Merge branch 'master' into project-snowbird-windows

2025-06-17 03:13:44 +00:00 · 2020-04-20 08:48:31 -07:00
parent 7310d54a74 c585352cd6
commit aa77341f84
31 changed files with 714 additions and 724 deletions
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@ -86,6 +86,11 @@
 "redirect_document_id": true
 },
 {
 "source_path": "windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md",
 "redirect_url": "https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip",
 "redirect_document_id": false
 },
 {
 "source_path": "windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md",
 "redirect_url": "https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure",
 "redirect_document_id": false
--- a/browsers/edge/about-microsoft-edge.md
+++ b/browsers/edge/about-microsoft-edge.md
@ -17,7 +17,7 @@ ms.date: 10/02/2018
 ---
 # Microsoft Edge system and language requirements
->Applies to:  Microsoft Edge on Windows 10 and Windows 10 Mobile
+> Applies to:  Microsoft Edge on Windows 10 and Windows 10 Mobile
 > [!NOTE]
 > You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/).
@ -25,8 +25,8 @@ ms.date: 10/02/2018
 Microsoft Edge is the new, default web browser for Windows 10, helping you to experience modern web standards, better performance, improved security, and increased reliability. Microsoft Edge lets you stay up-to-date through the Microsoft Store and to manage your enterprise through Group Policy or your mobile device management (MDM) tools.
->[!IMPORTANT]
+> [!IMPORTANT]
->The Long-Term Servicing Branch (LTSB) versions of Windows, including Windows Server 2016, don’t include Microsoft Edge or many other Universal Windows Platform (UWP) apps. Systems running the LTSB operating systems do not support these apps because their services get frequently updated with new functionality. For customers who require the LTSB for specialized devices, we recommend using Internet Explorer 11.
+> The Long-Term Servicing Branch (LTSB) versions of Windows, including Windows Server 2016, don’t include Microsoft Edge or many other Universal Windows Platform (UWP) apps. Systems running the LTSB operating systems do not support these apps because their services get frequently updated with new functionality. For customers who require the LTSB for specialized devices, we recommend using Internet Explorer 11.
 ## Minimum system requirements
--- a/browsers/edge/group-policies/favorites-management-gp.md
+++ b/browsers/edge/group-policies/favorites-management-gp.md
@ -23,8 +23,8 @@ ms.sitesec: library
 You can customize the favorites bar, for example, you can turn off features such as Save a Favorite and Import settings, and hide or show the favorites bar on all pages.  Another customization you can make is provisioning a standard list of favorites, including folders, to appear in addition to the user’s favorites. If it’s important to keep the favorites in both IE11 and Microsoft Edge synced, you can turn on syncing where changes to the list of favorites in one browser reflect in the other.
->[!TIP]
+> [!TIP]
->You can find the Favorites under C:\\Users\\<_username_>\\Favorites.
+> You can find the Favorites under C:\\Users\\<_username_>\\Favorites.
 You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy:
--- a/browsers/edge/group-policies/interoperability-enterprise-guidance-gp.md
+++ b/browsers/edge/group-policies/interoperability-enterprise-guidance-gp.md
@ -21,12 +21,11 @@ ms.topic: reference
 Microsoft Edge is the default browser experience for Windows 10 and Windows 10 Mobile. However, Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or included on your Enterprise Mode Site List. If you are running web apps that continue to use ActiveX controls, x-ua-compatible headers, or legacy document modes, you need to keep running them in IE11. IE11 offers additional security, manageability, performance, backward compatibility, and modern standards support.
->[!TIP] 
+> [!TIP]
->If you are running an earlier version of Internet Explorer, we recommend upgrading to IE11, so that any legacy apps continue to work correctly.
+> If you are running an earlier version of Internet Explorer, we recommend upgrading to IE11, so that any legacy apps continue to work correctly.
 **Technology not supported by Microsoft Edge**
 - ActiveX controls
 - Browser Helper Objects
@ -45,7 +44,6 @@ Using Enterprise Mode means that you can continue to use Microsoft Edge as your
 ## Relevant group policies
 1. [Configure the Enterprise Mode Site List](#configure-the-enterprise-mode-site-list)
 2. [Send all intranet sites to Internet Explorer 11](#send-all-intranet-sites-to-internet-explorer-11)
--- a/browsers/edge/includes/configure-home-button-include.md
+++ b/browsers/edge/includes/configure-home-button-include.md
@ -3,14 +3,15 @@ author: eavena
 ms.author: eravena
 ms.date:  10/28/2018
 ms.reviewer:
-audience: itpro
+audience: itpro
 manager: dansimp
 ms.prod: edge
 ms.topic: include
 ---
 <!-- ## Configure Home Button-->
-<!-- ## Configure Home Button-->  
+> *Supported versions: Microsoft Edge on Windows 10, version 1809*<br>
->*Supported versions: Microsoft Edge on Windows 10, version 1809*<br>
+> *Default setting: Disabled or not configured (Show home button and load the Start page)*
 [!INCLUDE [configure-home-button-shortdesc](../shortdesc/configure-home-button-shortdesc.md)]
@ -28,9 +29,8 @@ ms.topic: include
 ---
-
+> [!TIP]
->[!TIP]
+> If you want to make changes to this policy:<ol><li>Enable the **Unlock Home Button** policy.</li><li>Make changes to the **Configure Home Button** policy or **Set Home Button URL** policy.</li><li>Disable the **Unlock Home Button** policy.</li></ol>
 >If you want to make changes to this policy:<ol><li>Enable the **Unlock Home Button** policy.</li><li>Make changes to the **Configure Home Button** policy or **Set Home Button URL** policy.</li><li>Disable the **Unlock Home Button** policy.</li></ol>
 ### ADMX info and settings
 #### ADMX info
@ -54,8 +54,6 @@ ms.topic: include
 ### Related policies
 - [Set Home Button URL](../available-policies.md#set-home-button-url): [!INCLUDE [set-home-button-url-shortdesc](../shortdesc/set-home-button-url-shortdesc.md)]
 - [Set Home Button URL](../available-policies.md#set-home-button-url): [!INCLUDE [set-home-button-url-shortdesc](../shortdesc/set-home-button-url-shortdesc.md)]
 - [Unlock Home Button](../available-policies.md#unlock-home-button): [!INCLUDE [unlock-home-button-shortdesc](../shortdesc/unlock-home-button-shortdesc.md)]
 <hr>
--- a/browsers/edge/includes/configure-open-edge-with-include.md
+++ b/browsers/edge/includes/configure-open-edge-with-include.md
@ -3,15 +3,16 @@ author: eavena
 ms.author: eravena
 ms.date:  10/02/2018
 ms.reviewer:
-audience: itpro
+audience: itpro
 manager: dansimp
 ms.prod: edge
 ms.topic: include
 ---
 <!-- Configure Open Microsoft Edge With-->
-
+> *Supported versions: Microsoft Edge on Windows 10, version 1809*<br>
->*Supported versions: Microsoft Edge on Windows 10, version 1809*<br>
+> *Default setting:  Enabled (A specific page or pages)*
 [!INCLUDE [configure-open-microsoft-edge-with-shortdesc](../shortdesc/configure-open-microsoft-edge-with-shortdesc.md)]
@ -31,10 +32,8 @@ ms.topic: include
 ---
-
+> [!TIP]
-
+> If you want to make changes to this policy:<ol><li>Set the **Disabled Lockdown of Start Pages** policy to not configured.</li><li>Make changes to the **Configure Open Microsoft With** policy.</li><li>Enable the **Disabled Lockdown of Start Pages** policy.</li></ol>
 >[!TIP]
 >If you want to make changes to this policy:<ol><li>Set the **Disabled Lockdown of Start Pages** policy to not configured.</li><li>Make changes to the **Configure Open Microsoft With** policy.</li><li>Enable the **Disabled Lockdown of Start Pages** policy.</li></ol>
 ### ADMX info and settings
@ -58,11 +57,7 @@ ms.topic: include
 ### Related policies
 - [Configure Start pages](../available-policies.md#configure-start-pages): [!INCLUDE [configure-start-pages-shortdesc](../shortdesc/configure-start-pages-shortdesc.md)]
 - [Configure Start pages](../available-policies.md#configure-start-pages): [!INCLUDE [configure-start-pages-shortdesc](../shortdesc/configure-start-pages-shortdesc.md)]
 - [Disable lockdown of Start pages](../available-policies.md#disable-lockdown-of-start-pages): [!INCLUDE [disable-lockdown-of-start-pages-shortdesc](../shortdesc/disable-lockdown-of-start-pages-shortdesc.md)]
 ---
--- a/browsers/edge/includes/provision-favorites-include.md
+++ b/browsers/edge/includes/provision-favorites-include.md
@ -3,20 +3,21 @@ author: eavena
 ms.author: eravena
 ms.date:  10/02/2018
 ms.reviewer:
-audience: itpro
+audience: itpro
 manager: dansimp
 ms.prod: edge
 ms.topic: include
 ---
 <!-- ## Provision Favorites -->
-<!-- ## Provision Favorites -->
+> *Supported versions: Microsoft Edge on Windows 10, version 1511 or later*<br>
->*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*<br>
+> *Default setting:  Disabled or not configured (Customizable)*
 [!INCLUDE [provision-favorites-shortdesc](../shortdesc/provision-favorites-shortdesc.md)]
-
+> [!IMPORTANT]
->[!IMPORTANT]
+> Enable only this policy or the Keep favorites in sync between Internet Explorer and Microsoft Edge policy. If you enable both, Microsoft Edge prevents users from syncing their favorites between the two browsers.
 ### Supported values
--- a/browsers/edge/includes/send-all-intranet-sites-ie-include.md
+++ b/browsers/edge/includes/send-all-intranet-sites-ie-include.md
@ -3,19 +3,20 @@ author: eavena
 ms.author: eravena
 ms.date:  10/02/2018
 ms.reviewer:
-audience: itpro
+audience: itpro
 manager: dansimp
 ms.prod: edge
 ms.topic: include
 ---
 <!-- ## Send all intranet sites to Internet Explorer 11 -->
-<!-- ## Send all intranet sites to Internet Explorer 11 -->
+> *Supported versions: Microsoft Edge on Windows 10*<br>
->*Supported versions: Microsoft Edge on Windows 10*<br>
+> *Default setting:  Disabled or not configured*
 [!INCLUDE [send-all-intranet-sites-to-ie-shortdesc](../shortdesc/send-all-intranet-sites-to-ie-shortdesc.md)]
-
+> [!TIP]
->[!TIP]
+> Microsoft Edge does not support ActiveX controls, Browser Helper Objects, VBScript, or other legacy technology. If you have websites or web apps that still use this technology and needs IE11 to run, you can add them to the Enterprise Mode site list, using Enterprise Mode Site List Manager.
