defender antivirus, antimalware, security, defender, cloud, timeout, block, period, seconds
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Configure the cloud block timeout period
+
+
+
+**Applies to:**
+
+- Windows 10, version 1703
+
+**Audience**
+
+- Enterprise security administrators
+
+**Manageability available with**
+
+- Group Policy
+
+
+
+
+
+
+When Windows Defender Antivirus is suspicious of a file, it can prevent the file from running while it queries the [Windows Defender Antivirus cloud-protection service](utilize-microsoft-cloud-protection-windows-defender-antivirus.md).
+
+The default period that the file will be [blocked](configure-block-at-first-sight-windows-defender-antivirus.md) for is 10 seconds. You can specify an additional period of time to wait before the file is allowed to run. This can help ensure there is enough time to receive a proper determination from the Windows Defender Antivirus cloud.
+
+
+
+## Prerequisites to use the extended cloud block timeout
+
+The [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature and its prerequisites must be enabled before you can specifiy an extended timeout period.
+
+## Specify the extended timeout period
+
+You can use Group Policy to specify an extended timeout for cloud checks.
+
+**Use Group Policy to specify an extended timeout period:**
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+2. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+3. Click **Policies** then **Administrative templates**.
+
+4. Expand the tree to **Windows components > Windows Defender Antivirus > MpEngine**
+
+5. Double-click the **Configure extended cloud check** setting and ensure the option is enabled. Specify the additional amount of time to prevent the file from running while waiting for a cloud determination. You can specify the additional time, in seconds, from 1 second to 50 seconds. This time will be added to the default 10 seconds.
+
+6. Click **OK**.
+
+
+## Related topics
+
+- [Windows Defender in Windows 10](windows-defender-in-windows-10.md)
+- [Utilize Microsoft cloud-delivered protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
+- [Configure the Block at First Sight feature](configure-block-at-first-sight-windows-defender-antivirus.md)
+- [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
+
+
+
+
diff --git a/windows/keep-secure/configure-email-notifications-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-email-notifications-windows-defender-advanced-threat-protection.md
index 2ad2430c0e..c4a85d0274 100644
--- a/windows/keep-secure/configure-email-notifications-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-email-notifications-windows-defender-advanced-threat-protection.md
@@ -64,5 +64,5 @@ This section lists various issues that you may encounter when using email notifi ## Related topics - [Update general settings in Windows Defender ATP](general-settings-windows-defender-advanced-threat-protection.md) -- [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advacned-threat-protection.md) +- [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advanced-threat-protection.md) - [Turn on the preview experience in Windows Defender ATP](preview-settings-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/configure-end-user-interaction-windows-defender-antivirus.md b/windows/keep-secure/configure-end-user-interaction-windows-defender-antivirus.md new file mode 100644 index 0000000000..47b2f3f968 --- /dev/null +++ b/windows/keep-secure/configure-end-user-interaction-windows-defender-antivirus.md 
@@ -0,0 +1,39 @@
+---
+title: Configure how users can interact with Windows Defender AV
+description: Configure how end-users interact with Windows Defender AV, what notifications they see, and if they can override settings.
+keywords: endpoint, user, interaction, notifications, ui lockdown mode, headless mode, hide interface
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Configure end-user interaction with Windows Defender Antivirus
+
+**Applies to:**
+
+- Windows 10
+
+**Audience**
+
+- Enterprise security administrators
+
+**Manageability available with**
+
+- Group Policy
+
+You can configure how users of the endpoints on your network can interact with Windows Defender Antivirus.
+
+This includes whether they see the Windows Defender AV interface, what notifications they see, and if they can locally override globally deployed Group Policy settings.
+
+## In this section
+
+Topic | Description
+---|---
+[Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) | Configure and customize additional notifications, customized text for notifications, and notifications about reboots for remediation
+[Prevent users from seeing or interacting with the Windows Defender AV user interface](prevent-end-user-interaction-windows-defender-antivirus.md) | Hide the user interface from users
+[Prevent users from locally modifying policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) | Prevent (or allow) users from overriding policy settings on their individual endpoints
diff --git a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
index 775b756512..49e9d275ab 100644
--- a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md @@ -45,9 +45,7 @@ You can use System Center Configuration Manager’s existing functionality to cr 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOnboardingScript.cmd*. -3. Onboard your devices using SCCM by following the steps in the [Onboard devices to Windows Defender ATP](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/windows-defender-advanced-threat-protection#onboard-devices-for-windows-defender-atp) topic. - -4. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/library/gg682178.aspx) topic. +3. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/library/gg682178.aspx) topic. a. Choose a predefined device collection to deploy the package to. diff --git a/windows/keep-secure/configure-exclusions-windows-defender-antivirus.md b/windows/keep-secure/configure-exclusions-windows-defender-antivirus.md new file mode 100644 index 0000000000..11e86abb86 --- /dev/null +++ b/windows/keep-secure/configure-exclusions-windows-defender-antivirus.md 
@@ -0,0 +1,141 @@ +--- +title: Set up exclusions for Windows Defender AV scans +description: You can exclude files (including files modified by specified processes) and folders from being scanned by Windows Defender AV +keywords: +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +--- + +# Exclude files and processes from Windows Defender AV scans + + +**Applies to:** + +- Windows 10 + +**Audience** + +- Enterprise security administrators + + +**Manageability available with** + +- Group Policy +- System Center Configuration Manager +- PowerShell +- Windows Management Instrumentation (WMI) +- Microsoft Intune +- Windows Defender Security Center + +You can exclude certain files, folders, and process-modified files from being scanned by Windows Defender AV. The exclusions apply to both [scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md) and [always-on real-time protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md). + +Changes made via Group Policy to the exclusion lists will show in the lists in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions). + +However, changes made in the Windows Defender Security Center app will not show in the lists in the Group Policy settings. + + +## Exclude file extensions from Windows Defender AV scans + +You can exclude certain file extenstions from being scanned by Windows Defender AV. + +**Use Group Policy to exclude specified file extensions from scans:** + +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. 
Click **Policies** then **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**. + + +6. Double-click the **Extension Exclusions** setting and add the exclusions: + + 1. Set the option to **Enabled**. + 2. Under the **Options** section, click **Show...** + 3. Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column for all processes. + +7. Click **OK**. + +![The Group Policy setting for file exclusions](images/defender/wdav-extension-exclusions.png) + + + + +## Exclude paths and files from Windows Defender AV scans + +**Use Group Policy to exclude specified paths or folders from scans:** + +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. Click **Policies** then **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**. + + +6. Double-click the **Path Exclusions** setting and add the exclusions: + + 1. Set the option to **Enabled**. + 2. Under the **Options** section, click **Show...** + 3. Enter each path or file on its own line under the **Value name** column. If you are entering a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extesnsion. Enter **0** in the **Value** column for all processes. + +7. Click **OK**. + +![The Group Policy setting for folder exclusions](images/defender/wdav-path-exclusions.png) + + +## Exclude files opened by processes from Windows Defender AV scns + +You can exclude files that are opened by specified processes from being scanned. The specified process won't be excluded - but any files that are opened by that process will be. 
+ +You can only exclude executable files. + +**Use Group Policy to exclude files that have been used or modified by specified processes from scans:** + +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. Click **Policies** then **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**. + + +6. Double-click the **Process Exclusions** setting and add the exclusions: + + 1. Set the option to **Enabled**. + 2. Under the **Options** section, click **Show...** + 3. Enter each process on its own line under the **Value name** column. Ensure you enter a fully qualified path to the process, including the drive letter, folder path, filename, and extesnsion. Enter **0** in the **Value** column for all processes. + +7. Click **OK**. + +![The Group Policy setting for specifying process exclusions](images/defender/wdav-process-exclusions.png) + + + ## Configure auto exclusions lists for Windows Server deployments + +If you are using Windows Defender AV to protect Windows Server endpoints or machines, you are [automatically enrolled in certain exclusions](https://technet.microsoft.com/en-us/windows-server-docs/security/windows-defender/automatic-exclusions-for-windows-defender), as defined by your specified Server role. + +These exclusions will not appear in the standard exclusion lists shown in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions). + +You can also [add custom exclusions to the auto exclusions with PowerShell](https://technet.microsoft.com/en-us/windows-server-docs/security/windows-defender/windows-defender-overview-windows-server#BKMK_DefExclusions). 
+Exclusions | Turn off Auto Exclusions | + + + + + + + +## Related topics + +- [Customize, initiate, and review the results of Windows Defender AV scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) +- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) \ No newline at end of file diff --git a/windows/keep-secure/configure-local-policy-overrides-windows-defender-antivirus.md b/windows/keep-secure/configure-local-policy-overrides-windows-defender-antivirus.md new file mode 100644 index 0000000000..fb1993e2a1 --- /dev/null +++ b/windows/keep-secure/configure-local-policy-overrides-windows-defender-antivirus.md 
@@ -0,0 +1,103 @@ +--- +title: Configure local overrides for Windows Defender AV settings +description: Enable or disable users from locally changing settings in Windows Defender AV. +keywords: local override, local policy, group policy, gpo, lockdown,merge, lists +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +--- + +# Prevent or allow users to locally modify Windows Defender AV policy settings + +**Applies to:** + +- Windows 10 + +**Audience** + +- Enterprise security administrators + +**Manageability available with** + +- Group Policy + + +By default, Windows Defender AV settings that are deployed via a Group Policy Object to the endpoints in your network will prevent users from locally changing the settings. You can change this in some instances. + +For example, it may be necessary to allow certain user groups (such as security researchers and threat investigators) further control over individual settings on the endpoints they use. + +## Configure local overrides for Windows Defender AV settings + +The default setting for these policies is **Disabled**. + +If they are set to **Enabled**, users on endpoints can make changes to the associated setting with the [Windows Defender Security Center](windows-defender-security-center-antivirus.md) app, local Group Policy settings, and PowerShell cmdlets (where appropriate). + +The following table lists each of the override policy setting and the configuration instructions for the associated feature or setting. + +To configure these settings: + +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. 
Click **Policies** then **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below. + +6. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings. + +7. Deploy the Group Policy Object as usual. + +Location | Setting | Impact if **Enabled** | Configuration topic +---|---|---|--- +MAPS | Configure local setting override for reporting to Microsoft MAPS | User can disable cloud protection | [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) +Quarantine | Configure local setting override for the removal of items from Quarantine folder | User can change the number of days threats are kept in the quarantine folder before being removed |[Configure remediation for scans](configure-remediation-windows-defender-antivirus.md) +Real-time protection | Configure local setting override for monitoring file and program activity on your computer | User can disable real-time protection | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) +Real-time protection | Configure local setting override for monitoring for incoming and outgoing file activity | User can change direction for file activity monitoring | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) +Real-time protection | Configure local setting override for scanning all downloaded files and attachments | Allow user to disable scans of downloaded files and attachments | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) +Real-time protection | Configure local setting override for turn on behavior monitoring | User 
| [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) +Real-time protection | Configure local setting override to turn on real-time protection | xxx | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) +Remediation | Configure local setting override for the time of day to run a scheduled full scan to complete remediation | xxx | [Configure remediation for scans](configure-remediation-windows-defender-antivirus.md) +Scan | Configure local setting override for maximum percentage of CPU utilization | xxx | [Configure and run scans](run-scan-windows-defender-antivirus.md) +Scan | Configure local setting override for schedule scan day | xxx | [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md) +Scan | Configure local setting override for scheduled quick scan time | xxx | [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md) +Scan | Configure local setting override for scheduled scan time | xxx | [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md) +Scan | Configure local setting override for the scan type to use for a scheduled scan | xxx | [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md) + + + + + + +## Configure how locally and globally defined threat remediation and exclusions lists are merged + +You can also configure how locally defined lists are combined or merged with globally defined lists. This setting applies to [exclusion lists](configure-exclusions-windows-defender-antivirus.md) and [specified remediation lists](configure-remediation-windows-defender-antivirus.md). 
+ +By default, lists that have been configured in local group policy and the Windows Defender Security Center app are merged with lists that are defined by the appropriate GPO that you have deployed on your network. Where there are conflicts, the globally defined list takes precendence. + +You can disable this setting to ensure that only globally defined lists (such as those from any deployed GPOs) are used. + + +**Use Group Policy to disable local list merging:** + +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. Click **Policies** then **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender Antivirus**. + +6. Double-click the **Configure local administrator merge behavior for lists** setting and set the option to **Enabled**. Click **OK**. + + + +## Related topics + +- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) +- [Configure end-user interaction with Windows Defender AV](configure-end-user-interaction-windows-defender-antivirus.md) \ No newline at end of file diff --git a/windows/keep-secure/configure-network-connections-windows-defender-antivirus.md b/windows/keep-secure/configure-network-connections-windows-defender-antivirus.md new file mode 100644 index 0000000000..4bba9f4ec2 --- /dev/null +++ b/windows/keep-secure/configure-network-connections-windows-defender-antivirus.md 
@@ -0,0 +1,199 @@ +--- +title: Configure and test Windows Defender Antivirus network connections +description: Configure and test your connection to the Windows Defender Antivirus cloud-delivered protection service. +keywords: windows defender antivirus, antimalware, security, defender, cloud, aggressiveness, protection level +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +--- + +# Configure and validate network connections for Windows Defender Antivirus + + +**Applies to:** + +- Windows 10, version 1703 + +**Audience** + +- Enterprise security administrators + + +To ensure Windows Defender Antivirus cloud-delivered protection works properly, you need to configure your network to allow connections between your endpoints and certain Microsoft servers. + +This topic lists the connections that must be allowed, including firewall rules, and provides instructions for validating your connection. This will help ensure you receive the best protection from our cloud-delivered protection services. + +See the Enterprise Mobility and Security blog post [Important changes to Microsoft Active Protection Services endpoint](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/important-changes-to-microsoft-active-protection-service-maps-endpoint/) for some details about network connectivity. + +## Allow connections to the Windows Defender Antivirus cloud + +The Windows Defender Antivirus cloud provides fast, strong protection for your endpoints. Enabling the cloud-delivered protection service is optional, however it is highly recommend as it provides very important protection against malware on your endpoints and across your network. + +>[!NOTE] +>The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. 
Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional signature updates. + +See the [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) topic for details on enabling the service with Group Policy, System Center Configuration Manager, PowerShell cmdlets, Microsoft Intune, or on individual clients in the Windows Defender Security Center app. + +After you've enabled the service, you may need to configure your network or firewall to allow connections between it and your endpoints. + +The following table lists the services and their associated URLs that your network must be able to connect to. You should ensure there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an **allow** rule specifically for them: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
        ServiceDescriptionURL
        + Windows Defender Antivirus cloud-based protection service, also referred to as Microsoft Active Protection Service (MAPS) + + Used by Windows Defender Antivirus to provide cloud-based protection + +*.wdcp.microsoft.com*
        +*.wdcpalt.microsoft.com* +
        +Microsoft Update Service (MU) + +Signature and product updates + +*.updates.microsoft.com +
        + Definition updates alternate download location (ADL) + + Alternate location for Windows Defender Antivirus definition updates if the installed definitions fall out of date (7 or more days behind) + +*.download.microsoft.com +
        + Malware submission storage + + Upload location for files submitted to Microsoft via the Submission form or automatic sample submission + +*.blob.core.windows.net +
        +Certificate Revocation List (CRL) + +Used by Windows when creating the SSL connection to MAPS for updating the CRL + +http://www.microsoft.com/pkiops/crl/
        +http://www.microsoft.com/pkiops/certs
        +http://crl.microsoft.com/pki/crl/products
        +http://www.microsoft.com/pki/certs + +
        +Symbol Store + +Used by Windows Defender Antivirus to restore certain critical files during remediation flows + +https://msdl.microsoft.com/download/symbols +
        +Universal Telemetry Client + +Used by Windows to send client telemetry, Windows Defender Antivirus uses this for product quality monitoring purposes + +This update uses SSL (TCP Port 443) to download manifests and upload telemetry to Microsoft that uses the following DNS endpoints:
        • vortex-win.data.microsoft.com
        • settings-win.data.microsoft.com
        + + + + +## Validate connections between your network and the cloud + +After whitelisting the URLs listed above, you can test if you are connected to the Windows Defender AV cloud and are correctly reporting and receiving information to ensure you are fully protected. + +**Use the cmdline tool to validate cloud-delivered protection:** + +Use the following argument with the Windows Defender AV command line utility (*mpcmdrun.exe*) to verify that your network can communicate with the Windows Defender AV cloud: + +```DOS +MpCmdRun - ValidateMapsConnection +``` + +See [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender Antivirus](command-line-arguments-windows-defender-antivirus.md) for more information on how to use the *mpcmdrun.exe* utility. + +**Attempt to download a fake malware file from Microsoft:** + +You can download a sample file that Windows Defender AV will detect and block if you are properly connected to the cloud. + +Download the file by visiting the following link: +- http://aka.ms/ioavtest + +>[!NOTE] +>This file is not an actual piece of malware. It is a fake file that is designed to test if you are properly connected to the cloud. + +If you are properly connected, you will see a warning notification from Windows Defender Antivirus: + +![Windows Defender Antivirus notification informing the user that malware was found](images/defender/wdav-malware-detected.png) + +If you are using Microsoft Edge, you'll also see a notification message: + +![Microsoft Edge informing the user that malware was found](images/defender/wdav-bafs-edge.png) + +A similar message occurs if you are uding Internet Explorer: + +![Windows Defender Antivirus notification informing the user that malware was found](images/defender/wdav-bafs-ie.png) + +You will also see a detection under **Quarantined threats** in the **Scan history** section in the Windows Defender Security Center app: + +1. 
Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**. + +2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Scan history** label: + + ![Screenshot of the Scan history label in the Windows Defender Security Center app](images/defender/wdav-history-wdsc.png) + +3. Under the **Quarantined threats** section, click the **See full history** label to see the detected fake malware: + + ![Screenshot of quarantined items in the Windows Defender Security Center app](images/defender/wdav-quarantined-history-wdsc.png) + +The Windows event log will also show [Windows Defender client event ID 2050](troubleshoot-windows-defender-antivirus.md). + +>[!IMPORTANT] +>You will not be able to use a proxy auto-config (.pac) file to test network connections to these URLs. You will need to verify your proxy servers and any network filtering tools manually to ensure connectivity. + + +## Related topics + +- [Windows Defender Antivirus in Windows 10](windows-defender-in-windows-10.md) +- [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) +- [Run a Windows Defender scan from the command line](command-line-arguments-windows-defender-antivirus.md) and [Command line arguments](command-line-arguments-windows-defender-antivirus.md) +- [Important changes to Microsoft Active Protection Services endpoint](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/important-changes-to-microsoft-active-protection-service-maps-endpoint/) + + diff --git a/windows/keep-secure/configure-notifications-windows-defender-antivirus.md b/windows/keep-secure/configure-notifications-windows-defender-antivirus.md new file mode 100644 index 0000000000..2244318943 --- /dev/null +++ b/windows/keep-secure/configure-notifications-windows-defender-antivirus.md 
@@ -0,0 +1,129 @@ +--- +title: Configure notifications for Windows Defender Antivirus +description: Configure and customize notifications from Windows Defender AV. +keywords: notifications, defender, endpoint, management, admin +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +--- + +# Configure the notifications that appear on endpoints + +**Applies to:** + +- Windows 10, version 1703 + +**Audience** + +- Enterprise security administrators + +**Manageability available with** + +- Group Policy +- Windows Defender Security Center app + +In Windows 10, application notifications about malware detection and remediation by Windows Defender are more robust, consistent, and concise. + +Notifications will appear on endpoints when manually triggered and scheduled scans are completed and threats are detected. These notifications will also be seen in the **Notification Center**, and a summary of scans and threat detections will also appear at regular time intervals. + +You can also configure how standard notifications appear on endpoints, such as notfications for reboot or when a threat has been detected and remediated. + +## Configure the additional notifications that appear on endpoints + +You can configure the display of additional notifications, such as recent threat detection summaries, in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md) and with Group Policy. + +> [!NOTE] +> In Windows 10, version 1607 the feature was called **Enhanced notifications** and could be configured under **Windows Settings** > **Update & security** > **Windows Defender**. In Group Policy settings in all versions of Windows 10 it is called **Enhanced notifications**. + +> [!IMPORTANT] +> Disabling additional notifications will not disable critical notifications, such as threat detection and remediation alerts. 
+ +**Use the Windows Defender Security Center app to disable additional notifications:** + +1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. + +2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label: + +![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](images/defender/wdav-protection-settings-wdsc.png) + +3. Scroll to the **Notifications** section and click **Change notification settings**. + +4. Slide the switch to **Off** or **On** to disable or enable additional notifications. + +**Use Group Policy to disable additional notifications:** + +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. Click **Policies** then **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender Antivirus > Reporting**. + +6. Double-click the **Turn off enhanced notifications** setting and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing. + + +## Configure standard notifications on endpoints + +You can use Group Policy to: +- Display additional, customized text on endpoints when the user needs to perform an action +- Hide all notifications on endpoints +- Hide reboot notifications on endpoints + +Hiding notifications can be useful in situations where you cannot hide the entire Windows Defender AV interface. See [Prevent users from seeing or interacting with the Windows Defender AV user interface](prevent-end-user-interaction-windows-defender-antivirus.md) for more information. 
+ +> [!NOTE] +> Hiding notifications will only occur on endpoints to which the policy has been deployed. Notifications related to actions that must be taken (such as a reboot) will still appear on the [System Center Configuration Manager Endpoint Protection monitoring dashboard and reports](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/monitor-endpoint-protection). + +**Use Group Policy to display additional, custom text in notifications:** + +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. Click **Policies** then **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**. + +6. Double-click the **Display additional text to clients when they need to perform an action** setting and set the option to **Enabled**. + +7. Enter the additional text you want to be shown to users. Click **OK**. + +**Use Group Policy to hide notifications:** + +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. Click **Policies** then **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**. + +6. Double-click the **Suppress all notifications** setting and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing. + +**Use Group Policy to hide reboot notifications:** + +1. 
On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. Click **Policies** then **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**. + +6. Double-click the **Suppresses reboot notifications** setting and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing. + + + + + + +## Related topics + +- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) +- [Configure end-user interaction with Windows Defender AV](configure-end-user-interaction-windows-defender-antivirus.md) diff --git a/windows/keep-secure/configure-protection-features-windows-defender-antivirus.md b/windows/keep-secure/configure-protection-features-windows-defender-antivirus.md new file mode 100644 index 0000000000..bf1f2f595e --- /dev/null +++ b/windows/keep-secure/configure-protection-features-windows-defender-antivirus.md 
@@ -0,0 +1,43 @@ +--- +title: Enable and configure protection features in Windows Defender AV +description: Enable behavior-based, heuristic, and real-time protection in Windows Defender AV. +keywords: heuristic, machine-learning, behavior monitor, real-time protection, always-on, windows defender antivirus, antimalware, security, defender +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +--- + +# Configure behavioral, heuristic, and real-time protection + +**Applies to:** + +- Windows 10 + +**Audience** + +- Enterprise security administrators + +Windows Defender Antivirus uses several methods to provide threat protection: + +- Cloud-delivered protection for near-instant detection and blocking of new and emerging threats +- Always-on scanning, using file and process behavior monitoring and other heuristics (also known as "real-time protection") +- Dedicated protection updates based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research + +You can configure how Windows Defender AV uses these methods with Group Policy, System Center Configuration Manage, PowerShell cmdlets, and Windows Management Instrumentation (WMI). + +This section covers configuration for always-on scanning, including how to detect and block apps that are deemed unsafe, but may not be detected as malware. + +See the [Utilize Microsoft cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) section for how to enable and configure Windows Defender AV cloud-delivered protection. 
+ + +## In this section + + Topic | Description +---|--- +[Detect and block potentially unwanted applications](detect-block-potentially-unwanted-apps-windows-defender-antivirus.md) | Detect and block apps that may be unwanted in your network, such as adware, browser modifiers and toolbars, and rogue or fake antivirus apps +[Enable and configure Windows Defender AV protection capabilities](configure-real-time-protection-windows-defender-antivirus.md) | Enable and configure real-time protection, heuristics, and other always-on antivirus monitoring features \ No newline at end of file diff --git a/windows/keep-secure/configure-real-time-protection-windows-defender-antivirus.md b/windows/keep-secure/configure-real-time-protection-windows-defender-antivirus.md new file mode 100644 index 0000000000..ad4ca873ec --- /dev/null +++ b/windows/keep-secure/configure-real-time-protection-windows-defender-antivirus.md 
@@ -0,0 +1,99 @@ +--- +title: Configure always-on real-time protection in Windows Defender AV +description: Enable and configure real-time protectoin features such as behavior monitoring, heuristics, and machine-learning in Windows Defender AV +keywords: real-time protection, rtp, machine-learning, behavior monitoring, heuristics +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +--- + + + +# Enable and configure Windows Defender AV always-on protection and monitoring + + + +**Applies to:** + +- Windows 10 + + +**Audience** + +- Enterprise security administrators + + +**Manageability available with** + +- Group Policy + + + + +Always-on protection consists of real-time protection, behavior monitoring, and heuristics to identify malware based on known suspicious and malicious activities. + +These activities include events such as processes making unusual changes to existing files, modifiying or creating automatic startup registry keys and startup locations (also known as auto-start extensibilty points, or ASEPs), and other changes to the file system or file structure. + + +## Configure and enable always-on protection + +You can configure how always-on protection works with the following Group Policy settings described in this section. + +To configure these settings: + +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. Click **Policies** then **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below. + +6. 
Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings. + + + + +Location | Setting | Description | Default setting (if not configured) +---|---|---|--- +Real-time protection | Monitor file and program activity on your computer | The AV engine makes note of any file changes (file writes, such as moves, copies, or modifications) and general program activity (programs that are opened or running and that cause other programs to run) | Enabled +Real-time protection | Scan all downloaded files and attachments | Downloaded files and attachments are automatically scanned. This operates in addition to Windows Defender SmartScreen filter, which scans files before and during downloading | Enabled +Real-time protection | Turn on process scanning whenever real-time protection is enabled | You can independently enable the AV engine to scan running processes for suspicious modifications or behaviors. This is useful if you have disabled real-time protection | Enabled +Real-time protection | Turn on behavior monitoring | The AV engine will monitor file processes, file and registry changes, and other events on your endpoints for suspicious and known malicious activity | Enabled +Real-time protection | Turn on raw volume write notifications | Information about raw volume writes will be analysed by behavior monitoring | Enabled +Real-time protection | Define the maximum size of downloaded files and attachments to be scanned | You can define the size in kilobytes | Enabled +Real-time protection | Configure monitoring for incoming and outgoing file and program activity | Specify whether monitoring should occur on incoming, outgoing, both, or neither direction. This is relevant for Windows Server installations where you have defined specific servers or server roles that see large amounts of file changes in only one direction and you want to improve network performance. 
Note that fully updated endpoints (and servers) on a network will see little performance impact irrespective of the number or direction of file changes. +Scan | Turn on heuristics | Heuristic protection will disable or block suspicious activity immediately before the AV engine is asked to detect the activity | Enabled (both directions) + + + + +## Disable real-time protection +> [!WARNING] +> Disabling real-time protection will drastically reduce the protection on your endpoints and is not recommended. + +The main real-time protection capability is enabled by default, but you can disable it with Group Policy: + +**Use Group Policy to diasble real-time protection:** + +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. Click **Policies** then **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender Antivirus > Real-time protection**. + +6. Double-click the **Turn off real-time protection** setting and set the option to **Enabled**. Click **OK**. + + + +## Related topics + +- [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md) +- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) \ No newline at end of file diff --git a/windows/keep-secure/configure-remediation-windows-defender-antivirus.md b/windows/keep-secure/configure-remediation-windows-defender-antivirus.md new file mode 100644 index 0000000000..bfc941c20c --- /dev/null +++ b/windows/keep-secure/configure-remediation-windows-defender-antivirus.md 
@@ -0,0 +1,17 @@ +--- +title: Remediate and resolve infections detected by Windows Defender AV +description: Configure what Windows Defender AV should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder +keywords: +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +--- + + + +# Configure remediation for Windows Defender AV scans \ No newline at end of file diff --git a/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md index 35dead1efe..011897e94c 100644 --- a/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md @@ -1,6 +1,6 @@ --- -title: Consume alerts and create custom indicators in Windows Defender Advanced Threat Protection -description: Learn how to configure supported security information and events management tools to receive and consume alerts and create custom indicators using REST API. +title: Pull alerts to your SIEM tools from Windows Defender Advanced Threat Protection +description: Learn how to use REST API and configure supported security information and events management tools to receive and pull alerts. keywords: configure siem, security information and events management tools, splunk, arcsight, custom indicators, rest api, alert definitions, indicators of compromise search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -11,7 +11,7 @@ author: mjcaparas localizationpriority: high --- -# Consume alerts and create custom indicators +# Pull alerts to your SIEM tools **Applies to:** 
@@ -21,8 +21,8 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -## Consume alerts using supported security information and events management (SIEM) tools -Windows Defender ATP supports (SIEM) tools to consume alerts. Windows Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to get alerts from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment. +## Pull alerts using supported security information and events management (SIEM) tools +Windows Defender ATP supports (SIEM) tools to pull alerts. Windows Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull alerts from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment. Windows Defender ATP currently supports the following SIEM tools: 
@@ -32,20 +32,26 @@ Windows Defender ATP currently supports the following SIEM tools: To use either of these supported SIEM tools you'll need to: -- [Configure an Azure Active Directory application for SIEM integration in your tenant](configure-aad-windows-defender-advanced-threat-protection.md) +- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) - Configure the supported SIEM tool: - - [Configure Splunk to consume alerts](configure-splunk-windows-defender-advanced-threat-protection.md) - - [Configure HP ArcSight to consume alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) + - [Configure Splunk to pull alerts](configure-splunk-windows-defender-advanced-threat-protection.md) + - [Configure HP ArcSight to pull alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) -## Create custom threat indicators in Windows Defender ATP -You can also create custom threat indicators using the available REST API so that you can create specific alerts that are applicable to your organization. +For more information on the list of fields exposed in the alerts API see, [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md). + + +## Pull Windows Defender ATP alerts using REST API +Windows Defender ATP supports the OAuth 2.0 protocol to pull alerts using REST API. + +For more information, see [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md). -For more information, see [Create custom threat indicators (TI) using REST API](custom-ti-api-windows-defender-advanced-threat-protection.md). 
## In this section Topic | Description :---|:--- -[Configure an Azure Active Directory application](configure-aad-windows-defender-advanced-threat-protection.md)| Learn about configuring an Azure Active Directory application to integrate with supported security information and events management (SIEM) tools. - [Configure Splunk](configure-splunk-windows-defender-advanced-threat-protection.md)| Learn about installing the REST API Modular Input app and other configuration settings to enable Splunk to consume Windows Defender ATP alerts. - [Configure ArcSight](configure-arcsight-windows-defender-advanced-threat-protection.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to consume Windows Defender ATP alerts. +[Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)| Learn about enabling the SIEM integration feature in the **Preferences setup** page in the portal so that you can use and generate the required information to configure supported SIEM tools. +[Configure Splunk](configure-splunk-windows-defender-advanced-threat-protection.md)| Learn about installing the REST API Modular Input app and other configuration settings to enable Splunk to pull Windows Defender ATP alerts. +[Configure ArcSight](configure-arcsight-windows-defender-advanced-threat-protection.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Windows Defender ATP alerts. +[Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) | Understand what data fields are exposed as part of the alerts API and how they map to the Windows Defender ATP portal. 
+[Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) | Use the Client credentials OAuth 2.0 flow to pull alerts from Windows Defender ATP using REST API. diff --git a/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md index 8dc36252d3..f40c7d579d 100644 --- a/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md @@ -1,6 +1,6 @@ --- -title: Configure Splunk to consume Windows Defender ATP alerts -description: Configure Splunk to receive and consume alerts from the Windows Defender ATP portal. +title: Configure Splunk to pull Windows Defender ATP alerts +description: Configure Splunk to receive and pull alerts from the Windows Defender ATP portal. keywords: configure splunk, security information and events management tools, splunk search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -11,7 +11,7 @@ author: mjcaparas localizationpriority: high --- -# Configure Splunk to consume Windows Defender ATP alerts +# Configure Splunk to pull Windows Defender ATP alerts **Applies to:** 
@@ -21,16 +21,19 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -You'll need to configure Splunk so that it can consume Windows Defender ATP alerts. +You'll need to configure Splunk so that it can pull Windows Defender ATP alerts. ## Before you begin - Install the [REST API Modular Input app](https://splunkbase.splunk.com/app/1546/) in Splunk. -- Obtain your refresh token. For more information, see [Obtain a refresh token](configure-aad-windows-defender-advanced-threat-protection.md#obtain-a-refresh-token). -- Get the following information from your Azure Active Directory (AAD) application by selecting **View Endpoint** on the application configuration page: - - OAuth 2 Token refresh URL - - OAuth 2 Client ID - - OAuth 2 Client secret +- Make sure you have enabled the **SIEM integration** feature from the **Preferences setup** menu. For more information, see [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) + +- Have the details file you saved from enabling the **SIEM integration** feature ready. You'll need to get the following values: + - OAuth 2 Token refresh URL + - OAuth 2 Client ID + - OAuth 2 Client secret + +- Have the refresh token that you generated from the SIEM integration feature ready. ## Configure Splunk 
@@ -39,14 +42,16 @@ You'll need to configure Splunk so that it can consume Windows Defender ATP aler 2. Click **Search & Reporting**, then **Settings** > **Data inputs**. 3. Click **REST** under **Local inputs**. -> [!NOTE] -> This input will only appear after you install the [REST API Modular Input app](https://splunkbase.splunk.com/app/1546/). + + NOTE: + This input will only appear after you install the [REST API Modular Input app](https://splunkbase.splunk.com/app/1546/). 4. Click **New**. 5. Type the following values in the required fields, then click **Save**: -> [!NOTE] ->All other values in the form are optional and can be left blank. + + NOTE: + All other values in the form are optional and can be left blank. @@ -56,8 +61,7 @@ You'll need to configure Splunk so that it can consume Windows Defender ATP aler - @@ -66,16 +70,24 @@ You'll need to configure Splunk so that it can consume Windows Defender ATP aler + + + + + + + + - + - + - + @@ -102,11 +114,27 @@ You'll need to configure Splunk so that it can consume Windows Defender ATP aler After completing these configuration steps, you can go to the Splunk dashboard and run queries. -You can use the following query as an example in Splunk:
        -```source="rest://windows atp alerts"|spath|table*``` +## View alerts using Splunk solution explorer +Use the solution explorer to view alerts in Splunk. + +1. In Splunk, go to **Settings** > **Searchers, reports, and alerts**. + +2. Select **New**. + +3. Enter the following details: + - Destination app: Select Search & Reporting (search) + - Search name: Enter a name for the query + - Search: Enter a query, for example:
        + `source="rest://windows atp alerts"|spath|table*` + + Other values are optional and can be left with the default values. +4. Click **Save**. The query is saved in the list of searches. + +5. Find the query you saved in the list and click **Run**. The results are displayed based on your query. ## Related topics -- [Configure security information and events management (SIEM) tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md) -- [Configure Azure Active Directory application for SIEM integration](configure-aad-windows-defender-advanced-threat-protection.md) -- [Configure HP ArcSight to consume alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) +- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) +- [Configure ArcSight](configure-arcsight-windows-defender-advanced-threat-protection.md) +- [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) +- [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/configure-windows-defender-antivirus-features.md b/windows/keep-secure/configure-windows-defender-antivirus-features.md new file mode 100644 index 0000000000..d1da91abab --- /dev/null +++ b/windows/keep-secure/configure-windows-defender-antivirus-features.md 
@@ -0,0 +1,54 @@ +--- +title: Configure Windows Defender Antivirus features (Windows 10) +description: You can configure features for Windows Defender Antivirus using Configuration Manager, MDM software (such as Intune), PowerShell, and with Group Policy settings. +keywords: windows defender antivirus, antimalware, security, defender, configure, configuration, Config Manager, System Center Configuration Manager, SCCM, Intune, MDM, mobile device management, GP, group policy, PowerShell +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +--- + +# Configure Windows Defender Antivirus features + + +**Applies to:** + +- Windows 10 + +**Audience** + +- Enterprise security administrators + +Windows Defender Antivirus can be configured with a number of tools, including: + +- Group Policy settings +- System Center Configuration Manager +- PowerShell cmdlets +- Windows Management Instrumentation (WMI) +- Microsoft Intune + + +The following broad categories of features can be configured: + +- Cloud-delivered protection +- Always-on real-time protection, including behavioral, heuristic, and machine-learning-based protection +- How end-users interact with the client on individual endpoints + +The topics in this section describe how to perform key tasks when configuring Windows Defender AV. Each topic includes instructions for the applicable configuration tool (or tools). + +You can also review the [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md) topic for an overview of each tool and links to further help. 
+ + +## In this section +Topic | Description +:---|:--- +[Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) | Cloud-delivered protection provides an advanced level of fast, robust antivirus detection +[Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md)|Enable behavior-based, heuristic, and real-time protection in Windows Defender AV +[Configure end-user interaction with WDAM](configure-end-user-interaction-windows-defender-antivirus.md)|Configure how end-users interact with Windows Defender AV, what notifications they see, and if they can override settings + + + diff --git a/windows/keep-secure/configure-windows-defender-in-windows-10.md b/windows/keep-secure/configure-windows-defender-in-windows-10.md index 93469dafa2..32dc5bdf7d 100644 --- a/windows/keep-secure/configure-windows-defender-in-windows-10.md +++ b/windows/keep-secure/configure-windows-defender-in-windows-10.md @@ -1,6 +1,6 @@ --- title: Configure and use Windows Defender in Windows 10 -description: IT professionals can configure definition updates and cloud-based protection in Windows Defender in Windows 10 through Microsoft Active Directory and Windows Server Update Services (WSUS). +description: IT professionals can configure definition updates and cloud-based protection in Windows Defender in Windows 10 through Microsoft Active Directory and Windows Server Update Services (WSUS). ms.assetid: 22649663-AC7A-40D8-B1F7-5CAD9E49653D ms.prod: w10 ms.mktglfcycl: manage 
@@ -8,197 +8,9 @@ ms.sitesec: library ms.pagetype: security localizationpriority: medium author: jasesso +redirect_url: /itpro/windows/keep-secure/deploy-manage-report-windows-defender-antivirus/ --- # Configure Windows Defender in Windows 10 -**Applies to** -- Windows 10 - -You can configure definition updates and cloud-based protection in Windows Defender in Windows 10 through Microsoft Active Directory and Windows Server Update Services (WSUS). - -You can also enable and configure the Microsoft Active Protection Service to ensure endpoints are protected by cloud-based protection technologies. - -## Configure definition updates - -It is important to update definitions regularly to ensure that your endpoints are protected. Definition updates can be configured to suit the requirements of your organization. - -Windows Defender supports the same updating options (such as using multiple definition sources) as other Microsoft endpoint protection products; for more information, see [Configuring Definition Updates](https://technet.microsoft.com/library/gg412502.aspx). - -When you configure multiple definition sources in Windows Defender, you can configure the fallback order using the following values through *Group Policy* settings: - -- InternalDefinitionUpdateServer - WSUS -- MicrosoftUpdateServer - Microsoft Update -- MMPC - [Microsoft Malware Protection Center definitions page](http://www.microsoft.com/security/portal/definitions/adl.aspx) -- FileShares - file share - -Read about deploying administrative template files for Windows Defender in the article [Description of the Windows Defender Group Policy administrative template settings](https://support.microsoft.com/kb/927367). - -You can also manage your Windows Defender update configuration settings through System Center Configuration Manager. See [How to Configure Definition Updates for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/jj822983.aspx) for details. 
- -## Definition update logic - -You can update Windows Defender definitions in four ways depending on your business requirements: - -- WSUS, the managed server. You can manage the distribution of updates that are released through Microsoft Update to computers in your enterprise environment; read more on the [Windows Server Update Services](https://technet.microsoft.com/windowsserver/bb332157.aspx) website. -- Microsoft Update, the unmanaged server. You can use this method to get regular updates from Microsoft Update. -- The [Microsoft Malware Protection Center definitions page](http://www.microsoft.com/security/portal/definitions/adl.aspx), as an alternate download location. You can use this method if you want to download the latest definitions. -- File share, where the definition package is downloaded. You can retrieve definition updates from a file share. The file share must be provisioned on a regular basis with the update files. - -## Update Windows Defender definitions through Active Directory and WSUS - -This section details how to update Windows Defender definitions for Windows 10 endpoints through Active Directory and WSUS. -
        Endpoint URLDepending on the location of your datacenter, select either the EU or the US URL:

        **For EU**: https://wdatp-alertexporter-eu.windows.com/api/alerts
        **For US:** https://wdatp-alertexporter-us.windows.com/api/alerts - +
        Depending on the location of your datacenter, select either the EU or the US URL:

        **For EU**: `https://wdatp-alertexporter-eu.securitycenter.windows.com/api/alerts`
        **For US:**` https://wdatp-alertexporter-us.securitycenter.windows.com/api/alerts`
        HTTP MethodAuthentication Type oauth2
        OAuth 2 Access tokenUse the value that you generated when you enabled the SIEM integration feature.

        NOTE: The access token expires after an hour.
        OAuth 2 Refresh TokenUse the value that you generated when you enabled the **SIEM integration** feature.
        OAuth 2 Token Refresh URL Value taken from AAD applicationUse the value from the details file you saved when you enabled the **SIEM integration** feature.
        OAuth 2 Client IDValue taken from AAD applicationUse the value from the details file you saved when you enabled the **SIEM integration** feature.
        OAuth 2 Client SecretValue taken from AAD applicationUse the value from the details file you saved when you enabled the **SIEM integration** feature.
        Response type
        ---- - - - - - - - - - - - - - - - - - - - - - - - - -
        MethodInstructions

        WSUS

        See [Software Updates and Windows Server Update Services Definition Updates](https://technet.microsoft.com/library/gg398036.aspx) in the [Configuring Definition Updates](https://technet.microsoft.com/library/gg412502.aspx) topic that also applies to Windows Defender.

        Microsoft Update

        Set the following fallback order Group Policy to enable Microsoft Update:

        -
          -
        1. Open the Group Policy Editor.
        2. -
        3. In the Local Computer Policy tree, expand Computer Configuration, then Administrative Templates, then Windows Components, then Windows Defender.
        4. -
        5. Click on Signature Updates.
        6. -
        7. Double-click on Define the order of sources for downloading definition updates.

          -

          This will open the Define the order of sources for downloading definition updates window.

        8. -
        9. Click Enable.
        10. -
        11. In the Options pane, define the following Group Policy to enable Microsoft Update:

          -

          {MicrosoftUpdateServer}

          -

          "Define the order of sources for downloading definition updates" field

        12. -
        13. Click OK.

          -

          The window will close automatically.

        14. -

        [Microsoft Malware Protection Center definitions page](http://www.microsoft.com/security/portal/definitions/adl.aspx)

        Set the following fallback order Group Policy to enable Windows Defender to download updated signatures:

        -
          -
        1. Open the Group Policy Editor.
        2. -
        3. In the Local Computer Policy tree, expand Computer Configuration, then Administrative Templates, then Windows Components, then Windows Defender.
        4. -
        5. Click on Signature Updates.
        6. -
        7. Double-click on Define the order of sources for downloading definition updates.

          -

          This will open the Define the order of sources for downloading definition updates window.

        8. -
        9. Click Enable.
        10. -
        11. In the Options pane, define the following Group Policy to enable Windows Defender to download updated signatures:

          -

          {MMPC}

          -

          "Define the order of sources for downloading definition updates" field

        12. -
        13. Click OK.

          -

          The window will close automatically.

        14. -

        File share

        -
          -
        1. Open the Group Policy Editor.
        2. -
        3. In the Local Computer Policy tree, expand Computer Configuration, then Administrative Templates, then Windows Components, then Windows Defender.
        4. -
        5. Click on Signature Updates.
        6. -
        7. Double-click on Define the order of sources for downloading definition updates.

          -

          This will open the Define the order of sources for downloading definition updates window:

        8. -
        9. Click Enable.
        10. -
        11. In the Options pane, define the following Group Policy to enable Windows Defender to download updated signatures:

          -

          {FileShares}

          -

          "Define the order of sources for downloading definition updates" field

        12. -
        13. Click OK.

          -

          The window will close automatically.

        14. -
        15. Double-click on Define file shares for downloading definition updates.

          -

          This will open the Define file shares for downloading definition updates window.

        16. -
        17. Click Enable.
        18. -
        19. In the Options pane, define the following Group Policy to specify the Universal Naming Convention (UNC) share source:

          -

          {\\unc1\\unc2} - where you define [unc] as the UNC shares.

          -

          "Define the file shares for downloading definition updates" field

        20. -
        21. Click OK.

          -

          The window will close automatically.

        22. -
        -  -## Manage cloud-based protection - -Windows Defender offers improved cloud-based protection and threat intelligence for endpoint protection clients using the Microsoft Active Protection Service. Read more about the Microsoft Active Protection Service community in [Join the Microsoft Active Protection Service community](http://windows.microsoft.com/windows-8/join-maps-community). - -You can enable or disable the Microsoft Active Protection Service using *Group Policy* settings and administrative template files. - -More information on deploying administrative template files for Windows Defender is available in the article [Description of the Windows Defender Group Policy administrative template settings](https://support.microsoft.com/kb/927367). - -The Microsoft Active Protection Service can be configured with the following *Group Policy* settings: - -1. Open the **Group Policy Editor**. -2. In the **Local Computer Policy** tree, expand **Computer Configuration**, then **Administrative Templates**, then **Windows Components**, then **Windows Defender**. -3. Click on **MAPS**. -4. Double-click on **Join Microsoft MAPS**. -5. Select your configuration option from the **Join Microsoft MAPS** list. - - >**Note:**  Any settings modified on an endpoint will be overridden by the administrator's policy setting. 
-   -Use the Windowsdefender.adm *Group Policy* template file to control the policy settings for Windows Defender in Windows 10: - -Policy setting: **Configure Microsoft SpyNet Reporting** - -Registry key name: **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\SpyNet\\SpyNetReporting** - -Policy description: **Adjusts membership in Microsoft Active Protection Service** - -You can also configure preferences using the following PowerShell parameters: - -- Turn Microsoft Active Protection Service off: *Set-MpPreference -MAPSReporting 0* -- Turn Microsoft Active Protection Service on: *Set-MpPreference -MAPSReporting 2* - -Read more about this in: - -- [Scripting with Windows PowerShell](https://technet.microsoft.com/library/bb978526.aspx) -- [Defender Cmdlets](https://technet.microsoft.com/library/dn433280.aspx) - ->**Note:**  Any information that Windows Defender collects is encrypted in transit to our servers, and then stored in secure facilities. Microsoft takes several steps to avoid collecting any information that directly identifies you, such as your name, email address, or account ID. -  -Read more about how to manage your privacy settings in [Setting your preferences for Windows 10 services](http://windows.microsoft.com/windows-10/services-setting-preferences). - -## Opt-in to Microsoft Update - -You can use Microsoft Update to keep definitions on mobile computers running Windows Defender in Windows 10 up to date when they are not connected to the corporate network. If the mobile computer doesn't have a [Windows Server Update Service](https://technet.microsoft.com/windowsserver/bb332157.aspx) (WSUS) connection, the signatures will still come from Microsoft Update. This means that signatures can be pushed down (via Microsoft Update) even if WSUS overrides Windows Update. - -You need to opt-in to Microsoft Update on the mobile computer before it can retrieve the definition updates from Microsoft Update. 
- -There are two ways you can opt-in to Microsoft Update in Windows Defender for Windows 10: - -1. Use a VBScript to create a script, then run it on each computer in your network. -2. Manually opt-in every computer on your network through the **Settings** menu. - -You can create a VBScript and run it on each computer on your network; this is an efficient way to opt-in to Microsoft Update. - -**Use a VBScript to opt in to Microsoft Update** - -1. Use the instructions in the MSDN article [Opt-In to Microsoft Update](https://msdn.microsoft.com/library/windows/desktop/aa826676.aspx) to create the VBScript. -2. Run the VBScript you created on each computer in your network. - -You can manually opt-in each individual computer on your network to receive Microsoft Update. - -**Manually opt-in to Microsoft Update** - -1. Open **Windows Update** in **Update & security** settings on the computer you want to opt-in. -2. Click **Advanced** options. -3. Select the checkbox for **Give me updates for other Microsoft products when I update Windows**. - -## Schedule updates for Microsoft Update - -Opting-in to Microsoft Update means that your system administrator can schedule updates to your mobile computer, so that it keeps up-to-date with the latest software versions and security definitions, even when you’re on the road. - -For more information on scheduling updates, see [Configure definition updates](https://technet.microsoft.com/library/mt622088.aspx#configure-definition-updates). - -## Related topics - -- [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md) -- [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md) +This page has been redirected to *Windows Defender Antivirus in Windows 10*. diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 5fdb54b819..dab9e6eabd 100644 --- a/windows/keep-secure/credential-guard.md 
+++ b/windows/keep-secure/credential-guard.md 
@@ -316,7 +316,7 @@ DG_Readiness_Tool_v3.0.ps1 -Ready - **Event ID 16** Credential Guard (LsaIso.exe) failed to launch: \[error code\] - **Event ID 17** Error reading Credential Guard (LsaIso.exe) UEFI configuration: \[error code\] You can also verify that TPM is being used for key protection by checking the following event in the **Microsoft** -> **Windows** -> **Kernel-Boot** event source. If you are running with a TPM, the TPM PCR mask value will be something other than 0. - - **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0. + - **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0. - Passwords are still weak so we recommend that your organization deploy Credential Guard and move away from passwords and to other authentication methods, such as physical smart cards, virtual smart cards, or Windows Hello for Business. - Some 3rd party Security Support Providers (SSPs and APs) might not be compatible with Credential Guard. Credential Guard does not allow 3rd party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs are not supported. We recommend that custom implementations of SSPs/APs are tested against Credential Guard to ensure that the SSPs and APs do not depend on any undocumented or unsupported behaviors. For example, using the KerbQuerySupplementalCredentialsMessage API is not supported. You should not replace the NTLM or Kerberos SSPs with custom SSPs and APs. For more info, see [Restrictions around Registering and Installing a Security Package](http://msdn.microsoft.com/library/windows/desktop/dn865014.aspx) on MSDN. 
- As the depth and breadth of protections provided by Credential Guard are increased, subsequent releases of Windows 10 with Credential Guard running may impact scenarios that were working in the past. For example, Credential Guard may block the use of a particular type of credential or a particular component to prevent malwar efrom taking advantage of vulnerabilities. Therefore, we recommend that scenarios required for operations in an organization are tested before upgrading a device that has Credential Guard running.
diff --git a/windows/keep-secure/custom-ti-api-windows-defender-advanced-threat-protection.md b/windows/keep-secure/custom-ti-api-windows-defender-advanced-threat-protection.md
index 8c54c753a6..18a8804998 100644
--- a/windows/keep-secure/custom-ti-api-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/custom-ti-api-windows-defender-advanced-threat-protection.md
@@ -1,5 +1,5 @@
 ---
-title: Create custom threat intelligence using REST API in Windows Defender ATP
+title: Create threat intelligence using REST API in Windows Defender ATP
 description: Create your custom alert definitions and indicators of compromise in Windows Defender ATP using the available APIs in Windows Enterprise, Education, and Pro editions.
 keywords: alert definitions, indicators of compromise, threat intelligence, custom threat intelligence, rest api, api
 search.product: eADQiWindows 10XVcnh
@@ -21,8 +21,6 @@ localizationpriority: high
 - Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
-
 You can define custom alert definitions and indicators of compromise (IOC) using the threat intelligence API. Creating custom threat intelligence alerts allows you to generate specific alerts that are applicable to your organization.
 ## Before you begin
@@ -54,6 +52,44 @@ For this URL:
 **Quotas**
        Each tenant has a defined quota that limits the number of possible alert definitions, IOCs and another quota for IOCs of Action different than “equals” in the system. If you upload data beyond this quota, you'll encounter an HTTP error status code 507 (Insufficient Storage).
+## Request an access token from the token issuing endpoint
+Windows Defender ATP Threat Intelligence API uses OAuth 2.0. In the context of Windows Defender ATP, the alert definitions are a protected resource. To issue tokens for ad-hoc, non-automatic operations you can use the **Preferences settings** page and click the **Generate Token** button. However, if you’d like to create an automated client, you need to use the “Client Credentials Grant” flow. For more information, see the [OAuth 2.0 authorization framework](https://tools.ietf.org/html/rfc6749#section-4.4).
+
+For more information about the authorization flow, see [OAuth 2.0 authorization flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-code#oauth-20-authorization-flow).
+
+Make an HTTP POST request to the token issuing endpoint with the following parameters, replacing ``, ``, and `` with your app's client ID, client secret and authorization server URL.
+
+>[!NOTE]
+> The authorization server URL is `https://login.windows.net//oauth2/token`. Replace `` with your Azure Active Directory tenant ID.
+
+>[!NOTE]
+> The ``, ``, and the `` are all provided to you when enabling the custom threat intelligence application. For more information, see [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md).
+
+
+```
+POST HTTP/1.1
+Content-Type: application/x-www-form-urlencoded
+
+grant_type=client_credentials
+&client_id=
+&client_secret=
+&resource=https://graph.microsoft.com
+```
+The response will include an access token and expiry information.
+
+```json
+{
+ "token_type": "Bearer",
+ "expires_in": "3599",
+ "ext_expires_in": "0",
+ "expires_on": "1449685363",
+ "not_before": "1449681463",
+ "resource": "https://graph.microsoft.com",
+ "access_token": ""
+}
+
+```
+
 ## Threat intelligence API metadata
 The metadata document ($metadata) is published at the service root.
diff --git a/windows/keep-secure/customize-run-review-remediate-scans-windows-defender-antivirus.md b/windows/keep-secure/customize-run-review-remediate-scans-windows-defender-antivirus.md
new file mode 100644
index 0000000000..ac57f3e615
--- /dev/null
+++ b/windows/keep-secure/customize-run-review-remediate-scans-windows-defender-antivirus.md
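Review bot: The client-credentials request added at the end of the hunk sends the app's client secret in the POST body, but the new text gives no guidance on protecting it, even though the preceding note says the secret is handed out when the custom threat intelligence application is enabled. Suggest adding after the response sample: `> [!NOTE]` / `> Treat the client secret as a credential for the application itself: store it in a secret store, keep it out of scripts and source control, and rotate it if it is exposed.` As rendered, the values in `&client_id=`, `&client_secret=` and the target of the `POST HTTP/1.1` line are empty, so the sample cannot be followed; presumably the angle-bracket placeholders were dropped on rendering and should be escaped or spelled out (for example `&client_id={client_id}`). The response sample shows `expires_in` of 3599 seconds and no refresh token, so an automated client should request a fresh token when it expires rather than caching it indefinitely.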
@@ -0,0 +1,40 @@
+---
+title: Run and customize scheduled and on-demand scans
+description: Customize and initiate scans using Windows Defender AV on endpoints across your network.
+keywords: scan, schedule, customize, exclusions, exclude files, remediation, scan results, quarantine, remove threat, quick scan, full scan
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Customize, initiate, and review the results of Windows Defender AV scans and remediation
+
+**Applies to:**
+
+- Windows 10
+
+**Audience**
+
+- Enterprise security administrators
+
+
+You can use Group Policy, PowerShell, and Windows Management Instrumentation (WMI) to configure scans run by Windows Defender Antivirus.
+
+
+
+## In this section
+
+Topic | Description
+---|---
+[Exclude files and processes from scans](configure-exclusions-windows-defender-antivirus.md) | You can exclude files (including files modified by specified processes) and folders from on-demand scans, scheduled scans, and always-on real-time protection monitoring and scanning
+[Configure email, removable storage, network, reparse point, and archive scanning](configure-advanced-scan-types-windows-defender-antivirus.md) | You can configure Windows Defender AV to include certain types of email storage files, back-up or reparse points, and archived files (such as .zip files) in scans. You can also enable network file scanning
+[Configure remediation for scans](configure-remediation-windows-defender-antivirus.md) | Configure what Windows Defender AV should do when it detects a threat, and how long quarantined files should be retained in the quaratine folder
+[Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md) | Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans
+[Configure and run scans](run-scan-windows-defender-antivirus.md) | Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Defender Security Center app
+[Review scan results](review-scan-results-windows-defender-antivirus.md) | Review the results of scans using System Center Configuration Manager, Microsoft Intune, or the Windows Defender Security Center app
+
diff --git a/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md b/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md
index c2c75d2d52..e8de1cb1b4 100644
--- a/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md
@@ -21,8 +21,6 @@ localizationpriority: high
 - Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
-
 The **Dashboard** displays a snapshot of:
 - The latest active alerts on your network
@@ -55,17 +53,17 @@ This tile shows you a list of machines with the highest number of active alerts.
 Click the name of the machine to see details about that machine. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines view](investigate-machines-windows-defender-advanced-threat-protection.md).
-You can also click **Machines view** at the top of the tile to go directly to the **Machines view**, sorted by the number of active alerts. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines view](investigate-machines-windows-defender-advanced-threat-protection.md).
+You can also click **Machines list** at the top of the tile to go directly to the **Machines view**, sorted by the number of active alerts. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines view](investigate-machines-windows-defender-advanced-threat-protection.md).
 ## Users at risk
 The tile shows you a list of user accounts with the most active alerts. The total number of alerts for each user is shown in a circle next to the user account, and then further categorized by severity levels at the far end of the tile (hover over each severity bar to see its label).
 ![User accounts at risk tile shows a list of user accounts with the highest number of alerts and a breakdown of the severity of the alerts](images/atp-users-at-risk.png)
-Click the user account to see details about the user account. For more information see [Investigate a user entity in Windows Defender Advanced Threat Protection]
+Click the user account to see details about the user account. For more information see [Investigate a user account](investigate-user-windows-defender-advanced-threat-protection.md).
 ## Machines with active malware detections
-The **Machines with active malware detections** tile will only appear if your endpoints are using Windows Defender.
+The **Machines with active malware detections** tile will only appear if your endpoints are using Windows Defender Antivirus.
 Active malware is defined as threats that were actively executing at the time of detection.
@@ -86,7 +84,7 @@ Threats are considered "active" if there is a very high probability that the mal
 Clicking on any of these categories will navigate to the [Machines view](investigate-machines-windows-defender-advanced-threat-protection.md), filtered by the appropriate category. This lets you see a detailed breakdown of which machines have active malware detections, and how many threats were detected per machine.
 > [!NOTE]
-> The **Machines with active malware detections** tile will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
+> The **Machines with active malware detections** tile will only appear if your endpoints are using [Windows Defender Antivirus](https://technet.microsoft.com/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
 ## Sensor health
 The **Sensor health** tile provides information on the individual endpoint’s ability to provide sensor data to the Windows Defender ATP service. It reports how many machines require attention and helps you identify problematic machines.
@@ -97,7 +95,7 @@ There are two status indicators that provide information on the number of machin
 - **Inactive** - Machines that have stopped reporting to the Windows Defender ATP service for more than seven days in the past month.
 - **Misconfigured** – These machines might partially be reporting telemetry to the Windows Defender ATP service and might have configuration errors that need to be corrected.
-When you click any of the groups, you’ll be directed to machines view, filtered according to your choice. For more information, see [Check sensor health state](check-sensor-status-windows-defender-advanced-threat-protection.md) and [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md).
+When you click any of the groups, you’ll be directed to machines list, filtered according to your choice. For more information, see [Check sensor health state](check-sensor-status-windows-defender-advanced-threat-protection.md) and [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md).
 ## Service health
 The **Service health** tile informs you if the service is active or if there are issues.
diff --git a/windows/keep-secure/defender-compatibility-windows-defender-advanced-threat-protection.md b/windows/keep-secure/defender-compatibility-windows-defender-advanced-threat-protection.md
index 9c17747345..de668b5c69 100644
--- a/windows/keep-secure/defender-compatibility-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/defender-compatibility-windows-defender-advanced-threat-protection.md
@@ -22,12 +22,12 @@ localizationpriority: high
 - Windows Defender
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-The Windows Defender Advanced Threat Protection agent depends on Windows Defender for some capabilities such as file scanning.
+The Windows Defender Advanced Threat Protection agent depends on Windows Defender Antivirus for some capabilities such as file scanning.
-If an onboarded endpoint is protected by a third-party antimalware client, Windows Defender on that endpoint will enter into passive mode.
+If an onboarded endpoint is protected by a third-party antimalware client, Windows Defender Antivirus on that endpoint will enter into passive mode.
-Windows Defender will continue to receive updates, and the *mspeng.exe* process will be listed as a running a service, but it will not perform scans and will not replace the running third-party antimalware client.
+Windows Defender Antivirus will continue to receive updates, and the *mspeng.exe* process will be listed as a running a service, but it will not perform scans and will not replace the running third-party antimalware client.
-The Windows Defender interface will be disabled, and users on the endpoint will not be able to use Windows Defender to perform on-demand scans or configure most options.
+The Windows Defender Antivirus interface will be disabled, and users on the endpoint will not be able to use Windows Defender Antivirus to perform on-demand scans or configure most options.
-For more information, see the **Compatibility** section in the [Windows Defender in Windows 10 topic](windows-defender-in-windows-10.md).
+For more information, see the **Compatibility** section in the [Windows Defender Antivirus in Windows 10 topic](windows-defender-in-windows-10.md).
diff --git a/windows/keep-secure/deploy-manage-report-windows-defender-antivirus.md b/windows/keep-secure/deploy-manage-report-windows-defender-antivirus.md
new file mode 100644
index 0000000000..18cfd5e134
--- /dev/null +++ b/windows/keep-secure/deploy-manage-report-windows-defender-antivirus.md 
@@ -0,0 +1,94 @@
+---
+title: Deploy, manage, and report on Windows Defender Antivirus
+description: You can deploy and manage Windows Defender Antivirus with Group Policy, Configuration Manager, WMI, PowerShell, or Intune
+keywords: deploy, manage, update, protection, windows defender antivirus
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Deploy, manage, and report on Windows Defender Antivirus
+
+**Applies to:**
+
+- Windows 10
+
+**Audience**
+
+- IT administrators
+
+You can deploy, manage, and report on Windows Defender Antivirus in a number of ways.
+
+As the Windows Defender AV client is installed as a core part of Windows 10, traditional deployment of a client to your endpoints does not apply.
+
+However, in most cases you will still need to enable the protection service on your endpoints with System Center Configuration Manager, Microsoft Intune, Azure Secrutiy Center, or Group Policy Objects, which is described in the following table.
+
+You'll also see additional links for:
+- Managing Windows Defender Antivirus protection, including managing product and protection updates
+- Reporting on Windows Defender Antivirus protection
+
+> [!IMPORTANT]
+> In most cases, Windows 10 will disable Windows Defender Antivirus if it finds another antivirus product running and up-to-date. You must disable or uninstall third-party antivirus products before Windows Defender Antivirus will be functioning. If you re-enable or install third-part antivirus products, then Windows 10 will automatically disable Windows Defender Antivirus.
+
+
+Tool|Deployment options (1)|Management options (network-wide configuration and policy or baseline deployment) ([2](#fn2))|Reporting options
+---|---|---|---
+System Center Configuration Manager ([3](#fn3))|Use the [Endpoint Protection point site system role][] and [enable Endpoint Protection with custom client settings][]|With [default and customized antimalware policies][] and [client management][]|With the default [Configuration Manager Monitoring workspace][] and [email alerts][]
+Microsoft Intune|[Deploy the Microsoft Intune client to endpoints][]|Use and deploy a [custom Intune policy][] and use the Intune console to [manage tasks][]|[Monitor endpoint protection in the Microsoft Intune administration console][]
+Windows Management Instrumentation|Deploy with Group Policy, System Center Configuration Manager, or manually on individual endpoints.|Use the [Set method of the MSFT_MpPreference class][] and the [Update method of the MSFT_MpSignature class][]|Use the [MSFT_MpComputerStatus][] class and the get method of associated classes in the [Windows Defender WMIv2 Provider][]
+PowerShell|Deploy with Group Policy, System Center Configuration Manager, or manually on individual endpoints.|Use the [Set-MpPreference][] and [Update-MpSignature] [] cmdlets available in the Defender module|Use the appropriate [Get- cmdlets available in the Defender module][]
+Group Policy and Active Directory (domain-joined)|Use a Group Policy Object to deploy configuration changes and ensure Windows Defender Antivirus is enabled.|Use Group Policy Objects (GPOs) to [Configure update options for Windows Defender Antivirus][] and [Configure Windows Defender features][]|Endpoint reporting is not available with Group Policy. 
You can generate a list of [Group Policies to determine if any settings or policies are not applied][]
+Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by using Visual Studio virtual machine configuration, or using Azure PowerShell cmdlets](https://docs.microsoft.com/en-us/azure/security/azure-security-antimalware#antimalware-deployment-scenarios). You can also [Install Endpoint protection in Azure Security Center](https://docs.microsoft.com/en-us/azure/security-center/security-center-install-endpoint-protection)|Configure [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/en-us/powershell/servicemanagement/azure.antimalware/v3.4.0/azure.antimalware) or [use code samples](https://gallery.technet.microsoft.com/Antimalware-For-Azure-5ce70efe)|Use [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/en-us/powershell/servicemanagement/azure.antimalware/v3.4.0/azure.antimalware) to enable monitoring. You can also review usage reports in Azure Active Directory to determine suspicious activity, including the [Possibly infected devices][] report and configure an SIEM tool to report on [Windows Defender Antivirus events][] and add that tool as an app in AAD.
+
+1. The availability of some functions and features, especially related to cloud-delivered protection, differ between System Center Configuration Manager, current branch (for example, System Center Configuration Manager 2016) and System Center Configuration Manager 2012. In this library, we've focused on Windows 10, Windows Server 2016, and System Center Configuration Manager, current branch (2016). See the [Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) topic for a table that describes the major differences. [(Return to table)](#ref1)
+
+1. 
Configuration of features and protection, including configuring product and protection updates, are further described in the [Configure Windows Defender Antivirus features](configure-notifications-windows-defender-antivirus.md) section in this library. [(Return to table)](#ref2)
+
+1. In Windows 10, Windows Defender Antivirus is a component available without installation or deployment of an additional client or service. It will automatically be enabled when third-party antivirus products are either uninstalled or out of date. Traditional deployment therefore is not required. Deployment here refers to ensuring the Windows Defender Antivirus component is available and enabled on endpoints or servers. [(Return to table)](#ref3)
+
+
+
+
+
+[Endpoint Protection point site system role]: https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-protection-site-role
+[default and customized antimalware policies]: https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies
+[client management]: https://docs.microsoft.com/en-us/sccm/core/clients/manage/manage-clients
+[enable Endpoint Protection with custom client settings]: https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-protection-configure-client
+[Configuration Manager Monitoring workspace]: https://docs.microsoft.com/en-us/sccm/protect/deploy-use/monitor-endpoint-protection
+[email alerts]: https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-configure-alerts
+[Deploy the Microsoft Intune client to endpoints]: https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune
+[custom Intune policy]: https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#configure-microsoft-intune-endpoint-protection
+ [custom Intune policy]: 
https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#configure-microsoft-intune-endpoint-protection
+[manage tasks]: https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#choose-management-tasks-for-endpoint-protection
+[Monitor endpoint protection in the Microsoft Intune administration console]: https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#monitor-endpoint-protection
+[Set method of the MSFT_MpPreference class]: https://msdn.microsoft.com/en-us/library/dn439474
+[Update method of the MSFT_MpSignature class]: https://msdn.microsoft.com/en-us/library/dn439474
+[MSFT_MpComputerStatus]: https://msdn.microsoft.com/en-us/library/dn455321
+[Windows Defender WMIv2 Provider]: https://msdn.microsoft.com/en-us/library/dn439477
+[Set-MpPreference]: https://technet.microsoft.com/itpro/powershell/windows/defender/set-mppreference.md
+[Update-MpSignature]: https://technet.microsoft.com/itpro/powershell/windows/defender/update-mpsignature
+[Get- cmdlets available in the Defender module]: https://technet.microsoft.com/itpro/powershell/windows/defender/index
+[Configure update options for Windows Defender Antivirus]: manage-updates-baselines-windows-defender-antivirus.md
+[Configure Windows Defender features]: configure-windows-defender-antivirus-features.md
+[Group Policies to determine if any settings or policies are not applied]: https://technet.microsoft.com/en-us/library/cc771389.aspx
+[Possibly infected devices]: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-reporting-sign-ins-from-possibly-infected-devices
+[Windows Defender Antivirus events]: troubleshoot-windows-defender-antivirus.md
+
+
+## In this section
+
+Topic | Description
+---|---
+[Deploy and enable Windows Defender Antivirus protection](deploy-windows-defender-antivirus.md) | 
While the client is installed as a core part of Windows 10, and traditional deployment does not apply, you will still need to enable the client on your endpoints with System Center Configuration Manager, Microsoft Intune, or Group Policy Objects.
+[Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) | There are two parts to updating Windows Defender Antivirus: updating the client on endpoints (product updates), and updating definitions (protection updates). You can update definitions in a number of ways, using System Center Configuration Manager, Group Policy, PowerShell, and WMI.
+[Monitor and report on Windows Defender Antivirus protection](report-monitor-windows-defender-antivirus.md) | You can use System Center Configuration Manager, a third-party SIEM product (by consuming Windows event logs), or Microsoft Intune to monitor protection status and create reports about endpoint protection
+
+## Related topics
+
+- [Windows Defender Antivirus in Windows 10](windows-defender-in-windows-10.md)
+- [Configure Windows Defender Antivirus features](configure-windows-defender-antivirus-features.md)
diff --git a/windows/keep-secure/deploy-windows-defender-antivirus.md b/windows/keep-secure/deploy-windows-defender-antivirus.md
new file mode 100644
index 0000000000..6f98f62d52
--- /dev/null
+++ b/windows/keep-secure/deploy-windows-defender-antivirus.md
@@ -0,0 +1,40 @@
+---
+title: Deploy and enable Windows Defender Antivirus
+description: Deploy Windows Defender AV for protection of your endpoints with Configuration Manager, Microsoft Intune, Group Policy, PowerShell cmdlets, or WMI.
+keywords: deploy, enable, windows defender av
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Deploy and enable Windows Defender Antivirus
+
+
+**Applies to:**
+
+- Windows 10
+
+**Audience**
+
+- Network administrators
+- IT administrators
+
+
+Depending on the management tool you are using, you may need to specifically enable or configure Windows Defender AV protection.
+
+See the [(Deployment, managament, and reporting options table)](deploy-manage-report-windows-defender-antivirus.md#ref1) for instructions on how to enable protection with System Center Configuration Manager, Group Policy, Active Directory, Microsoft Azure, Microsoft Intune, PowerShell cmdlets, and Windows Management Instruction (WMI).
+
+Some scenarios require additional guidance on how to successfully deploy or configure Windows Defender AV protection, such as Virtual Desktop Infrastructure (VDI) environments.
+
+The remaining topic in this section provides end-to-end advice and best practices for [setting up Windows Defender AV ion virtual machines (VMs) in a VDI or Remote Desktop Services (RDS) environment](deployment-vdi-windows-defender-antivirus.md).
+
+## Related topics
+
+- [Windows Defender Antivirus in Windows 10](windows-defender-in-windows-10.md)
+- [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
+- [Deployment guide for Windows Defender Antivirus in a virtual desktop infrasructure (VDI) environment](deployment-vdi-windows-defender-antivirus.md)
\ No newline at end of file
diff --git a/windows/keep-secure/deployment-vdi-windows-defender-antivirus.md b/windows/keep-secure/deployment-vdi-windows-defender-antivirus.md
new file mode 100644
index 0000000000..50d37bfe9d
--- /dev/null
+++ b/windows/keep-secure/deployment-vdi-windows-defender-antivirus.md
@@ -0,0 +1,309 @@
+---
+title: Windows Defender Antivirus VDI deployment guide
+description: Learn how to deploy Windows Defender Antivirus in a VDI environment for the best balance between protection and performance.
+keywords: vdi, hyper-v, vm, virtual machine, windows defender, antivirus, av, virtual desktop, rds, remote desktop
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment
+
+**Applies to:**
+
+- Windows 10
+
+**Audience**
+
+- IT professionals
+
+**Manageability available with**
+
+- System Center Configuration Manager (current branch)
+- Group Policy
+
+
+
+In addition to standard on-premises or hardware configurations, you can also use Windows Defender Antivirus (Windows Defender AV) in a remote desktop (RDS) or virtual desktop infrastructure (VDI) environment.
+
+Boot storms can be a problem in large-scale VDIs; this guide will help reduce the overall network bandwidth and performance impact on your hardware. For more details on the best configuration options to ensure a good balance between performance and protection, see the [Configure endpoints for optimal performance](#configure-endpoints-for-optimal-performance) section.
+
+See the [Microsoft Desktop virtualization site](https://www.microsoft.com/en-us/server-cloud/products/virtual-desktop-infrastructure/) for more details on Microsoft Remote Desktop Services and VDI support.
+
+For Azure-based virtual machines, you can also review the [Install Endpoint Protection in Azure Security Center](https://docs.microsoft.com/en-us/azure/security-center/security-center-install-endpoint-protection) topic.
+
+There are three main steps in this guide to help roll out Windows Defender AV protection across your VDI:
+
+1. 
[Create and deploy the base image (for example, as a virtual hard disk (VHD)) that your virtual machines (VMs) will use](#create-and-deploy-the-base-image)
+2. [Manage the base image and updates for your VMs](#manage-vms-and-base-image)
+3. [Configure the VMs for optimal protection and performance](#configure-endpoints-for-optimal-performance), including:
+ - [Randomize scheduled scans](#randomize-scheduled-scans)
+ - [Use quick scans](#use-quick-scans)
+ - [Prevent notifications](#prevent-notifications)
+ - [Disable scans from occuring after every update](#disable-scans-after-an-update)
+ - [Scan out-of-date machines or machines that have been offline for a while](#scan-vms-that-have-been-offline)
+
+>[!IMPORTANT]
+> While the VDI can be hosted on Windows Server 2012 or Windows Server 2016, the virtual machines (VMs) should be running Windows 10, 1607 at a minimum, due to increased protection technologies and features that are unavailable in earlier versions of Windows.
+
+>[!NOTE]
+>When you manage Windows with System Center Configuration Manager, Windows Defender AV protection will be referred to as Endpoint Protection or System Center Endpoint Protection. See the [Endpoint Protection section at the Configuration Manager library]( https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-protection) for more information.
+
+The following table lists the configuration settings that we recommend when deploying Windows Defender AV in a VDI environment:
+
+
+
+## Create and deploy the base image
+
+The main steps in this section include:
+1. Create your standard base image according to your requirements
+2. Apply Windows Defender AV protection updates to your base image
+3. Seal or “lock” the image to create a “known-good” image
+4. 
Deploy your image to your VMs
+
+### Create the base image
+First, you should create your base image according to your business needs, applying or installing the relevant line of business (LOB) apps and settings as you normally would. Typically, this would involve creating a VHD or customized .iso, depending on how you will deploy the image to your VMs.
+
+### Apply protection updates to the base image
+After creating the image, you should ensure it is fully updated. See [Configure Windows Defender in Windows 10]( https://technet.microsoft.com/en-us/itpro/windows/keep-secure/configure-windows-defender-in-windows-10) for instructions on how to update Windows Defender AV protection via WSUS, Microsoft Update, the MMPC site, or UNC file shares. You should ensure that your initial base image is also fully patched with Microsoft and Windows updates and patches.
+
+### Seal the base image
+When the base image is fully updated, you should run a quick scan on the image. This “sealing” or “locking” of the image helps Windows Defender AV build a cache of known-good files and avoid scanning them again on your VMs. In turn, this can help ensure performance on the VM is not impacted.
+
+You can run a quick scan [from the command line](command-line-arguments-windows-defender-antivirus.md) or via [System Center Configuration Manager](run-scan-windows-defender-antivirus.md).
+
+>[!NOTE]
+>Quick scan versus full scan
+>Quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders. Combined with our always on real-time protection capability - which reviews files when they are opened and closed, and whenever a user navigates to a folder – quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware. 
+>Therefore, when considering performance – especially for creating a new or updated image in preparation for deployment – it makes sense to use a quick scan only.
+>A full scan, however, can be useful on a VM that has encountered a malware threat to identify if there are any inactive components lying around and help perform a thorough clean-up.
+
+
+### Deploy the base image
+You’ll then need to deploy the base image across your VDI. For example, you can create or clone a VHD from your base image, and then use that VHD when you create or start your VMs.
+
+The following references provide ways you can create and deploy the base image across your VDI:
+
+- [Single image management for Virtual Desktop Collections](https://blogs.technet.microsoft.com/enterprisemobility/2012/10/29/single-image-management-for-virtual-desktop-collections-in-windows-server-2012/)
+- [Using Hyper-V to create a Base OS image that can be used for VMs and VHDs](https://blogs.technet.microsoft.com/haroldwong/2011/06/12/using-hyper-v-to-create-a-base-os-image-that-can-be-used-for-vms-and-boot-to-vhd/)
+- [Plan for Hyper-V security in Windows Server 2016]( https://technet.microsoft.com/en-us/windows-server-docs/compute/hyper-v/plan/plan-for-hyper-v-security-in-windows-server-2016)
+- [Create a virtual machine in Hyper-V (with a VHD)](https://technet.microsoft.com/en-us/windows-server-docs/compute/hyper-v/get-started/create-a-virtual-machine-in-hyper-v)
+- [Build Virtual Desktop templates]( https://technet.microsoft.com/en-us/library/dn645526(v=ws.11).aspx)
+
+
+
+
+
+## Manage your VMs and base image
+How you manage your VDI will affect the performance impact of Windows Defender AV on your VMs and infrastructure.
+
+Because Windows Defender AV downloads protection updates every day, [or based on your protection update settings](manage-protection-updates-windows-defender-antivirus.md), network bandwidth can be a problem if multiple VMs attempt to download updates at the same time. 
+
+Following the guidelines in this means the VMs will only need to download “delta” updates, which are the differences between an existing definition set and the next one. Delta updates are typically much smaller (a few kilobytes) than a full definition download (which can average around 150 mb).
+
+
+### Manage updates for persistent VDIs
+
+If you are using a persistent VDI, you should update the base image monthly, and set up protection updates to be delivered daily via a file share, as follows:
+1. Create a dedicated file share location on your network that can be accessed by your VMs and your VM host (or other, persistent machine, such as a dedicated admin console that you use to manage your VMs).
+2. Set up a scheduled task on your VM host to automatically download updates from the MMPC website or Microsoft Update and save them to the file share (the [SignatureDownloadCustomTask PowerShell script](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4/DisplayScript) can help with this).
+3. [Configure the VMs to pull protection updates from the file share](manage-protection-updates-windows-defender-antivirus.md).
+4. Disable or delay automatic Microsoft updates on your VMs. See [Update Windows 10 in the enterprise](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-update-windows-10) for information on managing operating system updates with WSUS, SCCM, and others.
+5. On or just after each Patch Tuesday (the second Tuesday of each month), update your base image with [the latest protection updates from the MMPC website, WSUS, or Microsoft Update](manage-protection-updates-windows-defender-antivirus.md). Also apply all other Windows patches and fixes that were delivered on the Patch Tuesday. 
You can automate this by following the instructions in [Orchestrated offline VM Patching using Service Management Automation](https://blogs.technet.microsoft.com/privatecloud/2013/12/06/orchestrated-offline-vm-patching-using-service-management-automation/).
+5. [Run a quick scan](run-scan-windows-defender-antivirus.md) on your base image before deploying it to your VMs.
+
+A benefit to aligning your image update to the monthly Microsoft Update is that you ensure your VMs will have the latest Windows security patches and other important Microsoft updates without each VM needing to individually download them.
+
+
+### Manage updates for non-persistent VDIs
+
+If you are using a non-persistent VDI, you can update the base image daily (or nightly) and directly apply the latest updates to the image.
+
+An example:
+1. Every night or other time when you can safely take your VMs offline, update your base image with t[the latest protection updates from the MMPC website, WSUS, or Microsoft Update](manage-protection-updates-windows-defender-antivirus.md).
+2. [Run a quick scan](run-scan-windows-defender-antivirus.md) on your base image before deploying it to your VMs.
+
+
+
+
+## Configure endpoints for optimal performance
+There are a number of settings that can help ensure optimal performance on your VMs and VDI without affecting the level of protection, including:
+ - [Randomize scheduled scans](#randomize-scheduled-scans)
+ - [Use quick scans](#use-quick-scans)
+ - [Prevent notifications](#prevent-notifications)
+ - [Disable scans from occuring after every update](#disable-scans-after-an-update)
+ - [Scan out-of-date machines or machines that have been offline for a while](#scan-vms-that-have-been-offline)
+
+These settings can be configured as part of creating your base image, or as a day-to-day management function of your VDI infrastructure or network. 
+
+
+
+
+### Randomize scheduled scans
+
+Windows Defender AV supports the randomization of scheduled scans and signature updates. This can be extremely helpful in reducing boot storms (especially when used in conjuction with [Disable scans from occuring after every update](#disable-scans-after-an-update) and [Scan out-of-date machines or machines that have been offline for a while](#scan-vms-that-have-been-offline).
+
+Scheduled scans run in addition to [real-time protection and scanning](configure-real-time-protection-windows-defender-antivirus.md).
+
+The start time of the scan itself is still based on the scheduled scan policy – ScheduleDay, ScheduleTime, ScheduleQuickScanTime.
+
+
+
+**Use Group Policy to randomize scheduled scan start times:**
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4. Click **Policies** then **Administrative templates**.
+
+5. Expand the tree to **Windows components > Windows Defender** and configure the following setting:
+
+ 1. Double-click the **Randomize scheduled task times** setting and set the option to **Enabled**. Click **OK**. This adds a true randomization (it is still random if the disk image is replicated) of plus or minus 30 minutes (using all of the intervals) to the start of the scheduled scan and the signature update. For example, if the sechedule start time was set at 2.30pm, then enabling this setting could cause one machine to scan and update at 2.33pm and another machine to scan and update at 2.14pm. 
+
+**Use Configuration Manager to randomize schedule scans:**
+
+See [How to create and deploy antimalware policies: Advanced settings]( https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#advanced-settings) for details on configuring System Center Configuration Manager (current branch).
+
+See [Schedule scans](scheduled-catch-up-scans-windows-defender-antivirus.md) for other configuration options available for scheduled scans.
+
+### Use quick scans
+
+You can specify the type of scan that should be performed during a scheduled scan.
+Quick scans are the preferred approach as they are designed to look in all places where malware needs to reside to be active.
+
+**Use Group Policy to specify the type of scheduled scan:**
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+2. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+3. Click **Policies** then **Administrative templates**.
+
+4. Expand the tree to **Windows components > Windows Defender > Scan** and configure the following setting:
+ 1. Double-click the **Specify the scan type to use for a scheduled scan** setting and set the option to **Enabled** and **Quick scan**. Click **OK**.
+
+**Use Configuration Manager to specify the type of scheduled scan:**
+
+See [How to create and deploy antimalware policies: Scheduled scans settings]( https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) for details on configuring System Center Configuration Manager (current branch).
+
+
+
+### Prevent notifications
+
+Sometimes, Windows Defender AV notifications may be sent to or persist across multiple sessions. In order to minimize this problem, you can use the lock down the user interface for Windows Defender AV. 
+
+**Use Group Policy to hide notifications:**
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4. Click **Policies** then **Administrative templates**.
+
+5. Expand the tree to **Windows components > Windows Defender > Client Interface** and configure the following settings:
+
+1. Double-click the **Suppress all notifications** setting and set the option to **Enabled**. Click **OK**. This prevents notifications from Windows Defender AV appearing in the action center on Windows 10 when scans or remediation is performed.
+2. Double-click the **Enable headless UI mode** setting and set the option to **Enabled**. Click **OK**. This hides the entire Windows Defender AV user interface from users.
+
+
+**Use Configuration Manager to hide notifications:**
+
+1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
+
+2. Go to the **Advanced** section and configure the following settings:
+
+1. Set **Disable the client user interface** to **Yes**. This hides the entire Windows Defender AV user interface.
+2. Set **Show notifications messages on the client computer...** to **Yes**. This hides notifications from appearing.
+
+3. Click **OK**.
+
+3. [Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers).
+
+### Disable scans after an update
+
+This setting will prevent a scan from occurring after receiving an update. You can apply this when creating the base image if you have also run a quick scan. 
This prevents the newly updated VM from performing a scan again (as you’ve already scanned it when you created the base image).
+
+>[!IMPORTANT]
+>Running scans after an update will help ensure your VMs are protected with the latest definition updates. Disabling this option will reduce the protection level of your VMs and should only be used when first creating or deploying the base image.
+
+**Use Group Policy to disable scans after an update:**
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4. Click **Policies** then **Administrative templates**.
+
+5. Expand the tree to **Windows components > Windows Defender > Signature Updates** and configure the following setting:
+
+1. Double-click the **Turn on scan after signature update** setting and set the option to **Disabled**. Click **OK**. This prevents a scan from running immediately after an update.
+
+
+**Use Configuration Manager to disable scans after an update:**
+
+1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
+
+2. Go to the **Scheduled scans** section and configure the following setting:
+
+1. Set **Check for the latest definition updates before running a scan** to **No**. This prevents a scan after an update.
+
+3. Click **OK**.
+
+2. [Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers). 
+
+
+
+
+
+### Scan VMs that have been offline
+
+This setting will help ensure protection for a VM that has been offline for some time or has otherwise missed a scheduled scan.
+
+DisableCatchupQuickScan, is the setting that I use (set to OFF) to ensure that a quick scan is performed on a VM which has been offline and has missed a schedule scan.
+
+
+**Use Group Policy to enable a catch-up scan:**
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4. Click **Policies** then **Administrative templates**.
+
+5. Expand the tree to **Windows components > Windows Defender > Scan** and configure the following setting:
+
+1. Double-click the **Turn on catch-up quick scan** setting and set the option to **Enabled**. Click **OK**. This forces a scan if the VM has missed two or more consecutive scheduled scans.
+
+
+**Use Configuration Manager to disable scans after an update:**
+
+1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
+
+2. Go to the **Scheduled scans** section and configure the following setting:
+
+1. Set **Force a scan of the selected scan type if client computer is offline during...** to **Yes**. This forces a scan if the VM has missed two or more consecutive scheduled scans.
+
+3. Click **OK**.
+
+2. [Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers). 
+
+
+
+### Exclusions
+Windows Server 2016 contains Windows Defender Antivirus and will automatically deliver the right exclusions for servers running a VDI environment. However, if you are running an older Windows server version, you can refer to the exclusions that are applied on this page:
+- [Automatic exclusions for Windows Server Antimalware](https://technet.microsoft.com/en-us/windows-server-docs/security/windows-defender/automatic-exclusions-for-windows-defender)
+
+## Additional resources
+
+- [Video: Microsoft Senior Program Manager Bryan Keller on how System Center Configuration Manger 2012 manages VDI and integrates with App-V]( http://channel9.msdn.com/Shows/Edge/Edge-Show-5-Manage-VDI-using-SCCM-2012#time=03m02s)
+- [Project VRC: Antivirus impact and best practices on VDI](https://blogs.technet.microsoft.com/privatecloud/2013/12/06/orchestrated-offline-vm-patching-using-service-management-automation/)
+- [TechNet forums on Remote Desktop Services and VDI](https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverTS)
+- [SignatureDownloadCustomTask PowerShell script](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4/DisplayScript)
diff --git a/windows/keep-secure/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/keep-secure/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
new file mode 100644
index 0000000000..30d7011a23
--- /dev/null
+++ b/windows/keep-secure/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
@@ -0,0 +1,110 @@ +--- +title: Block Potentially Unwanted Applications with Windows Defender AV +description: Enable the Potentially Unwanted Application (PUA) feature in Windows Defender Antivirus to block unwanted software such as adware. +keywords: pua, enable, unwanted software, unwanted apps, adware, browser toolbar, detect, block, windows defender +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: detect +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +--- + +# Detect and block Potentially Unwanted Applications + +**Applies to:** + +- Windows 10 + +**Audience** + +- Enterprise security administrators + +**Manageability available with** + +- System Center Configuration Manager +- PowerShell cmdlets +- Microsoft Intune + +The Potentially Unwanted Application (PUA) protection feature in Windows Defender Antivirus can identify and block PUAs from downloading and installing on endpoints in your network. + +These applications are not considered viruses, malware, or other types of threats, but might perform actions on endpoints that adversely affect their performance or use. PUA can also refer to applications that are considered to have a poor reputation. + +Typical PUA behavior includes: +- Various types of software bundling +- Ad-injection into web browsers +- Driver and registry optimizers that detect issues, request payment to fix the errors, but remain on the endpoint and make no changes or optimizations (also known as "rogue antivirus" programs) + +These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify, and can waste IT resources in cleaning up the applications. 
+ +## How it works + +PUAs are blocked when a user attempts to download or install the detected file, and if the file meets one of the following conditions: +- The file is being scanned from the browser +- The file is in the %downloads% folder +- The file is in the %temp% folder + +The file is placed in the quarantine section so it won’t run. + +When a PUA is detected on an endpoint, the endpoint will present a notification to the user ([unless notifications have been disabled](configure-notifications-windows-defender-antivirus.md)) in the same format as normal threat detections (prefaced with "PUA:"). + +They will also appear in the usual [quarantine list in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md#detection-history). + + +## View PUA events + +PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager or Intune. + +See [Troubleshoot event IDs](troubleshoot-windows-defender-antivirus.md) for details on viewing Windows Defender Antivirus events. PUA events are recorded under event ID 1160. + + +## Configure the PUA protection feature + +You can enable the PUA protection feature with System Center Configuration Manager, PowerShell cmdlets, or Microsoft Intune. + +You can also use the PUA audit mode to detect PUA without blocking them. The detections will be captured in the Windows event log. + +This feature is useful if your company is conducting an internal software security compliance check and you’d like to avoid any false positives. + + +**Use Configuration Manager to configure the PUA protection feature:** + +PUA protection is enabled by default in System Center Configuration Manager (current branch), including version 1606 and later. 
+ +See [How to create and deploy antimalware policies: Scheduled scans settings](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) for details on configuring System Center Configuration Manager (current branch). + +For Configuration Manager 2012, see [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA). + +> [!NOTE] +> PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager. + +**Use PowerShell cmdlets to configure the PUA protection feature:** + +Use the following cmdlet: + +```PowerShell +Set-MpPreference -PUAProtection +``` + +Setting the value for this cmdlet to `Enabled` will turn the feature on if it has been disabled. + +Setting `AuditMode` will detect PUAs but will not block them. + +See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. + + + +**Use Intune to configure the PUA protection feature** + +See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune) and [Windows Defender policy settings in Windows 10](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune#windows-defender-1) for more details. + + + +## Related topics + +- [Windows Defender Antivirus](windows-defender-antivirus-in-windows-10.md) +- [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md) + + 
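Review bot: The PowerShell example under "Use PowerShell cmdlets to configure the PUA protection feature" gives `Set-MpPreference -PUAProtection` with no argument, so it cannot be run as written even though the two sentences after it name the accepted values; show the value in the block, `Set-MpPreference -PUAProtection Enabled`, and add `Set-MpPreference -PUAProtection AuditMode` for the audit case. The Configuration Manager link text reads "Scheduled scans settings" but its anchor is `#real-time-protection-settings`; the enable-pua page deleted in this same commit places the PUA setting under Real-time Protection Settings, so the link text is probably the stale part. Since audit-mode detections are only visible in the Windows event log (event ID 1160, as the "View PUA events" section says), repeating that pointer next to the `AuditMode` sentence would save an administrator from looking for feedback in Configuration Manager or Intune.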
diff --git a/windows/keep-secure/enable-cloud-protection-windows-defender-antivirus.md b/windows/keep-secure/enable-cloud-protection-windows-defender-antivirus.md
new file mode 100644
index 0000000000..ddb0ce57ac
--- /dev/null
+++ b/windows/keep-secure/enable-cloud-protection-windows-defender-antivirus.md
@@ -0,0 +1,153 @@ +--- +title: Enable cloud-delivered protection in Windows Defender Antivirus +description: Enable cloud-delivered protection to benefit from fast and advanced protection features. +keywords: windows defender antivirus, antimalware, security, cloud, block at first sight +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +--- + +# Enable cloud-delivered protection in Windows Defender AV + + + +**Applies to:** + +- Windows 10, version 1703 + +**Audience** + +- Enterprise security administrators + +**Manageability available with** + +- Group Policy +- System Center Configuration Manager +- PowerShell cmdlets +- Windows Management Instruction (WMI) +- Microsoft Intune +- Windows Defender Security Center app + + +>[!NOTE] +>The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional signature updates. + + + +You can enable or disable Windows Defender Antivirus cloud-delivered protection with Group Policy, System Center Configuration Manager, PowerShell cmdlets, Microsoft Intune, or on individual clients in the Windows Defender Security Center app. + +See [Utilize Microsoft cloud-delivered protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for an overview of Windows Defender Antivirus cloud-based protection. + +There are specific network-connectivity requirements to ensure your endpoints can connect to the cloud-delivered protection service. 
See [Configure and validate network connections for Windows Defender AV](configure-network-connections-windows-defender-antivirus.md) for more details. + +>[!NOTE] +>In Windows 10, there is no difference between the **Basic** and **Advanced** options described in this topic. This is a legacy distinction and choosing either setting will result in the same level of cloud-delivered protection. There is no difference in the type or amount of information that is shared. See the [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=521839) for more information on what we collect. + + +**Use Group Policy to enable cloud-delivered protection:** + +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. Click **Policies** then **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender Antivirus > MAPS** + +1. Double-click the **Join Microsoft MAPS** setting and ensure the option is enabled and set to **Basic MAPS** or **Advanced MAPS**. Click **OK**. + +1. Double-click the **Send file samples when further analysis is required** setting and ensure the option is set to **Enabled** and the additional options are either of the following: + + 1. **Send safe samples** (1) + 1. **Send all samples** (3) + + > [!WARNING] + > Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function. + +1. Click **OK**. 
+ + + +**Use Configuration Manager to enable cloud-delivered protection:** + +See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring System Center Configuration Manager (current branch). + + +**Use PowerShell cmdlets to enable cloud-delivered protection:** + +Use the following cmdlets to enable cloud-delivered protection: + +```PowerShell +Set-MpPreference -MAPSReporting Advanced +Set-MpPreference -SubmitSamplesConsent 3 +``` +>[!NOTE] +>You can also set -SubmitSamplesConsent to 1. Setting it to 0 will lower the protection state of the device, and setting it to 2 means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function. + + +See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. + +**Use Windows Management Instruction (WMI) to enable cloud-delivered protection:** + +Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn439474(v=vs.85).aspx) class for the following properties: + +```WMI +MAPSReporting +SubmitSamplesConsent +``` + +See the following for more information and allowed parameters: +- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) + +**Use Intune to enable cloud-delivered protection** + +1. Open the [Microsoft Intune administration console](https://manage.microsoft.com/), and navigate to the associated policy you want to configure. +2. 
Under the **Endpoint Protection** setting, scroll down to the **Endpoint Protection Service** section set the **Submit files automatically when further analysis is required** setting to either of the following: + 1. **Send samples automatically** + 1. **Send all samples automatically** + + > [!WARNING] + > Setting to **Always Prompt** will lower the protection state of the device. Setting to **Never send** means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function. +5. Scoll down to the **Microsoft Active Protection Service** section and set the following settings: + + Setting | Set to + --|-- + Join Microsoft Active Protection Service | Yes + Membership level | Advanced + Receive dynamic definitions based on Microsoft Active Protection Service reports | Yes + +3. Save and [deploy the policy as usual](https://docs.microsoft.com/en-us/intune/deploy-use/common-windows-pc-management-tasks-with-the-microsoft-intune-computer-client). + +See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune) for more details. + +**Enable cloud-delivered protection on individual clients with the Windows Defender Security Center app** +> [!NOTE] +> If the **Configure local setting override for reporting Microsoft MAPS** GP setting is set to **Disabled**, then the **Cloud-based protection** setting in Windows Settings will be greyed-out and unavailable. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. + + +1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**. + +2. 
Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label: + +![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center app](images/defender/wdav-protection-settings-wdsc.png) + +3. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**. + +>[!NOTE] +>If automatic sample submission has been configured with GP then the setting will be greyed-out and unavailble. + +## Related topics + +- [Windows Defender Antivirus in Windows 10](windows-defender-in-windows-10.md) +- [Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md) +- [Configure the block at first sight feature](configure-block-at-first-sight-windows-defender-antivirus.md) +- [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) +- [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune)] +- [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) +- [Utilize Microsoft cloud-delivered protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) +- [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) \ No newline at end of file diff --git a/windows/keep-secure/enable-custom-ti-windows-defender-advanced-threat-protection.md b/windows/keep-secure/enable-custom-ti-windows-defender-advanced-threat-protection.md index e62a85a083..dd97cca65e 100644 --- a/windows/keep-secure/enable-custom-ti-windows-defender-advanced-threat-protection.md 
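Review bot: The PowerShell block presents `Set-MpPreference -SubmitSamplesConsent 3` (send all samples) as the primary example while the Group Policy and Intune sections list "Send safe samples" as an equally valid choice, and nowhere does the page say what separates the two, so an administrator has no basis for the decision. A comment in the block would help, e.g. `# 1 = send safe samples, 3 = send all samples; check your data-handling policy before choosing 3, which may submit files that contain user data` (hedged, since the page does not define which files the "safe" category excludes). Separately, "Windows Management Instruction (WMI)" should be "Windows Management Instrumentation" in both the manageability list and the section heading, "Scoll down" should be "Scroll down", "unavailble" should be "unavailable", and the Intune entry in Related topics carries a stray trailing `]` after the link.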
+++ b/windows/keep-secure/enable-custom-ti-windows-defender-advanced-threat-protection.md @@ -1,6 +1,6 @@ --- -title: Enable the custom threat intelligence application in Windows Defender ATP -description: Enable the custom threat intelligence application in Windows Defender ATP so that you can create custom threat intelligence using REST API. +title: Enable the custom threat intelligence API in Windows Defender ATP +description: Learn how to setup the custom threat intelligence application in Windows Defender ATP to create custom threat intelligence (TI). keywords: enable custom threat intelligence application, custom ti application, application name, client id, authorization url, resource, client secret, access tokens search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -11,7 +11,7 @@ author: mjcaparas localizationpriority: high --- -# Enable the custom threat intelligence application +# Enable the custom threat intelligence API in Windows Defender ATP **Applies to:** 
@@ -21,19 +21,19 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] - Before you can create custom threat intelligence (TI) using REST API, you'll need to set up the custom threat intelligence application through the Windows Defender ATP portal. 1. In the navigation pane, select **Preference Setup** > **Threat intel API**. + ![Image of threat intel API menu](images/atp-threat-intel-api.png) + 2. Select **Enable threat intel API**. This activates the **Azure Active Directory application** setup sections with pre-populated values. 3. Copy the individual values or select **Save details to file** to download a file that contains all the values. - >[!WARNING] - >The client secret is only displayed once. Make sure you keep a copy of it in a safe place. - >For more information about getting a new secret see, [Learn how to get a new secret](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md#learn-how-to-get-a-new-client-secret). + WARNING:
        + The client secret is only displayed once. Make sure you keep a copy of it in a safe place.
        + For more information about getting a new secret see, [Learn how to get a new secret](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md#learn-how-to-get-a-new-client-secret). 4. Select **Generate tokens** to get an access and refresh token. diff --git a/windows/keep-secure/enable-pua-windows-defender-for-windows-10.md b/windows/keep-secure/enable-pua-windows-defender-for-windows-10.md index 82a3908d87..0feb3a91f8 100644 --- a/windows/keep-secure/enable-pua-windows-defender-for-windows-10.md +++ b/windows/keep-secure/enable-pua-windows-defender-for-windows-10.md 
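Review bot: The rewrite replaces the `>[!WARNING]` callout about the client secret with a plain `WARNING:` paragraph broken across hard line breaks, so the most security-relevant sentence on the page loses its rendered highlight; keeping the `> [!WARNING]` alert syntax that the removed lines used is the smaller change. The same plain-text WARNING block is added in enable-siem-integration-windows-defender-advanced-threat-protection.md in this commit. Step 3's "Save details to file" produces a file that, by the text's own description, contains all the values including the client secret, yet nothing tells the reader how to handle that file; a sentence such as `Treat the downloaded file as a credential: store it in your secrets store and remove the local copy once the values are in place.` after step 3 would close that gap.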
@@ -10,111 +10,9 @@ ms.sitesec: library ms.pagetype: security localizationpriority: medium author: dulcemv +redirect_url: /detect-block-potentially-unwanted-apps-windows-defender-antivirus/ --- # Detect and block Potentially Unwanted Application in Windows 10 -**Applies to:** - -- Windows 10 - -You can enable the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time. - -Potentially Unwanted Application (PUA) refers to applications that are not considered viruses, malware, or other types of threats, but might perform actions on your computer that adversely affect your computing experience. It also refers to applications considered to have a poor reputation. - -Typical examples of PUA behavior include: -* Various types of software bundling -* Ad-injection into your browsers -* Driver and registry optimizers that detect issues, request payment to fix them, and persist - -These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify among the noise, and can waste helpdesk, IT, and user time in cleaning up the applications. - -Since the stakes are higher in an enterprise environment, the potential disaster and potential productivity and performance disruptions that PUA brings can be a cause of concern. Hence, it is important to deliver trusted protection in this field. - -##Enable PUA protection in System Center Configuration Manager and Intune - -The PUA feature is available for enterprise users who are running System Center Configuration Manager or Intune in their infrastructure. - -###Configure PUA in System Center Configuration Manager - -For System Center Configuration Manager users, PUA is enabled by default. 
See the following topics for configuration details: - -If you are using these versions | See these topics -:---|:--- -System Center Configuration Manager (current branch) version 1606 | [Create a new antimalware policy](https://technet.microsoft.com/en-US/library/mt613199.aspx#To-create-a-new-antimalware-policy)
        [Real-time Protection Settings](https://technet.microsoft.com/en-US/library/mt613199.aspx#Real-time-Protection-Settings) -System Center 2012 R2 Endpoint Protection
        System Center 2012 Configuration Manager
        System Center 2012 Configuration Manager SP1
        System Center 2012 Configuration Manager SP2
        System Center 2012 R2 Configuration Manager
        System Center 2012 Endpoint Protection SP1
        System Center 2012 Endpoint Protection
        System Center 2012 R2 Configuration Manager SP1| [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA) - -
        -###Use PUA audit mode in System Center Configuration Manager - -You can use PowerShell to detect PUA without blocking them. In fact, you can run audit mode on individual machines. This feature is useful if your company is conducting an internal software security compliance check and you’d like to avoid any false positives. - -1. Open PowerShell as Administrator:
        - - a. Click **Start**, type **powershell**, and press **Enter**. - - b. Click **Windows PowerShell** to open the interface. - >[!NOTE] - >You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt. -2. Enter the PowerShell command: - - ```text - set-mpPreference -puaprotection 2 - ``` -> [!NOTE] -> PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager. - - -###Configure PUA in Intune - - PUA is not enabled by default. You need to [Create and deploy a PUA configuration policy to use it](https://docs.microsoft.com/en-us/intune/deploy-use/manage-settings-and-features-on-your-devices-with-microsoft-intune-policies). See the [Potentially Unwanted Application Detection policy setting](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune) for details. - - -###Use PUA audit mode in Intune - - You can detect PUA without blocking them from your client so you can gain insights into what can be blocked. - -1. Open PowerShell as Administrator:
        - - a. Click **Start**, type **powershell**, and press **Enter**. - - b. Click **Windows PowerShell** to open the interface. - - >[!NOTE] - >You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt. - -2. Enter the PowerShell command: - - ```text - set-mpPreference -puaprotection 1 - ``` - -##View PUA events - -PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager or Intune. To view PUA events: - -1. Open **Event Viewer**. -2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender**. -3. Double-click on **Operational**. -4. In the details pane, view the list of individual events to find your event. PUA events are under Event ID 1160 along with detection details. - -You can find a complete list of the Microsoft antimalware event IDs, the symbol, and the description of each ID in [Windows Server Antimalware Events TechNet](https://technet.microsoft.com/library/dn913615.aspx). - - -##What PUA notifications look like - -When a detection occurs, end users who enabled the PUA detection feature will see the following notification: - - -To see historical PUA detections that occurred on a PC, users can go to History, then **Quarantined items** or **All detected items**. - -##PUA threat naming convention - -When enabled, potentially unwanted applications are identified with threat names that start with “PUA:”, such as, PUA:Win32/Creprote. - -##PUA blocking conditions - -PUA protection quarantines the file so they won’t run. PUA will be blocked only at download or install-time. 
A file will be included for blocking if it has been identified as PUA and meets one of the following conditions: -* The file is being scanned from the browser -* The file is in the %downloads% folder -* Or if the file in the %temp% folder +This page has been redirected to *Detect and block unwanted applications*. \ No newline at end of file diff --git a/windows/keep-secure/enable-siem-integration-windows-defender-advanced-threat-protection.md b/windows/keep-secure/enable-siem-integration-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..a645f8ccad --- /dev/null +++ b/windows/keep-secure/enable-siem-integration-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,55 @@ +--- +title: Enable SIEM integration in Windows Defender Advanced Threat Protection +description: Enable SIEM integration to receive alerts in your security information and event management (SIEM) solution. +keywords: enable siem connector, siem, connector, security information and events +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: mjcaparas +localizationpriority: high +--- + +# Enable SIEM integration in Windows Defender ATP + +**Applies to:** + +- Windows 10 Enterprise +- Windows 10 Education +- Windows 10 Pro +- Windows 10 Pro Education +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +Enable security information and event management (SIEM) integration so you can pull alerts from the Windows Defender ATP portal using your SIEM solution or by connecting directly to the alerts REST API. + +1. In the navigation pane, select **Preferences setup** > **SIEM integration**. + + ![Image of SIEM integration from Preferences setup menu](images/atp-siem-integration.png) + +2. Select **Enable SIEM integration**. This activates the **SIEM connector access details** section with pre-populated values and an application is created under you Azure Active Directory (AAD) tenant. + + WARNING:
        + The client secret is only displayed once. Make sure you keep a copy of it in a safe place.
        + For more information about getting a new secret see, [Learn how to get a new secret](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md#learn-how-to-get-a-new-client-secret). + +3. Choose the SIEM type you use in your organization. + + NOTE:
        + If you select HP ArcSight, you'll need to save these two configuration files:
        + - WDATP-connector.jsonparser.properties + - WDATP-connector.properties
        + + If you want to connect directly to the alerts REST API through programmatic access, choose **Generic API**. + +4. Copy the individual values or select **Save details to file** to download a file that contains all the values. + +5. Select **Generate tokens** to get an access and refresh token. + +You can now proceed with configuring your SIEM solution or connecting to the alerts REST API through programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive alerts from the Windows Defender ATP portal. + +## Related topics +- [Configure Splunk](configure-splunk-windows-defender-advanced-threat-protection.md) +- [Configure ArcSight](configure-arcsight-windows-defender-advanced-threat-protection.md) +- [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) +- [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/enterprise-certificate-pinning.md b/windows/keep-secure/enterprise-certificate-pinning.md new file mode 100644 index 0000000000..b6b15f7df9 --- /dev/null +++ b/windows/keep-secure/enterprise-certificate-pinning.md 
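Review bot: In step 2, "an application is created under you Azure Active Directory (AAD) tenant" should read `under your Azure Active Directory (AAD) tenant`. The closing paragraph states that the access and refresh tokens from "Generate tokens" are what the SIEM uses to receive alerts, which makes them credentials in their own right, but the page only warns about the client secret; a short addition such as `Protect the access and refresh tokens, and any saved details file, as you would the client secret.` after step 5 would cover them. If the ArcSight configuration files named in the step 3 note end up holding those values, the same handling applies to them — worth confirming against the linked Configure ArcSight topic.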
@@ -0,0 +1,450 @@
+---
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.author: mstephens
+author: MikeStephens-MS
+description: Enterprise certificate pinning is a Windows feature for remembering, or “pinning” a root, issuing certificate authority, or end entity certificate to a given domain name.
+manager: alanth
+ms.date: 2016-12-27
+ms.prod: w10
+ms.technology: security
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+---
+
+# Enterprise Certificate Pinning
+
+**Applies to**
+- Windows 10
+
+Enterprise certificate pinning is a Windows feature for remembering, or “pinning,” a root issuing certificate authority or end entity certificate to a given domain name.
+Enterprise certificate pinning helps reduce man-in-the-middle attacks by enabling you to protect your internal domain names from chaining to unwanted certificates or to fraudulently issued certificates.
+
+>[!NOTE]
+> External domain names, where the certificate issued to these domains is issued by a public certificate authority, are not ideal for enterprise certificate pinning. Web administrators should configure their web servers to use HTTP public key pinning (HPKP) and encourage users to use web browsers that support HPKP.
+
+Windows Certificate APIs (CertVerifyCertificateChainPolicy and WinVerifyTrust) are updated to check if the site’s server authentication certificate chain matches a restricted set of certificates.
+These restrictions are encapsulated in a Pin Rules Certificate Trust List (CTL) that is configured and deployed to Windows 10 computers.
+Any site certificate triggering a name mismatch causes Windows to write an event to the CAPI2 event log and prevents the user from navigating to the web site using Microsoft Edge or Internet Explorer.
+ +## Deployment + +To deploy enterprise certificate pinning, you need to: + +- Create a well-formatted certificate pinning rule XML file +- Create a pin rules certificate trust list file from the XML file +- Apply the pin rules certificate trust list file to a reference administrative computer +- Deploy the registry configuration on the reference computer using Group Policy Management Console (GPMC), which is included in the [Remote Server Administration Tools (RSAT)](https://www.microsoft.com/download/details.aspx?id=45520). + +### Create a Pin Rules XML file + +The XML-based pin rules file consists of a sequence of PinRule elements. +Each PinRule element contains a sequence of one or more Site elements and a sequence of zero or more Certificate elements. + +```code + + + + + + + + + + + + + + + + + + + + + + +``` + +#### PinRules Element + +The PinRules element can have the following attributes. +For help with formatting Pin Rules, see [Representing a Date in XML](#representing-a-date-in-xml) or [Representing a Duration in XML](#representing-a-duration-in-xml). + +- **Duration** or **NextUpdate** + + Specifies when the Pin Rules will expire. + Either is required. + **NextUpdate** takes precedence if both are specified. + + **Duration**, represented as an XML TimeSpan data type, does not allow years and months. + You represent the **NextUpdate** attribute as a XML DateTime data type in UTC. + + **Required?** Yes. At least one is required. + +- **LogDuration** or **LogEndDate** + + Configures auditing only to extend beyond the expiration of enforcing the Pin Rules. + + **LogEndDate**, represented as an XML DateTime data type in UTC, takes precedence if both are specified. + + You represent **LogDuration** as an XML TimeSpan data type, which does not allow years and months. + + If neither attribute is specified, auditing expiration uses **Duration** or **NextUpdate** attributes. + + **Required?** No. 
+
+- **ListIdentifier**
+
+ Provides a friendly name for the list of pin rules.
+ Windows does not use this attribute for certificate pinning enforcement, however it is included when the pin rules are converted to a certificate trust list (CTL).
+
+ **Required?** No.
+
+#### PinRule Element
+
+The **PinRule** element can have the following attributes:
+
+- **Name**
+
+ Uniquely identifies the **PinRule**.
+ Windows uses this attribute to identify the element for a parsing error or for verbose output.
+ The attribute is not included in the generated certificate trust list (CTL).
+
+ **Required?** Yes.
+
+- **Error**
+
+ Describes the action Windows performs when it encounters a PIN mismatch.
+ You can choose from the following string values:
+ - **Revoked** - Windows reports the certificate protecting the site as if it was revoked. This typically prevents the user from accessing the site.
+ - **InvalidName** - Windows reports the certificate protecting the site as if the name on the certificate does not match the name of the site. This typically results in prompting the user before accessing the site.
+ - **None** - The default value. No error is returned. You can use this setting to audit the pin rules without introducing any user friction.
+
+ **Required?** No.
+
+- **Log**
+
+ A Boolean value represent as string that equals **true** or **false**.
+ By default, logging is enabled (**true**).
+
+ **Required?** No.
+
+#### Certificate element
+
+The **Certificate** element can have the following attributes:
+
+- **File**
+
+ Path to a file containing one or more certificates.
+ Where the certificate(s) can be encoded as:
+ - single certificate
+ - p7b
+ - sst.
+
+ These files can also be Base64 formatted.
+ All **Site** elements included in the same **PinRule** element can match any of these certificates.
+
+ **Required?** Yes (File, Directory or Base64 must be present).
+
+- **Directory**
+
+ Path to a directory containing one or more of the above certificate files.
+ Skips any files not containing any certificates.
+
+ **Required?** Yes (File, Directory or Base64 must be present).
+
+- **Base64**
+
+ Base64 encoded certificate(s).
+ Where the certificate(s) can be encoded as:
+ - single certificate
+ - p7b
+ - sst.
+
+ This allows the certificates to be included in the XML file without a file directory dependency.
+
+ > [!Note]
+ > You can use **certutil -encode** to a .cer file into base64. You can then use Notepad to copy and paste the base64 encoded certificate into the pin rule.
+
+ **Required?** Yes (File, Directory or Base64 must be present).
+
+- **EndDate**
+
+ Enables you to configure an expiration date for when the certificate is no longer valid in the pin rule.
+
+ If you are in the process of switching to a new root or CA, you can set the **EndDate** to allow matching of this element’s certificates.
+
+ If the current time is past the **EndDate**, then, when creating the certificate trust list (CTL), the parser outputs a warning message and exclude the certificate(s) from the Pin Rule in the generated CTL.
+
+ For help with formatting Pin Rules, see [Representing a Date in XML](#representing-a-date-in-xml).
+
+ **Required?** No.
+
+#### Site element
+
+The **Site** element can have the following attributes:
+
+- **Domain**
+
+ Contains the DNS name to be matched for this pin rule.
+ When creating the certificate trust list, the parser normalizes the input name string value as follows:
+ - If the DNS name has a leading "*" it is removed.
+ - Non-ASCII DNS name are converted to ASCII Puny Code.
+ - Upper case ASCII characters are converted to lower case.
+
+ If the normalized name has a leading ".", then, wildcard left hand label matching is enabled.
+ For example, ".xyz.com" would match "abc.xyz.com".
+
+ **Required?** Yes.
+
+- **AllSubdomains**
+
+ By default, wildcard left hand label matching is restricted to a single left hand label.
+ This attribute can be set to "true" to enable wildcard matching of all of the left hand labels.
+
+ For example, setting this attribute would also match "123.abc.xyz.com" for the ".xyz.com" domain value.
+
+ **Required?** No.
+
+### Create a Pin Rules Certificate Trust List
+
+The command line utility, **Certutil.exe**, includes the **generatePinRulesCTL** argument to parse the XML file and generate the encoded certificate trust list (CTL) that you add to your reference Windows 10 version 1703 computer and subsequently deploy.
+The usage syntax is:
+
+```code
+CertUtil [Options] -generatePinRulesCTL XMLFile CTLFile [SSTFile]
+ Generate Pin Rules CTL
+ XMLFile -- input XML file to be parsed.
+ CTLFile -- output CTL file to be generated.
+ SSTFile -- optional .sst file to be created.
+ The .sst file contains all of the certificates
+ used for pinning.
+
+Options:
+ -f -- Force overwrite
+ -v -- Verbose operation
+```
+
+The same certificate(s) can occur in multiple **PinRule** elements.
+The same domain can occur in multiple **PinRule** elements.
+Certutil coalesces these in the resultant pin rules certificate trust list.
+
+Certutil.exe does not strictly enforce the XML schema definition.
+It does perform the following to enable other tools to add/consume their own specific elements and attributes:
+
+- Skips elements before and after the **PinRules** element.
+- Skips any element not matching **Certificate** or **Site** within the **PinRules** element.
+- Skips any attributes not matching the above names for each element type.
+
+Use the **certutil** command with the **generatePinRulesCTL** argument along with your XML file that contains your certificate pinning rules.
+Lastly, provide the name of an output file that will include your certificate pinning rules in the form of a certificate trust list.
+
+```code
+certutil -generatePinRulesCTL certPinRules.xml pinrules.stl
+```
+
+### Applying Certificate Pinning Rules to a Reference Computer
+
+Now that your certificate pinning rules are in the certificate trust list format, you need to apply the settings to a reference computer as a prerequisite to deploying the setting to your enterprise.
+To simplify the deployment configuration, it is best to apply your certificate pinning rules to a computer that has the Group Policy Management Console (GPMC) that is include in the Remote Server Administration Tools (RSAT).
+
+Use **certutil.exe** to apply your certificate pinning rules to your reference computer using the **setreg** argument.
+The **setreg** argument takes a secondary argument that determines the location of where certutil writes the certificate pining rules.
+This secondary argument is **chain\PinRules**.
+The last argument you provide is the name of file that contains your certificate pinning rules in certificate trust list format (.stl).
+You’ll pass the name of the file as the last argument; however, you need to prefix the file name with the '@' symbol as shown in the following example.
+You need to perform this command from an elevated command prompt.
+
+```code
+Certutil -setreg chain\PinRules @pinrules.stl
+```
+
+Certutil writes the binary information to the following registration location:
+
+| Name | Value |
+|------|-------|
+| Key | HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CertDllCreateCertificateChainEngine\Config |
+| Name | PinRules |
+| Value | Binary contents from the certificate pin rules certificate trust list file |
+| Data type | REG_BINARY |
+
+![Registry binary information](images/enterprise-pinning-registry-binary-information.png)
+
+### Deploying Enterprise Pin Rule Settings using Group Policy
+
+You’ve successfully created a certificate pinning rules XML file.
+From the XML file you have created a certificate pinning trust list file, and you have applied the contents of that file to your reference computer from which you can run the Group Policy Management Console.
+Now you need to configure a Group Policy object to include the applied certificate pin rule settings and deploy it to your environment.
+
+Sign-in to the reference computer using domain administrator equivalent credentials.
+
+1. Start the **Group Policy Management Console** (gpmc.msc)
+2. In the navigation pane, expand the forest node and then expand the domain node.
+3. Expand the node that has contains your Active Directory’s domain name
+4. Select the **Group Policy objects** node. Right-click the **Group Policy objects** node and click **New**.
+5. In the **New GPO** dialog box, type _Enterprise Certificate Pinning Rules_ in the **Name** text box and click **OK**.
+6. In the content pane, right-click the **Enterprise Certificate Pinning Rules** Group Policy object and click **Edit**.
+7. In the **Group Policy Management Editor**, in the navigation pane, expand the **Preferences** node under **Computer Configuration**. Expand **Windows Settings**.
+8. Right-click the **Registry** node and click **New**.
+9. In the **New Registry Properties** dialog box, select **Update** from the **Action** list. Select **HKEY_LOCAL_MACHINE** from the **Hive** list.
+10. For the **Key Path**, click **…** to launch the **Registry Item Browser**. Navigate to the following registry key and select the **PinRules** registry value name:
+ HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CertDllCreateCertificateChainEngine\Config
+ Click **Select** to close the **Registry Item Browser**.
+11. The **Key Path** should contain the selected registry key. The **Value name** configuration should contain the registry value name **_PinRules_**.
**Value type** should read **_REGBINARY_** and **Value data** should contain a long series of numbers from 0-9 and letters ranging from A-F (hexadecimal). Click **OK** to save your settings and close the dialog box.
+
+ ![PinRules Properties](images/enterprise-certificate-pinning-pinrules-properties.png)
+
+12. Close the **Group Policy Management Editor** to save your settings.
+13. Link the **Enterprise Certificate Pinning Rules** Group Policy object to apply to computers that run Windows 10, version 1703 in your enterprise. When these domain-joined computers apply Group Policy, the registry information configured in the Group Policy object is applied to the computer.
+
+## Additional Pin Rules Logging
+
+To assist in constructing certificate pinning rules, you can configure the **PinRulesLogDir** setting under the certificate chain configuration registry key to include a parent directory to log pin rules.
+
+```code
+HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CertDllCreateCertificateChainEngine\Config
+```
+
+| Name | Value |
+|------|-------|
+| Key | HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CertDllCreateCertificateChainEngine\Config |
+| Name | PinRulesLogDir |
+| Value | The Parent directory where Windows should write the additional pin rule logs |
+| Data type | REG_SZ |
+
+### Permission for the Pin Rule Log Folder
+
+The folder in which Windows writes the additional pin rule logs must have permissions so that all users and applications have full access.
+You can run the following commands from an elevated command prompt to achieved the proper permissions.
+
+```code
+set PinRulesLogDir=c:\PinRulesLog
+mkdir %PinRulesLogDir%
+icacls %PinRulesLogDir% /grant *S-1-15-2-1:(OI)(CI)(F)
+icacls %PinRulesLogDir% /grant *S-1-1-0:(OI)(CI)(F)
+icacls %PinRulesLogDir% /grant *S-1-5-12:(OI)(CI)(F)
+icacls %PinRulesLogDir% /inheritance:e /setintegritylevel (OI)(CI)L
+```
+
+Whenever an application verifies a TLS/SSL certificate chain that contains a server name matching a DNS name in the server certificate, Windows writes a .p7b file consisting of all the certificates in the server’s chain to one of three child folders:
+
+- AdminPinRules
+ Matched a site in the enterprise certificate pinning rules.
+- AutoUpdatePinRules
+ Matched a site in the certificate pinning rules managed by Microsoft.
+- NoPinRules
+ Didn’t match any site in the certificate pin rules.
+
+The output file name consists of the leading 8 ASCII hex digits of the root’s SHA1 thumbprint followed by the server name.
+For example:
+
+- D4DE20D0_xsi.outlook.com.p7b
+- DE28F4A4_www.yammer.com.p7b
+
+If there is either an enterprise certificate pin rule or Microsoft certificate pin rule mismatch, then Windows writes the .p7b file to the **MismatchPinRules** child folder.
+If the pin rules have expired, then Windows writes the .p7b to the **ExpiredPinRules** child folder.
+
+## Representing a Date in XML
+
+Many attributes within the pin rules xml file are dates.
+These dates must be properly formatted and represented in UTC.
+You can use Windows PowerShell to format these dates.
+You can then copy and paste the output of the cmdlet into the XML file.
+
+![Representing a date](images/enterprise-certificate-pinning-representing-a-date.png)
+
+For simplicity, you can truncate decimal point (.) and the numbers after it.
+However, be certain to append the uppercase “Z” to the end of the XML date string.
+ +```code +2015-05-11T07:00:00.2655691Z +2015-05-11T07:00:00Z +``` + +## Converting an XML Date + +You can also use Windows PowerShell to validate convert an XML date into a human readable date to validate it’s the correct date. + +![Converting an XML date](images/enterprise-certificate-pinning-converting-an-xml-date.png) + +## Representing a Duration in XML + +Some elements may be configured to use a duration rather than a date. +You must represent the duration as an XML timespan data type. +You can use Windows PowerShell to properly format and validate durations (timespans) and copy and paste them into your XML file. + +![Representing a duration](images/enterprise-certificate-pinning-representing-a-duration.png) + +## Converting an XML Duration + +You can convert a XML formatted timespan into a timespan variable that you can read. + +![Converting an XML duration](images/enterprise-certificate-pinning-converting-a-duration.png) + +## Certificate Trust List XML Schema Definition (XSD) + +```code + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + + + + + + + + + diff --git a/windows/keep-secure/evaluate-windows-defender-antivirus.md b/windows/keep-secure/evaluate-windows-defender-antivirus.md new file mode 100644 index 0000000000..af84e29eb5 --- /dev/null +++ b/windows/keep-secure/evaluate-windows-defender-antivirus.md 
@@ -0,0 +1,51 @@
+---
+title: Evaluate Windows Defender Antivirus
+description: Businesses of all sizes can use this guide to evaluate and test the protection offered by Windows Defender Antivirus in Windows 10.
+keywords: windows defender antivirus, cloud protection, cloud, antimalware, security, defender, evaluate, test, protection, compare, real-time protection
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Evaluate Windows Defender Antivirus protection
+
+
+**Applies to:**
+
+- Windows 10, version 1703
+
+**Audience**
+
+- Enterprise security administrators
+
+
+If youre an enterprise security administrator, and you want to determine how well Windows Defender Antivirus protects you from viruses, malware, and potentially unwanted applications, then you can use this guide to help you evaluate Microsoft protection.
+
+It explains the important features available for both small and large enterprises in Windows Defender, and how they will increase malware detection and protection across your network.
+
+You can choose to configure and evaluate each setting independently, or all at once. We have grouped similar settings based upon typical evaluation scenarios, and include instructions for using PowerShell to enable the settings.
+
+The guide is available in PDF format for offline viewing:
+- [Download the guide in PDF format](https://www.microsoft.com/download/details.aspx?id=54795)
+
+You can also download a PowerShell that will enable all the settings described in the guide automatically.
You can obtain the script alongside the PDF download above, or individually from PowerShell Gallery:
+- [Download the PowerShell script to automatically configure the settings](https://www.powershellgallery.com/packages/WindowsDefender_InternalEvaluationSettings/1.0/DisplayScript)
+
+> [!IMPORTANT]
+> The guide is currently intended for single-machine evaluation of Windows Defender Antivirus protection. Enabling all of the settings in this guide may not be suitable for real-world deployment.
+>
+> For the latest recommendations for real-world deployment and monitoring of Windows Defender Antivirus across a network, see the [Deploy, manage, and report](deploy-manage-report-windows-defender-antivirus.md) topic in this library.
+
+
+## Related topics
+
+- [Windows Defender Antivirus](windows-defender-in-windows-10.md)
+- [Deploy, manage, and report](deploy-manage-report-windows-defender-antivirus.md)
+
+
+
diff --git a/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md b/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md
index 2c68fb6704..c32cb54316
--- a/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md
@@ -25,7 +25,7 @@ localizationpriority: high You can review event IDs in the [Event Viewer](https://msdn.microsoft.com/library/aa745633(v=bts.10).aspx) on individual endpoints. -For example, if endpoints are not appearing in the **Machines view** list, you might need to look for event IDs on the endpoints. You can then use this table to determine further troubleshooting steps. +For example, if endpoints are not appearing in the **Machines list** list, you might need to look for event IDs on the endpoints. You can then use this table to determine further troubleshooting steps. > [!NOTE] > It can take several days for endpoints to begin reporting to the Windows Defender ATP service. @@ -192,8 +192,8 @@ See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defen 27 -Windows Defender Advanced Threat Protection service failed to enable SENSE aware mode in Windows Defender. Onboarding process failed. Failure code: ```variable```. -Normally, Windows Defender will enter a special passive state if another real-time antimalware product is running properly on the endpoint, and the endpoint is reporting to Windows Defender ATP. +Windows Defender Advanced Threat Protection service failed to enable SENSE aware mode in Windows Defender Antivirus. Onboarding process failed. Failure code: ```variable```. +Normally, Windows Defender Antivirus will enter a special passive state if another real-time antimalware product is running properly on the endpoint, and the endpoint is reporting to Windows Defender ATP. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
        See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).
        Ensure real-time antimalware protection is running properly. @@ -208,8 +208,8 @@ See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defen 30 -Windows Defender Advanced Threat Protection service failed to disable SENSE aware mode in Windows Defender. Failure code: ```variable```. -Normally, Windows Defender will enter a special passive state if another real-time antimalware product is running properly on the endpoint, and the endpoint is reporting to Windows Defender ATP. +Windows Defender Advanced Threat Protection service failed to disable SENSE aware mode in Windows Defender Antivirus. Failure code: ```variable```. +Normally, Windows Defender Antivirus will enter a special passive state if another real-time antimalware product is running properly on the endpoint, and the endpoint is reporting to Windows Defender ATP. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
        See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
        Ensure real-time antimalware protection is running properly.
diff --git a/windows/keep-secure/experiment-custom-ti-windows-defender-advanced-threat-protection.md b/windows/keep-secure/experiment-custom-ti-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..670b72a6d5
--- /dev/null
+++ b/windows/keep-secure/experiment-custom-ti-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,84 @@
+---
+title: Experiment with custom threat intelligence alerts
+description: Use this end-to-end guide to start using the Windows Defender ATP threat intelligence API.
+keywords: alert definitions, indicators of compromise, threat intelligence, custom threat intelligence, rest api, api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+localizationpriority: high
+---
+
+# Experiment with custom threat intelligence (TI) alerts
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+With the Windows Defender ATP threat intelligence API, you can create custom threat intelligence alerts that can help you keep track of possible attack activities in your organization.
+
+For more information about threat intelligence concepts, see [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md).
+
+This article demonstrates an end-to-end usage of the threat intelligence API to get you started in using the threat intelligence API.
+
+You'll be guided through sample steps so you can experience how the threat intelligence API feature works. Sample steps include creating alerts definitions and indicators of compromise (IOCs), and examples of how triggered custom TI alerts look like.
+
+## Step 1: Enable the threat intelligence API and obtain authentication details
+To use the threat intelligence API feature, you'll need to enable the feature. For more information, see [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md).
+
+This step is required to generate security credentials that you need to use while working with the API.
+
+## Step 2: Create a sample alert definition and IOCs
+This step will guide you in creating an alert definition and an IOC for a malicious IP.
+
+1. Open a Windows PowerShell ISE.
+
+2. Copy and paste the following PowerShell script. This script will upload a sample alert definition and IOC to Windows Defender ATP which you can use to generate an alert.
+
+ NOTE:
        + Make sure you replace the `authUrl`, `clientId`, and `clientSecret` values with your details which you saved in when you enabled the threat intelligence application.
+
+ [!code[ExampleScript](./code/example-script.ps1#L1-L60)]
+
+3. Run the script and verify that the operation succeeded in the results the window. Wait up to 20 minutes until the new or updated alert definition propagates to the detection engines.
+
+ ![Image of the script running](images/atp-running-script.png)
+
+ NOTE:
        + If you get the exception “The remote server returned an error: (407) Proxy Authentication Required", you need to add the proxy configuration by adding the following code to the PowerShell script:
+
+ ```syntax
+ $webclient=New-Object System.Net.WebClient
+ $creds=Get-Credential
+ $webclient.Proxy.Credentials=$creds
+ ```
+
+## Step 3: Simulate a custom TI alert
+This step will guide you in simulating an event in connection to a malicious IP that will trigger the Windows Defender ATP custom TI alert.
+
+1. Open a Windows PowerShell ISE in the machine you onboarded to Windows Defender ATP.
+
+2. Type `Invoke-WebRequest 52.184.197.12` in the editor and click **Run**. This call will generate a network communication event to a Microsoft's dedicated demo server that will raise an alert based on the custom alert definition.
+
+ ![Image of editor with command to Invoke-WebRequest](images/atp-simulate-custom-ti.png)
+
+## Step 4: Explore the custom alert in the portal
+This step will guide you in exploring the custom alert in the portal.
+
+1. Open the [Windows Defender ATP portal](http: /securitycenter.windows.com/) on a browser.
+
+2. Log in with your Windows Defender ATP credentials.
+
+3. The dashboard should display the custom TI alert for the victim machine resulting from the simulated attack.
+
+ ![Image of sample custom ti alert in the portal](images/atp-sample-custom-ti-alert.png)
+
+> [!NOTE]
+> It can take up to 15 minutes for the alert to appear in the portal.
diff --git a/windows/keep-secure/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md b/windows/keep-secure/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
index 749d25c114..0e7e6fa111
--- a/windows/keep-secure/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
@@ -21,8 +21,6 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] - Machines that are categorized as misconfigured or inactive can be flagged due to varying causes. This section provides some explanations as to what might have caused a machine to be categorized as inactive or misconfigured. ## Inactive machines @@ -36,7 +34,7 @@ If the machine has not been in use for more than 7 days for any reason, it will A reinstalled or renamed machine will generate a new machine entity in Windows Defender ATP portal. The previous machine entity will remain with an ‘Inactive’ status in the portal. If you reinstalled a machine and deployed the Windows Defender ATP package, search for the new machine name to verify that the machine is reporting normally. **Machine was offboarded**
        -If the machine was offboarded it will still appear in machines view. After 7 days, the machine health state should change to inactive. +If the machine was offboarded it will still appear in machines list. After 7 days, the machine health state should change to inactive. Do you expect a machine to be in ‘Active’ status? [Open a CSS ticket](https://support.microsoft.com/en-us/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636206786382823561). @@ -60,7 +58,7 @@ If you took corrective actions and the machine status is still misconfigured, [o ### No sensor data A misconfigured machine with status ‘No sensor data’ has communication with the service but can only report partial sensor data. -Follow theses actions to correct known issues related to a misconfigured machine with status ‘Impaired communication’: +Follow theses actions to correct known issues related to a misconfigured machine with status ‘No sensor data’: - [Ensure the endpoint has Internet connection](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-endpoint-has-an-internet-connection)
        The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Windows Defender ATP service. diff --git a/windows/keep-secure/general-settings-windows-defender-advanced-threat-protection.md b/windows/keep-secure/general-settings-windows-defender-advanced-threat-protection.md index b8021ab337..d53c76fc27 100644 --- a/windows/keep-secure/general-settings-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/general-settings-windows-defender-advanced-threat-protection.md @@ -23,14 +23,16 @@ localizationpriority: high During the onboarding process, a wizard takes you through the general settings of Windows Defender ATP. After onboarding, you might want to update some settings which you'll be able to do through the **Preferences setup** menu. 1. In the navigation pane, select **Preferences setup** > **General**. + 2. Modify settings such as data retention policy or the industry that best describes your organization. - >[!NOTE] - >Other settings are not editable. + > [!NOTE] + > Other settings are not editable. + 3. Click **Save preferences**. ## Related topics -- [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advacned-threat-protection.md) +- [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advanced-threat-protection.md) - [Turn on the preview experience in Windows Defender ATP ](preview-settings-windows-defender-advanced-threat-protection.md) - [Configure email notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/get-started-with-windows-defender-for-windows-10.md b/windows/keep-secure/get-started-with-windows-defender-for-windows-10.md index f7c920bb4f..e9c2b82470 100644 --- a/windows/keep-secure/get-started-with-windows-defender-for-windows-10.md 
+++ b/windows/keep-secure/get-started-with-windows-defender-for-windows-10.md 
@@ -8,183 +8,9 @@ ms.sitesec: library
 ms.pagetype: security
 localizationpriority: medium
 author: jasesso
+redirect_url: /deploy-manage-report-windows-defender-antivirus/
 ---
 # Update and manage Windows Defender in Windows 10
-**Applies to**
-- Windows 10
-
-IT professionals can manage Windows Defender on Windows 10 endpoints in their organization using Microsoft Active Directory or Windows Server Update Services (WSUS), apply updates to endpoints, and manage scans using:
-
-- Group Policy Settings
-- Windows Management Instrumentation (WMI)
-- PowerShell
-
-## Manage Windows Defender endpoints through Active Directory and WSUS
-
-All Windows 10 endpoints are installed with Windows Defender and include support for management through:
-- Active Directory
-- WSUS
-
-You can use the Active Directory to configure the settings; Group policies can be used for centralized configuration and enforcement of many Windows Defender settings including client user interface, scan settings, and exclusions.
-WSUS can be used to view basic update compliance and deploy updates manually or through automatic rules.
-
-Note that System Center 2012 R2 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, and Microsoft Intune can provide centralized management of Windows Defender, including:
-
-- Settings management
-- Definition update management
-- Alerts and alert management
-- Reports and reporting
-
-When you enable *Endpoint Protection* on your clients, it will install an additional management layer on Windows Defender to manage the in-box Windows Defender agent. While the client user interface will still appear as Windows Defender, the management layer for System Center Endpoint Protection or Intune will be listed in the **Add/Remove Programs** control panel, though it will appear as if the full product is installed.
Learn more about managing *Endpoint Protection*:
-
-- [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://technet.microsoft.com/library/dn646970.aspx)
-- [Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508760.aspx)
-
-Read more about System Center Configuration Manager in [Introduction to Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508781.aspx).
-> **Important:**  You must be licensed to use *Endpoint Protection* to manage clients in your Configuration Manager hierarchy.
- 
-## Apply updates to Windows Defender endpoints
-
-It is important to keep Windows Defender endpoints updated to ensure they are protected. All Windows Defender updates, including General Distribution Release (GDR) updates, are now applied as operating system updates.
-You can manage the distribution of updates through the [Windows Server Update Services (WSUS)](https://technet.microsoft.com/windowsserver/bb332157).
-
-## Manage email scans in Windows Defender
-
-You can use Windows Defender to scan email files. Malware can install itself and hide in email files, and although real-time protection offers you the best protection from email malware, you can also scan emails stored on your PC or server with Windows Defender.
-> **Important:**  Mail scanning only applies to on-demand and scheduled scans, not on-access scans.
- 
-Windows Defender scans Microsoft Office Outlook 2003 and older email files. We identify the file type at run-time based on the content of the file, not on location or extension.
-> **Note: **  Scanning email files might increase the time required to complete a scan.
- 
-Windows Defender can extract embedded objects within a file (attachments and archived files, for example) and scan internally.
-> **Note:**  While Windows Defender can be configured to scan email files, it can only remediate threats detected inside certain files, for example:
-- DBX
-- MBX
-- MIME
- 
-You can configure Windows Defender to scan PST files used by Outlook 2003 or older versions (where the archive type is set to non-uni-code), but Windows Defender cannot remediate threats detected inside PST files. We recommend using real-time protection to protect against email malware.
-
-If Windows Defender detects a threat inside an email, it will show you the following information to assist you in identifying the compromised email, so you can remediate the threat:
-- Email subject
-- Attachment name
-Email scanning in Windows Defender is turned off by default. There are three ways you can manage scans through Windows Defender:
-- *Group Policy* settings
-- WMI
-- PowerShell
-> **Important:**  There are some risks associated with scanning some Microsoft Outlook files and email messages. You can read about tips and risks associated with scanning Outlook files and email messages in the following articles:
-- [Scanning Outlook files in Outlook 2013](https://technet.microsoft.com/library/dn769141.aspx#bkmk-1)
-- [Scanning email messages in Outlook 2013](https://technet.microsoft.com/library/dn769141.aspx#bkmk-2)
- 
-## Use *Group Policy* settings to enable email scans
-
-This policy setting allows you to turn on email scanning. When email scanning is enabled, the engine will parse the mailbox and mail files to analyze the mail bodies and attachments.
-
-Turn on email scanning with the following *Group Policy* settings:
-1. Open the **Group Policy Editor**.
-2. In the **Local Computer Policy** tree, expand **Computer Configuration**, then **Administrative Templates**, then **Windows Components**, then **Windows Defender**.
-3. Click **Scan**.
-4. Double-click **Turn on e-mail scanning**.
-
- This will open the **Turn on e-mail scanning** window:
-
- ![turn on e-mail scanning window](images/defender-scanemailfiles.png)
-
-5. Select **Enabled**.
-6. Click **OK** to apply changes.
-
-## Use WMI to disable email scans
-
-You can write a WMI script or application to disable email scanning. Read more about [WMI in this article](https://msdn.microsoft.com/library/windows/desktop/dn439477.aspx), and read about [Windows Preference classes in this article](https://msdn.microsoft.com/library/windows/desktop/dn455323.aspx).
-
-Use the **DisableEmailScanning** property of the **MSFT\_MpPreference** class (part of the Windows DefenderWMI provider) to enable or disable this setting:
-**DisableEmailScanning**
-Data type: **boolean**
-Access type: Read-only
-Disable email scanning.
-
-## Use PowerShell to enable email scans
-
-You can also enable email scanning using the following PowerShell parameter:
-1. Open PowerShell or PowerShellIntegrated Scripting Environment (ISE).
-2. Type **Set-MpPreference -DisableEmailScanning $false**.
-
-Read more about this in:
-- [Scripting with Windows PowerShell](https://technet.microsoft.com/library/bb978526.aspx)
-- [Defender Cmdlets](https://technet.microsoft.com/library/dn433280.aspx)
-
-## Manage archive scans in Windows Defender
-
-You can use Windows Defender to scan archive files. Malware can install itself and hide in archive files, and although real-time protection offers you the best protection from malware, you can also scan archives stored on your PC or server with Windows Defender.
-> **Important:**  Archive scanning only applies to on-demand and scheduled scans, not on-access scans.
- 
-Archive scanning in Windows Defender is turned on by default. There are four ways you can manage scans through Windows Defender:
-- *Group Policy* settings
-- WMI
-- PowerShell
-- Endpoint Protection
-> **Note:**  Scanning archive files might increase the time required to complete a scan.
- 
-If you exclude an archive file type by using the **Extensions** box, Windows Defender will not scan files with that extension (no matter what the content is), even when you have selected the **Scan archive files** check box. For example, if you exclude .rar files but there’s a .r00 file that’s actually .rar content, it will still be scanned if archive scanning is enabled.
-
-## Use *Group Policy* settings to enable archive scans
-
-This policy setting allows you to turn on archive scanning.
-
-Turn on email scanning with the following *Group Policy* settings:
-1. Open the **Group Policy Editor**.
-2. In the **Local Computer Policy** tree, expand **Computer Configuration**, then **Administrative Templates**, then **Windows Components**, then **Windows Defender**.
-3. Click **Scan**.
-4. Double-click **Scan archive files**.
-
- This will open the **Scan archive files** window:
-
- ![scan archive files window](images/defender-scanarchivefiles.png)
-
-5. Select **Enabled**.
-6. Click **OK** to apply changes.
-
-There are a number of archive scan settings in the **Scan** repository you can configure through *Group Policy*, for example:
-- Maximum directory depth level into which archive files are unpacked during scanning
-
- ![specify the maximum depth to scan archive files window](images/defender-scanarchivedepth.png)
-
-- Maximum size of archive files that will be scanned
-
- ![specify the maximum size of archive files to be scanned window](images/defender-scanarchivesize.png)
-
-- Maximum percentage CPU utilization permitted during a scan
-
- ![specify the maximum percentage od cpu utilization during a scan window](images/defender-scanarchivecpu.png)
-
-## Use WMI to disable archive scans
-
-You can write a WMI script or application to disable archive scanning.
Read more about [WMI in this article](https://msdn.microsoft.com/library/windows/desktop/dn439477.aspx), and read about [Windows Preference classes in this article](https://msdn.microsoft.com/library/windows/desktop/dn455323.aspx).
-
-Use the **DisableArchiveScanning** property of the **MSFT\_MpPreference** class (part of the Windows DefenderWMI provider) to enable or disable this setting:
-**DisableArchiveScanning**
-Data type: **boolean**
-Access type: Read-only
-Disable archive scanning.
-
-## Use PowerShell to enable archive scans
-
-You can also enable archive scanning using the following PowerShell parameter:
-1. Open PowerShell or PowerShellISE.
-2. Type **Set-MpPreference -DisableArchiveScanning $false**.
-
-Read more about this in:
-- [Scripting with Windows PowerShell](https://technet.microsoft.com/library/bb978526.aspx)
-- [Defender Cmdlets](https://technet.microsoft.com/library/dn433280.aspx)
-
-## Use Endpoint Protection to configure archive scans
-
-In Endpoint Protection, you can use the advanced scanning options to configure archive scanning. For more information, see [What are advanced scanning options?](https://technet.microsoft.com/library/ff823807.aspx)
-
-## Related topics
-
-- [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md)
-- [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)
- 
- 
+This page has been redirected to *Windows Defender Antivirus in Windows 10*.
diff --git a/windows/keep-secure/hello-and-password-changes.md b/windows/keep-secure/hello-and-password-changes.md
index dc6bb1e021..336c82005d 100644
--- a/windows/keep-secure/hello-and-password-changes.md
+++ b/windows/keep-secure/hello-and-password-changes.md
@@ -41,7 +41,6 @@ Suppose instead that you sign in on **Device B** and change your password for yo
 - [Windows Hello for Business](hello-identity-verification.md)
 - [How Windows Hello for Business works](hello-how-it-works.md)
 - [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
-- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md)
 - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
 - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
 - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
diff --git a/windows/keep-secure/hello-biometrics-in-enterprise.md b/windows/keep-secure/hello-biometrics-in-enterprise.md
index caf9da8a9b..c57043af82 100644
--- a/windows/keep-secure/hello-biometrics-in-enterprise.md
+++ b/windows/keep-secure/hello-biometrics-in-enterprise.md
@@ -79,7 +79,6 @@ To allow facial recognition, you must have devices with integrated special infra
 - [Windows Hello for Business](hello-identity-verification.md)
 - [How Windows Hello for Business works](hello-how-it-works.md)
 - [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
-- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md)
 - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
 - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
 - [Windows Hello and password changes](hello-and-password-changes.md)
diff --git a/windows/keep-secure/hello-enable-phone-signin.md b/windows/keep-secure/hello-enable-phone-signin.md
deleted file mode 100644
index b325dd3b58..0000000000
--- a/windows/keep-secure/hello-enable-phone-signin.md
+++ /dev/null
@@ -1,84 +0,0 @@
----
-title: Enable phone sign-in to PC or VPN (Windows 10)
-description: You can set policies to allow your users to sign in to a PC or VPN using their Windows 10 phone.
-keywords: ["identity", "PIN", "biometric", "Hello"]
-ms.prod: W10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-author: DaniHalfin
-localizationpriority: high
----
-
-# Enable phone sign-in to PC or VPN
-
-
-**Applies to**
-
-- Windows 10
-- Windows 10 Mobile
-
-In Windows 10, version 1607, your network users can use Windows Phone with Windows Hello to sign in to a PC, connect to VPN, and sign in to Office 365 in a browser. Phone sign-in uses Bluetooth, which means no need to wait for a phone call -- just unlock the phone and tap the app.
-
-![Sign in to a device](images/phone-signin-menu.png)
-
-> [!NOTE]
-> Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
-
-You can create a Group Policy or mobile device management (MDM) policy that will allow users to sign in to a work PC or their company's VPN using the credentials stored on their Windows 10 phone.
-
- ## Prerequisites
-
- - Both phone and PC must be running Windows 10, version 1607.
- - The PC must be running Windows 10 Pro, Enterprise, or Education
- - Both phone and PC must have Bluetooth.
- - The **Microsoft Authenticator** app must be installed on the phone.
- - The PC must be joined to an Active Directory domain that is connected to an Azure Active Directory (Azure AD) domain, or the PC must be joined to Azure AD.
- - The phone must be joined to Azure AD or have a work account added.
- - The VPN configuration profile must use certificate-based authentication.
-
-## Set policies
-
-To enable phone sign-in, you must enable the following policies using Group Policy or MDM.
-
-- Group Policy: **Computer Configuration** or **User Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**
- - Enable **Use Windows Hello for Business**
- - Enable **Phone Sign-in**
-- MDM:
- - Set **UsePassportForWork** to **True**
- - Set **Remote\UseRemotePassport** to **True**
-
-## Configure VPN
-
-To enable phone sign-in to VPN, you must enable the [policy](#set-policies) for phone sign-in and ensure that VPN is configured as follows:
-
-- For inbox VPN, set up the VPN profile with Extensible Authentication Protocol (EAP) with the **Smart card or other certificate (TLS)** EAP type, also known as EAP-Transport Level Security (EAP-TLS). To exclusively access the VPN certificates on the phone, in the EAP filtering XML, add either **EKU** or **Issuer** (or both) filtering to make sure it picks only the Remote NGC certificate.
-- For a Universal Windows Platform (UWP) VPN plug-in, add filtering criteria based on the 3rd party mechanism for the Remote NGC Certificate.
-
-## Get the app
-
-If you want to distribute the **Microsoft Authenticator** app, your organization must have set up Windows Store for Business, with Microsoft added as a [Line of Business (LOB) publisher](../manage/working-with-line-of-business-apps.md).
-
-[Tell people how to sign in using their phone.](hello-prepare-people-to-use.md#bmk-remote)
-
-
-## Related topics
-
-- [Windows Hello for Business](hello-identity-verification.md)
-- [How Windows Hello for Business works](hello-how-it-works.md)
-- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
-- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
-- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
-- [Windows Hello and password changes](hello-and-password-changes.md)
-- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
-- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
-- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
-
-
- 
-
- 
-
-
-
-
-
diff --git a/windows/keep-secure/hello-errors-during-pin-creation.md b/windows/keep-secure/hello-errors-during-pin-creation.md
index 98dce6bbda..b9f0619b20 100644
--- a/windows/keep-secure/hello-errors-during-pin-creation.md
+++ b/windows/keep-secure/hello-errors-during-pin-creation.md
@@ -225,7 +225,6 @@ For errors listed in this table, contact Microsoft Support for assistance.
 - [Windows Hello for Business](hello-identity-verification.md)
 - [How Windows Hello for Business works](hello-how-it-works.md)
 - [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
-- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md)
 - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
 - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
 - [Windows Hello and password changes](hello-and-password-changes.md)
diff --git a/windows/keep-secure/hello-event-300.md b/windows/keep-secure/hello-event-300.md
index a59c57e6be..1eecd8dd53 100644
--- a/windows/keep-secure/hello-event-300.md
+++ b/windows/keep-secure/hello-event-300.md
@@ -37,7 +37,6 @@ This is a normal condition. No further action is required.
 - [Windows Hello for Business](hello-identity-verification.md)
 - [How Windows Hello for Business works](hello-how-it-works.md)
 - [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
-- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md)
 - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
 - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
 - [Windows Hello and password changes](hello-and-password-changes.md)
diff --git a/windows/keep-secure/hello-how-it-works.md b/windows/keep-secure/hello-how-it-works.md
index 8a3c433fa4..379783c65a 100644
--- a/windows/keep-secure/hello-how-it-works.md
+++ b/windows/keep-secure/hello-how-it-works.md
@@ -14,7 +14,7 @@ localizationpriority: high
 - Windows 10
 - Windows 10 Mobile
-TWindows Hello for Business requires a registered device. When the device is set up, its user can use the device to authenticate to services. This topic explains how device registration works, what happens when a user requests authentication, how key material is stored and processed, and which servers and infrastructure components are involved in different parts of this process.
+Windows Hello for Business requires a registered device. When the device is set up, its user can use the device to authenticate to services. This topic explains how device registration works, what happens when a user requests authentication, how key material is stored and processed, and which servers and infrastructure components are involved in different parts of this process.
 ## Register a new user or device
@@ -112,10 +112,9 @@ Windows Hello depends on having compatible IDPs available to it. As of this writ
 - [Windows Hello for Business](hello-identity-verification.md)
 - [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
-- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md)
 - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
 - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
 - [Windows Hello and password changes](hello-and-password-changes.md)
 - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
 - [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
-- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
\ No newline at end of file
+- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
diff --git a/windows/keep-secure/hello-identity-verification.md b/windows/keep-secure/hello-identity-verification.md
index c13f490b56..063ed2cfe2 100644
--- a/windows/keep-secure/hello-identity-verification.md
+++ b/windows/keep-secure/hello-identity-verification.md
@@ -72,10 +72,6 @@ Imagine that someone is looking over your shoulder as you get money from an ATM
 Windows Hello helps protect user identities and user credentials. Because the user doesn't enter a password (except during provisioning), it helps circumvent phishing and brute force attacks. It also helps prevent server breaches because Windows Hello credentials are an asymmetric key pair, which helps prevent replay attacks when these keys are protected by TPMs.
-For customers using a hybrid Active Directory and Azure Active Directory environment, Windows Hello also enables Windows 10 Mobile devices to be used as [a remote credential](hello-prepare-people-to-use.md#bmk-remote) when signing into Windows 10 PCs. During the sign-in process, the Windows 10 PC can connect using Bluetooth to access Windows Hello on the user’s Windows 10 Mobile device. Because users carry their phone with them, Windows Hello makes implementing two-factor authentication across the enterprise less costly and complex than other solutions.
-
-> [!NOTE]
->  Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.  
 ## How Windows Hello for Business works: key points
@@ -119,7 +115,6 @@ Windows Hello for Business can use either keys (hardware or software) or certifi
 - [How Windows Hello for Business works](hello-how-it-works.md)
 - [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
-- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md)
 - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
 - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
 - [Windows Hello and password changes](hello-and-password-changes.md)
diff --git a/windows/keep-secure/hello-manage-in-organization.md b/windows/keep-secure/hello-manage-in-organization.md
index beca5f89e3..44cef02636 100644
--- a/windows/keep-secure/hello-manage-in-organization.md
+++ b/windows/keep-secure/hello-manage-in-organization.md
@@ -131,16 +131,12 @@ The following table lists the Group Policy settings that you can configure for W
-Phone Sign-in
+>Phone Sign-in

        Use Phone Sign-in

        -
        Note  Applies to desktop only. Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
        -
         
        -

        Not configured: Phone sign-in is disabled.

        -

        Enabled: Users can use a portable, registered device as a companion device for desktop authentication.

        -

        Disabled: Phone sign-in is disabled.

        +

        Not currently supported.
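Review bot: The replaced table cell on the `+>Phone Sign-in` line gains a stray leading `>` that the removed `-Phone Sign-in` line did not have, so the rendered Group Policy table will show the setting name as `>Phone Sign-in`. The table's HTML markup appears to have been stripped in this view, so I infer the intended cell text is simply `Phone Sign-in`; change the line to that. Separately, collapsing the Not configured/Enabled/Disabled descriptions into `Not currently supported.` leaves an administrator who already deployed the policy unsure whether an existing Enabled value is ignored; if that behavior is known, one sentence stating it on that line would close the gap.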

        @@ -283,14 +279,11 @@ The following table lists the MDM policy settings that you can configure for Win
 Remote

        UseRemotePassport

        -
        Note  Applies to desktop only. Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
        -
         
        Device or user False -

        True: Phone sign-in is enabled.

        -

        False: Phone sign-in is disabled.

        +

        Not currently supported.

        @@ -381,7 +374,6 @@ If you want to use Windows Hello for Business with certificates, you’ll need a
 - [Windows Hello for Business](hello-identity-verification.md)
 - [How Windows Hello for Business works](hello-how-it-works.md)
-- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md)
 - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
 - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
 - [Windows Hello and password changes](hello-and-password-changes.md)
diff --git a/windows/keep-secure/hello-prepare-people-to-use.md b/windows/keep-secure/hello-prepare-people-to-use.md
index 41c323ada1..8426ced11d 100644
--- a/windows/keep-secure/hello-prepare-people-to-use.md
+++ b/windows/keep-secure/hello-prepare-people-to-use.md
@@ -51,56 +51,13 @@ If your policy allows it, people can use biometrics (fingerprint, iris, and faci ![sign in to windows, apps, and services using fingerprint or face](images/hellosettings.png) -## Use a phone to sign in to a PC or VPN -If your enterprise enables phone sign-in, users can pair a phone running Windows 10 Mobile to a PC running Windows 10 and then use an app on the phone to sign in to the PC using their Windows Hello credentials. - -> [!NOTE] -> Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants. - -  -**Prerequisites:** - -- Both phone and PC must be running Windows 10, version 1607. -- The PC must be running Windows 10 Pro, Enterprise, or Education -- Both phone and PC must have Bluetooth. -- The **Microsoft Authenticator** app must be installed on the phone. -- The PC must be joined to an Active Directory domain that is connected to an Azure Active Directory (Azure AD) domain, or the PC must be joined to Azure AD. -- The phone must be joined to Azure AD or have a work account added. -- The VPN configuration profile must use certificate-based authentication. - -**Pair the PC and phone** - -1. On the PC, go to **Settings** > **Devices** > **Bluetooth**. Tap the name of the phone and then tap **Pair** to begin pairing. - - ![bluetooth pairing](images/btpair.png) - -2. On the phone, go to **Settings** > **Devices** > **Bluetooth**, and verify that the passcode for **Pairing accessory** on the phone matches the passcode displayed on the PC, and then tap **ok**. - - ![bluetooth pairing passcode](images/bt-passcode.png) - -3. On the PC, tap **Yes**. - -**Sign in to PC using the phone** - - -1. Open the **Microsoft Authenticator** app, choose your account, and tap the name of the PC to sign in to. - > **Note: **  The first time that you run the **Microsoft Authenticator** app, you must add an account. - - ![select a device](images/phone-signin-device-select.png) -   -2. 
Enter the work PIN that you set up when you joined the phone to the cloud domain or added a work account. - -**Connect to VPN** - -You simply connect to VPN as you normally would. If the phone's certificates are being used, a notification will be pushed to the phone asking if you approve. If you click **allow** in the notification, you will be prompted for your PIN. After you enter your PIN, the VPN session will connect. ## Related topics - [Windows Hello for Business](hello-identity-verification.md) - [How Windows Hello for Business works](hello-how-it-works.md) - [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) -- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) - [Windows Hello and password changes](hello-and-password-changes.md) - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) diff --git a/windows/keep-secure/hello-why-pin-is-better-than-password.md b/windows/keep-secure/hello-why-pin-is-better-than-password.md index e79b6e5348..9c24738397 100644 --- a/windows/keep-secure/hello-why-pin-is-better-than-password.md +++ b/windows/keep-secure/hello-why-pin-is-better-than-password.md @@ -75,7 +75,6 @@ If you only had a biometric sign-in configured and, for any reason, were unable - [Windows Hello for Business](hello-identity-verification.md) - [How Windows Hello for Business works](hello-how-it-works.md) - [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) -- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) - [Windows Hello and password changes](hello-and-password-changes.md) - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) 
diff --git a/windows/keep-secure/images/atp-actor.png b/windows/keep-secure/images/atp-actor.png
new file mode 100644
index 0000000000..dc9c9dd6fc
Binary files /dev/null and b/windows/keep-secure/images/atp-actor.png differ
diff --git a/windows/keep-secure/images/atp-alert-source.png b/windows/keep-secure/images/atp-alert-source.png
new file mode 100644
index 0000000000..c2155cc7ee
Binary files /dev/null and b/windows/keep-secure/images/atp-alert-source.png differ
diff --git a/windows/keep-secure/images/atp-alert-timeline-numbered.png b/windows/keep-secure/images/atp-alert-timeline-numbered.png
new file mode 100644
index 0000000000..e791757460
Binary files /dev/null and b/windows/keep-secure/images/atp-alert-timeline-numbered.png differ
diff --git a/windows/keep-secure/images/atp-file-details.png b/windows/keep-secure/images/atp-file-details.png
new file mode 100644
index 0000000000..ad92f3af0c
Binary files /dev/null and b/windows/keep-secure/images/atp-file-details.png differ
diff --git a/windows/keep-secure/images/atp-machine-details-view.png.pdf b/windows/keep-secure/images/atp-machine-details-view.png.pdf
deleted file mode 100644
index 6f018827bb..0000000000
Binary files a/windows/keep-secure/images/atp-machine-details-view.png.pdf and /dev/null differ
diff --git a/windows/keep-secure/images/atp-machines-at-risk.png b/windows/keep-secure/images/atp-machines-at-risk.png
index e733606c0c..219e958d7d 100644
Binary files a/windows/keep-secure/images/atp-machines-at-risk.png and b/windows/keep-secure/images/atp-machines-at-risk.png differ
diff --git a/windows/keep-secure/images/atp-remediated-alert.png b/windows/keep-secure/images/atp-remediated-alert.png
new file mode 100644
index 0000000000..d49b681907
Binary files /dev/null and b/windows/keep-secure/images/atp-remediated-alert.png differ
diff --git a/windows/keep-secure/images/atp-running-script.png b/windows/keep-secure/images/atp-running-script.png
new file mode 100644
index 0000000000..ebfdebadc5
Binary files /dev/null and b/windows/keep-secure/images/atp-running-script.png differ
diff --git a/windows/keep-secure/images/atp-sample-custom-ti-alert.png b/windows/keep-secure/images/atp-sample-custom-ti-alert.png
new file mode 100644
index 0000000000..e536f6f4cc
Binary files /dev/null and b/windows/keep-secure/images/atp-sample-custom-ti-alert.png differ
diff --git a/windows/keep-secure/images/atp-siem-integration.png b/windows/keep-secure/images/atp-siem-integration.png
new file mode 100644
index 0000000000..0205980406
Binary files /dev/null and b/windows/keep-secure/images/atp-siem-integration.png differ
diff --git a/windows/keep-secure/images/atp-simulate-custom-ti.png b/windows/keep-secure/images/atp-simulate-custom-ti.png
new file mode 100644
index 0000000000..2828654c79
Binary files /dev/null and b/windows/keep-secure/images/atp-simulate-custom-ti.png differ
diff --git a/windows/keep-secure/images/atp-threat-intel-api.png b/windows/keep-secure/images/atp-threat-intel-api.png
new file mode 100644
index 0000000000..ef6720b29e
Binary files /dev/null and b/windows/keep-secure/images/atp-threat-intel-api.png differ
diff --git a/windows/keep-secure/images/defender/malware-detected.png b/windows/keep-secure/images/defender/malware-detected.png
new file mode 100644
index 0000000000..91fce5a44b
Binary files /dev/null and b/windows/keep-secure/images/defender/malware-detected.png differ
diff --git a/windows/keep-secure/images/defender/order-update-sources-wdav.png b/windows/keep-secure/images/defender/order-update-sources-wdav.png
new file mode 100644
index 0000000000..904f314699
Binary files /dev/null and b/windows/keep-secure/images/defender/order-update-sources-wdav.png differ
diff --git a/windows/keep-secure/images/defender/quarantine.png b/windows/keep-secure/images/defender/quarantine.png
new file mode 100644
index 0000000000..6a908aedec
Binary files /dev/null and b/windows/keep-secure/images/defender/quarantine.png differ
diff --git a/windows/keep-secure/images/defender/wdav-bafs-edge.png b/windows/keep-secure/images/defender/wdav-bafs-edge.png
new file mode 100644
index 0000000000..d7376570b6
Binary files /dev/null and b/windows/keep-secure/images/defender/wdav-bafs-edge.png differ
diff --git a/windows/keep-secure/images/defender/wdav-bafs-ie.png b/windows/keep-secure/images/defender/wdav-bafs-ie.png
new file mode 100644
index 0000000000..94cb3a30fb
Binary files /dev/null and b/windows/keep-secure/images/defender/wdav-bafs-ie.png differ
diff --git a/windows/keep-secure/images/defender/wdav-extension-exclusions.png b/windows/keep-secure/images/defender/wdav-extension-exclusions.png
new file mode 100644
index 0000000000..e1a86e09e0
Binary files /dev/null and b/windows/keep-secure/images/defender/wdav-extension-exclusions.png differ
diff --git a/windows/keep-secure/images/defender/wdav-headless-mode-1607.png b/windows/keep-secure/images/defender/wdav-headless-mode-1607.png
new file mode 100644
index 0000000000..7ccaf5d0ff
Binary files /dev/null and b/windows/keep-secure/images/defender/wdav-headless-mode-1607.png differ
diff --git a/windows/keep-secure/images/defender/wdav-headless-mode-1703.png b/windows/keep-secure/images/defender/wdav-headless-mode-1703.png
new file mode 100644
index 0000000000..d4288ca82c
Binary files /dev/null and b/windows/keep-secure/images/defender/wdav-headless-mode-1703.png differ
diff --git a/windows/keep-secure/images/defender/wdav-headless-mode-off-1703.png b/windows/keep-secure/images/defender/wdav-headless-mode-off-1703.png
new file mode 100644
index 0000000000..d5599ce99b
Binary files /dev/null and b/windows/keep-secure/images/defender/wdav-headless-mode-off-1703.png differ
diff --git a/windows/keep-secure/images/defender/wdav-history-wdsc.png b/windows/keep-secure/images/defender/wdav-history-wdsc.png
new file mode 100644
index 0000000000..cdc75b8852
Binary files /dev/null and b/windows/keep-secure/images/defender/wdav-history-wdsc.png differ
diff --git a/windows/keep-secure/images/defender/wdav-malware-detected.png b/windows/keep-secure/images/defender/wdav-malware-detected.png
new file mode 100644
index 0000000000..b0add084db
Binary files /dev/null and b/windows/keep-secure/images/defender/wdav-malware-detected.png differ
diff --git a/windows/keep-secure/images/defender/wdav-order-update-sources.png b/windows/keep-secure/images/defender/wdav-order-update-sources.png
new file mode 100644
index 0000000000..fb6fefee98
Binary files /dev/null and b/windows/keep-secure/images/defender/wdav-order-update-sources.png differ
diff --git a/windows/keep-secure/images/defender/wdav-path-exclusions.png b/windows/keep-secure/images/defender/wdav-path-exclusions.png
new file mode 100644
index 0000000000..2fb0f6e107
Binary files /dev/null and b/windows/keep-secure/images/defender/wdav-path-exclusions.png differ
diff --git a/windows/keep-secure/images/defender/wdav-process-exclusions.png b/windows/keep-secure/images/defender/wdav-process-exclusions.png
new file mode 100644
index 0000000000..559d65ac2f
Binary files /dev/null and b/windows/keep-secure/images/defender/wdav-process-exclusions.png differ
diff --git a/windows/keep-secure/images/defender/wdav-protection-settings-wdsc.png b/windows/keep-secure/images/defender/wdav-protection-settings-wdsc.png
new file mode 100644
index 0000000000..854e2b209d
Binary files /dev/null and b/windows/keep-secure/images/defender/wdav-protection-settings-wdsc.png differ
diff --git a/windows/keep-secure/images/defender/wdav-quarantined-history-wdsc.png b/windows/keep-secure/images/defender/wdav-quarantined-history-wdsc.png
new file mode 100644
index 0000000000..e8e2eec956
Binary files /dev/null and b/windows/keep-secure/images/defender/wdav-quarantined-history-wdsc.png differ
diff --git a/windows/keep-secure/images/defender/wdav-settings-old.png b/windows/keep-secure/images/defender/wdav-settings-old.png
new file mode 100644
index 0000000000..05c23e510a
Binary files /dev/null and b/windows/keep-secure/images/defender/wdav-settings-old.png differ
diff --git a/windows/keep-secure/images/defender/wdav-wdsc.png b/windows/keep-secure/images/defender/wdav-wdsc.png
new file mode 100644
index 0000000000..81c50c1635
Binary files /dev/null and b/windows/keep-secure/images/defender/wdav-wdsc.png differ
diff --git a/windows/keep-secure/images/defender/wdav-windows-defender-app-old.png b/windows/keep-secure/images/defender/wdav-windows-defender-app-old.png
new file mode 100644
index 0000000000..09cea8052c
Binary files /dev/null and b/windows/keep-secure/images/defender/wdav-windows-defender-app-old.png differ
diff --git a/windows/keep-secure/images/enterprise-certificate-pinning-converting-a-duration.png b/windows/keep-secure/images/enterprise-certificate-pinning-converting-a-duration.png
new file mode 100644
index 0000000000..6d14d64c36
Binary files /dev/null and b/windows/keep-secure/images/enterprise-certificate-pinning-converting-a-duration.png differ
diff --git a/windows/keep-secure/images/enterprise-certificate-pinning-converting-an-xml-date.png b/windows/keep-secure/images/enterprise-certificate-pinning-converting-an-xml-date.png
new file mode 100644
index 0000000000..ab932c226f
Binary files /dev/null and b/windows/keep-secure/images/enterprise-certificate-pinning-converting-an-xml-date.png differ
diff --git a/windows/keep-secure/images/enterprise-certificate-pinning-pinrules-properties.png b/windows/keep-secure/images/enterprise-certificate-pinning-pinrules-properties.png
new file mode 100644
index 0000000000..7a9b31f55f
Binary files /dev/null and b/windows/keep-secure/images/enterprise-certificate-pinning-pinrules-properties.png differ
diff --git a/windows/keep-secure/images/enterprise-certificate-pinning-representing-a-date.png b/windows/keep-secure/images/enterprise-certificate-pinning-representing-a-date.png
new file mode 100644
index 0000000000..929cae9617
Binary files /dev/null and b/windows/keep-secure/images/enterprise-certificate-pinning-representing-a-date.png differ
diff --git a/windows/keep-secure/images/enterprise-certificate-pinning-representing-a-duration.png b/windows/keep-secure/images/enterprise-certificate-pinning-representing-a-duration.png
new file mode 100644
index 0000000000..dd79819a96
Binary files /dev/null and b/windows/keep-secure/images/enterprise-certificate-pinning-representing-a-duration.png differ
diff --git a/windows/keep-secure/images/enterprise-pinning-registry-binary-information.png b/windows/keep-secure/images/enterprise-pinning-registry-binary-information.png
new file mode 100644
index 0000000000..ee36266a6d
Binary files /dev/null and b/windows/keep-secure/images/enterprise-pinning-registry-binary-information.png differ
diff --git a/windows/keep-secure/images/rules-legend.png b/windows/keep-secure/images/rules-legend.png
index dea7d1dc70..a48783c6e3 100644
Binary files a/windows/keep-secure/images/rules-legend.png and b/windows/keep-secure/images/rules-legend.png differ
diff --git a/windows/keep-secure/images/threat-mitigations-pre-breach-post-breach-conceptual.png b/windows/keep-secure/images/threat-mitigations-pre-breach-post-breach-conceptual.png
index 6b9c37489c..f23868fdde 100644
Binary files a/windows/keep-secure/images/threat-mitigations-pre-breach-post-breach-conceptual.png and b/windows/keep-secure/images/threat-mitigations-pre-breach-post-breach-conceptual.png differ
diff --git a/windows/keep-secure/images/windows-defender-security-center.png b/windows/keep-secure/images/windows-defender-security-center.png
new file mode 100644
index 0000000000..a3286fb528
Binary files /dev/null and b/windows/keep-secure/images/windows-defender-security-center.png differ
diff --git a/windows/keep-secure/images/windows-defender-smartscreen-control.png b/windows/keep-secure/images/windows-defender-smartscreen-control.png
new file mode 100644
index 0000000000..b2700addba
Binary files /dev/null and b/windows/keep-secure/images/windows-defender-smartscreen-control.png differ
diff --git a/windows/keep-secure/interactive-logon-display-user-information-when-the-session-is-locked.md b/windows/keep-secure/interactive-logon-display-user-information-when-the-session-is-locked.md
index aad3155b35..5442141ce8 100644
--- a/windows/keep-secure/interactive-logon-display-user-information-when-the-session-is-locked.md
+++ b/windows/keep-secure/interactive-logon-display-user-information-when-the-session-is-locked.md
@@ -12,77 +12,78 @@ author: brianlic-msft # Interactive logon: Display user information when the session is locked **Applies to** -- Windows 10 +- Windows 10 Describes the best practices, location, values, and security considerations for the **Interactive logon: Display user information when the session is locked** security policy setting. ## Reference -This setting controls whether details such as email address or domain\username appear with the username on the sign-in screen. -For clients that run Windows 10 version 1511 and 1507 (RTM), this setting works similarly to previous versions of Windows. -Due to a new **Privacy** setting in Windows 10 version 1607, this setting affects those clients differently. +This security setting controls whether details such as email address or domain\username appear with the username on the sign-in screen. +For clients that run Windows 10 version 1511 and 1507 (RTM), this setting works similarly to previous versions of Windows. +However, because of a new **Privacy** setting introduced in Windows 10 version 1607, this security setting affects those clients differently. -### Changes in Windows 10 version 1607 +### Changes beginning with Windows 10 version 1607 -Beginning with Windows 10 version 1607, new functionality was added to Windows 10 to hide username details such as email address by default, with the ability to change the default to show the details. -This functionality is controlled by a new **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. -The Privacy setting is off by default, which hides the details. +Beginning with Windows 10 version 1607, new functionality was added to Windows 10 to hide username details such as email address by default, with the ability to change the default to show the details. +This functionality is controlled by a new **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. +The Privacy setting is off by default, which hides the details. 
![Privacy setting](images\privacy-setting-in-sign-in-options.png) -The **Interactive logon: Display user information when the session is locked** Group Policy setting controls the same functionality. +The **Interactive logon: Display user information when the session is locked** Group Policy setting controls the same functionality. This setting has these possible values: - **User display name, domain and user names** - For a local logon, the user's full name is displayed. - If the user signed in using a Microsoft Account, the user's email address is displayed. - For a domain logon, the domain\username is displayed. - This has the same effect as turning on the **Privacy** setting. + For a local logon, the user's full name is displayed. + If the user signed in using a Microsoft account, the user's email address is displayed. + For a domain logon, the domain\username is displayed. + This has the same effect as turning on the **Privacy** setting. - **User display name only** - The full name of the user who locked the session is displayed. + The full name of the user who locked the session is displayed. This has the same effect as turning off the **Privacy** setting. - **Do not display user information** - No names are displayed. - Beginning with Windows 10 version 1607, this option is not supported. - If this option is chosen, the full name of the user who locked the session is displayed instead. - This change makes this setting consistent with the functionality of the new **Privacy** setting. - To have no user information displayed, enable the Group Policy setting **Interactive logon: Don't display last signed-in**. + No names are displayed. + Beginning with Windows 10 version 1607, this option is not supported. + If this option is chosen, the full name of the user who locked the session is displayed instead. + This change makes this setting consistent with the functionality of the new **Privacy** setting. 
+ To display no user information, enable the Group Policy setting **Interactive logon: Don't display last signed-in**. - Blank. - Default setting. - This translates to “Not defined,” but it will display the user’s full name in the same manner as the option **User display name only**. + Default setting. + This translates to “Not defined,” but it will display the user’s full name in the same manner as the option **User display name only**. When an option is set, you cannot reset this policy to blank, or not defined. ### Hotfix for Windows 10 version 1607 -Clients that run Windows 10 version 1607 will not show details on the sign-in screen even if the **User display name, domain and user names** option is chosen because the **Privacy** setting is off. -If the **Privacy** setting is turned on, details will show. +Clients that run Windows 10 version 1607 will not show details on the sign-in screen even if the **User display name, domain and user names** option is chosen because the **Privacy** setting is off. +If the **Privacy** setting is turned on, details will show. -The **Privacy** setting cannot be changed for clients in bulk. -Instead, apply [KB 4013429](https://support.microsoft.com/help/4000825/windows-10-and-windows-server-2016-update-history) to clients that run Windows 10 version 1607 so they behave similarly to previous versions of Windows. +The **Privacy** setting cannot be changed for clients in bulk. +Instead, apply [KB 4013429](http://www.catalog.update.microsoft.com/Search.aspx?q=KB4013429) to clients that run Windows 10 version 1607 so they behave similarly to previous versions of Windows. +Clients that run later versions of Windows 10 do not require a hotfix. There are related Group Policy settings: -- **Computer Configuration\Policies\Administrative Templates\System\Logon\Block user from showing account details on sign-in** prevents users from showing account details on the sign-in screen. 
+- **Computer Configuration\Policies\Administrative Templates\System\Logon\Block user from showing account details on sign-in** prevents users from showing account details on the sign-in screen. - **Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Don’t display last signed-in** prevents the username of the last user to sign in from being shown. -- **Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Don’t display user name at sign in** prevents the username from being shown at Windows sign-in and immediately after credentials are entered and before the desktop appears. +- **Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Don’t display username at sign-in** prevents the username from being shown at Windows sign-in and immediately after credentials are entered and before the desktop appears. ### Interaction with related Group Policy settings -For all versions of Windows 10, only the user display name is shown by default. +For all versions of Windows 10, only the user display name is shown by default. -If **Block user from showing account details on sign-in** is enabled, then only the user display name is shown regardless of any other Group Policy settings. +If **Block user from showing account details on sign-in** is enabled, then only the user display name is shown regardless of any other Group Policy settings. Users will not be able to show details. -If **Block user from showing account details on sign-in** is not enabled, then you can set **Interactive logon: Display user information when the session is locked** to **User display name, domain and user names** to show additional details such as domain\username. -In this case, clients that run Windows 10 version 1607 need [KB 4013429](https://support.microsoft.com/help/4000825/windows-10-and-windows-server-2016-update-history) applied. -Users will not be able to hide additional details. 
+If **Block user from showing account details on sign-in** is not enabled, then you can set **Interactive logon: Display user information when the session is locked** to **User display name, domain and user names** to show additional details such as domain\username. +In this case, clients that run Windows 10 version 1607 need [KB 4013429](http://www.catalog.update.microsoft.com/Search.aspx?q=KB4013429) applied. +Users will not be able to hide additional details. If **Block user from showing account details on sign-in** is not enabled and **Don’t display last signed-in** is enabled, the username will not be shown. @@ -100,13 +101,13 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec | Server type or Group Policy object (GPO) | Default value | | - | - | -| Default domain policy| Not defined| -| Default domain controller policy | Not defined| -| Stand-alone server default settings | Not defined| -| Domain controller effective default settings | **User display name, domain and user names**| -| Member server effective default settings | **User display name, domain and user names**| -| Effective GPO default settings on client computers | **User display name, domain and user names**| -  +| Default domain policy| Not defined| +| Default domain controller policy | Not defined| +| Stand-alone server default settings | Not defined| +| Domain controller effective default settings | **User display name, domain and user names**| +| Member server effective default settings | **User display name, domain and user names**| +| Effective GPO default settings on client computers | **User display name, domain and user names**| + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/keep-secure/interactive-logon-do-not-display-last-user-name.md b/windows/keep-secure/interactive-logon-do-not-display-last-user-name.md index 5af92d1bcf..302baa44b9 100644 
--- a/windows/keep-secure/interactive-logon-do-not-display-last-user-name.md +++ b/windows/keep-secure/interactive-logon-do-not-display-last-user-name.md @@ -1,5 +1,5 @@ --- -title: Interactive logon Do not display last user name (Windows 10) +title: Interactive logon Don't display last signed-in (Windows 10) description: Describes the best practices, location, values, and security considerations for the Interactive logon Do not display last user name security policy setting. ms.assetid: 98b24b03-95fe-4edc-8e97-cbdaa8e314fd ms.prod: w10 @@ -9,12 +9,12 @@ ms.pagetype: security author: brianlic-msft --- -# Interactive logon: Do not display last user name +# Interactive logon: Don't display last signed-in **Applies to** - Windows 10 -Describes the best practices, location, values, and security considerations for the **Interactive logon: Do not display last user name** security policy setting. +Describes the best practices, location, values, and security considerations for the **Interactive logon: Don't display last signed-in** security policy setting. Before Windows 10 version 1703, this policy setting was named **Interactive logon:Do not display last user name.** ## Reference 
@@ -40,14 +40,14 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec ### Default values -| Server type or Group Policy object (GPO) | Default value| +| Server type or Group Policy object (GPO) | Default value| | - | - | -| Default domain policy| Disabled| -| Default domain controller policy| Disabled| -| Stand-alone server default settings | Disabled| -| Domain controller effective default settings | Disabled| -| Member server effective default settings | Disabled| -| Effective GPO default settings on client computers | Disabled| +| Default domain policy| Disabled| +| Default domain controller policy| Disabled| +| Stand-alone server default settings | Disabled| +| Domain controller effective default settings | Disabled| +| Member server effective default settings | Disabled| +| Effective GPO default settings on client computers | Disabled|   ## Policy management diff --git a/windows/keep-secure/interactive-logon-prompt-user-to-change-password-before-expiration.md b/windows/keep-secure/interactive-logon-prompt-user-to-change-password-before-expiration.md index 3b6173cf5c..e188c2bed0 100644 --- a/windows/keep-secure/interactive-logon-prompt-user-to-change-password-before-expiration.md +++ b/windows/keep-secure/interactive-logon-prompt-user-to-change-password-before-expiration.md @@ -43,10 +43,10 @@ The following table lists the actual and effective default values for this polic | - | - | | Default Domain Policy| Not defined| | Default Domain Controller Policy | Not defined| -| Stand-Alone Server Default Settings | 14 days| -| DC Effective Default Settings | 14 days | -| Member Server Effective Default Settings| 14 days | -| Client Computer Effective Default Settings | 14 days| +| Stand-Alone Server Default Settings | 5 days| +| DC Effective Default Settings | 5 days | +| Member Server Effective Default Settings| 5 days | +| Client Computer Effective Default Settings | 5 days|   ## Policy management 
@@ -74,11 +74,11 @@ If user passwords are configured to expire periodically in your organization, us ### Countermeasure -Configure the **Interactive logon: Prompt user to change password before expiration** setting to 14 days. +Configure the **Interactive logon: Prompt user to change password before expiration** setting to 5 days. ### Potential impact -Users see a dialog-box prompt to change their password each time that they log on to the domain when their password is configured to expire in 14 or fewer days. +Users see a dialog-box prompt to change their password each time that they log on to the domain when their password is configured to expire in 5 or fewer days. ## Related topics diff --git a/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md index 640b0a524c..5073e541f6 100644 --- a/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md @@ -1,7 +1,7 @@ --- title: Investigate machines in the Windows Defender ATP Machines view description: Investigate affected machines in your network by reviewing alerts, network connection information, and service health on the Machines view. -keywords: machines, endpoints, machine, endpoint, alerts queue, alerts, machine name, domain, last seen, internal IP, active alerts, active malware detections, threat category, filter, sort, review alerts, network, connection, malware, type, password stealer, ransomware, exploit, threat, low severity +keywords: machines, endpoints, machine, endpoint, alerts queue, alerts, machine name, domain, last seen, internal IP, active alerts, threat category, filter, sort, review alerts, network, connection, type, password stealer, ransomware, exploit, threat, low severity search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy 
diff --git a/windows/keep-secure/machines-view-overview-windows-defender-advanced-threat-protection.md b/windows/keep-secure/machines-view-overview-windows-defender-advanced-threat-protection.md index 76dd0c900d..73f0e86007 100644 --- a/windows/keep-secure/machines-view-overview-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/machines-view-overview-windows-defender-advanced-threat-protection.md @@ -1,6 +1,6 @@ --- -title: View and organize the Windows Defender ATP machines view -description: Learn about the available features that you can use from the Machines view such as sorting, filtering, and exporting the machine list which can enhance investigations. +title: View and organize the Windows Defender ATP machines list +description: Learn about the available features that you can use from the Machines list such as sorting, filtering, and exporting the machine list which can enhance investigations. keywords: sort, filter, export, csv, machine name, domain, last seen, internal IP, health state, active alerts, active malware detections, threat category, review alerts, network, connection, malware, type, password stealer, ransomware, exploit, threat, general malware, unwanted software search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -11,7 +11,7 @@ author: mjcaparas localizationpriority: high --- -# View and organize the Windows Defender ATP Machines view +# View and organize the Windows Defender ATP Machines list **Applies to:** 
@@ -21,23 +21,23 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -The **Machines view** shows a list of the machines in your network, the domain of each machine, when it last reported and the local IP Address it reported on, its **Health state**, the number of active alerts on each machine categorized by alert severity level, and the number of active malware detections. This view allows viewing machines ranked by risk or sensor health state, and keeping track of all machines that are reporting sensor data in your network. +The **Machines list** shows a list of the machines in your network, the domain of each machine, when it last reported and the local IP Address it reported on, its **Health state**, the number of active alerts on each machine categorized by alert severity level, and the number of active malware detections. This view allows viewing machines ranked by risk or sensor health state, and keeping track of all machines that are reporting sensor data in your network. Use the Machines view in these main scenarios: - **During onboarding**
        - During the onboarding process, the **Machines view** is gradually populated with endpoints as they begin to report sensor data. Use this view to track your onboarded endpoints as they come online. Sort and filter by time of last report, **Active malware category**, or **Sensor health state**, or download the complete endpoint list as a CSV file for offline analysis. + During the onboarding process, the **Machines list** is gradually populated with endpoints as they begin to report sensor data. Use this view to track your onboarded endpoints as they come online. Sort and filter by time of last report, **Active malware category**, or **Sensor health state**, or download the complete endpoint list as a CSV file for offline analysis. - **Day-to-day work** - The **Machines view** enables easy identification of machines most at risk in a glance. High-risk machines have the greatest number and highest-severity alerts; **Sensor health state** provides another dimension to rank machines. Sorting machines by **Active alerts**, and then by **Sensor health state** helps identify the most vulnerable machines and take action on them. + The **Machines list** enables easy identification of machines most at risk in a glance. High-risk machines have the greatest number and highest-severity alerts; **Sensor health state** provides another dimension to rank machines. Sorting machines by **Active alerts**, and then by **Sensor health state** helps identify the most vulnerable machines and take action on them. ## Sort, filter, and download the list of machines from the Machines view -You can sort the **Machines view** by clicking on any column header to sort the view in ascending or descending order. +You can sort the **Machines list** by clicking on any column header to sort the view in ascending or descending order. 
-Filter the **Machines view** by time period, **Active malware categories**, or **Sensor health state** to focus on certain sets of machines, according to the desired criteria. +Filter the **Machines list** by time period, **Active malware categories**, or **Sensor health state** to focus on certain sets of machines, according to the desired criteria. You can also download the entire list in CSV format using the **Export to CSV** feature. -![Image of machines view with list of machines](images/atp-machines-view-list.png) +![Image of machines list with list of machines](images/atp-machines-view-list.png) You can use the following filters to limit the list of machines displayed during an investigation: @@ -71,7 +71,7 @@ You can download a full list of all the machines in your organization, in CSV f Exporting the list in CSV format displays the data in an unfiltered manner. The CSV file will include all machines in the organization, regardless of any filtering applied in the view itself. ## Sort the Machines view -You can sort the **Machines view** by the following columns: +You can sort the **Machines list** by the following columns: - **Machine name** - Name or GUID of the machine - **Last seen** - Date and time when the machine last reported sensor data diff --git a/windows/keep-secure/manage-event-based-updates-windows-defender-antivirus.md b/windows/keep-secure/manage-event-based-updates-windows-defender-antivirus.md new file mode 100644 index 0000000000..39ecd14409 --- /dev/null +++ b/windows/keep-secure/manage-event-based-updates-windows-defender-antivirus.md 
@@ -0,0 +1,179 @@ +--- +title: Apply Windows Defender AV updates after certain events +description: Manage how Windows Defender Antivirus applies proteciton updates after startup or receiving cloud-delivered detection reports. +keywords: updates, protection, force updates, events, startup, check for latest, notifications +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +--- + +# Manage event-based forced updates + +**Applies to** +- Windows 10 + +**Audience** + +- Network administrators + +**Manageability available with** + +- Group Policy +- System Center Configuration Manager +- PowerShell cmdlets +- Windows Management Instruction (WMI) + + +Windows Defender AV allows you to determine if updates should (or should not) occur after certain events, such as at startup or after receiving specific reports from the cloud-delivered protection service. + + +## Check for protection updates before running a scan + +You can use Group Policy, Configuration Manager, PowerShell cmdlets, and WMI to force Windows Defender AV to check and download protection updates before running a scheduled scan. + + +**Use Group Policy to check for protection updates before running a scan:** + +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. Click **Policies** then **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender Antivirus > Scan**. + +6. Double-click the **Check for the latest virus and spyware definitions before running a scheduled scan** setting and set the option to **Enabled**. + +7. Click **OK**. 
+ +**Use Configuration Manager to check for protection updates before running a scan:** + +1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) + +2. Go to the **Scheduled scans** section and set **Check for the latest definition updates before running a scan** to **Yes**. + +3. Click **OK**. + +4. [Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers). + +**Use PowerShell cmdlets to to check for protection updates before running a scan:** + +Use the following cmdlets: + +```PowerShell +Set-MpPreference -CheckForSignaturesBeforeRunningScan +``` + +See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. + + +**Use Windows Management Instruction (WMI) to to check for protection updates before running a scan** + +Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties: + +```WMI +CheckForSignaturesBeforeRunningScan +``` + +See the following for more information: +- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) + + + + + + +## Check for protection updates on startup + +You can use Group Policy to force Windows Defender AV to check and download protection updates when the machine is started. + +**Use Group Policy to download protection updates at startup:** + +1. 
On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. Click **Policies** then **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates**. + +5. Double-click the **Check for the latest virus and spyware definitions on startup** setting and set the option to **Enabled**. + +6. Click **OK**. + +You can also use Group Policy, PowerShell, or WMI to configure Windows Defender AV to check for updates at startup even when it is not running. + +**Use Group Policy to download updates when Windows Defender AV is not present:** + +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. Click **Policies** then **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates**. + +6. Double-click the **Initiate definition update on startup** setting and set the option to **Enabled**. + +7. Click **OK**. + +**Use PowerShell cmdlets to download updates when Windows Defender AV is not present:** + +Use the following cmdlets to enable cloud-delivered protection: + +```PowerShell +Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine +``` + +See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. 
+ + +**Use Windows Management Instruction (WMI) to download updates when Windows Defender AV is not present:** + +Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties: + +```WMI +SignatureDisableUpdateOnStartupWithoutEngine +``` + +See the following for more information: +- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) + + + + + + +## Allow ad hoc changes to protection based on cloud-delivered protection + +Windows Defender AV can make changes to its protection based on cloud-delivered protection. This can occur outside of normal or scheduled protection updates. + +If you have enabled cloud-delivered protection, Windows Defender AV will send files it is suspicious about to the Windows Defender cloud. If the cloud service reports that the file is malicious, and the file is detected in a recent protection update, you can use Group Policy to configure Windows Defender AV to automatically receive that protection update. Other important protection updates can also be applied. + +**Use Group Policy to automatically download recent updates based on cloud-delivered protection:** + +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. Click **Policies** then **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates** and configure the following: + 1. Double-click the **Allow real-time definition updates based on reports to Microsoft MAPS** setting and set the option to **Enabled**. Click **OK**. + 2. 
Double-click the **Allow notifications to disable definitions based reports to Microsoft MAPS** setting and set the option to **Enabled**. Click **OK**. + + + +## Related topics + +- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) +- [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md) +- [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md) + + + diff --git a/windows/keep-secure/manage-outdated-endpoints-windows-defender-antivirus.md b/windows/keep-secure/manage-outdated-endpoints-windows-defender-antivirus.md new file mode 100644 index 0000000000..87b9ad4cbd --- /dev/null +++ b/windows/keep-secure/manage-outdated-endpoints-windows-defender-antivirus.md 
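Review bot: The cmdlet under "Use PowerShell cmdlets to download updates when Windows Defender AV is not present" is given as `Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine` with no value, but that parameter takes a Boolean whose true setting disables the startup update, so the line should read `Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $false`; the same applies to `-CheckForSignaturesBeforeRunningScan`, which needs `$true` to do what the section describes. The lead-in "Use the following cmdlets to enable cloud-delivered protection:" above that block is copied from another topic and does not describe these cmdlets, and the matching WMI sections should likewise state the value to set rather than only the property name. The front matter declares `ms.pagetype: security` twice, a duplicate YAML key that parsers typically resolve silently by keeping one copy; the same duplicate appears in the three new files that follow. Minor: "proteciton" in the description, "Windows Management Instruction" for Instrumentation, and each Group Policy procedure numbers its steps 1, 3, 4, … with no step 2.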
@@ -0,0 +1,190 @@ +--- +title: Apply Windows Defender AV protection updates to out of date endpoints +description: Define when and how updates should be applied for endpoints that have not updated in a while. +keywords: updates, protection, out-of-date, outdated, old, catch-up +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +--- + +# Manage updates and scans for endpoints that are out of date + +**Applies to** +- Windows 10 + +**Audience** + +- Network administrators + +**Manageability available with** + +- Group Policy +- System Center Configuration Manager +- PowerShell cmdlets +- Windows Management Instruction (WMI) + + + +Windows Defender AV lets you define how long an endpoint can avoid an update or how many scans it can miss before it is required to update and scan itself. This is especially useful in environments where devices are not often connected to a corporate or external network, or devices that are not used on a daily basis. + +For example, an employee that uses a particular PC is on break for three days and does not log on to their PC during that time. + +When the user returns to work and logs on to their PC, Windows Defender AV will immediately check and download the latest protection updates, and run a scan. + +## Set up catch-up protection updates for endpoints that haven't updated for a while + +If Windows Defender AV did not download protection updates for a specified period, you can set it up to automatically check and download the latest update at the next log on. This is useful if you have [globally disabled automatic update downloads on startup](manage-event-based-updates-windows-defender-antivirus.md). + +**Use Group Policy to enable and configure the catch-up update feature:** + +1. 
On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. Click **Policies** then **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates**. + +6. Double-click the **Define the number of days after which a catch-up definition update is required** setting and set the option to **Enabled**. Enter the number of days after which you want Windows Defender AV to check for and download the latest protection update. + +7. Click **OK**. + +**Use PowerShell cmdlets to configure catch-up protection updates:** + +Use the following cmdlets to enable cloud-delivered protection: + +```PowerShell +Set-MpPreference -SignatureUpdateCatchupInterval +``` + +See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. + +**Use Windows Management Instruction (WMI) to configure catch-up protection updates:** + +Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties: + +```WMI +SignatureUpdateCatchupInterval +``` + +See the following for more information and allowed parameters: +- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) + + +**Use Configuration Manager to configure catch-up protection updates:** + +1. 
On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) + +2. Go to the **Definition updates** section and configure the following settings: + + 1. Set **Force a definition update if the client computer is offline for more than two consecutive scheduled updates** to **Yes**. + 2. For the **If Configuration Manager is used as a source for definition updates...**, specify the hours before which the protection updates delivered by Configuration Manager should be considered out-of-date. This will cause the next update location to be used, based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order). + +3. Click **OK**. + +4. [Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers). + + +## Set the number of days before protection is reported as out-of-date + +You can also specify the number of days after which Windows Defender AV protection is considered old or out-of-date. After the specified number of days, the client will report itself as out-of-date, and show an error to the user of the PC. It may also cause Windows Defender AV to attempt to download an update from other sources (based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order). + +**Use Group Policy to specify the number of days before protection is considered out-of-date:** + +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. 
+ +4. Click **Policies** then **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates** and configure the following settings: + + 1. Double-click the **Define the number of days before spyware definitions are considered out of date** setting and set the option to **Enabled**. Enter the number of days after which you want Windows Defender AV to consider spyware definitions as out-of-date. + + 2. Click **OK**. + + 3. Double-click the **Define the number of days before virus definitions are considered out of date** setting and set the option to **Enabled**. Enter the number of days after which you want Windows Defender AV to consider virus and other threat definitions as out-of-date. + + 4. Click **OK**. + + + + +## Set up catch-up scans for endpoints that have not been scanned for a while + +You can set the number of consecutive scheduled scans that can be missed before Windows Defender AV will force a scan. + +The process for enabling this feature is: + +1. Set up at least one scheduled scan (see the [Schedule scans](scheduled-catch-up-scans-windows-defender-antivirus.md) topic). +2. Enable the catch-up scan feature. +3. Define the number of scans that can be skipped before a catch-up scan occurs. + +This feature can be enabled for both full and quick scans. + +**Use Group Policy to enable and configure the catch-up scan feature:** + +1. Ensure you have set up at least one scheduled scan. + +2. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. Click **Policies** then **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender Antivirus > Scan** and configure the following settings: + + 1. 
If you have set up scheduled quick scans, double-click the **Turn on catch-up quick scan** setting and set the option to **Enabled**. + 2. If you have set up scheduled full scans, double-click the **Turn on catch-up full scan** setting and set the option to **Enabled**. Click **OK**. + 3. Double-click the **Define the number of days after which a catch-up scan is forced** setting and set the option to **Enabled**. + 4. Enter the number of scans that can be missed before a scan will be automatically run when the user next logs on to the PC. The type of scan that is run is determined by the **Specify the scan type to use for a scheduled scan** (see the [Schedule scans](scheduled-catch-up-scans-windows-defender-antivirus.md) topic). Click **OK**. + +> [!NOTE] +> The GP setting title refers to the number of days. The setting, however, is applied to the number of scans (not days) before the catch-up scan will be run. + +**Use PowerShell cmdlets to XX:** + +Use the following cmdlets to enable cloud-delivered protection: + +```PowerShell +Set-MpPreference -DisableCatchupFullScan +Set-MpPreference -DisableCatchupQuickScan + +``` + +See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. + +**Use Windows Management Instruction (WMI) to configure catch-up scans:** + +Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties: + +```WMI +DisableCatchupFullScan +DisableCatchupQuickScan +``` + +See the following for more information and allowed parameters: +- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) + + +**Use Configuration Manager to configure catch-up scans:** + +1. 
On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) + +2. Go to the **Scheduled scans** section and **Force a scan of the selected scan type if client computer is offline...** to **Yes**. + +3. Click **OK**. + +4. [Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers). + + +## Related topics + +- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) +- [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md) +- [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md) diff --git a/windows/keep-secure/manage-protection-update-schedule-windows-defender-antivirus.md b/windows/keep-secure/manage-protection-update-schedule-windows-defender-antivirus.md new file mode 100644 index 0000000000..8112758cdd --- /dev/null +++ b/windows/keep-secure/manage-protection-update-schedule-windows-defender-antivirus.md 
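Review bot: The heading "Use PowerShell cmdlets to XX:" is an unfilled placeholder, and the cmdlets beneath it, `Set-MpPreference -DisableCatchupFullScan` and `Set-MpPreference -DisableCatchupQuickScan`, are the disable parameters written without a value; an admin who fills in `$true` turns catch-up scans off, the opposite of what the section sets up, so the lines should read `Set-MpPreference -DisableCatchupFullScan $false` and `Set-MpPreference -DisableCatchupQuickScan $false` under a heading such as "Use PowerShell cmdlets to configure catch-up scans:". The `Set-MpPreference -SignatureUpdateCatchupInterval` line earlier in the file likewise needs the number of days as its argument, and both PowerShell blocks are introduced with "Use the following cmdlets to enable cloud-delivered protection:", which is copied from another topic. In the Configuration Manager steps for catch-up scans, step 2 is missing its verb: "Go to the **Scheduled scans** section and set **Force a scan of the selected scan type if client computer is offline...** to **Yes**." The Group Policy sub-step for "Turn on catch-up quick scan" should also end with "Click **OK**." as the full-scan sub-step does.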
@@ -0,0 +1,111 @@ +--- +title: Schedule Windows Defender Antivirus protection updates +description: Schedule the day, time, and interval for when protection updates should be downloaded +keywords: updates, security baselines, schedule updates +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +--- + +# Manage the schedule for when protection updates should be downloaded and applied + +**Applies to** +- Windows 10 + +**Audience** + +- Network administrators + +**Manageability available with** + +- Group Policy +- System Center Configuration Manager +- PowerShell cmdlets +- Windows Management Instruction (WMI) + + +Windows Defender AV lets you determine when it should look for and download updates. + +You can schedule updates for your endpoints by: + +- Specifying the day of the week to check for protection updates +- Specifying the interval to check for protection updates +- Specifying the time to check for protection updates + +You can also randomize the times when each endpoint checks and downloads protection updates. See the [Schedule scans](scheduled-catch-up-scans-windows-defender-antivirus.md) topic for more information. + +**Use Group Policy to schedule protection updates:** + +> [!IMPORTANT] +> By default, Windows Defender AV will check for an update 15 minutes before the time of any scheduled scans. Enabling these settings will override that default. + +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. Click **Policies** then **Administrative templates**. + +5. 
Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates** and configure the following settings: + + 1. Double-click the **Specify the interval to check for definition updates** setting and set the option to **Enabled**. Enter the nuber of hours between updates. Click **OK**. + 2. Double-click the **Specify the day of the week to check for definition updates** setting and set the option to **Enabled**. Enter the day of the week to check for updates. Click **OK**. + 3. Double-click the **Specify the time to check for definition updates** setting and set the option to **Enabled**. Enter the time when updates should be checked. The time is based on the local time of the endpoint. Click **OK**. + + +**Use Configuration Manager to schedule protection updates:** + +1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) + +2. Go to the **Definition updates** section. + +3. To check and download updates at a certain time: + 1. Set **Check for Endpoint Protection definitions at a specific interval...** to **0**. + 2. Set **Check for Endpoint Protection definitions daily at...** to the time when updates should be checked. + 3 +4. To check and download updates on a continual interval, Set **Check for Endpoint Protection definitions at a specific interval...** to the number of hours that should occur between updates. + +5. [Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers). 
+ + +**Use PowerShell cmdlets to schedule protection updates:** + +Use the following cmdlets to enable cloud-delivered protection: + +```PowerShell +Set-MpPreference -SignatureScheduleDay +Set-MpPreference -SignatureScheduleTime +Set-MpPreference -SignatureUpdateInterval +``` + +See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. + +**Use Windows Management Instruction (WMI) to schedule protection updates:** + +Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties: + +```WMI +SignatureScheduleDay +SignatureScheduleTime +SignatureUpdateInterval +``` + +See the following for more information and allowed parameters: +- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) + + +## Related topics + +- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) +- [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md) +- [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md) + + + + + + diff --git a/windows/keep-secure/manage-protection-updates-windows-defender-antivirus.md b/windows/keep-secure/manage-protection-updates-windows-defender-antivirus.md new file mode 100644 index 0000000000..00e332bca1 --- /dev/null +++ b/windows/keep-secure/manage-protection-updates-windows-defender-antivirus.md 
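Review bot: In the Configuration Manager procedure, the list item consisting only of "3" between "Set **Check for Endpoint Protection definitions daily at...**" and step 4 is an unfinished step and should be removed or completed. The PowerShell block is introduced with "Use the following cmdlets to enable cloud-delivered protection:", copied from another topic, and lists `-SignatureScheduleDay`, `-SignatureScheduleTime` and `-SignatureUpdateInterval` without the values they require; suggest "Use the following cmdlets to set the day, time, and interval for protection updates:" with one worked example such as `Set-MpPreference -SignatureUpdateInterval 4` (constructed example value). Typo "nuber" in the first Group Policy sub-step. The text does not say how the interval setting interacts with the day and time settings when both are configured; the IMPORTANT note only covers the 15-minute pre-scan check being overridden.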
@@ -0,0 +1,136 @@
+---
+title: Manage how and where Windows Defender AV receives updates
+description: Manage how Windows Defender Antivirus receives protection updates.
+keywords: updates, security baselines, protection, fallback order, ADL, MMPC, UNC, file path, share, wsus
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Manage Windows Defender Antivirus protection and definition updates
+
+**Applies to**
+- Windows 10
+
+**Audience**
+
+- Network administrators
+
+**Manageability available with**
+
+- Group Policy
+- System Center Configuration Manager
+- PowerShell cmdlets
+- Windows Management Instruction (WMI)
+
+
+
+
+Windows Defender AV uses both [cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloaded protection updates to provide protection. These protection updates are also known as "definitions" or "signature updates".
+
+The cloud-based protection is “always-on” and requires an active connection to the Internet to function, while the protection updates generally occur once a day (although this can be configured).
+
+There are two components to managing protection updates - where the updates are downloaded from, and when updates are downloaded and applied.
+
+This topic describes the locations
+
+
+## Manage the fallback order for downloading protection updates
+There are five locations where you can specify where an endpoint should obtain updates. Typically, you would configure each endpoint to individually download the updates from a primary source and specify fallback sources in case the primary source is unavailable.
+
+- [Windows Server Update Service (WSUS)](https://technet.microsoft.com/windowsserver/bb332157.aspx)
+- Microsoft Update.
+- The [Microsoft Malware Protection Center definitions page (MMPC)](http://www.microsoft.com/security/portal/definitions/adl.aspx)
+- A network file share
+- Configuration manager
+
+Each location has typical scenarios (in addition to acting as fallback locations) for when you would use that source, as described in the following table:
+
+Location | Sample scenario
+---|---
+WSUS | You are using WSUS to manage updates for your network
+Microsoft Update | You want your endpoints to connect directly to Microsoft Update. This can be useful for endpoints that irregularly connect to your enterprise network.
+MMPC | You need to download the latest protection updates because of a recent infection or to help provision a strong, base image for [VDI deployment](deployment-vdi-windows-defender-antivirus.md).
+File share | You have non-Internet-connected devices (such as VMs). You can use your Internet-connected VM host download the updates to a network share, from which the VMs can obtain the updates. See the [VDI deployment guide](deployment-vdi-windows-defender-antivirus.md) for how file shares can be used in virtual desktop infrastructure (VDI) environments.
+Configuration Manager | You are using System Center Configuration Manager to update your endpoints.
+
+You can manage the order in which update sources are used with Group Policy, System Center Configuration Manager, PowerShell cmdlets, and WMI.
+
+> [!IMPORTANT]
+> If you set WSUS as a download location, you must approve the updates - regardless of what management tool you use to specify the location. You can set up an automatic approval rule with WSUS, which may be useful as updates arrive at least once a day. See [To synchronize endpoint protection updates in standalone WSUS](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus) for more details.
+
+
+**Use Group Policy to manage the update location:**
+
+1. 
On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4. Click **Policies** then **Administrative templates**.
+
+5. Expand the tree to **Windows components > Windows Defender > Signature updates** and configure the following settings:
+
+ 1. Double-click the **Define the order of sources for downloading definition updates** setting and set the option to **Enabled**.
+
+ 2. Enter the order of sources, separated by a single pipe, for example: `InternalDefinitionUpdateServer|MicrosoftUpdateServer|MMPC`, shown in the following screenshot.
+
+ ![Screenshot of group policy setting listing the order of sources](images/defender/wdav-order-update-sources.png)
+
+ 3. Click **OK**. This will set the order of protection update sources.
+
+ 1. Double-click the **Define file shares for downloading definition updates** setting and set the option to **Enabled**.
+
+ 2. Enter the file share source. If you have multiple sources, enter each source in the order they should be used, separated by a single pipe. Use [standard UNC notation](https://msdn.microsoft.com/en-us/library/gg465305.aspx) for denoting the path, for example: `\\host-name1\share-name\object-name|\\host-name2\share-name\object-name`. If you do not enter any paths then this source will be skipped when the VM downloads updates.
+
+ 3. Click **OK**. This will set the order of file shares when that source is referenced in the **Define the order of sources...** group policy setting.
+
+
+**Use Configuration Manager to manage the update location:**
+
+See [Configure Definition Updates for Endpoint Protection](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-definition-updates) for details on configuring System Center Configuration Manager (current branch).
+
+
+**Use PowerShell cmdlets to manage the update location:**
+
+Use the following PowerShell cmdlets to set the update order.
+
+```PowerShell
+Set-MpPreference -SignatureFallbackOrder {LOCATION|LOCATION|LOCATION|LOCATION}
+Set-MpPreference -SignatureDefinitionUpdateFileSharesSouce {\\UNC SHARE PATH|\\UNC SHARE PATH}
+```
+See the following for more information:
+- [Set-MpPreference -SignatureFallbackOrder](https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/set-mppreference#-signaturefallbackorder)
+- [Set-MpPreference -SignatureDefinitionUpdateFileSharesSouce](https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/set-mppreference#-signaturedefinitionupdatefilesharessources)
+- [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md)
+- [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx)
+
+**Use Windows Management Instruction (WMI) to manage the update location:**
+
+Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties:
+
+```WMI
+SignatureFallbackOrder
+SignatureDefinitionUpdateFileSharesSouce
+```
+
+See the following for more information:
+- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
+
+
+
+
+
+
+
+
+
+## Related topics
+
+- [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)
+- [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)
diff --git a/windows/keep-secure/manage-updates-baselines-windows-defender-antivirus.md b/windows/keep-secure/manage-updates-baselines-windows-defender-antivirus.md
new file mode 100644
index 0000000000..f2036b77ff
--- /dev/null
+++ b/windows/keep-secure/manage-updates-baselines-windows-defender-antivirus.md
@@ -0,0 +1,53 @@
+---
+title: Manage Windows Defender Antivirus updates and apply baselines
+description: Manage how Windows Defender Antivirus receives protection and product updates.
+keywords: updates, security baselines, protection, schedule updates, force updates, mobile updates, wsus
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Manage Windows Defender Antivirus updates and apply baselines
+
+
+**Applies to:**
+
+- Windows 10
+
+**Audience**
+
+- Network administrators
+
+There are two types of updates related to keeping Windows Defender Antivirus:
+1. Protection updates
+2. Product updates
+
+You can also apply [Windows security baselines](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/windows-security-baselines) to quickly bring your endpoints up to a uniform level of protection.
+
+## Protection updates
+
+Windows Defender AV uses both [cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloaded protection updates to provide protection. These protection updates are also known as "definitions" or "signature updates".
+
+The cloud-based protection is always-on and requires an active connection to the Internet to function, while the protection updates generally occur once a day (although this can be configured). See the [Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) topic for more details about enabling and configuring cloud-provided protection.
+
+
+## Product updates
+
+Windows Defender AV requires monthly updates (known as "engine updates"), and will receive major feature updates alongside Windows 10 releases.
+
+You can manage the distribution of updates through Windows Server Update Service (WSUS), with [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/sum/understand/software-updates-introduction), or in the normal manner that you deploy Microsoft and Windows updates to endpoints in your network.
+
+## In this section
+
+Topic | Description
+---|---
+[Manage how protection updates are downloaded and applied](manage-protection-updates-windows-defender-antivirus.md) | Protection updates can be delivered through a number of sources.
+[Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) | You can schedule when protection updates should be downloaded.
+[Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md) | If an endpoint misses an update or scheduled scan, you can force an update or scan at the next log on.
+[Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md) | You can set protection updates to be downloaded at startup or after certain cloud-based protection events.
+[Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)| You can specify settings, such as whether updates should occur on battery power, that are especially useful for mobile devices and virtual machines.
diff --git a/windows/keep-secure/manage-updates-mobile-devices-vms-windows-defender-antivirus.md b/windows/keep-secure/manage-updates-mobile-devices-vms-windows-defender-antivirus.md
new file mode 100644
index 0000000000..660d4049a7
--- /dev/null
+++ b/windows/keep-secure/manage-updates-mobile-devices-vms-windows-defender-antivirus.md
@@ -0,0 +1,104 @@
+---
+title: Define how mobile devices are updated by Windows Defender AV
+description: Manage how mobile devices, such as laptops, should be updated with Windows Defender AV protection updates.
+keywords: updates, protection, schedule updates, battery, mobile device, laptop, notebook, opt-in, microsoft update, wsus, override
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Manage updates for mobile devices and virtual machines (VMs)
+
+**Applies to**
+- Windows 10
+
+**Audience**
+
+- Network administrators
+
+**Manageability available with**
+
+- Group Policy
+
+
+
+
+Mobile devices and VMs may require additional configuration to ensure performance is not impacted by updates.
+
+There are two settings that are particularly useful for these devices:
+
+- Opt-in to Microsoft Update on mobile computers without a WSUS connection
+- Prevent definition updates when running on battery power
+
+The following topics may also be useful in this situations:
+- [Configuring scheduled and catch-up scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
+- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
+- [Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment](deployment-vdi-windows-defender-antivirus.md)
+
+## Opt-in to Microsoft Update on mobile computers without a WSUS connection
+
+You can use Microsoft Update to keep definitions on mobile devices running Windows Defender AV up to date when they are not connected to the corporate network or don't otherwise have a WSUS connection.
+
+This means that protection updates can be delivered to devices (via Microsoft Update) even if you have set WSUS to override Microsoft Update.
+
+You can opt-in to Microsoft Update on the mobile device in one of the following ways:
+
+1. Change the setting with Group Policy
+2. Use a VBScript to create a script, then run it on each computer in your network.
+3. Manually opt-in every computer on your network through the **Settings** menu.
+
+**Use Group Policy to opt-in to Microsoft Update:**
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4. Click **Policies** then **Administrative templates**.
+
+5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates**.
+
+6. Double-click the **Allow definition updates from Microsoft Update** setting and set the option to **Enabled**. Click **OK**.
+
+
+**Use a VBScript to opt-in to Microsoft Update**
+
+1. Use the instructions in the MSDN article [Opt-In to Microsoft Update](https://msdn.microsoft.com/library/windows/desktop/aa826676.aspx) to create the VBScript.
+2. Run the VBScript you created on each computer in your network.
+
+
+**Manually opt-in to Microsoft Update**
+
+1. Open **Windows Update** in **Update & security** settings on the computer you want to opt-in.
+2. Click **Advanced** options.
+3. Select the checkbox for **Give me updates for other Microsoft products when I update Windows**.
+
+## Prevent definition updates when running on battery power
+
+You can configure Windows Defender AV to only download protection updates when the PC is connected to a wired power source.
+
+**Use Group Policy to prevent definition updates on battery power:**
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4. Click **Policies** then **Administrative templates**.
+
+5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates** and configure the following setting:
+
+ 1. Double-click the **Allow definition updates when running on battery power** setting and set the option to **Disabled**.
+ 2. Click **OK**. This will prevent protection updates from downloading when the PC is on battery power.
+
+
+
+
+
+## Related topics
+
+- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
+- [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)
diff --git a/windows/keep-secure/overview-of-threat-mitigations-in-windows-10.md b/windows/keep-secure/overview-of-threat-mitigations-in-windows-10.md
index 2220558610..2e7af88cf4 100644
--- a/windows/keep-secure/overview-of-threat-mitigations-in-windows-10.md
+++ b/windows/keep-secure/overview-of-threat-mitigations-in-windows-10.md
@@ -1,4 +1,15 @@
-# Mitigate threats by using Windows 10 security features
+---
+title: Mitigate threats by using Windows 10 security features (Windows 10)
+description: This topic provides an overview of software and firmware threats faced in the current security landscape, and the mitigations that Windows 10 offers in response to these threats.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: justinha
+---
+
+# Mitigate threats by using Windows 10 security features
 **Applies to:**
 - Windows 10
@@ -14,7 +25,7 @@ This topic provides an overview of software and firmware threats faced in the cu
 This topic focuses on pre-breach mitigations aimed at device protection and threat resistance. These protections work with other security defenses in Windows 10, as shown in the following illustration:
-Types of defenses in Windows 10
+Types of defenses in Windows 10
 **Figure 1.  Device protection and threat resistance as part of the Windows 10 security defenses**
@@ -44,7 +55,7 @@ Windows 10 mitigations that you can configure are listed in the following two ta
 |---|---|
 | **Windows Defender SmartScreen**,
        which helps prevent
        malicious applications
        from being downloaded | Windows Defender SmartScreen can check the reputation of a downloaded application by using a service that Microsoft maintains. The first time a user runs an app that originates from the Internet (even if the user copied it from another PC), SmartScreen checks to see if the app lacks a reputation or is known to be malicious, and responds accordingly.

        **More information**: [Windows Defender SmartScreen](#windows-defender-smartscreen), later in this topic | | **Credential Guard**,
        which helps keep attackers
        from gaining access through
        Pass-the-Hash or
        Pass-the-Ticket attacks | Credential Guard uses virtualization-based security to isolate secrets, such as NTLM password hashes and Kerberos Ticket Granting Tickets, so that only privileged system software can access them.
        Credential Guard is included in Windows 10 Enterprise and Windows Server 2016.

        **More information**: [Protect derived domain credentials with Credential Guard](credential-guard.md) | -| **Enterprise certificate pinning**,
        which helps keep users
        from being deceived by
        man-in-the-middle attacks
        that leverage PKI | With enterprise certificate pinning, you can “pin” (associate) an X.509 certificate and its public key to its legitimate Certification Authority, either root or leaf. This helps protect your enterprise’s intranet sites (not external Internet sites) by providing validation for digitally signed certificates (SSL certificates) used while browsing. This feature mitigates man-in the-middle attacks that involve these certificates.

        **More information**: ENTERPRISE_CERTIFICATE_PINNING_LINK | +| **Enterprise certificate pinning**,
        which helps keep users
        from being deceived by
        man-in-the-middle attacks
        that leverage PKI | Enterprise certificate pinning enables you to protect your internal domain names from chaining to unwanted certificates or to fraudulently issued certificates. With enterprise certificate pinning, you can “pin” (associate) an X.509 certificate and its public key to its legitimate Certification Authority, either root or leaf.

        **More information**: [Enterprise Certificate Pinning](enterprise-certificate-pinning.md) | | **Device Guard**,
        which helps keep a device
        from running malware or
        other untrusted apps | Device Guard includes Code Integrity policies, a whitelist you create of trusted apps—the only apps allowed to run in your organization. Device Guard also includes a powerful system mitigation called hypervisor-protected code integrity (HVCI), which leverages virtualization-based security (VBS) to protect Windows’ kernel-mode code integrity validation process. HVCI has specific hardware requirements, and works with Code Integrity policies to help stop attacks even if they gain entrance to the kernel.
        Device Guard is included in Windows 10 Enterprise and Windows Server 2016.

        **More information**: [Introduction to Device Guard](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md) | | **Windows Defender Antivirus**,
        which helps keep devices
        free of viruses and other
        known software threats | Windows 10 includes Windows Defender Antivirus, a robust inbox antimalware solution. Windows Defender Antivirus has been significantly improved since it was introduced in Windows 8.

        **More information**: [Windows Defender Antivirus](#windows-defender-antivirus), later in this topic | | **Blocking of untrusted fonts**,
        which helps prevent fonts
        from being used in
        elevation-of-privilege attacks | The Block Untrusted Fonts setting allows you to prevent users from loading untrusted fonts onto your network, which can mitigate elevation-of-privilege attacks associated with the parsing of font files. However, as of Windows 10, version 1703, this mitigation is less important, because font parsing is isolated in an [AppContainer sandbox](https://msdn.microsoft.com/library/windows/desktop/mt595898(v=vs.85).aspx) (for a list describing this and other kernel pool protections, see [Kernel pool protections](#kernel-pool-protections), later in this topic).

        **More information**: [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) | @@ -73,9 +84,7 @@ Starting with Windows Internet Explorer 8, the SmartScreen Filter has helped pro For Windows 10, Microsoft further developed SmartScreen, now called Windows Defender SmartScreen, by integrating its app reputation abilities into the operating system itself, which allows SmartScreen to check the reputation of files downloaded from the Internet and warn users when they’re about to run a high-risk downloaded file. The first time a user runs an app that originates from the Internet, SmartScreen checks the reputation of the application by using digital signatures and other factors against a service that Microsoft maintains. If the app lacks a reputation or is known to be malicious, SmartScreen warns the user or blocks execution entirely, depending on how the administrator has configured Microsoft Intune or Group Policy settings. - - -For more information, see Windows Defender SmartScreen overview. +For more information, see [Windows Defender SmartScreen overview](windows-defender-smartscreen-overview.md). ### Windows Defender Antivirus 
@@ -202,7 +211,7 @@ With Protected Processes, Windows 10 prevents untrusted processes from interacti
 ### Universal Windows apps protections
-When users download Universal Windows apps or even Windows Classic applications (Win32) from the Windows Store, it’s highly unlikely that they will encounter malware, because all apps go through a careful screening process before being made available in the store. Apps that organizations build and distribute through sideloading processes will need to be reviewed internally to ensure that they meet organizational security requirements.
+When users download Universal Windows apps or even Windows Classic applications (Win32) from the Windows Store, it’s unlikely that they will encounter malware because all apps go through a careful screening process before being made available in the store. Apps that organizations build and distribute through sideloading processes will need to be reviewed internally to ensure that they meet organizational security requirements.
 Regardless of how users acquire Universal Windows apps, they can use them with increased confidence. Unlike Windows Classic applications, which can run with elevated privileges and have potentially sweeping access to the system and data, Universal Windows apps run in an AppContainer sandbox with limited privileges and capabilities. For example, Universal Windows apps have no system-level access, have tightly controlled interactions with other apps, and have no access to data unless the user explicitly grants the application permission.
@@ -366,7 +375,7 @@ The Converter feature is currently available as a Windows PowerShell cmdlet, **S
 - **Converting Attack Surface Reduction (ASR) settings to a Code Integrity policy file**: If the input file contains any settings for EMET’s Attack Surface Reduction (ASR) mitigation, the converter will also create a Code Integrity policy file. In this case, you can complete the merging, auditing, and deployment process for the Code Integrity policy, as described in [Deploy Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md). This will enable protections on Windows 10 equivalent to EMET’s ASR protections.
-- **Converting Certificate Trust settings to enterprise certificate pinning rules**: If you have an EMET “Certificate Trust” XML file (pinning rules file), you can also use **Set-ProcessMitigations -Convert** to convert the pinning rules file into an enterprise certificate pinning rules file. Then you can finish enabling that file as described in the Enterprise_certificate_pinning_documentation.
+- **Converting Certificate Trust settings to enterprise certificate pinning rules**: If you have an EMET “Certificate Trust” XML file (pinning rules file), you can also use **Set-ProcessMitigations -Convert** to convert the pinning rules file into an enterprise certificate pinning rules file. Then you can finish enabling that file as described in [Enterprise Certificate Pinning](enterprise-certificate-pinning.md).
 #### EMET-related products
diff --git a/windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md b/windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md
index ac785c854a..3e1b3c8a80 100644
--- a/windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md
@@ -1,7 +1,7 @@
 ---
 title: Windows Defender Advanced Threat Protection portal overview
 description: Use the Windows Defender ATP portal to monitor your enterprise network and assist in responding to alerts to potential advanced persistent threat (APT) activity or data breaches.
-keywords: Windows Defender ATP portal, portal, cybersecurity threat intelligence, dashboard, alerts queue, machines view, preferences setup, endpoint management, advanced attacks
+keywords: Windows Defender ATP portal, portal, cybersecurity threat intelligence, dashboard, alerts queue, machines list, preferences setup, endpoint management, advanced attacks
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -38,7 +38,7 @@ When you open the portal, you’ll see the main areas of the application:
 - (3) Main portal
 > [!NOTE]
-> Malware related detections will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
+> Malware related detections will only appear if your endpoints are using [Windows Defender Antivirus](https://technet.microsoft.com/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
 You can navigate through the portal using the menu options available in all sections. Refer to the following table for a description of each section.
@@ -48,10 +48,10 @@ Area | Description
 (2) Navigation pane | Use the navigation pane to move between the **Dashboard**, **Alerts queue**, **Machines view**, **Service health**, **Preferences setup**, and **Enpoint Management**.
 **Dashboard** | Provides clickable tiles that open detailed information on various alerts that have been detected in your organization.
 **Alerts queue** | Enables you to view separate queues of new, in progress, and resolved alerts.
-**Machines view**| Displays the list of machines that are onboarded to Windows Defender ATP, some information about them, and the corresponding number of alerts.
+**Machines view** | Displays the list of machines that are onboarded to Windows Defender ATP, some information about them, and the corresponding number of alerts.
 **Service health** | Provides information on the current status of the Window Defender ATP service. You'll be able to verify that the service status is healthy or if there are current issues.
-**Preferences setup**| Shows the settings you selected during onboarding and lets you update your industry preferences and retention policy period. You can also set email notifications, activate the preview experience, and enable or turn off advanced features.
-**Endpoint Management**| Allows you to download the onboarding configuration package. It provides access to endpoint offboarding.
+**Preferences setup** | Shows the settings you selected during onboarding and lets you update your industry preferences and retention policy period. You can also set email notifications, activate the preview experience, and enable or turn off advanced features.
+**Endpoint Management** | Allows you to download the onboarding configuration package. It provides access to endpoint offboarding.
 (3) Main portal| Main area where you will see the different views such as the Dashboard, Alerts queue, and Machines view.
 ## Windows Defender ATP icons
diff --git a/windows/keep-secure/powershell-example-code-windows-defender-advanced-threat-protection.md b/windows/keep-secure/powershell-example-code-windows-defender-advanced-threat-protection.md
index 5574319409..1e062c51a0 100644
--- a/windows/keep-secure/powershell-example-code-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/powershell-example-code-windows-defender-advanced-threat-protection.md
@@ -21,8 +21,6 @@ localizationpriority: high
 - Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
-
 This article provides PowerShell code examples for using the custom threat intelligence API.
 These code examples demonstrate the following tasks:
@@ -36,7 +34,7 @@ These code examples demonstrate the following tasks:
 ## Step 1: Obtain an Azure AD access token
 The following example demonstrates how to obtain an Azure AD access token that you can use to call methods in the custom threat intelligence API. After you obtain a token, you have 60 minutes to use this token in calls to the custom threat intelligence API before the token expires. After the token expires, you can generate a new token.
-Replace the *tenantid*, *clientid*, and *clientSecret* values with the ones you got from **Preferences settings** page in the portal:
+Replace the *authUrl*, *clientid*, and *clientSecret* values with the ones you got from **Preferences settings** page in the portal:
 [!code[CustomTIAPI](./code/example.ps1#L1-L14)]
diff --git a/windows/keep-secure/preferences-setup-windows-defender-advanced-threat-protection.md b/windows/keep-secure/preferences-setup-windows-defender-advanced-threat-protection.md
index 5d51de963a..1523930b5c 100644
--- a/windows/keep-secure/preferences-setup-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/preferences-setup-windows-defender-advanced-threat-protection.md
@@ -27,6 +27,6 @@ Use the **Preferences setup** menu to modify general settings, advanced features
 Topic | Description
 :---|:---
 [Update general settings](general-settings-windows-defender-advanced-threat-protection.md) | Modify your general settings that were previously defined as part of the onboarding process.
-[Enable advanced features](advanced-features-windows-defender-advacned-threat-protection.md)| Enable features such as **Block file** and other features that require integration with other products.
+[Enable advanced features](advanced-features-windows-defender-advanced-threat-protection.md)| Enable features such as **Block file** and other features that require integration with other products.
 [Enable the preview experience](preview-settings-windows-defender-advanced-threat-protection.md) | Allows you to turn on preview features so you can try upcoming features.
 [Configure email notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md) | Enables you to configure and identify a group of individuals who will immediately be informed of new alerts through email notifications.
diff --git a/windows/keep-secure/prevent-end-user-interaction-windows-defender-antivirus.md b/windows/keep-secure/prevent-end-user-interaction-windows-defender-antivirus.md
new file mode 100644
index 0000000000..ce95481ff2
--- /dev/null
+++ b/windows/keep-secure/prevent-end-user-interaction-windows-defender-antivirus.md
@@ -0,0 +1,89 @@ +--- +title: Hide the Windows Defender Antivirus interface +description: You can hide virus and threat protection tile in the Windows Defender Security Center app. +keywords: ui lockdown, headless mode, hide app, hide settings, hide interface +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +--- + +# Prevent users from seeing or interacting with the Windows Defender AV user interface +**Applies to:** + +- Windows 10 + +**Audience** + +- Enterprise security administrators + +**Manageability available with** + +- Group Policy + + +You can use Group Policy to prevent users on endpoints from seeing the Windows Defender Antivirus interface. You can also prevent them from pausing scans. + +## Hide the Windows Defender Antivirus interface + +In Windows 10, versions 1703, hiding the interface will hide Windows Defender AV notifications and prevent the Virus & threat protection tile from appearing in the Windows Defender Security Center app. + +With the setting set to **Enabled**: + +![Screenshot of Windows Defender Security Center without the shield icon and virus and threat protection section](images/defender/wdav-headless-mode-1703.png) + +With the setting set to **Disabled** or not configured: + +![Scheenshot of Windows Defender Security Center showing the shield icon and virus and threat protection section](images/defender/wdav-headless-mode-off-1703.png) + +>[!NOTE] +>Hiding the interface will also prevent Windows Defender AV notifications from appearing on the endpoint. Windows Defender Advanced Threat Protection notifications will still appear. You can also individually [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) + + +In earlier versions of Windows 10, the setting will hide the Windows Defender client interface. 
If the user attempts to open it, they will receive a warning "Your system administrator has restricted access to this app.": + +![Warning message when headless mode is enabled in Windows 10, versions earlier than 1703 that says Your system administrator has restricted access to this app](images/defender/wdav-headless-mode-1607.png) + +**Use Group Policy to hide the Windows Defender AV interface from users:** + +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. Click **Policies** then **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**. + +6. Double-click the **Enable headless UI mode** setting and set the option to **Enabled**. Click **OK**. + + +Also see the [Prevent users from locally modifying policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) topic for more options on preventing users form modifying protection on their PCs. + +## Prevent users from pausing a scan + +You can prevent users from pausing scans. This can be helpful to ensure scheduled or on-demand scans are not interrupted by users. + + +**Use Group Policy to prevent users from pausing a scan:** + +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. Click **Policies** then **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender Antivirus > Scan**. + +6. Double-click the **Allow users to pause scan** setting and set the option to **Disabled**. Click **OK**. 
+ + +## Related topics + + +- [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) +- [Configure end-user interaction with Windows Defender AV](configure-end-user-interaction-windows-defender-antivirus.md) +- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) \ No newline at end of file diff --git a/windows/keep-secure/preview-settings-windows-defender-advanced-threat-protection.md b/windows/keep-secure/preview-settings-windows-defender-advanced-threat-protection.md index 9304e0ab7e..f1e4b41964 100644 --- a/windows/keep-secure/preview-settings-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/preview-settings-windows-defender-advanced-threat-protection.md @@ -27,5 +27,5 @@ Turn on the preview experience setting to be among the first to try upcoming fea ## Related topics - [Update general settings in Windows Defender ATP](general-settings-windows-defender-advanced-threat-protection.md) -- [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advacned-threat-protection.md) +- [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advanced-threat-protection.md) - [Configure email notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/preview-windows-defender-advanced-threat-protection.md b/windows/keep-secure/preview-windows-defender-advanced-threat-protection.md index 3a89c15e0b..0306678e79 100644 --- a/windows/keep-secure/preview-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/preview-windows-defender-advanced-threat-protection.md 
@@ -21,7 +21,6 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] The Windows Defender ATP service is constantly being updated to include new feature enhancements and capabilities. diff --git a/windows/keep-secure/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md b/windows/keep-secure/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..670143cd10 --- /dev/null +++ b/windows/keep-secure/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,195 @@ +--- +title: Pull Windows Defender ATP alerts using REST API +description: Pull alerts from the Windows Defender ATP portal REST API. +keywords: alerts, pull alerts, rest api, request, response +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: mjcaparas +localizationpriority: high +--- + +# Pull Windows Defender ATP alerts using REST API + +**Applies to:** + +- Windows 10 Enterprise +- Windows 10 Education +- Windows 10 Pro +- Windows 10 Pro Education +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +Windows Defender ATP supports the OAuth 2.0 protocol to pull alerts from the portal. + +In general, the OAuth 2.0 protocol supports four types of flows: +- Authorization grant flow +- Implicit flow +- Client credentials flow +- Resource owner flow + +For more information about the OAuth specifications, see the [OAuth Website](http://www.oauth.net). + +Windows Defender ATP supports the _Authorization grant flow_ and _Client credential flow_ to obtain access to generate alerts from the portal, with Azure Active Directory (AAD) as the authorization server. + +The _Authorization grant flow_ uses user credentials to get an authorization code, which is then used to obtain an access token. + +The _Client credential flow_ uses client credentials to authenticate against the Windows Defender ATP endpoint URL. This flow is suitable for scenarios when an OAuth client creates requests to an API that doesn't require user credentials. + +Use the following method in the Windows Defender ATP API to pull alerts in JSON format. + +## Before you begin +- Before calling the Windows Defender ATP endpoint to pull alerts, you'll need to enable the SIEM integration application in Azure Active Directory (AAD). For more information, see [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md). 
+ +- Take note of the following values in your Azure application registration. You need these values to configure the OAuth flow in your service or daemon app: + - Application ID (unique to your application) + - App key, or secret (unique to your application) + - Your app's OAuth 2.0 token endpoint + - Find this value by clicking **View Endpoints** at the bottom of the Azure Management Portal in your app's page. The endpoint will look like `https://login.microsoftonline.com/{tenantId}/oauth2/token`. + +## Get an access token +Before creating calls to the endpoint, you'll need to get an access token. + +You'll use the access token to access the protected resource, which are alerts in Windows Defender ATP. + +To get an access token, you'll need to do a POST request to the token issuing endpoint. Here is a sample request: + +```syntax + +POST /72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/token HTTP/1.1 +Host: login.microsoftonline.com +Content-Type: application/x-www-form-urlencoded + +resource=https%3A%2F%2FWDATPAlertExport.Seville.onmicrosoft.com&client_id=35e0f735-5fe4-4693-9e68-3de80f1d3745&client_secret=IKXc6PxB2eoFNJ%2FIT%2Bl2JZZD9d9032VXz6Ul3D2WyUQ%3D&grant_type=client_credentials +``` +The response will include an access token and expiry information. + +```json +{ + "token type": "Bearer", + "expires in": "3599" + "ext_expires_in": "0", + "expires_on": "1488720683", + "not_before": "1488720683", + "resource": "https://WDATPAlertExport.Seville.onmicrosoft.com", + "access_token":"eyJ0eXaioJJOIneiowiouqSuzNiZ345FYOVkaJL0625TueyaJasjhIjEnbMlWqP..." +} +``` +You can now use the value in the *access_token* field in a request to the Windows Defender ATP API. + +## Request +With an access token, your app can make authenticated requests to the Windows Defender ATP API. Your app must append the access token to the Authorization header of each request. + +### Request syntax +Method | Request URI +:---|:---| +GET| Use the URI applicable for your region.

        **For EU**: `https://wdatp-alertexporter-eu.windows.com/api/alerts`
        **For US**: `https://wdatp-alertexporter-us.windows.com/api/alerts` + +### Request header +Header | Type | Description| +:--|:--|:-- +Authorization | string | Required. The Azure AD access token in the form **Bearer** <*token*>. | + +### Request parameters + +Use optional query parameters to specify and control the amount of data returned in a response. If you call this method without parameters, the response contains all the alerts in your organization. + +Name | Value| Description +:---|:---|:--- +DateTime?sinceTimeUtc | string | Defines the time alerts are retrieved from based from `LastProccesedTimeUtc` time to current time.

        **NOTE**: When not specified, all alerts generated in the last two hours are retrieved. +int?limit | int | Defines the number of alerts to be retrieved. Most recent alerts will be retrieved based on the number defined.

        **NOTE**: When not specified, all alerts available in the time range will be retrieved. + +### Request example +The following example demonstrates how to retrieve all the alerts in your organization. + +```syntax +GET https://wdatp-alertexporter-eu.windows.com/api/alerts +Authorization: Bearer +``` + +The following example demonstrates a request to get the last 20 alerts since 2016-09-12 00:00:00. + +```syntax +GET https://wdatp-alertexporter-eu.windows.com/api/alerts?limit=20&sinceTimeUtc="2016-09-12 00:00:00" +Authorization: Bearer +``` + +## Response +The return value is an array of alert objects in JSON format. + +Here is an example return value: + +```json +{"AlertTime":"2017-01-23T07:32:54.1861171Z", +"ComputerDnsName":"desktop-bvccckk", +"AlertTitle":"Suspicious PowerShell commandline", +"Category":"SuspiciousActivity", +"Severity":"Medium", +"AlertId":"636207535742330111_-1114309685", +"Actor":null, +"LinkToWDATP":"https://securitycenter.windows.com/alert/636207535742330111_-1114309685", +"IocName":null, +"IocValue":null, +"CreatorIocName":null, +"CreatorIocValue":null, +"Sha1":"69484ca722b4285a234896a2e31707cbedc59ef9", +"FileName":"powershell.exe", +"FilePath":"C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", +"IpAddress":null, +"Url":null, +"IoaDefinitiondId":"7f1c3609-a3ff-40e2-995b-c01770161d68", +"UserName":null, +"AlertPart":0, +"FullId":"636207535742330111_-1114309685:9DE735BA9FF87725E392C6DFBEB2AF279035CDE229FCC00D28C0F3242C5A50AF", +"LastProcessedTimeUtc":"2017-01-23T11:33:45.0760449Z", +"ThreatCategory":null, +"ThreatFamily":null, +"ThreatName":null, +"RemediationAction":null, +"RemediationIsSuccess":null, +"Source":"Windows Defender ATP", +"Md5":null, +"Sha256":null, +"WasExecutingWhileDetected":null, +"FileHash":"69484ca722b4285a234896a2e31707cbedc59ef9", +"IocUniqueId":"9DE735BA9FF87725E392C6DFBEB2AF279035CDE229FCC00D28C0F3242C5A50AF"} +``` + +## Code examples +### Get access token +The following code example demonstrates how to obtain 
an access token and call the Windows Defender ATP API. + +```syntax +AuthenticationContext context = new AuthenticationContext(string.Format("https://login.windows.net/{0}/oauth2", tenantId)); +ClientCredential clientCredentials = new ClientCredential(clientId, clientSecret); +AuthenticationResult authenticationResult = context.AcquireToken(resource, clientCredentials); +``` +### Use token to connect to the alerts endpoint + +``` +HttpClient httpClient = new HttpClient(); +httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue(authenticationResult.AccessTokenType, authenticationResult.AccessToken); +HttpResponseMessage response = httpClient.GetAsync("https://wdatp-alertexporter-eu.windows.com/api/alert").GetAwaiter().GetResult(); +string alertsJson = response.Content.ReadAsStringAsync().Result; +Console.WriteLine("Got alert list: {0}", alertsJson); + +``` + + + + +## Error codes +The Windows Defender ATP REST API returns the following error codes caused by an invalid request. + +HTTP error code | Description +:---|:--- +401 | Malformed request or invalid token. +403 | Unauthorized exception - any of the domains is not managed by the tenant administrator or tenant state is deleted. +500 | Error in the service. + +## Related topics +- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) +- [Configure Splunk](configure-splunk-windows-defender-advanced-threat-protection.md) +- [Configure ArcSight](configure-arcsight-windows-defender-advanced-threat-protection.md) +- [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md b/windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md index 6e63d9f1b5..fb4e54687b 100644 
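Review bot: The sample token request at the top of this new page ships a concrete `client_secret=IKXc6PxB2eoFNJ%2FIT%2Bl2JZZD9d9032VXz6Ul3D2WyUQ%3D` together with a tenant GUID and a `client_id`; whether or not these were ever live, readers copy samples verbatim, so they should be replaced with placeholders such as `client_id={clientId}&client_secret={clientSecret}` (and the secret rotated if it was real). The token-response sample is not valid JSON as written — `"token type"` and `"expires in"` should be `"token_type"` and `"expires_in"`, and a comma is missing after `"3599"` — which matters because the page tells readers to pull `access_token` out of exactly this shape. The C# sample requests `/api/alert` while the request-syntax table gives `/api/alerts`, and it prints the body without checking `response.IsSuccessStatusCode`, so a 401/403 from the error table would be logged as if it were an alert list; a one-line caveat that the bearer token is a credential and must not be logged or persisted in plain text would also help. The 401 and 403 descriptions in the error table look transposed relative to their usual HTTP meanings — worth confirming against the service before publishing.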
--- a/windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md @@ -21,7 +21,6 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] ## Before you begin You must [install](http://docs.python-requests.org/en/master/user/install/#install) the "[requests](http://docs.python-requests.org/en/master/)" python library. @@ -37,7 +36,7 @@ These code examples demonstrate the following tasks: ## Step 1: Obtain an Azure AD access token The following example demonstrates how to obtain an Azure AD access token that you can use to call methods in the custom threat intelligence API. After you obtain a token, you have 60 minutes to use this token in calls to the custom threat intelligence API before the token expires. After the token expires, you can generate a new token. -Replace the *tenant\_id*, *client_id*, and *client_secret* values with the ones you got from **Preferences settings** page in the portal: +Replace the *auth_url*, *client_id*, and *client_secret* values with the ones you got from **Preferences settings** page in the portal: [!code[CustomTIAPI](./code/example.py#L1-L17)] diff --git a/windows/keep-secure/report-monitor-windows-defender-antivirus.md b/windows/keep-secure/report-monitor-windows-defender-antivirus.md new file mode 100644 index 0000000000..c2a5ab14a1 --- /dev/null +++ b/windows/keep-secure/report-monitor-windows-defender-antivirus.md 
@@ -0,0 +1,38 @@ +--- +title: Monitor and report on Windows Defender Antivirus protection +description: Use Configuration Manager or SIEM tools to consume reports, and monitor Windows Defender AV with PowerShell and WMI. +keywords: siem, monitor, report, windows defender av +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +--- + +# Report on Windows Defender Antivirus protection + +**Applies to:** + +- Windows 10 + +**Audience** + +- IT administrators + +There are a number of ways you can review protection status and alerts, depending on the management tool you are using for Windows Defender AV. + + + +You can use System Center Configuration Manager to [monitor Windows Defender AV protection](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-configure-alerts), or you can also monitor protection using the [Microsoft Intune console](ttps://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#monitor-endpoint-protection). + +If you have a third-party security information and event management (SIEM) tool, you can also consume [Windows Defender client event IDs](troubleshoot-windows-defender-antivirus.md#windows-defender-av-ids) to review specific events and errors from your endpoints. + +For monitoring or determining status with PowerShell, WMI, or Microsoft Azure, see the [(Deployment, managament, and reporting options table)](deploy-manage-report-windows-defender-antivirus.md#ref1). + +## Related topics + +- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) +- [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) 
diff --git a/windows/keep-secure/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/keep-secure/respond-file-alerts-windows-defender-advanced-threat-protection.md index 0d15caf8a1..53ab4cc32a 100644 --- a/windows/keep-secure/respond-file-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/respond-file-alerts-windows-defender-advanced-threat-protection.md @@ -21,7 +21,6 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[Some information relates to pre–released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files, you can check activity details on the Action center. @@ -130,7 +129,7 @@ For prevalent files in the organization, a warning is shown before an action is 1. Select the file you want to remove from the blocked list. You can select a file from any of the following views or use the Search box: – **Alerts** - Click the file links from the Description or Details in the Alert timeline - – **Machines view** - Click the file links in the Description or Details columns in the Observed on machine section + – **Machines list** - Click the file links in the Description or Details columns in the Observed on machine section – **Search box** - Select File from the drop–down menu and enter the file name 2. Open the **Actions** menu and select **Remove file from blocked list**. 
@@ -175,7 +174,7 @@ When the sample is collected, Windows Defender ATP runs the file in is a secure 1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the following views: – Alerts - click the file links from the **Description** or **Details** in the Alert timeline - – **Machines View** - click the file links from the **Description** or **Details** in the **Machine in organization** section + – **Machines list** - click the file links from the **Description** or **Details** in the **Machine in organization** section – Search box - select **File** from the drop–down menu and enter the file name 2. In the **Deep analysis** section of the file view, click **Submit**. diff --git a/windows/keep-secure/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/keep-secure/respond-machine-alerts-windows-defender-advanced-threat-protection.md index 7262eeac48..0e2b10168f 100644 --- a/windows/keep-secure/respond-machine-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/respond-machine-alerts-windows-defender-advanced-threat-protection.md @@ -21,7 +21,6 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] Quickly respond to detected attacks by isolating machines or collecting an investigation package. After taking action on machines, you can check activity details on the Action center. 
@@ -40,7 +39,7 @@ This machine isolation feature disconnects the compromised machine from the netw - **Dashboard** - Select the machine name from the Top machines with active alerts section. - **Alerts queue** - Select the machine name beside the machine icon from the alerts queue. - - **Machines view** - Select the machine name from the list of machines. + - **Machines list** - Select the machine name from the list of machines. - **Search box** - Select Machine from the drop-down menu and enter the machine name. 2. Open the **Actions** menu and select **Isolate machine**. @@ -102,7 +101,7 @@ CollectionSummaryReport.xls | This file is a summary of the investigation packag - **Dashboard** - Select the machine name from the Top machines with active alerts section. - **Alerts queue** - Select the machine name beside the machine icon from the alerts queue. - - **Machines view** - Select the heading of the machine name from the machines view. + - **Machines list** - Select the heading of the machine name from the machines list. - **Search box** - Select Machine from the drop-down menu and enter the machine name. 2. Open the **Actions** menu and select **Collect investigation package**. diff --git a/windows/keep-secure/response-actions-windows-defender-advanced-threat-protection.md b/windows/keep-secure/response-actions-windows-defender-advanced-threat-protection.md index 3fdf40354f..22b507a210 100644 --- a/windows/keep-secure/response-actions-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/response-actions-windows-defender-advanced-threat-protection.md 
@@ -21,7 +21,6 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] You can take response actions on machines and files to quickly respond to detected attacks so that you can contain or reduce and prevent further damage caused by malicious attackers in your organization. diff --git a/windows/keep-secure/review-scan-results-windows-defender-antivirus.md b/windows/keep-secure/review-scan-results-windows-defender-antivirus.md new file mode 100644 index 0000000000..7147c968b9 --- /dev/null +++ b/windows/keep-secure/review-scan-results-windows-defender-antivirus.md @@ -0,0 +1,15 @@ +--- +title: Review the results of Windows Defender AV scans +description: Review the results of scans using System Center Configuration Manager, Microsoft Intune, or the Windows Defender Security Center app +keywords: +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +--- + +# Review Windows Defender AV scan results diff --git a/windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md b/windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md index 2234eebd86..f8f3682a5d 100644 --- a/windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md +++ b/windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md 
@@ -10,46 +10,9 @@ ms.sitesec: library ms.pagetype: security localizationpriority: medium author: mjcaparas +redirect_url: /command-line-arguments-windows-defender-antivirus/ --- # Run a Windows Defender scan from the command line -**Applies to:** - -- Windows 10 - -IT professionals can use a command-line utility to run a Windows Defender scan. - -The utility is available in _%Program Files%\Windows Defender\MpCmdRun.exe_. - -This utility can be handy when you want to automate the use of Windows Defender. - -**To run a quick scan from the command line** - -1. Click **Start**, type **cmd**, and press **Enter**. -2. Navigate to _%ProgramFiles%\Windows Defender_ and enter the following command, and press **Enter**: - -``` -C:\Program Files\Windows Defender\mpcmdrun.exe -scan -scantype 1 -``` -The quick scan will start. When the scan completes, you'll see a message indicating that the scan is finished. - - -The utility also provides other commands that you can run: - -``` -MpCmdRun.exe [command] [-options] -``` - -Command | Description -:---|:--- -\- ? / -h | Displays all available options for the tool -\-Scan [-ScanType #] [-File [-DisableRemediation] [-BootSectorScan]][-Timeout ] | Scans for malicious software -\-Trace [-Grouping #] [-Level #]| Starts diagnostic tracing -\-GetFiles | Collects support information -\-RemoveDefinitions [-All] | Restores the installed signature definitions to a previous backup copy or to the original default set of signatures -\-AddDynamicSignature [-Path] | Loads a dynamic signature -\-ListAllDynamicSignature [-Path] | Lists the loaded dynamic signatures -\-RemoveDynamicSignature [-SignatureSetID] | Removes a dynamic signature -
        -The command-line utility provides detailed information on the other commands supported by the tool. +This page has been redirected to *Usethempcmdrun.execommandlinetooltoconfigureandmanageWindowsDefenderAntivirus*. \ No newline at end of file diff --git a/windows/keep-secure/run-scan-windows-defender-antivirus.md b/windows/keep-secure/run-scan-windows-defender-antivirus.md new file mode 100644 index 0000000000..2c09909c04 --- /dev/null +++ b/windows/keep-secure/run-scan-windows-defender-antivirus.md 
@@ -0,0 +1,59 @@ +--- +title: Run and customize on-demand scans in Windows Defender AV +description: Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Defender Security Center app +keywords: +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +--- + + + + + +# Configure and run Windows Defender AV scans + +**Applies to:** + +- Windows 10 + +IT professionals can use a command-line utility to run a Windows Defender scan. + +The utility is available in _%Program Files%\Windows Defender\MpCmdRun.exe_. + +This utility can be handy when you want to automate the use of Windows Defender. + +**To run a quick scan from the command line** + +1. Click **Start**, type **cmd**, and press **Enter**. +2. Navigate to _%ProgramFiles%\Windows Defender_ and enter the following command, and press **Enter**: + +``` +C:\Program Files\Windows Defender\mpcmdrun.exe -scan -scantype 1 +``` +The quick scan will start. When the scan completes, you'll see a message indicating that the scan is finished. + + +The utility also provides other commands that you can run: + +``` +MpCmdRun.exe [command] [-options] +``` + +Command | Description +:---|:--- +\- ? / -h | Displays all available options for the tool +\-Scan [-ScanType #] [-File [-DisableRemediation] [-BootSectorScan]][-Timeout ] | Scans for malicious software +\-Trace [-Grouping #] [-Level #]| Starts diagnostic tracing +\-GetFiles | Collects support information +\-RemoveDefinitions [-All] | Restores the installed signature definitions to a previous backup copy or to the original default set of signatures +\-AddDynamicSignature [-Path] | Loads a dynamic signature +\-ListAllDynamicSignature [-Path] | Lists the loaded dynamic signatures +\-RemoveDynamicSignature [-SignatureSetID] | Removes a dynamic signature +
        +The command-line utility provides detailed information on the other commands supported by the tool. diff --git a/windows/keep-secure/scheduled-catch-up-scans-windows-defender-antivirus.md b/windows/keep-secure/scheduled-catch-up-scans-windows-defender-antivirus.md new file mode 100644 index 0000000000..0c16327c23 --- /dev/null +++ b/windows/keep-secure/scheduled-catch-up-scans-windows-defender-antivirus.md @@ -0,0 +1,50 @@ +--- +title: Schedule regular scans with Windows Defender AV +description: Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans +keywords: +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +--- + + +# Configure scheduled scans for Windows Defender AV + + + +**Applies to** +- Windows 10 + +**Audience** + +- Network administrators + +**Manageability available with** + +- Group Policy +- System Center Configuration Manager +- PowerShell cmdlets +- Windows Management Instruction (WMI) + + + +> [!IMPORTANT] +> By default, Windows Defender AV will check for an update 15 minutes before the time of any scheduled scans. You can [Manage the schedule for when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) to override this default. + + +RANDOMIZE + + + + + +## Related topics + +- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) +- [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md) +- [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md) 
diff --git a/windows/keep-secure/specify-cloud-protection-level-windows-defender-antivirus.md b/windows/keep-secure/specify-cloud-protection-level-windows-defender-antivirus.md new file mode 100644 index 0000000000..923b49d30a --- /dev/null +++ b/windows/keep-secure/specify-cloud-protection-level-windows-defender-antivirus.md 
@@ -0,0 +1,69 @@
+---
+title: Specify cloud-delivered protection level in Windows Defender Antivirus
+description: Set the aggressiveness of cloud-delivered protection in Windows Defender Antivirus.
+keywords: windows defender antivirus, antimalware, security, defender, cloud, aggressiveness, protection level
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Specify the cloud-delivered protection level
+
+
+
+**Applies to:**
+
+- Windows 10, version 1703
+
+**Audience**
+
+- Enterprise security administrators
+
+**Manageability available with**
+
+- Group Policy
+- System Center Configuration Manager (current branch)
+
+You can specify the level of cloud-protection offered by Windows Defender Antivirus with Group Policy and System Center Configuration Manager.
+
+>[!NOTE]
+>The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional signature updates.
+
+
+
+**Use Group Policy to specify the level of cloud-delivered protection:**
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4. Click **Policies** then **Administrative templates**.
+
+5. Expand the tree to **Windows components > Windows Defender Antivirus > MpEngine**.
+
+1. Double-click the **Select cloud protection level** setting and set it to **Enabled**. Select the level of protection:
+    1. Setting to **Default Windows Defender Antivirus blocking level** will provide strong detection without increasing the risk of detecting legitimate files.
+    2. Setting to **High blocking level** will apply a strong level of detection. While unlikely, some legitimate files may be detected (although you will have the option to unblock or dispute that detection).
+
+1. Click **OK**.
+
+
+**Use Configuration Manager to specify the level of cloud-delivered protection:**
+
+1. See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring System Center Configuration Manager (current branch).
+
+
+
+
+## Related topics
+
+- [Windows Defender Antivirus in Windows 10](windows-defender-in-windows-10.md)
+- [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
+- [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service)
+
+
diff --git a/windows/keep-secure/threat-indicator-concepts-windows-defender-advanced-threat-protection.md b/windows/keep-secure/threat-indicator-concepts-windows-defender-advanced-threat-protection.md
index be6cfe9d8e..96e53b49bd 100644
--- a/windows/keep-secure/threat-indicator-concepts-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/threat-indicator-concepts-windows-defender-advanced-threat-protection.md
@@ -1,6 +1,6 @@ --- title: Understand threat intelligence concepts in Windows Defender ATP -description: Understand the concepts around threat intelligence in Windows Defender Advanced Threat Protection so that you can effectively create custom intelligence for your organization. +description: Create custom threat alerts for your organization and learn the concepts around threat intelligence in Windows Defender Advanced Threat Protection. keywords: threat intelligence, alert definitions, indicators of compromise, ioc search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -21,8 +21,6 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] - Advanced cybersecurity attacks comprise of multiple complex malicious events, attributes, and contextual information. Identifying and deciding which of these activities qualify as suspicious can be a challenging task. Your knowledge of known attributes and abnormal activities specific to your industry is fundamental in knowing when to call an observed behavior as suspicious. With Windows Defender ATP, you can create custom threat alerts that can help you keep track of possible attack activities in your organization. You can flag suspicious events to piece together clues and possibly stop an attack chain. These custom threat alerts will only appear in your organization and will flag events that you set it to track. diff --git a/windows/keep-secure/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md index d63bd1bf4c..d1a50e1df1 100644 --- a/windows/keep-secure/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md 
+++ b/windows/keep-secure/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md @@ -21,7 +21,6 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] You might need to troubleshoot issues while using the custom threat intelligence feature. @@ -37,7 +36,7 @@ If your client secret expires or if you've misplaced the copy provided when you 3. Select your tenant. -4. Click **Application**, then select your custom threat intelligence application. +4. Click **Application**, then select your custom threat intelligence application. The application name is **WindowsDefenderATPThreatIntelAPI** (formerly known as **WindowsDefenderATPCustomerTiConnector**). 5. Select **Keys** section, then provide a key description and specify the key validity duration. diff --git a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md index e95197be01..3a2b9f8868 100644 --- a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md 
@@ -45,7 +45,7 @@ Deployment with the above-mentioned versions of System Center Configuration Mana If the deployment fails, you can check the output of the script on the endpoints. For more information, see [Troubleshoot onboarding when deploying with a script on the endpoint](#troubleshoot-onboarding-when-deploying-with-a-script-on-the-endpoint). -If the onboarding completed successfully but the endpoints are not showing up in the **Machines view** after an hour, see [Troubleshoot onboarding issues on the endpoint](#troubleshoot-onboarding-issues-on-the-endpoint) for additional errors that might occur. +If the onboarding completed successfully but the endpoints are not showing up in the **Machines list** after an hour, see [Troubleshoot onboarding issues on the endpoint](#troubleshoot-onboarding-issues-on-the-endpoint) for additional errors that might occur. ## Troubleshoot onboarding when deploying with a script on the endpoint 
@@ -119,7 +119,7 @@ ID | Severity | Event description | Troubleshooting steps 1819 | Error | Windows Defender Advanced Threat Protection CSP: Failed to Set Node's Value. NodeId: (%1), TokenName: (%2), Result: (%3). | Download the [Cumulative Update for Windows 10, 1607](https://go.microsoft.com/fwlink/?linkid=829760). ## Troubleshoot onboarding issues on the endpoint -If the deployment tools used does not indicate an error in the onboarding process, but endpoints are still not appearing in the machines view an hour, go through the following verification topics to check if an error occurred with the Windows Defender ATP agent: +If the deployment tools used does not indicate an error in the onboarding process, but endpoints are still not appearing in the machines list in an hour, go through the following verification topics to check if an error occurred with the Windows Defender ATP agent: - [View agent onboarding errors in the endpoint event log](#view-agent-onboarding-errors-in-the-endpoint-event-log) - [Ensure the telemetry and diagnostics service is enabled](#ensure-the-telemetry-and-diagnostics-service-is-enabled) - [Ensure the service is set to start](#ensure-the-service-is-set-to-start) diff --git a/windows/keep-secure/troubleshoot-windows-defender-antivirus.md b/windows/keep-secure/troubleshoot-windows-defender-antivirus.md new file mode 100644 index 0000000000..0006cde7b3 --- /dev/null +++ b/windows/keep-secure/troubleshoot-windows-defender-antivirus.md 
@@ -0,0 +1,3325 @@
+---
+title: Windows Defender AV event IDs and error codes
+description: Look up the causes and solutions for Windows Defender Antivirus event IDs and errors
+keywords: event, error code, siem, logging, troubleshooting, wef, windows event forwarding
+ms.assetid: EE488CC1-E340-4D47-B50B-35BD23CB4D70
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Review event logs and error codes to troubleshoot issues with Windows Defender AV
+
+
+**Applies to**
+- Windows 10
+
+**Audience**
+
+- Enterprise security administrators
+
+
+If you encounter a problem with Windows Defender Antivirus, you can search the tables in this topic to find a matching issue and potential solution.
+
+The tables list:
+
+- [Windows Defender AV client event IDs](#windows-defender-av-ids)
+- [Windows Defender AV client error codes](#error-codes)
+- [Internal Windows Defender AV client error codes (used by Microsoft during development and testing)](#internal-error-codes)
+
+
+
+## Windows Defender AV client event IDs
+
+Windows Defender AV records event IDs in the Windows event log.
+
+You can directly view the event log, or if you have a third-party security information and event management (SIEM) tool, you can also consume [Windows Defender client event IDs](troubleshoot-windows-defender-antivirus.md#windows-defender-av-ids) to review specific events and errors from your endpoints.
+
+The table in this section lists the main Windows Defender Antivirus client event IDs and, where possible, provides suggested solutions to fix or resolve the error.
+
+**To view a Windows Defender client event**
+
+1. Open **Event Viewer**.
+2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender**.
+3. Double-click on **Operational**.
+4. In the details pane, view the list of individual events to find your event.
+5. 
Click the event to see specific details about an event in the lower pane, under the **General** and **Details** tabs. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
        Event ID: 1000 +

        Symbolic name:

        +
        +

        MALWAREPROTECTION_SCAN_STARTED

        +
        +

        Message:

        +
        +

        An antimalware scan started. +

        +
        +

        Description:

        +
        +

        +

        +
        Scan ID: <ID number of the relevant scan.>
        +
        Scan Type: <Scan type>, for example:
          +
        • Antivirus
        • +
        • Antispyware
        • +
        • Antimalware
        • +
        +
        +
        Scan Parameters: <Scan parameters>, for example:
          +
        • Full scan
        • +
        • Quick scan
        • +
        • Customer scan
        • +
        +
        +
        Scan Resources: <Resources (such as files/directories/BHO) that were scanned.>
        +
        User: <Domain>\<User>
        +
        +

        +
        Event ID: 1001 +

        Symbolic name:

        +
        +

        MALWAREPROTECTION_SCAN_COMPLETED

        +
        +

        Message:

        +
        +

        An antimalware scan finished.

        +
        +

        Description:

        +
        +

        +

        +
        Scan ID: <ID number of the relevant scan.>
        +
        Scan Type: <Scan type>, for example:
          +
        • Antivirus
        • +
        • Antispyware
        • +
        • Antimalware
        • +
        +
        +
        Scan Parameters: <Scan parameters>, for example:
          +
        • Full scan
        • +
        • Quick scan
        • +
        • Customer scan
        • +
        +
        +
        User: <Domain>\<User>
        +
        Scan Time: <The duration of a scan.>
        +
        +

        +
        Event ID: 1002 +

        Symbolic name:

        +
        +

        MALWAREPROTECTION_SCAN_CANCELLED +

        +
        +

        Message:

        +
        +

        An antimalware scan was stopped before it finished. +

        +
        +

        Description:

        +
        +

        +

        +
        Scan ID: <ID number of the relevant scan.>
        +
        Scan Type: <Scan type>, for example:
          +
        • Antivirus
        • +
        • Antispyware
        • +
        • Antimalware
        • +
        +
        +
        Scan Parameters: <Scan parameters>, for example:
          +
        • Full scan
        • +
        • Quick scan
        • +
        • Customer scan
        • +
        +
        +
        User: <Domain>\<User>
        +
        Scan Time: <The duration of a scan.>
        +
        +

        +
        Event ID: 1003 +

        Symbolic name:

        +
        +

        MALWAREPROTECTION_SCAN_PAUSED +

        +
        +

        Message:

        +
        +

        An antimalware scan was paused. +

        +
        +

        Description:

        +
        +

        +

        +
        Scan ID: <ID number of the relevant scan.>
        +
        Scan Type: <Scan type>, for example:
          +
        • Antivirus
        • +
        • Antispyware
        • +
        • Antimalware
        • +
        +
        +
        Scan Parameters: <Scan parameters>, for example:
          +
        • Full scan
        • +
        • Quick scan
        • +
        • Customer scan
        • +
        +
        +
        User: <Domain>\<User>
        +
        +

        +
        Event ID: 1004 +

        Symbolic name:

        +
        +

        MALWAREPROTECTION_SCAN_RESUMED +

        +
        +

        Message:

        +
        +

        An antimalware scan was resumed. +

        +
        +

        Description:

        +
        +

        +

        +
        Scan ID: <ID number of the relevant scan.>
        +
        Scan Type: <Scan type>, for example:
          +
        • Antivirus
        • +
        • Antispyware
        • +
        • Antimalware
        • +
        +
        +
        Scan Parameters: <Scan parameters>, for example:
          +
        • Full scan
        • +
        • Quick scan
        • +
        • Customer scan
        • +
        +
        +
        User: <Domain>\<User>
        +
        +

        +
        Event ID: 1005 +

        Symbolic name:

        +
        +

        MALWAREPROTECTION_SCAN_FAILED +

        +
        +

        Message:

        +
        +

        An antimalware scan failed. +

        +
        +

        Description:

        +
        +

        +

        +
        Scan ID: <ID number of the relevant scan.>
        +
        Scan Type: <Scan type>, for example:
          +
        • Antivirus
        • +
        • Antispyware
        • +
        • Antimalware
        • +
        +
        +
        Scan Parameters: <Scan parameters>, for example:
          +
        • Full scan
        • +
        • Quick scan
        • +
        • Customer scan
        • +
        +
        +
        User: <Domain>\<User>
        +
        Error Code: <Error code> +Result code associated with threat status. Standard HRESULT values.
        +
        Error Description: <Error description> +Description of the error.
        +
        +

        +
        +

        User action:

        +
        +

        The Windows Defender client encountered an error, and the current scan has stopped. The scan might fail due to a client-side issue. This event record includes the scan ID, type of scan (antivirus, antispyware, antimalware), scan parameters, the user that started the scan, the error code, and a description of the error. +

        +

        To troubleshoot this event: +

          +
        1. Run the scan again.
        2. +
        3. If it fails in the same way, go to the Microsoft Support site, enter the error number in the Search box to look for the error code.
        4. +
        5. Contact Microsoft Technical Support. +
        6. +
        +

        +
        Event ID: 1006 +

        Symbolic name:

        +
        +

        MALWAREPROTECTION_MALWARE_DETECTED +

        +
        +

        Message:

        +
        +

        The antimalware engine found malware or other potentially unwanted software. +

        +
        +

        Description:

        +
        +

        +

        For more information please see the following:

        +
        +
        Name: <Threat name>
        +
        ID: <Threat ID>
        +
        Severity: <Severity>, for example:
          +
        • Low
        • +
        • Moderate
        • +
        • High
        • +
        • Severe
        • +
        +
        +
        Category: <Category description>, for example, any threat or malware type.
        +
        Path: <File path>
        +
        Detection Origin: <Detection origin>, for example:
          +
        • Unknown
        • +
        • Local computer
        • +
        • Network share
        • +
        • Internet
        • +
        • Incoming traffic
        • +
        • Outgoing traffic
        • +
        +
        +
        Detection Type: <Detection type>, for example:
          +
        • Heuristics
        • +
        • Generic
        • +
        • Concrete
        • +
        • Dynamic signature
        • +
        +
        +
        Detection Source: <Detection source> for example:
          +
        • User: user initiated
        • +
        • System: system initiated
        • +
        • Real-time: real-time component initiated
        • +
        • IOAV: IE Downloads and Outlook Express Attachments initiated
        • +
        • NIS: Network inspection system
        • +
        • IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls
        • +
        • Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence
        • +
        • Remote attestation
        • +
        Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well. +UAC
        +
        Status: <Status>
        +
        User: <Domain>\<User>
        +
        Process Name: <Process in the PID>
        +
        Signature Version: <Definition version>
        +
        Engine Version: <Antimalware Engine version>
        +
        +

        +
        Event ID: 1007 +

        Symbolic name:

        +
        +

        MALWAREPROTECTION_MALWARE_ACTION_TAKEN +

        +
        +

        Message:

        +
        +

        The antimalware platform performed an action to protect your system from malware or other potentially unwanted software. +

        +
        +

        Description:

        +
        +

        +

        Windows Defender has taken action to protect this machine from malware or other potentially unwanted software. For more information please see the following:

        +
        +
        User: <Domain>\<User>
        +
        Name: <Threat name>
        +
        ID: <Threat ID>
        +
        Severity: <Severity>, for example:
          +
        • Low
        • +
        • Moderate
        • +
        • High
        • +
        • Severe
        • +
        +
        +
        Category: <Category description>, for example, any threat or malware type.
        +
        Action: <Action>, for example:
          +
        • Clean: The resource was cleaned
        • +
        • Quarantine: The resource was quarantined
        • +
        • Remove: The resource was deleted
        • +
        • Allow: The resource was allowed to execute/exist
        • +
        • User defined: User defined action which is normally one from this list of actions that the user has specified
        • +
        • No action: No action
        • +
        • Block: The resource was blocked from executing
        • +
        +
        +
        Status: <Status>
        +
        Signature Version: <Definition version>
        +
        Engine Version: <Antimalware Engine version>
        +
        +

        +
        Event ID: 1008 +

        Symbolic name:

        +
        +

        MALWAREPROTECTION_MALWARE_ACTION_FAILED

        +
        +

        Message:

        +
        +

        The antimalware platform attempted to perform an action to protect your system from malware or other potentially unwanted software, but the action failed.

        +
        +

        Description:

        +
        +

        +

        Windows Defender has encountered an error when taking action on malware or other potentially unwanted software. For more information please see the following:

        +
        +
        User: <Domain>\<User>
        +
        Name: <Threat name>
        +
        ID: <Threat ID>
        +
        Severity: <Severity>, for example:
          +
        • Low
        • +
        • Moderate
        • +
        • High
        • +
        • Severe
        • +
        +
        +
        Category: <Category description>, for example, any threat or malware type.
        +
        Path: <File path>
        +
        Action: <Action>, for example:
          +
        • Clean: The resource was cleaned
        • +
        • Quarantine: The resource was quarantined
        • +
        • Remove: The resource was deleted
        • +
        • Allow: The resource was allowed to execute/exist
        • +
        • User defined: User defined action which is normally one from this list of actions that the user has specified
        • +
        • No action: No action
        • +
        • Block: The resource was blocked from executing
        • +
        +
        +
        Error Code: <Error code> +Result code associated with threat status. Standard HRESULT values.
        +
        Error Description: <Error description> +Description of the error.
        +
        Status: <Status>
        +
        Signature Version: <Definition version>
        +
        Engine Version: <Antimalware Engine version>
        +
        +

        +
        Event ID: 1009 +

        Symbolic name:

        +
        +

        MALWAREPROTECTION_QUARANTINE_RESTORE +

        +
        +

        Message:

        +
        +

        The antimalware platform restored an item from quarantine. +

        +
        +

        Description:

        +
        +

        +

        Windows Defender has restored an item from quarantine. For more information please see the following:

        +
        +
        Name: <Threat name>
        +
        ID: <Threat ID>
        +
        Severity: <Severity>, for example:
          +
        • Low
        • +
        • Moderate
        • +
        • High
        • +
        • Severe
        • +
        +
        +
        Category: <Category description>, for example, any threat or malware type.
        +
        Path: <File path>
        +
        User: <Domain>\<User>
        +
        Signature Version: <Definition version>
        +
        Engine Version: <Antimalware Engine version>
        +
        +

        +
        Event ID: 1010 +

        Symbolic name:

        +
        +

        MALWAREPROTECTION_QUARANTINE_RESTORE_FAILED +

        +
        +

        Message:

        +
        +

        The antimalware platform could not restore an item from quarantine. +

        +
        +

        Description:

        +
        +

        +

        Windows Defender has encountered an error trying to restore an item from quarantine. For more information please see the following:

        +
        +
        Name: <Threat name>
        +
        ID: <Threat ID>
        +
        Severity: <Severity>, for example:
          +
        • Low
        • +
        • Moderate
        • +
        • High
        • +
        • Severe
        • +
        +
        +
        Category: <Category description>, for example, any threat or malware type.
        +
        Path: <File path>
        +
        User: <Domain>\<User>
        +
        Error Code: <Error code> +Result code associated with threat status. Standard HRESULT values.
        +
        Error Description: <Error description> +Description of the error.
        +
        Signature Version: <Definition version>
        +
        Engine Version: <Antimalware Engine version>
        +
        +

        +
        Event ID: 1011 +

        Symbolic name:

        +
        +

        MALWAREPROTECTION_QUARANTINE_DELETE

        +
        +

        Message:

        +
        +

        The antimalware platform deleted an item from quarantine. +

        +
        +

        Description:

        +
        +

        +

        Windows Defender has deleted an item from quarantine. +For more information please see the following:

        +
        +
        Name: <Threat name>
        +
        ID: <Threat ID>
        +
        Severity: <Severity>, for example:
          +
        • Low
        • +
        • Moderate
        • +
        • High
        • +
        • Severe
        • +
        +
        +
        Category: <Category description>, for example, any threat or malware type.
        +
        Path: <File path>
        +
        User: <Domain>\<User>
        +
        Signature Version: <Definition version>
        +
        Engine Version: <Antimalware Engine version>
        +
        +

        +
        Event ID: 1012 +

        Symbolic name:

        +
        +

        MALWAREPROTECTION_QUARANTINE_DELETE_FAILED +

        +
        +

        Message:

        +
        +

        The antimalware platform could not delete an item from quarantine.

        +
        +

        Description:

        +
        +

        +

        Windows Defender has encountered an error trying to delete an item from quarantine. +For more information please see the following:

        +
        +
        Name: <Threat name>
        +
        ID: <Threat ID>
        +
        Severity: <Severity>, for example:
          +
        • Low
        • +
        • Moderate
        • +
        • High
        • +
        • Severe
        • +
        +
        +
        Category: <Category description>, for example, any threat or malware type.
        +
        Path: <File path>
        +
        User: <Domain>\<User>
        +
        Error Code: <Error code> +Result code associated with threat status. Standard HRESULT values.
        +
        Error Description: <Error description> +Description of the error.
        +
        Signature Version: <Definition version>
        +
        Engine Version: <Antimalware Engine version>
        +
        +

        +
        Event ID: 1013 +

        Symbolic name:

        +
        +

        MALWAREPROTECTION_MALWARE_HISTORY_DELETE +

        +
        +

        Message:

        +
        +

        The antimalware platform deleted history of malware and other potentially unwanted software.

        +
        +

        Description:

        +
        +

        +

        Windows Defender has removed history of malware and other potentially unwanted software.

        +
        +
        Time: The time when the event occurred, for example when the history is purged. Note that this parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.
        +
        User: <Domain>\<User>
        +
        +

        +
        Event ID: 1014 +

        Symbolic name:

        +
        +

        MALWAREPROTECTION_MALWARE_HISTORY_DELETE_FAILED +

        +
        +

        Message:

        +
        +

        The antimalware platform could not delete history of malware and other potentially unwanted software.

        +
        +

        Description:

        +
        +

        +

        Windows Defender has encountered an error trying to remove history of malware and other potentially unwanted software.

        +
        +
        Time: The time when the event occurred, for example when the history is purged. Note that this parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.
        +
        User: <Domain>\<User>
        +
        Error Code: <Error code> +Result code associated with threat status. Standard HRESULT values.
        +
        Error Description: <Error description> +Description of the error.
        +
        +

        +
        Event ID: 1015 +

        Symbolic name:

        +
        +

        MALWAREPROTECTION_BEHAVIOR_DETECTED +

        +
        +

        Message:

        +
        +

        The antimalware platform detected suspicious behavior.

        +
        +

        Description:

        +
        +

        +

        Windows Defender has detected a suspicious behavior. +For more information please see the following:

        +
        +
        Name: <Threat name>
        +
        ID: <Threat ID>
        +
        Severity: <Severity>, for example:
          +
        • Low
        • +
        • Moderate
        • +
        • High
        • +
        • Severe
        • +
        +
        +
        Category: <Category description>, for example, any threat or malware type.
        +
        Path: <File path>
        +
        Detection Origin: <Detection origin>, for example: +
          +
        • Unknown
        • +
        • Local computer
        • +
        • Network share
        • +
        • Internet
        • +
        • Incoming traffic
        • +
        • Outgoing traffic
        • +
        +
        +
        Detection Type: <Detection type>, for example:
          +
        • Heuristics
        • +
        • Generic
        • +
        • Concrete
        • +
        • Dynamic signature
        • +
        +
        +
        Detection Source: <Detection source> for example:
          +
        • User: user initiated
        • +
        • System: system initiated
        • +
        • Real-time: real-time component initiated
        • +
        • IOAV: IE Downloads and Outlook Express Attachments initiated
        • +
        • NIS: Network inspection system
        • +
        • IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls
        • +
        • Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence
        • +
        • Remote attestation
        • +
        Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well. +UAC
        +
        Status: <Status>
        +
        User: <Domain>\<User>
        +
        Process Name: <Process in the PID>
        +
        Signature ID: Enumeration matching severity.
        +
        Signature Version: <Definition version>
        +
        Engine Version: <Antimalware Engine version>
        +
        Fidelity Label:
        +
        Target File Name: <File name> +Name of the file.
        +
        +

        +
        Event ID: 1116 +

        Symbolic name:

        +
        +

        MALWAREPROTECTION_STATE_MALWARE_DETECTED

        +
        +

        Message:

        +
        +

        The antimalware platform detected malware or other potentially unwanted software. +

        +
        +

        Description:

        +
        +

        +

        Windows Defender has detected malware or other potentially unwanted software. +For more information please see the following:

        +
        +
        Name: <Threat name>
        +
        ID: <Threat ID>
        +
        Severity: <Severity>, for example:
          +
        • Low
        • +
        • Moderate
        • +
        • High
        • +
        • Severe
        • +
        +
        +
        Category: <Category description>, for example, any threat or malware type.
        +
        Path: <File path>
        +
        Detection Origin: <Detection origin>, for example: +
          +
        • Unknown
        • +
        • Local computer
        • +
        • Network share
        • +
        • Internet
        • +
        • Incoming traffic
        • +
        • Outgoing traffic
        • +
        +
        +
        Detection Type: <Detection type>, for example:
          +
        • Heuristics
        • +
        • Generic
        • +
        • Concrete
        • +
        • Dynamic signature
        • +
        +
        +
        Detection Source: <Detection source> for example:
          +
        • User: user initiated
        • +
        • System: system initiated
        • +
        • Real-time: real-time component initiated
        • +
        • IOAV: IE Downloads and Outlook Express Attachments initiated
        • +
        • NIS: Network inspection system
        • +
        • IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls
        • +
        • Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence
        • +
        • Remote attestation
        • +
        Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well. +UAC
        +
        User: <Domain>\<User>
        +
        Process Name: <Process in the PID>
        +
        Signature Version: <Definition version>
        +
        Engine Version: <Antimalware Engine version>
        +
        +

        +
        +

        User action:

        +
        +

        No action is required. Windows Defender can suspend and take routine action on this threat. If you want to remove the threat manually, in the Windows Defender interface, click Clean Computer.

        +
        Event ID: 1117 +

        Symbolic name:

        +
        +

        MALWAREPROTECTION_STATE_MALWARE_ACTION_TAKEN +

        +
        +

        Message:

        +
        +

        The antimalware platform performed an action to protect your system from malware or other potentially unwanted software. +

        +
        +

        Description:

        +
        +

        +

        Windows Defender has taken action to protect this machine from malware or other potentially unwanted software. +For more information please see the following:

        +
        +
        Name: <Threat name>
        +
        ID: <Threat ID>
        +
        Severity: <Severity>, for example:
          +
        • Low
        • +
        • Moderate
        • +
        • High
        • +
        • Severe
        • +
        +
        +
        Category: <Category description>, for example, any threat or malware type.
        +
        Path: <File path>
        +
        Detection Origin: <Detection origin>, for example: +
          +
        • Unknown
        • +
        • Local computer
        • +
        • Network share
        • +
        • Internet
        • +
        • Incoming traffic
        • +
        • Outgoing traffic
        • +
        +
        +
        Detection Type: <Detection type>, for example:
          +
        • Heuristics
        • +
        • Generic
        • +
        • Concrete
        • +
        • Dynamic signature
        • +
        +
        +
        Detection Source: <Detection source> for example:
          +
        • User: user initiated
        • +
        • System: system initiated
        • +
        • Real-time: real-time component initiated
        • +
        • IOAV: IE Downloads and Outlook Express Attachments initiated
        • +
        • NIS: Network inspection system
        • +
        • IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls
        • +
        • Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence
        • +
        • Remote attestation
        • +
        Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well. +UAC
        +
        User: <Domain>\<User>
        +
        Process Name: <Process in the PID>
        +
        Action: <Action>, for example:
          +
        • Clean: The resource was cleaned
        • +
        • Quarantine: The resource was quarantined
        • +
        • Remove: The resource was deleted
        • +
        • Allow: The resource was allowed to execute/exist
        • +
        • User defined: User defined action which is normally one from this list of actions that the user has specified
        • +
        • No action: No action
        • +
        • Block: The resource was blocked from executing
        • +
        +
        +
        Action Status: <Description of additional actions>
        +
        Error Code: <Error code> +Result code associated with threat status. Standard HRESULT values.
        +
        Error Description: <Error description> +Description of the error.
        +
        Signature Version: <Definition version>
        +
        Engine Version: <Antimalware Engine version>
        +

        NOTE: +

        Whenever Windows Defender, Microsoft Security Essentials, Malicious Software Removal Tool, or System Center Endpoint Protection detects a malware, it will restore the following system settings and services which the malware might have changed:

          +
        • Default Internet Explorer or Edge setting
        • +
        • User Access Control settings
        • +
        • Chrome settings
        • +
        • Boot Control Data
        • +
        • Regedit and Task Manager registry settings
        • +
        • Windows Update, Background Intelligent Transfer Service, and Remote Procedure Call service
        • +
        • Windows Operating System files
        +The above context applies to the following client and server versions: + + + + + + + + + + + + + +
        Operating systemOperating system version
        +

        Client Operating System

        +
        +

        Windows Vista (Service Pack 1, or Service Pack 2), Windows 7 and later

        +
        +

        Server Operating System

        +
        +

        Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2016

        +
        +

        +
        +
        +

        User action:

        +
        +

        No action is necessary. Windows Defender removed or quarantined a threat.

        +
        Event ID: 1118 +

        Symbolic name:

        +
        +

        MALWAREPROTECTION_STATE_MALWARE_ACTION_FAILED

        +
        +

        Message:

        +
        +

        The antimalware platform attempted to perform an action to protect your system from malware or other potentially unwanted software, but the action failed. +

        +
        +

        Description:

        +
        +

        +

        Windows Defender has encountered a non-critical error when taking action on malware or other potentially unwanted software. +For more information please see the following:

        +
        +
        Name: <Threat name>
        +
        ID: <Threat ID>
        +
        Severity: <Severity>, for example:
          +
        • Low
        • +
        • Moderate
        • +
        • High
        • +
        • Severe
        • +
        +
        +
        Category: <Category description>, for example, any threat or malware type.
        +
        Path: <File path>
        +
        Detection Origin: <Detection origin>, for example: +
          +
        • Unknown
        • +
        • Local computer
        • +
        • Network share
        • +
        • Internet
        • +
        • Incoming traffic
        • +
        • Outgoing traffic
        • +
        +
        +
        Detection Type: <Detection type>, for example:
          +
        • Heuristics
        • +
        • Generic
        • +
        • Concrete
        • +
        • Dynamic signature
        • +
        +
        +
        Detection Source: <Detection source> for example:
          +
        • User: user initiated
        • +
        • System: system initiated
        • +
        • Real-time: real-time component initiated
        • +
        • IOAV: IE Downloads and Outlook Express Attachments initiated
        • +
        • NIS: Network inspection system
        • +
        • IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls
        • +
        • Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence
        • +
        • Remote attestation
        • +
        Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well. +UAC
        +
        User: <Domain>\<User>
        +
        Process Name: <Process in the PID>
        +
        Action: <Action>, for example:
          +
        • Clean: The resource was cleaned
        • +
        • Quarantine: The resource was quarantined
        • +
        • Remove: The resource was deleted
        • +
        • Allow: The resource was allowed to execute/exist
        • +
        • User defined: User defined action which is normally one from this list of actions that the user has specified
        • +
        • No action: No action
        • +
        • Block: The resource was blocked from executing
        • +
        +
        +
        Action Status: <Description of additional actions>
        +
        Error Code: <Error code> +Result code associated with threat status. Standard HRESULT values.
        +
        Error Description: <Error description> +Description of the error.
        +
        Signature Version: <Definition version>
        +
        Engine Version: <Antimalware Engine version>
        +
        +

        +
        +

        User action:

        +
        +

        No action is necessary. Windows Defender failed to complete a task related to the malware remediation. This is not a critical failure.

        +
        Event ID: 1119 +

        Symbolic name:

        +
        +

        MALWAREPROTECTION_STATE_MALWARE_ACTION_CRITICALLY_FAILED +

        +
        +

        Message:

        +
        +

        The antimalware platform encountered a critical error when trying to take action on malware or other potentially unwanted software. There are more details in the event message.

        +
        +

        Description:

        +
        +

        +

        Windows Defender has encountered a critical error when taking action on malware or other potentially unwanted software. +For more information please see the following:

        +
        +
        Name: <Threat name>
        +
        ID: <Threat ID>
        +
        Severity: <Severity>, for example:
          +
        • Low
        • +
        • Moderate
        • +
        • High
        • +
        • Severe
        • +
        +
        +
        Category: <Category description>, for example, any threat or malware type.
        +
        Path: <File path>
        +
        Detection Origin: <Detection origin>, for example: +
          +
        • Unknown
        • +
        • Local computer
        • +
        • Network share
        • +
        • Internet
        • +
        • Incoming traffic
        • +
        • Outgoing traffic
        • +
        +
        +
        Detection Type: <Detection type>, for example:
          +
        • Heuristics
        • +
        • Generic
        • +
        • Concrete
        • +
        • Dynamic signature
        • +
        +
        +
        Detection Source: <Detection source> for example:
          +
        • User: user initiated
        • +
        • System: system initiated
        • +
        • Real-time: real-time component initiated
        • +
        • IOAV: IE Downloads and Outlook Express Attachments initiated
        • +
        • NIS: Network inspection system
        • +
        • IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls
        • +
        • Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence
        • +
        • Remote attestation
        • +
        Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well. +UAC
        +
        User: <Domain>\<User>
        +
        Process Name: <Process in the PID>
        +
        Action: <Action>, for example:
          +
        • Clean: The resource was cleaned
        • +
        • Quarantine: The resource was quarantined
        • +
        • Remove: The resource was deleted
        • +
        • Allow: The resource was allowed to execute/exist
        • +
        • User defined: User defined action which is normally one from this list of actions that the user has specified
        • +
        • No action: No action
        • +
        • Block: The resource was blocked from executing
        • +
        +
        +
        Action Status: <Description of additional actions>
        +
        Error Code: <Error code> +Result code associated with threat status. Standard HRESULT values.
        +
        Error Description: <Error description> +Description of the error.
        +
        Signature Version: <Definition version>
        +
        Engine Version: <Antimalware Engine version>
        +
        +

        +
        +

        User action:

        +
        +

        The Windows Defender client encountered this error due to critical issues. The endpoint might not be protected. Review the error description then follow the relevant User action steps below.

        + + + + + + + + + + + + + + + + + + + + + +
        ActionUser action
        +

        Remove

        +
        +

        Update the definitions then verify that the removal was successful.

        +
        +

        Clean

        +
        +

        Update the definitions then verify that the remediation was successful.

        +
        +

        Quarantine

        +
        +

        Update the definitions and verify that the user has permission to access the necessary resources.

        +
        +

        Allow

        +
        +

        Verify that the user has permission to access the necessary resources.

        +
        +

        +

        If this event persists:

          +
        1. Run the scan again.
        2. +
        3. If it fails in the same way, go to the Microsoft Support site, enter the error number in the Search box to look for the error code.
        4. +
        5. Contact Microsoft Technical Support. +
        6. +
        +

        +
        Event ID: 1120 +

        Symbolic name:

        +
        +

        MALWAREPROTECTION_THREAT_HASH

        +
        +

        Message:

        +
        +

        Windows Defender has deduced the hashes for a threat resource.

        +
        +

        Description:

        +
        +

        +

        Windows Defender client is up and running in a healthy state.

        +
        +
        Current Platform Version: <Current platform version>
        +
        Threat Resource Path: <Path>
        +
        Hashes: <Hashes>
        +
        +

        +
        +
        Note This event will only be logged if the following policy is set: ThreatFileHashLogging unsigned.
        +
        +
        Event ID: 1150 +

        Symbolic name:

        +
        +

        MALWAREPROTECTION_SERVICE_HEALTHY

        +
        +

        Message:

        +
        +

        If your antimalware platform reports status to a monitoring platform, this event indicates that the antimalware platform is running and in a healthy state. +

        +
        +

        Description:

        +
        +

        +

        Windows Defender client is up and running in a healthy state.

        +
        +
        Platform Version: <Current platform version>
        +
        Signature Version: <Definition version>
        +
        Engine Version: <Antimalware Engine version>
        +
        +

        +
        +

        User action:

        +
        +

        No action is necessary. The Windows Defenderclient is in a healthy state. This event is reported on an hourly basis.

        +
        Event ID: 2000 +

        Symbolic name:

        +
        +

        MALWAREPROTECTION_SIGNATURE_UPDATED +

        +
        +

        Message:

        +
        +

        The antimalware definitions updated successfully. +

        +
        +

        Description:

        +
        +

        +

        Windows Defender signature version has been updated.

        +
        +
        Current Signature Version: <Current signature version>
        +
        Previous Signature Version: <Previous signature version>
        +
        Signature Type: <Signature type>, for example:
          +
        • Antivirus
        • +
        • Antispyware
        • +
        • Antimalware
        • +
        • Network Inspection System
        • +
        +
        +
        Update Type: <Update type>, either Full or Delta.
        +
        User: <Domain>\<User>
        +
        Current Engine Version: <Current engine version>
        +
        Previous Engine Version: <Previous engine version>
        +
        +

        +
        +

        User action:

        +
        +

        No action is necessary. The Windows Defender client is in a healthy state. This event is reported when signatures are successfully updated.

        +
        Event ID: 2001 +

        Symbolic name:

        +
        +

        MALWAREPROTECTION_SIGNATURE_UPDATE_FAILED

        +
        +

        Message:

        +
        +

        The antimalware definition update failed. +

        +
        +

        Description:

        +
        +

        +

        Windows Defender has encountered an error trying to update signatures.

        +
        +
        New Signature Version: <New version number>
        +
        Previous Signature Version: <Previous signature version>
        +
        Update Source: <Update source>, for example: +
          +
        • Signature update folder
        • +
        • Internal definition update server
        • +
        • Microsoft Update Server
        • +
        • File share
        • +
        • Microsoft Malware Protection Center (MMPC)
        • +
        +
        +
        Update Stage: <Update stage>, for example: +
          +
        • Search
        • +
        • Download
        • +
        • Install
        • +
        +
        +
        Source Path: File share name for Universal Naming Convention (UNC), server name for Windows Server Update Services (WSUS)/Microsoft Update/ADL.
        +
        Signature Type: <Signature type>, for example:
          +
        • Antivirus
        • +
        • Antispyware
        • +
        • Antimalware
        • +
        • Network Inspection System
        • +
        +
        +
        Update Type: <Update type>, either Full or Delta.
        +
        User: <Domain>\<User>
        +
        Current Engine Version: <Current engine version>
        +
        Previous Engine Version: <Previous engine version>
        +
        Error Code: <Error code> +Result code associated with threat status. Standard HRESULT values.
        +
        Error Description: <Error description> +Description of the error.
        +
        +

        +
        +

        User action:

        +
        +

        This error occurs when there is a problem updating definitions.

        +

        To troubleshoot this event: +

          +
        1. Update the definitions. Either:
            +
          1. Click the Update definitions button on the Update tab in Windows Defender. Update definitions in Windows Defender

            Or,

            +
          2. +
          3. Download the latest definitions from the Microsoft Malware Protection Center. +

            Note: The size of the definitions file downloaded from the Microsoft Malware Protection Center can exceed 60 MB and should not be used as a long-term solution for updating definitions.

            +
          4. +
          +
        2. +
        3. Review the entries in the %Windir%\WindowsUpdate.log file for more information about this error.
        4. +
        5. Contact Microsoft Technical Support. +
        6. +
        +

        +
        Event ID: 2002 +

        Symbolic name:

        +
        +

        MALWAREPROTECTION_ENGINE_UPDATED

        +
        +

        Message:

        +
        +

        The antimalware engine updated successfully. +

        +
        +

        Description:

        +
        +

        +

        Windows Defender engine version has been updated.

        +
        +
        Current Engine Version: <Current engine version>
        +
        Previous Engine Version: <Previous engine version>
        +
        Engine Type: <Engine type>, either antimalware engine or Network Inspection System engine.
        +
        User: <Domain>\<User>
        +
        +

        +
        +

        User action:

        +
        +

        No action is necessary. The Windows Defender client is in a healthy state. This event is reported when the antimalware engine is successfully updated.

        +
        Event ID: 2003 +

        Symbolic name:

        +
        +

        MALWAREPROTECTION_ENGINE_UPDATE_FAILED

        +
        +

        Message:

        +
        +

        The antimalware engine update failed. +

        +
        +

        Description:

        +
        +

        +

        Windows Defender has encountered an error trying to update the engine.

        +
        +
        New Engine Version:
        +
        Previous Engine Version: <Previous engine version>
        +
        Engine Type: <Engine type>, either antimalware engine or Network Inspection System engine.
        +
        User: <Domain>\<User>
        +
        Error Code: <Error code> +Result code associated with threat status. Standard HRESULT values.
        +
        Error Description: <Error description> +Description of the error.
        +
        +

        +
        +

        User action:

        +
        +

        The Windows Defender client update failed. This event occurs when the client fails to update itself. This event is usually due to an interruption in network connectivity during an update.

        +

        To troubleshoot this event: +

          +
        1. Update the definitions. Either:
            +
          1. Click the Update definitions button on the Update tab in Windows Defender. Update definitions in Windows Defender

            Or,

            +
          2. +
          3. Download the latest definitions from the Microsoft Malware Protection Center. +

            Note: The size of the definitions file downloaded from the Microsoft Malware Protection Center can exceed 60 MB and should not be used as a long-term solution for updating definitions.

            +
          4. +
          +
        2. +
        3. Contact Microsoft Technical Support. +
        4. +
        +

        +
        Event ID: 2004 +

        Symbolic name:

        +
        +

        MALWAREPROTECTION_SIGNATURE_REVERSION

        +
        +

        Message:

        +
        +

        There was a problem loading antimalware definitions. The antimalware engine will attempt to load the last-known good set of definitions.

        +
        +

        Description:

        +
        +

        +

        Windows Defender has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures.

        +
        +
        Signatures Attempted:
        +
        Error Code: <Error code> +Result code associated with threat status. Standard HRESULT values.
        +
        Error Description: <Error description> +Description of the error.
        +
        Signature Version: <Definition version>
        +
        Engine Version: <Antimalware engine version>
        +
        +

        +
        +

        User action:

        +
        +

        The Windows Defender client attempted to download and install the latest definitions file and failed. This error can occur when the client encounters an error while trying to load the definitions, or if the file is corrupt. Windows Defender will attempt to revert back to a known-good set of definitions.

        +

        To troubleshoot this event: +

          +
        1. Restart the computer and try again.
        2. +
        3. Download the latest definitions from the Microsoft Malware Protection Center. +

          Note: The size of the definitions file downloaded from the Microsoft Malware Protection Center can exceed 60 MB and should not be used as a long-term solution for updating definitions.

          +
        4. +
        5. Contact Microsoft Technical Support. +
        6. +
        +

        +
        Event ID: 2005 +

        Symbolic name:

        +
        +

        MALWAREPROTECTION_ENGINE_UPDATE_PLATFORMOUTOFDATE

        +
        +

        Message:

        +
        +

        The antimalware engine failed to load because the antimalware platform is out of date. The antimalware platform will load the last-known good antimalware engine and attempt to update.

        +
        +

        Description:

        +
        +

        +

        Windows Defender could not load antimalware engine because current platform version is not supported. Windows Defender will revert back to the last known-good engine and a platform update will be attempted.

        +
        +
        Current Platform Version: <Current platform version>
        +
        +

        +
        Event ID: 2006 +

        Symbolic name:

        +
        +

        MALWAREPROTECTION_PLATFORM_UPDATE_FAILED +

        +
        +

        Message:

        +
        +

        The platform update failed. +

        +
        +

        Description:

        +
        +

        +

        Windows Defender has encountered an error trying to update the platform.

        +
        +
        Current Platform Version: <Current platform version>
        +
        Error Code: <Error code> +Result code associated with threat status. Standard HRESULT values.
        +
        Error Description: <Error description> +Description of the error.
        +
        +

        +
        Event ID: 2007 +

        Symbolic name:

        +
        +

        MALWAREPROTECTION_PLATFORM_ALMOSTOUTOFDATE

        +
        +

        Message:

        +
        +

        The platform will soon be out of date. Download the latest platform to maintain up-to-date protection.

        +
        +

        Description:

        +
        +

        +

        Windows Defender will soon require a newer platform version to support future versions of the antimalware engine. Download the latest Windows Defender platform to maintain the best level of protection available.

        +
        +
        Current Platform Version: <Current platform version>
        +
        +

        +
        Event ID: 2010 +

        Symbolic name:

        +
        +

        MALWAREPROTECTION_SIGNATURE_FASTPATH_UPDATED +

        +
        +

        Message:

        +
        +

        The antimalware engine used the Dynamic Signature Service to get additional definitions. +

        +
        +

        Description:

        +
        +

        +

        Windows Defender used Dynamic Signature Service to retrieve additional signatures to help protect your machine.

        +
        +
        Current Signature Version: <Current signature version>
        +
        Signature Type: <Signature type>, for example:
          +
        • Antivirus
        • +
        • Antispyware
        • +
        • Antimalware
        • +
        • Network Inspection System
        • +
        +
        +
        Current Engine Version: <Current engine version>
        +
        Dynamic Signature Type: <Dynamic signature type>, for example: +
          +
        • Version
        • +
        • Timestamp
        • +
        • No limit
        • +
        • Duration
        • +
        +
        +
        Persistence Path: <Path>
        +
        Dynamic Signature Version: <Version number>
        +
        Dynamic Signature Compilation Timestamp: <Timestamp>
        +
        Persistence Limit Type: <Persistence limit type>, for example: +
          +
        • VDM version
        • +
        • Timestamp
        • +
        • No limit
        • +
        +
        +
        Persistence Limit: Persistence limit of the fastpath signature.
        +
        +

        +
        Event ID: 2011 +

        Symbolic name:

        +
        +

        MALWAREPROTECTION_SIGNATURE_FASTPATH_DELETED +

        +
        +

        Message:

        +
        +

        The Dynamic Signature Service deleted the out-of-date dynamic definitions. +

        +
        +

        Description:

        +
        +

        +

        Windows Defender used Dynamic Signature Service to discard obsolete signatures.

        +
        +
        Current Signature Version: <Current signature version>
        +
        Signature Type: <Signature type>, for example:
          +
        • Antivirus
        • +
        • Antispyware
        • +
        • Antimalware
        • +
        • Network Inspection System
        • +
        +
        +
        Current Engine Version: <Current engine version>
        +
        Dynamic Signature Type: <Dynamic signature type>, for example: +
          +
        • Version
        • +
        • Timestamp
        • +
        • No limit
        • +
        • Duration
        • +
        +
        +
        Persistence Path: <Path>
        +
        Dynamic Signature Version: <Version number>
        +
        Dynamic Signature Compilation Timestamp: <Timestamp>
        +
        Removal Reason:
        +
        Persistence Limit Type: <Persistence limit type>, for example: +
          +
        • VDM version
        • +
        • Timestamp
        • +
        • No limit
        • +
        +
        +
        Persistence Limit: Persistence limit of the fastpath signature.
        +
        +

        +
        +

        User action:

        +
        +

        No action is necessary. The Windows Defender client is in a healthy state. This event is reported when the Dynamic Signature Service successfully deletes out-of-date dynamic definitions.

        +
        Event ID: 2012 +

        Symbolic name:

        +
        +

        MALWAREPROTECTION_SIGNATURE_FASTPATH_UPDATE_FAILED +

        +
        +

        Message:

        +
        +

        The antimalware engine encountered an error when trying to use the Dynamic Signature Service. +

        +
        +

        Description:

        +
        +

        +

        Windows Defender has encountered an error trying to use Dynamic Signature Service.

        +
        +
        Current Signature Version: <Current signature version>
        +
        Signature Type: <Signature type>, for example:
          +
        • Antivirus
        • +
        • Antispyware
        • +
        • Antimalware
        • +
        • Network Inspection System
        • +
        +
        +
        Current Engine Version: <Current engine version>
        +
        Error Code: <Error code> +Result code associated with threat status. Standard HRESULT values.
        +
        Error Description: <Error description> +Description of the error.
        +
        Dynamic Signature Type: <Dynamic signature type>, for example: +
          +
        • Version
        • +
        • Timestamp
        • +
        • No limit
        • +
        • Duration
        • +
        +
        +
        Persistence Path: <Path>
        +
        Dynamic Signature Version: <Version number>
        +
        Dynamic Signature Compilation Timestamp: <Timestamp>
        +
        Persistence Limit Type: <Persistence limit type>, for example: +
          +
        • VDM version
        • +
        • Timestamp
        • +
        • No limit
        • +
        +
        +
        Persistence Limit: Persistence limit of the fastpath signature.
        +
        +

        +
        +

        User action:

        +
        +

        Check your Internet connectivity settings.

        +
        Event ID: 2013 +

        Symbolic name:

        +
        +

        MALWAREPROTECTION_SIGNATURE_FASTPATH_DELETED_ALL +

        +
        +

        Message:

        +
        +

        The Dynamic Signature Service deleted all dynamic definitions. +

        +
        +

        Description:

        +
        +

        +

        Windows Defender discarded all Dynamic Signature Service signatures.

        +
        +
        Current Signature Version: <Current signature version>
        +
        +

        +
        Event ID: 2020 +

        Symbolic name:

        +
        +

        MALWAREPROTECTION_CLOUD_CLEAN_RESTORE_FILE_DOWNLOADED +

        +
        +

        Message:

        +
        +

        The antimalware engine downloaded a clean file. +

        +
        +

        Description:

        +
        +

        +

        Windows Defender downloaded a clean file.

        +
        +
        Filename: <File name> +Name of the file.
        +
        Current Signature Version: <Current signature version>
        +
        Current Engine Version: <Current engine version>
        +
        +

        +
        Event ID: 2021 +

        Symbolic name:

        +
        +

        MALWAREPROTECTION_CLOUD_CLEAN_RESTORE_FILE_DOWNLOAD_FAILED

        +
        +

        Message:

        +
        +

        The antimalware engine failed to download a clean file. +

        +
        +

        Description:

        +
        +

        +

        Windows Defender has encountered an error trying to download a clean file.

        +
        +
        Filename: <File name> +Name of the file.
        +
        Current Signature Version: <Current signature version>
        +
        Current Engine Version: <Current engine version>
        +
        Error Code: <Error code> +Result code associated with threat status. Standard HRESULT values.
        +
        Error Description: <Error description> +Description of the error.
        +
        +

        +
        +

        User action:

        +
        +

        Check your Internet connectivity settings. +

        +

        The Windows Defender client encountered an error when using the Dynamic Signature Service to download the latest definitions to a specific threat. This error is likely caused by a network connectivity issue. +

        +
        Event ID: 2030 +

        Symbolic name:

        +
        +

        MALWAREPROTECTION_OFFLINE_SCAN_INSTALLED

        +
        +

        Message:

        +
        +

        The antimalware engine was downloaded and is configured to run offline on the next system restart.

        +
        +

        Description:

        +
        +

        Windows Defender downloaded and configured Windows Defender Offline to run on the next reboot.

        +
        Event ID: 2031 +

        Symbolic name:

        +
        +

        MALWAREPROTECTION_OFFLINE_SCAN_INSTALL_FAILED +

        +
        +

        Message:

        +
        +

        The antimalware engine was unable to download and configure an offline scan.

        +
        +

        Description:

        +
        +

        +

        Windows Defender has encountered an error trying to download and configure Windows Defender Offline.

        +
        +
        Error Code: <Error code> +Result code associated with threat status. Standard HRESULT values.
        +
        Error Description: <Error description> +Description of the error.
        +
        +

        +
        Event ID: 2040 +

        Symbolic name:

        +
        +

        MALWAREPROTECTION_OS_EXPIRING +

        +
        +

        Message:

        +
        +

        Antimalware support for this operating system version will soon end. +

        +
        +

        Description:

        +
        +

        The support for your operating system will expire shortly. Running Windows Defender on an out of support operating system is not an adequate solution to protect against threats.

        +
        Event ID: 2041 +

        Symbolic name:

        +
        +

        MALWAREPROTECTION_OS_EOL +

        +
        +

        Message:

        +
        +

        Antimalware support for this operating system has ended. You must upgrade the operating system for continued support. +

        +
        +

        Description:

        +
        +

        The support for your operating system has expired. Running Windows Defender on an out of support operating system is not an adequate solution to protect against threats.

        +
        Event ID: 2042 +

        Symbolic name:

        +
        +

        MALWAREPROTECTION_PROTECTION_EOL +

        +
        +

        Message:

        +
        +

        The antimalware engine no longer supports this operating system, and is no longer protecting your system from malware. +

        +
        +

        Description:

        +
        +

        The support for your operating system has expired. Windows Defender is no longer supported on your operating system, has stopped functioning, and is not protecting against malware threats.

        +
        Event ID: 3002 +

        Symbolic name:

        +
        +

        MALWAREPROTECTION_RTP_FEATURE_FAILURE +

        +
        +

        Message:

        +
        +

        Real-time protection encountered an error and failed.

        +
        +

        Description:

        +
        +

        +

        Windows Defender Real-Time Protection feature has encountered an error and failed.

        +
        +
        Feature: <Feature>, for example: +
          +
        • On Access
        • +
        • Internet Explorer downloads and Microsoft Outlook Express attachments
        • +
        • Behavior monitoring
        • +
        • Network Inspection System
        • +
        +
        +
        Error Code: <Error code> +Result code associated with threat status. Standard HRESULT values.
        +
        Error Description: <Error description> +Description of the error.
        +
        Reason: The reason Windows Defender real-time protection has restarted a feature.
        +
        +

        +
        +

        User action:

        +
        +

        You should restart the system then run a full scan because it’s possible the system was not protected for some time. +

        +

        The Windows Defender client’s real-time protection feature encountered an error because one of the services failed to start. +

        +

        If it is followed by a 3007 event ID, the failure was temporary and the antimalware client recovered from the failure. +

        +
        Event ID: 3007 +

        Symbolic name:

        +
        +

        MALWAREPROTECTION_RTP_FEATURE_RECOVERED

        +
        +

        Message:

        +
        +

        Real-time protection recovered from a failure. We recommend running a full system scan when you see this error. +

        +
        +

        Description:

        +
        +

        +

        Windows Defender Real-time Protection has restarted a feature. It is recommended that you run a full system scan to detect any items that may have been missed while this agent was down.

        +
        +
        Feature: <Feature>, for example: +
          +
        • On Access
        • +
        • IE downloads and Outlook Express attachments
        • +
        • Behavior monitoring
        • +
        • Network Inspection System
        • +
        +
        +
        Reason: The reason Windows Defender real-time protection has restarted a feature.
        +
        +

        +
        +

        User action:

        +
        +

        The real-time protection feature has restarted. If this event happens again, contact Microsoft Technical Support.

        +
        Event ID: 5000 +

        Symbolic name:

        +
        +

        MALWAREPROTECTION_RTP_ENABLED +

        +
        +

        Message:

        +
        +

        Real-time protection is enabled. +

        +
        +

        Description:

        +
        +

        Windows Defender Real-time Protection scanning for malware and other potentially unwanted software was enabled.

        +
        Event ID: 5001 +

        Symbolic name:

        +
        +

        MALWAREPROTECTION_RTP_DISABLED

        +
        +

        Message:

        +
        +

        Real-time protection is disabled. +

        +
        +

        Description:

        +
        +

        Windows Defender Real-time Protection scanning for malware and other potentially unwanted software was disabled.

        +
        Event ID: 5004 +

        Symbolic name:

        +
        +

        MALWAREPROTECTION_RTP_FEATURE_CONFIGURED +

        +
        +

        Message:

        +
        +

        The real-time protection configuration changed. +

        +
        +

        Description:

        +
        +

        +

        Windows Defender Real-time Protection feature configuration has changed.

        +
        +
        Feature: <Feature>, for example: +
          +
        • On Access
        • +
        • IE downloads and Outlook Express attachments
        • +
        • Behavior monitoring
        • +
        • Network Inspection System
        • +
        +
        +
        Configuration:
        +
        +

        +
        Event ID: 5007 +

        Symbolic name:

        +
        +

        MALWAREPROTECTION_CONFIG_CHANGED +

        +
        +

        Message:

        +
        +

        The antimalware platform configuration changed.

        +
        +

        Description:

        +
        +

        +

        Windows Defender Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.

        +
        +
        Old value: <Old value number> +Old Windows Defender configuration value.
        +
        New value: <New value number> +New Windows Defender configuration value.
        +
        +

        +
        Event ID: 5008 +

        Symbolic name:

        +
        +

        MALWAREPROTECTION_ENGINE_FAILURE

        +
        +

        Message:

        +
        +

        The antimalware engine encountered an error and failed.

        +
        +

        Description:

        +
        +

        +

        Windows Defender engine has been terminated due to an unexpected error.

        +
        +
        Failure Type: <Failure type>, for example: +Crash +or Hang
        +
        Exception Code: <Error code>
        +
        Resource: <Resource>
        +
        +

        +
        +

        User action:

        +
        +

        To troubleshoot this event:

          +
        1. Try to restart the service.
            +
          • For antimalware, antivirus and spyware, at an elevated command prompt, type net stop msmpsvc, and then type net start msmpsvc to restart the antimalware engine.
          • +
          • For the Network Inspection System, at an elevated command prompt, type net start nissrv, and then type net start nissrv to restart the Network Inspection System engine by using the NiSSRV.exe file. +
          • +
          +
        2. +
        3. If it fails in the same way, look up the error code by accessing the Microsoft Support Site and entering the error number in the Search box, and contact Microsoft Technical Support.
        4. +
        +

        +
        +

        User action:

        +
        +

        The Windows Defender client engine stopped due to an unexpected error.

        +

        To troubleshoot this event: +

          +
        1. Run the scan again.
        2. +
        3. If it fails in the same way, go to the Microsoft Support site, enter the error number in the Search box to look for the error code.
        4. +
        5. Contact Microsoft Technical Support. +
        6. +
        +

        +
        Event ID: 5009 +

        Symbolic name:

        +
        +

        MALWAREPROTECTION_ANTISPYWARE_ENABLED +

        +
        +

        Message:

        +
        +

        Scanning for malware and other potentially unwanted software is enabled. +

        +
        +

        Description:

        +
        +

        Windows Defender scanning for malware and other potentially unwanted software has been enabled.

        +
        Event ID: 5010 +

        Symbolic name:

        +
        +

        MALWAREPROTECTION_ANTISPYWARE_DISABLED +

        +
        +

        Message:

        +
        +

        Scanning for malware and other potentially unwanted software is disabled.

        +
        +

        Description:

        +
        +

        Windows Defender scanning for malware and other potentially unwanted software is disabled.

        +
        Event ID: 5011 +

        Symbolic name:

        +
        +

        MALWAREPROTECTION_ANTIVIRUS_ENABLED

        +
        +

        Message:

        +
        +

        Scanning for viruses is enabled.

        +
        +

        Description:

        +
        +

        Windows Defender scanning for viruses has been enabled.

        +
        Event ID: 5012 +

        Symbolic name:

        +
        +

        MALWAREPROTECTION_ANTIVIRUS_DISABLED +

        +
        +

        Message:

        +
        +

        Scanning for viruses is disabled. +

        +
        +

        Description:

        +
        +

        Windows Defender scanning for viruses is disabled.

        +
        Event ID: 5100 +

        Symbolic name:

        +
        +

        MALWAREPROTECTION_EXPIRATION_WARNING_STATE +

        +
        +

        Message:

        +
        +

        The antimalware platform will expire soon. +

        +
        +

        Description:

        +
        +

        +

        Windows Defender has entered a grace period and will soon expire. After expiration, this program will disable protection against viruses, spyware, and other potentially unwanted software.

        +
        +
        Expiration Reason: The reason Windows Defender will expire.
        +
        Expiration Date: The date Windows Defender will expire.
        +
        +

        +
        Event ID: 5101 +

        Symbolic name:

        +
        +

        MALWAREPROTECTION_DISABLED_EXPIRED_STATE +

        +
        +

        Message:

        +
        +

        The antimalware platform is expired. +

        +
        +

        Description::

        +
        +

        +

        Windows Defender grace period has expired. Protection against viruses, spyware, and other potentially unwanted software is disabled.

        +
        +
        Expiration Reason:
        +
        Expiration Date:
        +
        Error Code: <Error code> +Result code associated with threat status. Standard HRESULT values.
        +
        Error Description: <Error description> +Description of the error.
        +
        +

        +
        + + +## Windows Defender client error codes +If Windows Defender Antivirus experiences any issues it will usually give you an error code to help you troubleshoot the issue. Most often an error means there was a problem installing an update. +This section provides the following information about Windows Defender Antivirus client errors. +- The error code +- The possible reason for the error +- Advice on what to do now +Use the information in these tables to help troubleshoot Windows Defender Antivirus error codes. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
        External error codes
        Error codeMessage displayedPossible reason for errorWhat to do now
        +

        0x80508007 +

        +
        +

        ERR_MP_NO_MEMORY +

        +
        +

        This error indicates that you might have run out of memory. +

        +
        +

        +

          +
        1. Check the available memory on your device.
        2. +
        3. Close any unused applications that are running to free up memory on your device.
        4. +
        5. Restart the device and run the scan again. +
        6. +
        +

        +
        +

        0x8050800C

        +
        +

        ERR_MP_BAD_INPUT_DATA

        +
        +

        This error indicates that there might be a problem with your security product.

        +
        +

        +

          +
        1. Update the definitions. Either:
            +
          1. Click the Update definitions button on the Update tab in Windows Defender. Update definitions in Windows Defender

            Or,

            +
          2. +
          3. Download the latest definitions from the Microsoft Malware Protection Center. +

            Note: The size of the definitions file downloaded from the Microsoft Malware Protection Center can exceed 60 MB and should not be used as a long-term solution for updating definitions.

            +
          4. +
          +
        2. +
        3. Run a full scan. +
        4. +
        5. Restart the device and try again.
        6. +
        +

        +
        +

        0x80508020

        +
        +

        ERR_MP_BAD_CONFIGURATION +

        +
        +

        This error indicates that there might be an engine configuration error; commonly, this is related to input +data that does not allow the engine to function properly. +

        +
        +

        0x805080211 +

        +
        +

        ERR_MP_QUARANTINE_FAILED +

        +
        +

        This error indicates that Windows Defender failed to quarantine a threat. +

        +
        +

        0x80508022 +

        +
        +

        ERR_MP_REBOOT_REQUIRED +

        +
        +

        This error indicates that a reboot is required to complete threat removal. +

        +
        +

        0x80508023 +

        +
        +

        ERR_MP_THREAT_NOT_FOUND +

        +
        +

        This error indicates that the threat might no longer be present on the media, or malware might be stopping you from scanning your device. +

        +
        +

        Run the Microsoft Safety Scanner then update your security software and try again. +

        +
        +

        ERR_MP_FULL_SCAN_REQUIRED +

        +
        +

        This error indicates that a full system scan might be required. +

        +
        +

        Run a full system scan. +

        +
        +

        0x80508024 +

        +
        +

        0x80508025 +

        +
        +

        ERR_MP_MANUAL_STEPS_REQUIRED +

        +
        +

        This error indicates that manual steps are required to complete threat removal. +

        +
        +

        Follow the manual remediation steps outlined in the Microsoft Malware Protection Encyclopedia. You can find a threat-specific link in the event history. +

        +
        +

        0x80508026 +

        +
        +

        ERR_MP_REMOVE_NOT_SUPPORTED +

        +
        +

        This error indicates that removal inside the container type might not be not supported. +

        +
        +

        Windows Defender is not able to remediate threats detected inside the archive. Consider manually removing the detected resources. +

        +
        +

        0x80508027 +

        +
        +

        ERR_MP_REMOVE_LOW_MEDIUM_DISABLED +

        +
        +

        This error indicates that removal of low and medium threats might be disabled. +

        +
        +

        Check the detected threats and resolve them as required. +

        +
        +

        0x80508029 +

        +
        +

        ERROR_MP_RESCAN_REQUIRED +

        +
        +

        This error indicates a rescan of the threat is required. +

        +
        +

        Run a full system scan. +

        +
        +

        0x80508030 +

        +
        +

        ERROR_MP_CALLISTO_REQUIRED +

        +
        +

        This error indicates that an offline scan is required. +

        +
        +

        Run Windows Defender Offline. You can read about how to do this in the Windows Defender Offline +article.

        +
        +

        0x80508031 +

        +
        +

        ERROR_MP_PLATFORM_OUTDATED +

        +
        +

        This error indicates that Windows Defender does not support the current version of the platform and requires a new version of the platform. +

        +
        +

        You can only use Windows Defender in Windows 10. For Windows 8, Windows 7 and Windows Vista, you can use System Center Endpoint Protection. +

        +
        + + +The following error codes are used during internal testing of Windows Defender AV. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
        Internal error codes
        Error codeMessage displayedPossible reason for errorWhat to do now
        +

        0x80501004

        +
        +

        ERROR_MP_NO_INTERNET_CONN +

        +
        +

        Check your Internet connection, then run the scan again.

        +
        +

        Check your Internet connection, then run the scan again.

        +
        +

        0x80501000

        +
        +

        ERROR_MP_UI_CONSOLIDATION_BASE

        +
        +

        This is an internal error. The cause is not clearly defined.

        +
        +

        +

          +
        1. Update the definitions. Either:
            +
          1. Click the Update definitions button on the Update tab in Windows Defender. Update definitions in Windows Defender

            Or,

            +
          2. +
          3. Download the latest definitions from the Microsoft Malware Protection Center. +

            Note: The size of the definitions file downloaded from the Microsoft Malware Protection Center can exceed 60 MB and should not be used as a long-term solution for updating definitions.

            +
          4. +
          +
        2. +
        3. Run a full scan. +
        4. +
        5. Restart the device and try again.
        6. +
        +

        +
        +

        0x80501001

        +
        +

        ERROR_MP_ACTIONS_FAILED

        +
        +

        0x80501002

        +
        +

        ERROR_MP_NOENGINE

        +
        +

        0x80501003

        +
        +

        ERROR_MP_ACTIVE_THREATS

        +
        +

        0x805011011

        +
        +

        MP_ERROR_CODE_LUA_CANCELLED

        +
        +

        0x80501101

        +
        +

        ERROR_LUA_CANCELLATION

        +
        +

        0x80501102

        +
        +

        MP_ERROR_CODE_ALREADY_SHUTDOWN

        +
        +

        0x80501103

        +
        +

        MP_ERROR_CODE_RDEVICE_S_ASYNC_CALL_PENDING

        +
        +

        0x80501104

        +
        +

        MP_ERROR_CODE_CANCELLED

        +
        +

        0x80501105

        +
        +

        MP_ERROR_CODE_NO_TARGETOS

        +
        +

        0x80501106

        +
        +

        MP_ERROR_CODE_BAD_REGEXP

        +
        +

        0x80501107

        +
        +

        MP_ERROR_TEST_INDUCED_ERROR

        +
        +

        0x80501108

        +
        +

        MP_ERROR_SIG_BACKUP_DISABLED

        +
        +

        0x80508001

        +
        +

        ERR_MP_BAD_INIT_MODULES

        +
        +

        0x80508002

        +
        +

        ERR_MP_BAD_DATABASE

        +
        +

        0x80508004

        +
        +

        ERR_MP_BAD_UFS

        +
        +

        0x8050800C

        +
        +

        ERR_MP_BAD_INPUT_DATA

        +
        +

        0x8050800D

        +
        +

        ERR_MP_BAD_GLOBAL_STORAGE

        +
        +

        0x8050800E

        +
        +

        ERR_MP_OBSOLETE

        +
        +

        0x8050800F

        +
        +

        ERR_MP_NOT_SUPPORTED

        +
        +

        0x8050800F +0x80508010 +

        +
        +

        ERR_MP_NO_MORE_ITEMS

        +
        +

        0x80508011

        +
        +

        ERR_MP_DUPLICATE_SCANID

        +
        +

        0x80508012

        +
        +

        ERR_MP_BAD_SCANID

        +
        +

        0x80508013

        +
        +

        ERR_MP_BAD_USERDB_VERSION

        +
        +

        0x80508014

        +
        +

        ERR_MP_RESTORE_FAILED

        +
        +

        0x80508016

        +
        +

        ERR_MP_BAD_ACTION

        +
        +

        0x80508019

        +
        +

        ERR_MP_NOT_FOUND

        +
        +

        0x80509001

        +
        +

        ERR_RELO_BAD_EHANDLE

        +
        +

        0x80509003

        +
        +

        ERR_RELO_KERNEL_NOT_LOADED

        +
        +

        0x8050A001

        +
        +

        ERR_MP_BADDB_OPEN

        +
        +

        0x8050A002

        +
        +

        ERR_MP_BADDB_HEADER

        +
        +

        0x8050A003

        +
        +

        ERR_MP_BADDB_OLDENGINE

        +
        +

        0x8050A004

        +
        +

        ERR_MP_BADDB_CONTENT

        +
        +

        0x8050A005

        +
        +

        ERR_MP_BADDB_NOTSIGNED

        +
        +

        0x8050801

        +
        +

        ERR_MP_REMOVE_FAILED

        +
        +

        This is an internal error. It might be triggered when malware removal is not successful. +

        +
        +

        0x80508018 +

        +
        +

        ERR_MP_SCAN_ABORTED +

        +
        +

        This is an internal error. It might have triggered when a scan fails to complete. +

        +
        +
+## Related topics
+
+- [Report on Windows Defender Antivirus protection](report-monitor-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
diff --git a/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md b/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md
index 3730d58e83..2c5e7c8ce8 100644
--- a/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md
+++ b/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md
@@ -1,6 +1,6 @@ --- title: Troubleshoot Windows Defender in Windows 10 (Windows 10) -description: IT professionals can review information about event IDs in Windows Defender for Windows 10 and see any relevant action they can take. +description: IT professionals can review information about event IDs in Windows Defender for Windows 10 and see any relevant action they can take. ms.assetid: EE488CC1-E340-4D47-B50B-35BD23CB4D70 ms.prod: w10 ms.mktglfcycl: manage
@@ -8,3315 +8,9 @@ ms.sitesec: library
 ms.pagetype: security
 localizationpriority: medium
 author: jasesso
+redirect_url: /troubleshoot-windows-defender-antivirus/
 ---
 
 # Troubleshoot Windows Defender in Windows 10
 
-**Applies to**
-- Windows 10
-
-IT professionals can review information about event IDs in Windows Defender for Windows 10 and see any relevant action they can take.
-
-## Windows Defender client event IDs
-
-This section provides the following information about Windows Defender client events:
-
-- The text of the message as it appears in the event
-- The name of the source of the message
-- The symbolic name that identifies each message in the programming source code
-- Additional information about the message
-
-Use the information in this table to help troubleshoot Windows Defender client events; these are located in the **Windows Event Viewer**, under **Windows Logs**.
-
-**To view a Windows Defender client event**
-
-1. Open **Event Viewer**.
-2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender**.
-3. Double-click on **Operational**.
-4. In the details pane, view the list of individual events to find your event.
-5. Click the event to see specific details about an event in the lower pane, under the **General** and **Details** tabs.
-
-You can find a complete list of the Microsoft antimalware event IDs, the symbol, and the description of each ID in [Windows Server Antimalware Events TechNet](https://technet.microsoft.com/library/dn913615.aspx).
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        Event ID: 1000 -

        Symbolic name:

        -
        -

        MALWAREPROTECTION_SCAN_STARTED

        -
        -

        Message:

        -
        -

        An antimalware scan started. -

        -
        -

        Description:

        -
        -

        -

        -
        Scan ID: <ID number of the relevant scan.>
        -
        Scan Type: <Scan type>, for example:
          -
        • Antivirus
        • -
        • Antispyware
        • -
        • Antimalware
        • -
        -
        -
        Scan Parameters: <Scan parameters>, for example:
          -
        • Full scan
        • -
        • Quick scan
        • -
        • Customer scan
        • -
        -
        -
        Scan Resources: <Resources (such as files/directories/BHO) that were scanned.>
        -
        User: <Domain>\<User>
        -
        -

        -
        Event ID: 1001 -

        Symbolic name:

        -
        -

        MALWAREPROTECTION_SCAN_COMPLETED

        -
        -

        Message:

        -
        -

        An antimalware scan finished.

        -
        -

        Description:

        -
        -

        -

        -
        Scan ID: <ID number of the relevant scan.>
        -
        Scan Type: <Scan type>, for example:
          -
        • Antivirus
        • -
        • Antispyware
        • -
        • Antimalware
        • -
        -
        -
        Scan Parameters: <Scan parameters>, for example:
          -
        • Full scan
        • -
        • Quick scan
        • -
        • Customer scan
        • -
        -
        -
        User: <Domain>\<User>
        -
        Scan Time: <The duration of a scan.>
        -
        -

        -
        Event ID: 1002 -

        Symbolic name:

        -
        -

        MALWAREPROTECTION_SCAN_CANCELLED -

        -
        -

        Message:

        -
        -

        An antimalware scan was stopped before it finished. -

        -
        -

        Description:

        -
        -

        -

        -
        Scan ID: <ID number of the relevant scan.>
        -
        Scan Type: <Scan type>, for example:
          -
        • Antivirus
        • -
        • Antispyware
        • -
        • Antimalware
        • -
        -
        -
        Scan Parameters: <Scan parameters>, for example:
          -
        • Full scan
        • -
        • Quick scan
        • -
        • Customer scan
        • -
        -
        -
        User: <Domain>\<User>
        -
        Scan Time: <The duration of a scan.>
        -
        -

        -
        Event ID: 1003 -

        Symbolic name:

        -
        -

        MALWAREPROTECTION_SCAN_PAUSED -

        -
        -

        Message:

        -
        -

        An antimalware scan was paused. -

        -
        -

        Description:

        -
        -

        -

        -
        Scan ID: <ID number of the relevant scan.>
        -
        Scan Type: <Scan type>, for example:
          -
        • Antivirus
        • -
        • Antispyware
        • -
        • Antimalware
        • -
        -
        -
        Scan Parameters: <Scan parameters>, for example:
          -
        • Full scan
        • -
        • Quick scan
        • -
        • Customer scan
        • -
        -
        -
        User: <Domain>\<User>
        -
        -

        -
        Event ID: 1004 -

        Symbolic name:

        -
        -

        MALWAREPROTECTION_SCAN_RESUMED -

        -
        -

        Message:

        -
        -

        An antimalware scan was resumed. -

        -
        -

        Description:

        -
        -

        -

        -
        Scan ID: <ID number of the relevant scan.>
        -
        Scan Type: <Scan type>, for example:
          -
        • Antivirus
        • -
        • Antispyware
        • -
        • Antimalware
        • -
        -
        -
        Scan Parameters: <Scan parameters>, for example:
          -
        • Full scan
        • -
        • Quick scan
        • -
        • Customer scan
        • -
        -
        -
        User: <Domain>\<User>
        -
        -

        -
        Event ID: 1005 -

        Symbolic name:

        -
        -

        MALWAREPROTECTION_SCAN_FAILED -

        -
        -

        Message:

        -
        -

        An antimalware scan failed. -

        -
        -

        Description:

        -
        -

        -

        -
        Scan ID: <ID number of the relevant scan.>
        -
        Scan Type: <Scan type>, for example:
          -
        • Antivirus
        • -
        • Antispyware
        • -
        • Antimalware
        • -
        -
        -
        Scan Parameters: <Scan parameters>, for example:
          -
        • Full scan
        • -
        • Quick scan
        • -
        • Customer scan
        • -
        -
        -
        User: <Domain>\<User>
        -
        Error Code: <Error code> -Result code associated with threat status. Standard HRESULT values.
        -
        Error Description: <Error description> -Description of the error.
        -
        -

        -
        -

        User action:

        -
        -

        The Windows Defender client encountered an error, and the current scan has stopped. The scan might fail due to a client-side issue. This event record includes the scan ID, type of scan (antivirus, antispyware, antimalware), scan parameters, the user that started the scan, the error code, and a description of the error. -

        -

        To troubleshoot this event: -

          -
        1. Run the scan again.
        2. -
        3. If it fails in the same way, go to the Microsoft Support site, enter the error number in the Search box to look for the error code.
        4. -
        5. Contact Microsoft Technical Support. -
        6. -
        -

        -
        Event ID: 1006 -

        Symbolic name:

        -
        -

        MALWAREPROTECTION_MALWARE_DETECTED -

        -
        -

        Message:

        -
        -

        The antimalware engine found malware or other potentially unwanted software. -

        -
        -

        Description:

        -
        -

        -

        For more information please see the following:

        -
        -
        Name: <Threat name>
        -
        ID: <Threat ID>
        -
        Severity: <Severity>, for example:
          -
        • Low
        • -
        • Moderate
        • -
        • High
        • -
        • Severe
        • -
        -
        -
        Category: <Category description>, for example, any threat or malware type.
        -
        Path: <File path>
        -
        Detection Origin: <Detection origin>, for example:
          -
        • Unknown
        • -
        • Local computer
        • -
        • Network share
        • -
        • Internet
        • -
        • Incoming traffic
        • -
        • Outgoing traffic
        • -
        -
        -
        Detection Type: <Detection type>, for example:
          -
        • Heuristics
        • -
        • Generic
        • -
        • Concrete
        • -
        • Dynamic signature
        • -
        -
        -
        Detection Source: <Detection source> for example:
          -
        • User: user initiated
        • -
        • System: system initiated
        • -
        • Real-time: real-time component initiated
        • -
        • IOAV: IE Downloads and Outlook Express Attachments initiated
        • -
        • NIS: Network inspection system
        • -
        • IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls
        • -
        • Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence
        • -
        • Remote attestation
        • -
        Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well. -UAC
        -
        Status: <Status>
        -
        User: <Domain>\<User>
        -
        Process Name: <Process in the PID>
        -
        Signature Version: <Definition version>
        -
        Engine Version: <Antimalware Engine version>
        -
        -

        -
        Event ID: 1007 -

        Symbolic name:

        -
        -

        MALWAREPROTECTION_MALWARE_ACTION_TAKEN -

        -
        -

        Message:

        -
        -

        The antimalware platform performed an action to protect your system from malware or other potentially unwanted software. -

        -
        -

        Description:

        -
        -

        -

        Windows Defender has taken action to protect this machine from malware or other potentially unwanted software. For more information please see the following:

        -
        -
        User: <Domain>\<User>
        -
        Name: <Threat name>
        -
        ID: <Threat ID>
        -
        Severity: <Severity>, for example:
          -
        • Low
        • -
        • Moderate
        • -
        • High
        • -
        • Severe
        • -
        -
        -
        Category: <Category description>, for example, any threat or malware type.
        -
        Action: <Action>, for example:
          -
        • Clean: The resource was cleaned
        • -
        • Quarantine: The resource was quarantined
        • -
        • Remove: The resource was deleted
        • -
        • Allow: The resource was allowed to execute/exist
        • -
        • User defined: User defined action which is normally one from this list of actions that the user has specified
        • -
        • No action: No action
        • -
        • Block: The resource was blocked from executing
        • -
        -
        -
        Status: <Status>
        -
        Signature Version: <Definition version>
        -
        Engine Version: <Antimalware Engine version>
        -
        -

        -
        Event ID: 1008 -

        Symbolic name:

        -
        -

        MALWAREPROTECTION_MALWARE_ACTION_FAILED

        -
        -

        Message:

        -
        -

        The antimalware platform attempted to perform an action to protect your system from malware or other potentially unwanted software, but the action failed.

        -
        -

        Description:

        -
        -

        -

        Windows Defender has encountered an error when taking action on malware or other potentially unwanted software. For more information please see the following:

        -
        -
        User: <Domain>\<User>
        -
        Name: <Threat name>
        -
        ID: <Threat ID>
        -
        Severity: <Severity>, for example:
          -
        • Low
        • -
        • Moderate
        • -
        • High
        • -
        • Severe
        • -
        -
        -
        Category: <Category description>, for example, any threat or malware type.
        -
        Path: <File path>
        -
        Action: <Action>, for example:
          -
        • Clean: The resource was cleaned
        • -
        • Quarantine: The resource was quarantined
        • -
        • Remove: The resource was deleted
        • -
        • Allow: The resource was allowed to execute/exist
        • -
        • User defined: User defined action which is normally one from this list of actions that the user has specified
        • -
        • No action: No action
        • -
        • Block: The resource was blocked from executing
        • -
        -
        -
        Error Code: <Error code> -Result code associated with threat status. Standard HRESULT values.
        -
        Error Description: <Error description> -Description of the error.
        -
        Status: <Status>
        -
        Signature Version: <Definition version>
        -
        Engine Version: <Antimalware Engine version>
        -
        -

        -
        Event ID: 1009 -

        Symbolic name:

        -
        -

        MALWAREPROTECTION_QUARANTINE_RESTORE -

        -
        -

        Message:

        -
        -

        The antimalware platform restored an item from quarantine. -

        -
        -

        Description:

        -
        -

        -

        Windows Defender has restored an item from quarantine. For more information please see the following:

        -
        -
        Name: <Threat name>
        -
        ID: <Threat ID>
        -
        Severity: <Severity>, for example:
          -
        • Low
        • -
        • Moderate
        • -
        • High
        • -
        • Severe
        • -
        -
        -
        Category: <Category description>, for example, any threat or malware type.
        -
        Path: <File path>
        -
        User: <Domain>\<User>
        -
        Signature Version: <Definition version>
        -
        Engine Version: <Antimalware Engine version>
        -
        -

        -
        Event ID: 1010 -

        Symbolic name:

        -
        -

        MALWAREPROTECTION_QUARANTINE_RESTORE_FAILED -

        -
        -

        Message:

        -
        -

        The antimalware platform could not restore an item from quarantine. -

        -
        -

        Description:

        -
        -

        -

        Windows Defender has encountered an error trying to restore an item from quarantine. For more information please see the following:

        -
        -
        Name: <Threat name>
        -
        ID: <Threat ID>
        -
        Severity: <Severity>, for example:
          -
        • Low
        • -
        • Moderate
        • -
        • High
        • -
        • Severe
        • -
        -
        -
        Category: <Category description>, for example, any threat or malware type.
        -
        Path: <File path>
        -
        User: <Domain>\<User>
        -
        Error Code: <Error code> -Result code associated with threat status. Standard HRESULT values.
        -
        Error Description: <Error description> -Description of the error.
        -
        Signature Version: <Definition version>
        -
        Engine Version: <Antimalware Engine version>
        -
        -

        -
        Event ID: 1011 -

        Symbolic name:

        -
        -

        MALWAREPROTECTION_QUARANTINE_DELETE

        -
        -

        Message:

        -
        -

        The antimalware platform deleted an item from quarantine. -

        -
        -

        Description:

        -
        -

        -

        Windows Defender has deleted an item from quarantine. -For more information please see the following:

        -
        -
        Name: <Threat name>
        -
        ID: <Threat ID>
        -
        Severity: <Severity>, for example:
          -
        • Low
        • -
        • Moderate
        • -
        • High
        • -
        • Severe
        • -
        -
        -
        Category: <Category description>, for example, any threat or malware type.
        -
        Path: <File path>
        -
        User: <Domain>\<User>
        -
        Signature Version: <Definition version>
        -
        Engine Version: <Antimalware Engine version>
        -
        -

        -
        Event ID: 1012 -

        Symbolic name:

        -
        -

        MALWAREPROTECTION_QUARANTINE_DELETE_FAILED -

        -
        -

        Message:

        -
        -

        The antimalware platform could not delete an item from quarantine.

        -
        -

        Description:

        -
        -

        -

        Windows Defender has encountered an error trying to delete an item from quarantine. -For more information please see the following:

        -
        -
        Name: <Threat name>
        -
        ID: <Threat ID>
        -
        Severity: <Severity>, for example:
          -
        • Low
        • -
        • Moderate
        • -
        • High
        • -
        • Severe
        • -
        -
        -
        Category: <Category description>, for example, any threat or malware type.
        -
        Path: <File path>
        -
        User: <Domain>\<User>
        -
        Error Code: <Error code> -Result code associated with threat status. Standard HRESULT values.
        -
        Error Description: <Error description> -Description of the error.
        -
        Signature Version: <Definition version>
        -
        Engine Version: <Antimalware Engine version>
        -
        -

        -
        Event ID: 1013 -

        Symbolic name:

        -
        -

        MALWAREPROTECTION_MALWARE_HISTORY_DELETE -

        -
        -

        Message:

        -
        -

        The antimalware platform deleted history of malware and other potentially unwanted software.

        -
        -

        Description:

        -
        -

        -

        Windows Defender has removed history of malware and other potentially unwanted software.

        -
        -
        Time: The time when the event occurred, for example when the history is purged. Note that this parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.
        -
        User: <Domain>\<User>
        -
        -

        -
        Event ID: 1014 -

        Symbolic name:

        -
        -

        MALWAREPROTECTION_MALWARE_HISTORY_DELETE_FAILED -

        -
        -

        Message:

        -
        -

        The antimalware platform could not delete history of malware and other potentially unwanted software.

        -
        -

        Description:

        -
        -

        -

        Windows Defender has encountered an error trying to remove history of malware and other potentially unwanted software.

        -
        -
        Time: The time when the event occurred, for example when the history is purged. Note that this parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.
        -
        User: <Domain>\<User>
        -
        Error Code: <Error code> -Result code associated with threat status. Standard HRESULT values.
        -
        Error Description: <Error description> -Description of the error.
        -
        -

        -
        Event ID: 1015 -

        Symbolic name:

        -
        -

        MALWAREPROTECTION_BEHAVIOR_DETECTED -

        -
        -

        Message:

        -
        -

        The antimalware platform detected suspicious behavior.

        -
        -

        Description:

        -
        -

        -

        Windows Defender has detected a suspicious behavior. -For more information please see the following:

        -
        -
        Name: <Threat name>
        -
        ID: <Threat ID>
        -
        Severity: <Severity>, for example:
          -
        • Low
        • -
        • Moderate
        • -
        • High
        • -
        • Severe
        • -
        -
        -
        Category: <Category description>, for example, any threat or malware type.
        -
        Path: <File path>
        -
        Detection Origin: <Detection origin>, for example: -
          -
        • Unknown
        • -
        • Local computer
        • -
        • Network share
        • -
        • Internet
        • -
        • Incoming traffic
        • -
        • Outgoing traffic
        • -
        -
        -
        Detection Type: <Detection type>, for example:
          -
        • Heuristics
        • -
        • Generic
        • -
        • Concrete
        • -
        • Dynamic signature
        • -
        -
        -
        Detection Source: <Detection source> for example:
          -
        • User: user initiated
        • -
        • System: system initiated
        • -
        • Real-time: real-time component initiated
        • -
        • IOAV: IE Downloads and Outlook Express Attachments initiated
        • -
        • NIS: Network inspection system
        • -
        • IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls
        • -
        • Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence
        • -
        • Remote attestation
        • -
        Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well. -UAC
        -
        Status: <Status>
        -
        User: <Domain>\<User>
        -
        Process Name: <Process in the PID>
        -
        Signature ID: Enumeration matching severity.
        -
        Signature Version: <Definition version>
        -
        Engine Version: <Antimalware Engine version>
        -
        Fidelity Label:
        -
        Target File Name: <File name> -Name of the file.
        -
        -

        -
        Event ID: 1116 -

        Symbolic name:

        -
        -

        MALWAREPROTECTION_STATE_MALWARE_DETECTED

        -
        -

        Message:

        -
        -

        The antimalware platform detected malware or other potentially unwanted software. -

        -
        -

        Description:

        -
        -

        -

        Windows Defender has detected malware or other potentially unwanted software. -For more information please see the following:

        -
        -
        Name: <Threat name>
        -
        ID: <Threat ID>
        -
        Severity: <Severity>, for example:
          -
        • Low
        • -
        • Moderate
        • -
        • High
        • -
        • Severe
        • -
        -
        -
        Category: <Category description>, for example, any threat or malware type.
        -
        Path: <File path>
        -
        Detection Origin: <Detection origin>, for example: -
          -
        • Unknown
        • -
        • Local computer
        • -
        • Network share
        • -
        • Internet
        • -
        • Incoming traffic
        • -
        • Outgoing traffic
        • -
        -
        -
        Detection Type: <Detection type>, for example:
          -
        • Heuristics
        • -
        • Generic
        • -
        • Concrete
        • -
        • Dynamic signature
        • -
        -
        -
        Detection Source: <Detection source> for example:
          -
        • User: user initiated
        • -
        • System: system initiated
        • -
        • Real-time: real-time component initiated
        • -
        • IOAV: IE Downloads and Outlook Express Attachments initiated
        • -
        • NIS: Network inspection system
        • -
        • IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls
        • -
        • Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence
        • -
        • Remote attestation
        • -
        Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well. -UAC
        -
        User: <Domain>\<User>
        -
        Process Name: <Process in the PID>
        -
        Signature Version: <Definition version>
        -
        Engine Version: <Antimalware Engine version>
        -
        -

        -
        -

        User action:

        -
        -

        No action is required. Windows Defender can suspend and take routine action on this threat. If you want to remove the threat manually, in the Windows Defender interface, click Clean Computer.

        -
        Event ID: 1117 -

        Symbolic name:

        -
        -

        MALWAREPROTECTION_STATE_MALWARE_ACTION_TAKEN -

        -
        -

        Message:

        -
        -

        The antimalware platform performed an action to protect your system from malware or other potentially unwanted software. -

        -
        -

        Description:

        -
        -

        -

        Windows Defender has taken action to protect this machine from malware or other potentially unwanted software. -For more information please see the following:

        -
        -
        Name: <Threat name>
        -
        ID: <Threat ID>
        -
        Severity: <Severity>, for example:
          -
        • Low
        • -
        • Moderate
        • -
        • High
        • -
        • Severe
        • -
        -
        -
        Category: <Category description>, for example, any threat or malware type.
        -
        Path: <File path>
        -
        Detection Origin: <Detection origin>, for example: -
          -
        • Unknown
        • -
        • Local computer
        • -
        • Network share
        • -
        • Internet
        • -
        • Incoming traffic
        • -
        • Outgoing traffic
        • -
        -
        -
        Detection Type: <Detection type>, for example:
          -
        • Heuristics
        • -
        • Generic
        • -
        • Concrete
        • -
        • Dynamic signature
        • -
        -
        -
        Detection Source: <Detection source> for example:
          -
        • User: user initiated
        • -
        • System: system initiated
        • -
        • Real-time: real-time component initiated
        • -
        • IOAV: IE Downloads and Outlook Express Attachments initiated
        • -
        • NIS: Network inspection system
        • -
        • IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls
        • -
        • Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence
        • -
        • Remote attestation
        • -
        Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well. -UAC
        -
        User: <Domain>\<User>
        -
        Process Name: <Process in the PID>
        -
        Action: <Action>, for example:
          -
        • Clean: The resource was cleaned
        • -
        • Quarantine: The resource was quarantined
        • -
        • Remove: The resource was deleted
        • -
        • Allow: The resource was allowed to execute/exist
        • -
        • User defined: User defined action which is normally one from this list of actions that the user has specified
        • -
        • No action: No action
        • -
        • Block: The resource was blocked from executing
        • -
        -
        -
        Action Status: <Description of additional actions>
        -
        Error Code: <Error code> -Result code associated with threat status. Standard HRESULT values.
        -
        Error Description: <Error description> -Description of the error.
        -
        Signature Version: <Definition version>
        -
        Engine Version: <Antimalware Engine version>
        -

        NOTE: -

        Whenever Windows Defender, Microsoft Security Essentials, Malicious Software Removal Tool, or System Center Endpoint Protection detects a malware, it will restore the following system settings and services which the malware might have changed:

          -
        • Default Internet Explorer or Edge setting
        • -
        • User Access Control settings
        • -
        • Chrome settings
        • -
        • Boot Control Data
        • -
        • Regedit and Task Manager registry settings
        • -
        • Windows Update, Background Intelligent Transfer Service, and Remote Procedure Call service
        • -
        • Windows Operating System files
        -The above context applies to the following client and server versions: - - - - - - - - - - - - - -
        Operating systemOperating system version
        -

        Client Operating System

        -
        -

        Windows Vista (Service Pack 1, or Service Pack 2), Windows 7 and later

        -
        -

        Server Operating System

        -
        -

        Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2016

        -
        -

        -
        -
        -

        User action:

        -
        -

        No action is necessary. Windows Defender removed or quarantined a threat.

        -
        Event ID: 1118 -

        Symbolic name:

        -
        -

        MALWAREPROTECTION_STATE_MALWARE_ACTION_FAILED

        -
        -

        Message:

        -
        -

        The antimalware platform attempted to perform an action to protect your system from malware or other potentially unwanted software, but the action failed. -

        -
        -

        Description:

        -
        -

        -

        Windows Defender has encountered a non-critical error when taking action on malware or other potentially unwanted software. -For more information please see the following:

        -
        -
        Name: <Threat name>
        -
        ID: <Threat ID>
        -
        Severity: <Severity>, for example:
          -
        • Low
        • -
        • Moderate
        • -
        • High
        • -
        • Severe
        • -
        -
        -
        Category: <Category description>, for example, any threat or malware type.
        -
        Path: <File path>
        -
        Detection Origin: <Detection origin>, for example: -
          -
        • Unknown
        • -
        • Local computer
        • -
        • Network share
        • -
        • Internet
        • -
        • Incoming traffic
        • -
        • Outgoing traffic
        • -
        -
        -
        Detection Type: <Detection type>, for example:
          -
        • Heuristics
        • -
        • Generic
        • -
        • Concrete
        • -
        • Dynamic signature
        • -
        -
        -
        Detection Source: <Detection source> for example:
          -
        • User: user initiated
        • -
        • System: system initiated
        • -
        • Real-time: real-time component initiated
        • -
        • IOAV: IE Downloads and Outlook Express Attachments initiated
        • -
        • NIS: Network inspection system
        • -
        • IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls
        • -
        • Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence
        • -
        • Remote attestation
        • -
        Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well. -UAC
        -
        User: <Domain>\<User>
        -
        Process Name: <Process in the PID>
        -
        Action: <Action>, for example:
          -
        • Clean: The resource was cleaned
        • -
        • Quarantine: The resource was quarantined
        • -
        • Remove: The resource was deleted
        • -
        • Allow: The resource was allowed to execute/exist
        • -
        • User defined: User defined action which is normally one from this list of actions that the user has specified
        • -
        • No action: No action
        • -
        • Block: The resource was blocked from executing
        • -
        -
        -
        Action Status: <Description of additional actions>
        -
        Error Code: <Error code> -Result code associated with threat status. Standard HRESULT values.
        -
        Error Description: <Error description> -Description of the error.
        -
        Signature Version: <Definition version>
        -
        Engine Version: <Antimalware Engine version>
        -
        -

        -
        -

        User action:

        -
        -

        No action is necessary. Windows Defender failed to complete a task related to the malware remediation. This is not a critical failure.

        -
        Event ID: 1119 -

        Symbolic name:

        -
        -

        MALWAREPROTECTION_STATE_MALWARE_ACTION_CRITICALLY_FAILED -

        -
        -

        Message:

        -
        -

        The antimalware platform encountered a critical error when trying to take action on malware or other potentially unwanted software. There are more details in the event message.

        -
        -

        Description:

        -
        -

        -

        Windows Defender has encountered a critical error when taking action on malware or other potentially unwanted software. -For more information please see the following:

        -
        -
        Name: <Threat name>
        -
        ID: <Threat ID>
        -
        Severity: <Severity>, for example:
          -
        • Low
        • -
        • Moderate
        • -
        • High
        • -
        • Severe
        • -
        -
        -
        Category: <Category description>, for example, any threat or malware type.
        -
        Path: <File path>
        -
        Detection Origin: <Detection origin>, for example: -
          -
        • Unknown
        • -
        • Local computer
        • -
        • Network share
        • -
        • Internet
        • -
        • Incoming traffic
        • -
        • Outgoing traffic
        • -
        -
        -
        Detection Type: <Detection type>, for example:
          -
        • Heuristics
        • -
        • Generic
        • -
        • Concrete
        • -
        • Dynamic signature
        • -
        -
        -
        Detection Source: <Detection source> for example:
          -
        • User: user initiated
        • -
        • System: system initiated
        • -
        • Real-time: real-time component initiated
        • -
        • IOAV: IE Downloads and Outlook Express Attachments initiated
        • -
        • NIS: Network inspection system
        • -
        • IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls
        • -
        • Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence
        • -
        • Remote attestation
        • -
        Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well. -UAC
        -
        User: <Domain>\<User>
        -
        Process Name: <Process in the PID>
        -
        Action: <Action>, for example:
          -
        • Clean: The resource was cleaned
        • -
        • Quarantine: The resource was quarantined
        • -
        • Remove: The resource was deleted
        • -
        • Allow: The resource was allowed to execute/exist
        • -
        • User defined: User defined action which is normally one from this list of actions that the user has specified
        • -
        • No action: No action
        • -
        • Block: The resource was blocked from executing
        • -
        -
        -
        Action Status: <Description of additional actions>
        -
        Error Code: <Error code> -Result code associated with threat status. Standard HRESULT values.
        -
        Error Description: <Error description> -Description of the error.
        -
        Signature Version: <Definition version>
        -
        Engine Version: <Antimalware Engine version>
        -
        -

        -
        -

        User action:

        -
        -

        The Windows Defender client encountered this error due to critical issues. The endpoint might not be protected. Review the error description then follow the relevant User action steps below.

        - - - - - - - - - - - - - - - - - - - - - -
        ActionUser action
        -

        Remove

        -
        -

        Update the definitions then verify that the removal was successful.

        -
        -

        Clean

        -
        -

        Update the definitions then verify that the remediation was successful.

        -
        -

        Quarantine

        -
        -

        Update the definitions and verify that the user has permission to access the necessary resources.

        -
        -

        Allow

        -
        -

        Verify that the user has permission to access the necessary resources.

        -
        -

         

        -

        If this event persists:

          -
        1. Run the scan again.
        2. -
        3. If it fails in the same way, go to the Microsoft Support site, enter the error number in the Search box to look for the error code.
        4. -
        5. Contact Microsoft Technical Support. -
        6. -
        -

        -
        Event ID: 1120 -

        Symbolic name:

        -
        -

        MALWAREPROTECTION_THREAT_HASH

        -
        -

        Message:

        -
        -

        Windows Defender has deduced the hashes for a threat resource.

        -
        -

        Description:

        -
        -

        -

        Windows Defender client is up and running in a healthy state.

        -
        -
        Current Platform Version: <Current platform version>
        -
        Threat Resource Path: <Path>
        -
        Hashes: <Hashes>
        -
        -

        -
        -
        Note  This event will only be logged if the following policy is set: ThreatFileHashLogging unsigned.
        -
         
        -
        Event ID: 1150 -

        Symbolic name:

        -
        -

        MALWAREPROTECTION_SERVICE_HEALTHY

        -
        -

        Message:

        -
        -

        If your antimalware platform reports status to a monitoring platform, this event indicates that the antimalware platform is running and in a healthy state. -

        -
        -

        Description:

        -
        -

        -

        Windows Defender client is up and running in a healthy state.

        -
        -
        Platform Version: <Current platform version>
        -
        Signature Version: <Definition version>
        -
        Engine Version: <Antimalware Engine version>
        -
        -

        -
        -

        User action:

        -
        -

        No action is necessary. The Windows Defenderclient is in a healthy state. This event is reported on an hourly basis.

        -
        Event ID: 2000 -

        Symbolic name:

        -
        -

        MALWAREPROTECTION_SIGNATURE_UPDATED -

        -
        -

        Message:

        -
        -

        The antimalware definitions updated successfully. -

        -
        -

        Description:

        -
        -

        -

        Windows Defender signature version has been updated.

        -
        -
        Current Signature Version: <Current signature version>
        -
        Previous Signature Version: <Previous signature version>
        -
        Signature Type: <Signature type>, for example:
          -
        • Antivirus
        • -
        • Antispyware
        • -
        • Antimalware
        • -
        • Network Inspection System
        • -
        -
        -
        Update Type: <Update type>, either Full or Delta.
        -
        User: <Domain>\<User>
        -
        Current Engine Version: <Current engine version>
        -
        Previous Engine Version: <Previous engine version>
        -
        -

        -
        -

        User action:

        -
        -

        No action is necessary. The Windows Defender client is in a healthy state. This event is reported when signatures are successfully updated.

        -
        Event ID: 2001 -

        Symbolic name:

        -
        -

        MALWAREPROTECTION_SIGNATURE_UPDATE_FAILED

        -
        -

        Message:

        -
        -

        The antimalware definition update failed. -

        -
        -

        Description:

        -
        -

        -

        Windows Defender has encountered an error trying to update signatures.

        -
        -
        New Signature Version: <New version number>
        -
        Previous Signature Version: <Previous signature version>
        -
        Update Source: <Update source>, for example: -
          -
        • Signature update folder
        • -
        • Internal definition update server
        • -
        • Microsoft Update Server
        • -
        • File share
        • -
        • Microsoft Malware Protection Center (MMPC)
        • -
        -
        -
        Update Stage: <Update stage>, for example: -
          -
        • Search
        • -
        • Download
        • -
        • Install
        • -
        -
        -
        Source Path: File share name for Universal Naming Convention (UNC), server name for Windows Server Update Services (WSUS)/Microsoft Update/ADL.
        -
        Signature Type: <Signature type>, for example:
          -
        • Antivirus
        • -
        • Antispyware
        • -
        • Antimalware
        • -
        • Network Inspection System
        • -
        -
        -
        Update Type: <Update type>, either Full or Delta.
        -
        User: <Domain>\<User>
        -
        Current Engine Version: <Current engine version>
        -
        Previous Engine Version: <Previous engine version>
        -
        Error Code: <Error code> -Result code associated with threat status. Standard HRESULT values.
        -
        Error Description: <Error description> -Description of the error.
        -
        -

        -
        -

        User action:

        -
        -

        This error occurs when there is a problem updating definitions.

        -

        To troubleshoot this event: -

          -
        1. Update the definitions. Either:
            -
          1. Click the Update definitions button on the Update tab in Windows Defender. Update definitions in Windows Defender

            Or,

            -
          2. -
          3. Download the latest definitions from the Microsoft Malware Protection Center. -

            Note: The size of the definitions file downloaded from the Microsoft Malware Protection Center can exceed 60 MB and should not be used as a long-term solution for updating definitions.

            -
          4. -
          -
        2. -
        3. Review the entries in the %Windir%\WindowsUpdate.log file for more information about this error.
        4. -
        5. Contact Microsoft Technical Support. -
        6. -
        -

        -
        Event ID: 2002 -

        Symbolic name:

        -
        -

        MALWAREPROTECTION_ENGINE_UPDATED

        -
        -

        Message:

        -
        -

        The antimalware engine updated successfully. -

        -
        -

        Description:

        -
        -

        -

        Windows Defender engine version has been updated.

        -
        -
        Current Engine Version: <Current engine version>
        -
        Previous Engine Version: <Previous engine version>
        -
        Engine Type: <Engine type>, either antimalware engine or Network Inspection System engine.
        -
        User: <Domain>\<User>
        -
        -

        -
        -

        User action:

        -
        -

        No action is necessary. The Windows Defender client is in a healthy state. This event is reported when the antimalware engine is successfully updated.

        -
        Event ID: 2003 -

        Symbolic name:

        -
        -

        MALWAREPROTECTION_ENGINE_UPDATE_FAILED

        -
        -

        Message:

        -
        -

        The antimalware engine update failed. -

        -
        -

        Description:

        -
        -

        -

        Windows Defender has encountered an error trying to update the engine.

        -
        -
        New Engine Version:
        -
        Previous Engine Version: <Previous engine version>
        -
        Engine Type: <Engine type>, either antimalware engine or Network Inspection System engine.
        -
        User: <Domain>\<User>
        -
        Error Code: <Error code> -Result code associated with threat status. Standard HRESULT values.
        -
        Error Description: <Error description> -Description of the error.
        -
        -

        -
        -

        User action:

        -
        -

        The Windows Defender client update failed. This event occurs when the client fails to update itself. This event is usually due to an interruption in network connectivity during an update.

        -

        To troubleshoot this event: -

          -
        1. Update the definitions. Either:
            -
          1. Click the Update definitions button on the Update tab in Windows Defender. Update definitions in Windows Defender

            Or,

            -
          2. -
          3. Download the latest definitions from the Microsoft Malware Protection Center. -

            Note: The size of the definitions file downloaded from the Microsoft Malware Protection Center can exceed 60 MB and should not be used as a long-term solution for updating definitions.

            -
          4. -
          -
        2. -
        3. Contact Microsoft Technical Support. -
        4. -
        -

        -
        Event ID: 2004 -

        Symbolic name:

        -
        -

        MALWAREPROTECTION_SIGNATURE_REVERSION

        -
        -

        Message:

        -
        -

        There was a problem loading antimalware definitions. The antimalware engine will attempt to load the last-known good set of definitions.

        -
        -

        Description:

        -
        -

        -

        Windows Defender has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures.

        -
        -
        Signatures Attempted:
        -
        Error Code: <Error code> -Result code associated with threat status. Standard HRESULT values.
        -
        Error Description: <Error description> -Description of the error.
        -
        Signature Version: <Definition version>
        -
        Engine Version: <Antimalware engine version>
        -
        -

        -
        -

        User action:

        -
        -

        The Windows Defender client attempted to download and install the latest definitions file and failed. This error can occur when the client encounters an error while trying to load the definitions, or if the file is corrupt. Windows Defender will attempt to revert back to a known-good set of definitions.

        -

        To troubleshoot this event: -

          -
        1. Restart the computer and try again.
        2. -
        3. Download the latest definitions from the Microsoft Malware Protection Center. -

          Note: The size of the definitions file downloaded from the Microsoft Malware Protection Center can exceed 60 MB and should not be used as a long-term solution for updating definitions.

          -
        4. -
        5. Contact Microsoft Technical Support. -
        6. -
        -

        -
        Event ID: 2005 -

        Symbolic name:

        -
        -

        MALWAREPROTECTION_ENGINE_UPDATE_PLATFORMOUTOFDATE

        -
        -

        Message:

        -
        -

        The antimalware engine failed to load because the antimalware platform is out of date. The antimalware platform will load the last-known good antimalware engine and attempt to update.

        -
        -

        Description:

        -
        -

        -

        Windows Defender could not load antimalware engine because current platform version is not supported. Windows Defender will revert back to the last known-good engine and a platform update will be attempted.

        -
        -
        Current Platform Version: <Current platform version>
        -
        -

        -
        Event ID: 2006 -

        Symbolic name:

        -
        -

        MALWAREPROTECTION_PLATFORM_UPDATE_FAILED -

        -
        -

        Message:

        -
        -

        The platform update failed. -

        -
        -

        Description:

        -
        -

        -

        Windows Defender has encountered an error trying to update the platform.

        -
        -
        Current Platform Version: <Current platform version>
        -
        Error Code: <Error code> -Result code associated with threat status. Standard HRESULT values.
        -
        Error Description: <Error description> -Description of the error.
        -
        -

        -
        Event ID: 2007 -

        Symbolic name:

        -
        -

        MALWAREPROTECTION_PLATFORM_ALMOSTOUTOFDATE

        -
        -

        Message:

        -
        -

        The platform will soon be out of date. Download the latest platform to maintain up-to-date protection.

        -
        -

        Description:

        -
        -

        -

        Windows Defender will soon require a newer platform version to support future versions of the antimalware engine. Download the latest Windows Defender platform to maintain the best level of protection available.

        -
        -
        Current Platform Version: <Current platform version>
        -
        -

        -
        Event ID: 2010 -

        Symbolic name:

        -
        -

        MALWAREPROTECTION_SIGNATURE_FASTPATH_UPDATED -

        -
        -

        Message:

        -
        -

        The antimalware engine used the Dynamic Signature Service to get additional definitions. -

        -
        -

        Description:

        -
        -

        -

        Windows Defender used Dynamic Signature Service to retrieve additional signatures to help protect your machine.

        -
        -
        Current Signature Version: <Current signature version>
        -
        Signature Type: <Signature type>, for example:
          -
        • Antivirus
        • -
        • Antispyware
        • -
        • Antimalware
        • -
        • Network Inspection System
        • -
        -
        -
        Current Engine Version: <Current engine version>
        -
        Dynamic Signature Type: <Dynamic signature type>, for example: -
          -
        • Version
        • -
        • Timestamp
        • -
        • No limit
        • -
        • Duration
        • -
        -
        -
        Persistence Path: <Path>
        -
        Dynamic Signature Version: <Version number>
        -
        Dynamic Signature Compilation Timestamp: <Timestamp>
        -
        Persistence Limit Type: <Persistence limit type>, for example: -
          -
        • VDM version
        • -
        • Timestamp
        • -
        • No limit
        • -
        -
        -
        Persistence Limit: Persistence limit of the fastpath signature.
        -
        -

        -
        Event ID: 2011 -

        Symbolic name:

        -
        -

        MALWAREPROTECTION_SIGNATURE_FASTPATH_DELETED -

        -
        -

        Message:

        -
        -

        The Dynamic Signature Service deleted the out-of-date dynamic definitions. -

        -
        -

        Description:

        -
        -

        -

        Windows Defender used Dynamic Signature Service to discard obsolete signatures.

        -
        -
        Current Signature Version: <Current signature version>
        -
        Signature Type: <Signature type>, for example:
          -
        • Antivirus
        • -
        • Antispyware
        • -
        • Antimalware
        • -
        • Network Inspection System
        • -
        -
        -
        Current Engine Version: <Current engine version>
        -
        Dynamic Signature Type: <Dynamic signature type>, for example: -
          -
        • Version
        • -
        • Timestamp
        • -
        • No limit
        • -
        • Duration
        • -
        -
        -
        Persistence Path: <Path>
        -
        Dynamic Signature Version: <Version number>
        -
        Dynamic Signature Compilation Timestamp: <Timestamp>
        -
        Removal Reason:
        -
        Persistence Limit Type: <Persistence limit type>, for example: -
          -
        • VDM version
        • -
        • Timestamp
        • -
        • No limit
        • -
        -
        -
        Persistence Limit: Persistence limit of the fastpath signature.
        -
        -

        -
        -

        User action:

        -
        -

        No action is necessary. The Windows Defender client is in a healthy state. This event is reported when the Dynamic Signature Service successfully deletes out-of-date dynamic definitions.

        -
        Event ID: 2012 -

        Symbolic name:

        -
        -

        MALWAREPROTECTION_SIGNATURE_FASTPATH_UPDATE_FAILED -

        -
        -

        Message:

        -
        -

        The antimalware engine encountered an error when trying to use the Dynamic Signature Service. -

        -
        -

        Description:

        -
        -

        -

        Windows Defender has encountered an error trying to use Dynamic Signature Service.

        -
        -
        Current Signature Version: <Current signature version>
        -
        Signature Type: <Signature type>, for example:
          -
        • Antivirus
        • -
        • Antispyware
        • -
        • Antimalware
        • -
        • Network Inspection System
        • -
        -
        -
        Current Engine Version: <Current engine version>
        -
        Error Code: <Error code> -Result code associated with threat status. Standard HRESULT values.
        -
        Error Description: <Error description> -Description of the error.
        -
        Dynamic Signature Type: <Dynamic signature type>, for example: -
          -
        • Version
        • -
        • Timestamp
        • -
        • No limit
        • -
        • Duration
        • -
        -
        -
        Persistence Path: <Path>
        -
        Dynamic Signature Version: <Version number>
        -
        Dynamic Signature Compilation Timestamp: <Timestamp>
        -
        Persistence Limit Type: <Persistence limit type>, for example: -
          -
        • VDM version
        • -
        • Timestamp
        • -
        • No limit
        • -
        -
        -
        Persistence Limit: Persistence limit of the fastpath signature.
        -
        -

        -
        -

        User action:

        -
        -

        Check your Internet connectivity settings.

        -
        Event ID: 2013 -

        Symbolic name:

        -
        -

        MALWAREPROTECTION_SIGNATURE_FASTPATH_DELETED_ALL -

        -
        -

        Message:

        -
        -

        The Dynamic Signature Service deleted all dynamic definitions. -

        -
        -

        Description:

        -
        -

        -

        Windows Defender discarded all Dynamic Signature Service signatures.

        -
        -
        Current Signature Version: <Current signature version>
        -
        -

        -
        Event ID: 2020 -

        Symbolic name:

        -
        -

        MALWAREPROTECTION_CLOUD_CLEAN_RESTORE_FILE_DOWNLOADED -

        -
        -

        Message:

        -
        -

        The antimalware engine downloaded a clean file. -

        -
        -

        Description:

        -
        -

        -

        Windows Defender downloaded a clean file.

        -
        -
        Filename: <File name> -Name of the file.
        -
        Current Signature Version: <Current signature version>
        -
        Current Engine Version: <Current engine version>
        -
        -

        -
        Event ID: 2021 -

        Symbolic name:

        -
        -

        MALWAREPROTECTION_CLOUD_CLEAN_RESTORE_FILE_DOWNLOAD_FAILED

        -
        -

        Message:

        -
        -

        The antimalware engine failed to download a clean file. -

        -
        -

        Description:

        -
        -

        -

        Windows Defender has encountered an error trying to download a clean file.

        -
        -
        Filename: <File name> -Name of the file.
        -
        Current Signature Version: <Current signature version>
        -
        Current Engine Version: <Current engine version>
        -
        Error Code: <Error code> -Result code associated with threat status. Standard HRESULT values.
        -
        Error Description: <Error description> -Description of the error.
        -
        -

        -
        -

        User action:

        -
        -

        Check your Internet connectivity settings. -

        -

        The Windows Defender client encountered an error when using the Dynamic Signature Service to download the latest definitions to a specific threat. This error is likely caused by a network connectivity issue. -

        -
        Event ID: 2030 -

        Symbolic name:

        -
        -

        MALWAREPROTECTION_OFFLINE_SCAN_INSTALLED

        -
        -

        Message:

        -
        -

        The antimalware engine was downloaded and is configured to run offline on the next system restart.

        -
        -

        Description:

        -
        -

        Windows Defender downloaded and configured Windows Defender Offline to run on the next reboot.

        -
        Event ID: 2031 -

        Symbolic name:

        -
        -

        MALWAREPROTECTION_OFFLINE_SCAN_INSTALL_FAILED -

        -
        -

        Message:

        -
        -

        The antimalware engine was unable to download and configure an offline scan.

        -
        -

        Description:

        -
        -

        -

        Windows Defender has encountered an error trying to download and configure Windows Defender Offline.

        -
        -
        Error Code: <Error code> -Result code associated with threat status. Standard HRESULT values.
        -
        Error Description: <Error description> -Description of the error.
        -
        -

        -
        Event ID: 2040 -

        Symbolic name:

        -
        -

        MALWAREPROTECTION_OS_EXPIRING -

        -
        -

        Message:

        -
        -

        Antimalware support for this operating system version will soon end. -

        -
        -

        Description:

        -
        -

        The support for your operating system will expire shortly. Running Windows Defender on an out of support operating system is not an adequate solution to protect against threats.

        -
        Event ID: 2041 -

        Symbolic name:

        -
        -

        MALWAREPROTECTION_OS_EOL -

        -
        -

        Message:

        -
        -

        Antimalware support for this operating system has ended. You must upgrade the operating system for continued support. -

        -
        -

        Description:

        -
        -

        The support for your operating system has expired. Running Windows Defender on an out of support operating system is not an adequate solution to protect against threats.

        -
        Event ID: 2042 -

        Symbolic name:

        -
        -

        MALWAREPROTECTION_PROTECTION_EOL -

        -
        -

        Message:

        -
        -

        The antimalware engine no longer supports this operating system, and is no longer protecting your system from malware. -

        -
        -

        Description:

        -
        -

        The support for your operating system has expired. Windows Defender is no longer supported on your operating system, has stopped functioning, and is not protecting against malware threats.

        -
        Event ID: 2050

        Symbolic name:

        MALWAREPROTECTION_SAMPLESUBMISSION_UPLOAD

        Message:

        The antimalware engine has uploaded a file for further analysis.
        Filename <uploaded filename>
        Sha256: <file SHA>

        Description:

        A file was uploaded to the Windows Defender Antimalware cloud for further analysis or processing.

        Event ID: 2051

        Symbolic name:

        MALWAREPROTECTION_SAMPLESUBMISSION_UPLOADED_FAILED

        Message:

        The antimalware engine has encountered an error trying to upload a suspicious file for further analysis.
        -Filename: <uploaded filename>
        -Sha256: <file SHA>
        -Current Signature Version: <signature version number>
        -Current Engine Version: <engine version number>
        -Error code: <error code>

        Description:

        A file could not be uploaded to the Windows Defender Antimalware cloud.

        User action:

        You can attempt to manually submit the file.

        Event ID: 3002 -

        Symbolic name:

        -
        -

        MALWAREPROTECTION_RTP_FEATURE_FAILURE -

        -
        -

        Message:

        -
        -

        Real-time protection encountered an error and failed.

        -
        -

        Description:

        -
        -

        -

        Windows Defender Real-Time Protection feature has encountered an error and failed.

        -
        -
        Feature: <Feature>, for example: -
          -
        • On Access
        • -
        • Internet Explorer downloads and Microsoft Outlook Express attachments
        • -
        • Behavior monitoring
        • -
        • Network Inspection System
        • -
        -
        -
        Error Code: <Error code> -Result code associated with threat status. Standard HRESULT values.
        -
        Error Description: <Error description> -Description of the error.
        -
        Reason: The reason Windows Defender real-time protection has restarted a feature.
        -
        -

        -
        -

        User action:

        -
        -

        You should restart the system then run a full scan because it’s possible the system was not protected for some time. -

        -

        The Windows Defender client’s real-time protection feature encountered an error because one of the services failed to start. -

        -

        If it is followed by a 3007 event ID, the failure was temporary and the antimalware client recovered from the failure. -

        -
        Event ID: 3007 -

        Symbolic name:

        -
        -

        MALWAREPROTECTION_RTP_FEATURE_RECOVERED

        -
        -

        Message:

        -
        -

        Real-time protection recovered from a failure. We recommend running a full system scan when you see this error. -

        -
        -

        Description:

        -
        -

        -

        Windows Defender Real-time Protection has restarted a feature. It is recommended that you run a full system scan to detect any items that may have been missed while this agent was down.

        -
        -
        Feature: <Feature>, for example: -
          -
        • On Access
        • -
        • IE downloads and Outlook Express attachments
        • -
        • Behavior monitoring
        • -
        • Network Inspection System
        • -
        -
        -
        Reason: The reason Windows Defender real-time protection has restarted a feature.
        -
        -

        -
        -

        User action:

        -
        -

        The real-time protection feature has restarted. If this event happens again, contact Microsoft Technical Support.

        -
        Event ID: 5000 -

        Symbolic name:

        -
        -

        MALWAREPROTECTION_RTP_ENABLED -

        -
        -

        Message:

        -
        -

        Real-time protection is enabled. -

        -
        -

        Description:

        -
        -

        Windows Defender Real-time Protection scanning for malware and other potentially unwanted software was enabled.

        -
        Event ID: 5001 -

        Symbolic name:

        -
        -

        MALWAREPROTECTION_RTP_DISABLED

        -
        -

        Message:

        -
        -

        Real-time protection is disabled. -

        -
        -

        Description:

        -
        -

        Windows Defender Real-time Protection scanning for malware and other potentially unwanted software was disabled.

        -
        Event ID: 5004 -

        Symbolic name:

        -
        -

        MALWAREPROTECTION_RTP_FEATURE_CONFIGURED -

        -
        -

        Message:

        -
        -

        The real-time protection configuration changed. -

        -
        -

        Description:

        -
        -

        -

        Windows Defender Real-time Protection feature configuration has changed.

        -
        -
        Feature: <Feature>, for example: -
          -
        • On Access
        • -
        • IE downloads and Outlook Express attachments
        • -
        • Behavior monitoring
        • -
        • Network Inspection System
        • -
        -
        -
        Configuration:
        -
        -

        -
        Event ID: 5007 -

        Symbolic name:

        -
        -

        MALWAREPROTECTION_CONFIG_CHANGED -

        -
        -

        Message:

        -
        -

        The antimalware platform configuration changed.

        -
        -

        Description:

        -
        -

        -

        Windows Defender Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.

        -
        -
        Old value: <Old value number> -Old Windows Defender configuration value.
        -
        New value: <New value number> -New Windows Defender configuration value.
        -
        -

        -
        Event ID: 5008 -

        Symbolic name:

        -
        -

        MALWAREPROTECTION_ENGINE_FAILURE

        -
        -

        Message:

        -
        -

        The antimalware engine encountered an error and failed.

        -
        -

        Description:

        -
        -

        -

        Windows Defender engine has been terminated due to an unexpected error.

        -
        -
        Failure Type: <Failure type>, for example: -Crash -or Hang
        -
        Exception Code: <Error code>
        -
        Resource: <Resource>
        -
        -

        -
        -

        User action:

        -
        -

        To troubleshoot this event:

          -
        1. Try to restart the service.
            -
          • For antimalware, antivirus and spyware, at an elevated command prompt, type net stop msmpsvc, and then type net start msmpsvc to restart the antimalware engine.
          • -
          • For the Network Inspection System, at an elevated command prompt, type net start nissrv, and then type net start nissrv to restart the Network Inspection System engine by using the NiSSRV.exe file. -
          • -
          -
        2. -
        3. If it fails in the same way, look up the error code by accessing the Microsoft Support Site and entering the error number in the Search box, and contact Microsoft Technical Support.
        4. -
        -

        -
        -

        User action:

        -
        -

        The Windows Defender client engine stopped due to an unexpected error.

        -

        To troubleshoot this event: -

          -
        1. Run the scan again.
        2. -
        3. If it fails in the same way, go to the Microsoft Support site, enter the error number in the Search box to look for the error code.
        4. -
        5. Contact Microsoft Technical Support. -
        6. -
        -

        -
        Event ID: 5009 -

        Symbolic name:

        -
        -

        MALWAREPROTECTION_ANTISPYWARE_ENABLED -

        -
        -

        Message:

        -
        -

        Scanning for malware and other potentially unwanted software is enabled. -

        -
        -

        Description:

        -
        -

        Windows Defender scanning for malware and other potentially unwanted software has been enabled.

        -
        Event ID: 5010 -

        Symbolic name:

        -
        -

        MALWAREPROTECTION_ANTISPYWARE_DISABLED -

        -
        -

        Message:

        -
        -

        Scanning for malware and other potentially unwanted software is disabled.

        -
        -

        Description:

        -
        -

        Windows Defender scanning for malware and other potentially unwanted software is disabled.

        -
        Event ID: 5011 -

        Symbolic name:

        -
        -

        MALWAREPROTECTION_ANTIVIRUS_ENABLED

        -
        -

        Message:

        -
        -

        Scanning for viruses is enabled.

        -
        -

        Description:

        -
        -

        Windows Defender scanning for viruses has been enabled.

        -
        Event ID: 5012 -

        Symbolic name:

        -
        -

        MALWAREPROTECTION_ANTIVIRUS_DISABLED -

        -
        -

        Message:

        -
        -

        Scanning for viruses is disabled. -

        -
        -

        Description:

        -
        -

        Windows Defender scanning for viruses is disabled.

        -
        Event ID: 5100 -

        Symbolic name:

        -
        -

        MALWAREPROTECTION_EXPIRATION_WARNING_STATE -

        -
        -

        Message:

        -
        -

        The antimalware platform will expire soon. -

        -
        -

        Description:

        -
        -

        -

        Windows Defender has entered a grace period and will soon expire. After expiration, this program will disable protection against viruses, spyware, and other potentially unwanted software.

        -
        -
        Expiration Reason: The reason Windows Defender will expire.
        -
        Expiration Date: The date Windows Defender will expire.
        -
        -

        -
        Event ID: 5101 -

        Symbolic name:

        -
        -

        MALWAREPROTECTION_DISABLED_EXPIRED_STATE -

        -
        -

        Message:

        -
        -

        The antimalware platform is expired. -

        -
        -

        Description::

        -
        -

        -

        Windows Defender grace period has expired. Protection against viruses, spyware, and other potentially unwanted software is disabled.

        -
        -
        Expiration Reason:
        -
        Expiration Date:
        -
        Error Code: <Error code> -Result code associated with threat status. Standard HRESULT values.
        -
        Error Description: <Error description> -Description of the error.
        -
        -

        -
        - -## Windows Defender client error codes -If Windows Defender experiences any issues it will usually give you an error code to help you troubleshoot the issue. Most often an error means there was a problem installing an update. -This section provides the following information about Windows Defender client errors. -- The error code -- The possible reason for the error -- Advice on what to do now -Use the information in these tables to help troubleshoot Windows Defender error codes. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        External error codes
        Error codeMessage displayedPossible reason for errorWhat to do now
        -

        0x80508007 -

        -
        -

        ERR_MP_NO_MEMORY -

        -
        -

        This error indicates that you might have run out of memory. -

        -
        -

        -

          -
        1. Check the available memory on your device.
        2. -
        3. Close any unused applications that are running to free up memory on your device.
        4. -
        5. Restart the device and run the scan again. -
        6. -
        -

        -
        -

        0x8050800C

        -
        -

        ERR_MP_BAD_INPUT_DATA

        -
        -

        This error indicates that there might be a problem with your security product.

        -
        -

        -

          -
        1. Update the definitions. Either:
            -
          1. Click the Update definitions button on the Update tab in Windows Defender. Update definitions in Windows Defender

            Or,

            -
          2. -
          3. Download the latest definitions from the Microsoft Malware Protection Center. -

            Note: The size of the definitions file downloaded from the Microsoft Malware Protection Center can exceed 60 MB and should not be used as a long-term solution for updating definitions.

            -
          4. -
          -
        2. -
        3. Run a full scan. -
        4. -
        5. Restart the device and try again.
        6. -
        -

        -
        -

        0x80508020

        -
        -

        ERR_MP_BAD_CONFIGURATION -

        -
        -

        This error indicates that there might be an engine configuration error; commonly, this is related to input -data that does not allow the engine to function properly. -

        -
        -

        0x805080211 -

        -
        -

        ERR_MP_QUARANTINE_FAILED -

        -
        -

        This error indicates that Windows Defender failed to quarantine a threat. -

        -
        -

        0x80508022 -

        -
        -

        ERR_MP_REBOOT_REQUIRED -

        -
        -

        This error indicates that a reboot is required to complete threat removal. -

        -
        -

        0x80508023 -

        -
        -

        ERR_MP_THREAT_NOT_FOUND -

        -
        -

        This error indicates that the threat might no longer be present on the media, or malware might be stopping you from scanning your device. -

        -
        -

        Run the Microsoft Safety Scanner then update your security software and try again. -

        -
        -

        ERR_MP_FULL_SCAN_REQUIRED -

        -
        -

        This error indicates that a full system scan might be required. -

        -
        -

        Run a full system scan. -

        -
        -

        0x80508024 -

        -
        -

        0x80508025 -

        -
        -

        ERR_MP_MANUAL_STEPS_REQUIRED -

        -
        -

        This error indicates that manual steps are required to complete threat removal. -

        -
        -

        Follow the manual remediation steps outlined in the Microsoft Malware Protection Encyclopedia. You can find a threat-specific link in the event history. -

        -
        -

        0x80508026 -

        -
        -

        ERR_MP_REMOVE_NOT_SUPPORTED -

        -
        -

        This error indicates that removal inside the container type might not be not supported. -

        -
        -

        Windows Defender is not able to remediate threats detected inside the archive. Consider manually removing the detected resources. -

        -
        -

        0x80508027 -

        -
        -

        ERR_MP_REMOVE_LOW_MEDIUM_DISABLED -

        -
        -

        This error indicates that removal of low and medium threats might be disabled. -

        -
        -

        Check the detected threats and resolve them as required. -

        -
        -

        0x80508029 -

        -
        -

        ERROR_MP_RESCAN_REQUIRED -

        -
        -

        This error indicates a rescan of the threat is required. -

        -
        -

        Run a full system scan. -

        -
        -

        0x80508030 -

        -
        -

        ERROR_MP_CALLISTO_REQUIRED -

        -
        -

        This error indicates that an offline scan is required. -

        -
        -

        Run Windows Defender Offline. You can read about how to do this in the Windows Defender Offline -article.

        -
        -

        0x80508031 -

        -
        -

        ERROR_MP_PLATFORM_OUTDATED -

        -
        -

        This error indicates that Windows Defender does not support the current version of the platform and requires a new version of the platform. -

        -
        -

        You can only use Windows Defender in Windows 10. For Windows 8, Windows 7 and Windows Vista, you can use System Center Endpoint Protection. -

        -
        -

         

        - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        Internal error codes
        Error codeMessage displayedPossible reason for errorWhat to do now
        -

        0x80501004

        -
        -

        ERROR_MP_NO_INTERNET_CONN -

        -
        -

        Check your Internet connection, then run the scan again.

        -
        -

        Check your Internet connection, then run the scan again.

        -
        -

        0x80501000

        -
        -

        ERROR_MP_UI_CONSOLIDATION_BASE

        -
        -

        This is an internal error. The cause is not clearly defined.

        -
        -

        -

          -
        1. Update the definitions. Either:
            -
          1. Click the Update definitions button on the Update tab in Windows Defender. Update definitions in Windows Defender

            Or,

            -
          2. -
          3. Download the latest definitions from the Microsoft Malware Protection Center. -

            Note: The size of the definitions file downloaded from the Microsoft Malware Protection Center can exceed 60 MB and should not be used as a long-term solution for updating definitions.

            -
          4. -
          -
        2. -
        3. Run a full scan. -
        4. -
        5. Restart the device and try again.
        6. -
        -

        -
        -

        0x80501001

        -
        -

        ERROR_MP_ACTIONS_FAILED

        -
        -

        0x80501002

        -
        -

        ERROR_MP_NOENGINE

        -
        -

        0x80501003

        -
        -

        ERROR_MP_ACTIVE_THREATS

        -
        -

        0x805011011

        -
        -

        MP_ERROR_CODE_LUA_CANCELLED

        -
        -

        0x80501101

        -
        -

        ERROR_LUA_CANCELLATION

        -
        -

        0x80501102

        -
        -

        MP_ERROR_CODE_ALREADY_SHUTDOWN

        -
        -

        0x80501103

        -
        -

        MP_ERROR_CODE_RDEVICE_S_ASYNC_CALL_PENDING

        -
        -

        0x80501104

        -
        -

        MP_ERROR_CODE_CANCELLED

        -
        -

        0x80501105

        -
        -

        MP_ERROR_CODE_NO_TARGETOS

        -
        -

        0x80501106

        -
        -

        MP_ERROR_CODE_BAD_REGEXP

        -
        -

        0x80501107

        -
        -

        MP_ERROR_TEST_INDUCED_ERROR

        -
        -

        0x80501108

        -
        -

        MP_ERROR_SIG_BACKUP_DISABLED

        -
        -

        0x80508001

        -
        -

        ERR_MP_BAD_INIT_MODULES

        -
        -

        0x80508002

        -
        -

        ERR_MP_BAD_DATABASE

        -
        -

        0x80508004

        -
        -

        ERR_MP_BAD_UFS

        -
        -

        0x8050800C

        -
        -

        ERR_MP_BAD_INPUT_DATA

        -
        -

        0x8050800D

        -
        -

        ERR_MP_BAD_GLOBAL_STORAGE

        -
        -

        0x8050800E

        -
        -

        ERR_MP_OBSOLETE

        -
        -

        0x8050800F

        -
        -

        ERR_MP_NOT_SUPPORTED

        -
        -

        0x8050800F -0x80508010 -

        -
        -

        ERR_MP_NO_MORE_ITEMS

        -
        -

        0x80508011

        -
        -

        ERR_MP_DUPLICATE_SCANID

        -
        -

        0x80508012

        -
        -

        ERR_MP_BAD_SCANID

        -
        -

        0x80508013

        -
        -

        ERR_MP_BAD_USERDB_VERSION

        -
        -

        0x80508014

        -
        -

        ERR_MP_RESTORE_FAILED

        -
        -

        0x80508016

        -
        -

        ERR_MP_BAD_ACTION

        -
        -

        0x80508019

        -
        -

        ERR_MP_NOT_FOUND

        -
        -

        0x80509001

        -
        -

        ERR_RELO_BAD_EHANDLE

        -
        -

        0x80509003

        -
        -

        ERR_RELO_KERNEL_NOT_LOADED

        -
        -

        0x8050A001

        -
        -

        ERR_MP_BADDB_OPEN

        -
        -

        0x8050A002

        -
        -

        ERR_MP_BADDB_HEADER

        -
        -

        0x8050A003

        -
        -

        ERR_MP_BADDB_OLDENGINE

        -
        -

        0x8050A004

        -
        -

        ERR_MP_BADDB_CONTENT

        -
        -

        0x8050A005

        -
        -

        ERR_MP_BADDB_NOTSIGNED

        -
        -

        0x8050801

        -
        -

        ERR_MP_REMOVE_FAILED

        -
        -

        This is an internal error. It might be triggered when malware removal is not successful. -

        -
        -

        0x80508018 -

        -
        -

        ERR_MP_SCAN_ABORTED -

        -
        -

        This is an internal error. It might have triggered when a scan fails to complete. -

        -
        - -## Related topics - -- [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md) -- [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md) +This page has been redirected to *Troubleshoot Windows Defender Antivirus*. \ No newline at end of file diff --git a/windows/keep-secure/types-of-attacks-for-volume-encryption-keys.md b/windows/keep-secure/types-of-attacks-for-volume-encryption-keys.md index 96a64490d0..efc97f3e17 100644 --- a/windows/keep-secure/types-of-attacks-for-volume-encryption-keys.md +++ b/windows/keep-secure/types-of-attacks-for-volume-encryption-keys.md @@ -14,7 +14,7 @@ author: brianlic-msft **Applies to** - Windows 10 -There are many ways Windows helps protect your organization from attacks, including Unified Extensible Firmware Interface (UEFI) secure boot, Trusted Platform Module (TPM), Group Policy, complex passwords, and account lockouts. +There are many ways Windows helps protect your organization from attacks, including Unified Extensible Firmware Interface (UEFI) Secure Boot, Trusted Platform Module (TPM), Group Policy, complex passwords, and account lockouts. The next few sections describe each type of attack that could be used to compromise a volume encryption key, whether for BitLocker or a non-Microsoft encryption solution. After an attacker has compromised a volume encryption key, the attacker can read data from your system drive or even install malware while Windows is offline. Each section begins with a graphical overview of the attack’s strengths and weaknesses as well as suggested mitigations. 
@@ -40,7 +40,7 @@ Although password protection of the UEFI configuration is important for protecti For this reason, when BitLocker is configured on devices that include a TPM, the TPM and its PCRs are always used to secure and confirm the integrity of the pre–operating system environment before making encrypted volumes accessible. -Any changes to the UEFI configuration invalidates the PCR7 and require the user to enter the BitLocker recovery key. Because of this feature, it’s not critical to password-protect your UEFI configuration. If an attacker successfully turns off Secure Boot or otherwise changes the UEFI configuration, they will need to enter the BitLocker recovery key, but UEFI password protection is a best practice and is still required for systems not using a TPM (such as non-Microsoft alternatives). +Any change to the UEFI configuration invalidates the PCR7 and requires the user to enter the BitLocker recovery key. Because of this feature, it’s not critical to password-protect your UEFI configuration. But UEFI password protection is a best practice and is still required for systems not using a TPM (such as non-Microsoft alternatives). ### Brute-force Sign-in Attacks diff --git a/windows/keep-secure/use-custom-ti-windows-defender-advanced-threat-protection.md b/windows/keep-secure/use-custom-ti-windows-defender-advanced-threat-protection.md index 0757a26702..c155873b90 100644 --- a/windows/keep-secure/use-custom-ti-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/use-custom-ti-windows-defender-advanced-threat-protection.md 
@@ -1,6 +1,6 @@ --- -title: Use the threat intelligence API in Windows Defender Advanced Threat Protection to create custom alerts -description: Use the custom threat intelligence API to create custom alerts for your organization. +title: Use the custom threat intelligence API to create custom alerts for your organization +description: Use the threat intelligence API in Windows Defender Advanced Threat Protection to create custom alerts keywords: threat intelligence, alert definitions, indicators of compromise search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -21,8 +21,6 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] - Understand threat intelligence concepts, then enable the custom threat intelligence application so that you can proceed to create custom threat intelligence alerts that are specific to your organization. You can use the code examples to guide you in creating calls to the custom threat intelligence API. diff --git a/windows/keep-secure/use-group-policy-windows-defender-antivirus.md b/windows/keep-secure/use-group-policy-windows-defender-antivirus.md new file mode 100644 index 0000000000..07133adfb1 --- /dev/null +++ b/windows/keep-secure/use-group-policy-windows-defender-antivirus.md 
@@ -0,0 +1,15 @@
+---
+title: Configure Windows Defender AV with Group Policy
+description: Configure Windows Defender AV settings with Group Policy
+keywords: group policy, GPO, configuration, settings
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Use Group Policy settings to configure and manage Windows Defender AV
\ No newline at end of file
diff --git a/windows/keep-secure/use-intune-config-manager-windows-defender-antivirus.md b/windows/keep-secure/use-intune-config-manager-windows-defender-antivirus.md
new file mode 100644
index 0000000000..9f6c3a09b5
--- /dev/null
+++ b/windows/keep-secure/use-intune-config-manager-windows-defender-antivirus.md
@@ -0,0 +1,15 @@
+---
+title: Configure Windows Defender AV with Configuration Manager and Intune
+description: Use System Center Configuration Manager and Microsoft Intune to configure Windows Defender AV and Endpoint Protection
+keywords: scep, intune, endpoint protection, configuration
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV
\ No newline at end of file
diff --git a/windows/keep-secure/use-powershell-cmdlets-windows-defender-antivirus.md b/windows/keep-secure/use-powershell-cmdlets-windows-defender-antivirus.md
new file mode 100644
index 0000000000..7d975adcd1
--- /dev/null
+++ b/windows/keep-secure/use-powershell-cmdlets-windows-defender-antivirus.md
@@ -0,0 +1,51 @@
+---
+title: Use PowerShell cmdlets to configure and run Windows Defender AV
+description: In Windows 10, you can use PowerShell cmdlets to run scans, update definitions, and change settings in Windows Defender Antivirus.
+keywords: scan, command line, mpcmdrun, defender
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Use PowerShell cmdlets to configure and manage Windows Defender AV
+
+**Applies to:**
+
+- Windows 10
+
+You can use PowerShell to perform various functions in Windows Defender. Similar to the command prompt or command line, PowerShell is a task-based command-line shell and scripting language designed especially for system administration, and you can read more about it at the [PowerShell hub on MSDN](https://msdn.microsoft.com/en-us/powershell/mt173057.aspx).
+
+For a list of the cmdlets and their functions and available parameters, see the [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) topic.
+
+PowerShell cmdlets are most useful in Windows Server environments that don't rely on a graphical user interface (GUI) to configure software.
+
+> [!NOTE]
+> PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [System Center Configuration Manager](https://technet.microsoft.com/en-us/library/gg682129.aspx), [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx), or [Windows Defender Group Policy ADMX templates](https://support.microsoft.com/en-us/kb/927367).
+
+PowerShell is typically installed under the folder _%SystemRoot%\system32\WindowsPowerShell_.
+
+
+**Use Windows Defender PowerShell cmdlets**
+
+1. Click **Start**, type **powershell**, and press **Enter**.
+2. Click **Windows PowerShell** to open the interface.
+ > [!NOTE]
+ > You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
+3. Enter the command and parameters.
+
+To open online help for any of the cmdlets type the following:
+
+```PowerShell
+Get-Help -Online
+```
+Omit the `-online` parameter to get locally cached help.
+
+## Related topics
+
+- [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
\ No newline at end of file
diff --git a/windows/keep-secure/use-powershell-cmdlets-windows-defender-for-windows-10.md b/windows/keep-secure/use-powershell-cmdlets-windows-defender-for-windows-10.md
index 0ab40df034..dec540347e 100644
--- a/windows/keep-secure/use-powershell-cmdlets-windows-defender-for-windows-10.md
+++ b/windows/keep-secure/use-powershell-cmdlets-windows-defender-for-windows-10.md
@@ -10,41 +10,9 @@ ms.sitesec: library ms.pagetype: security localizationpriority: medium author: iaanw +redirect_url: /use-powershell-cmdlets-windows-defender-antivirus/ --- # Use PowerShell cmdlets to configure and run Windows Defender -**Applies to:** - -- Windows 10 - -You can use PowerShell to perform various functions in Windows Defender. Similar to the command prompt or command line, PowerShell is a task-based command-line shell and scripting language designed especially for system administration, and you can read more about it at the [PowerShell hub on MSDN](https://msdn.microsoft.com/en-us/powershell/mt173057.aspx). - -For a list of the cmdlets and their functions and available parameters, see the [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) topic. - -PowerShell cmdlets are most useful in Windows Server environments that don't rely on a graphical user interface (GUI) to configure software. - -> [!NOTE] -> PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [System Center Configuration Manager](https://technet.microsoft.com/en-us/library/gg682129.aspx), [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx), or [Windows Defender Group Policy ADMX templates](https://support.microsoft.com/en-us/kb/927367). - -PowerShell is typically installed under the folder _%SystemRoot%\system32\WindowsPowerShell_. - - -**Use Windows Defender PowerShell cmdlets** - -1. Click **Start**, type **powershell**, and press **Enter**. -2. Click **Windows PowerShell** to open the interface. - > [!NOTE] - > You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt. -3. Enter the command and parameters. 
-
-To open online help for any of the cmdlets type the following:
-
-```text
-Get-Help -Online
-```
-Omit the `-online` parameter to get locally cached help.
-
-## Related topics
-
-- [Windows Defender in Windows 10](windows-defender-in-windows-10.md)
\ No newline at end of file
+This page has been redirected to *Use PowerShell cmdlets to configure and run Windows Defender Antivirus*.
\ No newline at end of file
diff --git a/windows/keep-secure/use-windows-defender-advanced-threat-protection.md b/windows/keep-secure/use-windows-defender-advanced-threat-protection.md
index 23bb45e5bf..e614c969ca 100644
--- a/windows/keep-secure/use-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/use-windows-defender-advanced-threat-protection.md
@@ -45,7 +45,7 @@ Topic | Description
 [Investigate an IP address](investigate-ip-windows-defender-advanced-threat-protection.md) | Examine possible communication between your machines and external Internet protocol (IP) addresses.
 [Investigate a domain](investigate-domain-windows-defender-advanced-threat-protection.md) | Investigate a domain to see if machines and servers in your enterprise network have been communicating with a known malicious domain.
 [View and organize the Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md)| You can sort, filter, and exporting the machine list.
-[Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md) | The **Machines view** shows a list of the machines in your network, the corresponding number of active alerts for each machine categorized by alert severity levels, as well as the number of threats.
+[Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md) | The **Machines list** shows a list of the machines in your network, the corresponding number of active alerts for each machine categorized by alert severity levels, as well as the number of threats.
 [Investigate a user account](investigate-user-windows-defender-advanced-threat-protection.md)| Investigate user accounts with the most active alerts.
 [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md) | The **Manage Alert** menu on every alert lets you change an alert's status, resolve it, suppress it, or contribute comments about the alert.
 [Take response actions](response-actions-windows-defender-advanced-threat-protection.md)| Take action on a machine or file to quickly respond to detected attacks.
diff --git a/windows/keep-secure/use-wmi-windows-defender-antivirus.md b/windows/keep-secure/use-wmi-windows-defender-antivirus.md
new file mode 100644
index 0000000000..e369e90bd8
--- /dev/null
+++ b/windows/keep-secure/use-wmi-windows-defender-antivirus.md
@@ -0,0 +1,15 @@
+---
+title: Configure Windows Defender AV with WMI
+description: Use WMI scripts to configure Windows Defender AV
+keywords: wmi, scripts, windows management instrumentation, configuration
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV
\ No newline at end of file
diff --git a/windows/keep-secure/utilize-microsoft-cloud-protection-windows-defender-antivirus.md b/windows/keep-secure/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
new file mode 100644
index 0000000000..708740d908
--- /dev/null
+++ b/windows/keep-secure/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
@@ -0,0 +1,57 @@
+---
+title: Utilize cloud-delivered protection in Windows Defender Antivirus
+description: Cloud-delivered protection provides an advanced level of fast, robust antivirus detection.
+keywords: windows defender antivirus, antimalware, security, defender, cloud, cloud-delivered protection
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Utilize Microsoft cloud-delivered protection in Windows Defender Antivirus
+
+**Applies to:**
+
+- Windows 10, version 1703
+
+**Audience**
+
+- Enterprise security administrators
+
+Cloud-delivered protection for Windows Defender Antivirus, also referred to as Microsoft Advanced Protection Service (MAPS), provides you with strong, fast protection in addition to our standard real-time protection.
+
+
+
+>[!NOTE]
+>The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional signature updates.
+
+Enabling cloud-delivered protection helps detect and block new malware - even if the malware has never been seen before - without needing to wait for a traditionally delivered definition update to block it. Definition updates can take hours to prepare and deliver, while our cloud service can deliver updated protection in seconds.
+
+Cloud-delivered protecton is enabled by default, however you may need to re-enable it if it has been disabled as part of previous organizational policies.
+
+The following table describes the differences in cloud-based protection between recent versions of Windows and System Center Configuration Manager.
+
+
+Feature | Windows 8.1 (Group Policy) | Windows 10, version 1607 (Group Policy) | Windows 10, version 1703 (Group Policy) | Configuration manager 2012 | Configuration manager (current branch) | Microsoft Intune
+---|---|---|---|---|---|---
+Cloud-protection service label | Microsoft Advanced Protection Service | Microsoft Advanced Protection Service | Cloud-based Protection | NA | Cloud protection service | Microsoft Advanced Protection Service
+Reporting level (MAPS membership level) | Basic, Advanced | Advanced | Advanced | Dependent on Windows version | Dependent on Windows version | Dependent on Windows version
+Block at first sight availability | No | Yes | Yes | Not configurable | Configurable | No
+Cloud block timeout period | No | No | Configurable | Not configurable | Configurable | No
+
+You can also [configure Windows Defender AV to automatically receive new protection updates based on reports from our cloud service](manage-event-based-updates-windows-defender-antivirus.md#cloud-report-updates).
+
+
+## In this section
+
+ Topic | Description
+---|---
+[Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) | You can enable cloud-delivered protection with System Center Configuration Manager, Group Policy, Microsoft Intune, and PowerShell cmdlets.
+[Specify the cloud-delivered protection level](specify-cloud-protection-level-windows-defender-antivirus.md) | You can specify the level of protection offered by the cloud with Group Policy and System Center Configuration Manager. The protection level will affect the amount of information shared with the cloud and how aggressively new files are blocked.
+[Configure and validate network connections for Windows Defender Antivirus](configure-network-connections-windows-defender-antivirus.md) | There are certain Microsoft URLs that your network and endpoints must be able to connect to for cloud-delivered protection to work effectively.
This topic lists the URLs that should be allowed via firewall or network filtering rules, and instructions for confirming your network is properly enrolled in cloud-delivered protection.
+[Configure the Block at First Sight feature](configure-block-at-first-sight-windows-defender-antivirus.md) | The Block at First Sight feature can block new malware within seconds, without having to wait hours for a traditional signature. You can enable and configure it with System Center Configuration Manager and Group Policy.
+[Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md) | Windows Defender Antivirus can block suspicious files from running while it queries our cloud-based protection service. You can configure the amount of time the file will be prevented from running with System Center Configuration Manager and Group Policy.
\ No newline at end of file
diff --git a/windows/keep-secure/windows-defender-antivirus-in-windows-10.md b/windows/keep-secure/windows-defender-antivirus-in-windows-10.md
new file mode 100644
index 0000000000..350b93809e
--- /dev/null
+++ b/windows/keep-secure/windows-defender-antivirus-in-windows-10.md
@@ -0,0 +1,74 @@
+---
+title: Windows Defender Antivirus
+description: Learn how to manage, configure, and use Windows Defender AV, the built-in antimalware and antivirus product available in Windows 10.
+keywords: windows defender antivirus, windows defender, antimalware, scep, system center endpoint protection, system center configuration manager, virus, malware, threat, detection, protection, security
+ms.assetid: 6A9EB85E-1F3A-40AC-9A47-F44C4A2B55E2
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Windows Defender Antivirus in Windows 10
+
+**Applies to**
+- Windows 10
+
+Windows Defender Antivirus is a built-in antimalware solution that provides security and antimalware management for desktops, portable computers, and servers.
+
+This library of documentation is aimed for enterprise security administrators who are either considering deployment, or have already deployed and are wanting to manage and configure Windows Defender AV on PC endpoints in their network.
+
+For more important information about running Windows Defender on a server platform, see [Windows Defender Overview for Windows Server](https://technet.microsoft.com/library/dn765478.aspx).
+
+## What's new in Windows 10, version 1703
+
+New features for Windows Defender AV in Windows 10, version 1703 include:
+- [Updates to how the Block at First Sight feature can be configured](configure-block-at-first-sight-windows-defender-antivirus.md)
+- [The ability to specify the level of cloud-protection](specify-cloud-protection-level-windows-defender-antivirus.md)
+- [Windows Defender Antivirus protection in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md)
+
+We've expanded this documentation library to cover end-to-end deployment, management, and configuration for Windows Defender AV, and we've added some new guides that can help with evaluating and deploying Windows Defender AV in certain scenarios:
+- [Evaluation guide for Windows Defender AV](evaluate-windows-defender-antivirus.md)
+- [Deployment guide for Windows Defender AV in a virtual desktop infrastructure environment](deployment-vdi-windows-defender-antivirus.md)
+
+See the [In this library](#in-this-library) list at the end of this topic for links to each of the updated sections in this library.
+
+
+## Minimum system requirements
+
+Windows Defender has the same hardware requirements as Windows 10. For more information, see:
+- [Minimum hardware requirements](https://msdn.microsoft.com/library/windows/hardware/dn915086.aspx)
+- [Hardware component guidelines](https://msdn.microsoft.com/library/windows/hardware/dn915049.aspx)
+
+
+Some features require a certain version of Windows 10 - the minimum version required is specified at the top of each topic.
+
+## Compatibility with Windows Defender Advanced Threat Protection
+
+Windows Defender Advanced Threat Protection (ATP) is an additional service that helps enterprises to detect, investigate, and respond to advanced persistent threats on their network.
+
+See the [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) topics for more information about the service.
+
+If you are enrolled in Windows Defender ATP, and you are not using Windows Defender as your real-time protection service on your endpoints, Windows Defender will automatically enter into a passive mode.
+
+In passive mode, Windows Defender will continue to run (using the *msmpeng.exe* process), and will continue to be updated, however there will be no Windows Defender user interface, scheduled scans won’t run, and Windows Defender will not provide real-time protection from malware.
+
+You can still [manage updates for Windows Defender](manage-updates-baselines-windows-defender-antivirus.md), however you can't move Windows Defender into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
+
+If you uninstall the other product, and choose to use Windows Defender to provide protection to your endpoints, Windows Defender will automatically return to its normal active mode.
+
+
+
+## In this library
+
+Topic | Description
+:---|:---
+[Evaluate Windows Defender Antivirus protection](evaluate-windows-defender-antivirus.md) | Evaluate the protection capabilities of Windows Defender Antivirus with a specialized evaluation guide and powershell script.
+[Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) | While traditional client deployment is not required for Windows Defender AV, you will need to enable the service. You can also manage how protection and product updates are applies, and receive reports from Configuration Manager, Intune, and with some security information and event monitoring (SIEM) tools.
+[Configure Windows Defender features](configure-windows-defender-antivirus-features.md) | Windows Defender AV has a large set of configurable features and options.
You can use a number of management tools, including Group Policy, System Center Configuration Manager, Microsoft Intune, PowerShell cmdlets, and Windows Management Instrumentation (WMI). You can configure options such as cloud-delivered protection, always-on monitoring and scanning, and how end-users can interact or override global policy settings.
+[Customize, initiate, and review the results of scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) | You can set up scheduled scans, run on-demand scans, and configure how remediation works when threats are detected.
+[Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-antivirus.md)|Review event IDs in Windows Defender Antivirus and take the appropriate actions.
+[Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)|The management and configuration tools that you can use with Windows Defender AV are listed and described here.
+
diff --git a/windows/keep-secure/windows-defender-block-at-first-sight.md b/windows/keep-secure/windows-defender-block-at-first-sight.md
index 342b7ac541..4c9af5e903 100644
--- a/windows/keep-secure/windows-defender-block-at-first-sight.md
+++ b/windows/keep-secure/windows-defender-block-at-first-sight.md
@@ -10,121 +10,10 @@ ms.sitesec: library ms.pagetype: security localizationpriority: medium author: iaanw +redirect_url: /configure-block-at-first-sight-windows-defender-antivirus/ + --- # Block at First Sight -**Applies to** - -- Windows 10, version 1607 - -**Audience** - -- Network administrators - -Block at First Sight is a feature of Windows Defender cloud protection that provides a way to detect and block new malware within seconds. - -It is enabled by default when certain pre-requisite settings are also enabled. In most cases, these pre-requisite settings are also enabled by default, so the feature is running without any intervention. - -## How it works - -When a Windows Defender client encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend will apply heuristics, machine learning, and automated analysis of the file to determine the files as malicious or clean. - -> [!NOTE] -> The Block at first sight feature only uses the cloud-protection backend for "portable executable" (PE) files that are downloaded from the Internet, or originating from the Internet zone. This includes file types such as .exe, .dll, .scr, and so on. A hash value of the file is checked via the cloud backend to determine if this is a previously undetected file. - -If the cloud backend is unable to make a determination, the file will be locked by Windows Defender while a copy is uploaded to the cloud. Only after the cloud has received the file will Windows Defender release the lock and let the file run. The cloud will perform additional analysis to reach a determination, blocking all future encounters of that file. - -In many cases this process can reduce the response time to new malware from hours to seconds. 
- -> [!NOTE] -> Suspicious file downloads requiring additional backend processing to reach a determination will be locked by Windows Defender on the first machine where the file is encountered, until it is finished uploading to the backend. Users will see a longer "Running security scan" message in the browser while the file is being uploaded. This might result in what appear to be slower download times for some files. - - -## Confirm Block at First Sight is enabled - -Block at First Sight requires a number of Group Policy settings to be configured correctly or it will not work. Usually, these settings are already enabled in most default Windows Defender deployments in enterprise networks. - -> [!IMPORTANT] -> There is no specific individual setting in System Center Configuration Manager to enable Block at First Sight. It is enabled by default when the pre-requisite settings are configured correctly. - -### Confirm Block at First Sight is enabled with Group Policy - -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. - -3. In the **Group Policy Management Editor** go to **Computer configuration**. - -4. Click **Policies** then **Administrative templates**. - -5. Expand the tree to **Windows components > Windows Defender > MAPS** and configure the following Group Policies: - - 1. Double-click the **Join Microsoft MAPS** setting and ensure the option is set to **Enabled**. Click **OK**. - - 1. Double-click the **Send file samples when further analysis is required** setting and ensure the option is set to **Enabled** and the additional options are either of the following: - - 1. Send safe samples (1) - - 1. Send all samples (3) - - > [!WARNING] - > Setting to 0 (Always Prompt) will lower the protection state of the device. 
Setting to 2 (Never send) means the "Block at First Sight" feature will not function. - - 1. Click **OK**. - -1. In the **Group Policy Management Editor**, expand the tree to **Windows components > Windows Defender > Real-time Protection**: - - 1. Double-click the **Scan all downloaded files and attachments** setting and ensure the option is set to **Enabled**. Click **OK**. - - 1. Double-click the **Turn off real-time protection** setting and ensure the option is set to **Disabled**. Click **OK**. - -If you had to change any of the settings, you should re-deploy the Group Policy Object across your network to ensure all endpoints are covered. - - -### Confirm Block at First Sight is enabled with Windows Settings - -> [!NOTE] -> If the pre-requisite settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. - -You can confirm that Block at First Sight is enabled in Windows Settings. The feature is automatically enabled, as long as **Cloud-based protection** and **Automatic sample submission** are both turned on. - -**Confirm Block at First Sight is enabled on individual clients** - -1. Open Windows Defender settings: - - a. Open the Windows Defender app and click **Settings**. - - b. On the main Windows Settings page, click **Update & Security** and then **Windows Defender**. - -2. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**. - -## Disable Block at First Sight - -> [!WARNING] -> Disabling the Block at First Sight feature will lower the protection state of the endpoint and your network. 
- -> [!NOTE] -> You cannot disable Block at First Sight with System Center Configuration Manager - -You may choose to disable the Block at First Sight feature if you want to retain the pre-requisite settings without using Block at First Sight protection. You might wish to do this if you are experiencing latency issues or you want to test the feature's impact on your network. - -**Disable Block at First Sight with Group Policy** - -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. - -3. In the **Group Policy Management Editor** go to **Computer configuration**. - -4. Click **Policies** then **Administrative templates**. - -5. Expand the tree through **Windows components > Windows Defender > MAPS**. - -1. Double-click the **Configure the ‘Block at First Sight’ feature** setting and set the option to **Disabled**. - - > [!NOTE] - > Disabling the Block at First Sight feature will not disable or alter the pre-requisite group policies. - - -## Related topics - -- [Windows Defender in Windows 10](windows-defender-in-windows-10.md) - - +This page has been redirected to *Configure the Block at First Sight feature*. \ No newline at end of file diff --git a/windows/keep-secure/windows-defender-enhanced-notifications.md b/windows/keep-secure/windows-defender-enhanced-notifications.md index e70fede4fd..b63c67e65f 100644 --- a/windows/keep-secure/windows-defender-enhanced-notifications.md +++ b/windows/keep-secure/windows-defender-enhanced-notifications.md 
@@ -10,37 +10,9 @@ ms.sitesec: library ms.pagetype: security localizationpriority: medium author: iaanw +redirect_url: /configure-notifications-windows-defender-antivirus/ --- # Configure enhanced notifications for Windows Defender in Windows 10 -**Applies to:** - -- Windows 10, version 1607 - -In Windows 10, application notifications about malware detection and remediation by Windows Defender are more robust, consistent, and concise. - -Notifications will appear on endpoints when manually triggered and scheduled scans are completed and threats are detected. These notifications will also be seen in the **Notification Center**, and a summary of scans and threat detections will also appear at regular time intervals. - -You can enable and disable enhanced notifications in Windows Settings. - -## Disable notifications - -You can disable enhanced notifications on individual endpoints in Windows Settings. - -**Use Windows Settings to disable enhanced notifications on individual endpoints** - -1. Open the **Start** menu and click or type **Settings**. - -1. Click **Update & Security** and then **Windows Defender**. Scroll to the bottom of the settings page until you see the **Enhanced notifications** section. - -1. Toggle the setting between **On** and **Off**. - -![Windows Defender enhanced notifications](images/defender/enhanced-notifications.png) - - - - -## Related topics - -- [Windows Defender in Windows 10](windows-defender-in-windows-10.md) +This page has been redirected to *Configure notifications*. \ No newline at end of file diff --git a/windows/keep-secure/windows-defender-in-windows-10.md b/windows/keep-secure/windows-defender-in-windows-10.md index 58ecb02cde..4eb81e6c4e 100644 --- a/windows/keep-secure/windows-defender-in-windows-10.md +++ b/windows/keep-secure/windows-defender-in-windows-10.md 
@@ -8,72 +8,9 @@ ms.sitesec: library ms.pagetype: security localizationpriority: medium author: jasesso +redirect_url: /windows-defender-antivirus-in-windows-10/ --- # Windows Defender in Windows 10 -**Applies to** -- Windows 10 - -Windows Defender in Windows 10 is a built-in antimalware solution that provides security and antimalware management for desktops, portable computers, and servers. -This topic provides an overview of Windows Defender, including a list of system requirements and new features. - -For more important information about running Windows Defender on a server platform, see [Windows Defender Overview for Windows Server](https://technet.microsoft.com/windows-server-docs/security/windows-defender/windows-defender-overview-windows-server). - -Take advantage of Windows Defender by configuring settings and definitions using the following tools: -- Microsoft Active Directory *Group Policy* for settings -- Windows Server Update Services (WSUS) for definitions - -Windows Defender provides the most protection when cloud-based protection is enabled. Learn how to enable cloud-based protection in [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md). -> **Note:**  System Center 2012 R2 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, and Microsoft Intune can provide centralized management of Windows Defender, including: -- Settings management -- Definition update management -- Alerts and alert management -- Reports and report management - -When you enable endpoint protection for your clients, it will install an additional management layer on Windows Defender to manage the in-box Windows Defender agent. While the client user interface will still appear as Windows Defender, the management layer for Endpoint Protection will be listed in the **Add/Remove Programs** control panel, though it will appear as if the full product is installed. 
- - -### Compatibility with Windows Defender Advanced Threat Protection - -Windows Defender Advanced Threat Protection (ATP) is an additional service that helps enterprises to detect, investigate, and respond to advanced persistent threats on their network. - -See the [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) topics for more information about the service. - -If you are enrolled in Windows Defender ATP, and you are not using Windows Defender as your real-time protection service on your endpoints, Windows Defender will automatically enter into a passive mode. - -In passive mode, Windows Defender will continue to run (using the *msmpeng.exe* process), and will continue to be updated, however there will be no Windows Defender user interface, scheduled scans won’t run, and Windows Defender will not provide real-time protection from malware. - -You can [configure updates for Windows Defender](configure-windows-defender-in-windows-10.md), however you can't move Windows Defender into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware. - -If you uninstall the other product, and choose to use Windows Defender to provide protection to your endpoints, Windows Defender will automatically return to its normal active mode. - - -  -### Minimum system requirements - -Windows Defender has the same hardware requirements as Windows 10. For more information, see: -- [Minimum hardware requirements](https://msdn.microsoft.com/library/windows/hardware/dn915086.aspx) -- [Hardware component guidelines](https://msdn.microsoft.com/library/windows/hardware/dn915049.aspx) - -### New and changed functionality - -- **Improved detection for unwanted applications and emerging threats using cloud-based protection.** Use the Microsoft Active Protection Service to improve protection against unwanted applications and advanced persistent threats in your enterprise. 
-- **Windows 10 integration.** All Windows Defender in Windows 10 endpoints will show the Windows Defender user interface, even when the endpoint is managed. -- **Operating system, enterprise-level management, and bring your own device (BYOD) integration.** Windows 10 introduces a mobile device management (MDM) interface for devices running Windows 10. Administrators can use MDM-capable products, such as Intune, to manage Windows Defender on Windows 10 devices. - -For more information about what's new in Windows Defender in Windows 10, see [Windows Defender in Windows 10: System integration](https://www.microsoft.com/security/portal/enterprise/threatreports_august_2015.aspx) on the Microsoft Active Protection Service website. - -## In this section - -Topic | Description -:---|:--- -[Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)|Use Active Directory or Windows Server Update Services to manage and deploy updates to endpoints on your network. Configure and run special scans, including archive and email scans. -[Configure updates for Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md)|Configure definition updates and cloud-based protection with Active Directory and Windows Server Update Services. -[Windows Defender Offline in Windows 10](windows-defender-offline.md)|Manually run an offline scan directly from winthin Windows without having to download and create bootable media. -[Use PowerShell cmdlets for Windows Defender](use-powershell-cmdlets-windows-defender-for-windows-10.md)|Run scans and configure Windows Defender options with Windows PowerShell cmdlets in Windows 10. -[Enable the Block at First Sight feature in Windows 10](windows-defender-block-at-first-sight.md)|Use the Block at First Sight feature to leverage the Windows Defender cloud. 
-[Configure enhanced notifications for Windows Defender in Windows 10](windows-defender-enhanced-notifications.md)|Enable or disable enhanced notifications on endpoints running Windows Defender for greater details about threat detections and removal. -[Run a Windows Defender scan from the command line](run-cmd-scan-windows-defender-for-windows-10.md)|Use the command-line utility to run a Windows Defender scan. -[Detect and block Potentially Unwanted Applications with Windows Defender](enable-pua-windows-defender-for-windows-10.md)|Use the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time. -[Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)|Review event IDs in Windows Defender for Windows 10 and take the appropriate actions. +This page has been redirected to *Windows Defender Antivirus in Windows 10*. \ No newline at end of file diff --git a/windows/keep-secure/windows-defender-offline.md b/windows/keep-secure/windows-defender-offline.md index a90a308ed7..c3e4825764 100644 --- a/windows/keep-secure/windows-defender-offline.md +++ b/windows/keep-secure/windows-defender-offline.md @@ -1,6 +1,6 @@ --- title: Windows Defender Offline in Windows 10 -description: You can use Windows Defender Offline straight from the Windows Defender client. You can also manage how it is deployed in your network. +description: You can use Windows Defender Offline straight from the Windows Defender Antivirus app. You can also manage how it is deployed in your network. keywords: scan, defender, offline search.product: eADQiWindows 10XVcnh ms.pagetype: security 
@@ -12,15 +12,26 @@ localizationpriority: medium author: iaanw --- -# Windows Defender Offline in Windows 10 +# Run and review the results of a Windows Defender Offline scan + **Applies to:** - Windows 10, version 1607 +**Audience** + +- Enterprise security administrators + +**Manageability available with** + +- Group Policy +- PowerShell cmdlets +- Windows Management Instruction (WMI) + Windows Defender Offline is an antimalware scanning tool that lets you boot and run a scan from a trusted environment. The scan runs from outside the normal Windows kernel so it can target malware that attempts to bypass the Windows shell, such as viruses and rootkits that infect or overwrite the master boot record (MBR). -In Windows 10, Windows Defender Offline can be run with one click directly from the Windows Defender client. In previous versions of Windows, a user had to install Windows Defender Offline to bootable media, restart the endpoint, and load the bootable media. +In Windows 10, Windows Defender Offline can be run with one click directly from the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md). In previous versions of Windows, a user had to install Windows Defender Offline to bootable media, restart the endpoint, and load the bootable media. ## Pre-requisites and requirements 
@@ -39,16 +50,18 @@ To run Windows Defender Offline from the endpoint, the user must be logged in wi ## Windows Defender Offline updates -Windows Defender Offline uses the most up-to-date signature definitions available on the endpoint; it's updated whenever Windows Defender is updated with new signature definitions. Depending on your setup, this is usually though Microsoft Update or through the [Microsoft Malware Protection Center](https://www.microsoft.com/security/portal/definitions/adl.aspx). +Windows Defender Offline uses the most recent protection updates available on the endpoint; it's updated whenever Windows Defender Antivirus is updated. > [!NOTE] -> Before running an offline scan, you should attempt to update the definitions on the endpoint. You can either force an update via Group Policy or however you normally deploy updates to endpoints, or you can manually download and install the latest updates from the [Microsoft Malware Protection Center](https://www.microsoft.com/security/portal/definitions/adl.aspx). +> Before running an offline scan, you should attempt to update Windows Defender AV protection. You can either force an update with Group Policy or however you normally deploy updates to endpoints, or you can manually download and install the latest protection updates from the [Microsoft Malware Protection Center](https://www.microsoft.com/security/portal/definitions/adl.aspx). -For information on setting up Windows Defender updates, see the [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md) topic. +See the [Manage Windows Defender Antivirus protection and definition updates](manage-protection-updates-windows-defender-antivirus.md) topic for more information. ## Usage scenarios -In Windows 10, version 1607, you can manually force an offline scan. Alternatively, if Windows Defender determines that Windows Defender Offline needs to run, it will prompt the user on the endpoint. 
The need to perform an offline scan will also be revealed in System Center Configuration Manager, if you're using it to manage your endpoints. +In Windows 10, version 1607, you can manually force an offline scan. Alternatively, if Windows Defender determines that Windows Defender Offline needs to run, it will prompt the user on the endpoint. + +The need to perform an offline scan will also be revealed in System Center Configuration Manager if you're using it to manage your endpoints. The prompt can occur via a notification, similar to the following: 
@@ -58,125 +71,76 @@ The user will also be notified within the Windows Defender client: ![Windows Defender showing the requirement to run Windows Defender Offline](images/defender/client.png) -In Configuration Manager, you can identify the status of endpoints by navigating to **Monitoring > Overview > Security > Endpoint Protection Status > System Center Endpoint Protection Status**. Windows Defender Offline scans are indicated under **Malware remediation status** as **Offline scan required**. +In Configuration Manager, you can identify the status of endpoints by navigating to **Monitoring > Overview > Security > Endpoint Protection Status > System Center Endpoint Protection Status**. + +Windows Defender Offline scans are indicated under **Malware remediation status** as **Offline scan required**. ![System Center Configuration Manager indicating a Windows Defender Offline scan is required](images/defender/sccm-wdo.png) -## Manage notifications +## Configure notifications -You can suppress Windows Defender Offline notifications with Group Policy. +Windows Defender Offline notifications are configured in the same policy setting as other Windows Defender AV notifications. -> [!NOTE] -> Changing these settings will affect *all* notifications from Windows Defender. Disabling notifications will mean the endpoint user will not see any messages about any threats detected, removed, or if additional steps are required. - -**Use Group Policy to suppress Windows Defender notifications:** - -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. - -3. In the **Group Policy Management Editor** go to **Computer configuration**. - -4. Click **Policies** then **Administrative templates**. - -5. Expand the tree to **Windows components > Windows Defender > Client Interface**. - -1. 
Double-click the **Suppress all notifications** setting and set the option to **Enabled**. Click **OK**. This will disable all notifications shown by the Windows Defender client. - -## Configure Windows Defender Offline settings - -You can use Windows Management Instrumentation to enable and disable certain features in Windows Defender Offline. For example, you can use `Set-MpPreference` to change the `UILockdown` setting to disable and enable notifications. - -For more information about using Windows Management Instrumentation to configure Windows Defender Offline, including configuration parameters and options, see the following topics: - -- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/windows/desktop/dn439477(v=vs.85).aspx) - -- [Windows Defender MSFT_MpPreference class](https://msdn.microsoft.com/en-us/library/windows/desktop/dn455323(v=vs.85).aspx) - -For more information about notifications in Windows Defender, see the [Configure enhanced notifications in Windows Defender](windows-defender-enhanced-notifications.md)] topic. +For more information about notifications in Windows Defender, see the [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) topic. ## Run a scan -Windows Defender Offline uses up-to-date threat definitions to scan the endpoint for malware that might be hidden. In Windows 10, version 1607, you can manually force an offline scan using Windows Update and Security settings. +> [!IMPORTANT] +> Before you use Windows Defender Offline, make sure you save any files and shut down running programs. The Windows Defender Offline scan takes about 15 minutes to run. It will restart the endpoint when the scan is complete. The scan is performed outside of the usual Windows operating environment. The user interface will appear different to a normal scan performed by Windows Defender. After the scan is completed, the endpoint will be restarted and Windows will load normally. 
-> [!NOTE] -> Before you use Windows Defender Offline, make sure you save any files and shut down running programs. The Windows Defender Offline scan takes about 15 minutes to run. It will restart the endpoint when the scan is complete. +You can run a Windows Defender Offline scan with the following: -You can set up a Windows Defender Offline scan with the following: - -- Windows Update and Security settings - -- Windows Defender - -- Windows Management Instrumentation - -- Windows PowerShell - -- Group Policy - -> [!NOTE] -> The scan is performed outside of the usual Windows operating environment. The user interface will appear different to a normal scan performed by Windows Defender. After the scan is completed, the endpoint will be restarted and Windows will load normally. - -**Run Windows Defender Offline from Windows Settings:** - -1. Open the **Start** menu and click or type **Settings**. - -1. Click **Update & Security** and then **Windows Defender**. Scroll to the bottom of the settings page until you see the **Windows Defender Offline** section. - -1. Click **Scan offline**. - - ![Windows Defender Offline setting](images/defender/settings-wdo.png) - -1. Follow the prompts to continue with the scan. You might be warned that you'll be signed out of Windows and that the endpoint will restart. - -**Run Windows Defender Offline from Windows Defender:** - -1. Open the **Start** menu, type **windows defender**, and press **Enter** to open the Windows Defender client. - -1. On the **Home** tab click **Download and Run**. - - ![Windows Defender home tab showing the Download and run button](images/defender/download-wdo.png) - -1. Follow the prompts to continue with the scan. You might be warned that you'll be signed out of Windows and that the endpoint will restart. 
+- PowerShell +- Windows Management Instrumentation (WMI) +- The Windows Defender Security Center app -**Use Windows Management Instrumentation to configure and run Windows Defender Offline:** -Use the `MSFT_MpWDOScan` class (part of the Windows Defender Windows Management Instrumentation provider) to run a Windows Defender Offline scan. - -The following Windows Management Instrumentation script snippet will immediately run a Windows Defender Offline scan, which will cause the endpoint to restart, run the offline scan, and then restart and boot into Windows. +**Use PowerShell cmdlets to run an offline scan:** + +Use the following cmdlets: + +```PowerShell +Start-MpWDOScan +``` + +See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. + +**Use Windows Management Instruction (WMI) to run an offline scan:** + +Use the [**MSFT_MpWDOScan**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class to run an offline scan. + +The following WMI script snippet will immediately run a Windows Defender Offline scan, which will cause the endpoint to restart, run the offline scan, and then restart and boot into Windows. 
```WMI wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpWDOScan call Start ``` -For more information about using Windows Management Instrumentation to run a scan in Windows Defender, including configuration parameters and options, see the following topics: +See the following for more information: +- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) -- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/windows/desktop/dn439477(v=vs.85).aspx) -- [MSFT_MpWDOScan class article](https://msdn.microsoft.com/library/windows/desktop/mt622458(v=vs.85).aspx) +**Use the Windows Defender Security app to run an offline scan:** -**Run Windows Defender Offline using PowerShell:** +1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. -Use the PowerShell parameter `Start-MpWDOScan` to run a Windows Defender Offline scan. +2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Advanced scan** label: + + +3. Select **Windows Defender Offline scan** and click **Scan now**. + + +> [!NOTE] +> In Windows 10, version 1607, the offline scan could be run from under **Windows Settings** > **Update & security** > **Windows Defender** or from the Windows Defender client. -For more information on available cmdlets and optios, see the [Use PowerShell cmdlets to configure and run Windows Defender](use-powershell-cmdlets-windows-defender-for-windows-10.md) topic. ## Review scan results -Windows Defender Offline scan results will be listed in the main Windows Defender user interface after performing the scan. +Windows Defender Offline scan results will be listed in the [Scan history section of the Windows Defender Security Center app](windows-defender-security-center-antivirus.md#detection-history). -1. 
Open the **Start** menu, type **windows defender**, and press **Enter** to open the Windows Defender client. - -1. Go to the **History** tab. - -1. Select **All detected items**. - -1. Click **View details**. - -Any detected items will display. Items that are detected by Windows Defender Offline will be listed as **Offline** in the **Detection source**: - -![Windows Defender detection source showing as Offline](images/defender/detection-source.png) ## Related topics -- [Windows Defender in Windows 10](windows-defender-in-windows-10.md) \ No newline at end of file +- [Customize, initiate, and review the results of scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) +- [Windows Defender Antivirus](windows-defender-antivirus-in-windows-10.md) \ No newline at end of file diff --git a/windows/keep-secure/windows-defender-security-center-antivirus.md b/windows/keep-secure/windows-defender-security-center-antivirus.md new file mode 100644 index 0000000000..3eba103bd0 --- /dev/null +++ b/windows/keep-secure/windows-defender-security-center-antivirus.md 
@@ -0,0 +1,145 @@ +--- +title: Windows Defender Antivirus in the Windows Defender Security Center app +description: Windows Defender AV is now included in the Windows Defender Security Center app. +keywords: wdav, antivirus, firewall, security, windows +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +--- + + + + + +# Windows Defender Antivirus in the Windows Defender Security Center app + +**Applies to** + +- Windows 10, version 1703 + +**Audience** + +- End-users + +**Manageability available with** + +- Windows Defender Security Center app + + +In Windows 10, version 1703 (also known as the Creators Update), the Windows Defender app is now part of the Windows Defender Security Center. + +Settings that were previously part of the Windows Defender client and main Windows Settings have been combined and moved to the new app, which is installed by default as part of Windows 10, version 1703. + +The app also includes the settings and status of: + +- The PC (as "device health") +- Windows Firewall +- Windows Defender SmartScreen Filter +- Parental and Family Controls + +**Review virus and threat protection settings in the Windows Defender Security Center app:** + +1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**. + +2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar). + +![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](images/defender/wdav-protection-settings-wdsc.png) + +## Comparison of settings and functions of the old app and the new app + +All of the previous functions and settings from the Windows Defender app (in versions of Windows 10 before version 1703) are now found in the new Windows Defender Security app. 
Settings that were previously located in Windows Settings under **Update & security** > **Windows Defender** are also now in the new app. + +The following diagrams compare the location of settings and functions between the old and new apps: + +![Version of Windows Defender in Windows 10 before version 1703](images/defender/wdav-windows-defender-app-old.png) + +![Windows Defender Antivirus in Windows 10, version 1703 and later](images/defender/wdav-wdsc.png) + +Item | Windows 10, before version 1703 | Windows 10, version 1703 | Description +---|---|---|--- +1 | **Update** tab | **Protection updates** | Update the protection ("definition updates") +2 | **History** tab | **Scan history** | Review threats that were quarantined, removed, or allowed +3 | **Settings** (links to **Windows Settings**) | **Virus & threat protection settings** | Enable various features, including Real-time protection, Cloud-delivered protection, Advanced notifications, and Automatic ample submission +4 | **Scan options** | **Advanced scan** | Run a full scan, custom scan, or a Windows Defender Offline scan +5 | Run a scan (based on the option chosen under **Scan options** | **Quick scan** | In Windows 10, version 1703 you can run custom and full scans under the **Advanced scan** option + + +## Common tasks + +This section describes how to perform some of the most common tasks when reviewing or interacting with the threat protection provided by Windows Defender Antivirus in the new Windows Defender Security app. + +> [!NOTE] +> If these settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. 
The [Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-windows-defender-antivirus.md) topic describes how local policy override settings can be configured. + +**Run a scan with the Windows Defender Security Center app** +1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**. + +2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar). + +3. Click **Quick scan**. + +4. Click **Advanced scan** to specify different types of scans, such as a full scan. + + +**Download protection updates in the Windows Defender Security Center app** +1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**. + +2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar). + +3. Click **Protection updates**. + +4. Click **Check for updates** to download new protection updates (if there are any). + + + +**Ensure Windows Defender Antivirus is enabled in the Windows Defender Security Center app** + +1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**. + +2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar). + +3. Click **Virus & threat protection settings**. + +4. Toggle the switches to **On** for the following settings: + 1. **Real-time protection** + 2. **Cloud-based protection** + 3. **Automatic sample submission** + + + + + +**Add exclusions for Windows Defender Antivirus in the Windows Defender Security Center app** +1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**. + +2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar). + +3. Click **Virus & threat protection settings**. 
+ +4. Under the **Exclusions** setting, click **Add or remove exclusions**. + +5. Click the plus icon to choose the type and set the options for each exclusion. + + +**Review threat detection history in the Windows Defender Security Center app** +1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**. + +2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar). + +3. Click **Scan history**. + +4. Click **See full history** under each of the categories (**Current threats**, **Quarantined threats**, **Allowed threats**). + + + + +## Related topics + +- [Windows Defender Antivirus](windows-defender-antivirus-in-windows-10.md) + + diff --git a/windows/keep-secure/windows-defender-smartscreen-available-settings.md b/windows/keep-secure/windows-defender-smartscreen-available-settings.md new file mode 100644 index 0000000000..936751e349 --- /dev/null +++ b/windows/keep-secure/windows-defender-smartscreen-available-settings.md 
@@ -0,0 +1,215 @@ +--- +title: Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings (Windows 10) +description: A list of all available setttings for Windows Defender SmartScreen using Group Policy and mobile device management (MDM) settings. +keywords: SmartScreen Filter, Windows SmartScreen +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +author: eross-msft +localizationpriority: high +--- + +# Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings +**Applies to:** + +- Windows 10 +- Windows 10 Mobile + +Windows Defender SmartScreen works with Group Policy and mobile device management (MDM) settings to help you manage your organization's computer settings. Based on how you set up Windows Defender SmartScreen, you can show employees a warning page and let them continue to the site, or you can block the site entirely. + +## Group Policy settings +SmartScreen uses registry-based Administrative Template policy settings. For more info about Group Policy, see the [Group Policy TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=214514). This site provides links to the latest technical documentation, videos, and downloads for Group Policy. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
        SettingSupported onDescription
        Windows 10, version 1703:
        Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen

        Windows 10, Version 1607 and earlier:
        Administrative Templates\Windows Components\File Explorer\Configure Windows SmartScreen

        At least Windows Server 2012, Windows 8 or Windows RTThis policy setting turns on Windows Defender SmartScreen.

        If you enable this setting, it turns on Windows Defender SmartScreen and your employees are unable to turn it off. Additionally, when enabling this feature, you must also pick whether SmartScreen should Warn your employees or Warn and prevent bypassing the message (effectively blocking the employee from the site).

        If you disable this setting, it turns off Windows Defender SmartScreen and your employees are unable to turn it on.

        If you don't configure this setting, your employees can decide whether to use Windows Defender SmartScreen.

        Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install ControlWindows 10, version 1703This setting helps protect PCs by allowing users to install apps only from the Windows Store. SmartScreen must be enabled for this feature to work properly.

        If you enable this setting, your employees can only install apps from the Windows Store.

        If you disable this setting, your employees can install apps from anywhere, including as a download from the Internet.

        If you don't configure this setting, your employees can choose whether they can install from anywhere or only from Windows Store.

        Windows 10, version 1703:
        Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen

        Windows 10, Version 1607 and earlier:
        Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreen

        Microsoft Edge on Windows 10 or laterThis policy setting turns on Windows Defender SmartScreen.

        If you enable this setting, it turns on Windows Defender SmartScreen and your employees are unable to turn it off.

        If you disable this setting, it turns off Windows Defender SmartScreen and your employees are unable to turn it on.

        If you don't configure this setting, your employees can decide whether to use Windows Defender SmartScreen.

        Windows 10, version 1703:
        Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files

        Windows 10, Version 1511 and 1607:
        Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for files

        Microsoft Edge on Windows 10, version 1511 or laterThis policy setting stops employees from bypassing the Windows Defender SmartScreen warnings about potentially malicious files.

        If you enable this setting, it stops employees from bypassing the warning, stopping the file download.

        If you disable or don't configure this setting, your employees can bypass the warnings and continue to download potentially malicious files.

        Windows 10, version 1703:
        Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites

        Windows 10, Version 1511 and 1607:
        Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for sites

        Microsoft Edge on Windows 10, version 1511 or laterThis policy setting stops employees from bypassing the Windows Defender SmartScreen warnings about potentially malicious sites.

        If you enable this setting, it stops employees from bypassing the warning, stopping them from going to the site.

        If you disable or don't configure this setting, your employees can bypass the warnings and continue to visit a potentially malicious site.

        Administrative Templates\Windows Components\Internet Explorer\Prevent managing SmartScreen FilterInternet Explorer 9 or laterThis policy setting prevents the employee from managing SmartScreen Filter.

        If you enable this policy setting, the employee isn't prompted to turn on SmartScreen Filter. All website addresses that are not on the filter's allow list are sent automatically to Microsoft without prompting the employee.

        If you disable or don't configure this policy setting, the employee is prompted to decide whether to turn on SmartScreen Filter during the first-run experience.

        Administrative Templates\Windows Components\Internet Explorer\Prevent bypassing SmartScreen Filter warningsInternet Explorer 8 or laterThis policy setting determines whether an employee can bypass warnings from SmartScreen Filter.

        If you enable this policy setting, SmartScreen Filter warnings block the employee.

        If you disable or don't configure this policy setting, the employee can bypass SmartScreen Filter warnings.

        Administrative Templates\Windows Components\Internet Explorer\Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the InternetInternet Explorer 9 or laterThis policy setting determines whether the employee can bypass warnings from SmartScreen Filter. SmartScreen Filter warns the employee about executable files that Internet Explorer users do not commonly download from the Internet.

        If you enable this policy setting, SmartScreen Filter warnings block the employee.

        If you disable or don't configure this policy setting, the employee can bypass SmartScreen Filter warnings.

        + +## MDM settings +If you manage your policies using Microsoft Intune, you'll want to use these MDM policy settings. All settings support both desktop computers (running Windows 10 Pro or Windows 10 Enterprise, enrolled with Microsoft Intune) and Windows 10 Mobile devices. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
        SettingSupported versionsDetails
        AllowSmartScreenWindows 10 +
          +
        • URI full path. ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen
        • +
        • Data type. Integer
        • +
        • Allowed values:
            +
          • 0 . Turns off Windows Defender SmartScreen.
          • +
          • 1. Turns on Windows Defender SmartScreen.
        +
        EnableAppInstallControlWindows 10, version 1703 +
          +
        • URI full path. ./Vendor/MSFT/Policy/Config/SmartScreen/EnableAppInstallControl
        • +
        • Data type. Integer
        • +
        • Allowed values:
            +
          • 0 . Turns off Application Installation Control, allowing users to download and install files from anywhere on the web.
          • +
          • 1. Turns on Application Installation Control, allowing users to install apps from the Windows Store only.
        +
        EnableSmartScreenInShellWindows 10, version 1703 +
          +
        • URI full path. ./Vendor/MSFT/Policy/Config/SmartScreen/EnableSmartScreenInShell
        • +
        • Data type. Integer
        • +
        • Allowed values:
            +
          • 0 . Turns off SmartScreen in Windows.
          • +
          • 1. Turns on SmartScreen in Windows.
        +
        PreventOverrideForFilesInShellWindows 10, version 1703 +
          +
        • URI full path. ./Vendor/MSFT/Policy/Config/SmartScreen/PreventOverrideForFilesInShell
        • +
        • Data type. Integer
        • +
        • Allowed values:
            +
          • 0 . Employees can ignore SmartScreen warnings and run malicious files.
          • +
          • 1. Employees can't ignore SmartScreen warnings and run malicious files.
        +
        PreventSmartScreenPromptOverrideWindows 10, Version 1511 and later +
          +
        • URI full path. ./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride
        • +
        • Data type. Integer
        • +
        • Allowed values:
            +
          • 0 . Employees can ignore SmartScreen warnings.
          • +
          • 1. Employees can't ignore SmartScreen warnings.
        +
        PreventSmartScreenPromptOverrideForFilesWindows 10, Version 1511 and later +
          +
        • URI full path. ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles
        • +
        • Data type. Integer
        • +
        • Allowed values:
            +
          • 0 . Employees can ignore SmartScreen warnings for files.
          • +
          • 1. Employees can't ignore SmartScreen warnings for files.
        +
        + +## Recommended Group Policy and MDM settings for your organization +By default, Windows Defender SmartScreen lets employees bypass warnings. Unfortunately, this can let employees continue to an unsafe site or to continue to download an unsafe file, even after being warned. Because of this possibility, we strongly recommend that you set up Windows Defender SmartScreen to block high-risk interactions instead of providing just a warning. + +To better help you protect your organization, we recommend turning on and using these specific Windows Defender SmartScreen Group Policy and MDM settings. + + + + + + + + + + + + + + + + + + + + + +
        Group Policy settingRecommendation
        Administrative Templates\Windows Components\Microsoft Edge\Configure Windows Defender SmartScreenEnable. Turns on Windows Defender SmartScreen.
        Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sitesEnable. Stops employees from ignoring warning messages and continuing to a potentially malicious website.
        Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for filesEnable. Stops employees from ingnoring warning messages and continuing to download potentially malicious files.
        Administrative Templates\Windows Components\File Explorer\Configure Windows Defender SmartScreenEnable with the Warn and prevent bypass option. Stops employees from ignoring warning messages about malicious files downloaded from the Internet.
        +

        + + + + + + + + + + + + + + + + + + + + + + + + + +
        MDM settingRecommendation
        Browser/AllowSmartScreen1. Turns on Windows Defender SmartScreen.
        Browser/PreventSmartScreenPromptOverride1. Stops employees from ignoring warning messages and continuing to a potentially malicious website.
        Browser/PreventSmartScreenPromptOverrideForFiles1. Stops employees from ingnoring warning messages and continuing to download potentially malicious files.
        SmartScreen/EnableSmartScreenInShell1. Turns on Windows Defender SmartScreen in Windows.

        Requires at least Windows 10, version 1703.

        SmartScreen/PreventOverrideForFilesInShell1. Stops employees from ignoring warning messages about malicious files downloaded from the Internet.

        Requires at least Windows 10, version 1703.

        + +## Related topics +- [Keep Windows 10 secure](https://technet.microsoft.com/itpro/windows/keep-secure/index) + +- [Security technologies in Windows 10](https://technet.microsoft.com/itpro/windows/keep-secure/security-technologies) + +- [Available Group Policy and Mobile Data Management (MDM) settings for Microsoft Edge](https://technet.microsoft.com/itpro/microsoft-edge/available-policies) + +>[!NOTE] +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file diff --git a/windows/keep-secure/windows-defender-smartscreen-overview.md b/windows/keep-secure/windows-defender-smartscreen-overview.md new file mode 100644 index 0000000000..4df34ae566 --- /dev/null +++ b/windows/keep-secure/windows-defender-smartscreen-overview.md 
@@ -0,0 +1,66 @@
+---
+title: Windows Defender SmartScreen overview (Windows 10)
+description: Conceptual info about Windows Defender SmartScreen.
+keywords: SmartScreen Filter, Windows SmartScreen
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+author: eross-msft
+localizationpriority: high
+---
+
+# Windows Defender SmartScreen
+**Applies to:**
+
+- Windows 10
+- Windows 10 Mobile
+
+Windows Defender SmartScreen helps to protect your employees if they try to visit sites previously reported as phishing or malware websites, or if an employee tries to download potentially malicious files.
+
+>[!NOTE]
+>SmartScreen completely blocks apps from the Internet from running on Windows 10 Mobile.
+
+**SmartScreen determines whether a site is potentially malicious by:**
+
+- Analyzing visited webpages looking for indications of suspicious behavior. If it finds suspicious pages, SmartScreen shows a warning page, advising caution.
+
+- Checking the visited sites against a dynamic list of reported phishing sites and malicious software sites. If it finds a match, SmartScreen shows a warning to let the user know that the site might be malicious.
+
+**SmartScreen determines whether a downloaded app or app installer is potentially malicious by:**
+
+- Checking downloaded files against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, SmartScreen shows a warning to let the user know that the site might be malicious.
+
+- Checking downloaded files against a list of files that are well known and downloaded by many Windows users. If the file isn't on that list, SmartScreen shows a warning, advising caution.
+
+ >[!NOTE]
+ >Before Windows 10, version 1703 this feature was called the SmartScreen Filter when used within the browser and Windows SmartScreen when used outside of the browser.
+
+## Benefits of Windows Defender SmartScreen
+Windows Defender SmartScreen helps to provide an early warning system against websites that might engage in phishing attacks or attempt to distribute malware through a socially-engineered attack. The primary benefits are:
+
+- **Anti-phishing and anti-malware support.** SmartScreen helps to protect your employees from sites that are reported to host phishing attacks or attempt to distribute malicious software. It can also help protect against deceptive advertisements, scam sites, and drive-by attacks. Drive-by attacks are web-based attacks that tend to start on a trusted site, targeting security vulnerabilities in commonly-used software. Because drive-by attacks can happen even if the user does not click or download anything on the page, the danger often goes unnoticed. For more info about drive-by attacks, see [Evolving Microsoft SmartScreen to protect you from drive-by attacks](https://blogs.windows.com/msedgedev/2015/12/16/SmartScreen-drive-by-improvements/#3B7Bb8bzeAPq8hXE.97)
+
+- **Reputation-based URL and app protection.** SmartScreen evaluates a website's URLs to determine if they're known to distribute or host unsafe content. It also provides reputation checks for apps, checking downloaded programs and the digital signature used to sign a file. If a URL, a file, an app, or a certificate has an established reputation, your employees won't see any warnings. If however there's no reputation, the item is marked as a higher risk and presents a warning to the employee.
+
+- **Operating system integration.** SmartScreen is integrated into the Windows 10 operating system, meaning that it checks any files an app (including 3rd-party browsers and email clients) attempts to download and run.
+
+- **Improved heuristics and telemetry.** SmartScreen is constantly learning and endeavoring to stay up-to-date, so it can help to protect you against potentially malicious sites and files.
+
+- **Management through Group Policy and Microsoft Intune.** SmartScreen supports using both Group Policy and Microsoft Intune settings. For more info about all available settings, see [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen-available-settings.md).
+
+## Viewing Windows Defender SmartScreen anti-phishing events
+When Windows Defender SmartScreen warns or blocks an employee from a website, it's logged as [Event 1035 - Anti-Phishing](https://technet.microsoft.com/en-us/scriptcenter/dd565657(v=msdn.10).aspx).
+
+## Related topics
+- [SmartScreen Frequently Asked Questions (FAQ)](https://support.microsoft.com/en-us/products/windows?os=windows-10)
+
+- [How to recognize phishing email messages, links, or phone calls](https://www.microsoft.com/en-us/safety/online-privacy/phishing-symptoms.aspx)
+
+- [Keep Windows 10 secure](https://technet.microsoft.com/itpro/windows/keep-secure/index)
+
+- [Security technologies in Windows 10](https://technet.microsoft.com/itpro/windows/keep-secure/security-technologies)
+
+
+>[!NOTE]
+>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
\ No newline at end of file
diff --git a/windows/keep-secure/windows-defender-smartscreen-set-individual-device.md b/windows/keep-secure/windows-defender-smartscreen-set-individual-device.md
new file mode 100644
index 0000000000..482d88a367
--- /dev/null
+++ b/windows/keep-secure/windows-defender-smartscreen-set-individual-device.md
@@ -0,0 +1,80 @@
+---
+title: Set up and use Windows Defender SmartScreen on individual devices (Windows 10)
+description: Steps about what happens when an employee tries to run an app, how employees can report websites as safe or unsafe, and how employees can use the Windows Defender Security Center to set Windows Defender SmartScreen for individual devices.
+keywords: SmartScreen Filter, Windows SmartScreen
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+author: eross-msft
+localizationpriority: high
+---
+
+# Set up and use Windows Defender SmartScreen on individual devices
+
+**Applies to:**
+- Windows 10, version 1703
+- Windows 10 Mobile
+
+Windows Defender SmartScreen helps to protect your employees if they try to visit sites previously reported as phishing or malware websites, or if an employee tries to download potentially malicious files.
+
+## How employees can use Windows Defender Security Center to set up Windows Defender SmartScreen
+Starting with Windows 10, version 1703 your employees can use Windows Defender Security Center to set up Windows Defender SmartScreen for an individual device; unless you've used Group Policy or Microsoft Intune to prevent it.
+
+>[!NOTE]
+>If any of the following settings are managed through Group Policy or mobile device management (MDM) settings, it appears as unavailable to the employee.
+
+**To use Windows Defender Security Center to set up Windows Defender SmartScreen on a device**
+1. Open the Windows Defender Security Center app, and then click **App & browser control**.
+
+ ![Windows Defender Security Center](images/windows-defender-security-center.png)
+
+2. In the **App & browser control** screen, choose from the following options:
+
+ - In the **Check apps and files** area:
+
+ - **Block.** Stops employees from downloading and running unrecognized apps and files from the web.
+
+ - **Warn.** Warns employees that the apps and files being downloaded from the web are potentially dangerous, but allows the action to continue.
+
+ - **Off.** Turns off SmartScreen, so an employee isn't alerted or stopped from downloading potentially malicious apps and files.
+
+ - In the **SmartScreen for Microsoft Edge** area:
+
+ - **Block.** Stops employees from downloading and running unrecognized apps and files from the web, while using Microsoft Edge.
+
+ - **Warn.** Warns employees that sites and downloads are potentially dangerous, but allows the action to continue while running in Microsoft Edge.
+
+ - **Off.** Turns off SmartScreen, so an employee isn't alerted or stopped from downloading potentially malicious apps and files.
+
+ - In the **SmartScreen from Windows Store apps** area:
+
+ - **Block** or **Warn.** Warns employees that the sites and downloads used by Windows Store apps are potentially dangerous, but allows the action to continue.
+
+ - **Off.** Turns off SmartScreen, so an employee isn't alerted or stopped from visiting sites or from downloading potentially malicious apps and files.
+
+ ![Windows Defender Security Center, SmartScreen controls](images/windows-defender-smartscreen-control.png)
+
+## How SmartScreen works when an employee tries to run an app
+Windows Defender SmartScreen checks the reputation of any web-based app the first time it's run from the Internet, checking digital signatures and other factors against a Microsoft-maintained service. If an app has no reputation or is known to be malicious, SmartScreen can warn the employee or block the app from running entirely, depending on how you've configured the feature to run in your organization.
+
+By default, your employees can bypass SmartScreen protection, letting them run legitimate apps after accepting a warning message prompt.
You can also use Group Policy or Microsoft Intune to block employees from using unrecognized apps, or to entirely turn off Windows Defender SmartScreen (not recommended).
+
+## How employees can report websites as safe or unsafe
+You can configure Windows Defender SmartScreen to warn employees from going to a potentially dangerous site. Employees can then choose to report a website as safe from the warning message or as unsafe from within Microsoft Edge and Internet Explorer 11.
+
+**To report a website as safe from the warning message**
+- On the warning screen for the site, click **More Information**, and then click **Report that this site does not contain threats**. The site info is sent to the Microsoft feedback site, which provides further instructions.
+
+**To report a website as unsafe from Microsoft Edge**
+- If a site seems potentially dangerous, employees can report it to Microsoft by clicking **More (...)**, clicking **Send feedback**, and then clicking **Report unsafe site**.
+
+**To report a website as unsafe from Internet Explorer 11**
+- If a site seems potentially dangerous, employees can report it to Microsoft by clicking on the **Tools** menu, clicking **Windows Defender SmartScreen**, and then clicking **Report unsafe website**.
+
+## Related topics
+- [Keep Windows 10 secure](https://technet.microsoft.com/itpro/windows/keep-secure/index)
+- [Security technologies in Windows 10](https://technet.microsoft.com/itpro/windows/keep-secure/security-technologies)
+
+>[!NOTE]
+>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
\ No newline at end of file
diff --git a/windows/manage/TOC.md b/windows/manage/TOC.md
index 530731086d..148d75201f 100644
--- a/windows/manage/TOC.md
+++ b/windows/manage/TOC.md
@@ -39,8 +39,9 @@
 ## [Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md)
 ## [Application Virtualization (App-V) for Windows](appv-for-windows.md)
 ### [Getting Started with App-V](appv-getting-started.md)
-#### [What's new in App-V](appv-about-appv.md)
-##### [Release Notes for App-V](appv-release-notes-for-appv-for-windows.md)
+#### [What's new in App-V for Windows 10, version 1703 and earlier](appv-about-appv.md)
+##### [Release Notes for App-V for Windows 10, version 1607](appv-release-notes-for-appv-for-windows.md)
+##### [Release Notes for App-V for Windows 10, version 1703](appv-release-notes-for-appv-for-windows-1703.md)
 #### [Evaluating App-V](appv-evaluating-appv.md)
 #### [High Level Architecture for App-V](appv-high-level-architecture.md)
 ### [Planning for App-V](appv-planning-for-appv.md)
@@ -77,7 +78,10 @@
 #### [Deploying Microsoft Office 2010 by Using App-V](appv-deploying-microsoft-office-2010-wth-appv.md)
 ### [Operations for App-V](appv-operations.md)
 #### [Creating and Managing App-V Virtualized Applications](appv-creating-and-managing-virtualized-applications.md)
-##### [How to Sequence a New Application with App-V](appv-sequence-a-new-application.md)
+##### [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-provision-a-vm.md)
+##### [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-sequencing.md)
+##### [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-updating.md)
+##### [Manually sequence a new app using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-sequence-a-new-application.md)
 ##### [How to Modify an Existing Virtual Application Package](appv-modify-an-existing-virtual-application-package.md)
 ##### [How to Create and Use a Project Template](appv-create-and-use-a-project-template.md)
 ##### [How to Create a Package Accelerator](appv-create-a-package-accelerator.md)
@@ -108,6 +112,7 @@
 ##### [How to deploy App-V Packages Using Electronic Software Distribution](appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md)
 ##### [How to Enable Only Administrators to Publish Packages by Using an ESD](appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md)
 #### [Using the App-V Client Management Console](appv-using-the-client-management-console.md)
+##### [Automatically clean-up unpublished packages on the App-V client](appv-auto-clean-unpublished-packages.md)
 #### [Migrating to App-V from a Previous Version](appv-migrating-to-appv-from-a-previous-version.md)
 ##### [How to Convert a Package Created in a Previous Version of App-V](appv-convert-a-package-created-in-a-previous-version-of-appv.md)
 #### [Maintaining App-V](appv-maintaining-appv.md)
@@ -126,6 +131,7 @@
 ##### [How to Install the App-V Databases and Convert the Associated Security Identifiers by Using Windows PowerShell](appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md)
 ### [Troubleshooting App-V](appv-troubleshooting.md)
 ### [Technical Reference for App-V](appv-technical-reference.md)
+#### [Available Mobile Data Management (MDM) settings for App-V](appv-available-mdm-settings.md)
 #### [Performance Guidance for Application Virtualization](appv-performance-guidance.md)
 #### [Application Publishing and Client Interaction](appv-application-publishing-and-client-interaction.md)
 #### [Viewing App-V Server Publishing Metadata](appv-viewing-appv-server-publishing-metadata.md)
diff --git a/windows/manage/appv-about-appv.md b/windows/manage/appv-about-appv.md
index ef43aeed3d..9fc61c9b7d 100644
--- a/windows/manage/appv-about-appv.md
+++ b/windows/manage/appv-about-appv.md
@@ -1,26 +1,43 @@ --- -title: What's new in App-V for Windows 10 (Windows 10) -description: Information about what's new in App-V for Windows 10. -author: MaggiePucciEvans +title: What's new in App-V for Windows 10, version 1703 and earlier (Windows 10) +description: Information about what's new in App-V for Windows 10, version 1703 and earlier. +author: eross-msft ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 --- - -# What's new in App-V +# What's new in App-V for Windows 10, version 1703 and earlier **Applies to** -- Windows 10, version 1607 +- Windows 10, version 1703 and earlier -Microsoft Application Virtualization (App-V) enables organizations to deliver Win32 applications to users as virtual applications. Virtual applications are installed on centrally managed servers and delivered to users as a service – in real time and on as as-needed basis. Users launch virtual applications from familiar access points and interact with them as if they were installed locally. +Microsoft Application Virtualization (App-V) helps organizations to deliver Win32 applications to employees as virtual apps. Virtual apps are installed on centrally managed servers and delivered to employees as a service – in real time and on an as-needed basis. Employees start virtual apps from familiar access points and interact with them as if they were installed locally. -Application Virtualization (App-V) for Windows 10, version 1607, includes these new features and capabilities compared to App-V 5.1. See [App-V release notes](appv-release-notes-for-appv-for-windows.md) for more information about the App-V for Windows 10, version 1607 release. +## What's new in App-V Windows 10, version 1703 +The following are new features in App-V for Windows 10, version 1703. +### Auto sequence and update your App-V packages singly or as a batch +Previous versions of the App-V Sequencer have required you to manually sequence and update your app packages. 
This was time-consuming and required extensive interaction, causing many companies to deploy brand-new packages rather than update an existing one. Windows 10, version 1703 introduces the App-V Auto-Sequencer, which automatically sequences your app packages, improving your overall experience by streamlining the provisioning of the prerequisite environment, automating app installation, and expediting the package updating setup. + +Using the automatic sequencer to package your apps provides: +- Automatic virtual machine (VM) provisioning of the sequencing environment. For info about this, see [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-provision-a-vm.md). + +- Batch-sequencing of packages. This means that multiple apps can be sequenced at the same time, in a single group. For info about this, see [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-sequencing.md). + +- Batch-updating of packages. This means that multiple apps can be updated at the same time, in a single group. For info about this, see [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-updating.md). + +### Updates to the App-V project template +Starting with Windows 10, version 1703, you can save an App-V project template (.appvt) file as part of a sequenced App-V package, so it's automatically loaded every time the package opens for editing or updates. Your template can include general option settings, file exclusion list settings, and target operating system settings. 
For more info about this, see [Create and apply an App-V project template to a sequenced App-V package](appv-create-and-use-a-project-template.md) + +### Automatically cleanup unpublished App-V packages from the App-V client +Previous versions of App-V have required you to manually remove your unpublished packages from your client devices, to free up additional storage space. Windows 10, version 1703 introduces the ability to use PowerShell or Group Policy settings to automatically cleanup your unpublished packages after a device restart. For more info about this, see [Automatically cleanup unpublished packages on the App-V client](appv-auto-clean-unpublished-packages.md) + +## What's new in App-V in Windows 10, version 1607 +The following are new features in App-V for Windows 10, version 1607. ## App-V is now a feature in Windows 10 - With Windows 10, version 1607 and later releases, Application Virtualization (App-V) is included with [Windows 10 for Enterprise and Windows 10 for Education](https://www.microsoft.com/en-us/WindowsForBusiness/windows-product-home) and is no longer part of the Microsoft Desktop Optimization Pack. For information about earlier versions of App-V, see [MDOP Information Experience](https://technet.microsoft.com/itpro/mdop/index). 
@@ -29,26 +46,25 @@ The changes in App-V for Windows 10, version 1607 impact already existing implem - The App-V client is installed on user devices automatically with Windows 10, version 1607, and no longer has to be deployed separately. Performing an in-place upgrade to Windows 10, version 1607, on user devices automatically installs the App-V client. -- The App-V application sequencer is available from the [Windows 10 Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). In previous releases of App-V, the application sequencer was included in the Microsoft Desktop Optimization Pack. Although you’ll need to use the new application sequencer to create new virtualized applications, existing virtualized applications will continue to work. +- The App-V application sequencer is available from the [Windows 10 Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). In previous releases of App-V, the application sequencer was included in the Microsoft Desktop Optimization Pack. Although you’ll need to use the new application sequencer to create new virtualized applications, existing virtualized applications will continue to work. ->**Note**
        If you're already using App-V 5.x, you don't need to re-deploy the App-V server components as they haven't changed since App-V 5.0 was released. + >[!NOTE] + >If you're already using App-V 5.x, you don't need to re-deploy the App-V server components as they haven't changed since App-V 5.0 was released. For more information about how to configure an existing App-V installation after upgrading user devices to Windows 10, see [Upgrading to App-V for Windows 10 from an existing installation](appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md) and [Migrating to App-V for Windows 10 from a previous version](appv-migrating-to-appv-from-a-previous-version.md). ->**Important** -You can upgrade your existing App-V installation to Windows 10, version 1607 from App-V versions 5.0 SP2 and higher only. If you are using a previous version of App-V, you’ll need to upgrade from that version to App-V 5.0 SP2 before you upgrade to Windows 10, version 1607. - +>[!IMPORTANT] +>You can upgrade your existing App-V installation to Windows 10, version 1607 from App-V versions 5.0 SP2 and higher only. If you are using a previous version of App-V, you’ll need to upgrade from that version to App-V 5.0 SP2 before you upgrade to Windows 10, version 1607.   ## Support for System Center - App-V supports System Center 2016 and System Center 2012 R2 Configuration Manager SP1. See [Planning for App-V Integration with Configuration Manager](https://technet.microsoft.com/library/jj822982.aspx) for information about integrating your App-V environment with Configuration Manager. +## Related topics +- [Release Notes for App-V for Windows 10, version 1607](appv-release-notes-for-appv-for-windows.md) + +- [Release Notes for App-V for Windows 10, version 1703](appv-release-notes-for-appv-for-windows-1703.md) ## Have a suggestion for App-V? 
- Add or vote on suggestions on the [Application Virtualization feedback site](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
        For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
-## Related topics
-
-[Release Notes for App-V](appv-release-notes-for-appv-for-windows.md)
diff --git a/windows/manage/appv-auto-batch-sequencing.md b/windows/manage/appv-auto-batch-sequencing.md
new file mode 100644
index 0000000000..2722febd18
--- /dev/null
+++ b/windows/manage/appv-auto-batch-sequencing.md
@@ -0,0 +1,173 @@
+---
+title: Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10)
+description: How to automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer).
+author: eross-msft
+ms.pagetype: mdop, appcompat, virtualization
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.prod: w10
+---
+
+# Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)
+
+**Applies to**
+- Windows 10, version 1703
+
+Sequencing multiple apps at the same time requires you to install and start Microsoft Application Virtualization Sequencer (App-V Sequencer), and to install the necessary apps to collect any changes made to the operating system during the installation and building of the App-V package.
+
+In Windows 10, version 1703, running the App-V Sequencer automatically captures and stores your customizations as an App-V project template (.appvt) file. If you want to make changes to this package later, your customizations will be automatically loaded from this template file. This is applicable to all of the sequencing scenarios:
+
+- Using the New-BatchAppVSequencerPackages cmdlet
+
+- Using the App-V Sequencer interface
+
+- Using the new-AppVSequencerPackage cmdlet
+
+>[!NOTE]
+>If you're trying to update multiple apps at the same time, see the [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-updating.md) topic.
+
+### Sequence multiple apps by using a PowerShell cmdlet
+Sequencing multiple apps at the same time requires that you create a **ConfigFile** with info related to each round of sequencing.
This file is then used by the cmdlet to start the VM at a "clean" checkpoint, to copy the installer from the Host device to the VM, and then to start the App-V Sequencer to monitor your specified app installations.
+
+**To create your ConfigFile for use by the PowerShell cmdlet**
+
+1. Determine the apps that need to be included in your App-V sequencing package, and then open a text editor, such as Notepad.
+
+2. Add the following required XML info for each app:
+
+ - **<Name>.** The name of the app you're adding to the package.
+
+ - **<InstallerFolder>.** The file path to the folder with the app installer.
+
+ - **<Installer>.** The file name for the app executable. This will typically be an .exe or .msi file.
+
+ - **<InstallerOptions>.** The command-line options required for the app installation.
+
+ - **<TimeoutInMinutes>.** The maximum amount of time, in minutes, that the cmdlet should wait for sequencing to complete. You can enter a different value for each app, based on the size and complexity of the app itself.
+
+ - **<Cmdlet>.** Determines whether the sequencer uses the cmdlet or the App-V Sequencer interface. **True** tells the sequencer to use cmdlet-based sequencing, while **False** tells the sequencer to use the App-V Sequencer interface. You can use both the cmdlet and the interface together in the same ConfigFile, for different apps.
+
+ - **<Enabled>.** Indicates whether the app should be sequenced. **True** includes the app, while **False** ignores it. You can include as many apps as you want in the batch file, but optionally enable only a few of them.
+
+ **Example:**
+
+ ```XML
+
+
+
+ Skype for Windows
+ D:\Install\New\SkypeforWindows
+ SkypeSetup.exe
+ /S
+ 20
+ True
+ True
+
+
+ Power BI
+ D:\Install\New\MicrosoftPowerBI
+ PBIDesktop.msi
+ /S
+ 20
+ True
+ True
+
+
+
+ ```
+3. Save your completed file, using the name **ConfigFile**.
+
+
+**To start the App-V Sequencer interface and app installation process**
+- Open PowerShell as an admin on the Host computer and run the following commands to start the batch sequencing:
+
+ ```ps1
+ New-BatchAppVSequencerPackages –ConfigFile –VMName -OutputPath
+ ```
+ Where _VMName_ is the name of the virtual machine (VM) with the App-V Sequencer installed, where you'll run the batch sequencing, and _OutputPath_ is the full path to where the sequenced packages should be copied.
+
+ The cmdlet creates a "clean" checkpoint on the VM. Next, the cmdlet copies the first app installer listed in the ConfigFile from the Host computer to the VM, and finally a new session of the VM opens (through VMConnect) and sequencing of the app begins from the command-line. After completing sequencing and package creation for the first app on the VM, the package is copied from the VM to the Host computer, specified in the OutputPath parameter. The cmdlet then goes to the second app on your list, reverting the VM back to a "clean" checkpoint and running through all of the steps again, until the second app package is copied to your output folder. This process continues until all apps included in your list are done. After the last app, the VM is reverted back to a "clean" checkpoint and turned off.
+
+### Sequence multiple apps by using the App-V Sequencer interface
+Sequencing multipe apps at the same time requires that you create a **ConfigFIle** to collect all of the info related to each round of sequencing. This file is then used by the App-V Sequencer interface after creating a "clean" checkpoint on your VM.
+
+**To create your ConfigFile for use by the App-V Sequencer interface**
+
+1. Determine the apps that need to be included in your App-V sequencing package, and then open a text editor, such as Notepad.
+
+2. Add the following required XML info for each app:
+
+ - **<Name>.** The name of the app you're adding to the package.
+
+ - **<InstallerFolder>.** The file path to the folder with the app installer.
+
+ - **<Installer>.** The file name for the app executable. This will typically be an .exe or .msi file.
+
+ - **<TimeoutInMinutes>.** The maximum amount of time, in minutes, that the cmdlet should wait for sequencing to complete. You can enter a different value for each app, based on the size and complexity of the app itself.
+
+ - **<Cmdlet>.** Determines whether the sequencer uses the cmdlet or the App-V Sequencer interface. **True** tells the sequencer to usea cmdlet-based sequencing, while **False** tells the sequencer to use the App-V Sequencer interface. You can use both the cmdlet and the interface together in the same ConfigFile, for different apps.
+
+ - **<Enabled>.** Indicates whether the app should be sequenced. **True** includes the app, while **False** ignores it. You can include as many apps as you want in the batch file, but optionally enable only a few of them.
+
+ **Example:**
+
+ ```XML
+
+
+
+ Skype for Windows
+ D:\Install\New\SkypeforWindows
+ SkypeSetup.exe
+ 20
+ False
+ True
+
+
+ Power BI
+ D:\Install\New\MicrosoftPowerBI
+ PBIDesktop.msi
+ 20
+ False
+ True
+
+
+
+ ```
+
+
+**To start the App-V Sequencer interface and app installation process**
+- Open PowerShell as an admin on the Host computer and run the following commands to start the batch sequencing:
+
+ ```ps1
+ New-BatchAppVSequencerPackages –ConfigFile –VMName -OutputPath
+ ```
+ Where _VMName_ is the name of the virtual machine (VM) with the App-V Sequencer installed, where you'll run the batch sequencing, and _OutputPath_ is the full path to where the sequenced packages should be copied.
+
+ The cmdlet creates a "clean" checkpoint on the VM. Next, the cmdlet copies the first app installer listed in the ConfigFile from the Host computer to the VM, and finally a new session of the VM opens (through VMConnect) and sequencing of the app begins from the command-line.
After completing sequencing and package creation for the first app on the VM, the package is copied from the VM to the Host computer, specified in the OutputPath parameter. The cmdlet then goes to the second app on your list, reverting the VM back to a "clean" checkpoint and running through all of the steps again, until the second app package is copied to your output folder. This process continues until all apps included in your list are done. After the last app, the VM is reverted back to a "clean" checkpoint and turned off.
+
+### Review the log files
+There are 3 types of log files that occur when you sequence multiple apps at the same time:
+
+- **New-BatchAppVSequencerPackages-<*time_stamp*>.txt**. Located in the %temp%\AutoSequencer\Logs directory. This log contains info about the sequencing activities, such as "Copying installer to VM", "Scheduling sequencing task", and so on for each app. Additionally, if an app times out, this log contains the failure along with the checkpoint for troubleshooting the problem.
+
+- **New-BatchAppVSequencerPackages-report-<*time_stamp*>.txt**. Located in the **OutputPath** folder you specified earlier. This log contains info about the connections made to the VM, showing if there were any failures. Additionally, it briefly includes success or failure info for all of the apps.
+
+- **Log.txt file**. Located in the **Output Package** folder. This file contains all code included in the NewAppVSequencerPackage cmdlet, including the allowed parameters.
+
+### Related topics
+- [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit)
+
+- [How to install the App-V Sequencer](appv-install-the-sequencer.md)
+
+- [Learn about Hyper-V on Windows Server 2016](https://technet.microsoft.com/en-us/windows-server-docs/compute/hyper-v/hyper-v-on-windows-server)
+
+- [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-provision-a-vm.md)
+
+- [Manually sequence a single app using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-sequence-a-new-application.md)
+
+- [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-updating.md)
+
+- [Automatically cleanup unpublished packages on the App-V client](appv-auto-clean-unpublished-packages.md)
+
+**Have a suggestion for App-V?**

        +Add or vote on suggestions on the [Application Virtualization feedback site](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
        For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
\ No newline at end of file
diff --git a/windows/manage/appv-auto-batch-updating.md b/windows/manage/appv-auto-batch-updating.md
new file mode 100644
index 0000000000..3c9a7531bc
--- /dev/null
+++ b/windows/manage/appv-auto-batch-updating.md
@@ -0,0 +1,177 @@
+---
+title: Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10)
+description: How to automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer).
+author: eross-msft
+ms.pagetype: mdop, appcompat, virtualization
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.prod: w10
+---
+
+# Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)
+
+**Applies to**
+- Windows 10, version 1703
+
+Updating multiple apps at the same time follows the same process as [automatically sequencing multiple apps at the same time](appv-auto-batch-sequencing.md). However for updating, you'll pass your previously created app package files to the App-V Sequencer cmdlet for updating.
+
+Starting with Windows 10, version 1703, running the New-BatchAppVSequencerPackages cmdlet or the App-V Sequencer interface captures and stores all of your customizations as an App-V project template. If you want to make changes to this package later, your customizations are automatically loaded from this template file.
+
+>[!NOTE]
+>If you're trying to sequence multiple apps at the same time, see the [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-sequencing.md) topic.
+
+### Update multiple apps by using a PowerShell cmdlet
+Updating multiple apps at the same time requires that you create a **ConfigFile** with info related to each round of updating. This file is then used by the cmdlet to start the VM at a "clean" checkpoint, to copy the installer from the Host device to the VM, and then to start the App-V Sequencer to monitor your specified app installations.
+
+**To create your ConfigFile for use by the PowerShell cmdlet**
+
+1. 
Determine the apps that need to be included in your app package, and then open a text editor, such as Notepad. + +2. Add the following XML info for each app: + + - **<Name>.** The name of the app you're adding to the package. + + - **<InstallerFolder>.** The file path to the folder with the app installer. + + - **<Installer>.** The file name for the app executable. This will typically be an .exe or .msi file. + + - **<InstallerOptions>.** The command-line options required for the app installation. + + - **<Package>.** The file path to the location of your App-V packages. These packages were created when you sequenced your apps. + + - **<TimeoutInMinutes>.** The maximum amount of time, in minutes, that the cmdlet should wait for updating to complete. You can enter a different value for each app, based on the size and complexity of the app itself. + + - **<Cmdlet>.** Determines whether the sequencer uses the cmdlet or the App-V Sequencer interface. **True** tells the sequencer to use cmdlet-based updating, while **False** tells the sequencer to use the App-V Sequencer interface. You can use both the cmdlet and the interface together in the same ConfigFile, for different apps. + + - **<Enabled>.** Indicates whether the app should be sequenced. **True** includes the app, while **False** ignores it. You can include as many apps as you want in the batch file, but optionally enable only a few of them. + + **Example:** + ```XML + + + + Skype for Windows Update + D:\Install\Update\SkypeforWindows + SkypeSetup.exe + /S + C:\App-V_Package\Microsoft_Apps\skypeupdate.appv + 20 + True + True + + + Microsoft Power BI Update + D:\Install\Update\PowerBI + PBIDesktop.msi + /S + C:\App-V_Package\MS_Apps\powerbiupdate.appv + 20 + True + True + + + + ``` + +3. Save your completed file, using the name **ConfigFile**. 
+ + +**To start the App-V Sequencer interface and app installation process** +- Open PowerShell as an admin on the Host computer and run the following commands to start the batch updating: + + ```ps1 + New-BatchAppVSequencerPackages –ConfigFile –VMName -OutputPath + ``` + Where _VMName_ is the name of the virtual machine (VM) with the App-V Sequencer installed, where you'll run the batch updating, and _OutputPath_ is the full path to where the updated packages should be copied. + + The cmdlet creates a "clean" checkpoint on the VM. Next, the cmdlet copies the first app installer listed in the ConfigFile from the Host computer to the VM, and finally a new session of the VM opens (through VMConnect) and updating of the app begins from the command-line. After completing updating and package creation for the first app on the VM, the package is copied from the VM to the Host computer, specified in the OutputPath parameter. The cmdlet then goes to the second app on your list, reverting the VM back to a "clean" checkpoint and running through all of the steps again, until the second app package is copied to your output folder. This process continues until all apps included in your list are done. After the last app, the VM is reverted back to a "clean" checkpoint and turned off. + +### Update multiple apps by using the App-V Sequencer interface +Updating multipe apps at the same time requires that you create a **ConfigFile** to collect all of the info related to each round of updating. This file is then used by the App-V Sequencer interface after creating a "clean" checkpoint on your VM. + +**To create your ConfigFile for use by the App-V Sequencer interface** + +1. Determine the apps that need to be updated and then open a text editor, such as Notepad. + +2. Add the following XML info for each app: + + - **<Name>.** The name of the app you're adding to the package. + + - **<InstallerFolder>.** The file path to the folder with the app installer. 
+ + - **<Installer>.** The file name for the app executable. This will typically be an .exe or .msi file. + + - **<Package>.** The file path to the location of your App-V packages. These packages were created when you sequenced your apps. + + - **<TimeoutInMinutes>.** The maximum amount of time, in minutes, the cmdlet should wait for updating to complete. You can enter a different value for each app, based on the size and complexity of the app itself. + + - **<Cmdlet>.** Determines whether the sequencer uses the cmdlet or the App-V Sequencer interface. **True** tells the sequencer to usea cmdlet-based updating, while **False** tells the sequencer to use the App-V Sequencer interface. You can use both the cmdlet and the interface together in the same ConfigFile, for different apps. + + - **<Enabled>.** Indicates whether the app should be sequenced. **True** includes the app, while **False** ignores it. You can include as many apps as you want in the batch file, but optionally enable only a few of them. + + **Example:** + + ```XML + + + + Skype for Windows Update + D:\Install\Update\SkypeforWindows + SkypeSetup.exe + /S + C:\App-V_Package\Microsoft_Apps\skypeupdate.appv + 20 + False + True + + + Microsoft Power BI Update + D:\Install\Update\PowerBI + PBIDesktop.msi + /S + C:\App-V_Package\MS_Apps\powerbiupdate.appv + 20 + False + True + + + + ``` + +**To start the App-V Sequencer interface and app installation process** +- Open PowerShell as an admin on the Host computer and run the following commands to start the batch updating: + + ```ps1 + New-BatchAppVSequencerPackages –ConfigFile –VMName -OutputPath + ``` + Where _VMName_ is the name of the virtual machine (VM) with the App-V Sequencer installed, where you'll run the batch updating, and _OutputPath_ is the full path to where the updated packages should be copied. + + The cmdlet creates a "clean" checkpoint on the VM. 
Next, the cmdlet copies the first app installer listed in the ConfigFile from the Host computer to the VM, and finally a new session of the VM opens (through VMConnect) and updating of the app begins from the command-line. After completing updating and package creation for the first app on the VM, the package is copied from the VM to the Host computer, specified in the OutputPath parameter. The cmdlet then goes to the second app on your list, reverting the VM back to a "clean" checkpoint and running through all of the steps again, until the second app package is copied to your output folder. This process continues until all apps included in your list are done. After the last app, the VM is reverted back to a "clean" checkpoint and turned off.
+
+### Review the log files
+There are 3 types of log files that occur when you sequence multiple apps at the same time:
+
+- **New-BatchAppVSequencerPackages-<*time_stamp*>.txt**. Located in the %temp%\AutoSequencer\Logs directory. This log contains info about the updating activities, such as "Copying installer to VM", "Scheduling updating task", and so on for each app. Additionally, if an app times out, this log contains the failure along with the checkpoint for troubleshooting the problem.
+
+- **New-BatchAppVSequencerPackages-report-<*time_stamp*>.txt**. Located in the **OutputPath** folder you specified earlier. This log contains info about the connections made to the VM, showing if there were any failures. Additionally, it briefly includes success or failure info for all of the apps.
+
+- **Log.txt file**. Located in the **Output Package** folder. This file contains all code included in the NewAppVSequencerPackage cmdlet, including the allowed parameters.
+
+### Related topics
+- [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit)
+
+- [How to install the App-V Sequencer](appv-install-the-sequencer.md)
+
+- [Learn about Hyper-V on Windows Server 2016](https://technet.microsoft.com/en-us/windows-server-docs/compute/hyper-v/hyper-v-on-windows-server)
+
+- [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-provision-a-vm.md)
+
+- [Manually sequence a single app using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-sequence-a-new-application.md)
+
+- [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-sequencing.md)
+
+- [Automatically cleanup unpublished packages on the App-V client](appv-auto-clean-unpublished-packages.md)
+
+
+**Have a suggestion for App-V?**

        +Add or vote on suggestions on the [Application Virtualization feedback site](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
        For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
\ No newline at end of file
diff --git a/windows/manage/appv-auto-clean-unpublished-packages.md b/windows/manage/appv-auto-clean-unpublished-packages.md
new file mode 100644
index 0000000000..234222854e
--- /dev/null
+++ b/windows/manage/appv-auto-clean-unpublished-packages.md
@@ -0,0 +1,76 @@
+---
+title: Automatically cleanup unpublished packages on the App-V client (Windows 10)
+description: How to automatically clean-up any unpublished packages on your App-V client devices.
+author: eross-msft
+ms.pagetype: mdop, appcompat, virtualization
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.prod: w10
+---
+
+
+# Automatically cleanup unpublished packages on the App-V client
+
+**Applies to**
+- Windows 10, version 1703
+
+Previous versions of App-V have required you to manually remove your unpublished packages from your client devices, to free up additional storage space. Windows 10, version 1703 introduces the ability to use PowerShell or Group Policy settings to automatically cleanup your unpublished packages after a device restart.
+
+## Cleanup by using PowerShell commands
+Using PowerShell, you can turn on the **AutoCleanupEnabled** setting to automatically cleanup your unpublished App-V packages from your App-V client devices.
+
+**To turn on the AutoCleanupEnabled option**
+
+1. Open PowerShell as an admin and run the following command to turn on the automatic package cleanup functionality:
+
+ ```ps1
+ Set-AppvClientConfiguration -AutoCleanupEnabled 1
+ ```
+
+ The command runs and you should see the following info on the PowerShell screen:
+ + + + + + + + + + + + + + + + +
        NameValueSetbyGroupPolicy
        AutoCleanupEnabled1False
        + +2. Run the following command to make sure the configuration is ready to automatically cleanup your packages. + + ```ps1 + Get-AppvClientConfiguration + ``` + You should see the **AutoCleanupEnabled** option turned on (shows a value of "1") in the configuration list. + +## Cleanup by using Group Policy settings +Using Group Policy, you can turn on the **Enable automatic cleanup of unused appv packages** setting to automatically cleanup your unpublished App-V packages from your App-V client devices. + +**To turn on the Enable automatic cleanup of unused appv packages setting** + +1. Open your Group Policy editor and double-click the Administrative Templates\System\App-V\PackageManagement\Enable automatic cleanup of unused appv packages setting. + +2. Click **Enabled**, and then click **OK**. + + After your Group Policy updates, the setting is turned on and will cleanup any unpublished App-V packages on the App-V Client after restarting. + +### Related topics +- [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) + +- [Download the Microsoft Application Virtualization 5.0 Client UI Application](https://www.microsoft.com/en-us/download/details.aspx?id=41186) + +- [Using the App-V Client Management Console](appv-using-the-client-management-console.md) + + +**Have a suggestion for App-V?**

        +Add or vote on suggestions on the [Application Virtualization feedback site](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
        For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
\ No newline at end of file
diff --git a/windows/manage/appv-auto-provision-a-vm.md b/windows/manage/appv-auto-provision-a-vm.md
new file mode 100644
index 0000000000..b4b1819a25
--- /dev/null
+++ b/windows/manage/appv-auto-provision-a-vm.md
@@ -0,0 +1,127 @@
+---
+title: Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10)
+description: How to automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer) PowerShell cmdlet or the user interface.
+author: eross-msft
+ms.pagetype: mdop, appcompat, virtualization
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.prod: w10
+---
+
+
+# Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)
+
+**Applies to**
+- Windows 10, version 1703
+
+Previous versions of the App-V Sequencer have required you to manually create your sequencing environment. Windows 10, version 1703 introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine.
+
+## Automatic VM provisioning of the sequencing environment
+You have 2 options for provisioning an VM for auto-sequencing:
+- Using a Virtual Hard Disk (VHD)
+
+ -OR-
+
+- Updating an existing VM
+
+ >[!NOTE]
+ >We have reduced the number of environmental checks performed by the App-V Sequencer, narrowing down the list of apps that need to be disabled or turned off for a clean sequencing experience. We've also suppressed antivirus and other similar app warnings.
+
+### Provision a new VM by using a VHD file
+Provisioning your new VM includes creating a VHD file, setting up a user account, turning on remote PowerShell scripting, and installing the App-V Sequencer.
+
+#### Create a VHD file
+For this process to work, you must have a base operating system available as a VHD image file, we recommend using the [Convert-WindowsImage.ps1](https://gallery.technet.microsoft.com/scriptcenter/Convert-WindowsImageps1-0fe23a8f) command-line tool.
+
+**To create a VHD file by using the Convert-WindowsImage command-line tool**
+1. Open PowerShell as an admin and run the Convert-WindowsImage tool, using the following commands:
+
+ ```ps1
+ Convert-WindowsImage -SourcePath "" -VHDFormat "VHD" -VHDPartitionStyle "MBR"
+ ```
+ Where *<path_to_iso_image>* is the full path to your ISO image.
+
+ >[!IMPORTANT]
+ >You must specify the _VHDPartitionStyle_ as **MBR**. Using the default value, **GPT**, will cause a boot failure in your VHD image.
+
+#### Provision your VM using your VHD file
+After you have a VHD file, you must provision your VM for auto-sequencing.
+
+**To provision your VM using your VHD file**
+1. On the Host device, install Windows 10, version 1703 and the **Microsoft Application Virtualization (App-V) Auto Sequencer** component from the matching version of the Windows Assessment and Deployment Kit (ADK). For more info on how to install the App-V Sequencer, see [Install the App-V Sequencer](appv-install-the-sequencer.md).
+
+2. Make sure that Hyper-V is turned on. For more info about turning on and using Hyper-V, see [Hyper-V on Windows Server 2016](https://technet.microsoft.com/en-us/windows-server-docs/compute/hyper-v/hyper-v-on-windows-server).
+
+3. Open PowerShell as an admin and run the **New-AppVSequencerVM** cmdlet, using the following parameters:
+
+ ```ps1
+ New-AppVSequencerVM -VMName "" -ADKPath "" -VHDPath "" -VMMemory -VMSwitch ""
+ ```
+
+This command creates a new Hyper-V VM file using the provided VHD file and also creates a "clean" checkpoint, from where all sequencing and updating will start.
+
+
+### Provision an existing VM for auto-sequencing
+If your apps require custom prerequisites, such as Microsoft SQL Server, we recommend that you preinstall the prerequisites on your VM and then use that VM for auto-sequencing. Using these steps will establish a connection to your existing VM.
+
+**To connect to your existing VM**
+- Open PowerShell as an admin and run the following commands on your existing VM:
+
+ - **Set the network category of your connection profile on the VM to _Private_:**
+
+ ```ps1
+ Get-netconnectionprofile | set-netconnectionprofile -NetworkCategory Private
+ ```
+
+ - **Enable firewall rules for _Remote Desktop_ and _Windows Remote Management_:**
+
+ ```ps1
+ Enable-NetFirewallRule -DisplayGroup “Remote Desktop”
+ Enable-NetFirewallRule -DisplayGroup “Windows Remote Management”
+ ```
+
+ - **Set the VM to receive remote commands without a confirmation prompt:**
+
+ ```ps1
+ Enable-PSRemoting –Force
+ ```
+
+**To provision an existing VM**
+1. On the Host device, install Windows 10, version 1703 and the **Microsoft Application Virtualization (App-V) Auto Sequencer** component from the matching version of the Windows Assessment and Deployment Kit (ADK). For more info on how to install the App-V Sequencer, see [Install the App-V Sequencer](appv-install-the-sequencer.md).
+
+2. Open PowerShell as an admin and run the **Connect-AppvSequencerVM** cmdlet, using the following parameters:
+
+ ```ps1
+ Connect-AppvSequencerVM -VMName "" -ADKPath ""
+ ```
+
+ Where *<name_of_vm>* is the name of the VM granted during its creation and shown in the Hyper-V Manager tool.
+
+This command creates a new Hyper-V VM file using the provided VHD file and also creates a "clean" checkpoint, from where all sequencing and updating will start.
+
+
+### Review the provisioning log files
+The 2 types of provisioning log files, located at %temp%\AutoSequencer\Logs, are:
+
+- **New-AppVSequencerVM-<*time_stamp*>.txt**. Includes info about the provisioning activities, such as "Waiting for VM session", "Copying installer for Sequencer", and so on.
+
+- **Connect-AppvSequencerVM-report-<*time_stamp*>.txt**. Includes info about the connections made to the VM, showing whether there were any failures.
+
+
+### Next steps
+After provisioning your sequencing environment, you must sequence your apps, either as a group or individually. For more info about sequencing your apps, see [Manually sequence a single new app using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-sequence-a-new-application.md), [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-sequencing.md), and [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-updating.md).
+
+After you sequence your packages, you can automatically cleanup any unpublished packages on the App-V client. For more info, see [Automatically cleanup unpublished packages on the App-V client](appv-auto-clean-unpublished-packages.md).
+
+### Related topics
+- [Download the Convert-WindowsImage tool](https://gallery.technet.microsoft.com/scriptcenter/Convert-WindowsImageps1-0fe23a8f)
+
+- [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit)
+
+- [How to install the App-V Sequencer](appv-install-the-sequencer.md)
+
+- [Learn about Hyper-V on Windows Server 2016](https://technet.microsoft.com/en-us/windows-server-docs/compute/hyper-v/hyper-v-on-windows-server)
+
+
+**Have a suggestion for App-V?**

        +Add or vote on suggestions on the [Application Virtualization feedback site](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
        For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). \ No newline at end of file diff --git a/windows/manage/appv-available-mdm-settings.md b/windows/manage/appv-available-mdm-settings.md new file mode 100644 index 0000000000..dc5eb1a61a --- /dev/null +++ b/windows/manage/appv-available-mdm-settings.md @@ -0,0 +1,211 @@ +--- +title: Available Mobile Data Management (MDM) settings for App-V (Windows 10) +description: A list of the available MDM settings for App-V on Windows 10. +author: eross-msft +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + +# Available Mobile Data Management (MDM) settings for App-V +With Windows 10, version 1703, you can configure, deploy, and manage your App-V apps by using these Mobile Data Management (MDM) settings. For the full list of available settings, see the [EnterpriseAppVManagement CSP](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/enterpriseappvmanagement-csp) page. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
        Policy nameSupported versionsDetails
        NameWindows 10, version 1703 +
          +
        • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/Name
        • +
        • Data type. String
        • +
        • Value. Read-only data, provided by your App-V packages.
        • +
        +
        VersionWindows 10, version 1703 +
          +
        • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/Version
        • +
        • Data type. String
        • +
        • Value. Read-only data, provided by your App-V packages.
        • +
        +
        PublisherWindows 10, version 1703 +
          +
        • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/Publisher
        • +
        • Data type. String
        • +
        • Value. Read-only data, provided by your App-V packages.
        • +
        +
        InstallLocationWindows 10, version 1703 +
          +
        • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/InstallLocation
        • +
        • Data type. String
        • +
        • Value. Read-only data, provided by your App-V packages.
        • +
        +
        InstallDateWindows 10, version 1703 +
          +
        • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/InstallDate
        • +
        • Data type. String
        • +
        • Value. Read-only data, provided by your App-V packages.
        • +
        +
        UsersWindows 10, version 1703 +
          +
        • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/Users
        • +
        • Data type. String
        • +
        • Value. Read-only data, provided by your App-V packages.
        • +
        +
        AppVPackageIDWindows 10, version 1703 +
          +
        • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/AppVPackageID
        • +
        • Data type. String
        • +
        • Value. Read-only data, provided by your App-V packages.
        • +
        +
        AppVVersionIDWindows 10, version 1703 +
          +
        • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/AppVVersionID
        • +
        • Data type. String
        • +
        • Value. Read-only data, provided by your App-V packages.
        • +
        +
        AppVPackageUriWindows 10, version 1703 +
          +
        • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/AppVPackageUri
        • +
        • Data type. String
        • +
        • Value. Read-only data, provided by your App-V packages.
        • +
        +
        LastErrorWindows 10, version 1703 +
          +
        • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/LastSync/LastError
        • +
        • Data type. String
        • +
        • Value. Read-only data, provided by your App-V client.
        • +
        +
        LastErrorDescriptionWindows 10, version 1703 +
          +
        • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/LastSync/LastErrorDescription
        • +
        • Data type. String
        • +
        • Values. +
            +
          • 0. No errors returned during publish.
          • +
          • 1. Unpublish groups failed during publish.
          • +
          • 2. Publish no-group packages failed during publish.
          • +
          • 3. Publish group packages failed during publish.
          • +
          • 4. Unpublish packages failed during publish.
          • +
          • 5. New policy write failed during publish.
          • +
          • 6. Multiple non-fatal errors occurred during publish.
          • +
          +
        • +
        +
        SyncStatusDescriptionWindows 10, version 1703 +
          +
        • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/LastSync/SyncStatusDescription
        • +
        • Data type. String
        • +
        • Values. +
            +
          • 0. App-V publishing is idle.
          • +
          • 1. App-V connection groups publish in progress.
          • +
          • 2. App-V packages (non-connection group) publish in progress.
          • +
          • 3. App-V packages (connection group) publish in progress.
          • +
          • 4. App-V packages unpublish in progress.
          • +
          +
        • +
        +
        SyncProgressWindows 10, version 1703 +
          +
        • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/LastSync/SyncProgress
        • +
        • Data type. String
        • +
        • Values. +
            +
          • 0. App-V Sync is idle.
          • +
          • 1. App-V Sync is initializing.
          • +
          • 2. App-V Sync is in progress.
          • +
          • 3. App-V Sync is complete.
          • +
          • 4. App-V Sync requires device reboot.
          • +
          +
        • +
        +
        PublishXMLWindows 10, version 1703 +
          +
        • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXML
        • +
        • Data type. String
        • +
        • Value. Custom value, entered by admin.
        • +
        +
        PolicyWindows 10, version 1703 +
          +
        • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVDynamicPolicy/configurationid/Policy
        • +
        • Data type. String
        • +
        • Value. Custom value, entered by admin.
        • +
        +
\ No newline at end of file
diff --git a/windows/manage/appv-create-and-use-a-project-template.md b/windows/manage/appv-create-and-use-a-project-template.md
index c6a0be63bb..1496e43518 100644
--- a/windows/manage/appv-create-and-use-a-project-template.md
+++ b/windows/manage/appv-create-and-use-a-project-template.md
@@ -1,55 +1,64 @@ --- -title: How to Create and Use a Project Template (Windows 10) -description: How to Create and Use a Project Template -author: MaggiePucciEvans +title: Create and apply an App-V project template to a sequenced App-V package (Windows 10) +description: Steps for how to create and apply an App-V project template (.appvt) to a sequenced App-V package. +author: eross-msft ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 --- - -# How to Create and Use a Project Template +# Create and apply an App-V project template to a sequenced App-V package **Applies to** - Windows 10, version 1607 -You can use an App-V project template to save commonly applied settings associated with an existing virtual application package. These settings can then be applied when you create new virtual application packages in your environment. Using a project template can streamline the process of creating virtual application packages. +You can use an App-V project template (.appvt) file to save commonly applied settings associated with an existing virtual application package. These settings can then be applied when you create new virtual application packages in your environment. Using a project template can streamline the process of creating virtual application packages. App-V project templates differ from App-V Package Accelerators because App-V Package Accelerators are application-specific, while App-V project templates can be applied to multiple applications. For more info about Package Accelerators, see the [How to create a Package Accelerator](appv-create-a-package-accelerator.md) topic. -> **Note**  You can, and often should apply an App-V project template during a package upgrade. For example, if you sequenced an application with a custom exclusion list, it is recommended that an associated template is created and saved for later use while upgrading the sequenced application. 
+>[!IMPORTANT] +>In Windows 10, version 1703, running the new-appvsequencerpackage or the update-appvsequencepackage cmdlets automatically captures and stores all of your customizations as an App-V project template. If you want to make changes to this package later, your customizations are automatically loaded from this template file. If you have an auto-saved template and you attempt to load another template through the _TemplateFilePath_ parameter, the customization value from the parameter will override the auto-saved template. -App-V project templates differ from App-V Application Accelerators because App-V Application Accelerators are application-specific, and App-V project templates can be applied to multiple applications. -Use the following procedures to create and apply a new template. +## Create a project template +You must first create and save a project template, including a virtual app package with settings to be used by the template. **To create a project template** -1. To start the App-V sequencer, on the computer that is running the sequencer, click **Start** / **All Programs** / **Microsoft Application Virtualization** / **Microsoft Application Virtualization Sequencer**. +1. On the device running the App-V Sequencer, click **Start**, click **All Programs**, click **Microsoft Application Virtualization**, and then click **Microsoft Application Virtualization Sequencer**. - > **Note**  If the virtual application package is currently open in the App-V Sequencer console, skip to step 3 of this procedure. + >[!NOTE] + >If the virtual app package is currently open in the App-V Sequencer console, skip to Step 3 of this procedure. -2. To open the existing virtual application package that contains the settings you want to save with the App-V project template, click **File** / **Open**, and then click **Edit Package**. On the **Select Package** page, click **Browse** and locate the virtual application package that you want to open. Click **Edit**. +2. 
On the **File** menu, click **Open**, click **Edit Package**, browse for the virtual app package that includes the settings you want to save with the App-V project template, and then click **Edit** to change any of the settings or info included in the file. -3. In the App-V Sequencer console, to save the template file, click **File** / **Save As Template**. After you have reviewed the settings that will be saved with the new template, click **OK**. Specify a name that will be associated with the new App-V project template. Click Save. +3. On the **File** menu, click **Save As Template**, review the settings associated with the new template, click **OK**, name your new template, and then click **Save**. The new App-V project template is saved in the folder you specified. -**To apply a project template** +## Apply a project template +After creating the template, you can apply it to all of your new virtual app packages, automatically including all of the settings. -> **Important**  Creating a virtual application package using a project template in conjunction with a Package Accelerator is not supported. +>[!IMPORTANT] +>Virtual app packages don't support using both a project template and a Package Accelerator together. -1. To start the App-V sequencer, on the computer that is running the sequencer, click **Start** / **All Programs** / **Microsoft Application Virtualization** / **Microsoft Application Virtualization Sequencer**. +1. On the device running the App-V Sequencer, click **Start**, click **All Programs**, click **Microsoft Application Virtualization**, and then click **Microsoft Application Virtualization Sequencer**. -2. To create or upgrade a new virtual application package by using an App-V project template, click **File** / **New From Template**. +2. On the **File** menu, click **New From Template**, browse to your newly created project template, and then click **Open**. -3. 
To select the project template that you want to use, browse to the directory where the project template is saved, select the project template, and then click **Open**. +3. Create your new virtual app package. The settings saved with your template are automatically applied. - Create the new virtual application package. The settings saved with the specified template will be applied to the new virtual application package that you are creating. +### Related topics +- [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) -## Have a suggestion for App-V? +- [How to install the App-V Sequencer](appv-install-the-sequencer.md) +- [Learn about Hyper-V on Windows Server 2016](https://technet.microsoft.com/en-us/windows-server-docs/compute/hyper-v/hyper-v-on-windows-server) + +- [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-sequencing.md) + +- [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-updating.md) + +- [Manually sequence a new app using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-sequence-a-new-application.md) + +**Have a suggestion for App-V?**

        Add or vote on suggestions on the [Application Virtualization feedback site](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
        For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
-
-## Related topics
-
-[Operations for App-V](appv-operations.md)
diff --git a/windows/manage/appv-creating-and-managing-virtualized-applications.md b/windows/manage/appv-creating-and-managing-virtualized-applications.md
index 861034a883..b6aeefb413 100644
--- a/windows/manage/appv-creating-and-managing-virtualized-applications.md
+++ b/windows/manage/appv-creating-and-managing-virtualized-applications.md
@@ -68,7 +68,9 @@ The **Options** dialog box in the sequencer console contains the following tabs: App-V supports applications that include Microsoft Windows Services. If an application includes a Windows service, the Service will be included in the sequenced virtual package as long as it is installed while being monitored by the sequencer. If a virtual application creates a Windows service when it initially runs, then later, after installation, the application must be run while the sequencer is monitoring so that the Windows Service will be added to the package. Only Services that run under the Local System account are supported. Services that are configured for AutoStart or Delayed AutoStart are started before the first virtual application in a package runs inside the package’s Virtual Environment. Windows Services that are configured to be started on demand by an application are started when the virtual application inside the package starts the Service via API call. -[How to Sequence a New Application with App-V](appv-sequence-a-new-application.md) +- [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-provision-a-vm.md) +- [How to Sequence a New Application with App-V](appv-sequence-a-new-application.md) +- [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-sequencing.md) ## App-V shell extension support 
@@ -166,11 +168,7 @@ You can use the sequencer to modify an existing package. The computer on which y [How to Modify an Existing Virtual Application Package](appv-modify-an-existing-virtual-application-package.md) ## Creating a project template - - -A .appvt file is a project template that can be used to save commonly applied, customized settings. You can then more easily use these settings for future sequencings. - -App-V project templates differ from App-V Application Accelerators because App-V Application Accelerators are application-specific, and App-V project templates can be applied to multiple applications. Additionally, you cannot use a project template when you use a Package Accelerator to create a virtual application package. The following general settings are saved with an App-V project template: +An App-V project template (.appvt) file is a project template that can be used to save commonly applied, customized settings. You can then more easily use these settings for future sequencings. App-V project templates differ from App-V Application Accelerators because App-V Application Accelerators are application-specific, and App-V project templates can be applied to multiple applications. Additionally, you cannot use a project template when you use a Package Accelerator to create a virtual application package. The following general settings are saved with an App-V project template: A template can specify and store multiple settings as follows: 
@@ -180,10 +178,15 @@ A template can specify and store multiple settings as follows: - **Exclusion Items.** Contains the Exclusion pattern list. +In Windows 10, version 1703, running the new-appvsequencerpackage or the update-appvsequencepackage cmdlets automatically captures and stores all of your customizations as an App-V project template. If you want to make changes to this package later, your customizations are automatically loaded from this template file. + +>[!IMPORTANT] +>If you have an auto-saved template and you attempt to load another template through the _TemplateFilePath_ parameter, the customization value from the parameter will override the auto-saved template. + [How to Create and Use a Project Template](appv-create-and-use-a-project-template.md) -## Creating a package accelerator +## Creating a package accelerator **Note**   Package accelerators created using a previous version of App-V must be recreated using App-V. diff --git a/windows/manage/appv-for-windows.md b/windows/manage/appv-for-windows.md index 3938202a14..ed4d234781 100644 --- a/windows/manage/appv-for-windows.md +++ b/windows/manage/appv-for-windows.md 
@@ -42,10 +42,14 @@ The topics in this section provide information and step-by-step procedures to he [Operations for App-V](appv-operations.md) - [Creating and Managing App-V Virtualized Applications](appv-creating-and-managing-virtualized-applications.md) +- [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-provision-a-vm.md) +- [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-sequencing.md) +- [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-updating.md) - [Administering App-V Virtual Applications by Using the Management Console](appv-administering-virtual-applications-with-the-management-console.md) - [Managing Connection Groups](appv-managing-connection-groups.md) - [Deploying App-V Packages by Using Electronic Software Distribution (ESD)](appv-deploying-packages-with-electronic-software-distribution-solutions.md) - [Using the App-V Client Management Console](appv-using-the-client-management-console.md) +- [Automatically cleanup unpublished packages on the App-V client](appv-auto-clean-unpublished-packages.md) - [Migrating to App-V from a Previous Version](appv-migrating-to-appv-from-a-previous-version.md) - [Maintaining App-V](appv-maintaining-appv.md) - [Administering App-V by Using Windows PowerShell](appv-administering-appv-with-powershell.md) diff --git a/windows/manage/appv-modify-client-configuration-with-powershell.md b/windows/manage/appv-modify-client-configuration-with-powershell.md index ef256839b0..e3ca1981bf 100644 --- a/windows/manage/appv-modify-client-configuration-with-powershell.md +++ b/windows/manage/appv-modify-client-configuration-with-powershell.md 
@@ -16,15 +16,15 @@ ms.prod: w10 Use the following procedure to configure the App-V client configuration. -1. To configure the client settings using Windows PowerShell, use the **Set-AppvClientConfiguration** cmdlet. For more information about installing Windows PowerShell, and a list of cmdlets see, [How to Load the Windows PowerShell Cmdlets for App-V and Get Cmdlet Help](appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md). +1. To configure the client settings using Windows PowerShell, use the **Set-AppVClientConfiguration** cmdlet. For more information about installing Windows PowerShell, and a list of cmdlets see, [How to Load the Windows PowerShell Cmdlets for App-V and Get Cmdlet Help](appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md). -2. To modify the client configuration, open a Windows PowerShell Command prompt and run **Set-AppvClientConfiguration** with any required parameters. For example: +2. To modify the client configuration, open a Windows PowerShell Command prompt and run **Set-AppVClientConfiguration** with any required parameters. For example: - `$config = Get-AppvClientConfiguration` + `$config = Get-AppVClientConfiguration` - `Set-AppcClientConfiguration $config` + `Set-AppVClientConfiguration $config` - `Set-AppcClientConfiguration –Name1 MyConfig –Name2 “xyz”` + `Set-AppVClientConfiguration –Name1 MyConfig –Name2 “xyz”` ## Have a suggestion for App-V? diff --git a/windows/manage/appv-planning-for-using-appv-with-office.md b/windows/manage/appv-planning-for-using-appv-with-office.md index bd79da1f4f..a08cd69548 100644 --- a/windows/manage/appv-planning-for-using-appv-with-office.md +++ b/windows/manage/appv-planning-for-using-appv-with-office.md 
@@ -28,81 +28,16 @@ Use the following information to plan how to deploy Office by using Microsoft Ap You can use the App-V Sequencer to create plug-in packages for Language Packs, Language Interface Packs, Proofing Tools and ScreenTip Languages. You can then include the plug-in packages in a Connection Group, along with the Office package that you create by using the Office Deployment Toolkit. The Office applications and the plug-in Language Packs interact seamlessly in the same connection group, just like any other packages that are grouped together in a connection group. -**Note**   -Microsoft Visio and Microsoft Project do not provide support for the Thai Language Pack. +>[!NOTE]  +>Microsoft Visio and Microsoft Project do not provide support for the Thai Language Pack. ## Supported versions of Microsoft Office +See [Microsoft Office Product IDs that App-V supports](https://support.microsoft.com/en-us/help/2842297/product-ids-that-are-supported-by-the-office-deployment-tool-for-click) for a list of supported Office products. - +>[!NOTE] +>You must use the Office Deployment Tool to create App-V packages for Office 365 ProPlus. Creating packages for the volume-licensed versions of Office Professional Plus or Office Standard is not supported. You cannot use the App-V Sequencer. -The following table lists the versions of Microsoft Office that App-V supports, methods of Office package creation, supported licensing, and supported deployments. - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        Supported Office VersionPackage CreationSupported LicensingSupported Deployments

        Office 365 ProPlus (either the Office 2013 or the Office 2016 version)

        -

        Also supported:

        -
          -
        • Visio Pro for Office 365

        • -
        • Project Pro for Office 365

        • -

        Office Deployment Tool

        Subscription

          -
        • Desktop

        • -
        • Personal VDI

        • -
        • Pooled VDI

        • -
        • RDS

        • -
          -
        • Visio Professional 2016 (C2R-P)

        • -
        • Visio Standard 2016 (C2R-P)

        • -
        • Project Professional 2016 (C2R-P)

        • -
        • Project Standard 2016 (C2R-P)

        • -

        Office Deployment Tool

        Volume Licensing

          -
        • Desktop

        • -
        • Personal VDI

        • -
        • Pooled VDI

        • -
        • RDS

        • -

        Office Professional Plus 2013

        -

        Also supported:

        -
          -
        • Visio Professional 2013

        • -
        • Project Professional 2013

        • -

        Office Deployment Tool

        Volume Licensing

          -
        • Desktop

        • -
        • Personal VDI

        • -
        • Pooled VDI

        • -
        • RDS

        • -
        +>Support for the [Office 2013 version of Office 365 ended in Februrary 2017](https://support.microsoft.com/kb/3199744) ## Planning for using App-V with coexisting versions of Office @@ -148,8 +83,8 @@ The Office documentation provides extensive guidance on coexistence for Windows The following tables summarize the supported coexistence scenarios. They are organized according to the version and deployment method you’re starting with and the version and deployment method you are migrating to. Be sure to fully test all coexistence solutions before deploying them to a production audience. -**Note**   -Microsoft does not support the use of multiple versions of Office in Windows Server environments that have the Remote Desktop Session Host role service enabled. To run Office coexistence scenarios, you must disable this role service. +>[!NOTE]  +>Microsoft does not support the use of multiple versions of Office in Windows Server environments that have the Remote Desktop Session Host role service enabled. To run Office coexistence scenarios, you must disable this role service.   diff --git a/windows/manage/appv-release-notes-for-appv-for-windows-1703.md b/windows/manage/appv-release-notes-for-appv-for-windows-1703.md new file mode 100644 index 0000000000..9e787d612c --- /dev/null +++ b/windows/manage/appv-release-notes-for-appv-for-windows-1703.md @@ -0,0 +1,121 @@ +--- +title: Release Notes for App-V for Windows 10, version 1703 (Windows 10) +description: A list of known issues and workarounds for App-V running on Windows 10, version 1703. +author: eross-msft +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# Release Notes for App-V for Windows 10, version 1703 + +**Applies to** +- Windows 10, version 1703 + +The following are known issues and workarounds for Application Virtualization (App-V) running on Windows 10, version 1703. + + + + + + + + + + + + + + + + + + + + + + + + +
        ProblemWorkaround
        Unable to manually create a system-owned folder needed for the set-AppVClientConfiguration PowerShell cmdlet when using the PackageInstallationRoot, IntegrationRootUser, or IntegrationRootGlobal parameters.Don't create this file manually, instead let the Add-AppVClientPackage cmdlet auto-generate it.
        Failure to update an App-V package from App-V 5.x to the latest in-box version, by using the PowerShell sequencing commands.Make sure you have the complete App-V package or the MSI file from the original app.
        Unable to modify the locale for auto-sequencing.Open the C:\Program Files (x86)\Windows Kits\10\Microsoft Application Virtualization\AutoSequencer\Unattend_Sequencer_User_Setup_Template.xml file and include the language code for your locale. For example, if you wanted Spanish (Spain), you'd use: es-ES.
        Filetype and protocol handlers aren't registering properly with the Google Chrome browser, causing you to not see App-V packages as an option for default apps from the Settings > Apps> Default Apps area.The recommended workaround is to add the following code to the AppXManifest.xml file, underneath the <appv:Extensions> tag: +
        
        +<appv:Extension Category="AppV.URLProtocol">
        +	<appv:URLProtocol>
        +		<appv:Name>ftp</appv:Name>
        +		<appv:ApplicationURLProtocol>
        +			<appv:DefaultIcon>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe,0</appv:DefaultIcon>
        +			<appv:ShellCommands>
        +				<appv:DefaultCommand>open</appv:DefaultCommand>
        +				<appv:ShellCommand>
        +					<appv:ApplicationId>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe</appv:ApplicationId>
        +					<appv:Name>open</appv:Name>
        +					<appv:CommandLine>"[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe" -- "%1"</appv:CommandLine>
        +					<appv:DdeExec>
        +						<appv:DdeCommand />
        +					</appv:DdeExec>
        +				</appv:ShellCommand>
        +			</appv:ShellCommands>
        +		</appv:ApplicationURLProtocol>
        +	</appv:URLProtocol>
        +</appv:Extension>
        +<appv:Extension Category="AppV.URLProtocol">
        +	<appv:URLProtocol>
        +		<appv:Name>http</appv:Name>
        +		<appv:ApplicationURLProtocol>
        +			<appv:DefaultIcon>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe,0</appv:DefaultIcon>
        +			<appv:ShellCommands>
        +				<appv:DefaultCommand>open</appv:DefaultCommand>
        +				<appv:ShellCommand>
        +					<appv:ApplicationId>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe</appv:ApplicationId>
        +					<appv:Name>open</appv:Name>
        +					<appv:CommandLine>"[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe" -- "%1"</appv:CommandLine>
        +					<appv:DdeExec>
        +						<appv:DdeCommand />
        +					</appv:DdeExec>
        +				</appv:ShellCommand>
        +			</appv:ShellCommands>
        +		</appv:ApplicationURLProtocol>
        +	</appv:URLProtocol>
        +</appv:Extension>
        +<appv:Extension Category="AppV.URLProtocol">
        +	<appv:URLProtocol>
        +		<appv:Name>https</appv:Name>
        +		<appv:ApplicationURLProtocol>
        +			<appv:DefaultIcon>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe,0</appv:DefaultIcon>
        +			<appv:ShellCommands>
        +				<appv:DefaultCommand>open</appv:DefaultCommand>
        +				<appv:ShellCommand>
        +					<appv:ApplicationId>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe</appv:ApplicationId>
        +					<appv:Name>open</appv:Name>
        +					<appv:CommandLine>"[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe" -- "%1"</appv:CommandLine>
        +					<appv:DdeExec>
        +						<appv:DdeCommand />
        +					</appv:DdeExec>
        +				</appv:ShellCommand>
        +			</appv:ShellCommands>
        +		</appv:ApplicationURLProtocol>
        +	</appv:URLProtocol>
        +</appv:Extension>
        +
        +
        + + +## Related resources list +For information that can help with troubleshooting App-V for Windows 10, see: +- [Application Virtualization (App-V): List of Microsoft Support Knowledge Base Articles](http://social.technet.microsoft.com/wiki/contents/articles/14272.app-v-v5-x-list-of-microsoft-support-knowledge-base-articles.aspx) + +- [The Official Microsoft App-V Team Blog](https://blogs.technet.microsoft.com/appv/) + +- [Technical Reference for App-V](https://technet.microsoft.com/itpro/windows/manage/appv-technical-reference) + +- [App-V TechNet Forum](https://social.technet.microsoft.com/forums/en-us/home?forum=mdopappv) + +## Have a suggestion for App-V? +Add or vote on suggestions on the [Application Virtualization feedback site](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
        For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +## Related topics +- [What's new in App-V for Windows 10](appv-about-appv.md) + +- [Release Notes for App-V for Windows 10, version 1607](appv-release-notes-for-appv-for-windows-1703.md) diff --git a/windows/manage/appv-release-notes-for-appv-for-windows.md b/windows/manage/appv-release-notes-for-appv-for-windows.md index 0982031249..290e4b19b9 100644 --- a/windows/manage/appv-release-notes-for-appv-for-windows.md +++ b/windows/manage/appv-release-notes-for-appv-for-windows.md @@ -1,23 +1,21 @@ --- -title: Release Notes for App-V (Windows 10) -description: Release Notes for App-V -author: MaggiePucciEvans +title: Release Notes for App-V for Windows 10, version 1607 (Windows 10) +description: A list of known issues and workarounds for App-V running on Windows 10, version 1607. +author: eross-msft ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 --- - # Release Notes for App-V for Windows 10, version 1607 **Applies to** - Windows 10, version 1607 -The following are known issues in Application Virtualization (App-V) for Windows 10, version 1607. +The following are known issues and workarounds for Application Virtualization (App-V) running on Windows 10, version 1607. ## Windows Installer packages (.msi files) generated by the App-V sequencer (version 5.1 and earlier) fail to install on computers with the in-box App-V client - MSI packages that were generated using an App-V sequencer from previous versions of App-V (App-V versions 5.1 and earlier) include a check to validate that the App-V client is installed on client devices before allowing the MSI package to install. Now that the App-V client is installed automatically when you upgrade user devices to Windows 10, version 1607, the pre-requisite check fails and causes the MSI to fail. **Workaround**: 
@@ -45,13 +43,11 @@ MSI packages that were generated using an App-V sequencer from previous versions where the path is to the new directory (**C:\MyMsiTools\ for this example**). ## Error occurs during publishing refresh between App-V 5.0 SP3 Management Server and App-V Client on Windows 10 - An error is generated during publishing refresh when synchronizing packages from the App-V 5.0 SP3 management server to an App-V client on Windows 10. This error occurs because the App-V 5.0 SP3 server does not understand the Windows 10 operating system that is specified in the publishing URL. The issue is fixed for App-V publishing server, but is not backported to versions of App-V 5.0 SP3 or earlier. **Workaround**: Upgrade the App-V 5.0 Management server to the App-V Management server for Windows 10 Clients. ## Custom configurations do not get applied for packages that will be published globally if they are set using the App-V Server - If you assign a package to an AD group that contains machine accounts and apply a custom configuration to that group using the App-V Server, the custom configuration will not be applied to those machines. The App-V Client will publish packages assigned to a machine account globally. However, it stores custom configuration files per user in each user’s profile. Globally published packages will not have access to this custom configuration. **Workaround**: Do one of the following: 
@@ -95,7 +91,6 @@ On the Packages page of the Management Console, if you click **Add or Upgrade** 3. Paste the path into the **Add Package** dialog box input field ## Upgrading App-V Management Server to 5.1 sometimes fails with the message “A database error occurred” - If you install the App-V 5.0 SP1 Management Server, and then try to upgrade to App-V Server when multiple connection groups are configured and enabled, the following error is displayed: “A database error occurred. Reason: 'Invalid column name 'PackageOptional'. Invalid column name 'VersionOptional'.” **Workaround**: Run this command on your SQL database: @@ -105,14 +100,11 @@ If you install the App-V 5.0 SP1 Management Server, and then try to upgrade to A where “AppVManagement” is the name of the database. ## Users cannot open a package in a user-published connection group if you add or remove an optional package - In environments that are running the RDS Client or that have multiple concurrent users per computer, logged-in users cannot open applications in packages that are in a user-published connection group if an optional package is added to or removed from the connection group. **Workaround**: Have users log out and then log back in. ## Error message is erroneously displayed when the connection group is published only to the user - - When you run Repair-AppvClientConnectionGroup, the following error is displayed, even when the connection group is published only to the user: “Internal App-V Integration error: Package not integrated for the user. Please ensure that the package is added to the machine and published to the user.” **Workaround**: Do one of the following: 
@@ -132,40 +124,37 @@ When you run Repair-AppvClientConnectionGroup, the following error is displayed, 3. If the package is currently published, run **Repair-AppvClientPackage** on that package. ## Icons not displayed properly in Sequencer - Icons in the Shortcuts and File Type Associations tab are not displayed correctly when modifying a package in the App-V Sequencer. This problem occurs when the size of the icons are not 16x16 or 32x32. **Workaround**: Only use icons that are 16x16 or 32x32. ## InsertVersionInfo.sql script no longer required for the Management Database - - The InsertVersionInfo.sql script is not required for versions of the App-V management database later than App-V 5.0 SP3. The Permissions.sql script should be updated according to **Step 2** in [KB article 3031340](https://support.microsoft.com/kb/3031340). -**Important**   -**Step 1** is not required for versions of App-V later than App-V 5.0 SP3. - +>[!IMPORTANT]  +>**Step 1** of the KB article listed above isn't required for versions of App-V later than App-V 5.0 SP3. ## Microsoft Visual Studio 2012 not supported +App-V doesn't support Visual Studio 2012. - -App-V does not support Visual Studio 2012. - -**Workaround**: None +**Workaround**: Use a newer version of Microsoft Visual Studio. ## Application filename restrictions for App-V Sequencer - - The App-V Sequencer cannot sequence applications with filenames matching "CO_<x>" where x is any numeral. Error 0x8007139F will be generated. **Workaround**: Use a different filename -## Have a suggestion for App-V? 
+## Related resources list +For information that can help with troubleshooting App-V for Windows 10, see: +- [Application Virtualization (App-V): List of Microsoft Support Knowledge Base Articles](http://social.technet.microsoft.com/wiki/contents/articles/14272.app-v-v5-x-list-of-microsoft-support-knowledge-base-articles.aspx) +- [The Official Microsoft App-V Team Blog](https://blogs.technet.microsoft.com/appv/) +- [Technical Reference for App-V](https://technet.microsoft.com/itpro/windows/manage/appv-technical-reference) +- [App-V TechNet Forum](https://social.technet.microsoft.com/forums/en-us/home?forum=mdopappv) +## Have a suggestion for App-V? Add or vote on suggestions on the [Application Virtualization feedback site](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
        For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). -## Related topics +Help us to improve -[What's new in App-V for Windows 10](appv-about-appv.md) diff --git a/windows/manage/appv-sequence-a-new-application.md b/windows/manage/appv-sequence-a-new-application.md index 24b1fb9ba1..7479636bf9 100644 --- a/windows/manage/appv-sequence-a-new-application.md +++ b/windows/manage/appv-sequence-a-new-application.md @@ -1,7 +1,7 @@ --- -title: How to Sequence a New Application with App-V (Windows 10) -description: How to Sequence a New Application with App-V -author: MaggiePucciEvans +title: Manually sequence a new app using the Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10) +description: How to manually sequence a new app using the App-V Sequencer +author: eross-msft ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,10 +9,10 @@ ms.prod: w10 --- -# How to Sequence a New Application with App-V +# Manually sequence a new app using the Microsoft Application Virtualization Sequencer (App-V Sequencer) **Applies to** -- Windows 10, version 1607 +- Windows 10, version 1607 and later In Windows 10, version 1607, the App-V Sequencer is included with the Windows ADK. For more info on how to install the App-V Sequencer, see [Install the App-V Sequencer](appv-install-the-sequencer.md). 
@@ -36,8 +36,8 @@ In Windows 10, version 1607, the App-V Sequencer is included with the Windows AD - If short paths have been disabled for the virtualized package’s target volume, you must also sequence the package to a volume that was created and still has short-paths disabled. It cannot be the system volume. -> [!NOTE] -> The App-V Sequencer cannot sequence applications with filenames matching "CO_<_x_>" where x is any numeral. Error 0x8007139F will be generated. +>[!NOTE] +>The App-V Sequencer cannot sequence applications with filenames matching "CO_<_x_>" where x is any numeral. Error 0x8007139F will be generated. **To sequence a new standard application** 
@@ -47,15 +47,15 @@ In Windows 10, version 1607, the App-V Sequencer is included with the Windows AD 3. On the **Prepare Computer** page, review the issues that could cause the package creation to fail or could cause the package to contain unnecessary data. You should resolve all potential issues before you continue. After making any corrections, click **Refresh** to display the updated information. After you have resolved all potential issues, click **Next**. - > [!IMPORTANT] - > If you are required to disable virus scanning software, you should first scan the computer that runs the sequencer in order to ensure that no unwanted or malicious files could be added to the package. + >[!IMPORTANT] + >If you are required to disable virus scanning software, you should first scan the computer that runs the sequencer in order to ensure that no unwanted or malicious files could be added to the package. 4. On the **Type of Application** page, click the **Standard Application (default)** check box, and then click **Next**. 5. On the **Select Installer** page, click **Browse** and specify the installation file for the application. - > [!NOTE] - > If the specified application installer modifies security access to a file or directory, existing or new, the associated changes will not be captured into the package. + >[!NOTE] + >If the specified application installer modifies security access to a file or directory, existing or new, the associated changes will not be captured into the package. If the application does not have an associated installer file and you plan to run all installation steps manually, select the **Perform a Custom Installation** check box, and then click **Next**. 
@@ -65,8 +65,8 @@ In Windows 10, version 1607, the App-V Sequencer is included with the Windows AD 7. On the **Installation** page, when the sequencer and application installer are ready you can proceed to install the application so that the sequencer can monitor the installation process. - > [!IMPORTANT] - > You should always install applications to a secure location and make sure no other users are logged on to the computer running the sequencer during monitoring. + >[!IMPORTANT] + >You should always install applications to a secure location and make sure no other users are logged on to the computer running the sequencer during monitoring. Use the application's installation process to perform the installation. If additional installation files must be run as part of the installation, click **Run** to locate and run the additional installation files. When you are finished with the installation, select **I am finished installing**. Click **Next**. @@ -74,8 +74,8 @@ In Windows 10, version 1607, the App-V Sequencer is included with the Windows AD 9. On the **Configure Software** page, optionally run the programs contained in the package. This step allows you to complete any necessary license or configuration tasks before you deploy and run the package on target computers. To run all the programs at one time, select at least one program, and then click **Run All**. To run specific programs, select the program or programs, and then click **Run Selected**. Complete the required configuration tasks and then close the applications. You may need to wait several minutes for all programs to run. - > [!NOTE] - > To run first-use tasks for any application that is not available in the list, open the application. The associated information will be captured during this step. + >[!NOTE] + >To run first-use tasks for any application that is not available in the list, open the application. The associated information will be captured during this step. Click **Next**. 
@@ -91,23 +91,21 @@ In Windows 10, version 1607, the App-V Sequencer is included with the Windows AD 12. On the **Streaming** page, run each program so that it can be optimized and run more efficiently on target computers. It can take several minutes for all the applications to run. After all applications have run, close each of the applications, and then click **Next**. - > [!NOTE] - > If you do not open any applications during this step, the default streaming method is on-demand streaming delivery. This means applications will be downloaded bit by bit until it can be opened, and then depending on how the background loading is configured, will load the rest of the application. - -   + >[!NOTE] + >If you do not open any applications during this step, the default streaming method is on-demand streaming delivery. This means applications will be downloaded bit by bit until it can be opened, and then depending on how the background loading is configured, will load the rest of the application. 13. On the **Target OS** page, specify the operating systems that can run this package. To allow all supported operating systems in your environment to run this package, select **Allow this package to run on any operating system**. To configure this package to run only on specific operating systems, select **Allow this package to run only on the following operating systems** and select the operating systems that can run this package. Click **Next**. - > [!IMPORTANT] - > Make sure that the operating systems you specify here are supported by the application you are sequencing. + >[!IMPORTANT] + >Make sure that the operating systems you specify here are supported by the application you are sequencing. 14. The **Create Package** page is displayed. To modify the package without saving it, select **Continue to modify package without saving using the package editor**. This option opens the package in the sequencer console so that you can modify the package before it is saved. 
Click **Next**. To save the package immediately, select **Save the package now** (default). Add optional **Comments** to be associated with the package. Comments are useful for identifying the program version and other information about the package. - > [!IMPORTANT] - > The system does not support non-printable characters in **Comments** and **Descriptions**. + >[!IMPORTANT] + >The system does not support non-printable characters in **Comments** and **Descriptions**. The default **Save Location** is also displayed on this page. To change the default location, click **Browse** and specify the new location. Click **Create**. @@ -115,14 +113,13 @@ In Windows 10, version 1607, the App-V Sequencer is included with the Windows AD The package is now available in the sequencer. - > [!IMPORTANT] - > After you have successfully created a virtual application package, you cannot run the virtual application package on the computer that is running the sequencer. - + >[!IMPORTANT] + >After you have successfully created a virtual application package, you cannot run the virtual application package on the computer that is running the sequencer.   **To sequence an add-on or plug-in application** -> [!NOTE] +>[!NOTE] >Before performing the following procedure, install the parent application locally on the computer that is running the sequencer. Or if you have the parent application virtualized, you can follow the steps in the add-on or plug-in workflow to unpack the parent application on the computer. >For example, if you are sequencing a plug-in for Microsoft Excel, install Microsoft Excel locally on the computer that is running the sequencer. Also install the parent application in the same directory where the application is installed on target computers. If the plug-in or add-on is going to be used with an existing virtual application package, install the application on the same virtual application drive that was used when you created the parent virtual application package. 
@@ -133,9 +130,8 @@ In Windows 10, version 1607, the App-V Sequencer is included with the Windows AD 3. On the **Prepare Computer** page, review the issues that might cause the package creation to fail or could cause the package to contain unnecessary data. You should resolve all potential issues before you continue. After making any corrections, click **Refresh** to display the updated information. After you have resolved all potential issues, click **Next**. - > [!IMPORTANT] - > If you are required to disable virus scanning software, you should first scan the computer that runs the sequencer in order to ensure that no unwanted or malicious files could be added to the package. - + >[!IMPORTANT] + >If you are required to disable virus scanning software, you should first scan the computer that runs the sequencer in order to ensure that no unwanted or malicious files could be added to the package. 4. On the **Type of Application** page, select **Add-on or Plug-in**, and then click **Next**. 
@@ -143,17 +139,17 @@ In Windows 10, version 1607, the App-V Sequencer is included with the Windows AD 6. On the **Install Primary** page, ensure that the primary application is installed on the computer that runs the sequencer. Alternatively, you can expand an existing package that has been saved locally on the computer that runs the sequencer. To do this, click **Expand Package**, and then select the package. After you have expanded or installed the parent program, select **I have installed the primary parent program**. - Click **Next**. +7. Click **Next**. -7. On the **Package Name** page, type a name that will be associated with the package. Use a name that helps identify the purpose and version of the application that will be added to the package. The package name will be displayed in the App-V Management Console. +8. On the **Package Name** page, type a name that will be associated with the package. Use a name that helps identify the purpose and version of the application that will be added to the package. The package name will be displayed in the App-V Management Console. - Click **Next**. +9. Click **Next**. -8. On the **Installation** page, when the sequencer and application installer are ready you can proceed to install the plug-in or add-in application so the sequencer can monitor the installation process. Use the application's installation process to perform the installation. If additional installation files must be run as part of the installation, click **Run** and locate and run the additional installation files. When you are finished with the installation, select **I am finished installing**, and then click **Next**. +10. On the **Installation** page, when the sequencer and application installer are ready you can proceed to install the plug-in or add-in application so the sequencer can monitor the installation process. Use the application's installation process to perform the installation. 
If additional installation files must be run as part of the installation, click **Run** and locate and run the additional installation files. When you are finished with the installation, select **I am finished installing**, and then click **Next**. -9. On the **Installation Report** page, you can review information about the virtual application package that you just sequenced. For a more detailed explanation about the information displayed in **Additional Information**, double-click the event. After you have reviewed the information, click **Next**. +11. On the **Installation Report** page, you can review information about the virtual application package that you just sequenced. For a more detailed explanation about the information displayed in **Additional Information**, double-click the event. After you have reviewed the information, click **Next**. -10. The **Customize** page is displayed. If you are finished installing and configuring the virtual application, select **Stop now** and skip to step 12 of this procedure. To perform either of the following customizations, select **Customize**. +12. The **Customize** page is displayed. If you are finished installing and configuring the virtual application, select **Stop now** and skip to step 12 of this procedure. To perform either of the following customizations, select **Customize**. - Optimize how the package will run across a slow or unreliable network. 
@@ -161,12 +157,10 @@ In Windows 10, version 1607, the App-V Sequencer is included with the Windows AD Click **Next**. -11. On the **Streaming** page, run each program so that it can be optimized and run more efficiently on target computers. Streaming improves the experience when the virtual application package is run on target computers on high-latency networks. It can take several minutes for all the applications to run. After all applications have run, close each of the applications. You can also configure the package to be required to be fully downloaded before opening by selecting the **Force applications to be downloaded** check-box. Click **Next**. +13. On the **Streaming** page, run each program so that it can be optimized and run more efficiently on target computers. Streaming improves the experience when the virtual application package is run on target computers on high-latency networks. It can take several minutes for all the applications to run. After all applications have run, close each of the applications. You can also configure the package to be required to be fully downloaded before opening by selecting the **Force applications to be downloaded** check-box. Click **Next**. - > [!NOTE]    - > If necessary, you can stop an application from loading during this step. In the **Application Launch** dialog box, click **Stop** and select one of the check boxes: **Stop all applications** or **Stop this application only**. - -   + >[!NOTE]    + >If necessary, you can stop an application from loading during this step. In the **Application Launch** dialog box, click **Stop** and select one of the check boxes: **Stop all applications** or **Stop this application only**. 12. On the **Target OS** page, specify the operating systems that can run this package. To allow all supported operating systems in your environment to run this package, select the **Allow this package to run on any operating system** check box. 
To configure this package to run only on specific operating systems, select the **Allow this package to run only on the following operating systems** check box, and then select the operating systems that can run this package. Click **Next**. @@ -174,8 +168,8 @@ In Windows 10, version 1607, the App-V Sequencer is included with the Windows AD To save the package immediately, select **Save the package now**. Optionally, add a **Description** that will be associated with the package. Descriptions are useful for identifying the version and other information about the package. - > [!IMPORTANT]    - > The system does not support non-printable characters in Comments and Descriptions. + >[!IMPORTANT]    + >The system does not support non-printable characters in Comments and Descriptions. The default **Save Location** is also displayed on this page. To change the default location, click **Browse** and specify the new location. Click **Create**. @@ -187,9 +181,8 @@ In Windows 10, version 1607, the App-V Sequencer is included with the Windows AD 3. On the **Prepare Computer** page, review the issues that could cause the package creation to fail or could cause the package to contain unnecessary data. You should resolve all potential issues before you continue. After making any corrections, click **Refresh** to display the updated information. After you have resolved all potential issues, click **Next**. - > [!IMPORTANT] - > If you are required to disable virus scanning software, you should first scan the computer that runs the App-V Sequencer in order to ensure that no unwanted or malicious files can be added to the package. - + >[!IMPORTANT] + >If you are required to disable virus scanning software, you should first scan the computer that runs the App-V Sequencer in order to ensure that no unwanted or malicious files can be added to the package. 4. On the **Type of Application** page, select **Middleware**, and then click **Next**. 
@@ -197,37 +190,35 @@ In Windows 10, version 1607, the App-V Sequencer is included with the Windows AD 6. On the **Package Name** page, type a name that will be associated with the package. Use a name that helps identify the purpose and version of the application that will be added to the package. The package name is displayed in the App-V Management Console. - Click **Next**. +7. Click **Next**. -7. On the **Installation** page, when the sequencer and middleware application installer are ready you can proceed to install the application so that the sequencer can monitor the installation process. Use the application's installation process to perform the installation. If additional installation files must be run as part of the installation, click **Run**, to locate and run the additional installation files. When you are finished with the installation, select the **I am finished installing** check box, and then click **Next**. +8. On the **Installation** page, when the sequencer and middleware application installer are ready you can proceed to install the application so that the sequencer can monitor the installation process. Use the application's installation process to perform the installation. If additional installation files must be run as part of the installation, click **Run**, to locate and run the additional installation files. When you are finished with the installation, select the **I am finished installing** check box, and then click **Next**. -8. On the **Installation** page, wait while the sequencer configures the virtual application package. +9. On the **Installation** page, wait while the sequencer configures the virtual application package. -9. On the **Installation Report** page, you can review information about the virtual application package that you have just sequenced. In **Additional Information**, double-click an event to obtain more detailed information. To proceed, click **Next**. +10. 
On the **Installation Report** page, you can review information about the virtual application package that you have just sequenced. In **Additional Information**, double-click an event to obtain more detailed information. To proceed, click **Next**. -10. On the **Target OS** page, specify the operating systems that can run this package. To enable all supported operating systems in your environment to run this package, select the **Allow this package to run on any operating system** check box. To configure this package to run only on specific operating systems, select the **Allow this package to run only on the following operating systems** check box and select the operating systems that can run this package. Click **Next**. +11. On the **Target OS** page, specify the operating systems that can run this package. To enable all supported operating systems in your environment to run this package, select the **Allow this package to run on any operating system** check box. To configure this package to run only on specific operating systems, select the **Allow this package to run only on the following operating systems** check box and select the operating systems that can run this package. Click **Next**. -11. On the **Create Package** page is displayed. To modify the package without saving it, select **Continue to modify package without saving using the package editor**. This option opens the package in the sequencer console so that you can modify the package before it is saved. Click **Next**. +12. On the **Create Package** page is displayed. To modify the package without saving it, select **Continue to modify package without saving using the package editor**. This option opens the package in the sequencer console so that you can modify the package before it is saved. Click **Next**. To save the package immediately, select **Save the package now**. Optionally, add a **Description** to be associated with the package. 
Descriptions are useful for identifying the program version and other information about the package. - > [!IMPORTANT]    - > The system does not support non-printable characters in Comments and Descriptions. + >[!IMPORTANT]    + >The system does not support non-printable characters in Comments and Descriptions. The default **Save Location** is also displayed on this page. To change the default location, click **Browse** and specify the new location. Click **Create**. -12. The **Completion** page is displayed. Review the information in the **Virtual Application Package Report** pane as needed, then click **Close**. This information is also available in the **Report.xml** file that is located in the directory specified in step 11 of this procedure. +13. The **Completion** page is displayed. Review the information in the **Virtual Application Package Report** pane as needed, then click **Close**. This information is also available in the **Report.xml** file that is located in the directory specified in step 11 of this procedure. The package is now available in the sequencer. To edit the package properties, click **Edit \[Package Name\]**. - > [!IMPORTANT]    - > After you have successfully created a virtual application package, you cannot run the virtual application package on the computer that is running the sequencer. + >[!IMPORTANT]    + >After you have successfully created a virtual application package, you cannot run the virtual application package on the computer that is running the sequencer. ## Have a suggestion for App-V? - Add or vote on suggestions on the [Application Virtualization feedback site](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
        For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). ## Related topics - - [Install the App-V Sequencer](appv-install-the-sequencer.md) - [Operations for App-V](appv-operations.md)
diff --git a/windows/manage/appv-sequence-a-package-with-powershell.md b/windows/manage/appv-sequence-a-package-with-powershell.md
index e1920755b9..1d3143b133 100644
--- a/windows/manage/appv-sequence-a-package-with-powershell.md
+++ b/windows/manage/appv-sequence-a-package-with-powershell.md
@@ -59,10 +59,15 @@ The following list displays additional optional parameters that can be used with - FullLoad - specifies that the package must be fully downloaded to the computer running the App-V before it can be opened. -## Have a suggestion for App-V? +In Windows 10, version 1703, running the new-appvsequencerpackage or the update-appvsequencepackage cmdlets automatically captures and stores all of your customizations as an App-V project template. If you want to make changes to this package later, your customizations are automatically loaded from this template file. -Add or vote on suggestions on the [Application Virtualization feedback site](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
        For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). +>[!IMPORTANT] +>If you have an auto-saved template and you attempt to load another template through the _TemplateFilePath_ parameter, the customization value from the parameter will override the auto-saved template. ## Related topics - [Administering App-V by using Windows PowerShell](appv-administering-appv-with-powershell.md) + +## Have a suggestion for App-V? + +Add or vote on suggestions on the [Application Virtualization feedback site](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
        For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
\ No newline at end of file
diff --git a/windows/manage/change-history-for-manage-and-update-windows-10.md b/windows/manage/change-history-for-manage-and-update-windows-10.md
index 83c075218f..d6a3868254 100644
--- a/windows/manage/change-history-for-manage-and-update-windows-10.md
+++ b/windows/manage/change-history-for-manage-and-update-windows-10.md
@@ -18,23 +18,35 @@ This topic lists new and updated topics in the [Manage Windows 10](index.md) doc The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). Some topics have been moved to [Update Windows 10](../update/index.md) or to [Configure Windows 10](../configure/index.md). -## February 2017 +## March 2017 +| New or changed topic | Description | +| --- | --- | +|[Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email](cortana-at-work-scenario-6.md) |New | +|[What's new in App-V for Windows 10, version 1703 and earlier](appv-about-appv.md)|Updated to include new features in App-V for Windows 10, version 1703. | +|[Release Notes for App-V for Windows 10, version 1703](appv-release-notes-for-appv-for-windows-1703.md)|New | +|[Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-provision-a-vm.md) |New | +|[Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-sequencing.md) |New | +|[Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-updating.md) |New | +|[Automatically cleanup unpublished packages on the App-V client](appv-auto-clean-unpublished-packages.md) |New | +|[Available Mobile Data Management (MDM) settings for App-V](appv-available-mdm-settings.md) |New | +## February 2017 | New or changed topic | Description | | --- | --- | | [Windows Libraries](windows-libraries.md) | New | | [Monitor Windows Updates with Update Compliance](update-compliance-monitor.md) | New | | [Get started with Update Compliance](update-compliance-get-started.md) | New | | [Use Update Compliance to monitor Windows Updates](update-compliance-using.md) | New | -| [Assign devices to servicing branches for Windows 10 
updates](waas-servicing-branches-windows-10-updates.md) | Added Group Policy setting that blocks user access to Windows Update. | -| [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) | Added Express updates. | +|[Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) | Added Group Policy setting that blocks user access to Windows Update. | +|[Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |Added Express updates. | | [Distribute offline apps](distribute-offline-apps.md) | General updates to topic. Added links to supporting content for System Center Configuration Manager and Microsoft Intune. | + ## January 2017 | New or changed topic | Description | | --- | --- | -|[Cortana at work topics](../configure/cortana-at-work-overview.md)]|New | +| [Cortana at work topics](../configure/cortana-at-work-overview.md)]|New | | [Start layout XML for desktop editions of Windows 10](start-layout-xml-desktop.md) | New (previously published in Hardware Dev Center on MSDN) | | [Start layout XML for mobile editions of Windows 10](start-layout-xml-mobile.md) | New (previously published in Hardware Dev Center on MSDN) | | [Quick guide to Windows as a service](waas-quick-start.md) | Added video that explains how Windows as a service works. | 
@@ -89,11 +101,11 @@ The topics in this library have been updated for Windows 10, version 1703 (also ## RELEASE: Windows 10, version 1607 -The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). The following new topics have been added: +The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). The following new topics have been added: - [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md) - [Configure Windows 10 taskbar](configure-windows-10-taskbar.md) -- [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md) +- [Set up a shared or guest PC with Windows 10](../configure/set-up-shared-or-guest-pc.md) - [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) - [Application Virtualization (App-V) for Windows 10](appv-for-windows.md) - [User Experience Virtualization (UE-V) for Windows 10](uev-for-windows.md) @@ -121,7 +133,7 @@ The topics in this library have been updated for Windows 10, version 1607 (also | [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md) | New telemetry content | | [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) |Removed info about sharing wi-fi network access with contacts, since it's been deprecated. | | [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | Corrected script for setting a custom shell using Shell Launcher | -| [Windows 10 servicing options for updates and upgrades](introduction-to-windows-10-servicing.md) | Removed Windows 10 Mobile from **Applies to** | +| [Windows 10 servicing options for updates and upgrades](introduction-to-windows-10-servicing.md) | Removed Windows 10 Mobile from **Applies to** | 
@@ -146,12 +158,12 @@ The topics in this library have been updated for Windows 10, version 1607 (also | New or changed topic | Description | | ---|---| | [Configure telemetry and other settings in your organization](disconnect-your-organization-from-microsoft.md) | Added call history and email to the Settings > Privacy section.
        Added the Turn off Windows Mail application Group Policy to the Mail synchronization section. | -| [Customize and export Start layout](customize-and-export-start-layout.md) | Added a note to clarify that partial Start layout is only supported in Windows 10, version 1511 and later | +| [Customize and export Start layout](customize-and-export-start-layout.md) | Added a note to clarify that partial Start layout is only supported in Windows 10, version 1511 and later | | [Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) | Added instructions for replacing markup characters with escape characters in Start layout XML | | [Introduction to configuration service providers (CSPs) for IT pros](how-it-pros-can-use-configuration-service-providers.md) | New | | [Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md) | New | -| [Windows 10 servicing options for updates and upgrades](introduction-to-windows-10-servicing.md) | Added information on servicing options for Windows 10 Mobile, Windows 10 Mobile Enterprise, and Windows 10 IoT Core (IoT Core). | -  +| [Windows 10 servicing options for updates and upgrades](introduction-to-windows-10-servicing.md) | Added information on servicing options for Windows 10 Mobile, Windows 10 Mobile Enterprise, and Windows 10 IoT Core (IoT Core). | + ## December 2015 @@ -189,5 +201,3 @@ The topics in this library have been updated for Windows 10, version 1607 (also [Change history for Deploy Windows 10](../deploy/change-history-for-deploy-windows-10.md) [Change history for Keep Windows 10 secure](../keep-secure/change-history-for-keep-windows-10-secure.md) - -  diff --git a/windows/manage/images/button.png b/windows/manage/images/button.png new file mode 100644 index 0000000000..1ba7590f76 Binary files /dev/null and b/windows/manage/images/button.png differ 
diff --git a/windows/manage/images/cortana-communication-history-permissions.png b/windows/manage/images/cortana-communication-history-permissions.png
new file mode 100644
index 0000000000..db182be13c
Binary files /dev/null and b/windows/manage/images/cortana-communication-history-permissions.png differ
diff --git a/windows/manage/images/cortana-suggested-reminder-settings.png b/windows/manage/images/cortana-suggested-reminder-settings.png
new file mode 100644
index 0000000000..176dbff483
Binary files /dev/null and b/windows/manage/images/cortana-suggested-reminder-settings.png differ
diff --git a/windows/manage/images/cortana-suggested-reminder.png b/windows/manage/images/cortana-suggested-reminder.png
new file mode 100644
index 0000000000..4184bd1b6c
Binary files /dev/null and b/windows/manage/images/cortana-suggested-reminder.png differ
diff --git a/windows/manage/images/waas-wufb-update-compliance.png b/windows/manage/images/waas-wufb-update-compliance.png
new file mode 100644
index 0000000000..0c1bbaea7c
Binary files /dev/null and b/windows/manage/images/waas-wufb-update-compliance.png differ
diff --git a/windows/manage/manage-windows-10-in-your-organization-modern-management.md b/windows/manage/manage-windows-10-in-your-organization-modern-management.md
index f149335e36..ed2c748110 100644
--- a/windows/manage/manage-windows-10-in-your-organization-modern-management.md
+++ b/windows/manage/manage-windows-10-in-your-organization-modern-management.md
@@ -44,11 +44,10 @@ As indicated in the diagram, Microsoft continues to provide support for deep man
 With Windows 10, you can continue to use traditional OS deployment, but you can also “manage out of the box.” To transform new devices into fully-configured, fully-managed devices, you can: - - Avoid reimaging by using dynamic provisioning, enabled by a cloud-based device management services like [Microsoft Intune](https://docs.microsoft.com/intune/understand-explore/introduction-to-microsoft-intune).
-- Create self-contained provisioning packages built with the [Windows Imaging and Configuration Designer (ICD)](https://msdn.microsoft.com/library/windows/hardware/dn916113(v=vs.85).aspx).
+- Create self-contained provisioning packages built with the [Windows Configuration Designer](https://technet.microsoft.com/itpro/windows/deploy/provisioning-packages).
 - Use traditional imaging techniques such as deploying custom images using [System Center Configuration Manager](https://docs.microsoft.com/sccm/core/understand/introduction).
diff --git a/windows/manage/set-up-shared-or-guest-pc.md b/windows/manage/set-up-shared-or-guest-pc.md
deleted file mode 100644
index f641f80569..0000000000
--- a/windows/manage/set-up-shared-or-guest-pc.md
+++ /dev/null
@@ -1,302 +0,0 @@
----
-title: Set up a shared or guest PC with Windows 10 (Windows 10)
-description: Windows 10, version 1607, introduces *shared PC mode*, which optimizes Windows 10 for shared use scenarios.
-keywords: ["shared pc mode"]
-ms.prod: W10
-ms.mktglfcycl: manage
-ms.sitesec: library
-author: jdeckerMS
-localizationpriority: high
----
-
-# Set up a shared or guest PC with Windows 10
-
-
-**Applies to**
-
-- Windows 10
-
-Windows 10, version 1607, introduces *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. You can apply shared PC mode to Windows 10 Pro, Pro Education, Education, and Enterprise.
-
-> [!NOTE]
-> If you're interested in using Windows 10 for shared PCs in a school, see [Use Set up School PCs app](https://technet.microsoft.com/edu/windows/use-set-up-school-pcs-app) which provides a simple way to configure PCs with shared PC mode plus additional settings specific for education.
-
-##Shared PC mode concepts
-A Windows 10 PC in shared PC mode is designed to be management- and maintenance-free with high reliability. In shared PC mode, only one user can be signed in at a time. When the PC is locked, the currently signed in user can always be signed out at the lock screen. Users who sign-in are signed in as standard users, not admin users.
-
-###Account models
-It is intended that shared PCs are joined to an Active Directory or Azure Active Directory domain by a user with the necessary rights to perform a domain join as part of a setup process. This enables any user that is part of the directory to sign-in to the PC as a standard user. The user who originally joined the PC to the domain will have administrative rights when they sign in. If using Azure Active Directory Premium, any domain user can also be configured to sign in with administrative rights. 
Additionally, shared PC mode can be configured to enable a **Start without an account** option on the sign-in screen, which doesn't require any user credentials or authentication and creates a new local account. - -###Account management -When the account management service is turned on in shared PC mode, accounts are automatically deleted. Account deletion applies to Active Directory, Azure Active Directory, and local accounts that are created by the **Start without an account** option. Account management is performed both at sign-off time (to make sure there is enough disk space for the next user) as well as during system maintenance time periods. Shared PC mode can be configured to delete accounts immediately at sign-out or when disk space is low. - -###Maintenance and sleep -Shared PC mode is configured to take advantage of maintenance time periods which run while the PC is not in use. Therefore, sleep is strongly recommended so that the PC can wake up when it is not is use to perform maintenance, clean up accounts, and run Windows Update. The recommended settings can be set by choosing **SetPowerPolicies** in the list of shared PC options. Additionally, on devices without Advanced Configuration and Power Interface (ACPI) wake alarms, shared PC mode will always override real-time clock (RTC) wake alarms to be allowed to wake the PC from sleep (by default, RTC wake alarms are off). This ensures that the widest variety of hardware will take advantage of maintenance periods. - -While shared PC mode does not configure Windows Update itself, it is strongly recommended to configure Windows Update to automatically install updates and reboot (if necessary) during maintenance hours. This will help ensure the PC is always up to date and not interrupting users with updates. 
Use one of the following methods to configure Windows Update: - -- Group Policy: Set **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Automatic Updates** to `4` and check **Install during automatic maintenance**. -- MDM: Set **Update/AllowAutoUpdate** to `4`. -- Provisioning: In Windows Imaging and Configuration Designer (ICD), set **Policies/Update/AllowAutoUpdate** to `4`. - -[Learn more about the AllowAutoUpdate settings](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_AllowAutoUpdate) - -###App behavior - -Apps can take advantage of shared PC mode by changing their app behavior to align with temporary use scenarios. For example, an app might only download content on demand on a device in shared PC mode, or might skip first run experiences. For information on how an app can query for shared PC mode, see [SharedModeSettings class](https://msdn.microsoft.com/en-us/library/windows/apps/windows.system.profile.sharedmodesettings.aspx). - -###Customization -Shared PC mode exposes a set of customizations to tailor the behavior to your requirements. These customizations are the options that you'll set either using MDM or a provisioning package as explained in [Configuring shared PC mode on Windows](#configuring-shared-pc-mode-on-windows). The options are listed in the following table. - -| Setting | Value | -|:---|:---| -| EnableSharedPCMode | Set as **True**. If this is not set to **True**, shared PC mode is not turned on and none of the other settings apply. Some of the remaining settings in **SharedPC** are optional, but we strongly recommend that you also set `EnableAccountManager` to **True**. | -| AccountManagement: AccountModel | This option controls how users can sign-in on the PC. Choosing domain-joined will enable any user in the domain to sign-in. 
Specifying the guest option will add the **Start without an account** option to the sign-in screen and enable anonymous guest access to the PC.
        - **Only guest** allows anyone to use the PC as a local standard (non-admin) account.
        - **Domain-joined only** allows users to sign in with an Active Directory or Azure AD account.
        - **Domain-joined and guest** allows users to sign in with an Active Directory, Azure AD, or local standard account. | -| AccountManagement: DeletionPolicy | - **Delete immediately** will delete the account on sign-out.
        - **Delete at disk space threshold** will start deleting accounts when available disk space falls below the threshold you set for **DiskLevelDeletion**, and it will stop deleting accounts when the available disk space reaches the threshold you set for **DiskLevelCaching**. Accounts are deleted in order of oldest accessed to most recently accessed.

        Example: The caching number is 50 and the deletion number is 25. Accounts will be cached while the free disk space is above 25%. When the free disk space is less than 25% (the deletion number) at a maintenance period, accounts will be deleted (oldest last used first) until the free disk space is above 50% (the caching number). Accounts will be deleted immediately at sign off of an account if free space is under the deletion threshold and disk space is very low, regardless if the PC is actively in use or not. | -| AccountManagement: DiskLevelCaching | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account caching. | -| AccountManagement: DiskLevelDeletion | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account deletion. | -| AccountManagement: EnableAccountManager | Set as **True** to enable automatic account management. If this is not set to true, no automatic account management will be done. | -| Customization: MaintenanceStartTime | By default, the maintenance start time (which is when automatic maintenance tasks run, such as Windows Update) is midnight. You can adjust the start time in this setting by entering a new start time in minutes from midnight. For example, if you want maintenance to begin at 2 AM, enter `120` as the value. | -| Customization: SetEduPolicies | Set to **True** for PCs that will be used in a school. When **SetEduPolicies** is **True**, the following additional settings are applied:
        - Local storage locations are restricted. Users can only save files to the cloud.
        - Custom Start and taskbar layouts are set.\*
        - A custom sign-in screen background image is set.\*
        - Additional educational policies are applied (see full list below).

        \*Only applies to Windows 10 Pro Education, Enterprise, and Education | -| Customization: SetPowerPolicies | When set as **True**:
        - Prevents users from changing power settings
        - Turns off hibernate
        - Overrides all power state transitions to sleep (e.g. lid close) | -| Customization: SignInOnResume | This setting specifies if the user is required to sign in with a password when the PC wakes from sleep. | -| Customization: SleepTimeout | Specifies all timeouts for when the PC should sleep. Enter the amount of idle time in seconds. If you don't set sleep timeout, the default of 1 hour applies. | - - -##Configuring shared PC mode on Windows -You can configure Windows to be in shared PC mode in a couple different ways: -- Mobile device management (MDM): Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/mt723294.aspx). Your MDM policy can contain any of the options listed in the [Customization](#customization) section. The following image shows a Microsoft Intune policy with the shared PC options added as OMA-URI settings. [Learn more about Windows 10 policy settings in Microsoft Intune.](https://docs.microsoft.com/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune) - -![custom OMA-URI policy in Intune](images/oma-uri-shared-pc.png) - -- A provisioning package created with the Windows Imaging and Configuration Designer (ICD): You can apply a provisioning package when you initially set up the PC (also known as the out-of-box-experience or OOBE), or you can apply the provisioning package to a Windows 10 PC that is already in use. The provisioning package is created in Windows Imaging and Configuration Designer (ICD). Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/mt723294.aspx), exposed in ICD as SharedPC. 
- -![Shared PC settings in ICD](images/icd-adv-shared-pc.png) - - -### Create a provisioning package for shared use - -Use the Windows ICD tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package that configures a device for shared PC mode. [Install the ADK and select **Configuration Designer**.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) - -1. Open Windows ICD (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). - -2. On the **Start page**, select **Advanced provisioning**. - -3. Enter a name and (optionally) a description for the project, and click **Next**. - -4. Select **All Windows desktop editions**, and click **Next**. - -5. Click **Finish**. Your project opens in Windows ICD. - -6. Go to **Runtime settings** > **SharedPC**. [Select the desired settings for shared PC mode.](#customization) - -7. On the **File** menu, select **Save.** -8. On the **Export** menu, select **Provisioning package**. -9. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** -10. Set a value for **Package Version**. - > [!TIP] - > You can make changes to existing packages and change the version number to update previously applied packages. -   -11. (*Optional*) In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. - - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. - - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package. 
- - > [!IMPORTANT]   - > We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently. -   -12. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location. - Optionally, you can click **Browse** to change the default output location. -13. Click **Next**. -14. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status. - If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. -15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. - If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. - - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. - - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. -16. Select the **output location** link to go to the location of the package. 
You can provide that .ppkg to others through any of the following methods: - - - Shared network folder - - - SharePoint site - - - Removable media (USB/SD) (select this option to apply to a PC during initial setup) - - -### Apply the provisioning package - -You can apply the provisioning package to a PC during initial setup or to a PC that has already been set up. - -**During initial setup** -1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**. - - ![The first screen to set up a new PC](images/oobe.jpg) - -2. Insert the USB drive and press the Windows key five times. Windows Setup will recognize the drive and ask if you want to set up the device. If there is only one provisioning package on the USB drive, you don't need to press the Windows key five times, Windows will automatically ask you if you want to set up the device. Select **Set up**. - - ![Set up device?](images/setupmsg.jpg) - -3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**. - - ![Provision this device](images/prov.jpg) - -4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**. - - ![Choose a package](images/choose-package.png) - -5. Select **Yes, add it**. - - ![Do you trust this package?](images/trust-package.png) - -6. Read and accept the Microsoft Software License Terms. - - ![Sign in](images/license-terms.png) - -7. Select **Use Express settings**. - - ![Get going fast](images/express-settings.png) - -8. If the PC doesn't use a volume license, you'll see the **Who owns this PC?** screen. Select **My work or school owns it** and tap **Next**. - - ![Who owns this PC?](images/who-owns-pc.png) - -9. On the **Choose how you'll connect** screen, select **Join Azure AD** or **Join a domain** and tap **Next**. 
- - ![Connect to Azure AD](images/connect-aad.png) - -10. Sign in with your domain, Azure AD, or Office 365 account and password. When you see the progress ring, you can remove the USB drive. - - ![Sign in](images/sign-in-prov.png) - - -**After setup** - -On a desktop computer, navigate to **Settings** > **Accounts** > **Work access** > **Add or remove a management package** > **Add a package**, and selects the package to install. - -![add a package option](images/package.png) - -> [!NOTE] -> If you apply the setup file to a computer that has already been set up, existing accounts and data might be lost. - -## Guidance for accounts on shared PCs - -* We recommend no local admin accounts on the PC to improve the reliability and security of the PC. -* When a PC is set up in shared PC mode, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account managment happens automatically. Both Azure AD and Active Directory domain accounts are managed in this way. Any accounts created through **Start without an account** will also be deleted automatically at sign out. -* On a Windows PC joined to Azure Active Directory: - * By default, the account that joined the PC to Azure AD will have an admin account on that PC. Global administrators for the Azure AD domain will also have admin accounts on the PC. - * With Azure AD Premium, you can specify which accounts have admin accounts on a PC using the **Additional administrators on Azure AD Joined devices** setting on the Azure portal. -* Local accounts that already exist on a PC won’t be deleted when turning on shared PC mode. New local accounts that are created using **Settings > Accounts > Other people > Add someone else to this PC** after shared PC mode is turned on won't be deleted. However, any new local accounts created by the **Start without an account** selection on the sign-in screen (if enabled) will automatically be deleted at sign-out. 
-* If admin accounts are necessary on the PC - * Ensure the PC is joined to a domain that enables accounts to be signed on as admin, or - * Create admin accounts before setting up shared PC mode, or - * Create exempt accounts before signing out when turning shared pc mode on. -* The account management service supports accounts that are exempt from deletion. - * An account can be marked exempt from deletion by adding the account SID to the `HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\` registry key. - * To add the account SID to the registry key using PowerShell:
        - ``` - $adminName = "LocalAdmin" - $adminPass = 'Pa$$word123' - iex "net user /add $adminName $adminPass" - $user = New-Object System.Security.Principal.NTAccount($adminName) - $sid = $user.Translate([System.Security.Principal.SecurityIdentifier]) - $sid = $sid.Value; - New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\$sid" -Force - ``` - - - - -## Policies set by shared PC mode -Shared PC mode sets local group policies to configure the device. Some of these are configurable using the shared pc mode options. - -> [!IMPORTANT] -> It is not recommended to set additional policies on PCs configured for **Shared PC Mode**. The shared PC mode has been optimized to be fast and reliable over time with minimal to no manual maintenance required. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

        Policy name

        Value

        When set?

        Admin Templates > Control Panel > Personalization

        Prevent enabling lock screen slide show

        Enabled

        Always

        Prevent changing lock screen and logon image

        Enabled

        Always

        Admin Templates > System > Power Management > Button Settings

        Select the Power button action (plugged in)

        Sleep

        SetPowerPolicies=True

        Select the Power button action (on battery)

        Sleep

        SetPowerPolicies=True

        Select the Sleep button action (plugged in)

        Sleep

        SetPowerPolicies=True

        Select the lid switch action (plugged in)

        Sleep

        SetPowerPolicies=True

        Select the lid switch action (on battery)

        Sleep

        SetPowerPolicies=True

        Admin Templates > System > Power Management > Sleep Settings

        Require a password when a computer wakes (plugged in)

        Enabled

        SignInOnResume=True

        Require a password when a computer wakes (on battery)

        Enabled

        SignInOnResume=True

        Specify the system sleep timeout (plugged in)

        *SleepTimeout*

        SetPowerPolicies=True

        Specify the system sleep timeout (on battery)

        *SleepTimeout*

        SetPowerPolicies=True

        Turn off hybrid sleep (plugged in)

        Enabled

        SetPowerPolicies=True

        Turn off hybrid sleep (on battery)

        Enabled

        SetPowerPolicies=True

        Specify the unattended sleep timeout (plugged in)

        *SleepTimeout*

        SetPowerPolicies=True

        Specify the unattended sleep timeout (on battery)

        *SleepTimeout*

        SetPowerPolicies=True

        Allow standby states (S1-S3) when sleeping (plugged in)

        Enabled

        SetPowerPolicies=True

        Allow standby states (S1-S3) when sleeping (on battery)

        Enabled

        SetPowerPolicies=True

        Specify the system hibernate timeout (plugged in)

        Enabled, 0

        SetPowerPolicies=True

        Specify the system hibernate timeout (on battery)

        Enabled, 0

        SetPowerPolicies=True

        Admin Templates>System>Power Management>Video and Display Settings

        Turn off the display (plugged in)

        *SleepTimeout*

        SetPowerPolicies=True

        Turn off the display (on battery

        *SleepTimeout*

        SetPowerPolicies=True

        Admin Templates>System>Logon

        Show first sign-in animation

        Disabled

        Always

        Hide entry points for Fast User Switching

        Enabled

        Always

        Turn on convenience PIN sign-in

        Disabled

        Always

        Turn off picture password sign-in

        Enabled

        Always

        Turn off app notification on the lock screen

        Enabled

        Always

        Allow users to select when a password is required when resuming from connected standby

        Disabled

        SignInOnResume=True

        Block user from showing account details on sign-in

        Enabled

        Always

        Admin Templates>System>User Profiles

        Turn off the advertising ID

        Enabled

        SetEduPolicies=True

        Admin Templates>Windows Components

        Do not show Windows Tips

        *Only on Pro, Enterprise, Pro Education, and Education*

        Enabled

        SetEduPolicies=True

        Turn off Microsoft consumer experiences

        *Only on Pro, Enterprise, Pro Education, and Education*

        Enabled

        SetEduPolicies=True

        Microsoft Passport for Work

        Disabled

        Always

        Prevent the usage of OneDrive for file storage

        Enabled

        Always

        Admin Templates>Windows Components>Biometrics

        Allow the use of biometrics

        Disabled

        Always

        Allow users to log on using biometrics

        Disabled

        Always

        Allow domain users to log on using biometrics

        Disabled

        Always

        Admin Templates>Windows Components>Data Collection and Preview Builds

        Toggle user control over Insider builds

        Disabled

        Always

        Disable pre-release features or settings

        Disabled

        Always

        Do not show feedback notifications

        Enabled

        Always

        Admin Templates>Windows Components>File Explorer

        Show lock in the user tile menu

        Disabled

        Always

        Admin Templates>Windows Components>Maintenance Scheduler

        Automatic Maintenance Activation Boundary

        *MaintenanceStartTime*

        Always

        Automatic Maintenance Random Delay

        Enabled, 2 hours

        Always

        Automatic Maintenance WakeUp Policy

        Enabled

        Always

        Admin Templates>Windows Components>Microsoft Edge

        Open a new tab with an empty tab

        Disabled

        SetEduPolicies=True

        Configure corporate home pages

        Enabled, about:blank

        SetEduPolicies=True

        Admin Templates>Windows Components>Search

        Allow Cortana

        Disabled

        SetEduPolicies=True

        Windows Settings>Security Settings>Local Policies>Security Options

        Interactive logon: Do not display last user name

        Enabled, Disabled when account model is only guest

        Always

        Interactive logon: Sign-in last interactive user automatically after a system-initiated restart

        Disabled

        Always

        Shutdown: Allow system to be shut down without having to log on

        Disabled

        Always

        User Account Control: Behavior of the elevation prompt for standard users

        Auto deny

        Always



        - - - -## Related topics - -[Set up a device for anyone to use (kiosk)](set-up-a-device-for-anyone-to-use.md) - - -  - -  - - - - - diff --git a/windows/manage/windows-store-for-business-overview.md b/windows/manage/windows-store-for-business-overview.md index c2ce1d7706..a3a565c261 100644 --- a/windows/manage/windows-store-for-business-overview.md +++ b/windows/manage/windows-store-for-business-overview.md 
@@ -18,12 +18,12 @@ localizationpriority: high - Windows 10 - Windows 10 Mobile -With the new Windows Store for Business, organizations can make volume purchases of Windows apps. The Store for Business provides app purchases based on organizational identity, flexible distribution options, and the ability to reclaim or re-use licenses. Organizations can also use the Store for Business to create a private store for their employees that includes apps from the Store, as well private Line-of-Business (LOB) apps. +With Windows Store for Business, organizations can make volume purchases of Windows apps. The Store for Business provides app purchases based on organizational identity, flexible distribution options, and the ability to reclaim or re-use licenses. Organizations can also use the Store for Business to create a private store for their employees that includes apps from the Store, as well private Line-of-Business (LOB) apps. ## Features -Organizations of any size can benefit from using the Store for Business provides: +Organizations of any size can benefit from using the Store for Business: - **Scales to fit the size of your business** - For smaller businesses, with Azure AD accounts and Windows 10 devices, you can quickly have an end-to-end process for acquiring and distributing content using the Store for Business. For larger businesses, all the capabilities of the Store for Business are available to you, or you can integrate the Store for Business with management tools, for greater control over access to apps and app updates. You can use existing work or school accounts. @@ -47,7 +47,6 @@ Organizations of any size can benefit from using the Store for Business provides ## Prerequisites - You'll need this software to work with the Store for Business. ### Required 
@@ -78,7 +77,6 @@ While not required, you can use a management tool to distribute and manage apps. ## How does the Store for Business work? - ### Sign up! The first step for getting your organization started with the Store for Business is signing up. To sign up for the Business store, you need an Azure AD account and you must be a Global Administrator for your organization. @@ -89,50 +87,12 @@ For more information, see [Sign up for the Store for Business](../manage/sign-up After your admin signs up for the Store for Business, they can assign roles to other employees in your company. The admin needs Azure AD User Admin permissions to assign WSFB roles. These are the roles and their permissions. - ------- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        PermissionAccount settingsAcquire appsDistribute appsDevice Guard signing

        Admin

        X

        X

        X

        Purchaser

        X

        X

        Device Guard signer

        X

        - +| Permission | Account settings | Acquire apps | Distribute apps | Device Guard signing | +| ---------- | ---------------- | ------------ | --------------- | -------------------- | +| Admin | X | X | X | | +| Purchaser | | X | X | | +| Device Guard signer | | | | X | - In some cases, admins will need to add Azure Active Directory (AD) accounts for their employees. For more information, see [Manage user accounts and groups](../manage/manage-users-and-groups-windows-store-for-business.md). Also, if your organization plans to use a management tool, you’ll need to configure your management tool to sync with the Store for Business. @@ -292,6 +252,7 @@ Store for Business is currently available in these markets.

      2. Luxembourg
      3. Malaysia
      4. Malta
      5. +
      6. Mauritius
      7. Mexico
      8. Mongolia
      9. Montenegro
      10. @@ -313,12 +274,12 @@ Store for Business is currently available in these markets.
      11. Portugal
      12. Puerto Rico
      13. Qatar
      14. -
      15. Romania
      16. -
      17. Rwanda
      18. +
      19. Romania
        • +
        • Rwanda
        • Saint Kitts and Nevis
        • Saudi Arabia
        • Senegal
        • @@ -343,8 +304,7 @@ Store for Business is currently available in these markets.
        • Viet Nam
        • Virgin Islands, U.S.
        • Zambia
        • -
        • Zimbabwe
           
           
           
           
        • - +
        • Zimbabwe
                
@@ -367,7 +327,19 @@ Store for Business is currently available in these markets.
-
+## Privacy notice
+
+Microsoft Store for Business services get names and email addresses of people in your organization from Azure Active Directory. This information is needed for these admin functions:
+- Granting and managing permissions
+- Managing app licenses
+- Distributing apps to people (names appear in a list that admins can select from)
+
+Store for Business does not save names, or email addresses.
+
+Your use of Store for Business is also governed by the Store for Business Terms of Use.
+
+Information sent to Store for Business is subject to the [Store for Business Privacy Statement](https://privacy.microsoft.com/privacystatement/).
+
 ## ISVs and the Store for Business
diff --git a/windows/plan/TOC.md b/windows/plan/TOC.md
index 9bee9778e7..08c2baded5 100644
--- a/windows/plan/TOC.md
+++ b/windows/plan/TOC.md
@@ -1,4 +1,5 @@
 # [Plan for Windows 10 deployment](index.md)
+## [Windows 10 Enterprise FAQ for IT Pros](windows-10-enterprise-faq-itpro.md)
 ## [Windows 10 deployment considerations](windows-10-deployment-considerations.md)
 ## [Windows 10 compatibility](windows-10-compatibility.md)
 ## [Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md)
diff --git a/windows/plan/index.md b/windows/plan/index.md
index dfa19e4252..125db28968 100644
--- a/windows/plan/index.md
+++ b/windows/plan/index.md
@@ -16,6 +16,7 @@ Windows 10 provides new deployment capabilities, scenarios, and tools by buildi
 ## In this section
 |Topic |Description |
 |------|------------|
+|[Windows 10 Enterprise: FAQ for IT professionals](windows-10-enterprise-faq-itpro.md) | Get answers to common questions around compatibility, installation, and support for Windows 10 Enterprise. |
 |[Windows 10 deployment considerations](windows-10-deployment-considerations.md) |There are new deployment options in Windows 10 that help you simplify the deployment process and automate migration of existing settings and applications. |
 |[Windows 10 compatibility](windows-10-compatibility.md) |Windows 10 will be compatible with most existing PC hardware; most devices running Windows 7, Windows 8, or Windows 8.1 will meet the requirements for Windows 10. |
 |[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md) |There are specific infrastructure requirements to deploy and manage Windows 10 that should be in place prior to significant Windows 10 deployments within your organization. |
diff --git a/windows/plan/windows-10-enterprise-faq-itpro.md b/windows/plan/windows-10-enterprise-faq-itpro.md
new file mode 100644
index 0000000000..192d0910c6
--- /dev/null
+++ b/windows/plan/windows-10-enterprise-faq-itpro.md
@@ -0,0 +1,138 @@
+---
+title: Windows 10 Enterprise FAQ for IT pros (Windows 10)
+description: Get answers to common questions around compatibility, installation, and support for Windows 10 Enterprise.
+keywords: Windows 10 Enterprise, download, system requirements, drivers, appcompat, manage udpates, Windows as a service, servicing branches, deployment tools
+ms.prod: w10
+ms.mktglfcycl: plan
+localizationpriority: high
+ms.sitesec: library
+author:
+---
+
+# Windows 10 Enterprise: FAQ for IT professionals
+
+Get answers to common questions around compatibility, installation, and support for Windows 10 Enterprise.
+
+## Download and requirements
+
+### Where can I download Windows 10 Enterprise?
+
+If you have Windows volume licenses with Software Assurance, or if you have purchased licenses for Windows 10 Enterprise volume licenses, you can download 32-bit and 64-bit versions of Windows 10 Enterprise from the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). If you do not have current Software Assurance for Windows and would like to purchase volume licenses for Windows 10 Enterprise, contact your preferred Microsoft Reseller or see [How to purchase through Volume Licensing](https://www.microsoft.com/en-us/Licensing/how-to-buy/how-to-buy.aspx).
+
+### What are the system requirements?
+
+For details, see [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752).
+
+### What are the hardware requirements for Windows 10?
+
+Most computers that are compatible with Windows 8.1 will be compatible with Windows 10. You may need to install updated drivers in Windows 10 for your devices to properly function. See [Windows 10 specifications](https://www.microsoft.com/windows/windows-10-specifications) for more information.
+
+### Can I evaluate Windows 10 Enterprise?
+
+Yes, a 90-day evaluation of Windows 10 Enterprise is available through the [TechNet Evaluation Center](https://www.microsoft.com/en-us/evalcenter/evaluate-windows-10-enterprise). The evaluation is available in Chinese (Simplified), Chinese (Traditional), French, German, Italian, Japanese, Korean, Portuguese (Brazil), and Spanish (Spain, International Sort). We highly recommend that organizations make use of the Windows 10 Enterprise 90-day Evaluation to try out deployment and management scenarios, test compatibility with hardware and applications, and to get hands on experience with Windows 10 Enterprise features.
+
+## Drivers and compatibility
+
+### Where can I find drivers for my devices for Windows 10 Enterprise?
+
+For many devices, drivers will be automatically installed in Windows 10 and there will be no need for additional action.
+- For some devices, Windows 10 may be unable to install drivers that are required for operation. If your device drivers are not automatically installed, visit the manufacturer’s support website for your device to download and manually install the drivers. If Windows 10 drivers are not available, the most up-to-date drivers for Windows 8.1 will often work in Windows 10.
+- For some devices, the manufacturer may provide more up-to-date drivers or drivers that enable additional functionality than the drivers installed by Windows 10. Always follow the recommendations of the device manufacturer for optimal performance and stability.
+- Some computer manufacturers provide packs of drivers for easy implementation in management and deployment solutions like the Microsoft Deployment Toolkit (MDT) or Microsoft System Center Configuration Manager. These driver packs contain all of the drivers needed for each device and can greatly simplify the process of deploying Windows to a new make or model of computer.
Driver packs for some common manufacturers include:
+ - [HP driver pack](http://www8.hp.com/us/en/ads/clientmanagement/drivers-pack.html)
+ - [Dell driver packs for enterprise client OS deployment](http://en.community.dell.com/techcenter/enterprise-client/w/wiki/2065.dell-command-deploy-driver-packs-for-enterprise-client-os-deployment)
+ - [Lenovo Configuration Manager and MDT package index](https://support.lenovo.com/us/en/documents/ht074984)
+
+### Where can I find out if an application or device is compatible with Windows 10?
+
+Many existing Win32 and Win64 applications already run reliably on Windows 10 without any changes. You can also expect strong compatibility and support for Web apps and devices. The [Ready for Windows](https://www.readyforwindows.com/) website lists software solutions that are supported and in use for Windows 10. You can find additional guidance to help with application compatibility at [Windows 10 application compatibility](https://technet.microsoft.com/windows/mt703793) on the Windows IT Center.
+
+### Is there an easy way to assess if my organization’s devices are ready to upgrade to Windows 10?
+
+[Windows Upgrade Readiness](https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics) (formerly known as Upgrade Analytics) provides powerful insights and recommendations about the computers, applications, and drivers in your organization, at no extra cost and without additional infrastructure requirements. This new service guides you through your upgrade and feature update projects using a workflow based on Microsoft recommended practices. Up-to-date inventory data allows you to balance cost and risk in your upgrade projects.
+
+## Administration and deployment
+
+### Which deployment tools support Windows 10?
+
+Updated versions of Microsoft deployment tools, including MDT, Configuration Manager, and the Windows Assessment and Deployment Kit (Windows ADK) have been released to support Windows 10.
+- [MDT](http://www.microsoft.com/mdt) is Microsoft’s recommended collection of tools, processes, and guidance for automating desktop and server deployment.
+- Configuration Manager simplifies the deployment and management of Windows 10. If you are not currently using Configuration Manager, you can download a free 180-day trial of [System Center Configuration Manager and Endpoint Protection (current branch)](https://www.microsoft.com/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection) from the TechNet Evaluation Center.
+- The [Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit#winADK) has tools that allow you to customize Windows images for large-scale deployment, and test system quality and performance. You can download the latest version of the Windows ADK for Windows 10 from the Hardware Dev Center.
+
+### Can I upgrade computers from Windows 7 or Windows 8.1 without deploying a new image?
+
+Computers running Windows 7 or Windows 8.1 can be upgraded directly to Windows 10 through the in-place upgrade process without a need to reimage the device using MDT and/or Configuration Manager. For more information, see [Upgrade to Windows 10 with System Center Configuration Manager](https://technet.microsoft.com/itpro/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager) or [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](https://technet.microsoft.com/itpro/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit).
+
+### Are there any deployment tools available to support Windows 10?
+
+Updated versions of Microsoft deployment tools, including Configuration Manager, MDT, and the Windows Assessment and Deployment Kit (Windows ADK) have been released adding support for Windows 10. For most organizations currently using MDT or Configuration Manager to deploy Windows, deployment of Windows 10 will change very little.
+
+For more information on deployment methods for Windows 10, see [Windows 10 deployment tools](https://technet.microsoft.com/library/mt297512.aspx) and [Windows 10 deployment scenarios](https://technet.microsoft.com/library/mt282208.aspx).
+
+### Can I upgrade from Windows 7 Enterprise or Windows 8.1 Enterprise to Windows 10 Enterprise for free?
+
+If you have Windows 7 Enterprise or Windows 8.1 Enterprise and current Software Assurance, you are entitled to the upgrade to Windows 10 Enterprise through the rights of Software Assurance. You can find your product keys and installation media at the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx).
+
+For devices that are licensed under a volume license agreement for Windows that does not include Software Assurance, new licenses will be required to upgrade these devices to Windows 10.
+
+## Managing updates
+
+### What is Windows as a service?
+
+The Windows 10 operating system introduces a new way to build, deploy, and service Windows: Windows as a service. Microsoft has reimagined each part of the process, to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers. These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time. For more information, see [Overview of Windows as a service](https://technet.microsoft.com/itpro/windows/manage/waas-overview).
+
+### How is servicing different with Windows as a service?
+
+Traditional Windows servicing has included several release types: major revisions (e.g., the Windows 8.1, Windows 8, and Windows 7 operating systems), service packs, and monthly updates.
With Windows 10, there are two release types: feature updates that add new functionality two to three times per year, and quality updates that provide security and reliability fixes at least once a month.
+
+### What are the servicing branches?
+
+To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing branches to allow customers to designate how aggressively their individual devices are updated. For example, an organization may have test devices that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity. With that in mind, Microsoft offers three servicing branches for Windows 10: Current Branch (CB), Current Branch for Business (CBB), and Long-Term Servicing Branch (LTSB). For details about the versions in each servicing branch, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx). For more information on each branch, see [servicing branches](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-overview#servicing-branches).
+
+### What tools can I use to manage Windows as a service updates?
+
+There are many tools are available. You can choose from these:
+- Windows Update
+- Windows Update for Business
+- Windows Server Update Services
+- System Center Configuration Manager
+
+For more information on pros and cons for these tools, see [Servicing Tools](https://technet.microsoft.com/itpro/windows/manage/waas-overview#servicing-branches).
+
+## User experience
+
+### Where can I find information about new features and changes in Windows 10 Enterprise?
+
+For an overview of the new enterprise features in Windows 10 Enterprise, see [What's new in Windows 10](https://technet.microsoft.com/itpro/windows/whats-new/index) and [What's new in Windows 10, version 1703](https://tnstage.redmond.corp.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1703?branch=rs2) in the TechNet library. You can find information You'll find info on features like these:
+- Modern deployment - Zero-touch deployment, bulk AD enrollment with provisioning, UEFI conversion tooland
+- Windows Analytics - Upgrade Readiness, and Update Compliance
+- Windows as a service enhancements - Differential feature update support, express update support for System Center Configuration Manager and third-party management software
+- Mobile application management (MAM) and enhanced MDM
+- Advanced security with Windows Defender - App Guard, Credential Guard, App Control, ATP) and Windows Hello
+
+Another place to track the latest information about new features of interest to IT professionals is the [Windows for IT Pros blog](https://blogs.technet.microsoft.com/windowsitpro/). Here you’ll find announcements of new features, information on updates to the Windows servicing model, and details about the latest resources to help you more easily deploy and manage Windows 10.
+
+To find out which version of Windows 10 is right for your organization, you can also [compare Windows editions](https://www.microsoft.com/WindowsForBusiness/Compare).
+
+### How will people in my organization adjust to using Windows 10 Enterprise after upgrading from Windows 7 or Windows 8.1?
+
+Windows 10 combines the best aspects of the user experience from Windows 8.1 and Windows 7 to make using Windows simple and straightforward. Users of Windows 7 will find the Start menu in the same location as they always have.
In the same place, users of Windows 8.1 will find the live tiles from their Start screen, accessible by the Start button in the same way as they were accessed in Windows 8.1. To help you make the transition a seamless one, download the [Windows 10 for Business Onboarding Kit](https://blogs.technet.microsoft.com/windowsitpro/2016/06/28/windows-10-for-business-onboarding-kit/) and see our [end user readiness](https://technet.microsoft.com/windows/dn621092) resources.
+
+### How does Windows 10 help people work with applications and data across a variety of devices?
+
+The desktop experience in Windows 10 has been improved to provide a better experience for people that use a traditional mouse and keyboard. Key changes include:
+- Start menu is a launching point for access to apps.
+- Universal apps now open in windows instead of full screen.
+- [Multitasking is improved with adjustable Snap](http://blogs.windows.com/bloggingwindows/2015/06/04/arrange-your-windows-in-a-snap/), which allows you to have more than two windows side-by-side on the same screen and to customize how those windows are arranged.
+- Tablet Mode to simplify using Windows with a finger or pen by using touch input.
+
+## Help and support
+
+### Where can I ask a question about Windows 10?
+
+Use the following resources for additional information about Windows 10.
+- If you are an IT professional or if you have a question about administering, managing, or deploying Windows 10 in your organization or business, visit the [Windows 10 IT Professional forums](https://social.technet.microsoft.com/forums/home?category=windows10itpro) on TechNet.
+- If you are an end user or if you have a question about using Windows 10, visit the [Windows 10 forums on Microsoft Community](http://answers.microsoft.com/windows/forum/windows_10).
+- If you are a developer or if you have a question about making apps for Windows 10, visit the [Windows Desktop Development forums](https://social.msdn.microsoft.com/forums/en-us/home?category=windowsdesktopdev) or [Windows and Windows phone apps forums](https://social.msdn.microsoft.com/forums/en-us/home?category=windowsapps) on MSDN.
+- If you have a question about Internet Explorer, visit the [Internet Explorer forums](https://social.technet.microsoft.com/forums/ie/en-us/home) on TechNet.
\ No newline at end of file
diff --git a/windows/update/images/waas-wufb-settings-branch.jpg b/windows/update/images/waas-wufb-settings-branch.jpg
new file mode 100644
index 0000000000..7dfb770d4a
Binary files /dev/null and b/windows/update/images/waas-wufb-settings-branch.jpg differ
diff --git a/windows/update/images/waas-wufb-settings-defer.jpg b/windows/update/images/waas-wufb-settings-defer.jpg
new file mode 100644
index 0000000000..5e6c58a101
Binary files /dev/null and b/windows/update/images/waas-wufb-settings-defer.jpg differ
diff --git a/windows/update/images/waas-wufb-update-compliance.png b/windows/update/images/waas-wufb-update-compliance.png
new file mode 100644
index 0000000000..0c1bbaea7c
Binary files /dev/null and b/windows/update/images/waas-wufb-update-compliance.png differ
diff --git a/windows/update/waas-configure-wufb.md b/windows/update/waas-configure-wufb.md
index dc56767535..f6029dff92 100644
--- a/windows/update/waas-configure-wufb.md
+++ b/windows/update/waas-configure-wufb.md
@@ -18,7 +18,7 @@ localizationpriority: high
 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
-You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this topic provide the Group Policy and MDM policies for both Windows 10, version 1511, and Windows 10, version 1607. The MDM policies use the OMA-URI setting from the [Policy CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx).
+You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this topic provide the Group Policy and MDM policies for Windows 10, version 1511 and above. The MDM policies use the OMA-URI setting from the [Policy CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx).
 >[!IMPORTANT]
 >For Windows Update for Business policies to be honored, the Telemetry level of the device must be set to **1 (Basic)** or higher. If it is set to **0 (Security)**, Windows Update for Business policies will have no effect. For instructions, see [Configure the operating system telemetry level](https://technet.microsoft.com/en-us/itpro/windows/manage/configure-windows-telemetry-in-your-organization#configure-the-operating-system-telemetry-level).
@@ -32,27 +32,35 @@ By grouping devices with similar deferral periods, administrators are able to cl >[!TIP] >In addition to setting up multiple rings for your update deployments, also incorporate devices enrolled in the Windows Insider Program as part of your deployment strategy. This will provide you the chance to not only evaluate new features before they are broadly available to the public, but it also increases the lead time to provide feedback and influence Microsoft’s design on functional aspects of the product. For more information on Windows Insider program, see [https://insider.windows.com/](https://insider.windows.com/). - + ## Configure devices for Current Branch (CB) or Current Branch for Business (CBB) -With Windows Update for Business, you can set a device to be on either the Current Branch (CB) or the Current Branch for Business (CBB) servicing branch. For more information on this servicing model, see [Windows 10 servicing options](https://technet.microsoft.com/en-us/itpro/windows/manage/introduction-to-windows-10-servicing). +With Windows Update for Business, you can set a device to be on either the Current Branch (CB) or the Current Branch for Business (CBB) servicing branch. For more information on this servicing model, see [Windows 10 servicing options](waas-overview.md#servicing-branches). **Release branch policies** | Policy | Sets registry key under **HKLM\Software** | | --- | --- | -| GPO for version 1607:
        Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\BranchReadinessLevel | +| GPO for version 1607 and above:
        Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\BranchReadinessLevel | | GPO for version 1511:
        Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpgrade | -| MDM for version 1607:
        ../Vendor/MSFT/Policy/Config/Update/
        **BranchReadinessLevel** | \Microsoft\PolicyManager\default\Update\BranchReadinessLevel | +| MDM for version 1607 and above:
        ../Vendor/MSFT/Policy/Config/Update/
        **BranchReadinessLevel** | \Microsoft\PolicyManager\default\Update\BranchReadinessLevel | | MDM for version 1511:
        ../Vendor/MSFT/Policy/Config/Update/
        **RequireDeferredUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpgrade |
+Starting with version 1703, users are able to configure their device's branch readiness level, by going to **Settings > Update & security > Windows Update > Advanced options**.
+
+![Branch readiness level setting](images/waas-wufb-settings-branch.jpg)
+
+>[!NOTE]
+>Users will not be able to change this setting if it was configured by policy.
 ## Configure when devices receive Feature Updates
-After you configure the servicing branch (CB or CBB), you can then define if, and for how long, you would like to defer receiving Feature Updates following their availability from Microsoft on Windows Update. You can defer receiving these Feature Updates for a period of 180 days from their release by setting the `DeferFeatureUpdatesPeriodinDays` value.
+After you configure the servicing branch (CB or CBB), you can then define if, and for how long, you would like to defer receiving Feature Updates following their availability from Microsoft on Windows Update. You can defer receiving these Feature Updates for a period of up to 365 days from their release by setting the `DeferFeatureUpdatesPeriodinDays` value.
 >[!IMPORTANT]
 >This policy does not apply to Windows 10 Mobile Enterprise.
+>
+>You can only defer up to 180 days prior to version 1703.
 **Examples**
@@ -66,16 +74,28 @@ After you configure the servicing branch (CB or CBB), you can then define if, an
 | Policy | Sets registry key under **HKLM\Software** |
 | --- | --- |
-| GPO for version 1607:
        Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdates
        \Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdatesPeriodInDays | +| GPO for version 1607 and above:
        Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdates
        \Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdatesPeriodInDays | | GPO for version 1511:
        Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpgradePeriod | -| MDM for version 1607:
        ../Vendor/MSFT/Policy/Config/Update/
        **DeferFeatureUpdatesPeriodInDays** | \Microsoft\PolicyManager\default\Update\DeferFeatureUpdatesPeriodInDays | +| MDM for version 1607 and above:
        ../Vendor/MSFT/Policy/Config/Update/
        **DeferFeatureUpdatesPeriodInDays** | \Microsoft\PolicyManager\default\Update\DeferFeatureUpdatesPeriodInDays | | MDM for version 1511:
        ../Vendor/MSFT/Policy/Config/Update/
        **DeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpgrade |
+>[!NOTE]
+>If not configured by policy, users can defer feature updates, by going to **Settings > Update & security > Windows Update > Advanced options**.
 ## Pause Feature Updates
 You can also pause a device from receiving Feature Updates by a period of up to 60 days from when the value is set. After 60 days has passed, pause functionality will automatically expire and the device will scan Windows Update for applicable Feature Updates. Following this scan, Feature Updates for the device can then be paused again.
+Starting with version 1703, when configuring pause through policy, a start date has to be set from which the pause begins. The pause period will be calculated by adding 60 days to the start date.
+
+In cases where the pause policy is first applied after the configured start date has passed, administrators will be able to extend the pause period up to a total of 60 days by configuring a later start date.
+
+With version 1703, pause will provide a more consistent experience:
+- Any active restart notification are cleared or closed
+- Any pending restarts are canceled
+- Any pending update installations are canceled
+- Any update installation running when pause is activated will attempt to rollback
+
 >[!IMPORTANT]
 >This policy does not apply to Windows 10 Mobile Enterprise.
@@ -83,12 +103,11 @@ You can also pause a device from receiving Feature Updates by a period of up to
 | Policy | Sets registry key under **HKLM\Software** |
 | --- | --- |
-| GPO for version 1607:
        Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdates | +| GPO for version 1607 and above:
        Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | **1607:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdates
        **1703:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdatesStartDate | | GPO for version 1511:
        Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\Pause | -| MDM for version 1607:
        ../Vendor/MSFT/Policy/Config/Update/
        **PauseFeatureUpdates** | \Microsoft\PolicyManager\default\Update\PauseFeatureUpdates | +| MDM for version 1607 and above:
        ../Vendor/MSFT/Policy/Config/Update/
        **PauseFeatureUpdates** | **1607:** \Microsoft\PolicyManager\default\Update\PauseFeatureUpdates
        **1703:** \Microsoft\PolicyManager\default\Update\PauseFeatureUpdatesStartDate | | MDM for version 1511:
        ../Vendor/MSFT/Policy/Config/Update/
        **DeferUpgrade** | \Microsoft\PolicyManager\default\Update\Pause |
-
 You can check the date Feature Updates were paused at by checking the registry key **PausedFeatureDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
 The local group policy editor (GPEdit.msc) will not reflect if your Feature Update Pause period has expired. Although the device will resume Feature Updates after 60 days automatically, the pause checkbox will remain checked in the policy editor. To see if a device has auto-resumed taking Feature Updates, you can check the status registry key **PausedFeatureStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
@@ -99,6 +118,8 @@ The local group policy editor (GPEdit.msc) will not reflect if your Feature Upda
 | 1 | Feature Updates paused |
 | 2 | Feature Updates have auto-resumed after being paused |
+>[!NOTE]
+>If not configured by policy, users can pause feature updates, by going to **Settings > Update & security > Windows Update > Advanced options**.
 ## Configure when devices receive Quality Updates
@@ -113,16 +134,28 @@ You can set your system to receive updates for other Microsoft products—known
 | Policy | Sets registry key under **HKLM\Software** |
 | --- | --- |
-| GPO for version 1607:
        Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Quality Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdates
        \Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdatesPeriodInDays | +| GPO for version 1607 and above:
        Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Quality Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdates
        \Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdatesPeriodInDays | | GPO for version 1511:
        Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpdatePeriod | -| MDM for version 1607:
        ../Vendor/MSFT/Policy/Config/Update/
        **DeferQualityUpdatesPeriodInDays** | \Microsoft\PolicyManager\default\Update\DeferQualityUpdatesPeriodInDays | +| MDM for version 1607 and above:
        ../Vendor/MSFT/Policy/Config/Update/
        **DeferQualityUpdatesPeriodInDays** | \Microsoft\PolicyManager\default\Update\DeferQualityUpdatesPeriodInDays | | MDM for version 1511:
        ../Vendor/MSFT/Policy/Config/Update/
        **DeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpdate |
+>[!NOTE]
+>If not configured by policy, users can defer quality updates, by going to **Settings > Update & security > Windows Update > Advanced options**.
 ## Pause Quality Updates
 You can also pause a system from receiving Quality Updates for a period of up to 35 days from when the value is set. After 35 days has passed, pause functionality will automatically expire and the system will scan Windows Updates for applicable Quality Updates. Following this scan, Quality Updates for the device can then be paused again.
+Starting with version 1703, when configuring pause through policy, a start date has to be set from which the pause begins. The pause period will be calculated by adding 35 days to the start date.
+
+In cases where the pause policy is first applied after the configured start date has passed, administrators will be able to extend the pause period up to a total of 35 days by configuring a later start date.
+
+With version 1703, pause will provide a more consistent experience:
+- Any active restart notification are cleared or closed
+- Any pending restarts are canceled
+- Any pending update installations are canceled
+- Any update installation running when pause is activated will attempt to rollback
+
 >[!IMPORTANT]
 >This policy pauses both Feature and Quality Updates on Windows 10 Mobile Enterprise.
@@ -130,12 +163,11 @@ You can also pause a system from receiving Quality Updates for a period of up to
 | Policy | Sets registry key under **HKLM\Software** |
 | --- | --- |
-| GPO for version 1607:
        Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Quality Updates are received** |\Policies\Microsoft\Windows\WindowsUpdate\PauseQualityUpdates | +| GPO for version 1607 and above:
        Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Quality Updates are received** |**1607:** \Policies\Microsoft\Windows\WindowsUpdate\PauseQualityUpdates
        **1703:** \Policies\Microsoft\Windows\WindowsUpdate\PauseQualityUpdatesStartTime | | GPO for version 1511:
        Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\Pause | -| MDM for version 1607:
        ../Vendor/MSFT/Policy/Config/Update/
        **PauseQualityUpdates** | \Microsoft\PolicyManager\default\Update\PauseQualityUpdates | +| MDM for version 1607 and above:
        ../Vendor/MSFT/Policy/Config/Update/
        **PauseQualityUpdates** | **1607:** \Microsoft\PolicyManager\default\Update\PauseQualityUpdates
        **1703:** \Microsoft\PolicyManager\default\Update\PauseQualityUpdatesStartTime | | MDM for version 1511:
        ../Vendor/MSFT/Policy/Config/Update/
        **DeferUpgrade** | \Microsoft\PolicyManager\default\Update\Pause | - You can check the date that Quality Updates were paused at by checking the registry key **PausedQualityDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**. The local group policy editor (GPEdit.msc) will not reflect if your Quality Update Pause period has expired. Although the device will resume Quality Updates after 35 days automatically, the pause checkbox will remain checked in the policy editor. To see if a device has auto-resumed taking Quality Updates, you can check the status registry key **PausedQualityStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
@@ -146,22 +178,23 @@ The local group policy editor (GPEdit.msc) will not reflect if your Quality Upda | 1 | Quality Updates paused | | 2 | Quality Updates have auto-resumed after being paused | +>[!NOTE] +>If not configured by policy, users can pause quality updates, by going to **Settings > Update & security > Windows Update > Advanced options**. + ## Exclude drivers from Quality Updates -In Windows 10, version 1607, you can selectively option out of receiving driver update packages as part of your normal quality update cycle. This policy will not pertain to updates to inbox drivers (which will be packaged within a security or critical update) or to Feature Updates, where drivers may be dynamically installed to ensure the Feature Update process can complete. +In Windows 10, starting with version 1607, you can selectively option out of receiving driver update packages as part of your normal quality update cycle. This policy will not pertain to updates to inbox drivers (which will be packaged within a security or critical update) or to Feature Updates, where drivers may be dynamically installed to ensure the Feature Update process can complete. **Exclude driver policies** | Policy | Sets registry key under **HKLM\Software** | | --- | --- | -| GPO for version 1607:
        Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Do not include drivers with Windows Updates** | \Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversInQualityUpdate | -| MDM for version 1607:
        ../Vendor/MSFT/Policy/Config/Update/
        **ExcludeWUDriversInQualityUpdate** | \Microsoft\PolicyManager\default\Update\ExcludeWUDriversInQualityUpdate | +| GPO for version 1607 and above:
        Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Do not include drivers with Windows Updates** | \Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversInQualityUpdate | +| MDM for version 1607 and above:
        ../Vendor/MSFT/Policy/Config/Update/
        **ExcludeWUDriversInQualityUpdate** | \Microsoft\PolicyManager\default\Update\ExcludeWUDriversInQualityUpdate | +## Summary: MDM and Group Policy for version 1703 - -## Summary: MDM and Group Policy for version 1607 - -Below are quick-reference tables of the supported Windows Update for Business policy values for Windows 10, version 1607. +Below are quick-reference tables of the supported Windows Update for Business policy values for Windows 10, version 1607 and above. **GPO: HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate**
@@ -169,11 +202,11 @@ Below are quick-reference tables of the supported Windows Update for Business po | --- | --- | --- | | BranchReadinessLevel | REG_DWORD | 16: systems take Feature Updates for the Current Branch (CB)
        32: systems take Feature Updates for the Current Branch for Business (CBB)
        Note: Other value or absent: receive all applicable updates (CB) | | DeferQualityUpdates | REG_DWORD | 1: defer quality updates
        Other value or absent: don’t defer quality updates | -| DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-30: defer quality updates by given days | -| PauseQualityUpdates | REG_DWORD | 1: pause quality updates
        Other value or absent: don’t pause quality updates | +| DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-35: defer quality updates by given days | +| PauseQualityUpdatesStartDate | REG_DWORD | 1: pause quality updates
        Other value or absent: don’t pause quality updates | |DeferFeatureUpdates | REG_DWORD | 1: defer feature updates
        Other value or absent: don’t defer feature updates | -| DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-180: defer feature updates by given days | -| PauseFeatureUpdates | REG_DWORD |1: pause feature updates
        Other value or absent: don’t pause feature updates | +| DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-365: defer feature updates by given days | +| PauseFeatureUpdatesStartDate | REG_DWORD |1: pause feature updates
        Other value or absent: don’t pause feature updates | | ExcludeWUDriversInQualityUpdate | REG_DWORD | 1: exclude Windows Update drivers
        Other value or absent: offer Windows Update drivers |
@@ -182,19 +215,19 @@ Below are quick-reference tables of the supported Windows Update for Business po | MDM Key | Key type | Value | | --- | --- | --- | | BranchReadinessLevel | REG_DWORD | 16: systems take Feature Updates for the Current Branch (CB)
        32: systems take Feature Updates for the Current Branch for Business (CBB)
        Note: Other value or absent: receive all applicable updates (CB) | -| DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-30: defer quality updates by given days | -| PauseQualityUpdates | REG_DWORD | 1: pause quality updates
        Other value or absent: don’t pause quality updates | -| DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-180: defer feature updates by given days | -| PauseFeatureUpdates | REG_DWORD | 1: pause feature updates
        Other value or absent: don’t pause feature updates | +| DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-35: defer quality updates by given days | +| PauseQualityUpdatesStartDate | REG_DWORD | 1: pause quality updates
        Other value or absent: don’t pause quality updates | +| DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-365: defer feature updates by given days | +| PauseFeatureUpdatesStartDate | REG_DWORD | 1: pause feature updates
        Other value or absent: don’t pause feature updates | | ExcludeWUDriversinQualityUpdate | REG_DWORD | 1: exclude Windows Update drivers
        Other value or absent: offer Windows Update drivers | -## Update devices from Windows 10, version 1511 to version 1607 +## Update devices to newer versions -Due to the changes in the Windows Update for Business feature set, Windows 10, version 1607, uses different GPO and MDM keys than those available in version 1511. However,Windows Update for Business clients running version 1511 will still see their policies honored after they update to version 1607; the old policy keys will continue to exist with their values ported forward during the update. Following the update to version 1607, it should be noted that only the version 1511 keys will be populated and not the new version 1607 keys, until the newer keys are explicitly defined on the device by the administrator. +Due to the changes in the Windows Update for Business feature set, Windows 10, version 1607, uses different GPO and MDM keys than those available in version 1511. Windows 10, version 1703, is also using a few new GPO and MDM keys than those available in version 1607. However,Windows Update for Business clients running version older versions will still see their policies honored after they update to a newer version; the old policy keys will continue to exist with their values ported forward during the update. Following the update to a newer version, it should be noted that only the old keys will be populated and not the new version keys, until the newer keys are explicitly defined on the device by the administrator. -### How version 1511 policies are respected on version 1607 +### How older version policies are respected on newer versions -When a client running version 1607 sees an update available on Windows Update, the client will first evaluate and execute against the Windows Updates for Business policy keys for version 1607. If these are not present, it will then check to see if any of the version 1511 keys are set and defer accordingly. 
Update keys for version 1607 will always supersede the version 1511 equivalent. +When a client running a newer version sees an update available on Windows Update, the client will first evaluate and execute against the Windows Updates for Business policy keys for it's version. If these are not present, it will then check to see if any of the older version keys are set and defer accordingly. Update keys for newer versions will always supersede the older equivalent. ### Comparing the version 1511 keys to the version 1607 keys
@@ -209,9 +242,12 @@ Enabling allows user to set deferral periods for upgrades and updates. It also **RequireDeferUpgade**: *bool*
           Puts the device on CBB (no ability to defer updates while on the CB branch).

        **DeferUpgradePeriod**: *0 - 8 months*

        **DeferUpdatePeriod**: *1 – 4 weeks*

        **PauseDeferrals**: *bool*
           Enabling will pause both upgrades and updates for a max of 35 days**BranchReadinessLevel**
           Set system on CB or CBB

        **DeferFeatureUpdatesPeriodinDays**: *1 - 180 days*

        **PauseFeatureUpdates**: *enable/disable*
           Enabling will pause Feature updates for a max of 60 days

        **DeferQualityUpdatesPeriodinDays**: *0 - 30 days*

        **PauseQualityUpdates**: *enable/disable*
            Enabling will pause Quality updates for a max of 35 days

        **ExcludeWUDriversInQualityUpdate**: *enable/disable<*/td> +### Comparing the version 1607 keys to the version 1703 keys - - +| Version 1607 key | Version 1703 key | +| --- | --- | +| PauseFeatureUpdates | PauseFeatureUpdatesStartTime | +| PauseQualityUpdates | PauseQualityUpdatesStartTime | ## Related topics
diff --git a/windows/update/waas-delivery-optimization.md b/windows/update/waas-delivery-optimization.md
index 1522b12876..ffc4f91f43 100644
--- a/windows/update/waas-delivery-optimization.md
+++ b/windows/update/waas-delivery-optimization.md 
@@ -37,19 +37,24 @@ In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimiz Several Delivery Optimization features are configurable: -| Group Policy setting | MDM setting | -| --- | --- | -| [Download mode](#download-mode) | DODownloadMode | -| [Group ID](#group-id) | DOGroupID | -| [Max Cache Age](#max-cache-age) | DOMaxCacheAge | -| [Max Cache Size](#max-cache-size) | DOMaxCacheSize | -| [Absolute Max Cache Size](#absolute-max-cache-size) | DOAbsoluteMaxCacheSize | -| [Modify Cache Drive](#modify-cache-drive) | DOModifyCacheDrive | -| [Maximum Download Bandwidth](#maximum-download-bandwidth) | DOMaxDownloadBandwidth | -| [Percentage of Maximum Download Bandwidth](#percentage-of-maximum-download-bandwidth) | DOPercentageMaxDownloadBandwidth | -| [Max Upload Bandwidth](#max-upload-bandwidth) | DOMaxUploadBandwidth | -| [Monthly Upload Data Cap](#monthly-upload-data-cap) | DOMonthlyUploadDataCap | -| [Minimum Background QoS](#minimum-background-qos) | DOMinBackgroundQoS | +| Group Policy setting | MDM setting | Supported from version | +| --- | --- | --- | +| [Download mode](#download-mode) | DODownloadMode | 1511 | +| [Group ID](#group-id) | DOGroupID | 1511 | +| [Minimum RAM (inclusive) allowed to use Peer Caching](#minimum-ram-allowed-to-use-peer-caching) | DOMinRAMAllowedToPeer | 1703 | +| [Minimum disk size allowed to use Peer Caching](#minimum-disk-size-allowed-to-use-peer-caching) | DOMinDiskSizeAllowedToPeer | 1703 | +| [Max Cache Age](#max-cache-age) | DOMaxCacheAge | 1511 | +| [Max Cache Size](#max-cache-size) | DOMaxCacheSize | 1511 | +| [Absolute Max Cache Size](#absolute-max-cache-size) | DOAbsoluteMaxCacheSize | 1607 | +| [Modify Cache Drive](#modify-cache-drive) | DOModifyCacheDrive | 1607 | +| [Minimum Peer Caching Content File Size](#minimum-peer-caching-content-file-size) | DOMinFileSizeToCache | 1703 | +| [Maximum Download Bandwidth](#maximum-download-bandwidth) | DOMaxDownloadBandwidth | 1607 | +| [Percentage of Maximum 
Download Bandwidth](#percentage-of-maximum-download-bandwidth) | DOPercentageMaxDownloadBandwidth | 1607 | +| [Max Upload Bandwidth](#max-upload-bandwidth) | DOMaxUploadBandwidth | 1607 | +| [Monthly Upload Data Cap](#monthly-upload-data-cap) | DOMonthlyUploadDataCap | 1607 | +| [Minimum Background QoS](#minimum-background-qos) | DOMinBackgroundQoS | 1607 | +| [Enable Peer Caching while the device connects via VPN](#enable-peer-caching-while-the-device-connects-via-vpn) | DOAllowVPNPeerCaching | 1703 | +| [Allow uploads while the device is on battery while under set Battery level](#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) | DOMinBatteryPercentageAllowedToUpload | 1703 | When configuring Delivery Optimization on Windows 10 devices, the first and most important thing to configure, would be [Download mode](#download-mode). Download mode dictates how Delivery Optimization downloads Windows updates. 
@@ -65,12 +70,20 @@ Delivery Optimization uses locally cached updates. In cases where devices have a >[!NOTE] >It is possible to configure preferred cache devices. For more information, see [Set “preferred” cache devices for Delivery Optimization](#set-preferred-cache-devices). +All cached files have to be above a set minimum size. This size is automatically set by the Delivery Optimization cloud services. Administrators may choose to change it, which will result in increased performance, when local storage is sufficient and the network isn't strained or congested. [Minimum Peer Caching Content File Size](#minimum-peer-caching-content-file-size) determines the minimum size of files to be cached. + There are additional options available to robustly control the impact Delivery Optimization has on your network: - [Maximum Download Bandwidth](#maximum-download-bandwidth) and [Percentage of Maximum Download Bandwidth](#percentage-of-maximum-download-bandwidth) controls the download bandwidth used by Delivery Optimization. - [Max Upload Bandwidth](#max-upload-bandwidth) controls the Delivery Optimization upload bandwidth usage. - [Monthly Upload Data Cap](#monthly-upload-data-cap) controls the amount of data a client can upload to peers per month. - [Minimum Background QoS](#minimum-background-qos) lets administrators guarantee a minimum download speed for Windows updates. This is achieved by adjusting the amount of data downloaded directly from Windows Update or WSUS servers, rather than other peers in the network. +Various controls allow administrators to further customize scenarios where Delivery Optimization will be used: +- [Minimum RAM (inclusive) allowed to use Peer Caching](#minimum-ram-allowed-to-use-peer-caching) sets the minimum RAM required for peer caching to be enabled. +- [Minimum disk size allowed to use Peer Caching](#minimum-disk-size-allowed-to-use-peer-caching) sets the minimum disk size required for peer caching to be enabled. 
+- [Enable Peer Caching while the device connects via VPN](#enable-peer-caching-while-the-device-connects-via-vpn) allows clients connected through VPN to use peer caching. +- [Allow uploads while the device is on battery while under set Battery level](#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) controls the minimum battery level required for uploads to occur. Enabling this policy is required to allow upload while on battery. + ### How Microsoft uses Delivery Optimization In Microsoft, to help ensure that ongoing deployments weren’t affecting our network and taking away bandwidth for other services, Microsoft IT used a couple of different bandwidth management strategies. Delivery Optimization, peer-to-peer caching enabled through Group Policy, was piloted and then deployed to all managed devices using Group Policy. Based on recommendations from the Delivery Optimization team, we used the "group" configuration to limit sharing of content to only the devices that are members of the same Active Directory domain. The content is cached for 24 hours. More than 76 percent of content came from peer devices versus the Internet. 
@@ -99,8 +112,23 @@ Download mode dictates which download sources clients are allowed to use when do By default, peer sharing on clients using the group download mode is limited to the same domain in Windows 10, version 1511, and the same domain and AD DS site in Windows 10, version 1607. By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization but do not fall within those domain or AD DS site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example create a sub-group representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to peer. This setting requires the custom group to be specified as a GUID on each device that participates in the custom group. >[!NOTE] +>To generate a GUID using Powershell, use [```[guid]::NewGuid()```](https://blogs.technet.microsoft.com/heyscriptingguy/2013/07/25/powertip-create-a-new-guid-by-using-powershell/) +> >This configuration is optional and not required for most implementations of Delivery Optimization. - + + +### Minimum RAM (inclusive) allowed to use Peer Caching + +This setting specifies the minimum RAM size in GB required to use Peer Caching. For example if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching. The recommended values are 1 to 4 GB, and the default value is 4 GB. + +### Minimum disk size allowed to use Peer Caching + +This setting specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. The recommended values are 64 to 256 GB, and the default value is 32 GB. + +>[!NOTE] +>If the [Modify Cache Drive](#modify-cache-drive) policy is set, the disk size check will apply to the new working directory specified by this policy. 
+ + ### Max Cache Age In environments configured for Delivery Optimization, you may want to set an expiration on cached updates and Windows application installation files. If so, this setting defines the maximum number of seconds each file can be held in the Delivery Optimization cache on each Windows 10 client computer. The default Max Cache Age value is 259,200 seconds (3 days). Alternatively, organizations may choose to set this value to “0” which means “unlimited” to avoid peers re-downloading content. When “Unlimited” value is set, Delivery Optimization will hold the files in the cache longer and will clean up the cache as needed (for example when the cache size exceeded the maximum space allowed).
@@ -111,7 +139,11 @@ This setting limits the maximum amount of space the Delivery Optimization cache ### Absolute Max Cache Size -This setting specifies the maximum number of gigabytes the Delivery Optimization cache can use. This is different from the **DOMaxCacheSize** setting, which is a percentage of available disk space. Also, if you configure this policy, it will override the **DOMaxCacheSize** setting. The default value for this setting is 10 GB. +This setting specifies the maximum number of gigabytes the Delivery Optimization cache can use. This is different from the [**Max Cache Size**](#max-cache-size) setting, which is a percentage of available disk space. Also, if you configure this policy, it will override the [**Max Cache Size**](#max-cache-size) setting. The default value for this setting is 10 GB. + +### Minimum Peer Caching Content File Size + +This setting specifies the minimum content file size in MB enabled to use Peer Caching. The recommended values are from 1 to 100000 MB. ### Maximum Download Bandwidth 
@@ -127,7 +159,7 @@ This setting allows you to limit the amount of upload bandwidth individual clien ### Minimum Background QoS -This value specifies the minimum download speed guarantee that a client attempts to achieve and will fulfill by downloading more bytes from Windows Update servers or WSUS. Simply put, the lower this value is, the more content will be sourced using peers on the network rather than Windows Update. The higher this value, the more content is received from Windows Update servers or WSUS, versus peers on the local network. +This value specifies the minimum download speed guarantee that a client attempts to achieve and will fulfill by downloading more kilobytes from Windows Update servers or WSUS. Simply put, the lower this value is, the more content will be sourced using peers on the network rather than Windows Update. The higher this value, the more content is received from Windows Update servers or WSUS, versus peers on the local network. ### Modify Cache Drive 
@@ -136,7 +168,19 @@ This setting allows for an alternate Delivery Optimization cache location on the ### Monthly Upload Data Cap This setting specifies the total amount of data in gigabytes that a Delivery Optimization client can upload to Internet peers per month. A value of 0 means that an unlimited amount of data can be uploaded. The default value for this setting is 20 GB. - + +### Enable Peer Caching while the device connects via VPN + +This setting determines whether a device will be allowed to participate in Peer Caching while connected to VPN. Specify "true" to allow the device to participate in Peer Caching while connected via VPN to the domain network. This means the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network. + +### Allow uploads while the device is on battery while under set Battery level + +This setting specifies battery levels at which a device will be allowed to upload data. Specify any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and Group peers while on DC power (Battery). Uploads will automatically pause when the battery level drops below the set minimum battery level. The recommended value to set if you allow uploads on battery is 40 (for 40%). +The device can download from peers while on battery regardless of this policy. + +>[!IMPORTANT] +> By default, devices **will not upload while on battery**. To enable uploads while on battery, you need to enable this policy and set the battery value under which uploads pause. + ## Set “preferred” cache devices for Delivery Optimization 
@@ -146,7 +190,7 @@ To specify which devices are preferred, you can set the **Max Cache Age** config On devices that are not preferred, you can choose to set the following policy to prioritize data coming from local peers instead of the Internet: -- Set **DOMinBackgroundQoS** with a low value, for example `65536` which is the equivalent of 64 KB/s. +- Set **DOMinBackgroundQoS** with a low value, for example `64` which is the equivalent of 64 KB/s. ## Learn more
diff --git a/windows/update/waas-manage-updates-wufb.md b/windows/update/waas-manage-updates-wufb.md
index f15a5388f4..f38ac5333c 100644
--- a/windows/update/waas-manage-updates-wufb.md
+++ b/windows/update/waas-manage-updates-wufb.md
@@ -104,6 +104,13 @@ Windows Update for Business was first made available in Windows 10, version 1511

        Drivers

        No driver-specific controls

        Drivers can be selectively excluded from Windows Update for Business.

        +## Monitor Windows Updates using Update Compliance + +Update Compliance, now **available in public preview**, provides a holistic view of OS update compliance, update deployment progress, and failure troubleshooting for Windows 10 devices. This new service uses telemetry data including installation progress, Windows Update configuration, and other information to provide such insights, at no extra cost and without additional infrastructure requirements. Whether used with Windows Update for Business or other management tools, you can be assured that your devices are properly updated. + +![Update Compliance Dashboard](images/waas-wufb-update-compliance.png) + +For more information about Update Compliance, see [Monitor Windows Updates using Update Compliance](update-compliance-monitor.md). ## Steps to manage updates for Windows 10 @@ -119,9 +126,7 @@ or [Manage Windows 10 updates using System Center Configuration Manager](waas-ma
        - ## Related topics - - [Update Windows 10 in the enterprise](index.md) - [Overview of Windows as a service](waas-overview.md) - [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
diff --git a/windows/update/waas-optimize-windows-10-updates.md b/windows/update/waas-optimize-windows-10-updates.md
index d6ee795755..dba3ee72bb 100644
--- a/windows/update/waas-optimize-windows-10-updates.md
+++ b/windows/update/waas-optimize-windows-10-updates.md 
@@ -13,24 +13,24 @@ localizationpriority: high **Applies to** -- Windows 10 +- Windows 10 -> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) +> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) When considering your content distribution strategy for Windows 10, think about enabling a form of peer-to-peer content sharing to reduce bandwidth issues during updates. Windows 10 offers two peer-to-peer options for update content distribution: Delivery Optimization and BranchCache. These technologies can be used with several of the servicing tools for Windows 10. -Two methods of peer-to-peer content distribution are available in Windows 10. +Two methods of peer-to-peer content distribution are available in Windows 10. -- [Delivery Optimization](waas-delivery-optimization.md) is a new peer-to-peer distribution method in Windows 10. Windows 10 clients can source content from other devices on their local network that have already downloaded the updates or from peers over the internet. Using the settings available for Delivery Optimization, clients can be configured into groups, allowing organizations to identify devices that are possibly the best candidates to fulfil peer-to-peer requests. +- [Delivery Optimization](waas-delivery-optimization.md) is a new peer-to-peer distribution method in Windows 10. Windows 10 clients can source content from other devices on their local network that have already downloaded the updates or from peers over the internet. Using the settings available for Delivery Optimization, clients can be configured into groups, allowing organizations to identify devices that are possibly the best candidates to fulfil peer-to-peer requests. - Windows Update, Windows Update for Business, and Windows Server Update Services (WSUS) can use Delivery Optimization. 
Delivery Optimization can significantly reduce the amount of network traffic to external Windows Update sources as well as the time it takes for clients to retrieve the updates. + Windows Update, Windows Update for Business, and Windows Server Update Services (WSUS) can use Delivery Optimization. Delivery Optimization can significantly reduce the amount of network traffic to external Windows Update sources as well as the time it takes for clients to retrieve the updates. -- [BranchCache](waas-branchcache.md) is a bandwidth optimization technology that is included in some editions of the Windows Server 2016 Technical Preview and Windows 10 operating systems, as well as in some editions of Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2, and Windows 7. +- [BranchCache](waas-branchcache.md) is a bandwidth optimization technology that is included in some editions of the Windows Server 2016 Technical Preview and Windows 10 operating systems, as well as in some editions of Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2, and Windows 7. >[!NOTE] >Full BranchCache functionality is supported in Windows 10 Enterprise and Education; Windows 10 Pro supports some BranchCache functionality, including BITS transfers used for servicing operations. - Windows Server Update Services (WSUS) and System Center Configuration Manager can use BranchCache to allow peers to source content from each other versus always having to contact a server. Using BranchCache, files are cached on each individual client, and other clients can retrieve them as needed. This approach distributes the cache rather than having a single point of retrieval, saving a significant amount of bandwidth while drastically reducing the time that it takes for clients to receive the requested content. 
+ Windows Server Update Services (WSUS) and System Center Configuration Manager can use BranchCache to allow peers to source content from each other versus always having to contact a server. Using BranchCache, files are cached on each individual client, and other clients can retrieve them as needed. This approach distributes the cache rather than having a single point of retrieval, saving a significant amount of bandwidth while drastically reducing the time that it takes for clients to receive the requested content.

        @@ -49,8 +49,9 @@ Two methods of peer-to-peer content distribution are available in Windows 10. Windows 10 update downloads can be large because every package contains all previously released fixes to ensure consistency and simplicity. Windows has been able to reduce the size of Windows Update downloads with a feature called Express. ### How Microsoft supports Express +- **Express on System Center Configuration Manager** starting with version 1702 of Configuration Manager. - **Express on WSUS Standalone** - + Express update delivery is available on [all support versions of WSUS](https://technet.microsoft.com/library/cc708456(v=ws.10).aspx). - **Express on devices directly connected to Windows Update** - **Enterprise devices managed using [Windows Update for Business](waas-manage-updates-wufb.md)** also get the benefit of Express update delivery support without any change in configuration.
@@ -61,7 +62,7 @@ For OS updates that support Express, there are two versions of the file payload 1. **Full-file version** - essentially replacing the local versions of the update binaries. 2. **Express version** - containing the deltas needed to patch the existing binaries on the device. -Both the full-file version and the Express version are referenced in the udpate's metadata, which has been downloaded to the client as part of the scan phase. +Both the full-file version and the Express version are referenced in the update's metadata, which has been downloaded to the client as part of the scan phase. **Express download works as follows:**
@@ -95,6 +96,7 @@ or [Manage Windows 10 updates using System Center Configuration Manager](waas-ma ## Related topics + - [Update Windows 10 in the enterprise](index.md) - [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) - [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) 
@@ -104,5 +106,3 @@ or [Manage Windows 10 updates using System Center Configuration Manager](waas-ma
 - [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
 - [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
 - [Manage device restarts after updates](waas-restart.md)
-
-
diff --git a/windows/whats-new/images/bulk-token.PNG b/windows/whats-new/images/bulk-token.PNG
new file mode 100644
index 0000000000..b0d2221824
Binary files /dev/null and b/windows/whats-new/images/bulk-token.PNG differ
diff --git a/windows/whats-new/images/ldstore.PNG b/windows/whats-new/images/ldstore.PNG
new file mode 100644
index 0000000000..63f0eedee7
Binary files /dev/null and b/windows/whats-new/images/ldstore.PNG differ
diff --git a/windows/whats-new/images/wcd-options.png b/windows/whats-new/images/wcd-options.png
new file mode 100644
index 0000000000..b3d998ba1b
Binary files /dev/null and b/windows/whats-new/images/wcd-options.png differ
diff --git a/windows/whats-new/whats-new-windows-10-version-1607.md b/windows/whats-new/whats-new-windows-10-version-1607.md
index 1c6c94f739..87a9c88d26 100644
--- a/windows/whats-new/whats-new-windows-10-version-1607.md
+++ b/windows/whats-new/whats-new-windows-10-version-1607.md
@@ -130,7 +130,7 @@ Numerous settings have been added to the Windows 10 CSPs to expand MDM capabilit
 ### Shared PC mode
-Windows 10, Version 1607, introduces shared PC mode, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. You can apply shared PC mode to Windows 10 Pro, Education, and Enterprise. [Learn how to set up a shared or guest PC.](../manage/set-up-shared-or-guest-pc.md)
+Windows 10, Version 1607, introduces shared PC mode, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. You can apply shared PC mode to Windows 10 Pro, Education, and Enterprise. [Learn how to set up a shared or guest PC.](../configure/set-up-shared-or-guest-pc.md)
 ### Application Virtualization (App-V) for Windows 10
@@ -146,7 +146,7 @@ Many users customize their settings for Windows and for specific applications. C
 With User Experience Virtualization (UE-V), you can capture user-customized Windows and application settings and store them on a centrally managed network file share. When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to.
-With the release of Windows 10, version 1607, UE-V is included with the Windows 10 for Enterprise edition. If you are new to Windows 10 and EU-V or upgrading from a previous version of UE-V, you’ll need to download, activate, and install server- and client-side components to start synchronizing user-customized settings across devices.
+With the release of Windows 10, version 1607, UE-V is included with the Windows 10 for Enterprise edition. If you are new to Windows 10 and UE-V or upgrading from a previous version of UE-V, you’ll need to download, activate, and install server- and client-side components to start synchronizing user-customized settings across devices.
 [Learn how to synchronize user-customized settings with UE-V.](../manage/uev-for-windows.md)
diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md
index 3d06a1b80a..8b68fc3f56 100644
--- a/windows/whats-new/whats-new-windows-10-version-1703.md
+++ b/windows/whats-new/whats-new-windows-10-version-1703.md
@@ -1,23 +1,224 @@ --- -title: What's new in Windows 10, version 1607 (Windows 10) -description: This topic lists new and updated topics in the What's new in Windows 10 documentation for Windows 10 and Windows 10 Mobile. +title: What's in Windows 10, version 1703 +description: New and updated IT Pro content about new features in Windows 10, version 1703 (also known as the Creators Updated). keywords: ["What's new in Windows 10", "Windows 10", "creators update"] ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: TrudyHa +author: JasonGerend localizationpriority: high +ms.assetid: dca7c655-c4f6-45f8-aa02-64187b202617 --- -# What's new in Windows 10, version 1703 +# What's new in Windows 10, version 1703 IT Pro content -Below is a list of some of the new and updated features in Windows 10, version 1703 (also known as the Creators Update). +Below is a list of some of the new and updated content that discusses Information Technology (IT) Pro features in Windows 10, version 1703 (also known as the Creators Update). + +For more general info about Windows 10 features, see [Features available only on Windows 10](https://www.microsoft.com/windows/features). For info about previous versions of Windows 10, see [What's New in Windows 10](index.md). >[!NOTE] ->For release dates and servicing options for each version, see [Windows 10 release information](https://technet.microsoft.com/en-us/windows/release-info). +>For release dates and servicing options for each version, see [Windows 10 release information](https://technet.microsoft.com/en-us/windows/release-info). For a list of removed features, see [Features that are removed or deprecated in Windows 10 Creators Update](https://support.microsoft.com/help/4014193/features-that-are-removed-or-deprecated-in-windows-10-creators-update).   
+## Configuration + +### Windows Configuration Designer + +Previously known as *Windows Imaging and Configuration Designer (ICD)*, the tool for creating provisioning packages is renamed **Windows Configuration Designer**. The new Windows Configuration Designer is available in [Windows Store as an app](https://www.microsoft.com/store/apps/9nblggh4tx22). To run Windows Configuration Designer on earlier versions of Windows, you can still install Windows Configuration Designer from the [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). + +Windows Configuration Designer in Windows 10, version 1703, includes several new wizards to make it easier to create provisioning packages. + +![wizards for desktop, mobile, kiosk, HoloLens, Surface Hub](images/wcd-options.png) + +[Learn more about Windows Configuration Designer.](../configure/provisioning-packages.md) -## Learn more +### Bulk enrollment in Azure Active Directory -- [Windows 10 release information](https://technet.microsoft.com/en-us/windows/release-info) +Using the new wizards in Windows Configuration Designer, you can [create provisioning packages to enroll devices in Azure Active Directory](../configure/provisioning-packages.md#configuration-designer-wizards). Bulk enrollment in Azure AD is available in the desktop, mobile, kiosk, and Surface Hub wizards. 
+ +![get bulk token action in wizard](images/bulk-token.png) + + +### Windows Spotlight + +The following new Group Policy and mobile device management (MDM) settings are added to help you configure Windows Spotlight user experiences: + +- **Turn off the Windows Spotlight on Action Center** +- **Do not use diagnostic data for tailored experiences** +- **Turn off the Windows Welcome Experience** + +[Learn more about Windows Spotlight.](../configure/windows-spotlight.md) + + +### Start and taskbar layout + +Enterprises have been able to apply customized Start and taskbar layouts to devices running Windows 10 Enterprise and Education. In Windows 10, version 1703, customized Start and taskbar layout can also be applied to Windows 10 Pro. + +Additional MDM policy settings are available for Start and taskbar layout. For details, see [Manage Windows 10 Start and taskbar layout](../configure/windows-10-start-layout-options-and-policies.md). + +Previously, the customized taskbar could only be deployed using Group Policy or provisioning packages. Windows 10, version 1703, adds support for customized taskbars to [MDM](../configure/customize-windows-10-start-screens-by-using-mobile-device-management.md). + +### Lockdown Designer for Windows 10 Mobile lockdown files + +The Lockdown Designer app helps you configure and create a lockdown XML file to apply to devices running Windows 10 Mobile, and includes a remote simulation to help you determine the layout for tiles on the Start screen. Using Lockdown Designer is easier than [manually creating a lockdown XML file](../configure/lockdown-xml.md). + +![Lockdown Designer app in Store](images/ldstore.png) + +[Learn more about the Lockdown Designer app.](../configure/mobile-lockdown-designer.md) + +### Cortana at work + +Cortana is Microsoft’s personal digital assistant, who helps busy people get things done, even while at work. Cortana has powerful configuration options, specifically optimized for your business. 
By signing in with an Azure Active Directory (Azure AD) account, your employees can give Cortana access to their enterprise/work identity, while getting all the functionality Cortana provides to them outside of work. + +Using Azure AD also means that you can remove an employee’s profile (for example, when an employee leaves your organization) while respecting Windows Information Protection (WIP) policies and ignoring enterprise content, such as emails, calendar items, and people lists that are marked as enterprise data. + + +## Deployment + +### MBR2GPT.EXE + +MBR2GPT.EXE is a new command-line tool available in Windows 10 version 1703 and later versions. MBR2GPT converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS). + +The GPT partition format is newer and enables the use of larger and more disk partitions. It also provides added data reliability, supports additional partition types, and enables faster boot and shutdown speeds. If you convert the system disk on a computer from MBR to GPT, you must also configure the computer to boot in UEFI mode, so make sure that your device supports UEFI before attempting to convert the system disk. + +Additional security features of Windows 10 that are enabled when you boot in UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock. + +For details, see [MBR2GPT.EXE](../deploy/mbr-to-gpt.md). + +## Security + +### Windows Defender Advanced Threat Protection + +New features in Windows Defender Advanced Threat Protection (ATP) for Windows 10, version 1703 include: +- **Detection**
        + Enhancements to the detection capabilities include: + - [Use the threat intelligence API to create custom alerts](../keep-secure/use-custom-ti-windows-defender-advanced-threat-protection.md) - Understand threat intelligence concepts, enable the threat intel application, and create custom threat intelligence alerts for your organization. + - Improvements on OS memory and kernel sensors to enable detection of attackers who are using in-memory and kernel-level attacks + - Upgraded detections of ransomware and other advanced attacks + - Historical detection capability ensures new detection rules apply to up to six months of stored data to detect attacks that previously went unnoticed + +- **Investigation**
        + Enterprise customers can now take advantage of the entire Windows security stack with Windows Defender Antivirus detections and Device Guard blocks being surfaced in the Windows Defender ATP portal. Other capabilities have been added to help you gain a holistic view on investigations. + + Other investigation enhancements include: + - [Investigate a user account](../keep-secure/investigate-user-windows-defender-advanced-threat-protection.md) - Identify user accounts with the most active alerts and investigate cases of potential compromised credentials. + - [Alert process tree](../keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md#alert-process-tree) - Aggregates multiple detections and related events into a single view to reduce case resolution time. + - [Pull alerts using REST API](../keep-secure/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) - Use REST API to pull alerts from Windows Defender ATP. + +- **Response**
        + When detecting an attack, security response teams can now take immediate action to contain a breach: + - [Take response actions on a machine](../keep-secure/respond-machine-alerts-windows-defender-advanced-threat-protection.md) - Quickly respond to detected attacks by isolating machines or collecting an investigation package. + - [Take response actions on a file](../keep-secure/respond-file-alerts-windows-defender-advanced-threat-protection.md) - Quickly respond to detected attacks by stopping and quarantining files or blocking a file. + + +- **Other features** + - [Check sensor health state](../keep-secure/check-sensor-status-windows-defender-advanced-threat-protection.md) - Check an endpoint's ability to provide sensor data and communicate with the Windows Defender ATP service and fix known issues. + + + +### Windows Defender Antivirus +New features for Windows Defender Antivirus (AV) in Windows 10, version 1703 include: + +- [Updates to how the Block at First Sight feature can be configured](../keep-secure/configure-block-at-first-sight-windows-defender-antivirus.md) +- [The ability to specify the level of cloud-protection](../keep-secure/specify-cloud-protection-level-windows-defender-antivirus.md) +- [Windows Defender Antivirus protection in the Windows Defender Security Center app](../keep-secure/windows-defender-security-center-antivirus.md) + +Windows Defender is now called Windows Defender Antivirus, and we've [increased the breadth of the documentation library for enterprise security admins](../keep-secure/windows-defender-antivirus-in-windows-10.md). 
+ +The new library includes information on: +- [Deploying and enabling AV protection](../keep-secure/deploy-windows-defender-antivirus.md) +- [Managing updates](../keep-secure/manage-updates-baselines-windows-defender-antivirus.md) +- [Reporting](../keep-secure/report-monitor-windows-defender-antivirus.md) +- [Configuring features](../keep-secure/configure-windows-defender-antivirus-features.md) +- [Troubleshooting](../keep-secure/troubleshoot-windows-defender-antivirus.md) + +Some of the highlights of the new library include: +- [Evaluation guide for Windows Defender AV](../keep-secure/evaluate-windows-defender-antivirus.md) +- [Deployment guide for Windows Defender AV in a virtual desktop infrastructure environment](../keep-secure/deployment-vdi-windows-defender-antivirus.md) + + +### Device Guard and Credential Guard + +Additional security qualifications for Device Guard and Credential Guard help protect vulnerabilities in UEFI runtime. +For more information, see [Device Guard Requirements](../keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md#device-guard-requirements-for-improved-security) and [Credential Guard Security Considerations](../keep-secure/credential-guard.md#security-considerations). + +### Group Policy Security Options + +The security setting [**Interactive logon: Display user information when the session is locked**](../keep-secure/interactive-logon-display-user-information-when-the-session-is-locked.md) has been updated to work in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. + +## Update + +### Windows Update for Business + +The pause feature has been changed, and now requires a start date to set up. Users are now able to pause through **Settings > Update & security > Windows Update > Advanced options** in case a policy has not been configured. We have also increased the pause limit on quality updates to 35 days. 
You can find more information on pause in [Pause Feature Updates](../update/waas-configure-wufb.md#pause-feature-updates) and [Pause Quality Updates](../update/waas-configure-wufb.md#pause-quality-updates). + +You are now able to defer feature update installation by up to 365 days. In settings, users are able to select their branch readiness level and update deferal periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](../update/waas-configure-wufb.md#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](../update/waas-configure-wufb.md#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](../update/waas-configure-wufb.md#configure-when-devices-receive-quality-updates) for details. + +### Optimize update delivery + +[Express updates](../update/waas-optimize-windows-10-updates.md#express-update-delivery) are now supported on System Center Configuration Manager, starting with version 1702 of Configuration Manager, in addition to current Express support on Windows Update, Windows Update for Business and WSUS. + +Delivery Optimization policies now enable you to configure additional restrictions to have more control in various scenarios. 
+ +Added policies include: +- [Allow uploads while the device is on battery while under set Battery level](../update/waas-delivery-optimization.md#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) +- [Enable Peer Caching while the device connects via VPN](../update/waas-delivery-optimization.md#enable-peer-caching-while-the-device-connects-via-vpn) +- [Minimum RAM (inclusive) allowed to use Peer Caching](../update/waas-delivery-optimization.md#minimum-ram-allowed-to-use-peer-caching) +- [Minimum disk size allowed to use Peer Caching](../update/waas-delivery-optimization.md#minimum-disk-size-allowed-to-use-peer-caching) +- [Minimum Peer Caching Content File Size](../update/waas-delivery-optimization.md#minimum-peer-caching-content-file-size) + +To check out all the details, see [Configure Delivery Optimization for Windows 10 updates](../update/waas-delivery-optimization.md) + +## Management + +### New MDM capabilities + +Windows 10, version 1703 adds several new configuration service providers (CSPs) that provide new capabilities for managing Windows 10 devices using MDM. Some of the new CSPs are: + +- The [DynamicManagement CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/dynamicmanagement-csp) allows you to manage devices differently depending on location, network, or time. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country to avoid roaming charges, or the wireless network can be disabled when the device is not within the corporate building or campus. Once configured, these settings will be enforced even if the device can’t reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs. 
+ +- The [CleanPC CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/cleanpc-csp) allows removal of user-installed and pre-installed applications, with the option to persist user data. + +- The [BitLocker CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/bitlocker-csp) is used to manage encryption of PCs and devices. For example, you can require storage card encryption on mobile devices, or require encryption for fixed drives and removable drives. + +- The [NetworkProxy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkproxy-csp) is used to configure a proxy server for ethernet and Wi-Fi connections. + +[Learn more about new MDM capabilities.](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/new-in-windows-mdm-enrollment-management#whatsnew10) + + + +### Application Virtualization for Windows (App-V) +Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10, version 1703 introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. Addtionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (.appvt) file, and letting you use PowerShell or Group Policy settings to automatically cleanup your unpublished packages after a device restart. 
+ +For more info, see the following topics: +- [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](../manage/appv-auto-provision-a-vm.md) +- [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](../manage/appv-auto-batch-sequencing.md) +- [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](../manage/appv-auto-batch-updating.md) +- [Automatically cleanup unpublished packages on the App-V client](../manage/appv-auto-clean-unpublished-packages.md) + +## New features in related products +The following new features aren't part of Windows 10, but help you make the most of it. + +### Upgrade Readiness + +Upgrade Readiness helps you ensure that applications and drivers are ready for a Windows 10 upgrade. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details. The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017. + +The development of Upgrade Readiness has been heavily influenced by input from the community the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled. + +For more information about Upgrade Readiness, see the following topics: + +- [Windows Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics/) +- [Manage Windows upgrades with Upgrade Readiness](../deploy/manage-windows-upgrades-with-upgrade-readiness.md) + + +### Update Compliance + +Update Compliance helps you to keep Windows 10 devices in your organization secure and up-to-date. 
+ +Update Compliance is a solution built using OMS Logs and Analytics that provides information about installation status of monthly quality and feature updates. Details are provided about the deployment progress of existing updates and the status of future updates. Information is also provided about devices that might need attention to resolve issues. + +For more information about Update Compliance, see [Monitor Windows Updates with Update Compliance](../manage/update-compliance-monitor.md). + +### Enhanced Mobile Device Management (MDM) support + +Mobile device management (MDM) has new configuration service providers (CSPs) that can be called from code to manage Windows 10 devices. For more info, see [What's new in MDM in Windows 10, version 1703](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/new-in-windows-mdm-enrollment-management#whatsnew10).