Merge branch 'master' into tvm-hva

Beth Levin 2020-07-13 12:18:35 -07:00
commit aa20b18cbc
52 changed files with 1017 additions and 348 deletions

View File

@ -16,6 +16,9 @@ ms.date: 07/27/2017
# .NET Framework problems with Internet Explorer 11 # .NET Framework problems with Internet Explorer 11
## Summary
If youre having problems launching your legacy apps while running Internet Explorer 11, its most likely because Internet Explorer no longer starts apps that use managed browser hosting controls, like in .NET Framework 1.1 and 2.0. If youre having problems launching your legacy apps while running Internet Explorer 11, its most likely because Internet Explorer no longer starts apps that use managed browser hosting controls, like in .NET Framework 1.1 and 2.0.
**To turn managed browser hosting controls back on** **To turn managed browser hosting controls back on**
@ -24,11 +27,14 @@ If youre having problems launching your legacy apps while running Internet Ex
2. **For 32-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\Wow6432Node\MICROSOFT\.NETFramework` registry key and change the **EnableIEHosting** value to **1**. 2. **For 32-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\Wow6432Node\MICROSOFT\.NETFramework` registry key and change the **EnableIEHosting** value to **1**.
For more information, see the [Web Applications](https://go.microsoft.com/fwlink/p/?LinkId=308903) section of the Application Compatibility in the .NET Framework 4.5 page. ## More information
  IEHost is a Microsoft .NET Framework 1.1-based technology that provides a better model than ActiveX controls to host controls within the browser. The IEHost controls are lightweight and are operated under the .NET security model where they are operated inside a sandbox. 
 
From the .NET Framework 4, we remove the IEHost.dll file for the following reasons:
- IEHost/HREF-EXE-style controls are exposed to the Internet. This poses a high security risk, and most customers who install the Framework are benefiting very little from this security risk.
- Managed hosting controls and invoking random ActiveX controls may be unsafe, and this risk cannot be countered in the .NET Framework. Therefore, the ability to host is disabled. We strongly suggest that IEHost should be disabled in any production environment.
- Potential security vulnerabilities and assembly versioning conflicts in the default application domain. By relying on COM Interop wrappers to load your assembly, it is implicitly loaded in the default application domain. If other browser extensions do the same function, they have the risks in the default application domain such as disclosing information, and so on. If you are not using strong-named assemblies as dependencies, type loading exceptions can occur. You cannot freely configure the common language runtime (CLR), because you do not own the host process, and you cannot run any code before your extension is loaded.
For more information about .NET Framework application compatibility, see [Application compatibility in the .NET Framework](/dotnet/framework/migration-guide/application-compatibility).
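Review bot: the new More information section says "We strongly suggest that IEHost should be disabled in any production environment", but it sits after the numbered steps at the top of this hunk that tell the reader to set EnableIEHosting to 1; surface that warning in the Summary or as a note directly before the steps so readers see the risk before re-enabling the feature. Two wording fixes in the same bullets: "most customers who install the Framework are benefiting very little from this security risk" should read "benefit very little from the feature while bearing this security risk", and the third bullet opens with a fragment ("Potential security vulnerabilities and assembly versioning conflicts in the default application domain.") that needs a verb, for example "The feature exposes potential security vulnerabilities and assembly versioning conflicts in the default application domain."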

View File

@ -63,7 +63,8 @@ If your organization restricts computers on your network from connecting to the
- www.msftconnecttest.com/connecttest.txt (replaces www.msftncsi.com - www.msftconnecttest.com/connecttest.txt (replaces www.msftncsi.com
starting with Windows 10, version 1607) starting with Windows 10, version 1607)
Store for Business requires Microsoft Windows HTTP Services (WinHTTP) to install, or update apps.
For more information about how to configure WinHTTP proxy settings to devices, see [Use Group Policy to apply WinHTTP proxy settings to Windows clients](https://support.microsoft.com/en-us/help/4494447/use-group-policy-to-apply-winhttp-proxy-settings-to-clients).
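Review bot: the added sentence "Store for Business requires Microsoft Windows HTTP Services (WinHTTP) to install, or update apps." has a stray comma; write "to install or update apps". The support link hard-codes the en-us locale (support.microsoft.com/en-us/help/4494447/...); drop the locale segment so the link resolves correctly for readers in other locales, as the other links in this commit do.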

View File

@ -29,7 +29,7 @@ The tools in the folder might vary depending on which edition of Windows you are
![Screenshot of folder of admin tools](images/admin-tools-folder.png) ![Screenshot of folder of admin tools](images/admin-tools-folder.png)
These tools were included in previous versions of Windows and the associated documentation for each tool should help you use these tools in Windows 10. The following list provides links to documentation for each tool. The tools are located within the folder C:\Windows\System32\ or its subfolders. These tools were included in previous versions of Windows. The associated documentation for each tool should help you use these tools in Windows 10. The following list provides links to documentation for each tool. The tools are located within the folder C:\Windows\System32\ or its subfolders.
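Review bot: "C:\Windows\System32\" in the rewritten sentence should be in code formatting, both for consistency with the backtick-formatted registry path in the Internet Explorer 11 file in this same commit and because a trailing unescaped backslash can be swallowed or mis-rendered by Markdown.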

View File

@ -81,7 +81,7 @@ To support Azure AD enrollment, MDM vendors must host and expose a Terms of Use
<a href="" id="terms-of-use-endpoint-"></a>**Terms of Use endpoint** <a href="" id="terms-of-use-endpoint-"></a>**Terms of Use endpoint**
Use this endpoint to inform users of the ways in which their device can be controlled by their organization. The Terms of Use page is responsible for collecting users consent before the actual enrollment phase begins. Use this endpoint to inform users of the ways in which their device can be controlled by their organization. The Terms of Use page is responsible for collecting users consent before the actual enrollment phase begins.
Its important to understand that the Terms of Use flow is a "black box" to Windows and Azure AD. The whole web view is redirected to the Terms of Use URL, and the user is expected to be redirected back after approving (or in some cases rejecting) the Terms. This design allows the MDM vendor to customize their Terms of Use for different scenarios (e.g., different levels of control are applied on BYOD vs. company-owned devices) or implement user/group based targeting (e.g., users in certain geographies may be subject to stricter device management policies). Its important to understand that the Terms of Use flow is an "opaque box" to Windows and Azure AD. The whole web view is redirected to the Terms of Use URL, and the user is expected to be redirected back after approving (or in some cases rejecting) the Terms. This design allows the MDM vendor to customize their Terms of Use for different scenarios (e.g., different levels of control are applied on BYOD vs. company-owned devices) or implement user/group based targeting (e.g., users in certain geographies may be subject to stricter device management policies).
The Terms of Use endpoint can be used to implement additional business logic, such as collecting a one-time PIN provided by IT to control device enrollment. However, MDM vendors must not use the Terms of Use flow to collect user credentials, which could lead to a highly degraded user experience. Its not needed, since part of the MDM integration ensures that the MDM service can understand tokens issued by Azure AD. The Terms of Use endpoint can be used to implement additional business logic, such as collecting a one-time PIN provided by IT to control device enrollment. However, MDM vendors must not use the Terms of Use flow to collect user credentials, which could lead to a highly degraded user experience. Its not needed, since part of the MDM integration ensures that the MDM service can understand tokens issued by Azure AD.
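Review bot: the rationale given for "MDM vendors must not use the Terms of Use flow to collect user credentials" is only a degraded user experience; since the next sentence already explains that the MDM service can consume tokens issued by Azure AD, state plainly that the vendor never needs to see or handle the user's credentials, which is the stronger reason readers should take away. The "black box" to "opaque box" change is fine, but the sentence reads more naturally as "the Terms of Use flow is opaque to Windows and Azure AD".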

View File

@ -56,21 +56,16 @@ The supported operations are Add and Execute.
The data type is string. The data type is string.
Expected value: Expected value:
Set and Execute are functionality equivalent, and each accepts an XML snippet (as a string) describing what data to gather and where to upload it. Set and Execute are functionality equivalent, and each accepts a `Collection` XML snippet (as a string) describing what data to gather and where to upload it. The results are zipped and uploaded to the specified SasUrl. The zipped filename format is "DiagLogs-{ComputerName}-YYYYMMDDTHHMMSSZ.zip".
The following is an example of the XML. This example instructs the CSP to gather: The following is an example of a `Collection` XML.
- All the keys and values under a registry path
- All the *.etl files in a folder
- The output of two commands
- Additional files created by one of the commands
- All the Application event log events.
The results are zipped and uploaded to the specified SasUrl. The filename format is "DiagLogs-{ComputerName}-YYYYMMDDTHHMMSSZ.zip".
``` xml ``` xml
<Collection> <Collection>
<ID>server generated guid value such as f1e20cb4-9789-4f6b-8f6a-766989764c6d</ID> <!--NOTE: The value shown here is an example only, for more information see the ID documentation which follows the example -->
<SasUrl>server generated url where the HTTP PUT will be accepted</SasUrl> <ID>f1e20cb4-9789-4f6b-8f6a-766989764c6d</ID>
<!--NOTE: The value shown here is an example only, for more information see the SasUrl documentation which follows the example -->
<SasUrl><![CDATA[https://myaccount.blob.core.windows.net/mycontainer?sp=aw&st=2020-07-01T23:02:07Z&se=2020-07-02T23:02:07Z&sv=2019-10-10&sr=c&sig=wx9%2FhwrczAI0nZL7zl%2BhfZVfOBvboTAnrGYfjlO%2FRFA%3D]]></SasUrl>
<RegistryKey>HKLM\Software\Policies</RegistryKey> <RegistryKey>HKLM\Software\Policies</RegistryKey>
<FoldersFiles>%ProgramData%\Microsoft\DiagnosticLogCSP\Collectors\*.etl</FoldersFiles> <FoldersFiles>%ProgramData%\Microsoft\DiagnosticLogCSP\Collectors\*.etl</FoldersFiles>
<Command>%windir%\system32\ipconfig.exe /all</Command> <Command>%windir%\system32\ipconfig.exe /all</Command>
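Review bot: "Set and Execute are functionality equivalent" survives the rewrite on both sides of the diff; it should be "functionally equivalent". The new SasUrl example is a good illustration because the token is scoped to a one-day window (st/se) and to add/write permissions (sp=aw), but it carries a realistic-looking sig= value even though the comment above it says the value is an example only; replace the signature with an obvious placeholder such as sig=<signature> so it is not mistaken for a leaked secret by readers or by secret scanners. Also consider keeping the removed bullet list that described what the sample Collection gathers (registry keys, *.etl files, command output, event log entries); the bare sentence "The following is an example of a `Collection` XML." loses that orientation.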
@ -83,15 +78,13 @@ The results are zipped and uploaded to the specified SasUrl. The filename format
The XML should include the following elements within the `Collection` element: The XML should include the following elements within the `Collection` element:
**ID** **ID**
The ID value is a server-generated GUID string that identifies this data-gathering request. To avoid accidental repetition of data gathering, the CSP ignores subsequent Set or Execute invocations with the same ID value. The ID value uniquely identifies this data-gathering request. To avoid accidental repetition of data gathering, the CSP ignores subsequent Set or Execute invocations with the same ID value. The CSP expects the value to be populated when the request is received, so it must be generated by the IT admin or the management server.
**SasUrl** **SasUrl**
The SasUrl value is the target URI to which the CSP uploads the results zip file. It is the responsibility of the management server to provision storage in such a way that the server accepts the HTTP PUT to this URL. For example, the device management service could: The SasUrl value is the target URI to which the CSP uploads the zip file containing the gathered data. It is the responsibility of the management server to provision storage in such a way that the storage server accepts the device's HTTP PUT to this URL. For example, the device management service could:
- Provision cloud storage, such as an Azure blob storage container or other storage managed by the device management server - Provision cloud storage reachable by the target device, such as a Microsoft Azure blob storage container
- Generate a dynamic https SAS token URL representing the storage location (and which is understood by the server to allow a one-time upload or time-limited uploads) - Generate a Shared Access Signature URL granting the possessor (the target device) time-limited write access to the storage container
- Pass this value to the CSP as the SasUrl value. - Pass this value to the CSP on the target device through the `Collection` XML as the `SasUrl` value.
Assuming a case where the management server's customer (such as an IT admin) is meant to access the data, the management server would also expose the stored data through its user interface or APIs.
**One or more data gathering directives, which may include any of the following:** **One or more data gathering directives, which may include any of the following:**
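Review bot: the new ID text drops the earlier statement that the value is a GUID string and now only says it "must be generated by the IT admin or the management server"; because the CSP de-duplicates requests on this value, the doc should still recommend a freshly generated GUID (as in the example above) so that two distinct requests never collide on the same ID and one silently goes unprocessed. In the SasUrl bullets, "granting the possessor (the target device) time-limited write access" is the right framing; add that the signature should grant write permission only (no read or list), since anyone holding the URL can exercise it, matching the sp=aw permissions shown in the example.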
@ -1482,4 +1475,4 @@ To read a log file:
5. Set **BlockIndexToRead** to initialize read start point. 5. Set **BlockIndexToRead** to initialize read start point.
6. Get **BlockData** for upload log block. 6. Get **BlockData** for upload log block.
7. Increase **BlockIndexToRead**. 7. Increase **BlockIndexToRead**.
8. Repeat step 5 to 7 until **BlockIndexToRead == (BlockIndexToRead 1)**. 8. Repeat steps 5 to 7 until **BlockIndexToRead == (BlockIndexToRead 1)**.
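Review bot: step 8, "Repeat steps 5 to 7 until **BlockIndexToRead == (BlockIndexToRead 1)**", compares the index to itself and can never be satisfied as written, so the loop termination is wrong on both sides of the diff; the right-hand side should compare BlockIndexToRead with the index of the last block (however the CSP reports it), and the operator missing between the two terms should be restored. Since this line is already being edited ("step" to "steps"), fix the condition in the same change.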

View File

@ -1,6 +1,6 @@
--- ---
title: Enable offline upgrades to Windows 10 for Windows Embedded 8.1 Handheld devices title: Enable offline upgrades to Windows 10 for Windows Embedded 8.1 Handheld devices
description: Like any Windows devices, Windows 10 Mobile devices use Microsoft Update by default to download updates over the Internet. description: Overview of how to enable offline updates using Microsoft Endpoint Configuration Manager.
ms.assetid: ED3DAF80-847C-462B-BDB1-486577906772 ms.assetid: ED3DAF80-847C-462B-BDB1-486577906772
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
@ -15,9 +15,9 @@ ms.date: 06/26/2017
# Enable offline upgrades to Windows 10 for Windows Embedded 8.1 Handheld devices # Enable offline upgrades to Windows 10 for Windows Embedded 8.1 Handheld devices
Like any Windows devices, Windows 10 Mobile devices use Microsoft Update by default to download updates over the Internet. However, in some enterprise environments, devices may not be able to access the Internet to retrieve their updates. Because of network restrictions or other enterprise policies, devices must download their updates from an internal location. This document describes how to enable offline updates using Microsoft Endpoint Configuration Manager. Like any Windows devices, Windows 10 Mobile devices use Microsoft Update by default to download updates over the Internet. However, in some enterprise environments, devices may not be able to access the Internet to retrieve their updates. There are also situations where network restrictions or other enterprise policies require that devices download updates from an internal location. This article describes how to enable offline updates using Microsoft Endpoint Configuration Manager.
Here is a table of update path to Windows 10 Mobile. The following table describes the update path to Windows 10 Mobile.
<table> <table>
<colgroup> <colgroup>
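Review bot: "Like any Windows devices, Windows 10 Mobile devices use Microsoft Update" is a number-agreement error carried over unchanged into the new text; write "Like any Windows device".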
@ -47,9 +47,7 @@ Here is a table of update path to Windows 10 Mobile.
</table> </table>
   
To configure the MDM service provider and enable the mobile devices to download updates from a predefined internal location, an IT administrator or device administrator must perform a series of manual and automated steps. To configure the mobile device management (MDM) service provider and enable mobile devices to download updates from a predefined internal location, an IT administrator or device administrator must perform a series of manual and automated steps:
Here is the outline of the process:
1. Prepare a test device that can connect to the Internet to download the released update packages. 1. Prepare a test device that can connect to the Internet to download the released update packages.
2. After the updates are downloaded and before pressing the install button, retrieve an XML file on the device that contains all the metadata about each update package. 2. After the updates are downloaded and before pressing the install button, retrieve an XML file on the device that contains all the metadata about each update package.
@ -61,64 +59,65 @@ Here is the outline of the process:
8. Create two additional XML files that define the specific updates to download and the specific locations from which to download the updates, and deploy them onto the production device. 8. Create two additional XML files that define the specific updates to download and the specific locations from which to download the updates, and deploy them onto the production device.
9. Start the update process from the devices. 9. Start the update process from the devices.
As a part of the update process, Windows will run data migrators to bring forward configured settings and data on the device. For instance, if the device was configured with a maintenance time or other update policy in Windows Embedded 8.1 Handheld, these settings will automatically get migrated to Windows 10 as part of the update process. If the Handheld device was configured for assigned access lockdown, then this configuration will also get migrated to Windows 10 as part of the update process. This includes ProductId & AumId conversion for all internal apps (including buttonremapping apps). As a part of the update process, Windows runs data migrators to bring forward configured settings and data on the device. For instance, if the device was configured with a maintenance time or other update policy in Windows Embedded 8.1 Handheld, these settings are automatically migrated to Windows 10 as part of the update process. If the handheld device was configured for assigned access lockdown, then this configuration is also migrated to Windows 10 as part of the update process. This includes ProductId and AumId conversion for all internal apps (including buttonremapping apps).
Note that the migrators do not take care of the following: Be aware that the migrators do not take care of the following:
- 3rd party apps provided by OEMs - Third-party apps provided by OEMs.
- deprecated 1st party apps, such as Bing News - Deprecated first-party apps, such as Bing News.
- deprecated system/application settings, such as Microsoft.Game, Microsoft.IE - Deprecated system or application settings, such as Microsoft.Game and Microsoft.IE.
In the event of an Enterprise Reset, these migrated settings are automatically persisted. In the event of an Enterprise Reset, these migrated settings are automatically persisted.
Down the road, after the upgrade to Windows 10 is complete, if you decide to push down a new wehlockdown.xml, you would need to take the following steps to ensure that the updated settings are persisted through an Enterprise Reset: After the upgrade to Windows 10 is complete, if you decide to push down a new wehlockdown.xml, you need to take the following steps to ensure that the updated settings are persisted through an Enterprise Reset:
1. Delete the TPK\*ppkg and push down a new ppkg with your new configuration to the persistent folder. 1. Delete the TPK\*ppkg and push down a new ppkg with your new configuration to the persistent folder.
2. Push down a new ppkg with your new configuration with higher priority. Note that in ICD, Owner=Microsoft, Rank=0 is the lowest priority; and vise versa. With this step, the old assigned access lockdown configuration will be overwritten. 2. Push down a new ppkg with your new configuration with higher priority. (Be aware that in ICD, Owner=Microsoft, Rank=0 is the lowest priority, and vice versa. With this step, the old assigned access lockdown configuration is overwritten.)
**Requirements:** **Requirements:**
- The test device must be same as the other production devices that are receiving the updates. - The test device must be same as the other production devices that are receiving the updates.
- Your test device must be enrolled with Microsoft Endpoint Configuration Manager. - The test device must be enrolled with Microsoft Endpoint Configuration Manager.
- Your device can connect to the Internet. - The test device must be connected to the Internet.
- Your device must have an SD card with at least 0.5 GB of free space. - The test device must have an SD card with at least 0.5 GB of free space.
- Ensure that the settings app and PhoneUpdate applet are available via Assigned Access. - Ensure that the settings app and PhoneUpdate applet are available through Assigned Access.
The following diagram is a high-level overview of the process. The following diagram shows a high-level overview of the process.
![update process for windows embedded 8.1 devices](images/windowsembedded-update.png) ![update process for windows embedded 8.1 devices](images/windowsembedded-update.png)
## Step 1: Prepare a test device to download updates from Microsoft Update ## Step 1: Prepare a test device to download updates from Microsoft Update
Define the baseline update set that will be applied to other devices. Use a device that is running the most recent image as the test device. Define the baseline update set that you want to apply to other devices. Use a device that is running the most recent image as the test device.
Trigger the device to check for updates either manually or using Microsoft Endpoint Configuration Manager. Trigger the device to check for updates either manually or using Microsoft Endpoint Configuration Manager.
**Manually** **Check for updates manually**
1. From the device, go to **Settings** &gt; **Phone updates** &gt; **Check for updates**. 1. On the device, go to **Settings** > **Phone updates** > **Check for updates**.
2. Sync the device. Go to **Settings** &gt; **Workplace** &gt; **Enrolled** and click the refresh icon. Repeat as needed. 2. Sync the device, go to **Settings** > **Workplace** > **Enrolled**, and then select the refresh icon. Repeat as needed.
3. Follow the prompts to download the updates, but do not press the install button. 3. Follow the prompts to download the updates, but do not select the **Install** button.
> **Note**  There is a bug in all OS versions up to GDR2 where the CSP will not set the assigned value. There is no way to change or set this until GDR2 is deployed onto the device. > [!NOTE]
> There is a bug in all OS versions up to GDR2 where the Cloud Solution Provider (CSP) does not set the assigned value. There is no way to change or set this until GDR2 is deployed onto the device.
**Using Microsoft Endpoint Configuration Manager** **Check for updates by using Microsoft Endpoint Configuration Manager**
1. Remotely trigger a scan of the test device by deploying a Trigger Scan Configuration Baseline. 1. Remotely trigger a scan of the test device by deploying a Trigger Scan configuration baseline.
![device scan using Configuration Manager](images/windowsembedded-update2.png) ![device scan using Configuration Manager](images/windowsembedded-update2.png)
2. Set the value of this OMA-URI by browsing to the settings of this Configuration Item and selecting the newly created Trigger Scan settings from the previous step. 2. Set the value of this OMA-URI by going to **Configuration Item**, and then selecting the newly created Trigger Scan settings from the previous step.
![device scan using Configuration Manager](images/windowsembedded-update3.png) ![device scan using Configuration Manager](images/windowsembedded-update3.png)
3. Ensure that the value that is specified for this URI is greater than the value on the device(s) and that the Remediate noncompliant rules when supported option is checked. For the first time, any value that is greater than 0 will work, but for subsequent configurations, ensure that you specify an incremented value. 3. Ensure that the value that is specified for this URI is greater than the value on the device(s), and that the **Remediate noncompliant rules when supported** option is selected. For the first time, any value that is greater than 0 will work, but for subsequent configurations, ensure that you specify an incremented value.
![device scan using Configuration Manager](images/windowsembedded-update4.png) ![device scan using Configuration Manager](images/windowsembedded-update4.png)
4. Create a Configuration Baseline for TriggerScan and Deploy. It is recommended that this Configuration Baseline be deployed after the Controlled Updates Baseline has been applied to the device (the corresponding files are deployed on the device through a device sync session). 4. Create a configuration baseline for Trigger Scan and Deploy. We recommend that this configuration baseline be deployed after the Controlled Updates baseline has been applied to the device. (The corresponding files are deployed on the device through a device sync session.)
5. Follow the prompts for downloading the updates, but do not install the updates on the device. 5. Follow the prompts for downloading the updates, but do not install the updates on the device.
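Review bot: the expanded note (the new line under "> [!NOTE]") spells CSP out as "Cloud Solution Provider (CSP)", which is the wrong expansion in this context: the CSP that sets values through OMA-URIs such as ./Vendor/MSFT/EnterpriseExt/DeviceUpdate/ApprovedUpdatesXml later in this file is a configuration service provider. Correct it, otherwise the new expansion misleads readers about what is buggy up to GDR2. Smaller items in the same hunk: "buttonremapping apps" needs a hyphen (button-remapping), and "The test device must be same as the other production devices" needs "the same as".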
@ -130,23 +129,24 @@ There are two ways to retrieve this file from the device; one pre-GDR1 and one p
**Pre-GDR1: Parse a compliance log from the device in ConfigMgr** **Pre-GDR1: Parse a compliance log from the device in ConfigMgr**
1. Create a Configuration Item using ConfigMgr to look at the registry entry ./Vendor/MSFT/EnterpriseExt/DeviceUpdate/ApprovedUpdatesXml. 1. Use ConfigMgr to create a configuration item to look at the registry entry ./Vendor/MSFT/EnterpriseExt/DeviceUpdate/ApprovedUpdatesXml.
> **Note**  In Microsoft Endpoint Configuration Manager, you may see an error about exceeding the file limit when using ApprovedUpdatesXml. However, the process still completes even if the file is large. > [!NOTE]
> In Microsoft Endpoint Configuration Manager, you may see an error about exceeding the file limit when using ApprovedUpdatesXml, but the process still completes even if the file is large.
If the XML file is greater than 32K you can also use ./Vendor/MSFT/FileSystem/&lt;*filename*&gt;. If the XML file is greater than 32 KB, you can also use ./Vendor/MSFT/FileSystem/&lt;*filename*&gt;.
2. Set a baseline for this Configuration Item with a “dummy” value (such as zzz), and ensure that you do not remediate it. 2. Set a baseline for this configuration item with a “dummy” value (such as zzz), and ensure that you do not remediate it.
The dummy value is not be set; it is only used for comparison. The dummy value is not set; it is only used for comparison.
3. After the report XML is sent to the device, Microsoft Endpoint Configuration Manager displays a compliance log that contains the report information. The log can contain significant amount of data. 3. After the report XML is sent to the device, Microsoft Endpoint Configuration Manager displays a compliance log that contains the report information. The log can contain significant amount of data.
4. Parse this log for the report XML content. 4. Parse this log for the report XML content.
For a step-by-step walkthrough, see [How to retrieve a device update report using Microsoft Endpoint Configuration Manager logs](#how-to-retrieve-a-device-update-report-using-microsoft-endpoint-configuration-manager-logs). For a step-by-step walkthrough, see [Retrieve a device update report using Microsoft Endpoint Configuration Manager logs](#retrieve-a-device-update-report-using-microsoft-endpoint-configuration-manager-logs).
**Post-GDR1: Retrieve the report xml file using an SD card** **Post-GDR1: Retrieve the report xml file using an SD card**
1. Create a Configuration Item using ConfigMgr to set a registry value for ./Vendor/MSFT/EnterpriseExt/DeviceUpdate/CopyUpdateReportToSDCard. 1. Use ConfigMgr to create a configuration item to set a registry value for ./Vendor/MSFT/EnterpriseExt/DeviceUpdate/CopyUpdateReportToSDCard.
2. The value that you define for this Configuration Item is defined by the relative path to the SD card which includes the filename of the XML file (such as SDCardRoot\\Update\\DUReport.xml). 2. The value that you define for this configuration item is defined by the relative path to the SD card, which includes the filename of the XML file (such as SDCardRoot\\Update\\DUReport.xml).
3. Remove the SD card from device and copy the XML file to your PC. 3. Remove the SD card from device and copy the XML file to your PC.
## Step 3: Check the status code in the XML file ## Step 3: Check the status code in the XML file
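Review bot: the link target was changed to #retrieve-a-device-update-report-using-microsoft-endpoint-configuration-manager-logs, but the corresponding heading rename is not visible in this diff; confirm that the heading (or an explicit anchor, as done with id="deploy-controlled-updates" later in this file) exists with exactly that id, otherwise the link breaks. Also "The log can contain significant amount of data" (step 3) needs "a significant amount", and "Remove the SD card from device" needs "from the device".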
@ -197,46 +197,49 @@ Here are the two files.
   
For a walkthrough of these steps, [How to deploy controlled updates](#how-to-deploy-controlled-updates). Ensure that the trigger scan configuration baseline HAS NOT been deployed. For a walkthrough of these steps, see [Deploy controlled updates](#deploy-controlled-updates). Ensure that the Trigger Scan configuration baseline has NOT been deployed.
<a href="" id="deploy-controlled-updates"></a> <a href="" id="deploy-controlled-updates"></a>
### How to deploy controlled updates
This process has three parts: ### Deploy controlled updates
- Create a configuration item for DUControlledUpdates.xml The deployment process has three parts:
- Create a configuration item for DUCustomContentURIs.xml
- Create a configuration item for DUControlledUpdates.xml.
- Create a configuration item for DUCustomContentURIs.xml.
- Create a configuration item for approved updates. - Create a configuration item for approved updates.
<a href="" id="create-ducontrolledupdates"></a> <a href="" id="create-ducontrolledupdates"></a>
**Create a configuration item for DUControlledUpdates.xml** **Create a configuration item for DUControlledUpdates.xml**
1. Create a configuration item. In the **Browse Settings** window, select **Device File** as a filter, and then click **Select**. 1. Create a configuration item. In the **Browse Settings** window, select **Device File** as a filter, and then select **Select**.
![embedded device update](images/windowsembedded-update18.png) ![embedded device update](images/windowsembedded-update18.png)
2. Browse to the DUControlledUpdates.xml that was created from the test device and specify that file path and name on the device as `NonPersistent\DUControlledUpdates.xml`. 2. Browse to the DUControlledUpdates.xml that was created from the test device, and then specify the file path and name on the device as `NonPersistent\DUControlledUpdates.xml`.
![embedded device update](images/windowsembedded-update19.png) ![embedded device update](images/windowsembedded-update19.png)
3. Check the box **Remediate noncompliant settings**. 3. Select **Remediate noncompliant settings**, and then select **OK**.
4. Click **OK**.
<a href="" id="create-ducustomcontent"></a> <a href="" id="create-ducustomcontent"></a>
**Create a configuration item for DUCustomContentURIs.xml** **Create a configuration item for DUCustomContentURIs.xml**
1. Create a configuration item and specify that file path and name on the device as `NonPersistent\DUCustomContentURIs.xml` 1. Create a configuration item and specify the file path and name on the device as `NonPersistent\DUCustomContentURIs.xml`
2. Check the box **Remediate noncompliant settings**. 2. Select **Remediate noncompliant settings**.
![embedded device update](images/windowsembedded-update21.png) ![embedded device update](images/windowsembedded-update21.png)
3. Click **OK**. 3. Select **OK**.
<a href="" id="create-config-baseline"></a> <a href="" id="create-config-baseline"></a>
**Create a configuration baseline for approved updates** **Create a configuration baseline for approved updates**
1. Create a configuration baseline item and give it a name (such as ControlledUpdates). 1. Create a configuration baseline item and give it a name (such as ControlledUpdates).
2. Add the DUControlledUpdates and DUCustomContentURIs configuration items, and then click **OK**. 2. Add the DUControlledUpdates and DUCustomContentURIs configuration items, and then select **OK**.
![embedded device update](images/windowsembedded-update22.png) ![embedded device update](images/windowsembedded-update22.png)
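Review bot: step 1 of "Create a configuration item for DUControlledUpdates.xml" now reads "and then select **Select**", which is awkward; "and then choose **Select**" keeps the button name while avoiding the repetition. The heading rename to "### Deploy controlled updates" is consistent with the explicit anchor id="deploy-controlled-updates" and with the updated link above it, which is good.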
@ -244,20 +247,20 @@ This process has three parts:
![embedded device update](images/windowsembedded-update23.png) ![embedded device update](images/windowsembedded-update23.png)
4. Click **OK**. 4. Select **OK**.
## Step 7: Trigger the other devices to scan, download, and install updates ## Step 7: Trigger the other devices to scan, download, and install updates
Now that the other "production" or "in-store" devices have the necessary information to download updates from an internal share, the devices are ready for updates. Now that the other "production" or "in-store" devices have the necessary information to download updates from an internal share, the devices are ready for updates.
### Use this process for unmanaged devices ### Update unmanaged devices
If the update policy of the device is not managed or restricted by Microsoft Endpoint Configuration Manager, an update process can be initiated on the device in one of the following ways: If the update policy of the device is not managed or restricted by Microsoft Endpoint Configuration Manager, an update process can be initiated on the device in one of the following ways:
- Initiated by a periodic scan that the device automatically performs. - A periodic scan that the device automatically performs.
- Initiated manually through **Settings** -&gt; **Phone Update** -&gt; **Check for Updates**. - Manually through **Settings** > **Phone Update** > **Check for Updates**.
### Use this process for managed devices ### Update managed devices
If the update policy of the device is managed or restricted by MDM, an update process can be initiated on the device in one of the following ways: If the update policy of the device is managed or restricted by MDM, an update process can be initiated on the device in one of the following ways:
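Review bot: The two rewritten subsection intros disagree about the management authority: "Update unmanaged devices" says the policy is "not managed or restricted by Microsoft Endpoint Configuration Manager", while "Update managed devices" says "managed or restricted by MDM". Since this procedure uses Configuration Manager as the MDM, use one phrasing in both places (for example "by MDM, such as Microsoft Endpoint Configuration Manager") so a reader can tell which of the two paths applies to their device.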
@ -265,12 +268,13 @@ If the update policy of the device is managed or restricted by MDM, an update pr
Ensure that the trigger scan has successfully executed, and then remove the trigger scan configuration baseline. Ensure that the trigger scan has successfully executed, and then remove the trigger scan configuration baseline.
> **Note**  Ensure that the PhoneUpdateRestriction Policy is set to a value of 0, to ensure that the device will not perform an automatic scan. > [!NOTE]
> Ensure that the PhoneUpdateRestriction Policy is set to a value of 0 so that the device doesn't perform an automatic scan.
- Trigger the device to scan as part of a Maintenance Window defined by the IT Admin in Microsoft Endpoint Configuration Manager. - Trigger the device to scan as part of a Maintenance Window defined by the IT Admin in Microsoft Endpoint Configuration Manager.
After the installation of updates is completed, the IT Admin can use the DUReport generated in the production devices to determine if the device successfully installed the list of updates. If the device did not, error codes are provided in the DUReport.xml. To retrieve the device update report from a device, perform the same steps defined in [Step 2](#step2). After the updates are installed, the IT Admin can use the DUReport generated in the production devices to determine whether the device successfully installed the list of updates. If the device did not, error codes are provided in the DUReport.xml. To retrieve the device update report from a device, perform the same steps defined in [Step 2](#step2).
<a href="" id="example-script"></a> <a href="" id="example-script"></a>
## Example PowerShell script ## Example PowerShell script
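Review bot: The new `> [!NOTE]` block about PhoneUpdateRestriction sits between two bullets of the same list ("Ensure that the trigger scan has successfully executed ..." and "Trigger the device to scan as part of a Maintenance Window ..."); confirm the alert is indented under the bullet it belongs to, otherwise it terminates the list and the Maintenance Window item renders as a new list. Minor: "error codes are provided in the DUReport.xml" should drop "the" ("provided in DUReport.xml").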
@ -456,71 +460,70 @@ DownloadFiles $inputFile $downloadCache $localCacheURL
``` ```
<a href="" id="how-to-retrieve"></a> <a href="" id="how-to-retrieve"></a>
## How to retrieve a device update report using Microsoft Endpoint Configuration Manager logs ## Retrieve a device update report using Microsoft Endpoint Configuration Manager logs
Use this procedure for pre-GDR1 devices.
**For pre-GDR1 devices** **For pre-GDR1 devices**
Use this procedure for pre-GDR1 devices:
1. Trigger a device scan. Go to **Settings** -&gt; **Phone Update** -&gt; **Check for Updates**. 1. Trigger a device scan by going to **Settings** > **Phone Update** > **Check for Updates**.
Since the DUReport settings have not been remedied, you should see a non-compliance. Since the DUReport settings have not been remedied, you should see a non-compliance.
2. In Microsoft Endpoint Configuration Manager under **Assets and Compliance** &gt; **Compliance Settings**, right-click on **Configuration Items**. 2. In Microsoft Endpoint Configuration Manager, under **Assets and Compliance** > **Compliance Settings**, right-click **Configuration Items**.
3. Select **Create Configuration Item**. 3. Select **Create Configuration Item**.
![device update using Configuration Manager](images/windowsembedded-update5.png) ![device update using Configuration Manager](images/windowsembedded-update5.png)
4. Enter a filename (such as GetDUReport) and then choose **Mobile Device**. 4. Enter a filename (such as GetDUReport), and then select **Mobile Device**.
5. In the **Mobile Device Settings** page, check the box **Configure Additional Settings that are not in the default settings group**, and the click **Next**. 5. On the **Mobile Device Settings** page, select **Configure Additional Settings that are not in the default settings group**, and then select **Next**.
![device update using Configuration Manager](images/windowsembedded-update6.png) ![device update using Configuration Manager](images/windowsembedded-update6.png)
6. In the **Additional Settings** page, click **Add**. 6. On the **Additional Settings** page, select **Add**.
![device update using Configuration Manager](images/windowsembedded-update7.png) ![device update using Configuration Manager](images/windowsembedded-update7.png)
7. In the **Browse Settings** page, click **Create Setting**. 7. On the **Browse Settings** page, select **Create Setting**.
![device update](images/windowsembedded-update8.png) ![device update](images/windowsembedded-update8.png)
8. Enter a unique **Name**. For the **Setting type**, select **OMA-URI** and for the **Data type**, select **String**. 8. Enter a unique **Name**. For **Setting type**, select **OMA-URI**, and for **Data type**, select **String**.
9. In the **OMA-URI** text box, enter `./Vendor/MSFT/EnterpriseExt/DeviceUpdate/UpdatesResultXml`, the click **OK**. 9. In the **OMA-URI** text box, enter `./Vendor/MSFT/EnterpriseExt/DeviceUpdate/UpdatesResultXml`, and then select **OK**.
![handheld device update](images/windowsembedded-update9.png) ![handheld device update](images/windowsembedded-update9.png)
10. In the **Browse Settings** page, click **Close**. 10. On the **Browse Settings** page, select **Close**.
11. In the **Create Configuration Item Wizard** page, check **All Windows Embedded 8.1 Handheld** as the supported platform, and then click **Next**. 11. On the **Create Configuration Item Wizard** page, select **All Windows Embedded 8.1 Handheld** as the supported platform, and then select **Next**.
![embedded device update](images/windowsembedded-update10.png) ![embedded device update](images/windowsembedded-update10.png)
12. Close the **Create Configuration Item Wizard** page. 12. Close the **Create Configuration Item Wizard** page.
13. Right-click on the newly create configuration item, and then select the **Compliance Rules** tab. 13. Right-click on the newly create configuration item, and then select the **Compliance Rules** tab.
14. Click the new created mobile device setting (such as DUReport) and then click **Select**. 14. Select the new created mobile device setting (such as DUReport), and then select **Select**.
15. Enter a dummy value (such as zzz) that is different from the one on the device. 15. Enter a dummy value (such as zzz) that is different from the one on the device.
![embedded device update](images/windowsembedded-update11.png) ![embedded device update](images/windowsembedded-update11.png)
16. Disable remediation by unchecking the **Remediate noncompliant rules when supported** option. 16. Disable remediation by deselecting the **Remediate noncompliant rules when supported** option.
17. Click **OK** to close the Edit Rule page. 17. Select **OK** to close the **Edit Rule** page.
18. Create a new configuration baseline. Under **Assets and Compliance** &gt; **Compliance Settings**, right-click on **Configuration Baselines**. 18. Create a new configuration baseline. Under **Assets and Compliance** > **Compliance Settings**, right-click **Configuration Baselines**.
19. Select **Create Configuration Item**. 19. Select **Create Configuration Item**.
![embedded device update](images/windowsembedded-update12.png) ![embedded device update](images/windowsembedded-update12.png)
20. Enter a baseline name (such as RetrieveDUReport). 20. Enter a baseline name (such as RetrieveDUReport).
21. Add the configuration item that you just created. Select **Add** and then select the configuration item that you just created (such as DUReport). 21. Add the configuration item that you just created. Select **Add**, and then select the configuration item that you just created (such as DUReport).
![embedded device update](images/windowsembedded-update13.png) ![embedded device update](images/windowsembedded-update13.png)
22. Click **OK**, then click **OK** again to complete the configuration baseline. 22. Select **OK**, and then select **OK** again to complete the configuration baseline.
23. Deploy the newly created configuration baseline to the appropriate device collection. Right-click on the configuration baseline that you created and the select **Deploy**. 23. Deploy the newly created configuration baseline to the appropriate device collection. Right-click on the configuration baseline that you created, and then select **Deploy**.
![embedded device update](images/windowsembedded-update14.png) ![embedded device update](images/windowsembedded-update14.png)
24. Check the check box **Remediate noncompliant rules when supported**. 24. Select **Remediate noncompliant rules when supported**.
25. Select the appropriate device collection and define the schedule. 25. Select the appropriate device collection and define the schedule.
![device update](images/windowsembedded-update15.png) ![device update](images/windowsembedded-update15.png)
26. To view the DUReport content, select the appropriate deployment for the configuration saseline that you created. Right-click on the deployment and select **View Status**. 26. To view the DUReport content, select the appropriate deployment for the configuration baseline that you created. Right-click on the deployment, and then select **View Status**.
27. Click **Run Summarization** and then click **Refresh**. On the Non-Compliant tab, the test device(s) should be listed. 27. Select **Run Summarization**, and then select **Refresh**. The test device(s) should be listed on the **Non-Compliant** tab.
28. Under **Asset Details**, right-click on the test device, and then select **Mode Details**. 28. Under **Asset Details**, right-click on the test device, and then select **Mode Details**.
![device update](images/windowsembedded-update16.png) ![device update](images/windowsembedded-update16.png)
29. In the Non-compliant tab, you will see the DUReport, but you cannot retrieve the content from here. 29. On the **Non-compliant** tab, you can see the DUReport, but you cannot retrieve the content from here.
![device update](images/windowsembedded-update17.png) ![device update](images/windowsembedded-update17.png)
30. To retrieve the DUReport, open an Explorer windows to C:\\Program Files\\SMS\_CCM\\SMS\_DM.log. 30. To retrieve the DUReport, open C:\\Program Files\\SMS\_CCM\\SMS\_DM.log.
31. In the log file, search from the bottom for "./Vendor/MSFT/EnterpriseExt/DeviceUpdate/UpdatesResultXml" RuleExression="Equals zzz" where zzz is the dummy value. Just above this copy the information for UpdateData and use this information to create the DUControlledUpdates.xml. 31. In the log file, search from the bottom for "./Vendor/MSFT/EnterpriseExt/DeviceUpdate/UpdatesResultXml" RuleExression="Equals zzz," where zzz is the dummy value. Just above this, copy the information for UpdateData and use this information to create the DUControlledUpdates.xml.
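Review bot: Step 31 in the new text moves the comma inside the quoted search string, `RuleExression="Equals zzz,"`, which changes the literal a reader will paste into the log search; the comma belongs after the closing quote, and the whole token is best set in code formatting so punctuation cannot drift into it again. While there, "RuleExression" looks like a typo for "RuleExpression", but since readers search for the literal text, verify it against an actual SMS_DM.log entry before changing it. Two typos survive the rewrite: step 13 "newly create configuration item" and step 14 "new created mobile device setting" should both read "newly created", and step 19, reached by right-clicking **Configuration Baselines** in step 18, still says "Select **Create Configuration Item**" where the context-menu entry for baselines is presumably **Create Configuration Baseline**.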
   

View File

@ -80,7 +80,7 @@ The following steps demonstrate required settings using the Intune service:
![Mobility setting MDM intune](images/auto-enrollment-microsoft-intune-setting.png) ![Mobility setting MDM intune](images/auto-enrollment-microsoft-intune-setting.png)
7. Verify that the *Enable Automatic MDM enrollment using default Azure AD credentials* group policy (Local Group Policy Editor > Computer Configuration > Policies > Administrative Templates > Windows Components > MDM) is properly deployed to all devices which should be enrolled into Intune. 7. Verify that the *Enable Automatic MDM enrollment using default Azure AD credentials* group policy (**Local Group Policy Editor > Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is properly deployed to all devices which should be enrolled into Intune.
You may contact your domain administrators to verify if the group policy has been deployed successfully. You may contact your domain administrators to verify if the group policy has been deployed successfully.
8. Verify that the device is not enrolled with the old Intune client used on the Intune Silverlight Portal (this is the Intune portal used before the Azure portal). 8. Verify that the device is not enrolled with the old Intune client used on the Intune Silverlight Portal (this is the Intune portal used before the Azure portal).
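Review bot: Step 7 still reads "all devices which should be enrolled into Intune"; the restrictive clause wants "that", and the follow-up sentence "verify if the group policy has been deployed successfully" reads better as "verify whether". The bolding of the Local Group Policy Editor path is consistent with the other paths in the file and is fine.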
@ -114,7 +114,7 @@ Requirements:
![MDM autoenrollment policy](images/autoenrollment-policy.png) ![MDM autoenrollment policy](images/autoenrollment-policy.png)
5. Click **Enable**, then click **OK**. 5. Click **Enable**, and select **User Credential** from the dropdown **Select Credential Type to Use**, then click **OK**.
> [!NOTE] > [!NOTE]
> In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have installed Windows 10, version 1903 or later. > In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have installed Windows 10, version 1903 or later.
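Review bot: The rewritten step 5 tells the reader to choose **User Credential** from the **Select Credential Type to Use** dropdown, but the note directly below says that option only exists in the MDM.admx updated in Windows 10, version 1903; with an older ADMX there is no dropdown and the step will not match the UI. Qualify the step ("If the **Select Credential Type to Use** dropdown is present, select **User Credential**") and say why User Credential is the choice here rather than the new **Device Credential** option, since that choice decides whether the enrollment is bound to the signed-in user or to the device.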
@ -165,27 +165,43 @@ Requirements:
- Enterprise AD must be integrated with Azure AD. - Enterprise AD must be integrated with Azure AD.
- Ensure that PCs belong to same computer group. - Ensure that PCs belong to same computer group.
[!IMPORTANT] > [!IMPORTANT]
If you do not see the policy, it may be because you dont have the ADMX for Windows 10, version 1803, version 1809, or version 1903 installed. To fix the issue, follow these steps (Note: the latest MDM.admx is backwards compatible): > If you do not see the policy, it may be because you don't have the ADMX for Windows 10, version 1803, version 1809, or version 1903 installed. To fix the issue, use the following procedures. Note that the latest MDM.admx is backwards compatible.
1. Download: 1. Download:
1803 -->[Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)](https://www.microsoft.com/download/details.aspx?id=56880) or
1809 --> [Administrative Templates for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/download/details.aspx?id=57576) or - 1803 -->[Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)](https://www.microsoft.com/download/details.aspx?id=56880)
1903 --> [Administrative Templates (.admx) for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495&WT.mc_id=rss_alldownloads_all)
- 1809 --> [Administrative Templates for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/download/details.aspx?id=57576)
- 1903 --> [Administrative Templates (.admx) for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495&WT.mc_id=rss_alldownloads_all)
2. Install the package on the Domain Controller. 2. Install the package on the Domain Controller.
3. Navigate, depending on the version to the folder: 3. Navigate, depending on the version to the folder:
1803 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 April 2018 Update (1803) v2**, or
1809 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2018 Update (1809) v2**, or - 1803 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 April 2018 Update (1803) v2**
1903 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2019 Update (1903) v3**
- 1809 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2018 Update (1809) v2**
- 1903 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2019 Update (1903) v3**
4. Rename the extracted Policy Definitions folder to **PolicyDefinitions**. 4. Rename the extracted Policy Definitions folder to **PolicyDefinitions**.
5. Copy PolicyDefinitions folder to **C:\Windows\SYSVOL\domain\Policies**. 5. Copy PolicyDefinitions folder to **C:\Windows\SYSVOL\domain\Policies**.
(If this folder does not exist, then be aware that you will be switching to a [central policy store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) for your entire domain).
If this folder does not exist, then be aware that you will be switching to a [central policy store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) for your entire domain.
6. Restart the Domain Controller for the policy to be available. 6. Restart the Domain Controller for the policy to be available.
This procedure will work for any future version as well. This procedure will work for any future version as well.
1. Create a Group Policy Object (GPO) and enable the Group Policy **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM** > **Enable automatic MDM enrollment using default Azure AD credentials**. 1. Create a Group Policy Object (GPO) and enable the Group Policy **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM** > **Enable automatic MDM enrollment using default Azure AD credentials**.
2. Create a Security Group for the PCs. 2. Create a Security Group for the PCs.
3. Link the GPO. 3. Link the GPO.
4. Filter using Security Groups. 4. Filter using Security Groups.
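Review bot: Step 5 ("Copy PolicyDefinitions folder to **C:\Windows\SYSVOL\domain\Policies**") needs a caveat for the case where the folder already exists: copying the whole extracted PolicyDefinitions folder replaces every ADMX/ADML file in the domain's central store, and the linked central-store article only covers the case where the folder does not exist. Since the note says the latest MDM.admx is backwards compatible, suggest backing up the existing central store and copying only MDM.admx (and the matching MDM.adml under the language folder) when a central store is already in place. Smaller points in the same hunk: the "-->" arrows in the download and folder lists carry no meaning in rendered Markdown and "1903 -->" reads like a comment closer, so "1803:" etc. is clearer; "Navigate, depending on the version to the folder:" needs a comma after "version"; and the second numbered list (Create a GPO ... Filter using Security Groups) restarts at 1 immediately after "This procedure will work for any future version as well.", so a lead-in sentence or subheading is needed to separate the ADMX installation procedure from the GPO procedure.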
## Troubleshoot auto-enrollment of devices ## Troubleshoot auto-enrollment of devices
@ -194,7 +210,7 @@ Investigate the log file if you have issues even after performing all the mandat
To collect Event Viewer logs: To collect Event Viewer logs:
1. Open Event Viewer. 1. Open Event Viewer.
2. Navigate to Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider > Admin. 2. Navigate to **Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider > Admin**.
> [!Tip] > [!Tip]
> For guidance on how to collect event logs for Intune, see [Collect MDM Event Viewer Log YouTube video](https://www.youtube.com/watch?v=U_oCe2RmQEc). > For guidance on how to collect event logs for Intune, see [Collect MDM Event Viewer Log YouTube video](https://www.youtube.com/watch?v=U_oCe2RmQEc).
@ -208,14 +224,14 @@ To collect Event Viewer logs:
To troubleshoot, check the error code that appears in the event. See [Troubleshooting Windows device enrollment problems in Microsoft Intune](https://support.microsoft.com/en-ph/help/4469913/troubleshooting-windows-device-enrollment-problems-in-microsoft-intune) for more information. To troubleshoot, check the error code that appears in the event. See [Troubleshooting Windows device enrollment problems in Microsoft Intune](https://support.microsoft.com/en-ph/help/4469913/troubleshooting-windows-device-enrollment-problems-in-microsoft-intune) for more information.
- The auto-enrollment did not trigger at all. In this case, you will not find either event ID 75 or event ID 76. To know the reason, you must understand the internal mechanisms happening on the device as described in the following section. - The auto-enrollment did not trigger at all. In this case, you will not find either event ID 75 or event ID 76. To know the reason, you must understand the internal mechanisms happening on the device as described in the following section.
The auto-enrollment process is triggered by a task (Microsoft > Windows > EnterpriseMgmt) within the task-scheduler. This task appears if the *Enable automatic MDM enrollment using default Azure AD credentials* group policy (Computer Configuration > Policies > Administrative Templates > Windows Components > MDM) is successfully deployed to the target machine as shown in the following screenshot: The auto-enrollment process is triggered by a task (**Microsoft > Windows > EnterpriseMgmt**) within the task-scheduler. This task appears if the *Enable automatic MDM enrollment using default Azure AD credentials* group policy (**Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is successfully deployed to the target machine as shown in the following screenshot:
![Task scheduler](images/auto-enrollment-task-scheduler.png) ![Task scheduler](images/auto-enrollment-task-scheduler.png)
> [!Note] > [!Note]
> This task isn't visible to standard users - run Scheduled Tasks with administrative credentials to find the task. > This task isn't visible to standard users - run Scheduled Tasks with administrative credentials to find the task.
This task runs every 5 minutes for the duration of 1 day. To confirm if the task succeeded, check the task scheduler event logs: This task runs every 5 minutes for the duration of 1 day. To confirm if the task succeeded, check the task scheduler event logs:
Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational. **Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational**.
Look for an entry where the task scheduler created by enrollment client for automatically enrolling in MDM from AAD is triggered by event ID 107. Look for an entry where the task scheduler created by enrollment client for automatically enrolling in MDM from AAD is triggered by event ID 107.
![Event ID 107](images/auto-enrollment-event-id-107.png) ![Event ID 107](images/auto-enrollment-event-id-107.png)
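Review bot: The sentence "Look for an entry where the task scheduler created by enrollment client for automatically enrolling in MDM from AAD is triggered by event ID 107" is hard to parse because the task name is not set off from the prose; quote it as the task name the reader must match in the log, for example: look for event ID 107 for the task "Schedule created by enrollment client for automatically enrolling in MDM from AAD". The same hunk names the tool three ways ("task-scheduler", "Scheduled Tasks", "Task Scheduler"); use **Task Scheduler** throughout, including in the note "run Scheduled Tasks with administrative credentials".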
@ -226,11 +242,11 @@ To collect Event Viewer logs:
Note that the task scheduler log displays event ID 102 (task completed) regardless of the auto-enrollment success or failure. This means that the task scheduler log is only useful to confirm if the auto-enrollment task is triggered or not. It does not indicate the success or failure of auto-enrollment. Note that the task scheduler log displays event ID 102 (task completed) regardless of the auto-enrollment success or failure. This means that the task scheduler log is only useful to confirm if the auto-enrollment task is triggered or not. It does not indicate the success or failure of auto-enrollment.
If you cannot see from the log that task Schedule created by enrollment client for automatically enrolling in MDM from AAD is initiated, there is possibly issue with the group policy. Immediately run the command `gpupdate /force` in command prompt to get the GPO applied. If this still does not help, further troubleshooting on the Active Directory is required. If you cannot see from the log that task Schedule created by enrollment client for automatically enrolling in MDM from AAD is initiated, there is possibly issue with the group policy. Immediately run the command `gpupdate /force` in command prompt to get the GPO applied. If this still does not help, further troubleshooting on the Active Directory is required.
One frequently seen error is related to some outdated enrollment entries in the registry on the target client device (HKLM > Software > Microsoft > Enrollments). If a device has been enrolled (can be any MDM solution and not only Intune), some enrollment information added into the registry is seen: One frequently seen error is related to some outdated enrollment entries in the registry on the target client device (**HKLM > Software > Microsoft > Enrollments**). If a device has been enrolled (can be any MDM solution and not only Intune), some enrollment information added into the registry is seen:
![Outdated enrollment entries](images/auto-enrollment-outdated-enrollment-entries.png) ![Outdated enrollment entries](images/auto-enrollment-outdated-enrollment-entries.png)
By default, these entries are removed when the device is un-enrolled, but occasionally the registry key remains even after un-enrollment. In this case, `gpupdate /force` fails to initiate the auto-enrollment task and error code 2149056522 is displayed in the Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational event log file under event ID 7016. By default, these entries are removed when the device is un-enrolled, but occasionally the registry key remains even after un-enrollment. In this case, `gpupdate /force` fails to initiate the auto-enrollment task and error code 2149056522 is displayed in the **Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational** event log file under event ID 7016.
A resolution to this issue is to remove the registry key manually. If you do not know which registry key to remove, go for the key which displays most entries as the screenshot above. All other keys will display less entries as shown in the following screenshot: A resolution to this issue is to remove the registry key manually. If you do not know which registry key to remove, go for the key which displays most entries as the screenshot above. All other keys will display less entries as shown in the following screenshot:
![Manually deleted entries](images/auto-enrollment-activation-verification-less-entries.png) ![Manually deleted entries](images/auto-enrollment-activation-verification-less-entries.png)
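Review bot: The remediation in the last paragraph, "remove the registry key manually ... go for the key which displays most entries", is risky as written: the paragraph itself says any MDM solution writes under HKLM\Software\Microsoft\Enrollments, so a key chosen by entry count can belong to a live enrollment and deleting it breaks that device's management. Suggest telling the reader to export the Enrollments key before deleting anything, to identify the stale enrollment by the provider and account values it holds rather than by how many entries it has, and to un-enroll through Settings where the device is still managed. Grammar in the same hunk: "there is possibly issue with the group policy" wants "an issue", "Immediately run the command" reads better as "Run the command", and "the key which displays most entries as the screenshot above. All other keys will display less entries" should be "the key that shows the most entries, as in the screenshot above. All other keys show fewer entries".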


View File

@ -562,11 +562,11 @@ The following diagram shows the Policy configuration service provider in tree fo
</dd> </dd>
</dl> </dl>
### Bitlocker policies ### BitLocker policies
<dl> <dl>
<dd> <dd>
<a href="./policy-csp-bitlocker.md#bitlocker-encryptionmethod" id="bitlocker-encryptionmethod">Bitlocker/EncryptionMethod</a> <a href="./policy-csp-bitlocker.md#bitlocker-encryptionmethod" id="bitlocker-encryptionmethod">BitLocker/EncryptionMethod</a>
</dd> </dd>
</dl> </dl>
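Review bot: The display text is corrected to "BitLocker" here, but the anchor id and target (`bitlocker-encryptionmethod`, `policy-csp-bitlocker.md`) stay lowercase by design, so the only follow-up is to search the rest of this file for remaining "Bitlocker" spellings (section headings and table entries) so the product name is cased consistently in one change.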
@ -4061,6 +4061,9 @@ The following diagram shows the Policy configuration service provider in tree fo
- [Policy CSPs supported by Group Policy](policy-csps-supported-by-group-policy.md) - [Policy CSPs supported by Group Policy](policy-csps-supported-by-group-policy.md)
- [ADMX-backed policy CSPs](policy-csps-admx-backed.md) - [ADMX-backed policy CSPs](policy-csps-admx-backed.md)
> [!NOTE]
> Not all Policy CSPs supported by Group Policy are ADMX-backed. For more details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
## Policy CSPs supported by HoloLens devices ## Policy CSPs supported by HoloLens devices
- [Policy CSPs supported by HoloLens 2](policy-csps-supported-by-hololens2.md) - [Policy CSPs supported by HoloLens 2](policy-csps-supported-by-hololens2.md)
- [Policy CSPs supported by HoloLens (1st gen) Commercial Suite](policy-csps-supported-by-hololens-1st-gen-commercial-suite.md) - [Policy CSPs supported by HoloLens (1st gen) Commercial Suite](policy-csps-supported-by-hololens-1st-gen-commercial-suite.md)

View File

@ -1725,14 +1725,14 @@ Valid values: 090
<!--Description--> <!--Description-->
This policy setting allows you to configure catch-up scans for scheduled full scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time. This policy setting allows you to configure catch-up scans for scheduled full scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time.
If you disable or do not configure this setting, catch-up scans for scheduled full scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer. If there is no scheduled scan configured, there will be no catch-up scan run. If you enable this setting, catch-up scans for scheduled full scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer. If there is no scheduled scan configured, there will be no catch-up scan run.
If you enable this setting, catch-up scans for scheduled full scans will be disabled. If you disable or do not configure this setting, catch-up scans for scheduled full scans will be turned off.
Supported values: Supported values:
- 0 - Disabled - 1 - Disabled (default)
- 1 - Enabled (default) - 0 - Enabled
OMA-URI Path: ./Vendor/MSFT/Policy/Config/Defender/DisableCatchupFullScan OMA-URI Path: ./Vendor/MSFT/Policy/Config/Defender/DisableCatchupFullScan
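Review bot: The rewritten description and the rewritten value list contradict each other unless "Enabled"/"Disabled" mean different things in each: the text now says "If you enable this setting, catch-up scans for scheduled full scans will be turned on" and "If you disable or do not configure this setting, catch-up scans ... will be turned off", while the values say "1 - Disabled (default)" and "0 - Enabled". If the values describe the state of catch-up scans (the policy is named DisableCatchupFullScan, so 1 should mean catch-up scans are disabled), then "enable this setting" in the description means something other than setting it to 1, and "Disabled (default)" conflicts with the original "disable or do not configure ... turned on". Spell out each value in terms of observable behaviour, e.g. "1 (default): catch-up full scans are disabled" and "0: catch-up full scans are enabled", and phrase the description as "set this policy to 1/0" rather than "enable/disable this setting". The flip of the default from Enabled to Disabled is a behavioural claim; confirm it against the policy's actual default before merging, because it changes what admins expect Defender to do after a missed scheduled scan.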
@ -1811,8 +1811,8 @@ If you disable or do not configure this setting, catch-up scans for scheduled qu
Supported values: Supported values:
- 0 - Disabled - 1 - Disabled (default)
- 1 - Enabled (default) - 0 - Enabled
OMA-URI Path: ./Vendor/MSFT/Policy/Config/Defender/DisableCatchupQuickScan OMA-URI Path: ./Vendor/MSFT/Policy/Config/Defender/DisableCatchupQuickScan
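Review bot: The value swap for DisableCatchupQuickScan ("1 - Disabled (default)", "0 - Enabled") leaves it ambiguous whether "Disabled" refers to the policy or to catch-up quick scans, and the description above the hunk (the hunk header shows "If you disable or do not configure this setting, catch-up scans for scheduled quick scans ...") is not changed here, so it will contradict the new default. State the behaviour per value ("1 (default): catch-up quick scans are disabled", "0: catch-up quick scans are enabled"), update the description in the same change, and confirm the new default against the policy's real behaviour.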

View File

@ -861,14 +861,11 @@ The following list shows the supported values:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
Allow the device to send diagnostic and usage telemetry data, such as Watson. Allows the device to send diagnostic and usage telemetry data, such as Watson.
For more information about diagnostic data, including what is and what is not collected by Windows, see [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/privacy/configure-windows-diagnostic-data-in-your-organization). For more information about diagnostic data, including what is and what is not collected by Windows, see [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/privacy/configure-windows-diagnostic-data-in-your-organization).
The following tables describe the supported values: The following list shows the supported values for Windows 8.1:
Windows 8.1 Values:
- 0 - Not allowed. - 0 - Not allowed.
- 1 Allowed, except for Secondary Data Requests. - 1 Allowed, except for Secondary Data Requests.
- 2 (default) Allowed. - 2 (default) Allowed.
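Review bot: The Windows 8.1 value list is inconsistent in form: "0 - Not allowed." has a hyphen separator while "1 Allowed, except for Secondary Data Requests." and "2 (default) Allowed." have none; use the same "n - text" form for all three. Changing "Allow" to "Allows" in the policy description is fine and matches the other policy descriptions in the file.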
@ -896,13 +893,12 @@ Windows 8.1 Values:
</tbody> </tbody>
</table>--> </table>-->
Windows 10 Values: In Windows 10, you can configure this policy setting to decide what level of diagnostic data to send to Microsoft. The following list shows the supported values for Windows 10:
- 0 (**Security**) Sends information that is required to help keep Windows more secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Microsoft Defender.
- 0 Security. Information that is required to help keep Windows more secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender. **Note:** This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016. Using this setting on other devices is equivalent to setting the value of 1.
Note: This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016. Using this setting on other devices is equivalent to setting the value of 1. - 1 (**Basic**) Sends the same data as a value of 0, plus additional basic device info, including quality-related data, app compatibility, and app usage data.
- 1 Basic. Basic device info, including: quality-related data, app compatibility, app usage data, and data from the Security level. - 2 (**Enhanced**) Sends the same data as a value of 1, plus additional insights, including how Windows, Windows Server, System Center, and apps are used, how they perform, and advanced reliability data.
- 2 Enhanced. Additional insights, including: how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability data, and data from both the Basic and the Security levels. - 3 (**Full**) Sends the same data as a value of 2, plus all data necessary to identify and fix problems with devices.
- 3 Full. All data necessary to identify and help to fix problems, plus data from the Security, Basic, and Enhanced levels.
<!--<table style="margin-left: 20px"> <!--<table style="margin-left: 20px">
<colgroup> <colgroup>
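Review bot: the commented-out HTML tables that bracket the rewritten Windows 10 list (`</table>-->` above it and `<!--<table style="margin-left: 20px">` below it) are dead source now that the bulleted list carries the content; delete them rather than leaving two copies of the value descriptions to drift apart. The "Sends the same data as a value of N, plus ..." phrasing and the Windows Defender to Microsoft Defender rename in the value 0 item are improvements; the Note on value 0 is now appended to that bullet's text, so either make it a nested bullet or drop the bold `**Note:**` prefix so it does not read like a fifth level name.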
@ -1358,6 +1354,11 @@ ADMX Info:
- GP ADMX file name: *DataCollection.admx* - GP ADMX file name: *DataCollection.admx*
<!--/ADMXMapped--> <!--/ADMXMapped-->
<!--SupportedValues-->
The following list shows the supported values:
- 0 (default) - Enable telemetry change notifications
- 1 - Disable telemetry change notifications
<!--/SupportedValues-->
<!--/Policy--> <!--/Policy-->
<hr/> <hr/>
@ -1413,7 +1414,7 @@ If you set this policy setting to "Disable Telemetry opt-in Settings", telemetry
If you set this policy setting to "Enable Telemetry opt-in Settings" or don't configure this policy setting, people can change their own telemetry levels in Settings. If you set this policy setting to "Enable Telemetry opt-in Settings" or don't configure this policy setting, people can change their own telemetry levels in Settings.
> [!Note] > [!Note]
> Set the Allow Telemetry policy setting to prevent people from sending diagnostic data to Microsoft beyond your organization's limit. > Set the Allow Telemetry policy setting to prevent people from sending diagnostic data to Microsoft beyond your organization's acceptable level of data disclosure.
<!--/Description--> <!--/Description-->
<!--ADMXMapped--> <!--ADMXMapped-->
@ -1425,6 +1426,11 @@ ADMX Info:
- GP ADMX file name: *DataCollection.admx* - GP ADMX file name: *DataCollection.admx*
<!--/ADMXMapped--> <!--/ADMXMapped-->
<!--SupportedValues-->
The following list shows the supported values:
- 0 (default) - Enable Telemetry opt-in Settings
- 1 - Disable Telemetry opt-in Settings
<!--/SupportedValues-->
<!--/Policy--> <!--/Policy-->
<hr/> <hr/>
@ -2068,4 +2074,3 @@ Footnotes:
- 8 - Added in Windows 10, version 2004. - 8 - Added in Windows 10, version 2004.
<!--/Policies--> <!--/Policies-->
@ -16,6 +16,9 @@ ms.date: 02/23/2018
The Update configuration service provider enables IT administrators to manage and control the rollout of new updates. The Update configuration service provider enables IT administrators to manage and control the rollout of new updates.
> [!Note]
> All aspects of the Update CSP aside from Rollback are not recommended for managing desktop devices. To manage desktop devices from Windows Update, see the [Policy CSP - Updates](policy-csp-update.md) documentation. Rollback can be used for desktop devices on 1803 and above.
The following diagram shows the Update configuration service provider in tree format. The following diagram shows the Update configuration service provider in tree format.
![update csp diagram](images/provisioning-csp-update.png) ![update csp diagram](images/provisioning-csp-update.png)
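Review bot: the added note reads awkwardly ("All aspects of the Update CSP aside from Rollback are not recommended ...") and gives the version without an OS name; suggest "Only the Rollback node of the Update CSP is recommended for managing desktop devices; use Policy CSP - Update for everything else. Rollback is supported on desktop devices running Windows 10, version 1803 and later." The link text also says "Policy CSP - Updates" while the target is policy-csp-update.md; use the singular to match the policy area name.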
@ -1,22 +1,19 @@
--- ---
title: WindowsDefenderApplicationGuard CSP title: WindowsDefenderApplicationGuard CSP
description: Configure the settings in Windows Defender Application Guard by using the WindowsDefenderApplicationGuard configuration service provider (CSP). description: Configure the settings in Microsoft Defender Application Guard by using the WindowsDefenderApplicationGuard configuration service provider (CSP).
ms.author: dansimp ms.author: dansimp
ms.topic: article ms.topic: article
ms.prod: w10 ms.prod: w10
ms.technology: windows ms.technology: windows
author: manikadhiman author: manikadhiman
ms.date: 09/10/2018 ms.date: 07/07/2020
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
--- ---
# WindowsDefenderApplicationGuard CSP # WindowsDefenderApplicationGuard CSP
> [!WARNING] The WindowsDefenderApplicationGuard configuration service provider (CSP) is used by the enterprise to configure the settings in Microsoft Defender Application Guard. This CSP was added in Windows 10, version 1709.
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The WindowsDefenderApplicationGuard configuration service provider (CSP) is used by the enterprise to configure the settings in Windows Defender Application Guard. This CSP was added in Windows 10, version 1709.
The following diagram shows the WindowsDefenderApplicationGuard configuration service provider in tree format. The following diagram shows the WindowsDefenderApplicationGuard configuration service provider in tree format.
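Review bot: with the product renamed to Microsoft Defender Application Guard in the description and intro, the title and the node names on this page still (correctly) read WindowsDefenderApplicationGuard; add one sentence to the intro saying that the CSP path and its ADMX policy names keep the original WindowsDefender identifiers, so readers do not treat this as a missed rename or look for a MicrosoftDefenderApplicationGuard node. Dropping the prerelease WARNING is right for a feature that shipped in version 1709.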
@ -29,129 +26,275 @@ Root node. Supported operation is Get.
Interior node. Supported operation is Get. Interior node. Supported operation is Get.
<a href="" id="allowwindowsdefenderapplicationguard"></a>**Settings/AllowWindowsDefenderApplicationGuard** <a href="" id="allowwindowsdefenderapplicationguard"></a>**Settings/AllowWindowsDefenderApplicationGuard**
Turn on Windows Defender Application Guard in Enterprise Mode. Value type is integer. Supported operations are Add, Get, Replace, and Delete. Turn on Microsoft Defender Application Guard in Enterprise Mode.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
The following list shows the supported values:
- 0 - Stops Application Guard in Enterprise Mode. Trying to access non-enterprise domains on the host will not automatically get transferred into the insolated environment. - 0 - Stops Application Guard in Enterprise Mode. Trying to access non-enterprise domains on the host will not automatically get transferred into the insolated environment.
- 1 - Enables Application Guard in Enterprise Mode. Trying to access non-enterprise websites on the host will automatically get transferred into the container. - 1 - Enables Application Guard in Enterprise Mode. Trying to access non-enterprise websites on the host will automatically get transferred into the container.
<a href="" id="clipboardfiletype"></a>**Settings/ClipboardFileType** <a href="" id="clipboardfiletype"></a>**Settings/ClipboardFileType**
Determines the type of content that can be copied from the host to Application Guard environment and vice versa. Value type is integer. Supported operations are Add, Get, Replace, and Delete. Determines the type of content that can be copied from the host to Application Guard environment and vice versa.
- 0 - Disables content copying. Value type is integer. Supported operations are Add, Get, Replace, and Delete.
This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
The following list shows the supported values:
- 1 - Allow text copying. - 1 - Allow text copying.
- 2 - Allow image copying. - 2 - Allow image copying.
- 3 - Allow text and image copying. - 3 - Allow text and image copying.
<a href="" id="clipboardsettings"></a>**Settings/ClipboardSettings** <!--ADMXMapped-->
This policy setting allows you to decide how the clipboard behaves while in Application Guard. Value type is integer. Supported operations are Add, Get, Replace, and Delete ADMX Info:
- GP English name: *Configure Microsoft Defender Application Guard clipboard settings*
- GP name: *AppHVSIClipboardFileType*
- GP path: *Windows Components/Microsoft Defender Application Guard*
- GP ADMX file name: *AppHVSI.admx*
<!--/ADMXMapped-->
<a href="" id="clipboardsettings"></a>**Settings/ClipboardSettings**
This policy setting allows you to decide how the clipboard behaves while in Application Guard.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
The following list shows the supported values:
- 0 (default) - Completely turns Off the clipboard functionality for the Application Guard. - 0 (default) - Completely turns Off the clipboard functionality for the Application Guard.
- 1 - Turns On clipboard operation from an isolated session to the host - 1 - Turns On clipboard operation from an isolated session to the host.
- 2 - Turns On clipboard operation from the host to an isolated session - 2 - Turns On clipboard operation from the host to an isolated session.
- 3 - Turns On clipboard operation in both the directions - 3 - Turns On clipboard operation in both the directions.
> [!IMPORTANT] > [!IMPORTANT]
> Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended. > Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Configure Microsoft Defender Application Guard clipboard settings*
- GP name: *AppHVSIClipboardSettings*
- GP path: *Windows Components/Microsoft Defender Application Guard*
- GP ADMX file name: *AppHVSI.admx*
<!--/ADMXMapped-->
<a href="" id="printingsettings"></a>**Settings/PrintingSettings** <a href="" id="printingsettings"></a>**Settings/PrintingSettings**
This policy setting allows you to decide how the print functionality behaves while in Application Guard. Value type is integer. Supported operations are Add, Get, Replace, and Delete. This policy setting allows you to decide how the print functionality behaves while in Application Guard.
- 0 - Disables all print functionality (default)
- 1 - Enables only XPS printing
- 2 - Enables only PDF printing
- 3 - Enables both PDF and XPS printing
- 4 - Enables only local printing
- 5 - Enables both local and XPS printing - 6 - Enables both local and PDF printing
- 7 - Enables local, PDF, and XPS printing
- 8 - Enables only network printing
- 9 - Enables both network and XPS printing
- 10 - Enables both network and PDF printing
- 11 - Enables network, PDF, and XPS printing
- 12 - Enables both network and local printing
- 13 - Enables network, local, and XPS printing
- 14 - Enables network, local, and PDF printing
- 15 - Enables all printing
<a href="" id="blocknonenterprisecontent"></a>**Settings/BlockNonEnterpriseContent**
This policy setting allows you to decide whether websites can load non-enterprise content in Microsoft Edge and Internet Explorer. Value type is integer. Supported operations are Add, Get, Replace, and Delete.
- 0 (default) - Non-enterprise content embedded in enterprise sites is allowed to open outside of the Windows Defender Application Guard container, directly in Internet Explorer and Microsoft Edge..
- 1 - Non-enterprise content embedded on enterprise sites are stopped from opening in Internet Explorer or Microsoft Edge outside of Windows Defender Application Guard.
<a href="" id="allowpersistence"></a>**Settings/AllowPersistence**
This policy setting allows you to decide whether data should persist across different sessions in Application Guard. Value type is integer. Supported operations are Add, Get, Replace, and Delete.
- 0 - Application Guard discards user-downloaded files and other items (such as, cookies, Favorites, and so on) during machine restart or user log-off.
- 1 - Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.
<a href="" id="allowvirtualgpu"></a>**Settings/AllowVirtualGPU**
Added in Windows 10, version 1803. This policy setting allows you to determine whether Application Guard can use the virtual GPU to process graphics. Supported operations are Add, Get, Replace, and Delete. Value type is integer.
- 0 (default) - Cannot access the vGPU and uses the CPU to support rendering graphics. When the policy is not configured, it is the same as disabled (0).
- 1 - Turns on the functionality to access the vGPU offloading graphics rendering from the CPU. This can create a faster experience when working with graphics intense websites or watching video within the container.
<a href="" id="savefilestohost"></a>**Settings/SaveFilesToHost**
Added in Windows 10, version 1803. This policy setting allows you to determine whether users can elect to download files from Edge in the container and persist files them from container to the host operating system. Supported operations are Add, Get, Replace, and Delete. Value type is integer.
- 0 (default) - The user cannot download files from Edge in the container to the host file system. When the policy is not configured, it is the same as disabled (0).
- 1 - Turns on the functionality to allow users to download files from Edge in the container to the host file system.
<a href="" id="filetrustcriteria"></a>**Settings/FileTrustCriteria**
Placeholder for future use. Do not use in production code.
<a href="" id="filetrustoriginremovablemedia"></a>**Settings/FileTrustOriginRemovableMedia**
Placeholder for future use. Do not use in production code.
<a href="" id="filetrustoriginnetworkshare"></a>**Settings/FileTrustOriginNetworkShare**
Placeholder for future use. Do not use in production code.
<a href="" id="filetrustoriginmarkoftheweb"></a>**Settings/FileTrustOriginMarkOfTheWeb**
Placeholder for future use. Do not use in production code.
<a href="" id="certificatethumbprints"></a>**Settings/CertificateThumbprints**
Added in Windows 10, version 1809. This policy setting allows certain Root Certificates to be shared with the Windows Defender Application Guard container.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
If you enable this setting, certificates with a thumbprint matching the ones specified will be transferred into the container. You can specify multiple certificates using a comma to separate the thumbprints for each certificate you want to transfer.
Example: b4e72779a8a362c860c36a6461f31e3aa7e58c14,1b1d49f06d2a697a544a1059bd59a7b058cda924
If you disable or dont configure this setting, certificates are not shared with the Windows Defender Application Guard container.
<a href="" id="allowcameramicrophoneredirection"></a>**Settings/AllowCameraMicrophoneRedirection**
Added in Windows 10, version 1809. The policy allows you to determine whether applications inside Windows Defender Application Guard can access the devices camera and microphone when these settings are enabled on the users device.
Value type is integer. Supported operations are Add, Get, Replace, and Delete. Value type is integer. Supported operations are Add, Get, Replace, and Delete.
If you enable this policy, applications inside Windows Defender Application Guard will be able to access the camera and microphone on the users device. This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
If you disable or don't configure this policy, applications inside Windows Defender Application Guard will be unable to access the camera and microphone on the users device. The following list shows the supported values:
- 0 (default) - Disables all print functionality.
- 1 - Enables only XPS printing.
- 2 - Enables only PDF printing.
- 3 - Enables both PDF and XPS printing.
- 4 - Enables only local printing.
- 5 - Enables both local and XPS printing.
- 6 - Enables both local and PDF printing.
- 7 - Enables local, PDF, and XPS printing.
- 8 - Enables only network printing.
- 9 - Enables both network and XPS printing.
- 10 - Enables both network and PDF printing.
- 11 - Enables network, PDF, and XPS printing.
- 12 - Enables both network and local printing.
- 13 - Enables network, local, and XPS printing.
- 14 - Enables network, local, and PDF printing.
- 15 - Enables all printing.
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Configure Microsoft Defender Application Guard print settings*
- GP name: *AppHVSIPrintingSettings*
- GP path: *Windows Components/Microsoft Defender Application Guard*
- GP ADMX file name: *AppHVSI.admx*
<!--/ADMXMapped-->
<a href="" id="blocknonenterprisecontent"></a>**Settings/BlockNonEnterpriseContent**
This policy setting allows you to decide whether websites can load non-enterprise content in Microsoft Edge and Internet Explorer.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
The following list shows the supported values:
- 0 (default) - Non-enterprise content embedded in enterprise sites is allowed to open outside of the Microsoft Defender Application Guard container, directly in Internet Explorer and Microsoft Edge.
- 1 - Non-enterprise content embedded on enterprise sites are stopped from opening in Internet Explorer or Microsoft Edge outside of Microsoft Defender Application Guard.
> [!NOTE]
> This policy setting is no longer supported in the new Microsoft Edge browser.
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Prevent enterprise websites from loading non-enterprise content in Microsoft Edge and Internet Explorer*
- GP name: *BlockNonEnterpriseContent*
- GP path: *Windows Components/Microsoft Defender Application Guard*
- GP ADMX file name: *AppHVSI.admx*
<!--/ADMXMapped-->
<a href="" id="allowpersistence"></a>**Settings/AllowPersistence**
This policy setting allows you to decide whether data should persist across different sessions in Application Guard.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
The following list shows the supported values:
- 0 - Application Guard discards user-downloaded files and other items (such as, cookies, Favorites, and so on) during machine restart or user log-off.
- 1 - Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Allow data persistence for Microsoft Defender Application Guard*
- GP name: *AllowPersistence*
- GP path: *Windows Components/Microsoft Defender Application Guard*
- GP ADMX file name: *AppHVSI.admx*
<!--/ADMXMapped-->
<a href="" id="allowvirtualgpu"></a>**Settings/AllowVirtualGPU**
Added in Windows 10, version 1803. This policy setting allows you to determine whether Application Guard can use the virtual Graphics Processing Unit (GPU) to process graphics.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
If you enable this setting, Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If you enable this setting without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering.
The following list shows the supported values:
- 0 (default) - Cannot access the vGPU and uses the CPU to support rendering graphics. When the policy is not configured, it is the same as disabled (0).
- 1 - Turns on the functionality to access the vGPU offloading graphics rendering from the CPU. This can create a faster experience when working with graphics intense websites or watching video within the container.
> [!WARNING]
> Enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Allow hardware-accelerated rendering for Microsoft Defender Application Guard*
- GP name: *AllowVirtualGPU*
- GP path: *Windows Components/Microsoft Defender Application Guard*
- GP ADMX file name: *AppHVSI.admx*
<!--/ADMXMapped-->
<a href="" id="savefilestohost"></a>**Settings/SaveFilesToHost**
Added in Windows 10, version 1803. This policy setting allows you to determine whether users can elect to download files from Edge in the container and persist files them from container to the host operating system.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
The following list shows the supported values:
- 0 (default) - The user cannot download files from Edge in the container to the host file system. When the policy is not configured, it is the same as disabled (0).
- 1 - Turns on the functionality to allow users to download files from Edge in the container to the host file system.
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Allow files to download and save to the host operating system from Microsoft Defender Application Guard*
- GP name: *SaveFilesToHost*
- GP path: *Windows Components/Microsoft Defender Application Guard*
- GP ADMX file name: *AppHVSI.admx*
<!--/ADMXMapped-->
<a href="" id="certificatethumbprints"></a>**Settings/CertificateThumbprints**
Added in Windows 10, version 1809. This policy setting allows certain device level Root Certificates to be shared with the Microsoft Defender Application Guard container.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
If you enable this setting, certificates with a thumbprint matching the ones specified will be transferred into the container. Multiple certificates can be specified by using a comma to separate the thumbprints for each certificate you want to transfer.
Here's an example:
b4e72779a8a362c860c36a6461f31e3aa7e58c14,1b1d49f06d2a697a544a1059bd59a7b058cda924
If you disable or dont configure this setting, certificates are not shared with the Microsoft Defender Application Guard container.
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Allow Microsoft Defender Application Guard to use Root Certificate Authorities from the user's device*
- GP name: *CertificateThumbprints*
- GP path: *Windows Components/Microsoft Defender Application Guard*
- GP ADMX file name: *AppHVSI.admx*
<!--/ADMXMapped-->
<a href="" id="allowcameramicrophoneredirection"></a>**Settings/AllowCameraMicrophoneRedirection**
Added in Windows 10, version 1809. This policy setting allows you to determine whether applications inside Microsoft Defender Application Guard can access the devices camera and microphone when these settings are enabled on the users device.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
If you enable this policy setting, applications inside Microsoft Defender Application Guard will be able to access the camera and microphone on the users device.
If you disable or don't configure this policy setting, applications inside Microsoft Defender Application Guard will be unable to access the camera and microphone on the users device.
The following list shows the supported values:
- 0 (default) - Microsoft Defender Application Guard cannot access the devices camera and microphone. When the policy is not configured, it is the same as disabled (0).
- 1 - Turns on the functionality to allow Microsoft Defender Application Guard to access the devices camera and microphone.
> [!IMPORTANT] > [!IMPORTANT]
> If you turn on this policy, a compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge. To prevent unauthorized access, we recommend that camera and microphone privacy settings be turned off on the user's device when they are not needed. > If you turn on this policy setting, a compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge. To prevent unauthorized access, we recommend that camera and microphone privacy settings be turned off on the user's device when they are not needed.
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Allow camera and microphone access in Microsoft Defender Application Guard*
- GP name: *AllowCameraMicrophoneRedirection*
- GP path: *Windows Components/Microsoft Defender Application Guard*
- GP ADMX file name: *AppHVSI.admx*
<!--/ADMXMapped-->
<a href="" id="status"></a>**Status** <a href="" id="status"></a>**Status**
Returns bitmask that indicates status of Application Guard installation and pre-requisites on the device. Value type is integer. Supported operation is Get. Returns bitmask that indicates status of Application Guard installation and pre-requisites on the device.
- Bit 0 - Set to 1 when WDAG is enabled into enterprise manage mode Value type is integer. Supported operation is Get.
- Bit 1 - Set to 1 when the client machine is Hyper-V capable
- Bit 2 - Set to 1 when the client machine has a valid OS license and SKU - Bit 0 - Set to 1 when Application Guard is enabled into enterprise manage mode.
- Bit 3 - Set to 1 when WDAG installed on the client machine - Bit 1 - Set to 1 when the client machine is Hyper-V capable.
- Bit 4 - Set to 1 when required Network Isolation Policies are configured - Bit 2 - Set to 1 when the client machine has a valid OS license and SKU.
- Bit 5 - Set to 1 when the client machine meets minimum hardware requirements - Bit 3 - Set to 1 when Application Guard installed on the client machine.
- Bit 4 - Set to 1 when required Network Isolation Policies are configured.
- Bit 5 - Set to 1 when the client machine meets minimum hardware requirements.
- Bit 6 - Set to 1 when system reboot is required.
<a href="" id="platformstatus"></a>**PlatformStatus**
Returns bitmask that indicates status of Application Guard platform installation and prerequisites on the device.
Value type is integer. Supported operation is Get.
- Bit 0 - Set to 1 when Application Guard is enabled into enterprise manage mode.
- Bit 1 - Set to 1 when the client machine is Hyper-V capable.
- Bit 2 - Reserved for Microsoft.
- Bit 3 - Set to 1 when Application Guard is installed on the client machine.
- Bit 4 - Reserved for Microsoft.
- Bit 5 - Set to 1 when the client machine meets minimum hardware requirements.
<a href="" id="installwindowsdefenderapplicationguard"></a>**InstallWindowsDefenderApplicationGuard** <a href="" id="installwindowsdefenderapplicationguard"></a>**InstallWindowsDefenderApplicationGuard**
Initiates remote installation of Application Guard feature. Supported operations are Get and Execute. Initiates remote installation of Application Guard feature.
- Install - Will initiate feature install Supported operations are Get and Execute.
- Uninstall - Will initiate feature uninstall
The following list shows the supported values:
- Install - Will initiate feature install.
- Uninstall - Will initiate feature uninstall.
<a href="" id="audit"></a>**Audit** <a href="" id="audit"></a>**Audit**
Interior node. Supported operation is Get Interior node. Supported operation is Get.
<a href="" id="auditapplicationguard"></a>**Audit/AuditApplicationGuard** <a href="" id="auditapplicationguard"></a>**Audit/AuditApplicationGuard**
This policy setting allows you to decide whether auditing events can be collected from Application Guard. Value type in integer. Supported operations are Add, Get, Replace, and Delete. This policy setting allows you to decide whether auditing events can be collected from Application Guard.
- 0 (default) - - Audit event logs aren't collected for Application Guard. Value type in integer. Supported operations are Add, Get, Replace, and Delete.
- 1 - Application Guard inherits its auditing policies from Microsoft Edge and starts to audit system events specifically for Application Guard.
This policy setting is supported on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
The following list shows the supported values:
- 0 (default) - Audit event logs aren't collected for Application Guard.
- 1 - Application Guard inherits its auditing policies from system and starts to audit security events for Application Guard container.
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Allow auditing events in Microsoft Defender Application Guard*
- GP name: *AuditApplicationGuard*
- GP path: *Windows Components/Microsoft Defender Application Guard*
- GP ADMX file name: *AppHVSI.admx*
<!--/ADMXMapped-->
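Review bot: in Settings/ClipboardFileType the rewrite drops the value `0 - Disables content copying.` that the old text listed, so the supported values now start at 1 while the sibling ClipboardSettings still documents `0 (default)`; either restore the 0 entry or state what applies when the node is unset, since an admin reading this cannot tell whether omitting the node blocks copying. Several defects survive the rewrite and should be fixed while the hunk is open: "insolated environment" in AllowWindowsDefenderApplicationGuard value 0 (which also says "domains" where value 1 says "websites"), "persist files them from container" in SaveFilesToHost, "Value type in integer" in Audit/AuditApplicationGuard, "Set to 1 when Application Guard installed" missing "is" in Status bit 3 (PlatformStatus bit 3 has it), and "enterprise manage mode" in bit 0 of both Status and PlatformStatus. On content, the new WARNING under AllowVirtualGPU about compromised graphics devices or drivers is the right call; SaveFilesToHost deserves the same treatment as ClipboardSettings, whose IMPORTANT note warns about content crossing the isolation boundary, because value 1 moves downloaded files from the container to the host file system and currently carries no caution. Finally, Status and PlatformStatus define bits 0, 1, 3 and 5 identically but differ in bits 2 and 4 ("valid OS license and SKU" and "required Network Isolation Policies" versus "Reserved for Microsoft"); a sentence on when to read which node would save readers from comparing the two lists.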
@ -17,7 +17,7 @@ manager: dansimp
# Use Windows Configuration Designer to configure Windows 10 Mobile devices # Use Windows Configuration Designer to configure Windows 10 Mobile devices
Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. Using provisioning packages, ayou can easily specify desired configuration, settings, and information required to enroll the devices into management, and then apply that configuration to target devices in a matter of minutes. Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. Using provisioning packages, you can easily specify desired configuration, settings, and information required to enroll the devices into management, and then apply that configuration to target devices in a matter of minutes.
A provisioning package (.ppkg) is a container for a collection of configuration settings. Using Windows Configuration Designer, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. A provisioning package (.ppkg) is a container for a collection of configuration settings. Using Windows Configuration Designer, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image.
@ -43,6 +43,8 @@
href: update/plan-determine-app-readiness.md href: update/plan-determine-app-readiness.md
- name: Define your servicing strategy - name: Define your servicing strategy
href: update/plan-define-strategy.md href: update/plan-define-strategy.md
- name: Delivery Optimization for Windows 10 updates
href: update/waas-delivery-optimization-reference.md
- name: Best practices for feature updates on mission-critical devices - name: Best practices for feature updates on mission-critical devices
href: update/feature-update-mission-critical.md href: update/feature-update-mission-critical.md
- name: Windows 10 deployment considerations - name: Windows 10 deployment considerations
@ -35,6 +35,10 @@ The script is organized into two folders **Pilot** and **Deployment**. Both fold
> [!IMPORTANT] > [!IMPORTANT]
> If you encounter an issue with Update Compliance, the first step should be to run the script in Pilot mode on a device you are encountering issues with, and save these Logs for reference with Support. > If you encounter an issue with Update Compliance, the first step should be to run the script in Pilot mode on a device you are encountering issues with, and save these Logs for reference with Support.
> [!IMPORTANT]
> The script must be run in the System context. To do this, use the PsExec tool included in the file. For more about PsExec, see [PsExec](https://docs.microsoft.com/sysinternals/downloads/psexec).
When using the script in the context of troubleshooting, use `Pilot`. Enter `RunConfig.bat`, and configure it as follows: When using the script in the context of troubleshooting, use `Pilot`. Enter `RunConfig.bat`, and configure it as follows:
1. Configure `logPath` to a path where the script will have write access and a place you can easily access. This specifies the output of the log files generated when the script is in Verbose mode. 1. Configure `logPath` to a path where the script will have write access and a place you can easily access. This specifies the output of the log files generated when the script is in Verbose mode.
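Review bot: the new IMPORTANT block sits directly under the previous one with no blank line between them, so Markdown renders both as a single callout; add a blank line or merge the two points. "the PsExec tool included in the file" does not say which file; state that PsExec ships in the script download. Because the script runs as SYSTEM, the paragraph below should also say that `logPath` must be writable by the System account (not just by the logged-on user) and that RunConfig.bat should be launched from the verified download location, since anything it executes inherits that context.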

View File

@ -23,7 +23,7 @@ ms.topic: article
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
There are a great many details you can set in Delivery Optimization to customize it to do just what you need it to. This topic summarizes them for your reference. There are a great many details you can set in Delivery Optimization to customize it to do just what you need it to. This topic summarizes them for your reference. If you just need an overview of Delivery Optimization, see [Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md). If you need information about setting up Delivery Optimization, including tips for the best settings in different scenarios, see [Set up Delivery Optimization for Windows 10 updates](waas-delivery-optimization-setup.md).
## Delivery Optimization options ## Delivery Optimization options
@ -47,9 +47,9 @@ In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimiz
| [Absolute Max Cache Size](#absolute-max-cache-size) | DOAbsoluteMaxCacheSize | 1607 | | [Absolute Max Cache Size](#absolute-max-cache-size) | DOAbsoluteMaxCacheSize | 1607 |
| [Modify Cache Drive](#modify-cache-drive) | DOModifyCacheDrive | 1607 | | [Modify Cache Drive](#modify-cache-drive) | DOModifyCacheDrive | 1607 |
| [Minimum Peer Caching Content File Size](#minimum-peer-caching-content-file-size) | DOMinFileSizeToCache | 1703 | | [Minimum Peer Caching Content File Size](#minimum-peer-caching-content-file-size) | DOMinFileSizeToCache | 1703 |
| [Maximum Download Bandwidth](#maximum-download-bandwidth) | DOMaxDownloadBandwidth | 1607 | | [Maximum Download Bandwidth](#maximum-download-bandwidth) | DOMaxDownloadBandwidth | 1607 (removed in Windows 10, version 2004; use [Maximum Background Download Bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) or [Maximum Foreground Download Bandwidth (in KB/s)](#maximum-foreground-download-bandwidth-in-kbs) instead)|
| [Percentage of Maximum Download Bandwidth](#percentage-of-maximum-download-bandwidth) | DOPercentageMaxDownloadBandwidth | 1607 | | [Percentage of Maximum Download Bandwidth](#percentage-of-maximum-download-bandwidth) | DOPercentageMaxDownloadBandwidth | 1607 (removed in Windows 10, version 2004; use [Maximum Background Download Bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) or [Maximum Foreground Download Bandwidth (in KB/s)](#maximum-foreground-download-bandwidth-in-kbs) instead)|
| [Max Upload Bandwidth](#max-upload-bandwidth) | DOMaxUploadBandwidth | 1607 | | [Max Upload Bandwidth](#max-upload-bandwidth) | DOMaxUploadBandwidth | 1607 (removed in Windows 10, version 2004) |
| [Monthly Upload Data Cap](#monthly-upload-data-cap) | DOMonthlyUploadDataCap | 1607 | | [Monthly Upload Data Cap](#monthly-upload-data-cap) | DOMonthlyUploadDataCap | 1607 |
| [Minimum Background QoS](#minimum-background-qos) | DOMinBackgroundQoS | 1607 | | [Minimum Background QoS](#minimum-background-qos) | DOMinBackgroundQoS | 1607 |
| [Enable Peer Caching while the device connects via VPN](#enable-peer-caching-while-the-device-connects-via-vpn) | DOAllowVPNPeerCaching | 1709 | | [Enable Peer Caching while the device connects via VPN](#enable-peer-caching-while-the-device-connects-via-vpn) | DOAllowVPNPeerCaching | 1709 |
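Review bot: the "removed in Windows 10, version 2004; use ... instead" parentheticals put two long link lists into the version column; a short "Notes" column, or a one-line remark under the table, would keep the table readable. The Max Upload Bandwidth row is marked removed but, unlike the two download rows, names no replacement; say whether there is one or that upload bandwidth is now managed only by the Monthly Upload Data Cap.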
@ -64,6 +64,10 @@ In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimiz
| [Delay foreground download from http (in secs)](#delay-foreground-download-from-http-in-secs) | DODelayForegroundDownloadFromHttp | 1803 | | [Delay foreground download from http (in secs)](#delay-foreground-download-from-http-in-secs) | DODelayForegroundDownloadFromHttp | 1803 |
| [Delay foreground download cache server fallback (in secs)](#delay-foreground-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackForeground | 1903 | | [Delay foreground download cache server fallback (in secs)](#delay-foreground-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackForeground | 1903 |
| [Delay background download cache server fallback (in secs)](#delay-background-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackBackground | 1903 | | [Delay background download cache server fallback (in secs)](#delay-background-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackBackground | 1903 |
| [Cache Server Hostname](#cache-server-hostname) | DOCacheHost | 2004 |
| [Cache Server Hostname Source](#cache-server-hostname-source) | DOCacheHostSource | 2004 |
| [Maximum Foreground Download Bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) | DOMaxForegroundDownloadBandwidth | 2004 |
| [Maximum Background Download Bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) | DOMaxBackgroundDownloadBandwidth | 2004 |
### More detail on Delivery Optimization settings: ### More detail on Delivery Optimization settings:
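Review bot: the new "Maximum Foreground Download Bandwidth (in KB/s)" row links to `#maximum-background-download-bandwidth-in-kbs`, so it jumps to the background section. Point it at `#maximum-foreground-download-bandwidth-in-kbs`, the anchor the new heading further down generates and the one the two "removed in version 2004" rows in the previous hunk already use.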
@ -131,7 +135,7 @@ Starting in Windows 10, version 1803, set this policy to restrict peer selection
- 0 = not set - 0 = not set
- 1 = AD Site - 1 = AD Site
- 2 = Authenticated domain SID - 2 = Authenticated domain SID
- 3 = DHCP Option ID (with this option, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID) - 3 = DHCP Option ID (with this option, the client will query DHCP Option ID 235 and use the returned GUID value as the Group ID)
- 4 = DNS Suffix - 4 = DNS Suffix
- 5 = Starting with Windows 10, version 1903, you can use the Azure Active Directory (AAD) Tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5. - 5 = Starting with Windows 10, version 1903, you can use the Azure Active Directory (AAD) Tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5.
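Review bot: the DHCP option for DOGroupIdSource changes from 234 to 235 here, and the same commit introduces DHCP Option 235 as the source for the Cache Server Hostname policy. If both policies really read option 235, the text needs to explain how one option value serves as both a group GUID and a cache host list; if they do not, one of the two numbers is wrong and should be checked against the DHCP server configuration the other page describes.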
@ -232,4 +236,33 @@ The device can download from peers while on battery regardless of this policy.
>[!IMPORTANT] >[!IMPORTANT]
> By default, devices **will not upload while on battery**. To enable uploads while on battery, you need to enable this policy and set the battery value under which uploads pause. > By default, devices **will not upload while on battery**. To enable uploads while on battery, you need to enable this policy and set the battery value under which uploads pause.
### Cache Server Hostname
Set this policy to to designate one or more Microsoft Connected Cache servers to be used by Delivery Optimization. You can set one or more FQDNs or IP Addresses that are comma separated, for example: myhost.somerandomhost.com,myhost2.somrandomhost.com,10.10.1.7.
### Cache Server Hostname Source
This policy allows you to specify how your client(s) can discover Delivery Optimization in Network Cache servers dynamically. There are two options:
- 1 = DHCP Option 235.
- 2 = DHCP Option 235 Force.
with either option, the client will query DHCP Option ID 235 and use the returned value as the Cache Server Hostname. Option 2 overrides the Cache Server Hostname policy, if set.
Set this policy to designate one or more Delivery Optimization in Network Cache servers through a custom DHCP Option. You can add one or more value either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address by commas.
> [!NOTE]
> If you format the DHCP Option ID incorrectly, the client will fall back to the Cache Server Hostname policy value if that value has been set.
### Maximum Foreground Download Bandwidth (in KB/s)
Specifies the maximum foreground download bandwidth in kilobytes/second that the device can use across all concurrent download activities using Delivery Optimization.
The default value of 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.
### Maximum Background Download Bandwidth (in KB/s)
Specifies the maximum background download bandwidth in kilobytes/second that the device can use across all concurrent download activities using Delivery Optimization.
The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.
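Review bot: the Cache Server Hostname Source section is inconsistent about fallback: it says option 2 ("DHCP Option 235 Force") overrides the Cache Server Hostname policy, while the NOTE says a badly formatted DHCP value falls back to that policy; state whether the fallback also applies under Force. Since the cache host list arrives over DHCP, the section should also say what validation the client applies to content fetched from a DHCP-supplied host, so administrators can judge the risk of a misconfigured or unexpected DHCP answer. Wording fixes in the same hunk: "Set this policy to to designate" (double "to"), "with either option" should start a sentence with a capital, "one or more value either fully qualified domain names" reads better as "one or more values, either fully qualified domain names (FQDNs) or IP addresses", and the example list mixes "somerandomhost.com" and "somrandomhost.com".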

View File

@ -24,7 +24,7 @@ ms.topic: article
## Recommended Delivery Optimization settings ## Recommended Delivery Optimization settings
Delivery Optimization offers a great many settings to fine-tune its behavior (see [Delivery Optimization reference](waas-delivery-optimization-reference.md) for a comprehensive list), but for the most efficient performance, there are just a few key parameters that will have the greatest impact if particular situations exist in your deployment: Delivery Optimization offers a great many settings to fine-tune its behavior (see [Delivery Optimization reference](waas-delivery-optimization-reference.md) for a comprehensive list), but for the most efficient performance, there are just a few key parameters that will have the greatest impact if particular situations exist in your deployment. If you just need an overview of Delivery Optimization, see [Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md).
- Does your topology include multiple breakouts to the internet (i.e., a "hybrid WAN") or are there only a few connections to the internet, so that all requests appear to come from a single external IP address (a "hub and spoke" topology)? - Does your topology include multiple breakouts to the internet (i.e., a "hybrid WAN") or are there only a few connections to the internet, so that all requests appear to come from a single external IP address (a "hub and spoke" topology)?
- If you use boundary groups in your topology, how many devices are present in a given group? - If you use boundary groups in your topology, how many devices are present in a given group?
@ -129,7 +129,6 @@ To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/**
| ExpireOn | The target expiration date and time for the file. | | ExpireOn | The target expiration date and time for the file. |
| Pinned | A yes/no value indicating whether an item has been "pinned" in the cache (see `setDeliveryOptmizationStatus`). | | Pinned | A yes/no value indicating whether an item has been "pinned" in the cache (see `setDeliveryOptmizationStatus`). |
Starting in Windows 10, version 2004, `Get-DeliveryOptimizationStatus` has a new option `-PeerInfo` which returns a real-time list of the connected peers.
`Get-DeliveryOptimizationPerfSnap` returns a list of key performance data: `Get-DeliveryOptimizationPerfSnap` returns a list of key performance data:
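Review bot: removing the sentence is right, because it credited `-PeerInfo` to `Get-DeliveryOptimizationStatus` while the next hunk keeps the same claim on `Get-DeliveryOptimizationPerfSnap`. The unchanged context line just above still reads `setDeliveryOptmizationStatus` (missing "i" and lowercase), which does not match the `Set-DeliveryOptimizationStatus` cmdlet naming used elsewhere; fix it in the same pass.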
@ -147,7 +146,7 @@ Using the `-Verbose` option returns additional information:
- Bytes from CDN (the number of bytes received over HTTP) - Bytes from CDN (the number of bytes received over HTTP)
- Average number of peer connections per download  - Average number of peer connections per download 
Starting in Windows 10, version 2004, `Get-DeliveryOptimizationPerfSnap` has a new option `-PeerInfo` which returns a real-time list of the connected peers. **Starting in Windows 10, version 2004**, `Get-DeliveryOptimizationPerfSnap` has a new option `-PeerInfo` which returns a real-time list of the connected peers.
Starting in Windows 10, version 1903, `get-DeliveryOptimizationPerfSnap` has a new option `-CacheSummary` which provides a summary of the cache status. Starting in Windows 10, version 1903, `get-DeliveryOptimizationPerfSnap` has a new option `-CacheSummary` which provides a summary of the cache status.
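Review bot: only the version 2004 sentence gets bold, while the parallel version 1903 sentence directly below keeps plain text; use one style for both. The 1903 line also writes the cmdlet as `get-DeliveryOptimizationPerfSnap`, lowercase "g", unlike every other mention.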
@ -178,7 +177,10 @@ You can now "pin" files to keep them persistent in the cache. You can only do th
**Starting in Windows 10, version 2004:** **Starting in Windows 10, version 2004:**
`Get-DeliveryOptimizationLogAnalysis [ETL Logfile path] [-ListConnections]` - `Enable-DeliveryOptimizationVerboseLogs`
- `Disable-DeliveryOptimizationVerboseLogs`
- `Get-DeliveryOptimizationLogAnalysis [ETL Logfile path] [-ListConnections]`
With no options, this cmdlet returns these data: With no options, this cmdlet returns these data:
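Review bot: the context line "With no options, this cmdlet returns these data:" now follows a three-item list, so "this cmdlet" is ambiguous; name it explicitly, for example "With no options, `Get-DeliveryOptimizationLogAnalysis` returns these data:". A one-line description of what `Enable-DeliveryOptimizationVerboseLogs` and `Disable-DeliveryOptimizationVerboseLogs` do (and where the verbose logs land) would also help, since the list otherwise introduces them without explanation.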
@ -218,7 +220,7 @@ Log entries are written to the PowerShell pipeline as objects. To dump logs to a
Update Compliance provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer distribution over the past 28 days. Update Compliance provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer distribution over the past 28 days.
![DO status](images/UC_workspace_DO_status.png) [ ![DO status](images/UC_workspace_DO_status.png) ](images/UC_workspace_DO_status.png#lightbox)
For details, see [Delivery Optimization in Update Compliance](update-compliance-delivery-optimization.md). For details, see [Delivery Optimization in Update Compliance](update-compliance-delivery-optimization.md).

View File

@ -1,5 +1,5 @@
--- ---
title: Configure Delivery Optimization for Windows 10 updates (Windows 10) title: Delivery Optimization for Windows 10 updates
ms.reviewer: ms.reviewer:
manager: laurawi manager: laurawi
description: Delivery Optimization is a peer-to-peer distribution method in Windows 10 description: Delivery Optimization is a peer-to-peer distribution method in Windows 10
@ -28,6 +28,8 @@ Windows updates, upgrades, and applications can contain packages with very large
Delivery Optimization is a cloud-managed solution. Access to the Delivery Optimization cloud services is a requirement. This means that in order to use the peer-to-peer functionality of Delivery Optimization, devices must have access to the internet. Delivery Optimization is a cloud-managed solution. Access to the Delivery Optimization cloud services is a requirement. This means that in order to use the peer-to-peer functionality of Delivery Optimization, devices must have access to the internet.
For information about setting up Delivery Optimization, including tips for the best settings in different scenarios, see [Set up Delivery Optimization for Windows 10 updates](waas-delivery-optimization-setup.md). For a comprehensive list of all Delivery Optimization settings, see [Delivery Optimization reference](waas-delivery-optimization-reference.md).
>[!NOTE] >[!NOTE]
>WSUS can also use [BranchCache](waas-branchcache.md) for content sharing and caching. If Delivery Optimization is enabled on devices that use BranchCache, Delivery Optimization will be used instead. >WSUS can also use [BranchCache](waas-branchcache.md) for content sharing and caching. If Delivery Optimization is enabled on devices that use BranchCache, Delivery Optimization will be used instead.
@ -38,7 +40,30 @@ Delivery Optimization is a cloud-managed solution. Access to the Delivery Optimi
![absolute bandwidth settings in delivery optimization interface](images/DO-absolute-bandwidth.png) ![absolute bandwidth settings in delivery optimization interface](images/DO-absolute-bandwidth.png)
- Activity Monitor now identifies the cache server used for as the source for Microsoft Connected Cache. For more information about using Microsoft Connected Cache with Configuration Manager, see [Microsoft Connected Cache](https://docs.microsoft.com/mem/configmgr/core/plan-design/hierarchy/fundamental-concepts-for-content-management#microsoft-connected-cache). - Activity Monitor now identifies the cache server used for as the source for Microsoft Connected Cache. For more information about using Microsoft Connected Cache with Configuration Manager, see [Microsoft Connected Cache](https://docs.microsoft.com/mem/configmgr/core/plan-design/hierarchy/microsoft-connected-cache).
- New options for [`Get-DeliveryOptimizationPerfSnap`](waas-delivery-optimization-setup.md#analyze-usage).
- New cmdlets:
- `Enable-DeliveryOptimizationVerboseLogs`
- `Disable-DeliveryOptimizationVerboseLogs`
- `Get-DeliveryOptimizationLogAnalysis [ETL Logfile path] [-ListConnections]`
- New policy settings:
- [DOCacheHost](waas-delivery-optimization-reference.md#cache-server-hostname)
- [DOCacheHostSource](waas-delivery-optimization-reference.md#cache-server-hostname-source)
- [DOMaxForegroundDownloadBandwidth](waas-delivery-optimization-reference.md#maximum-foreground-download-bandwidth-in-kbs); replaces DOPercentageMaxDownloadBandwidth
- [DOMaxBackgroundDownloadBandwidth](waas-delivery-optimization-reference.md#maximum-foreground-download-bandwidth-in-kbs)
- Removed policy settings (if you set these policies in Windows 10, 2004, they will have no effect):
- DOMaxDownloadBandwidth; use [DOMaxBackgroundDownloadBandwidth](waas-delivery-optimization-reference.md#maximum-foreground-download-bandwidth-in-kbs) or [DOMaxBackgroundDownloadBandwidth](waas-delivery-optimization-reference.md#maximum-foreground-download-bandwidth-in-kbs) instead.
- DOPercentageMaxDownloadBandwidth; use [DOMaxBackgroundDownloadBandwidth](waas-delivery-optimization-reference.md#maximum-foreground-download-bandwidth-in-kbs) or [DOMaxBackgroundDownloadBandwidth](waas-delivery-optimization-reference.md#maximum-foreground-download-bandwidth-in-kbs) instead.
- DOMaxUploadBandwidth
- Support for new types of downloads:
- Office installations and updates
- Xbox game pass games
- MSIX apps (HTTP downloads only)
## Requirements ## Requirements
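Review bot: the policy links and names in the "what's new" list are wrong in several places. `DOMaxBackgroundDownloadBandwidth` links to `#maximum-foreground-download-bandwidth-in-kbs` instead of the background anchor. The two "Removed policy settings" lines each say "use DOMaxBackgroundDownloadBandwidth or DOMaxBackgroundDownloadBandwidth instead", the same name twice with both links pointing at the foreground anchor; the first should be `DOMaxForegroundDownloadBandwidth`, matching the reference table in this commit. The `DOMaxForegroundDownloadBandwidth` line says it "replaces DOPercentageMaxDownloadBandwidth", while the removed-settings list says either new policy replaces it; pick one statement. "Windows 10, 2004" should read "Windows 10, version 2004" as elsewhere.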

View File

@ -48,7 +48,7 @@ When run by Windows Setup, the following [parameters](#parameters) are used:
- /Output:%windir%\logs\SetupDiag\SetupDiagResults.xml - /Output:%windir%\logs\SetupDiag\SetupDiagResults.xml
- /RegPath:HKEY_LOCAL_MACHINE\SYSTEM\Setup\SetupDiag\Results - /RegPath:HKEY_LOCAL_MACHINE\SYSTEM\Setup\SetupDiag\Results
The resulting SetupDiag analysis can be found at **%WinDir%\Logs\SetupDiag\SetupDiagResults.xml** and in the registry under **HKLM\Setup\SetupDiag\Results**. The resulting SetupDiag analysis can be found at **%WinDir%\Logs\SetupDiag\SetupDiagResults.xml** and in the registry under **HKLM\SYSTEM\Setup\SetupDiag\Results**.
If the upgrade process proceeds normally, the **Sources** directory including **setupdiag.exe** is moved under **%SystemDrive%\Windows.Old** for cleanup. If the **Windows.old** directory is deleted later, **setupdiag.exe** will also be removed. If the upgrade process proceeds normally, the **Sources** directory including **setupdiag.exe** is moved under **%SystemDrive%\Windows.Old** for cleanup. If the **Windows.old** directory is deleted later, **setupdiag.exe** will also be removed.

View File

@ -35,6 +35,9 @@ There are a significant number of policy settings available for Windows 10, both
<br>Windows 10 Security Baseline / <a href="https://docs.microsoft.com/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions">Require admin approval mode for administrators</a></td> <br>Windows 10 Security Baseline / <a href="https://docs.microsoft.com/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions">Require admin approval mode for administrators</a></td>
<td>When modifying user account control (UAC) settings during the OOBE using the device Enrollment Status Page (ESP), additional UAC prompts may result, especially if the device reboots after these policies are applied, enabling them to take effect. To work around this issue, the policies can be targeted to users instead of devices so that they apply later in the process.</td> <td>When modifying user account control (UAC) settings during the OOBE using the device Enrollment Status Page (ESP), additional UAC prompts may result, especially if the device reboots after these policies are applied, enabling them to take effect. To work around this issue, the policies can be targeted to users instead of devices so that they apply later in the process.</td>
<tr><td width="50%">Device restrictions / Cloud and Storage / <a href="https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10#cloud-and-storage">Microsoft Account sign-in assistant</a></td>
<td>Setting this policy to "disabled" will disable the Microsoft Sign-in Assistant service (wlidsvc). This service is required by Windows Autopilot to obtain the Windows Autopilot profile.</td>
</table> </table>
## Related topics ## Related topics
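Review bot: the new row opens `<tr>` but never closes it before `</table>`; add `</tr>` after the second `</td>` (the row above has the same omission, so fix both). The description says the "disabled" value breaks Autopilot profile retrieval by stopping wlidsvc but does not say what to do instead; one sentence telling the reader to leave the setting Not configured (or whatever value the Intune page recommends) would make the row actionable.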

View File

@ -101,7 +101,7 @@ The following additional requirements apply for Hybrid Azure AD Join with VPN su
- Windows 10 1909 + December 10th Cumulative update (KB4530684, OS build 18363.535) or higher - Windows 10 1909 + December 10th Cumulative update (KB4530684, OS build 18363.535) or higher
- Windows 10 2004 or later - Windows 10 2004 or later
- Enable the new “Skip domain connectivity check” toggle in the Hybrid Azure AD Join Autopilot profile. - Enable the new “Skip domain connectivity check” toggle in the Hybrid Azure AD Join Autopilot profile.
- A VPN configuration that can be deployed via Intune that enables the user to manualy establish a VPN connection from the Windows logon screen, or one that automatically establishes a VPN connection as needed. - A VPN configuration that can be deployed via Intune that enables the user to manually establish a VPN connection from the Windows logon screen, or one that automatically establishes a VPN connection as needed.
The specific VPN configuration required depends on the VPN software and authentication being used. For third-party (non-Microsoft) VPN solutions, this typically would involve deploying a Win32 app (containing the VPN client software itself as well as any specific connection information, e.g. VPN endpoint host names) via Intune Management Extensions. Consult your VPN provider's documentation for configuration details specific to that provider. The specific VPN configuration required depends on the VPN software and authentication being used. For third-party (non-Microsoft) VPN solutions, this typically would involve deploying a Win32 app (containing the VPN client software itself as well as any specific connection information, e.g. VPN endpoint host names) via Intune Management Extensions. Consult your VPN provider's documentation for configuration details specific to that provider.
@ -131,7 +131,7 @@ For VPN configurations that automatically connect, the validation steps may be d
To validate the end-to-end process, ensure the needed Windows 10 cumulative update has been installed on Windows 10 1903 or Windows 10 1909. This can be done manually during OOBE by first downloading the latest cumulative from https://catalog.update.microsoft.com and then manually installing it: To validate the end-to-end process, ensure the needed Windows 10 cumulative update has been installed on Windows 10 1903 or Windows 10 1909. This can be done manually during OOBE by first downloading the latest cumulative from https://catalog.update.microsoft.com and then manually installing it:
- Press Shift-F10 to open a command prompt. - Press Shift-F10 to open a command prompt.
- Insert a USB key containing the donwloaded update. - Insert a USB key containing the downloaded update.
- Install the update using the command (substituting the real file name): WUSA.EXE <filename>.msu /quiet - Install the update using the command (substituting the real file name): WUSA.EXE <filename>.msu /quiet
- Reboot the computer using the command: shutdown.exe /r /t 0 - Reboot the computer using the command: shutdown.exe /r /t 0

View File

@ -14,7 +14,7 @@ ms.author: obezeajo
manager: robsize manager: robsize
ms.collection: M365-security-compliance ms.collection: M365-security-compliance
ms.topic: article ms.topic: article
ms.date: 6/3/2020 ms.date: 7/7/2020
--- ---
# Manage connections from Windows 10 operating system components to Microsoft services # Manage connections from Windows 10 operating system components to Microsoft services
@ -57,18 +57,18 @@ The following table lists management options for each setting, beginning with Wi
| Setting | UI | Group Policy | Registry | | Setting | UI | Group Policy | Registry |
| - | :-: | :-: | :-: | | - | :-: | :-: | :-: |
| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [2. Cortana and Search](#bkmk-cortana) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [2. Cortana and Search](#bkmk-cortana) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [5. Find My Device](#find-my-device) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [5. Find My Device](#find-my-device) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [6. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [6. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [7. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [7. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [8. Internet Explorer](#bkmk-ie) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [8. Internet Explorer](#bkmk-ie) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [9. License Manager](#bkmk-licmgr) | | | ![Check mark](images/checkmark.png) | | [9. License Manager](#bkmk-licmgr) | | | ![Check mark](images/checkmark.png) |
| [10. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [10. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [11. Mail synchronization](#bkmk-mailsync) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | [11. Mail synchronization](#bkmk-mailsync) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) |
| [12. Microsoft Account](#bkmk-microsoft-account) | | | ![Check mark](images/checkmark.png) | | [12. Microsoft Account](#bkmk-microsoft-account) | | | ![Check mark](images/checkmark.png) |
| [13. Microsoft Edge](#bkmk-edge) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [13. Microsoft Edge](#bkmk-edge) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [14. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [14. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [15. Offline maps](#bkmk-offlinemaps) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [15. Offline maps](#bkmk-offlinemaps) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [16. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [16. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
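Review bot: this hunk drops the UI check mark for Cortana and Search, Internet Explorer, and Microsoft Edge without touching the matching sections of the document, and the commit gives no reason. If the UI options were removed or no longer fully disable those connections, the corresponding sections later in the page should lose their UI steps in the same change; otherwise the table and the sections will disagree.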
@ -613,6 +613,10 @@ You can turn off NCSI by doing one of the following:
You can turn off the ability to download and update offline maps. You can turn off the ability to download and update offline maps.
- Turn **Off** the feature in the UI by going to **Settings -> Apps -> Offline maps -> Map updates**, toggle the **Automatically update maps** switch to **Off**
-or-
- **Enable** the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Maps** &gt; **Turn off Automatic Download and Update of Map Data** - **Enable** the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Maps** &gt; **Turn off Automatic Download and Update of Map Data**
-or- -or-
@ -929,7 +933,7 @@ To turn off **Location for this device**:
-or- -or-
- **Enable** the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Location and Sensors** &gt; **Turn off location**. - **Enable** the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **App Privacy** &gt; **Let Windows apps access location** and set the **Select a setting** box to **Force Deny**.
-or- -or-
@ -942,7 +946,7 @@ To turn off **Location**:
-or- -or-
- **Enable** the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **App Privacy** &gt; **Let Windows apps access location** and set the **Select a setting** box to **Force Deny**. - **Enable** the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Location and Sensors** &gt; **Turn off location**.
-or- -or-
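Review bot: this hunk and the one before it simply swap the two Group Policy paths between "Location for this device" and "Location", so "Turn off location" now sits under the per-user Location setting and the App Privacy "Force Deny" policy under the device-wide setting. If the earlier mapping was the bug, the commit message or a short note should say so, because the two policies have different scope (all location access on the device versus Windows apps only) and a reader comparing revisions cannot tell which version is correct.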

View File

@ -169,7 +169,7 @@ When Active Directory is installed on the first domain controller in the domain,
## <a href="" id="sec-guest"></a>Guest account ## <a href="" id="sec-guest"></a>Guest account
The Guest account is a default local account has limited access to the computer and is disabled by default. The Guest account cannot be deleted or disabled, and the account name cannot be changed. By default, the Guest account password is left blank. A blank password allows the Guest account to be accessed without requiring the user to enter a password. The Guest account is a default local account that has limited access to the computer and is disabled by default. By default, the Guest account password is left blank. A blank password allows the Guest account to be accessed without requiring the user to enter a password.
The Guest account enables occasional or one-time users, who do not have an individual account on the computer, to sign in to the local server or domain with restricted rights and permissions. The Guest account can be enabled, and the password can be set up if needed, but only by a member of the Administrator group on the domain. The Guest account enables occasional or one-time users, who do not have an individual account on the computer, to sign in to the local server or domain with restricted rights and permissions. The Guest account can be enabled, and the password can be set up if needed, but only by a member of the Administrator group on the domain.
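Review bot: dropping "The Guest account cannot be deleted or disabled" removes a direct contradiction with "is disabled by default", which is good, but the whole sentence went, including the claims about deletion and renaming. If the account still cannot be deleted, keep that part, and if the name can be changed (the "Accounts: Rename guest account" security option exists for that), say so, since defenders rely on both facts when hardening local accounts. The unchanged line below still says "Administrator group"; the group is "Administrators".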

View File

@ -33,6 +33,9 @@ Windows Certificate APIs (CertVerifyCertificateChainPolicy and WinVerifyTrust) a
These restrictions are encapsulated in a Pin Rules Certificate Trust List (CTL) that is configured and deployed to Windows 10 computers. These restrictions are encapsulated in a Pin Rules Certificate Trust List (CTL) that is configured and deployed to Windows 10 computers.
Any site certificate triggering a name mismatch causes Windows to write an event to the CAPI2 event log and prevents the user from navigating to the web site using Microsoft Edge or Internet Explorer. Any site certificate triggering a name mismatch causes Windows to write an event to the CAPI2 event log and prevents the user from navigating to the web site using Microsoft Edge or Internet Explorer.
> [!NOTE]
> Enterprise Certificate Pinning feature triggering doesn't cause clients other than Microsoft Edge or Internet Explorer to block the connection.
## Deployment ## Deployment
To deploy enterprise certificate pinning, you need to: To deploy enterprise certificate pinning, you need to:
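Review bot: the first sentence of the new note is hard to parse ("Enterprise Certificate Pinning feature triggering doesn't cause clients other than Microsoft Edge or Internet Explorer to block the connection"); suggest "A pin rule mismatch only blocks navigation in Microsoft Edge and Internet Explorer; other clients are not blocked." It would also help to say whether the CAPI2 event described two lines above is still written when another client hits a mismatch, since that determines whether the event log can be used to detect mismatches from non-browser applications.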

View File

@ -31,6 +31,9 @@ In a mobile-first, cloud-first world, Azure Active Directory enables single sign
To improve productivity, Azure Active Directory provides your users with a broad range of options to access your corporate assets. With application access management, Azure Active Directory enables you to ensure that only the right people can access your applications. What if you want to have more control over how the right people are accessing your resources under certain conditions? What if you even have conditions under which you want to block access to certain applications even for the right people? For example, it might be OK for you if the right people are accessing certain applications from a trusted network; however, you might not want them to access these applications from a network you don't trust. You can address these questions using conditional access. To improve productivity, Azure Active Directory provides your users with a broad range of options to access your corporate assets. With application access management, Azure Active Directory enables you to ensure that only the right people can access your applications. What if you want to have more control over how the right people are accessing your resources under certain conditions? What if you even have conditions under which you want to block access to certain applications even for the right people? For example, it might be OK for you if the right people are accessing certain applications from a trusted network; however, you might not want them to access these applications from a network you don't trust. You can address these questions using conditional access.
> [!NOTE]
> For more details about the way Windows Hello for Business interacts with Azure Multi Factor Authentication and Conditional Access, see [this article](https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/why-are-my-users-not-prompted-for-mfa-as-expected/ba-p/1449032).
Read [Conditional access in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-azure-portal) to learn more about Conditional Access. Afterwards, read [Getting started with conditional access in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-azure-portal-get-started) to start deploying Conditional access. Read [Conditional access in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-azure-portal) to learn more about Conditional Access. Afterwards, read [Getting started with conditional access in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-azure-portal-get-started) to start deploying Conditional access.
## Related topics ## Related topics
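Review bot: the added note uses "this article" as link text; the rest of this page links by title (for example "Conditional access in Azure Active Directory"), so use the target's title ("Why are my users not prompted for MFA as expected?") for consistency and so the link is meaningful when read out of context. The product name is also normally hyphenated, "Azure Multi-Factor Authentication".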

View File

@ -570,6 +570,7 @@
###### [Vulnerability]() ###### [Vulnerability]()
####### [Vulnerability methods and properties](microsoft-defender-atp/vulnerability.md) ####### [Vulnerability methods and properties](microsoft-defender-atp/vulnerability.md)
####### [List vulnerabilities](microsoft-defender-atp/get-all-vulnerabilities.md) ####### [List vulnerabilities](microsoft-defender-atp/get-all-vulnerabilities.md)
####### [List vulnerabilities by Machine and Software](microsoft-defender-atp/get-all-vulnerabilities-by-machines.md)
####### [Get vulnerability by Id](microsoft-defender-atp/get-vulnerability-by-id.md) ####### [Get vulnerability by Id](microsoft-defender-atp/get-vulnerability-by-id.md)
####### [List machines by vulnerability](microsoft-defender-atp/get-machines-by-vulnerability.md) ####### [List machines by vulnerability](microsoft-defender-atp/get-machines-by-vulnerability.md)
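Review bot: the new TOC entry "List vulnerabilities by Machine and Software" capitalizes Machine and Software, while the sibling entries use sentence case ("List machines by vulnerability", "Get vulnerability by Id"); suggest "List vulnerabilities by machine and software" to match.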

View File

@ -31,7 +31,7 @@ Submit the file in question as a software developer. Wait until your submission
If you're not satisfied with our determination of the submission, use the developer contact form provided with the submission results to reach Microsoft. We will use the information you provide to investigate further if necessary. If you're not satisfied with our determination of the submission, use the developer contact form provided with the submission results to reach Microsoft. We will use the information you provide to investigate further if necessary.
We encourage all software vendors and developers to read about how Microsoft identifies malware and unwanted software. We encourage all software vendors and developers to read about [how Microsoft identifies malware and Potentially Unwanted Applications (PUA)](criteria.md).
## Why is Microsoft asking for a copy of my program? ## Why is Microsoft asking for a copy of my program?
@ -47,4 +47,4 @@ This is not related to Microsoft Defender Antivirus and other Microsoft antimalw
## Why does the Windows Defender SmartScreen say my program is not commonly downloaded? ## Why does the Windows Defender SmartScreen say my program is not commonly downloaded?
This is not related to Microsoft Defender Antivirus and other Microsoft antimalware. You can find out more from the SmartScreen website. This is not related to Microsoft Defender Antivirus and other Microsoft antimalware. You can find out more from the [SmartScreen website.](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)
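Review bot: the trailing period is inside the link text in "[SmartScreen website.](https://docs.microsoft.com/...)"; move it outside the brackets so the punctuation is not part of the link, as in "[SmartScreen website](...)."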

View File

@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: denisebmsft author: denisebmsft
ms.author: deniseb ms.author: deniseb
ms.custom: nextgen ms.custom: nextgen
ms.date: 06/25/2020 ms.date: 07/08/2020
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
--- ---
@ -47,13 +47,15 @@ See [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defend
After you've enabled the service, you may need to configure your network or firewall to allow connections between it and your endpoints. After you've enabled the service, you may need to configure your network or firewall to allow connections between it and your endpoints.
Because your protection is a cloud service, computers must have access to the internet and reach the ATP machine learning services. Do not exclude the URL `*.blob.core.windows.net` from any kind of network inspection. The table below lists the services and their associated URLs. Make sure that there are no firewall or network filtering rules denying access to these URLs, or you may need to create an allow rule specifically for them (excluding the URL `*.blob.core.windows.net`). Below mention URLs are using port 443 for communication. Because your protection is a cloud service, computers must have access to the internet and reach the ATP machine learning services. Do not exclude the URL `*.blob.core.windows.net` from any kind of network inspection.
The table below lists the services and their associated URLs. Make sure that there are no firewall or network filtering rules denying access to these URLs, or you may need to create an allow rule specifically for them (excluding the URL `*.blob.core.windows.net`). Below mention URLs are using port 443 for communication.
| **Service**| **Description** |**URL** | | **Service**| **Description** |**URL** |
| :--: | :-- | :-- | | :--: | :-- | :-- |
| Microsoft Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)|Used by Microsoft Defender Antivirus to provide cloud-delivered protection|`*.wdcp.microsoft.com` <br/> `*.wdcpalt.microsoft.com` <br/> `*.wd.microsoft.com`| | Microsoft Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)|Used by Microsoft Defender Antivirus to provide cloud-delivered protection|`*.wdcp.microsoft.com` <br/> `*.wdcpalt.microsoft.com` <br/> `*.wd.microsoft.com`|
| Microsoft Update Service (MU) <br/> Windows Update Service (WU)| Security intelligence and product updates |`*.update.microsoft.com` <br/> `*.delivery.mp.microsoft.com`<br/> `*.windowsupdate.com` <br/> for details see [Connection endpoints for Windows Update](https://docs.microsoft.com/windows/privacy/manage-windows-1709-endpoints#windows-update)| | Microsoft Update Service (MU) <br/> Windows Update Service (WU)| Security intelligence and product updates |`*.update.microsoft.com` <br/> `*.delivery.mp.microsoft.com`<br/> `*.windowsupdate.com` <br/><br/> For details see [Connection endpoints for Windows Update](https://docs.microsoft.com/windows/privacy/manage-windows-1709-endpoints#windows-update)|
|Security intelligence updates Alternate Download Location (ADL)| Alternate location for Microsoft Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)| `*.download.microsoft.com` </br> `*.download.windowsupdate.com`</br> `https://fe3cr.delivery.mp.microsoft.com/ClientWebService/client.asmx`| |Security intelligence updates Alternate Download Location (ADL)| Alternate location for Microsoft Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)| `*.download.microsoft.com` </br> `*.download.windowsupdate.com`</br> `https://fe3cr.delivery.mp.microsoft.com/ClientWebService/client.asmx`|
| Malware submission storage|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission | `ussus1eastprod.blob.core.windows.net` <br/> `ussus1westprod.blob.core.windows.net` <br/> `usseu1northprod.blob.core.windows.net` <br/> `usseu1westprod.blob.core.windows.net` <br/> `ussuk1southprod.blob.core.windows.net` <br/> `ussuk1westprod.blob.core.windows.net` <br/> `ussas1eastprod.blob.core.windows.net` <br/> `ussas1southeastprod.blob.core.windows.net` <br/> `ussau1eastprod.blob.core.windows.net` <br/> `ussau1southeastprod.blob.core.windows.net` | | Malware submission storage|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission | `ussus1eastprod.blob.core.windows.net` <br/> `ussus1westprod.blob.core.windows.net` <br/> `usseu1northprod.blob.core.windows.net` <br/> `usseu1westprod.blob.core.windows.net` <br/> `ussuk1southprod.blob.core.windows.net` <br/> `ussuk1westprod.blob.core.windows.net` <br/> `ussas1eastprod.blob.core.windows.net` <br/> `ussas1southeastprod.blob.core.windows.net` <br/> `ussau1eastprod.blob.core.windows.net` <br/> `ussau1southeastprod.blob.core.windows.net` |
| Certificate Revocation List (CRL)|Used by Windows when creating the SSL connection to MAPS for updating the CRL | `https://www.microsoft.com/pkiops/crl/` <br/> `https://www.microsoft.com/pkiops/certs` <br/> `https://crl.microsoft.com/pki/crl/products` <br/> `https://www.microsoft.com/pki/certs` | | Certificate Revocation List (CRL)|Used by Windows when creating the SSL connection to MAPS for updating the CRL | `https://www.microsoft.com/pkiops/crl/` <br/> `https://www.microsoft.com/pkiops/certs` <br/> `https://crl.microsoft.com/pki/crl/products` <br/> `https://www.microsoft.com/pki/certs` |
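Review bot: the second paragraph is now ambiguous about `*.blob.core.windows.net`. The first paragraph says not to exclude it from network inspection, but "create an allow rule specifically for them (excluding the URL `*.blob.core.windows.net`)" reads as if the blob endpoints should be left out of the allow rule, even though the Malware submission storage row below lists ten `*.blob.core.windows.net` hosts that must be reachable. Suggest something like "create an allow rule for them; `*.blob.core.windows.net` must still be allowed but must not be excluded from inspection." The sentence "Below mention URLs are using port 443 for communication" should also read "The URLs listed below use port 443."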

Binary file not shown.


View File

@ -58,6 +58,28 @@ All our updates contain:
* serviceability improvements * serviceability improvements
* integration improvements (Cloud, MTP) * integration improvements (Cloud, MTP)
<br/> <br/>
<details>
<summary> June-2020 (Platform: 4.18.2006.10 | Engine: 1.1.17200.2)</summary>
&ensp;Security intelligence update version: **1.319.20.0**
&ensp;Released: **June 22, 2020**
&ensp;Platform: **4.18.2006.10**
&ensp;Engine: **1.1.17200.2**
&ensp;Support phase: **Security and Critical Updates**
### What's new
* Possibility to specify the [location of the support logs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data)
* Skipping aggressive catchup scan in Passive mode.
* Allow Defender to update on metered connections
* Fixed performance tuning when caching is disabled
* Fixed registry query
* Fixed scantime randomization in ADMX
### Known Issues
No known issues
<br/>
</details>
<details> <details>
<summary> May-2020 (Platform: 4.18.2005.4 | Engine: 1.1.17100.2)</summary> <summary> May-2020 (Platform: 4.18.2005.4 | Engine: 1.1.17100.2)</summary>
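Review bot: several of the June-2020 "What's new" items are too terse to act on: "Fixed registry query", "Fixed performance tuning when caching is disabled" and "Fixed scantime randomization in ADMX" do not say which query, setting or ADMX policy was affected, so an administrator cannot tell whether a behaviour they observed on 4.18.2005.4 is addressed by 4.18.2006.10. Please add a clause to each saying what was wrong before, and make the list punctuation consistent (some items end with a period, others do not); "Possibility to specify" should read "Ability to specify".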

View File

@ -102,19 +102,21 @@ See [Netsh Command Syntax, Contexts, and Formatting](https://docs.microsoft.com/
## Enable access to Microsoft Defender ATP service URLs in the proxy server ## Enable access to Microsoft Defender ATP service URLs in the proxy server
If a proxy or firewall is blocking all traffic by default and allowing only specific domains through, add the domains listed below to the allowed domains list. If a proxy or firewall is blocking all traffic by default and allowing only specific domains through, add the domains listed in the downloadable sheet to the allowed domains list.
|**Item**|**Description**|
|:-----|:-----|
|[![Thumb image for Microsoft Defender ATP URLs spreadsheet](images/mdatp-urls.png)](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx)<br/> [Spreadsheet](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx) | The spreadsheet provides specific DNS records for service locations, geographic locations, and OS.
If a proxy or firewall has HTTPS scanning (SSL inspection) enabled, exclude the domains listed below from HTTPS scanning. If a proxy or firewall has HTTPS scanning (SSL inspection) enabled, exclude the domains listed below from HTTPS scanning.
> [!NOTE] > [!NOTE]
> settings-win.data.microsoft.com is only needed if you have Windows 10 devices running version 1803 or earlier.<br> > settings-win.data.microsoft.com is only needed if you have Windows 10 devices running version 1803 or earlier.<br>
> URLs that include v20 in them are only needed if you have Windows 10 devices running version 1803 or later. For example, ```us-v20.events.data.microsoft.com``` is needed for a Windows 10 device running version 1803 or later and onboarded to US Data Storage region. > URLs that include v20 in them are only needed if you have Windows 10 devices running version 1803 or later. For example, ```us-v20.events.data.microsoft.com``` is needed for a Windows 10 device running version 1803 or later and onboarded to US Data Storage region.
Service location | Microsoft.com DNS record
-|-
Common URLs for all locations | ```crl.microsoft.com/pki/crl/*```<br> ```ctldl.windowsupdate.com``` <br>```www.microsoft.com/pkiops/*```<br>```events.data.microsoft.com```<br>```notify.windows.com```<br> ```settings-win.data.microsoft.com```
European Union | ```eu.vortex-win.data.microsoft.com``` <br> ```eu-v20.events.data.microsoft.com``` <br> ```usseu1northprod.blob.core.windows.net``` <br>```usseu1westprod.blob.core.windows.net``` <br> ```winatp-gw-neu.microsoft.com``` <br> ```winatp-gw-weu.microsoft.com``` <br>```wseu1northprod.blob.core.windows.net``` <br>```wseu1westprod.blob.core.windows.net``` <br>```automatedirstrprdweu.blob.core.windows.net``` <br>```automatedirstrprdneu.blob.core.windows.net```
United Kingdom | ```uk.vortex-win.data.microsoft.com``` <br>```uk-v20.events.data.microsoft.com``` <br>```ussuk1southprod.blob.core.windows.net``` <br>```ussuk1westprod.blob.core.windows.net``` <br>```winatp-gw-uks.microsoft.com``` <br>```winatp-gw-ukw.microsoft.com``` <br>```wsuk1southprod.blob.core.windows.net``` <br>```wsuk1westprod.blob.core.windows.net``` <br>```automatedirstrprduks.blob.core.windows.net``` <br>```automatedirstrprdukw.blob.core.windows.net```
United States | ```us.vortex-win.data.microsoft.com``` <br> ```ussus1eastprod.blob.core.windows.net``` <br> ```ussus1westprod.blob.core.windows.net``` <br> ```ussus2eastprod.blob.core.windows.net``` <br> ```ussus2westprod.blob.core.windows.net``` <br> ```ussus3eastprod.blob.core.windows.net``` <br> ```ussus3westprod.blob.core.windows.net``` <br> ```ussus4eastprod.blob.core.windows.net``` <br> ```ussus4westprod.blob.core.windows.net``` <br> ```us-v20.events.data.microsoft.com``` <br> ```winatp-gw-cus.microsoft.com``` <br> ```winatp-gw-eus.microsoft.com``` <br> ```wsus1eastprod.blob.core.windows.net``` <br> ```wsus1westprod.blob.core.windows.net``` <br> ```wsus2eastprod.blob.core.windows.net``` <br> ```wsus2westprod.blob.core.windows.net``` <br> ```automatedirstrprdcus.blob.core.windows.net``` <br> ```automatedirstrprdeus.blob.core.windows.net```
> [!NOTE] > [!NOTE]
> If you are using Microsoft Defender Antivirus in your environment, please refer to the following article for details on allowing connections to the Microsoft Defender Antivirus cloud service: https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus > If you are using Microsoft Defender Antivirus in your environment, please refer to the following article for details on allowing connections to the Microsoft Defender Antivirus cloud service: https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus
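Review bot: removing the in-page Service location table leaves dangling references. The unchanged sentence "exclude the domains listed below from HTTPS scanning" and the note about `settings-win.data.microsoft.com` and the `v20` URLs both still point at a list that is no longer on the page; either reword them to refer to the spreadsheet or keep a minimal in-page table. Also worth flagging: moving firewall and SSL-inspection allow lists into an `.xlsx` fetched from a raw GitHub branch URL makes the list harder to review, diff and pin to a version than the previous Markdown table was, so consider stating the spreadsheet's version or date in the table row.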

View File

@ -0,0 +1,104 @@
---
title: Get all vulnerabilities by Machine and Software
description: Retrieves a list of all the vulnerabilities affecting the organization by Machine and Software
keywords: apis, graph api, supported apis, get, vulnerability information, mdatp tvm api
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dolmont
author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# List vulnerabilities by Machine and Software
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Retrieves a list of all the vulnerabilities affecting the organization per [Machine](machine.md) and [Software](software.md).
<br>If the vulnerability has a fixing KB, it will appear in the response.
<br>Supports [OData V4 queries](https://www.odata.org/documentation/).
<br>The OData ```$filter``` is supported on all properties.
>[!Tip]
>This is great API for [Power BI integration](api-power-bi.md).
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
Permission type | Permission | Permission display name
:---|:---|:---
Application | Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'
## HTTP request
```
GET /api/vulnerabilities/machinesVulnerabilities
```
## Request headers
Name | Type | Description
:---|:---|:---
Authorization | String | Bearer {token}. **Required**.
## Request body
Empty
## Response
If successful, this method returns 200 OK with the list of vulnerabilities in the body.
## Example
**Request**
Here is an example of the request.
```
GET https://api.securitycenter.windows.com/api/vulnerabilities/machinesVulnerabilities
```
**Response**
Here is an example of the response.
```json
{
"@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Collection(microsoft.windowsDefenderATP.api.PublicAssetVulnerabilityDto)",
"value": [
{
"id": "5afa3afc92a7c63d4b70129e0a6f33f63a427e21-_-CVE-2020-6494-_-microsoft-_-edge_chromium-based-_-81.0.416.77-_-",
"cveId": "CVE-2020-6494",
"machineId": "5afa3afc92a7c63d4b70129e0a6f33f63a427e21",
"fixingKbId": null,
"productName": "edge_chromium-based",
"productVendor": "microsoft",
"productVersion": "81.0.416.77",
"severity": "Low"
},
{
"id": "7a704e17d1c2977c0e7b665fb18ae6e1fe7f3283-_-CVE-2016-3348-_-microsoft-_-windows_server_2012_r2-_-6.3.9600.19728-_-3185911",
"cveId": "CVE-2016-3348",
"machineId": "7a704e17d1c2977c0e7b665fb18ae6e1fe7f3283",
"fixingKbId": "3185911",
"productName": "windows_server_2012_r2",
"productVendor": "microsoft",
"productVersion": "6.3.9600.19728",
"severity": "Low"
},
...
]
}
```
## Related topics
- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
- [Vulnerabilities in your organization](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)
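Review bot: the Response section says the call returns "the list of vulnerabilities", but the example shows `PublicAssetVulnerabilityDto` entries keyed by `machineId` plus `cveId`, so the same CVE appears once per affected machine; please state that each item is a machine/vulnerability pair and that `fixingKbId` is `null` when no fixing KB exists (as in the first item). Minor wording: "This is great API" should read "This is a great API", and "To learn more, including how to choose permissions, see ... for details" repeats itself.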

Binary file not shown.


Binary file not shown.


Binary file not shown.


Binary file not shown.


Binary file not shown.


View File

@ -86,10 +86,10 @@ The following table lists commands for some of the most common scenarios. Run `m
|Configuration |Turn on/off product diagnostics |`mdatp config cloud-diagnostic --value [enabled|disabled]` | |Configuration |Turn on/off product diagnostics |`mdatp config cloud-diagnostic --value [enabled|disabled]` |
|Configuration |Turn on/off automatic sample submission |`mdatp config cloud-automatic-sample-submission [enabled|disabled]` | |Configuration |Turn on/off automatic sample submission |`mdatp config cloud-automatic-sample-submission [enabled|disabled]` |
|Configuration |Turn on/off AV passive mode |`mdatp config passive-mode [enabled|disabled]` | |Configuration |Turn on/off AV passive mode |`mdatp config passive-mode [enabled|disabled]` |
|Configuration |Add/remove an antivirus exclusion for a file extension |`mdatp exclusion extension [add|remove] --name <extension>` | |Configuration |Add/remove an antivirus exclusion for a file extension |`mdatp exclusion extension [add|remove] --name [extension]` |
|Configuration |Add/remove an antivirus exclusion for a file |`mdatp exclusion file [add|remove] --path <path-to-file>` | |Configuration |Add/remove an antivirus exclusion for a file |`mdatp exclusion file [add|remove] --path [path-to-file]` |
|Configuration |Add/remove an antivirus exclusion for a directory |`mdatp exclusion folder [add|remove] --path <path-to-directory>` | |Configuration |Add/remove an antivirus exclusion for a directory |`mdatp exclusion folder [add|remove] --path [path-to-directory]` |
|Configuration |Add/remove an antivirus exclusion for a process |`mdatp exclusion process [add|remove] --path <path-to-process>`<br/>`mdatp exclusion process [add|remove] --name <process-name>` | |Configuration |Add/remove an antivirus exclusion for a process |`mdatp exclusion process [add|remove] --path [path-to-process]`<br/>`mdatp exclusion process [add|remove] --name [process-name]` |
|Configuration |List all antivirus exclusions |`mdatp exclusion list` | |Configuration |List all antivirus exclusions |`mdatp exclusion list` |
|Configuration |Turn on PUA protection |`mdatp threat policy set --type potentially_unwanted_application --action block` | |Configuration |Turn on PUA protection |`mdatp threat policy set --type potentially_unwanted_application --action block` |
|Configuration |Turn off PUA protection |`mdatp threat policy set --type potentially_unwanted_application --action off` | |Configuration |Turn off PUA protection |`mdatp threat policy set --type potentially_unwanted_application --action off` |
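Review bot: switching the user-supplied placeholders from `<extension>` to `[extension]` makes them indistinguishable from the `[add|remove]` and `[enabled|disabled]` choice lists in the same rows, so `mdatp exclusion extension [add|remove] --name [extension]` now reads as two optional alternatives. If angle brackets caused a rendering problem inside backticks, pick a convention that stays distinct from the alternatives syntax (for example uppercase `EXTENSION` or `{extension}`) and note it above the table.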
@ -103,12 +103,12 @@ The following table lists commands for some of the most common scenarios. Run `m
|Protection |Cancel an ongoing on-demand scan |`mdatp scan cancel` | |Protection |Cancel an ongoing on-demand scan |`mdatp scan cancel` |
|Protection |Request a security intelligence update |`mdatp definitions update` | |Protection |Request a security intelligence update |`mdatp definitions update` |
|Protection history |Print the full protection history |`mdatp threat list` | |Protection history |Print the full protection history |`mdatp threat list` |
|Protection history |Get threat details |`mdatp threat get --id <threat-id>` | |Protection history |Get threat details |`mdatp threat get --id [threat-id]` |
|Quarantine management |List all quarantined files |`mdatp threat quarantine list` | |Quarantine management |List all quarantined files |`mdatp threat quarantine list` |
|Quarantine management |Remove all files from the quarantine |`mdatp threat quarantine remove-all` | |Quarantine management |Remove all files from the quarantine |`mdatp threat quarantine remove-all` |
|Quarantine management |Add a file detected as a threat to the quarantine |`mdatp threat quarantine add --id <threat-id>` | |Quarantine management |Add a file detected as a threat to the quarantine |`mdatp threat quarantine add --id [threat-id]` |
|Quarantine management |Remove a file detected as a threat from the quarantine |`mdatp threat quarantine add --id <threat-id>` | |Quarantine management |Remove a file detected as a threat from the quarantine |`mdatp threat quarantine add --id [threat-id]` |
|Quarantine management |Restore a file from the quarantine |`mdatp threat quarantine add --id <threat-id>` | |Quarantine management |Restore a file from the quarantine |`mdatp threat quarantine add --id [threat-id]` |
## Microsoft Defender ATP portal information ## Microsoft Defender ATP portal information
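Review bot: the three quarantine management rows touched by this hunk all use `mdatp threat quarantine add --id [threat-id]`, including the rows described as "Remove a file detected as a threat from the quarantine" and "Restore a file from the quarantine"; the same verb cannot add, remove and restore, so this looks like a copy-paste error that should be corrected with the actual remove and restore subcommands while the lines are being edited.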

View File

@ -0,0 +1,281 @@
---
title: New configuration profiles for macOS Catalina and newer versions of macOS
description: This topic describes the changes that are must be made in order to benefit from the system extensions, which are a replacement for kernel extensions on macOS Catalina and newer versions of macOS.
keywords: microsoft, defender, atp, mac, kernel, system, extensions, catalina
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: security
ms.sitesec: library
ms.pagetype: security
ms.author: dansimp
author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ROBOTS: noindex,nofollow
---
# New configuration profiles for macOS Catalina and newer versions of macOS
In alignment with macOS evolution, we are preparing a Microsoft Defender ATP for Mac update that leverages system extensions instead of kernel extensions. This update will only be applicable to macOS Catalina (10.15.4) and newer versions of macOS.
If you have deployed Microsoft Defender ATP for Mac in a managed environment (through JAMF, Intune, or another MDM solution), you must deploy new configuration profiles. Failure to do these steps will result in users getting approval prompts to run these new components.
## JAMF
### System Extensions Policy
To approve the system extensions, create the following payload:
1. In **Computers > Configuration Profiles** select **Options > System Extensions**.
2. Select **Allowed System Extensions** from the **System Extension Types** drop-down list.
3. Use **UBF8T346G9** for Team Id.
4. Add the following bundle identifiers to the **Allowed System Extensions** list:
- **com.microsoft.wdav.epsext**
- **com.microsoft.wdav.netext**
![Approved system extensions screenshot](images/mac-approved-system-extensions.png)
### Privacy Preferences Policy Control
Add the following JAMF payload to grant Full Disk Access to the Microsoft Defender ATP Endpoint Security Extension. This policy is a pre-requisite for running the extension on your device.
1. Select **Options** > **Privacy Preferences Policy Control**.
2. Use `com.microsoft.wdav.epsext` as the **Identifier** and `Bundle ID` as **Bundle type**.
3. Set Code Requirement to `identifier "com.microsoft.wdav.epsext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9`
4. Set **App or service** to **SystemPolicyAllFiles** and access to **Allow**.
![Privacy Preferences Policy Control](images/mac-system-extension-privacy.png)
### Web Content Filtering Policy
A web content filtering policy is needed to run the network extension. Add the following web content filtering policy:
>[!NOTE]
>JAMF doesnt have built-in support for content filtering policies, which are a pre-requisite for enabling the network extensions that Microsoft Defender ATP for Mac installs on the device. Furthermore, JAMF sometimes changes the content of the policies being deployed.
>As such, the following steps provide a workaround that involve signing the web content filtering configuration profile.
1. Save the following content to your device as `com.apple.webcontent-filter.mobileconfig`
```xml
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
<dict>
<key>PayloadUUID</key>
<string>DA2CC794-488B-4AFF-89F7-6686A7E7B8AB</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadOrganization</key>
<string>Microsoft Corporation</string>
<key>PayloadIdentifier</key>
<string>DA2CC794-488B-4AFF-89F7-6686A7E7B8AB</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender ATP Content Filter</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadUUID</key>
<string>2BA070D9-2233-4827-AFC1-1F44C8C8E527</string>
<key>PayloadType</key>
<string>com.apple.webcontent-filter</string>
<key>PayloadOrganization</key>
<string>Microsoft Corporation</string>
<key>PayloadIdentifier</key>
<string>CEBF7A71-D9A1-48BD-8CCF-BD9D18EC155A</string>
<key>PayloadDisplayName</key>
<string>Approved Content Filter</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>FilterType</key>
<string>Plugin</string>
<key>UserDefinedName</key>
<string>Microsoft Defender ATP Content Filter</string>
<key>PluginBundleID</key>
<string>com.microsoft.wdav</string>
<key>FilterSockets</key>
<true/>
<key>FilterDataProviderBundleIdentifier</key>
<string>com.microsoft.wdav.netext</string>
<key>FilterDataProviderDesignatedRequirement</key>
<string>identifier &quot;com.microsoft.wdav.netext&quot; and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9</string>
</dict>
</array>
</dict>
</plist>
```
2. Verify that the above file was copied correctly. From the Terminal, run the following command and verify that it outputs `OK`:
```bash
$ plutil -lint com.apple.webcontent-filter.mobileconfig
com.apple.webcontent-filter.mobileconfig: OK
```
3. Follow the instructions on [this page](https://www.jamf.com/jamf-nation/articles/649/creating-a-signing-certificate-using-jamf-pro-s-built-in-certificate-authority) to create a signing certificate using JAMFs built-in certificate authority
4. After the certificate is created and installed to your device, run the following command from the Terminal:
```bash
$ security cms -S -N "<certificate name>" -i com.apple.webcontent-filter.mobileconfig -o com.apple.webcontent-filter.signed.mobileconfig
```
5. From the JAMF portal, navigate to **Configuration Profiles** and click the **Upload** button. Select `com.apple.webcontent-filter.signed.mobileconfig` when prompted for the file.
## Intune
### System Extensions Policy
To approve the system extensions:
1. In Intune, open **Manage** > **Device configuration**. Select **Manage** > **Profiles** > **Create Profile**.
2. Choose a name for the profile. Change **Platform=macOS** to **Profile type=Extensions**. Select **Create**.
3. In the `Basics` tab, give a name to this new profile.
4. In the `Configuration settings` tab, add the following entries in the `Allowed system extensions` section:
Bundle identifier | Team identifier
--------------------------|----------------
com.microsoft.wdav.epsext | UBF8T346G9
com.microsoft.wdav.netext | UBF8T346G9
![System configuration profiles screenshot](images/mac-system-extension-intune2.png)
5. In the `Assignments` tab, assign this profile to **All Users & All devices**.
6. Review and create this configuration profile.
### Create and deploy the Custom Configuration Profile
The following configuration profile enables the web content filter and grants Full Disk Access to the Endpoint Security system extension.
Save the following content to a file named **sysext.xml**:
```xml
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
<dict>
<key>PayloadUUID</key>
<string>7E53AC50-B88D-4132-99B6-29F7974EAA3C</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadOrganization</key>
<string>Microsoft Corporation</string>
<key>PayloadIdentifier</key>
<string>7E53AC50-B88D-4132-99B6-29F7974EAA3C</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender ATP System Extensions</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadUUID</key>
<string>2BA070D9-2233-4827-AFC1-1F44C8C8E527</string>
<key>PayloadType</key>
<string>com.apple.webcontent-filter</string>
<key>PayloadOrganization</key>
<string>Microsoft Corporation</string>
<key>PayloadIdentifier</key>
<string>CEBF7A71-D9A1-48BD-8CCF-BD9D18EC155A</string>
<key>PayloadDisplayName</key>
<string>Approved Content Filter</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>FilterType</key>
<string>Plugin</string>
<key>UserDefinedName</key>
<string>Microsoft Defender ATP Content Filter</string>
<key>PluginBundleID</key>
<string>com.microsoft.wdav</string>
<key>FilterSockets</key>
<true/>
<key>FilterDataProviderBundleIdentifier</key>
<string>com.microsoft.wdav.netext</string>
<key>FilterDataProviderDesignatedRequirement</key>
<string>identifier &quot;com.microsoft.wdav.netext&quot; and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9</string>
</dict>
<dict>
<key>PayloadUUID</key>
<string>56105E89-C7C8-4A95-AEE6-E11B8BEA0366</string>
<key>PayloadType</key>
<string>com.apple.TCC.configuration-profile-policy</string>
<key>PayloadOrganization</key>
<string>Microsoft Corporation</string>
<key>PayloadIdentifier</key>
<string>56105E89-C7C8-4A95-AEE6-E11B8BEA0366</string>
<key>PayloadDisplayName</key>
<string>Privacy Preferences Policy Control</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>Services</key>
<dict>
<key>SystemPolicyAllFiles</key>
<array>
<dict>
<key>Identifier</key>
<string>com.microsoft.wdav.epsext</string>
<key>CodeRequirement</key>
<string>identifier "com.microsoft.wdav.epsext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9</string>
<key>IdentifierType</key>
<string>bundleID</string>
<key>StaticCode</key>
<integer>0</integer>
<key>Allowed</key>
<integer>1</integer>
</dict>
</array>
</dict>
</dict>
</array>
</dict>
</plist>
```
Verify that the above file was copied correctly. From the Terminal, run the following command and verify that it outputs `OK`:
```bash
$ plutil -lint sysext.xml
sysext.xml: OK
```
To deploy this custom configuration profile:
1. In Intune, open **Manage** > **Device configuration**. Select **Manage** > **Profiles** > **Create profile**.
2. Choose a name for the profile. Change **Platform=macOS** and **Profile type=Custom**. Select **Configure**.
3. Open the configuration profile and upload **sysext.xml**. This file was created in the preceding step.
4. Select **OK**.
![System extension in Intune screenshot](images/mac-system-extension-intune.png)
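Review bot: In the Intune "System Extensions Policy" steps, step 2 reads "Change **Platform=macOS** to **Profile type=Extensions**", which says the platform is changed into a profile type; the parallel step under "Create and deploy the Custom Configuration Profile" uses "Change **Platform=macOS** and **Profile type=Custom**", so align the wording there (and "Create Profile" vs "Create profile"). Steps 2 and 3 both ask the reader to name the profile; one of them should go. In the JAMF content filter profile the `FilterDataProviderDesignatedRequirement` wraps the identifier in `&quot;` while the TCC `CodeRequirement` in sysext.xml uses literal `"`; both decode to the same plist string, but using one form in both files makes the two profiles easier to compare. Also worth stating for the reader: `plutil -lint` validates plist syntax only, so a typo in the bundle identifier or team ID (`UBF8T346G9`) inside those requirement strings still prints `OK` while the approval would not match the extension; suggest a sentence asking readers to check those strings against the values in the "Allowed system extensions" table above.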

View File

@ -26,6 +26,10 @@ ms.topic: conceptual
> >
> If you have previously allowed the kernel extension as part of your remote deployment, that warning should not be presented to the end user. If you have not previously deployed a policy to allow the kernel extension, your users will be presented with the warning. To proactively silence the warning, you can still deploy a configuration to allow the kernel extension. Refer to the instructions in the [JAMF-based deployment](mac-install-with-jamf.md#approved-kernel-extension) and [Microsoft Intune-based deployment](mac-install-with-intune.md#create-system-configuration-profiles) topics. > If you have previously allowed the kernel extension as part of your remote deployment, that warning should not be presented to the end user. If you have not previously deployed a policy to allow the kernel extension, your users will be presented with the warning. To proactively silence the warning, you can still deploy a configuration to allow the kernel extension. Refer to the instructions in the [JAMF-based deployment](mac-install-with-jamf.md#approved-kernel-extension) and [Microsoft Intune-based deployment](mac-install-with-intune.md#create-system-configuration-profiles) topics.
## 101.03.12
- Performance improvements & bug fixes
## 101.01.54 ## 101.01.54
- Improvements around compatibility with Time Machine - Improvements around compatibility with Time Machine
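Review bot: The new 101.03.12 entry says only "Performance improvements & bug fixes"; for a security agent the release note should name at least the fixes that affect detection, the system extension or the kernel extension behaviour discussed above, so administrators can decide whether to prioritise the update. Use "and" rather than "&" to match the other entries in this file.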

View File

@ -136,4 +136,4 @@ Integrate Microsoft Defender Advanced Threat Protection into your existing workf
## Related topic ## Related topic
[Microsoft Defender ATP helps detect sophisticated threats](https://www.microsoft.com/itshowcase/Article/Content/854/Windows-Defender-ATP-helps-detect-sophisticated-threats) [Microsoft Defender ATP helps detect sophisticated threats](https://www.microsoft.com/en-us/itshowcase/microsoft-defender-atps-antivirus-capabilities-boost-malware-protection)
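Review bot: The link text "Microsoft Defender ATP helps detect sophisticated threats" no longer matches the new target, whose slug is "microsoft-defender-atps-antivirus-capabilities-boost-malware-protection"; either update the link text to the title of the article now linked, or confirm the old showcase article was folded into the new one. The new URL also hard-codes the `en-us` locale, which the other links in this commit omit.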

View File

@ -27,7 +27,7 @@ ms.topic: conceptual
> >
> As with any pre-release solution, remember to exercise caution when determining the target population for your deployments. > As with any pre-release solution, remember to exercise caution when determining the target population for your deployments.
> >
> If you have preview features turned on in the Microsoft Defender Security Center, you should be able to access the Linux onboarding page immediately. If you have not yet opted into previews, we encourage you to [turn on preview features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/preview) in the Microsoft Defender Security Center today. > If you have preview features turned on in the Microsoft Defender Security Center, you should be able to access the Android onboarding page immediately. If you have not yet opted into previews, we encourage you to [turn on preview features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/preview) in the Microsoft Defender Security Center today.
This topic describes how to install, configure, update, and use Microsoft Defender ATP for Android. This topic describes how to install, configure, update, and use Microsoft Defender ATP for Android.

View File

@ -89,14 +89,15 @@ After you've enabled the service, you may need to configure your network or fire
### Network connections ### Network connections
The following table lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs. If there are, you may need to create an *allow* rule specifically for them. The following downloadable spreadsheet lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs. If there are, you may need to create an *allow* rule specifically for them.
|**Item**|**Description**|
|:-----|:-----|
|[![Thumb image for Microsoft Defender ATP URLs spreadsheet](images/mdatp-urls.png)](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx)<br/> [Spreadsheet](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx) | The spreadsheet provides specific DNS records for service locations, geographic locations, and OS.
| Service location | DNS record |
| ---------------------------------------- | ----------------------- |
| Common URLs for all locations | x.cp.wd.microsoft.com <br/> cdn.x.cp.wd.microsoft.com <br/> eu-cdn.x.cp.wd.microsoft.com <br/> wu-cdn.x.cp.wd.microsoft.com <br/> officecdn-microsoft-com.akamaized.net <br/> crl.microsoft.com <br/> events.data.microsoft.com |
| European Union | europe.x.cp.wd.microsoft.com <br/> eu-v20.events.data.microsoft.com <br/> usseu1northprod.blob.core.windows.net <br/> usseu1westprod.blob.core.windows.net |
| United Kingdom | unitedkingdom.x.cp.wd.microsoft.com <br/> uk-v20.events.data.microsoft.com <br/> ussuk1southprod.blob.core.windows.net <br/> ussuk1westprod.blob.core.windows.net |
| United States | unitedstates.x.cp.wd.microsoft.com <br/> us-v20.events.data.microsoft.com <br/> ussus1eastprod.blob.core.windows.net <br/> ussus1westprod.blob.core.windows.net |
> [!NOTE] > [!NOTE]
> For a more specific URL list, see [Configure proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server). > For a more specific URL list, see [Configure proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server).
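Review bot: Replacing the inline table with the spreadsheet leaves this page without a single hostname, and the spreadsheet is served from `https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/...`, a download that is often blocked by the very proxy an administrator is configuring with this page; consider keeping a short inline list of the common endpoints from the removed table (`x.cp.wd.microsoft.com`, `events.data.microsoft.com`, `crl.microsoft.com`) or hosting the file on docs.microsoft.com. The NOTE that follows still promises "a more specific URL list" on the proxy configuration page, so check that that page keeps an inline list after this merge.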

View File

@ -69,14 +69,15 @@ After you've enabled the service, you may need to configure your network or fire
### Network connections ### Network connections
The following table lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an *allow* rule specifically for them. The following downloadable spreadsheet lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an *allow* rule specifically for them.
|**Item**|**Description**|
|:-----|:-----|
|[![Thumb image for Microsoft Defender ATP URLs spreadsheet](images/mdatp-urls.png)](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx)<br/> [Spreadsheet](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx) | The spreadsheet provides specific DNS records for service locations, geographic locations, and OS.
| Service location | DNS record |
| ---------------------------------------- | ----------------------- |
| Common URLs for all locations | x.cp.wd.microsoft.com <br/> cdn.x.cp.wd.microsoft.com <br/> eu-cdn.x.cp.wd.microsoft.com <br/> wu-cdn.x.cp.wd.microsoft.com <br/> officecdn-microsoft-com.akamaized.net <br/> crl.microsoft.com <br/> events.data.microsoft.com |
| European Union | europe.x.cp.wd.microsoft.com <br/> eu-v20.events.data.microsoft.com <br/> usseu1northprod.blob.core.windows.net <br/> usseu1westprod.blob.core.windows.net <br/> winatp-gw-weu.microsoft.com <br/> winatp-gw-neu.microsoft.com |
| United Kingdom | unitedkingdom.x.cp.wd.microsoft.com <br/> uk-v20.events.data.microsoft.com <br/> ussuk1southprod.blob.core.windows.net <br/> ussuk1westprod.blob.core.windows.net <br/> winatp-gw-ukw.microsoft.com <br/> winatp-gw-uks.microsoft.com |
| United States | unitedstates.x.cp.wd.microsoft.com <br/> us-v20.events.data.microsoft.com <br/> ussus1eastprod.blob.core.windows.net <br/> ussus1westprod.blob.core.windows.net <br/> winatp-gw-cus.microsoft.com <br/> winatp-gw-eus.microsoft.com |
Microsoft Defender ATP can discover a proxy server by using the following discovery methods: Microsoft Defender ATP can discover a proxy server by using the following discovery methods:
- Proxy auto-config (PAC) - Proxy auto-config (PAC)
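Review bot: The table removed here carried the `winatp-gw-*.microsoft.com` gateway hosts that the other prerequisites page's table lacked, which is exactly the drift a single spreadsheet fixes, but the spreadsheet is a binary download from a raw GitHub URL and its contents are not reviewable in this commit; before merging, confirm that it contains every host from the removed table, including the regional `winatp-gw-*` entries, so that the allow rules readers build from it are not narrower than before.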

View File

@ -43,6 +43,9 @@ Microsoft Defender Advanced Threat Protection requires one of the following Micr
> [!NOTE] > [!NOTE]
> Eligible Licensed Users may use Microsoft Defender Advanced Threat Protection on up to five concurrent devices. > Eligible Licensed Users may use Microsoft Defender Advanced Threat Protection on up to five concurrent devices.
Microsoft Defender Advanced Threat Protection is also available for purchase from a Cloud Solution Provider (CSP).
Microsoft Defender Advanced Threat Protection, on Windows Server, requires one of the following licensing options: Microsoft Defender Advanced Threat Protection, on Windows Server, requires one of the following licensing options:
- [Azure Security Center Standard plan](https://docs.microsoft.com/azure/security-center/security-center-pricing) (per node) - [Azure Security Center Standard plan](https://docs.microsoft.com/azure/security-center/security-center-pricing) (per node)
@ -89,7 +92,7 @@ Access to Microsoft Defender ATP is done through a browser, supporting the follo
Devices on your network must be running one of these editions. Devices on your network must be running one of these editions.
The hardware requirements for Microsoft Defender ATP on devices is the same as those for the supported editions. The hardware requirements for Microsoft Defender ATP on devices are the same for the supported editions.
> [!NOTE] > [!NOTE]
> Machines running mobile versions of Windows are not supported. > Machines running mobile versions of Windows are not supported.
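Review bot: The rewrite "are the same for the supported editions" changes the meaning: the original said Defender ATP's hardware requirements equal those of the supported Windows editions, whereas the new sentence reads as "identical across all supported editions". Suggest "The hardware requirements for Microsoft Defender ATP on devices are the same as those for the supported editions."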
@ -122,8 +125,8 @@ When you run the onboarding wizard for the first time, you must choose where you
> [!NOTE] > [!NOTE]
> Microsoft Defender ATP doesn't require any specific diagnostic level as long as it's enabled. > Microsoft Defender ATP doesn't require any specific diagnostic level as long as it's enabled.
You must ensure that the diagnostic data service is enabled on all the devices in your organization. Make sure that the diagnostic data service is enabled on all the devices in your organization.
By default, this service is enabled, but it&#39;s good practice to check to ensure that you&#39;ll get sensor data from them. By default, this service is enabled. It's good practice to check to ensure that you'll get sensor data from them.
**Use the command line to check the Windows 10 diagnostic data service startup type**: **Use the command line to check the Windows 10 diagnostic data service startup type**:
@ -143,7 +146,8 @@ By default, this service is enabled, but it&#39;s good practice to check to ensu
![Result of the sc query command for diagtrack](images/windefatp-sc-qc-diagtrack.png) ![Result of the sc query command for diagtrack](images/windefatp-sc-qc-diagtrack.png)
If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the service to automatically start.
You'll need to set the service to automatically start if the **START_TYPE** is not set to **AUTO_START**.
**Use the command line to set the Windows 10 diagnostic data service to automatically start:** **Use the command line to set the Windows 10 diagnostic data service to automatically start:**
@ -180,9 +184,11 @@ Before you onboard devices, the diagnostic data service must be enabled. The ser
## Microsoft Defender Antivirus configuration requirement ## Microsoft Defender Antivirus configuration requirement
The Microsoft Defender ATP agent depends on the ability of Microsoft Defender Antivirus to scan files and provide information about them. The Microsoft Defender ATP agent depends on the ability of Microsoft Defender Antivirus to scan files and provide information about them.
You must configure Security intelligence updates on the Microsoft Defender ATP devices whether Microsoft Defender Antivirus is the active antimalware or not. For more information, see [Manage Microsoft Defender Antivirus updates and apply baselines](../microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md). Configure Security intelligence updates on the Microsoft Defender ATP devices whether Microsoft Defender Antivirus is the active antimalware or not. For more information, see [Manage Microsoft Defender Antivirus updates and apply baselines](../microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md).
When Microsoft Defender Antivirus is not the active antimalware in your organization and you use the Microsoft Defender ATP service, Microsoft Defender Antivirus goes on passive mode. If your organization has disabled Microsoft Defender Antivirus through group policy or other methods, devices that are onboarded to Microsoft Defender ATP must be excluded from this group policy. When Microsoft Defender Antivirus is not the active antimalware in your organization and you use the Microsoft Defender ATP service, Microsoft Defender Antivirus goes on passive mode.
If your organization has turned off Microsoft Defender Antivirus through group policy or other methods, devices that are onboarded must be excluded from this group policy.
If you are onboarding servers and Microsoft Defender Antivirus is not the active antimalware on your servers, you shouldn't uninstall Microsoft Defender Antivirus. You'll need to configure it to run on passive mode. For more information, see [Onboard servers](configure-server-endpoints.md). If you are onboarding servers and Microsoft Defender Antivirus is not the active antimalware on your servers, you shouldn't uninstall Microsoft Defender Antivirus. You'll need to configure it to run on passive mode. For more information, see [Onboard servers](configure-server-endpoints.md).
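Review bot: "goes on passive mode" should be "goes into passive mode"; the error is kept on both sides of the hunk. The split sentence "devices that are onboarded must be excluded from this group policy" dropped "to Microsoft Defender ATP", and since the paragraph talks about both the service and the antivirus, "onboarded" alone is ambiguous; keep the qualifier. It would also help readers to spell out why the exclusion matters, which the first sentence of the section already implies: with the antivirus turned off by policy, the agent loses the file scan data it depends on.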

View File

@ -32,9 +32,6 @@ ms.topic: article
Microsoft Defender ATP extends support to include down-level operating systems, providing advanced attack detection and investigation capabilities on supported Windows versions. Microsoft Defender ATP extends support to include down-level operating systems, providing advanced attack detection and investigation capabilities on supported Windows versions.
> [!IMPORTANT]
> This capability is currently in preview. You'll need to turn on the preview features to take advantage of this feature. For more information, see [Preview features](preview.md).
To onboard down-level Windows client endpoints to Microsoft Defender ATP, you'll need to: To onboard down-level Windows client endpoints to Microsoft Defender ATP, you'll need to:
- Configure and update System Center Endpoint Protection clients. - Configure and update System Center Endpoint Protection clients.
- Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Microsoft Defender ATP as instructed below. - Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Microsoft Defender ATP as instructed below.

View File

@ -229,15 +229,14 @@ URLs that include v20 in them are only needed if you have Windows 10, version
1803 or later devices. For example, ```us-v20.events.data.microsoft.com``` is only 1803 or later devices. For example, ```us-v20.events.data.microsoft.com``` is only
needed if the device is on Windows 10, version 1803 or later. needed if the device is on Windows 10, version 1803 or later.
Service location | Microsoft.com DNS record
-|- If a proxy or firewall is blocking anonymous traffic, as Microsoft Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the listed URLs.
Common URLs for all locations | ```crl.microsoft.com/pki/crl/*```<br> ```ctldl.windowsupdate.com``` <br>```www.microsoft.com/pkiops/*```<br>```events.data.microsoft.com```<br>```notify.windows.com```<br> ```settings-win.data.microsoft.com```
European Union | ```eu.vortex-win.data.microsoft.com``` <br> ```eu-v20.events.data.microsoft.com``` <br> ```usseu1northprod.blob.core.windows.net``` <br>```usseu1westprod.blob.core.windows.net``` <br> ```winatp-gw-neu.microsoft.com``` <br> ```winatp-gw-weu.microsoft.com``` <br>```wseu1northprod.blob.core.windows.net``` <br>```wseu1westprod.blob.core.windows.net``` <br>```automatedirstrprdweu.blob.core.windows.net``` <br>```automatedirstrprdneu.blob.core.windows.net```
United Kingdom | ```uk.vortex-win.data.microsoft.com``` <br>```uk-v20.events.data.microsoft.com``` <br>```ussuk1southprod.blob.core.windows.net``` <br>```ussuk1westprod.blob.core.windows.net``` <br>```winatp-gw-uks.microsoft.com``` <br>```winatp-gw-ukw.microsoft.com``` <br>```wsuk1southprod.blob.core.windows.net``` <br>```wsuk1westprod.blob.core.windows.net``` <br>```automatedirstrprduks.blob.core.windows.net``` <br>```automatedirstrprdukw.blob.core.windows.net```
United States | ```us.vortex-win.data.microsoft.com``` <br> ```ussus1eastprod.blob.core.windows.net``` <br> ```ussus1westprod.blob.core.windows.net``` <br> ```ussus2eastprod.blob.core.windows.net``` <br> ```ussus2westprod.blob.core.windows.net``` <br> ```ussus3eastprod.blob.core.windows.net``` <br> ```ussus3westprod.blob.core.windows.net``` <br> ```ussus4eastprod.blob.core.windows.net``` <br> ```ussus4westprod.blob.core.windows.net``` <br> ```us-v20.events.data.microsoft.com``` <br> ```winatp-gw-cus.microsoft.com``` <br> ```winatp-gw-eus.microsoft.com``` <br> ```wsus1eastprod.blob.core.windows.net``` <br> ```wsus1westprod.blob.core.windows.net``` <br> ```wsus2eastprod.blob.core.windows.net``` <br> ```wsus2westprod.blob.core.windows.net``` <br> ```automatedirstrprdcus.blob.core.windows.net``` <br> ```automatedirstrprdeus.blob.core.windows.net```
If a proxy or firewall is blocking anonymous traffic, as Microsoft Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the previously listed URLs. |**Item**|**Description**|
|:-----|:-----|
|[![Thumb image for Microsoft Defender ATP URLs spreadsheet](images/mdatp-urls.png)](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx)<br/> [Spreadsheet](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx) | The spreadsheet provides specific DNS records for service locations, geographic locations, and OS.
### Microsoft Defender ATP service backend IP range ### Microsoft Defender ATP service backend IP range
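Review bot: Moving the anonymous-traffic sentence above the table and changing "previously listed URLs" to "listed URLs" leaves it referring to nothing on this page, because the table it pointed at is deleted in the same hunk and only the spreadsheet link follows; reword to "the URLs in the spreadsheet" or place the sentence after the link. The removed table also carried wildcard paths (`crl.microsoft.com/pki/crl/*`, `www.microsoft.com/pkiops/*`) and the `v20` hosts that the paragraph above still explains; confirm the spreadsheet preserves those entries, since the other pages in this commit now send readers here for "a more specific URL list".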

View File

@ -75,15 +75,11 @@ Now that you have onboarded your organization's devices to Microsoft Defender AT
2. Go to `HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC`. 2. Go to `HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC`.
3. Look for an entry named **SmcInstData**. Right-click the item, and then choose **Delete**. 3. Look for an entry named **SmcInstData**. Right-click the item, and then choose **Delete**.
3. Remove Symantec from your devices. You can use SEP Manager to perform this task. See [Configuring client packages to uninstall existing security software](https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Managing-a-custom-installation/preparing-for-client-installation-v16742985-d21e7/configuring-client-packages-to-uninstall-existing-v73569396-d21e2634.html). 3. Remove Symantec from your devices. If you need help with this, see the following Broadcom resources:
- [Uninstall Symantec Endpoint Protection](https://knowledge.broadcom.com/external/article/156148/uninstall-symantec-endpoint-protection.html)
- Windows devices: [Manually uninstall Endpoint Protection 14 clients on Windows](https://knowledge.broadcom.com/external/article?articleId=170040)
> [!TIP] - macOS computers: [Remove Symantec software for Mac using RemoveSymantecMacFiles](https://knowledge.broadcom.com/external/article?articleId=151387)
> Need help? See the following Broadcom resources: - Linux devices: [Frequently Asked Questions for Endpoint Protection for Linux](https://knowledge.broadcom.com/external/article?articleId=162054)
> - [Uninstall Symantec Endpoint Protection](https://knowledge.broadcom.com/external/article/156148/uninstall-symantec-endpoint-protection.html).
> - Windows devices: [Manually uninstall Endpoint Protection 14 clients on Windows](https://knowledge.broadcom.com/external/article?articleId=170040).
> - macOS computers: [Remove Symantec software for Mac using RemoveSymantecMacFiles](https://knowledge.broadcom.com/external/article?articleId=151387).
> - Linux devices: [Frequently Asked Questions for Endpoint Protection for Linux](https://knowledge.broadcom.com/external/article?articleId=162054).
## Make sure Microsoft Defender ATP is in active mode ## Make sure Microsoft Defender ATP is in active mode
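Review bot: Step numbering in the new list runs 2, 3, 3: "Remove Symantec from your devices" should be step 4 (the old version had the same duplicate, so this is a chance to fix it). Moving the Broadcom links out of the TIP block into the step itself reads fine, but the trailing periods were dropped only on the new side; keep the punctuation consistent with the surrounding steps.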

View File

@ -46,7 +46,7 @@ WDAC policies apply to the managed computer as a whole and affects all users of
### WDAC System Requirements ### WDAC System Requirements
WDAC policies can only be created on computers running Windows 10 build 1903+ on any SKU, pre-1903 Windows 10 Enterprise, or Windows Server 2016 and above. WDAC policies can only be created on computers running Windows 10 build 1903+ on any SKU, pre-1903 Windows 10 Enterprise, or Windows Server 2016 and above.
WDAC policies can be applied to computers running any edition of Windows 10 or Windows Server 2016 via a Mobile Device Management (MDM) solution like Intune, a management interface like Configuration Manager, or a script host like PowerShell. Group Policy can also be used to deploy WDAC policies to Windows 10 Enterprise edition or Windows Server 2016 and above, but cannot deploy policies to machines running non-Enterprise SKUs of Windows 10. WDAC policies can be applied to computers running any edition of Windows 10 or Windows Server 2016 and above via a Mobile Device Management (MDM) solution like Intune, a management interface like Configuration Manager, or a script host like PowerShell. Group Policy can also be used to deploy WDAC policies to Windows 10 Enterprise edition or Windows Server 2016 and above, but cannot deploy policies to machines running non-Enterprise SKUs of Windows 10.
## AppLocker ## AppLocker

View File

@ -52,11 +52,10 @@ You can hide notifications that describe regular events related to the health an
This can only be done in Group Policy. This can only be done in Group Policy.
>[!IMPORTANT] >[!IMPORTANT]
>### Requirements
> >
>You must have Windows 10, version 1903. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. > Requirement: You must have Windows 10, version 1903. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
1. Download the latest [Administrative Templates (.admx) for Windows 10, v1809](https://www.microsoft.com/download/details.aspx?id=57576). 1. Download the latest [Administrative Templates (.admx) for Windows 10, v2004](https://www.microsoft.com/download/101445).
2. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. 2. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
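Review bot: The requirement still says "You must have Windows 10, version 1903" while step 1 now links the Administrative Templates for v2004; either state that version 1903 or later is required, or explain why the 2004 templates are the ones to download for a 1903 machine. The download link also changed from a `details.aspx?id=57576` URL to `microsoft.com/download/101445`; verify that the new ID resolves to the ADMX package and not a landing page.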
@ -76,15 +75,17 @@ You can hide all notifications that are sourced from the Windows Security app. T
This can only be done in Group Policy. This can only be done in Group Policy.
>[!IMPORTANT] >[!IMPORTANT]
>### Requirements
> >
>You must have Windows 10, version 1903. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. > Requirement: You must have Windows 10, version 1903. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. 3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
5. Expand the tree to **Windows components > Windows Security > Notifications**. For Windows 10 version 1803 and below the path would be **Windows components > Windows Defender Security Center > Notifications** 5. Expand the tree to **Windows components > Windows Security > Notifications**. For Windows 10 version 1803 and below the path would be **Windows components > Windows Defender Security Center > Notifications**.
> [!NOTE]
> For Windows 10 version 2004 and above the path would be **Windows components > Windows Security > Notifications**.
6. Open the **Hide all notifications** setting and set it to **Enabled**. Click **OK**. 6. Open the **Hide all notifications** setting and set it to **Enabled**. Click **OK**.
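Review bot: The added NOTE says that for Windows 10 version 2004 and above the path is **Windows components > Windows Security > Notifications**, which is the same path step 5 already gives as the default, so the note adds nothing unless the path actually differs; if the intent was to contrast it with the 1803-and-below path, fold that into step 5 instead. Step numbering here also skips (1, 3, 5, 6) on both sides; renumber.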
@ -93,7 +94,7 @@ This can only be done in Group Policy.
**[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications]** **[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications]**
**"DisableNotifications"=dword:00000001** **"DisableNotifications"=dword:00000001**
8. Use the following registry key and DWORD value to **Hide not-critical notifications** 8. Use the following registry key and DWORD value to **Hide not-critical notifications**.
**[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications]** **[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications]**
**"DisableEnhancedNotifications"=dword:00000001** **"DisableEnhancedNotifications"=dword:00000001**