 ### Supported values
--- a/browsers/edge/microsoft-edge-kiosk-mode-deploy.md
+++ b/browsers/edge/microsoft-edge-kiosk-mode-deploy.md
@ -16,8 +16,8 @@ ms.date: 01/17/2020
 # Deploy Microsoft Edge Legacy kiosk mode
->Applies to: Microsoft Edge Legacy (version 45 and earlier) on Windows 10, version 1809 or later 
+> Applies to: Microsoft Edge Legacy (version 45 and earlier) on Windows 10, version 1809 or later
->Professional, Enterprise, and Education
+> Professional, Enterprise, and Education
 > [!NOTE]
 > You've reached the documentation for Microsoft Edge Legacy (version 45 and earlier.) To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/). For information about kiosk mode in the new version of Microsoft Edge, see [Microsoft Edge kiosk mode](https://docs.microsoft.com/DeployEdge/microsoft-edge-kiosk-mode).
@ -35,7 +35,7 @@ At the end of this topic, you can find a list of [supported policies](#supported
 ## Kiosk mode configuration types
->**Policy** = Configure kiosk mode (ConfigureKioskMode)
+> **Policy** = Configure kiosk mode (ConfigureKioskMode)
 Microsoft Edge Legacy kiosk mode supports four configurations types that depend on how Microsoft Edge Legacy is set up with assigned access, either as a single-app or multi-app kiosk. These configuration types help you determine what is best suited for your kiosk device or scenario.
@ -151,8 +151,8 @@ Windows Settings is the simplest and the only way to set up one or a couple of s
 With this method, you can use Microsoft Intune or other MDM services to configure Microsoft Edge Legacy kiosk mode in assigned access and how it behaves on a kiosk device. To learn about a few app fundamentals and requirements before adding them to Intune, see [Add apps to Microsoft Intune](https://docs.microsoft.com/intune/apps-add).
->[!IMPORTANT]
+> [!IMPORTANT]
->If you are using a local account as a kiosk account in Microsoft Intune, make sure to sign into this account and then sign out before configuring the kiosk device.
+> If you are using a local account as a kiosk account in Microsoft Intune, make sure to sign into this account and then sign out before configuring the kiosk device.
 1. In Microsoft Intune or other MDM service, configure [AssignedAccess](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) to prevent users from accessing the file system, running executables, or other apps.
@ -262,7 +262,7 @@ In the following table, we show you the features available in both Microsoft Edg
 |-----------------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------:|:-------------------------------------------------------------------------------------------------------------------------------------------------------:|
 |                       Print support                       |                                                                 ![Supported](images/148767.png)                                                                 |                                                           ![Not supported](images/148766.png)                                                           |
 |                     Multi-tab support                     |                                                                 ![Supported](images/148767.png)                                                                 |                                                           ![Not supported](images/148766.png)                                                           |
-|                  Allow/Block URL support                  | ![Not Supported](images/148766.png)                                                             ![Supported](images/148767.png)                                                             |
+|                  Allow/Block URL support                  |                                                             ![Not Supported](images/148766.png)                                                                 |                                                             ![Supported](images/148767.png)                                                             |
 |                   Configure Home Button                   |                                                                 ![Supported](images/148767.png)                                                                 |                                                             ![Supported](images/148767.png)                                                             |
 |                   Set Start page(s) URL                   |                                                                 ![Supported](images/148767.png)                                                                 |                                              ![Supported](images/148767.png) <p>*Same as Home button URL*                                               |
 |                   Set New Tab page URL                    |                                                                 ![Supported](images/148767.png)                                                                 |                                                           ![Not supported](images/148766.png)                                                           |
--- a/browsers/edge/web-app-compat-toolkit.md
+++ b/browsers/edge/web-app-compat-toolkit.md
@ -14,7 +14,7 @@ ms.localizationpriority: high
 # Web Application Compatibility lab kit
->Updated: October, 2017
+> Updated: October, 2017
 Upgrading web applications to modern standards is the best long-term solution to ensure compatibility with today’s web browsers, but using backward compatibility can save time and money. Internet Explorer 11 has features that can ease your browser and operating system upgrades, reducing web application testing and remediation costs. On Windows 10, you can standardize on Microsoft Edge for faster, safer browsing and fall back to Internet Explorer 11 just for sites that need backward compatibility.
@ -54,5 +54,5 @@ The Web Application Compatibility Lab Kit is also available in the following lan
 [DOWNLOAD THE LAB KIT](https://www.microsoft.com/evalcenter/evaluate-windows-10-web-application-compatibility-lab)
->[!TIP]
+> [!TIP]
->Please use a broad bandwidth to download this content to enhance your downloading experience. Lab environment requires 8 GB of available memory and 100 GB of free disk space.
+> Please use a broad bandwidth to download this content to enhance your downloading experience. Lab environment requires 8 GB of available memory and 100 GB of free disk space.
--- a/browsers/enterprise-mode/create-change-request-enterprise-mode-portal.md
+++ b/browsers/enterprise-mode/create-change-request-enterprise-mode-portal.md
@ -25,8 +25,8 @@ ms.author: dansimp
 Employees assigned to the Requester role can create a change request. A change request is used to tell the Approvers and the Administrator that a website needs to be added or removed from the Enterprise Mode Site List. The employee can navigate to each stage of the process by using the workflow links provided at the top of each page of the portal.
->[!Important]
+> [!Important]
->Each Requester must have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct. 
+> Each Requester must have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct.
 **To create a new change request**
 1. The Requester (an employee that has been assigned the Requester role) signs into the Enterprise Mode Site List Portal, and clicks **Create new request**.
@ -70,4 +70,4 @@ Employees assigned to the Requester role can create a change request. A change r
    - **If the change is incorrect.** The Requester can rollback the change in pre-production or ask for help from the Administrator.
 ## Next steps
-After the change request is created, the Requester must make sure the suggested changes work in the pre-production environment. For these steps, see the [Verify your changes using the Enterprise Mode Site List Portal](verify-changes-preprod-enterprise-mode-portal.md) topic.
+After the change request is created, the Requester must make sure the suggested changes work in the pre-production environment. For these steps, see [Verify your changes using the Enterprise Mode Site List Portal](verify-changes-preprod-enterprise-mode-portal.md).
--- a/browsers/enterprise-mode/enterprise-mode-features-include.md
+++ b/browsers/enterprise-mode/enterprise-mode-features-include.md
@ -1,4 +1,5 @@
 ### Enterprise Mode features
 Enterprise Mode includes the following features:
 - **Improved web app and website compatibility.** Through improved emulation, Enterprise Mode lets many legacy web apps run unmodified on IE11, supporting several site patterns that aren’t currently supported by existing document modes.
@ -8,8 +9,8 @@ Download the [Enterprise Mode Site List Manager (schema v.2)](https://go.microso
 - **Centralized control.** You can specify the websites or web apps to interpret using Enterprise Mode, through an XML file on a website or stored locally. Domains and paths within those domains can be treated differently, allowing granular control. Use Group Policy to let users turn Enterprise Mode on or off from the Tools menu and to decide whether the Enterprise browser profile appears on the Emulation tab of the F12 developer tools.
-    >[!Important]
+    > [!Important]
-    >All centrally-made decisions override any locally-made choices. 
+    > All centrally-made decisions override any locally-made choices.
 - **Integrated browsing.** When Enterprise Mode is set up, users can browse the web normally, letting the browser change modes automatically to accommodate Enterprise Mode sites.
--- a/browsers/enterprise-mode/verify-changes-preprod-enterprise-mode-portal.md
+++ b/browsers/enterprise-mode/verify-changes-preprod-enterprise-mode-portal.md
@ -23,8 +23,8 @@ ms.author: dansimp
 - Windows Server 2012 R2
 - Windows Server 2008 R2 with Service Pack 1 (SP1)
->[!Important]
+> [!Important]
->This step requires that each Requester have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct. 
+> This step requires that each Requester have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct.
 The Requester successfully submits a change request to the Enterprise Mode Site List Portal and then gets an email, including:
--- a/browsers/includes/import-into-the-enterprise-mode-site-list-mgr-include.md
+++ b/browsers/includes/import-into-the-enterprise-mode-site-list-mgr-include.md
@ -3,15 +3,16 @@ author: eavena
 ms.author: eravena
 ms.date:  10/02/2018
 ms.reviewer:
-audience: itpro
+audience: itpro
 manager: dansimp
 ms.prod: edge
 ms.topic: include
 ---
 If you need to replace your entire site list because of errors, or simply because it’s out of date, you can import your exported Enterprise Mode site list using the Enterprise Mode Site List Manager.
-
+> [!IMPORTANT]
->[!IMPORTANT]
+> Importing your file overwrites everything that’s currently in the tool, so make sure it’s what want to do.
 1.  In the Enterprise Mode Site List Manager, click **File \> Import**.
--- a/browsers/includes/interoperability-goals-enterprise-guidance.md
+++ b/browsers/includes/interoperability-goals-enterprise-guidance.md
@ -26,8 +26,8 @@ You must continue using IE11 if web apps use any of the following:
 * legacy document modes
 If you have uninstalled IE11, you can download it from the Microsoft Store or the [Internet Explorer 11 download page](https://go.microsoft.com/fwlink/p/?linkid=290956). Alternatively, you can use Enterprise Mode with Microsoft Edge to transition only the sites that need these technologies to load in IE11. 
-
+
->[!TIP]
+> [!TIP]
 > If you want to use Group Policy to set Internet Explorer as your default browser, you can find the info here, [Set the default browser using Group Policy](https://go.microsoft.com/fwlink/p/?LinkId=620714).  
@ -38,4 +38,3 @@ If you have uninstalled IE11, you can download it from the Microsoft Store or th
 |Document modes     | Starting with IE8, Internet Explorer introduced a new “document mode” with every release. These document modes could be requested via the x-ua-compatible header to put the browser into a mode which emulates legacy versions.        |Similar to other modern browsers, Microsoft Edge has a single “living” document mode. To minimize the compatibility burden, we test features behind switches in about:flags until stable and ready to be turned on by default.         |
 ---
--- a/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md
@ -26,8 +26,8 @@ ms.author: dansimp
 Employees assigned to the Requester role can create a change request. A change request is used to tell the Approvers and the Administrator that a website needs to be added or removed from the Enterprise Mode Site List. The employee can navigate to each stage of the process by using the workflow links provided at the top of each page of the portal.
->[!Important]
+> [!Important]
->Each Requester must have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct. 
+> Each Requester must have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct.
 **To create a new change request**
 1. The Requester (an employee that has been assigned the Requester role) signs into the Enterprise Mode Site List Portal, and clicks **Create new request**.
@ -71,4 +71,5 @@ Employees assigned to the Requester role can create a change request. A change r
    - **If the change is incorrect.** The Requester can rollback the change in pre-production or ask for help from the Administrator.
 ## Next steps
-After the change request is created, the Requester must make sure the suggested changes work in the pre-production environment. For these steps, see the [Verify your changes using the Enterprise Mode Site List Portal](verify-changes-preprod-enterprise-mode-portal.md) topic.
+
 After the change request is created, the Requester must make sure the suggested changes work in the pre-production environment. For these steps, see [Verify your changes using the Enterprise Mode Site List Portal](verify-changes-preprod-enterprise-mode-portal.md).
--- a/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md
@ -24,8 +24,8 @@ ms.author: dansimp
 - Windows Server 2012 R2
 - Windows Server 2008 R2 with Service Pack 1 (SP1)
->[!Important]
+> [!Important]
->This step requires that each Requester have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct. 
+> This step requires that each Requester have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct.
 The Requester successfully submits a change request to the Enterprise Mode Site List Portal and then gets an email, including:
--- a/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md
@ -33,7 +33,7 @@ If you have specific websites and apps that you know have compatibility problems
 Using Enterprise Mode means that you can continue to use Microsoft Edge as your default browser, while also ensuring that your apps continue working on IE11.
->[!TIP]
+> [!TIP]
 > If you are running an earlier version of Internet Explorer, we recommend upgrading to IE11, so that any legacy apps continue to work correctly.
 For Windows 10 and Windows 10 Mobile, Microsoft Edge is the default browser experience. However, Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or included on your Enterprise Mode Site List. 
@ -54,8 +54,8 @@ Download the [Enterprise Mode Site List Manager (schema v.2)](https://go.microso
 - **Centralized control.** You can specify the websites or web apps to interpret using Enterprise Mode, through an XML file on a website or stored locally. Domains and paths within those domains can be treated differently, allowing granular control. Use Group Policy to let users turn Enterprise Mode on or off from the Tools menu and to decide whether the Enterprise browser profile appears on the Emulation tab of the F12 developer tools.
-    >[!Important]
+    > [!Important]
-    >All centrally-made decisions override any locally-made choices. 
+    > All centrally-made decisions override any locally-made choices. 
 - **Integrated browsing.** When Enterprise Mode is set up, users can browse the web normally, letting the browser change modes automatically to accommodate Enterprise Mode sites.
--- a/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.md
+++ b/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.md
@ -18,8 +18,8 @@ ms.date: 05/10/2018
 Get answers to commonly asked questions about the Internet Explorer 11 Blocker Toolkit.
->[!Important]
+> [!Important]
->If you administer your company’s environment using an update management solution, such as Windows Server Update Services (WSUS) or System Center 2012 Configuration Manager, you don’t need to use the Internet Explorer 11 Blocker Toolkit. Update management solutions let you completely manage your Windows Updates and Microsoft Updates, including your Internet Explorer 11 deployment.
+> If you administer your company’s environment using an update management solution, such as Windows Server Update Services (WSUS) or System Center 2012 Configuration Manager, you don’t need to use the Internet Explorer 11 Blocker Toolkit. Update management solutions let you completely manage your Windows Updates and Microsoft Updates, including your Internet Explorer 11 deployment.
 - [Automatic updates delivery process](#automatic-updates-delivery-process)
--- a/browsers/internet-explorer/ie11-ieak/index.md
+++ b/browsers/internet-explorer/ie11-ieak/index.md
@ -18,8 +18,8 @@ The Internet Explorer Administration Kit (IEAK) simplifies the creation, deploym
 Use this guide to learn about the several options and processes you'll need to consider while you're using the Internet Explorer Administration Kit 11 (IEAK 11) to customize, deploy, and manage Internet Explorer 11 for your employee's devices.
->[!IMPORTANT]
+> [!IMPORTANT]
->Because this content isn't intended to be a step-by-step guide, not all of the steps are necessary.
+> Because this content isn't intended to be a step-by-step guide, not all of the steps are necessary.
 ## Included technology
--- a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
@ -21,8 +21,8 @@ In addition to the Software License Terms for the Internet Explorer Administrati
 During installation, you must pick a version of IEAK 11, either **External** or **Internal**, based on your license agreement. Your version selection decides the options you can chose, the steps you follow to deploy your Internet Explorer 11 package, and how you manage the browser after deployment.
 -   **External Distribution as an Internet Service Provider (ISP), Internet Content Provider (ICP), or Developer.** If you are an ISP or an ICP, your license agreement also states that you must show the Internet Explorer logo on your packaging and promotional goods, as well as on your website.
-    >[!IMPORTANT]
+    > [!IMPORTANT]
-    >Original Equipment Manufacturers (OEMs) that install IEAK 11 as part of a Windows product, under an OEM license agreement with Microsoft, must use their appropriate Windows OEM Preinstallation document (OPD) as the guide for allowable customizations.
+    > Original Equipment Manufacturers (OEMs) that install IEAK 11 as part of a Windows product, under an OEM license agreement with Microsoft, must use their appropriate Windows OEM Preinstallation document (OPD) as the guide for allowable customizations.
 -   **Internal Distribution via a Corporate Intranet.** This version is for network admins that plan to directly deploy IE11 into a corporate environment.
--- a/windows/deployment/update/update-compliance-monitor.md
+++ b/windows/deployment/update/update-compliance-monitor.md
@ -18,9 +18,9 @@ ms.topic: article
 # Monitor Windows Updates with Update Compliance
 > [!IMPORTANT]
-> While [Windows Analytics was retired on January 31, 2020](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor), support for Update Compliance has continued through the Azure Portal. A few retirements are planned, noted below, but are placed on hold until the current situation stabilizes. 
+> While [Windows Analytics was retired on January 31, 2020](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor), support for Update Compliance has continued through the Azure Portal. A few retirements are planned, noted below, but are placed **on hold** until the current situation stabilizes. 
-> * As of March 31, 2020, The Windows Defender Antivirus reporting feature of Update Compliance is no longer supported and will soon be retired. You can continue to review malware definition status and manage and monitor malware attacks with Microsoft Endpoint Manager's [Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune). Configuration Manager customers can monitor Endpoint Protection with [Endpoint Protection in Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection).
+> * The Windows Defender Antivirus reporting feature of Update Compliance will soon be retired. You can continue to review malware definition status and manage and monitor malware attacks with Microsoft Endpoint Manager's [Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune). Configuration Manager customers can monitor Endpoint Protection with [Endpoint Protection in Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection).
-> * As of March 31, 2020, The Perspectives feature of Update Compliance is no longer supported and will soon be retired in favor of a better experience. The Perspectives feature is part of the Log Search portal of Log Analytics, which was deprecated on February 15, 2019 in favor of [Azure Monitor Logs](https://docs.microsoft.com/azure/azure-monitor/log-query/log-search-transition). Your Update Compliance solution will be automatically upgraded to Azure Monitor Logs, and the data available in Perspectives will be migrated to a set of queries in the [Needs Attention section](update-compliance-need-attention.md) of Update Compliance.
+> * As of March 31, 2020, The Perspectives feature of Update Compliance will soon be retired in favor of a better experience. The Perspectives feature is part of the Log Search portal of Log Analytics, which was deprecated on February 15, 2019 in favor of [Azure Monitor Logs](https://docs.microsoft.com/azure/azure-monitor/log-query/log-search-transition). Your Update Compliance solution will be automatically upgraded to Azure Monitor Logs, and the data available in Perspectives will be migrated to a set of queries in the [Needs Attention section](update-compliance-need-attention.md) of Update Compliance.
 ## Introduction
--- a/windows/deployment/windows-10-subscription-activation.md
+++ b/windows/deployment/windows-10-subscription-activation.md
@ -191,6 +191,8 @@ When you have the required Azure AD subscription, group-based licensing is the p
 If you are running Windows 10, version 1803 or later, Subscription Activation will automatically pull the firmware-embedded Windows 10 activation key and activate the underlying Pro License. The license will then step-up to Windows 10 Enterprise using Subscription Activation. This automatically migrates your devices from KMS or MAK activated Enterprise to Subscription activated Enterprise. 
 Caution: Firmware-embedded Windows 10 activation happens automatically only when we go through OOBE(Out Of Box Experience)
 If you are using Windows 10, version 1607, 1703, or 1709 and have already deployed Windows 10 Enterprise, but you want to move away from depending on KMS servers and MAK keys for Windows client machines, you can seamlessly transition as long as the computer has been activated with a firmware-embedded Windows 10 Pro product key.
 If the computer has never been activated with a Pro key, run the following script. Copy the text below into a .cmd file and run the file from an elevated command prompt:
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@ -10,7 +10,7 @@ ms.sitesec: library
 ms.localizationpriority: high
 audience: ITPro
 author: medgarmedgar
-ms.author: v-medgar
+ms.author: robsize
 manager: robsize
 ms.collection: M365-security-compliance
 ms.topic: article
@ -39,8 +39,8 @@ Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline]
 >[!Note]
 >Regarding the Windows Restricted Traffic Limited Functionality Baseline, the 1903 settings (folder) are applicable to 1909 Windows >Enterprise devices. There were no additional settings required for the 1909 release.
->[!Warning] 
+> [!Warning] 
->If a user executes the "Reset this PC" command (Settings -> Update & Security -> Recovery) with the "Keep my files" option (or the >"Remove Everything" option) the Windows Restricted Traffic Limited Functionality Baseline settings will need to be re-applied in order >re-restrict the device. Egress traffic may occur prior to the re-application of the Restricted Traffic Limited Functionality Baseline >settings.
+> If a user executes the **Reset this PC** command (Settings -> Update & Security -> Recovery) with the **Keep my files option** (or the **Remove Everything** option) the Windows Restricted Traffic Limited Functionality Baseline settings will need to be re-applied in order to re-restrict the device. Egress traffic may occur prior to the re-application of the Restricted Traffic Limited Functionality Baseline settings.
 To use Microsoft Intune cloud based device management for restricting traffic please refer to the [Manage connections from Windows 10 operating system components to Microsoft services using Microsoft Intune MDM Server](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm)
@ -1898,4 +1898,3 @@ For China releases of Windows 10 there is one additional Regkey to be set to pre
 To learn more, see [Device update management](https://msdn.microsoft.com/library/windows/hardware/dn957432.aspx) and [Configure Automatic Updates by using Group Policy](https://technet.microsoft.com/library/cc720539.aspx).
--- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
@ -43,18 +43,20 @@ Before you can remotely reset PINs, you must on-board the Microsoft PIN reset se
 ### Connect Azure Active Directory with the PIN reset service
-1. Go to the [Microsoft PIN Reset Service Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent), and sign in using the tenant administrator account you use to manage your Azure Active Directory tenant.
+1. Go to the [Microsoft PIN Reset Service Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent), and sign in using the Global administrator account you use to manage your Azure Active Directory tenant.
-2. After you log in, click **Accept** to give consent for the PIN reset service to access your account.
+2. After you have logged in, choose **Accept** to give consent for the PIN reset service to access your account.
 ![PIN reset service application in Azure](images/pinreset/pin-reset-service-prompt.png)
-3. Go to the [Microsoft PIN Reset Client Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent), and sign in using the tenant administrator account you use to manage your Azure Active Directory tenant.
+3. Go to the [Microsoft PIN Reset Client Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent), and sign in using the Global administrator account you use to manage your Azure Active Directory tenant.
-4. After you log in, click **Accept** to give consent for the PIN reset client to access your account.
+4. After you have logged in, choose **Accept** to give consent for the PIN reset client to access your account.
 > [!NOTE]
 > After you have accepted the PIN reset service and client requests, you will land on a page that states "You do not have permission to view this directory or page." This behavior is expected. Be sure to confirm that the two PIN reset applications are listed for your tenant.
 ![PIN reset client application in Azure](images/pinreset/pin-reset-client-prompt.png)
 5. In the [Azure portal](https://portal.azure.com), verify that the Microsoft PIN Reset Service and Microsoft PIN Reset Client are integrated from the **Enterprise applications** blade. Filter to application status "Enabled" and both Microsoft Pin Reset Service Production and Microsoft Pin Reset Client Production will show up in your tenant.
 ![PIN reset service permissions page](images/pinreset/pin-reset-applications.png)
 >[!NOTE]
 >After you Accept the PIN reset service and client requests, you will land on a page that states "You do not have permission to view this directory or page." This behavior is expected. Be sure to confirm that the two PIN Reset applications are listed for your tenant.
 ### Configure Windows devices to use PIN reset using Group Policy
 You configure Windows 10 to use the Microsoft PIN Reset service using the computer configuration portion of a Group Policy object.
@ -70,8 +72,8 @@ To configure PIN reset on Windows devices you manage, use an [Intune Windows 10
 #### Create a PIN Reset Device configuration profile using Microsoft Intune
-1. Sign-in to [Azure Portal](https://portal.azure.com) using a tenant administrator account.
+1. Sign-in to [Azure Portal](https://portal.azure.com) using a Global administrator account.
-2. You need your tenant ID to complete the following task.  You can discovery your tenant ID viewing the **Properties** of your Azure Active Directory from the Azure Portal. It will be listed under Directory ID. You can also use the following command in a command Window on any Azure AD joined or hybrid Azure AD joined computer.</br>
+2. You need your tenant ID to complete the following task.  You can discover your tenant ID by viewing the **Properties** of your Azure Active Directory from the Azure Portal. It will be listed under Directory ID. You can also use the following command in a Command window on any Azure AD-joined or hybrid Azure AD-joined computer.</br>
    ```
    dsregcmd /status | findstr -snip "tenantid"
@ -86,9 +88,9 @@ To configure PIN reset on Windows devices you manage, use an [Intune Windows 10
 #### Assign the PIN Reset Device configuration profile using Microsoft Intune
-1. Sign-in to [Azure Portal](https://portal.azure.com) using a tenant administrator account. 
+1. Sign in to the [Azure Portal](https://portal.azure.com) using a Global administrator account. 
-2. Navigate to the Microsoft Intune blade. Click **Device configuration**. Click **Profiles**. From the list of device configuration profiles, click the profile that contains the PIN reset configuration.
+2. Navigate to the Microsoft Intune blade. Choose **Device configuration** > **Profiles**. From the list of device configuration profiles, choose the profile that contains the PIN reset configuration.
-3. In the device configuration profile, click **Assignments**.
+3. In the device configuration profile, select **Assignments**.
 4. Use the **Include** and/or **Exclude** tabs to target the device configuration profile to select groups.
 ## On-premises Deployments
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
@ -644,28 +644,28 @@ Sign-in a workstation with access equivalent to a _domain user_.
 3. Select **Device Configuration**, and then click **Profiles**.
 4. Select **Create Profile**.
   ![Intune Device Configuration Create Profile](images/aadjcert/intunedeviceconfigurationcreateprofile.png)
-5. Next to **Name**, type **WHFB Certificate Enrollment**.
+5. Select **Windows 10 and later** from the **Platform** list.
-6. Next to **Description**, provide a description meaningful for your environment.
+6. Choose **SCEP certificate** from the **Profile** list, and select **Create**.
-7. Select **Windows 10 and later** from the **Platform** list.
+7. The **SCEP Certificate** wizard should open. Next to **Name**, type **WHFB Certificate Enrollment**.
-8. Select **SCEP certificate** from the **Profile** list.
+8. Next to **Description**, provide a description meaningful for your environment, then select **Next**.
-   ![WHFB Scep Profile Blade](images/aadjcert/intunewhfbscepprofile-00.png)
+9. Select **User** as a certificate type.
-9. The **SCEP Certificate** blade should open. Configure **Certificate validity period** to match your organization.
+10. Configure **Certificate validity period** to match your organization.
   > [!IMPORTANT]
   > Remember that you need to configure your certificate authority to allow Microsoft Intune to configure certificate validity.
-10. Select **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)** from the **Key storage provider (KSP)** list.
+11. Select **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)** from the **Key storage provider (KSP)** list.
-11. Select **Custom** from the **Subject name format** list.
+12. Select **Custom** from the **Subject name format** list.
-12. Next to **Custom**, type **CN={{OnPrem_Distinguished_Name}}** to make the on-premises distinguished name the subject of the issued certificate.
+13. Next to **Custom**, type **CN={{OnPrem_Distinguished_Name}}** to make the on-premises distinguished name the subject of the issued certificate.
-13. Specify **User Principal Name (UPN)** as a **Subject Alternative Name** value.
+14. Specify **User Principal Name (UPN)** as a **Subject Alternative Name** value.
-14. Refer to the "Configure Certificate Templates on NDES" task for how you configured the **AADJ WHFB Authentication** certificate template in the registry. Select the appropriate combination of key usages from the **Key Usages** list that map to configured NDES template in the registry. In this example, the **AADJ WHFB Authentication** certificate template was added to the **SignatureTemplate** registry value name. The **Key usage** that maps to that registry value name is **Digital Signature**.
+15. Refer to the "Configure Certificate Templates on NDES" task for how you configured the **AADJ WHFB Authentication** certificate template in the registry. Select the appropriate combination of key usages from the **Key Usages** list that map to configured NDES template in the registry. In this example, the **AADJ WHFB Authentication** certificate template was added to the **SignatureTemplate** registry value name. The **Key usage** that maps to that registry value name is **Digital Signature**.
-15. Select a previously configured **Trusted certificate** profile that matches the root certificate of the issuing certificate authority.
+16. Select a previously configured **Trusted certificate** profile that matches the root certificate of the issuing certificate authority.
    ![WHFB SCEP certificate profile Trusted Certificate selection](images/aadjcert/intunewhfbscepprofile-01.png)
-16. Under **Extended key usage**, type **Smart Card Logon** under **Name**. Type **1.3.6.1.4.1.311.20.2.2** under **Object identifier**. Click **Add**.
+17. Under **Extended key usage**, type **Smart Card Logon** under **Name**. Type **1.3.6.1.4.1.311.20.2.2** under **Object identifier**. Click **Add**.
-17. Type a percentage (without the percent sign) next to **Renewal Threshold** to determine when the certificate should attempt to renew. The recommended value is **20**.
+18. Type a percentage (without the percent sign) next to **Renewal Threshold** to determine when the certificate should attempt to renew. The recommended value is **20**.
    ![WHFB SCEP certificate Profile EKUs](images/aadjcert/intunewhfbscepprofile-03.png)
-18. Under **SCEP Server URLs**, type the fully qualified external name of the Azure AD Application proxy you configured. Append to the name **/certsrv/mscep/mscep.dll**. For example, https://ndes-mtephendemo.msappproxy.net/certsrv/mscep/mscep.dll. Click **Add**. Repeat this step for each additional NDES Azure AD Application Proxy you configured to issue Windows Hello for Business certificates. Microsoft Intune round-robin load balances requests among the URLs listed in the SCEP certificate profile.
+19. Under **SCEP Server URLs**, type the fully qualified external name of the Azure AD Application proxy you configured. Append to the name **/certsrv/mscep/mscep.dll**. For example, https://ndes-mtephendemo.msappproxy.net/certsrv/mscep/mscep.dll. Click **Add**. Repeat this step for each additional NDES Azure AD Application Proxy you configured to issue Windows Hello for Business certificates. Microsoft Intune round-robin load balances requests among the URLs listed in the SCEP certificate profile.
-19. Click **OK**.
+20. Click **Next**.
-20. Click **Create**.
+21. Click **Next** two more times to skip the **Scope tags** and **Assignments** steps of the wizard and click **Create**.
 ### Assign Group to the WHFB Certificate Enrollment Certificate Profile
 Sign-in a workstation with access equivalent to a _domain user_.
--- a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
+++ b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
@ -15,7 +15,7 @@ manager: dansimp
 ms.collection: M365-identity-device-management
 ms.topic: article
 ms.localizationpriority: medium
-ms.date: 10/18/2017
+ms.date: 4/16/2017
 ---
 # Manage Windows Hello for Business in your organization
@ -34,7 +34,7 @@ You can create a Group Policy or mobile device management (MDM) policy that will
 ## Group Policy settings for Windows Hello for Business
-The following table lists the Group Policy settings that you can configure for Windows Hello use in your workplace. These policy settings are available in both **User configuration** and **Computer Configuration** under **Policies** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Windows Hello for Business**.
+The following table lists the Group Policy settings that you can configure for Windows Hello use in your workplace. These policy settings are available in **User configuration** and **Computer Configuration** under **Policies** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Windows Hello for Business**.
 > [!NOTE]
 > Starting with Windows 10, version 1709, the location of the PIN complexity section of the Group Policy is: **Computer Configuration** &gt; **Administrative Templates** &gt; **System** &gt; **PIN Complexity**.
@ -42,13 +42,15 @@ The following table lists the Group Policy settings that you can configure for W
 <table>
 <tr>
 <th colspan="2">Policy</th>
 <th>Scope</th>
 <th>Options</th>
 </tr>
 <tr>
 <td>Use Windows Hello for Business</td>
 <td></td>
 <td>Computer or user</td>
 <td>
-<p><b>Not configured</b>: Users can provision Windows Hello for Business, which encrypts their domain password.</p>
+<p><b>Not configured</b>: Device does not provision Windows Hello for Business for any user.</p>
 <p><b>Enabled</b>: Device provisions Windows Hello for Business using keys or certificates for all users.</p>
 <p><b>Disabled</b>: Device does not provision Windows Hello for Business for any user.</p>
 </td>
@ -56,15 +58,41 @@ The following table lists the Group Policy settings that you can configure for W
 <tr>
 <td>Use a hardware security device</td>
 <td></td>
 <td>Computer</td>
 <td>
 <p><b>Not configured</b>: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.</p>
-<p><b>Enabled</b>: Windows Hello for Business will only be provisioned using TPM.</p>
+<p><b>Enabled</b>: Windows Hello for Business will only be provisioned using TPM. This feature will provision Windows Hello for Business using TPM 1.2 unless the option to exclude them is explicitly set.</p>
 <p><b>Disabled</b>: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.</p>
 </td>
 </tr>
 <tr>
 <td>Use certificate for on-premises authentication</td>
 <td></td>
 <td>Computer or user</td>
 <td>
 <p><b>Not configured</b>: Windows Hello for Business enrolls a key that is used for on-premises authentication.</p>
 <p><b>Enabled</b>: Windows Hello for Business enrolls a sign-in certificate using ADFS that is used for on-premises authentication.</p>
 <p><b>Disabled</b>: Windows Hello for Business enrolls a key that is used for on-premises authentication.</p>
 </td>
 </tr>
 <td>Use PIN recovery</td>
 <td></td>
 <td>Computer</td>
 <td>
 <p>Added in Windows 10, version 1703</p>
 <p><b>Not configured</b>: Windows Hello for Business does not create or store a PIN recovery secret. PIN reset does not use the Azure-based PIN recovery service.</p>
 <p><b>Enabled</b>: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset.</p>
 <p><b>Disabled</b>: Windows Hello for Business does not create or store a PIN recovery secret. PIN reset does not use the Azure-based PIN recovery service.</p>
 <p>
 For more information about using the PIN recovery service for PIN reset see [Windows Hello for Business PIN Reset](hello-feature-pin-reset.md).
 </p>
 </td>
 </tr>
 <tr>
 <td>Use biometrics</td>
 <td></td>
 <td>Computer</td>
 <td>
 <p><b>Not configured</b>: Biometrics can be used as a gesture in place of a PIN.</p>
 <p><b>Enabled</b>: Biometrics can be used as a gesture in place of a PIN.</p>
@ -74,6 +102,7 @@ The following table lists the Group Policy settings that you can configure for W
 <tr>
 <td rowspan="8">PIN Complexity</td>
 <td>Require digits</td>
 <td>Computer</td>
 <td>
 <p><b>Not configured</b>: Users must include a digit in their PIN.</p>
 <p><b>Enabled</b>: Users must include a digit in their PIN.</p>
@ -82,6 +111,7 @@ The following table lists the Group Policy settings that you can configure for W
 </tr>
 <tr>
 <td>Require lowercase letters</td>
 <td>Computer</td>
 <td>
 <p><b>Not configured</b>: Users cannot use lowercase letters in their PIN.</p>
 <p><b>Enabled</b>: Users must include at least one lowercase letter in their PIN.</p>
@ -90,6 +120,7 @@ The following table lists the Group Policy settings that you can configure for W
 </tr>
 <tr>
 <td>Maximum PIN length</td>
 <td>Computer</td>
 <td>
 <p><b>Not configured</b>: PIN length must be less than or equal to 127.</p>
 <p><b>Enabled</b>: PIN length must be less than or equal to the number you specify.</p>
@ -98,6 +129,7 @@ The following table lists the Group Policy settings that you can configure for W
 </tr>
 <tr>
 <td>Minimum PIN length</td>
 <td>Computer</td>
 <td>
 <p><b>Not configured</b>: PIN length must be greater  than or equal to 4.</p>
 <p><b>Enabled</b>: PIN length must be greater than or equal to the number you specify.</p>
@ -106,6 +138,7 @@ The following table lists the Group Policy settings that you can configure for W
 </tr>
 <tr>
 <td>Expiration</td>
 <td>Computer</td>
 <td>
 <p><b>Not configured</b>: PIN does not expire.</p>
 <p><b>Enabled</b>: PIN can be set to expire after any number of days between 1 and 730, or PIN can be set to never expire by setting policy to 0.</p>
@ -114,6 +147,7 @@ The following table lists the Group Policy settings that you can configure for W
 </tr>
 <tr>
 <td>History</td>
 <td>Computer</td>
 <td>
 <p><b>Not configured</b>: Previous PINs are not stored.</p>
 <p><b>Enabled</b>: Specify the number of previous PINs that can be associated to a user account that can&#39;t be reused.</p>
@ -124,6 +158,7 @@ The following table lists the Group Policy settings that you can configure for W
 </tr>
 <tr>
 <td>Require special characters</td>
 <td>Computer</td>
 <td>
 <p><b>Not configured</b>: Users cannot include a special character in their PIN.</p>
 <p><b>Enabled</b>: Users must include at least one special character in their PIN.</p>
@ -132,6 +167,7 @@ The following table lists the Group Policy settings that you can configure for W
 </tr>
 <tr>
 <td>Require uppercase letters</td>
 <td>Computer</td>
 <td>
 <p><b>Not configured</b>: Users cannot include an uppercase letter in their PIN.</p>
 <p><b>Enabled</b>: Users must include at least one uppercase letter in their PIN.</p>
@ -139,9 +175,9 @@ The following table lists the Group Policy settings that you can configure for W
 </td>
 </tr>
 <tr>
-<td>&gt;Phone Sign-in</td>
+<td>Phone Sign-in</td>
-<td>
+<td>Use Phone Sign-in</td>
-<p>Use Phone Sign-in</p>
+<td>Computer</td>
 </td>
 <td>
 <p>Not currently supported.</p>
@ -166,7 +202,7 @@ The following table lists the MDM policy settings that you can configure for Win
 <tr>
 <td>UsePassportForWork</td>
 <td></td>
-<td>Device</td>
+<td>Device or user</td>
 <td>True</td>
 <td>
 <p>True: Windows Hello for Business will be provisioned for all users on the device.</p>
@ -178,7 +214,7 @@ The following table lists the MDM policy settings that you can configure for Win
 <tr>
 <td>RequireSecurityDevice</td>
 <td></td>
-<td>Device</td>
+<td>Device or user</td>
 <td>False</td>
 <td>
 <p>True: Windows Hello for Business will only be provisioned using TPM.</p>
@ -186,6 +222,32 @@ The following table lists the MDM policy settings that you can configure for Win
 </td>
 </tr>
 <tr>
 <td>ExcludeSecurityDevice</td>
 <td>TPM12</td>
 <td>Device</td>
 <td>False</td>
 <td>
 <p>Added in Windows 10, version 1703</p>
 <p>True: TPM revision 1.2 modules will be disallowed from being used with Windows Hello for Business.</p>
 <p>False: TPM revision 1.2 modules will be allowed to be used with Windows Hello for Business.</p>
 </td>
 </tr>
 <tr>
 <td>EnablePinRecovery</td>
 <td></td>
 <td>Device or user</td>
 <td>False</td>
 <td>
 <p>Added in Windows 10, version 1703</p>
 <p>True: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset.</p>
 <p>False: Windows Hello for Business does not create or store a PIN recovery secret. PIN reset does not use the Azure-based PIN recovery service.</p>
 <p>
 For more information about using the PIN recovery service for PIN reset see [Windows Hello for Business PIN Reset](hello-feature-pin-reset.md).
 </p>
 </td>
 </tr>
 <tr>
 <td rowspan="2">Biometrics</td>
 <td>
 <p>UseBiometrics</p>
@ -216,19 +278,41 @@ The following table lists the MDM policy settings that you can configure for Win
 <tr>
 <td>Digits </td>
 <td>Device or user</td>
-<td>2 </td>
+<td>1 </td>
 <td>
-<p>1: Numbers are not allowed. </p>
+<p>0: Digits are allowed. </p>
-<p>2: At least one number is required.</p>
+<p>1: At least one digit is required.</p>
 <p>2: Digits are not allowed. </p>
 </td>
 </tr>
 <tr>
 <td>Lowercase letters </td>
 <td>Device or user</td>
-<td>1 </td>
+<td>2</td>
 <td>
-<p>1: Lowercase letters are not allowed. </p>
+<p>0: Lowercase letters are allowed. </p>
-<p>2: At least one lowercase letter is required.</p>
+<p>1: At least one lowercase letter is required.</p>
 <p>2: Lowercase letters are not allowed. </p>
 </td>
 </tr>
 <tr>
 <td>Special characters</td>
 <td>Device or user</td>
 <td>2</td>
 <td>
 <p>0: Special characters are allowed. </p>
 <p>1: At least one special character is required. </p>
 <p>2: Special characters are not allowed.</p>
 </td>
 </tr>
 <tr>
 <td>Uppercase letters</td>
 <td>Device or user</td>
 <td>2</td>
 <td>
 <p>0: Uppercase letters are allowed. </p>
 <p>1: At least one uppercase letter is required.</p>
 <p>2: Uppercase letters are not allowed. </p>
 </td>
 </tr>
 <tr>
@ -252,7 +336,7 @@ The following table lists the MDM policy settings that you can configure for Win
 <td>Device or user</td>
 <td>0</td>
 <td>
-<p>Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user’s PIN will never expire. 
+<p>Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user's PIN will never expire.
 </p>
 </td>
 </tr>
@ -261,29 +345,11 @@ The following table lists the MDM policy settings that you can configure for Win
 <td>Device or user</td>
 <td>0</td>
 <td>
-<p>Integer value that specifies the number of past PINs that can be associated to a user account that can’t be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs is not required. 
+<p>Integer value that specifies the number of past PINs that can be associated to a user account that can't be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs is not required.
 </p>
 </td>
 </tr>
 <tr>
 <td>Special characters</td>
 <td>Device or user</td>
 <td>1</td>
 <td>
 <p>1: Special characters are not allowed. </p>
 <p>2: At least one special character is required.</p>
 </td>
 </tr>
 <tr>
 <td>Uppercase letters</td>
 <td>Device or user</td>
 <td>1</td>
 <td>
 <p>1: Uppercase letters are not allowed </p>
 <p>2: At least one uppercase letter is required</p>
 </td>
 </tr>
 <tr>
 <td>Remote</td>
 <td>
 <p>UseRemotePassport</p>
@ -297,20 +363,53 @@ The following table lists the MDM policy settings that you can configure for Win
 </table>
 >[!NOTE]
-> If policy is not configured to explicitly require letters or special characters, users will be restricted to creating a numeric PIN.
+> In Windows 10, version 1709 and later, if policy is not configured to explicitly require letters or special characters, users can optionally set an alphanumeric PIN. Prior to version 1709 the user is required to set a numeric PIN.
 ## Policy conflicts from multiple policy sources
 Windows Hello for Business is designed to be managed by Group Policy or MDM but not a combination of both. If policies are set from both sources it can result in a mixed result of what is actually enforced for a user or device.
 Policies for Windows Hello for Business are enforced using the following hierarchy: User Group Policy > Computer Group Policy > User MDM > Device MDM > Device Lock policy. All PIN complexity policies are grouped together and enforced from a single policy source.
 Use a hardware security device and RequireSecurityDevice enforcement are also grouped together with PIN complexity policy. Conflict resolution for other Windows Hello for Business policies is enforced on a per policy basis.  
 >[!NOTE]
 > Windows Hello for Business policy conflict resolution logic does not respect the ControlPolicyConflict/MDMWinsOverGP policy in the Policy CSP.
 ><b>Examples</b>
 >
 >The following are configured using computer Group Policy:
 >
 >- Use Windows Hello for Business - Enabled
 >- User certificate for on-premises authentication - Enabled
 >- Require digits - Enabled
 >- Minimum PIN length - 6
 >
 >The following are configured using device MDM Policy:
 >
 >- UsePassportForWork - Disabled
 >- UseCertificateForOnPremAuth - Disabled
 >- MinimumPINLength - 8
 >- Digits - 1
 >- LowercaseLetters - 1
 >- SpecialCharacters - 1
 >
 >Enforced policy set:
 >
 >- Use Windows Hello for Business - Enabled
 >- Use certificate for on-premises authentication - Enabled
 >- Require digits - Enabled
 >- Minimum PIN length - 6d
 ## How to use Windows Hello for Business with Azure Active Directory
 There are three scenarios for using Windows Hello for Business in Azure AD–only organizations:
- **Organizations that use the version of Azure AD included with Office 365**. For these organizations, no additional work is necessary. When Windows 10 was released to general availability, Microsoft changed the behavior of the Office 365 Azure AD stack. When a user selects the option to join a work or school network, the device is automatically joined to the Office 365 tenant’s directory partition, a certificate is issued for the device, and it becomes eligible for Office 365 MDM if the tenant has subscribed to that feature. In addition, the user will be prompted to log on and, if MFA is enabled, to enter an MFA proof that Azure AD sends to his or her phone. 
+- **Organizations that use the version of Azure AD included with Office 365**. For these organizations, no additional work is necessary. When Windows 10 was released to general availability, Microsoft changed the behavior of the Office 365 Azure AD stack. When a user selects the option to join a work or school network, the device is automatically joined to the Office 365 tenant's directory partition, a certificate is issued for the device, and it becomes eligible for Office 365 MDM if the tenant has subscribed to that feature. In addition, the user will be prompted to log on and, if MFA is enabled, to enter an MFA proof that Azure AD sends to his or her phone.
- **Organizations that use the free tier of Azure AD**. For these organizations, Microsoft has not enabled automatic domain join to Azure AD. Organizations that have signed up for the free tier have the option to enable or disable this feature, so automatic domain join won’t be enabled unless and until the organization’s administrators decide to enable it. When that feature is enabled, devices that join the Azure AD domain by using the Connect to work or school dialog box will be automatically registered with Windows Hello for Business support, but previously joined devices will not be registered. 
+- **Organizations that use the free tier of Azure AD**. For these organizations, Microsoft has not enabled automatic domain join to Azure AD. Organizations that have signed up for the free tier have the option to enable or disable this feature, so automatic domain join won't be enabled unless and until the organization's administrators decide to enable it. When that feature is enabled, devices that join the Azure AD domain by using the Connect to work or school dialog box will be automatically registered with Windows Hello for Business support, but previously joined devices will not be registered. 
 - **Organizations that have subscribed to Azure AD Premium** have access to the full set of Azure AD MDM features. These features include controls to manage Windows Hello for Business. You can set policies to disable or force the use of Windows Hello for Business, require the use of a TPM, and control the length and strength of PINs set on the device.
-If you want to use Windows Hello for Business with certificates, you’ll need a device registration system. That means that you set up Configuration Manager, Microsoft Intune, or a compatible non-Microsoft MDM system and enable it to enroll devices. This is a prerequisite step to use Windows Hello for Business with certificates, no matter the IDP, because the enrollment system is responsible for provisioning the devices with the necessary certificates. 
+If you want to use Windows Hello for Business with certificates, you'll need a device registration system. That means that you set up Configuration Manager, Microsoft Intune, or a compatible non-Microsoft MDM system and enable it to enroll devices. This is a prerequisite step to use Windows Hello for Business with certificates, no matter the IDP, because the enrollment system is responsible for provisioning the devices with the necessary certificates.
 ## Related topics
--- a/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md
+++ b/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md
@ -1,122 +0,0 @@
 ---
 title: How Windows Information Protection (WIP) protects files with a sensitivity label (Windows 10)
 description: Explains how Windows Information Protection works with other Microsoft information protection technologies to protect files that have a sensitivity label.
 keywords: sensitivity, labels, WIP, Windows Information Protection, EDP, Enterprise Data Protection
 ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 author: dulcemontemayor
 ms.author: dansimp
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/30/2019
 ms.reviewer: 
 ---
 # How Windows Information Protection (WIP) protects a file that has a sensitivity label 
 **Applies to:**
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 - Windows 10, version 1903
 - Windows 10, version 1809
 >[!IMPORTANT]
 >Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
 This topic explains how Windows Information Protection works with other Microsoft information protection technologies to protect files that have a sensitivity label. 
 Microsoft information protection technologies work together as an integrated solution to help enterprises:
 - Discover corporate data on endpoint devices
 - Classify and label information based on its content and context
 - Protect corporate data from unintentionally leaving to non-business environments
 - Enable audit reports of user interactions with corporate data on endpoint devices
 Microsoft information protection technologies include:
 - [Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) is built in to Windows 10 and protects local data at rest on endpoint devices, and manages apps to protect local data in use. Data that leaves the endpoint device, such as email attachment, is not protected by WIP. 
 - [Azure Information Protection](https://docs.microsoft.com/azure/information-protection/what-is-information-protection) is a cloud-based solution that can be purchased either standalone or as part of Microsoft 365 Enterprise. It helps an organization classify and protect its documents and emails by applying labels. Azure Information Protection is applied directly to content, and roams with the content as it's moved between locations and cloud services.
 - [Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/what-is-cloud-app-security) is a cloud access security broker (CASB) solution that allows you to discover, classify, protect, and monitor user data in first-party and third-party Software-as-a-Service (SaaS) apps used by your organization.
 ## How WIP protects sensitivity labels with endpoint data loss prevention
 You can create and manage [sensitivity labels](https://docs.microsoft.com/office365/securitycompliance/labels) in the Microsoft 365 compliance center. 
 When you [create a sensitivity label](https://docs.microsoft.com/microsoft-365/compliance/create-sensitivity-labels), you can specify that endpoint data loss prevention applies to content with that label. 
 ![Endpoint data loss prevention](images/sensitivity-label-endpoint-dlp.png)
 Office app users can choose a sensitivity label from a menu and apply it to a file.
 ![Sensitivity labels](images/sensitivity-labels.png)
 WIP enforces default endpoint protection as follows: 
 - If endpoint data loss prevention is enabled, the device enforces work protection for any file with the label
 - If endpoint data loss prevention is not enabled:
  - The device enforces work protection to a file downloaded from a work site 
  - The device does not enforce work protection to a file downloaded from a personal site
 Here's an example where a file remains protected without any work context beyond the sensitivity label: 
 1. Sara creates a PDF file on a Mac and labels it as **Confidential**.
 1. She emails the PDF from her Gmail account to Laura.
 1. Laura opens the PDF file on her Windows 10 device. 
 1. Windows Defender Advanced Threat Protection (Windows Defender ATP) scans Windows 10 for any file that gets modified or created, including files that were created on a personal site. 
 1. Windows Defender ATP triggers WIP policy.
 1. WIP policy protects the file even though it came from a personal site.
 ## How WIP protects automatically classified files
 The next sections cover how Windows Defender ATP extends discovery and protection of sensitive information with improvements in Windows 10 version 1903. 
 ### Discovery
 Windows Defender ATP can extract the content of the file itself and evaluate whether it contains sensitive information types such as credit card numbers or employee ID numbers. 
 When you create a sensitivity label, you can specify that the label be added to any file that contains a sensitive information type. 
 ![Sensitivity labels](images/sensitivity-label-auto-label.png)
 A default set of [sensitive information types](https://docs.microsoft.com/office365/securitycompliance/what-the-sensitive-information-types-look-for) in Microsoft 365 compliance center includes credit card numbers, phone numbers, driver's license numbers, and so on.
 You can also [create a custom sensitive information type](https://docs.microsoft.com/office365/securitycompliance/create-a-custom-sensitive-information-type), which can include any keyword or expression that you want to evaluate. 
 ### Protection
 When a file is created or edited on a Windows 10 endpoint, Windows Defender ATP extracts the content and evaluates if it contains any default or custom sensitive information types that have been defined. 
 If the file has a match, Windows Defender ATP applies endpoint data loss prevention even if the file had no label previously. 
 Windows Defender ATP is integrated with Azure Information Protection for data discovery and reports sensitive information types that were discovered. 
 Azure Information Protection aggregates the files with sensitivity labels and the sensitive information types they contain across the enterprise. 
 ![Image of Azure Information Protection - Data discovery](images/azure-data-discovery.png)
 You can see sensitive information types in Microsoft 365 compliance under **Classifications**. Default sensitive information types have Microsoft as the publisher. The publisher for custom types is the tenant name.
 ![Sensitive information types](images/sensitive-info-types.png)
 >[!NOTE]
 >Automatic classification does not change the file itself, but it applies protection based on the label. 
 >WIP protects a file that contains a sensitive information type as a work file.
 >Azure Information Protection works differently in that it extends a file with a new attribute so the protection persists if the file is copied. 
 ## Prerequisites
 - Endpoint data loss prevention requires Windows 10, version 1809
 - Auto labelling requires Windows 10, version 1903
 - Devices need to be onboarded to [Windows Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection), which scans content for a label and applies WIP policy
 - [Sensitivity labels](https://docs.microsoft.com/office365/securitycompliance/labels) need to be configured in Microsoft 365 compliance center
 - WIP policy needs to be applied to endpoint devices by using [Intune](create-wip-policy-using-intune-azure.md) or [Microsoft Endpoint Configuration Manager](overview-create-wip-policy-configmgr.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
@ -18,7 +18,9 @@ ms.topic: article
 # View details and results of automated investigations
-Pending and completed [remediation actions](manage-auto-investigation.md#remediation-actions) are listed in the **Action center** ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and the **Investigations** page ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)).
+During and after an automated investigation, certain remediation actions can be identified. Depending on the threat and how [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender ATP) is configured for your organization, some remediation actions are taken automatically. 
 If you're part of your organization's security operations team, you can view pending and completed [remediation actions](manage-auto-investigation.md#remediation-actions) in the **Action center** ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)). You can also use the **Investigations** page ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)) to view details about an investigation.
 >[!NOTE]
 >If your organization has implemented role-based access to manage portal access, only authorized users or user groups who have permission to view the machine or machine group will be able to view the entire investigation. 
@ -27,12 +29,13 @@ Pending and completed [remediation actions](manage-auto-investigation.md#remedia
 ![Action center page](images/action-center.png)
-The action center consists of two main tabs, as described in the following table.
+The action center consists of two main tabs: **Pending actions** and **History**.
-
+- **Pending actions**  Displays a list of ongoing investigations that require attention. Recommended actions are presented that your security operations team can approve or reject. The Pending tab appears only if there are pending actions to be approved (or rejected). 
-|Tab  |Description  |
+- **History**  Acts as an audit log for all of the following items: <br/>
-|---------|---------|
+   - Remediation actions that were taken as a result of an automated investigation
-|Pending actions     |Displays a list of ongoing investigations that require attention. Recommended actions are presented that your security operations team can approve or reject. <br/><br/>**NOTE**: The Pending tab appears only if there are pending actions to be approved (or rejected).        |
+   - Remediation actions that were approved by your security operations team (some actions, such as sending a file to quarantine, can be undone) 
-|History     |Acts as an audit log for all of the following: <br/>- All actions taken by automated investigation and remediation in Microsoft Defender ATP <br/>Actions that were approved by your security operations team (some actions, such as sending a file to quarantine, can be undone) <br/>- All commands ran and remediation actions that were applied in Live Response sessions (some actions can be undone) <br/>- Remediation actions that were applied by Windows Defender Antivirus (some actions can be undone) |
+   - Commands that were run and remediation actions that were applied in Live Response sessions (some actions can be undone)
   - Remediation actions that were applied by Windows Defender Antivirus (some actions can be undone) 
 Use the **Customize columns** menu to select columns that you'd like to show or hide. 
@ -58,29 +61,30 @@ On the **Investigations** page, you can view details and use filters to focus on
 |---------|---------|
 |**Status**     |(See [Automated investigation status](#automated-investigation-status))         |
 |**Triggering alert** | The alert that initiated the automated investigation |
-|**Detection source** |The source of the alert that initiated the automated investigation. |
+|**Detection source** |The source of the alert that initiated the automated investigation |
-|**Entities** | These can include device or machines, and machine groups. You can filter the automated investigations list to zone in a specific machine to see other investigations related to the machine, or to see specific machine groups that you might have created. |
+|**Entities** | Entities can include device or machines, and machine groups. You can filter the automated investigations list to zone in a specific machine to see other investigations related to the machine, or to see specific machine groups that were created. |
-|**Threat** |The category of threat detected during the automated investigation. |
+|**Threat** |The category of threat detected during the automated investigation |
-|**Tags** |Filter using manually added tags that capture the context of an automated investigation.|
+|**Tags** |Filter using manually added tags that capture the context of an automated investigation|
-|**Comments** |Select between filtering the list between automated investigations that have comments and those that don't.|
+|**Comments** |Select between filtering the list between automated investigations that have comments and those that don't|
 ## Automated investigation status
-An automated investigation can be have one of the following status values:
+An automated investigation can have one of the following status values:
 |Status  |Description  |
 |---------|---------|
-| No threats found | No malicious entities found during the investigation. |
+| Running    | The investigation process has started and is underway. Malicious artifacts that are found are remediated.    |
-| Failed  | A problem has interrupted the investigation, preventing it from completing.       |
+| Partially investigated      | Entities directly related to the alert have been investigated. However, a problem stopped the investigation of collateral entities. Check the investigation log ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)) for specific details. |
-| Partially remediated  | A problem prevented the remediation of some malicious entities.  |
+| No threats found | The investigation has finished and no threats were identified. <br/>If you suspect something was missed (such as a false negative), you can use [advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview). |
-| Pending action  | Remediation actions require review and approval.   |
+| Pending action  | The investigation has found a threat, and an action to remediate that threat is awaiting approval. The Pending Action state is triggered when any threat with a corresponding action is found. However, the list of pending actions can increase as an investigation runs. Check the investigation log ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)) to see if other items are still pending completion.  |
 | Remediated   | The investigation finished and all actions were approved (fully remediated). |
 | Partially remediated  | The investigation resulted in remediation actions, and some were approved and completed. Other actions are still pending. |
 | Terminated by system  | The investigation stopped. An investigation can stop for several reasons:<br/>- The investigation's pending actions expired. Pending actions can time out after awaiting approval for an extended period of time. <br/>- There are too many actions in the list.<br/>Visit the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) to view and approve any pending actions.     |
 | Failed  | At least one investigation analyzer ran into a problem where it could not complete properly. <br/><br/>If an investigation fails after remediation actions were approved, the remediation actions might still have succeeded. Check the investigation log ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)) for detailed results.      |
 | Queued    | An investigation is being held in a queue. When other investigations complete, queued investigations begin.  |
 | Waiting for machine | Investigation paused. The investigation will resume as soon as the machine is available. |
 | Queued    |   Investigation has been queued and will resume as soon as other remediation activities are completed.      |
 | Running    | Investigation ongoing. Malicious entities found will be remediated.    |
 | Remediated   | Malicious entities found were successfully remediated.       |
 | Terminated by system  | Investigation was stopped by the system.                 |
 | Terminated by user    | A user stopped the investigation before it could complete.  |
-| Partially investigated      | Entities directly related to the alert have been investigated. However, a problem stopped the investigation of collateral entities. |
+
 ## View details about an automated investigation
@ -92,7 +96,7 @@ In this view, you'll see the name of the investigation, when it started and ende
 ### Investigation graph
-The investigation graph provides a graphical representation of an automated investigation. All investigation related information is simplified and arranged in specific sections. Clicking on any of the icons brings you the relevant section where you can view more information.
+The investigation graph provides a graphical representation of an automated investigation. All investigation-related information is simplified and arranged in specific sections. Clicking on any of the icons brings you the relevant section where you can view more information.
 A progress ring shows two status indicators:
 - Orange ring - shows the pending portion of the investigation
@ -108,7 +112,7 @@ From this view, you can also view and add comments and tags about the investigat
 ### Alerts
-The **Alerts** tab for an automated investigation shows details such as a short description of the alert that initiated the automated investigation, severity, category, the machine associated with the alert, user, time in queue, status, investigation state, and who the investigation is assigned to. 
+The **Alerts** tab for an automated investigation shows details such as a short description of the alert that initiated the automated investigation, severity, category, the machine associated with the alert, user, time in queue, status, investigation state, and to whom the investigation is assigned. 
 Additional alerts seen on a machine can be added to an automated investigation as long as the investigation is ongoing. 
@ -124,7 +128,7 @@ Machines that show the same threat can be added to an ongoing investigation and
 Selecting a machine using the checkbox brings up the machine details pane where you can see more information such as machine details and logged-on users.
-Clicking on an machine name brings you the machine page.
+Clicking on a machine name brings you the machine page.
 ### Evidence
@ -146,7 +150,7 @@ You can also click on an action to bring up the details pane where you'll see in
 ### Pending actions
-If there are pending actions on an automated investigation, you'll see a pop up similar to the following image. 
+If there are pending actions on an automated investigation, you'll see a pop-up similar to the following image. 
 ![Image of pending actions](images/pending-actions.png)
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
@ -21,39 +21,39 @@ ms.topic: conceptual
 ## Remediation actions
-When an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be *Malicious*, *Suspicious*, or *Clean*. Depending on the type of threat and resulting verdict, remediation actions occur automatically or upon approval by your organization’s security operations team. For example, some actions, such as removing malware, are taken automatically. Other actions require review and approval to proceed.  
+When an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be *Malicious*, *Suspicious*, or *No threats found*. Depending on the type of threat and resulting verdict, remediation actions occur automatically or upon approval by your organization’s security operations team. For example, some actions, such as removing malware, are taken automatically. Other actions require review and approval to proceed.  
 When a verdict of *Malicious* is reached for a piece of evidence, Microsoft Defender Advanced Threat Protection takes one of the following remediation actions automatically:
- Quarantine file
+- Quarantine a file
- Remove registry key
+- Remove a registry key
- Kill process
+- Kill a process
- Stop service
+- Stop a service
- Remove registry key
+- Remove a registry key
- Disable driver
+- Disable a driver
- Remove scheduled task
+- Remove a scheduled task
-Evidence determined as *Suspicious* results in pending actions that require approval. As a best practice, make sure to [approve (or reject) pending actions](#review-pending-actions) as soon as possible. This helps your automated investigations complete in a timely manner. 
+Evidence determined as *Suspicious* results in pending actions that require approval. As a best practice, make sure to [approve (or reject) pending actions](#review-pending-actions) as soon as possible so that you automated investigations complete in a timely manner. 
-No actions are taken when evidence is determined to be *Clean*. 
+No actions are taken when a verdict of *No threats found* is reached for a piece of evidence. 
 In Microsoft Defender Advanced Threat Protection, all verdicts are [tracked and viewable in the Microsoft Defender Security Center](#review-completed-actions).
 ## Review pending actions
-1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. This takes you to your Security dashboard.
+1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. You'll see the Security dashboard.
 2. On the Security dashboard, in the navigation pane on the left, choose **Automated investigations** > **Action center**.
 3. Review any items on the **Pending** tab. 
-    Selecting an investigation from any of the categories opens a panel where you can approve or reject the remediation. Other details such as file or service details, investigation details, and alert details are displayed. From the panel, you can click on the **Open investigation page** link to see the investigation details.
+    Select an investigation from any of the categories to open a panel where you can approve or reject remediation actions. Other details such as file or service details, investigation details, and alert details are displayed. From the panel, you can click on the **Open investigation page** link to see the investigation details.
    You can also select multiple investigations to approve or reject actions on multiple investigations. 
 ## Review completed actions
-1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. This takes you to your Security dashboard.
+1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. You'll see the Security dashboard.
 2. On the Security dashboard, in the navigation pane on the left, choose **Automated investigations** > **Action center**.
@ -61,6 +61,12 @@ In Microsoft Defender Advanced Threat Protection, all verdicts are [tracked and
 4. Select an item to view more details about that remediation action.
 ## Next steps
 - [View details and results of automated investigations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center)
 - [Get an overview of live response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/live-response)
 ## Related articles
 - [Automated investigation and response in Office 365 Advanced Threat Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-air)
--- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md
+++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md
@ -1,7 +1,7 @@
 ---
-title: Set up and use Windows Defender SmartScreen on individual devices (Windows 10)
+title: Set up and use Microsoft Defender SmartScreen on individual devices (Windows 10)
-description: Learn how employees can use Windows Security to set up Windows Defender SmartScreen. Windows Defender SmartScreen protects users from running malicious apps.
+description: Learn how employees can use Windows Security to set up Microsoft Defender SmartScreen. Microsoft Defender SmartScreen protects users from running malicious apps.
-keywords: SmartScreen Filter, Windows SmartScreen, Windows Defender SmartScreen
+keywords: SmartScreen Filter, Windows SmartScreen, Microsoft Defender SmartScreen
 ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
@ -14,22 +14,22 @@ manager: dansimp
 ms.author: macapara
 ---
-# Set up and use Windows Defender SmartScreen on individual devices
+# Set up and use Microsoft Defender SmartScreen on individual devices
 **Applies to:**
 - Windows 10, version 1703
 - Windows 10 Mobile
 - Microsoft Edge
-Windows Defender SmartScreen helps to protect users if they try to visit sites previously reported as phishing or malware websites, or if a user tries to download potentially malicious files.
+Microsoft Defender SmartScreen helps to protect users if they try to visit sites previously reported as phishing or malware websites, or if a user tries to download potentially malicious files.
-## How users can use Windows Security to set up Windows Defender SmartScreen
+## How users can use Windows Security to set up Microsoft Defender SmartScreen
-Starting with Windows 10, version 1703, users can use Windows Security to set up Windows Defender SmartScreen for an individual device; unless and administrator has used Group Policy or Microsoft Intune to prevent it.
+Starting with Windows 10, version 1703, users can use Windows Security to set up Microsoft Defender SmartScreen for an individual device; unless an administrator has used Group Policy or Microsoft Intune to prevent it.
 >[!NOTE]
 >If any of the following settings are managed through Group Policy or mobile device management (MDM) settings, it appears as unavailable to the employee.
-**To use Windows Security to set up Windows Defender SmartScreen on a device**
+**To use Windows Security to set up Microsoft Defender SmartScreen on a device**
 1. Open the Windows Security app, and then select **App & browser control** > **Reputation-based protection settings**.
 2. In the **Reputation-based protection** screen, choose from the following options:
@ -38,13 +38,13 @@ Starting with Windows 10, version 1703, users can use Windows Security to set up
       - **On.** Warns users that the apps and files being downloaded from the web are potentially dangerous but allows the action to continue.
-       - **Off.** Turns off Windows Defender SmartScreen, so a user isn't alerted or stopped from downloading potentially malicious apps and files.
+       - **Off.** Turns off Microsoft Defender SmartScreen, so a user isn't alerted or stopped from downloading potentially malicious apps and files.
-   - In the **Windows Defender SmartScreen for Microsoft Edge** area:
+   - In the **Microsoft Defender SmartScreen for Microsoft Edge** area:
       - **On.** Warns users that sites and downloads are potentially dangerous but allows the action to continue while running in Microsoft Edge.
-       - **Off.** Turns off Windows Defender SmartScreen, so a user isn't alerted or stopped from downloading potentially malicious apps and files.
+       - **Off.** Turns off Microsoft Defender SmartScreen, so a user isn't alerted or stopped from downloading potentially malicious apps and files.
   - In the **Potentially unwanted app blocking** area:
      - **On.** Turns on both the 'Block apps' and 'Block downloads settings. To learn more, see [How Microsoft identifies malware and potentially unwanted applications](https://docs.microsoft.com/windows/security/threat-protection/intelligence/criteria#potentially-unwanted-application-pua).
@ -54,21 +54,21 @@ Starting with Windows 10, version 1703, users can use Windows Security to set up
      - **Off.** Turns off Potentially unwanted app blocking, so a user isn't alerted or stopped from downloading or installing potentially unwanted apps.
-   - In the **Windows Defender SmartScreen from Microsoft Store apps** area:
+   - In the **Microsoft Defender SmartScreen from Microsoft Store apps** area:
     - **On.** Warns users that the sites and downloads used by Microsoft Store apps are potentially dangerous but allows the action to continue.
-     - **Off.** Turns off Windows Defender SmartScreen, so a user isn't alerted or stopped from visiting sites or from downloading potentially malicious apps and files.
+     - **Off.** Turns off Microsoft Defender SmartScreen, so a user isn't alerted or stopped from visiting sites or from downloading potentially malicious apps and files.
-       ![Windows Security, Windows Defender SmartScreen controls](images/windows-defender-smartscreen-control-2020.png)
+       ![Windows Security, Microsoft Defender SmartScreen controls](images/windows-defender-smartscreen-control-2020.png)
-## How Windows Defender SmartScreen works when a user tries to run an app
+## How Microsoft Defender SmartScreen works when a user tries to run an app
-Windows Defender SmartScreen checks the reputation of any web-based app the first time it's run from the Internet, checking digital signatures and other factors against a Microsoft-maintained service. If an app has no reputation or is known to be malicious, Windows Defender SmartScreen can warn the user or block the app from running entirely, depending on how you've configured the feature to run in your organization.
+Microsoft Defender SmartScreen checks the reputation of any web-based app the first time it's run from the Internet, checking digital signatures and other factors against a Microsoft-maintained service. If an app has no reputation or is known to be malicious, Microsoft Defender SmartScreen can warn the user or block the app from running entirely, depending on how you've configured the feature to run in your organization.
-By default, users can bypass Windows Defender SmartScreen protection, letting them run legitimate apps after accepting a warning message prompt. You can also use Group Policy or Microsoft Intune to block your employees from using unrecognized apps, or to entirely turn off Windows Defender SmartScreen (not recommended).
+By default, users can bypass Microsoft Defender SmartScreen protection, letting them run legitimate apps after accepting a warning message prompt. You can also use Group Policy or Microsoft Intune to block your employees from using unrecognized apps, or to entirely turn off Microsoft Defender SmartScreen (not recommended).
 ## How users can report websites as safe or unsafe
-Windows Defender SmartScreen can be configured to warn users from going to a potentially dangerous site. Users can then choose to report a website as safe from the warning message or as unsafe from within Microsoft Edge and Internet Explorer 11.
+Microsoft Defender SmartScreen can be configured to warn users from going to a potentially dangerous site. Users can then choose to report a website as safe from the warning message or as unsafe from within Microsoft Edge and Internet Explorer 11.
 **To report a website as safe from the warning message**
 - On the warning screen for the site, click **More Information**, and then click **Report that this site does not contain threats**. The site info is sent to the Microsoft feedback site, which provides further instructions.
@ -82,7 +82,7 @@ Windows Defender SmartScreen can be configured to warn users from going to a pot
 ## Related topics
 - [Threat protection](../index.md)
- [Windows Defender SmartScreen overview](windows-defender-smartscreen-overview.md)
+- [Microsoft Defender SmartScreen overview](windows-defender-smartscreen-overview.md)
 >[!NOTE]
 >Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).